More than two years ago Dogbert reported that bypassing the Dell 1F66 password validation was a trivial excercise in patience.
Curious I looked deeper and turns out that whatever BIOS engineers were tasked with changing the password hashing algorithm, they did not spend too much time coming up with novel ideas. Just like with the Dell 1D3B they just added more code that does nothing in making hashing more secure. Specifically:
- They changed the character map yet again.
- Changed the number of MD5 iterations
- Duplicated the MD5 loop and switched around the four stages
Interestingly enough the engineers probably realized that simply chainging the code around does not add anything to the security of their algorithms, so when they were tasked with the Dell 6FF1 bios they did not bother to touch the code, but simply change the character map and some constants.
Given that it’s been two years since the original publication, and Dell had a plenty of notice I had pushed the code here. The pull request to free BIOS recovery site is in process. May be they will make the effort and fix the code. Then maybe they will not, but here is a good read to do in the mean time.
A friendly public notice - don’t pay for your BIOS recovery, call your vendor or find a free gen. Or just do it yourself, most vendors are sadly seem to be ignoring proper encryption standards.