BIOS password

Networking/Security Forums -> Security Related Software

Author: cardiniaconsulting PostPosted: Wed Dec 14, 2011 5:18 am    Post subject: BIOS password
A client came to me with his old Dell C610 laptop, it has a password on the BIOS & he's forgotten it, comes up first before any hardware is loaded. Tried pulling the battery to reset the BIOS, but the pass word is set in the backup BIOS, even accessed the m/board but the chip is hard soldered. I have an updated BIOS on CD to over write the existing one, only I can't get pass the initial stage to use the CD or FDD. An clues on how to block this password.

Author: Mongrel PostPosted: Mon Jan 02, 2012 5:38 pm    Post subject:
Hi cardiniaconsulting,

According to THIS DISCUSSION on Dell's Community Discussion, you need to
call DELL, prove you are a valid user/owner, and they will help you.
It may cost $$.

See for the Out Of Warrantee" support phone number for
your area and equipment.
Quote from DELL Community Discussion:

"Hi All,

Am stuck with the unlocking of bios setting. plz help me out if anyone have a solution.


I'm assuming that you can not remember the password that you set. You will need to contact dell by phone, prove you are the owner of the notebook and then they will give you a master password for your system."

Author: KaosuLocation: United States PostPosted: Tue Feb 21, 2012 10:17 am    Post subject:
From what I have read, the C610 should be using a service tag of 595B. If this information is correct, below is source code that will let you generate the correct master BIOS password for your Dell service tag. The code supports the 595B and 2A7B tags. If for some reason your service tag varies (The last portions of the code generated at the BIOS password screen, normally separated by a hyphen. Ex: 1234567890-595b) then you can easily find the algorithm to generate a master password for that specific service tag on the Internet. There is really no reason to pay anyone to do it for you.

Also, if this is an important recovery and you feel comfortable doing so, just grab an eeprom programmer. For the C610, the eeprom location you're looking for is: 24c02, and the password is stored within the scan code: 0x00, 0x10, 0x80 and 0x90

I hope I was able to help.


#include <stdio.h>
#include <string.h>
#include <time.h>
#define mystr "My own utility. Copyright (C) 2007-2010 hpgl, Russia"
#define allow595B
#define allowA95B
#define allow2A7B
#define fSVCTAG 0
#define fHDDSN 1
#define fHDDold 2
#define t595B 0
#define tD35B 1
#define tA95B 2
#define t2A7B 3
#ifdef allow595B
#define f595B
#ifdef allowA95B
#define f595B
#ifdef allow2A7B
#define f595B
char bSuffix[]="595BD35BA95B2A7B";
char scancods[]="\00\0331234567890-=\010\011qwertyuiop[]\015\377asdfghjkl;'`\377\\zxcvbnm,./";
char encscans[]={0x05,0x10,0x13,0x09,0x32,0x03,0x25,0x11,0x1F,0x17,0x06,0x15, \
                 0x30,0x19,0x26,0x22,0x0A,0x02,0x2C,0x2F,0x16,0x14,0x07,0x18, \
#ifdef allow2A7B
char chartabl2A7B[72]="012345679abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0";
unsigned int MD5magic[64]={
0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x4881d05,
0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391};
unsigned char inData[23],outData[16];
char buf1output[32], buf1input[20];
char bug4;
void calcsuffix(char bfunc, char btype, char *outbuf);
void initData(void) {
   *(int *)(&outData[0]) =0x67452301;
   *(int *)(&outData[4]) =0xEFCDAB89;
   *(int *)(&outData[8]) =0x98BADCFE;
   *(int *)(&outData[12])=0x10325476;
typedef int (encfuncT1) (int num1, int num2, int num3);
#ifdef f595B
int enc0F2(int num1, int num2, int num3) {return (((~num3 ^ num2) & num1) ^ ~num3);}
int enc0F4(int num1, int num2, int num3) {return (( ~num2 ^ num1) ^ num3); }
int enc0F5(int num1, int num2, int num3) {return (( ~num1 | ~num3) ^ num2); }
int enc1F2(int num1, int num2, int num3) {return ((( num3 ^ num2) & num1) ^ num3);}
int enc1F4(int num1, int num2, int num3) {return (( num2 ^ num1) ^ num3); }
int enc1F5(int num1, int num2, int num3) {return (( num1 | ~num3) ^ num2); }
int encF3 (int num1, int num2, int num3) {return ((( num1 ^ num2) & num3) ^ num2);}
typedef int (encfuncT2)(encfuncT1 func, int num1, int num2, int num3, int key);
int enc1F1 (encfuncT1 func, int num1, int num2, int num3, int key)
   return func(num1,num2,num3)+key;
#ifdef f595B
int enc0F1 (encfuncT1 func, int num1, int num2, int num3, int key)
   return func(num1,num2,num3)-key;
unsigned int rol(unsigned int t, int bitsrot)
   return (t >> (32-bitsrot)) | (t << bitsrot);
void blockEncodeF(int *outdata, int *encblock, encfuncT2 func1,
                  encfuncT1 func2, encfuncT1 func3, encfuncT1 func4, encfuncT1 func5 )
   char S[4][4] = {{ 7, 12, 17, 22 },{ 5, 9, 14, 20 },{ 4, 11, 16, 23 },{ 6, 10, 15, 21 }};
   int A,B,C,D,t,i;
   for (i=0;i<64;i++) {       t=MD5magic[i];       switch (i>>4) {
         case 0: t=A+func1(func2,B,C,D, t+encblock[(i) & 15]); break;
         case 1: t=A+func1(func3,B,C,D, t+encblock[(i*5+1) & 15]); break;
         case 2: t=A+func1(func4,B,C,D, t+encblock[(i*3+5) & 15]); break;
         case 3: t=A+func1(func5,B,C,D, t+encblock[(i*7) & 15]); break;
      A=D; D=C; C=B; B+=rol(t,S[i>>4][i&3]);
void blockEncode(char *outdata, int *encblock, char btype) {
   if (btype==tD35B)
      blockEncodeF((int *)outdata,encblock,enc1F1,enc1F2,encF3,enc1F4,enc1F5);
#ifdef f595B
      blockEncodeF((int *)outdata,encblock,enc0F1,enc0F2,encF3,enc0F4,enc0F5);
void encode(char *inbuf,int cnt,char btype) {
   int encBlock[16];
   char *ptr;
   ptr=&((char *)encBlock)[cnt];
   encBlock[16-2]=((unsigned int)cnt << 3);
void psw(char bfunc, char btype, char *outbuf) {
   int cnt,i,lenpsw,r;
   if (bfunc==fHDDold) {
//      calcsuffix(bfunc,btype,outbuf);
      for (cnt=0;cnt<8;cnt++)          outbuf[cnt]= scancods[ outbuf[cnt] ];    } else {       memset(inData,0,sizeof(inData));       if (bfunc==fSVCTAG) cnt=7;       else cnt=11;       if ((bfunc==fHDDSN) && (btype==tA95B))          memcpy(inData,&buf1input[3],cnt-3);       else          memcpy(inData,buf1input,cnt);       if (btype==t595B) memcpy(&inData[cnt],&bSuffix[0],4); else       if (btype==tD35B) memcpy(&inData[cnt],&bSuffix[4],4); else       if (btype==tA95B) memcpy(&inData[cnt],&bSuffix[0],4); else       if (btype==t2A7B) memcpy(&inData[cnt],&bSuffix[12],4);       cnt += 4;       inData[cnt] = inData[4] & 0x1F;       inData[cnt+1] = ((inData[4] >> 5) | (((inData[3] >> 5) | (inData[3] << 3)) & 0xF1) & 0x1F);       inData[cnt+2] = ((inData[3] >> 2) & 0x1F);
      inData[cnt+3] = (inData[3] >> 7) | ((inData[2] << 1) & 0x1F);       inData[cnt+4] = (inData[2] >> 4) | ((inData[1] << 4) & 0x1F);       inData[cnt+5] = (inData[1] >> 1) & 0x1F;
      inData[cnt+6] = (inData[1] >> 6) | ((inData[0] << 2) & 0x1F);       inData[cnt+7] = (inData[0] >> 3) & 0x1F;
      for (i=cnt;i<8+cnt;i++) {
         r = 0xAA;
         if (inData[i] & 1)
            r ^= inData[4];
         if (inData[i] & 2)
            r ^= inData[3];
         if (inData[i] & 4)
            r ^= inData[2];
         if (inData[i] & 8)
            r ^= inData[1];
         if (inData[i] & 16)
            r ^= inData[0];
         inData[i] = encscans[r % sizeof(encscans)];
      cnt = 23;
      r = outData[0] % 9;
      lenpsw = 0;
      for (cnt=0;cnt<16;cnt++) {
         if ((r <= cnt) && (lenpsw<8)) {             buf1output[lenpsw++] = scancods[encscans[outData[cnt] % sizeof(encscans)]];          }       }    } } int main(int argc, char *argv[]) {    unsigned char len,len1,bfunc,eol=1,echo=0, *minus,s2[20];    signed char btype; int argn=0;    if (argc>1)
   if (!echo)
      fputs("" mystr "\n" \
        "Short service tag should be right padded with '*' up to length 7 chars\n" \
        "HDD serial number is right 11 chars from real HDDSerNum left padded with '*'\n" \
        "Some BIOSes has left pad HDD serial number with spaces instead '*'\n",stdout);
   while (!feof(stdin)) {
      if ((argc<=1) && argn) break;       fputs("Input: #",stdout);       if (argc>1) {
      else {
         if (!eol) while (!feof(stdin) && (fgetc(stdin)!='\n')); eol=0;
         if (fgets(buf1input,16+1+1,stdin)==NULL) {
            if (echo) fputs("\n",stdout);
      if (len && (buf1input[len-1]=='\n')) {len--;eol=1;buf1input[len]=0;}
      if (echo) {fputs(buf1input,stdout);fputs("\n",stdout);}
      if (len==11) {
         if (minus!=NULL) {
            fputs("- Incorrect input\n",stdout);
         fputs("By HDD serial number for older BIOS: ",stdout);
      } else {
         if (len==0) break;
         if (minus==NULL) {
            fputs("- No BIOS type found in input string, must be followed by -595B and other registered\n",stdout);
         len1=minus-(unsigned char*)buf1input;
#ifdef allow595B
         if (strncmp(&buf1input[len1+1],&bSuffix[0],4)==0) btype=t595B;
         if (strncmp(&buf1input[len1+1],&bSuffix[4],4)==0) btype=tD35B;
#ifdef allowA95B
         if (strncmp(&buf1input[len1+1],&bSuffix[8],4)==0) btype=tA95B;
#ifdef allow2A7B
         if (strncmp(&buf1input[len1+1],&bSuffix[12],4)==0) btype=t2A7B;
         if (btype<0) {
            fputs("- Invalid service tag in input string, allowed only -D35B and other registered\n",stdout);
         struct tm *time1; time_t timer1=time(NULL);
         strftime(s2,sizeof(s2),"%d.%m.%Y %H:%M",time1);
         fputs(" DELL ",stdout);
         if (len1==7) {
            fputs("service tag: ",stdout);
         } else
         if (len1==11) {
            fputs("HDD serial number: ",stdout);
         else {
            fputs("- Incorrect input, must be 7 chars service tag or 11 chars HDD serial number\n",stdout);
      fputs(" password: ",stdout);
      if (bug4) fputs(" !bug4 warning - password may not work!",stdout);
      if (btype==t595B) if (bfunc==fSVCTAG) { //to check if A95B bug
         char mpw1[20];
         if (strcmp(mpw1,buf1output)!=0) {
            fputs(" passwordA95B: ",stdout);
   return 0;

Networking/Security Forums -> Security Related Software

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group