Saturday, April 21, 2012

Remove the BIOS password on the Probook 6560b

Okay, I admit it. I forgot the BIOS password on my HP Probook 6560b laptop. Dur... I took this as a challenge though: “Oh goody, I get to kill my BIOS password!” So I booted into UBCD and tried my favorite BIOS password murdering tools like cmospwd. Didn’t go very well. Every time I would reboot out of the tool it would error out at a BIOS checksum error and not let me get into the BIOS. It would then force a reboot at which time it would restore the BIOS password. Lots of googling didn’t do it. Lots. Apparently the TPM chip stores the password and can restore it to the CMOS if it sees that it is gone. Security feature. Hmmm.

Sometimes the best hack is manufacturer support, lol. The first time I contacted HP they said I needed to drive 2 hours to an authorized vendor who I could pay to flash the TPM. That wasn’t what I wanted to hear. So I waited about 4 months and then contacted them again. Heh.

This time the chat support rep had someone from “HP Complex Problem Resolution & Quality” email me some cool instructions. As I say, sometimes the best hack comes from the manufacturer. It worked very hunkydorily. Below are instructions to clear the TPM and reset the BIOS, with my added juicy detail. This can't be found anywhere on the internet at the time of this post from what I can tell. The needed smc.bin can be found on my Google Sites storage here:

UPDATE: You must contact HP chat support directly and give them your UUID (easy to do) in order to get a smc.bin file which is generated for your specific device. Once you have this, you can proceed with the instructions below. Read the comments on this post for more information.

1. Save smc.bin to the root of a USB thumb drive “(or save the file to the root of drive D: HP_TOOLS)” -- I used a USB drive, btw...
2. Power the laptop off
3. Hold down Windows key + up arrow + down arrow and power the laptop on
4. Let go of the keys at the HP splashscreen
5. Press F10 repeatedly at the screen that shows up with "SMC command handled successfully"
6. This should bring you into the BIOS where you need to choose “Reset BIOS security to factory default” and confirm by choosing yes (duh)
7. Exit the BIOS, saving changes (duh)
8. When the laptop reboots, you will see the coveted prompt to clear the TPM, which is shown below.
9. Press F1 (duh again)
10. When the laptop reboots, the BIOS password is goners.
11. Feel hunkydory!




Really easy. HP didn't make me prove I was the owner or anything.

I opened the smc.bin file with Notepad 'cause I'm curious like that and some info that didn't seem like it was perhaps intended to be in there showed itself, lol:

AMERICAS\KNadeem
<Unavailable>
SMCServer
16.83.149.195
16.83.145.98
16.83.145.98


An nslookup on these IPs showed internal-host.americas.hpqcorp.net. Curiously strong, bro. Is americas a Windows domain name then? A whois shows that 16.0.0.0/8 belongs to HP. I didn't get all crazy and port scan 'em or anything but it's pretty funny that what looks like an internal domain name, internal username and two possibly internally accessed public IPs made it into this 807 byte file. #wazatsupozzedtohappen?
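
A leak like the one described above can be caught before a generated file leaves the building. The following is an added example, not part of the original post and not HP's tooling: it extracts printable ASCII and UTF-16LE strings from a binary blob and flags DOMAIN\user account names and IPv4 addresses. The sample blob and every name and address in it are constructed.

```python
import ipaddress
import re

# Runs of 4+ printable characters, stored as ASCII or as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Heuristic for NetBIOS-style DOMAIN\user names (domain part up to 15 chars).
# It also matches relative Windows paths, so review hits by hand.
DOMAIN_USER = re.compile(r"\b[A-Za-z][A-Za-z0-9-]{1,14}\\[A-Za-z0-9._-]+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def printable_strings(blob):
    """Return printable strings found in blob, in both encodings."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def audit_blob(blob):
    """Flag account names and valid IPv4 addresses embedded in blob."""
    accounts, addresses = set(), set()
    for text in printable_strings(blob):
        accounts.update(DOMAIN_USER.findall(text))
        for candidate in IPV4.findall(text):
            try:
                ipaddress.IPv4Address(candidate)  # rejects e.g. 999.1.1.1
            except ValueError:
                continue
            addresses.add(candidate)
    return {"accounts": sorted(accounts), "ipv4": sorted(addresses)}


# Constructed sample: binary framing around leaked build metadata.
SAMPLE = (
    b"SMC\x01\x00\x00\x02\x10"
    + b"EXAMPLECORP\\jdoe\x00"
    + b"\xff\xfe" + "build-host 192.0.2.10".encode("utf-16-le")
    + b"\x00\x00\x9c"
    + b"relay=198.51.100.7;fw=999.1.1.1\x00"
    + bytes(range(0x80, 0x90))
)

if __name__ == "__main__":
    for kind, values in audit_blob(SAMPLE).items():
        print(kind, values)
```

Run as a release gate, a non-empty result means the file should be regenerated without the build host's metadata.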

Doing some googling based on that username of KNadeem did show some interesting results, including a few possible matches of former/current HP employees on LinkedIn. (This was not the username of the support rep who emailed me.) Enough fun with that, though. The lesson on this one is that there are times to engage the vendor in your hacking endeavors. Ciao!