Delete Delete Delete

[edavid]

I work for a computer repair shop and they have given me the task to remove a bios password from a Toshiba Tecra R10 (PTRB3C-ES109C). They didn't give me a laptop charger (made my own already with a homemade bench power supply), HDD, and they didn't give me a laptop display (using an external VGA monitor seems to work). They also have no clue what the password of the machine is.

If it doesn't even have a screen, why are you bothering to reset it?  Is it some kind of test?

I've looked around the motherboard a bit, looking for the BIOS chips, and i've come across to different chips, and i'm not sure which is the bios. Links for datasheets of both:
https://www.sos.sk/productdata/76/10/0/76100/AT25DF321.pdf
http://www.atmel.com/images/doc5175.pdf

Obviously the BIOS is in the big chip, and the password is probably in the small chip.

So build a simple reader for the small chip, and see what's in there:

http://www.lancos.com/prog.html

You could also buy one of these:

http://www.ebay.com/itm/25-SPI-Series-24-EEPROM-CH341A-BIOS-Writer-Routing-LCD-Flash-USB-Programmer/131861626827

[mikerj]

Years ago this trick worked with the Philips coded radios that they fitted to Opel cars.

Years ago plenty of people tried to suggest this tricked worked, but it didn't (along with numerous other dubious methods that never worked).  I used to repair head units for a living, the Philips units had either a 24C02 or a 24C16 that had to be dumped and edited, or overwritten with an image holding a known password.

[CJay]

Joe in Australia worked out the pins on the dock connector for a lot of IBM machines and developed a programmer using a couple of TTL chips which would dump the 24RF08 chip, you sent him the image and he sent you back the password.

Pretty simple to work out for yourself though with a bit of knowledge.

The drive passwords are on each drive, not on the 24RF08 chip.   Each drive password can be different from the two other BIOS passwords.   Pretty simple to understand that, a procedure like that may have been able to unlock the actual machine, but not get to unlock the drives.   One would have to replace the drives.

Yes, they are, but I was referring to the BIOS password, not the drive security.

My bad if I misread something.

There are ways around those drive passwords too, some of which are easier than others and not guaranteed for all drives/security levels but I've personally unlocked two Seagates.

I will admit the method I used is spine tingling and rather risky.

[mcinque]

Assuming he have/purchase the programmer, he should have the original bios file to dump, right? (Or another identical bios to use as a "good" dump)

[edavid]

Assuming he have/purchase the programmer, he should have the original bios file to dump, right? (Or another identical bios to use as a "good" dump)

No, the password is probably not in the same device as the BIOS.

[mcinque]

oh, so he should program/clear/edit the nvram/device where the pass is set?

[knks]

I have used Thinkpads since they came out.   Lots of them because of my employer.   I do not know about other brands, but on the Thinkpads, there was the option to secure (we were required to) the hard drives.   The pasword is actually stored in a special place in the drive.   It is supported by an ATA(?) command.   Long time ago, after a machine upgrade to serial drives, after moving the data, inadvertently, I was left with a parallel drive with the PW on it.   I could never figure out how to unlock it.  It was a 60GB unit.   After a while the interest on it faded becuse of obsolescence.   It is probably in a drawer somewhere.

I think you can issue ATA command to unlock the drive (without entering the password). If will erase all data first, and then unlock it.

[pinyoro]

I have not looked into your motherboard model  but on some newer boards the BIOS and  CMOS is in the South bridge which is  BGA device. In that case you may end up having to replace the BGA itself.

[Losserty]

I worked refurbishing IBM laptops. 

All these people who post "jumper 2 pins" "remove the battery"  are all wet.  20 years ago this stuff worked, not any more.

You are correct, there is a password stored on the drive.  In fact there can be up to 4 passwords.   When the drive powers up, you have 4 chances to enter the correct password.  After that the HD powers down and you have to go through a complete power down/ power up cycle before it will accept passwords to test.

There is also a password on the mother board.  There was a "joe in Australia" who could zero out the password for you.  You had to pull the eprom off the motherboard and send it to him.  Don't know if he is still in business anymore.

Joe in Australia worked out the pins on the dock connector for a lot of IBM machines and developed a programmer using a couple of TTL chips which would dump the 24RF08 chip, you sent him the image and he sent you back the password.

Pretty simple to work out for yourself though with a bit of knowledge.

The same problem I've had before, at the time, I forgot password and I was going to reset it , everything in front is going well,but when you enter the drive, you will never be able to complete the password test and receive no hints , i thought my computer was dead ,

[paulca]

I would assume you don't want anything off the hard-disk either?

I believe if you reset the CMOS or non-volatile memory aiming to reset the password you will also reset the encryption keys for the hard-disk meaning you can access it again.  I do not believe the keys can be retrieved to be backed up.

[Mr. Scram]

I would assume you don't want anything off the hard-disk either?

I believe if you reset the CMOS or non-volatile memory aiming to reset the password you will also reset the encryption keys for the hard-disk meaning you can access it again.  I do not believe the keys can be retrieved to be backed up.

Is the password stored in the TPM?

[HoracioDos]

There was a "joe in Australia" who could zero out the password for you.  You had to pull the eprom off the motherboard and send it to him.  Don't know if he is still in business anymore.

http://www.ja.axxs.net/

[paulca]

I would assume you don't want anything off the hard-disk either?

I believe if you reset the CMOS or non-volatile memory aiming to reset the password you will also reset the encryption keys for the hard-disk meaning you can access it again.  I do not believe the keys can be retrieved to be backed up.

Is the password stored in the TPM?

I don't know.  I'm assuming that, as the BIOS is password protected that the hard disk encryption may also be enabled.  The BIOS password is to prevent people from getting to the decryption phase.  I am also assumng if you were to reset the non-volatile storage you would lose the encryption keys for the disk as well.

Remember these things are designed to keep you out of the data stored on the disk at all costs.  Also note some some hard-disks have a security erase jumper. If set, in the even the disk is powered on and the correct sequence is not sent to the drive within an amount of time the disk will go into self-destruct mode and erase itself.

Also note that there have been several precedent cases in the UK of people being charged and jailed for "Circumventing effective technological security mechanisms.", though I'm not sure how well this would apply in this case if there is no criminal intent.

[CJay]

There was a "joe in Australia" who could zero out the password for you.  You had to pull the eprom off the motherboard and send it to him.  Don't know if he is still in business anymore.

http://www.ja.axxs.net/

That's the guy, lovely bloke.

[ciccio]

Years ago a friend came to me with the HP laptop of one of his customers, an Algerian businessman. He had fired one employee and this one, before leaving, had set a new password on every PC in the office,  including the server and this specific  laptop. A local technician was able to restore all the other PC, but not this.
I called HP support, who confirmed that the password was stored both in the BIOS and in the HDD, and offered to restore it for a fee, but asked for a proof-of-purchase.
If I remember well, they said that they could generate a "master" password by knowing the serial number.
The laptop was bought second-hand, from a guy in France who seemed vanished (maybe it was stolen?), so: no proof of purchase > no password recovery.
The laptop is still sitting in my friend's office..
I think that this level of security is excessive: humans make mistakes and their memory is limited, so...

[paulca]

I think that this level of security is excessive: humans make mistakes and their memory is limited, so...

Don't store anything you can't afford to lose on a user end-point.

The data should be backup securely elsewhere so that it can be restored.  Should a laptop be stolen is is far more important that the data does not fall into the wrong hands.

[KuchateK]

I don't have up to date knowledge, but...

I think newer Toshiba laptops don't have those reset pads around RAM slots. I did it a few times on (very) old ones, usually they weren't marked and only single pad that required shorting to ground.

In laptops passwords are not stored in BIOS. They use external EEPROM where they also keep information such as serial number. This way it is persistent when the BIOS is reprogrammed and they don't have to use any batteries to store settings.

I had locked ThinkPad once and I found about that EEPROM hack. Some time after I did it on an HP and it also worked. The password was in the exact same location (EEPROM address) as on the ThinkPads. I hacked that laptop using nothing else than an Arduino. In the end, I was able to reprogram that EEPROM while it was soldered on the motherboard. Desoldering it was a waste of time.

Look for an EEPROM chip on the motherboard. If you have one it is easy to do.