BIOS password cracking

[Dogbert] took a look at the security that goes into BIOS passwords on many laptops. He starts off with a little background about how the systems work. People are bound to forget their passwords, so when you enter a wrong one three times in a row you get a message similar to the one above that locks you out until all power is removed from the system (then you get three more tries). But check out that five-digit number in the picture. That’s a checksum of the password. Some BIOS versions display it automatically, some require you to hold down a certain key during POST, but it’s the pivotal data needed to crack the password.

[Dogbert's] post doesn’t go into verbose detail about the algorithms he uses to brute force the passwords. But he has posted the Python scripts he uses to do so. Learning how to generate the passwords based on the checksum is as simple as studying the code, which is often the best way to learn.

Comments

  1. Junkman says:

    I always just flash the BIOS. It works using a jumper setting and takes just a minute or two.

  2. Marvin says:

    When you have a Thinkpad with that damn 24RF04 EEPROM you’re fucked. Or you pay some shithead to decode things for you or to get a completely new EEPROM file with working checksums…

  3. xorpunk says:

    Looking at the code is easier said than done. Most vendors use obfuscation on their .ROM and flashers nowadays, and in some cases even in the EEPROM itself. A lot of EEPROM makers even have instructions for acceleration and libs for devs.

    If you have a lot of experience in RCE it’s a piece of cake though. I’ve done some ACPI stuff before doing custom ROM flashing, but they didn’t have security.

    I think it’s stupid to present RCE like it consists of skill sets that are easy to acquire.

    • Smilr says:

      I think the idea was to look at the code that Dogbert provided, rather than at the manufacturer’s ROM code. Dogbert already has an algorithm for taking these checksums and generating possible valid passwords, but his original post didn’t explain that algorithm. Instead, he gave us source code to study from which we could learn his algorithm.

  4. RussWill says:

    It was nice to learn that the phoenix implementation of the CRC-16 contains a rather severe bug… Who knew?

  5. xorpunk says:

    He reversed the algo from shadowed ROM. It is looking at the manufacturer’s code.

    On most systems the BIOS boot block pushes the bulk of the BIOS code into RAM, decompresses it and runs it in an in-between addressing mode. There is no way you’ll reverse these algos off frequency analysis or blind factoring on this many digits.

    Nowadays though the systems have crypto even in the BIOS, so it is easier said than done. Also I’m not talking about checksums, I’m talking about encrypted code under compression with a stub in the boot block.

  6. YHVH says:

    I used to just invalidate the checksum by changing the hashed password on the EEPROM, causing it to prompt for a new password. It worked on my old 386/486 computers, probably works now.

  7. fartface says:

    Why? Simply open the laptop, connect to the chip and blank the password.

    I’ve done this dozens of times. It’s not hard on HP or Dell laptops, and desktops are a complete breeze.

  8. Nova15 says:

    I think I don’t have a fucking clue what the hell you guys are talking about hahaha! XD

  9. NishaKitty says:

    Don’t ever lose your code on a Toshiba, they are hell x.x

    • Mark says:

      My wife did this exact thing: set a BIOS password and forgot it. 95% of my business tax information is on the computer, three unpaid years! The IRS doesn’t care one bit so interest and penalties are running.

      Can you tell me which direction to run screaming? I’ve tried almost all of them. :-(

  10. DarkFader says:

    @Marvin: try a tweezer attack?

  11. Maave says:

    Cool, this is useful. BIOS recovery programs have failed on the Compaqs I’ve tried; now for some fancy button pressing to recover the checksum instead.

  12. logan says:

    Hm. I looked at the page; my computer is an HP dv5 and my hash had 8 characters… none of his files fit that even though it says he has an HP one.

  13. Captain Zilog says:

    I just used this about 2 weeks ago to crack the password stored on a Compaq N610c laptop.

    Worked perfectly!

    There are times where removing the CMOS battery doesn’t work, or worse yet, requires nearly complete disassembly of the laptop.

    This will save you a LOT of time.

    For Marvin’s Thinkpad above – depending on the model, you may be able to do this yourself.

    Otherwise, you’re best off buying a pre-flashed BIOS chip for your machine.

    If you have a machine with a TPM chip… Good luck… Some can be read (read: $$$), others can’t…

  14. Captain Zilog says:

    @NishaKitty: Have you tried making a Toshiba password dongle (hint: Google is your friend)?

    That blanks a lot of passwords on Toshibas…

  15. draeath says:

    @junkman:

    That’s not flashing… not even close.

  16. I actually had somebody sell me a Dell D610 because it had a password on the BIOS and the EU couldn’t remember or figure it out. After a night of googling I found a guy who hooked me up with some info and I ended up taking a paper clip to short two spots on the motherboard while I powered it on. The laptop restarted and the password was gone. That was in the summer of 2006, so sorry for the vague details.

  17. Digital says:

    I used to just take the lithium battery out and wait a second, replace the battery, and voila! Password gone.

  18. Sörn says:

    A friend of mine did it the hard way: identify the EEPROM on the mainboard, dump, modify and then rewrite it… Though it seems the IBM/Lenovo laptops don’t show the checksum to the user.

    Here’s the Project:

    http://das-labor.org/wiki/Thinkpad-EEPROM-Reset

  19. xorpunk says:

    Most of this stuff is Bob-the-local-PC-tech level stuff. The RCE is obviously over most people’s heads.

    He didn’t figure out the algo by analyzing the displayed code.

  20. blue carbuncle says:

    @marvin can you not just do a BIOS update with the IBM utility and reload the default BIOS? It will probably require a USB floppy drive or boot from USB if that option is possible. May save you some time and money. If IBM doesn’t have a utility, try going to the manufacturer’s website (Award, AMI, etc.) and get their utility :)

  21. jyfg says:

    doesn’t go [...] to brute force the passwords. But he has posted the Python scripts.

    If he is stupid enough to use Python scripts to brute force a password, I’d rather not want to know his algorithm…

  22. Don says:

    Crypto is actually extremely rare in BIOS. But much of it is compressed. OEMs want to use the smallest possible flash parts they can, so compression helps with that.

    You won’t get all the BIOS, but you can usually dump the 0xF000 segment and get the ‘runtime’ code at the very least; certainly the password routines are in there.

    At least in the BIOS world, there are no standards used for the password system. The details of how it is stored and handled are entirely up to both the ODM and IBV. It is even possible for a separate microcontroller to handle the entire process so even the hash is never stored where it could be dumped.

    As for the old pull-the-battery trick, this depends on the BIOS using the battery-backed ‘CMOS’ that, IIRC, is part of the RTC. It has become increasingly common to dedicate a block or two on the flash part to store nonvolatile data rather than using the battery-backed RTC CMOS. So pulling the battery won’t accomplish much. But it is not that uncommon to have a jumper to clear a system’s passwords.

  23. xorpunk says:

    Regarding Thinkpad: they have a boot block procedure too. If you can’t find the recovery procedure you order a new chip for like 10 bucks.

    Actually IBM isn’t the worst; HP/Compaq is, and their accessible support (forums etc.) is beyond useless. I’ve never seen an x86 BIOS that didn’t have a boot block restore procedure, but they usually work on an IDE or SATA link only.

  24. Blade says:

    I just pull out the CMOS battery, and in like 14 minutes with the cord and everything out, everything’s at default.

  25. t&p says:

  26. mrb says:

    I did something similar years ago. The BIOS password hash is often stored in the 128/256-byte CMOS RAM. I read the password hash from there (/dev/nvram) and disassembled / reverse engineered a couple of BIOS to crack the hash and show a list of possible passwords:

    http://www.zorinaq.com/bpwd/

  27. demonstech says:

    The best way to recover is to just disassemble the whole laptop, de-solder the CMOS battery and solder it again… then assemble the laptop, and now you can go on. It’s a little technical, but it’s the easy method without going for the above method…

  28. sp00nix says:

    Awesome! Worked like a charm, Acer, Phoenix BIOS.

  29. p52 says:

    Doesn’t work for Gateway FX P-172X generating 5 digit code 07340, very disappointed. Guess I gotta fork up 130 USD to the manufacturer just for a password, can’t believe no one has cracked this thing yet.

    Worst thing is I can use the comp just fine but I wanna change some clock settings and I cannot.
    So it isn’t even protecting anything, just blocking me from my damn clock settings.

  30. Aotpust says:

    I have a Toshiba Satellite A210 – 169 with a BIOS password. When I enter a wrong password 3 times I don’t get a hash code back. Do you know what the solution is? Thx

  31. cnewman402 says:

    If this does not work try my tutorial: http://youtu.be/9rNsUeI3kHQ
