Last, but not least, here's the version for the 5 decimal code:
Script
Windows Binaries
Please report back on which models the script works with.
Edit: A more thorough explanation is here.
Wednesday, April 22, 2009
Thursday, April 9, 2009
Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit, Part Deux
Apparently, FSI hasn't done a much better job for the Amilo Pro series: this time, they've used the table of the CCITT-CRC16 algorithm (!) for a rather simplistic hashing algorithm. Lesson learned: never trust your data with security schemes which rely purely on obfuscation.
I have released the script and binaries for Windows under the GPL.
I want to thank blAck for providing me with some memory dumps which have made the reverse engineering considerably easier.
Update: I've made slight adaptations to the script so it should also work for 5x4 hexadecimal codes.
Edit: A more thorough explanation is here.
Monday, April 6, 2009
Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit
Some time ago, I managed to get a base unit of a Fujitsu Siemens notebook for little money from a seller who runs a business repairing defective laptops. Because both the supervisor and the user password had been set in the BIOS of the notebook's mainboard, he didn't have any use for it. The manufacturer offers quite an expensive service to remove the password, and the fee for this greatly exceeds the overall value of the board. Hence he was happy to sell it to me.
I welcomed the challenge to hack the board, and finally I had some free time to get my hands dirty. After a deep dive into the gruesome world of 16-bit assembly, I have found a way to override any password: if a certain sequence of passwords is entered (3hqgo3, jqw534, 0qww294e), you get a 5x4-digit code from which a master password can be calculated. Finding the hashing function was just a matter of time, and I've written a small script which re-implements the algorithm. It's been released under GPL here: http://sites.google.com/site/dogber1/blog/pwgen-fsi-5x4dec.py. Binaries for Windows are available here. The script should work for most Lifebook and Amilo series laptops.
Overall, the password protection is much weaker than I anticipated: there's a custom IC on the board (MB90378) which could have easily been used for checking the password in a much more secure manner, but apparently their security relies on the somewhat inherent obfuscation of the BIOS. Not their brightest call...
Edit: A more thorough explanation is here.