Laptop BIOS Password Recovery Using A Simple Dongle

laptop_bios_reset

In his line of work, Instructables user [Harrymatic] sees a lot of Toshiba laptops come across his desk, some of which are protected with a BIOS password. Typically, in order to make it past the BIOS lockout and get access to the computer,  he would have to open the laptop case and short the CMOS reset pins or pull the CMOS battery. The process is quite tedious, so he prefers to use a simpler method, a parallel loopback plug.

The plug itself is pretty easy to build. After soldering a handful of wires to the back of a standard male D-sub 25 connector in the arrangement shown in his tutorial, he was good to go. When a laptop is powered on with the plug inserted, the BIOS password is cleared, and the computer can be used as normal.

It should be said that he is only positive that this works with the specific Toshiba laptop models he lists in his writeup. It would be interesting to see this tried with other laptop brands to see if they respond in the same way.
Since no laptops are manufactured with parallel ports these days, do you have some tips or tricks for recovering laptop BIOS passwords? Be sure to share them with us in the comments.

49 thoughts on “Laptop BIOS Password Recovery Using A Simple Dongle

  1. I’m not sure why this made the news it is old as and doesn’t even work on the latest models of Toshiba since no one uses LTP ports on laptops anymore as far as I know. Slow news day?

  2. Used to work, about 6 years ago :)) . Nowadays most bios pw (challenge/ response ) are insanely easy to remove via keygen
    or failing that some hw method, eeprom on the board itself

    most time i only need bios to boot from cd/dvd and re-install, usually on encrypted boot in which case
    sometimes it’s easier to take the hdd out, ofc it will fall
    to 2nd,3rd boot option (cd/dvd), erase partitions + mbr through linux, put hdd back in, cd in then restart it will fail to boot from hdd and just start up cd, obvious but i’ve seen plenty of people wnot think this

      1. google is your friend. but in seriousness, you need to look up you laptop for the instructions on getting the challenge/response screen, then call toshiba and they should be able to generate your code for you.

        1. I just got a used HD that I put in a Toshiba Satellite U200 and it asks for a HDD Password as soon as the laptop turns on. There is no boot screen wait time to hit the F8 key for safe mode. In face, as soon as you press the power button it immediately asks for the password. I don’t see any way around this as all options I’ve Googled require me to get into the bios, except I don’t believe it’s a bios password as I can’t do anything once I hit the power button. Any other options besides chucking it?

  3. Doesn’t work on any current Toshiba model (current being newer than ~2002). It’d be much more interesting if someone found out how to do this to the Satellite Pro U200 I have lying around useless here that I got from a relative once he locked himself out by not knowing the password and disabling the fingerprint reader.

  4. I refurb and resell laptops as a side job. I have collected my fair share of parallel port bearing laptops in my day, though rarely are they locked with a BIOS password.

    I suppose this would be useful if I ever do.

  5. My old netbook’s cmos battery was user replaceable.

    However, my new laptop has it hidden under the panel, so I’d have to void the warranty to replace it :|

    But, I was under the impression a BIOS password would only prevent BIOS changes, not booting an OS.

  6. For the record, instructables is not a good place to search for hacks. This is useful, but is older than the internet. Only one of my four PCs even uses BIOS anymore. They’re all on to UEFI now.

  7. I think most laptops these days are using EEPROM to store the passwords which makes it a bit more difficult. Laptops with a TPM may use that to store it, making it virtually impossible.

  8. Toshiba’s from ~2-5 years can randomly get BIOS passwords if the BIOS wasn’t updated. Usually clearing it involves unplugging the AC adapter and battery, opening the memory bay, removing the memory and then jumping a solder pad for about 15-30 seconds. It varies for each series, but J1 open is a pretty common label. You may have to peel back plastic film to get to it too. If you do succeed in removing a random one, make sure you grab the newest BIOS update so it doesn’t happen again. I’d guess I’ve taken off 10-15 in the past few years with this method.

  9. @3-R4Z0R
    If you want to take a picture from inside the memory compartment with the memory removed I can maybe tell you which ones to try. Often it’s will look like a T stuck inside of a U or two triangles forming a diamond. Or if you can give me the model number (All U200s should be the same, but just in case), I can try to get the info from a Toshiba maintenance manual.

  10. I had an old toshiba laptop with a password from a relative. the loopback connector didn’t work, killing cmos batteries didnt work, and I ended up guessing the password with the power of human nature and social engineering.

  11. A more useful look at this would be from a previous article http://hackaday.com/2010/10/07/bios-password-cracking/ . A guy by the name of Dogbert has a blog where he points out flaws in the password and bios passwords that companies release with their computers. He releases scripts to calculate the passwords from the checksums given by the bios. It takes an extra computer and python, but I think it would be a little easier to come by then hoping the computer is a toshiba with an lpt port.

  12. Apple/Mac Laptops
    Depends on the model, but it generally comes down to:
    do a pram+nvram reset (google this)
    if you can’t, and there’s a boot/OF/EFI password, remove the ram (change the modules out for a different quantity of memory)
    also, check the hard disk for any efi stuff and remove that, the mac may boot that first

  13. Newer Dell Lattitude laptops are even worse. I couldn’t find the bios or CMOS battery. Everywhere I’ve been says you have to call Dell for an unlock code. They’ll only provide it if you know the exact name of the person who originally purchased the laptop.

  14. I re-sold these in the early 90’s on ebay for the old Toshiba Satellite models. took 5 min to make them by hand and sold for like $60 back then. I doubt there are too many older laptops around that this would work on now. Can I post that trick where you add a notch to a single sided floppy disk to make it double sided?

  15. As already said this is very old news, I made one about 3 years ago with some innards for cat5e when a customer came to my last place of work with a laptop they couldn’t access and a quick google revealed that to be the easiest fix.

  16. Here’s a real old one for Toshiba laptops that will probably work if it has a floppy drive. Take a floppy disk and hex edit it so that the the first five bytes of the second sector are 4B 45 59 00 00. Boot with the floppy in the drive and you will be able to bypass the password and set a new one.

  17. I used to work for a warranty repair center in the late 90s. I was Toshiba certified, the dongle came as a repair kit for technicians. We used to charge 50 to 70 to reset it as it was not covered under warranty. Good old days, my first computer job.

  18. i just pop it in the microwave for 45 seconds. the microwaves erase the password.
    i like when the CMOS battery has its own little access panel, but you don’t see that very often nowadays. I haven’t, anyway.. BIOS passwords p*ss me off because i can’t even boot from USB without it, if it’s set the annoying way. of course, if you really want to protect your data, do that, plus build your computer inside a safe and weld it shut.. or, it’s a safe, just lock it i guess. and bolt it down. and laser tripwires, which text you if tripped, and cameras. overkill!

  19. I wrote a small bit of C code for my Teensy that’ll brute force a bios password, but it’s incredibly slow and only works sometimes (if at all). Not as impressive as this dongle hack, but if you want in to a machine without leaving any traces, and you have plenty of time to kill…it’s an option.

  20. HaD had an article a while back, it featured this blog: http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html. It’s quite interesting and he has a couple of nice scripts available free of charge. I used a modified version of his script to decode the bios and hdd password, which were luckily set to the same value. The script actually just calculated the hash values from words out of a dictionary, and came up with the right one for the bios password.

  21. I got my hands on a Password protected (bios setup) Acer laptop a few years back, I started out trying to reset bios by shorting pins and removing battery, but to no use. However I found that the acer bios flash program had some parameters to use when flashing, these were not accessible via the default appname.exe /?. I found them by opening the flasutil in a hexeditor, it had a parameter for just what i needed “erase bios passwords”. done and done.

  22. Back in the day when 286’s and 5″ floppy disks were the cutting edge, the “antivirus” solution of our university was to disable said floppy disks (and password the BIOS, of course). Some of us who knew the trick used to be able to sit down at the MS-DOS command prompt then type in and execute ~5 assembly instructions in DEBUG which overwrote the BIOS checksum. At which point the BIOS panicked and readily let us in to enable the floppy drive without a password… ;)

  23. Which Computer? Is it a bios/cmos password? You can get help from these tutorials.

    How to Reset IBM ThinkPad T30 BIOS Password
    http://findpassword.net/how-to-reset-ibm-thinkpad-t30-bios-password/

    Reset Toshiba Satellite BIOS Password
    http://findpassword.net/reset-toshiba-satellite-bios-password/

    Reset HP / Dell BIOS Password
    http://findpassword.net/reset-hp-dell-bios-password/

    Reset ACER Aspire 3610 BIOS Password – Only 8 Steps
    http://findpassword.net/reset-acer-aspire-3610-bios-password-only-8-steps/

  24. was it lshift-insert or lctrl-insert, i dont remember.. but if you loaded the keyboard buffer with that when hard resetting, it would clear everything taking the password with it.

    hey it worked 15 yrs ago, maybe it’s still implemented?

  25. CMOS battery for holding password in memory? Man, this must be a very old laptop (1990s?).

    As above, they switched to EEPROM in most cases. The EEPROM would usually be a small SOIC8 package that was even silkscreen identifiable as “PWD1” or something similar.

    If you were not inclined to dig out an eeprom reader, it was simlpy a case of shorting two pins together and booting up the laptop. This caused the eeprom to erase itself and wipe the password.

    Had this a few times on DELL machines, you can find exact details on google.

    Also as posted above, it’s all old hat anyway. Look up the guy “Dogbert”. He has reversed engineered a lot of BIOS and given away password calculation algo’s free.

    Some bad bad people have even put his free work into commercial products. If you are stupid enough, you may have purchased a calc yourself off ebay.

  26. @ganmaoyao: Thanks for that link to the Toshiba version. I haven’t tried it yet (I’m still at university), but it might even work, since any other methods have failed. Maybe this doesn’t work either, since it’s a Satellite Pro U200 that my father’s friend bricked. Supposedly the Pro series are safer than the regular ones.

  27. yeah, i used this trick too back in “the old days” (1998!)
    I see that they finally killed Debug on Windows 7, but not the “Save as *.com” in Notepad.

    Interestingly many older password protected HDDs can be um, unsecured by simply running a manufacturer’s tool across them which initiates an LLF using the onboard controller.
    Takes an hour or so but at least the drive is useable again minus the data.

  28. yo, dudes
    any thought about reseting or decrypting a SafeGuard Easy laptop ?, its a preboot mbr encrypt with an kernel core on a hidden clusterpart on the hdd. its a dell latitude E4200

    Doc

  29. I have a Toshiba Satallite T30-10s and the bios
    was passworded tried loads of suggestions but Nolans suggestion was spot on,to reset takes 1 minute all you have to do is remove the wifi card cover and just by the side of the card (the one with the black and gray wires) is J1 is 2 solder points remove the battery short out the 2 solder points for about 20 seconds put back to gether and hey presto no more password
    Cheers Nolan you are a star ***

Leave a Reply to edwardCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.