Archives

All posts for the month February, 2019

One of the pitfalls of getting previously-used equipment is that there can be an unexpected roadblock to doing something trivial, like a BIOS update.

While testing the INTEL-SA-00086 Detection Tool, which is a simple and easy way to see whether or not your system is vulnerable to the Spectre and Meltdown vulnerabilities (as they’re currently defined), I found a system that was running the A20 version of the BIOS. A22 is the current version.

Trying to run the update utility resulted in a request for me to enter the BIOS admin password. This is a piece of equipment that I got from another area, and while I could contact them, the Latitude E6530 is old enough that I figured someone had reverse-engineered the BIOS password reset algorithm. I was not wrong.

As soon as I saw the interface for the site that solved my problem, I recognized it after seeing it several years before to resolve the same issue.

Going in to the BIOS, and entering the Security tab, and entering an incorrect password gives me what’s called the serial number, or service number, in the format of “1234567-595B “. This code, when used at https://bios-pw.org will give you a bunch of different passwords to try. Thankfully, these older machines have no attempt countermeasures, so one can simply mash in numbers over and over.

The second or third entry was the key for my machine, and instead of letting me change the password, or just unlocking it, the code removed the password entirely. Handy! Bummer, however, for people who think that an admin password is any more than a WEP-level block against access to a system or changing of settings.

The neat thing about the site is that it seems to be based on research from a few people, and that it’s source code is available on GitHub: https://github.com/bacher09/pwgen-for-bios