Surprisingly, it was even easier than older models:
Dell Laptop Master Password Generator.
Copyright (C) 2011 dogbert; 2007-2010 hpgl
Short service tag should be right padded with '*' up to length 7 chars
HDD serial number is right 11 chars from real HDDSerNum left padded with '*'
Some BIOSes has left pad HDD serial number with spaces instead '*'
Input: #ABCDEFG-1D3B
09.10.2011 22:42 DELL service tag: ABCDEFG-1D3B password: xvn0qEeftqyrkG52
In light of this (and this), a pack of monkeys looks sophisticated in comparison to Dell engineers. Also, please don't even bother to send me emails: you're just wasting both our time.
P.S.: DELL service tag: #NOSOUP4-3A5B password: zvd97y9h
P.P.S.: http://www.bios-pw.org has a free password generator.
Sunday, October 9, 2011
Sunday, March 6, 2011
Shmuck of the Month: Sony
Two types of companies exist: those which are growing and those which are dying. Sony has clearly belonged to the latter for over a decade now. The high level of engineering that once made their products excel has been replaced by bland mediocrity and delusional control ideas that are manifested in recent Sony products such as Bluray, the PS3, etc. In their latest act of desperation, they are suing a couple of guys who have successfully hacked the PS3 to bring Linux back to the console after it had been illegally removed in a firmware update. The flaws they used to obtain access to the multi-million dollar security system can almost solely be attributed to crass design blunders that would have been completely avoidable in the first place.
Sony has a line of laptops ("Vaio") which compete mainly in the high value market segments. They implemented a master password bypass which is rather sane in comparison to the rest of the bunch:
- The randomly generated master password is only stored in RAM, i.e. it is lost after the next reboot ("one time password").
- RSA is used for encrypting the password which is then converted to a human-readable form (4x4 characters/8 bytes/64 bits).
- Their customer support apparently allows for one free password generation per device which is pretty decent by the industry standard.
python pwgen-sony.py
Master Password Generator for Sony laptops (16 characters otp)
Copyright (C) 2009-2010 dogbert
After entering the wrong password for the third time, you will receive a code from which the password can be calculated,
e.g. 73KR-3FP9-PVKH-K29R
Please enter the code:
D63K-XFVF-TK7H-RJKX
The password is: 43878945
I'm not the first one who discovered this: hpgl also reversed this scheme quite a while back. There are even some idiots on eBay who sell these master passwords.
Update: released here
Sunday, January 23, 2011
Tuesday, December 21, 2010
Facepalm.jpg
I've been poking around in the BIOS of a Fujitsu Lifebook A530 (source).
What is wrong with this function:
Saturday, September 11, 2010
Another One Bites the Dust: HP/Compaq Mini Netbooks
That was surprisingly easy:
As always, the script (Windows binary) is released under the binding terms of the GPL - let's sit back and watch the decline of eBay prices and the sudden appearance of my code in the tools of the GSM idiots.
Update: I got a couple of emails from folks for whom the generated passwords didn't seem to work. It turned out that they had confused the letter "l" with the number "1" and vice versa. If you find that it doesn't work for you, copy and paste the generated password from the script into an editor with a legible typeface.
Sunday, July 4, 2010
How to protect better: Secure BIOS Passwords for Laptops
Since I get a lot of visitors from within the networks of computer vendors (hi guys!), I might as well give you some hints on how to implement a laptop password in a more secure way. I understand that a lot of your customers forget their passwords and that it's just too expensive for you and your customers to swap the mainboard each time this happens. Also, you tend to use the lame password implementations of the BIOS vendors. Don't - do your own stuff. Here is some advice, free of charge, on how to do better:
- Use better hashing functions for the passwords. CRC16, CRC32, etc. are a bad choice: they are linear and therefore invertible, and even if they weren't, the output space is only 2^32 in size, so a modern machine can find a password that hashes to a stored value within seconds. Various implementations of better algorithms such as MD6 and SHA2 are readily available; use them in an iterated, salted construction (PBKDF2-style) so that brute force stays slow.
- Use the machine's serial number together with the MAC address of the network card to salt the password before hashing it. Even if no password is set, store and check a hash over both identifiers in your 'NVRAM' anyway. This makes it a bit harder to just clone an EEPROM, FlashROM, or any other chip onto another machine.
- Try to calculate some portions of the algorithm not on the main CPU but on the keyboard controller - this puts a physical obstacle in the way of reversing the code. Also, provide a secure path for updating that code if the need arises - you don't want unencrypted code in your update binaries that can be easily disassembled and reverse-engineered.
- If the password can't be verified, generate a random number the third time an invalid password has been entered (the RTC alone is a poor entropy source; mix in a hardware RNG where one is available). Salt it heavily with serial numbers (laptop, MAC, CPU, etc.). Then hash it to generate a one-time password (OTP). Encrypt the OTP with public-key cryptography, e.g. elliptic curves. DO NOT STORE THE PRIVATE KEY IN THE BIOS. Output the result to the screen, making sure that it is properly encoded ('O' vs '0', checksums). Do not save the one-time password anywhere. In fact, wipe it from memory right after it has been encrypted, and make sure that it is really zeroed out everywhere (CPU cache included).
- When a customer calls support and asks for a password reset, verify that they are indeed the owner of the laptop. Have them read the encrypted and encoded OTP to you, then recover the OTP by decoding and decrypting it with your private key.
- Do not hand out service tools to your service team which contain the private key. Instead, run a central password service on a server which is secured and can only be accessed with proper authentication. Actively monitor each and every access.
- Do not charge customers for resetting a password. That's just lame.
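The first point above in practice, as an added example that is not code from this page: a CRC-32 "hash" is linear, so for any prefix you like, four trailing bytes that steer the checksum to a stored value can be computed directly from the CRC table, and retrying a few hundred prefixes yields a colliding password made only of typeable characters. The CRC parameters are the standard reflected IEEE ones (the same as zlib.crc32); the stored value derived from `hunter2`, and all function names, are constructed for the example. The same construction works for CRC-16 with two trailing bytes.

```python
import string
import zlib

# Reflected CRC-32 with the IEEE polynomial, i.e. exactly what zlib.crc32 computes.
_POLY = 0xEDB88320
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)

# The 256 table entries have 256 distinct top bytes, so a top byte identifies
# the index that produced it. That bijection is what makes the forge direct.
_REV = {t >> 24: i for i, t in enumerate(_TABLE)}
assert len(_REV) == 256


def crc32(data: bytes) -> int:
    """Byte-wise CRC-32, written out so the shift register is visible."""
    reg = 0xFFFFFFFF
    for b in data:
        reg = _TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg ^ 0xFFFFFFFF


def forge_suffix(prefix: bytes, target: int) -> bytes:
    """Return four bytes s such that crc32(prefix + s) == target.

    Each byte step is reg' = T[(reg ^ b) & 0xFF] ^ (reg >> 8). After four steps
    the old register has been shifted out entirely, so the final state depends
    only on the four table indices used. Choose the indices backwards from the
    target, then choose the bytes forwards that select those indices.
    """
    want = target ^ 0xFFFFFFFF      # register state that yields `target` after the final xor
    indices = [0] * 4
    s = want
    for k in range(3, -1, -1):
        i = _REV[s >> 24]           # only T[i] can have produced this top byte
        indices[k] = i
        s = ((s ^ _TABLE[i]) << 8) & 0xFFFFFFFF   # state one step earlier, low byte unknown

    reg = crc32(prefix) ^ 0xFFFFFFFF   # live register after the prefix
    out = bytearray()
    for k in range(4):
        b = (reg ^ indices[k]) & 0xFF  # the byte that makes this step use indices[k]
        out.append(b)
        reg = _TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return bytes(out)


def typeable_password_for(target: int, alphabet: str = string.ascii_letters + string.digits,
                          stem: str = "pw") -> str:
    """Find a password drawn only from `alphabet` whose CRC-32 equals `target`.

    The forged suffix is spread uniformly over byte values as the prefix
    varies, so about (len(alphabet) / 256) ** 4 of the attempts are typeable;
    for alphanumerics that is roughly one in 290, a few hundred CRC evaluations.
    """
    allowed = set(alphabet.encode("ascii"))
    n = 0
    while True:
        prefix = f"{stem}{n}".encode("ascii")
        suffix = forge_suffix(prefix, target)
        if all(b in allowed for b in suffix):
            password = (prefix + suffix).decode("ascii")
            assert zlib.crc32(password.encode("ascii")) == target   # cross-check with zlib
            return password
        n += 1


if __name__ == "__main__":
    stored = zlib.crc32(b"hunter2")   # constructed: what a CRC-32 "hash" in NVRAM would hold
    print(f"stored {stored:08x} -> colliding typeable password {typeable_password_for(stored)!r}")
```

Note that the attacker never needs the original password: the stored 32-bit value alone is enough, which is why a CRC gives no protection even before brute force is considered.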
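The design side of the second, fourth and sixth points, as an added Python example rather than anything from the page or a vendor: the NVRAM record becomes a device-salted, iterated hash instead of a CRC, the OTP is derived from fresh entropy mixed with the serial number and MAC address, and the code shown on screen uses a Crockford-style base32 alphabet (no I, L, O or U) plus a check symbol, so an 'l' read as '1' or an 'O' read as '0' still decodes correctly and any other misread symbol is rejected. The public-key encryption of the OTP with the vendor's key is the one step left out: the standard library has no asymmetric primitive, so that call would come from a crypto library. Serial, MAC, passwords and function names are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

# --- What goes into NVRAM: a device-bound, iterated password hash (not a CRC) ---

def device_salt(serial: str, mac: str) -> bytes:
    """Bind the record to this machine: a FlashROM image cloned to another
    board (different serial or NIC MAC) then fails verification."""
    return hashlib.sha256(f"{serial}|{mac}".encode()).digest()


def password_record(password: str, serial: str, mac: str) -> bytes:
    # Iterated so that brute force over the small space of short passwords
    # costs real time, unlike a CRC that is checked in nanoseconds.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), device_salt(serial, mac), 100_000)


def password_ok(candidate: str, record: bytes, serial: str, mac: str) -> bool:
    return hmac.compare_digest(password_record(candidate, serial, mac), record)


# --- The one-time password handed to support after the third failed attempt ---

def issue_otp(serial: str, mac: str) -> bytes:
    """64-bit OTP from fresh entropy mixed with the device identifiers.
    Lives in RAM only; what the screen shows is this value after public-key
    encryption with the vendor's key (that call, and wiping the plaintext
    afterwards, are outside what the standard library offers)."""
    return hashlib.sha256(secrets.token_bytes(16) + device_salt(serial, mac)).digest()[:8]


# --- Screen encoding: Crockford-style base32 (no I, L, O, U) plus a check symbol ---

ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
_DECODE = {c: i for i, c in enumerate(ALPHABET)}
_DECODE.update({"O": 0, "I": 1, "L": 1})   # accept the classic misreadings
_DATA_SYMBOLS = 13                          # 13 * 5 = 65 bits >= 64


def _check_symbol(values) -> int:
    # Odd positional weights: any single wrong symbol changes the sum mod 32,
    # and most adjacent transpositions do too.
    return sum((2 * i + 1) * v for i, v in enumerate(values)) % 32


def encode_code(payload: bytes) -> str:
    """8 bytes -> 13 data symbols + 1 check symbol, grouped by four."""
    if len(payload) != 8:
        raise ValueError("payload must be 8 bytes")
    n = int.from_bytes(payload, "big")
    values = [(n >> (5 * (_DATA_SYMBOLS - 1 - i))) & 31 for i in range(_DATA_SYMBOLS)]
    values.append(_check_symbol(values))
    s = "".join(ALPHABET[v] for v in values)
    return "-".join(s[i:i + 4] for i in range(0, len(s), 4))


def decode_code(text: str) -> bytes:
    """Inverse of encode_code: case-insensitive, ignores dashes and spaces,
    maps O/I/L back to 0/1/1 and rejects anything the check symbol disagrees with."""
    cleaned = text.upper().replace("-", "").replace(" ", "")
    try:
        values = [_DECODE[c] for c in cleaned]
    except KeyError as e:
        raise ValueError(f"illegal symbol {e.args[0]!r}") from None
    if len(values) != _DATA_SYMBOLS + 1:
        raise ValueError("wrong length")
    if _check_symbol(values[:-1]) != values[-1]:
        raise ValueError("check symbol mismatch: the code was misread")
    n = 0
    for v in values[:-1]:
        n = (n << 5) | v
    if n >> 64:
        raise ValueError("value out of range")
    return n.to_bytes(8, "big")


def is_valid_code(text: str) -> bool:
    try:
        decode_code(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    serial, mac = "ABCDEFG", "00:11:22:33:44:55"      # constructed identifiers
    rec = password_record("hunter2", serial, mac)
    print("correct password:", password_ok("hunter2", rec, serial, mac))
    print("same record, other board:", password_ok("hunter2", rec, "ABCDEFH", mac))
    otp = issue_otp(serial, mac)
    code = encode_code(otp)
    print("on screen:", code, "| read back OK:", decode_code(code) == otp)
```

The check symbol is what turns a support call from "try it again" into "please read me the third group once more": a single misread symbol is always detected before anything is decrypted.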
Sunday, May 2, 2010
Dell 2A7B Keygen
With a slight modification, the keygen now generates valid passwords for Dell 2A7B serials as well as for the -595B serials.
Source Code & Binaries
Quick How-To:
- Download the archive of the keygen from the link above. It contains two files: a C file (source code) and an executable. If you are on Windows, just unpack and double-click the executable. If you are on Mac/Linux/BSD, compile the C file: gcc -o dell dell.c
- You are asked to enter the serial number of your device. Use ONLY CAPITALS for the serial number.
- Press Enter and you'll get the password. Keep in mind that the passwords are encoded for a QWERTY-type keyboard layout (US-EN). Also, some models require you to press Ctrl+Enter after entering the password.
Update: Here's an online version.
Saturday, April 24, 2010
Fix for the -595B Keygen
Apparently, only some of my readers have been able to derive the fix necessary to generate valid HDD passwords. It was easy to guess that the prehashing scheme needed some minor modification. Before I get countless requests, here's the C source code for hpgl's keygen:
http://pastebin.com/cu9ijqM1
You need a C compiler to generate the executable (d'uh), e.g. gcc/mingw32, Visual C, lcc, etc., or you can just use the binaries linked below.
Update: Windows binaries...
Tuesday, April 13, 2010
Dell -595B Keygen
Before I get spammed with even more emails, here are the C sources for a keygen suitable for -595B and other Dells (courtesy of hpgl):
http://pastebin.com/yEsiqyQy
You need a regular C compiler for compiling an executable (e.g. mingw32/gcc).
So now let's sit back and watch the inflation happen...
Update: small fix (Windows binaries) - see this post.
Quick How-To:
- Download the archive of the keygen from the link above. It contains two files: a C file (source code) and an executable. If you are on Windows, just unpack and double-click the executable. If you are on Mac/Linux/BSD, compile the C file: gcc -o dell dell.c
- You are asked to enter the serial number of your device. Use ONLY CAPITALS for the serial number.
- Press Enter and you'll get the password. Keep in mind that the passwords are encoded for a QWERTY-type keyboard layout (US-EN). Also, some models require you to press Ctrl+Enter after entering the password.
Saturday, May 2, 2009
BIOS Password Backdoors in Laptops
Synopsis: The mechanics of BIOS password locks present in current generation laptops are briefly outlined. Trivial mechanisms have been put in place by most vendors to bypass such passwords, rendering the protection void. A set of master password generators and hands-on instructions are given to disable BIOS passwords.
When a laptop is locked with a password, a checksum of that password is stored in the so-called FlashROM - the chip on the mainboard which also contains the BIOS code and other settings, e.g. memory timings.
For most brands, this checksum is displayed after entering an invalid password for the third time:
The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, it will work just as before. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing.
The bypass mechanisms of other vendors work by showing a number to the user from which a master password can be derived. This password is usually a sequence of numbers generated randomly.
Some vendors resort to storing the password in plain text onto the FlashROM, and instead of printing out just a checksum, an encrypted version of the password is shown.
Other vendors just derive the master password from the serial number. Either way, my scripts can be used to get valid passwords.
A few vendors have implemented obfuscation measures to hide the hash from the end user - for instance, some FSI laptops require you to enter three special passwords for the hash to show up (e.g. "3hqgo3 jqw534 0qww294e", "enable master password" shifted one up/left on the keyboard). Some HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for the last time.
Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a matter of trying all of them and finding the one that fits your laptop. It does not matter on what machine the scripts are executed, i.e. there is no reason to run them on the locked laptop.
This is an overview of the algorithms that I looked at so far:
Vendor | Hash Encoding | Example of Hash Code/Serial | Scripts |
---|---|---|---|
Asus | Machine Date | 01-01-2011 | pwgen-asus.py |
Compaq | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
Dell | serial number | 1234567-595B, 1234567-D35B, 1234567-2A7B | bios-pw.org |
Fujitsu-Siemens | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
Fujitsu-Siemens | 8 hexadecimal digits | DEADBEEF | pwgen-fsi-hex.py, Windows binary |
Fujitsu-Siemens | 5x4 hexadecimal digits | AAAA-BBBB-CCCC-DEAD-BEEF | pwgen-fsi-hex.py, Windows binary |
Fujitsu-Siemens | 5x4 decimal digits | 1234-4321-1234-4321-1234 | pwgen-fsi-5x4dec.py, Windows binary |
Fujitsu-Siemens | 6x4 decimal digits | 8F16-1234-4321-1234-4321-1234 | pwgen-fsi-6x4dec.py |
Hewlett-Packard | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
Hewlett-Packard/Compaq Netbooks | 10 characters | CNU1234ABC | pwgen-hpmini.py, Windows binary |
InsydeH2O (generic) | 8 decimal digits | 03133610 | pwgen-insyde.py, Windows binary |
Phoenix (generic) | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
Sony | 4x4 hexadecimal digits | 1234-1234-1234-1234 | pwgen-sony-4x4.py |
Sony | 7 digit serial number | 1234567 | pwgen-sony-serial.py, Windows binary |
Samsung | 12 hexadecimal digits | 07088120410C0000 | pwgen-samsung.py, Windows binary |
Here are some other folks' efforts (python/ocaml/javascript):
Vendor | Hash Encoding | Example of Hash Code/Serial | Scripts |
---|---|---|---|
HP | 8 decimal digits | i1234578 | https://gist.github.com/Rdp3389 |
Acer/Insyde | 10 decimal digits | 123457890 | https://github.com/let-def/insydious |
The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the binary files (.exe) don't work out for you, install Python 2.7 (not 3.x) and run the .py scripts directly by double-clicking them. Make sure that you correctly read each letter (e.g. number '1' vs letter 'l').
Вячеслав Бачериков has also converted my scripts to javascript so you can calculate the passwords with your browser: http://bios-pw.org/ (sources).
Please leave a comment below on what make/model the scripts work. Also, be aware that some vendors use different schemes for master passwords that require hardware to be reset - among them are e.g. IBM/Lenovo. If you find that your laptop does not display a hash or the scripts do not work for you for whatever reason, try to:
- use a USB keyboard for entering the password for avoiding potential defects of the built-in keyboard,
- run CmosPwd to remove the password if you can still boot the machine,
- overwrite the BIOS using the emergency recovery procedures. Usually, the emergency flash code is activated by pressing a certain key combination while powering on the machine. You also need a specially prepared USB memory stick containing the BIOS binary. The details are very much dependent on your particular model. Also, be aware that this can potentially brick your device and should only be done as a last measure.
- Some Dell service tags are missing the suffix - just try the passwords for all suffixes by appending -595B, -2A7B and -D35B to your service tag.
- The passwords for some HP laptops are breakable with this script.
- Unlocking methods for some Toshiba laptops are described here (edit: gone).
- Some older laptop models have service manuals that specify a location of a jumper / solder bridge that can be set for removing the password.
If none of the generators/methods above works, please use the vendor support. Please understand that my motivation for reverse-engineering comes purely from a personal interest. I will not accept offers to look at the specifics of certain models.
Wednesday, April 22, 2009
Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit, Part Trois
Last, but not least, here's the version for the 5 decimal code:
Script
Windows Binaries
Please report back on what models the script works.
Edit: A more thorough explanation is here.
Thursday, April 9, 2009
Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit, Part Deux
Apparently, FSI hasn't done a much better job for the Amilo Pro series: this time, they've used the lookup table of the CCITT CRC-16 algorithm (!) in a rather simplistic hashing scheme. Lesson learned: never entrust your data to security schemes that rely purely on obfuscation.
I have released the script and binaries for Windows under the GPL.
I want to thank blAck for providing me with some memory dumps which have made the reverse engineering considerably easier.
Update: I've made slight adaptations to the script so it should also work for 5x4 hexadecimal codes.

Edit: A more thorough explanation is here.
Monday, April 6, 2009
Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit
Some time ago, I managed to get a base unit of a Fujitsu Siemens notebook for little money from a seller who runs a business repairing defective laptops. Because both the supervisor and the user password have been set in the BIOS of the notebook's mainboard, he didn't have any use for it. The manufacturer offers quite an expensive service to remove the password, and the fee for this greatly exceeds the overall value of the board. Hence he was happy to sell it to me.
I welcomed the challenge to hack the board, and finally I had some free time to get my hands dirty. After a deep dive into the gruesome world of 16-bit assembly, I found a way to override any password: if a certain sequence of passwords is entered (3hqgo3, jqw534, 0qww294e), you get a 5x4-digit code from which a master password can be calculated. Finding the hashing function was just a matter of time, and I've written a small script which re-implements the algorithm. It has been released under the GPL here: http://sites.google.com/site/dogber1/blog/pwgen-fsi-5x4dec.py. Binaries for Windows are available here. The script should work for most Lifebook and Amilo series laptops.
Overall, the password protection is much weaker than I anticipated: there's a custom IC on the board (MB90378) which could have easily been used for checking the password in a much more secure manner, but apparently their security relies on the somewhat inherent obfuscation of the BIOS. Not their brightest call...
Edit: A more thorough explanation is here.
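The three unlock passwords quoted above are "enable master password" with every key moved one position up and to the left on a US QWERTY keyboard, as the May 2009 overview notes. The following added Python example (not the page's own script) reproduces that mapping and then turns it around: it scans a byte blob for printable runs that unshift to a dictionary word, which is how one would hunt for the same kind of obfuscated backdoor string in a strings dump of a firmware image. The sample blob, the word list and the function names are constructed for the example.

```python
import re

# US QWERTY rows, top to bottom. The obfuscation replaces each key with the one
# diagonally up and to the left of it: e->3, n->h, a->q, b->g, l->o, ...
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_UP_LEFT = {}
for upper, lower in zip(_ROWS, _ROWS[1:]):
    for col, ch in enumerate(lower):
        _UP_LEFT[ch] = upper[col]
_DOWN_RIGHT = {v: k for k, v in _UP_LEFT.items()}


def shift_up_left(text: str) -> str:
    """Apply the shift; characters without a key above-left (digits, space) pass through."""
    return "".join(_UP_LEFT.get(c, c) for c in text.lower())


def unshift(text: str) -> str:
    """Undo the shift; characters that cannot be the image of a key pass through."""
    return "".join(_DOWN_RIGHT.get(c, c) for c in text.lower())


def find_shifted_words(blob: bytes, wordlist, min_len: int = 5):
    """Return (offset, token, plaintext) for each lowercase/digit run in `blob`
    whose unshifted form is in `wordlist`. A generic scan, not specific to FSI."""
    hits = []
    for m in re.finditer(rb"[0-9a-z]{%d,}" % min_len, blob):
        token = m.group().decode("ascii")
        plain = unshift(token)
        if plain in wordlist:
            hits.append((m.start(), token, plain))
    return hits


# Constructed stand-in for a strings dump of a BIOS image (not a real firmware).
SAMPLE_BLOB = (b"\x00Phoenix BIOS\x00setup\x00" + b"3hqgo3\x00jqw534\x000qww294e\x00"
               + b"version\x00")
WORDLIST = {"enable", "master", "password", "setup", "phoenix", "supervisor"}

if __name__ == "__main__":
    print(shift_up_left("enable master password"))   # 3hqgo3 jqw534 0qww294e
    for off, token, plain in find_shifted_words(SAMPLE_BLOB, WORDLIST):
        print(f"{off:#06x} {token:<10} -> {plain}")
```

Run against real input, feed it the output of `strings` on a BIOS dump and a word list of the phrases a vendor would plausibly hide ("enable", "master", "password", "supervisor", "service"); plain words that happen to unshift to another plain word are rare enough that the hit list stays short.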