Hacking Dell Redux

A few months ago, I learned of a simple paperclip trick to remove power-on passwords from Dell laptops. I’ve since discovered that it doesn’t work on every Dell (even models that were previously susceptible to the attack), and that extreme measures may be necessary. Also, if the only password set is an Administrator password, it can easily be removed with an internal Dell utility that has found its way onto the internet.

Administrator passwords only hinder certain changes to the BIOS settings such as boot sequence. Often, though, the option to boot the floppy or optical drive is still enabled, so Dell’s svctag.exe can be used. Svctag erases the EEPROM chip (usually a 256-byte Atmel 24C02) and removes the Administrator password along with the Service Tag. Dell’s asset.com can then be used to reprogram the proper Service Tag. Finally, if your laptop is a Latitude C610 or Inspiron 4100, nicset.exe must also be run to re-enable onboard Ethernet. That last bug caused much frustration, as the onboard Ethernet “enable bit” is inexplicably stored on the EEPROM as well. For now, a complete bootable CD can be obtained here. (As this utility is intended to be used by Dell technicians only, I don’t plan on hosting it myself to avoid legal action.)

The absolute most reliable way of removing passwords I’ve found is to make a copy of an EEPROM from an unprotected laptop of the same model. With the GALEP-4 flash/EEPROM programmer and a SOIC-to-DIP chip adapter (which is quite affordable, unlike the programmer itself), reading the data from an EEPROM is a piece of cake. A copy can then be made onto any number of blank EEPROM chips, available from outlets like Jameco and Digi-Key. The copy can replace the password-locked EEPROM and allow full access to the machine again. As expected, the “hacked” laptop will display the Service Tag of the machine with the source EEPROM, but it can be changed using the steps above for Administrator password removal.

With a little more time and effort, I may be able to figure out how the passwords are stored in the EEPROM, as they’re not simple plaintext like the Service Tag. I suspect Dell is doing a simple mathematical bit operation like XOR to hide the passwords from view, but more experimentation will be necessary to uncover the secret (i.e. if I change the power-on password by one character, does the whole “encrypted” password string change, or just one character?).
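The one-character experiment described above can be framed as a diffusion check on two dumps. The following is an added example, not code from the original post: the field offset, field length, XOR key, salt and passwords are all constructed assumptions and do not reflect Dell's actual EEPROM layout. It contrasts a per-byte XOR mask (one stored byte changes) with a salted hash (the whole field changes).

```python
import hashlib

EEPROM_SIZE = 256      # 24C02 capacity named in the article
FIELD_OFFSET = 0x40    # hypothetical offset of the stored password field
FIELD_LEN = 16         # hypothetical field length


def store_xor(password: bytes, key: int = 0x5A) -> bytes:
    """Toy per-byte masking with a constant key (assumed, not Dell's scheme)."""
    padded = password[:FIELD_LEN].ljust(FIELD_LEN, b"\x00")
    return bytes(b ^ key for b in padded)


def store_hash(password: bytes, salt: bytes = b"constructed-salt") -> bytes:
    """Contrast case: truncated salted SHA-256, which diffuses every input bit."""
    return hashlib.sha256(salt + password).digest()[:FIELD_LEN]


def make_image(field: bytes) -> bytes:
    """Build a constructed 256-byte dump with the field at FIELD_OFFSET."""
    image = bytearray(b"\xff" * EEPROM_SIZE)
    image[FIELD_OFFSET:FIELD_OFFSET + FIELD_LEN] = field[:FIELD_LEN]
    return bytes(image)


def changed_offsets(dump_a: bytes, dump_b: bytes) -> list[int]:
    """Offsets at which two equal-sized dumps differ."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps must be the same size")
    return [i for i, (x, y) in enumerate(zip(dump_a, dump_b)) if x != y]


def classify(dump_a: bytes, dump_b: bytes) -> str:
    """'localized' = one byte moved (no diffusion); 'diffused' = many did."""
    n = len(changed_offsets(dump_a, dump_b))
    return "identical" if n == 0 else "localized" if n == 1 else "diffused"


if __name__ == "__main__":
    old, new = b"paperclip1", b"paperclip2"   # constructed, differ in one character
    for name, scheme in (("xor", store_xor), ("hash", store_hash)):
        a, b = make_image(scheme(old)), make_image(scheme(new))
        print(name, classify(a, b), [hex(o) for o in changed_offsets(a, b)])
```

A "localized" result means the stored form preserves the position of each input character, which is obfuscation rather than protection; a hashed field would show every byte of the field changing.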

Removing passwords from laptops is not a trivial task and often requires complete disassembly, but with patience and the right tools, nothing is impossible.

18 thoughts on “Hacking Dell Redux”

  1. Martin says:

    Hi, Good info here. I’d like to do similar with the DELL battery eeprom info too…

    I floundered around with Rapidshare.com to get that bootcd.iso file. In the end it said I’d got it already when I hadn’t. Have you seen this file anywhere more accessible?

    Thanks
    Martin

  2. Just visit the RapidShare link and click the “Free” button. It just worked for me. I might be able to put a copy of the CD up on a torrent site somewhere…

  3. badman says:

    superb matey had a fake STag now inserted the correct one……once again top dog!

    PS looked all over to try and get some programs to do this but as usual very hard to find

  4. Matt says:

    Collin,

    I had the screen replaced on my Inspiron 1150 and the capable technician apparently had to erase my password EPROM. I have used the asset utility to reinstall the service tag, but the onboard NIC is almost never recognized. I tried using the nicset.exe utility from a DOS CD, but it does not seem to work. Please send any recommendations to mbaker@edgeresearch.net. Thanks.

  5. MrStrongHold says:

    DELL INSPIRON 1150
    Service Tag – 4977y51-a95b

    Does anyone have a for-sure way of erasing the EEPROM chip so that I can change the booting sequence? I’d like to reinstall Windows on this PC, but I can’t get past the message:
    “This Computer System, is protected by a password Authentication System. You Cannot Access The Data On This Computer Without The Correct Password”

    If there is any HELP!!! out there please contact me jetermr78@yahoo.com

  6. Tony says:

    Hi
    Purchased a Dell Latitude D630 from an auction website but cannot access the damn thing as it is BIOS password locked. This was meant to be for my kids to play with and thus the reason why I did not think of spending too much cash on it (hmmm, now I wonder if I did the right thing). I have been informed that even though the laptop is still under warranty that the seller cannot help me as he got this from someone else. Anyway a dispute is going on about this on the auction website.

    I have searched high and low for something to help me. I know there are password generators out there but I cannot access them. It’s not that I don’t mind paying $5 or $10 for it but what concerns me with these websites is that they want credit card details and that I am not too keen on.

    The Tag number is: 8W2DN3J-595B

    I would be grateful if you could please help me out on this.

    Thanks

  7. Tony says:

    Sorry, the email address I provided in my previous comment was incorrect. The email in this reply is the correct email address.
