# cracking hp probook bios 2

After a failed attempt (see my previous post) to re-gain access to my HP-probook 5310m laptop due to a bios pre-boot authentication, I decided to give it another go.

First of all, we needed to dump the bios chip, but as it it is not easily accessible, we need to take the machine apart.

then I added some wires to the probook’s bios chip, but as it I couldn’t get consistent bios dumps, I removed the bios chip and soldered wires to it: [

but any two dumps of the chip (using flashrom and a buspirate), it’s checksum differed. Therefore, decided to create really short wires(2cm),  solder them to the chip’s legs and put the header directly on my programmer (Don’t forget to pull the Hold pin to VCC in order to communicate with the chip ;) ). This resulted in consisted reads :), so know we were ready to start poking around in the bios dump.

I used flashrom from git, as the stable version didn’t properly detect flash chip, and beta firmware for the busprite so it could run on 8mhz spi mode).

flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=8m -c MX25L1608d/MX25L1673E -r dump.bin


I’ve stated up my Linux-Mint desktop and the Hex editor Okteta. I remembered I set at some point the tag-name of the computer to my name, so tried to find my name somewhere in the dump, no success. After some fiddling around, I noticed that all human readable strings consisted of their ASCII value, and a second byte 0x00. So when I searched for my name again, but this time, added after every char (in ASCII notation) a 0x00, I could find it back in the  file.

After this, I stared searching for password related strings like “USER, passwords,…”, As it turns out, the bios has some kind of multi-user registry, don’t ask me why, but you can create multiple users with different roles (for bios access)._

Then I encountered some very promising fields: * B.i.o.s.U.s.e.r.0.3.., * B.i.o.s.U.s.e.r.0.1, * and H.a.r.d.D.i.s.k.S.e.c.u.r.i.t.y

These strings where all separated by 3x 0x00, then some values usually two bytes, and a whole set of 0xFF’s, this range was then delimited by a AA 55 F7.

I altered the bytes into 0xFF after the prefix and the delimiter, and saved the bios file.

Then we flash the altered bios file in the chip:

And solder it back into the laptop.

RESULT!!!

This time, i got a strange login-screen, no mouse-cursor.. so we definitively changed something. I pressed enter and could actually log into the bios, and boot some OS.

I recovered windows from my HP recovery disk I had lying around, and started the HP-protect tools, figuring I could fix this strange looking login screen. I enabled the administrator account and the user account for the Pre-Boot authentication. This fixed the login indeed. But I didn’t like the login bit, so i removed the accounts. Finally i removed all accounts via the administrator account in the bios, this lead to a normal boot procedure.

So no i was able to write this blog, via my unbricked laptop :)