Page 1 of 2 12 LastLast
Results 1 to 20 of 21

Thread: Tracer Summit BCU Backdoor

  1. #1
    Join Date
    Apr 2006
    Location
    Columbus, Ohio
    Posts
    1,424
    Post Likes

    Tracer Summit BCU Backdoor

    We recently acquired a new building with Trane Tracer Summit. The previous owner took the Tracer Summit workstation with them and left nothing behind for the new owner. We attempted connection to the BCU with our Tracer Summit software and couldn't initially gain connection. We used the mini monitor port to extract the IP address and attempted connection again and at least got the site name to pop up when we uploaded the BCU. Unfortunately, the old owner deleted every single typical user account from the BCU. In our area, all Trane BCUs contain user accounts like "Tracer", "Srv", and "Ics". These user accounts don't exist on this BCU. I tried multiple usernames and all of them indicate that the user doesn't exist in the system. I am being told that going back to the old owner hasn't been an option so far.

    I was talking with someone at the local branch a few weeks ago and he mentioned that Trane has a way to backdoor into a BCU panel. I was curious as to what that process is? My email is in my profile if you would prefer to assist that way. Any feedback on this is greatly appreciated!
    J. King

  2. #2
    Join Date
    Apr 2005
    Location
    Boulder,CO.
    Posts
    636
    Post Likes
    Tracer Summit does include a feature that allows limited access in cases where all the security supervisor user names and passwords on a site are lost or deleted. The procedure requires a technician to call Controls Product Support and request access. Controls Product Support can generate a one-time code that will allow access to the site security editor for a limited time. The technician can then create a new security user, which will allow them to find the existing security supervisor user name and password or restore a deleted user.



    Security is a vital function within Tracer Summit and we take the integrity of our customers' systems very seriously. Our ability to access a system with a temporary password, while necessary, may be regarded as a vulnerability by our customers. For that reason Trane insists on receiving independent confirmation from the customer before providing a temporary password. The written request can be sent to Controls Technical Support via email.



    The request must include the customers' permission to access the system and their phone number so we may call to confirm.

    We also recommend the customer CC: the Trane Employee they are working with.

    Our email address is: ControlsTechnicalSupport@trane.com



    We apologize for the occasional inconvenience this policy will produce. We will do our best to deal with these requests as quickly as we can.



    Once permission is granted, you must call Controls Product Support back (or make arrangements to have a Controls Product Support agent call you back) and be sitting in front of a Tracer Summit workstation (the backdoor log on is an interactive process).



    From Tracer Summit:



    1. Restart Tracer Summit and log on with a User name of the current year (yyyy) and a password of the current month and day (mmdd).



    2. A password generation number now appears on the screen. Give this password generation number to the Controls Product Support.

    3. The agent will they will generate the password for you, enter this in the provided space.

    4.You now have 60 seconds to create a new user; it is vitally important that you give security supervisor rights (Operator Level 4) to this

    new user.

  3. Likes numbawunfela liked this post.
  4. #3
    Join Date
    Apr 2006
    Location
    Columbus, Ohio
    Posts
    1,424
    Post Likes
    Thread Starter
    Quote Originally Posted by controldude View Post
    Tracer Summit does include a feature that allows limited access in cases where all the security supervisor user names and passwords on a site are lost or deleted. The procedure requires a technician to call Controls Product Support and request access. Controls Product Support can generate a one-time code that will allow access to the site security editor for a limited time. The technician can then create a new security user, which will allow them to find the existing security supervisor user name and password or restore a deleted user.



    Security is a vital function within Tracer Summit and we take the integrity of our customers' systems very seriously. Our ability to access a system with a temporary password, while necessary, may be regarded as a vulnerability by our customers. For that reason Trane insists on receiving independent confirmation from the customer before providing a temporary password. The written request can be sent to Controls Technical Support via email.



    The request must include the customers' permission to access the system and their phone number so we may call to confirm.

    We also recommend the customer CC: the Trane Employee they are working with.

    Our email address is: ControlsTechnicalSupport@trane.com



    We apologize for the occasional inconvenience this policy will produce. We will do our best to deal with these requests as quickly as we can.



    Once permission is granted, you must call Controls Product Support back (or make arrangements to have a Controls Product Support agent call you back) and be sitting in front of a Tracer Summit workstation (the backdoor log on is an interactive process).



    From Tracer Summit:



    1. Restart Tracer Summit and log on with a User name of the current year (yyyy) and a password of the current month and day (mmdd).



    2. A password generation number now appears on the screen. Give this password generation number to the Controls Product Support.

    3. The agent will they will generate the password for you, enter this in the provided space.

    4.You now have 60 seconds to create a new user; it is vitally important that you give security supervisor rights (Operator Level 4) to this

    new user.
    Thanks for outlining this process! I assume that this process only works if the customer has a running Tracer Summit workstation with the site database on it? On the site in question, the old owner took the workstation with them. When trying this method during a BCU upload, it doesn't generate a temporary password. It will just say "user not found". Is there a method to get into a BCU that doesn't have a workstation on site?
    J. King

  5. #4
    Join Date
    Apr 2006
    Location
    Columbus, Ohio
    Posts
    1,424
    Post Likes
    Thread Starter
    Quote Originally Posted by apprentice3 View Post
    Thanks for outlining this process! I assume that this process only works if the customer has a running Tracer Summit workstation with the site database on it? On the site in question, the old owner took the workstation with them. When trying this method during a BCU upload, it doesn't generate a temporary password. It will just say "user not found". Is there a method to get into a BCU that doesn't have a workstation on site?
    I contacted our local Trane branch and it sounds like they don't know of another method to gain access if the workstation has been removed. They tried looking through their backup files, but couldn't really find anything for this site.

    If I create a new Tracer Summit database/ BCU with the same name and set my computer time back a couple of years, will the BCU synchronize its copy of the site back to my workstation? I don't want to risk deleting the site in the BCU, so I thought I would ask first. Any other ideas to access the BCU?
    J. King

  6. #5
    Join Date
    May 2003
    Location
    Connecticut
    Posts
    598
    Post Likes
    Do you have Summit on your Computer?

  7. #6
    Join Date
    Apr 2006
    Location
    Columbus, Ohio
    Posts
    1,424
    Post Likes
    Thread Starter
    Quote Originally Posted by #1servicetech View Post
    Do you have Summit on your Computer?
    Yes, That is how I have been trying to gain access. Since the workstation is gone and there are no backups to be found, I have been just trying to use my computer with Tracer Summit to perform an upload on the BCU. Since someone has removed all of the standard user accounts, it won't let me perform the upload. I tried doing the whole Trane backdoor with the year and the date. It seems like that will only work if you're trying to access a site database built into a workstation. Since I don't have the site database and I am trying to upload the BCU, the year and date thing isn't working. I have also used a couple tools to connect to the mini-monitor port to see if there was a way to reset the password or pull the backup. I am not seeing anything coming out at me.

    Any ideas on how to get into a BCU with my computer running Tracer Summit when none of the usernames or passwords are known?
    J. King

  8. #7
    Join Date
    May 2003
    Location
    Connecticut
    Posts
    598
    Post Likes
    It has been a while but I think that if you log in with a different account and go to configuration and add a new site. it will let you upload it.

  9. #8
    Join Date
    Apr 2006
    Location
    Columbus, Ohio
    Posts
    1,424
    Post Likes
    Thread Starter
    Quote Originally Posted by #1servicetech View Post
    It has been a while but I think that if you log in with a different account and go to configuration and add a new site. it will let you upload it.
    Yeah, that is part of my problem. I can log into my Tracer Summit software initially because I know the usernames/ passwords of the sites that I have on my computer. However, since none of my usernames/ passwords are available on the existing site, it won't let me perform the upload.

    My process so far has been.... I logged into my software with the standard username and password. I went into site configuration and clicked new. I setup my connection for BACnet IP to connect to the IP address assigned to the BCU. It goes to locate the BCU and it locates it. Since my username and password isn't compatible, it tells me that my user doesn't exist on the BCU. It prompts me to utilize a user account on that site to upload the BCU. The old owner took everything with them and we don't know what users are setup in the system (none of the standard ones are working).

    If I create a site database with the same name as the existing site that I am trying to upload and set my computer time backwards, will the BCU automatically synchronize its site to my computer? At this point, I am just trying to get the site on my computer. From there, I can utilize the backdoor to get into the system. The backdoor isn't working right now because I don't have a copy of the site on my computer and I can't get a copy through an upload due to the issues mentioned above.

    Thanks for your reply!
    J. King

  10. #9
    Join Date
    May 2003
    Location
    Connecticut
    Posts
    598
    Post Likes
    Have you tried the default username and password?

  11. #10
    Join Date
    Apr 2006
    Location
    Columbus, Ohio
    Posts
    1,424
    Post Likes
    Thread Starter
    Quote Originally Posted by #1servicetech View Post
    Have you tried the default username and password?
    Yes, I have tried the default username and password. I have also tried the standard "Trane Branch" user accounts (srv and ics). It claims that none of these user accounts exist on the BCU. Someone literally went in and removed every typical user account from the BCU. I even tried standard names of people, hvac, the building address, the building name, etc It claims that none of the user accounts that I have tried so far exist in the BCU.
    J. King

  12. #11
    Join Date
    May 2003
    Location
    Connecticut
    Posts
    598
    Post Likes
    The last thing I would try is a BCU Reboot. if that doesn't work you need tech support. also keep in mind that they could Have turned on the match case.

  13. #12
    Join Date
    Apr 2006
    Location
    Columbus, Ohio
    Posts
    1,424
    Post Likes
    Thread Starter
    Quote Originally Posted by #1servicetech View Post
    The last thing I would try is a BCU Reboot. if that doesn't work you need tech support. also keep in mind that they could Have turned on the match case.
    Yes, we tried a BCU reboot as well. When we first arrived the BCU didn't even have power to it. The UPS that is was plugged into had a fault on it.

    I didn't think of the match case thing. I will give that a shot. Thanks!
    J. King

  14. #13
    Join Date
    Sep 2007
    Location
    Kenilworth NJ
    Posts
    4,152
    Post Likes
    Quote Originally Posted by #1servicetech View Post
    the match case.
    Whats this?
    Hmmmm....smells like numbatwo to me.

  15. #14
    Join Date
    Apr 2006
    Location
    Columbus, Ohio
    Posts
    1,424
    Post Likes
    Thread Starter
    Quote Originally Posted by numbawunfela View Post
    Whats this?
    In the user account settings you can check mark “match case” and it will force the username and password to be case sensitive. By default you can type the username and password in any case and as long as the word matches it will let you through.


    Sent from my iPhone using Tapatalk
    J. King

  16. #15
    Join Date
    May 2003
    Location
    Connecticut
    Posts
    598
    Post Likes
    Quote Originally Posted by numbawunfela View Post
    Whats this?
    when you set up a user, you can select "match case" for the user name and password which means it matches upper and lower case.

  17. #16
    Join Date
    Sep 2007
    Location
    Kenilworth NJ
    Posts
    4,152
    Post Likes
    Thanks for the replies!
    Hmmmm....smells like numbatwo to me.

  18. #17
    Join Date
    Apr 2006
    Location
    Columbus, Ohio
    Posts
    1,424
    Post Likes
    Thread Starter
    I just wanted to let everyone know that I got this resolved. As mentioned above, since the previous owner took the workstation with them all of the backdoor password hacks (with the year and date) wouldn't work. It seems like that backdoor method only works if you have a workstation on site with a site database running on it. However, if the workstation is removed and all you have is a locked down BCU then it will still say "user doesn't exist". I contacted someone that I knew at the local Trane branch and they sent me the last backup file that they took from the site back in 2009. After opening up the file, I quickly realized that some upgrades had been done since that backup was taken. The backup had old Comm3 and Comm4 devices. The site now has a lot of Comm5 devices and a upgraded BMTX BCU as compared to the BTMW BCU that was in the backup database. I asked Trane to see if the corporate office had a way to backdoor into the BCU directly and they told me that they had never heard of a way and that I would probably need to start over.

    I started thinking about how the BCU synchronizes to the workstation and how it is based on which one has the most current database (by date). I figured I couldn't mess it up anymore than it already was, so I set my laptop time backwards to 2019, created a brand new site with the same exact name as the site in question, created a BCU that matched the type, device ID, and network ID of the one in question, added the default username and password, and waited for synchronization. After a couple of minutes, I noticed that the site synchronized. A small + symbol appeared next to my site name and all of my devices were there. Of course the navigation tree wasn't organized, but that was the least of my worries. I thought I would let everyone know how this panned out just in case anyone else runs into a similar problem.
    J. King

  19. Likes roadgear16, Nuclrchiller, control$ liked this post.
  20. #18
    Join Date
    Sep 2007
    Location
    Kenilworth NJ
    Posts
    4,152
    Post Likes
    Quote Originally Posted by apprentice3 View Post
    created a brand new site with the same exact name as the site in question, created a BCU that matched the type, device ID, and network ID of the one in question, added the default username and password, and waited for synchronization. After a couple of minutes, I noticed that the site synchronized. A small + symbol appeared next to my site name and all of my devices were there.
    Good job posting the response.
    Anything else besides the users synchronize? Seems like the users were the only thing in your artificial 'backup'
    Sounds like you could have dangled anything that was set up to look passable. Neat trick. I like it.
    Reminds me of the onsite staff at a fortune 500 that defeats the first rate IT security with a 27 cent binder clip that clamps the space bar down so the workstation never times out. I LOVE that sort of thing.
    Hmmmm....smells like numbatwo to me.

  21. #19
    Join Date
    Feb 2006
    Location
    Where the wind comes sweeping down the plain
    Posts
    434
    Post Likes
    Quote Originally Posted by apprentice3 View Post
    I just wanted to let everyone know that I got this resolved. As mentioned above, since the previous owner took the workstation with them all of the backdoor password hacks (with the year and date) wouldn't work. It seems like that backdoor method only works if you have a workstation on site with a site database running on it. However, if the workstation is removed and all you have is a locked down BCU then it will still say "user doesn't exist". I contacted someone that I knew at the local Trane branch and they sent me the last backup file that they took from the site back in 2009. After opening up the file, I quickly realized that some upgrades had been done since that backup was taken. The backup had old Comm3 and Comm4 devices. The site now has a lot of Comm5 devices and a upgraded BMTX BCU as compared to the BTMW BCU that was in the backup database. I asked Trane to see if the corporate office had a way to backdoor into the BCU directly and they told me that they had never heard of a way and that I would probably need to start over.

    I started thinking about how the BCU synchronizes to the workstation and how it is based on which one has the most current database (by date). I figured I couldn't mess it up anymore than it already was, so I set my laptop time backwards to 2019, created a brand new site with the same exact name as the site in question, created a BCU that matched the type, device ID, and network ID of the one in question, added the default username and password, and waited for synchronization. After a couple of minutes, I noticed that the site synchronized. A small + symbol appeared next to my site name and all of my devices were there. Of course the navigation tree wasn't organized, but that was the least of my worries. I thought I would let everyone know how this panned out just in case anyone else runs into a similar problem.
    Nicely done. I don't know that I would have thought to try that.

  22. #20
    Join Date
    Dec 2005
    Location
    California
    Posts
    836
    Post Likes
    I'll jeep that little nugget of information in the back of my head. Nice job!!
    Controls, the cause of... and solution to... all your HVAC problems.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •