Announcement

**imranromi** · 10-07-2019, 09:35 AM

Re: 840 G1 , 840 G3 and 8470p

Originally posted by frozen_neo View Post

Hi Guys. I've bought a big lot of laptops (840 G1, 840 G3 and 8470p). My problem is that all of them came with a BIOS password. I´ve already done the reprogram in one of each and it's working fine, but i still have something like 100 Laptops to reprogram.....

Do you know if there is a way of decrypt a bin dump file , by reading it with HxD or something like that, or if there is a easier way to do this? i've got a very short schedule and i'm afraid i cannot deliver the product to my client in time

I send you file or clue you can work all laptop this methods this 1 is easy i think
i send you file search in hex this 1st hex data like this (24 56 53 53 B8) or find original lock just replace and done.
Or without reading bios chip no have solution always read bios chip and then remove

Attached Files

HP 8470P.rar (4.9 KB, 57 views)

**frozen_neo** · 10-07-2019, 10:55 AM

Re: 840 G1 , 840 G3 and 8470p

Originally posted by imranromi View Post

I send you file or clue you can work all laptop this methods this 1 is easy i think
i send you file search in hex this 1st hex data like this (24 56 53 53 B8) or find original lock just replace and done.
Or without reading bios chip no have solution always read bios chip and then remove

Thanks for your response imranromi. I already have one copy of each dump file of each laptop. This way i can program, but my issue here is that i need to do this for each one of them (take out, reprogram, put back in) times 100... By reading the bin file isn't it possible to check the password?

**imranromi** · 10-07-2019, 10:59 AM

Re: 840 G1 , 840 G3 and 8470p

Originally posted by frozen_neo View Post

Thanks for your response imranromi. I already have one copy of each dump file of each laptop. This way i can program, but my issue here is that i need to do this for each one of them (take out, reprogram, put back in) times 100... By reading the bin file isn't it possible to check the password?

But 840 g1 or g40 g3 you copy bios give late display.
No you always put and back step repeat no have other solution

**RethoricalCheese** · 10-07-2019, 11:17 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Hey! I have sent you a tool via email that might speed things up for you. It is still in testing phase so I would like you to test and report back before I upload the tool in the forums.

**frozen_neo** · 10-08-2019, 05:47 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

RethoricalCheese Thank you so much for your reply. It might be a good solutions in case i dont find a dump file,and i will keep it to test in a different model someday in the future. In this case i would really need the password. All the laptops i've got have the same password, so the idea here was to try to decrypt the file somehow.

**imranromi** · 10-08-2019, 05:59 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Originally posted by frozen_neo View Post

RethoricalCheese Thank you so much for your reply. It might be a good solutions in case i dont find a dump file,and i will keep it to test in a different model someday in the future. In this case i would really need the password. All the laptops i've got have the same password, so the idea here was to try to decrypt the file somehow.

Hp laptop cannot find the password the file hp RSA file.Lenovo some model find the password..

**imranromi** · 10-08-2019, 06:02 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Originally posted by RethoricalCheese View Post

Hey! I have sent you a tool via email that might speed things up for you. It is still in testing phase so I would like you to test and report back before I upload the tool in the forums.

Hello friend i want to check tool i have lock laptop different model
If you send my email:********************* i wait thanks

**RethoricalCheese** · 10-08-2019, 09:36 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Will post it soon.

Anyway, on the topic. A quick search found this: https://www.serializing.me/2016/10/1...ds-decryption/

Maybe it can be used somehow to decrypt passwords stored in bios.

I don't have an HP at home right now so I can't test with known passwords.

If it really works then I think it is possible to make a windows/dos program which retrieves and decrypts the password and eithers just shows it or maybe sends that data to an arduino and after restarting and pushing a button on arduino it writes that same password in bios password prompt and does the rest of the unlocking automatically. Atleast that's what I would try to make

**frozen_neo** · 10-09-2019, 04:43 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Originally posted by RethoricalCheese View Post

Will post it soon.

Anyway, on the topic. A quick search found this: https://www.serializing.me/2016/10/1...ds-decryption/

Maybe it can be used somehow to decrypt passwords stored in bios.

I don't have an HP at home right now so I can't test with known passwords.

If it really works then I think it is possible to make a windows/dos program which retrieves and decrypts the password and eithers just shows it or maybe sends that data to an arduino and after restarting and pushing a button on arduino it writes that same password in bios password prompt and does the rest of the unlocking automatically. Atleast that's what I would try to make

Yeah it does work, but not directly. The password has to be created by the HP software and the dump file that it creates afterwards can be decrypted. The BIOS one although is a little different. By finding the code in BIOS where the password is stored it might work i hope.... but i didn't find it yet

Anyway, if someone wants the code already compiled, i leave here the file

Attached Files

HP.zip (4.2 KB, 66 views)

**fyaagoub** · 10-09-2019, 04:57 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

HELLO TRY THIS

https://github.com/texhex/BiosSledgehammer

**RethoricalCheese** · 10-09-2019, 05:10 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Originally posted by frozen_neo View Post

Yeah it does work, but not directly. The password has to be created by the HP software and the dump file that it creates afterwards can be decrypted. The BIOS one although is a little different. By finding the code in BIOS where the password is stored it might work i hope.... but i didn't find it yet

Anyway, if someone wants the code already compiled, i leave here the file

Well, I guess the password in bios is stored after BIOSAdminScanCode between 00 00 00 and aa 55. But that decrypt tool wasn't able to decrypt that.

**frozen_neo** · 10-10-2019, 03:16 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Originally posted by fyaagoub View Post

HELLO TRY THIS

https://github.com/texhex/BiosSledgehammer

This is the kind of solution i'm looking for.

The last day i've been trying to use it. I even made a Batch file to create passwords in Bin format individualy with the HPQPSWD tool. I'm still trying to find a way to force the reading with this program. Tried in a laptop with a password that i know of (EX:11112222) and when the program reads the bin file with that same password, it gives me an 666 error, which means is not reaching the BIOS. Anyone tryed already this with sucess?

**frozen_neo** · 10-14-2019, 03:40 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Ok, i manage to create a batch file which uses both HPQPswd and BiosConfigUtility from HP and after some thinking, it started accessing th BIOS. The program uses combinations and try to bruteforce it. the only problem is it's way too slow. It tests something like 62 words a minute... anyone knows a way of opening the BiosConfigUtility faster? i can leave what i have done here if you want to check

Attached Files

BIOS Configuration Utility (2).zip (3.71 MB, 95 views)

**frozen_neo** · 10-17-2019, 03:50 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Anyone can help me with this issue? still looking for solutions....

**biospwd** · 10-29-2019, 02:54 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Send here bios dump then i unlock.

**RethoricalCheese** · 10-29-2019, 03:07 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Originally posted by biospwd View Post

Send here bios dump then i unlock.

He doesn't want unlocking, he wants to find out what the password is.

**biospwd** · 10-29-2019, 03:27 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Originally posted by RethoricalCheese View Post

He doesn't want unlocking, he wants to find out what the password is.

)))

@frozen_neo send 100-200 dump. I unlock all fast by soft.

HP password are in bios in different place.

U can search in dump words like: Admin, passphrase etc. but you will lose a lot of time editing.

So if u have XXX laptop , the best way will be to do bios backup and upload here then i unlock all.

**RethoricalCheese** · 10-29-2019, 04:41 AM

Re: 840 G1 , 840 G3 and 8470p bios passwords

Originally posted by biospwd View Post

)))

@frozen_neo send 100-200 dump. I unlock all fast by soft.

HP password are in bios in different place.

U can search in dump words like: Admin, passphrase etc. but you will lose a lot of time editing.

So if u have XXX laptop , the best way will be to do bios backup and upload here then i unlock all.

Well, he already has my software to unlock them but because all the laptops have same password, it could be much faster to find out the password instead of unlocking using dump. Read the topic from the beginning.

**EineWildeStehlampe** · 12-30-2021, 12:48 PM

Re: 840 G1 , 840 G3 and 8470p bios passwords

I know this thread is somewhat old but I've been experimenting with those HP laptops with the HP_BIOSAdminScancode structure a bit today and found out that it is in fact quite easy to brute force them given a certain maximum character length.

The encrption mechanism works like this:
The entered password is firstly stored as a Scancode string (see https://www.scs.stanford.edu/10wi-cs...s-1.html#ss1.4 for example), so "q" becomes 0x10, "w" becomes "0x11", etc.
That hex string of scancodes is then simply hashed with SHA1.

So to decrypt them we can just use something like Hashcat running on a GPU. For example for a password of maximum 8 characters length only using letters and numbers we can use:
"hashcat -m 100 -a 3 --hex-charset --increment -1 101112131415161718191e1f202122232425262c2d2e2f30313202030405060708090a0b sha1.txt ?1?1?1?1?1?1?1?1"
where "sha1.txt" simply contains the SHA1 value we can extract from the "HP_BIOSAdminScancode" NVRAM variable body. The resulting string will be in Scancode format and has to be converted back, again using the Scancode table.
I tried this with a few HP images I found on the web and luckily most of them were less than 8 characters, only containing letters and numbers so I was able to test this a few times.

Announcement

840 G1 , 840 G3 and 8470p bios passwords

840 G1 , 840 G3 and 8470p bios passwords

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment