Device Password Manager Interface

Preliminary Description

CalAmp’s Device Password Manager Service will address key security threats/challenges by preventing unauthorized device access. It not only enhances device security but also protects the device and any information contained therein from destruction, use, modification, or disclosure.

CalAmp will be releasing the Device Password Manager Support for product lines in an iterative/phased manner.

Description

This page describes the release of the device password manager interface API. This API allows customers to download unique strong passwords that will be enabled by default on devices. The APIs are considered preliminary, and they have not been released on production servers. Changes to the APIs may occur prior to release.

The device password interface is a GET endpoint to retrieve the password for a device specified by its ESN (Electronic Serial Number), IMEI or MAC. The API can be authenticated using CTC or PULS credentials, but the authentication method varies between the two.

Device Password Manager Deployment

The first bulletin, detailing CalAmp’s Phase 2 plan, can be found here

Throughout Phase 2, CalAmp will subsequently introduce Device Password Manager support for additional product lines as they are validated in iterative bulletins (Phase 2.2, 2.3, 2.4, etc.).

Phase 2.1 for the affected devices is scheduled to roll out in August 2021.

Overview

On LMU8 and older firmware on other platforms, the password is specified in Parameter 2177, Index 0 ("P2177,0") and enabled when S-Register 171 bit 4 ("S171b4") is set.  If S171b4 is clear, P2177,0 is "just another Short String".  P2177,0 can be up to 15 characters. 

On newer firmware, the password is stored in non-volatile memory as a secured password.  With this firmware, the AT#PW command can be used locally to change/clear the password.  The password cannot be changed via SMS.

At boot time, the newer firmware will migrate a P2177,0/S171b4 password into a secured password if the old-style (parameter-based) password is detected and a secured password doesn't exist. Then P2177,0 and S171b4 will both be cleared so the password will no longer be available in plain text. Subsequent changes to P2177,0/S171b4 will be ignored since the secured password now exists. This migration happens in two common use cases:

  • A device with a P2177,0/S171b4 password is upgraded from older to newer firmware.
  • A Configuration CSV file is loaded into a device with the newer firmware, usually either over-the-air from DM-CTC/PULS or by CalAmp Production as part of a CRAF (Customer Request Authorization Form).
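
The boot-time migration rule above, modelled as an added example (not CalAmp firmware or API code). `DeviceState`, `load_parameters` and `boot_newer_firmware` are hypothetical names; the model assumes S171 bit 4 counts from the least significant bit and that an empty P2177,0 is not treated as a password.

```python
from dataclasses import dataclass
from typing import Optional

S171_PASSWORD_BIT = 1 << 4   # "S171b4"; assumes bit 0 is the least significant bit
P2177_MAX_LEN = 15           # P2177,0 can be up to 15 characters


@dataclass
class DeviceState:
    """Hypothetical model of the password-related state described above."""
    p2177_0: str = ""              # Parameter 2177, Index 0 (plain text)
    s171: int = 0                  # S-Register 171
    secured: Optional[str] = None  # stand-in for the non-volatile secured password

    def legacy_password_enabled(self) -> bool:
        # With S171b4 clear, P2177,0 is "just another Short String".
        # Assumption: an empty string with the bit set is not a password.
        return bool(self.s171 & S171_PASSWORD_BIT) and self.p2177_0 != ""


def load_parameters(dev: DeviceState, p2177_0: str, s171: int) -> None:
    """Model a configuration load (e.g. a Configuration CSV) writing both values."""
    if len(p2177_0) > P2177_MAX_LEN:
        raise ValueError("P2177,0 is limited to 15 characters")
    dev.p2177_0, dev.s171 = p2177_0, s171


def boot_newer_firmware(dev: DeviceState) -> str:
    """Apply the boot-time migration rule and report what happened."""
    if dev.secured is not None:
        # A secured password exists, so P2177,0/S171b4 changes are ignored.
        return "ignored" if dev.legacy_password_enabled() else "unchanged"
    if not dev.legacy_password_enabled():
        return "no-password"
    dev.secured = dev.p2177_0        # migrate into the secured store
    dev.p2177_0 = ""                 # clear the plain-text copy
    dev.s171 &= ~S171_PASSWORD_BIT   # clear S171b4, keep the other bits
    return "migrated"
```

The practical consequence for fleet configuration is visible in the "ignored" branch: once a device has migrated, pushing a new P2177,0/S171b4 pair does not change its password.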

❗️

When the Device Password Manager is released on specific product lines, ESN-based passwords will no longer be provided, and an existing CRAF cannot override the random primary password.