Dogbert's Blog

Password Recovery for FSI Amilo Pi Laptops

2012-01-21T16:36:00.000-08:00

I received numerous emails in the past from owners of Fujitsu-Siemens Amilo Pi laptops that got locked up beyond recovery: in a nutshell, a BIOS update or some other minor event has caused the password checksum to be overwritten by a seemingly random number above 2^14 (16384). In conjunction with the butchered CRC16 implementation courtesy of Phoenix, this basically means that there are no valid passwords for checksums above that number, i.e. the laptop has become an expensive paperweight.

However, there is a small backdoor, and that is the BIOS emergency recovery: it's basically the last resort to recover from a bad BIOS update. I've patched out the password check from the binary so it can be used to reset the machine to a valid password. Here's a quick how-to:

Get a USB floppy drive and a floppy - format it to FAT16.
Copy the BIOS file (pi1536, pi1556) as "bios.wph" to the root directory of the floppy.
Remove the battery and power cord from the laptop.
Connect the USB floppy drive to the laptop, then insert the battery, then the power cord.
Press both Ctrl+Home keys while actuating the power button. Keep Ctrl+Home pressed for another 2-3 minutes.
The BIOS is being reflashed - after that, the machine should reboot on its own.
When it boots up, go to setup and set new passwords. If you get asked for a password, just enter a few random characters.
Boot the laptop up again, re-flash the vendor BIOS.
Go to the BIOS, reset all passwords.

That should unbrick your laptop.

Conrado strikes again

2011-12-27T23:56:00.000-08:00

Another fraud victim has sent me an email with this:

It has the same quality as Conrado Davila's previous fraud: he modified my code a bit (removing the GPL license, attributions, etc.), claiming this time that it can calculate Toshiba unlock codes, and sold it to some guy for $460. Interesting, the payment went to "Luis Eugenio Davila de Garate". He probably has burned his personal paypal account and is tapping into the account of a relative now.

In other news, here are some of his clumsy attempts to advertise on youtube, and here is a fan site which he created with all of his skills in a pretty lame attempt to extort me to retract all the information about his scams...

Update 11/1/12: Conrado's getting desperate:

Dell 1D3B

2011-10-09T15:48:00.000-07:00

Surprisingly, it was even easier than older models:
Dell Laptop Master Password Generator.
Copyright (C) 2011 dogbert; 2007-2010 hpgl
Short service tag should be right padded with '*' up to length 7 chars
HDD serial number is right 11 chars from real HDDSerNum left padded with '*'
Some BIOSes has left pad HDD serial number with spaces instead '*'
Input: #ABCDEFG-1D3B
09.10.2011 22:42 DELL service tag: ABCDEFG-1D3B password: xvn0qEeftqyrkG52

In light of this (and this), a pack of monkeys looks sophisticated in comparison to Dell engineers. Also, please don't even bother to send me emails: you're just wasting both our time.

"Donate" Button

2011-09-05T22:12:00.000-07:00

I've been asked a few times to accept donations. Please find a button linking to Animal Rescue International on the right side - I'm quite certain that your donations are better off with them.

Free Unlocker for Palm/HP Phones

2011-07-31T09:40:00.000-07:00

A few weeks back, I ditched my iPhone for good and got my hands on a used Palm Pre. Unfortunately, it was net-locked by the provider. Fortunately, the modem is Qualcomm device and hence, all security features can be bypassed so easily that they appear meaningless in the first place. I've written unlocking scripts that work on every webOS phone, i.e. Palm Pre (Plus), Palm Pre2, Palm Pixi (Plus), HP Veer, or HP Pre3. You do not need a SIM card, and the unlock is perfectly safe, i.e. you can't brick your device. Here's a quick how-to:

Install python 2.6.x (32 bit/x86 version): http://www.python.org/download/releases/2.6/
Windows: Install pywin32 for python 2.6: http://sourceforge.net/projects/pywin32/files/
Install pyserial: http://sourceforge.net/projects/pyserial/files/
Linux: Use your packet manager to install the required libraries, e.g. sudo apt-get install python-serial for Debian based distributions (Ubuntu, Mint, etc.)
Download the unlocker (Pre/Pre2/Pixi, Pre3/Veer) and unpack it (e.g. into the directory C:\unlock)
Calculate the USB passthrough key: go to device info, write down the "Serial Number", and use pre_keygen.py to generate the key from this number. The serial number is also printed on the back of your device and/or underneath the battery.
Start the phone without a SIM card, then start the dialer: either select "emergency call" from the notification area at the bottom and delete the number (911, 112 etc.), or just type "BZ" (#*) on the keyboard. Enter "#*USBPASS# (#*8727277#) in the dialer application and press the dial icon. A window will appear which asks you to enter the passthrough key. After you've done that, select "Diag" for the "USB PORT 1" (only for that port, the rest has to be set to "None").
If you have trouble enabling the passthrough mode, install Preware and install the "Enable USB Passthrough" application from Preware.
Windows: Connect your phone to your machine and install these drivers for the serial diagnostics port (not the R-ACM or any other device). The first time you plug in the phone in diagnostics mode, Windows will ask you for drivers. You can also force the driver installation in the device manager by right-clicking the unknown serial port under "Other devices" and selecting "Update drivers". You might have to acknowledge a few warnings about broken driver signatures.
Linux: Insert the module usbserial module with vendor and product parameters matching the vendor and product ID (lsusb), e.g. sudo modprobe usbserial vendor=0x0830 product=0x8043. You have to make the device file (usually /dev/ttyUSB0) accessible to regular users, or you have to run the unlock script with root privileges.
Run pre_unlock.py / pre3_veer_unlock.py and write down your network unlock code.
If the serial port is not found automatically or if the search is stuck, you can specify it as a command line parameter. Open up a command prompt, navigate to the directory (cd \unlock) and run the unlocker, e.g. pre_unlock.py --diagPort COM5
If the firmware version has not been recognized, update your device to either the latest webOS 1.4.x or 2.x version. If you don't have a Palm account, you can obtain the updater here.
Disable the passthrough mode: enter "#*USBPASS# (#*8727277#) and press the dial icon again. Set "None" for "USB PORT 1".
Shutdown the phone. Put in a SIM card that is not accepted by the phone and boot it up again.
Carefully enter the network unlock code obtained in step 8. If it gets rejected, please contact me with the perso.txt file that has been saved to the directory of the script. Reboot and enjoy your unlocked phone.
If and only if the unlock code does not work for you ("Enter Unblock Code"), try running the script with the parameter --writeBack from the command prompt. After it has completed successfully, reboot your phone and it should be unlocked.
If you need to activate your phone, but your carrier does not support data services, you can try this.

The script should also work for Linux, MacOS, BSD and any other system which has drivers for the USB diagnostics mode and a python interpreter. I'd like to know whether this worked for you, so please leave a comment. Also, all sources of the unlocker have been released under the terms of the GPL. Feel free to hack away with them.

Shmuck of the Week: Alexis Toledo / novatec / biosremoval

2011-04-26T19:08:00.000-07:00

Here's another guy selling passwords to people for ludicrous prices: $35 for 2 minutes of work - not bad. You'd think that he can afford a nice website by now, but it still looks like the final project of a community college web design class in the nineties:

Thankfully, his apparent lack of discernible technical knowledge made it very easy to find docs:
alexis toledo
422 mystic ave
somerville, MA 02145
US
781-330-1378

Another address of someone who is involved with this is:
Edisley Sousa
6xx American Legion Hwy
Rosindale, MA 02131
US

There's a bunch of websites and accounts he operates under:
biosremoval.com
novatecdirect.com
revertendotecnologia.com.br
palmastec@gmail.com
hi5geeksolutions@gmail.com
biosremoval@gmail.com
youtube.com/user/alexisakaedisley

I've been collecting his stuff long ago, but never had the time to award him properly until he sent me this reminder:

Guess what...

If you ever have been foolish enough to send this guy money, please contact the paypal fraud department.

Update 1: I just love emails like that.

Update 2: Alexis resorts to empty threats in LARGE LETTERING. I won't be able to sleep tonight :(.

Roll Call - State of Electronics

2011-03-31T16:52:00.000-07:00

The trailer of Karl von Moller's latest documentary gets my mouth watering:

Roll Call - State of Electronics from karl von moller on Vimeo.

Hopefully, it'll be out soon.

Shmuck of the Month: Sony

2011-03-06T10:30:00.000-08:00

Two types of companies exist: those which are growing and those which are dying. Sony clearly belongs to the latter for over a decade now. The high level of engineering that once made their products excel has been replaced by bland mediocrity and delusional control ideas that are manifested in recent Sony products such as Bluray, the PS3, etc. In their latest act of desperation, they are suing a couple of guys who have successfully hacked the PS3 to bring Linux back to the console after it has been illegally removed in a firmware update. The flaws they used to obtain access to the multi-millon dollar security system can almost solely be attributed to crass design blunders that would have been completely avoidable in the first place.

Sony has a line of laptops ("Vaio") which compete mainly in the high value market segments. They implemented a master password bypass which is rather sane in comparison to the rest of the bunch:

The randomly generated master password is only stored in RAM, e.g. it's lost after the next reboot ("one time password").
RSA is used for encrypting the password which is then converted to a human-readable form (4x4 characters/8 bytes/64 bits).
Their customer support apparently allows for one free password generation per device which is pretty decent by the industry standard.

However, they screwed up by choosing a key length that is just 64 bit and hence too small: an unoptimized python implementation of a general number sieve yields the factors of the key in less than a minute. With these, writing the generator script is an easy exercise:
python pwgen-sony.py
Master Password Generator for Sony laptops (16 characters otp)
Copyright (C) 2009-2010 dogbert

After entering the wrong password for the third time, you will receive a code from which the password can be calculated,
e.g. 73KR-3FP9-PVKH-K29R

Please enter the code:
D63K-XFVF-TK7H-RJKX
The password is: 43878945

I'm not the first one who discovered this: hpgl also reversed this scheme quite a while back. There are even some idiots on eBay who sell these master passwords. Given that my stuff has been exploited by so many greedy idiots in the past, I decided against releasing it. This will hopefully also help to reduce the influx of stupid emails from *@hotmail.com users.
Update: Since I still get a substantial amount of email concerning pwgen-sony.py, let me be perfectly clear: I will neither send you the generator nor generate codes for you. I am not interested in selling the script nor am I a substitute for the Sony support or the lack thereof. Also, I do not endorse nor am I affiliated to any shady service that sells passwords or generators. In fact, I'm in the sole possession of the script so anyone claiming to sell the script to you is clearly attempting to defraud you.

Shmuck of the Month: Conrado Davila / laptoprebirth.com

2011-02-09T19:00:00.000-08:00

Among the many contestants for this award, there are always some who stand out as exceptionally smug. Conrado has successfully gained access to this select class of people. This is an email from the first time he tried to contact me:

By stating that he is "involved in the world of laptop hacking", he actually means that he defrauds people by selling them my stuff for only 40-50 $/password on his website:

Among the clusterfuck of typographical mistakes and perspective errors in his graphics, he has thankfully put his full name and address in the whois record of the domain:

laptoprebirth.com #17036
conrado davila (conradodav@hotmail.com)
eugenio sue 1279 colinas de san jeronimo
Monterrey
,41600
ES
Tel. +34.955842323

respectively

NAME: Conrado Dávila de Gárate
ADRESS: La Luisiana #3
CITY: ARAHAL (SEVILLA)
COUNTRY: SPAIN
POSTAL CODE: 41600

I'm sure that the local DA has an extensive record on him.

The icing on the cake, however, is his sale of my GPL'd code to some gullible sucker for big bucks. That guy actually wanted to buy a generator for the Sony one-time-password stuff from him, so Conrado just modified my 5dec script to the effect that it seems to generate the password from the Sony one-time key. Suffice to say that it doesn't work at all since he has no technical expertise whatsoever. The other thing that he conveniently removed is my authorship of the script. Here's his delivery email:

So this month, the prestigious "Shmuck" award goes to Spain. Congratulations - you earned it!

Yet Another BIOS Broken by Design: InsydeH20

2011-01-23T19:37:00.000-08:00

Seriously, guys? The master password generator is linked in the other post...

Atmel SecureMemory Key Cracker

2010-12-22T19:37:00.000-08:00

A couple of years ago, Atmel started selling EEPROM chips dubbed as "SecureMemory" (AT88SC153, AT88SC1608). These chips are still in use today on many contact smartcards and other devices.
Data sectors on that device can be read-/write-protected by requiring a proprietary challenge-response authentication. In addition, these devices also feature a basic password protection which is reasonably easy to circumvent as flylogic has demonstrated. The challenge-response authentication algorithm is vulnerable to a unroll/meet-in-the-middle attack to the effect that the secret key can be guessed from only a few eavesdropped authentication sessions - researchers from the Radboug University Nijmwegen have published a paper on this a couple of months ago.
I've implemented their attack and recovered keys of several such devices successfully. However, an even more primitive, yet effective vulnerability is a man-in-the-middle attack: an attacker can easily take control of the bus after the authentication / password verification has taken place and inject data at his will. It's not hard to come up with some piece of hardware that does just that. This is also a successful attack against the successor family, the AT88SC...C devices, which implements a slightly better authentication scheme.

Facepalm.jpg

2010-12-21T11:54:00.000-08:00

I've been poking around in the BIOS of a Fujitsu Lifebook A530 (source).
What is wrong with this function:

Shmuck of the Week: 3_2_1_4you / bluechip82

2010-10-20T23:07:00.000-07:00

Here's another gem from eBay that a reader has sent me:

3_2_1_4you's apparent lack of technological knowledge ("dos box tools" etc.) is just the icing on the cake. The epitome of his chutzpah, however, is the price at which he's trying to sell my stuff: $85 - just wow. That easily earns him the glorious "Shmuck of the Week" award.

Update: Apparently, he's now going with the username "bluechip82".

Another One Bites the Dust: HP/Compaq Mini Netbooks

2010-09-11T13:55:00.000-07:00

That was suprisingly easy:

As always, the script (Windows binary) is released under the binding terms of the GPL - let's sit back and watch the decline of eBay prices and the sudden appearance of my code in the tools of the GSM idiots.

Update: I got a couple of emails from folks for which the generated passwords didn't seem to work. It turned out that they confused the number "l" for the letter "1" and vice versa. If you find that it doesn't work for you, copy and paste the generated password from the script into an editor which has a legible typeface.

Shmuck of the Week: Jason Smith / mastermindit.biz

2010-09-08T23:35:00.000-07:00

Here's a screenshot of Jason's awful site:

Designed like it's hosted on Geocities in 1995 - check. Shitty ads - check. Asking for donations without mentioning my site for the extremely hard task of running my stuff - check. So the Shmuck award goes to you, Jason - congratulations, you earned it!

Shmuck of the Week: jebishere

2010-07-10T10:46:00.000-07:00

Among the many, many, many douchebags who just want to make a quick buck from the work of others, a reader of my blog found this gem on eBay:

This is outstandingly presumptuous, and so the 'Shmuck' award goes to jebishere - congratulations!

How to protect better: Secure BIOS Passwords for Laptops

2010-07-04T16:15:00.000-07:00

Since I get a lot of visitors from within the networks of computer vendors (hi guys!), I might as well just give you some hints on how to implement a laptop password in a more secure way. I understand that a lot of your customers forget their passwords and that it's just too expensive for you and your customers to swap the mainboards each time this happens. Also, you are prone to use the lame password implementations of the BIOS vendors. Don't - do your own stuff. Here are a few advices free of charge on how to do better:

Use better hashing functions for the passwords. CRC16, CRC32, etc. are a bad choice - they are invertible, and even if they weren't, a modern machine can find a hash collision within seconds because the keyspace is only 2^32 in size. Various implementations of better algorithms such as MD6 and SHA2 are readily available.
Use the machine's serial number in conjunction with the MAC address of the network card to salt the password before hashing it. If the password isn't set, just use both of these to check a hash stored in your 'NVRAM' anyway. This makes it a bit harder to just clone an EEPROM, FlashROM, or any other chip.
Try to calculate some portions of the algorithm not on the main CPU, but on the keyboard controller - this puts a physical obstacle on reversing the code. Also, provide a secure path for updating the code if the need arises - you don't want to have unencrypted code in your update binaries that can be easily disassembled and reverse-engineered.
If the password can't be verified, generate a random number from the RTC the third time an invalid password has been entered. Salt it heavily with serial numbers (laptop, MAC, CPU, etc.). Then hash it to generate a one-time password (OTP). Use public-key cryptography on the OTP, e.g. elliptic curves. DO NOT STORE THE PRIVATE KEY IN THE BIOS. Output the result to the screen, making sure that it is properly encoded ('O' vs '0', checksums). Do not save the one-time password anywhere. In fact, wipe it from the memory just after it has been encrypted. Make sure that it's really zero'd out everywhere (CPU cache).
When a customer calls the support and asks for a password reset, verify that he is indeed the owner of the laptop. Let him read the encrypted and encoded OTP to you, then calculate the OTP by decoding and decrypting it using your private key.
Do not hand out service tools to your service team which contain the private key. Instead, run a central password service on a server which is secured and can only be accessed with proper authentication. Actively monitor each and every access.
Do not charge customers for resetting a password. That's just lame.

So.. I'm eager to see something more advanced than your current lame attempts at password protection.

How to protect better: The Apple iPhone

2010-06-26T17:09:00.000-07:00

Apple's iPhone is a prime example for a well-engineered netlock protection. To this day, it has remained uncracked in principle: all current and past unlock solutions just patch the firmware running on the baseband modem to the effect that the netlock checks are overriden. These solutions basically inject code into the firmware 'on the fly' by exploiting buffer/heap overflows. A small piece of homebrew code runs on the application processor for just doing that - a jailbreak is therefore a prerequisite for an unlock. These firmware patches can't be permanently applied to the firmware of 3G and later devices because it is signature-checked by the baseband bootloader before it is executed. Whenever Apple decides to update the baseband firmware, they fix the injection holes. Firmware downgrades are blocked, so a way to permanently unlock the baseband has yet to be found for models other than the first iPhone 2G. In a nutshell, the protection works like this:

Two identification numbers unique to each device are generated from the NOR flash and baseband CPU serials: the norID and the chipID, 8 respectively 12 bytes in size.
The device-specific deviceKey is generated from truncating a SHA1 hash of the concatenated and padded norID and chipID.
A supposedly random NCK ('network control key') is SHA1-hashed. With the hashed NCK and the norID and chipID, the second key nckKey is generated. The hashing algorithm uses Tiny Encryption Algorithm (TEA). The nckKey is also device-specific since both the norID and chipID are used.
A device-specific RSA signature is generated: two SHA1 hashes are generated from the norID and chipID. The status that the lock has after the correct NCK has been entered is also embedded into this message. The PCKS 1.5 format is used to pad the hashes and the status from (2*160+32) bit to 2048 bit (256 byte).
The asymmetric RSA algorithm is used for the encryption of the unlock signature. Keep in mind that the algorithm uses two different keys: a private key for encryption and a public key for decryption. With the private RSA key, the signature is encrypted and stored in protected memory.
This signature is encrypted with TEA once again using the device-specific deviceKey in CBC mode.

In pseudo code, it looks like this:

deviceKey = SHA1_hash(norID+chipID)

nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)

rawSignature = generateSignature(SHA1_hash(norID+chipID), SHA1_hash(chipID))

Signature = RSA_encrypt(rawSignature, privateRSAkey)

encryptedSignature = TEA_encrypt_cbc(Signature, nckKey)

The encryptedSignature is then saved to a protected memory area - the device has been locked. This happens when Apple issues the AT+CLCK="PN",1,"NCK" command presumably directly after manufacturing the phone.

When testing a network code key, the baseband firmware reads the encryptedSignature, calculates the deviceKey and the nckKey from the entered NCK, decrypts the encryptedSignature with the nckKey using TEA, decrypts it once more with the public RSA key and verifies the signature with the SHA1 hashes of the chipID / norID. Here's the pseudo code:

deviceKey = SHA1_hash(norID+chipID)

nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)

encryptedSignature = readEncryptedSignature()

Signature = TEA_decrypt_cbc(encryptedSignature, nckKey)

rawSignature = RSA_decrypt(Signature, publicRSAKey)

if ( (rawSignature has correct format) and (rawSignature contains both SHA1_hash(norID+chipID), SHA1_hash(chipID)) and (Lock status byte in rawSignature is OK) )

.. accept every SIM card

else

.. block non-authorized SIMs

A correct NCK key can be stored the application processor part of device. When a certain flag is set, the application firmware (iOS) feeds the NCK into the baseband modem during the boot-up. If the decrypted rawSignature passes the check, the baseband unlocks. This is what happens in factory-unlocked devices and iPhones which have been officially unlocked. It remains unknown whether some iPhones can never be unlocked by design even with the knowledge of the correct NCK: in the US, AT&T does not give out NCKs for any iPhone, even for those devices on which the contract has run out. This practice suggests that AT&T iPhones have a permanent barrier.

On top of this, a WildcardTicket mechanism has been implemented on 3G and later devices. However, it is quite noteworthy that the WildcardTicket mechanism is overriden if the NCK can be verified (3G/3GS).

Various lessons can be learned from this:

The NCK is only stored indirectly on the device in a protected area.
The signature which contains the information about the NCK is directly linked to the device. Hence, replicating a signature from another device will not work.
The NCK is a 15 digit number which is presumably not dependent on the IMEI or any other serial number, but completely random.
Brute force attacks are foiled because a few expensive operations are necessary just to verify the code and the key space is large, e.g. the number of possible key combinations is big.
A valid signature is implicitly required for an unlocked device. Factory-unlocked devices are shipped with such a signature, and during the official unlock process, this signature is generated.
A fake signature for a device with known norID, chipID and NCK can not be generated because the private RSA key is unknown.
Consequent code signing makes permanent firmware patches impossible.
Interestingly, the signature check itself is executed in the bootloader which isn't touched during a firmware upgrade.

As a result, the protection withstands most attacks commonly used for unlocking.

EDIT: Here is the re-implementation in python.

Shmuck of the Week: mrkhangba

2010-06-01T10:30:00.000-07:00

Among the many, many, many auctions put up by people who are trying to make a buck from the stuff on my blog, I found this gem:

mrkhangba has hence won the prestigious 'Shmuck' award - congratulations!

Dell 2A7B Keygen

2010-05-02T01:12:00.001-07:00

A slight modification and the keygen generates now valid passwords for Dell 2A7B serials as well as for the -595B serials.

Source Code & Binaries

Quick How-To:

Download the archive of the keygen from the link above. It contains two files: a C file (source code) and an executable. If you are on Windows, just unpack and double-click the executable. If you are on Mac/Linux/BSD, compile the C file:
gcc -o dell dell.c
You are asked to enter the serial number of your device. Use ONLY CAPITALS for the serial number.
Press Enter and you'll get the password. Keep in mind that the passwords are encoded for a QWERTY-type keyboard layout (US-EN). Also, some models require you to press Ctrl+Enter after entering the password.

Shmuck of the Week: reda

2010-04-30T00:47:00.000-07:00

From: reda (mmaimouni@hotmail.com)
To: dogber1@gmail.com
Subject: pleez help
Date: 04/29/2010 01:59:28 PM

hi ,iam interested in what u do, it is very helpful for us, this is why i ask u , i need a dell password generator for all the latest editions 2a7b and a95b, and if possible the hp 10 digits pass.pleaase help me.ur my only chance.thanks

Translation:

I shamelessly use the results of your free work to generate parts of my income. I ask you to perform work for which I am both too stupid and lazy. I am not willing to pay you a dime, but I am actually planning on using it for my personal financial gain.

Mhhh... no.

Fix for the -595B Keygen

2010-04-24T01:53:00.000-07:00

Apparently, only some of my readers have been able to derive the fix necessary to generate valid HDD passwords. It's been easily guessable that the prehashing scheme needed some minor modification. Before I get countless requests now, here's the C source code for hpgl's keygen:
http://pastebin.com/cu9ijqM1

You need a C compiler to generate the executable (d'uh), e.g. gcc/mingw32, Visual C, lcc, etc., or you can just use the binaries linked below.

Update: Windows binaries...

More crap from Martech.pl

2010-04-16T03:14:00.000-07:00

I gotta admit, they have been incredibly fast at stealing the stuff this time:

Martech SBS Tools V3.2.5.0 - DELL FREE

What's new:

- Bios & HDD for DELL 595B, 2A7B, D35B free for users
You can unlock 5 per day without needed payments.

Application is payable, it cost 39 EUR / 52 USD

Download it: SBS Service Tools

Be ready! For next updates :)
Martech Team

That news item is dated one day after I published the previous blog post and two days after I completed the source code for the keygen on a known forum.

Dell -595B Keygen

2010-04-13T02:06:00.000-07:00

Before I get spammed with even more emails, here are the C sources for a keygen suitable for -595B and other dells (courtesy of hpgl):
http://pastebin.com/yEsiqyQy

You need a regular C compiler for compiling an executable (e.g. mingw32/gcc).

So now let's sit back and watch the inflation happen...

Update: small fix (Windows binaries) - see this post.

Quick How-To:

Download the archive of the keygen from the link above. It contains two files: a C file (source code) and an executable. If you are on Windows, just unpack and double-click the executable. If you are on Mac/Linux/BSD, compile the C file:
gcc -o dell dell.c
You are asked to enter the serial number of your device. Use ONLY CAPITALS for the serial number.
Press Enter and you'll get the password. Keep in mind that the passwords are encoded for a QWERTY-type keyboard layout (US-EN). Also, some models require you to press Ctrl+Enter after entering the password.

Unlock Code Generator for ZTE Cell Phones

2010-03-16T22:36:00.000-07:00

Here's a script which can generate unlock codes for ZTE cell phones:
zte-unlock.py
The script implements an algorithm reverse-engineered by the collaborative effort of elcapitel and y3kt. You need python 2.x to run the script.
Supported Models: GX760, GX761, SFR 232, SFR 341, SFR 342, X760, X761, Orange Vegas, Vodafone Indie, T-Mobile Vairy Touch.

Unlocker for Huawei Modems

2010-03-16T14:09:00.000-07:00

I've finished a quick and dirty implementation of a script which calculates unlock codes ("NCK") for Huawei modems:
huawei-unlock.py
The algorithm has been published a while ago, and there are a lot of other tools out there which do just the same thing. You need python 2.x to run the script.
This is a list of devices for which the unlock code ought to work:
Huawei: E156, E155, E1550, E1552, E156G, E160, E160G, E161, E166, E169, E169G, E170, E172, E176, E1762, E180, E182E, E196, E226, E270, E271, E272, E510, E612, E618, E620, E630, E630+, E660, E660A, E800, E870, E880, EG162, E880, EG162, EG162G, EG602, EG602G
Vodafone: K2540, K3515, K3520, K3565, K3520, K3565

A method to unlock the popular E220 devices has been published here.

Shmucks of the Week: Martech.pl & Kulankendi.com

2010-02-28T19:26:00.001-08:00

This time, the "shmuck of the week" goes to Poland: in a rather shameless fashion, the idiots from Martech.pl and Kulandkendi.com have literally stolen my GPL'd password generators: Martech has implemented them into a shitty piece of software called "Martech SBS Service Tools" which they are trying to sell. They didn't even bother to hide their theft: the message in the screenshot below is copied verbatim from one of my scripts:

Kulankendi.com are trying to sell the passwords themselves for 50 USD each:

Shmuck of the Week: Felix Hernandez

2010-02-22T21:03:00.000-08:00

Felix runs a shady business by basically selling the results my GPL'd work to naive people. Since I'm such a dandy fellow, he wants me to help him fill his pockets some more by reverse-engineering the password schemes used in Sony and Dell laptops:

From: Felix Hernandez (felixlapbios@gmail.com)
To: dogber1@gmail.com
Subject: HELP BIOS PASSWORD TO DELL THANKS
Date: 02/22/2010 08:46:55 PM

Hello Friend I'm Mexican and my truth because just like you I like the
community help me ah been very helpful all you've developed programs to
generate the master passwords
That's why I want to give the link to unlock the sony vaio to send the
disabled system error

Only need the last serial number of the laptop to come on back

http://hpgl.googlegroups.com/web/SONY_Form1.rar?gda=73_AtUAAAADBratxJI3TcN2SnEOtgI52Or9i_fMM3dcP7Nz297qKnGJHTKS9woYaVuufKj-4-9ttxVPdW1gYotyj7-X7wDON

Hear also want to see if you can help me learn how to unlock sony vaio
onetime password and dell 595B 2A7B A95B

HELP ME PLEASE TO UNLOCK BIOS TO DELL THANKS

Guess what, Felix...

Shmucks of the Month

2010-02-20T10:35:00.001-08:00

So I stumbled across these sellers on eBay who seek to gain financial profit from my work:

I get emails every now and then which strongly suggests that the eBay stuff is merely the tip of the iceberg. For instance, one guy complained that he paid a substantial amount of money to obtain the scripts which I have released under the terms of the GPL for free. Apparently, I'm fueling a small industry.
That being said, I want to make clear one thing: I'm not interested in financial profit, but merely in the technical challenge which lies in breaking these security systems (or rather 'obscurity systems').

Unlocker for Option GI0225 3G Modems

2010-01-01T13:42:00.001-08:00

A couple of months ago, I bought a dirt-cheap 3G modem labeled as 'T-Mobile Web'n'Walk' stick. It's actually a relabeled Option Globetrotter Icon 225 which supports both 3G and CDMA networks. The provider installed an annoying netlock on the device - breaking it was quite tough. Here's a quick how-to for Windows for people who want to free their devices:

Install python 2.6.x (32 bit version): http://www.python.org/download/releases/2.6/
Install pywin32 for python 2.6: http://sourceforge.net/projects/pywin32/files/
Install pyserial: http://sourceforge.net/projects/pyserial/files/
Download the unlocker (http://sites.google.com/site/dogber1/blag/msm-unlock-v1.6.zip) and unpack it (e.g. into the directory C:\msm)
Download a firmware update for the 3G modem from Option or T-Mobile
Unpack the firmware update into the directory used above (e.g. C:\msm)
IMPORTANT: The superfire.exe file of the update is packed. ~~Unpack the Superfire.exe file of the firmware update once again (e.g. WinRAR can do that).~~ For the newest update, the superfire.exe can be used as it is.
Remove the SIM card from the modem and plug it in . Make sure that you have the latest drivers from the option website installed before you start msm_unlock.py. Also, close all the tools for the stick ('connection manager' etc.).
Write down the unlock code. Unplug the stick, replug it and apply the unlock code with msm_apply.py. If the unlock code is not accepted, search the comments for a posting by "muxx" - he has given detailed instructions on how to manually enter the unlock code.
Unplug and replug the stick once more and you've got yourself an unlocked 3G modem.

The script should also work for Linux, MacOS, BSD and any other system which has drivers for the modem and a python interpreter. Also, it might work for other devices from Option. I'd like to know whether this worked for you, so please leave a comment. Also, all sources of the unlocker have been released under the terms of the GPL. Feel free to hack away with them.

Audiophile Audiophoolery

2009-12-23T08:52:00.000-08:00

An Information Campaign

2009-11-04T18:45:00.000-08:00

The very same applies to all other cell phone and BIOS unlocking:
http://iphonejtag.blogspot.com/2009/11/information-campaign.html

Shmuck of the Week: biosrepair.com

2009-10-31T19:22:00.000-07:00

Looks like the award goes to china once again:

Unlocking LG Phones with the EGold chipset

2009-07-11T10:42:00.000-07:00

Recently I bought a dirt-cheap LG phone which had a netlock. After some poking around, I've stumbled across its firmware which I was able to disassemble, so I've written a small script that reads out the netlock code required for unlocking the phone. The phone is interfaced via RS232 which operates at TTL levels: a max232, pl2303 or an equivalent chip should do the job. There are usually soldering points for RXD, TXD and GND on the logic board. Most phones also have pins with these signals at their connector.

The script can save the contents of the flashrom and the so-called "eeprom" (which is just a section of the flashrom containing all the juicy bits) to a file. I've tested it on an LG GB102 and a LG KP100 - it should also work for most other Egold Lite based phones, possibly even from other vendors.
The script has been released under GPL - I wonder how many idiots will ignore this. Anyway, here it is:
lg-unlock.py
As always, it's a python script that operates on the command line interface. For unlocking your phone, do the following things:

Connect TxD, RxD and GND from your serial port interface to the serial port of your cell phone. Keep in mind that you need TTL levels, so you must not use the regular RS232 port of your PC! On your cell phone, there are usually test points where the cable can be directly soldered onto. The battery still has to fit onto the device once your cable has been soldered on. Also, the total length of the cables between the convert chip and the cell phone has to be as short as possible! Alternatively, you can just use a flasher cable (KE500 type for the GB102, KG800 for the KP100).
Install Python 2.6.x, then pywin32, and then pyserial.
Copy the script to a folder on your hard drive.
Two additional files are required: boot-1st-stage.bin and boot-2nd-stage.bin. I can't distribute them for obvious legal reasons, so you have to find them elsewhere. The sha1 sum of both files is checked during the initialization of the script.
Open a command shell and navigate to that folder.
Start the script with the parameter specifying the port of your serial interface, e.g. lg-unlock.py --port COM4 -e
Press the 'ON' button of your cell phone. You'll receive the unlock code and instructions how to use it from the script.

Shmuck of the Week: rebios.net

2009-06-28T04:24:00.000-07:00

The sneakiness of some low-life deadbeats never ceases to amaze me - I've just stumbled across this:

Observe the conveniently removed name after the copyright notice of the script and the lack of any attribution whatsoever.

So, the shmuck of the week goes to rebios.net - congratulations!

Fix for Amilo P / X models

2009-06-25T05:10:00.000-07:00

I've released a new version of the 5dec script which fixes the password calculation for FSI Amilo Pi / Pa / Xi models. The URLs remain unchanged (see previous posts).

Thanks to everyone who provided me with the information that allowed me to reverse-engineer it!

BIOS Password Backdoors in Laptops

2009-05-02T08:33:00.000-07:00

Synopsis: The mechanics of BIOS password locks present in current generation laptops are briefly outlined. Trivial mechanisms have been put in place by most vendors to bypass such passwords, rendering the protection void. A set of master password generators and hands-on instructions are given to disable BIOS passwords.

When a laptop is locked with password, a checksum of that password is stored to a so-called FlashROM - this is a chip on the mainboard of the device which also contains the BIOS code and other settings, e.g. memory timings.

For most brands, this checksum is displayed after entering an invalid password for the third time:

The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, it will work just as before. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing.

The bypass mechanisms of other vendors work by showing a number to the user from which a master password can be derived. This password is usually a sequence of numbers generated randomly.

Some vendors resort to storing the password in plain text onto the FlashROM, and instead of printing out just a checksum, an encrypted version of the password is shown.

Other vendors just derive the master password from the serial number. Either way, my scripts can be used to get valid passwords.

A few vendors have implemented obfuscation measures to hide the hash from the end user - for instance, some FSI laptops require you to enter three special passwords for the hash to show up (e.g. "3hqgo3 jqw534 0qww294e", "enable master password" shifted one up/left on the keyboard). Some HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for the last time.

Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a matter of trying all of them and finding the one that fits your laptop. It does not matter on what machine the script are executed, i.e. there is no reason to run them on the locked laptop.
This is an overview of the algorithms that I looked at so far:

Vendor	Hash Encoding	Example of Hash Code/Serial	Scripts
Compaq	5 decimal digits	12345	pwgen-5dec.py Windows binary
Dell	serial number	1234567-595B 1234567-D35B 1234567-2A7B	Windows binary&source
Fujitsu-Siemens	5 decimal digits	12345	pwgen-5dec.py Windows binary
Fujitsu-Siemens	8 hexadecimal digits	DEADBEEF	pwgen-fsi-hex.py Windows binary
Fujitsu-Siemens	5x4 hexadecimal digits	AAAA-BBBB-CCCC-DEAD-BEEF	pwgen-fsi-hex.py Windows binary
Fujitsu-Siemens	5x4 decimal digits	1234-4321-1234-4321-1234	pwgen-fsi-5x4dec.py Windows binary
Hewlett-Packard	5 decimal digits	12345	pwgen-5dec.py Windows binary
Hewlett-Packard/Compaq Netbooks	10 characters	CNU1234ABC	pwgen-hpmini.py Windows binary
Insyde H20 (generic)	8 decimal digits	03133610	pwgen-insyde.py Windows binary
Phoenix (generic)	5 decimal digits	12345	pwgen-5dec.py Windows binary
Sony	7 digit serial number	1234567	pwgen-sony-serial.py Windows binary
Samsung	12 hexadecimal digits	07088120410C0000	pwgen-samsung.py Windows binary

The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the binary files (.exe) don't work out for you, install Python 2.6 (not 3.x) and run the .py script directly by double-clicking them. Make sure that you correctly read each letter (e.g. number '1' vs letter 'l').

Вячеслав Бачериков has also converted my scripts to javascript so you can calculate the passwords with your browser: http://bios-pw.org.ua/ (sources).

Please leave a comment below on what make/model the scripts work. Also, be aware that some vendors use different schemes for master passwords that require hardware to be reset - among them are e.g. IBM/Lenovo. If you find that your laptop does not display a hash or the scripts do not work for you for whatever reason, try to:

use a USB keyboard for entering the password for avoiding potential defects of the built-in keyboard,
run CmosPwd to remove the password if you can still boot the machine,
overwrite the BIOS using the emergency recovery procedures. Usually, the emergency flash code is activated by pressing a certain key combination while powering on the machine. You also need a specially prepared USB memory stick containing the BIOS binary. The details are very much dependent on your particular model. Also, be aware that this can potentially brick your device and should only be done as a last measure.
Some dell service tags are missing the suffix - just try the passwords for all suffices by adding -595B, -2AB7 and -D35B to your service tags.
The passwords for some HP laptops are breakable with this script.
Unlocking methods for some Toshiba laptops are described here.
Some older laptop models have service manuals that specify a location of a jumper / solder bridge that can be set for removing the password.

If none of the above methods work, please use the vendor support. Please understand that my motivation for reverse-engineering comes from a personal interest - I will not accept offers to look at the specifics of certain models.

Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit, Part Trois

2009-04-22T02:59:00.000-07:00

Last, but not least, here's the version for the 5 decimal code:
Script
Windows Binaries

Please report back on what models the script works.

Edit: A more thorough explanation is here.

Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit, Part Deux

2009-04-09T15:41:00.001-07:00

Apparently, FSI hasn't done a much better job for the Amilo Pro series: this time, they've used the table of the CCIT-CRC16 algorithm (!) for a rather simplistic hashing algorithm. Lesson learned: never trust your data with security schemes which rely purely on obfuscation.
I have released the script and binaries for Windows under the GPL.

I want to thank blAck for providing me with some memory dumps which have made the reverse engineering considerably easier.

Update: I've made slight adaptions to the script so it should also work for 5x4 hexadecimal codes.

Edit: A more thorough explanation is here.

Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit

2009-04-06T05:20:00.000-07:00

Some time ago, I managed to get a base unit of a Fujitsu Siemens notebook for little money from a seller who runs a business repairing defective laptops. Because both the supervisor and the user password have been set in the BIOS of the notebook's mainboard, he didn't have any use for it. The manufacturer offers quite an expensive service to remove the password, and the fee for this greatly exceeds the overall value of the board. Hence he was happy to sell it to me.
I welcomed the challenge to hack the board, and finally I had some free time to get my hands dirty. After a deep dive into the gruesome world of 16 bit assembly, I have found a way to override any password: if a certain sequence of passwords is entered (3hqgo3, jqw534, 0qww294e), you get a 5x4 digits code from which a master password can be calculated. Finding the hashing function was just a matter of time, and I've written a small script which re-implements the algorithm. It's been released under GPL here: http://sites.google.com/site/dogber1/blog/pwgen-fsi-5x4dec.py. Binaries for Windows are available here. The script should work for most Lifebook and Amilo series laptops.

Overall, the password protection is much weaker than I anticipated: there's a custom IC on the board (MB90378) which could have easily been used for checking the password in a much more secure manner, but apparently their security relies on the somewhat inherent obfuscation of the BIOS. Not their brightest call...

Edit: A more thorough explanation is here.