Laptop BIOS password recovery using a simple dongle

laptop_bios_reset

In his line of work, Instructables user [Harrymatic] sees a lot of Toshiba laptops come across his desk, some of which are protected with a BIOS password. Typically, in order to make it past the BIOS lockout and get access to the computer,  he would have to open the laptop case and short the CMOS reset pins or pull the CMOS battery. The process is quite tedious, so he prefers to use a simpler method, a parallel loopback plug.

The plug itself is pretty easy to build. After soldering a handful of wires to the back of a standard male D-sub 25 connector in the arrangement shown in his tutorial, he was good to go. When a laptop is powered on with the plug inserted, the BIOS password is cleared, and the computer can be used as normal.

It should be said that he is only positive that this works with the specific Toshiba laptop models he lists in his writeup. It would be interesting to see this tried with other laptop brands to see if they respond in the same way.
Since no laptops are manufactured with parallel ports these days, do you have some tips or tricks for recovering laptop BIOS passwords? Be sure to share them with us in the comments.

Comments

  1. NishaKitty says:

    I’m not sure why this made the news it is old as and doesn’t even work on the latest models of Toshiba since no one uses LTP ports on laptops anymore as far as I know. Slow news day?

  2. HeavyPropsGuy says:

    hmm… it’s not that big of a deal with my HP, since the CMOS battery is really easy to get to…

  3. T.Blair says:

    Used to work, about 6 years ago :)) . Nowadays most bios pw (challenge/ response ) are insanely easy to remove via keygen
    or failing that some hw method, eeprom on the board itself

    most time i only need bios to boot from cd/dvd and re-install, usually on encrypted boot in which case
    sometimes it’s easier to take the hdd out, ofc it will fall
    to 2nd,3rd boot option (cd/dvd), erase partitions + mbr through linux, put hdd back in, cd in then restart it will fail to boot from hdd and just start up cd, obvious but i’ve seen plenty of people wnot think this

  4. Life2Death says:

    Dell latitude e-series are 1 screw away from anything inside

  5. toodlestech says:

    haha laptops haven’t had printer ports in over a decade!!!! Slow news day indeeed

  6. 3-R4Z0R says:

    Doesn’t work on any current Toshiba model (current being newer than ~2002). It’d be much more interesting if someone found out how to do this to the Satellite Pro U200 I have lying around useless here that I got from a relative once he locked himself out by not knowing the password and disabling the fingerprint reader.

  7. pccrusher says:

    I refurb and resell laptops as a side job. I have collected my fair share of parallel port bearing laptops in my day, though rarely are they locked with a BIOS password.

    I suppose this would be useful if I ever do.

  8. _Matt says:

    My old netbook’s cmos battery was user replaceable.

    However, my new laptop has it hidden under the panel, so I’d have to void the warranty to replace it :|

    But, I was under the impression a BIOS password would only prevent BIOS changes, not booting an OS.

  9. M4CGYV3R says:

    For the record, instructables is not a good place to search for hacks. This is useful, but is older than the internet. Only one of my four PCs even uses BIOS anymore. They’re all on to UEFI now.

  10. error404 says:

    I think most laptops these days are using EEPROM to store the passwords which makes it a bit more difficult. Laptops with a TPM may use that to store it, making it virtually impossible.

  11. Nolan says:

    Toshiba’s from ~2-5 years can randomly get BIOS passwords if the BIOS wasn’t updated. Usually clearing it involves unplugging the AC adapter and battery, opening the memory bay, removing the memory and then jumping a solder pad for about 15-30 seconds. It varies for each series, but J1 open is a pretty common label. You may have to peel back plastic film to get to it too. If you do succeed in removing a random one, make sure you grab the newest BIOS update so it doesn’t happen again. I’d guess I’ve taken off 10-15 in the past few years with this method.

  12. Nolan says:

    @3-R4Z0R
    If you want to take a picture from inside the memory compartment with the memory removed I can maybe tell you which ones to try. Often it’s will look like a T stuck inside of a U or two triangles forming a diamond. Or if you can give me the model number (All U200s should be the same, but just in case), I can try to get the info from a Toshiba maintenance manual.

  13. jordan says:

    I had an old toshiba laptop with a password from a relative. the loopback connector didn’t work, killing cmos batteries didnt work, and I ended up guessing the password with the power of human nature and social engineering.

  14. Mike says:

    A more useful look at this would be from a previous article http://hackaday.com/2010/10/07/bios-password-cracking/ . A guy by the name of Dogbert has a blog where he points out flaws in the password and bios passwords that companies release with their computers. He releases scripts to calculate the passwords from the checksums given by the bios. It takes an extra computer and python, but I think it would be a little easier to come by then hoping the computer is a toshiba with an lpt port.

  15. KD says:

    Apple/Mac Laptops
    Depends on the model, but it generally comes down to:
    do a pram+nvram reset (google this)
    if you can’t, and there’s a boot/OF/EFI password, remove the ram (change the modules out for a different quantity of memory)
    also, check the hard disk for any efi stuff and remove that, the mac may boot that first

  16. supershwa says:

    Yeah this is an ancient hack. Did it myself many years ago with an old printer cable and soldering iron. Still have the loopback dongle in a drawer, with lots of dust on it. ;p

  17. John says:

    Newer Dell Lattitude laptops are even worse. I couldn’t find the bios or CMOS battery. Everywhere I’ve been says you have to call Dell for an unlock code. They’ll only provide it if you know the exact name of the person who originally purchased the laptop.

  18. jasonpctech says:

    I re-sold these in the early 90’s on ebay for the old Toshiba Satellite models. took 5 min to make them by hand and sold for like $60 back then. I doubt there are too many older laptops around that this would work on now. Can I post that trick where you add a notch to a single sided floppy disk to make it double sided?

  19. David says:

    As already said this is very old news, I made one about 3 years ago with some innards for cat5e when a customer came to my last place of work with a laptop they couldn’t access and a quick google revealed that to be the easiest fix.

  20. Chris W says:

    Here’s a real old one for Toshiba laptops that will probably work if it has a floppy drive. Take a floppy disk and hex edit it so that the the first five bytes of the second sector are 4B 45 59 00 00. Boot with the floppy in the drive and you will be able to bypass the password and set a new one.

  21. Alex B says:

    I used to work for a warranty repair center in the late 90s. I was Toshiba certified, the dongle came as a repair kit for technicians. We used to charge 50 to 70 to reset it as it was not covered under warranty. Good old days, my first computer job.

  22. Paul Potter says:

    Handy for people like me that have a collection of old computers.

  23. bward says:

    an old hp/compaq service manual I have for one of my older machines says that this works too. pinout might be slightly different, however, but the idea is the same.

  24. Jeditalian says:

    i just pop it in the microwave for 45 seconds. the microwaves erase the password.
    i like when the CMOS battery has its own little access panel, but you don’t see that very often nowadays. I haven’t, anyway.. BIOS passwords p*ss me off because i can’t even boot from USB without it, if it’s set the annoying way. of course, if you really want to protect your data, do that, plus build your computer inside a safe and weld it shut.. or, it’s a safe, just lock it i guess. and bolt it down. and laser tripwires, which text you if tripped, and cameras. overkill!

  25. HaDAk says:

    I wrote a small bit of C code for my Teensy that’ll brute force a bios password, but it’s incredibly slow and only works sometimes (if at all). Not as impressive as this dongle hack, but if you want in to a machine without leaving any traces, and you have plenty of time to kill…it’s an option.

  26. Bas says:

    HaD had an article a while back, it featured this blog: http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html. It’s quite interesting and he has a couple of nice scripts available free of charge. I used a modified version of his script to decode the bios and hdd password, which were luckily set to the same value. The script actually just calculated the hash values from words out of a dictionary, and came up with the right one for the bios password.

  27. Myoso says:

    I got my hands on a Password protected (bios setup) Acer laptop a few years back, I started out trying to reset bios by shorting pins and removing battery, but to no use. However I found that the acer bios flash program had some parameters to use when flashing, these were not accessible via the default appname.exe /?. I found them by opening the flasutil in a hexeditor, it had a parameter for just what i needed “erase bios passwords”. done and done.

  28. This will also work on the Toshiba Portege series. I don’t remember my model number and it worked on that one.

  29. Max says:

    Back in the day when 286’s and 5″ floppy disks were the cutting edge, the “antivirus” solution of our university was to disable said floppy disks (and password the BIOS, of course). Some of us who knew the trick used to be able to sit down at the MS-DOS command prompt then type in and execute ~5 assembly instructions in DEBUG which overwrote the BIOS checksum. At which point the BIOS panicked and readily let us in to enable the floppy drive without a password… ;)

  30. 3-R4Z0R says:

    @Nolan: Could you contact me via Skype (decryphe) or e-mail (sjoekvist@…that big hot email service)?

  31. ganmaoyao says:

    Which Computer? Is it a bios/cmos password? You can get help from these tutorials.

    How to Reset IBM ThinkPad T30 BIOS Password

    http://findpassword.net/how-to-reset-ibm-thinkpad-t30-bios-password/

    Reset Toshiba Satellite BIOS Password

    http://findpassword.net/reset-toshiba-satellite-bios-password/

    Reset HP / Dell BIOS Password

    http://findpassword.net/reset-hp-dell-bios-password/

    Reset ACER Aspire 3610 BIOS Password – Only 8 Steps

    http://findpassword.net/reset-acer-aspire-3610-bios-password-only-8-steps/

  32. jeff says:

    was it lshift-insert or lctrl-insert, i dont remember.. but if you loaded the keyboard buffer with that when hard resetting, it would clear everything taking the password with it.

    hey it worked 15 yrs ago, maybe it’s still implemented?

  33. holly_smoke says:

    CMOS battery for holding password in memory? Man, this must be a very old laptop (1990s?).

    As above, they switched to EEPROM in most cases. The EEPROM would usually be a small SOIC8 package that was even silkscreen identifiable as “PWD1″ or something similar.

    If you were not inclined to dig out an eeprom reader, it was simlpy a case of shorting two pins together and booting up the laptop. This caused the eeprom to erase itself and wipe the password.

    Had this a few times on DELL machines, you can find exact details on google.

    Also as posted above, it’s all old hat anyway. Look up the guy “Dogbert”. He has reversed engineered a lot of BIOS and given away password calculation algo’s free.

    Some bad bad people have even put his free work into commercial products. If you are stupid enough, you may have purchased a calc yourself off ebay.

  34. 3-R4Z0R says:

    @ganmaoyao: Thanks for that link to the Toshiba version. I haven’t tried it yet (I’m still at university), but it might even work, since any other methods have failed. Maybe this doesn’t work either, since it’s a Satellite Pro U200 that my father’s friend bricked. Supposedly the Pro series are safer than the regular ones.

  35. will says:
  36. Martin says:

    Simpler would be to use a simple boot-drive loaded with EveryAdminsFave: KillCMOSS.

    Been out for years and years and…

  37. DarkFader says:

    The BIOS password isn’t all that important. Just rip out the hard drive and throw away the rest.

  38. yeah, i used this trick too back in “the old days” (1998!)
    I see that they finally killed Debug on Windows 7, but not the “Save as *.com” in Notepad.

    Interestingly many older password protected HDDs can be um, unsecured by simply running a manufacturer’s tool across them which initiates an LLF using the onboard controller.
    Takes an hour or so but at least the drive is useable again minus the data.

  39. moleyboy says:

    I remember this article: http://uk.lifehacker.com/5676258/decode-a-laptop-bios-password-using-a-simple-checksum-script

    from Lifehacker a few months ago. This is what I’ve used about 5 times since and it has always worked. may only work on newer laptops though?

    Moleyboy

  40. Doc says:

    yo, dudes
    any thought about reseting or decrypting a SafeGuard Easy laptop ?, its a preboot mbr encrypt with an kernel core on a hidden clusterpart on the hdd. its a dell latitude E4200

    Doc

  41. Dave Merrick says:

    I have a Toshiba Satallite T30-10s and the bios
    was passworded tried loads of suggestions but Nolans suggestion was spot on,to reset takes 1 minute all you have to do is remove the wifi card cover and just by the side of the card (the one with the black and gray wires) is J1 is 2 solder points remove the battery short out the 2 solder points for about 20 seconds put back to gether and hey presto no more password
    Cheers Nolan you are a star ***

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 94,486 other followers