<b>Dogbert's Blog</b> (dogbert; feed last updated 2024-03-18)<br />
<br />
<b>FAQ</b> (2016-04-28)<br />
Here's a bunch of frequently asked questions:<br />
<br />
<i>Q: My laptop is blocked with a BIOS password. Can you unlock it?</i><br />
A: If the stuff <a href="http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html">here</a> does not work, please use the vendor support. Please note that I have chosen not to publish generators for newer models.<br />
<br />
<i>Q: I have used your generators, but the generated passwords fail to unlock my laptop. Can you help?</i><br />
A: No: please use the vendor support.<br />
<br />
<i>Q: Can I buy passwords/generators from you?</i><br />
A: No.<br />
<br />
<i>Q: Can you unlock my hard drive/Windows installation/cell phone/apartment door?</i><br />
A: No.<br />
<br />
<i>Q: Can you teach me how to defeat BIOS password protection?</i><br />
A: No.<br />
<br />
<br />
<b>In the wake of recent events...</b> (2015-11-13)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://i.imgur.com/TiBkKSX.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="139" src="https://i.imgur.com/TiBkKSX.jpg" width="320" /></a></div>
It's not that hard, really.<br />
<br />
<b>Je suis Charlie</b> (2015-01-12)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.danielpipes.org/pics/new/large/1904.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.danielpipes.org/pics/new/large/1904.jpg" height="320" width="256" /></a></div>
Freedom of expression will always trump infantile spite, i.e. 'religious feelings'.<br />
<br />
<b>Dell 1F66</b> (2014-07-29)<br />
Bypassing the BIOS password of newer Dell models with a service tag ending in -1F66 is still only a trivial exercise in patience:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">DELL service tag: DELLSUX-1F66 password: qHXaL0ntli6Gu4c0</span><br />
<br />
<span style="font-family: inherit;">The algorithm used to derive the password from the service tag is just a minor modification of the <a href="http://dogber1.blogspot.com/2011/10/dell-1d3b.html" target="_blank">crap seen before</a>. Is <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" target="_blank">public-key cryptography</a> really that hard to understand?</span>dogberthttp://www.blogger.com/profile/17573247308505768594noreply@blogger.comtag:blogger.com,1999:blog-1523513019430120118.post-80192253291110526282012-01-21T16:36:00.000-08:002016-02-05T19:23:36.537-08:00Password Recovery for FSI Amilo Pi LaptopsI received numerous emails in the past from owners of Fujitsu-Siemens Amilo Pi laptops that got locked up beyond recovery: in a nutshell, a BIOS update or some other minor event has caused the password checksum to be overwritten by a seemingly random number above 2^14 (16384). In conjunction with the butchered CRC16 implementation courtesy of Phoenix, this basically means that there are no valid passwords for checksums above that number, i.e. the laptop has become an expensive paperweight.<br />
<br />
However, there is a small backdoor, and that is the BIOS emergency recovery: it's basically the last resort to recover from a bad BIOS update. I've patched out the password check from the binary so it can be used to reset the machine to a valid password. Here's a quick how-to:<br />
<ol>
<li><div>
Get a USB floppy drive and a floppy disk - format the disk to FAT16.</div>
</li>
<li><div>
Copy the BIOS file (<a href="http://www.multiupfile.com/f/eaea6109fe" target="_blank">pi1505</a>, <a href="http://www.multiupfile.com/f/3673d7d7" target="_blank">pi1536</a>, <a href="http://www.mirrorcreator.com/files/HQWFIU2H/pi1556-fixed.zip_links" target="_blank">pi1556</a>, <a href="http://www.multiupfile.com/f/c131c840" target="_blank">pa2510</a>) as "bios.wph" to the root directory of the floppy.</div>
</li>
<li>Remove the battery and power cord from the laptop.</li>
<li>Connect the USB floppy drive to the laptop, then insert the battery, then the power cord.</li>
<li>Press both <span style="font-family: "courier new" , "courier" , monospace;">Ctrl</span>+<span style="font-family: "courier new" , "courier" , monospace;">Home</span> keys while actuating the power button. Keep <span style="font-family: "courier new" , "courier" , monospace;">Ctrl</span>+<span style="font-family: "courier new" , "courier" , monospace;">Home</span> pressed for another 2-3 minutes.</li>
<li>The BIOS is being reflashed - after that, the machine should reboot on its own.</li>
<li>When it boots up, go to setup and set new passwords. If you get asked for a password, just enter a few random characters.</li>
<li>Boot the laptop up again, re-flash the vendor BIOS.</li>
<li>Go to the BIOS, reset all passwords.</li>
</ol>
That should unbrick your laptop.<br />
<br />
mtmarco has posted alternative instructions on <a href="http://www.amilo-forum.com/topic,2382,-PI-1536-BIOS-update-failed.html" target="_blank">amilo-forum.com</a>.<br />
<br />
<b>Conrado strikes again</b> (2011-12-27, updated 2012-05-07)<br />
Another fraud victim has sent me an email with this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSVjTgHXciCaqTx3VyBmT073avxzAv-d_UK9h6p78XaLBd0htn1hstciqTCcVFNkKyDcIF1g0sg_I3Wh8BHnMT3H47oIGF18_-mDHcaRi3EtyXLI6Q5disYoZ1_coScmdh5m0mqRFDoL8/s1600/tt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="26" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSVjTgHXciCaqTx3VyBmT073avxzAv-d_UK9h6p78XaLBd0htn1hstciqTCcVFNkKyDcIF1g0sg_I3Wh8BHnMT3H47oIGF18_-mDHcaRi3EtyXLI6Q5disYoZ1_coScmdh5m0mqRFDoL8/s400/tt.jpg" width="400" /></a></div>
It has the same quality as <a href="http://dogber1.blogspot.com/2011/02/shmuck-of-month-conrado-davila.html">Conrado Davila's previous fraud</a>: he modified my code a bit (removing the GPL license, attributions, etc.), claiming this time that it can calculate Toshiba unlock codes, and sold it to some guy for $460. Interestingly, the payment went to "Luis Eugenio Davila de Garate". He probably has burned his personal paypal account and is tapping into the account of a relative now.<br />
<br />
In other news, <a href="http://www.youtube.com/user/laptips">here</a> are some of his clumsy attempts to advertise on youtube, and <a href="http://dogber1dogbert1.blogspot.com/">here</a> is a fan site which he created with all of his skills in a pretty lame attempt to extort me to retract all the information about his scams...<br />
<br />
<b><i>Update 11/1/12</i></b>: Conrado's getting desperate:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjODS9x-WOE8OI_eKSYARTwwzrHHkfhuKx27F0Zg2TpcaIWAtGPbdn-9-1SJvUteZ75y8hErLrbQCGf7M6jIPnSIqWCngs5tOIaoR2K2aQYbKCBzlSFpNdy4-yoUdAAAwPmzRQ2XdCWH94/s1600/retard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjODS9x-WOE8OI_eKSYARTwwzrHHkfhuKx27F0Zg2TpcaIWAtGPbdn-9-1SJvUteZ75y8hErLrbQCGf7M6jIPnSIqWCngs5tOIaoR2K2aQYbKCBzlSFpNdy4-yoUdAAAwPmzRQ2XdCWH94/s320/retard.png" width="320" /></a></div>
<br />
<br />
<strong><em>Update 7/5/12</em></strong>: Another <a href="http://dogber1.blogspot.com/2011/04/shmuck-of-week-alexis-toledo-novatec.html#comment-521627796" target="_blank">victim</a>...<br />
<br />
<b>Dell 1D3B</b> (2011-10-09, updated 2016-09-30)<br />
Surprisingly, it was even easier than older models:<br />
<span class="Apple-style-span" style="font-family: "courier new" , "courier" , monospace;">Dell Laptop Master Password Generator.</span><br />
<span class="Apple-style-span" style="font-family: "courier new" , "courier" , monospace;">Copyright (C) 2011 dogbert; 2007-2010 hpgl</span><br />
<span class="Apple-style-span" style="font-family: "courier new" , "courier" , monospace;">Short service tag should be right padded with '*' up to length 7 chars</span><br />
<span class="Apple-style-span" style="font-family: "courier new" , "courier" , monospace;">HDD serial number is right 11 chars from real HDDSerNum left padded with '*'</span><br />
<span class="Apple-style-span" style="font-family: "courier new" , "courier" , monospace;">Some BIOSes has left pad HDD serial number with spaces instead '*'</span><br />
<span class="Apple-style-span" style="font-family: "courier new" , "courier" , monospace;">Input: #ABCDEFG-1D3B</span><br />
<span class="Apple-style-span" style="font-family: "courier new" , "courier" , monospace;">09.10.2011 22:42 DELL service tag: ABCDEFG-1D3B password: xvn0qEeftqyrkG52</span><br />
<br />
In light of this (and <a href="http://dogber1.blogspot.com/2010/07/how-to-protect-better-secure-bios.html">this</a>), a pack of monkeys looks sophisticated in comparison to Dell engineers. Also, please don't even bother to send me emails: you're just wasting both our time.<br />
<br />
P.S.: <span style="font-family: "courier new" , "courier" , monospace;">DELL service tag: #NOSOUP4-3A5B password: zvd97y9h</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: inherit;"><span style="font-family: "Courier New", Courier, monospace;">P.P.S.:</span><span style="font-family: "Courier New", Courier, monospace;"> <a href="http://www.bios-pw.org/">http://www.bios-pw.org</a> </span><span style="font-family: "Courier New", Courier, monospace;">has a free password generator.</span></span>dogberthttp://www.blogger.com/profile/17573247308505768594noreply@blogger.comtag:blogger.com,1999:blog-1523513019430120118.post-70499332740345892312011-09-05T22:12:00.000-07:002011-09-05T22:12:24.069-07:00"Donate" ButtonI've been asked a few times to accept donations. Please find a button linking to <a href="http://en.wikipedia.org/wiki/International_Animal_Rescue">Animal Rescue International </a>on the right side - I'm quite certain that your donations are better off with them.dogberthttp://www.blogger.com/profile/17573247308505768594noreply@blogger.comtag:blogger.com,1999:blog-1523513019430120118.post-9168268878020955082011-07-31T09:40:00.000-07:002014-01-09T11:56:13.858-08:00Free Unlocker for Palm/HP PhonesA few weeks back, I ditched my iPhone for good and got my hands on a used Palm Pre. Unfortunately, it was net-locked by the provider. Fortunately, the modem is Qualcomm device and hence, all security features can be bypassed so easily that they appear meaningless in the first place. I've written unlocking scripts that work on every webOS phone, i.e. <b>Palm Pre (Plus), Palm Pre2, Palm Pixi (Plus), HP Veer, or HP Pre3. You do not need a SIM card for obtaining the unlock code, and the unlock is perfectly safe, i.e. you can't brick your device. </b>Here's a quick how-to:<br />
<ol>
<li>Install python 2.6.x (32 bit/x86 version): <a href="http://www.python.org/download/releases/2.6/" target="_blank">http://www.python.org/download/releases/2.6/</a>. Python 3.x will not work.</li>
<li><i>Windows:</i> Install pywin32 for python 2.6: <a href="http://sourceforge.net/projects/pywin32/files/" target="_blank">http://sourceforge.net/projects/pywin32/files/</a></li>
<li>Install pyserial: <a href="http://sourceforge.net/projects/pyserial/files/" target="_blank">http://sourceforge.net/projects/pyserial/files/</a><br /><i>Linux:</i> Use your package manager to install the required libraries, e.g. <span style="font-family: "Courier New", "Courier", monospace;">sudo apt-get install python-serial</span> for Debian-based distributions (Ubuntu, Mint, etc.)</li>
<li>Download the unlocker (<a href="http://sites.google.com/site/dogber1/blag/pre-unlock-v1.9.zip" target="_blank">Pre/Pre2/Pixi</a>, or <a href="http://sites.google.com/site/dogber1/blag/pre3-veer-unlock-v1.6.zip" target="_blank">Pre3/Veer</a>) and unpack it (e.g. into the directory <span style="font-family: "Courier New", "Courier", monospace;">C:\unlock</span>)</li>
<li>Calculate the USB passthrough key: go to device info, write down the "Serial Number", and use <span style="font-family: "Courier New", "Courier", monospace;">pre_keygen.py</span> to generate the key from this number. The serial number is also printed on the back of your device and/or underneath the battery.</li>
<li>Start the phone without a SIM card, then start the dialer. If the phone has not been activated before, you can either select "emergency call" with the icon from the notification area at the bottom (Pre, Pre2, Pixi) and delete the number (<span style="font-family: "Courier New", "Courier", monospace;">911</span>, <span style="font-family: "Courier New", "Courier", monospace;">112</span> etc.), or just type "<span style="font-family: "Courier New", "Courier", monospace;">BZ</span>" (<span style="font-family: "Courier New", "Courier", monospace;">#*</span>) blindly on the keyboard (Veer, Pre3). Enter "<span style="font-family: "Courier New", "Courier", monospace;">#*USBPASS#</span>" (<span style="font-family: "Courier New", "Courier", monospace;">#*8727277#</span>) in the dialer application and press the dial icon. A window will appear which asks you to enter the passthrough key. After you've done that, select "Diag" for "<span style="font-family: "Courier New", "Courier", monospace;">USB PORT 1</span>" (only for that port; the rest has to be set to "<span style="font-family: "Courier New", "Courier", monospace;">None</span>").<br />If you have trouble enabling the passthrough mode, <a href="https://developer.palm.com/content/resources/develop/developing_on_an_unactivated_device.html" target="_blank">bypass</a> the activation, install <a href="http://www.webos-internals.org/wiki/Preware#Installing_Preware" target="_blank">Preware</a> and install the "Enable USB Passthrough" application from Preware.</li>
<li><i>Windows:</i> Connect your phone to your machine and install <a href="https://sites.google.com/site/dogber1/blag/passthru-drivers.zip">these drivers</a> for the serial diagnostics port (not the R-ACM or any other device). The first time you plug in the phone in diagnostics mode, Windows will ask you for drivers. You can also force the driver installation in the device manager by right-clicking the unknown serial port under "Other devices" and selecting "Update drivers". You might have to acknowledge a few warnings about broken driver signatures.<br /><i>Linux:</i> Load the <span style="font-family: "Courier New", "Courier", monospace;">usbserial</span> module with vendor and product parameters matching the vendor and product ID (<span style="font-family: "Courier New", "Courier", monospace;">lsusb</span>), e.g. <span style="font-family: "Courier New", "Courier", monospace;">sudo modprobe usbserial vendor=0x0830 product=0x8043</span><span style="font-family: inherit;">. You have to make the device file (usually </span><span style="font-family: "Courier New", "Courier", monospace;">/dev/ttyUSB0</span><span style="font-family: inherit;">) accessible to regular users, or you have to run the unlock script with root privileges.</span></li>
<li>Run <span style="font-family: "Courier New", "Courier", monospace;">pre_unlock.py</span> / <span style="font-family: "Courier New", "Courier", monospace;">pre3_veer_unlock.py </span>and write down your network unlock code.<br />If the serial port is not found automatically or if the search is stuck, you can specify it as a command line parameter. Open up a <a href="http://www.bleepingcomputer.com/tutorials/windows-command-prompt-introduction/" target="_blank">command prompt</a>, navigate to the directory (<span style="font-family: "Courier New", "Courier", monospace;">cd \unlock</span>) and run the unlocker, e.g. <span style="font-family: "Courier New", "Courier", monospace;">pre_unlock.py --diagPort COM5</span><span style="font-family: inherit;"><br />If the firmware version has not been recognized, <a href="http://www.palm.com/ROM" target="_blank">update your device</a> to either the latest webOS 1.4.x or 2.x version. If you don't have a Palm account, you can obtain the updater <a href="http://www.webos-internals.org/wiki/WebOS_Doctor_Versions" target="_blank">here</a>.</span></li>
<li>Disable the passthrough mode: enter "<span style="font-family: "Courier New", "Courier", monospace;">#*USBPASS#</span>" (<span style="font-family: "Courier New", "Courier", monospace;">#*8727277#</span>) and press the dial icon again. Set "None" for "<span style="font-family: "Courier New", "Courier", monospace;">USB PORT 1</span>".</li>
<li>Shutdown the phone. Put in a SIM card that is not accepted by the phone and boot it up again. You might have to <a href="https://developer.palm.com/content/resources/develop/developing_on_an_unactivated_device.html" target="_blank">bypass the activation mechanism</a>.</li>
<li>Carefully enter the network unlock code obtained in step 8. If it gets rejected, please contact me with the <span style="font-family: "Courier New", "Courier", monospace;">perso.txt</span> file that has been saved to the directory of the script. Reboot and enjoy your unlocked phone.<br /><i>If and only if</i> the unlock code does not work for you (<span style="font-family: "Courier New", "Courier", monospace;"><b><i>"Enter Unblock Code"</i></b></span>), try running the script with the parameter <span class="Apple-style-span" style="font-family: "Courier New", "Courier", monospace;">--writeBack</span> from the <a href="http://www.bleepingcomputer.com/tutorials/windows-command-prompt-introduction/" target="_blank">command prompt</a>, e.g. <span class="Apple-style-span" style="font-family: "Courier New", "Courier", monospace;">pre3_veer_unlock.py --writeBack</span>. After it has completed successfully, reboot your phone and it should be unlocked.<br />If you need to activate your phone, but your carrier does not support data services, you can try <a href="https://developer.palm.com/content/resources/develop/developing_on_an_unactivated_device.html" target="_blank">this</a>.</li>
</ol>
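The scripts in steps 8 and 9 talk to the modem over the "Diag" port, which carries Qualcomm's DIAG protocol on a serial line. As an added example that is not part of the original post or of the GPL'd unlockers, here is the framing that port speaks, so you can check that the port answers at all before running an unlock: DIAG messages are HDLC-style frames terminated by 0x7E, with any 0x7E or 0x7D inside the frame escaped as 0x7D followed by the byte XOR 0x20, and protected by the 16-bit FCS that PPP uses (RFC 1662: reflected polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF, appended little-endian). Command byte 0x00 is the version-information request. The reply payload, and the <span style="font-family: "Courier New", "Courier", monospace;">write</span>/<span style="font-family: "Courier New", "Courier", monospace;">read</span> callables standing in for pyserial's <span style="font-family: "Courier New", "Courier", monospace;">Serial.write</span>/<span style="font-family: "Courier New", "Courier", monospace;">Serial.read</span>, are constructed for this example.<br />

```python
"""Qualcomm DIAG framing as spoken on a phone's diagnostics serial port.

Added example; not code from the blog's unlock scripts. Framing: payload,
RFC 1662 FCS-16 (little-endian), 0x7E/0x7D escaped as 0x7D + (byte ^ 0x20),
0x7E terminator. Command 0x00 is the version-information request. The reply
used below is constructed, not a capture from a real phone.
"""
import struct

FLAG = 0x7E      # frame terminator
ESCAPE = 0x7D    # escape prefix; escaped byte is XORed with 0x20
DIAG_VERNO = 0x00  # version-information request


def crc16_ppp(data: bytes) -> int:
    """RFC 1662 FCS-16: reflected poly 0x8408, init 0xFFFF, returned complemented."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def encode_frame(payload: bytes) -> bytes:
    """payload + FCS, escaped, terminated with the 0x7E flag."""
    body = payload + struct.pack("<H", crc16_ppp(payload))
    out = bytearray()
    for byte in body:
        if byte in (FLAG, ESCAPE):
            out += bytes((ESCAPE, byte ^ 0x20))
        else:
            out.append(byte)
    out.append(FLAG)
    return bytes(out)


def decode_frame(frame: bytes) -> bytes:
    """Inverse of encode_frame. Raises ValueError on a bad flag, escape or FCS."""
    if not frame or frame[-1] != FLAG:
        raise ValueError("frame is not terminated by 0x7E")
    body = bytearray()
    it = iter(frame[:-1])
    for byte in it:
        if byte == ESCAPE:
            try:
                byte = next(it) ^ 0x20
            except StopIteration:
                raise ValueError("dangling escape byte") from None
        elif byte == FLAG:
            raise ValueError("unescaped 0x7E inside frame")
        body.append(byte)
    if len(body) < 2:
        raise ValueError("frame too short to carry an FCS")
    payload, (fcs,) = bytes(body[:-2]), struct.unpack("<H", body[-2:])
    expected = crc16_ppp(payload)
    if fcs != expected:
        raise ValueError("FCS mismatch: got %04x, expected %04x" % (fcs, expected))
    return payload


def version_request() -> bytes:
    """The well-known 4-byte version request: 00 78 f0 7e."""
    return encode_frame(bytes([DIAG_VERNO]))


def diag_roundtrip(write, read) -> bytes:
    """Send the version request via write(), read byte-wise until 0x7E,
    return the decoded reply payload. write/read mirror pyserial's
    Serial.write / Serial.read(n) (read returns b"" on timeout)."""
    write(version_request())
    buf = bytearray()
    while True:
        b = read(1)
        if not b:
            raise TimeoutError("no DIAG reply: wrong port, or passthrough is not in Diag mode")
        buf += b
        if b[0] == FLAG:
            return decode_frame(bytes(buf))
```

On a real device you would pass the <span style="font-family: "Courier New", "Courier", monospace;">write</span> and <span style="font-family: "Courier New", "Courier", monospace;">read</span> methods of a <span style="font-family: "Courier New", "Courier", monospace;">serial.Serial</span> opened on the diagnostics port with a timeout set. A <span style="font-family: "Courier New", "Courier", monospace;">TimeoutError</span> is the symptom of the wrong COM/tty device or of "USB PORT 1" not being set to "Diag" (steps 6 and 7); a <span style="font-family: "Courier New", "Courier", monospace;">ValueError</span> means the bytes coming back are not DIAG frames at all, i.e. you are talking to the wrong device.<br />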
The script should also work on Linux, MacOS, BSD and any other system which has drivers for the USB diagnostics mode and a python interpreter. I'd like to know whether this worked for you, so please leave a comment. Also, all sources of the unlocker have been released under the terms of the GPL. Feel free to hack away with them.<br />
<br />
<b>Shmuck of the Week: Alexis Toledo / novatec / biosremoval</b> (2011-04-26, updated 2012-05-07)<br />
Here's another guy selling <a href="http://dogber1.blogspot.com.br/2009/05/table-of-reverse-engineered-bios.html" target="_blank">passwords</a> to people for ludicrous prices: $35 for 2 minutes of work - not bad. You'd think that he can afford a nice website by now, but it still looks like the final project of a community college web design class in the nineties:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMju9SLm5q0xHQJ6Jx-rhyb8DjoQdQhj6XSFw1zpROP2jDCGzr-Is4wDd0y8IYYfGgKReflI5vfFstvSFrpMh8bbZnETuJBrUWNuzn3VayAWo6VXLX17r4xKewqutoFwrIinsm8u8R84U/s1600/wat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMju9SLm5q0xHQJ6Jx-rhyb8DjoQdQhj6XSFw1zpROP2jDCGzr-Is4wDd0y8IYYfGgKReflI5vfFstvSFrpMh8bbZnETuJBrUWNuzn3VayAWo6VXLX17r4xKewqutoFwrIinsm8u8R84U/s320/wat.png" width="243" /></a></div>
<br />
<span id="goog_26245717"><br />
</span><br />
<span id="goog_26245717">Thankfully, his apparent lack of discernible technical knowledge made it very easy to find docs:</span><br />
<span id="goog_26245717">alexis toledo </span><br />
<span id="goog_26245717">422 mystic ave</span><span id="goog_26245717"><br />
somerville, MA 02145<br />
US<br />
781-330-1378</span><br />
<br />
<span id="goog_26245717">Another address of someone who is involved with this is:</span><span id="goog_26245717"> </span><br />
<span id="goog_26245717">Edisley Sousa</span><br />
<span id="goog_26245717">6xx American Legion Hwy</span><br />
<span id="goog_26245717">Rosindale, MA 02131 </span><br />
<span id="goog_26245717">US</span><br />
<br />
<span id="goog_26245717"></span><br />
<span id="goog_26245717">There's a bunch of websites and accounts he operates under:</span><br />
<span id="goog_26245717">biosremoval.com</span><br />
<span id="goog_26245717">novatecdirect.com</span><br />
<span id="goog_26245717">revertendotecnologia.com.br</span><br />
<span id="goog_26245717">palmastec@gmail.com</span><br />
<span id="goog_26245717">hi5geeksolutions@gmail.com</span><br />
<span id="goog_26245717">biosremoval@gmail.com</span><br />
<span id="goog_26245717">youtube.com/user/alexisakaedisley</span><br />
<span id="goog_26245717"><br />
</span>I've been collecting his stuff long ago, but never had the time to award him properly until he sent me this reminder:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiutSeEfEKDCEzYP-FOUwT64iUS1dL28wmCrzXZx9q0NIaXfE3sj448LInm01gjxDN-E0NEIZb-QgtyMdR3zXwSmt6PFCz_qkxDJd2DeJnf8demheu9x9T0zxZKpnest70aJykH2JPA_Sw/s1600/wat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiutSeEfEKDCEzYP-FOUwT64iUS1dL28wmCrzXZx9q0NIaXfE3sj448LInm01gjxDN-E0NEIZb-QgtyMdR3zXwSmt6PFCz_qkxDJd2DeJnf8demheu9x9T0zxZKpnest70aJykH2JPA_Sw/s320/wat.png" width="320" /></a></div>
Guess what...<br />
<br />
If you ever have been foolish enough to send this guy money, please contact the <a href="https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Help/general/TopQuestion4-outside">paypal fraud department</a>.<br />
<br />
<b><i>Update 1:</i></b> I just love emails like that.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqM-B887mzMqChV8ZUeHV6F5DGNnmRWUdujZ30iP6mWvjTdEHelialnwStX1EWXE45NNKozPPSg8e-3E6FWegpfoBidlbIvhr2-faUNlmYjjIZ2zf0wCsuAPpbYAOhkXItx-Ct2ISYuSk/s1600/alex.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqM-B887mzMqChV8ZUeHV6F5DGNnmRWUdujZ30iP6mWvjTdEHelialnwStX1EWXE45NNKozPPSg8e-3E6FWegpfoBidlbIvhr2-faUNlmYjjIZ2zf0wCsuAPpbYAOhkXItx-Ct2ISYuSk/s320/alex.png" width="320" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br />
<b><i>Update 2:</i></b> Alexis resorts to empty threats in <span style="font-size: large;">LARGE LETTERING</span>. I won't be able to sleep tonight :(.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXfrfKQAdJTDNDDdznOsZ7WMUo8mAOFifVrDq14l02ZtGeJRw7EqFAiGtKY2gZK5CJcipCx3MFUnjXlcGX91V0d33n3DyLAHToFUs5deqMWHN8VWjxT9QVolyB5BgpyFfDdRHqFuRLEyU/s1600/alex.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXfrfKQAdJTDNDDdznOsZ7WMUo8mAOFifVrDq14l02ZtGeJRw7EqFAiGtKY2gZK5CJcipCx3MFUnjXlcGX91V0d33n3DyLAHToFUs5deqMWHN8VWjxT9QVolyB5BgpyFfDdRHqFuRLEyU/s320/alex.png" width="320" /></a></div>
<br />
<b><i>Update 3: </i></b>Another <a href="http://dogber1.blogspot.com/2011/04/shmuck-of-week-alexis-toledo-novatec.html#comment-521627796" target="_blank">victim</a> has come forward...<br />
<br />
<b>Roll Call - State of Electronics</b> (2011-03-31)<br />
The trailer of <a href="http://www.karlvonmoller.com/blog/">Karl von Moller</a>'s latest documentary gets my mouth watering:<br />
<br />
<iframe frameborder="0" height="225" src="http://player.vimeo.com/video/21424290" width="400"></iframe><br />
<a href="http://vimeo.com/21424290">Roll Call - State of Electronics</a> from <a href="http://vimeo.com/karlvonmoller">karl von moller</a> on <a href="http://vimeo.com/">Vimeo</a>.<br />
<br />
<br />
Hopefully, it'll be out soon.<br />
<br />
<b>Shmuck of the Month: Sony</b> (2011-03-06, updated 2017-12-06)<br />
Two types of companies exist: those which are growing and those which are dying. Sony has clearly belonged to the latter for over a decade now. The high level of engineering that once made their products excel has been replaced by bland mediocrity and delusional control ideas that are manifested in recent Sony products such as Blu-ray, the PS3, etc. In their latest act of desperation, they are suing a couple of guys who have successfully hacked the PS3 to bring Linux back to the console after it had been illegally removed in a firmware update. The flaws they used to obtain access to the multi-million dollar security system can almost solely be attributed to crass design blunders that would have been completely avoidable in the first place.<br />
<br />
Sony has a line of laptops ("Vaio") which compete mainly in the high value market segments. They implemented a master password bypass which is rather sane in comparison to the rest of the bunch:<br />
<ul>
<li>The randomly generated master password is only stored in RAM, i.e. it's lost after the next reboot ("one time password").</li>
<li>RSA is used to encrypt the password; the 64-bit result is then converted to a human-readable form (4x4 characters = 8 bytes = 64 bits).</li>
<li>Their customer support apparently allows for one free password generation per device which is pretty decent by the industry standard.</li>
</ul>
However, they screwed up by choosing a key length that is just 64 bits and hence far too small: an unoptimized Python implementation of the general number field sieve yields the factors of the key in less than a minute. With these, writing the generator script is an easy exercise:<br />
<span style="font-family: "courier new" , "courier" , monospace;">python pwgen-sony.py<br />
Master Password Generator for Sony laptops (16 characters otp)<br />
Copyright (C) 2009-2010 dogbert <dogber1 gmail.com=""><br />
<br />
After entering the wrong password for the third time, you will receive a code from which the password can be calculated,<br />
e.g. 73KR-3FP9-PVKH-K29R<br />
<br />
Please enter the code:<br />
D63K-XFVF-TK7H-RJKX<br />
The password is: 43878945</dogber1></span><span style="font-family: inherit;"><br />
</span><span style="font-family: inherit;"> </span><br />
<span style="font-family: inherit;">I'm not the first one who discovered this: </span><a href="http://hpgl.blog.ru/"><span style="font-family: inherit;">hpgl</span></a><span style="font-family: inherit;"> also reversed this scheme quite a while back. There are even some idiots on eBay who sell these master passwords. </span><br />
<br />
<span style="font-family: inherit;"><i><b>Update:</b></i> released <a href="https://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html" target="_blank">here </a></span><br />
<br />
<b>Shmuck of the Month: Conrado Davila / laptoprebirth.com</b> (2011-02-09, updated 2012-02-23)<br />
Among the many contestants for this award, there are always some who stand out as exceptionally smug. Conrado has successfully gained access to this select class of people. This is an email from the first time he tried to contact me:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie5krf9K6_-7lreHNY4niRosWbcWOozSchHsi-wv0Htdidb7oKfG-PNp3woQOc_gDV2Li6KcZnm8QqQ1URkTfb_1rqrnRS1gXqX1keL9YjFEy2hbRDAL8XWnca2jKJF4ZnhtWv5R0e21w/s1600/tard-email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie5krf9K6_-7lreHNY4niRosWbcWOozSchHsi-wv0Htdidb7oKfG-PNp3woQOc_gDV2Li6KcZnm8QqQ1URkTfb_1rqrnRS1gXqX1keL9YjFEy2hbRDAL8XWnca2jKJF4ZnhtWv5R0e21w/s320/tard-email.png" width="320" /></a></div>
By stating that he is "involved in the world of laptop hacking", he actually means that he defrauds people by selling them <a href="http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html" target="_blank">my stuff</a> for only 40-50 $/password on his website:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT4Ul5cMWbzleQxwoTW7wKlkHGcuhJg2clIXnR1FJC2tKsSnWnEQfd0WeyHzsScqbVWG2eB1hmFGIDPFWADabSN-3RVNx6fgMF7dcza5bZH9_6rW5w6t9KWZiSyHfXW3RtiXxC8e_y_n4/s1600/shitsite.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT4Ul5cMWbzleQxwoTW7wKlkHGcuhJg2clIXnR1FJC2tKsSnWnEQfd0WeyHzsScqbVWG2eB1hmFGIDPFWADabSN-3RVNx6fgMF7dcza5bZH9_6rW5w6t9KWZiSyHfXW3RtiXxC8e_y_n4/s320/shitsite.png" width="320" /></a></div>
<br />
Among the clusterfuck of typographical mistakes and perspective errors in his graphics, he has thankfully put his full name and address in the whois record of the domain:<br />
<blockquote>
laptoprebirth.com #17036<br />
conrado davila (conradodav@hotmail.com)<br />
eugenio sue 1279 colinas de san jeronimo<br />
Monterrey<br />
,41600<br />
ES<br />
Tel. +34.955842323</blockquote>
respectively<br />
<blockquote>
NAME: Conrado Dávila de Gárate<br />
ADRESS: La Luisiana #3 <br />
CITY: ARAHAL (SEVILLA) <br />
COUNTRY: SPAIN <br />
POSTAL CODE: 41600</blockquote>
I'm sure that the local DA has an extensive record on him.<br />
<br />
The icing on the cake, however, is his sale of my GPL'd code to some gullible sucker for big bucks. That guy actually wanted to buy a generator for the Sony one-time-password stuff from him, so Conrado just modified my 5dec script to the effect that it seems to generate the password from the Sony one-time key. Suffice to say that it doesn't work at all since he has no technical expertise whatsoever. The other thing that he conveniently removed is my authorship of the script. Here's his delivery email:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie1wU5LqhsusedKbe9w2h_74ZvVXJ5kExiWromHHWuu4jU8olJ0RHQCD6w3Whj96pVgCosSO_3iCsxWxVPhsVSy8sz60_c9oibqaHFGIpevylrHldmGutpBVZSXeeHebl1vTuJd3Aeky8/s1600/tard-email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie1wU5LqhsusedKbe9w2h_74ZvVXJ5kExiWromHHWuu4jU8olJ0RHQCD6w3Whj96pVgCosSO_3iCsxWxVPhsVSy8sz60_c9oibqaHFGIpevylrHldmGutpBVZSXeeHebl1vTuJd3Aeky8/s320/tard-email.png" width="320" /></a></div>
So this month, the prestigious "Shmuck" award goes to Spain. Congratulations - you earned it!<br />
<br />
<b>Yet Another BIOS Broken by Design: InsydeH20</b> (dogbert, 2011-01-23)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgas8UTmbKbuP3jUPcjxkdWIi6tWFhn18AQzLGWXhOZzGCd8B_fWRw1_t5n1xXAaOLyOMgYEY9imSlPCI1zut44aEYeH2kAPLvzy_NBzpejg73GuZ-rGIDtOVXIRoKw_VxhhaOhUvEvd4A/s1600/insyde.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgas8UTmbKbuP3jUPcjxkdWIi6tWFhn18AQzLGWXhOZzGCd8B_fWRw1_t5n1xXAaOLyOMgYEY9imSlPCI1zut44aEYeH2kAPLvzy_NBzpejg73GuZ-rGIDtOVXIRoKw_VxhhaOhUvEvd4A/s400/insyde.png" width="376" /> </a></div><br />
<br />
Seriously, guys? The master password generator is linked in the <a href="http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html">other post</a>...<br />
<br />
<b>Atmel SecureMemory Key Cracker</b> (dogbert, 2010-12-22)<br />
A couple of years ago, Atmel started selling EEPROM chips dubbed "SecureMemory" (<a href="http://www.atmel.com/dyn/resources/prod_documents/doc1016.pdf">AT88SC153</a>, <a href="http://www.atmel.com/dyn/resources/prod_documents/doc0971.pdf">AT88SC1608</a>). These chips are still in use today on many <a href="http://en.wikipedia.org/wiki/Smart_card">contact smartcards</a> and other devices.<br />
Data sectors on that device can be read-/write-protected by requiring a proprietary challenge-response authentication. In addition, these devices also feature a basic password protection which is reasonably easy to circumvent, as <a href="http://www.flylogic.net/blog/?p=25" target="_blank">flylogic has demonstrated</a>. The challenge-response authentication algorithm is vulnerable to an unroll/meet-in-the-middle attack, to the effect that the secret key can be guessed from only a few eavesdropped authentication sessions - researchers from Radboud University Nijmegen published a <a href="http://eprint.iacr.org/2010/169.pdf">paper</a> on this a couple of months ago.<br />
I've <a href="https://sites.google.com/site/dogber1/blag/crack-securememory.tar.gz">implemented their attack</a> and recovered the keys of several such devices successfully. However, an even more primitive, yet effective vulnerability is a man-in-the-middle attack: an attacker can easily take control of the bus after the authentication / password verification has taken place and inject data at will. It's not hard to come up with <a href="http://www.citi.umich.edu/projects/smartcard/leon.html">some piece of hardware</a> that does just that. This is also a successful attack against the successor family, the <a href="http://www.atmel.com/products/SecureMem/default.asp?family_id=646">AT88SC...C</a> devices, which implement a slightly better authentication scheme.<br />
<br />
<b>Facepalm.jpg</b> (dogbert, 2010-12-21)<br />
I've been poking around in the BIOS of a Fujitsu Lifebook A530 (<a href="http://www.fujitsu.com/downloads/COMP/fpcap/drivers/BIOS/AH530_A530/v1.16/AH530_Intel_v116.exe">source</a>).<br />
What is wrong with this function:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyU2iXH4C9YKuXqfwpCSU2Qg1IT97g1h9wXVAyfe8xZj2ZnjSd2riXM8qxxRUkmLH-sWeDhvorv3vP6QeITnxSjdJT70GBRX1ZwgUS6GKR_AvjajUHybTws2NoapsGNu4_dsxXTUYVvS0/s1600/a530.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyU2iXH4C9YKuXqfwpCSU2Qg1IT97g1h9wXVAyfe8xZj2ZnjSd2riXM8qxxRUkmLH-sWeDhvorv3vP6QeITnxSjdJT70GBRX1ZwgUS6GKR_AvjajUHybTws2NoapsGNu4_dsxXTUYVvS0/s400/a530.png" width="400" /></a></div>
<br />
<b>Shmuck of the Week: 3_2_1_4you / bluechip82</b> (dogbert, 2010-10-20)<br />
Here's another gem from eBay that a reader has sent me:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFzdeLhI0pbE_SOPy8X12ML9_3L6hp0ItHdOLrCHm6Fu-TD_lkvPAR3Is7RWqb5SdCvnDOpvo3OCZXSHAWAIKHBxuADAI7GjgV4F4rGG1wpByr3JTCBqzwjDC-WVrcmDCTsFoakTIB7cg/s1600/C:%5Cfakepath%5Cebay-loser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFzdeLhI0pbE_SOPy8X12ML9_3L6hp0ItHdOLrCHm6Fu-TD_lkvPAR3Is7RWqb5SdCvnDOpvo3OCZXSHAWAIKHBxuADAI7GjgV4F4rGG1wpByr3JTCBqzwjDC-WVrcmDCTsFoakTIB7cg/s320/C:%5Cfakepath%5Cebay-loser.png" width="320" /></a></div><br />
3_2_1_4you's apparent lack of technological knowledge ("dos box tools" etc.) is just the icing on the cake. The epitome of his chutzpah, however, is the price at which he's trying to sell my stuff: $85 - just wow. That easily earns him the glorious "Shmuck of the Week" award.<br />
<br />
<em>Update:</em> Apparently, he's now going with the username "<a href="http://shop.ebay.com/bluechip82/m.html">bluechip82</a>".<br />
<br />
<b>Another One Bites the Dust: HP/Compaq Mini Netbooks</b> (dogbert, 2010-09-11)<br />
That was surprisingly easy:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpeZVcT5eN95qHSIzLwYEc2zrJ-CJCnDoyuYFdO7o2qxMr-VPEldvHJoYJEKpcgqQi9-8jChYaUdKUxFNpicdwiIjGsEJ63ner984rkcdBzhaAp0swaF4ap47W4AlESuAWgoIYa70R7F4/s1600/C:%5Cfakepath%5Chpmini.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpeZVcT5eN95qHSIzLwYEc2zrJ-CJCnDoyuYFdO7o2qxMr-VPEldvHJoYJEKpcgqQi9-8jChYaUdKUxFNpicdwiIjGsEJ63ner984rkcdBzhaAp0swaF4ap47W4AlESuAWgoIYa70R7F4/s400/C:%5Cfakepath%5Chpmini.png" width="400" /></a></div><br />
<br />
As always, the <a href="https://sites.google.com/site/dogber1/blog/pwgen-hpmini.py">script</a> (<a href="https://sites.google.com/site/dogber1/blog/pwgen-hpmini.zip">Windows binary</a>) is released under the binding terms of the GPL - let's sit back and watch the decline of <a href="http://shop.ebay.com/i.html?_nkw=HP+mini+password&_armrs=1&_from=&_ipg=">eBay prices</a> and the sudden appearance of my code in the tools of the <a href="http://dogber1.blogspot.com/search/label/shmuck">GSM idiots</a>.<br />
<br />
<b><i>Update</i></b>: I got a couple of emails from folks for whom the generated passwords didn't seem to work. It turned out that they confused the letter "<span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">l</span>" for the digit "<span class="Apple-style-span" style="font-family: 'Helvetica Neue', Arial, Helvetica, sans-serif;">1</span>" and vice versa. If you find that it doesn't work for you, copy and paste the generated password from the script into an editor which has a legible typeface.<br />
<br />
<b>Shmuck of the Week: Jason Smith / mastermindit.biz</b> (dogbert, 2010-09-08)<br />
Here's a screenshot of Jason's awful site:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgD6ywu8uJ9y2imn963VQy-6hx5HNmRJlsrWiy7xgKUCbdfy_0K-WdZwGnzK5PVW6SEwUXq4HgXnv_gW9j-e_GFZj9P-rXf65LqIrkzLxwVTQI_c-PbA64nysv_DFcAbEqAUitmS41FkQ/s1600/C:%5Cfakepath%5Cshithead.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgD6ywu8uJ9y2imn963VQy-6hx5HNmRJlsrWiy7xgKUCbdfy_0K-WdZwGnzK5PVW6SEwUXq4HgXnv_gW9j-e_GFZj9P-rXf65LqIrkzLxwVTQI_c-PbA64nysv_DFcAbEqAUitmS41FkQ/s320/C:%5Cfakepath%5Cshithead.png" width="231" /></a></div>
Designed like it's hosted on Geocities in 1995 - check. Shitty ads - check. Asking for donations without mentioning my site for the extremely hard task of running <a href="http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html">my stuff</a> - check. So the Shmuck award goes to you, Jason - congratulations, you earned it!<br />
<br />
<b>Shmuck of the Week: jebishere</b> (dogbert, 2010-07-10)<br />
Among the <a href="http://www.google.com/search?q=1234-4321-1234-4321-1234">many</a>, <a href="http://www.google.com/search?q=AAAA-BBBB-CCCC-DEAD-BEEF">many</a>, <a href="http://www.google.com/search?q=07088120410C0000">many</a> douchebags who just want to make a quick buck from the work of others, a reader of my blog found this gem on eBay:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjcWux0SO2y5yoV_Eued6RFpJHvEXm9oXOiP2yDiPROBnn89gDJz84n8aNl9RmhX27BrMvqfBeif4twAqJkkDCA_tlOxwlZqmZcPvxoRw5C9BGh15Fk4QER1rbkfYZe7J37AmKG-xa25Q/s1600/C:%5Cfakepath%5Cschmuck.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="309" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjcWux0SO2y5yoV_Eued6RFpJHvEXm9oXOiP2yDiPROBnn89gDJz84n8aNl9RmhX27BrMvqfBeif4twAqJkkDCA_tlOxwlZqmZcPvxoRw5C9BGh15Fk4QER1rbkfYZe7J37AmKG-xa25Q/s320/C:%5Cfakepath%5Cschmuck.png" width="320" /></a></div>This is outstandingly presumptuous, and so the 'Shmuck' award goes to <a href="http://myworld.ebay.com/jebishere">jebishere</a> - congratulations!<br />
<br />
<b>How to protect better: Secure BIOS Passwords for Laptops</b> (dogbert, 2010-07-04)<br />
Since I get a lot of visitors from within the networks of computer vendors (hi guys!), I might as well just give you some hints on how to implement a laptop password in a more secure way. I understand that a lot of your customers forget their passwords and that it's just too expensive for you and your customers to swap the mainboards each time this happens. Also, you are prone to use the lame password implementations of the BIOS vendors. Don't - do your own stuff. Here are a few pieces of advice, free of charge, on how to do better:<br />
<ul>
<li>Use better hashing functions for the passwords. CRC16, CRC32, etc. are a bad choice - they are <a href="http://en.wikipedia.org/wiki/Inverse_function">invertible</a>, and even if they weren't, a modern machine can find an input with the same hash value within seconds because the keyspace is only 2^32 in size. Various implementations of better algorithms such as MD6 and SHA2 are readily available.</li>
<li>Use the machine's serial number in conjunction with the MAC address of the network card to salt the password before hashing it. If the password isn't set, just use both of these to check a hash stored in your 'NVRAM' anyway. This makes it a bit harder to just clone an EEPROM, FlashROM, or any other chip.</li>
<li>Try to calculate some portions of the algorithm not on the main CPU, but on the keyboard controller - this puts a physical obstacle in the way of reversing the code. Also, provide a secure path for updating the code if the need arises - you don't want to have unencrypted code in your update binaries that can be easily disassembled and reverse-engineered.</li>
<li>If the password can't be verified, generate a random number from the RTC the third time an invalid password has been entered. Salt it heavily with serial numbers (laptop, MAC, CPU, etc.). Then hash it to generate a one-time password (OTP). Use public-key cryptography on the OTP, e.g. <a href="http://en.wikipedia.org/wiki/Elliptic_curve_cryptography">elliptic curves</a>. <i>DO NOT STORE THE PRIVATE KEY IN THE BIOS</i>. Output the result to the screen, making sure that it is properly encoded ('O' vs '0', checksums). Do not save the one-time password anywhere. In fact, wipe it from memory just after it has been encrypted. Make sure that it's really zeroed out everywhere (CPU cache).</li>
<li>When a customer calls the support and asks for a password reset, verify that he is indeed the owner of the laptop. Let him read the encrypted and encoded OTP to you, then calculate the OTP by decoding and decrypting it using your private key.</li>
<li>Do not hand out service tools to your service team which contain the private key. Instead, run a central password service on a server which is secured and can only be accessed with proper authentication. Actively monitor each and every access.</li>
<li>Do not charge customers for resetting a password. That's just lame.</li>
</ul>
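The first two points worked through as an added example (my code, not a vendor's and not the author's): the stored record is an iterated SHA-256 (PBKDF2-HMAC-SHA256, a stand-in for the SHA2/MD6 the post asks for) over the password, tied to the machine by hashing the serial number and MAC address into the salt, and the record is verified even when no password is set, so that an NVRAM chip cloned from another machine is rejected at boot. The serial numbers, MAC addresses, sentinel and iteration count are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000        # iterated SHA-256: every guess costs real CPU time
NO_PASSWORD = b"\x00unset"  # constructed sentinel hashed when no password is set
RECORD_LEN = 16 + 32        # nonce || PBKDF2-HMAC-SHA256 digest, kept in 'NVRAM'

def device_salt(serial, mac):
    # Serial number and MAC address tie the record to this machine (bullet 2).
    return hashlib.sha256(b"serial:" + serial + b"|mac:" + mac).digest()

def derive(serial, mac, nonce, password):
    secret = password if password else NO_PASSWORD
    return hashlib.pbkdf2_hmac("sha256", secret, device_salt(serial, mac) + nonce, ITERATIONS)

def make_record(serial, mac, password, nonce=None):
    """Written at setup time; a per-record nonce keeps identical passwords apart."""
    nonce = os.urandom(16) if nonce is None else nonce
    return nonce + derive(serial, mac, nonce, password)

def verify(record, serial, mac, entered):
    """Firmware side: constant-time compare, no hint about which part mismatched."""
    if len(record) != RECORD_LEN:
        return False
    nonce, stored = record[:16], record[16:]
    return hmac.compare_digest(derive(serial, mac, nonce, entered), stored)

def boot_check(record, serial, mac):
    """Run before any prompt: a record that verifies against 'no password' means
    both that no password is set and that the record was made for this machine."""
    return verify(record, serial, mac, b"")

if __name__ == "__main__":
    serial_a, mac_a = b"YB1234567", bytes.fromhex("001122334455")   # constructed
    serial_b, mac_b = b"YB7654321", bytes.fromhex("66778899aabb")   # constructed
    rec = make_record(serial_a, mac_a, b"hunter2")
    print("right password, own machine:", verify(rec, serial_a, mac_a, b"hunter2"))  # True
    print("wrong password:             ", verify(rec, serial_a, mac_a, b"hunter3"))  # False
    print("same record on a clone:     ", verify(rec, serial_b, mac_b, b"hunter2"))  # False
    open_rec = make_record(serial_a, mac_a, b"")
    print("no password, own machine:   ", boot_check(open_rec, serial_a, mac_a))     # True
    print("no password, cloned chip:   ", boot_check(open_rec, serial_b, mac_b))     # False
```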
So... I'm eager to see something more advanced than your current lame attempts at password protection.<br />
<br />
<b>How to protect better: The Apple iPhone</b> (dogbert, 2010-06-26)<br />
Apple's iPhone is a prime example of a well-engineered netlock protection. To this day, it has remained uncracked in principle: all current and past unlock solutions just patch the firmware running on the baseband modem so that the netlock checks are overridden. These solutions basically inject code into the firmware 'on the fly' by exploiting buffer/heap overflows. A small piece of homebrew code runs on the application processor just to do that - a jailbreak is therefore a prerequisite for an unlock. These firmware patches can't be permanently applied to the firmware of 3G and later devices because it is signature-checked by the baseband bootloader before it is executed. Whenever Apple decides to update the baseband firmware, they fix the injection holes. Firmware downgrades are blocked, so a way to permanently unlock the baseband has yet to be found for models other than the first iPhone 2G. In a nutshell, the protection works like this:<br />
<ul>
<li>Two identification numbers unique to each device are generated from the NOR flash and baseband CPU serials: the <span style="font-family: "Courier New", "Courier", monospace;">norID</span> and the <span style="font-family: "Courier New", "Courier", monospace;">chipID</span>, 8 and 12 bytes in size, respectively.</li>
<li>The device-specific <span style="font-family: "Courier New", "Courier", monospace;">deviceKey</span> is generated from truncating a <a href="http://en.wikipedia.org/wiki/Sha1">SHA1 hash</a> of the concatenated and padded <span style="font-family: "Courier New", "Courier", monospace;">norID</span> and <span style="font-family: "Courier New", "Courier", monospace;">chipID</span>. </li>
<li>A supposedly random NCK ('network control key') is SHA1-hashed. With the hashed NCK and the <span style="font-family: "Courier New", "Courier", monospace;">norID</span> and <span style="font-family: "Courier New", "Courier", monospace;">chipID</span>, the second key <span style="font-family: "Courier New", "Courier", monospace;">nckKey</span> is generated. The hashing algorithm uses <a href="http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm">Tiny Encryption Algorithm (TEA)</a>. The <span class="Apple-style-span" style="font-family: "Courier New", "Courier", monospace;">nckKey</span> is also device-specific since both the <span style="font-family: "Courier New", "Courier", monospace;">norID</span> and <span style="font-family: "Courier New", "Courier", monospace;">chipID</span> are used.</li>
<li>A device-specific RSA signature is generated: two SHA1 hashes are generated from the <span style="font-family: "Courier New", "Courier", monospace;">norID</span> and <span style="font-family: "Courier New", "Courier", monospace;">chipID</span>. The status that the lock has after the correct NCK has been entered is also embedded into this message. The PKCS #1 v1.5 format is used to pad the hashes and the status from (2*160+32) bits to 2048 bits (256 bytes).</li>
<li>The asymmetric <a href="http://en.wikipedia.org/wiki/RSA">RSA algorithm</a> is used for the encryption of the unlock signature. Keep in mind that the algorithm uses two different keys: a private key for encryption (signing) and a public key for decryption (verification). With the private RSA key, the signature is encrypted and stored in protected memory.</li>
<li>This signature is encrypted with TEA once again using the device-specific <span style="font-family: "Courier New", "Courier", monospace;">deviceKey</span> in CBC mode.</li>
</ul>
In pseudo code, it looks like this:<br />
<blockquote>
<span style="font-family: "Courier New", "Courier", monospace;">deviceKey = SHA1_hash(norID+chipID)<br />
nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)<br />
rawSignature = generateSignature(SHA1_hash(norID+chipID), SHA1_hash(chipID))<br />
Signature = RSA_encrypt(rawSignature, privateRSAkey)<br />
encryptedSignature = TEA_encrypt_cbc(Signature, nckKey)</span></blockquote>
The <span style="font-family: "Courier New", "Courier", monospace;">encryptedSignature</span> is then saved to a protected memory area - the device has been locked. This happens when Apple issues the <span class="Apple-style-span" style="font-family: "Courier New", "Courier", monospace;">AT+CLCK="PN",1,"<i>NCK</i>"</span> command presumably directly after manufacturing the phone.<br />
<br />
When testing a network control key, the baseband firmware reads the <span style="font-family: "Courier New", "Courier", monospace;">encryptedSignature</span>, calculates the <span style="font-family: "Courier New", "Courier", monospace;">deviceKey</span> and the <span style="font-family: "Courier New", "Courier", monospace;">nckKey</span> from the entered NCK, decrypts the <span style="font-family: "Courier New", "Courier", monospace;">encryptedSignature</span> with the <span style="font-family: "Courier New", "Courier", monospace;">nckKey</span> using TEA, decrypts it once more with the public RSA key and verifies the signature against the SHA1 hashes of the <span style="font-family: "Courier New", "Courier", monospace;">chipID</span> / <span style="font-family: "Courier New", "Courier", monospace;">norID</span>. Here's the pseudo code:<br />
<blockquote>
<span style="font-family: "Courier New", "Courier", monospace;">deviceKey = SHA1_hash(norID+chipID)<br />
nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)<br />
encryptedSignature = readEncryptedSignature()<br />
Signature = TEA_decrypt_cbc(encryptedSignature, nckKey)<br />
rawSignature = RSA_decrypt(Signature, publicRSAKey)<br />
if ( (rawSignature has correct format) and (rawSignature contains both SHA1_hash(norID+chipID), SHA1_hash(chipID)) and (Lock status byte in rawSignature is OK) )<br />
.. accept every SIM card<br />
else<br />
.. block non-authorized SIMs</span></blockquote>
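The lock and verify flow above, worked through end to end as an added example (my own model, not Apple's code and not the author's baseband-crypt.py): TEA-CBC around a PKCS #1 v1.5-padded RSA signature that carries SHA1(norID+chipID), SHA1(chipID) and the lock status, verified on the device with nothing but the public key. Assumptions, all constructed: the RSA pair built from two Mersenne primes (trivially factorable, chosen only so that no library is needed; it stands in for the real 2048-bit key), a zero IV, truncated SHA-1 standing in for the unspecified TEA-based custom_hash, and the device IDs and NCK.

```python
import hashlib
import hmac
import struct

# ---- TEA: 64-bit block, 128-bit key, 32 rounds (constants from the TEA paper)
MASK, DELTA, ROUNDS = 0xFFFFFFFF, 0x9E3779B9, 32

def tea_encrypt_block(v0, v1, k):
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def tea_decrypt_block(v0, v1, k):
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def tea_cbc(data, key, encrypt, iv=bytes(8)):
    """TEA in CBC mode over whole 8-byte blocks. The zero IV is an assumption."""
    k = struct.unpack(">4I", key)
    out, prev = bytearray(), iv
    for i in range(0, len(data), 8):
        blk = data[i:i + 8]
        if encrypt:
            x = bytes(a ^ b for a, b in zip(blk, prev))
            prev = struct.pack(">2I", *tea_encrypt_block(*struct.unpack(">2I", x), k))
            out += prev
        else:
            p = struct.pack(">2I", *tea_decrypt_block(*struct.unpack(">2I", blk), k))
            out += bytes(a ^ b for a, b in zip(p, prev))
            prev = blk
    return bytes(out)

# ---- Toy RSA pair from Mersenne primes: trivially factorable, used only so the
# example runs on the standard library. The real scheme uses a 2048-bit key.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: never leaves Apple
SIG_LEN = 144                        # bytes for an integer < N (1128 bits), multiple of 8
MSG_LEN = 128                        # padded message: 00 01 FF..FF 00 | SHA1 | SHA1 | status
UNLOCKED = b"\x00\x00\x00\x01"       # constructed 32-bit lock-status word

def device_key(nor_id, chip_id):
    return hashlib.sha1(nor_id + chip_id).digest()[:16]

def nck_key(nor_id, chip_id, nck):
    # The post only says custom_hash() is TEA based; truncated SHA-1 stands in.
    return hashlib.sha1(device_key(nor_id, chip_id) + hashlib.sha1(nck).digest()
                        + nor_id + chip_id).digest()[:16]

def padded_message(nor_id, chip_id):
    """PKCS #1 v1.5 style: 00 01 FF..FF 00 || SHA1(norID+chipID) || SHA1(chipID) || status."""
    body = hashlib.sha1(nor_id + chip_id).digest() + hashlib.sha1(chip_id).digest() + UNLOCKED
    return b"\x00\x01" + b"\xff" * (MSG_LEN - 3 - len(body)) + b"\x00" + body

def lock_device(nor_id, chip_id, nck):
    """Apple's side (AT+CLCK="PN",1,"NCK"): needs the private exponent D."""
    raw_signature = int.from_bytes(padded_message(nor_id, chip_id), "big")
    signature = pow(raw_signature, D, N).to_bytes(SIG_LEN, "big")
    return tea_cbc(signature, nck_key(nor_id, chip_id, nck), encrypt=True)

def check_nck(nor_id, chip_id, nck, encrypted_signature):
    """Baseband side: only the public key, norID and chipID are on the device."""
    signature = tea_cbc(encrypted_signature, nck_key(nor_id, chip_id, nck), encrypt=False)
    raw = pow(int.from_bytes(signature, "big"), E, N)
    if raw.bit_length() > MSG_LEN * 8:   # a wrong NCK decrypts to garbage, usually > 2^1024
        return False
    # Format, both hashes and the status word are all checked by one constant-time
    # compare against what this device would put into a freshly padded message.
    return hmac.compare_digest(raw.to_bytes(MSG_LEN, "big"), padded_message(nor_id, chip_id))

if __name__ == "__main__":
    # Constructed identifiers: 8-byte norID, 12-byte chipID, 15-digit NCK.
    nor_a, chip_a = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff00112233")
    nor_b, chip_b = bytes.fromhex("7766554433221100"), bytes.fromhex("332211ffeeddccbbaa998877")
    nck = b"123456789012345"
    blob_a = lock_device(nor_a, chip_a, nck)
    print("device A, correct NCK:  ", check_nck(nor_a, chip_a, nck, blob_a))               # True
    print("device A, wrong NCK:    ", check_nck(nor_a, chip_a, b"000000000000000", blob_a))  # False
    # Lesson 2 of the post: A's signature moved to device B fails even when it is
    # re-wrapped under B's nckKey, because the SHA1(norID+chipID) inside it is A's.
    rewrapped = tea_cbc(tea_cbc(blob_a, nck_key(nor_a, chip_a, nck), False),
                        nck_key(nor_b, chip_b, nck), True)
    print("device B, A's signature:", check_nck(nor_b, chip_b, nck, rewrapped))            # False
```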
<br />
A correct <span style="font-family: "Courier New", "Courier", monospace;">NCK</span> key can be stored on the application-processor side of the device. When a certain flag is set, the application firmware (iOS) feeds the NCK into the baseband modem during boot-up. If the decrypted <span style="font-family: "Courier New", "Courier", monospace;">rawSignature</span> passes the check, the baseband unlocks. <strike>This is what happens in factory-unlocked devices and iPhones which have been officially unlocked. It remains unknown whether some iPhones can never be unlocked by design even with the knowledge of the correct NCK: in the US, AT&T does not give out NCKs for any iPhone, even for those devices on which the contract has run out. This practice suggests that AT&T iPhones have a permanent barrier</strike>.<br />
<br />
On top of this, a <a href="http://theiphonewiki.com/wiki/index.php?title=WildcardTicket">WildcardTicket</a> mechanism has been implemented on 3G and later devices. However, it is quite noteworthy that the WildcardTicket mechanism is overridden if the NCK can be verified (3G/3GS).<br />
<br />
Various lessons can be learned from this:<br />
<ol>
<li>The <span style="font-family: "Courier New", "Courier", monospace;">NCK</span> is only stored indirectly on the device in a <span style="font-family: inherit;">protected</span> area.</li>
<li>The <span style="font-family: "Courier New", "Courier", monospace;">signature</span> which contains the information about the <span style="font-family: "Courier New", "Courier", monospace;">NCK</span> is directly linked to the device. Hence, replicating a <span style="font-family: "Courier New", "Courier", monospace;">signature</span> from another device will not work.</li>
<li>The <span style="font-family: "Courier New", "Courier", monospace;">NCK</span> is a 15-digit number which is presumably not dependent on the IMEI or any other serial number, but completely random.</li>
<li>Brute force attacks are foiled because a few expensive operations are necessary just to verify the code and the key space is large, i.e. the number of possible key combinations is big.</li>
<li>A valid <span style="font-family: "Courier New", "Courier", monospace;">signature</span> is implicitly required for an unlocked device. Factory-unlocked devices are shipped with such a <span style="font-family: "Courier New", "Courier", monospace;">signature</span>, and during the official unlock process, this <span style="font-family: "Courier New", "Courier", monospace;">signature</span> is generated.</li>
<li>A fake <span style="font-family: "Courier New", "Courier", monospace;">signature</span> for a device with known <span style="font-family: "Courier New", "Courier", monospace;">norID</span>, <span style="font-family: "Courier New", "Courier", monospace;">chipID</span> and <span style="font-family: "Courier New", "Courier", monospace;">NCK</span> cannot be generated because the private RSA key is unknown.</li>
<li>Consistent code signing makes permanent firmware patches impossible.</li>
<li>Interestingly, the signature check itself is executed in the bootloader which isn't touched during a firmware upgrade.</li>
</ol>
As a result, the protection withstands most attacks commonly used for unlocking.<br />
<br />
<b>EDIT</b>: <a href="http://sites.google.com/site/dogber1/blag/baseband-crypt.py">Here</a> is the re-implementation in python.<br />
<br />
<b>Shmuck of the Week: mrkhangba</b> (dogbert, 2010-06-01)<br />
Among the <a href="http://shop.ebay.com/?_from=R40&_trksid=m570&_nkw=Fujitsu+password">many</a>, <a href="http://shop.ebay.com/i.html?_nkw=HP+password&_sacat=0&_dmpt=Motherboards&_odkw=Fujitsu+password&_osacat=0&_trksid=p3286.c0.m270.l1313">many</a>, <a href="http://shop.ebay.com/i.html?_nkw=595B&_sacat=0&_dmpt=Motherboards&_odkw=HP+password&_osacat=0&_trksid=p3286.c0.m270.l1313">many</a> auctions put up by people who are trying to make a buck from the stuff on my blog, I found this gem:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMnLpM_DznAGT0Q304FeW90K2glAOywsfDmxtjo2ubV4IuZvUBtlpd6wkEOp2nLZJ-7eTPhx-pM8tayU5MvgLeq4Y5Ta7m_9P0eQ-s8LJwLI5DvN0PNBXQmx-7yX0UZ17RnI7eF-DJHgU/s1600/asswipe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMnLpM_DznAGT0Q304FeW90K2glAOywsfDmxtjo2ubV4IuZvUBtlpd6wkEOp2nLZJ-7eTPhx-pM8tayU5MvgLeq4Y5Ta7m_9P0eQ-s8LJwLI5DvN0PNBXQmx-7yX0UZ17RnI7eF-DJHgU/s320/asswipe.png" width="320" /></a></div><b><a href="http://myworld.ebay.com/mrkhangba/" title="Member id mrkhangba">mrkhangba</a></b> has hence won the prestigious 'Shmuck' award - congratulations!<br />
<br />
<b>Dell 2A7B Keygen</b> (dogbert, 2010-05-02)<br />
A slight modification, and the keygen now generates valid passwords for Dell 2A7B serials as well as for the -595B serials.<br />
<br />
<a href="http://flashmirrors.com/files/0syogdbug5nsgih/dell_595b_2a7b_keygen.zip" target="_blank">Source Code & Binaries</a><br />
<br />
Quick How-To:<br />
<ol>
<li>Download the <a href="http://flashmirrors.com/files/0syogdbug5nsgih/dell_595b_2a7b_keygen.zip" target="_blank">archive of the keygen</a> from the link above. It contains two files: a C file (source code) and an executable. If you are on Windows, just unpack and double-click the executable. If you are on Mac/Linux/BSD, compile the C file:<br />
<span style="font-family: "Courier New", "Courier", monospace;">gcc -o dell dell.c</span> </li>
<li>You are asked to enter the serial number of your device. Use ONLY CAPITALS for the serial number.</li>
<li>Press Enter and you'll get the password. Keep in mind that the passwords are encoded for a QWERTY-type keyboard layout (US-EN). Also, some models require you to press Ctrl+Enter after entering the password.</li>
</ol>
<br />
<div>
<b><i>Update:</i></b> <a href="http://bios-pw.org/" target="_blank">Here</a> is an online version.</div>
<b>Shmuck of the Week: reda</b> (dogbert, 2010-04-30)<br />
<blockquote>From: reda (mmaimouni@hotmail.com)<br />
To: dogber1@gmail.com<br />
Subject: pleez help<br />
Date: 04/29/2010 01:59:28 PM<br />
<br />
hi ,iam interested in what u do, it is very helpful for us, this is why i ask u , i need a dell password generator for all the latest editions 2a7b and a95b, and if possible the hp 10 digits pass.pleaase help me.ur my only chance.thanks</blockquote>Translation:<br />
<blockquote>I shamelessly use the results of your free work to generate parts of my income. I ask you to perform work for which I am both too stupid and lazy. I am not willing to pay you a dime, but I am actually planning on using it for my personal financial gain.</blockquote>Mhhh... no.