Steal The Administrator Password From An EEPROM


Did you forget your hardware-based password and now you’re locked out? If it’s an IBM ThinkPad you may be in luck but it involves a bit more than just removing the backup battery. SoDoItYourself has an article detailing the retrieval of password data from an EEPROM.

The process is a fun one. Disassemble your laptop. Build a serial interface and solder it to the EEPROM chip where the password is stored. Connect this interface to a second computer and use it to dump the data into a file. Download a special program to decipher the dump file and dig through the hex code looking for something that resembles the password. Reassemble your laptop and hope that it worked.

We know that most people won’t be in a position to need a ThinkPad administrator password, but there must be other situations in which reading data off of an EEPROM comes in handy. What have you used this method for?

43 thoughts on “Steal The Administrator Password From An EEPROM”

  1. Reading the contents of an EEPROM on a printer cartridge to see if we could make it use all of its contents, instead of it arbitrarily declaring itself empty.

    We used a different method though: we desoldered the chip and soldered it to an empty EEPROM socket on some RAM (the chip was I2C). Then we used a Linux utility to dump the chip contents.

    In the end we discovered that all we needed to do was set the date backwards on the printer menu, but it was still fun.

  2. I’ve actually done something like this about 6-7 years back. At the time you had to send the dumped memory to this guy in Australia and he’d tell you what it said for like 25 bucks. Still, it was pretty awesome.

  3. I’ve done this before, but better. Dell Latitude laptops have a service tag for identification purposes and so that you can find drivers a heck of a lot easier when searching for them on the Dell website. I was able to replace an EEPROM (I wish I could remember which one now; I’m sure it’s searchable) with a blank one, and I was able to #1 log in to the machine that had this asset/service tag password, and now when you look at the BIOS, #2 see a blank asset tag, so in theory it couldn’t be verified that it was (ahem) misplaced or something...

  4. On many Dells you can just short the data line to ground when first booting the computer, and when the BIOS finds that it cannot read the data on the EEPROM, it goes into service mode. From there you can then clear or re-enter a new password…

  5. Wiping the serial eeprom typically will do the job as well.

    I’ve done that many times: connect up, zero out the EEPROM, reboot the PC and voilà.

    Step 2 is to smack the crap out of the stupid person that set the password.

  6. Yep, new Lenovos (T60 and so on) use a TPM integrated into the IO chip. You can still hack the password, but the method is kept secret by the people who cracked it (AFAIK one from Poland and one from Russia) for obvious reasons (money). You can send the laptop to Poland or just buy the RPC8394 tool from the Russians.

  7. I have recovered a broken Tatung TV by reading back the EPROM, erasing the areas that stored the fine-tuning data, then replacing it. It went from “won’t work on any channel for more than a minute” to “tunes fine”. It lasted about a year before it failed for good.

    This happens a lot on LCD TVs; in fact you can buy EPROMs online for this very reason. (Symptoms include a blue screen, LOL.)

  8. Another useful trick: use a surplus “mains test” LCD screwdriver, as its rubber elastomers are low resistance. Add a salvaged LCD panel connector and some Shapelock and you are cooking with plasma :)

  9. Been meaning to fix up this T22 I’ve had for years. Forgot the admin PW and am dreading the CMOS battery dying. Instructions for reading/decoding the EEPROM have been online for years.
    Thanks for bringing it to the fore again though. Might make me get off my backside and do it!

  10. Did anyone notice that this is an AT24RF08? While http://www.thinkwiki.org/wiki/AT24RF08 states that the RFID interface is unused, all it seems to require is an external antenna.

    That opens up a whole chapter of conspiracy theories. Can you remotely set a password? Can they remotely deactivate a thinkpad? Could they remotely exploit the bios to execute code?

    Back in 2003, when I tried to add a WLAN card to my A31, the BIOS complained that the WLAN card wasn’t the twice-as-expensive original IBM card and refused to boot. Was that because they support the hidden remote access functionality only with their card?

  11. I read my Xbox’s EEPROM just a couple of days ago using this same tutorial. It is rather fun, but what I really want is a parallel EEP(ROM) reader/writer for hacking older video game systems. It should be easy to make with an Arduino and a couple of shift registers, but I don’t have the right chips lying around.

  12. @tmbinc:

    I don’t know about conspiracy theories, but I do know that IBM tries to screw people by forcing them to purchase “official” IBM parts.
    The solution is to modify the BIOS to disable checking of the WLAN card model, using a utility called NO-1802.

  13. I wish people would stop using CMOS passwords and forgetting them... I have a simple tip for remembering them: write the password under the motherboard with a Sharpie. Anyone willing to take out the mobo to hack the CMOS password can just have the password.

  14. @tmbinc

    Maybe they got a good deal on those parts?

    The card lockout stuff going on is a bit lame; if their expansion slots fit the relevant standard, what’s the problem with other standards-compliant hardware going in the slot? I’ve seen worse though. I kind of remember some HP or Compaq boxes requiring drives to have some “tattoo” thing, otherwise the BIOS wouldn’t register them.

  15. I actually have seen something like this before, but that same guy who would “read” the data for you from this chip doesn’t seem to have his write utility for this chip up anymore. My ThinkPad decided to screw something up in the checksums on this chip shown here, and now the laptop refuses to boot. No amount of mucking about with the battery or anything fixed it, so I can’t really seem to figure out what I can do here. If anyone has any ideas, it would be great if they could post them here.

  16. Many laptops built during a certain period lock out non-factory installed MiniPCI wifi cards because the manufacturers stupidly agreed to abide by the FCC’s request to only allow radio cards to operate in the computer if they were the exact same card that was installed in the laptop during the laptop’s FCC certification trials… IIRC…

  17. I’ve removed the battery in the past to reset the password so that I can force the BIOS to go into defaults and have it boot from CD to use a program to reset the password on Windows. Taking laptops apart is a pain to do.

  18. Most vendors use Phoenix BIOSes, and they leave a backdoor open for retrieving the password’s checksum. Other valid passwords can be generated from this without the need for any soldering. I’ve reverse-engineered the protection schemes of generic Phoenix, FSI, Samsung, HP and Compaq BIOSes and published the keygens on my blog: http://dogber1.blogspot.com

  19. I did this very hack only a month ago for a couple of friends. They even paid me $50 for the service even though I told them it was a learning experience for me and I didn’t want any compensation.

    @brad: Take the laptop apart and you’ll see a small battery located somewhere on the motherboard, probably not far from the EEPROM chip. Remove the battery for a few minutes, reconnect it, and then put it all back together. I had to do this for one of the IBM laptops I was repairing where the password wasn’t set but the BIOS was prompting for a password anyway. I had to email the guy that posted the n2408 utility to figure that out, because the contents of the EEPROM didn’t make any sense.

  20. I should have mentioned as well that the FT232RL chip makes a much better interface for the 24rf08 EEPROM. It can be configured for the correct voltages instead of putting standard serial voltages on the 3.3 V chip and taking the risk of burning out the chip.

  21. I used that method three years ago, on a rental ThinkPad R40e that was returned with a locked BIOS. It does work! Instead of soldering directly to the IC, I used an IC test clip. The password was readable when the software was set to scancode translation “off” and set to classic mode.

  22. Compaq nc6320 BIOS password reset
    If stringent security is NOT activated, you can follow these steps:
    1) Remove the power cord and battery
    2) Remove the keyboard
    3) Unplug the RTC battery for about five minutes
    4) Plug in the RTC battery once again
    5) Plug in the power cord, but leave the battery outside its bay
    6) Switch the notebook on
    7) Enjoy the cleared BIOS ;)
    8) Enter BIOS setup and restore to factory defaults
