mbirth/wiki.mbirth.de
1
0
Fork 0
mirror of https://github.com/mbirth/wiki.git synced 2024-11-09 13:16:45 +00:00
Code Issues Releases Wiki Activity
99e41e7a92
wiki.mbirth.de/know-how/hacking/bios-password/_posts/2008-07-20-sony-vaio.md

120 lines
4.5 KiB
Markdown
Raw Blame History

---
title: SONY VAIO
layout: default
created: 2008-07-20 15:44:48 +0200
updated: 2008-07-20 17:34:22 +0200
toc: false
tags:
- know-how
- hacking
- hardware
- bios
- passwords
- sony
- vaio
---
In the newer SONY VAIO Notebooks, the BIOS password is no longer stored in the volatile CMOS-area but on an EEPROM.
Jean Delvare has published [his results](http://khali.linux-fr.org/vaio/eeprom.html) of an analysis of various Sony
Vaio EEPROM dumps on [his homepage](http://www.ensicaen.ismra.fr/~delvare/). There you can see that the BIOS password
is stored encrypted in the first 7 Bytes of the EEPROM and, if no password is set, these Bytes are 00h. So if you
delete the whole chip - like you can do with DELL notebooks - you should get rid of the password.
Unfortunately, this would delete all other informations like e.g. serial number, model name, etc., so that specific
Sony-Applications might cause trouble or even don't accept the notebook as a SONY-device.
If you are still able to boot up the notebook, but only can't get into the BIOS setup, you can approach the password
the following way:
* download and extract the DOS-version of [HWiNFO](http://www.hwinfo.com)
* copy the program GETSMBUS.EXE from HWiNFO to a FAT(32)-partition on the target computer or on a floppy.
* boot up a DOS-based operating system, e.g. from a Win98/WinME-Installation-CD.
* run the program GETSMBUS.EXE.
The file `SMBUS57.DAT` created by GETSMBUS.EXE contains a complete dump of the EEPROM at address 0x57 - in 99% the SONY
VAIO chip. The EEPROM can be read easily through the so-called SMBus. Usually the SMBus is used to query e.g. the
RAM-modules for Vendor and Speed-Infos (they have a similar EEPROM). Also temperatures and fan-speeds can be read
through the SMBus.
Now you have the encrypted password and only have to decrypt it.
Alternatively, you can desolder the EEPROM (likely of Type 93C46) and read it with an EEPROM-Programmer. Or just
overwrite the first 7 Bytes with 00h. But it seems as if the EEPROM is built onto the bottom side of the mainboard and
therefore it's hard to reach.
Decrypt the password
====================
If you take a look onto the encrypted Bytes with a Hex-Editor, you'll soon notice that each Byte is an even number. So
just divide by 2 and take a look at the character with this ASCII-code.
<script type="text/javascript">
document.write('<p>I wrote a small JavaScript to demonstrate it. After entering the 7 Bytes with the encrypted password, it calculates the password in cleartext.</p>');
document.write('<p><form name="sony">Enter 7 Bytes as Hex: <input type="text" name="vaio" maxlength=20 size=20 value="a8 ca e6 e8 00 00 00" /><input type="button" value="Calculate password" onClick="ShowPwd();" /></form></p>');
function ShowPwd() {
var xBytes = document.sony.vaio.value.toLowerCase();
var xHexset = new String('0123456789abcdef');
var xPwd = '';
var xVal = 0;
for (var i=0;i<=6;i++) {
xCA1 = xBytes.charAt(i*3);
xCA2 = xBytes.charAt(i*3+1);
xVal1 = xHexset.indexOf(xCA1);
xVal2 = xHexset.indexOf(xCA2);
xVal = (xVal1*16 + xVal2) / 2;
if (xVal>0) { xPwd += String.fromCharCode(xVal); } else { break; }
}
alert('The BIOS-password is: "'+xPwd+'"');
}
</script>
I also wrote a small Program which is able to parse the file `SMBUS57.DAT` or even query the SMBus directly. From the
obtained data it shows informations about the SONY Vaio-notebook - even the password(s). Here is a screen-shot:
![]({{ site.url }}/assets/sva.png)
**Download here:** [Sony VAIO Analyzer]({{ site.url }}/assets/sony_vaio_analyzer.zip)
Interior views
==============
PCG-Z1XEP
---------
This is an interior view of a SONY VAIO Z1:
![]({{ site.url }}/assets/sonyvaio.jpg)
(The DIP-switches below the keyboard are probably for setting the used TFT-panel. You can not delete the password with
them anyway!)
PCG-V505
--------
This is a naked SONY VAIO V505:
![]({{ site.url }}/assets/sonyv505.jpg)
[Back to overview.]({% post_url 2009-10-30-bios-passwords %})
*[EEPROM]: Electrically Erasable Programmable Read-Only Memory
*[DIP]: Dual In-Line Package
*[BIOS]: Basic Input/Output System
*[CMOS]: Complementary Metal-Oxide-Semiconductor
*[SMBus]: System Management Bus
*[ASCII]: American Standard Code for Information Interchange
*[DOS]: Disk Operating System
*[VAIO]: Visual Audio Intelligent Organizer, formerly: Video Audio Integrated Operation
*[CD]: Compact Disc
*[FAT]: File Allocation Table
*[RAM]: Random Access Memory
*[TFT]: Thin Film Transistor
Reference in New Issue View Git Blame Copy Permalink