the.red

[py] BIOS Password Backdoors in Laptops


When a laptop is locked with a password, a checksum of that password is stored in a sector of the FlashROM - this is a chip on the mainboard of the device which also contains the BIOS and other settings, e.g. memory timings. For most brands, this checksum is displayed after entering an invalid password for the third time:

[Image: systemdisabled2.JPG]

The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, there are no new penalties such as additional passwords, locks and so on. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing. Another method commonly used is that instead of a checksum, a number is displayed from which a randomly generated password can be calculated. Quite often, vendors also resort to storing the password in plain text, and instead of printing out just a checksum, an encrypted version of the password is shown. Either way, my scripts can be used to derive valid passwords with the hash.

Some vendors have implemented obfuscation measures to hide the hash from the end user - for instance, some FSI laptops require you to enter three special passwords for the hash to show up (see other post). HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for the last time.

Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a matter of trying them all and finding the right one. This is an overview of the algorithms that I took a look at so far:

| Vendor | Hash Encoding | Example of Hash Code/Serial | Scripts |
|---|---|---|---|
| Compaq | 5 decimal digits | 12345 | pwgen-5dec.py |
| Dell | serial number | 1234567-595B, 1234567-D35B, 1234567-2A7B | Windows binary&source |
| Fujitsu-Siemens | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Fujitsu-Siemens | 8 hexadecimal digits | DEADBEEF | pwgen-fsi-hex.py, Windows binary |
| Fujitsu-Siemens | 5x4 hexadecimal digits | AAAA-BBBB-CCCC-DEAD-BEEF | pwgen-fsi-hex.py, Windows binary |
| Fujitsu-Siemens | 5x4 decimal digits | 1234-4321-1234-4321-1234 | pwgen-fsi-5x4dec.py, Windows binary |
| Hewlett-Packard | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Hewlett-Packard/Compaq Netbooks | 10 characters | CNU1234ABC | pwgen-hpmini.py, Windows binary |
| Phoenix (generic) | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Samsung | 12 hexadecimal digits | 07088120410C0000 | pwgen-samsung.py, Windows binary |

The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the binary files (.exe) don't work out for you, install Python 2.6 (not 3.0!) and run the .py scripts directly by double-clicking them.

Please comment on which makes/models the scripts work on and which they don't. Also, be aware that some vendors use other schemes to handle the passwords - among them are e.g. IBM/Lenovo. You are then at the mercy of their service.

Dogbert's Blog: BIOS Password Backdoors in Laptops

//here you can also find the hash algorithm for each laptop brand (py code)
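Why a short displayed checksum is a weak lock, as an added example that is not part of the original post or of Dogbert's scripts: `toy_checksum` is a constructed stand-in built on CRC32 (not any vendor's algorithm), and `find_collision`, `ALPHABET` and the sample password are likewise assumptions. It shows that a 5-digit code has only 100,000 possible values, so a short input with the same code turns up after a small search no matter how strong the real password is.

```python
import itertools
import string
import zlib

# Candidate alphabet for the search (an assumption of this example).
ALPHABET = string.ascii_lowercase + string.digits


def toy_checksum(password, digits=5):
    """Constructed stand-in: CRC32 reduced to `digits` decimal digits.
    This is NOT any vendor's algorithm."""
    value = zlib.crc32(password.encode("ascii")) % 10 ** digits
    return str(value).zfill(digits)


def find_collision(displayed, max_len=4):
    """Search candidates shortest-first for any input whose checksum equals
    the displayed code. Returns (candidate, guesses) or (None, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(ALPHABET, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if toy_checksum(candidate, len(displayed)) == displayed:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    real = "Correct-Horse-Battery-9!"  # constructed sample password
    code = toy_checksum(real)
    found, guesses = find_collision(code)
    print("displayed code :", code)
    print("colliding input:", found, "after", guesses, "guesses")
    print("same as real password?", found == real)
```

For a firmware designer the takeaway is that the work needed is bounded by the size of the displayed code, not by the length of the password, so showing any short password-derived value on the lock screen removes most of the protection.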
