All posts by richard

Outlook 2016 Password Silliness and Unable to Add New AD Accounts

I have seen this all over the web and no one had the answer that worked for me until I found a clue hidden in an update.

The Symptoms are (in my case)
Outlook 2016 suddenly (after an update) starts asking for a password. Although it seems to take the password and username eventually on some machines, more often than not it’ll keep asking.
In this case we are using Exchange 2010. There is a mixed bag of machines on the network and it’s only the 2016 machines that are doing this. Most of the time cancelling the dialog would make Outlook behave for a while but one or two machines were behaving oddly.

Reset everything in Credential Manager, forced the autodetection via registry, rebuilt the profiles (more on that in a sec), reset passwords, reinstalled Office, tried a fresh install; in fact NOTHING worked.

When we created new profiles we could not get them to work, they would not log in no matter what we tried, however OWA was fine with the same details.

At this point we are three months in…

So a few days ago with the intention of doing something else entirely I looked a bit deeper. Ran the connection diagnostics and noticed that was coming back clear. Isolated the machine from the net and BOOM! Prompt gone, Outlook goes back to normal. Allow access to the net again and the prompt is back. So some sniffing at the firewall and Outlook is talking to something at Microsoft prior to even looking at the AD/Exchange servers. A red flag is coming up at this point.

Office 16.0.6741.2017 added support for something called Direct Connect to Office 365. A few people flagged up that during migrations this ‘Feature’ can screw up where Outlook goes to get mail and cause all manner of stuff ups. The recommendation is that during a migration you set a registry key:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\autodiscover
DWORD: ExcludeExplicitO365Endpoint
Value = 1

So I set this key and bam! Again, Outlook is behaving. Then it dawned on me. When 365 launched it was being given away like candy by a number of businesses including BT. Both sites where I’ve seen this are/were BT customers and both had been given free 365 accounts. These accounts were long defunct but apparently still there. As we migrated them to AD and Exchange the email addresses would be the same; of course we changed the passwords for most, but not all. Where the passwords were not changed the login would work, Outlook would behave normally but things like checking for email automatically or calendar events were not quite right. Changing the password on one of these accounts broke it like the others. Disabling the “feature” put everything back to normal.

So the new profile I created for myself didn’t work because I had never had an account on 365. Outlook was trying to log into the now no good account for the customers’ domain with details that never existed and failing, then not even trying AD. When the registry change was installed I could set up a new account.

Long story short, it seems that MS didn’t think that people would ever move away from 365, and by assuming that O365 is ALWAYS authoritative over internal AD and DNS it means that anywhere O365 has been in place in the past on a domain, you are going to get this error. Of course if the domain has never had an account O365 just denies all knowledge and we fall back to AD without ever knowing.

I’m not sure when overriding settings put in place by an admin became a good idea, but it’s just another part of the huge train wreck that Microsoft QA has become.

 

Here Be Badgers!

Right, here it is. The Unified Badger Theory…
 
You may have noticed that the only time you ever see badgers is by the road dead. This has led us to believe that the natural state of a badger is therefore dead. We know there ARE live badgers, the Gubberment tells us so, as do farmers. A few people have seen them and also noted that their ground state of mind appears to be pissed off.

So what does this mean? It means that for most badgers they experience negative senescence. E.g., a badger comes into being dead, it then becomes undead and regresses through to unbirth. This also happily explains why badgers are pissed off at everything. Being unborn sounds bad enough but the prospect of the female having to un-birth really sounds no fun.

So far we have identified the following two subspecies.

The Common Road Badger – These blink into existence along the side of many roads around the country. It would seem these then become undead within a few hours and amble off as they are rarely seen to remain in place.

The Lesser Smoking Kentish Rail Badger – As documented over at Notwork Fail. These will appear along the railway line and will often be smoking. As a possible result of friction during creation they may be found smoking occasionally. They have also been known to attack Notwork Fail and BTP officers on approach for no reason.

Rumours persist about the possibility of a third subspecies known tentatively as the Hampshire Incandescent Road Badger. There have been limited sightings of this animal who seems to become undead with a level of incandescent fury rarely seen outside a household containing two or more toddlers. Upon undeath these animals will wildly and indiscriminately destroy any motor vehicle present. It is suspected the consumption of one or more Land-Rover tyres may halt the attack.

It is important to note, unlike sheep, badgers are not dragon resistant, although the fact they do appear to smoulder at the time of creation implies a level of fire proofing and high voltage insulation. We would recommend against the use of badgers on high voltage overhead transmission lines, this could result in the evolution of a new species of ‘Drop Badgers’.

Research is ongoing to ascertain the possibility of using badgers in time travel devices and if they would make a suitable, low power alternative to flux capacitors if suitably contained.

We would discourage readers from attempting the installation instructions at http://strangehorizons.com/non-fiction/articles/installing-linux-on-a-dead-badger-users-notes/ in light of this discovery. Installation of the cyberspiritual controller at the moment of undeath may result in the badger changing mindstate from pissed off, to mildly vexed or even worse, bloody furious. Do not trifle in the affairs of Badgers!

SPA504G Reset

We were recently approached by a customer (They will remain nameless but are a charity) with a batch of Cisco SPA504G IP phones. These had been purchased in good faith and duly delivered. Only they had vendor lock in. The customer tried a few avenues and if you’ve done a lot of searching you’ll know that there are a dozen ways to unlock. Most of them rely on assumptions that the vendor has not done something. The method below worked in this case and goes a little further than other suggestions, however if there has been a certificate set you are out of luck. I know there are people looking at hardware unlocking but at this point I would suggest you gave up.

Firstly, an honourable mention to the provider, Gamma Telecom. An initial call to their support guy was very promising. He didn’t see an issue, took some details and we looked at the Wireshark dumps (with plain text SIP credentials) and worked out who they belonged to and that they were indeed retired phones and there wasn’t an issue with us having them. He took my number and wandered off. Shortly he called back and said I needed to speak to someone else and told me the process to get through the labyrinthine voicemail system. Hopeful, I did as instructed.

“No, absolutely not, we can’t give you that information.” That’s as far as I got. Despite us owning the phones legally, the rather rude woman wouldn’t even listen to anything we asked. Explaining they were for a charity got no leeway at all. I even suggested they reprovision them and push a reset out that way. The phone went down.

So here’s what was needed.

The phone gets plugged into my lab setup; it’s behind its own firewall there and I can control and manipulate everything. It turns out some simple DNS hacks were all that were needed. So watching the phone with Wireshark, it asks for an IP, great, it’ll take the TFTP server and try that, no, no dice. It then asks right away for a SRV record from the provider. Ah-HA! I can’t change the SRV record at this point, but a quick dig shows that it will ALWAYS return the same hosts, node7 and node4.sip.unlimitedhorizon.co.uk. Host overrides entered in pfSense and the phones start trying to register to my FreePBX lab server. They get denied, but it means I have some control over the damn things.

At this stage I’ve been puzzling over this for a while and then I spot something. When the phones don’t get a response or are told to go swing by those servers they sit there in a loop retrying. HOWEVER a login failure rather than a refusal triggers something else. Hot on the tails of both servers failing the login it then tries to connect to an HTTP server, xsp.unlimitedhorizon.co.uk, and it asks for /dms/Cisco_504d/<mac>-Recovery.xml. A manual browse over there gets nothing, however tweaking the MAC address results in firmware images being served. There are some big security issues here, least being that I suspect it’s possible to take over another phone by flashing that image to another unit. For us this means that we have an in.

This site suggests that you can serve an XML file to it. You can then force the phone to pull the file. However if the web UI is locked that won’t work and if it’s also not looking for TFTP servers it won’t work either. So, I added another DNS override to point that host to one of my servers, uploaded that file, renamed it to match what the phone was asking for and rebooted.

File gets requested and sent, all looks good, phone then ignores the file and switches to trying to use TLS for an update. Uh oh, I’m stuffed here. I can’t spoof the cert. I can see it failing as it doesn’t like my server cert’s CA. What now?

I have an SPA504G on my desk, I know you can dump the XML so off I go and do just that. A quick look at the XML shows that the MAC is included, so that’s edited to match the locked phone and the admin password line from the above XML is added. We reboot again…

Asks for the file…
Grabs the whole damn thing…
Reboots. On reboot I’m greeted with a clone of my phone. A quick venture into the menus shows that the admin password has gone too. A quick factory reset, which I can now do, and it’s all up and running as it should. One clean, factory reset phone.

Now this presents a number of conclusions. Cisco are good at this, we’ve seen that if this DID resort to TLS, and there is an option to do this, you would be screwed. That they didn’t do this seems odd, it’s one setting, but in doing so they left it wide open. Everything else was set to make it as hard as possible to unlock the phone so why leave this back door wide open?

How much of a risk is that web server? I have five phones here with distinct MAC ranges. I can take a good guess that phones would have arrived in batches and a search in a range and a quick test shows I can pull about 5 XML files that don’t relate to me.

It’s possible they have realised there could be an issue here as the XML files point to a .bin file. The file freely downloads, which raises the question of what it is, and can I flash it to anything? I know I can force the phones as they stand into arbitrary configurations; can these files then be written to a phone to hijack that ‘line’? I’m not willing to risk the customer’s phones but it does raise the question of security of the system as a whole.

UPDATE

The XML I used from my own phone is here, you use these files at your own risk!

Cisco_504d XML Files

 

Hacking the Audi Concert Pt 4 – Front panel display, Radio and RDS modes

The next thing to look at is how the display deals with the above three modes. Although we won’t be using these modes they do show how we may be able to get a few extra bits that we can use.

Radio mode is actually REALLY simple. For some reason though my head unit won’t stay in AM mode so I won’t cover it but it should be pretty similar. I suspect there is a variation on the tuning mode that will display the right steps. I also don’t have the telltale codes as I can’t actually see them on my display 🙁

We are interested in the code 0x9A, 0x02, 0xaa, 0xbb. This seems to put the display in frequency mode and then displays the frequency in steps of 0.1 MHz from 87.5, so for example 0x01 would be 87.6 MHz. 0xbb is always set as zero but it may be this is used for AM mode.

0x9A, 0x13 is issued just before; I don’t think this is mode switching but it likely refers to setting of the telltales. It does seem this is used with every LCD mode change, however I have noticed the micro does update the screen whenever it can rather than when needed.

Now the fun (and useful) one. RDS mode. This seems just as simple as above. On switching from frequency mode to RDS mode we see the following commands…

0x9A, 0x02, 0xaa, 0x00 – Freq display refresh, not sure why this is sent
0x9A, 0x23, 0x00, 0x00, 0x00 – Clear display
0x9A, 0x48,0xnn……

Why we are updating the frequency then clearing the display I really don’t know. But once the display is clear the head unit sends the station ID as text. The bytes 0x9A and 0x48 are followed by 8 characters as their ASCII codes. If the ID is shorter it is padded with 0x20 (space). Exactly what characters are valid is unknown. It should be possible to implement scrolling though as the display updates very fast. It may be possible to skip the clear to make it smoother.

Next: Tape Mode

 

Hacking the Audi Concert Pt 3 – Front panel, display & code entry

So we have our unit unlocked. We have the keypad protocol, now time to see how the display works. The keypad never changes its behaviour so the previous section applies and I won’t show the keyboard data.

It seems that there are at least 4 modes :

“SAFE” this simply displays the word SAFE and nothing else.

“TAPE” Likewise although there are two direction indicators that show

Text mode. This allows freeform text. There are a number of legends too that sadly can’t be seen on my display.

Radio Mode. This displays a frequency. It seems to take an 8 bit step number which the display translates.

All commands to the display start with 0x94, there then follows a command byte and the various commands seem to have different lengths. As with the keyboard there is no CRC generation.

“Safe” mode: Assuming you’ve powered up your radio from cold and it’s been out of the car a while AND it’s not had the code disabled (some seem to) you’ll be presented with a screen that says SAFE. This is the code entry screen and it seems to be one of a number of stored screen modes. We see the following commands at boot into safe mode:

0x25, 0x25 : Init from keypad

0x09, 0x61, 0x0B sent along with 0x13, 0x40, 0x00, 0x00 right after. 0x13 is the LED and LCD telltale command and this sets a single bit so it’s possible this is what actually sets the SAFE display, HOWEVER 0x09 controls the tape direction telltales so this could also be involved here. Until I’m able to extract the codes for the telltales, which will mean being able to see them, I can’t be sure what the LED command is doing here. I do plan on sending some of these commands to the display to see what happens so that may help here too. Pressing and holding RDS and TP will send keycode 0x1E and the micro issues a new sequence of commands:

0x9A, 0xE1, 0xFB – No idea what this does.
0x9A, 0x61, 0x0B – This appears to activate the SAFE display.

Once this sequence is done, the second sequence is resent every 2S. Pressing and holding RDS+TP to go into code entry gets the following:

0x9A, 0x13, 0x40, 0x00, 0x00 – 0x13 IS LED control. Byte 3 is LCD telltales as far as I can see.
0x9A, 0x23, 0x00, 0x00, 0x00 – LCD Clear
0x9A, 0x92, 0x10, 0x00 – This is code entry mode. The last 4 nibbles are the currently displayed code, so in this case 1000.

Hitting 1, 2, 3 or 4 to change the code now will resend the above command with the nibbles altered. E.g., if you hit 2 twice you’ll get

0x9A, 0x92, 0x12, 0x00

Pressing and holding TP+RDS will either start a normal boot (next page) or restart the whole process.
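
The frame layouts described here and in the Radio/RDS post above, pulled together as an added example (not code from the original posts): a Python decoder for a captured display byte stream, plus a builder for the 0x48 text frames that scrolling would need. It assumes frames arrive back to back and start with 0x9A as in the listed captures; the function names and the sample capture are constructed for illustration.

```python
# Added example: decode/encode the display frames listed in these posts.
# Assumptions: frames are sent back to back, every display frame starts
# with 0x9A (as in the listed captures), and argument counts are those
# seen in the listings. All function names here are hypothetical.

DISPLAY = 0x9A

# command byte -> number of argument bytes, from the command listings
ARG_LEN = {
    0x02: 2,  # frequency step, then a byte that is always zero
    0x13: 3,  # LED / LCD telltales
    0x23: 3,  # clear display
    0x48: 8,  # station name, 8 ASCII characters
    0x61: 1,  # appears to activate the SAFE display
    0x92: 2,  # code entry, four nibbles of displayed code
    0xE1: 1,  # purpose unknown
}


def split_frames(stream):
    """Split a raw byte stream into (command, args) tuples.

    There is no CRC or length byte, so framing relies on the per-command
    lengths above. Bytes that do not start a known frame are skipped so
    the decoder can resynchronise; a frame cut off by the end of the
    capture is reported as ("truncated", command).
    """
    frames, i = [], 0
    while i < len(stream):
        if stream[i] != DISPLAY or i + 1 >= len(stream):
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd not in ARG_LEN:
            i += 1  # unknown command: resync on the next byte
            continue
        end = i + 2 + ARG_LEN[cmd]
        if end > len(stream):
            frames.append(("truncated", cmd))
            break
        frames.append((cmd, bytes(stream[i + 2:end])))
        i = end
    return frames


def decode(stream):
    """Turn a byte stream into a list of (kind, value) display events."""
    out = []
    for cmd, args in split_frames(stream):
        if cmd == "truncated":
            out.append(("truncated", f"0x{args:02X}"))
        elif cmd == 0x02:
            tenths = 875 + args[0]  # 0.1 MHz steps up from 87.5 MHz
            out.append(("freq_mhz", f"{tenths // 10}.{tenths % 10}"))
        elif cmd == 0x23:
            out.append(("clear", None))
        elif cmd == 0x48:
            # The valid character set is unknown, so bytes outside ASCII
            # are shown as U+FFFD instead of raising.
            text = args.decode("ascii", errors="replace")
            out.append(("text", text.rstrip(" ")))
        elif cmd == 0x92:
            out.append(("code", f"{args[0]:02X}{args[1]:02X}"))
        else:
            out.append((f"cmd_0x{cmd:02X}", args.hex(" ")))
    return out


def text_frame(text):
    """Build a 0x48 frame: 8 ASCII bytes, space padded like the head unit."""
    raw = text.encode("ascii")[:8].ljust(8, b" ")
    return bytes([DISPLAY, 0x48]) + raw


def scroll_frames(message, width=8):
    """One text frame per scroll position, entering and leaving blank."""
    padded = " " * width + message + " " * width
    return [text_frame(padded[i:i + width])
            for i in range(len(padded) - width + 1)]


# Constructed capture (not from a real head unit): frequency refresh,
# clear, a station name, then the code-entry frame quoted in the post.
SAMPLE = (bytes([0x9A, 0x02, 0x01, 0x00, 0x9A, 0x23, 0x00, 0x00, 0x00,
                 0x9A, 0x48]) + b"RADIO 1 "
          + bytes([0x9A, 0x92, 0x12, 0x00]))

if __name__ == "__main__":
    for event in decode(SAMPLE):
        print(event)
    for frame in scroll_frames("HELLO AUDI")[:3]:
        print(frame.hex(" "))
```
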

On to RDS and Radio modes

 

Hacking the Audi Concert Pt 2 – Front panel, Keypad

So into deep hack. I want to be able to talk to the front display and buttons. Although I plan to replace the deck this doesn’t give me all the buttons I might want. A quick poke shows that I get 3 buttons to work with if I pick the deck commands up as is. I’d like more and I’d also like the front panel to say something other than ‘TAPE’.

The Concert and Chorus are more or less the same thing so the manual here covers both. A quick look shows us we want X1001 (the front panel connector) and in particular pins 2, 3 and 4. These compose the SPI interface to the panel. With my analyser set for active low clock, valid on leading edge and enable (status) active high I’m able to see what’s going on.

Now I’ve only been looking at these three lines and something that is immediately of concern is that the schematic shows these as unidirectional TO the display. I believe this to be an error. Status is shown as originating from the display; again, I’m not sure on this one.

Watching the exchange it’s immediately clear that there is a simple command set in use here. The first byte seems to specify if the data is coming from the keypad or to the display. The keypad is pretty simple.

The first byte is always 0x25 followed by a key ID. A key up is sent when a key is released (0x21).

The keycodes appear to be:

0x01 – 1
0x02 – 2
0x03 – 3
0x04 – 4
0x05 – 5
0x06 – 6
0x07 – Seek >
0x08 – TP
0x09 – RDS
0x0A – CPS
0x0B – MODE
0x0C – <<
0x0D – FAD
0x0E – BAL
0x10 – BASS
0x11 – AM
0x12 – Dolby
0x13 – >>
0x14 – TREB
0x15 – AS
0x16 – SCAN
0x17 – FM
0x18 – Seek <
0x19 – REV
0x1A – Knob +
0x1B – Knob –
0x1E – Code in (TP+RDS)

There may be others but this seems to cover most. Interestingly the controller is pretty dumb, switching to tape or CD doesn’t disable the unused button, the micro on the board just ignores it. This means intercepting these unused keys should be trivial enough, giving full use of ALL buttons.

On boot the keypad does send 0x25, 0x00 which seems to be a message stating that no keys are down at boot. I’ll verify this.

So in summary for the keypad, this all looks very simple to get to. I could now simply drop into tape mode as per the original firmware and be done but as I plan to have both bluetooth and MP3 built I’d like more functionality and that means the display.

So, on to the display…

Hacking the Audi Concert

My latest acquisition is an Audi A6 2.8 Quattro. Of the many really nice bits of thought that Audi put into this was the flap that covers the head unit. Like many I like as little light in the cabin as possible at night so I thought this was great. Sadly the Alpine head unit (which is Awesome) that has been fitted after market sticks out too far, you can’t close the flap. In fact a quick look shows that most manufacturers insist on a stupid, huge control knob, so there is nothing that will drop in. I’d also like to keep it stock and get the dash display back. So off we go looking….

Exhibit 1, the Concert 2. This is CD rather than Cassette but requires a CAN bus equipped car. The facelift A6 B5 does support this and this is the radio in those cars. It supports the BOSE audio system in mine, should make the dash work and supports multiple inputs (CD Changer, Nav, Phone) so should be hackable for Bluetooth and Line in. I obtained a CAN adaptor and off we went…..

No dash screen. Seems the Concert 2 wants to chat to the dash screen over CAN, not the FIS interface my car had. Bugger. This is fixable with a different CAN adaptor to the one I have. It shouldn’t be a huge thing to make a convertor. A bigger pain is despite being the radio fitted in the facelift car it physically doesn’t fit. You have to press both controls in and then close the flap which will turn the radio back on as it presses the tops or turns it off. Close but no cigar.

So Option 2. Hack a Concert. Having obtained one I hit the first big snag. Unless you have the code you are stuffed. Working Concerts with the code and working volume controls are few and far between. I’ve stripped it down and decided there are a few ways to do this but by far the easiest is the realisation that the tape unit is not only a module but it’s largely independent with its own MechCon board. As this is a logic driven deck it’s very likely this board simply takes commands from the main MCU in the form of play/stop/rev/etc. Having found a schematic, the audio out from the head pre-amp is easy to get to as well so a drop in board is a possibility.

The MCU uses a large number of serial busses which are a mix of SPI, I2C and RS232 and each section of the radio is a clearly defined block so there are a large number of possibilities here.

First goal is to get this bugger unlocked. I have the dev kit for the micro they chose (it’s been in storage for years because I thought it may be useful) so I’m planning on sucking its brains out and pulling the code out. I’m also chasing Audi who, in the manual, insist it’s a free service but the main stealers want £50 to get the code. Audi UK are chasing this for me. Given that locked ones can be found easily it may be a better bet to work out how to get it myself.

http://kovo-blog.blogspot.co.uk/2015/08/audi-chorus-concert-how-to-recover.html

Gives some pointers on how to do it, so I guess this is the first stop. I modified a cheap CH340 dongle and using that circuit pulled the code out first time. Not only can you do this WITHOUT removing the micro, Audi/Blaupunkt left test pads for all of these connections under the board…

Concert EEPROM recovery

It’s worth noting at this point that it *should* be possible to suck the ROM contents out too. I’m not sure if this version of the chip uses EEPROM or Mask ROM/EPROM for the main program. Armed with a disassembler it should be possible to fix the actual bug. You can also use the MotoHack tool to change the keycode or disable it. I opted to leave well alone as I don’t know if there is a checksum in there or not.

Having pulled the code I confirmed it does work and unlocked the unit. Turns out my display is a little dead but for our purposes it’s good enough. Off we go now to decipher the front panel…

Next: Keypad Hacking

Getting a Terrafix Vehicle PC up and running.

<><><><><><> WORK IN PROGRESS <><><><><><><>

CPU: AMD Geode LX MMX @ 500MHz (K6 Core)
RAM: 512Mb DDR 333 PC2700
IDE/SATA: VIA VT6421
Audio: Realtek ALC206
Video: AMD Onboard Geode Lx800
GPS: UBLOX Serial
3G: Unknown GPRS
Serial: 2x on board UART on Kontron ETX-LX which don’t seem to be used. 8x Exar XR17V158

In theory there are 6 devices available externally. On top of that the GPS, 3G and Touchscreen need AT LEAST one serial port each. The driver for the serial multiport card will start assigning from the next available com port BUT it seems like the order is preserved. EG if it starts at COM5, Com5 is the first port. Same if it starts at COM6 etc.

Ublox TIM-4H GPS Receiver
Siemens HC15 GSM/UMTS/HSDPA Modem

I managed to grab one of these for good money a few weeks ago. I’m not sure what it’ll get used for but it seemed like a good idea to see if Tezero would be ok on it.

First up this one had no cables, no drive or drive mounts. This is the first challenge.

Although it uses a dual link DVI connector don’t be fooled. This connector is a custom LVDS connection, you need to use the supplied monitor. There is an SVGA connector under the board but I don’t have the pinouts for this. Finding them will mean dragging the scope out and I wanted to avoid this. Once again, it’s a DUAL link digital cable. Using a single link or analog cable won’t work. Using a DVI monitor will also not work. Assuming that the LVDS connections are directly driving this port you might even kill the LVDS drivers trying. I didn’t but I may have been lucky.

This is a single link DVI cable, it’ll power up the monitor but it won’t work!
This is the one you need, known as a dual link cable

Next is the power connector. This is a standard 4 pin molex as per the PC 12Aux connector from an ATX PSU. I’ll pop the pinouts up in a lil while. A word here, these things are very picky about supply voltage. If you supply under 12V they won’t even try and power up.
The pinouts as far as I’ve been able to discover.

This is all you need to get it powered up. The ? pin goes to an optocoupler and I suspect is for the brake/handbrake input. Pin 1 must be pulled up to +12V to get the unit to power on. If it is allowed to go low the unit will shut off after a second or two. There is no load on this pin as this is all carried by pin 3. This is used to charge the internal pack and run the unit. A 5A fuse in this line would be good. The PSU *MUST* provide a good quality output. I had a LOT of issues getting going and it turns out it was mostly down to PSU issues; I was using an ATX PSU and the +12V was occasionally wandering down as low as 11.4V which was enough to upset the unit.

I reused an ATX Aux12V connector to get running. Realise if you do this that the colour codes are totally and utterly wrong!

Internally you have a plethora of hard drive options, however here you’ll hit the first real snag. The SATA headers will recognise an optical drive, but they won’t boot from it. The IDE header is also 2.5″ IDE so unless you have an adaptor cable that’s not going to happen either.

You’ll need a 2 pin molex minifit to get +5V power for your drive if you are going the SATA route; in my case I’ve used a 32Gb Team SSD. You could equally use a CF card. Soldering in a SATA power connector is an option as below. However this will ONLY work with laptop drives that only use +5V.


Now, there is a SATA connector on the Terrafix board, the aforementioned 2.5″ IDE header and a CF slot. There is also a CF slot on the CPU card and two SATA ports. The CF card slots are bootable as are the SATA ports, although the ones on the CPU card seem more reliable. USB booting does not work, network booting definitely does.

The CPU on here is an AMD Geode at 500MHz, so realistically with the 512Mb of RAM you are looking at Linux or XP. 7 *might* boot but based on experiences with Atom based machines, it won’t be much use. If going the XP route then look at XP Embedded. It’s still supported and is undoubtedly the way Terrafix went. A low footprint Linux install would work too.

Setup Time
Here’s the good news. Windows 7 PE won’t work. Win XP PE *might* but I have no means to test it. Bootable USB media doesn’t work and booting off the IDE header seems to. There is another BUT here. You are going to need the VIA VT6421 drivers. You can either slipstream these in with nLite OR if you can find a USB floppy drive and a disk, do it that way. If you are going the Linux route I have tested Debian and it went on with no real issues. I have made an image with nLite that’s missing a lot of the cruft and is tweaked specifically for this sort of application, however you will need an XP Pro licence key and you need to bear in mind XP is discontinued. I may upload this later.
If you have a 2.5″ to 3.5″ adaptor it’s not all plain sailing. It seems that the header they have used is a bit too narrow for a standard laptop IDE header; I had to shave the edges of mine down a little with a scalpel. I pulled +12V off of the PSU I was using and picked +5V up off of the IDE cable. A good ground is important too, don’t rely on the ribbon.


Alternatively you should be able to use a USB drive. The BIOS supports USB CD-ROM and Win XP will set up fine from one, however I only have a DVD drive which it doesn’t seem to like. You’ll need a powered drive too as the power output of the USB ports is pretty low.

You *could* in theory use another machine, do the OS install on there and move it over, however you are going to hit the same driver issues when you move it over. Unless you have something with a VT6421 controller in (it’s an OLD chip) this is probably not the best way.

There is also provision for a reset button which may be handy while setting up. Simply short the pins.


I had issues with corrupt disks, lockups and all manner of silliness; this all seems to have been caused by a combination of PSU issues as above and a bad stick of RAM.

All the drivers are available. I’ll likewise pop these somewhere however there seems to be an issue with the multi port serial and possibly the modem too. This could be the bit that causes issues.

Not one of the serial ports seems to do anything; in addition the modem must be powered on. Whether it is or not, there’s no way to tell, but I suspect there is some funky stuff going on with the Altera CPLD under the processor board. It may be there is an inhibit line there that needs tweaking. For now I need to get the scope out and see what comes out of the UART and where it goes.

 

When will we learn?

So the IoD have called for more government action in the shadow of the TalkTalk hacks.

Let’s look at this quickly. IT security is a necessary evil nowadays; no matter how big or small you are you WILL be attacked. As an example, while setting up an Asterisk system for our Canada office it was very briefly open to the world. It took less than 5 minutes for it to be attacked (unsuccessfully), however let’s put that into perspective…

There are at last guess, 3,706,452,992 public facing IP addresses out there. Yet in 5 minutes a number of people noted and attacked just one. If you take the assumption that seems to be the norm with many directors that there are a small group of hackers in their bedrooms then the odds of hitting our server are similar to hitting the lottery. This points to a more likely and well known scenario in the security community, that this is a major form of organised crime.

Now with such a vast address space it suddenly makes no sense from an economic point to concentrate all your resources on one single host. In fact it’s easier to scan and pick on the low hanging fruit. The misconfigured, poorly maintained badly written sites and those relying on security through obscurity. And here we come to the crux of it.

As a director you are responsible for your business. You make sure your premises are secure, you make sure all your staff are safe and you protect your business. And yet for many businesses, especially larger ones, IT is simply something you must have and the trick is to spend as little money on it as possible. Your IT provider is responsible for your security online and making sure your internet presence is as safe as your real work presence. When this department is typically starved of resources, contracted to the lowest bidder with no check of their credentials, or outsourced, things can and do go wrong.  You wouldn’t go to B&Q and put £5 locks on all your doors, but for most the ISP’s supplied free router, and a £5 a month hosting package are ‘good enough’.

And Talk Talk? It’s looking like it was an SQL Injection attack, the kind that every IT professional knows about, knows the risks and knows to NEVER allow out into the wild. If this was the cause of the leak TalkTalk should be sued into oblivion and its directors jailed. It’s inconceivable that a company so big dealing with so much data should fall prey to such a basic flaw.

So no, IoD, we don’t need more government help. We need you to give your members a BIG wake up call. IT has been starved and treated as something you have to have but spend as little as possible on for too long, so much that it’s become institutionalised. This needs to change, or more of your members will fall the same way. This is a problem your members have caused and they alone can fix.

If government help is needed it’s to make this behaviour on behalf of company directors a criminal offence with strong punishments to include custodial sentences and large fines. Stop starving IT of resources from being a viable cost cutting measure.

Realtek Support in ESXI 6

This is more a note for me. I’m always forgetting this. Most motherboards use a Realtek chip so the following will get it going in most cases. You are going to need to reboot so make sure all clients are stopped.

Grab https://vibsdepot.v-front.de/depot/bundles/net55-r8168-8.039.01-napi-offline_bundle.zip

Pop it in your datastore, in my case it goes (with other bits I need) in the first datastore, eg the default one called datastore1.

Enable SSH server in BOTH services and firewall, under Configuration -> Security Profile. If you plan on using SSH after this make sure that you set SSH server to ‘Start with host’ else it’ll be gone when you reboot.

SSH into the server

esxcli software acceptance set --level=CommunitySupported

esxcli software vib install -d /vmfs/volumes/datastore1/scratch/net55-r8168-8.039.01-napi-offline_bundle.zip

reboot

Once the server reboots your NIC should show.