Hardware Hacking 101: CyberCX’s Guide to BIOS Password Bypass

Estimated read time 3 min read

If you are a cybersecurity enthusiast, then you must have stumbled upon the complexities tied to forgotten BIOS passwords. An intriguing case study by CyberCX provides insights into how this seemingly minor issue can halt important processes such as device wiping or hardware changes​.

As an Amazon Associate, Cyberwarzone earns from qualifying purchases.

A Quick Recap on BIOS Passwords

Just to set the stage, BIOS passwords are designed to safeguard hardware systems and their configuration from unauthorized access. In the past, a simple method to reset the BIOS would be to remove the coin cell battery, wait a bit, and voilà, the BIOS configuration resets to factory defaults. However, modern systems store the configuration in non-volatile storage on the motherboard, which requires a more sophisticated approach.

The Vulnerability

Enter the Electrically Erasable Programmable Read-Only Memory (EEPROM), a separate entity from the BIOS chip itself on these Lenovo laptops. What’s the hitch? If the CyberCX team can interrupt or intercept the communication between the BIOS chip and the EEPROM, the BIOS password prompt can be bypassed. This vulnerability is publicly well known, and CyberCX is aiming to build on existing research to repurpose these retired laptops​.

Identifying Vulnerable Chips

As the CyberCX team discovered, this setup is not unique to Lenovo. Other manufacturers have the same implementation problem. In the Lenovo laptop motherboards, the EEPROM is an 8-Pin Thin Shrink Small Outline Package (TSSOP), which can come in several configurations. A closer look at each chip on the laptop motherboard allows identification of several SOP, TSSOP, and TMSOP-8 packages. The EEPROM communicates over the Inter-Integrated Circuit (I2C) protocol, and the CyberCX team found that an attack against the Serial Clock (SCL) and Serial Data (SDA) pins can modify or interrupt the communication, thus bypassing the BIOS password​.

How to Bypass BIOS Password

The CyberCX team undertook the process with a Lenovo L440. The steps to perform a successful attack against the BIOS password were as follows:

  1. Locate the correct EEPROM chip.
  2. Locate the SCL and SDA pins.
  3. Short the SCL and SDA pins at the right time​​.

There were three chips that fit the package and pinout criteria on the Lenovo L440. The easiest way to identify if the chip is a candidate is to search for the serial number and the word EEPROM. This process, however, can be challenging as many manufacturers do not use actual serial numbers and have their own standards and versioning systems​.

In this instance, the CyberCX team initially performed the attack against the wrong chip. Still, the attack worked, as demonstrated on a Lenovo X230, showing that the same attack process still applies​.


Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author