
Wyse Xn0L: Passwords 

BIOS Passwords

When I got my X90L in 2011 I found that the BIOS was password-protected and I wasn't able to get into it. The usual default Wyse password of Fireport did not work. However, I was able to boot Tiny Core Linux from USB and to install it on the internal flash memory. This page describes my route through to removing the password.

These days laptops do not store the information relating to passwords in battery-backed CMOS memory - it's held in some EEPROM somewhere. (There is NO additional backup battery on most laptops' motherboards. Removing all power and the laptop's battery for an extended period has no effect.)

Generally PCs do not actually store passwords. What they squirrel away is a hash of the password. In this case the password is reduced to a 16-bit value (see below). As an 8-character password is equivalent to ~48 bits, you end up with a large number of passwords that will give you the right 16-bit hash code. However, if the hash algorithm used is half decent, you still only have a 1 in 60,000 odd chance of coming up with a password that will let you in. From the point of view of somebody sitting in front of the laptop at the keyboard this is still a huge problem.

Obviously users can forget passwords and there needs to be some reasonably low-cost way to get around the problem. (Note: Here the requirement is to stop the casual user from fiddling with the laptop's settings. We're not trying to protect the Nation's secrets). In this case the answer is on the screen after the third failed attempt:

[Image: BIOS disabled message]

What looks like a system error code is actually the hash value that the BIOS has stored. In this case it is decimal 15015, which is 3AA7 in hex. Equipped with this value it is relatively straightforward to run a program that will generate random passwords until it finds one that produces that hash value. With the sorts of hash algorithms used in the BIOS and the power of modern computers it is only a matter of a few seconds to find a password.
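To make the 16-bit argument concrete, here is an added example (not from the original page): it draws random 8-character passwords until one hashes to the displayed value, and different seeds yield different passwords for the same hash. The hash is CRC-16/ARC, chosen purely as a stand-in; it is an assumption and not the Wyse/Phoenix algorithm, which this page does not give, and the function names and alphabet are hypothetical.

```python
import random
import string

# Constructed candidate alphabet for the demonstration (assumption).
ALPHABET = string.ascii_lowercase + string.digits


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC: poly 0x8005 (reflected 0xA001), init 0. Stand-in hash only."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def find_matching_password(target, length=8, seed=0, max_attempts=2_000_000):
    """Draw random passwords until one hashes to `target`.

    Returns (password, attempts), or (None, max_attempts) if the cap is hit.
    With a 16-bit hash the expected number of attempts is about 65,536.
    """
    rng = random.Random(seed)  # seeded so each run is repeatable
    for attempt in range(1, max_attempts + 1):
        candidate = "".join(rng.choice(ALPHABET) for _ in range(length))
        if crc16_arc(candidate.encode("ascii")) == target:
            return candidate, attempt
    return None, max_attempts


if __name__ == "__main__":
    target = 15015  # value from the lock-out screen described above (0x3AA7)
    # Each seed finds a different password that collides on the same hash.
    for seed in range(3):
        password, tries = find_matching_password(target, seed=seed)
        print(f"seed {seed}: {password!r} after {tries} tries -> {target:#06x}")
```

The number of tries printed for each seed shows why a 16-bit value offers no protection once the hash is displayed and the algorithm is known.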

A search brought up Dogbert's Blog, which had some information and a Python script to do the searching for a password. Unfortunately the passwords produced by that script do not work for the Phoenix BIOS on the Wyse.

So I was left with a number of approaches:

  1. Determine the hash algorithm that is being used and then search for a valid password.
  2. Find and delete the stored hash.
  3. Find the 'flag' that some BIOSs use to mark that a password is set and then reset it.

Option 1 involves either disassembling the BIOS or a cryptographic attack using some known password/hash value pairs.

For every step forward there is often one or more backwards....

  • Linux has a number of utilities such as flashrom that let you read/write the chips that hold the BIOS. Unfortunately the flashrom program could not read the BIOS chip on the X90L.
  • As the X90L does not use the usual 'CMOS' memory, poking around in that won't get anywhere.
  • I know some systems use spare space in the EEPROM that is associated with the Ethernet chip to hold system configuration data. Once again I hit the "...unfortunately..." as the standard Linux tool ethtool (at least from within Tiny Core) could not access any EEPROM memory associated with the RTL8169 Ethernet chip.
  • I had a half-hearted grope around in the Linux /dev/mem with partial success. (I needed to be more methodical...). It did look like it used a standard CRC16 polynomial. However, I wasn't able to find where the routine was called from, so I had no idea of exactly what is being hashed. Anyway, the more recent BIOSs have a multi-stage startup process and the early code that performs all the system initialisation is thrown away as the final system BIOS takes over.

So, back in December 2011, I put up the plea:

If you are reading this and have an Xn0L, can I ask you to:

  • Set a BIOS Setup password.
  • Reboot and hit F2.
  • Enter an incorrect password three times and then record the error code.
  • Repeat the above with at least three different passwords.
  • Send me the results of password+hash pairs.

Thank you.

BIOS Password - phase two

In May 2014 Mark very kindly sent me eight password/hash pairs for the X90L and, armed with these, it didn't take very long to work out what was going on. Using the form on this page will find you a matching password within a few seconds.

 


Any comments? email me. Added December 2011    Last update May 2017