mbirth/wiki.mbirth.de
1
0
Fork 0
mirror of https://github.com/mbirth/wiki.git synced 2024-09-19 06:23:25 +01:00
Code Issues Releases Wiki Activity
gh-pages
wiki.mbirth.de/know-how/hacking/bios-password/_posts/2008-07-20-sony-vaio.md

4.5 KiB
Raw Permalink Blame History

created layout layout_old redirect_to tags title toc updated
2008-07-20 15:44:48 +0200 redirect default https://blog.mbirth.de/archives/2008/07/20/sony-vaio.html
know-how
hacking
hardware
bios
passwords
sony
vaio
SONY VAIO false 2008-07-20 17:34:22 +0200

In the newer SONY VAIO Notebooks, the BIOS password is no longer stored in the volatile CMOS-area but on an EEPROM.

Jean Delvare has published his results of an analysis of various Sony Vaio EEPROM dumps on his homepage. There you can see that the BIOS password is stored encrypted in the first 7 Bytes of the EEPROM and, if no password is set, these Bytes are 00h. So if you delete the whole chip - like you can do with DELL notebooks - you should get rid of the password.

Unfortunately, this would delete all other informations like e.g. serial number, model name, etc., so that specific Sony-Applications might cause trouble or even don't accept the notebook as a SONY-device.

If you are still able to boot up the notebook, but only can't get into the BIOS setup, you can approach the password the following way:

  • download and extract the DOS-version of HWiNFO
  • copy the program GETSMBUS.EXE from HWiNFO to a FAT(32)-partition on the target computer or on a floppy.
  • boot up a DOS-based operating system, e.g. from a Win98/WinME-Installation-CD.
  • run the program GETSMBUS.EXE.

The file SMBUS57.DAT created by GETSMBUS.EXE contains a complete dump of the EEPROM at address 0x57 - in 99% the SONY VAIO chip. The EEPROM can be read easily through the so-called SMBus. Usually the SMBus is used to query e.g. the RAM-modules for Vendor and Speed-Infos (they have a similar EEPROM). Also temperatures and fan-speeds can be read through the SMBus.

Now you have the encrypted password and only have to decrypt it.

Alternatively, you can desolder the EEPROM (likely of Type 93C46) and read it with an EEPROM-Programmer. Or just overwrite the first 7 Bytes with 00h. But it seems as if the EEPROM is built onto the bottom side of the mainboard and therefore it's hard to reach.

Decrypt the password

If you take a look onto the encrypted Bytes with a Hex-Editor, you'll soon notice that each Byte is an even number. So just divide by 2 and take a look at the character with this ASCII-code.

I also wrote a small Program which is able to parse the file SMBUS57.DAT or even query the SMBus directly. From the obtained data it shows informations about the SONY Vaio-notebook - even the password(s). Here is a screen-shot:

![]({{ site.url }}/assets/sva.png)

Download here: [Sony VAIO Analyzer]({{ site.url }}/assets/sony_vaio_analyzer.zip)

Interior views

PCG-Z1XEP

This is an interior view of a SONY VAIO Z1:

![]({{ site.url }}/assets/sonyvaio.jpg)

(The DIP-switches below the keyboard are probably for setting the used TFT-panel. You can not delete the password with them anyway!)

PCG-V505

This is a naked SONY VAIO V505:

![]({{ site.url }}/assets/sonyv505.jpg)

[Back to overview.]({% post_url 2009-10-30-bios-passwords %})

*[EEPROM]: Electrically Erasable Programmable Read-Only Memory *[DIP]: Dual In-Line Package *[BIOS]: Basic Input/Output System *[CMOS]: Complementary Metal-Oxide-Semiconductor *[SMBus]: System Management Bus *[ASCII]: American Standard Code for Information Interchange *[DOS]: Disk Operating System *[VAIO]: Visual Audio Intelligent Organizer, formerly: Video Audio Integrated Operation *[CD]: Compact Disc *[FAT]: File Allocation Table *[RAM]: Random Access Memory *[TFT]: Thin Film Transistor