Angrymoleratsbaggle Posted January 21, 2021 (edited)

It was posted to Reddit a little bit ago. https://old.reddit.com/r/AtariVCS/comments/l1miv3/atari_vcs_bios_exposed/

Piano18482

I was able to use it to remove the password on my VCS.

leech Posted January 21, 2021

1 minute ago, Angrymoleratsbaggle said: It was posted to Reddit a little bit ago. https://old.reddit.com/r/AtariVCS/comments/l1miv3/atari_vcs_bios_exposed/ Piano18482 I was able to use it to remove the password on my VCS.

Ha, cat is out of the bag. Though doesn't mean an AtariOS update won't change it, and I don't know if they are required by any laws that they have to keep it locked. For PCI compliance or something (since they have a store). One would think that all goes over the web though and they should allow purchases over the web.

leech Posted January 21, 2021

8 minutes ago, Angrymoleratsbaggle said: It was posted to Reddit a little bit ago. https://old.reddit.com/r/AtariVCS/comments/l1miv3/atari_vcs_bios_exposed/ Piano18482 I was able to use it to remove the password on my VCS.

Good, means I didn't have to reveal it. Secure boot is a dumb thing anyhow and is more about control than it is security. Mind you on the VCS it isn't something that most people will mess with. Maybe? Hard to tell at this stage how many will use it as a Mini-PC vs a game console. Only time will tell.

andymanone (Author) Posted January 21, 2021

18 minutes ago, Angrymoleratsbaggle said: It was posted to Reddit a little bit ago. https://old.reddit.com/r/AtariVCS/comments/l1miv3/atari_vcs_bios_exposed/ Piano18482 I was able to use it to remove the password on my VCS.

That's it ?....

Charles Darwin Posted January 21, 2021

Funny password...so now Atari really has a problem....because every user can do it. Yet, I am glad that I do not have to open the VCS anymore...thanks!

andymanone (Author) Posted January 21, 2021

7 minutes ago, Charles Darwin said: Funny password...so now Atari really has a problem....because every user can do it. Yet, I am glad that I do not have to open the VCS anymore...thanks!

Yes, but it's a Hare and Tortoise game. I'm afraid, ATARI will change the password with the next update....

leech Posted January 21, 2021

19 minutes ago, andymanone said: Yes, but it's a Hare and Tortoise game. I'm afraid, ATARI will change the password with the next update....

Let's be fair to them, this was going to get hacked anyhow as they posed it as the 'unconsole' in the first place. Don't know why they bothered with the secure boot in the first place, beyond it being a requirement from a partner or something. Now someone install GamerOS on it.

Charles Darwin Posted January 21, 2021

During every boot of the AtariOS it checks for updates and automatically installs them. AtariOS updates AND firmware (BIOS) updates. You can be sure that a firmware update will come soon...with a new pw.

Does anyone know where the password was stored? On the eMMC or EEPROM?

The AtariOS also (automatically) removes any changes you made to the EFI partitions of the eMMC. So they clearly thought about security...and yes, I think it is relevant for the future of the VCS.

andymanone (Author) Posted January 21, 2021 (edited)

34 minutes ago, Charles Darwin said: Does anyone know where the password was stored? On the eMMC or EEPROM?

As far as I know, on one of the EFI partitions... I also have access to all partitions now from Windows, but I'm not a Linux expert, so I'm not sure which folder or file I should be looking for it in... Any suggestions?

Angrymoleratsbaggle Posted January 21, 2021

8 hours ago, leech said: Ha, cat is out of the bag. Though doesn't mean an AtariOS update won't change it, and I don't know if they are required by any laws that they have to keep it locked. For PCI compliance or something (since they have a store). One would think that all goes over the web though and they should allow purchases over the web.

Yeah, I figure it was already getting posted around anyways. I wouldn't think that it would be required for PCI compliance, otherwise stores like Steam and Origin wouldn't be allowed to run.

Angrymoleratsbaggle Posted January 21, 2021

An interesting tidbit, the RetroAxisTV script uses efivar to read it from SystemSupervisorPW from the UEFI while the system is running.

The password can also be found in the firmware files, in plain text. The files are located in /usr/share/fwupd/remotes.d/vendor/firmware

If you run UEFITool you can do a string search for defsetuppswd and find the password there in plain text as well.

Charles Darwin Posted January 21, 2021

@andymanone I think this is the main partition of the eMMC you are looking at. The EFI partitions are EFI-A, EFI-B and EFI-recovery. There are some other strange partitions...verity-A, verity-B, rootfs-A, rootfs-B...which look more promising.

Thanks to your boot-from-emmc-disable thing, I don't need any other BIOS setting changes right now. I can use VirtualBox and my VCS boots from the M.2 drive, despite having an original eMMC (AtariOS). I am happy with my VCS...life is good.

leech Posted January 21, 2021

1 hour ago, Angrymoleratsbaggle said: Yeah, I figure it was already getting posted around anyways. I wouldn't think that it would be required for PCI compliance, otherwise stores like Steam and Origin wouldn't be allowed to run.

What it comes down to is secure boot is just another method of control to try to make us not 'own' our own hardware.

+x=usr(1536) Posted January 21, 2021 (edited)

47 minutes ago, leech said: What it comes down to is secure boot is just another method of control to try to make us not 'own' our own hardware.

On the unconsole? With its open Linux and suchlike? Say it ain't so!

Realistically, the reason for enabling secure boot was probably so that people would keep their grubby little fingers out of the BIOS. Fingers in BIOS == bricked systems == greater support load == denied warranty claims == (another) PR nightmare waiting to happen.

Think of it this way: by locking it down, any responsibility for screwing up the system is now moved onto the user who bypasses Secure Boot. If Fauxtari didn't do that, the press would have a field day with them for releasing a device which people had broken without effort and who were now being told to go pound sand when requesting a replacement.

I'm 100% positive that this had nothing to do with controlling the hardware and everything to do with trying to not look completely incompetent. Unfortunately, storing EFI passwords in cleartext in user-accessible parts of the filesystem pretty much negates that philosophy.

leech Posted January 21, 2021

6 hours ago, andymanone said: As far as I know, on one of the EFI partitions... I also have access to all partitions now from Windows, but I'm not a Linux expert, so I'm not sure which folder or file I should be looking for it in... Any suggestions?

Huh, did you install an ext4 driver? Or are the partitions actually NTFS? (I didn't think they were...)

leech Posted January 21, 2021

1 hour ago, x=usr(1536) said: On the unconsole? With its open Linux and suchlike? Say it ain't so! Realistically, the reason for enabling secure boot was probably so that people would keep their grubby little fingers out of the BIOS. Fingers in BIOS == bricked systems == greater support load == denied warranty claims == (another) PR nightmare waiting to happen. Think of it this way: by locking it down, any responsibility for screwing up the system is now moved onto the user who bypasses Secure Boot. If Fauxtari didn't do that, the press would have a field day with them for releasing a device which people had broken without effort and who were now being told to go pound sand when requesting a replacement. I'm 100% positive that this had nothing to do with controlling the hardware and everything to do with trying to not look completely incompetent. Unfortunately, storing EFI passwords in cleartext in user-accessible parts of the filesystem pretty much negates that philosophy.

Ha, I wasn't referring specifically to the AtariVCS as yes this is meant as a console type system which 'just works' and your average person isn't going to be digging around the BIOS for settings or really should they be. So it's fine that us that know more can hack around it and play, kind of the intention I think of the VCS.

I'm talking in general, the whole spec around Secure Boot on the PCs are for locking people out from being able to run their own choice in operating system. This is why some Linux distributions, despite now having the ability to get signed keys to support it, simply refuse to because it doesn't give any security and only limits on what kernels you can boot.

RetroAxis Posted January 21, 2021

The password was not actually stored on the filesystem, as I checked /dev/mmcblk0p1, p2 and p3, which are the 3 EFI partitions from the factory. I received a tip that it was stored within the EFI BIOS itself. I remembered from SPARC and PPC they had a command line interface to the OpenFirmware that let you perform get and set operations on the parameters. There are EFI Tools available for Linux and using these, I was able to locate the password.

In theory, this would still work even if Atari changes the PW in a future update unless they start to encrypt the string in the BIOS. So for now, no need to fry your motherboards.

andymanone (Author) Posted January 21, 2021 (edited)

19 minutes ago, leech said: Huh, did you install an ext4 driver? Or are the partitions actually NTFS? (I didn't think they were...)

To mount ext4 partitions and similars, I use this little great tool with Win10: -> Diskinternals Linux-Reader

It works fine for me all the time, I use it since a couple of years...

Angrymoleratsbaggle Posted January 21, 2021

6 minutes ago, RetroAxis said: The password was not actually stored on the filesystem, as I checked /dev/mmcblk0p1, p2 and p3, which are the 3 EFI partitions from the factory. I received a tip that it was stored within the EFI BIOS itself. I remembered from SPARC and PPC they had a command line interface to the OpenFirmware that let you perform get and set operations on the parameters. There are EFI Tools available for Linux and using these, I was able to locate the password. In theory, this would still work even if Atari changes the PW in a future update unless they start to encrypt the string in the BIOS. So for now, no need to fry your motherboards.

I searched through all the filesystems to see if it was stored in a script or database previously. Was confused when people were claiming it was stored on the filesystem after your video came out, so went and looked again. Then I looked at your script and saw you were pulling it with efivar, which made sense.

Only place close to on the filesystem it is stored is within the .bin firmware images in the fwupdmgr folders. I was able to pull it from the images where it's stored in plain text in defsetuppswd.

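An added example, not part of the thread or of any script mentioned in it: a vendor-side release check for the two exposures the posts above describe, a setup password readable from a runtime UEFI variable and sitting in plain text in the firmware image. The 4-byte attribute header is the Linux efivarfs file layout; the secret, variable contents and image bytes are constructed placeholders, and the ASCII/UTF-16LE storage encodings are assumptions.

```python
import hashlib
import struct

EFI_VARIABLE_RUNTIME_ACCESS = 0x4  # UEFI attribute bit: readable after boot


def find_cleartext(blob: bytes, secret: str):
    """Return sorted (offset, encoding) pairs where secret sits unencoded in blob."""
    needles = {"ascii": secret.encode("ascii"),
               "utf-16le": secret.encode("utf-16-le")}  # assumed encodings
    hits = []
    for name, needle in needles.items():
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)


def audit_efivarfs_entry(raw: bytes, secret: str):
    """Audit one efivarfs file: 4-byte little-endian attributes, then payload."""
    if len(raw) < 4:
        raise ValueError("entry shorter than the efivarfs attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return {"runtime_readable": bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS),
            "hits": find_cleartext(raw[4:], secret)}


def release_gate(variables: dict, image: bytes, secret: str):
    """List findings that should block a firmware release; empty means pass."""
    findings = []
    for name, raw in variables.items():
        result = audit_efivarfs_entry(raw, secret)
        if result["hits"]:
            where = "runtime-readable" if result["runtime_readable"] else "boot-only"
            findings.append(f"variable {name}: cleartext secret ({where})")
    for offset, enc in find_cleartext(image, secret):
        findings.append(f"image offset {offset:#x}: cleartext secret ({enc})")
    return findings


# Constructed sample data (placeholder secret, not a real credential).
SECRET = "ExampleSetupPw1"
BAD_VAR = struct.pack("<I", 0x7) + SECRET.encode("utf-16-le") + b"\x00\x00"
GOOD_VAR = struct.pack("<I", 0x3) + hashlib.sha256(SECRET.encode()).digest()
BAD_IMAGE = b"\xff" * 16 + b"defsetuppswd\x00" + SECRET.encode() + b"\x00"
GOOD_IMAGE = b"\xff" * 16 + b"defsetuppswd\x00" + b"\x00" * 16
```

The gate only proves the exact string is absent in those two encodings; a reversible obfuscation of the same value would pass it, so it complements rather than replaces storing a salted hash in a variable without runtime access.
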
leech Posted January 21, 2021

32 minutes ago, andymanone said: To mount ext4 partitions and similars, I use this little great tool with Win10: -> Diskinternals Linux-Reader It works fine for me all the time, I use it since a couple of years...

Cool, I knew there were various tools (I've used that myself) was just wondering if Win10 had silently added support without me knowing. On the flip side, Paragon is trying to upstream their NTFS driver to the Linux kernel, so it should be a lot more performant and stable (though I have had good luck with NTFS-3G driver).

Manwichman Posted January 21, 2021

The password is Piano18482. I'm serious. Try it. I immediately put my own password on and switched to legacy haha.

Charles Darwin Posted January 21, 2021

@Manwichman You are a bit late

Manwichman Posted January 21, 2021

Ha yeah I know I registered an account here this morning but it didn't let me log in till now

Charles Darwin Posted January 21, 2021

1 hour ago, RetroAxis said: ... In theory, this would still work even if Atari changes the PW in a future update unless they start to encrypt the string in the BIOS. So for now, no need to fry your motherboards.

The Macronix chip is very robust...believe me...I really tortured it with a paperclip...as long as you just connect CLK with the data output, it just blocks the communication...and you can safely enter the BIOS...although in a virgin state only...it does not show you the changed settings.

justclaws Posted January 21, 2021

I have a Lenovo business laptop, which has a similar chip for the security of the BIOS. (Fingerprint etc.) There is also supposed to be a fix momentarily shorting 2 pins on the EEPROM, but uh... Unfortunately, for that laptop, if there is a problem with the chip, the motherboard is bricked, totally. Although I really want to alter an advanced setting (it's 2nd-hand) I daren't risk that.

I'm so glad that the password became available, for the VCS. I definitely can't afford to brick THAT.