08.25.06

Omnibook XE3: Resetting a BIOS password the hard(ware) way

Posted in diy, hardware, howto at 2:39 am by brainstorm

Everything started with the following question:

Hi dude, tomorrow I’m going to Helsinki and I don’t remember this laptop’s password, can you help me ?

A few searches looking for the typical master or universal passwords didn’t help much (nope, “admin” does not work as a backdoor BIOS password as most sites say, really). The owner was really fed up with HP support and it was quite late at night, so neither calling nor sending emails was going to help.

Searching a bit deeper on forums, people were complaining about the same problem without a solution: “Cannot reset omnibook xe3 bios password”, and the well-known common trick to erase the BIOS password was futile (removing the CMOS battery for a while to erase the password and settings). According to some posts, the password was actually stored on a 24C16 EEPROM close to the BIOS chip… So there we go :-)

First, locate and remove the SMD chip (excuse me for the poor quality of the picture :-/):

Omnibook motherboard

Second, solder wires with metal legs (taken from spare resistors, for instance) to the chip to adapt it to a TE20 programmer:

TE20 programmer with 24C16 attached

Third, download icprog and configure it properly (I use TE20 which is recognized as a JDM programmer, but YMMV). Now comes the most interesting part… figuring out where the password is in the EEPROM hexdump… will it be human readable? Ciphered? Let’s see:

ICprog screenshot 2 ICprog screenshot one

The first number matches the laptop’s serial number, good… there’s garbage in the middle (perhaps a ciphered password?) and then more serial numbers found on the chassis (some of them partially) and one unknown string: 15371K… perhaps the cleartext password?
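A way to triage a dump like this offline, as an added example (not the author's code and not icprog output): it lists the printable ASCII runs in a 2048-byte 24C16 image, reports the regions that are neither text nor erased filler, and diffs two images so that any edit is recorded against the original dump. The sample image is constructed; its strings and offsets are placeholders, not values from this laptop.

```python
import re

EEPROM_SIZE = 2048  # 24C16: 16 Kbit = 2048 bytes
ERASED = (0x00, 0xFF)  # filler values treated as empty cells


def printable_runs(image, min_len=4):
    """(offset, text) for every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def opaque_regions(image, min_len=4):
    """(offset, length) of runs that are neither readable text nor filler."""
    is_text = bytearray(len(image))
    for off, s in printable_runs(image, min_len):
        is_text[off:off + len(s)] = b"\x01" * len(s)
    regions, start = [], None
    for i, b in enumerate(image + b"\xff"):  # sentinel closes a trailing run
        opaque = i < len(image) and not is_text[i] and b not in ERASED
        if opaque and start is None:
            start = i
        elif not opaque and start is not None:
            regions.append((start, i - start))
            start = None
    return [(o, n) for o, n in regions if n >= min_len]


def changed_bytes(before, after):
    """Offsets that differ between two dumps: a record of what was edited."""
    if len(before) != len(after):
        raise ValueError("images differ in size")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def build_sample():
    """Constructed image; strings and offsets are placeholders, not real data."""
    img = bytearray(b"\xff" * EEPROM_SIZE)
    img[0x10:0x1A] = b"SERIAL0001"
    img[0x20:0x28] = bytes([0x8E, 0x13, 0xC4, 0x07, 0xA9, 0xF1, 0x02, 0xD5])
    img[0x30:0x38] = b"CHASSIS9"
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample()
    for off, s in printable_runs(dump):
        print(f"0x{off:03x}  text    {s!r}")
    for off, n in opaque_regions(dump):
        print(f"0x{off:03x}  opaque  {n} bytes: {dump[off:off + n].hex()}")
```

Saving the untouched dump before writing anything back is what makes `changed_bytes` useful: the original image can be restored if the board rejects the edited one.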

I was running out of time so I decided to write the EEPROM filling the strange middle characters with 0’s in an attempt to clear a possibly ciphered password… and if the laptop prompted for a password, I would try 15371K… None of these finally occurred:

Re-soldered the chip back, reassembled the laptop (a painful task, lots of screws!) and switched it on. The initial boot screen was frozen on the first 2 reboots, without password prompt, just a static HP logo in the middle of the screen with no response, but wait, don’t panic!

After rebooting three times in a row, the laptop complained about corrupted BIOS, one more reboot and I was able to enter the BIOS! :-) Happy ending, isn’t it? Well, sort of, there are some pending curiosity issues here:

  • It seems that the bios detected corrupted data on 24C16 and then restored or cleared its contents, then:
    1. Which was the actual password ? The cleartext one or the “ciphered” one ?
    2. Was the password really inside this particular eeprom or somewhere else ?
  • Perhaps this process was not necessary and the forums guys were wrong about the uselessness of the battery trick

Never mind, the laptop is now 100% functional with Ubuntu installed and flying to Helsinki ;-)

10 Comments »

  1. brainstorm said,

    August 31, 2006 at 5:20 pm

    Perhaps it would have been easier to ground the 24C16 address pin like TCNiSO team did in one of their hacks:

    http://tcniso.net/Nav/Tutorials/290DevMenu/

  2. Aurelio Ramos Alfaro said,

    September 4, 2006 at 1:42 pm

    Hello, I have this problem in my laptop omnibook xt6200, can I do it in my laptop?
    Excuse me for my poor English, I’m from Spain.

  3. Aurelio Ramos Alfaro said,

    September 4, 2006 at 7:08 pm

    Hello again, the BIOS chip of my laptop is the SST39SF040, if I can do anything with it, tell me, please.
    THANKS.

  4. brainstorm said,

    September 4, 2006 at 7:53 pm

    I’m from Spain also ;-) To follow my method (which I don’t really know if it’s applicable to your hardware), you first have to find a 24C* EEPROM near your BIOS chip, not the BIOS chip itself.

    Anyway, have you tried to remove your BIOS battery (AND the laptop’s battery) for a while, say, 10 minutes?

  5. Eduardo Massinga said,

    November 15, 2006 at 10:48 am

    Please, I need more information about how I can remove the BIOS password on an HP laptop, like OmniBookEx3

  6. brainstorm said,

    November 16, 2006 at 12:48 am

    So please, state your specific doubts or questions…

  7. Eman said,

    March 10, 2007 at 2:58 pm

    I cannot find any BIOS battery in my Omnibook XE3. Is there any BIOS battery?

  8. brainstorm said,

    March 10, 2007 at 4:23 pm

    Sure, it was there in my case. Take another look at the photo: look for a red circled component labeled as “Batt”. You have to remove all the screws to get access to the BIOS battery, did you do so? It’s a little button-sized battery, covered with brown plastic to avoid short circuits.

    Perhaps your laptop has another mainboard layout revision and it’s somewhere else (unlikely), keep looking and you will find it.

  9. dhalsiim said,

    September 13, 2007 at 3:03 pm

    Do you know if the laptop would boot without the 24C16 chip, or if it is improperly installed? My soldering skills are not up to par. Now the laptop won’t boot any more. I know all the connections are right. It’s silly to mention but at least the CD player works with the front controls!

  10. brainstorm said,

    September 13, 2007 at 5:51 pm

    Did you read/write the 24C16 editing the (supposed) password field?

    Sorry but I don’t really know if it’s gonna boot without even finding where the password is stored… I never tried this :/

    Good luck and feel free to share your results here ;)
