I constantly getting mails asking about Sun e10k keys. People get those incredible computers but without software keys which make them work.
I believe Sun Microsystems forgives me as clearly e10k is obsolete and Sun has no direct interest in selling those keys anymore. Also should be obvious that using method described below voids your warranty and maybe support contract with Sun. So, use it only when you have no other options left.
Normally you get keys for this computer from Sun. Key consists from Host ID which is something like 0x80xxxxxx where "xxxxxx" represents your computer serial number or any other number provided by Sun and key itself which is pretty long hexadecimal string and should match given Host ID. You may not have any of them.
Easiest way is to fool this computer is to use binary utility "sys_id" under debugger and bypass key and hostid validity checks. You should have gdb and SSP software installed. Now just follow few simple steps:
ultra5:jes% /opt/csw/bin/gdb -q sys_id (no debugging symbols found) (gdb) break *0x00011644 Breakpoint 1 at 0x11644 (gdb) break *0x00011150 Breakpoint 2 at 0x11150 (gdb)Now binary is in memory and we run it with usual arguments. Only key and hostid are not valid. I chosed "deadbeef" as hostid and "1101100110011001100" as key:
(gdb) run -k 1101100110011001100 -h 0xdeadbeef -f eeprom.image.deadbeef Starting program: /opt/SUNWssp/bin/sys_id -k 1101100110011001100 -h 0xdeadbeef -f eeprom.image.deadbeef (no debugging symbols found) warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1" (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) Breakpoint 1, 0x00011644 in main () (gdb)Program stopped in our breakpoint. Just tell him to bypass some security checks:
(gdb)jump *0x00011648 Continuing at 0x11648. Breakpoint 2, 0x00011150 in set_key () (gdb)And again....
(gdb) jump *0x00011170 Continuing at 0x11170. Program exited normally. (gdb) quitOk, cracking is done. We have ready to use EEPROM file now named "eeprom.image.deadbeef". Let's create domain "deadbeef":
ultra5:jes% domain_create -d deadbeef -o 5.10 -p jes -b 6 domain_create: Error! No eeprom file for this domain: deadbeef ultra5:jes%Oh no! I forgot, "eeprom.image.deadbeef" should be in directory /var/opt/SUNWssp/.ssp_private/eeprom_save/
ultra5:jes% mv eeprom.image.deadbeef /var/opt/SUNWssp/.ssp_private/eeprom_save/ ultra5:jes% domain_create -d deadbeef -o 5.10 -p jes -b 6 Domain : deadbeef is created ! ultra5:jes% domain_switch deadbeef Switch to domain deadbeef ultra5:deadbeef% power -on Warning: This system does not have any power supply redundancy. Warning: Bulk power is insufficient to power all existing system boards. Powering up centerplane: 0...power already enabled Powering up centerplane: 1...power already enabled Powering up system board: 6...done ultra5:deadbeef% bringup -A off Trying to get bringup.lock lock... OK Checking that all other domains are down..... NO Bringing up domain deadbeef Starting: hpost Opening SNMP server library... Significant contents of /export/home/ssp/.postrc: # logfile Using blacklist file /var/opt/SUNWssp/etc/jes/blacklist #mgroup 2.1 Reading centerplane asics to obtain bus configuration... Bus configuration determined to be 3F. phase cplane_isolate: CP domain cluster mask clear... phase init_reset: Initial system resets... phase jtag_integ: JTAG probe and integrity test... phase mem_probe: Memory dimm probe... FAIL MemBank 6.3: unknown dimm type 62 phase iom_probe: I/O module type probe... phase jtag_bbsram: JTAG basic test of bootbus sram... phase proc1: Initial processor module tests... phase pc/cic_reg: PC and CIC register tests... phase dtag: CIC DTAG tests... phase mem: MC register and memory tests... phase io: I/O controller tests... phase procmem2: Processor vs. memory II tests... phase lbexit: Centerplane connection tests... phase npb_mem: Non-Proc Board MC and memory tests... phase npb_iopc: Non-Proc Board IOPC register tests... phase npb_io: Non-Proc Board I/O controller tests... phase npb_cplane: Non-Proc Board centerplane connection tests... phase nmb_procmem2: Non-Mem Board Proc vs. memory II tests... phase final_config: Final configuration... Configuring in 3F, FOM = 1152.00: 1 proc, 3 Scards, 3072 MBytes. Creating OBP handoff structures... Configured in 3F with 1 processor, 3 Scards, 3072 MBytes memory. Interconnect frequency is 99.902 MHz, from SNMP MIB. Processor external frequency is 199.805 MHz, from SNMP MIB. Processor internal frequency is 399.610 MHz, from proc clk_mode probe. Boot processor is 6.1 = 25 POST (level=16, verbose=20) execution time 4:08 Boot processor 25 written to /var/opt/SUNWssp/etc/jes/deadbeef/bootproc Updating domain deadbeef with bootproc 25 domainInstance 3 and interrupt vector MIB... OK Starting obp_helper -m 25 -A off... OK Starting netcon_server -p 25 ... OK ultra5:deadbeef% netcon -g trying to connect... connected. Unlocked write permission is granted. Incorrect configuration checksum; Setting NVRAM parameters to default values. SUNW,Ultra-Enterprise-10000, using Network Console OpenBoot 3.2.181, 3072 MB memory installed, Serial #11386607. Ethernet address 0:0:be:ad:be:ef, Host ID: 80adbeef. <#25> ok <#25> ok
It works :-)
Something little is wrong as ethernet address is not "de:ad:be:ef:" as expected but this is probably because original hostid has always 0x80 as first byte. So probably something like 0x80c0ffee would be better. Anyway, good luck.