
Defeating a Laptop's BIOS Password - Avery3R
https://github.com/skysafe/reblog/blob/master/0000-defeating-a-laptops-bios-password/README.md
======
1_player
I "cracked" my father's laptop's password when he passed away 15 years ago by
buying a similar, broken laptop on eBay for cheap, and unsoldering and
switching the ROM/EEPROM containing the BIOS.

Probably one of the coolest things I've done as a teenager.

~~~
big_chungus
Why re-solder the chip? It seems as though it would be easier to recover data
by just yanking the drive, especially since full-disk encryption was quite
rare fifteen years ago. Failing that, couldn't you have used a SPI flasher
with the existing chip?

~~~
winternett
Can't you still just remove the battery on the mother board for a few seconds?
I used to do that all the time back when I was a repair tech...

~~~
1_player
EEPROMs are non-volatile. They don't need power to keep their data. AFAIK
removing the battery just resets the real time clock.

------
beart
A lot of passwords can be derived from the serial number. This website will do
a lot of the work for you.

[https://bios-pw.org/](https://bios-pw.org/)

~~~
dogber1
That's a great re-implementation from some stuff I did eons ago [0].

BIOS passwords are indeed a complete joke as means to secure access. There are
a bunch of vendors out there who moved the authentication off from the
BIOS/CPU to the KBC (keyboard controller) - Toshiba and Lenovo are among them.
Still, it's ludicrously easy to circumvent these.

[0] [https://dogber1.blogspot.com/2009/05/table-of-reverse-engine...](https://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html)

~~~
ratiolat
The linked article did not have info about Thinkpads. I wonder how nowadays
one can skip BIOS password of a T series thinkpad. So far it has always ended
up with a motherboard change for me.

~~~
rustybolt
There is a trick that works for some (most?) models in the T-series: if you
short the pins of some chip with the right timing, you can bypass the password
check. See, for example:
[https://amp.reddit.com/r/thinkpad/comments/b7jbqq/reset_bios...](https://amp.reddit.com/r/thinkpad/comments/b7jbqq/reset_bios_password_on_thinkpad_t420/)

~~~
numpad0
I believe you force BIOS to think that it had been lucky but checksums don’t
match and EEPROM save is corrupt, then load default and let password go.

Works for straightforward ones like most Lenovo, but not for weirdos like
Toshiba. Sometimes I see lots of Toshiba office laptops with locked BIOS
waiting to be recycled as the result.

~~~
DanBC
Older Toshibas have pins near the RAM that can be shorted to clear the
passwords. There's a big list here: [https://biosbypass.com/how-to-clear-toshiba-bios-password/](https://biosbypass.com/how-to-clear-toshiba-bios-password/)

------
ineedasername
Way back in the first years of the 00's, working IT support in college, BIOS
passwords were common (though not mandatory) on the Faculty/Staff desktops.
So, forgetting passwords was common as well, and at the time we could reset
them by opening them up and swapping a jumper to another set of pins. It
struck me as fairly useless to have a BIOS password at the time.

Forever after, on bootup, "Warning! Case has been opened!" would flash up on
the screen. I assumed that was for warranty purposes, but our IT department
was certified for repairs so it didn't really matter.

~~~
da_chicken
The BIOS should have a reset option for the case open switch. It's just a
warning you toggle off in the BIOS. The idea is that only a tech would know
the BIOS password to turn it off, so that's how you know that someone knows
about it.

It's also unusual that discharging the CMOS removed the boot password. It
shouldn't do that. I also worked on similar desktops (they were IBM desktops
from before they were spun off) and they didn't have this problem that I can
recall. Very few systems had boot passwords, however.

I'm certain that the BIOS passwords didn't clear this way, however, because we
had a few systems that had old passwords that nobody knew. Instead, we had a
copy of the tech software used to program the BIOS. You had to boot that
program and use it to clear the password. HP had a similar program, but that
stopped working around 2010 when the computers started to ship with a TPM and
you could no longer just clear the content.

~~~
hunter2_
> HP had a similar program, but that stopped working around 2010

Can I obtain this somehow? I have a business grade HP laptop from 2006 (nw8440
I think) and I forgot my BIOS setup password. I need to enable the NX bit to
upgrade from win7 to win10! Removing the CMOS battery overnight (and all other
power) did not help.

~~~
shakna
You place a file you _may_ be able to get from support (called SMC.bin) onto a
FAT32 USB drive, and then:

1. Power off.

2. Hold the Windows, Up arrow and Down arrow keys all at the same time. Only
then hit the power button to start.

3. Release all buttons and press F10.

4. You should see something about "SMC Command" starting.

5. Press File, press "Reset BIOS security defaults" or similar.

The only way to get the SMC.bin file, that I know of, is directly from HP
Business Support.

------
archi42
For my Lenovo Helix 2nd Gen I just need to wait until the battery runs out.
This clears the BIOS, including the password.

------
Razengan
> _Even today's modern 64-bit CPUs begin execution in 16-bit mode. In UEFI,
> this is called the SEC phase._

Is that true even for the T2 Macs and such?

~~~
onedognight
Apple has been moving their defenses earlier and earlier in the boot process.
According to this talk[0] they are even able to foil malicious option ROM[1]
and other early boot attacks. I don’t recall if they mention boot passwords
specifically, but they claim to lead the industry in this regard.

[0] [https://youtu.be/3byNNUReyvE](https://youtu.be/3byNNUReyvE)

[1] [https://www.blackhat.com/us-19/briefings/schedule/#behind-th...](https://www.blackhat.com/us-19/briefings/schedule/#behind-the-scenes-of-ios-and-mac-security-17220)

~~~
Avery3R
Verification of option ROMs as a part of Secure Boot is a part of the normal
UEFI spec; however, some vendors forgot to implement it.

[https://docs.microsoft.com/en-us/windows-hardware/manufactur...](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/uefi-validation-option-rom-validation-guidance)

------
Causality1
There are quite a few laptops on eBay at considerable discounts because the
seller doesn't know the BIOS password. This could come in handy.

~~~
selectodude
I'm not sure buying stolen laptops is really the direction we want to go in
here.

~~~
mschuster91
Stolen? I wouldn't jump to that conclusion so fast. A large source for these
are mass sell-offs of old corporate or government gear after the usual 2-5
year upgrade cycle or government sales of impounded devices.

~~~
jotm
Funny story, I bought a system board on eBay that had a BIOS password on it.
The seller didn't answer my messages asking for the password, so I assumed he
knew there was a password, but didn't know it (and didn't say in the item
description). He just ghosted me. Returning it seemed like a hassle, I really
needed it and this was the only one on sale in Europe.

Found the former owner of the laptop where the board came from thanks to the
corporate/user name displayed on the password prompt. It was a small IT
company.

Contacted them on LinkedIn asking for the password and detailing the
situation. Didn't get the password, but the CEO/owner of the company certainly
had a surprise.

Turned out one of their guys was selling parts from their laptops/hardware
without permission.

Suddenly, the seller on eBay found the message feature and wrote to me, saying
I got them in trouble. Shouldn't have ghosted me, then? Just a "sorry, didn't
know it had one" and I would've just proceeded to replace the BIOS chip, which
was my plan B and it's what I ended up doing.

------
jasonhansel
Question: how secure are BIOS passwords, really? If you have full-disk
encryption anyway, is the BIOS password adding anything?

~~~
Galanwe
The BIOS does control the boot order sequence for instance.

I guess if you have access to it, you could force boot from a malicious USB
stick, or the network, that would simulate the disk decryption prompt.

I guess you could also remove security measures that your company put in place
to e.g. prevent the usage of USB to prevent information leaks.

~~~
jasonhansel
But to do that you could also just (say) clone the disk drive and install the
fake prompt on the disk drive itself, right?

~~~
Galanwe
Not if secure boot is enabled, your boot loader most likely would not have a
trusted signature.

------
TrueDuality
I'm curious if TPM measurements would catch these kinds of manipulations. It's
probably system specific, but the configuration of the BIOS should (as far as I
understand it) be captured as part of the measurement process.

If requisite credentials or remote attestation is sealed against a certain
measurement value it should protect the system.

~~~
Avery3R
The way locking a TPM to firmware config works is that the TPM has several
registers called PCRs that contain a hash value. Anything can send data to the
TPM and have it update the hash value, and you can lock TPM keys to the PCRs
such that you can only use the key when the PCRs you choose have a specific
value. The TCG spec defines some of these PCRs to be sent certain information
[0], but it's up to the firmware to send it, the TPM doesn't magically know
what the state is. If there's even a single setting or nvram variable that you
can change to gain code execution that isn't part of the data that's sent to
the PCRs that the crypto key is locked to, it's game over.

[0]: [https://trustedcomputinggroup.org/wp-content/uploads/TCG-EFI...](https://trustedcomputinggroup.org/wp-content/uploads/TCG-EFI-Platform-Specification.pdf)

~~~
russfink
BIOS code is PCR 0, config is PCR 1. Software can "extend" certain PCRs as
well. Look up Core Root of Trust for Measurement (CRTM) - lot of articles out
there. BitLocker can use the capability you describe to protect the hard drive
encryption keys. The TPM helps make sure the correct software is in control of
the platform before releasing secrets.
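
Avery3R's and russfink's points above (PCR 0 for firmware code, PCR 1 for configuration, and the fact that only what the firmware actually extends is protected) as an added software model; this is not code from the thread or from any TPM implementation, and the firmware image, settings, and XOR-style wrapping are constructed stand-ins for a real TPM's sealing.

```python
import hashlib

ZERO = b"\x00" * 32  # PCRs start at all-zero on reset

def extend(pcr: bytes, data: bytes) -> bytes:
    """PCRExtend as described in the thread: new = H(old || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_boot(firmware: bytes, config: dict, measured: tuple) -> dict:
    """Model of the firmware's measurement step: code goes to PCR 0, and only
    the config keys the firmware chooses to send (``measured``) reach PCR 1."""
    pcrs = {0: extend(ZERO, firmware), 1: ZERO}
    for key in sorted(measured):
        pcrs[1] = extend(pcrs[1], f"{key}={config[key]}".encode())
    return pcrs

def policy_digest(pcrs: dict, selection: tuple) -> bytes:
    return hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()

def seal(secret: bytes, pcrs: dict, selection: tuple) -> dict:
    """Bind a 32-byte secret to the chosen PCRs (toy XOR wrap, not TPM's)."""
    digest = policy_digest(pcrs, selection)
    pad = hashlib.sha256(b"wrap" + digest).digest()
    return {"blob": bytes(a ^ b for a, b in zip(secret, pad)),
            "policy": digest, "selection": selection}

def unseal(sealed: dict, pcrs: dict):
    """Release the secret only when the current PCRs match the sealed policy."""
    digest = policy_digest(pcrs, sealed["selection"])
    if digest != sealed["policy"]:
        return None
    pad = hashlib.sha256(b"wrap" + digest).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], pad))

def demo() -> dict:
    firmware = b"constructed-firmware-image-v1"      # constructed stand-in
    config = {"secure_boot": "on", "boot_order": "ssd,usb"}  # constructed
    measured = ("secure_boot",)  # firmware forgot to measure boot_order
    sealed = seal(b"K" * 32, measure_boot(firmware, config, measured), (0, 1))
    # Unmeasured setting flipped: PCRs unchanged, so the secret still unseals.
    tampered = dict(config, boot_order="usb,ssd")
    unmeasured = unseal(sealed, measure_boot(firmware, tampered, measured))
    # Measured setting flipped: PCR 1 differs, secret stays locked.
    tampered = dict(config, secure_boot="off")
    measured_change = unseal(sealed, measure_boot(firmware, tampered, measured))
    # Different firmware image: PCR 0 differs, secret stays locked.
    other_fw = unseal(sealed, measure_boot(b"other-image", config, measured))
    return {"unmeasured": unmeasured, "measured": measured_change,
            "firmware": other_fw}
```

The unmeasured case is exactly Avery3R's "game over": the sealed key is released even though a boot-relevant setting changed, because that setting never reached the PCRs.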

~~~
TACIXAT
It helps but unless you are using the secure channel setup (no one is to my
knowledge) attackers can intercept the PCRExtend operations and replace the
data being extended.

------
Legogris
I was of the impression that BIOS passwords were in general not something one
should rely on, even as a layer, when assuming physical access. In the (not that)
old days it was usually just a matter of removing the internal battery to
reset it. Has this assumption changed in past years?

~~~
unnouinceput
A bit, as posted in this blog, but for the most part, having unlimited physical
access to a device means it's game over. Hence why encrypting your sensitive
data should be the norm (I am aware that is not the norm, not by far).

~~~
Legogris
Sure, it's just that the only situation I see a BIOS password making sense is
in the presence of some intrusion-detection mechanism that would perform some
kind of destruction/lockdown/alarm so that attempting to bypass it would not
be without consequences.

~~~
tomlong
They are good for stopping people fiddling in large scale corporate
deployments where someone's nephew knows how to make the work laptop go faster.

------
mikorym
Does this also hold for Macbooks?

Edit: A more precise question would be: What is the analogy to Secure Boot and
the hardware being locked on a Macbook?

~~~
diffeomorphism
Is there anything actually different? A Macbook is a relatively standard Intel
laptop that happens to run MacOS.

The only additional complication might be the T2 chip in the same way that
TPMs might be an additional issue in other business laptops.

~~~
mikorym
I don't know. The reason why I ask this is that I want to replace my Macbook's
startup chime with something else.

------
cashy
We just use this on the Dells at work: [https://bios-pw.org/](https://bios-pw.org/)

------
mafriese
Can someone tell me which flash programmer is used here? I also want to play
around with UEFI.

~~~
cure
Not sure what they used, but even a Raspberry Pi + a Pomona clip will do the
trick. Have a look at the flashrom wiki, see
[https://flashrom.org/ISP](https://flashrom.org/ISP).

~~~
HHad3
Careful though, and read the datasheet first! AM4, for example, uses 1.8V SPI
flash chips. Connecting them to Raspberry Pi directly will at the very least
fry the chip, if not the whole board.

------
ben_bai
TL;DR but why not "open laptop, disconnect BIOS battery for 10 sec,
reassemble, done"

~~~
abainbridge
I think the article explains that the state they needed to change was stored
in flash.

------
throwawaynothx
TLDR; remove battery.

~~~
NullPrefix
This is about laptops, not desktops. Battery removal only resets the clock,
but the password stays on.

~~~
numpad0
Doesn't matter if it's a laptop or desktop; it depends more on how old the PC
is. I think UEFI machines use NAND or NOR ROM as actually nonvolatile NVRAM.

------
yNeolh
> We found a laptop laying around the office that had BIOS password enabled.

I really wanted it to be a laptop from someone on vacation who, on coming
back, finds this post instead of the laptop xD

------
dschuetz
Oh sure, to defeat a BIOS password I'm supposed to have IDA Pro lying around,
with license.

~~~
busterarm
So use Ghidra or radare2 or other free alternatives instead?

------
anaisbetts
This is cool, but if this is how SkySafe engineers spend their time, they're
not gonna be a business for long. There's absolutely zero way that
NUM_ENGINEERS * SALARY_PER_HOUR * HOURS_SPENT for this task is even remotely
sane compared to just tossing the laptop and buying a new one.

I get that this is kind of content marketing for their engineering department,
but damn if they could've prooooobably spent that money on something with more
impact.

~~~
tastroder
According to crunchbase they've been around since 2015 and had their last
funding round in mid 2017. I doubt they're in such a crunch that they can't
spend a few days for the team to focus on a fun and common interest without
breaking the company.

~~~
thaumasiotes
But if you let them have fun once, they're going to want to have fun ALL THE
TIME. ;D

