Thursday, April 28, 2016


Here's a bunch of frequently asked questions:

Q: My laptop is blocked with a BIOS password. Can you unlock it?
A: If the stuff here does not work, please use the vendor support. Please note that I have chosen not to publish generators for newer models.

Q: I have used your generators, but the generated passwords fail to unlock my laptop. Can you help?
A: No: please use the vendor support.

Q: Can I buy passwords/generators from you?
A: No.

Q: Can you unlock my hard drive/Windows installation/cell phone/apartment door?
A: No.

Q: Can you teach me how to defeat BIOS password protection?
A: No.

Friday, November 13, 2015

In the wake of recent events...

It's not that hard, really.

Monday, January 12, 2015

Je suis Charlie

Freedom of expression will always trump infantile spite, i.e. 'religious feelings'.

Tuesday, July 29, 2014

Dell 1F66

Bypassing the BIOS password of newer Dell models with a service tag ending in -1F66 is still only a trivial exercise in patience:

DELL service tag: DELLSUX-1F66 password: qHXaL0ntli6Gu4c0

The algorithm used to derive the password from the service tag is just a minor modification of the crap seen before. Is public-key cryptography really that hard to understand?

Saturday, January 21, 2012

Password Recovery for FSI Amilo Pi Laptops

I received numerous emails in the past from owners of Fujitsu-Siemens Amilo Pi laptops that got locked up beyond recovery: in a nutshell, a BIOS update or some other minor event has caused the password checksum to be overwritten by a seemingly random number above 2^14 (16384). In conjunction with the butchered CRC16 implementation courtesy of Phoenix, this basically means that there are no valid passwords for checksums above that number, i.e. the laptop has become an expensive paperweight.

However, there is a small backdoor, and that is the BIOS emergency recovery: it's basically the last resort to recover from a bad BIOS update. I've patched out the password check from the binary so it can be used to reset the machine  to a valid password. Here's a quick how-to:
  1. Get a USB floppy drive and a floppy disk - format the disk to FAT16.
  2. Copy the BIOS file (pi1505, pi1536, pi1556, pa2510) as "bios.wph" to the root directory of the floppy.
  3. Remove the battery and power cord from the laptop.
  4. Connect the USB floppy drive to the laptop, then insert the battery, then the power cord.
  5. Press both Ctrl+Home keys while actuating the power button. Keep Ctrl+Home  pressed for another 2-3 minutes.
  6. The BIOS is being reflashed - after that, the machine should reboot on its own.
  7. When it boots up, go to setup and set new passwords. If you get asked for a password, just enter a few random characters.
  8. Boot the laptop up again, re-flash the vendor BIOS.
  9. Go to the BIOS, reset all passwords.
That should unbrick your laptop.

mtmarco has posted alternative instructions on

Tuesday, December 27, 2011

Conrado strikes again

Another fraud victim has sent me an email with this:
It has the same quality as Conrado Davila's previous fraud: he modified my code a bit (removing the GPL license, attributions, etc.), claiming this time that it can calculate Toshiba unlock codes, and sold it to some guy for $460. Interesting, the payment went to "Luis Eugenio Davila de Garate". He probably has burned his personal paypal account and is tapping into the account of a relative now.

In other news, here are some of his clumsy attempts to advertise on youtube, and here is a fan site which he created with all of his skills in a pretty lame attempt to extort me to retract all the information about his scams...

Update 11/1/12: Conrado's getting desperate:

Update 7/5/12: Another victim...

Sunday, October 9, 2011

Dell 1D3B

Surprisingly, it was even easier than older models:
Dell Laptop Master Password Generator.
Copyright (C) 2011 dogbert; 2007-2010 hpgl
Short service tag should be right padded with '*' up to length 7 chars
HDD serial number is right 11 chars from real HDDSerNum left padded with '*'
Some BIOSes has left pad HDD serial number with spaces instead '*'
Input: #ABCDEFG-1D3B
09.10.2011 22:42 DELL service tag: ABCDEFG-1D3B password: xvn0qEeftqyrkG52

In light of this (and this), a pack of monkeys looks sophisticated in comparison to Dell engineers. Also, please don't even bother to send me emails: you're just wasting both our time.

P.S.: DELL service tag: #NOSOUP4-3A5B password: zvd97y9h

P.P.S.: has a free password generator.

Monday, September 5, 2011

"Donate" Button

I've been asked a few times to accept donations. Please find a button linking to Animal Rescue International on the right side - I'm quite certain that your donations are better off with them.

Sunday, July 31, 2011

Free Unlocker for Palm/HP Phones

A few weeks back, I ditched my iPhone for good and got my hands on a used Palm Pre. Unfortunately, it was net-locked by the provider. Fortunately, the modem is Qualcomm device and hence, all security features can be bypassed so easily that they appear meaningless in the first place. I've written unlocking scripts that work on every webOS phone, i.e. Palm Pre (Plus), Palm Pre2, Palm Pixi (Plus), HP Veer, or HP Pre3. You do not need a SIM card for obtaining the unlock code, and the unlock is perfectly safe, i.e. you can't brick your device. Here's a quick how-to:
  1. Install python 2.6.x (32 bit/x86 version): Python 3.x will not work.
  2. Windows: Install pywin32 for python 2.6:
  3. Install pyserial:
    Linux: Use your packet manager to install the required libraries, e.g. sudo apt-get install python-serial for Debian based distributions (Ubuntu, Mint, etc.) 
  4. Download the unlocker (Pre/Pre2/Pixi, or Pre3/Veer) and unpack it (e.g. into the directory C:\unlock)
  5. Calculate the USB passthrough key: go to device info, write down the "Serial Number", and use to generate the key from this number. The serial number is also printed on the back of your device and/or underneath the battery.
  6. Start the phone without a SIM card, then start the dialer. If the phone has not been activated before, you can either select "emergency call" with the icon from the notification area at the bottom (Pre, Pre2, Pixi) and delete the number (911, 112 etc.), or just type "BZ" (#*) blindly on the keyboard (Veer, Pre3). Enter "#*USBPASS# (#*8727277#) in the dialer application and press the dial icon.  A window will appear which asks you to enter the passthrough key. After you've done that, select "Diag" for the "USB PORT 1" (only for that port, the rest has to be set to "None").
    If you have trouble enabling the passthrough mode, bypass the activation, install Preware and install the "Enable USB Passthrough" application from Preware.
  7. Windows: Connect your phone to your machine and install these drivers for the serial diagnostics port (not the R-ACM or any other device). The first time you plug in the phone in diagnostics mode, Windows will ask you for drivers. You can also force the driver installation in the device manager by right-clicking the unknown serial port under "Other devices" and selecting "Update drivers". You might have to acknowledge a few warnings about broken driver signatures.
    Linux: Insert the module usbserial module with vendor and product parameters matching the vendor and product ID (lsusb), e.g. sudo modprobe usbserial vendor=0x0830 product=0x8043. You have to make the device file (usually /dev/ttyUSB0) accessible to regular users, or you have to run the unlock script with root privileges.
  8. Run / and write down your network unlock code.
    If the serial port is not found automatically or if the search is stuck, you can specify it as a command line parameter. Open up a command prompt, navigate to the directory (cd \unlock) and run the unlocker, e.g. --diagPort COM5
    If the firmware version has not been recognized, update your device to either the latest webOS 1.4.x or 2.x version. If you don't have a Palm account, you can obtain the updater here.
  9. Disable the passthrough mode: enter "#*USBPASS# (#*8727277#) and press the dial icon again. Set "None" for "USB PORT 1".
  10. Shutdown the phone. Put in a SIM card that is not accepted by the phone and boot it up again. You might have to bypass the activation mechanism.
  11. Carefully enter the network unlock code obtained in step 8. If it gets rejected, please contact me with the perso.txt file that has been saved to the directory of the script. Reboot and enjoy your unlocked phone.
    If and only if the unlock code does not work for you ("Enter Unblock Code"), try running the script with the parameter --writeBack from the command prompt, e.g. --writeBack. After it has completed successfully, reboot your phone and it should be unlocked.
    If you need to activate your phone, but your carrier does not support data services, you can try this.
The script should also work for Linux, MacOS, BSD and any other system which has drivers for the USB diagnostics mode and a python interpreter. I'd like to know whether this worked for you, so please leave a comment. Also, all sources of the unlocker have been released under the terms of the GPL. Feel free to hack away with them.

Tuesday, April 26, 2011

Shmuck of the Week: Alexis Toledo / novatec / biosremoval

Here's another guy selling passwords to people for ludicrous prices: $35 for 2 minutes of work - not bad. You'd think that he can afford a nice website by now, but it still looks like the final project of a community college web design class in the nineties:

Thankfully, his apparent lack of discernible technical knowledge made it very easy to find docs:
alexis toledo 
422 mystic ave
somerville, MA 02145

Another address of someone who is involved with this is: 
Edisley Sousa
6xx American Legion Hwy
Rosindale, MA 02131 

There's a bunch of websites and accounts he operates under:

I've been collecting his stuff long ago, but never had the time to award him properly until he sent me this reminder:
Guess what...

If you ever have been foolish enough to send this guy money, please contact the paypal fraud department.

Update 1: I just love emails like that.

Update 2: Alexis resorts to empty threats in LARGE LETTERING. I won't be able to sleep tonight :(.

Update 3: Another victim has come forward...

Thursday, March 31, 2011

Roll Call - State of Electronics

The trailer of Karl von Moller's latest documentary gets my mouth watering:

Roll Call - State of Electronics from karl von moller on Vimeo.

Hopefully, it'll be out soon.

Sunday, March 6, 2011

Shmuck of the Month: Sony

Two types of companies exist: those which are growing and those which are dying. Sony clearly belongs to the latter for over a decade now. The high level of engineering that once made their products excel has been replaced by bland mediocrity and delusional control ideas that are manifested in recent Sony products such as Bluray, the PS3, etc. In their latest act of desperation, they are suing a couple of guys who have successfully hacked the PS3 to bring Linux back to the console after it has been illegally removed in a firmware update. The flaws they used to obtain access to the multi-millon dollar security system can almost solely be attributed to crass design blunders that would have been completely avoidable in the first place.

Sony has a line of laptops ("Vaio") which compete mainly in the high value market segments. They implemented a master password bypass which is rather sane in comparison to the rest of the bunch:
  • The randomly generated master password is only stored in RAM, e.g. it's lost after the next reboot ("one time password").
  • RSA is used for encrypting the password which is then converted to a human-readable form (4x4 characters/8 bytes/64 bits).
  • Their customer support apparently allows for one free password generation per device which is pretty decent by the industry standard.
However, they screwed up by choosing a key length that is just 64 bit and hence too small: an unoptimized python implementation of a general number sieve yields the factors of the key in less than a minute. With these, writing the generator script is an easy exercise:
Master Password Generator for Sony laptops (16 characters otp)
Copyright (C) 2009-2010 dogbert

After entering the wrong password for the third time, you will receive a code from which the password can be calculated,
e.g. 73KR-3FP9-PVKH-K29R

Please enter the code:
The password is: 43878945

I'm not the first one who discovered this: hpgl also reversed this scheme quite a while back. There are even some idiots on eBay who sell these master passwords. 

Update: released here

    Wednesday, February 9, 2011

    Shmuck of the Month: Conrado Davila /

    Among the many contestants for this award, there are always some who stand out as exceptionally smug. Conrado has successfully gained access to this select class of people. This is an email from the first time he tried to contact me:
    By stating that he is "involved in the world of laptop hacking", he actually means that he defrauds people by selling them my stuff for only 40-50 $/password on his website:

    Among the clusterfuck of typographical mistakes and perspective errors in his graphics, he has thankfully put his full name and address in the whois record of the domain: #17036
    conrado davila (
    eugenio sue 1279 colinas de san jeronimo
    Tel. +34.955842323
    NAME: Conrado Dávila de Gárate
    ADRESS: La Luisiana #3
    POSTAL CODE: 41600
    I'm sure that the local DA has an extensive record on him.

    The icing on the cake, however, is his sale of my GPL'd code to some gullible sucker for big bucks. That guy actually wanted to buy a generator for the Sony one-time-password stuff from him, so Conrado just modified my 5dec script to the effect that it seems to generate the password from the Sony one-time key. Suffice to say that it doesn't work at all since he has no technical expertise whatsoever. The other thing that he conveniently removed is my authorship of the script. Here's his delivery email:
    So this month, the prestigious "Shmuck" award goes to Spain. Congratulations - you earned it!

    Sunday, January 23, 2011

    Yet Another BIOS Broken by Design: InsydeH20

    Seriously, guys? The master password generator is linked in the other post...