Panopticon of global surveillance
#87

Dogbert's Blog

Saturday, May 2, 2009

BIOS Password Backdoors in Laptops


Synopsis: The mechanics of BIOS password locks present in current generation laptops are briefly outlined. Trivial mechanisms have been put in place by most vendors to bypass such passwords, rendering the protection void. A set of master password generators and hands-on instructions are given to disable BIOS passwords.

When a laptop is locked with a password, a checksum of that password is stored to a so-called FlashROM - this is a chip on the mainboard of the device which also contains the BIOS code and other settings, e.g. memory timings.

For most brands, this checksum is displayed after entering an invalid password for the third time:
[Image: systemdisabled2.JPG]
The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, it will work just as before. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing.

The bypass mechanisms of other vendors work by showing a number to the user from which a master password can be derived. This password is usually a sequence of numbers generated randomly.

Some vendors resort to storing the password in plain text onto the FlashROM, and instead of printing out just a checksum, an encrypted version of the password is shown.

Other vendors just derive the master password from the serial number. Either way, my scripts can be used to get valid passwords.

A few vendors have implemented obfuscation measures to hide the hash from the end user - for instance, some FSI laptops require you to enter three special passwords for the hash to show up (e.g. "3hqgo3 jqw534 0qww294e", "enable master password" shifted one up/left on the keyboard). Some HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for the last time.

Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a matter of trying all of them and finding the one that fits your laptop. It does not matter on what machine the scripts are executed, i.e. there is no reason to run them on the locked laptop.

This is an overview of the algorithms that I looked at so far:

| Vendor | Hash Encoding | Example of Hash Code/Serial | Scripts |
|---|---|---|---|
| Compaq | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Dell | serial number | 1234567-595B, 1234567-D35B, 1234567-2A7B | Windows binary & source |
| Fujitsu-Siemens | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Fujitsu-Siemens | 8 hexadecimal digits | DEADBEEF | pwgen-fsi-hex.py, Windows binary |
| Fujitsu-Siemens | 5x4 hexadecimal digits | AAAA-BBBB-CCCC-DEAD-BEEF | pwgen-fsi-hex.py (http://sites.google.com/site/dogber1/blag/pwgen-fsi-hex.zip), Windows binary |
| Fujitsu-Siemens | 5x4 decimal digits | 1234-4321-1234-4321-1234 | pwgen-fsi-5x4dec.py, Windows binary |
| Hewlett-Packard | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Hewlett-Packard/Compaq Netbooks | 10 characters | CNU1234ABC | pwgen-hpmini.py, Windows binary |
| Insyde H20 (generic) | 8 decimal digits | 03133610 | pwgen-insyde.py, Windows binary |
| Phoenix (generic) | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Sony | 7 digit serial number | 1234567 | pwgen-sony-serial.py, Windows binary |
| Samsung | 12 hexadecimal digits | 07088120410C0000 | pwgen-samsung.py, Windows binary |


The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the binary files (.exe) don't work out for you, install Python 2.6 (not 3.x) and run the .py scripts directly by double-clicking them. Make sure that you correctly read each letter (e.g. number '1' vs letter 'l').

Вячеслав Бачериков has also converted my scripts to JavaScript so you can calculate the passwords with your browser: http://bios-pw.org/ (sources).

Please leave a comment below on what make/model the scripts work. Also, be aware that some vendors use different schemes for master passwords that require hardware to be reset - among them are e.g. IBM/Lenovo. If you find that your laptop does not display a hash or the scripts do not work for you for whatever reason, try to:
  • use a USB keyboard for entering the password for avoiding potential defects of the built-in keyboard,
  • run CmosPwd to remove the password if you can still boot the machine,
  • overwrite the BIOS using the emergency recovery procedures. Usually, the emergency flash code is activated by pressing a certain key combination while powering on the machine. You also need a specially prepared USB memory stick containing the BIOS binary. The details are very much dependent on your particular model. Also, be aware that this can potentially brick your device and should only be done as a last measure.
  • Some Dell service tags are missing the suffix - just try the passwords for all suffixes by adding -595B, -2A7B and -D35B to your service tags.
  • The passwords for some HP laptops are breakable with this script.
  • Unlocking methods for some Toshiba laptops are described here.
  • Some older laptop models have service manuals that specify a location of a jumper / solder bridge that can be set for removing the password.

If none of the above methods work, please use the vendor support. Please understand that my motivation for reverse-engineering comes from a personal interest - I will not accept offers to look at the specifics of certain models.

http://dogber1.blogspot.com.au/2009/05/t...-bios.html
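
The post's point that a displayed checksum lets someone find a valid password by brute force can be seen in a short added example (not Dogbert's code and not any vendor's algorithm). `toy_checksum` is a constructed stand-in built on CRC32 that only mimics the "5 decimal digits" format from the table; all names and the sample password are assumptions.

```python
import itertools
import string
import zlib

# Constructed stand-in for a BIOS password checksum. This is NOT any vendor's
# algorithm: it only reproduces the shape of a "5 decimal digits" code.
def toy_checksum(password: str) -> str:
    return "%05d" % (zlib.crc32(password.encode("ascii")) % 100000)

def find_equivalent_password(code, alphabet=string.ascii_lowercase, max_len=5):
    """Search short candidates until one produces the displayed code.

    Returns (password, candidates_tried), or (None, candidates_tried).
    """
    tried = 0
    for length in range(1, max_len + 1):
        for letters in itertools.product(alphabet, repeat=length):
            tried += 1
            candidate = "".join(letters)
            if toy_checksum(candidate) == code:
                return candidate, tried
    return None, tried

def demo():
    owner_password = "Tr0ub4dor&3-Example"   # constructed sample value
    code = toy_checksum(owner_password)       # what the lock screen would show
    found, tried = find_equivalent_password(code)
    return owner_password, code, found, tried

if __name__ == "__main__":
    owner, code, found, tried = demo()
    print("displayed code      :", code)
    print("equivalent password :", found)
    print("candidates tried    :", tried)
```

Because the code can take at most 100,000 values, the length or complexity of the owner's password adds nothing: any input that maps to the same code is accepted, which is why a lock that compares short checksums offers little protection.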