BIOS password cracking

[Dogbert] took a look at the security that goes into BIOS passwords on many laptops. He starts off with a little background about how the systems work. People are bound to forget their passwords, so when you enter a wrong one three times in a row you get a message similar to the one above that locks you out until all power is removed from the system (then you get three more tries). But check out that five-digit number in the picture. That’s a checksum of the password. Some BIOS versions display it automatically, some require you to hold down a certain key during POST, but it’s the pivotal piece of data needed to crack the password: the lockout limits how many guesses you can try on the machine itself, while the checksum lets you generate matching candidates offline.

[Dogbert’s] post doesn’t go into verbose detail about the algorithms he uses to brute force the passwords. But he has posted the Python scripts he uses to do so. Learning how to generate the passwords based on the checksum is as simple as studying the code, which is often the best way to learn.
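To show why a displayed checksum undermines the three-tries lockout, here is an added example that is not Dogbert’s code and uses a constructed toy checksum (not any vendor’s real algorithm) over four-letter lowercase passwords; it measures how far one five-digit code shrinks the candidate set.

```python
import itertools
import string

ALPHABET = string.ascii_lowercase   # assumed password alphabet
LENGTH = 4                          # assumed password length
MODULUS = 100000                    # five displayed digits


def toy_checksum(password: str) -> int:
    """Constructed stand-in for a BIOS password checksum.

    This is a hypothetical hash chosen only so that it spreads over five
    digits; it is NOT the algorithm of any real BIOS.
    """
    h = 0
    for b in password.encode():
        h = (h * 31 + b) % MODULUS
    return h


def candidates_for(code: int) -> list[str]:
    """Enumerate every password in the space whose toy checksum equals code.

    This is the offline step the checksum enables: no machine is touched,
    so the BIOS lockout counter never increments.
    """
    matches = []
    for letters in itertools.product(ALPHABET, repeat=LENGTH):
        pw = "".join(letters)
        if toy_checksum(pw) == code:
            matches.append(pw)
    return matches


def search_space_reduction(code: int) -> tuple[int, int]:
    """Return (passwords in the full space, passwords matching this code).

    With three online tries per power cycle the full space is impractical;
    a five-digit code leaves only a handful of candidates to try.
    """
    total = len(ALPHABET) ** LENGTH
    return total, len(candidates_for(code))


if __name__ == "__main__":
    code = toy_checksum("abcd")     # constructed example password
    total, remaining = search_space_reduction(code)
    print(f"code {code:05d}: {remaining} of {total} passwords match")
```

Dividing the size of the space by the number of distinct codes gives the expected bucket size; here that is roughly 26**4 / 100000, so the checksum leaks almost all of a four-letter password’s entropy.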

34 thoughts on “BIOS password cracking”

  1. When you have a Thinkpad with that damn 24RF04 EEProm you’re fucked. Or you pay some shithead to decode things for you or to get a completely new eeprom file with working checksums…

  2. Looking at the code is easier said than done. Most vendors use obfuscation on their .ROM and flashers nowadays, and in some cases even in the EEPROM itself. A lot of EEPROM makers even have instructions for acceleration and libs for devs.

    If you have a lot of experience in RCE it’s a piece of cake though. I’ve done some ACPI stuff before doing custom ROM flashing, but they didn’t have security.

    I think it’s stupid to present RCE like it consists of skill sets easy to acquire..

    1. I think the idea was to look at the code that dogbert provided, rather than at the manufacturers rom code. Dogbert already has an algorithm for taking these checksums and generating possible valid passwords, but his original post didn’t explain that algorithm. Instead, he gave us source code to study from which we could learn his algorithm.

  3. He reversed the algo from shadowed is looking at the manufacturer’s code..

    On most systems the BIOS boot block pushes the bulk of the BIOS code into RAM, decompresses it and runs it in an in-between addressing mode. There is no way you’ll reverse these algos off frequency analysis or blind factoring on this many digits..

    Nowadays though the systems have crypto even in the BIOS, so it is easier said than done. Also I’m not talking about checksums, I’m talking about encrypted code under compression with a stub in the boot block.

  4. I used to just invalidate the checksum by changing the hashed password on the eeprom, causing it to prompt for a new password. It worked on my old 386/486 computers, probably works now.

  5. Why?? simply open the laptop, connect to the chip and blank the password.

    I’ve done this dozens of times. It’s not hard on HP or Dell laptops, and Desktops are a complete breeze.

    1. My wife did this exact thing: set a BIOS password and forgot it. 95% of my business tax information is on the computer, three unpaid years! The IRS doesn’t care one bit so interest and penalties are running.

      Can you tell me which direction to run screaming? I’ve tried almost all of them. :-(

  6. I just used this about 2 weeks ago to crack the password stored on a Compaq N610c laptop.

    Worked perfectly!

    There are times where removing the CMOS battery doesn’t work, or worse yet, requires nearly complete disassembly of the laptop.

    This will save you a LOT of time.

    For Marvin’s Thinkpad above – depending on the model, you may be able to do this yourself.

    Otherwise, you’re best off buying a pre-flashed BIOS chip for your machine.

    If you have a machine with a TPM chip… Good luck… Some can be read (read: $$$), others can’t…

  7. I actually had somebody sell me a Dell D610 because it had a password on the BIOS and the EU couldn’t remember or figure it out. After a night of googling I found a guy who hooked me up with some info and I ended up taking a paper clip to short two spots on the motherboard while I powered it on. The laptop restarted and the password was gone. That was in the summer of 2006 so sorry for the vague details.

  8. @marvin can you not just do a BIOS update with the IBM utility and reload the default BIOS? It will probably require a USB floppy drive or boot from USB if that option is possible. May save you some time and money. If IBM doesn’t have a utility, try going to the manufacturer’s website (Award, AMI, etc.) and get their utility :)

  9. “doesn’t go […] to brute force the passwords. But he has posted the Python scripts.”

    If he is stupid enough to use Python scripts to brute force a password, I’d rather not want to know his algorithm…

  10. Crypto is actually extremely rare in BIOS. But much of it is compressed. OEMs want to use the smallest possible flash parts they can, so compression helps with that.
    You won’t get all the BIOS, but you can usually dump the 0xF000 segment and get the ‘runtime’ code at the very least; certainly the password routines are there.

    At least in the BIOS world, there are no standards used for the password system. The details of how it is stored and handled are entirely up to both the ODM and IBV. It is even possible for a separate microcontroller to handle the entire process so even the hash is never stored where it could be dumped.

    As for the old pull-the-battery trick, this depends on the BIOS using the battery-backed ‘CMOS’ that, IIRC, is part of the RTC. It has become increasingly common to dedicate a block or two on the flash part to store nonvolatile data rather than using the battery-backed RTC CMOS. So pulling the battery won’t accomplish much. But it is not that uncommon to have a jumper to clear a system’s passwords.

  11. Regarding Thinkpad: They have a boot block procedure too. If you can’t find the recovery procedure you order a new chip for like 10 bucks.

    Actually IBM isn’t the worst.. HP/Compaq is, and their accessible support (forums etc.) are beyond useless. I’ve never seen an x86 BIOS that didn’t have a boot block restore procedure, but they usually work on an IDE or SATA link only.

  12. The best way to recover is to just disassemble the whole laptop and de-solder the CMOS battery and again solder it… and assemble the laptop, now you can go on.. it’s a little technical but the easy method without going for the above method…

  13. Doesn’t work for Gateway FX P-172X generating 5 digit code 07340, very disappointed, guess I gotta fork up 130 USD to the manufacturer just for a password, can’t believe no one has cracked this thing yet.

    Worst thing is I can use the comp just fine but I wanna change some clock settings and I cannot.
    So it isn’t even protecting anything, just blocking me from my damn clock settings.
