Project Fail: Cracking A Laptop BIOS Password Using AI

Whenever you buy used computers there is a risk that they come with unpleasant surprises that are not of the insect variant. From Apple hardware that is iCloud-locked with the original owner MIA to PCs that have BIOS passwords, some of these are more severe than others. In the case of BIOS passwords, these tend to be more of an annoyance that’s easily fixed by clearing the CMOS memory, but this isn’t always the case as [Casey Bralla] found with a former student-issued HP ProBook laptop purchased off Facebook Marketplace.

Maybe it’s because HP figured that locking down access to the BIOS is essential on systems that find their way into the hands of bored and enterprising students, but these laptops write the encrypted password and associated settings to a separate Flash memory rather than to the CMOS, so the usual CMOS clear does nothing for it. Although a master key purportedly exists, HP’s policy here is to replace the system board. Further, while there are some recovery options that do not involve reflashing this Flash memory, they require answers to recovery questions.

This led [Casey] to try brute-force cracking, starting with a Rust-based project on GitHub that promised much but failed to even build. Undeterred, he tasked the Claude AI with writing a Python script to do the brute-forcing via the Windows-based HP BIOS utility. The chatbot was also asked to generate multiple lists of unique candidate passwords, seeded with some human guesses about what a school IT department might have chosen.

After six months of near-continuous attempts at nine seconds per try, this method failed to produce a hit, but at least the laptop can still be used, just without BIOS access. Getting that back may require [Casey] to work up the courage to do some hardware hacking and erase that pesky UEFI BIOS administrator password. If nothing else, the effort shows that HP’s BIOS password protection holds up reasonably well against an online guessing attack.
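Before committing months of wall-clock time to an online brute force through a vendor utility, it is worth working out what such a run can actually cover. The script below is an added example, not code from the original post or from [Casey]’s Claude-generated script. It takes the two figures the article gives, roughly nine seconds per guess and about six months of runtime, and compares the resulting guess budget against a few assumed keyspaces; the keyspaces themselves are illustrative assumptions, since the article says nothing about the real password’s format.

```python
"""Feasibility estimate for an online, rate-limited password brute force.

Added example, not from the original post or Casey Bralla's script. It
models the situation the article describes (one guess every ~9 seconds
through the HP BIOS utility, for about six months) and shows how little
of any realistic keyspace such a campaign can exhaust. Rate and duration
come from the article; the candidate keyspaces are assumptions.
"""
from dataclasses import dataclass
import string

SECONDS_PER_DAY = 86_400
DAYS_PER_MONTH = 30  # approximation used throughout


@dataclass(frozen=True)
class Keyspace:
    name: str
    alphabet_size: int
    length: int

    @property
    def size(self) -> int:
        """Total number of candidates: alphabet_size ** length."""
        return self.alphabet_size ** self.length


def attempts_in(seconds_per_try: float, months: float) -> int:
    """Number of guesses possible in `months` at `seconds_per_try` per guess."""
    total_seconds = months * DAYS_PER_MONTH * SECONDS_PER_DAY
    return int(total_seconds // seconds_per_try)


def coverage(keyspace: Keyspace, attempts: int) -> float:
    """Fraction of the keyspace exhausted after `attempts` guesses (capped at 1.0)."""
    return min(1.0, attempts / keyspace.size)


def years_to_exhaust(keyspace: Keyspace, seconds_per_try: float) -> float:
    """Wall-clock years needed to try every candidate in the keyspace."""
    return keyspace.size * seconds_per_try / (SECONDS_PER_DAY * 365)


def feasibility_report(seconds_per_try: float, months: float, keyspaces):
    """Return (name, size, coverage, years_to_exhaust) for each keyspace."""
    n = attempts_in(seconds_per_try, months)
    return [
        (k.name, k.size, coverage(k, n), years_to_exhaust(k, seconds_per_try))
        for k in keyspaces
    ]


# Illustrative keyspaces (assumptions; the article does not describe the real password).
KEYSPACES = [
    Keyspace("4-digit PIN", 10, 4),
    Keyspace("6-digit PIN", 10, 6),
    Keyspace("8-digit PIN", 10, 8),
    Keyspace("6 lowercase letters", len(string.ascii_lowercase), 6),
    Keyspace("8 alphanumeric (mixed case)", len(string.ascii_letters + string.digits), 8),
]

if __name__ == "__main__":
    budget = attempts_in(9, 6)
    print(f"{budget:,} guesses in six months at 9 s/guess")
    for name, size, frac, yrs in feasibility_report(9, 6, KEYSPACES):
        print(f"{name:28s} {size:>18,}  covered: {frac:7.2%}  exhaust: {yrs:,.1f} years")
```

Nine seconds per guess for six months is only about 1.7 million attempts: enough to exhaust a six-digit PIN, under two percent of an eight-digit one, and a rounding error against anything alphanumeric. At that rate the only realistic hope is that the password sits in a small, well-targeted wordlist, which is exactly the bet the Claude-generated lists represented, and exactly the bet that did not pay off here.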

2 thoughts on “Project Fail: Cracking A Laptop BIOS Password Using AI”

  1. Sounds quite complicated compared to, say, the 90s, e.g. AMIBIOS, when all you needed was a friend with a similar release, a few reboots to figure out which positions the password was stored in, followed by zeroing of those bytes in the target’s BIOS backup and a quick reboot… all with nothing more than a little patience and some Turbo Pascal.

  2. I remember looking up how to remove the password on my ThinkPad, just to see if it was even possible. It was, but it required me to open it up and dump the BIOS, send the dump along with $60 to some dude in Eastern Europe so he could insert a UEFI driver that somehow bypasses Boot Guard, then flash that modified image back so the driver could actually erase the password.

    Meanwhile the average desktop requires just shorting a couple pins.
