Monday, April 6, 2009

Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit

Some time ago, I managed to get a base unit of a Fujitsu Siemens notebook for little money from a seller who runs a business repairing defective laptops. Because both the supervisor and the user password have been set in the BIOS of the notebook's mainboard, he didn't have any use for it. The manufacturer offers quite an expensive service to remove the password, and the fee for this greatly exceeds the overall value of the board. Hence he was happy to sell it to me.
I welcomed the challenge to hack the board, and finally I had some free time to get my hands dirty. After a deep dive into the gruesome world of 16 bit assembly, I have found a way to override any password: if a certain sequence of passwords is entered (3hqgo3, jqw534, 0qww294e), you get a 5x4 digits code from which a master password can be calculated. Finding the hashing function was just a matter of time, and I've written a small script which re-implements the algorithm. It's been released under GPL here: http://sites.google.com/site/dogber1/blog/pwgen-fsi-5x4dec.py. Binaries for Windows are available here. The script should work for most Lifebook and Amilo series laptops.

Overall, the password protection is much weaker than I anticipated: there's a custom IC on the board (MB90378) which could have easily been used for checking the password in a much more secure manner, but apparently their security relies on the somewhat inherent obfuscation of the BIOS. Not their brightest call...

Edit: A more thorough explanation is here.