How I Removed my Forgotten BIOS Administrator Password?

Naman Tamboli
Published in InfoSec Write-ups, 7 min read, Jul 24, 2020

Disclaimer: All the methods used in the article have been performed on my own device, and I have shared them purely for educational purposes. I am not responsible for any sort of damage to intellectual property, assets or otherwise caused through misuse of the below information.


Hello guys… This is my first post on Medium, and I hope you will find it useful. I wanted to share this story of mine because I think some people are stuck on this problem. So without wasting any more time, let’s start.

What is BIOS?

BIOS is non-volatile firmware (non-volatile memory retains stored data after power-off) used to perform hardware initialization before calling the boot loader to start the OS. It holds the computer’s hardware settings and lets us view or modify them, for example changing the boot order or enabling virtualization.

What is a BIOS Password?

In BIOS, you can set up two types of password:

  1. Administrator Password: The computer prompts for this password only when you try to access the BIOS. It is used to prevent others from changing the BIOS settings.
  2. System Password: This is prompted for before the operating system can boot up. It can stop someone from powering up your computer.

BIOS Password prompt

Story:

I have always been serious about security and stuff. So, to avoid unauthorized access to my laptop (I can’t mention my laptop name, but it is a Premium Series laptop), I set up this BIOS Administrator Password in 2019. In March 2020, I got curious about the hardware of the laptop and opened it up from behind to have a look at it. But when I put everything back together and booted the laptop expecting a GRUB screen (my laptop was on a dual boot with Linux and Windows 10), I got a blue screen instead with some security violation error, and a Shim UEFI Management screen (I don’t know what it is) popped up. Still, I was able to boot to my Windows 10.

Sorry for the blurred images

After some searching on Google, I got to know that it was because my Secure Boot was ON. So, I tried to access the BIOS, but I didn’t remember my password. Then, for some work, I decided to access a VM, but it was also not working, and here I got to know that somehow my BIOS had gone back to default settings, meaning Secure Boot ON and Virtualization Technology OFF (no Linux). It means I cannot use VMs, Docker, or WSL-2. I can’t use Linux on my system (locally, and I don’t like WSL-1).

Failed Approaches:

  1. Googled Approach: I googled some tricks to reset the BIOS password, but most of them were old techniques that don’t work now, like removing the CMOS battery, shorting the motherboard jumpers, or using tools like CmosPwd. I found a working solution: after entering the wrong password three times, you get a System Disabled code, which can be used to generate the backdoor BIOS password. But it worked only for consumer laptops (mid-range laptops). For premium laptops, instead of a System Disabled code, SpareKey Recovery is used, which is a USB-based solution.

(i) System Disabled Code & (ii) HP SpareKey Recovery (Example of error)

  2. Service Center: From some company support forums, I got to know that the company provides the smc.bin file to reset the BIOS password. So, I called the service center, and they told me that the company changed its policy in 2019, and they can now only resolve this issue by replacing the motherboard (the price of which is around $450+). I am not spending that much money.

  3. Reverse Engineering: There’s software provided by HP for system administrators to configure the BIOS just by executing a script on the system, i.e., HP BIOS Configuration Utility (BCU). It’s a command-line tool that can change the BIOS passwords and other configurations. So, I thought to look into it to see if I could do something with it. I disassembled the BCU.exe file and tried to understand the code, and it took me some days to get an idea of how it works. I came across some WMI namespaces of Windows, which were working as some sort of functions that take the current password and the new password as input. It was a dead end for me. I was just trying to access the BIOS memory through Windows, but I failed (I am a total beginner in reverse engineering).

Working Approach:

After desperately searching on the internet, I found some forums that solve this kind of problem. I came across two solutions:

  1. Replace the BIOS chip on the motherboard with a pre-programmed BIOS Chip. (I found one on eBay for just $24 from Taiwan)
  2. Reprogram the current BIOS with the correct dump of BIOS with no password. (if the wrong dump is used then it could fry the motherboard)

I went for the 2nd option because international delivery was not available due to COVID-19, and the 1st option was costly too because I would have had to spend more on a technician to replace the BIOS chip (which also involves desoldering and all). So it was not an option.

The 2nd option was good because all they (the forum guy) required was the dump of the BIOS with the Administrator password, and they would just remove the password from it and send the dump back. We just need to reprogram the BIOS chip from that dump (it was a paid service, $15).

Now, how do we take the dump of the BIOS chip?

To take the dump of a BIOS chip, we require two devices:

  1. CH341A EEPROM USB Programmer ($7)
  2. SOIC8 Clip ($6)

CH341a USB Programmer and SOIC8 Clip

I waited one month (till June) for the devices to get delivered; thanks to COVID-19, the Amazon service was not available. During this time, I thought to look into the dumps of other laptops’ BIOS to see how the password can be removed from a BIOS dump. I searched for BIOS dumps on every platform, and I found many dumps on Telegram and Facebook groups. These dumps were unlocked and put there to help technicians solve issues related to BIOS. I tried my luck by looking for a BIOS dump for my laptop but didn’t find the right version.

Process of Creating BIOS Dump:

Note: Before starting, copy the BIOS configuration of your laptop using the BCU utility, as it will be used later. After that, make sure your battery is disconnected from the motherboard and your laptop is not connected to a power cable.

Step 1: Connecting the devices:

(i) BIOS chip & (ii) Clip connected to Chip & (iii) Clip to ch341a USB Programmer

Connect the clip carefully to the BIOS chip (the pink wire should grip the DOT side of the BIOS chip). Now, connect the other end of the clip to the ch341a USB Programmer (25 series). Connect the USB programmer to the other laptop (if the clip has gripped the BIOS chip correctly, then the left-hand side red light will glow. Otherwise, the right side light will glow).

Step 2: Download the ch341a Programmer software and its drivers from Google on that other laptop.

  1. In the software, click on Detect. All the details like Type, Manu, and Name will be fetched automatically.
  2. After that, click on Read and wait for some minutes. The hex fields will fill with the data of the BIOS.
  3. Save the file as a bin file.

Step 3: Now, To write the data into the BIOS chip:

  1. Click on Erase.
  2. Open the BIOS dump file you want to write.
  3. Click on Verify to check the integrity.
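Added example, not part of the original post or of the CH341A software: a Python check to run on the saved dump before clicking Erase, since the chip contents cannot be recovered once a bad read has been the only backup. It compares two separate Reads by SHA-256, rejects a blank or oddly sized file, and confirms the file to be written has the same size as the chip dump; the function name `check_dump` and the small sample buffers are constructed for illustration.

```python
import hashlib
import sys
from pathlib import Path


def check_dump(reads, image=None):
    """Return a list of problems; an empty list means the dump passed.

    reads: bytes objects, one per separate Read of the same chip.
    image: optional bytes of the file that is going to be written.
    """
    if not reads:
        return ["no reads supplied"]
    problems = []
    first = reads[0]
    size = len(first)
    if len(reads) < 2:
        problems.append("only one read: read the chip again and compare")
    # SPI flash capacities are powers of two (16 MiB = 0x1000000 bytes).
    if size == 0 or size & (size - 1):
        problems.append(f"size {size} is not a power of two")
    digests = {hashlib.sha256(r).hexdigest() for r in reads}
    if len(digests) > 1:
        problems.append("reads differ: reseat the clip and read again")
    # Erased flash reads 0xFF; a constant 0x00/0xFF file holds no firmware.
    if size and first[0] in (0x00, 0xFF) and first.count(first[0]) == size:
        problems.append("dump is blank (all 0x00 or all 0xFF)")
    if image is not None and len(image) != size:
        problems.append(f"image is {len(image)} bytes, chip dump is {size}")
    return problems


def demo():
    """Constructed sample data: 4 KiB buffers stand in for 16 MiB dumps."""
    good = bytes(range(256)) * 16
    flipped = good[:100] + b"\x00" + good[101:]  # one unstable byte
    return {
        "good": check_dump([good, good], image=good),
        "unstable": check_dump([good, flipped]),
        "blank": check_dump([b"\xff" * 4096, b"\xff" * 4096]),
        "short_image": check_dump([good, good], image=good[:-1]),
    }


if __name__ == "__main__":
    # Usage: python check_dump.py read1.bin read2.bin
    found = check_dump([Path(p).read_bytes() for p in sys.argv[1:]])
    print("\n".join(found) or "dump looks consistent")
```
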

Now here is the impressive turnaround. When I created the dump of the BIOS chip, I thought to test the BIOS update, which was available on the company’s support page (Drivers and Firmware page). I downloaded the latest update (exe file) and extracted the bin file. Now the size of the extracted bin file and the dump file was the same (16 MB). So, I decided to write that bin file to the BIOS chip, and after a restart……. BOOM!!!!!!!!!!

My Linux machine booted up (followed by some random messages), but there was no GRUB option to select between Windows and Linux. When I restarted it, an error was shown that manufacturing mode was on, but after some prompts, I was able to boot only Windows 10. I tried to access the BIOS, and there was no password. It means that the BIOS is fresh now, but there was no serial number or product number written in the BIOS. So, for that purpose, I used the configuration file I created before starting this process to modify the BIOS settings using the BCU utility.

Thanks, everyone, for reading :)

My LinkedIn:- https://www.linkedin.com/in/namantamboli/
