How to remove the BIOS password on notebooks with a screwdriver

On both desktops and notebooks, there is an option to set a BIOS password. It can prove useful to prevent unauthorized users from accessing the system and to avoid changes to fundamental aspects of how the computer operates.

We have seen how to enter the BIOS on any device and why it is advisable to move carefully among its settings. Some BIOSes allow you to adjust the voltages and frequencies of some hardware components. This advanced feature lets users customize system behavior as well as optimize performance according to their needs. Then there are the memory settings: the BIOS allows you to configure clock frequency, latency timings and overclocking profiles. You will also find settings for power management, connected devices, hardware virtualization options and the boot sequence. For this reason it can be useful to set a password on the BIOS to avoid unauthorized, and sometimes even potentially dangerous, changes.

Where the BIOS password is stored on notebooks

It can happen, however, that you forget the BIOS password, or that you purchase a system that has one set without knowing the string that protects the machine. What can you do in these cases? Many users immediately think of temporarily removing the backup battery on the motherboard.

The fact is that in the vast majority of cases, disconnecting the CMOS battery does not bring any results. In recent years manufacturers have started to store BIOS passwords in a non-volatile memory physically connected to the motherboard.

The experts of the cybersecurity company CyberCX used a simple screwdriver to solve the problem and bypass the password set at the BIOS level. How did they do it? We explain this in the following section.

BIOS password: how to delete it with a screwdriver

We said that simply removing the backup battery now has no effect on removing the BIOS password. Working on some Lenovo notebooks, CyberCX researchers initially turned their attention to the EEPROM chips installed on the motherboard. The goal was obviously to locate the EEPROM chip responsible for storing the BIOS password. The assumption was that excluding this module would result in the cancellation of the protection.

CyberCX notes that, on Lenovo-branded notebooks, the EEPROM chips in question can come in various "forms" (see image below).

EEPROM chips used on many notebook models (source: Ablic Inc.)

Having found the right chip on the laptop's motherboard, CyberCX then located the SCL and SDA pins. The SCL (Serial Clock Line) and SDA (Serial Data Line) pins are used for serial communication with the EEPROM chip. SCL is the serial clock line and is used to synchronize communication between the controller and the EEPROM chip; SDA is used to transfer data between the controller and the chip. Through this line, the controller sends the data to write to memory or requests data to read from the EEPROM.

By shorting the SCL and SDA pins at the right time, you can achieve the desired effect: the BIOS no longer has any password and you can gain full control over the system configuration.

[Image: resetting the BIOS password by shorting the EEPROM pins]

The trick described by CyberCX works on older laptops, not only those from Lenovo but also from other manufacturers. On more recent models, in fact, laptop motherboards host chips that combine the BIOS and EEPROM functions. They are also SMD-type devices (Surface Mount Devices): electronic components mounted directly on the printed circuit board, small and flat so as to be ultra-compact.

On modern laptops, therefore, bypassing the BIOS password would require an off-chip attack, which is significantly more difficult to perform, especially for ordinary users. An off-chip attack would have to exploit vulnerabilities in external components with the aim of altering, as a consequence, the functioning of the BIOS.

The opening image is taken from the analysis published by CyberCX.

