Dell BIOS Passwords

Discussion in 'BIOS Mods' started by ABM, Mar 4, 2011.

  1. ABM

    ABM MDL Novice

    Mar 16, 2010
    5
    0
    0
    Not my work, just passing this along. if its not needed, or in the wrong place, please delete it.




    I noticed that several eBay sellers were providing these master passwords for a small fee. Obviously, this meant that the means to generate these codes oneself was available somewhere on the internet. That’s when I ran across some source code created by Russian hacker hpgl who found the algorithm Dell was using to generate these master passwords for the 595b and 2a7b-type BIOS. You can find the code below:

    Quote

    #include <stdio.h>
    #include <string.h>
    #include <time.h>

    #define mystr "My own utility. Copyright © 2007-2010 hpgl, Russia"

    #define allow595B
    #define allowA95B
    #define allow2A7B

    #define fSVCTAG 0
    #define fHDDSN 1
    #define fHDDold 2
    #define t595B 0
    #define tD35B 1
    #define tA95B 2
    #define t2A7B 3

    #ifdef allow595B
    #define f595B
    #endif
    #ifdef allowA95B
    #define f595B
    #endif
    #ifdef allow2A7B
    #define f595B
    #endif

    char bSuffix[]="595BD35BA95B2A7B";

    char scancods[]="\00\0331234567890-=\010\011qwertyuiop[]\015\377asdfghjkl;'`\377\\zxcvbnm,./";
    char encscans[]={0x05,0x10,0x13,0x09,0x32,0x03,0x25,0x11,0x1F,0x17,0x06,0x15, \
    0x30,0x19,0x26,0x22,0x0A,0x02,0x2C,0x2F,0x16,0x14,0x07,0x18, \
    0x24,0x23,0x31,0x20,0x1E,0x08,0x2D,0x21,0x04,0x0B,0x12,0x2E};

    #ifdef allow2A7B
    char chartabl2A7B[72]="012345679abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0";
    #endif

    unsigned int MD5magic[64]={
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
    0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
    0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
    0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
    0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
    0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x4881d05,
    0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
    0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
    0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391};

    unsigned char inData[23],outData[16];
    char buf1output[32], buf1input[20];
    char bug4;

    void calcsuffix(char bfunc, char btype, char *outbuf);

    void initData(void) {
    *(int *)(&outData[0]) =0x67452301;
    *(int *)(&outData[4]) =0xEFCDAB89;
    *(int *)(&outData[8]) =0x98BADCFE;
    *(int *)(&outData[12])=0x10325476;
    }

    typedef int (encfuncT1) (int num1, int num2, int num3);

    #ifdef f595B
    int enc0F2(int num1, int num2, int num3) {return (((~num3 ^ num2) & num1) ^ ~num3);}
    int enc0F4(int num1, int num2, int num3) {return (( ~num2 ^ num1) ^ num3); }
    int enc0F5(int num1, int num2, int num3) {return (( ~num1 | ~num3) ^ num2); }
    #endif
    int enc1F2(int num1, int num2, int num3) {return ((( num3 ^ num2) & num1) ^ num3);}
    int enc1F4(int num1, int num2, int num3) {return (( num2 ^ num1) ^ num3); }
    int enc1F5(int num1, int num2, int num3) {return (( num1 | ~num3) ^ num2); }
    int encF3 (int num1, int num2, int num3) {return ((( num1 ^ num2) & num3) ^ num2);}

    typedef int (encfuncT2)(encfuncT1 func, int num1, int num2, int num3, int key);

    int enc1F1 (encfuncT1 func, int num1, int num2, int num3, int key)
    {
    return func(num1,num2,num3)+key;
    }

    #ifdef f595B
    int enc0F1 (encfuncT1 func, int num1, int num2, int num3, int key)
    {
    return func(num1,num2,num3)-key;
    }
    #endif

    unsigned int rol(unsigned int t, int bitsrot)
    {
    return (t >> (32-bitsrot)) | (t << bitsrot);
    }

    void blockEncodeF(int *outdata, int *encblock, encfuncT2 func1,
    encfuncT1 func2, encfuncT1 func3, encfuncT1 func4, encfuncT1 func5 )
    {
    char S[4][4] = {{ 7, 12, 17, 22 },{ 5, 9, 14, 20 },{ 4, 11, 16, 23 },{ 6, 10, 15, 21 }};
    int A,B,C,D,t,i;

    A=outdata[0];
    B=outdata[1];
    C=outdata[2];
    D=outdata[3];

    for (i=0;i<64;i++) { t=MD5magic; switch (i>>4) {
    case 0: t=A+func1(func2,B,C,D, t+encblock[(i) & 15]); break;
    case 1: t=A+func1(func3,B,C,D, t+encblock[(i*5+1) & 15]); break;
    case 2: t=A+func1(func4,B,C,D, t+encblock[(i*3+5) & 15]); break;
    case 3: t=A+func1(func5,B,C,D, t+encblock[(i*7) & 15]); break;
    }
    A=D; D=C; C=B; B+=rol(t,S[i>>4][i&3]);
    };

    outdata[0]+=A;
    outdata[1]+=B;
    outdata[2]+=C;
    outdata[3]+=D;
    }

    void blockEncode(char *outdata, int *encblock, char btype) {
    if (btype==tD35B)
    blockEncodeF((int *)outdata,encblock,enc1F1,enc1F2,encF3,enc1F4,enc1F5);
    #ifdef f595B
    else
    blockEncodeF((int *)outdata,encblock,enc0F1,enc0F2,encF3,enc0F4,enc0F5);
    #endif
    }

    void encode(char *inbuf,int cnt,char btype) {
    int encBlock[16];
    char *ptr;
    initData();
    memcpy(encBlock,inbuf,cnt);
    ptr=&((char *)encBlock)[cnt];
    *ptr++=0x80;
    memset(ptr,0,64-1-cnt);
    encBlock[16-2]=((unsigned int)cnt << 3);
    blockEncode(outData,encBlock,btype);
    }

    void psw(char bfunc, char btype, char *outbuf) {
    int cnt,i,lenpsw,r;
    if (bfunc==fHDDold) {
    memcpy(inData,buf1input,11);
    // calcsuffix(bfunc,btype,outbuf);
    for (cnt=0;cnt<8;cnt++) outbuf[cnt]= scancods[ outbuf[cnt] ]; } else { memset(inData,0,sizeof(inData)); if (bfunc==fSVCTAG) cnt=7; else cnt=11; if ((bfunc==fHDDSN) && (btype==tA95B)) memcpy(inData,&buf1input[3],cnt-3); else memcpy(inData,buf1input,cnt); if (btype==t595B) memcpy(&inData[cnt],&bSuffix[0],4); else if (btype==tD35B) memcpy(&inData[cnt],&bSuffix[4],4); else if (btype==tA95B) memcpy(&inData[cnt],&bSuffix[0],4); else if (btype==t2A7B) memcpy(&inData[cnt],&bSuffix[12],4); cnt += 4; inData[cnt] = inData[4] & 0x1F; inData[cnt+1] = ((inData[4] >> 5) | (((inData[3] >> 5) | (inData[3] << 3)) & 0xF1) & 0x1F); inData[cnt+2] = ((inData[3] >> 2) & 0x1F);
    inData[cnt+3] = (inData[3] >> 7) | ((inData[2] << 1) & 0x1F); inData[cnt+4] = (inData[2] >> 4) | ((inData[1] << 4) & 0x1F); inData[cnt+5] = (inData[1] >> 1) & 0x1F;
    inData[cnt+6] = (inData[1] >> 6) | ((inData[0] << 2) & 0x1F); inData[cnt+7] = (inData[0] >> 3) & 0x1F;
    for (i=cnt;i<8+cnt;i++) {
    r = 0xAA;
    if (inData & 1)
    r ^= inData[4];
    if (inData & 2)
    r ^= inData[3];
    if (inData & 4)
    r ^= inData[2];
    if (inData & 8)
    r ^= inData[1];
    if (inData & 16)
    r ^= inData[0];
    inData = encscans[r % sizeof(encscans)];
    }
    cnt = 23;
    encode(inData,cnt,btype);
    r = outData[0] % 9;
    lenpsw = 0;
    for (cnt=0;cnt<16;cnt++) {
    if ((r <= cnt) && (lenpsw<8)) { buf1output[lenpsw++] = scancods[encscans[outData[cnt] % sizeof(encscans)]]; } } } } int main(int argc, char *argv[]) { unsigned char len,len1,bfunc,eol=1,echo=0, *minus,s2[20]; signed char btype; int argn=0; if (argc>1)
    echo=1;

    if (!echo)
    fputs("" mystr "\n" \
    "Short service tag should be right padded with '*' up to length 7 chars\n" \
    "HDD serial number is right 11 chars from real HDDSerNum left padded with '*'\n" \
    "Some BIOSes has left pad HDD serial number with spaces instead '*'\n",stdout);

    while (!feof(stdin)) {
    if ((argc<=1) && argn) break; fputs("Input: #",stdout); if (argc>1) {
    strncpy(buf1input,argv[++argn],sizeof(buf1input));argc--;
    }
    else {
    if (!eol) while (!feof(stdin) && (fgetc(stdin)!='\n')); eol=0;
    if (fgets(buf1input,16+1+1,stdin)==NULL) {
    if (echo) fputs("\n",stdout);
    break;
    }
    }
    len=strlen(buf1input);
    if (len && (buf1input[len-1]=='\n')) {len--;eol=1;buf1input[len]=0;}
    if (echo) {fputs(buf1input,stdout);fputs("\n",stdout);}
    minus=strchr(buf1input,'-');
    if (len==11) {
    if (minus!=NULL) {
    fputs("- Incorrect input\n",stdout);
    continue;
    }
    bfunc=fHDDold;
    fputs("By HDD serial number for older BIOS: ",stdout);
    } else {
    if (len==0) break;
    if (minus==NULL) {
    fputs("- No BIOS type found in input string, must be followed by -595B and other registered\n",stdout);
    continue;
    }
    len1=minus-(unsigned char*)buf1input;

    btype=-1;
    #ifdef allow595B
    if (strncmp(&buf1input[len1+1],&bSuffix[0],4)==0) btype=t595B;
    else
    #endif
    if (strncmp(&buf1input[len1+1],&bSuffix[4],4)==0) btype=tD35B;
    else
    #ifdef allowA95B
    if (strncmp(&buf1input[len1+1],&bSuffix[8],4)==0) btype=tA95B;
    else
    #endif
    #ifdef allow2A7B
    if (strncmp(&buf1input[len1+1],&bSuffix[12],4)==0) btype=t2A7B;
    #endif
    if (btype<0) {
    fputs("- Invalid service tag in input string, allowed only -D35B and other registered\n",stdout);
    continue;
    }
    struct tm *time1; time_t timer1=time(NULL);
    time1=gmtime(&timer1);
    strftime(s2,sizeof(s2),"%d.%m.%Y %H:%M",time1);
    fputs(s2,stdout);
    fputs(" DELL ",stdout);

    if (len1==7) {
    bfunc=fSVCTAG;
    fputs("service tag: ",stdout);
    fputs(buf1input,stdout);
    } else
    if (len1==11) {
    bfunc=fHDDSN;
    fputs("HDD serial number: ",stdout);
    fputs(buf1input,stdout);
    }
    else {
    fputs("- Incorrect input, must be 7 chars service tag or 11 chars HDD serial number\n",stdout);
    continue;
    }
    }
    psw(bfunc,btype,buf1output);
    fputs(" password: ",stdout);
    fputs(buf1output,stdout);
    if (bug4) fputs(" !bug4 warning - password may not work!",stdout);

    if (btype==t595B) if (bfunc==fSVCTAG) { //to check if A95B bug
    char mpw1[20];
    strcpy(mpw1,buf1output);
    psw(bfunc,tA95B,buf1output);
    if (strcmp(mpw1,buf1output)!=0) {
    fputs(" passwordA95B: ",stdout);
    fputs(buf1output,stdout);
    }
    }
    fputs("\n",stdout);
    }
    return 0;
    }
     
  2. ABM

    ABM MDL Novice

    Mar 16, 2010
    5
    0
    0
    You can also find a compiled Windows binary here:
    http-www-megaupload-com/?d=U5PWXFGL
    Password: hope
    I entered my service tag into the software, and out popped some random letters and numbers. I tried the generated characters in the BIOS and it worked!
    Good Luck!
     
  3. LostED

    LostED MDL MIRROR Hardlink

    Jul 30, 2009
    3,937
    9,521
    120
    #3 LostED, Mar 4, 2011
    Last edited by a moderator: Apr 20, 2017
    the real job

    Code:
    http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html