
Are there any reliable methods that allow an attacker to bypass a BIOS password, or alter BIOS settings without entering the password?

A few ideas come to mind:

  • The old battery trick (remove battery, wait an hour, plug battery back in)
  • Swap the BIOS chip. On some boards you can do this without desoldering.
  • Crack the BIOS password. Is this even possible?

Are any of these viable in modern machines? Are there any other ways to break into the BIOS?

(slightly off topic, but still an interesting question: are datasheets usually available for BIOS chips?)

Polynomial
  • See this page, all related to BIOS reset and BIOS passwords: http://superuser.com/search?q=bios+password. From superuser.se I found two useful tools: http://www.11a.nu/security/pc-bios-security-password-recovery/ – BlueBerry - Vignesh4303 Sep 03 '12 at 10:24
  • Some motherboards have a jumper you have to short to clear the BIOS. – Iszi Sep 04 '12 at 13:44
  • @Iszi The BIOS reset jumper doesn't always reset the password. Sometimes it's on an external NVRAM IC. – Polynomial Sep 04 '12 at 13:55
  • It looks like (for the most part) modern motherboards use standard(ish) SPI flash chips to store the BIOS data. For instance, an ASUS LGA1155 P8PXX series motherboard could have [this chip](http://www.aliexpress.com/store/product/W25Q32BVAIG-DIP-8-WINBOND-IC-SPI-FLASH-32MBIT-8DIP/503973_561020387.html), which means they no longer need RAM or even NVRAM chips. At any rate, you can find a pretty comprehensive list of chips [here](http://bios-repair.com/Programmed-BIOS/Programmed.html) if you know the manufacturer and the model number of the motherboard in question. – David Freitag Aug 21 '13 at 16:59
  • Right, except you linked to DIP ICs, and the ones on the board are SOIC. A DIP could easily be removed and re-soldered, but doing the same on a fine-pitch SOIC would be significantly difficult without damaging the pads. Even more so when you consider that many motherboards have under-pad vias, which can easily be damaged by resoldering efforts. – Polynomial Aug 26 '13 at 22:36
  • Not worth an answer, but I have a quick bit of input. Depending on the make, some BIOS installations implement a grace period that allows the user to gain access to the computer without entering a password, notifying the user that they'll have to enter it sometime later. From here you can likely re-flash the BIOS from the main OS. Rare occurrence, but I've seen it happen. – esnowrackley Aug 09 '14 at 04:51
  • There seems to be some confusion about the BIOS and BIOS chips. Usually "BIOS chip" refers to the chip with the BIOS firmware in it. They're usually Flash. David Freitag links to some pages about this type of BIOS chip. However, the BIOS settings are normally stored somewhere else, traditionally in some battery-backed RAM which is on the same chip as the battery-backed clock. But they could be in an EEPROM chip. –  Aug 08 '14 at 13:12

2 Answers


It depends on how the BIOS chip stores the password.

If the BIOS chip stores the password in battery-backed RAM then removing the battery will clear the RAM which will restore the BIOS defaults. For most chips the BIOS default is to not require a password.

If the BIOS chip stores the password in an external Non-Volatile Memory chip (usually EEPROM) then it is usually possible to remove the NVM chip and read the password directly from the chip. Another option is to clear the NVM chip to restore the BIOS defaults.

If the BIOS chip stores the password in on-chip ROM then the password is the same for all chips and it is usually possible to Google the password. Likewise, many BIOS chips have a backup password in ROM which can be found using Google.

There may be BIOS chips which store the password in on-chip non-volatile memory (most likely One Time Programmable ROM). If such chips exist (I'm not aware of any) then the best bet would be to try and brute force the BIOS password using something like this. Of course, if someone went to the trouble (and expense) of using on-chip NVM to store passwords they might also limit the number of password attempts in a given period of time.

Things get more complicated if the BIOS password is protected by a TPM (Trusted Platform Module). For that see Tamper-proof BIOS password & settings storage with Trusted Platform Module?.

David Wachtfogel
  • +1 for that Arduino project. I actually considered that as an option, but it seems someone beat me to it! :) – Polynomial Sep 03 '12 at 12:17

Most BIOS chips I've encountered can have the password reset by a simple jumper setting or some similar approach if you have direct physical access to the computer. In general, however, this will result in a wipe of the data in the BIOS, or at least any security-related information (such as TPM (Trusted Platform Module) keys). In general, if you are trying to protect something via a BIOS password, you will additionally need a system with a TPM and encryption where the decryption key is stored or protected by the TPM.

AJ Henderson