OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Toshiba NoteBooks BIOS Password Backdoor - Password Cracker
From: Nick FitzGerald (nickVIRUS-L.DEMON.CO.UK)
Date: Fri Feb 25 2000 - 18:38:33 CST

> If you can boot, it is possible to get a password with the same checksum
> and enter the Bios. The checksum value is stored in Cmos. If you create a
> recovery disk, this value is stored after the word "KEY" in the 1 first
> sector (sector 0 is boot sector).

Maybe you missed Oscar's point? His description explains how to
break *power-on* security on a Tosh notebook. If you can boot it
from a floppy, all bets are off...

It appears Toshiba has been practising "security through obscurity"
as in the past we were always told that the only way to recover from
a lost/corrupted power-on password was to send the machine to Toshiba
(*not* a Toshiba authorized service centre, to a genuine Toshiba
service centre). Seems they were not splitting the cases and doing
some extra magical internal hardware twiddling after all, but simply
sitting on a stock of "magic disks".

Of course, if anyone was "depending" on power-on passwords to protect
their Tosh (or any other) notebook, they were slightly delusional to
start with, as described in the usual dicta regarding attackers
having physical access to a machine...

> To crack Toshiba password (Award, AMI and some others models), you can
> try CmosPwd (Dos/Win9x, WinNT, Linux versions) avaible at
> http://www.esiea.fr/public_html/Christophe.GRENIER/

*If* you have boot access, this is a very handy little util! (If
you don't have boot access, a screw-driver and a good memory for
mainboard layouts and jumper positions helps...) 

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854