
BIOS Password Backdoors in Laptops:

Synopsis: The mechanics of BIOS password locks present in current generation laptops are briefly
outlined. Trivial mechanisms have been put in place by most vendors to bypass such passwords,
rendering the protection void. A set of master password generators and hands-on instructions are given
to disable BIOS passwords.

When a laptop is locked with a password, a checksum of that password is stored in a so-called FlashROM -
a chip on the mainboard of the device which also holds the BIOS code and other settings, e.g. memory
timings.

For most brands, this checksum is displayed after entering an invalid password for the third time.

The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop
and reboot it, it will work just as before. From such a checksum (also called "hash"), valid passwords can
be found by means of brute-forcing.
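The following Python program is an added illustration (not one of the page's pwgen scripts) of why a checksum that is only 5 decimal digits long, as several vendors in the table below use, makes the lock trivial to brute-force: toy_checksum() is a hypothetical stand-in for a vendor scheme, and only its output size is taken from the page.

```python
"""Added illustration (not one of the page's pwgen scripts): why a short checksum
of the BIOS password gives no real protection. toy_checksum() is a HYPOTHETICAL
stand-in for a vendor scheme; only its output size (5 decimal digits) is from the page."""
import itertools
import string

CHECKSUM_SPACE = 100_000  # 5 decimal digits -> at most 100,000 distinct values
ALPHABET = string.ascii_lowercase


def toy_checksum(password):
    """Hypothetical 5-digit checksum, constructed for this example (no real BIOS uses it)."""
    acc = 7
    for pos, byte in enumerate(password.encode("ascii"), start=1):
        acc = (acc * 31 + byte * pos) % CHECKSUM_SPACE
    return acc


def candidates(max_len):
    """All lowercase passwords of length 1..max_len, shortest first."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            yield "".join(chars)


def find_colliding_password(target, max_len=4):
    """Brute force: (password, tries) for the first candidate whose checksum equals
    `target`. A lock that stores only the checksum accepts any such password."""
    tries = 0
    for pw in candidates(max_len):
        tries += 1
        if toy_checksum(pw) == target:
            return pw, tries
    return None, tries


def distinct_checksums(max_len=4):
    """(passwords tried, distinct checksums produced). By the pigeonhole principle
    the second number can never exceed CHECKSUM_SPACE: 475,254 candidates share
    at most 100,000 checksums, so every checksum stands for several passwords."""
    seen = set()
    tried = 0
    for pw in candidates(max_len):
        seen.add(toy_checksum(pw))
        tried += 1
    return tried, len(seen)


if __name__ == "__main__":
    target = toy_checksum("zzzz")  # stands in for the code a locked laptop displays
    pw, tries = find_colliding_password(target)
    tried, distinct = distinct_checksums()
    print(f"code {target:05d}: '{pw}' matches after {tries} tries;"
          f" {tried} passwords give only {distinct} distinct checksums")
```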

The bypass mechanisms of other vendors work by showing a number to the user from which a master
password can be derived. This password is usually a sequence of numbers generated randomly.

Some vendors resort to storing the password in plain text onto the FlashROM, and instead of printing out
just a checksum, an encrypted version of the password is shown.

Other vendors just derive the master password from the serial number. Either way, my scripts can be used
to get valid passwords.

A few vendors have implemented obfuscation measures to hide the hash from the end user - for instance,
some FSI laptops require you to enter three special passwords for the hash to show up (e.g. "3hqgo3
jqw534 0qww294e", "enable master password" shifted one up/left on the keyboard). Some HP/Compaq
laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for
the last time.
Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and
letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a
matter of trying all of them and finding the one that fits your laptop.

It does not matter on which machine the scripts are executed, i.e. there is no need to run them on
the locked laptop.
This is an overview of the algorithms that I have looked at so far:

Vendor                           Hash encoding            Example of hash code/serial   Scripts
Compaq                           5 decimal digits         12345                         pwgen-5dec.py, Windows binary
Dell                             serial number            1234567-595B, 1234567-D35B,   Windows binary & source
                                                          1234567-2A7B
Fujitsu-Siemens                  5 decimal digits         12345                         pwgen-5dec.py, Windows binary
Fujitsu-Siemens                  8 hexadecimal digits     DEADBEEF                      pwgen-fsi-hex.py, Windows binary
Fujitsu-Siemens                  5x4 hexadecimal digits   AAAA-BBBB-CCCC-DEAD-BEEF      pwgen-fsi-hex.py, Windows binary
Fujitsu-Siemens                  5x4 decimal digits       1234-4321-1234-4321-1234      pwgen-fsi-5x4dec.py, Windows binary
Hewlett-Packard                  5 decimal digits         12345                         pwgen-5dec.py, Windows binary
Hewlett-Packard/Compaq netbooks  10 characters            CNU1234ABC                    pwgen-hpmini.py, Windows binary
Insyde H20 (generic)             8 decimal digits         03133610                      pwgen-insyde.py, Windows binary
Phoenix (generic)                5 decimal digits         12345                         pwgen-5dec.py, Windows binary
Sony                             7 digit serial number    1234567                       pwgen-sony-serial.py, Windows binary
Samsung                          12 hexadecimal digits    07088120410C0000              pwgen-samsung.py, Windows binary

The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the
binary files (.exe) don't work out for you, install Python 2.6 (not 3.x) and run the .py scripts directly by
double-clicking them. Make sure that you correctly read each letter (e.g. the number '1' vs the letter 'l').

has also converted my scripts to JavaScript so you can calculate the passwords in
your browser: http://bios-pw.org/ (sources).

Be aware that some vendors use different schemes for master passwords that require the hardware to be
reset - among them are e.g. IBM/Lenovo. If you find that your laptop does not display a hash or the scripts
do not work for you for whatever reason, try to:

- Use a USB keyboard for entering the password, to rule out defects of the built-in keyboard.
- Run CmosPwd to remove the password if you can still boot the machine.
- Overwrite the BIOS using the emergency recovery procedures. Usually, the emergency flash code is
  activated by pressing a certain key combination while powering on the machine. You also need a
  specially prepared USB memory stick containing the BIOS binary. The details depend very much on
  your particular model. Also be aware that this can potentially brick your device and should only be
  done as a last resort.
- Some Dell service tags are missing the suffix - just try the passwords for all suffixes by appending
  -595B, -2A7B and -D35B to your service tag.
- The passwords for some HP laptops are breakable with this script.
- Unlocking methods for some Toshiba laptops are described here.
- Some older laptop models have service manuals that specify the location of a jumper / solder bridge
  that can be set to remove the password.

If none of the above methods work, try the following:

Discharging the Battery Completely:

The first thing to do when you forget your password is to open the case of your computer. If you are
using a desktop computer, discharging the battery is easy: just remove the CMOS battery and leave it out
for a few minutes until the charge has drained completely. If you are using a portable computer such as a
laptop or netbook, you need to remove the back cover and disconnect the jumper connected to the battery.
Leave the jumper disconnected for some time and then put it back in its position.

Bypass using Master Password:

Some computer makers such as Lenovo, Dell, Compaq and Toshiba provide a master password so that you
can still use your computer when you forget your BIOS password. The computer maker holds the master
password. It can be obtained by contacting customer support and telling them the error code (commonly
known as the hash code) displayed after you enter a wrong password. Some third-party websites also offer
a feature to get the master password.
Flashing the BIOS:

Flashing means upgrading the BIOS version. Recently, my netbook showed an error like "Password
Check Fail!! Press any key", and after three attempts it said "System will halt!! Press any key". I felt that
my password was correct, as my netbook had been working fine until the night before. My netbook did not
contain any jumper or a battery at the back inside the case. Upgrading the BIOS solved the problem. After
flashing the BIOS, my netbook worked fine.

Reset BIOS Password by using Software:

Computers that run the Windows operating system have a further option: resetting the BIOS password
with software. A popular program, BIOS/CMOS Password Recovery Tool, can help you recover the
BIOS password; when you boot your computer from the CD provided by that software company, you can
recover the BIOS password. It is a low-cost program. There is also free software for recovering BIOS
passwords: CmosPWD is a freeware tool that can be used to reset your BIOS password.

Replacing the BIOS chip:

If the above methods do not work, you have to replace the BIOS chip, which may cost around $20.
For this, you may have to contact your seller.

Please understand that my motivation for reverse-engineering comes from a personal interest - I will not
accept offers to look at the specifics of certain models. Let me know if any problem arises by dropping
your comments at Softek IT Consult.
Remember, any questions or suggestions are always welcome.

Doc by:
TitusMukisa
TEL: +256782476780
     +256702401917
Softek Systems
