flat assembler
Message board for the users of flat assembler.

Index > Heap > About BIOS-paswords

MCD
Recently, I have found something interesting about Pheenix-Awkward passwords on a friend's computer.

He asked me if I somehow could retrieve his lost BIOS password.
After having unsuccessfully tried all known master passwords, he came up with a little tool to extract the BIOS password via the DMI/ESCD configuration.

Luckily, I found something that actually worked as a password.
Funnily, it only contained digits from 0 to 3, and my friend said that it was not his password.

So I thought that this might be some yet unknown master password.
So I played a bit with changing his BIOS passwords again, and strangely, the password with all numbers in it which we discovered with his tool didn't work anymore.

It turned out that these passwords are some kind of "backup" passwords that are newly created each time you change the actual BIOS password. Here are some examples I got:

Code:
entered password / generated backup password:

Bulldog / 20031221
Bernesse / 02202322
Shepard / 11211003

I find these backup passwords a clever way of dealing with the situation where someone has lost his password and wants to get back into his BIOS without revealing his actual password.

Unfortunately, these backup passwords depend only on the password entered by the user, and there is nothing like a salt, timestamp or hardware timing entropy in it, so you can use this backup password at any time as long as you don't change the actual password.

But there is an even worse problem with it: the backup passwords only have a length of 8 digits drawn from 4 different symbols, which gives you only 4^8 = 65536 different possible passwords. I guess it's no problem at all to brute-force them.

Post 01 Feb 2008, 05:54
bitRAKE
Wonder if it'll work on my Toughbook BIOS - supposed to be a very secure computer with TPM/hard drive lock/encryption, etc. It's Phoenix BIOS 5.5. The service manual explains how to bypass the password with a special cable connected between the parallel and serial ports, iirc.

I have never really counted on the passwords to protect me. There are tons of stolen computers on eBay / Craig's List for sale all the time. Obvious stuff where one can clearly see the laptop was broken out of a bracket - guess if someone is dumb enough to break the computer when stealing it, why should they demonstrate any intelligence in hiding the fact, lol.

It doesn't really surprise me that there are back doors past security measures. In many cases government or law enforcement require such measures to give an advantage over criminals (not good criminals, just the lame ones).
Post 01 Feb 2008, 06:46
MHajduk
MCD wrote:
Funnily, it only contained numbers from 0 to 3 and my friend said, that it was not his password.

(...)
Code:
entered password / generated backup password:

Bulldog / 20031221
Bernesse / 02202322
Shepard / 11211003
(...)

the backup passwords only have a length of 8 numbers of 4 different symbols, which give you only 4^8 = 65536 different possible passwords. I guess it's no problem at all to brute-force them.
In all probability, these passwords are numbers written in the numeral system with base 4 (the quaternary numeral system).
Post 01 Feb 2008, 07:35
MCD
MHajduk wrote:
In all probability, these passwords are numbers noted in numeral system with base equal to 4 (quaternary numeral system).

exactly

I remember someone posted a link to a good BIOS disassembling guide somewhere here, where was that again?
Post 01 Feb 2008, 09:10
shoorick
Post 01 Feb 2008, 10:43
MHajduk
MCD

I think that these "backup passwords" (8-digit quaternary sequences) are rather some kind of 16-bit hashes (every quaternary digit is encoded in 2 bits), i.e. these are ordinary 16-bit numbers written that way.
Post 01 Feb 2008, 12:15
Feryno
my old PC (about 10 years ago) with Award BIOS used an algorithm something like this to create a password from an input

Code:
mov si,password          ; si points at the first character of the password
cld                      ; lodsb walks forward through the string
xor ax,ax                ; ah stays 0, so after lodsb ax holds just the character
xor bx,bx                ; bx accumulates the 16-bit hash
L0:
shl bx,2                 ; hash = hash*4 (truncated to 16 bits)
lodsb                    ; al = next character, si advances
add bx,ax                ; hash += character
adc bx,0                 ; fold the carry of that add back into the hash
cmp si,end_of_password   ; end_of_password = address just past the last character
jnz L0
; bx = hash; this word was stored in CMOS at location 1Ch, 1Dh

I discovered the algo very easily: I set the password 'a', backed up the whole CMOS, then password 'b', backup, then password 'aa', backup, then 'aaa' etc. I just compared the dumped CMOS and observed what changed. Note that checksums change too (offset 3Fh etc.)
Wiping out the password was very easy: after altering any bit, the checksum was incorrect and the BIOS cleared the password. But I also developed an algo to find a password from the 2 bytes of a hash. There were about 100 different working passwords composed from letters a-z, max 8 chars long, for a word hash stored at 1C-1D in CMOS.
Post 01 Feb 2008, 12:25
MHajduk
Feryno

Interesting, your algorithm gives values similar to those presented above:
Code:
            Hex    Quaternary
-------------------------------------------
Bulldog     8363    20031203
Bernesse    28A1    02202201
Shepard     593C    11210330
Post 01 Feb 2008, 15:25
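Added example, not code from the thread: a C rendering of the hash Feryno sketched and of the quaternary column in MHajduk's table, checked against the three sample passwords; the all-lowercase pair "bf"/"aj" is a constructed illustration of why a 16-bit hash admits many working passwords.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One round per character: hash = hash*4 + c (mod 2^16), then the carry of
 * that add is folded back in, mirroring "shl bx,2 / add bx,ax / adc bx,0". */
uint16_t award_hash(const char *pw)
{
    uint16_t hash = 0;
    const char *end = pw + strlen(pw);             /* end_of_password */
    for (; pw != end; pw++) {
        uint16_t shifted = (uint16_t)(hash << 2);  /* shl bx,2 drops bits 16/17 */
        uint32_t sum = (uint32_t)shifted + (unsigned char)*pw; /* add bx,ax */
        hash = (uint16_t)(sum + (sum >> 16));      /* adc bx,0 */
    }
    return hash;
}

/* Render a 16-bit hash as the 8 base-4 digits (2 bits each) MHajduk used. */
void to_quaternary(uint16_t h, char out[9])
{
    for (int i = 7; i >= 0; i--) {
        out[i] = (char)('0' + (h & 3));
        h >>= 2;
    }
    out[8] = '\0';
}

int main(void)
{
    /* The three passwords from the thread, plus a constructed pair of
     * all-lowercase inputs that collide: 4*'b'+'f' == 4*'a'+'j' == 494. */
    const char *samples[] = { "Bulldog", "Bernesse", "Shepard", "bf", "aj" };
    char q[9];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t h = award_hash(samples[i]);
        to_quaternary(h, q);
        printf("%-10s %04X  %s\n", samples[i], h, q);
    }
    return 0;
}
```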
rugxulo
http://www.cgsecurity.org/wiki/CmosPwd

Quote:

CmosPwd decrypts password stored in cmos used to access BIOS SETUP.
Works with the following BIOSes

* ACER/IBM BIOS
* AMI BIOS
* AMI WinBIOS 2.5
* Award 4.5x/4.6x/6.0
* Compaq (1992)
* Compaq (New version)
* IBM (PS/2, Activa, Thinkpad)
* Packard Bell
* Phoenix 1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev 1.13.1107
* Phoenix 4 release 6 (User)
* Gateway Solo - Phoenix 4.0 release 6
* Toshiba
* Zenith AMI

With CmosPwd, you can also backup, restore and erase/kill cmos.
Post 01 Feb 2008, 20:58
Feryno
To MHajduk - yes, the algorithm is extremely easy and insecure. The hash has only 16 bits, so the security is poorer than the simplest toy for children.
To all - to wipe out the CMOS password, you can do it using the debug command under DOS or Windows - usually altering any byte at offset 10h-3Fh in CMOS is enough. After reboot, the BIOS prints "CMOS checksum error, loading default settings..." and the password is also disabled by default. I'm not sure whether the Win NT platform (NT 4.0, Win 2000, XP) protects the CMOS ports from being accessed by debug.exe.
This is not any advice. This is the last possibility to recover when other methods fail. You can perhaps damage something by improper CMOS setting.
Post 06 Feb 2008, 12:08
Raedwulf
But usually a default BIOS setting shouldn't hurt... or can it?
Post 08 Feb 2008, 14:14
Copyright © 1999-2020, Tomasz Grysztar.