Steal the administrator password from an EEPROM

[Image: locating_atmel]

Did you forget your hardware-based password and now you’re locked out? If it’s an IBM ThinkPad you may be in luck, but it involves a bit more than just removing the backup battery. SoDoItYourself has an article detailing the retrieval of password data from an EEPROM.

The process is a fun one. Disassemble your laptop. Build a serial interface and solder it to the EEPROM chip where the password is stored. Connect this interface to a second computer and use it to dump the chip’s contents into a file. Download a special program to decipher the dump file and dig through the hex looking for something that resembles the password. Reassemble your laptop and hope that it worked.
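The last step of that process, reading through the dump for something that resembles the password, is what a generic hexdump plus printable-run search does. The following is an added example, not code from the original post or from the SoDoItYourself article: the dump bytes are constructed as a stand-in (the real chip layout is not on this page, and the string `SECRET12` at offset 0x38 is a placeholder), and `hexdump`, `find_printable_runs` and `build_sample_dump` are this example's own names. It works on any dump length, including the 128-byte file one commenter reports, and it makes the defensive point plainly: a secret kept in clear text in an off-CPU serial EEPROM is recoverable by anyone with the board in hand, which is why the later machines mentioned in the comments moved the check into a TPM.

```python
"""Added example: inspect a raw EEPROM dump (hexdump + printable-run search).

The sample dump below is constructed for illustration; it does not follow the
layout of any real chip.
"""
import string

# ASCII characters worth showing in the right-hand column of a hexdump.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render `data` as classic offset / hex / ASCII lines."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


def find_printable_runs(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Return (offset, text) for every run of at least min_len printable ASCII bytes."""
    runs: list[tuple[int, str]] = []
    start = None
    for i in range(len(data) + 1):  # one position past the end flushes a trailing run
        is_text = i < len(data) and chr(data[i]) in PRINTABLE
        if is_text and start is None:
            start = i
        elif not is_text and start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs


def build_sample_dump() -> bytes:
    """Constructed 128-byte dump: erased (0xff) cells with two planted strings."""
    dump = bytearray(b"\xff" * 128)
    dump[0x20:0x23] = b"IBM"       # short run, below the default min_len
    dump[0x38:0x40] = b"SECRET12"  # placeholder standing in for a stored credential
    return bytes(dump)


SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    for line in hexdump(SAMPLE_DUMP):
        print(line)
    for offset, text in find_printable_runs(SAMPLE_DUMP):
        print(f"candidate at 0x{offset:04x}: {text!r}")
```

Pass `min_len=3` to see the shorter `IBM` run as well; raising the threshold is the usual way to cut noise from erased cells and checksum bytes that happen to land in the printable range.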

We know that most people won’t be in a position to need a ThinkPad administrator password, but there must be other situations in which reading data off of an EEPROM comes in handy. What have you used this method for?

Comments

  1. Jed says:

    Getting the HDD Key off an Xbox motherboard so I could replace the hard drive

  2. Sean says:

    Reading the contents of an EEPROM on a printer cartridge to see if we could make it use all of its contents, instead of it arbitrarily declaring itself empty.

    We used a different method though: we desoldered the chip and soldered it to an empty EEPROM socket on some RAM (the chip was I2C). Then we used a linux utility to dump the chip contents.

    In the end we discovered that all we needed to do was set the date backwards on the printer menu, but it was still fun.

  3. David S says:

    I’ve actually done something like this about 6-7 years back. At the time you had to send the dumped memory to this guy in Australia and he’d tell you what it said for like 25 bucks. Still, it was pretty awesome.

  4. djsashaz says:

I’ve done this before, but better. Dell Latitude laptops have a service tag for identification purposes and so that you can find drivers a heck of a lot easier when searching for them on the Dell website. I was able to replace an EEPROM (I wish I could remember which one now; I’m sure it’s searchable) with a blank one, and I was able to #1 log in to the machine that had this asset/service tag password, and now when you look at the BIOS, #2 see a blank asset tag, so in theory it couldn’t be verified that it was (ahem) misplaced or something……

  5. Hitek146 says:

    On many Dells you can just short the data line to ground when first booting the computer, and when the BIOS finds that it cannot read the data on the EEPROM, it goes into service mode. From there you can then clear or re-enter a new password…

  6. JanezD says:

    Oh man! I’ve been waiting for ages for something like that! This will come handy with my ISP’s Patton ISDN interface. Finally, home owner asterix, here I come!

  7. IBMslut says:

I found that method to be a bit harder than necessary. It turns out you can do the quick and dirty and just replace the entire IBM security chip.

  8. Jeppo says:

    Old news.. did this a year ago. But still, pretty handy :)

  9. sherbang says:

    Did it a few years ago to unlock a Vonage provided Cisco ATA. This one required desoldering the flash chip.

  10. farthead says:

    Wiping the serial eeprom typically will do the job as well.

I’ve done that many times: connect up, zero out the EEPROM, reboot the PC and voila.

Step 2 is to smack the crap out of the stupid person that set the password.

  11. Wolffe says:

Acupuncture pins and Fun-Tak (a blue sticky claylike putty) worked well for me instead of soldering.

  12. Andrew says:

I don’t believe this works on the newer Lenovos or any computer that comes with a TPM instead of just an EEPROM.

  13. rasz says:

Yep, new Lenovos (T60 and so on) use a TPM integrated into the IO chip. You can still hack the password, but the method is kept secret by the people who cracked it (AFAIK one from Poland and one from Russia) for obvious reasons (money). You can send the laptop to Poland or just buy the RPC8394 tool from the Russians.

  14. slincolne says:

    How come nobody mentioned the use of a ‘Bus Pirate’ ?

  15. James says:

    One thing I would suggest changing would be to use SMD test clips rather than solder directly to the chip.
    The SMD clips mentioned in the Bus Pirate cable how-to would work great.

  16. conundrum says:

Have recovered a broken Tatung TV by reading back the EPROM, erasing the areas that stored the fine tuning data, then replacing it. Went from “won’t work on any channel for more than a minute” to “tunes fine”. Lasted about a year before it failed for good.

This happens a lot on LCD TVs; in fact you can buy EPROMs online for this very reason. (Symptoms include a blue screen, LOL.)

  17. conundrum says:

Another useful trick: use a surplus “mains test” LCD screwdriver, as its rubber elastomers are low resistance. Add a salvaged LCD panel connector and some Shapelock and you are cooking with plasma :)

  18. PacketStorm4 says:

    Have already done this with great success.
    Resurrected 2 IBM T41s.
    Easy and fun hack.

  19. PReDiToR says:

    Been meaning to fix up this T22 I’ve had for years. Forgot the admin PW and dreading the CMOS battery dying. Instructions for reading/decoding the EEPROM have been online for years.
    Thanks for bringing it to the fore again though. Might make me get off my backside and do it!

  20. anon says:

This is older than Jesus.

  21. tmbinc says:

Did anyone notice that this is an AT24RF08? While http://www.thinkwiki.org/wiki/AT24RF08 states that the RFID interface is unused, all it seems to require is an external antenna.

    That opens up a whole chapter of conspiracy theories. Can you remotely set a password? Can they remotely deactivate a thinkpad? Could they remotely exploit the bios to execute code?

    Back in 2003 when I tried to add a WLAN card to my A31, the bios complained that the WLAN card wasn’t the twice-as-expensive original IBM card, and refused to boot. Was that because they support the hidden remote access functionality only with their card?

  22. Rachel says:

I read my Xbox’s EEPROM just a couple of days ago using this same tutorial. It is rather fun, but what I really want is a parallel EEP(ROM) reader/writer for hacking older video game systems. It should be easy to make with an Arduino and a couple of shift registers, but I don’t have the right chips lying around.

  23. octel says:

    @tmbinc:

    I don’t know about conspiracy theories, but I do know that IBM tries to screw people by forcing them to purchase “official” IBM parts.
    The solution is to modify the BIOS to disable checking of the WLAN card model, using a utility called NO-1802.

  24. octel says:

Wish someone would reverse-engineer the PC8394 utilities so that you don’t have to pay insane amounts of money to get your computer unlocked. Lame.

  25. casey says:

I wish people would stop using CMOS passwords and forgetting them…. I have a simple tip for remembering them: write the password under the motherboard with a Sharpie. Anyone willing to take out the mobo to hack the CMOS password can just have the password.

  26. cantido says:

    @tmbinc

    Maybe they got a good deal on those parts?

The card lockout stuff going on is a bit lame; if their expansion slots fit the relevant standard, what’s the problem with other standards-compliant hardware going in the slot? I’ve seen worse though; I kind of remember some HP or Compaq boxes requiring drives to have some “tattoo” thing, otherwise the BIOS wouldn’t register them.

  27. Joe Grand says:

    Gaining administrator access on USB authentication tokens (http://tinyurl.com/ybxbavw) and cloning MAC addresses on NICs (http://tinyurl.com/yda5btr) almost 10 years ago.

    The more things change, the more they stay the same.

    Joe

  28. brad says:

    I actually have seen something like this before, but that same guy who would “read” the data for you from this chip doesn’t seem to have his write utility for this chip up anymore. My ThinkPad decided to screw something up in the checksums on this chip shown here, and now the laptop refuses to boot. No amount of mucking about with the battery or anything fixed it, so I can’t really seem to figure out what I can do here. If anyone has any ideas, it would be great if they could post them here.

  29. charlie says:

Hacking ECUs for cars.

  30. Hitek146 says:

    Many laptops built during a certain period lock out non-factory installed MiniPCI wifi cards because the manufacturers stupidly agreed to abide by the FCC’s request to only allow radio cards to operate in the computer if they were the exact same card that was installed in the laptop during the laptop’s FCC certification trials… IIRC…

  31. Jayson says:

I’ve removed the battery in the past to reset the password so that I can force the BIOS to go into default and have it boot from CD to use a program to reset the password on Windows. Taking laptops apart is a pain to do.

  32. dogbert says:

Most vendors use Phoenix BIOSes, and they leave a backdoor open for retrieving the password’s checksum. Other valid passwords can be generated from this without the need for any soldering. I’ve reverse-engineered the protection schemes of generic Phoenix, FSI, Samsung, HP and Compaq BIOSes and published the keygens on my blog: http://dogber1.blogspot.com

  33. gripen40k says:

I’ve used them to read the EDID info from various displays; it is just stored on regular EEPROMs. It has a particular format, but if you look hard enough you can find info on it.

    http://en.wikipedia.org/wiki/Extended_display_identification_data
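The EDID format mentioned above is small and well documented, so here is an added example (mine, not gripen40k’s and not from the linked Wikipedia page) that parses the fixed fields of a 128-byte EDID 1.x base block as read back from a display’s EEPROM: the 8-byte header, the three-letter manufacturer ID packed as 5-bit letters, the little-endian product code and serial, the week/year of manufacture, the version bytes, and the trailing checksum byte that makes the whole block sum to zero mod 256. The sample block is constructed here; `parse_edid_base`, `decode_manufacturer`, `edid_checksum_ok` and `build_sample_edid` are this example’s own names.

```python
"""Added example: parse the fixed fields of an EDID 1.x base block (128 bytes).

The sample block is constructed for illustration; only the header, ID, serial,
date, version and checksum fields are filled in.
"""
import struct

EDID_HEADER = bytes.fromhex("00ffffffffffff00")


def decode_manufacturer(word: int) -> str:
    """Three 5-bit letters packed big-endian into 16 bits, with 'A' encoded as 1."""
    return "".join(chr(((word >> shift) & 0x1F) + ord("A") - 1) for shift in (10, 5, 0))


def edid_checksum_ok(block: bytes) -> bool:
    """Byte 127 is chosen by the vendor so that all 128 bytes sum to 0 mod 256."""
    return sum(block[:128]) % 256 == 0


def parse_edid_base(block: bytes) -> dict:
    """Decode the fixed header fields; raises ValueError on a short or malformed block."""
    if len(block) < 128:
        raise ValueError(f"need 128 bytes, got {len(block)}")
    if block[:8] != EDID_HEADER:
        raise ValueError("bad EDID header")
    (mfg_word,) = struct.unpack_from(">H", block, 8)          # big-endian ID word
    product_code, serial = struct.unpack_from("<HI", block, 10)  # little-endian
    return {
        "manufacturer": decode_manufacturer(mfg_word),
        "product_code": product_code,
        "serial": serial,
        "week": block[16],
        "year": 1990 + block[17],
        "version": f"{block[18]}.{block[19]}",
        "checksum_ok": edid_checksum_ok(block),
    }


def build_sample_edid() -> bytes:
    """Constructed block: manufacturer 'DEL' (0x10AC), product 0x40A0, week 10 of 2010, EDID 1.3."""
    block = bytearray(128)
    block[0:8] = EDID_HEADER
    struct.pack_into(">H", block, 8, 0x10AC)
    struct.pack_into("<HI", block, 10, 0x40A0, 0x4C2D1234)
    block[16], block[17] = 10, 20
    block[18], block[19] = 1, 3
    block[127] = (-sum(block[:127])) % 256  # make the block sum to 0 mod 256
    return bytes(block)


if __name__ == "__main__":
    for key, value in parse_edid_base(build_sample_edid()).items():
        print(f"{key:>13}: {value}")
```

A failed checksum on a real dump usually means a misread on the bus rather than a bad display, so it is worth checking before trusting any of the other fields.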

  34. signal7 says:

    I did this very hack only a month ago for a couple of friends. They even paid me $50 for the service even though I told them it was a learning experience for me and I didn’t want any compensation.

@brad: Take the laptop apart and you’ll see a small battery located somewhere on the motherboard, probably not far from the EEPROM chip. Remove the battery for a few minutes, reconnect it, and then put it all back together. I had to do this for one of the IBM laptops I was repairing where the password wasn’t set but the BIOS was prompting for a password anyway. I had to email the guy that posted the n2408 utility to figure that out, because the contents of the EEPROM didn’t make any sense.

  35. signal7 says:

I should have mentioned as well that the FT232RL chip makes a much better interface for the 24RF08 EEPROM. It can be configured for the correct voltages instead of putting standard serial voltages on the 3.3 V chip and taking the risk of burning out the chip.

  36. DannyX says:

    I have done the same with my Xbox after a crashed softmod.
    Works perfectly!

    Love to do it this way :P

  37. Bob says:

I used that method three years ago, on a rental ThinkPad R40e that was returned with a locked BIOS. It does work! Instead of soldering directly to the IC, I used an IC test clip. The password was readable when the software was set to scancode translation “off” and set to classic mode.

  38. Jian says:

    I need the ThinkPad R40E’s 24RF08CN ROM file. Please email cpubar@gmail.com if you have it.
    Thanks

  39. bob says:

    Any ideas on how to do this with the

    Any idea how to do this on a Compaq nc6320, which is a lookalike business Compaq?

  40. CuteLinux says:

    Compaq nc6320 BIOS password reset
    If Stringent Security is NOT activated, you can follow these steps:
    1) Remove the power cord and battery
    2) Remove the keyboard
    3) Unplug the RTC battery for about five minutes
    4) Plug in the RTC battery once again
    5) Plug in the power cord, but leave the battery out of its bay
    6) Switch the notebook on
    7) Enjoy the cleared BIOS ;)
    8) Enter BIOS setup and restore factory defaults

  41. CDKent says:

    The links to the software are broken

  42. bidomo says:

I’ve tried to read the EEPROM from a T400; it gave me only a 128-byte .bin. Can anyone help?
