A Guide to Hacking AMOS

The Alpha Micro computer is a fairly easy system to understand, for those
of you familiar with VAX systems. The operating system (AMOS) is a ripoff
of the DEC stuff, so many commands are similar. This is a guide on how to
use the Alpha.

Background on security:
---------- -- ---------

When the Alpha Micro leaves the factory, it does not have any type of
security feature built into it, except for certain higher end models,
which will be discussed later. Thus, if the user installs a modem directly
on the system and you call in, you'll be at the OS level already. Pretty
easy, eh?

Due to the lack of a cursor display character, the pound sign (#) will be
used to represent the cursor throughout this document. The prompt for AMOS
is a period, which users refer to as the dot. When you log on, you'll see
this:

.#

At this point, you can type away and use the various accounts and programs
on the system. When you first connect, depending on how the last user left
the modem, you may or may not be logged in to a partition. To verify this,
type in the LOG command.

.LOG

The computer will respond in one of two fashions. If it says "Not logged
in", then you will have to log to an existing account. If it says "Current
login is DSK1:[203,1]", then there is no need to scan for an account right
away.

Perhaps the most important thing to do after this is to do a SYSTAT, which
will let you know who else is on the system, what account and program each
job is using, and other info.
Example:

.SYSTAT
Status of AMOS/L version 1.3D(165) on Friday, November 11, 1988 03:24:54 PM

JOB1  TRM1  DSK1:201,3  0067732 ^C CONECT 122880 bytes at 4505554
JOB2  TRM2  DSK0:1,2    0024984 TI SYSACT 176800 bytes at 4505554
JOB3  TRM3  Not logged  0015460 ^C MEMORY  12288 bytes at 3137554
MODEM HAYES DSK0:1,4    0037325 SL SYSTAT  67912 bytes at 2179023

4 jobs allocated on system, 3 jobs in use (3 logged in)
Total memory on system is 2048K bytes
System uptime is 07:28:19
DSK0 26402 blocks free
DSK1  3578 blocks free
4 devices on system, total of 29980 blocks free
.#

Here's a quick rundown on what each column means...

Col 1: The name of the job
Col 2: The terminal to which the job is attached
Col 3: The device and account into which the job is logged
Col 4: The octal memory address where the JCB is located
Col 5: Terminal status for that job
Col 6: Last program run by that job
Col 7: Number of bytes (decimal) of memory allocated
Col 8: Octal memory address for the beginning of the memory partition

The rest is self explanatory. The 5th column (terminal status) uses a
number of codes, which need explaining. Here's each abbreviation and what
it stands for:

TI  Terminal input wait state
TO  Terminal output wait state
LD  Program load state
SL  Sleep state
IO  I/O access other than terminal
EW  External wait state
RN  Running
SP  Suspended state
SW  Semaphore wait
^C  Control-C

The SYSTAT program can be used even when you are not logged in, which is a
plus if you wish to access an account without knowing the password. There
is another program, called STAT, but don't use this. It constantly updates
the screen, and will mess you up if you're using a modem.

Before going further, it should be mentioned how the Alpha Micro computer
is structured. On each system you will find a number of hard drives
subdivided into logical units (LU's). These may be named in any fashion by
the sysop, the only limitation being that the LU name is three letters or
less in length. This is then followed by the device number.
Sample LU's may look like: DSK0:, DSK1:, WIN0:, HWK3:, etc.

On each disk is found a grouping of accounts, also known as partitions, or
PPN's (project, programmer number). It is in these accounts that you log in
and execute programs. These are enclosed in square brackets [], to separate
them from the disk specification. When used all together, it looks like
this:

DSK0:[1,2], DSK0:[1,4], WIN3:[100,0], DSK4:[377,7]

System Commands:
------ ---------

When in doubt, type HELP. This will give you some online information about
the system you are currently logged in to. Below is a list of some of the
more common commands that you can use.

ASCDMP -- displays the data in physical blocks in ASCII form.
ATTACH -- connects a job to a terminal.
BASIC  -- places you in interactive BASIC mode.
BATCH  -- loads frequently used commands to your memory partition.
BAUD   -- changes the baud rate of your terminal.
CAL100 -- allows you to calibrate the clock oscillator.
CLEAR  -- writes zeroes to all free disk blocks.
COMPIL -- use this to compile BASIC programs.
COPY   -- copies one or more files between accounts or disks.
CREATE -- creates a random file of specified size (any size!!).
CRT610 -- verifies quality of videocassette backup media.
DATE   -- returns the current system date.
DING   -- rings the terminal bell.
DIR    -- gives a directory listing for specific files or accounts.
DIRSEQ -- alphabetizes all current entries in an account.
DSKANA -- analyzes the data on a disk, and reports errors.
DSKCPY -- copies the contents of one disk onto another disk.
DSKDDT -- allows you to examine and change data directly on disk.
DSKPAK -- packs the blocks in use to create an area of free blocks.
DUMP   -- displays file contents & memory on the screen.
ERASE  -- deletes one or more files from disk.
ERSATZ -- displays the currently defined ersatz names.
FIX    -- disassembles assembler (.LIT) code.
FORCE  -- allows you to send terminal input to another job.
HELP   -- displays all available help files for the system.
JOBALC -- displays your job name.
JOBPRI -- determines your job priority, and changes others' priority.
JOBS   -- shows all jobs on the system, and how many are in use.
KILL   -- kills the program being run by another job, or a single job.
LNKLIT -- creates ML programs by linking object code files.
LOAD   -- loads disk files into your memory partition as memory modules.
LOG    -- logs you into an account so you can access the files there.
LOGOFF -- logs you out of the account you were logged into.
MAKE   -- creates the first record of a SEQ file (make a bogus file).
MEMORY -- allocates memory to your job (e.g. .MEMORY 64K).
MONTST -- tests the system monitor by bringing the system up anew.
MOUNT  -- see which disks are on the system. Use /U to unmount a disk.
M68    -- assembles an assembler program into an unlinked ML file.
PASS   -- allows you to change your account password.
PPN    -- displays a list of all accounts on a logical device (e.g. DSK0:).
PRINT  -- sends one or more files to a printer.
QDT    -- allows you to examine and modify locations in memory.
REBOOT -- reboots the system after hitting RETURN.
REDALL -- diagnostic test that looks at the disk & reports read errors.
RENAME -- renames files in an account from one name to another.
RUN    -- runs a compiled BASIC program.
SAVE   -- saves memory modules as disk files.
SEND   -- sends messages to other terminals on the system.
SET    -- sets terminal handling options for your terminal.
SLEEP  -- puts your job to "sleep" for a period of time.
SORT   -- alphabetically & numerically sorts data in a SEQ file.
STAT   -- displays & continually updates the status of all system jobs.
SUBMIT -- used to enter, change, or delete files from the task manager.
SYSACT -- used to change account passwords, or initialize a disk.
SYSTAT -- mentioned above.
TIME   -- displays or sets the time of day.
TRMDEF -- gives information about the system terminals.
TYPE   -- displays a text file on the screen (use the /P switch).
VCRRES -- reads files from videocassette to disk.
VCRSAV -- saves files from disk to videocassette.
VER    -- gives you the version of the current operating system level.
VUE    -- creates and enters the text editor. Use ESCape to toggle modes.

You have to be careful with how the programs are used. If done
inappropriately, you could do major damage to the computer. Many of the
above programs can only be executed from the operator account DSK0:[1,2].

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Entering via BASIC:

There is a back door in the version of BASIC that comes bundled with AMOS.
Depending on the type of security present, you can gain access to the
system operator account (DSK0:[1,2]), which gives you the power to do quite
a few things. What the command essentially does is poke into memory the
appropriate values to give you sysop access. Type this in at the dot
prompt (.):

.BASIC
AlphaBASIC Version 1.3 (217)

READY
#

Once inside BASIC, type in this command as seen below; it doesn't matter
if you use upper or lower case.

WORD(WORD(1072)+20)=258
BYE
.#

The BYE command exits you out of BASIC and puts you back at the OS level.
You can also rename files and open files via BASIC. Depending on the
security in the system, if you typed in everything as above, you should be
logged into DSK0:[1,2], also known as OPR:. This is the system operator's
account, from which all types of commands can be issued.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

When you finally get connected to the system, you need some place to log in
to. There are certain default accounts on every system. These are:

OPR: --> DSK0:[1,2]
SYS: --> DSK0:[1,4]
DVR: --> DSK0:[1,6]
CMD: --> DSK0:[2,2]
LIB: --> DSK0:[7,0]
HLP: --> DSK0:[7,1]
BOX: --> DSK0:[7,2]
BAS: --> DSK0:[7,6]
MAC: --> DSK0:[7,7]

While logging around to the different accounts, some will have defined
"ersatz" names. This means that besides the [p,pn] specification, you can
access that account with a defined name.
In the above examples, logging into SYS: is the same as logging into
DSK0:[1,4].

As mentioned previously, older models of the Alpha Micro did not have any
security built in to them. Later versions of the operating system have
changed this, though. Once you get connected and you try to log into an
account, you may be asked for a password. The word you type is not echoed
on your screen. Two default passwords that you can try for logging purposes
are "DEMO" and "SYSTEM SERVICE". These are not case-sensitive, so you can
type them in either upper or lower case.

If neither of these work (which is unlikely, since people are too lazy to
change them), try running the SYSTAT command. What happens is that you will
often see people logged in under a short (6 characters or less) user name,
such as JOHN, AMY, SUSAN, etc. Try logging in with one of these as your PW.
80 per cent of the time it will work.

If you've gotten into the system this far, then good. There are lots of
things to do or access. If you're looking around for information, it is
contained in files that end in a .TXT extension. These may be examined by
using the TYPE command from AMOS. The syntax would be:

.TYPE MODEM.TXT/P

The /P is not required, but is useful, because otherwise the file would be
displayed too quickly for you to look at. The /P switch displays the
contents one page at a time. Pressing RETURN will scroll through the text.

One word of warning: Don't use the TYPE command on .LIT, .SBR, or .OBJ
files; doing so will usually result in your terminal being locked up,
effectively ending your session.

Now let's say you wanted to check out the files that are in other accounts.
Usually all that is needed is to simply log there. However, certain accounts
will be passworded. There is no simple way to just dump the contents of a
disk block and see what the PW is. There are alternatives, however. One
method is to log into the operator account (DSK0:[1,2]) and use the SYSACT
command.
This lets you do various things to the disk, but the one you would be
concerned about lists all of the accounts on a particular disk. The command
works like this:

.SYSACT DSK0:
*#

Use the "H" command to get a listing of all the available commands from
within SYSACT.

*h
Implemented commands are:
A PPN - Add a new account
C PPN - Change password of an account
D PPN - Delete an account
E     - Rewrite MFD and exit to monitor
H     - Help (Print instructions)
I     - Initialize entire disk
L     - List current accounts

The last one, "L", is the one we're concerned with. Press RETURN after it
to see a listing of all the accounts on the disk. Passwords (if any) will
be displayed to the right. The "C" option will allow you to change the PW
on an individual account. Then press "E" to go back to the command level.

If you want to check out a file a little less elegantly, this may be done
by simply copying the file to an unpassworded account or by typing the file
from another account.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Account and file structure:

As explained before, there are accounts on the disk, which may or may not
contain files. AMOS maintains this account structure on the disk. In fact,
a listing of which files belong in which account is kept in the account
directory.

There are two types of files possible on the Alpha Micro: sequential
(linked) and random (contiguous) files. Each block is 512 bytes in length,
which may or may not be filled up totally. Files may not overlap onto
another disk, and each disk block has a unique number by which AMOS
references it.

The format of most Alpha files is sequential -- AMOS reads in each disk
block of the file, which tells it the disk address of the next disk block.
The key point is that to access one block of data, you have to access all
preceding blocks. When AMOS writes a sequential file to the disk, it looks
for the first free disk block.
It writes a copy of the first file block into that disk location. Next, it
looks for another free disk block. This next disk block may or may not be
anywhere near the first block used. This process goes on until the entire
file is transferred to the disk. The disk blocks that make up the file may
be scattered across the disk. Each disk block in the file contains a
portion of the file; it also contains the address of the next disk block
used by the file.

    *-----------*-----------*
    | Address of| Data in   |
    | next block| file block|
    *-----------*-----------*

Sequential files are also called linked files because the disk blocks are
linked together by the information in each block that points to the address
of the next disk block. The last block in the file is designated as such by
a link of zero. It looks like this:

  *-----------*--------*    *-----------*--------*    *----------*-------*
  | Address of| DATA   |--->| Address of| DATA   |--->| EOF      | DATA  |
  | next block|        |    | next block|        |    | Zero link|       |
  *-----------*--------*    *-----------*--------*    *----------*-------*

Random files differ from their sequential counterparts because the data in
them can be accessed randomly. AMOS knows how long the files are, and also
knows exactly where the files begin on the disk. The operating system can
therefore access any block in a file by computing an offset value from the
front of the file, and then reading the proper disk location. The
distinction between random and sequential is that since the disk blocks
don't have to be accessed in any particular order, AMOS can locate specific
data in a file more quickly.

When a random file is written to disk, AMOS searches for the first group of
free contiguous blocks large enough to hold the entire file. If there aren't
enough blocks on the disk, the message "Disk full" appears.
Random files look something like this:

    *---------------*---------------*---------------*---------------*
    | File block #1 | File block #2 | File block #3 | File block #4 |
    *---------------*---------------*---------------*---------------*

Once a random file is allocated on the disk, it is not possible to expand
it. Random files are used mainly for applications where the file length
remains constant.

The first block on a disk (block 0) is the disk ID block. Alpha Micros use
this disk block to maintain permanent identification information about the
disk. The next block (block 1) is the Master File Directory (MFD). At block
2 lies the disk bitmap. The bitmap is the structure that keeps track of
which blocks on the disk are in use, and which are available. The bitmap
contains one bit for each block on the disk. If a block is in use, the bit
in the bitmap that represents that disk block is a 1; if the block is
available for use, its bit in the bitmap is a 0. The bitmap is permanently
stored on the disk beginning with block 2 and extending as far as
necessary. The last two words in the bitmap form a hash total, which lets
AMOS tell whether some data in the bitmap has been destroyed; if it has,
there is a chance that data corruption has occurred. The procedure for
writing data to the disk is:

[1] Find in memory a copy of the bitmap of the disk to be accessed.
[2] Compute the hash total of the bitmap and check it against the stored hash.
[3] Consult the bitmap to find the next free block.
[4] Change the bitmap to show that the block is in use.
[5] Recompute the bitmap hash to reflect the modified bitmap.
[6] Write the modified bitmap back out to the disk.
[7] Write the data to the chosen block.

Every disk contains one Master File Directory (MFD). The MFD is one block
long, and contains one entry of four words for each user account allocated
on that disk. This imposes the limitation of a maximum of 63 user accounts
per disk. Each entry in the MFD identifies a specific account directory.
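The bitmap write procedure just listed, together with the sequential (linked) and random (contiguous) file layouts described above, as an added Python model; this is an illustration written for this guide, not Alpha Micro code. Block size and the zero EOF link come from the text; the one-word link field and the hash function are assumptions, since the real two-word hash total algorithm is not given.

```python
# Toy model of the disk structures described above (added illustration, not
# Alpha Micro code). Block size and the zero EOF link come from the text; the
# one-word link field and the hash function are assumptions (the real two-word
# hash total algorithm is not given), chosen only so corruption is detectable.
BLOCK = 512           # bytes per disk block
LINK = 2              # assumed: one 16-bit word holds the next-block link
DATA = BLOCK - LINK   # data bytes left in each block of a sequential file


class Disk:
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.bitmap = [1, 1, 1] + [0] * (nblocks - 3)   # ID block, MFD, bitmap
        self.hash = self._hash()                          # stored hash total

    def _hash(self):      # stand-in for the two-word hash total at the bitmap end
        return sum(bit << (i % 16) for i, bit in enumerate(self.bitmap)) & 0xFFFF

    def check(self):      # step [2]: a mismatch means the bitmap was damaged
        if self._hash() != self.hash:
            raise RuntimeError("bitmap hash mismatch: possible corruption")

    def _claim(self, b):  # steps [4]-[6]: mark in use, rehash, write back
        self.bitmap[b] = 1
        self.hash = self._hash()

    def write_sequential(self, data):
        """Linked file: each block is the first free one found; returns the first."""
        chunks = [data[i:i + DATA] for i in range(0, len(data), DATA)] or [b""]
        used = []
        for _ in chunks:
            self.check()                                   # steps [1]-[3]
            free = next((b for b, bit in enumerate(self.bitmap) if not bit), None)
            if free is None:
                raise RuntimeError("Disk full")
            self._claim(free)
            used.append(free)
        for b, chunk, nxt in zip(used, chunks, used[1:] + [0]):   # 0 = EOF link
            self.blocks[b] = nxt.to_bytes(LINK, "little") + chunk.ljust(DATA, b"\0")
        return used[0]

    def read_sequential(self, first):
        """Follow the links; the Nth block is reachable only via the N-1 before it."""
        out, b = b"", first
        while b:
            out += self.blocks[b][LINK:]
            b = int.from_bytes(self.blocks[b][:LINK], "little")
        return out.rstrip(b"\0")   # padding removed; real files record a length

    def write_random(self, nblocks):
        """Contiguous file: first run of free blocks big enough, else Disk full."""
        self.check()
        run = 0
        for b, bit in enumerate(self.bitmap):
            run = 0 if bit else run + 1
            if run == nblocks:
                start = b - nblocks + 1
                for k in range(start, b + 1):
                    self._claim(k)                         # steps [4]-[6]
                return start
        raise RuntimeError("Disk full")
```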
Individual account directories are known as User File Directories (UFDs).
The entry contains the account PPN, the number of the first block used by
the UFD, and the password assigned (if any). The MFD contains one entry for
every UFD on the disk. One UFD exists for each user account; it contains
one entry for each file in that account. These entries contain various
sorts of information relating to the file. A UFD may consist of more than
one disk block; if it is larger than one block, the first word of the UFD
block is nonzero and gives the link to the next UFD block.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Since the existing security on the Alpha Micro is lax, third party
companies have written their own security systems, making it considerably
more difficult to access a system. However, all is not lost. There are a
few ways to make things easier.

Default passwords are the first step. One of the security systems, known as
TSASS, has the default passwords of MAL, MAL, MAL for its prompts. You will
know that you've encountered an Alpha Micro running TSASS by the message:
"Welcome to a Time Sharing and Security System". Another security package,
UltraSafe, has the default PW's of OPR, OPR, OPR. An UltraSafe system is
harder to recognize because the prompts can be changed, although some more
common ones ask for NAME, PASSWORD, and GROUP.

The next option applies if you have found a password that lets you in, but
it is one of low security. This can automatically chain you into a menu or
shell program. Depending on how the system is configured, a string of
Control-C's (or any other key sequence) can mess up the buffer,
automatically causing the security system to crash, and bringing you to
AMOS, without being confined to the security program. The input must be
typed in rapidly, or it won't work. This method works for both TSASS and
UltraSafe.