Hello everyone,

I am currently engaged in a deep reverse engineering challenge concerning the HPE SmartMemory authentication mechanism used in ProLiant Gen10 servers (specifically tested on a DL380 Gen10).

The goal is to successfully modify the Serial Number (SN) in the DRAM Serial Presence Detect (SPD) EEPROM of non-HPE RAM modules (Samsung/Hynix/Micron) while maintaining the "SmartMemory" status (the green tick in iLO/BIOS).

The Problem: We have successfully cloned a full SPD dump from an original HPE Samsung module onto a non-HPE module, which works perfectly and gets the SmartMemory tick. However, when we attempt to change the 4-byte Serial Number (SN) at SPD address 0x145-0x148, the SmartMemory status is lost, even after correcting the known CRC-16 checksum.

Steps Taken & Findings:

1. Successful Cloning: A full raw dump from an original HPE Samsung module works perfectly on non-HPE modules (even Hynix/Micron), confirming that the physical chip brand is NOT the primary issue.

2. Known Checksum (CRC-16/CCITT-FALSE): We identified and successfully calculated the CRC-16/CCITT-FALSE over the range 0x145 to 0x18F (stored at 0x143-0x144). When the SN is changed, we recalculate and write the new CRC.

3. Failure Point: Despite correcting the CRC-16, the SmartMemory status is lost. This strongly suggests the existence of a secondary, cryptographically-derived signature (likely an HMAC or similar) that is dependent on the Serial Number and other data blocks.

4. SPD Checksum (0x7F): We also verified that the standard SPD Checksum (Sum of 0x00-0x7E, stored at 0x7F) is correct.

Hypothesis: The HPE SmartMemory authentication relies on a Digital Signature/HMAC stored in one of the reserved blocks (likely 0x1A0-0x1D9) that is calculated using a proprietary algorithm and a secret key, with the Serial Number as a key input.

Request for Assistance: Has anyone in the community successfully identified the algorithm, the data range, or the location of this secondary signature? Any pointers, especially from those who have worked on HPE Gen9/Gen10 server memory authentication, would be greatly appreciated.

We are willing to share more raw dumps (original and modified) for comparison and analysis.

Thank you for your time and expertise.

changed serial number 16gb.bin changed serial number 64GB.bin orginal 16GB.bin orginal 64GB.bin

To avoid blind guessing, I suggest you to get old iLO firmware packages and analyze them. See what conditions must be fulfilled in order to get the "SmartMemory" status.

If my google-fu is working, Gen10 servers use iLO5, here is it's general spec: https://www.hpe.com/us/en/collaterals/collateral.c04154343.html, and here are the download links https://support.hpe.com/connect/s/softwaredetails?language=en_US&collectionId=MTX-2dc80c4ae4b943fa. It would appear that older firmware packages didn't use any encryption, just some (trivial) compression, making the job so much easier.

Found this last week when I was looking for gen9 bios/firmwares

http://dl.mobinhost.com/Firmware/HP/iLO/

@kao

Yes, gen10 is iLO5.

It might be the same check on both generations, so maybe checking old iLO4 would also work...

@Niutish

Can the memory be programmed by soft or it can only be done via hw?

Does CH341A works for this?

PS: I have never reversed fw/bios, but I guess it can be backtraced from here?

LDR             R3, [R10,#0x10]
MOV             R2, R5
ADD             R0, SP, #0x194+var_64
MOV             R1, #0x40 ; '@'
BL              0x3EEFFE0
LDR             R2, [SP,#0x194+var_178]
ADR             R1, aMemoryModuleIs ; "Memory module is HP SmartMemory"

Edited Friday at 07:22 PM2 days by cachito