Wyse Xn0L: Firmware
BIOS

The F2 key will get you into the Phoenix BIOS.

Unfortunately for me, when I got my X90L in 2011 I found that the BIOS was password protected and I wasn't able to get into it. The usual default Wyse password of Fireport did not work. The Linux utility dmidecode told me:

BIOS Information
	Vendor: Phoenix Technologies LTD
	Version: 6.00
	Release Date: 08/22/2008
	Address: 0xE8300
	Runtime Size: 97536 bytes
	ROM Size: 512 kB
	Characteristics:
		ISA is supported
		PCI is supported
		PNP is supported
		APM is supported
		BIOS is upgradeable
		BIOS shadowing is allowed
		ESCD support is available
		Boot from CD is supported
		BIOS ROM is socketed
		Boot from PC Card (PCMCIA) is supported
		ACPI is supported
		USB legacy is supported
		LS-120 boot is supported
		ATAPI Zip drive boot is supported
		BIOS boot specification is supported
		Targeted content distribution is supported

The journey at that time was interesting....

These days laptops do not store the information relating to passwords in battery-backed CMOS memory; it is held in some EEPROM somewhere. (There is NO additional backup battery on most laptop motherboards. Removing all power and the laptop's battery for an extended period has no effect.)

Generally PCs do not actually store passwords. What they squirrel away is a hash of the password. In this case the password is reduced to a 16-bit value (see below). As an 8-character password is equivalent to ~48 bits, you do end up with a large number of passwords that will give you the right 16-bit hash code. However, if the hash algorithm used is half decent, you still only have a 1 in 60,000-odd chance of coming up with a password that will let you in. From the point of view of somebody sitting in front of the laptop at the keyboard this is still a huge problem.

Obviously users can forget passwords and there needs to be some reasonably low-cost way to get around the problem. (Note: here the requirement is to stop the casual user from fiddling with the laptop's settings. We're not trying to protect the Nation's secrets.) In this case the answer is on the screen after the third failed attempt:

BIOS disabled message

What looks like a system error code is actually the hash value that the BIOS has stored. In this case it is decimal 15015, which is 3AA7 in hex. Equipped with this value it is relatively straightforward to run a program that will generate random passwords until it finds one that produces that hash value. With the sorts of hash algorithms used in the BIOS and the power of modern computers it is only a matter of a few seconds to find a password.

For every step forward there is often one or more backwards....

For the program to work we need to know exactly what hash algorithm is being used and what the input values are. Dogbert's Blog has some information on this and a Python script to do the searching. Unfortunately the passwords produced by the script do not work for the Phoenix BIOS on the Wyse, so we're left with the problem of determining the algorithm that is used in the Wyse Xn0L BIOS (and any seed value) so we can write our own password cracker.

Options for discovering the password hashing algorithm are:

  1. Assuming the BIOS uses a CRC-style algorithm for the hash, there is a program (crcbfs.pl) that will tell us what polynomial is used. To find the polynomial it needs a minimum of three password/CRC combinations to work on. So, if you are reading this and have an Xn0L, can I ask you to:
    • Set a BIOS Setup password.
    • Reboot and hit F2.
    • Enter an incorrect password three times and then record the error code.
    • Repeat the above with at least three different passwords.
    • Send me the results as password+hash pairs.
    Thank you.
  2. Disassemble the BIOS, or at least the relevant code in the BIOS. Unfortunately the flashrom program could not read the BIOS chip on the X90L. I had a half-hearted grope around in the Linux /dev/mem with partial success. (I needed to be more methodical...) It did look like it used a standard CRC16 polynomial. However, I wasn't able to find where the routine was called from, so I had no idea of exactly what is being hashed.

One final option was to find and clear the password hash, or the flag that says there is a password set. One possible storage area is the EEPROM that is associated with the Ethernet chip. These usually have plenty of spare space after the area used by the Ethernet chip to store its basic operating parameters (such as the MAC address). Once again I hit the "...unfortunately...": the standard Linux tool ethtool (at least from within Tiny Core) could not access any EEPROM memory associated with the RTL8169 Ethernet chip.

BIOS Password

In May 2014 Mark very kindly sent me eight password/hash pairs for the X90L and, armed with these, it didn't take very long to work out what was going on. Using the form on this page will find you a matching password within a few seconds.

Firmware

The Xn0L runs Windows XPe SP2. Mine came with an unknown password set for the Administrator account and auto-logged-in as the user User, with User's password set to User.

Luckily it is easy to reset the Administrator's password, or at least it was in the way mine was configured.

From the auto logged on user:

At this point the hack is only temporary, as the 'write filter' is in place and any changes you make are just held in RAM and not written back to the flash. You need to log out and log back in as the Administrator using the password you've just set. Holding down the Left-Shift key when you log out disables the auto-login feature and brings up a conventional "Welcome to Windows" box with an invitation to press Ctrl-Alt-Delete to log in. Having logged in as Administrator, double-click on the FBWF Disable icon to turn off the write filter.

The system will reboot at this point and you'll be back to square one. However, as you go through the steps outlined above, this time the new Administrator password will be written to flash.

You can also take this opportunity to make other changes to the system - such as setting the network details for your local wireless network.

Once you're happy with the changes, double-click on the FBWF Enable icon to turn the write filter back on.

Any comments? Email me. Added December 2011. Last update May 2017.