
URL: http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

DOGBERT'S BLOG







SATURDAY, MAY 2, 2009


BIOS PASSWORD BACKDOORS IN LAPTOPS


Synopsis: The mechanics of BIOS password locks present in current generation
laptops are briefly outlined. Trivial mechanisms have been put in place by most
vendors to bypass such passwords, rendering the protection void. A set of master
password generators and hands-on instructions are given to disable BIOS
passwords.

When a laptop is locked with a password, a checksum of that password is stored
on a so-called FlashROM - this is a chip on the mainboard of the device which
also contains the BIOS code and other settings, e.g. memory timings.

For most brands, this checksum is displayed after entering an invalid password
for the third time:

The dramatic 'System Disabled' message is just scare tactics: when you remove
all power from the laptop and reboot it, it will work just as before. From such
a checksum (also called "hash"), valid passwords can be found by means of
brute-forcing.

The bypass mechanisms of other vendors work by showing a number to the user from
which a master password can be derived. This password is usually a sequence of
numbers generated randomly.

Some vendors resort to storing the password in plain text on the FlashROM, and
instead of printing out just a checksum, an encrypted version of the password is
shown.

Other vendors just derive the master password from the serial number. Either
way, my scripts can be used to get valid passwords.

A few vendors have implemented obfuscation measures to hide the hash from the
end user - for instance, some FSI laptops require you to enter three special
passwords for the hash to show up (e.g. "3hqgo3 jqw534 0qww294e", "enable master
password" shifted one up/left on the keyboard). Some HP/Compaq laptops only show
the hash if the F2 or F12 key has been pressed prior to entering an invalid
password for the last time.

Depending on the "format" of the number code/hash (e.g. whether only numbers or
both numbers and letters are used, whether it contains dashes, etc.), you need
to choose the right script - it is mostly just a matter of trying all of them
and finding the one that fits your laptop. It does not matter on what machine
the scripts are executed, i.e. there is no reason to run them on the locked
laptop.

This is an overview of the algorithms that I looked at so far:



| Vendor | Hash Encoding | Example of Hash Code/Serial | Scripts |
|---|---|---|---|
| Asus | Machine Date | 01-01-2011 | pwgen-asus.py |
| Compaq | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Dell | serial number | 1234567-595B, 1234567-D35B, 1234567-2A7B | bios-pw.org |
| Fujitsu-Siemens | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Fujitsu-Siemens | 8 hexadecimal digits | DEADBEEF | pwgen-fsi-hex.py, Windows binary |
| Fujitsu-Siemens | 5x4 hexadecimal digits | AAAA-BBBB-CCCC-DEAD-BEEF | pwgen-fsi-hex.py, Windows binary |
| Fujitsu-Siemens | 5x4 decimal digits | 1234-4321-1234-4321-1234 | pwgen-fsi-5x4dec.py, Windows binary |
| Fujitsu-Siemens | 6x4 decimal digits | 8F16-1234-4321-1234-4321-1234 | pwgen-fsi-6x4dec.py |
| Hewlett-Packard | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Hewlett-Packard/Compaq Netbooks | 10 characters | CNU1234ABC | pwgen-hpmini.py, Windows binary |
| Insyde H20 (generic) | 8 decimal digits | 03133610 | pwgen-insyde.py, Windows binary |
| Phoenix (generic) | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Sony | 4x4 hexadecimal digits | 1234-1234-1234-1234 | pwgen-sony-4x4.py |
| Sony | 7 digit serial number | 1234567 | pwgen-sony-serial.py, Windows binary |
| Samsung | 12 hexadecimal digits | 07088120410C0000 | pwgen-samsung.py, Windows binary |


Here are some other folks' efforts (python/ocaml/javascript):



| Vendor | Hash Encoding | Example of Hash Code/Serial | Scripts |
|---|---|---|---|
| HP | 8 decimal digits | i1234578 | https://gist.github.com/Rdp3389 |
| Acer/Insyde | 10 decimal digits | 123457890 | https://github.com/let-def/insydious |


The .NET runtime libraries are required for running the Windows binary files
(extension .exe). If the binary files (.exe) don't work out for you, install
Python 2.7 (not 3.x) and run the .py scripts directly by double-clicking them.
Make sure that you correctly read each letter (e.g. number '1' vs letter 'l').

Вячеслав Бачериков has also converted my scripts to JavaScript so you can
calculate the passwords with your browser: http://bios-pw.org/ (sources).

Please leave a comment below on which make/model the scripts work. Also, be
aware that some vendors use different schemes for master passwords that require
hardware to be reset - among them are e.g. IBM/Lenovo. If you find that your
laptop does not display a hash or the scripts do not work for you for whatever
reason, try to:

 * use a USB keyboard for entering the password, to rule out potential defects
   of the built-in keyboard,
 * run CmosPwd to remove the password if you can still boot the machine,
 * overwrite the BIOS using the emergency recovery procedures. Usually, the
   emergency flash code is activated by pressing a certain key combination while
   powering on the machine. You also need a specially prepared USB memory stick
   containing the BIOS binary. The details are very much dependent on your
   particular model. Also, be aware that this can potentially brick your device
   and should only be done as a last resort.
 * Some Dell service tags are missing the suffix - just try the passwords for
   all suffixes by adding -595B, -2A7B and -D35B to your service tag.
 * The passwords for some HP laptops are breakable with this script.
 * Unlocking methods for some Toshiba laptops are described here (edit: gone).
 * Some older laptop models have service manuals that specify the location of a
   jumper / solder bridge that can be set for removing the password.


If none of the generators/methods above works, please use the vendor support.
Please understand that my motivation for reverse-engineering comes purely from a
personal interest. I will not accept offers to look at the specifics of certain
models.

Posted by dogbert at 8:33 AM 2974 Comments

Labels: 2a7b, 595b, acer, advent, backdoor, bios, bypass, circumvent, compaq,
dell, fjs, fsi, fujitsu siemens, hp, key generator, keygen, override, password,
recovery, samsung







RECENT COMMENTS

 * John Lysek
   
   I am sure you have helped thousands with this. Cleared my e6420 just like
   that, thank you.
   
   Dogbert's Blog: BIOS Password Backdoors in Laptops · 4 months ago

 * RJ Latherow
   
   Thanks to everyone, both the developer and the folks sharing the result! The
   BF97 trick fixed my generated 6FF1 password also-
   
   Dogbert's Blog: BIOS Password Backdoors in Laptops · 5 months ago

 * Jose David Cruz Chavez
   
   Very good tool.. thanks.. it helped me a lot
   
   Dogbert's Blog: BIOS Password Backdoors in Laptops · 10 months ago

 * Karichimoto
   
   Dogbert I bought an Acer Predator Helios 300 ph315-51 that came with a locked
   BIOS and Intel VTx and VTd disabled. Your scripts on bios-pw.net saved this
   laptop. Now BlueStacks 5 runs 10x faster!
   
   Dogbert's Blog: BIOS Password Backdoors in Laptops · 1 year ago

 * Rene
   
   Thanks Dogbert, for providing BIOS password recovery tool it works perfect on
   a Dell E5470 !!
   
   Dogbert's Blog: BIOS Password Backdoors in Laptops · 1 year ago



