Más Siguiente blog» laziali@gmail.

com Escritorio Salir

Dogbert's Blog

Saturday, May 2, 2009 Recent Comments

BIOS Password Backdoors in Laptops

Synopsis: The mechanics of BIOS password locks present in current generation laptops are
Skweez
briefly outlined. Trivial mechanisms have been put in place by most vendors to bypass such
passwords, rendering the protection void. A set of master password generators and hands-on Worked great, thank you
instructions are given to disable BIOS passwords. very much!!

http://dogber1.blogspot.co
When a laptop is locked with password, a checksum of that password is stored to a so-called m/2010/05/dell-2a7b-
keygen.html · 3 days ago
FlashROM - this is a chip on the mainboard of the device which also contains the BIOS code
and other settings, e.g. memory timings.

For most brands, this checksum is displayed after entering an invalid password for the third
time:
Dogbert

no: I've just decided not to

feed the rats anymore

Dogbert's Blog: BIOS

Password Backdoors in
Laptops · 4 days ago

The dramatic 'System Disabled' message is just scare tactics: when you remove all power from
the laptop and reboot it, it will work just as before. From such a checksum (also called "hash"),
valid passwords can be found by means of brute-forcing.
Norbert
Kawka
The bypass mechanisms of other vendors work by showing a number to the user from which a
master password can be derived. This password is usually a sequence of numbers generated What happened? Why u
wont release this? someone
randomly. threaten you?

Some vendors resort to storing the password in plain text onto the FlashROM, and instead of Dogbert's Blog: BIOS
Password Backdoors in
printing out just a checksum, an encrypted version of the password is shown. Laptops · 4 days ago

Other vendors just derive the master password from the serial number. Either way, my scripts
can be used to get valid passwords.

A few vendors have implemented obfuscation measures to hide the hash from the end user - for Dogbert
instance, some FSI laptops require you to enter three special passwords for the hash to show up
I don't know. I am not
(e.g. "3hqgo3 jqw534 0qww294e", "enable master password" shifted one up/left on the selling on ebay nor do I
keyboard). Some HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed endorse people/companies
prior to entering an invalid password for the last time. who do.

Dogbert's Blog: BIOS

Depending on the "format" of the number code/hash (e.g. whether only numbers or both Password Backdoors in
Laptops · 5 days ago
numbers and letters are used, whether it contains dashes, etc.), you need to choose the right
script - it is mostly just a matter of trying all of them and finding the one that fits your laptop. It
does not matter on what machine the script are executed, i.e. there is no reason to run them on
the locked laptop.
This is an overview of the algorithms that I looked at so far:

Example of Hash ilse vervoort

Vendor Hash Encoding Scripts
Code/Serial hello, what about the
adverts on ebay - I suppose
pwgen-5dec.py
Compaq 5 decimal digits 12345 they have the calculator?
Windows binary
Dogbert's Blog: BIOS
1234567­595B Password Backdoors in
Dell serial number 1234567­D35B Windows Laptops · 5 days ago
1234567­2A7B binary&source
pwgen-5dec.py Donate
Fujitsu-Siemens 5 decimal digits 12345
Windows binary
8 hexadecimal pwgen-fsi-hex.py
Fujitsu-Siemens DEADBEEF
digits Windows binary
5x4
AAAA­BBBB­CCCC­ pwgen-fsi-hex.py
Fujitsu-Siemens hexadecimal
DEAD­BEEF Windows binary
digits
pwgen-fsi- Blogroll
5x4 decimal 1234­4321­1234­4321­
Fujitsu-Siemens 5x4dec.py
digits 1234 Abort, Retry, Hack?
Windows binary Projects
2 months ago
pwgen-5dec.py
Hewlett-Packard 5 decimal digits 12345 Amendae
Windows binary
bunnie's blog
Hewlett-Packard/Compaq pwgen-hpmini.py
10 characters CNU1234ABC Name that Ware, July 2015
Netbooks Windows binary 4 weeks ago

pwgen-insyde.py debugmode
Insyde H20 (generic) 8 decimal digits 03133610 What’s Inside: Tektronix
Windows binary
DPO5034
pwgen-5dec.py 2 years ago
Phoenix (generic) 5 decimal digits 12345
Windows binary Flylogic's Analytical Blog
Change of guard at Infineon
pwgen-sony- 1 year ago
7 digit serial
Sony 1234567 serial.py
number The Squirrel's Nest
Windows binary
pwgen- Blog Archive
12 hexadecimal
Samsung 07088120410C0000 samsung.py
digits ► 2015 (1)
Windows binary
► 2014 (1)
► 2012 (1)
The .NET runtime libraries are required for running the Windows binary files (extension .exe). ► 2011 (9)
If the binary files (.exe) don't work out for you, install Python 2.6 (not 3.x) and run the .py
► 2010 (20)
script directly by double-clicking them. Make sure that you correctly read each letter (e.g.
number '1' vs letter 'l'). ▼ 2009 (10)
► December (1)
ȼɹɱɟɫɥɚɜ Ȼɚɱɟɪɢɤɨɜ has also converted my scripts to javascript so you can calculate the ► November (1)
passwords with your browser: http://bios-pw.org/ (sources).
► October (1)
► July (1)
Please leave a comment below on what make/model the scripts work. Also, be aware that some
vendors use different schemes for master passwords that require hardware to be reset - among ► June (2)
them are e.g. IBM/Lenovo. If you find that your laptop does not display a hash or the scripts do ▼ May (1)
not work for you for whatever reason, try to: BIOS Password
Backdoors in Laptops
use a USB keyboard for entering the password for avoiding potential defects of the
 built-in keyboard, ► April (3)
run CmosPwd to remove the password if you can still boot the machine,
overwrite the BIOS using the emergency recovery procedures. Usually, the About Me
emergency flash code is activated by pressing a certain key combination while
dogbert
powering on the machine. You also need a specially prepared USB memory stick
View my complete
containing the BIOS binary. The details are very much dependent on your
profile
particular model. Also, be aware that this can potentially brick your device and
should only be done as a last measure.
Some dell service tags are missing the suffix - just try the passwords for all suffices
by adding -595B, -2A7B and -D35B to your service tags.
The passwords for some HP laptops are breakable with this script.
Unlocking methods for some Toshiba laptops are described here.
Some older laptop models have service manuals that specify a location of a jumper
/ solder bridge that can be set for removing the password.

If none of the generators/methods above works, please use the vendor support. Please
understand that my motivation for reverse-engineering comes purely from a personal interest. I
will not accept offers to look at the specifics of certain models.

Posted by dogbert at 8:33 AM 2760 Comments

Labels: 2a7b, 595b, acer, advent, backdoor, bios, bypass, circumvent, compaq, dell, fjs, fsi, fujitsu siemens, hp, key
generator, keygen, override, password, recovery, samsung

2760 Comments Dogbert's Blog  Jose Romero

 Recommend 194 ⤤ Share Sort by Newest

Join the discussion…

Zach • 5 days ago

Thank you! Thank you! Thank you!!!!!
I had been looking for a FREE solution to unlocking my laptop for 2 months now.
I tried your pwgen­insyde program with an unlock key and bam! Able to access my bios
again :))))))
For some reason, after I updated my bios from acer a few months ago, that pesky enter
password kept coming up when trying to access bios. SO AGAIN THANK YOU SOOO
SOOOOOOOO SOOOOOOOOOOO MUCH!!!!!!
△ ▽ • Reply • Share ›

ilse vervoort • 11 days ago

Hi, thought I found the holy grale for my wife's laptop (dell e6330 system id .....­1D3B) that I
need to reinstall completely but it's got the dreaded administrative password in order to
change the boot seq to usb...
I used the http://bios­pw.org but the passwords generated there don't work.

Aside from calling dell which isn't an option as I don't have the transfer owner thing, is there
anything I could try?
△ ▽ • Reply • Share ›

Dogbert Mod > ilse vervoort • 9 days ago

I'm afraid you have to rely on the dell service

△ ▽ • Reply • Share ›

ilse vervoort > Dogbert • 5 days ago

hello, what about the adverts on ebay ­ I suppose they have the calculator?
△ ▽ • Reply • Share ›
 Dogbert Mod > ilse vervoort • 5 days ago

I don't know. I am not selling on ebay nor do I endorse

people/companies who do.
△ ▽ • Reply • Share ›

Norbert Kawka > Dogbert • 5 days ago

What happened? Why u wont release this? someone threaten you?
△ ▽ • Reply • Share ›

Dogbert Mod > Norbert Kawka • 4 days ago

no: I've just decided not to feed the rats anymore

△ ▽ • Reply • Share ›

eevyaj_23 • 18 days ago

HI.. i have a mini HP 110 and I tried the script... (redacted)
(redacted) ­­­­ doen't work.... T_T
help please...

solve it....
the 3rd character is a small "L"
hahaha....

thanks...
thanks...
and many thanks....
△ ▽ • Reply • Share ›

Anne Trotter • 22 days ago

Dude, thank you. We had a customer bring back a laptop with an admin password on it for
maintenance ­ they're supposed to remove that before turn­in but nope. Nothing I had was
working. You rock socks.
△ ▽ • Reply • Share ›

Bibbins • a month ago

Hi Dogbert,

I'm trying to sort my neighbour's Lenovo G550 ­ the HDD and the BIOS have suddenly
started asking for passwords (he recently had relatives staying!). I tried HDD Unlock and
AFF Reapir Station on the HDD, but neither worked (it's an Hitachi HDD) so I've left it in to a
repair shop. I realise that there is no way to remove the BIOS supervisor password safely
(CmosPwd failed), but I have one concern: if I get the HDD unlocked, will the BIOS lock it
again automatically? Cheers.
△ ▽ • Reply • Share ›

Dogbert Mod > Bibbins • 23 days ago

I'm afraid I have no idea.

△ ▽ • Reply • Share ›

Güven Kurt • a month ago

SAMSUNG WORKED THANKS BRO
△ ▽ • Reply • Share ›

LWillms • a month ago

65534 is the code shown with the "System Disabled" message. Your software says that this
is an invalid hash. A search on the web with "system disabled 65534" shows that this laptop
is not alone with that problem.

This is about a Belinea o.book 2.1 with an Phoenix BIOS "Phoenix TrustedCore(tm) NB",
BIOS Version 1.05, KBC Version 1.03, Build Time 09/07/07 11:12:05, i.e. eight years old...
There is a sticker on the board of the laptop mentioning "Foxconn", so it has probably been
manufactured by Foxconn.

I exchanged the CMOS battery, and left the laptop without CMOS battery over night, but the
problem remained.

Vendor support is questionable, since Maxdata, the company marketing those Belinea
branded products went bankrupt and out of business many years ago.

Any idea about the hash really shown but considered as invalid by your algorithm?
△ ▽ • Reply • Share ›

Dogbert Mod > LWillms • a month ago

that's a bios bug that has bricked countless machines. I've published a few patched
bioses for FSI machines, but since it's only affecting really old laptops, I can't be
bothered to fix more models.
△ ▽ • Reply • Share ›

Andrei • a month ago

hello mate ! I have a Sony Vayo laptop that has a password on the BIOS . A friend of mine
took it to someone to install a new Windows on it and it came back with a password on the
BIOS and that person is not to be found .

I put the wrong password in 3 times, then it asked me for the Onetime Password from
manufacturer ( obviously wrong aswell ) but then it says "System Disabled" but no code
...........................

What can I do in this situation?

△ ▽ • Reply • Share ›

Dogbert Mod > Andrei • a month ago

I'm afraid you have to deal with the customer support of the vendor
△ ▽ • Reply • Share ›

Desmond Miles • a month ago

Hi, I really appreciate what you are doing here. I have laptop Fujitsu Lifebook AH532 and the
code that BIOS gave me after entering "hqgo3 jqw534 0qww294e" is "0F17­3739­8151­
3247­0292­8642" ­ that is 6x4 that does not fit in any category shared above and I am kind of
perplexed what to do with it. Any idea?
△ ▽ • Reply • Share ›

Dogbert Mod > Desmond Miles • a month ago

please ask the fujitsu support for help

△ ▽ • Reply • Share ›

MonicaW • a month ago

Our renters left behind a Dell D830 that they no longer wanted. I thought it would be nice to
donate to someone on FreeCycle. Thanks for allowing me to get rid of the password and
making this useable again.
△ ▽ • Reply • Share ›

Doctorate Chickies Mp • a month ago

thanks for helping me with such a tool that saved me time working in my repairs shop,i used
to re­programe the bios chip afresh
△ ▽ • Reply • Share ›

Jorge O Aguirre Tapia • a month ago

Hi Dogbert maybe can you point in the right direction I have a m14x R2 with Insyde h2o and
have a 16 digits hash, i think the generic can open the setup password, but maybe i must do
an adjust can you help ? thanks in advance
△ ▽ • Reply • Share ›

Dogbert Mod > Jorge O Aguirre Tapia • a month ago

haven't tackled this yet so your best bet is the vendor support
△ ▽ • Reply • Share ›

Jorge O Aguirre Tapia > Dogbert • a month ago

Ok I try it, thanks for take time to answer me, best regards
△ ▽ • Reply • Share ›

h2surplus • a month ago

Just a note to say Thanks! We recycle and refurbish systems for inner city schools and a
douchbag IT guy changed all the passwords before he was let go from a school. The
douchbag IT guy changed all the passwords before he was let go from a school. The
software you wrote has helped me reset all the Dell D620's they have. It saved a ton of time
on the phone with Dell.
△ ▽ • Reply • Share ›

DellPhoenixBIOSw00t • a month ago

Just wanted to share.. Was having issues with a Dell Inspiron 1501 with PhoenixBIOS
Setup Utility (BIOS Version 2.6.1).. I downloaded the generic phoenix bios, entered the error
code/hash/checksum whatever as directed, it gave me a list of possible passwords (only
one of which matched the description of my machine), typed it in, and BAM, into BIOS I
went.. THANKS.
△ ▽ • Reply • Share ›

Mardre • a month ago

Dear Dogbert, maybe this is a stupid question, but: Where should I enter the generated
master password? Is see just the screen with the Hash & System disabled, but if I reboot,

the generated master password is not accepted. (FSC LifeBook E751)

I am stuck at this point.

△ ▽ • Reply • Share ›

Dogbert Mod > Mardre • a month ago

I'm afraid you have to ask the vendor support then

△ ▽ • Reply • Share ›

Mardre • a month ago

Dear Dogbert, maybe this is a stupid question, but: Where should I enter the generated
master password? Is see just the screen with the Hash & System disabled, but if I reboot,
the generated master password is not accepted. (FSC LifeBook E751)
I am stuck at this point.
△ ▽ • Reply • Share ›

Dogbert Mod > Mardre • a month ago

the laptop is too new then: please use the vendor support to obtain a working master
password
△ ▽ • Reply • Share ›

Dino Mainjerk • 2 months ago

Hallo i have an Fujitsu laptop and my girlfriend somehow locked bios wit password which
she don't know anymore. Hash is 6 x 4 digits and i cant find that one on this site. Is there a
way to fix this?
△ ▽ • Reply • Share ›

Dogbert Mod > Dino Mainjerk • a month ago

please use the vendor support

△ ▽ • Reply • Share ›

Nunya • 2 months ago

Dogbert (love the name) is there a way to search the comments? I'm trying to figure out if
this will work on a Dell precision M 4700. Thanks.
△ ▽ • Reply • Share ›

Dogbert Mod > Nunya • 2 months ago

you might want to try searching with google, limiting your search to the domain of the
blog
△ ▽ • Reply • Share ›

Yannick Hack • 2 months ago

Thank You! It worked you are Cool!
△ ▽ • Reply • Share ›

Dave Kellermanns • 2 months ago

Dogbert ­ any chance you can help me with me Dell? The System Number is
(redacted)­1D3B, but the script does not work for me ...
△ ▽
△ ▽ • Reply • Share ›

Dogbert Mod > Dave Kellermanns • 2 months ago

please use the dell support

△ ▽ • Reply • Share ›

Neelam Fatima • 2 months ago

love you f...k you great work dogbert..........munhhhhhhhhhhhhhhh
△ ▽ • Reply • Share ›

Menasheh • 2 months ago

Successfully used Insyde generic script to unlock an Acer Aspire netbook's HDD. Note that
the code generated only worked on the screen showing the hash, not on the default
password entry screen. Also, that was only accessible if F12 had been pressed on the initial
start­up screen ­­ otherwise it would just shut down after three attempts. I saw most of these
points as possibilities for other models in the blog, so it really helped. Thanks!
△ ▽ • Reply • Share ›

michel • 2 months ago

Hello Dogbert, Hi all !
I recently bought on eBay a job lot of 4 Getac B300­X signed by NCS Technologies, two of
which had a BIOS password secured in the TPM chip. (Phoenix SecureCore R1.04.170502)
Having tried a few utilities without success I had given up and then found your blog: I
followed your advice and got a dump file which was processed by brute force with Kali Linux
utilities in GPU mode.
I stopped it after 3 hours without a result
I followed your link to bios­pw.org
Entering the codes gaves me 3 results for the 1st machine and 5 for the second in a blink of
an eye. In both cases, the first master password unlocked fully the machine.
All that was left for me to do is reset the BIOS admin password and clear the TPM memory.
So it also works on military grade secured machines.
Anyway, thanks for the tips and also for motivating me to try again !
Regards from France
△ ▽ • Reply • Share ›

Larry Hanson > michel • a month ago

This worked for me, too. I have an older b300 and I was able to get one that worked
in the 2d set of passwords.
△ ▽ • Reply • Share ›

edgarngg • 2 months ago

Hello I have a fairly new model of Vaio laptop, and need the Onetime PAss, but the script
only works for old models with 7 digit tag, can anyone confirm the only way is to ask
assistance from sony? thank you for your help.
△ ▽ • Reply • Share ›

Dogbert Mod > edgarngg • 2 months ago

pretty much: I have decided against releasing stuff for newer models
1△ ▽ • Reply • Share ›

BadgerXtreme • 2 months ago

Hi Dogbert, I'd need help with an Acer Aspire switch 10, I'd want to know what script will I
use for Acer PC's, because i don't have a clue which one of them should I use on my PC.
Please help.
△ ▽ • Reply • Share ›

Dogbert Mod > BadgerXtreme • 2 months ago

for a PC, you probably have some other means to reset the BIOS password
△ ▽ • Reply • Share ›

Emanuel Unconditional Love Was • 2 months ago

THANK YOU SOOOOO MUCH..... if anyone new is reading this.. woundering if it's tru.. I'm
here to tell ya.. it's tru.. Had an Dell from an client, bios was locked.. I entered the tag.. got
the code.. BLINNG!... unlocked..
△ ▽ • Reply • Share ›
 △ ▽ • Reply • Share ›

Nop • 3 months ago

Thanks so much! A friend's Aspire 5720 was both BIOS & HDD locked by her !$#@! ex BF.
I managed to reset the BIOS PW by shorting the (soldered in) battery, but that didn't clear
the HDD passwords. The Insyde H20 (generic) script to recover worked perfectly!
And as a bonus, I ran it in an xterm on my Linux machine, so I didn't have to screw around
with bootable DOS disks, etc.
△ ▽ • Reply • Share ›

Menasheh > Nop • 2 months ago

Once I saw there were no scripts for Acer, I had almost given up, until I saw this!
Thank you so much!
△ ▽ • Reply • Share ›

marie • 3 months ago

Hi dogbert,
I have a problem in getting bio password for my mini HP. I followed the HP link and it didnt
work at all..Would you help please?
△ ▽ • Reply • Share ›

Dogbert Mod > marie • 2 months ago

please use the HP support

△ ▽ • Reply • Share ›

Nin Yia • 3 months ago

really great work. Thankz for sharing
△ ▽ • Reply • Share ›

Load more comments

✉ Subscribe d Add Disqus to your site ὑ Privacy

Newer Post Home Older Post

Copyright (c) dogbert. Simple template. Powered by Blogger.