• Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

BIOS password

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Security Related Software

View previous topic :: View next topic  
Author Message
Just Arrived
Just Arrived

Joined: 02 Jul 2009
Posts: 0


PostPosted: Wed Dec 14, 2011 5:18 am    Post subject: BIOS password Reply with quote

A client came to me with his old Dell C610 laptop, it has a password on the BIOS & he's forgotten it, comes up first before any hardware is loaded. Tried pulling the battery to reset the BIOS, but the pass word is set in the backup BIOS, even accessed the m/board but the chip is hard soldered. I have an updated BIOS on CD to over write the existing one, only I can't get pass the initial stage to use the CD or FDD. An clues on how to block this password.
Back to top
View user's profile Send private message
SF Mod
SF Mod

Joined: 30 May 2002
Posts: 8


PostPosted: Mon Jan 02, 2012 5:38 pm    Post subject: Reply with quote

Hi cardiniaconsulting,

According to THIS DISCUSSION on Dell's Community Discussion, you need to
call DELL, prove you are a valid user/owner, and they will help you.
It may cost $$.

See support.dell.com for the Out Of Warrantee" support phone number for
your area and equipment.
Quote from DELL Community Discussion:

"Hi All,

Am stuck with the unlocking of bios setting. plz help me out if anyone have a solution.


I'm assuming that you can not remember the password that you set. You will need to contact dell by phone, prove you are the owner of the notebook and then they will give you a master password for your system."
Back to top
View user's profile Send private message
Just Arrived
Just Arrived

Joined: 03 Oct 2004
Posts: 0
Location: United States


PostPosted: Tue Feb 21, 2012 10:17 am    Post subject: Reply with quote

From what I have read, the C610 should be using a service tag of 595B. If this information is correct, below is source code that will let you generate the correct master BIOS password for your Dell service tag. The code supports the 595B and 2A7B tags. If for some reason your service tag varies (The last portions of the code generated at the BIOS password screen, normally separated by a hyphen. Ex: 1234567890-595b) then you can easily find the algorithm to generate a master password for that specific service tag on the Internet. There is really no reason to pay anyone to do it for you.

Also, if this is an important recovery and you feel comfortable doing so, just grab an eeprom programmer. For the C610, the eeprom location you're looking for is: 24c02, and the password is stored within the scan code: 0x00, 0x10, 0x80 and 0x90

I hope I was able to help.


#include <stdio.h>
#include <string.h>
#include <time.h>
#define mystr "My own utility. Copyright (C) 2007-2010 hpgl, Russia"
#define allow595B
#define allowA95B
#define allow2A7B
#define fSVCTAG 0
#define fHDDSN 1
#define fHDDold 2
#define t595B 0
#define tD35B 1
#define tA95B 2
#define t2A7B 3
#ifdef allow595B
#define f595B
#ifdef allowA95B
#define f595B
#ifdef allow2A7B
#define f595B
char bSuffix[]="595BD35BA95B2A7B";
char scancods[]="\00\0331234567890-=\010\011qwertyuiop[]\015\377asdfghjkl;'`\377\\zxcvbnm,./";
char encscans[]={0x05,0x10,0x13,0x09,0x32,0x03,0x25,0x11,0x1F,0x17,0x06,0x15, \
                 0x30,0x19,0x26,0x22,0x0A,0x02,0x2C,0x2F,0x16,0x14,0x07,0x18, \
#ifdef allow2A7B
char chartabl2A7B[72]="012345679abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0";
unsigned int MD5magic[64]={
0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x4881d05,
0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391};
unsigned char inData[23],outData[16];
char buf1output[32], buf1input[20];
char bug4;
void calcsuffix(char bfunc, char btype, char *outbuf);
void initData(void) {
   *(int *)(&outData[0]) =0x67452301;
   *(int *)(&outData[4]) =0xEFCDAB89;
   *(int *)(&outData[8]) =0x98BADCFE;
   *(int *)(&outData[12])=0x10325476;
typedef int (encfuncT1) (int num1, int num2, int num3);
#ifdef f595B
int enc0F2(int num1, int num2, int num3) {return (((~num3 ^ num2) & num1) ^ ~num3);}
int enc0F4(int num1, int num2, int num3) {return (( ~num2 ^ num1) ^ num3); }
int enc0F5(int num1, int num2, int num3) {return (( ~num1 | ~num3) ^ num2); }
int enc1F2(int num1, int num2, int num3) {return ((( num3 ^ num2) & num1) ^ num3);}
int enc1F4(int num1, int num2, int num3) {return (( num2 ^ num1) ^ num3); }
int enc1F5(int num1, int num2, int num3) {return (( num1 | ~num3) ^ num2); }
int encF3 (int num1, int num2, int num3) {return ((( num1 ^ num2) & num3) ^ num2);}
typedef int (encfuncT2)(encfuncT1 func, int num1, int num2, int num3, int key);
int enc1F1 (encfuncT1 func, int num1, int num2, int num3, int key)
   return func(num1,num2,num3)+key;
#ifdef f595B
int enc0F1 (encfuncT1 func, int num1, int num2, int num3, int key)
   return func(num1,num2,num3)-key;
unsigned int rol(unsigned int t, int bitsrot)
   return (t >> (32-bitsrot)) | (t << bitsrot);
void blockEncodeF(int *outdata, int *encblock, encfuncT2 func1,
                  encfuncT1 func2, encfuncT1 func3, encfuncT1 func4, encfuncT1 func5 )
   char S[4][4] = {{ 7, 12, 17, 22 },{ 5, 9, 14, 20 },{ 4, 11, 16, 23 },{ 6, 10, 15, 21 }};
   int A,B,C,D,t,i;
   for (i=0;i<64;i++) {       t=MD5magic[i];       switch (i>>4) {
         case 0: t=A+func1(func2,B,C,D, t+encblock[(i) & 15]); break;
         case 1: t=A+func1(func3,B,C,D, t+encblock[(i*5+1) & 15]); break;
         case 2: t=A+func1(func4,B,C,D, t+encblock[(i*3+5) & 15]); break;
         case 3: t=A+func1(func5,B,C,D, t+encblock[(i*7) & 15]); break;
      A=D; D=C; C=B; B+=rol(t,S[i>>4][i&3]);
void blockEncode(char *outdata, int *encblock, char btype) {
   if (btype==tD35B)
      blockEncodeF((int *)outdata,encblock,enc1F1,enc1F2,encF3,enc1F4,enc1F5);
#ifdef f595B
      blockEncodeF((int *)outdata,encblock,enc0F1,enc0F2,encF3,enc0F4,enc0F5);
void encode(char *inbuf,int cnt,char btype) {
   int encBlock[16];
   char *ptr;
   ptr=&((char *)encBlock)[cnt];
   encBlock[16-2]=((unsigned int)cnt << 3);
void psw(char bfunc, char btype, char *outbuf) {
   int cnt,i,lenpsw,r;
   if (bfunc==fHDDold) {
//      calcsuffix(bfunc,btype,outbuf);
      for (cnt=0;cnt<8;cnt++)          outbuf[cnt]= scancods[ outbuf[cnt] ];    } else {       memset(inData,0,sizeof(inData));       if (bfunc==fSVCTAG) cnt=7;       else cnt=11;       if ((bfunc==fHDDSN) && (btype==tA95B))          memcpy(inData,&buf1input[3],cnt-3);       else          memcpy(inData,buf1input,cnt);       if (btype==t595B) memcpy(&inData[cnt],&bSuffix[0],4); else       if (btype==tD35B) memcpy(&inData[cnt],&bSuffix[4],4); else       if (btype==tA95B) memcpy(&inData[cnt],&bSuffix[0],4); else       if (btype==t2A7B) memcpy(&inData[cnt],&bSuffix[12],4);       cnt += 4;       inData[cnt] = inData[4] & 0x1F;       inData[cnt+1] = ((inData[4] >> 5) | (((inData[3] >> 5) | (inData[3] << 3)) & 0xF1) & 0x1F);       inData[cnt+2] = ((inData[3] >> 2) & 0x1F);
      inData[cnt+3] = (inData[3] >> 7) | ((inData[2] << 1) & 0x1F);       inData[cnt+4] = (inData[2] >> 4) | ((inData[1] << 4) & 0x1F);       inData[cnt+5] = (inData[1] >> 1) & 0x1F;
      inData[cnt+6] = (inData[1] >> 6) | ((inData[0] << 2) & 0x1F);       inData[cnt+7] = (inData[0] >> 3) & 0x1F;
      for (i=cnt;i<8+cnt;i++) {
         r = 0xAA;
         if (inData[i] & 1)
            r ^= inData[4];
         if (inData[i] & 2)
            r ^= inData[3];
         if (inData[i] & 4)
            r ^= inData[2];
         if (inData[i] & 8)
            r ^= inData[1];
         if (inData[i] & 16)
            r ^= inData[0];
         inData[i] = encscans[r % sizeof(encscans)];
      cnt = 23;
      r = outData[0] % 9;
      lenpsw = 0;
      for (cnt=0;cnt<16;cnt++) {
         if ((r <= cnt) && (lenpsw<8)) {             buf1output[lenpsw++] = scancods[encscans[outData[cnt] % sizeof(encscans)]];          }       }    } } int main(int argc, char *argv[]) {    unsigned char len,len1,bfunc,eol=1,echo=0, *minus,s2[20];    signed char btype; int argn=0;    if (argc>1)
   if (!echo)
      fputs("" mystr "\n" \
        "Short service tag should be right padded with '*' up to length 7 chars\n" \
        "HDD serial number is right 11 chars from real HDDSerNum left padded with '*'\n" \
        "Some BIOSes has left pad HDD serial number with spaces instead '*'\n",stdout);
   while (!feof(stdin)) {
      if ((argc<=1) && argn) break;       fputs("Input: #",stdout);       if (argc>1) {
      else {
         if (!eol) while (!feof(stdin) && (fgetc(stdin)!='\n')); eol=0;
         if (fgets(buf1input,16+1+1,stdin)==NULL) {
            if (echo) fputs("\n",stdout);
      if (len && (buf1input[len-1]=='\n')) {len--;eol=1;buf1input[len]=0;}
      if (echo) {fputs(buf1input,stdout);fputs("\n",stdout);}
      if (len==11) {
         if (minus!=NULL) {
            fputs("- Incorrect input\n",stdout);
         fputs("By HDD serial number for older BIOS: ",stdout);
      } else {
         if (len==0) break;
         if (minus==NULL) {
            fputs("- No BIOS type found in input string, must be followed by -595B and other registered\n",stdout);
         len1=minus-(unsigned char*)buf1input;
#ifdef allow595B
         if (strncmp(&buf1input[len1+1],&bSuffix[0],4)==0) btype=t595B;
         if (strncmp(&buf1input[len1+1],&bSuffix[4],4)==0) btype=tD35B;
#ifdef allowA95B
         if (strncmp(&buf1input[len1+1],&bSuffix[8],4)==0) btype=tA95B;
#ifdef allow2A7B
         if (strncmp(&buf1input[len1+1],&bSuffix[12],4)==0) btype=t2A7B;
         if (btype<0) {
            fputs("- Invalid service tag in input string, allowed only -D35B and other registered\n",stdout);
         struct tm *time1; time_t timer1=time(NULL);
         strftime(s2,sizeof(s2),"%d.%m.%Y %H:%M",time1);
         fputs(" DELL ",stdout);
         if (len1==7) {
            fputs("service tag: ",stdout);
         } else
         if (len1==11) {
            fputs("HDD serial number: ",stdout);
         else {
            fputs("- Incorrect input, must be 7 chars service tag or 11 chars HDD serial number\n",stdout);
      fputs(" password: ",stdout);
      if (bug4) fputs(" !bug4 warning - password may not work!",stdout);
      if (btype==t595B) if (bfunc==fSVCTAG) { //to check if A95B bug
         char mpw1[20];
         if (strcmp(mpw1,buf1output)!=0) {
            fputs(" passwordA95B: ",stdout);
   return 0;
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Security Related Software All times are GMT + 2 Hours
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register