Topic: New Way To Reset Laptop BIOS Passwords (Probook 5670B) (NEW Images)

iamdarkyoshi (Topic starter)

-Mods, if this topic is against the rules, please let me know. I figured the forums would be interested in such an odd technique-

So my job has like 100 HP Probook 6570B's in storage, but they were all bios locked.


 I was unable to unlock them with any tools, and dumping the bios was a lost cause, since the machine scrambles the bios contents on every power cycle. |O

I couldn't just dump the image from a clean unlocked machine on here, because then the UUID and serial would all be changed to the clean one's image.

About to give up, I tried something crazy, and it ended up actually working!



What we'll need is a CH341A programmer and a clip that allows me to clip onto the chip without desoldering; this setup is popular with Coreboot users. We'll also need a Dremel or side cutters to nip out some plastic on this particular model to gain access to the bios chip.



The first step was to dump the bios from the machine. So I unplugged power, and set it down, connected my programmer, and opened up the software.


Hitting autodetect to make sure I've got a good connection


Reading the contents of the chip


Verifying that what I grabbed matches the chip...


And saving the image as the last four characters of the serial (helps me keep track)


Once we have a good dump of the machine's bios, we can erase the chip.


And then we flash a dump from an unlocked laptop of the same model. I found my image online. Sorry, not going to host it here. It's not hard to find if you understand how to use Google.


After this completes, it'll auto verify.



Now that we have a clean image, (with the wrong ids and stuff) we can disconnect our clip and boot up the machine into the BIOS settings.


And now we close the machine, still running, and put the clip back on.



Now we erase the chip again...


And open the original bios image we grabbed from it at the start, and flash it back onto the running machine, where it will auto verify.


Now that we've got the original bios back onto the chip, but have gotten past the password prompt by using the other bios, all we need to do now is save and exit


After rebooting, we're greeted with this confirmation...


After making a selection, we're now back in the BIOS, with no password, and we've got all of the original IDs! From here I'd suggest doing a security and settings reset, and then updating the bios to the latest version.



Presumably what happened was the laptop loaded whatever settings it wanted from the clean image, and stored them in RAM. I noticed once idle in the bios, the machine is not reading or writing to the chip. This is why I was able to live flash it.

When I hit save and exit, it applied the settings it had loaded into RAM into the original copy of the bios, overwriting the password and anything else the machine had enabled.

I have done about 10 of these machines so far and they have all worked perfectly. I've even updated the BIOSes after this and they all took it, no complaints.

I'm going to try the same on some Dells that have a bonus of being Computrace enabled. Not sure if it'll work, but it sure won't hurt to try.



As of right now, I do not know of any other method of erasing the bios password on these machines that retains all the original UUIDs, serial numbers, etc, so let me know if you've got any machines to try, I'd be interested to see your results!
« Last Edit: April 26, 2018, 04:57:20 am by iamdarkyoshi »
 
The following users thanked this post: TerraHertz, edavid, PKTKS, TERRA Operative, MrMobodies

capt bullshot

Thanks, that is quite interesting (though I don't have any machine to unlock).

Just a thought: If you can flash a clean (no password set) image into the BIOS chip, serial etc. would be the same as the "donor", but the machine would be unlocked? If so, wouldn't that be a way to create identical clones of the machine, that can't be distinguished by whatever OS? I can't see any necessity to be able to distinguish the machines by unique IDs, IMO it would be better for privacy or whatsoever if the machines weren't easily identifiable.
Safety devices hinder evolution
 

iamdarkyoshi (Topic starter)


Yeah it will create identical clones, but it also messes with the MAC address on some machines and breaks networking.

Also, these machines will be sold with legitimate copies of Windows on them. Windows uses the UUID to know what license belongs to which motherboard.

The machine stores settings such as boot order in NVRAM, but stores the password in the bios, which is why the password moves with the bios image and doesn't get cleared when you remove the battery.
 

amyk

The "scrambles the bios contents on every power cycle" might not be a security thing. If it's U/EFI based, that could just be the natural wear leveling of the embedded filesystem, unless you're actually seeing different and random-looking data each time.

You could figure out where/how it stores the unique identifiers etc. so you can set them in a clean image before flashing. I'm pretty sure the manufacturers have tools for this --- and I have used ones for older BIOSes --- but don't know if the ones for this particular series have made it to the public.

Regardless, nice work :-+
 

CJay

You could, if you can prove you bought the machines, speak to HP support and they'll give you an unlock for them but your way is an awful lot more fun :)
 
The following users thanked this post: iamdarkyoshi

iamdarkyoshi (Topic starter)

It's pretty nuts what it does, just dumping the bios before and after connecting and disconnecting the charger, the dump seems completely different. Areas that were null now have contents, lines get shifted around, etc.

I could try to find some old dumps from a test machine if you're interested.
« Last Edit: April 25, 2018, 04:19:49 pm by iamdarkyoshi »
 

amyk

Yes, that sounds like wear-leveling.

It's been a while since I did BIOS RE but sure, I don't mind taking a look.
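
The wear-leveling question raised above (relocated and erased blocks versus genuinely random-looking data) can be checked by comparing two dumps block by block. This is an added example, not code from any poster in the thread; the 4 KiB block size, the 7.5 bits/byte threshold and the sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed comparison granularity: a common SPI NOR erase-sector size


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, near 8.0 for random."""
    n = len(data)
    if n == 0:
        return 0.0
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())


def split(image: bytes, size: int = BLOCK):
    return [image[i:i + size] for i in range(0, len(image), size)]


def classify(before: bytes, after: bytes, size: int = BLOCK):
    """Return (offset, kind, entropy) for every block of `after`.

    same   - identical content at the same offset in `before`
    erased - block is now all 0xFF (erased flash)
    moved  - identical content existed in `before` at another offset
    new    - content not present anywhere in `before`
    """
    old = split(before, size)
    seen = {hashlib.sha256(b).digest() for b in old}
    report = []
    for i, blk in enumerate(split(after, size)):
        if i < len(old) and old[i] == blk:
            kind = "same"
        elif blk.count(0xFF) == len(blk):
            kind = "erased"
        elif hashlib.sha256(blk).digest() in seen:
            kind = "moved"
        else:
            kind = "new"
        report.append((i * size, kind, entropy(blk)))
    return report


def summarize(report, high: float = 7.5):
    """Count changed blocks; `random_like` = new blocks with near-random entropy."""
    changed = [r for r in report if r[1] != "same"]
    kinds = Counter(kind for _, kind, _ in changed)
    return {
        "changed": len(changed),
        "moved": kinds["moved"],
        "erased": kinds["erased"],
        "new": kinds["new"],
        "random_like": sum(1 for _, k, e in changed if k == "new" and e >= high),
    }


def sample_dumps():
    """Constructed 16 KiB images standing in for two reads of the same chip."""
    code = bytes((i * 7 + 3) % 251 for i in range(BLOCK))   # stand-in firmware code
    store = (b"VAR:BootOrder=0001;" * 300)[:BLOCK]           # stand-in settings store
    update = (b"VAR:BootOrder=0002;" * 300)[:BLOCK]          # rewritten settings
    erased = b"\xff" * BLOCK
    return code + store + erased + erased, code + erased + store + update


if __name__ == "__main__":
    before, after = sample_dumps()
    for offset, kind, ent in classify(before, after):
        print(f"0x{offset:06x}  {kind:<6}  entropy={ent:.2f}")
    print(summarize(classify(before, after)))
```

A result dominated by `moved` and `erased` blocks with low-entropy `new` ones matches a store being relocated between sectors; many `new` blocks counted as `random_like` would point to data that really differs and looks random on each read.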
 

iamdarkyoshi (Topic starter)
« Reply #7 on: April 26, 2018, 05:04:27 am »
Updated thread with more detailed instructions, with images too.

I'm on machine number 15 now, still not a single issue.
 

TerraHertz
« Reply #8 on: April 26, 2018, 12:17:16 pm »
Interesting.
I have around 60 Lenovo IdeaPad S10e, all BIOS locked, and with Computrace.
Plus about 100 other Lenovo Thinkpads, also locked & Computrace.

Also thanks for the CH341A info. Ordered, and the clip.
« Last Edit: April 26, 2018, 12:50:28 pm by TerraHertz »
Collecting old scopes, logic analyzers, and unfinished projects. http://everist.org
 

CJay
« Reply #9 on: April 26, 2018, 12:31:20 pm »
The Computrace might not be removable if it's been fully activated, though I don't know where the code 'lives', so a reflash could well fix that problem too.

I have used this guy's services in the past, he's very personable and helpful

http://www.ja.axxs.net/keymaker_kmx1.htm

But, it would be very interesting to see if IamDarkYoshi's procedure works.

*Edit*: Joe might not be helpful, seems he's still dealing with the 24RF08. I don't know exactly how the newer Thinkpads handle passwords, so YMMV; definitely needs investigation.
« Last Edit: April 26, 2018, 12:38:57 pm by CJay »
 

iamdarkyoshi (Topic starter)
« Reply #10 on: April 26, 2018, 04:12:14 pm »
From what I've heard, the only two ways to remove Computrace is to contact Computrace and tell them you bought a machine with CT enabled, and they may just give you an unlock code.

The other option is to build a coreboot bios, which supports many thinkpads.
 

TerraHertz
« Reply #11 on: May 15, 2018, 08:32:06 am »
My CH341Pro units arrived.
Drivers installed, and I found a copy of the programming utility at https://www.laboneinside.com/ch341a-mini-programmer-software/
It works with a random 24C16 I had lying around, so the PCB works.
But the programming utility is Ver 1.18  2004 - very old.
I've emailed SkyGz@QQ.com about obtaining a current version ($10.) But there are suggestions that may only run under Win10. I use WinXP mostly.

@iamdarkyoshi, what version is yours, where from, and what OS compatibility does it have?

ricktendo
« Reply #12 on: May 15, 2018, 06:11:36 pm »
Flashcat USB is a good alternative, especially the new PCB version 2.2; this can better handle in-circuit reading of the SPI flash because of increased power over the past versions. Supports tons of flash types, and software/firmware is updated regularly.
« Last Edit: May 15, 2018, 06:33:08 pm by ricktendo »
 
The following users thanked this post: radzeck

TerraHertz
« Reply #13 on: May 17, 2018, 08:20:46 am »
Looks nice, and also affordable. (Edit: Nope, the programming software uses MS .NET. That rules it out for me.)

The CH341 units have the great advantage of being dirt cheap. US $2.44 each, I bought 4. They are disposable.

My workhorse device programmer for years has been a TopMax, but the last software update for that was in Dec 2004 so it's getting long in the tooth.
But I depend on it, and I'm definitely not going to run wires between the socket of that, and a laptop motherboard.

Anyway, I am thinking of getting a current device programmer.
Has anyone bought one of these -

https://www.banggood.com/RT809H-EMMC-Nand-Flash-Extremely-Fast-Universal-Programmer-Kit-Programmer-29-Adapters-With-Cables-p-1239058.html
  RT809H EMMC-Nand Flash Extremely Fast Universal Programmer Kit Programmer + 29pcs Adapters With Cables
  Price: AU$ 271.58

https://www.aliexpress.com/item/Free-shipping-100-original-RT809H-EMMC-Nand-FLASH-Extremely-fast-universal-Programmer-RT809H-better-than-RT809F/32831933145.html
  US $175.00
« Last Edit: May 17, 2018, 08:29:02 am by TerraHertz »

TerraHertz
« Reply #14 on: May 19, 2018, 11:54:15 am »
An update.
I received the latest version (1.34) of the programming software from the author, SkyGz@QQ.com
It's still compatible with WinXP. (and the rest)
It has hardware-keyed registration. You run the util, it reports a hardware key.
You post that and the name you want the software registered for, to the author.
He sends you a registration key.  Keys and software upgrades are free.
The author has minimal English, so don't expect to have a conversation.

In my case I asked for three keys (for 3 PCs) and received them OK. The programmer works.

Pretty good value really.  Programmers are US $2.44 each, software is US $10.

https://www.aliexpress.com/item/CH341A-programmer-USB-motherboard-routing-BIOS-LCD-FLASH-2425-burner/32599473821.html

One thing to beware of - apparently these 'Black PCB' CH341APro boards have the chip orientation in the ZIF socket reversed from some previous PCBs. So the chip orientation shown in the programmer software is backwards. Go by the silkscreen diagram on the PCB.


« Last Edit: May 19, 2018, 06:08:14 pm by TerraHertz »

SqPegRndHole
« Reply #15 on: November 30, 2019, 03:23:06 pm »
I know this topic has been dead for a long time, but I have a joblot of 6570b Probooks, bios locked. After following the guide in this thread, I'm unable to write the original bios file (dump) to the chip in the last stage of the process. With the machine turned on with the good bios installed I'm able to access the bios, with the serial no. and uuid no. being incorrect. When I try to write to the bios it times out instantly. Am I doing something wrong?
Hopefully Iamdarkyoshi reads this post. :D
 

iamdarkyoshi (Topic starter)
« Reply #16 on: March 28, 2020, 10:02:30 am »
Can you post a pic of the programmer you're using? Apologies for the delays in reading the thread, I've been busy, and just recently jobless...

I managed to find a dump of tons of different versions of the software, but I've actually started to use Linux for these tasks. Turns out, unsurprisingly, that these programmers can be used with the Linux terminal and one software package, and they have so much more support in Linux. If interested, I could dig out the dump of Windows software on my Windows chromebook.
 

prakashbafna
« Reply #17 on: April 15, 2022, 06:34:51 am »
Hello... I have an HP Probook 6560b; it was purchased from eBay with an unknown bios password. I have been searching for a perfect reset method without erasing the original UUID & serial no. I tried several things suggested on the internet but with no positive outcome. I found your solution most convincing & logical, so I have ordered the programmer & connector clamp set. I just wanted to know if it is necessary to re-write the original dump on a running machine; have you tried it with the machine shut off? I know it's an old topic but can you help me out...
Thanks in advance... :) :)
 

PKTKS

In other words... MS claims property of everyone's hardware as theirs to do whatever they need to milk their cash cow... at the expense of all their "customers" which they put hands on pockets..

This was one of the most brilliant and efficient ideas I saw recently... ::)

I assume they will soon force push their own "CHIP PROCESSOR" paid by the idiot users...

And such methods will no longer even be available...
Paul
 

CJay

Don't be silly, nothing about a UUID or even the serial number and MAC mean MS claim ownership, they're just identifying marks that should be unique to every machine which MS use for licence management.

 

 

PKTKS
« Reply #20 on: April 17, 2022, 08:36:13 am »
The way I see things changed over time
.. keeping pace with the methods they have used to exclude competition and take vertical control over all things..

Way too much... the idea of keeping the system running to overwrite a screwed, crippled bios is brilliant..

Unfortunately things like the TPM chip and the Pluton chip are here to change the bios itself.. as they tried with UEFI.. and locked boots..

Nothing silly about MS. They have been the worst group of jerk assholes in IT since day one..

Nothing changed... but obviously the methods are getting worse.

Thanks very much to the author for the brilliant idea.. appreciated

Paul
 

