Tag Archives: tx140 s2

Fujitsu iRMC S4 on the TX140 S2

Fujitsu servers come with a remote management solution called iRMC S4 (newer models have iRMC S5). iRMC S4 and S5 are like other lights-out remote management solutions from HP (iLO) or Dell (iDRAC) which comprises a baseband management controller firmware along with other software utilities to remotely configure and manage servers. Importantly though, iRMC S4 runs Linux.


Before we get into the hardware of iRMC S4, let us examine the firmware update process. iRMC S4 follows a pretty typical BMC firmware update process: Fujitsu’s support website offers firmware downloads, and the iRMC web management interface allows you to upload the update which is then written to the inactive firmware slot.

As is common for enterprise hardware, there is no rollback protection, so you can downgrade the installed firmware to previous versions. I did not extensively test this functionality though, so there may be limits to how far you can downgrade as the firmware modifies the persistent conf partition (which is not redundant).

Running binwalk against the update file for the TX140 S2, we can immediately see that it is not encrypted:

$ binwalk FTS_TX140S2D3239iRMCKronos4FirmwareUpdatefo_TX140S20960Fsdr0344_1233853.BIN 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
148820        0x24554         U-Boot version string, "U-Boot 1.1.6 (Sep 22 2015 - 17:25:45)"
150076        0x24A3C         CRC32 polynomial table, little endian
184888        0x2D238         CRC32 polynomial table, little endian
589824        0x90000         uImage header, header size: 64 bytes, header CRC: 0x2658385F, created: 2020-04-01 11:24:03, image size: 27389952 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x6B45479A, OS: Linux, CPU: ARM, image type: RAMDisk Image, compression type: none, image name: ""
589888        0x90040         CramFS filesystem, little endian, size: 27389952, version 2, sorted_dirs, CRC 0x6745F599, edition 0, 15794 blocks, 4707 files
27983936      0x1AB0040       uImage header, header size: 64 bytes, header CRC: 0x27056A57, created: 2019-11-04 16:46:29, image size: 3042664 bytes, Data Address: 0x80808000, Entry Point: 0x80808000, data CRC: 0x222093D7, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.14.17-ami"
27984000      0x1AB0080       Linux kernel ARM boot executable zImage (little-endian)
28002116      0x1AB4744       gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
31129600      0x1DB0000       CramFS filesystem, little endian, size: 45056, version 2, sorted_dirs, CRC 0x52551191, edition 0, 31 blocks, 12 files

As far as I have been able to determine, here is the firmware layout of iRMC S4 on the TX140 S2:

00000000:0008ffff uboot1
00090000:01aaf040 root1 # cramfs1
01ab0040:01daffff zImage1
01db0000:01dc0000 platform1 # sdr1
01e24554:01e8ffff uboot2
01e90000:038af040 root2 # cramfs2
038b0040:03baffff zImage2
03bb0000:03bc0000 platform2 # sdr2
03c00000:03ff0000 conf
03ff0000:03ffffff fru

These correspond to the lower and higher firmware slots in iRMC S4, and ensure that the firmware you are updating is not the currently running firmware.


So, could our way into iRMC S4 be as easy as modifying the cramfs from the firmware update?

Unfortunately, no. The update is signed and the signature is checked by /usr/local/bin/flasher against an RSA-1024 public key located on the conf partition prior to overwriting:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdgO/cGwthsFEZLuohVB5DNvU/
LolrQobsNASL4Sc+uzn8PsULIPiG0v3zhR8zCwlChmF/umVvk1gxKy5cAY0Bj3oo
cUhXwHf4t2ty+2ZY+p975Yg6YonQJSTKVPVfBlk/9PqNRj/Ih5P3zqd80YxAoKhX
i77qhLxjehHLsRSP2QIDAQAB
-----END PUBLIC KEY-----

Attempting to modify and repack cramfs results in the following output to the UART:

[1533 : 1533 INFO]VerifyImage
Signature Verification Failure
[1533 : 1533 CRITICAL][utils.c:1241]Signature verification failed 
[1533 : 1533 CRITICAL][utils.c:1522]Encrypted hash of Image and the actual contents of rom.ima does not match

With our software-only modification route looking grim, it is time to move on into the realm of the evil maid.

On the TX140 S2 the BMC UART has been routed to pads, located just below PCIe slot 2, which are easily soldered to:

BMC UART connections on a Fujitsu TX140 S2 motherboard
BMC UART on the TX140 S2 (D3239) motherboard

To stop the default boot sequence, press Escape within 2 seconds:

U-Boot 1.1.6 (Jun 20 2013 - 09:09:05)

DRAM:  247 MB
Fast clk is set
Found SPI Chip Macronix MX66L51235F 
Flash: 64 MB
Net:   pilot_eth0, pilot_eth1
Hit Esc key to stop autoboot:  0 
------ Boot Options-------
        0. Normal Boot
        1. Diagnostics
        2. Remote Recovery
        3. Management Console
        4. Raw Console
Select Boot Option:

Despite requesting the GPL source code for iRMC S4 in December 2020, Fujitsu still has not provided the source code. Without the source code for u-boot, it is difficult to determine if there are any routes that could lead to easy exploitation.


Getting a root console is relatively straightforward with soldering or a chip jig. If you use a jig, you will need very steady hands as flashrom requires 20-30 minutes to write and verify the 27MB cramfs region.

512MBit MXIC flash of the TX140 S2 iRMC S4 BMC

Lucky me, Fujitsu engineers considered physical modification of the iRMC S4 firmware out of scope, and there is no secure boot or signature verification of the cramfs on flash.

Since we can manipulate cramfs, we can bypass the stock Fujitsu shell and replace /usr/local/bin/remman with a symlink to /bin/sh and SSH as the admin user. This is not particularly useful though, as the admin user is not root sysadmin, and the busybox that Fujitsu ship is lacking the su applet, so there’s no way to easily escalate your privileges from admin to sysadmin once logged in.

~ $ id
uid=1002(admin) gid=501(ipmi) groups=501(ipmi),504(lanoem),510(serialoem),528(iRMCsettings),529(RemoteStorage),530(UserAccounts),531(VideoRedirection),532(CfgConnectionBlade),535(RemoteManager)

The uid 0 account is not called root, but rather sysadmin with the password superuser:

sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:18627:0:99999:7:::

The sysadmin account is not visible in the iRMC web interface and, as far as I can tell, the password cannot be changed (unless you physically modify the contents of cramfs). I believe the account is leftover from the SDK that iRMC S4 appears to be based on.

All my attempts to login as sysadmin via SSH or uart with the default remman shell were unsuccessful, so it doesn’t appear to be a security risk out of the box.

However, once you have replaced /usr/local/bin/remman with a symlink to /bin/sh it is possible to login as the sysadmin user and enjoy root access to your iRMC S4.

Fujitsu TX140 S2

The SuperMicro X10SLE-F is nice, but it has very limited expansion; no PCIe slots and the MicroLP adapters with SFP+ are insanely expensive. Fujitsu motherboards, in the EU, are quite cheap (33€ on eBay) and I have never owned a Fujitsu system before, so I thought I would give it a try.

Fujitsu TX140 S2 motherboard

The first order of business, since I bought a bare motherboard, is to power it from an ATX power supply. Luckily for me, other people have determined the 16-pin power supply pinout:

Fujitsu 16-pin power supply pinout

Side note: this appears to be a common power supply connector for Fujitsu motherboards with a 16-pin power connector. The Celsius W520 uses the same pinout.

The 12V rail appears to go directly to the PCIe slots and is completely isolated from 12V V1.


If the ambient temperature sensor is absent, iRMC considers the system in an error state. The Global Error/CSS lights are flashing and the fans run at full speed (100% PWM).

Unfortunately the ambient temperature sensor is integrated into the front-panel assembly (c26361-k644-c550), which I don’t have:

I couldn’t locate the technical manual for the TX140 S2 (D3239), but technical manual of the TX140 S1 (D3049) has the following to say:

Measurement of the processor and the system internal temperature by an onboard temperature sensor, measurement of the ambient temperature by a I²C temperature sensor.

System board D3049 for PRIMERGY TX140 S1 / TX120 S3 – Technical Manual

I am unaware of any publicly available pinout of the 16 pin front-panel header (2×8, 2.0mm spacing), so I reverse engineered it:

Fujitsu TX140 S2 front panel pinout

In table format:

PinDescriptionPinDescription
1SDA (serial data)23.3V
3Ground4SCL (serial clock)
5CSS LED positive (Customer self service)6ID button
7ID LED+ (anode)8NMI button
9Reset button10Global Error LED+ (anode)
11Ground12HDD activity LED+ (anode)
13Standby LED+ (anode)14Power LED+ (anode)
15Power button16Key (pin absent)
Fujitsu TX140 S2 front panel pinout

We can confirm the I²C pins with a logic analyzer:

I²C found

Now unfortunately, there are no high resolution photos of the front-panel PCB, so it’s not possible to easily determine which I²C temperature sensor is being used.

There is a photo of a Fujitsu RX300 front-panel with a failed temperature sensor, but that is only enough to allow us to guess the chip model as the Texas Instruments LM75.

The CJMCU-75 is a cheap and readily available LM75 sensor

We can also guess the I²C address from the RX300 front-panel: all 3 address lines should be tied to VCC.

Now with the sensor connected to the front-panel connector using the pinout above, it is time to find out if Fujitsu used the same ambient temperature sensor on the RX300 and TX140 S2, and if I guessed the I2C address correctly.

Yes, iRMC S4 reads the ambient temperature from the CJMCU LM75!

There is a chassis IDPROM also in the front panel assembly, which from the iRMC log appears to store a backup of the BIOS parameters after successful POST. I consider the IDPROM somewhat optional, as iRMC does not consider it a critical component in terms of server functionality.


First impressions are good, power consumption is very low, though not as low as the X10SLE-F. Idle power consumption in Linux is under 20W with an E3-1220 v3 and 16GB of PC3L-12800E.

lspci output:

00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v3 Processor DRAM Controller (rev 06)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor PCI Express x16 Controller (rev 06)
00:01.1 PCI bridge: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor PCI Express x8 Controller (rev 06)
00:14.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family USB xHCI (rev 05)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 05)
00:1a.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #2 (rev 05)
00:1c.0 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #1 (rev d5)
00:1c.2 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #3 (rev d5)
00:1d.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #1 (rev 05)
00:1f.0 ISA bridge: Intel Corporation C224 Series Chipset Family Server Standard SKU LPC Controller (rev 05)
00:1f.2 SATA controller: Intel Corporation 8 Series/C220 Series Chipset Family 6-port SATA Controller 1 [AHCI mode] (rev 05)
00:1f.3 SMBus: Intel Corporation 8 Series/C220 Series Chipset Family SMBus Controller (rev 05)
00:1f.6 Signal processing controller: Intel Corporation 8 Series Chipset Family Thermal Management Controller (rev 05)
03:00.0 VGA compatible controller: Matrox Electronics Systems Ltd. MGA G200e [Pilot] ServerEngines (SEP1) (rev 05)
03:00.1 Co-processor: Emulex Corporation ServerView iRMC HTI
04:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)

I have requested the GPL source code of iRMC from Fujitsu, and if they get back to me with the source code I may have some interesting findings to share. Stay tuned…