TL;DR: The main purpose of this blog post is to explain how you can get access to the IPMI interface in case no access is available due to unknown BMC configuration settings. For example, if you have bought a used motherboard.
At the end of last year (2025) I've decided to upgrade my homelab. For this reason, I spent several hours looking for "the perfect" motherboard. Perfect? At least for my purpose and with the focus on efficiency and power consumption (More on this topic in future blog posts. I promise!) However, I've found a used board on eBay that seems to fit these requirements. The board comes with an ASPEED AST2500 chipset for IPMI (Intelligent Platform Management Interface).
➜ ~ dmidecode -t connector
# dmidecode 3.6
Getting SMBIOS data from sysfs.
SMBIOS 3.2.0 present.
Handle 0x0004, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: J8
Internal Connector Type: None
External Reference Designator: IPMI LAN
External Connector Type: RJ-45
Port Type: Network Port
[...]
The motherboard itself has a VGA that uses the output as the primary device. Unfortunately, I had no VGA-to-HDMI adapter lying around. This should in general not be a big deal, as we have IPMI that can be used to access the BIOS. If the settings are not changed, the BMC (Baseboard Management Controller) will use DHCP to obtain an IP address by default. Which means putting an RJ45 cable in the dedicated IPMI port, starting the board, and waiting until the interface receives the IP and accesses the interface, right? Nope! In my case the settings seem to be changed. As the board was used, I've already assumed that the board or the BMC was not reset. If the board did not get an IP address the first time, this could have several reasons, for example:
Accessing the IPMI from this point can be challenging, as we don't know how the BMC was configured - at least in my case, without access to a VGA-to-HDMI adapter... As the IPMI interface seems not to be configured to use DHCP the port could be disabled or a static IP address is in place. If a static IP address is configured, we can try to get the IP of the interface by connecting the IPMI port with another device, starting Wireshark, and looking for ARP requests [1] . With this method I also had no success; an alternative solution has to be found!
Since none of the mentioned methods above worked, the next idea was to build a custom ISO that gets an IP via DHCP, enables SSH, and allows access to the system as root. After gaining access to the system, we can then use the tool ipmitool [2] to read the configured IP (In the case the BMC is configured with a static IP address.) [3] or even reset the whole BMC configuration. As I really like Alpine Linux, I've decided to use this Linux distribution as my starting point. Alpine Linux used so-called APK Overlay (apkovl) files, which store all configuration files that have changed from the default one. If a file with the schema <hostname>.apkovl.tar.gz is there, the content from the file is overlaid on top of the contents of the base image. This allowed us to add the functionality mentioned above (DHCP and SSH access). The approach you can see here is based on the blog post from Stefan Kreutz [4] .
➜ ~ curl --location --remote-name-all \
https://dl-cdn.alpinelinux.org/alpine/v3.23/releases/x86_64/alpine-standard-3.23.2-x86_64{.iso,.iso.sha256}
➜ ~ sha256sum -c alpine-*.iso.sha256
alpine-standard-3.23.2-x86_64.iso: OK
➜ ~
If everything is fine we can start to create the apkvol file; but before, we have to prepare some structures:
➜ ~ mkdir ovl
➜ ~ mkdir -p ovl/etc
➜ ~ touch ovl/etc/.default_boot_services
➜ ~ mkdir -p ovl/etc/runlevels/default
➜ ~ mkdir -p ovl/etc/local.d
➜ ~ ln -sf /etc/init.d/local ovl/etc/runlevels/default
Now the structure is prepared; the magic start script can be created as seen below. The script will install the openssh package and enable DHCP for eth0. Furthermore, the password for the root user is set to resetipmi. The password hash can be created via openssl passwd -6 (Don't forget to escape the $ characters!). After the password was "set" the ssh daemon was configured to allow access as root via SSH.
➜ ~ cat << 'SETUP' > ovl/etc/local.d/auto-setup-alpine.start
#! /bin/sh
set -o errexit
set -o nounset
apk add openssh
cat << EOF > /etc/network/interfaces
auto eth0
iface eth0 inet dhcp
EOF
# pwd -> openssl passwd -6
cat << EOF > /etc/shadow
root:\$6\$0pGeKltDBijInhiU\$h72GOHR2XmysQrvenILso46tylYmN7huCTkPphHKwsgtH4m1oGrFz5EnI6jAGyWEB2Oa0dT.2c76v0CrloYQn.:20422:0:::::
EOF
cat << EOF > /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
EOF
ln -s /etc/init.d/sshd /etc/runlevels/default/sshd
/etc/init.d/sshd start
/etc/init.d/networking restart
SETUP
To allow the execution of the created auto-setup-alpine.start script, we have to set the necessary permissions. At the end, to create the overlay package, we can use tar. The content of the file should look like as seen below:
➜ ~ chmod 755 ovl/etc/local.d/auto-setup-alpine.start
➜ ~ tar --owner=0 --group=0 -czf localhost.apkovl.tar.gz -C ovl .
➜ ~ tar tvf localhost.apkovl.tar.gz
drwxr-xr-x root/root 0 2026-01-26 18:24 ./
drwxr-xr-x root/root 0 2026-01-26 18:35 ./etc/
-rw-r--r-- root/root 0 2026-01-26 18:25 ./etc/.default_boot_services
drwxr-xr-x root/root 0 2026-01-26 18:35 ./etc/local.d/
-rwxr-xr-x root/root 554 2026-01-26 18:35 ./etc/local.d/auto-setup-alpine.start
drwxr-xr-x root/root 0 2026-01-26 18:25 ./etc/runlevels/
drwxr-xr-x root/root 0 2026-01-26 18:25 ./etc/runlevels/default/
lrwxrwxrwx root/root 0 2026-01-26 18:25 ./etc/runlevels/default/local -> /etc/init.d/local
➜ ~
With the help of xorriso we can then create a new ISO file based on the downloaded Alpine Linux ISO. The newly created ISO file will also contain the previously created apkovl tar file.
➜ ~ xorriso \
-indev alpine-standard-3.23.2-x86_64.iso \
-outdev alpine-3.23.2-autossh.iso \
-map localhost.apkovl.tar.gz /localhost.apkovl.tar.gz \
-boot_image any replay
➜ ~
As usual, the ISO file can be used to dd the file to a USB/SSD to boot from this device. If everything goes well, the system will boot from the device, getting an IP address via DHCP and exposing the SSH service on TCP port 22. Logging in as root should also work.
In my case I had luck, and the system was booting from the device where I've put the created ISO file. The boot process took some time due to the different boot priorities configured within the BIOS. However, later I was able to see that the device obtained an IP address via DHCP. Logging in as root with the password resetipmi also worked. From this point, the system access allows to interact with the IPMI directly with ipmitool (At least after the package ipmitool was installed via apk and the kernel modules ipmi_devintf and ipmi_si were loaded via modprobe [5] .). The IPMI can reset to the factory default settings, including the user and network configuration with the raw bytes 0x30 0x41. The operation to the factory default restore can take 1-2 minutes, so don't be too hasty and wait a bit. After the BMC was reset and rebooted the LAN configuration can be get via ipmitool lan print:
➜ ~ ipmitool raw 0x30 0x41
➜ ~ ipmitool lan print
Set in Progress : Set Complete
Auth Type Support : NONE MD2 MD5 PASSWORD
Auth Type Enable : Callback : MD2 MD5 PASSWORD
: User : MD2 MD5 PASSWORD
: Operator : MD2 MD5 PASSWORD
: Admin : MD2 MD5 PASSWORD
: OEM : MD2 MD5 PASSWORD
IP Address Source : DHCP Address
IP Address : 10.10.0.42
Subnet Mask : 255.255.255.0
MAC Address : XX:XX:XX:XX:XX:XX
SNMP Community String : public
IP Header : TTL=0x00 Flags=0x00 Precedence=0x00 TOS=0x00
BMC ARP Control : ARP Responses Enabled, Gratuitous ARP Disabled
➜ ~
In general, the IPMI (web)interface should now be available. The default credentials (Don't forget to change the default credentials after the reset!) are sometimes ADMIN:ADMIN on modern systems; the default IPMI credentials are printed directly on the motherboard itself.
➜ ~ ipmitool -U ADMIN -P 'XXXXXXXX' -H 10.10.0.42 sensor | grep -E "(Temp|FAN)"
CPU Temp | 33,000 | degrees C | ok | 5,000 | 5,000 | na | na | 100,000 | 100,000
PCH Temp | 35,000 | degrees C | ok | 5,000 | 5,000 | na | na | 90,000 | 105,000
System Temp | 32,000 | degrees C | ok | 5,000 | 5,000 | na | na | 85,000 | 90,000
Peripheral Temp | 43,000 | degrees C | ok | 5,000 | 5,000 | na | na | 85,000 | 90,000
MB_10G Temp | na | | na | na | na | na | na | na | na
VRMCpu Temp | 32,000 | degrees C | ok | 5,000 | 5,000 | na | na | 100,000 | 105,000
M2_SSD1 Temp | na | | na | na | na | na | na | na | na
DIMMAB Temp | na | | na | na | na | na | na | na | na
FAN1 | 840,000 | RPM | ok | 280,000 | 280,000 | na | na | 7000,000 | 7560,000
FAN2 | 840,000 | RPM | ok | 280,000 | 280,000 | na | na | 7000,000 | 7560,000
FAN3 | 840,000 | RPM | ok | 280,000 | 280,000 | na | na | 7000,000 | 7560,000
FAN4 | 980,000 | RPM | ok | 280,000 | 280,000 | na | na | 7000,000 | 7560,000
FANA | 840,000 | RPM | ok | 280,000 | 280,000 | na | na | 7000,000 | 7560,000
FANB | 840,000 | RPM | ok | 280,000 | 280,000 | na | na | 7000,000 | 7560,000
➜ ~
#EOF