Wednesday, December 23, 2009

Wednesday, November 4, 2009

An Information Campaign

The very same applies to all other cell phone and BIOS unlocking:

Saturday, October 31, 2009

Shmuck of the Week:

Looks like the award goes to china once again:

Saturday, July 11, 2009

Unlocking LG Phones with the EGold chipset

Recently I bought a dirt-cheap LG phone which had a netlock. After some poking around, I've stumbled across its firmware which I was able to disassemble, so I've written a small script that reads out the netlock code required for unlocking the phone. The phone is interfaced via RS232 which operates at TTL levels: a max232, pl2303 or an equivalent chip should do the job. There are usually soldering points for RXD, TXD and GND on the logic board. Most phones also have pins with these signals at their connector.

The script can save the contents of the flashrom and the so-called "eeprom" (which is just a section of the flashrom containing all the juicy bits) to a file. I've tested it on an LG GB102 and a LG KP100 - it should also work for most other Egold Lite based phones, possibly even from other vendors.
The script has been released under GPL - I wonder how many idiots will ignore this. Anyway, here it is: 
As always, it's a python script that operates on the command line interface. For unlocking your phone, do the following things:
  1. Connect TxD, RxD and GND from your serial port interface to the serial port of your cell phone. Keep in mind that you need TTL levels, so you must not use the regular RS232 port of your PC! On your cell phone, there are usually test points where the cable can be directly soldered onto. The battery still has to fit onto the device once your cable has been soldered on. Also, the total length of the cables between the convert chip and the cell phone has to be as short as possible! Alternatively, you can just use a flasher cable (KE500 type for the GB102, KG800 for the KP100).
  2. Install Python 2.6.x, then pywin32, and then pyserial.
  3. Copy the script to a folder on your hard drive.  
  4. Two additional files are required: boot-1st-stage.bin and boot-2nd-stage.bin. I can't distribute them for obvious legal reasons, so you have to find them elsewhere. The sha1 sum of both files is checked during the initialization of the script.
  5. Open a command shell and navigate to that folder.
  6. Start the script with the parameter specifying the port of your serial interface, e.g. --port COM4 -e
  7. Press the 'ON' button of your cell phone. You'll receive the unlock code and instructions how to use it from the script. 

Sunday, June 28, 2009

Shmuck of the Week:

The sneakiness of some low-life deadbeats never ceases to amaze me - I've just stumbled across this:

Observe the conveniently removed name after the copyright notice of the script and the lack of any attribution whatsoever.

So, the shmuck of the week goes to - congratulations!

Thursday, June 25, 2009

Fix for Amilo P / X models

I've released a new version of the 5dec script which fixes the password calculation for FSI Amilo Pi / Pa / Xi models. The URLs remain unchanged (see previous posts).

Thanks to everyone who provided me with the information that allowed me to reverse-engineer it!

Saturday, May 2, 2009

BIOS Password Backdoors in Laptops

Synopsis: The mechanics of BIOS password locks present in current generation laptops are briefly outlined. Trivial mechanisms have been put in place by most vendors to bypass such passwords, rendering the protection void. A set of master password generators and hands-on instructions are given to disable BIOS passwords.

When a laptop is locked with password, a checksum of that password is stored to a so-called FlashROM - this is a chip on the mainboard of the device which also contains the BIOS code and other settings, e.g. memory timings.

For most brands, this checksum is displayed after entering an invalid password for the third time:

The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, it will work just as before. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing.

The bypass mechanisms of other vendors work by showing a number to the user from which a master password can be derived. This password is usually a sequence of numbers generated randomly.

Some vendors resort to storing the password in plain text onto the FlashROM, and instead of printing out just a checksum, an encrypted version of the password is shown.

Other vendors just derive the master password from the serial number. Either way, my scripts can be used to get valid passwords.

A few vendors have implemented obfuscation measures to hide the hash from the end user - for instance, some FSI laptops require you to enter three special passwords for the hash to show up (e.g. "3hqgo3 jqw534 0qww294e", "enable master password" shifted one up/left on the keyboard). Some HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for the last time.

Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a matter of trying all of them and finding the one that fits your laptop. It does not matter on what machine the script are executed, i.e. there is no reason to run them on the locked laptop.
This is an overview of the algorithms that I looked at so far:

VendorHash EncodingExample of Hash Code/SerialScripts
Compaq5 decimal
Windows binary
Dellserial number1234567-595B
Fujitsu-Siemens5 decimal
Windows binary
Fujitsu-Siemens8 hexadecimal
Windows binary
Fujitsu-Siemens5x4 hexadecimal
Windows binary
Fujitsu-Siemens5x4 decimal
Windows binary
Fujitsu-Siemens6x4 decimal
Hewlett-Packard5 decimal
Windows binary
Hewlett-Packard/Compaq Netbooks10
Windows binary
Insyde H20 (generic)8 decimal
Windows binary
Phoenix (generic)5 decimal
Windows binary
Sony4x4 hexadecimal
Sony7 digit serial
Windows binary
Samsung12 hexadecimal
Windows binary

Here are some other folks' efforts (python/ocaml/javascript):

VendorHash EncodingExample of Hash Code/SerialScripts
HP8 decimal digitsi1234578
Acer/Insyde10 decimal digits123457890

The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the binary files (.exe) don't work out for you, install Python 2.7 (not 3.x) and run the .py script directly by double-clicking them. Make sure that you correctly read each letter (e.g. number '1' vs letter 'l').

Вячеслав Бачериков has also converted my scripts to javascript so you can calculate the passwords with your browser: (sources).

Please leave a comment below on what make/model the scripts work. Also, be aware that some vendors use different schemes for master passwords that require hardware to be reset - among them are e.g. IBM/Lenovo. If you find that your laptop does not display a hash or the scripts do not work for you for whatever reason, try to:
  • use a USB keyboard for entering the password for avoiding potential defects of the built-in keyboard,
  • run CmosPwd to remove the password if you can still boot the machine,
  • overwrite the BIOS using the emergency recovery procedures. Usually, the emergency flash code is activated by pressing a certain key combination while powering on the machine. You also need a specially prepared USB memory stick containing the BIOS binary. The details are very much dependent on your particular model. Also, be aware that this can potentially brick your device and should only be done as a last measure.
  • Some dell service tags are missing the suffix - just try the passwords for all suffices by adding -595B, -2A7B and -D35B to your service tags. 
  • The passwords for some HP laptops are breakable with this script.
  • Unlocking methods for some Toshiba laptops are described here (edit: gone). 
  • Some older laptop models have service manuals that specify a location of a jumper / solder bridge that can be set for removing the password.

If none of the generators/methods above works, please use the vendor support. Please understand that my motivation for reverse-engineering comes purely from a personal interest. I will not accept offers to look at the specifics of certain models.

Wednesday, April 22, 2009

Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit, Part Trois

Last, but not least, here's the version for the 5 decimal code:
Windows Binaries

Please report back on what models the script works.

Edit: A more thorough explanation is here.

Thursday, April 9, 2009

Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit, Part Deux

Apparently, FSI hasn't done a much better job for the Amilo Pro series: this time, they've used the table of the CCIT-CRC16 algorithm (!) for a rather simplistic hashing algorithm. Lesson learned: never trust your data with security schemes which rely purely on obfuscation.
I have released the script and binaries for Windows under the GPL.

I want to thank blAck for providing me with some memory dumps which have made the reverse engineering considerably easier.

Update: I've made slight adaptions to the script so it should also work for 5x4 hexadecimal codes.

Edit: A more thorough explanation is here.

Monday, April 6, 2009

Hacking the BIOS of Fujitsu Siemens Laptops for Fun and Profit

Some time ago, I managed to get a base unit of a Fujitsu Siemens notebook for little money from a seller who runs a business repairing defective laptops. Because both the supervisor and the user password have been set in the BIOS of the notebook's mainboard, he didn't have any use for it. The manufacturer offers quite an expensive service to remove the password, and the fee for this greatly exceeds the overall value of the board. Hence he was happy to sell it to me.
I welcomed the challenge to hack the board, and finally I had some free time to get my hands dirty. After a deep dive into the gruesome world of 16 bit assembly, I have found a way to override any password: if a certain sequence of passwords is entered (3hqgo3, jqw534, 0qww294e), you get a 5x4 digits code from which a master password can be calculated. Finding the hashing function was just a matter of time, and I've written a small script which re-implements the algorithm. It's been released under GPL here: Binaries for Windows are available here. The script should work for most Lifebook and Amilo series laptops.

Overall, the password protection is much weaker than I anticipated: there's a custom IC on the board (MB90378) which could have easily been used for checking the password in a much more secure manner, but apparently their security relies on the somewhat inherent obfuscation of the BIOS. Not their brightest call...

Edit: A more thorough explanation is here.