Hacking Dell Redux

A few months ago, I learned of a simple paperclip trick to remove power-on passwords from Dell laptops. I’ve since discovered that it doesn’t work on every Dell (even models that were previously susceptible to the attack), and that extreme measures may be necessary. Also, if the only password set is an Administrator password, it can easily be removed with an internal Dell utility that has found its way onto the internet.

Administrator passwords only hinder certain changes to the BIOS settings such as boot sequence. Often, though, the option to boot the floppy or optical drive is still enabled, so Dell’s svctag.exe can be used. Svctag erases the EEPROM chip (usually a 256-byte Atmel 24C02) and removes the Administrator password along with the Service Tag. Dell’s asset.com can then be used to reprogram the proper Service Tag. Finally, if your laptop is a Latitude C610 or Inspiron 4100, nicset.exe must also be run to re-enable onboard Ethernet. That last bug caused much frustration, as the onboard Ethernet “enable bit” is inexplicably stored on the EEPROM as well. For now, a complete bootable CD can be obtained here. (As this utility is intended to be used by Dell technicians only, I don’t plan on hosting it myself to avoid legal action.)

The absolute most reliable way of removing passwords I’ve found is to make a copy of an EEPROM from an unprotected laptop of the same model. With the GALEP-4 flash/EEPROM programmer and a SOIC to DIP chip adapter (which are quite affordable, unlike the programmer itself), reading the data from an EEPROM is a piece of cake. A copy can then be made onto any number of blank EEPROM chips, available from outlets like Jameco and Digi-Key. The copy can replace the password-locked EEPROM and allow full access to the machine again. As expected, the “hacked” laptop will display the Service Tag of the machine with the source EEPROM, but it can be changed using the steps above for Administrator password removal.

With a little more time and effort, I may be able to figure out how the passwords are stored in the EEPROM, as they’re not simple plaintext like the Service Tag. I suspect Dell is doing a simple mathematical bit operation like XOR to hide the passwords from view, but more experimentation will be necessary to uncover the secret (i.e. if I change the power-on password by one character, does the whole “encrypted” password string change, or just one character?).

Removing passwords from laptops is not a trivial task and often requires complete disassembly, but with patience and the right tools, nothing is impossible.

Tales From Packaging Hell

The stubborn plastic casing around the Microsoft Xbox 360 faceplate seemed to laugh first at the kitchen scissors and then the steak knife that tried to penetrate it. When 14-year-old Daniel Mroue’s attempt to open the thing with a long, serrated bagel knife failed, his parents became concerned.

Mroue’s father, George, took over with a pair of box-cutters, which did the trick. But George Mroue also ended up with a wad of bandages shoring up the damage after slicing his palm open on a sharpened piece of plastic.

“It was ridiculous,” groused George Mroue of the February incident. “There was nothing anywhere telling us how to open the (darn) thing. I don’t understand why they make it so goddamn hard to open these things.”

That’s an increasingly common question these days. From Psyclone electronics cables encased in impenetrable layers of thick plastic to DigiPower camera batteries coated with packaging several times the size of the item itself, the hardest part of buying electronics these days is opening the products when you get them home. In many cases, it makes solving Halo 2 seem like a kindergarten project.

This article on Wired perfectly illustrates my frustration with today’s hard-to-open consumer electronics products. People should not be getting injured while trying to open a new gadget — that’s a sure sign that something has gone horribly wrong. I’m in favor of other packaging methods mentioned, such as recyclable paper containers like HP ink cartridge boxes or PVC containers “bolted” at the top. Hampering shoplifters is all well and good, but forcing consumers to resort to knives and box-cutters is too much, especially after paying for it in the first place.

Xbox 360 DVD-ROM Hack

Yesterday, a clever hacker released a modified firmware file for the Xbox 360’s DVD drive which essentially causes it to lie to the console about the type of media off which games are running. This comes not long after the release of a similar firmware for the original Xbox, allowing an unmodified (i.e. no modchip) console to run games off a burned DVD. While both of these hacks are impressive, they currently offer no advances towards running unsigned code, particularly on the Xbox 360. Despite that, I’ll soon be picking up a 360 to hack around with. This is the first crack in the wall I’ve been waiting for.

Intel MacBook

Taking a hint from the wildly popular black and white iPod nano models, Apple just released the Intel-based MacBook “consumer” portables. These new Macs are bound to be the most popular ones Apple has ever created, sporting all the must-have features of the MacBook Pro line, but with an unbelievably affordable price tag. Starting at $1099, the MacBooks include the Intel Core Duo chip, which is quickly turning out to be the single best processor choice Apple ever made. Not only do you get stellar Mac OS X performance, you also have the option of running Windows and x86-based Linuxes. Choices, speed, and connectivity are all great, and the MacBook line has plenty to go around. One of these will undoubtedly be my next Mac, although I have yet to decide on a shade. These are going to be huge.

Cloning HP Digital Senders

HP offers a neat series of devices called Digital Senders, which have the capability to scan papers and email a PDF all with the touch of a button. While the newer models like the 9200c work, the older — and discontinued — 9100c is still far more popular in office environments. As with all things digital, they occasionally decide to stop working, often at the most inconvenient time. The most common point of failure in Digital Senders is the built-in hard drive, which is used for storing the operating system, address book, and other critical information. HP offers replacement drives, but they cost a small fortune. Fortunately, the replacements are run-of-the-mill 3 to 10 GB hard drives (worth only a fraction of the price HP would have you pay).

If you have more than one 9100c, a spare hard drive, a standard desktop PC, and a copy of Norton Ghost 2003, you can clone the working Digital Sender and bring the broken one back to life. Personally, I’ve had great success cloning 9100c hard drives using Ghost, however it took a bit of work to get that far.

By default, Norton Ghost clones partitions between hard drives while simultaneously resizing them such that the destination uses all available space — a feature usually taken for granted. This is great when moving an install of Windows XP from one hard drive to another, but having the maximum available space is hardly a concern in a Digital Sender. This feature can also cause some cloned drives to fail, as the device expects the partition sizes to be within certain ranges. Thankfully, a simple “-IR” (Image Raw) switch can force Ghost to do a bit-for-bit copy, ignoring partitions and unused data alike. When using this option, the destination partitions remain the same size despite the likely increase in total available disk space. After all, a 5 or 10 GB IDE hard drive is impossible to find in stores these days.

Using a working 9100c Digital Sender hard drive as a source disk, it’s a good idea to first upgrade the software on it using HP’s tools and reset it to factory defaults in the Shift-Alt-Green, Tools menu. While this is not a necessary step, it’s generally good practice to have the newest Digital Sender software, and to get the configuration as close to the defaults as possible to avoid any conflicts. After resetting it to factory defaults, the Digital Sender will reboot. While the initial RAM test is onscreen, switch it off (similar to pulling the plug on a desktop computer while it’s running POSTs — before the system begins to load and the hard drive gets changed in any way).

With an “untouched” and factory-default 9100c hard drive in hand, it can then be attached to the IDE bus of your computer in Master configuration (the default for 9100c Digital Senders). Then, connect a Slave drive of slightly larger size, as the -IR switch can only copy a drive to one of exactly equal or greater size. Make a Ghost boot disk, and when prompted for any additional switches, enter “-IR”. In the disk creation summary, you can see that ghost.exe is being called by “ghost.exe -IR”. Once the disk is made, boot the computer and use Ghost’s “To Disk” command to copy the 9100c drive to the larger one. Be very careful not to overwrite your good hard drive with the blank one! Since the -IR switch is set, Ghost will pay no attention to partitions as it usually does. Cloning the disk will take a good 10 minutes, since it will be copying several gigabytes bit-for-bit. When done, set the newly cloned Slave drive to Master, and the 9100c should boot off of it without a hitch.

Symantec maintains a list of useful Ghost commands here. Note that the -IR switch is the most “raw” one available, as it does not modify any portion of the data — not even the partition map (as the -ID switch may). For this reason, your clone destination drive must be the same size or larger. A smaller disk simply cannot contain all the data from the source disk, even if the bits technically aren’t used by the Digital Sender.
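The raw-copy workflow above, as an added example that is not part of the original post: a small POSIX shell function that does what the -IR switch does, but with dd (a swapped-in tool, since Ghost is a DOS program), enforces the equal-or-larger destination rule, leaves the partition map alone, and verifies the copy afterwards. It assumes Linux with GNU coreutils and util-linux (`blockdev`), and the device names in the usage comment are placeholders.

```shell
#!/bin/sh
# Bit-for-bit clone with the same rules the Ghost -IR workflow depends on:
# never write to the source, refuse a destination smaller than the source,
# leave the partition table untouched, and verify the copy afterwards.
set -eu

# Size in bytes of a block device or a regular file (assumes util-linux
# blockdev and GNU stat; regular files let the function be exercised
# without real disks).
dev_size() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"
  else
    stat -c %s "$1"
  fi
}

# raw_clone SRC DST: copy every byte of SRC onto the start of DST.
# Argument order is source first, destination second; swapping them is the
# "overwrote the good drive with the blank one" mistake the post warns about.
raw_clone() {
  src=$1
  dst=$2
  src_size=$(dev_size "$src")
  dst_size=$(dev_size "$dst")
  if [ "$dst_size" -lt "$src_size" ]; then
    echo "refusing: destination is $dst_size bytes, source is $src_size bytes" >&2
    return 1
  fi
  # conv=notrunc keeps DST at its own size, so a larger destination simply
  # carries unused space past the end of the cloned image, just as with -IR.
  dd if="$src" of="$dst" bs=1M conv=notrunc,fsync status=none
  # Verify: the first src_size bytes of DST must match SRC exactly.
  head -c "$src_size" "$dst" | cmp -s - "$src"
}

# Example invocation (placeholder device names; run as root on real drives):
#   raw_clone /dev/sdX /dev/sdY
```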

So far, my experiments have worked with every brand of hard drive I’ve tried, with sizes ranging from 5 to 40 GB. This is, of course, after many hours of testing, trials, and errors. If anyone has questions regarding 9100c hard drive cloning, feel free to comment.

Flash Programmer

Wanting to get even further into the inner workings of technology, I recently bought a GALEP-4 Flash and EEPROM programmer which makes it easy to read the contents of various storage chips which are often used to hold device firmware. Although that sounds complicated, the way most electronics work is quite logical. For example, somewhere inside your iPod or Xbox is a chip that holds the instructions to make it run. With this programmer, reading out the contents of said chips is a rather easy task, leaving the challenging part up to future experimenting and hacking. Most PCs also use similar chips, so if any readers have experienced a bad BIOS flash, get in touch and chances are I can help you rewrite the chip with the proper data.