
Semi-new BIOS pw recovery technique

Posted: Sat Mar 25, 2006 10:27 am
by jimduchek
I scored a pair of BIOS-locked A31p's on eBay last week, and finally got them last night. I've got the parts lying around, but I was too lazy to go solder up the 'standard' method of recovering the BIOS password, and succeeded without having to burn myself:

I reasoned that the BIOS probably accesses the EEPROM through SMBus. Sure enough, four 256 byte pages at addresses 0x54-0x57. Unfortunately, the first 128 bytes of the last page were inaccessible (That's where the pw is). The access control registers were at address 0x5c, but of course, page 6 (counting from 0) is set to inaccessible and the BIOS sets the sticky bits right after boot.

The sticky bits get reset after the chip loses power though, so I shorted pins 3-4 together for a second (ground and PROT), and sure enough, the sticky bits came unstuck, and I was able to set page 6 to full access, and acquire the scancodes for the password.

I was too unmotivated to figure out the scancodes, so I just dd'd up a 1k file of 0's, hexedited the scancodes to where the IBMpass program expects them, and ran it under wine. Sure enough, some dumbass set the password to WIN2KOK. Cute.

At any rate, I don't think this'd work on my T22 -- the piix smbus driver won't load if you've got an IBM -- mutters something about damaging the EEPROM. And you've still got to take the laptop apart, but the second one wasn't nearly as bad as the first (because I knew where the [censored] chip was).

This won't work, obviously, if you can't boot into Linux on the machine, but the second one only took me about 10, 12 minutes from touching the first screw to putting the last one back in.
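The post stops at dumping the raw scancodes and handing them to IBMpass; the added example below (not jimduchek's code) carries out the step he skipped, decoding the bytes from the locked region directly. It assumes the four 256-byte SMBus pages at 0x54-0x57 were dumped into one 1 KiB image in order, that the locked protection page 6 (counting from 0, 128-byte pages) therefore sits at offset 768, and that the password is stored as PC/XT scancode set 1 make codes with a 0x00 terminator. Those three assumptions, and the sample image, are constructed here; the page confirms only the addresses and the locked page, not the encoding.

```python
"""Decode a BIOS password from a 1 KiB EEPROM image dumped over SMBus.

Added example, not from the original forum post. Labelled assumptions:
  * the image is the four 256-byte pages at 0x54..0x57, concatenated in order;
  * the password lives in 128-byte protection page 6 (offset 768..895);
  * it is stored as scancode set 1 (PC/XT) make codes, terminated by 0x00/0xFF.
"""

PAGE_SIZE = 256        # bytes per SMBus page (one page per address 0x54-0x57)
PROT_PAGE_SIZE = 128   # granularity of the access-control (protection) bits
PASSWORD_PAGE = 6      # protection page the post found locked, 0-based (assumption)

# Scancode set 1 make codes for the keys a BIOS password can contain (assumed encoding).
SET1_MAKE_CODES = {
    0x02: "1", 0x03: "2", 0x04: "3", 0x05: "4", 0x06: "5",
    0x07: "6", 0x08: "7", 0x09: "8", 0x0A: "9", 0x0B: "0",
    0x10: "Q", 0x11: "W", 0x12: "E", 0x13: "R", 0x14: "T",
    0x15: "Y", 0x16: "U", 0x17: "I", 0x18: "O", 0x19: "P",
    0x1E: "A", 0x1F: "S", 0x20: "D", 0x21: "F", 0x22: "G",
    0x23: "H", 0x24: "J", 0x25: "K", 0x26: "L",
    0x2C: "Z", 0x2D: "X", 0x2E: "C", 0x2F: "V", 0x30: "B",
    0x31: "N", 0x32: "M",
}
CHAR_TO_SET1 = {ch: code for code, ch in SET1_MAKE_CODES.items()}


def password_region(image: bytes) -> bytes:
    """Return the 128-byte protection page that held the password."""
    if len(image) != 4 * PAGE_SIZE:
        raise ValueError(f"expected a {4 * PAGE_SIZE}-byte image, got {len(image)}")
    start = PASSWORD_PAGE * PROT_PAGE_SIZE
    return image[start:start + PROT_PAGE_SIZE]


def decode_scancodes(raw: bytes) -> str:
    """Map set-1 make codes to characters, stopping at the first 0x00/0xFF."""
    chars = []
    for b in raw:
        if b in (0x00, 0xFF):        # terminator, or erased/blank cell
            break
        if b not in SET1_MAKE_CODES:
            raise ValueError(f"byte 0x{b:02x} is not a known set-1 make code")
        chars.append(SET1_MAKE_CODES[b])
    return "".join(chars)


def encode_scancodes(text: str) -> bytes:
    """Inverse of decode_scancodes; BIOS passwords are case-insensitive here."""
    return bytes(CHAR_TO_SET1[ch] for ch in text.upper())


def build_image(password: str, offset: int = PASSWORD_PAGE * PROT_PAGE_SIZE) -> bytes:
    """Build a 1 KiB image of zeros with the scancodes at `offset`.

    This mirrors the dd-a-file-of-zeros-and-hexedit step in the post; the
    offset used by IBMpass is not given on the page, so the default here is
    simply the locked page's own offset (an assumption).
    """
    codes = encode_scancodes(password)
    image = bytearray(4 * PAGE_SIZE)
    image[offset:offset + len(codes)] = codes
    return bytes(image)


def recover_password(image: bytes) -> str:
    """Full pipeline: locate the locked page, then decode what it holds."""
    return decode_scancodes(password_region(image))


# Constructed sample: what the post's password would look like in the dump.
SAMPLE_IMAGE = build_image("WIN2KOK")

if __name__ == "__main__":
    print(recover_password(SAMPLE_IMAGE))   # WIN2KOK
```

On a real dump, bytes in the locked page that are not make codes mean the encoding assumption is wrong (a different scancode set, or a hash rather than raw codes), and `decode_scancodes` raises rather than guessing; a page full of 0x00 or 0xFF decodes to an empty string, which is what you would see if the protection bits were still set and the read was refused or returned blanks.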