How I Cracked The Sega ALLS MX2 BIOS Password
HTML-код
- Опубликовано: 20 июн 2023
- Original Sega ALLS video: • Sega Accidentally Made...
For business inquiries, please email bringusstudios@intheblackmedia.com
Ways you can be part of the Bringus Studios community and support the creation of new videos:
Join the Discord:
/ discord
Subscribe to Bringus Studios (my main channel):
/ @bringusstudios
Check out my Patreon: I occasionally post exclusive videos here for my supporters, who also get access to every video early:
www.patreon.com/user?u=78877687
Buy me a coffee (one time donations):
www.buymeacoffee.com/bringusstut
Follow me on Twitch:
/ bringusstudios
The "units" for runtime_start and runtime_stop and epoch. you can convert them easily online but its basically the number ofseconds since Jan 1st 1970 00:00.
Anyway, you started cracking at 2023-06-19 at 7:21:32 UTC and finished at 2023-06-19 at 7:44:06 UTC -- so it took about 23 minutes.
This is called Unix Timestamp.
I just subtracted the first value from the second value, divided it by 60 and got 22,56
@@Looki2000Yeah so 22 minutes and 34 seconds
@@renakunisaki If you're going to be technical (which this is the internet, so we definitely are), it's a timestamp, whose epoch is the unix epoch, namely the start of Jan 1st 1970 in whatever timezone you've arbitrarily set it to (typically UTC). Since we only care about the delta between the two timestamps (to produce a duration rather than a timestamp) the timezone doesn't matter as long as both timestamps share the same timezone (which they do) and even the epoch doesn't matter as once again it's only important if they differ. Subtracting the start from the stop gives us a value of 1,354 seconds between them, or 22 minutes and 34 seconds.
Representing a specific point in time is a surprisingly difficult problem to solve and there are a ridiculous number of ways you can screw that up. Thankfully representing the difference between two points in time is significantly easier and much harder to screw up.
@@renakunisaki to be really technical since this is the internet, the unit is actually seconds.
A SuperIO chip basically just integrates into a single physical chip a whole bunch of peripherals that would have traditionally been discrete. Things like serial ports, parallel port, keyboard and mouse controller etc, maybe even floppy controllers, real time clocks etc, or some combination of all that stuff.
It all gets squeezed into one smaller form factor chip rather than being spread out as several.
Pretty much what I was going to post, u beat me to it, on a system that modern it would be effectively adding stuff that's not already built into the pch or extra of things already built into the pch (like usb)
I've seen some of those chips with IBM joystick, fan controller, and power monitoring as well.
@absalomdraconis hmmm...yeah, I have/had a board (can't remember which one) and in the bios config it had a setting for joystick port, probably has a header somewhere for that...
@@robloxian1585 yeah, superIO is just where they stick literally anything and almost everything that they don't want to implement in discrete logic, so its a random crapshoot what can be in some of them lol
I see you are a cultured individual as well. It was such a delight hearing Turnabout Sisters once again
It looks like it took around 1200 units. And my guess it's not an ms, but seconds. So around 20 minutes
They are POSIX timestamps so the number of seconds since January 1, 1970 UTC
@@JordanWerthmanActually it is epoch time, more specifically Unix epoch time
Little Sega easter egg I noticed on the case sticker. If you look at the ALLS logo upside down it bears a striking similarity to the STTV arcade board logo that Sega had in the 90s.
wearr here! Glad I could help :) Didn't realize that you shouted us out at the end until someone in a completely different discord mentioned it lol. Thanks for all the videos you've made bringus!
Bios for
Amusement
Linkage
Live
System
h a c k e d
balls hacked
@@LambdaMiscellaneous the enrichment center computers from the 90s
h a c k e d
That's some amazing work, man! If I ever get my hands on a SEGA ALLS MX2, this will definitely come in handy! Thanks to you and everyone who contributed.
(Update 6/30: I'm getting mine in a few weeks. So hooray!!!)
Hey, did it work for you? Wanted to make sure the password works for all of the MX2's
Yup, it worked for mine.
@@RedYoshiYT Do you happen to know if it also works for other types of ALLS? Say, the ALLS UX?
@@flottenheimer I don't own any other models than the MX2, so I'm not exactly sure.
@@RedYoshiYT Mine is on its way. Don't know the model/version yet. Just trying to prepare ;D ...
I found your 2nd channel through RUclipss "new to you" thing. I am shocked it was actually useful! This was great, I had actually wondered how you were going to address the bios password issue! Very nice work!
I tried to help, Tecchie in your channel. I’m glad you got the password issue sorted !!
These are the UNIX timestamps, counting the seconds from the epoch (1/1/1970 - 00:00).
And you can just simply remove the runtime_stop value from the runtime_start, which will give you 1354 seconds - so it's around 22 minutes and 30-40 seconds
Mad science being done here! I’m impressed you went to this much effort.
Bus Pirates are also a good option for use with flashrom, less expensive than a pi and has buffers on the outputs and logic level options, but writing larger bios images can be a bit on the slow side.
@@superusermode can you detail a bit the explanations please ?
@@temp-anon_3690 Sorry, I mis-spoke. VGA (plus HDMI and DVI) uses DDC (basically I2C), . You can find plenty of information on that.
your videos are a must-watch for anyone looking to learn and enjoy!
i was not expecting this but hi bringus i'm glad i found your second channel
man I'm glad I stumbled across your channel! I'm going to see if I can get into that PC in our Mai Mai tomorrow. heheheheehehehe
Late to the party, but the bios reset via the 2 leads you touch with a screwdriver thing, you literally have to be touching it when the machine is powered off, and continue holding it there while powering it on. I've had to do that on a few older laptops in the past. It's nuts but works.
He tried it in full video, didnt work
Worth probably pointing out about motherboard based "RAID", it is not hardware raid on amd or intel motherboards. It is a feature you enable on your motherboard yes, but how they do it is in software. If you dont have an actual raid card or a sufficiently enterprise server with one integrated, it does not have hardware raid. Even if it did btfs and zfs are both a lot more performant. And unlike traditional raid they actually check file integrity actively rather than only whine when a disk fails.
What I mean to say is 'real raid' hasn't been worth it for genuinely protecting your data in years, theres been a lot learned about doing it better at a filesystem level.
I came to the comments to see if anyone would say this. Hardware RAID is pointless in a home NAS in 2023 and honestly probably even in most enterprise use cases as well.
That's a very good point, I've still got the "mobo raid = hardware" misconception stuck in my head from somewhere
it's also totally useless if your drives are mismatched. You need to use freenas or something similar what that is the case.
That motherboard has been manufactured by GigaIPC, which is the OEM division of Gigabyte for major companies. With that info, I must to say that this is a completely requested motherboard for SEGA.
I'm pretty sure the super IO chip is just onboard Serial/Parallel ports
This is seriously scary: a 4080 can crack an 8 characters password with lowercase, uppercase and numbers in 20 minutes.
Time to step up our password game I guess...
I wonder how much time would it take to crack a 12 character password with lowercase, uppercase, numbers and special characters.
Probably knowing how long the password is beforehand helped out the process.
Firstly, always a good idea to have unique passwords for every instance where one is required. I lax on things that are unimportant / don't access personal data, but otherwise I use an offline "password safe" and just generate a random password. So even if one is compromised, it doesn't open up anything else. But it's also worth noting that the password hash was backdoored here, and I mean, if an attacker has enough access to get into a database to steal password hashes, they've probably already compromised other data anyway.
On length alone, the time it takes to randomly bruteforce a password increases exponentially. Even with something as simple as a lowercase only password, increasing the length from 8 to 12 results in the total combinations possible going from 26^8 to 26^12. Even though the length is only +50% longer, the actual amount of combinations that have to be tried increases by the order of hundreds of thousands of times more. While it'd take only a few minutes to at worst an hour or so to crack the first password, the latter one would take upwards of 200 years to crack. Factor in the latter including uppercase letters, numbers, special characters, and so on, and the difference between the two goes from hundreds of thousands to hundreds of millions.
That 20 minutes means basically nothing btw. You can actually crack someone's password in less than a second if you get lucky enough and the length doesn't matter. A more accurate way of measuring it would have been to see how long it takes to generate every single password and then divide it in half.
Yeah, it's time to upgrade to 30+ character passwords, whether xkcd-style or random. More length = better
@@valshapedThat doesn’t really give you security. What gives you security is multi factor auth.
some bALLS you got there lol, seen the vid bout it yesterday and was hoping it would be cracked soon... not this soon tho 😂
Didn't see it anywhere in the other comments I scanned through, but having turbo mode on intel Core i-whatever processors is normal. It's a feature of the processor where it will temporarily boost the clock speed above the "base" clock speed for extra performance. Totally safe & normal, the processor will throttle back to base clock or below if it gets too warm. I think the idea is that with the standard coolers they come with the base clock is semi-guaranteed to be suitable all day long and the turbo speed is something it can use situationally. If you have a higher quality aftermarket cooler, especially with more midrange CPUs often you can put lots of load on it and it can run at its max turbo speed indefinitely.
on this channel you should "feature" your main channel so people can find it in the channels tab
You install WinXP onto a machine with only AHCI controller, but you will the AHCI driver either seeded onto the CD install or available by floppy (seeded option is easier). But XP will not boot on EFI, will require the legacy boot option.
Good video!
Great. Now about IDA-diving into key protection
Lmao that BIOS screen is the same of my Asus laptop. It's a mixed legacy/non legacy BIOS with a legacy interface exactly like that "Aptio Setup Utility".
Mine is version 316 (Copyright 2019) though.
5:52 I think CSM is only available if you switch off UEFI, which in turn may enable other SATA modes, like IDE or Raid.
Grab a cheap medium like a $20 sata ssd, copy the bios content onto it, so youc an always reset to original,
but also copy the original drive into a file on that cheap medium, so you can restore that too.
Make sure it reads ALL data, including hidden partitions and such. (sector copy to file, whole drive.)
Excellent!
All this time I was thinking you were a goofy dumby. I stand corrected. You're a brilliant, goofy, dumby. Just like me. Good work, my dude.
I have my moments LOL. I'd love to get more technical with things but I'm worried it might shed off the less technical audience members. Luckily idgaf when it comes to this channel though
@@JonBringus yeah. I definitely subbed to this one after discovering it and after watching this. I like the more technical stuff but yeah. I totally get it. There is an audience for the technical stuff. It's just not a very big audience.
4:35 You can erase the password by changing it into an empty string. That may reversely
lead to changing this with any bios, by writing the same hash into the memory containing
the hash, while keeping the rest exactly the same.
Awesome news 👍
you can boot xp, just slipstream the intel ahci drivers onto the iso
SuperIO, well if you break it out ya can connect a d-ISA-pointment to it.
Bad idea I had: Grab a ALLS board and turn it into the Teradrive successor nobody wanted.
Awesome!
Nice, for a 'B' type board it is not bad.
I noticed the password for the BIOS was referencing Initial D Arcade Stage 7, DAX being Double Aces Cross, or as commonly referred to as AAX.
Would you bae able to change the password hash to a hash of a password you know and upload it back to the bios chip? And then when it compares the hash to the string you type in it would be comparing it to your hash not the default one
I would just change bios and flash a new one now you're ahead of me
i watched both these vids & subbed to both these channels :) really cool!!!! HEY, i just noticed, LTT may have stolen your video idea??????? did you see that? It's in my recommended right now
We worked on our videos at the same time, I actually spoke to them about it at LTX, it's all good
This is so cool.
Any update on what’s on the ssd that came with the saga alls ? I’m mega curious about that
Clocking in at 16MB is huge. For a bios, it should have a heluvalotta features. You could fit 8 EFI compatible BIOSes on that. A normal BIOS containing a setup block and boot block + microcode could be as small as 128K and still boot a PC in legacy mode all day long. A boot block bios with microcode only could be as small as 64KB for most boards.
I have to wonder if you bridged the clr CMOS before this rather complicated affair
New Sub! Dryden, Mich.
That was Awesome, hashcat, Check!
Very nice im.impressed
you should dump the software for the arcade game and send it over to the teknoparrot devs so they can add support in their emulator
Hello sir so I been watching ur videos for a couple weeks now so I have a usb stick that was Linux and I put it in my windows pc didn’t know it would delete the contents on it so I was wondering since ur real good with computers if I was to send it to u if u could find a way to get the stuff back on there I have went trough a few partition wizard the content is still there but unfortunately I ain’t trying to pay like 99 bucks to recover one usb is there a way u could help
I cringed a little when you cleared the password. I got locked out of a laptop once by doing that. Instead of clearing, it actually set a zero-character password... but the password entry wouldn't accept anything until you typed a character. 💀
I wasn't about to pay $$$ to reset a "forgotten" password so I actually found the backdoor password generator online. Suck it, Gateway.
That's a terrible design. But in any case, this BIOS actually prompted that it was going to clear it. Also from the previous video, apparently clearing CMOS kept the password, so I'm guessing even if something weird like that happened, clearing CMOS would've put the stock password back in.
That's spooky damn, luckily if I really need to I can resolder back onto the chip and restore my original dump
@@CaptainSouthbird That clearly would not work. He could get the password hash by dumping the Flash (EEPROM) chip, so the password is stored in there. And at 1:49 you can see that it is in a region labelled "NVRAM" - non-volatile random access memory. That's how UEFI does it, there is no "CMOS" = battery-backed (S)RAM for storing non-volatile settings anymore like in the BIOSes of old, so you cannot reset it by taking out a battery or bridging a jumper. If you somehow managed to get the UEFI to reset the NVRAM, then it would most likely be wiped/cleared, meaning no password at all instead of a "stock password".
what laptop was it?
@@amarokorama wrong. Clearing the CMOS means clearing the user area. Which means the password does not go to empty, but rather it goes to the default rom password. Which for consumer motherboards is empty. But it is not the same thing, like in this board.
What a adventure...Whooooooo....Thumb up......
I have tried on one ALLS from my friend several years ago, but did not got the BIOS password apparently. At that time, I found 2 rules of the boot order, one is it will boot to the last boot drive, and another one is it will fallover to the only bootable drive if the last boot drive doesn't exist, and these 2 rules exactly matches the settings in this video. And what I did is removed all the hard drive and leave a single USB drive on it, boot once, shutdown, then plug the hard drive back, and then will boot into the USB with hard drive attached.
Can someone tell me what the background song was in the final part of the video? It sounds oddly nostalgic to me but I can't quite remember what it is.
I'm pretty sure it's Fey's theme from Ace Attorney (turnabout sisters)
sega balls sega balls
Love the ace attorney music that shit slaps
Glad you solved that I hope you can some how bypass that was it Key pass thing to acess the game on the SSD and maybe Archive it. Sure horse betting game in JP is maybe not something people are dying to play but archiving it still a good idea seeing as it´s still part of gaming history.
What's the point in cracking the password when you could just replace that hashed string with your hashed password when you know where's this string located anyway?
Actually yeah that would have been pretty smart & quick to do now that I think about it. That probably would have got me in no problem but I also really wanted to find the password because every single one of these Alls MX2 units shares a password. So now anybody that has one can use it.
ah rad!
Secure boot set to custom is interesting
I'm curious if it's possible to flash the standard Gigabyte BIOS onto the motherboard?
Yo Bro can we have LTT?
Nah Dog we good LTT in the hood.
LTT In the Hood
you are a nice guy
NICE!!! I've got an ALLS computer (I think thats what it is) in a Mai Mai that wont let me boot anything but its factory drive. I wonder if they used the same password on all of the computers???
Be careful, if you are using the original Sega software. Your system propably uses Bitlocker with the key stored in the TPM chip.
Image the Disk and try booting that image in a different machine or VM. If windows requests a Bitlocker recovery, you are on thin ice.
If you mess with the hardware or BIOS it could trigger the TPM to no longer provide the disk encryption key. Bricking the system.
@@da1l616 I've already dupped the disk and it will boot on another platform but because specific I/O is missing it wont boot into the game.
Welp... So much for that idea. I've got a RingEdge2 PC in my Mai Mai. :( Its got a custom Sega mobo with only micro USB on it too. Ugh. Stuck with an non english version of Mai Mai I guess.
That area of the board that says CLR_CMOS, you can short those pins and reset the bios to default.... and clear any password...
The units look like Unix epoch
"This is just a Pi 4"
Meanwhile I'm still using my Pi 2 for flashrom
pi 3 is supreme, priced good and decent specs
I use the almighty CH341A
I wonder if there are more passwords that match that hash edit: didn’t realise it was SHA256, there will be no other passwords for this hash
Secure boot protects the PC from viruses or malware that would attack the BIOS or drivers and would therefore be hard or impossible to detect by an antivirus since it would have Ring0 privileges from the get go before the OS is even booted.
ofc goilup had a hand in this lol, nice
why couldn't you use rainbow tables with that hash you were able to recover?
Pretty simple fix get the bios for the consumer version. And flash it to this board
question: I know that the password is more valuable then just access, but assuming all I wanted was access: Could I not simply pick any password and overwrite the flash section containing the password? OK, I would risk there being a checksum and again: the password is more valuable as it works on all machines.
I THINK that you could replace the default hash with your own hash that you know the password for, but like you said it's better to know the password so that everyone with an Alls MX2 has a password they can use too now
Just watched the first one. I’m lucky
should validate that card with gpuz
Turn it into a steam cache server please
I'm really surprise. Almost always, a desktop-style PC has a jumper on the board that bypasses the bios password. On this device, assuming yours has the MDH11BM motherboard, resetting the bios with the jumper clears the password.
He tried that already. Either Sega had them disable that on this board, or the process is more complicated (such as it enabling a "OEM password" instead of clearing the user's password).
what are those clippy thingies actually named? xD
It's a hash, you can't do anything with it. Also there's a thing you can do with it.
Secure boot is what it says it is
Stops malicious boots
16mb. Bloody Hell I remember them being 3 mb 😂 God I'm old
Sega BALLS
So, if you have connected the bios chip to thy pi, why couldn't you have flashed clean bios from the public revision of that board, since you know exactly what it is?
In case the bios has sega specific settings, and not wanting to risk corrupting anything if the bios flash failed
I did try that actually. I tried the F6 version BIOS for this identical board but it wouldn't boot up afterwards. Not sure why. I tried some consumer H310 boards as well but none of those BIOS's would let this thing boot up
you can use the password on any machine/board you find the wild, without having to solder to it.
@@JonBringus guess that's something we'll never know the answer too
Finally I can fully use my bALLS
Bro if someone found your house and broke in all they would have to do to get past any and all security is say gaming
hello jon bringus or anyone here can tell how can i get the usb keyboard model number i kinda like it thanks ?!
If you mean the Cherry keyboard it's a MX 11900
Nice hacking, I saw a vid where someone hacked a Lenovo bios by shorting 2 of the pins for BIOS communication after boot initiated and before the Bios flash screen. I wonder if that would work also. The bios chips aren't the same. But they both had the 8 solder pin config, so identifying those pins for the chip would be required. But I'd love to see if different chips would have the same effect.
Iirc he tried that in the main channel video on this unit but I'm not entirely sure
That only works with older Lenovo laptops, because these store password in separate security chip from BIOS.
You think it'll be the same password for every unit? Or will they have been each programmed individually from the factory?
Historically Sega has used the same bios password for all of their PC-based units, so every Alls MX2 SHOULD be using this password
@@JonBringus ah, interesting. I guess the bios password isn't that huge of a security thing. Probably just to prevent theft.
@@Aeduo: More to prevent arcade owners from doing unscrupulous things, I think.
NO WAY!!!
Couldn't you just hash an arbitrary password and replace it in the bios rom and reflash it
He said CP Iboss .
Couldn’t you just delete the password instead of cracking it if your goal is just to get into setup? Zero out the password flash dump back onto the rom and it’ll boot back up.
Having the password could work an all machines without soldering to the board.
Deleting the password only works on one machine.
There also could be a checksum somewhere. Or the BIOS developer could have gone full nuts and make multilevel checksums. That would not be "secure", but surely annoying.
bro, a cheap ch134a would've been way easier lol. but as a fellow cheapskate/use-what-you-have-on-hander, I understand.
😲
Ok, But whats on the ssd?
A lot of bitlocker'd partitions that I don't have the keys to
@@JonBringus :(
These days hardware RAID isn't the best idea. ZFS is great!
Actual content. Nice. The previous video was disappointing.
It's tough to get into the weeds of the slightly more technical stuff without shaking off the more general audience on my main channel. Luckily that's what this channel is for
Using that as a NAS, hardware RAID sucks anyways. Just use the CPU for ZFS, which puts hardware RAID to shame with the amount of features.
The clip is kinda Hard to use. Soldering is much better
Ok