HP Compaq 6200 BIOS Unlock

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    HP Compaq 6200 BIOS Unlock

    Hi,

    recently I got an old decommissioned HP Compaq 6200 SFF PC. Unfortunately, it had a password-protected BIOS, preventing me from installing a fresh OS.

    I decided to dump the flash straight away (therefore desoldered the chip and added a botched socket so I can do easy experiments).
    [Images: mb_top.jpg, mb_spi_flash_extension.jpg]

    First thing I did is to reflash the chip with the latest BIOS (J01_0223.bin - https://support.hp.com/ee-en/drivers...tor-pc/5037900). This was successful, at least the system booted, however it seems to have wiped out some machine information (serial/chassis numbers), as well as some GbE information (integrated LAN MAC was FFFFFFFF). I did manage to install win OS, but the intel 85278 adapter would return a fail code 10 (device would not start or something similar).

    I tried some tools (like Intel Flash image tool v7) to try to build a flash image with different combinations of GbE/ME/BIOS regions, but either I get a locked BIOS and working GbE, or a fresh BIOS that cannot run the ethernet adapter.


    Could you please help me find a way to uncover or remove the BIOS password, or build a good flash image that enables the operation of the ethernet adapter?

    Thanks,
    Dimitar

    #2
    https://www.badcaps.net/forum/troubl...before-posting

    Post the PC serial number, and your BIOS backup.


      #3
      Hi,

      Apologies, I thought I had the flash uploaded, but alas ...
      Anyhow, PC serial is CZC1317KLS

      -
      Dimitar

      Last edited by Vesko356; 02-06-2024, 11:28 AM. Reason: Bios removed. Already posted!!!


        #4
        Hi again,

        so I've been doing some digging, mostly reading thru the forum and browsing the dumps using the EFITool.
        From what was mostly hinted, the AMITSESetup holds some information related to password. However, I don't know how to interpret the hex section.
        [Image: orig_bios_AMITSE_setupdata.png]

        I then tried flashing a clean flash image of a newer version (J01_0221_clean.BIN) and then booting and setting a password. I then read the flash chip again, saving as J01_0221_ding1Dang2DONG.BIN ( ding1Dang2DONG being the password string).
        Then extracting the images using EFIExtract gave me the breakdown of sections, so I could do a diff. What I observe is 3 sections differ.
        1. Body - I guess it contains the write protect bit fields.
        [Image: clen_vs_passworded_body_diff.png]
        2. GbE region - there are some changes there but I cannot attribute them to anything password-related.
        [Image: clen_vs_passworded_GbE_diff.png]
        3. Bios/Padding - most changes are diffed here. As if there are some repeating sections appended to the original file, as well as some fields being overwritten in the original file. The AMITSESetup zone is still not giving me many hints in this dump.
        [Image: clen_vs_passworded_padding0_diff.png]

        I have also tried using some standard CRC/MD5/SHAs to try and find a hash of the passphrase, but no luck so far.

        So, may I please ask for some guidance and help on locating / removing the password of the original bios bin file?

        (I have attached a zip of the clean and passworded flash images).

        Best regards,
        Dimitar
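
Added example, not part of the original post: one way to turn the per-region byte diffs described in post #4 into a list of changed ranges, each labelled by the flash operation it implies (fresh data appended into erased space, bits cleared in place, or a full rewrite). The function names and the sample bytes are constructed for illustration and do not come from the attached dumps.

```python
from typing import List, Tuple

ERASED = 0xFF  # NOR flash reads back 0xFF after a sector erase

def changed_ranges(a: bytes, b: bytes, gap: int = 16) -> List[Tuple[int, int]]:
    """Half-open (start, end) ranges where a and b differ; diffs <= gap apart are merged."""
    if len(a) != len(b):
        raise ValueError("dumps must be the same size")
    ranges, start, last = [], None, None
    for off, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if start is None:
            start = off
        elif off - last > gap:
            ranges.append((start, last + 1))
            start = off
        last = off
    if start is not None:
        ranges.append((start, last + 1))
    return ranges

def classify(old: bytes, new: bytes) -> str:
    """Label a changed range by the kind of flash operation it implies."""
    if all(x == ERASED for x in old):
        return "appended"      # data programmed into previously erased space
    if all(y == ERASED for y in new):
        return "erased"        # sector erased, nothing written back
    if all(x & y == y for x, y in zip(old, new)):
        return "bit-clear"     # only 1->0 transitions: in-place program, no erase
    return "rewritten"         # some bit went 0->1: sector was erased and rewritten

def summarize(a: bytes, b: bytes, gap: int = 16) -> List[Tuple[int, int, str]]:
    return [(s, e, classify(a[s:e], b[s:e])) for s, e in changed_ranges(a, b, gap)]

# Constructed sample data (not taken from any real dump).
_clean = bytearray([ERASED]) * 96
_clean[0:8] = b"VAR1\x83abc"
_clean[80:84] = b"\x10\x20\x30\x40"
_mod = bytearray(_clean)
_mod[4] = 0x81                       # one flag bit cleared in place
_mod[40:48] = b"VAR2\x83xyz"         # new record written into erased space
_mod[80:84] = b"\x11\x20\x30\x41"    # bits set: implies erase + rewrite
CLEAN, MODIFIED = bytes(_clean), bytes(_mod)

if __name__ == "__main__":
    for s, e, kind in summarize(CLEAN, MODIFIED):
        print(f"0x{s:06X}-0x{e:06X} {e - s:4d} bytes  {kind}")
```

Run against two extracted region files of equal size, the "appended" ranges correspond to the repeating sections written into previously empty space, while "bit-clear" and "rewritten" ranges are fields changed in the original data.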


          #5
          Hi again,

          after numerous attempts to recover the known passwords from the above experiment, I finally gave up trying to unlock the old BIOS.

          Since the original problem I faced was that the network adapter would not start (Code 10) after a clean BIOS reflash, I thought the GbE section may be the culprit for storing valuable init data, as well as the MAC address. So using the trusty CH341A and the UEFITool 0.21.5, I first extracted the original GbE section and then replaced it in a clean BIOS image with the same version (in my case older J01_0206).

          This worked somewhat as expected - the serial numbers and passwords are wiped. After booting Win10 OS, however, the device manager complains that Intel ME interface driver cannot start (STATUS_DEVICE_POWER_FAILURE). I found a good description of the problem and some proposed solutions here, although I will not attempt to fix that now.

          Regards,
          Dimitar

            #6
            Try that all it has no password and give feedback..
            Attached Files


              #7
              Hi rex98

              many thanks for sharing. Unfortunately I read your suggestion too late as I have already set up the machine and am no longer able to tweak with it.
