Tuesday, April 19, 2011

BIOS Master Password Keygenerator for Locked Out BIOS

When a computer or laptop is locked out, you will be presented with a scary “System Disabled” or “Password check failed. Fatal Error. System Halted” message followed by a number. Take note of that number, because it is needed to generate the BIOS backdoor password.


BIOS Password Backdoors in Laptops

When a laptop is locked with a password, a checksum of that password is stored to a sector of the FlashROM - this is a chip on the mainboard of the device which also contains the BIOS and other settings, e.g. memory timings. For most brands, this checksum is displayed after entering an invalid password for the third time:

The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, there are no new penalties such as additional passwords, locks and so on. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing. Another method commonly used is that instead of a checksum, a number is displayed from which a randomly generated password can be calculated. Quite often, vendors also resort to storing the password in plain text, and instead of printing out just a checksum, an encrypted version of the password is shown. Either way, my scripts can be used to derive valid passwords with the hash.
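Why a short checksum shown on the lockout screen cannot keep a password secret, as an added example that is not from the original post or its scripts. It uses Python's generic `binascii.crc_hqx` as a stand-in 16-bit checksum (an assumption, not any vendor's algorithm) and a constructed sample password, and counts how many four-letter passwords the check cannot tell apart.

```python
import binascii
import itertools
import string
from collections import defaultdict


def displayed_code(password: str) -> str:
    """Five-decimal-digit code derived from a 16-bit checksum of the password.

    binascii.crc_hqx (CRC-CCITT) is a generic stand-in chosen for this example;
    it is NOT the checksum used by any vendor listed on this page.
    """
    return "%05d" % binascii.crc_hqx(password.encode("ascii"), 0)


def preimage_table(alphabet: str = string.ascii_lowercase, length: int = 4):
    """Map every displayed code to all candidate passwords that produce it."""
    table = defaultdict(list)
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        table[displayed_code(candidate)].append(candidate)
    return table


def equivalent_passwords(code: str, table) -> list:
    """Enumerated passwords that a checksum-only comparison would all accept."""
    return table.get(code, [])


if __name__ == "__main__":
    table = preimage_table()
    secret = "bios"  # constructed sample password
    code = displayed_code(secret)
    matches = equivalent_passwords(code, table)
    # 26**4 = 456,976 candidates fall into at most 65,536 codes, so by the
    # pigeonhole principle some code is shared by at least 7 passwords.
    print("code shown after three failures:", code)
    print("4-letter passwords with the same code:", len(matches))
    print("distinct codes seen:", len(table), "of at most 65536")
    print("largest collision class:", max(len(v) for v in table.values()))
```

A 16-bit code has at most 65,536 values, so the check is only as strong as that number, whatever the length of the password that was set.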

Some vendors have implemented obfuscation measures to hide the hash from the end user - for instance, some FSI laptops require you to enter three special passwords for the hash to show up (see other post). HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for the last time.

Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a matter of trying all of them and finding the one that matches your laptop. It does not matter on what machine the scripts are executed, i.e. there is no reason to run them on the locked laptop.
This is an overview of the algorithms that I looked at so far:

| Vendor | Hash Encoding | Example of Hash Code/Serial | Scripts |
|---|---|---|---|
| Compaq | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Dell | serial number | 1234567-595B, 1234567-D35B, 1234567-2A7B | Windows binary&source |
| Fujitsu-Siemens | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Fujitsu-Siemens | 8 hexadecimal digits | DEADBEEF | pwgen-fsi-hex.py, Windows binary |
| Fujitsu-Siemens | 5x4 hexadecimal digits | AAAA-BBBB-CCCC-DEAD-BEEF | pwgen-fsi-hex.py, Windows binary |
| Fujitsu-Siemens | 5x4 decimal digits | 1234-4321-1234-4321-1234 | pwgen-fsi-5x4dec.py, Windows binary |
| Hewlett-Packard | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Hewlett-Packard/Compaq Netbooks | 10 characters | CNU1234ABC | pwgen-hpmini.py, Windows binary |
| Insyde H20 (generic) | 8 decimal digits | 03133610 | pwgen-insyde.py, Windows binary |
| Phoenix (generic) | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary |
| Samsung | 12 hexadecimal digits | 07088120410C0000 | pwgen-samsung.py, Windows binary |


The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the binary files (.exe) don't work out for you, install Python 2.6 (not 3.0!) and run the .py scripts directly by double-clicking them. Make sure that you correctly read each letter (e.g. number '1' vs letter 'l').

Please comment on what make/model the scripts work and on what they don't. Also, be aware that some vendors use other schemes for master passwords - among them are e.g. IBM/Lenovo. Please understand that my motivation for reverse-engineering comes from a personal interest. If you find that your laptop does not display a hash or the scripts do not work for you for whatever reason, please use the vendor support. I will not accept offers to look at the specifics of certain models.

After downloading the correct key generator for the brand of your computer or laptop, enter the numbers into the program and hit Enter, and the master password will be displayed. Then boot up the computer that is locked out and type in the password, which will instantly unlock the computer.


Obviously you have to run the keygenerator on a computer that you can boot into Windows. If you don’t know which pwgen to use, it is also safe to try all of them until you find the one that matches your laptop. Recently Dogber has even included a Python script to generate master passwords for Sony laptops. You can get that by going to the main page of Dogber’s blog. This guy is a genius!
