Omnibook 800CT BIOS locked

[azhash]

Hello, looks at this nice computer, it's locjed tho, what a shame. It's a Omnibook 800CT, the one with the cute little mouse that comes out.
I have been looking everywhere to unlock this, does anyone have some knowledge on this issue?
When searching on this forum, i've seen a few old thread that seem to have multiple users not finding a solution.

Let me explain in details the nature of the issue for future users with the same issue on a Omnibook:

-The password is 8 alphanumerical characters.

-The bios password is happening after the bios and before the boot (meaning i can access the bios, but the reset password option in the bios is locked by that password i dont have as well so its a dead end)

-The password is located in the eeprom or something of that sort, it's not in the HDD (i removed it and still its locked), its probably not in the ram either, and the ram is 4x 8MB chips soldered on the board anyway.

-There is sites that generate master passwords like Here, but when i enter my machine serial number, it gives me a code that is more than 8 characters, i'm assuming it might be the code u enter after pressing ALT SHIFT F10 usually, but that keypress combination doesnt work, i tried many other alternatives to it, still cant see anything pop up to enter a code (the service manual describe this procedure Manual on page 83 if you want to look into it) Would anyone know the right key combination? my machine was sold in the EU, im wondering if that's related to the azerty keyboard maybe)

-There is forum posts out there that say that the bios password may be stored into a tantalum capacitor, and that shorting it and even cutting a leg might get rid of the password, but, there is absolutely no real proof of that, just vague and old memories from users that cant really confirm that's the way to do that. Other users have mentionned that the bios might be smart enought to still double check a hash or something and notice that the password was not entered, therefore not really solving anything. (security was a main concern back then, they really engineered things smartly on those kind of portable pc)

-After a lot of thinking, my hardware repair skills are not good enought to attempt soldering/cutting on such tiny elements, and i am not comfy with a destructive method so the next best thing i'm thinking, and others have mentionned that, is trying to bruteforce the password with a Pi connected to the PS/2 keyboard, and having a Pi camera with OpenCV to monitor and log sucess if it happens.
Trying every password ever mathematically would take 60million years (yes) at 3 password per second rate.
Trying a dictionary based method is more around 5 hours, and name based and such probably something similar. For info, the bios doesnt lock after many attempt and doesnt delay attempts so its possible to spam passwords.
One question on that, do you think that the password can include capital letters or not? I assume yes but id like to make sure, it would make the brute force method way easier if capital letters were not possible on bios passwords.
Considering all that, i'm thinking to approach the issue this way, it's a gamble for sure, there is no guarantee of sucess ever but that's a good occasion to learn to use a Pi. I might keep this board informed of progress if you'r interested in that.

Do you have a cool idea i didnt think about yet? Especially a key combination instead of the alt shift F10? Or someone who has reverse engineered the descrambling software from HP they use to have. let me know i'm eager to see your answers!

 

[MontyL]

Meltivore

 

[Istarian]

Meltivore

It's humorous that their post even brings up security at all, because all a plain BIOS password generally does is keep you from changing the BIOS settings.

 

[Istarian]

@azhash I think the bios-pw.org is for newer models of laptops which have some sort of override password that is based on the serial number and therefore differs on a per machine basis.

Your HP Omnibook 800CT handles this situation differently.

According to the service manual you linked, pressing ALT+SHIFT+F10 on the password entry screen generates a temporary master password and returns it in an encoded form.

The encoded form is useless without HP's decoder and the password is only valid on that screen at that point in time. If you shut off the computer you would have to generated a new one.

 

[azhash]

Thanks for the answers, i tried the inser and plenty other things. None have produced anything.

@Istarian Yeah but the peculiar thing is that on mine it doesnt work at all, i tried this combination of key and every other combination it could be with no success, nothing ever happens. My keys all work, the keyboard is pristine and everything bip's or can write in bios character inputs as far as i know. Also the password doesnt prevent from accessing bios or changing things, appart from resetting the password wich u need the password to reset. It prevent from booting anything (and no u cant change HDD to boot)

 

[Istarian]

Thanks for the answers, i tried the inser and plenty other things. None have produced anything.

@Istarian Yeah but the peculiar thing is that on mine it doesnt work at all, i tried this combination of key and every other combination it could be with no success, nothing ever happens. My keys all work, the keyboard is pristine and everything bip's or can write in bios character inputs as far as i know. Also the password doesnt prevent from accessing bios or changing things, appart from resetting the password wich u need the password to reset. It prevent from booting anything (and no u cant change HDD to boot)

You have to be at the password entry screen before you press the key combination. And you still need a way to descramble the code it is supposed to give you.

It may be necessary to enter an incorrect password a number of times (3?) first.

The code it is supposed to give you should be composed of eight alphanumeric characters (A-Z,a-z,0-9).

There may be some sort of problem with your laptop or it's keyboard if you don't get the expected result.

You could try disassembling the system and disconnecting/reconnecting the keyboard ribbon cable just in case it's not making good contact.

Other than that, the only think I can think of is having someone desolder the BIOS chip, reflash it with a stock, unmodified copy of the right BIOS rom and reattach it.

 

[azhash]

I did try these, i opened it up already, deisconected reconnected the flex cables.

I have given up on any other solution but the brute forcing via a pi.

On that, i have some questions if anyone knows, i first started on the wrong foot by trying to use the COM port to emulate a ps/2 keyboard, but after finding some pictures of the official HP dock and some research, i think the dock is working as a passthrough for the PS/2 keyboard and using the proprietary port on the right (circled purple).
Meaning i probably should plug into that if i want to brute force via ps/2 inputs.


Would anyone have documented that port/the dock connections so i could get some informations on it? I need to find my multimeter :/
I can totally just plug in the DUpont cables into the pins, its just gonna be impossible to guess i think

Other option is to go through the physical keyboard interface, but same issue, im not sure what those flexible cables are at this point. Any idea what they are and how they are called?

 

[Istarian]

The ports you have circled are as follows:

BLUE - 9-pin Serial Port
GREEN - Infrared (IR) communications
RED - 25-pin Parallel Port (8-bit parallel data, unidirectional/bidirectional, commonly used with printers)
PINK - SCSI+Docking Port

It should be relatively easy to use a multimeter to determine which of the pins carries power and ground. The metal shell of the connector is also usually tied to ground.

In between the two serial ports you have an external floppy drive connector and there is also a special SCSI cable for this machine that connects to the dock port on one side and a SCSI-2 device on the other.

Supposedly the dock supports ISA/PCI cards, but that doesn't mean all the necessary signsls are directly exposed without multiplexing or other interface considerations.

 

[azhash]

PINK - SCSI+Docking Port

Thanks! Having the name spared me some research. And yes i kinda analysed every single pin (80 pins), voltage, resistance and frequency on boot for the ones with no idle voltage output. Two of them had specific frequencies i mesured at 9000Hz on boot with the Pi (10k pprobably with better tools).
Also i couldnt tell if the pins i was after (DATA and CLOCK) were suppose to mesure at 5V or not, its confusing cuz they are pins in a scsi port, and havnt tried mesuring the frequency on boot on those (cuz the Pi without a setup cant handle 5V on GPIO)

From there i tried plenty of possible inputs, with python and C (on the two 10K Hz pins, also tried to reverse them ). But to no result, i couldnt manage to type anything.
It seems something is blocking me from typing with the Pi, maybe the need for the dock to bbe plugged in to allow the ps2 pin to even work (the dock has an eeprom ship etc)
Would anyone have some knowledge on what i could have done wrong to not be able to do that?

Or, have some advice for plugging the Pi to the physical omnibook keyboard flat connectors? I found that i can get some adaptor like " FPC FFC breakout board 0.5mm" to expose the pins.

Would i have any chance trying that?

 

[Istarian]

This is just speculation, but since there are just eighty pins there may be a specific way to signal that you have connected a Dock vs a SCSI-2 device.

I do not know whether the PS/2 port signals (or those for any of the other ports) are directly exposed on the connector or if there is some additional interface circuitry (inside the dock) that is involved.

As for the internal flat (cable? ribbon?) connectors, it could be as simple as row, column connections to the keyboard matrix.

P.S.

HP F1177A Omnibook 800CT 800CS Port Replicator Docking System SCSI

https://www.ebay.com/itm/365126544152

This looks like the dock in question, rather pricy at over $300, but the HP part/product number might be useful for a saved search.

Apparently the laptop is F1175A and there is also an external CD-ROM drive (F1197A)

 

[azhash]

Yeah, quite pricy.
Thank you very much for your answer! The dock seems to just use the SCSI port, so everything goes through it (that is on the back of the dock). No kidding i found so many 5V, GND pins and so many different Hz on each.
I'm thinking that yes there is one of these pins that is just a "dock connected" pin but i wouldnt know how it works or how to identify it so the task might be too difficult for me. Looking at the dock, i cant see another way that the dock would tell the Omnibook that it's plugged in, there isnt much appart from the SCSI and power interface.

I opened the keyboard to note what the flex cables are, i got a small 9pin and a larger 16 pins (that mesure 170mm from copper trace to copper trace). Would that thing be adequate? "FPC ZIF breakout board 16 pin 1mm pitch"
Just a bit confused because of the 9pin one, why is it sepparated? the keyboard doesnt have any LED or anything. It could be an obstacle for me in that project if it's what drives the ENTER key.

I attached some screenshot of a keyboard on ebay, its specificaly this exact one.

 

[Istarian]

There are ~85 keys on the keyboard pictured.

16x9 = 90 + 54 = 144
16x8 = 80 + 48 = 128
16x7 = 70 + 42 = 112
16x6 = 60 + 36 = 96
16x5 = 50 + 30 = 80 ?!

Since there aren't anywhere near 100+ physical keys, the keyboard may not be quite as simple as a square/rectangular grid of just M x N (16 x 9 ?) keyswitches.

However, there could be separate power and ground traces. And at least one of them is likely providing the Power On signal (Fn + On/Off) to the laptop power circuitry.

Moreover, there are additional Fn+Fx functions and also an Fn keyboard.

-----

I suspect the 16 pin connector drives/selects separate groups of keys, while the 9 pin connector is where the communications happen.

You might be able to work some things out by using the multimeter to measure resistance and seeing if the reading changes when a key is held down.

May put a probe on one of the 16 lines and the other on one of the 9 and press each key on the keyboard?
-----

If there are obvious screws/latches/fasteners then you can try disassembling the keyboard.

I can't imagine that they would have put a dedicated microcontroller in there, but there might be resistors, diodes, and potentially some logic gates.

 

[minidos622]

Hi, have you been able to boot from an already inserted (before powerup) DOS floppy or hard drive? or even a networked DOS drive?

If that is the case, you can try running my (well, not mine, but designed upon my requests) program which works on many bioses/motherboards of that era (not all though). It does so by corrupting the cmos password checksum, so that the bios has no choice but to go to factory defaults, breaking the previously saved password. Entering SANE /B from the command line, and then power cycling should do the trick.

 

[azhash]

Hi, have you been able to boot from an already inserted (before powerup) DOS floppy or hard drive? or even a networked DOS drive?

If that is the case, you can try running my (well, not mine, but designed upon my requests) program which works on many bioses/motherboards of that era (not all though). It does so by corrupting the cmos password checksum, so that the bios has no choice but to go to factory defaults, breaking the previously saved password. Entering SANE /B from the command line, and then power cycling should do the trick.

I havent really tried a floppy boot, i dont have an OS on a floppy, what i tried was trying to see if the password prompt would still be there with no HDD inserted. The password seem to happen before any attempt to boot, with no HDD, no difference, it goes from the BIOS start into the password instantly. I can acces the bios settings, but that's pretty much it.

I'm gonna try to find a little usb floppy reader for my actual pc, but i dont have a way to write on floppy as of now.

I suspect the 16 pin connector drives/selects separate groups of keys, while the 9 pin connector is where the communications happen.

You might be able to work some things out by using the multimeter to measure resistance and seeing if the reading changes when a key is held down.

May put a probe on one of the 16 lines and the other on one of the 9 and press each key on the keyboard?

Thanks for the insight, that might come really usefull! And as expected it might also be quite a pain hahaha, i have a simple multimeter yeah, i can try and mesure resitance but as a noobie in electronics im sure it wont be than simple to understand what's going on between the pins and keys. Will try my best to figure it out, im waiting on delivery of some pin adaptor and will get onto that once i have them and some time on my hand.
I'll have to open up the keyboard i think (and yes there is obvious screws) and have a look. If it works as u suspect (and bravo on the analysis i think it makes a lot of sense), i imagine its gonna be real tough to figure out the layout for me but i'll try my best. If its a matter of a bunch of mesuring, it might be manageable.

I'll make sure to keep the thread updated.