Thursday, May 25th, 2006 at 7:37 PM
A few months ago, I learned of a simple paperclip trick to remove power-on passwords from Dell laptops. I’ve since discovered that it doesn’t work on every Dell (even models that were previously susceptible to the attack), and that extreme measures may be necessary. Also, if the only password set is an Administrator password, it can easily be removed with an internal Dell utility that has found its way onto the internet.
Administrator passwords only hinder certain changes to the BIOS settings such as boot sequence. Often, though, the option to boot the floppy or optical drive is still enabled, so Dell’s svctag.exe can be used. Svctag erases the EEPROM chip (usually a 256 byte Atmel 24C02) and removes the Administrator password along with the Service Tag. Dell’s nicset.exe must also be run to re-enable onboard Ethernet. That last bug caused much frustration, as the onboard Ethernet “enable bit” is inexplicably stored on the EEPROM as well. For now, a complete bootable CD can be obtained here. (As this utility is intended to be used by Dell technicians only, I don’t plan on hosting it myself to avoid legal action.)
The absolute most reliable way of removing passwords I’ve found is to make a copy of an EEPROM from an unprotected laptop of the same model. With the GALEP-4 flash/EEPROM programmer and a SOIC to DIP chip adapter (which are quite affordable, unlike the programmer itself), reading the data from an EEPROM is a piece of cake. A copy can then be made onto any number of blank EEPROM chips, available from outlets like Jameco and Digi-Key. The copy can replace the password-locked EEPROM and allow full access to the machine again. As expected, the “hacked” laptop will display the Service Tag of the machine with the source EEPROM, but it can be changed using the steps above for Administrator password removal.
With a little more time and effort, I may be able to figure out how the passwords are stored in the EEPROM, as they’re not simple plaintext like the Service Tag. I suspect Dell is doing a simple mathematical bit operation like XOR to hide the passwords from view, but more experimentation will be necessary to uncover the secret (i.e. if I change the power-on password by one character, does the whole “encrypted” password string change, or just one character?).
Removing passwords from laptops is not a trivial task and often requires complete disassembly, but with patience and the right tools, nothing is impossible.
This entry was posted
on Thursday, May 25th, 2006 at 7:37 pm and is filed under Hacks.
You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, trackback from your own site, or 
Stumble it!.
fmTuner: Last.fm for WordPress 
ADB Mouse Conversion 
iPod Super
Hi, Good info here. I’d like to do similar with the DELL battery eeprom info too…
I floundered around with Rapidshare.com to get that bootcd.iso file. In the end it said I’d got it already when I hadn’t. Have you seen this file anywhere more accessable ?
Thanks
Martin
Just visit the RapidShare link and click the “Free” button. It just worked for me. I might be able to put a copy of the CD up on a torrent site somewhere…
superb matey had a fake STag now inserted the correct one……once again top dog!
PS looked all over to try and get some programs to do this but as usual very hard to find
Collin,
I had the screen replaced on my Inspiron 1150 and the capable technician apparently had to erase my password EPROM. I have used the asset utility to reinstall the service tag, but the onboard NIC is almost never recognized. I tried using the nicset.exe utility from a DOS CD, but does not seem to work. Any recommends please send to mbaker@edgeresearch.net. Thanks.
Hey can someone please mail me that ISO? cmteisrael@terra.com.br THANKS
I want the cd also cristers@sparay.se Thanks!
Could someone please send me the ISO. Thanks!
willow82@comcast.net
I would like the cd also.
I’d like to get the dell cd refereced above. I need the nicset to enable the ethernet.
Could someone please send me the ISO. Because rapid link is dead.
Thanks!
ta2ctp@mynet.com
or
tb2ctp@hotmail.com
has anyone got the svctag utility that would work on a dell 755?
email me: jawad_hussain786@hotmail.com
thanks
DISABLE THE FIREWALL to download from rapidshare,,, esp if the the down load says .efw instead of .zip
DELL INSPIRON 1150
Service Tag – 4977y51-a95b
Does any one have a for sure way of Erasing the EEPROM CHIP so that I can change the booting sequence. Id like to reinstall windows on this pc. But I can’t get pass the message:
“This Computer System, is protected by a password Authentication System. You Cannot Access The Data On This Computer Without The Correct Password”
If there is any HELP!!! out there please contact me jetermr78@yahoo.com
Plaiiiiiiiiiiiiise help me My latitude D830 required a password bios!!!! and my service tag is #FQWF63J-595B
Mokhtar
January 10th, 2010 at 4:43 AM
your laptop is still under warranty try call in dell they can help u out