Resetting your HP BIOS password by modifying the main BIOS chip

My inner security expert turned on the BIOS password on an HP laptop (EliteBook 840 G1) right after I bought it, around 6 years ago. Of course I forgot the password after a while, since I had no reason to change any of the settings, but that changed recently. I really wanted to play with WSL2 (Windows Subsystem for Linux) and Docker for Windows, and one of the prerequisites for both is enabling Hyper-V, which depends on a setting in the BIOS.
Is there a way to remove the BIOS password? This blog post describes my attempts, which finally resulted in success.

Solutions I decided not to go for

These are the solutions I considered but ended up not going for, because they weren’t reasonable or were simply no longer applicable (HP has discontinued its support). Note that both item 4 and the solution I ended up with need the BIOS chip to be desoldered. This might sound scary, but it’s actually quite simple with a little bit of hardware skill and the necessary equipment (or a friend with both).

  1. Contact official HP support
  2. Buy a new laptop
  3. HP BIOS Unlock tool
  4. Buy an unlocked BIOS chip on Ebay

Contact official HP support

This was the way to go until HP stopped providing the service sometime in the middle of 2019. The process was to send HP the serial number of your laptop; they would generate an SMC.bin file for it and provide instructions on how to overwrite the existing BIOS. Note that any SMC.bin file you find on the internet will not work for you, because the serial numbers will not match. I assume the serial number in the binary file is encrypted, which makes it impossible for you to replace.

Buy a new laptop

Way too much of an overkill: even though the laptop is 6 years old, it is an i7 with 16 GB of RAM, still in mint condition, and it does everything I need.

HP BIOS Unlock tool

There is a tool that works with some HP models, but not all of them. I think the newer HP models have extra security that does not allow the BIOS to be flashed the way this tool does it.
This is not the same tool as the one mentioned and used later in the solution.

Buy unlocked BIOS chip on Ebay

This involves replacing the main BIOS chip on your motherboard with an unlocked one you buy on Ebay. In fact the seller recommended replacing two chips, the main BIOS chip and the EC (Embedded Controller) chip, but they don’t explain why.
You also need to let them know the SKU, serial number and model of your laptop. BIOS image dumps are not transferable: you can’t use the same dump on two machines, even if they are of exactly the same model. They take this information to initialize the ME region (Data section).
I did not go for this solution because I found a more elegant one. The solution presented below specifically targets only the BIOS password and leaves the ME Data region unchanged.

Solution

In the end I decided to go with the least invasive solution, one that doesn’t involve changing any hardware parts or making massive modifications to the BIOS dump file.
None of the work in this post is my own. This post is just an aggregate of everything I learned during my research, which gave me the understanding and confidence I needed to get the job done. The amount of information you can find about the hardware components is incredible. Next time one of my gadgets breaks, I will definitely put more effort into trying to get it fixed rather than throwing it away and buying a new one :). You can find all the links to the hardware forums used in this project down below.

The final solution includes:

  1. Identifying the correct chip
  2. Desoldering the main BIOS chip
  3. Modifying the content
  4. Putting the main BIOS chip back

Identifying the correct chip

There are two BIOS flash memory chips, and first we need to identify which of the two we need. I’m not sure why there are motherboards with multiple BIOS chips. Separation of concerns, I guess. Anyone interested in this can read about it here. As I already mentioned, some sellers on Ebay are offering 2 unlocked BIOS chips, but after reading up online I learnt this is not necessary.
In my case the correct chip was marked with a red dot and was located right above the CMOS battery.

main BIOS memory chip above the CMOS battery

Winbond 25Q128FVSQ-1318

Desoldering main BIOS chip

This step is easy if you have the right tools and experience (it took a hobby enthusiast 10 minutes). Place the chip into the adapter and plug it into an EEPROM programmer. In my case the main BIOS chip was a “Winbond 25Q128FVSQ-1318”, and when I copied its contents I got a 16 MB dump. You can find all of the equipment used listed below. Make sure you keep a copy of your original BIOS dump…just in case!!

SOIC8 SOP8 to DIP8 adapter for the BIOS chip

Modifying the content

It is easy if you know what you need to do. In my case I had to clear 87 bytes starting at address 0DB3470. I learned this from the HP EliteBook 840 G1 BIOS Admin Password thread; there is also an elegant Python application called HP BIOS unlock tool, and I ended up using that Python script. The application takes a single argument, the path to your 16 MB BIOS image. After running it, the script creates an unlocked version of your original image. You can view the result in the hex editor below (unlocked vs. locked BIOS dump content).
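A check worth running before the chip goes back on the board, as an added example that is not the author's script or the HP BIOS unlock tool: it compares the backup dump with the modified one and confirms that the only bytes that changed are the 87 at 0xDB3470 named above, so the ME data region and everything else are still byte-identical to the backup. The 16 MiB size and the offset come from the post; the constructed sample pattern, the zero fill and the file names are assumptions.

```python
# From the post: a Winbond 25Q128 holds 128 Mbit = 16 MiB, and the unlock
# clears 87 bytes starting at offset 0xDB3470 of that image.
FLASH_SIZE = 16 * 1024 * 1024
PASSWORD_REGION = (0x0DB3470, 87)          # (offset, length)

def diff_ranges(original, modified, chunk=4096):
    """Return [(offset, length), ...] for each run of differing bytes.
    Identical 4 KiB chunks are skipped so a 16 MiB compare stays fast."""
    if len(original) != len(modified):
        raise ValueError("images differ in size: not dumps of the same chip?")
    ranges, start = [], None
    for base in range(0, len(original), chunk):
        a, b = original[base:base + chunk], modified[base:base + chunk]
        if a == b:
            if start is not None:              # run ended on the chunk boundary
                ranges.append((start, base - start))
                start = None
            continue
        for i, (x, y) in enumerate(zip(a, b)):
            if x != y:
                if start is None:
                    start = base + i
            elif start is not None:
                ranges.append((start, base + i - start))
                start = None
    if start is not None:
        ranges.append((start, len(original) - start))
    return ranges

def only_region_changed(original, modified, region=PASSWORD_REGION):
    """True when the image is a full 16 MiB dump and every differing byte lies
    inside `region`; the ME data region and all else must match the backup."""
    if len(original) != FLASH_SIZE:
        return False
    lo, hi = region[0], region[0] + region[1]
    return all(lo <= off and off + n <= hi
               for off, n in diff_ranges(original, modified))

def constructed_pair():
    """Constructed sample (assumption): a patterned 16 MiB image and a copy
    with the 87 password bytes zeroed, standing in for the backup/unlocked files."""
    original = (b"CONSTRUCTED-SAMPLE-IMAGE-" * (FLASH_SIZE // 25 + 1))[:FLASH_SIZE]
    modified = bytearray(original)
    off, n = PASSWORD_REGION
    modified[off:off + n] = bytes(n)
    return original, bytes(modified)

if __name__ == "__main__":
    backup, unlocked = constructed_pair()       # replace with open(...).read() on real dumps
    print(diff_ranges(backup, unlocked), only_region_changed(backup, unlocked))
```

If the report lists any range outside the 87 bytes, or the modified file is not exactly 16 MiB, restore the backup rather than flashing the modified image.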

Putting the main BIOS chip back

Not much to add here. Clean the pads a bit and solder the chip back. Make sure you pay attention to the markings on the motherboard in order to orient pin 1 correctly (or just take a picture of the chip’s rotation before you desolder it).

That’s it, you have successfully unlocked your BIOS.

BitLocker

First thing I did after removing the BIOS password was upgrading the BIOS version (you can’t upgrade your BIOS if your BIOS is locked). I was swapping between two primary hard drives, and after I re-connected the bootable drive that was encrypted using BitLocker I could not boot anymore without providing the BitLocker recovery key.
It was either upgrading the BIOS or modifying the BIOS dump that changed the platform measurements (the “fingerprint”) BitLocker ties the key to, so make sure you have the BitLocker recovery key ready in case your hard drive is encrypted using this technology.

Equipment Used

Conclusion

It took me a while to realise that the main BIOS chip would have to be taken off the motherboard. My main concern was that this “surgical” procedure would render the laptop useless. But it turned out that the 8-pin memory chip is quite big, easy to work with and located away from all critical components. And if there had been a problem with the modified BIOS dump, I could have just copied back the original content I backed up before the modification.

Two online resources I got a lot of information from:
