Warning

Warnind! Your warranty is now void. I am not responsible for bricked laptops. Please do some research if you have any concerns about features included in this articles before following it! YOU are choosing to make these modifications.

Saturday, March 5, 2016

How to reset HP ProBook 4540s bios password

Hi, my name is Ivan and I am the owner of HP ProBook 4540s. More A couple years ago, I have fun with bios configuration, and set the BIOS admin password. Of course, some later I forgot thepassword, but there was no need to make configuration in bios and I continued to live with no access to bios. Nevertheless, over time I noticed, that more and more there was some cases when Ineeded virtualization and other features with was disable in bios and I decided to find out how it can be possible to restore the password.

If you found this page over the internet than it is likely you have similar problem ant trying to figure out the solution. I spend many hours doing the same with no results. However, a few days ago I solved the problem and restore access to bios. Therefore, I decided to write an article and share with my experience with you.
As I mentioned before, the goal of this blog is show, how to restore access to bios. In the end, the password will be completely reset and all unique data, including UUID, model, S/N, tracking number and others will be kept. As a result, there will be full access to modify settings in BIOS, including enabling and disabling Intel VTx. And the main achievement – experience, so you can help other people with this solution.

As there are many articles and discussion on this topic, it makes sense to say, how I did the trick and why it is better than others are. I think you probably know, that the easiest way described on the forums is to replace the BIOS chip with new one without the password. And if price in small enough (about $20), the necessity of disordering the chip makes scared, because there are dozens of small component around bios chip with high probability of causing damage during the soldering process. Instead, I decided not to use soldering, but just connect to the bios chip, read all data, remove the password and write it back.

To complete such a simple task you need HP ProPook 4540s, of course, screwdriver set, any programmer for 25xx chips (or any other device with ISP and knowledge, how to use it), test clip (you can construct your own solution to connect the chip to the programmer), other laptop to read, modify and write data, your favorite HEX editor (I suppose you have one J) and some time. I used chip programmer CH341A that supports most of 24xx/25xx EEPROM chips with CH341A programm v1.18, but any other is ok. IT IS A HIGH PROBABILITY, THAT THIS METHOD IS ACCEPTABLE FOR ANY OTHER LAPTOP FROM PROBOOK SERIES.

CH341A and test clip


The main reference for this article is a topic on tonymacx86.com , without that post, I wouldn’t have written this. There you can find out which chip is used in your laptop and memory addresses where the bios image is stored in EEPROM to find the password.

In the next part you find how to use this solution for your laptop.

Connecting to bios chip with test clip                         Editing the bios EEPROM


Steps:

  1. Disassemble laptop. You need to have direct access to bios chip. There are many articles in the internet how to do that, but you can go with my article [to be written] I wrote special for this case.
  2. When you have just the motherboard, you must find a bios chip. Usually, it is located near processor and have 8 pins in SOIC package. You can see one from ProBook 4540s below.
  3. On another computer install necessary drivers and run the software which provides with the programmer.
  4. Connect the programmer to the computer and check that programmer discovers correctly. Disconnect programmer for now. 
  5. Next, you must connect the chip to the programmer. I used test clip, which is simple to use and really save the time. Insert programmer again into working computer and press Detect. It took me time to work, I don’t know why, but the programmer is hard to be discovered for computer. Check, that discovered chip is really yours.
  6. Now you must read original bios raw data into a program by pressing button Read. It took near minute to read the whole chip while there is 8MB. Just for being safe, click Check button, the program will compare if the read data are the same as on chip. Save the data into the file. 
  7. Make copy of the file for safety and open one. I use plugin for Notepad++ that has cool possibilities, like any other. Now starts the most interesting part. You must find where the password is. Please notice, that it is not stored as plain text, but in some kind of encrypted form. Location depends of many factors, and removing wrong data may cause bricking. At the time of editing, I have bios version F.31. If you have the same, you can check addresses on the picture above first. If you have an other bios version on laptop model, then just find for hexadecimal value “aa 55 7f” (indicates the end of value) (about 60 occurs in whole document). You can find out, that there are stores all information about your computer, including name, model and many others. Your target strings on screen must be “H P _ T e m p B I O S A d m i n S c a n c o d e” and “H P _ B i o s U s e r 0 0 B I O S A d m i n i s t r a t o r” (yes, with spaces). The structure of name-values is next: 
    66 9d c5 [.. here some other chars and text] 00 00 00 [here is value (probably, encrypted password)] aa 55 7f
    You must remove value of all three fields, starting from three nulls and to the start of next value (or nulls before it). In my case, it was 14 bytes in first occurs, 48 in second and 14 in the third. 
  8. After you complete the editing, save copy of your bin file and remember the file name. Go back to the programmer software, load modified bin file, check, that controller still connected (if not, just repeat step 5) and press Program. More careful way to flash data is to clear chip first and then rite new data, but I get an error when tried to clean the chip. Writing is a little longer than reading data, so now you have a time for coffee. After process completes, press Check again.
  9. On this step your bios chip stores no password. Now, you can assemble your laptop, just repeat the first step in reverse order.
  10. Now it is a time to test the bios. After plugging battery, laptop will power on and... there is an error about CMOS battery. You can ignore it and wait until system reboot again. Press F10 to start bios during boot animation. The password screen must not appear and you must see bios setting screen.
  11. Almost done. You can find than the most of items are grayed out. If they do then you must set password in the second tab (this option is available) and for asking for current password just leave empty string, and provide new one (but please, do not forget it again). If you restart bios, then nothing must change. Remove password in the same way, as you set it, and restart bios again. Now you have access to all settings!
  12. If you have an older version of bios, it is time to update. Check bios update on the HP website for your laptop. Now, your restore is complete.
Remember, if you have troubles with computer after flashing the bios, it doesn't start or show errors, please report your actions in comment and flash backup. May by someone can help you.

P.S. It is possible to read EEPROM with any compatible with ISP IC, for example Arduino or Raspberry PI, just remember, that bios chip in most cases works with 3.3 V.

P.P.S. If you find any errors, please let me know.

If you decided to follow these steps, please leave a comment, it will help other people and express your thankfulness.