The F2 key will get you into the Phoenix BIOS.
Unfortunately for me when I got my X90L in 2011 I found that the BIOS was password protected and wasn't able to get into it. The usual default Wyse password of Fireport did not work. The Linux utility dmidecode told me:
BIOS Information Vendor: Phoenix Technologies LTD Version: 6.00 Release Date: 08/22/2008 Address: 0xE8300 Runtime Size: 97536 bytes ROM Size: 512 kB Characteristics: ISA is supported PCI is supported PNP is supported APM is supported BIOS is upgradeable BIOS shadowing is allowed ESCD support is available Boot from CD is supported BIOS ROM is socketed Boot from PC Card (PCMCIA) is supported ACPI is supported USB legacy is supported LS-120 boot is supported ATAPI Zip drive boot is supported BIOS boot specification is supported Targeted content distribution is supported
The journey at that time was interesting....
These days laptops do not store the information relating to passwords in battery backed CMOS memory - it's held in some EEPROM somewhere. (There is NO additional backup battery on most laptop's mother board. Removing all power and the laptop's battery for an extended period has no effect).
Generally PCs do not actually store passwords. What they squirrel away is a hash of the password. In this case the password is reduced to a 16-bit value (see on). As an 8 character password is equivalent to ~48-bits you do end up with a large number of passwords that will give you the right 16-bit hash code. However, if the hash algorithm used is half decent, you still only have a 1 in 60,000 odd chance of coming up with a password that will let you in. From the point of view of somebody sitting in front of the laptop at the keyboard this is still a huge problem.
Obviously users can forget passwords and there needs to be some reasonably low-cost way to get around the problem. (Note: Here the requirement is to stop the casual user from fiddling with the laptop's settings. We're not trying to protect the Nation's secrets.). In this case the answer is on the screen after the third failed attempt:
What looks like a system error code is actually the hash value that the BIOS has stored. In this case it is decimal 15015 which is 3AA7 in hex. Equipped with this value it is relatively straight forward to run a program that will generate random passwords until it finds one that produces that hash value. With the sorts of hash algorithms used in the BIOS and the power of modern computers it is only a matter of a few seconds to find a password.
For every step forward there is often one or more backwards....
For the program to work we need to know exactly what hash algorithm is being used and what the input values are. Dogbert's Blog has some information on this and a python script to do the searching. Unfortunately the passwords produced by the script do not work for the Phoenix BIOS on the Wyse....so we're left with the problem of determining the algorithm that is used in the Wyse Xn0L BIOS (and any seed value) so we can write our own password cracker.
Options for discovering the password hashing algorithm are:
One final option was to find and clear the password hash - or the flag that says there is a password set. One possible storage area is the EEPROM that is associated with the ethernet chip. These usually have plenty of spare space after the area used by the ethernet chip to store its basic operating parameters (such as the MAC address). Once again I hit the "...unfortunately..." as the standard Linux tool ethtool (at least from within Tiny Core) could not access any EEPROM memory associated with the RTL8169 ethernet chip.
In May 2014 Mark very kindly sent me eight password/hash pairs for the X90L and, armed with these, it didn't take very long to work out what was going on. Using the form on this page will find you a matching password within a few seconds.
The Xn0L runs Windows XPe SP2. Mine came with an unknown password set for the Administrator's account and auto-logged-in as the user User with User's password set to User.
Luckily it easy to reset the Administrator's password - or at least it was in the way mine was configured.
From the auto logged on user:
At this point the hack is only temporary as the 'write filter' is in place and any changes you make are just held in RAM and not written back to the flash. You need to log out and log back in as the Administrator using the password you've just set. Holding down the Left-Shift key when you logout disables the auto-login feature and brings up a conventional "Welcome to Windows" box with an invitation to press Ctrl-Alt-Delete to login. Having logged in as Administrator double-click on the FBWF disable icon to turn off the write filter.
The system will reboot at this point and you'll back to square one. However, as you go through the steps outlines above, this time the new Administrator password will be written to flash.
You can also take this opportunity to make other changes to the system - such as setting the network details for your local wireless network.
Once you're happy with the changes double click on the FBWF Enable icon to turn the write filter back on.
Any comments? email me. Added December 2011 Last update May 2017