Hacking Dell Redux
May 26, 2006
A few months ago, I learned of a simple paperclip trick to remove power-on passwords from Dell laptops. I’ve since discovered that it doesn’t work on every Dell (even models that were previously susceptible to the attack), and that extreme measures may be necessary. Also, if the only password set is an Administrator password, it can easily be removed with an internal Dell utility that has found its way onto the internet.
Administrator passwords only hinder certain changes to the BIOS settings such as boot sequence. Often, though, the option to boot the floppy or optical drive is still enabled, so Dell’s svctag.exe can be used. Svctag erases the EEPROM chip (usually a 256 byte Atmel 24C02) and removes the Administrator password along with the Service Tag. Dell’s asset.com can then be used to reprogram the proper Service Tag. Finally, if your laptop is a Latitude C610 or Inspiron 4100, nicset.exe must also be run to re-enable onboard Ethernet. That last bug caused much frustration, as the onboard Ethernet “enable bit” is inexplicably stored on the EEPROM as well. For now, a complete bootable CD can be obtained here. (As this utility is intended to be used by Dell technicians only, I don’t plan on hosting it myself to avoid legal action.)
The absolute most reliable way of removing passwords I’ve found is to make a copy of an EEPROM from an unprotected laptop of the same model. With the GALEP-4 flash/EEPROM programmer and a SOIC to DIP chip adapter (which are quite affordable, unlike the programmer itself), reading the data from an EEPROM is a piece of cake. A copy can then be made onto any number of blank EEPROM chips, available from outlets like Jameco and Digi-Key. The copy can replace the password-locked EEPROM and allow full access to the machine again. As expected, the “hacked” laptop will display the Service Tag of the machine with the source EEPROM, but it can be changed using the steps above for Administrator password removal.
With a little more time and effort, I may be able to figure out how the passwords are stored in the EEPROM, as they’re not simple plaintext like the Service Tag. I suspect Dell is doing a simple mathematical bit operation like XOR to hide the passwords from view, but more experimentation will be necessary to uncover the secret (i.e. if I change the power-on password by one character, does the whole “encrypted” password string change, or just one character?).
Removing passwords from laptops is not a trivial task and often requires complete disassembly, but with patience and the right tools, nothing is impossible.