mirror of
https://github.com/mbirth/wiki.git
synced 2024-11-14 14:06:46 +00:00
120 lines
4.5 KiB
Markdown
120 lines
4.5 KiB
Markdown
---
|
|
title: SONY VAIO
|
|
layout: default
|
|
created: 2008-07-20 15:44:48 +0200
|
|
updated: 2008-07-20 17:34:22 +0200
|
|
toc: false
|
|
tags:
|
|
- know-how
|
|
- hacking
|
|
- hardware
|
|
- bios
|
|
- passwords
|
|
- sony
|
|
- vaio
|
|
---
|
|
In the newer SONY VAIO Notebooks, the BIOS password is no longer stored in the volatile CMOS-area but on an EEPROM.
|
|
|
|
Jean Delvare has published [his results](http://khali.linux-fr.org/vaio/eeprom.html) of an analysis of various Sony
|
|
Vaio EEPROM dumps on [his homepage](http://www.ensicaen.ismra.fr/~delvare/). There you can see that the BIOS password
|
|
is stored encrypted in the first 7 Bytes of the EEPROM and, if no password is set, these Bytes are 00h. So if you
|
|
delete the whole chip - like you can do with DELL notebooks - you should get rid of the password.
|
|
|
|
Unfortunately, this would delete all other informations like e.g. serial number, model name, etc., so that specific
|
|
Sony-Applications might cause trouble or even don't accept the notebook as a SONY-device.
|
|
|
|
If you are still able to boot up the notebook, but only can't get into the BIOS setup, you can approach the password
|
|
the following way:
|
|
|
|
* download and extract the DOS-version of [HWiNFO](http://www.hwinfo.com)
|
|
* copy the program GETSMBUS.EXE from HWiNFO to a FAT(32)-partition on the target computer or on a floppy.
|
|
* boot up a DOS-based operating system, e.g. from a Win98/WinME-Installation-CD.
|
|
* run the program GETSMBUS.EXE.
|
|
|
|
The file `SMBUS57.DAT` created by GETSMBUS.EXE contains a complete dump of the EEPROM at address 0x57 - in 99% the SONY
|
|
VAIO chip. The EEPROM can be read easily through the so-called SMBus. Usually the SMBus is used to query e.g. the
|
|
RAM-modules for Vendor and Speed-Infos (they have a similar EEPROM). Also temperatures and fan-speeds can be read
|
|
through the SMBus.
|
|
|
|
Now you have the encrypted password and only have to decrypt it.
|
|
|
|
Alternatively, you can desolder the EEPROM (likely of Type 93C46) and read it with an EEPROM-Programmer. Or just
|
|
overwrite the first 7 Bytes with 00h. But it seems as if the EEPROM is built onto the bottom side of the mainboard and
|
|
therefore it's hard to reach.
|
|
|
|
|
|
Decrypt the password
|
|
====================
|
|
|
|
If you take a look onto the encrypted Bytes with a Hex-Editor, you'll soon notice that each Byte is an even number. So
|
|
just divide by 2 and take a look at the character with this ASCII-code.
|
|
|
|
<script type="text/javascript">
|
|
document.write('<p>I wrote a small JavaScript to demonstrate it. After entering the 7 Bytes with the encrypted password, it calculates the password in cleartext.</p>');
|
|
document.write('<p><form name="sony">Enter 7 Bytes as Hex: <input type="text" name="vaio" maxlength=20 size=20 value="a8 ca e6 e8 00 00 00" /><input type="button" value="Calculate password" onClick="ShowPwd();" /></form></p>');
|
|
|
|
function ShowPwd() {
|
|
var xBytes = document.sony.vaio.value.toLowerCase();
|
|
var xHexset = new String('0123456789abcdef');
|
|
var xPwd = '';
|
|
var xVal = 0;
|
|
|
|
for (var i=0;i<=6;i++) {
|
|
xCA1 = xBytes.charAt(i*3);
|
|
xCA2 = xBytes.charAt(i*3+1);
|
|
xVal1 = xHexset.indexOf(xCA1);
|
|
xVal2 = xHexset.indexOf(xCA2);
|
|
xVal = (xVal1*16 + xVal2) / 2;
|
|
if (xVal>0) { xPwd += String.fromCharCode(xVal); } else { break; }
|
|
}
|
|
|
|
alert('The BIOS-password is: "'+xPwd+'"');
|
|
}
|
|
</script>
|
|
|
|
I also wrote a small Program which is able to parse the file `SMBUS57.DAT` or even query the SMBus directly. From the
|
|
obtained data it shows informations about the SONY Vaio-notebook - even the password(s). Here is a screen-shot:
|
|
|
|
![]({{ site.url }}/assets/sva.png)
|
|
|
|
**Download here:** [Sony VAIO Analyzer]({{ site.url }}/assets/sony_vaio_analyzer.zip)
|
|
|
|
|
|
Interior views
|
|
==============
|
|
|
|
PCG-Z1XEP
|
|
---------
|
|
|
|
This is an interior view of a SONY VAIO Z1:
|
|
|
|
![]({{ site.url }}/assets/sonyvaio.jpg)
|
|
|
|
(The DIP-switches below the keyboard are probably for setting the used TFT-panel. You can not delete the password with
|
|
them anyway!)
|
|
|
|
|
|
PCG-V505
|
|
--------
|
|
|
|
This is a naked SONY VAIO V505:
|
|
|
|
![]({{ site.url }}/assets/sonyv505.jpg)
|
|
|
|
|
|
[Back to overview.]({% post_url 2009-10-30-bios-passwords %})
|
|
|
|
|
|
*[EEPROM]: Electrically Erasable Programmable Read-Only Memory
|
|
*[DIP]: Dual In-Line Package
|
|
*[BIOS]: Basic Input/Output System
|
|
*[CMOS]: Complementary Metal-Oxide-Semiconductor
|
|
*[SMBus]: System Management Bus
|
|
*[ASCII]: American Standard Code for Information Interchange
|
|
*[DOS]: Disk Operating System
|
|
*[VAIO]: Visual Audio Intelligent Organizer, formerly: Video Audio Integrated Operation
|
|
*[CD]: Compact Disc
|
|
*[FAT]: File Allocation Table
|
|
*[RAM]: Random Access Memory
|
|
*[TFT]: Thin Film Transistor
|