Project Fail: Cracking A Laptop BIOS Password Using AI

Whenever you buy used computers there is a risk that they come with unpleasant surprises that are not of the insect variety. These range from Apple hardware that is iCloud-locked with the original owner MIA to PCs that have BIOS passwords, and some are more severe than others. BIOS passwords tend to be more of an annoyance that’s easily fixed by clearing the CMOS memory, but this isn’t always the case, as [Casey Bralla] found with a formerly student-issued HP ProBook laptop purchased off Facebook Marketplace.

Perhaps because HP figured that locking down access to the BIOS is essential on systems that find their way into the hands of bored and enterprising students, these laptops write the encrypted password and associated settings to a separate Flash memory rather than to CMOS. Although a master key purportedly exists, HP’s policy here is to replace the system board. Further, while there are some recovery options that do not involve reflashing this Flash memory, they require answers to recovery questions.

This led [Casey] to try brute-force cracking, starting with a Rust-based project on GitHub that promised much but failed to even build. Undeterred, he tasked the Claude AI with writing a Python script to do the brute-forcing via the Windows-based HP BIOS utility. The chatbot was also asked to generate several lists of candidate passwords seeded with some human guesses.

After six months of near-continuous attempts at nine seconds per try, this method had failed to produce a hit, but at least the laptop can still be used, just without BIOS access. Clearing that pesky UEFI BIOS administrator password may require [Casey] to work up the courage to do some hardware hacking, which at least suggests that HP’s BIOS security is fairly good.

24 thoughts on “Project Fail: Cracking A Laptop BIOS Password Using AI”

  1. Sounds quite complicated compared to, say, the 90s, e.g. AMIBIOS, when all you needed was a friend with a similar release, a few reboots to figure out which positions the password was stored in, followed by zeroing of those bytes in the target’s BIOS backup and a quick reboot…all with nothing more than a little patience and some Turbo Pascal.

  2. I remember looking up how to remove the password on my ThinkPad, just to see if it was even possible. It was, but it required me to open it up and dump the BIOS, send the dump along with $60 to some dude in Eastern Europe so he can insert a UEFI driver that somehow bypasses Boot Guard, then flash that modified image back so the driver can actually erase the password.

    Meanwhile the average desktop requires just shorting a couple of pins.

    1. This is a generic way to bypass any password when the BIOS is stored on an external chip. You just short the input pin of the chip to ground for a moment while the computer wants to access it and release it after entering the BIOS (which is empty because the read wasn’t successful). Then you proceed to change the password to a known one, then you reboot your computer with these changes made.

  3. I’ve read somewhere once (“tell me you have a bad memory without telling me you have a bad memory”) that the aim was to crack a password and the “cracker” realized that when the tried password had some correct characters, the reply of being a bad password would take longer than when it didn’t have any good characters. Maybe that could help or maybe I’m talking rubbish…

    1. It’s the case on non-hardened/non-constant-time algorithms when you can use side channel analysis (timing attack) to infer if a password (or hash of it) is good or not. It’s kind of rare in the field.
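To make the reply above concrete, here is an added example (not from the article or any commenter) contrasting an early-exit comparison with a constant-time one. The count of characters examined is a deterministic stand-in for elapsed time, and the secret and guesses are constructed sample values.

```python
import hmac

# Constructed sample secret; real checks compare stored verifiers, not plaintext.
SECRET = "abcd"


def naive_equal(candidate: str, secret: str) -> tuple[bool, int]:
    """Early-exit comparison. Returns (match, characters examined).

    The work grows with the length of the correct prefix, so on an
    unhardened check the response time reveals how much of the guess
    is right. The counter models that time deterministically."""
    steps = 0
    if len(candidate) != len(secret):
        return False, steps
    for a, b in zip(candidate, secret):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equal(candidate: str, secret: str) -> tuple[bool, int]:
    """Comparison whose loop structure does not depend on the data.

    Every position of the secret is examined and the length mismatch is
    folded into the same accumulator, so a mismatch at position 0 costs
    the same as one at the last position. Python itself gives no timing
    guarantees, which is why production code uses stdlib_equal below."""
    steps = 0
    diff = len(candidate) ^ len(secret)
    # Pad or trim the guess so the loop always runs len(secret) times.
    padded = candidate.ljust(len(secret), "\0")[: len(secret)]
    for a, b in zip(padded, secret):
        steps += 1
        diff |= ord(a) ^ ord(b)
    return diff == 0, steps


def stdlib_equal(candidate: str, secret: str) -> bool:
    """The standard library's constant-time comparison."""
    return hmac.compare_digest(candidate.encode(), secret.encode())


def leak_profile(compare, secret: str, guesses: list[str]) -> list[int]:
    """Work done per guess; a profile that varies with the guess is the side channel."""
    return [compare(g, secret)[1] for g in guesses]


if __name__ == "__main__":
    guesses = ["zzzz", "azzz", "abzz", "abcz", "abcd"]
    print("naive   :", leak_profile(naive_equal, SECRET, guesses))          # [1, 2, 3, 4, 4]
    print("hardened:", leak_profile(constant_time_equal, SECRET, guesses))  # [4, 4, 4, 4, 4]
```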

    1. I reference that comic all the time, usually when I get “the look” after someone asks for my Wi-Fi password 🤣

      Former favorites:
      rubberbabybuggybumpers
      tallgiraffeseatleaves
      humpbackwhalesarescaredofheights
      lotofheliumtothrowahippo

      Sadly, the best passwords are often unusable, thanks to password length restrictions.

    2. And yet most businesses, including at enterprise level, banks, etc., all seem to want us to continue to use combinations of upper, lower, “special character” and number.
      Then tell us not to write it down.

      Why on earth is this?

      1. Combination of things. Part of it is regulations (PCI, FBA), and the fact that financial institutions are notoriously late and slow to change and adopt new standards (like for NIST).

        The other part is legacy software or systems that have limits on character length, but more capability re: supporting different character sets. How do you gain security with a max of 12 chars? Combinations of upper, lower, number and non-alphanumeric. It’s also (usually) easier to overlay some sort of MFA and not worry as much about shorter, weaker passwords (and work to eliminate SFA).

    1. Please, point out the instructions to do that on this specific laptop, instead of just “hey you can connect some wires and use some magic code that I assume exists but I’m too lazy to look for”.

      The smart, obvious thing is not to make comments this pointless.

    2. I sure got excited about the confidence with which you used the phrase ‘TSOP clip’. I could see the product in my mind’s eye and I would just love to imagine that it’s cheap and common these days. But Google Shopping didn’t turn up a hit in the first page of results so :(
