It was posted to Reddit a little bit ago.

https://old.reddit.com/r/AtariVCS/comments/l1miv3/atari_vcs_bios_exposed/

 

Piano18482

 

I was able to use it to remove the password on my VCS.

Edited by Angrymoleratsbaggle
  • Like 4
  • Thanks 1
1 minute ago, Angrymoleratsbaggle said:

It was posted to Reddit a little bit ago.

https://old.reddit.com/r/AtariVCS/comments/l1miv3/atari_vcs_bios_exposed/

 

Piano18482

 

I was able to use it to remove the password on my VCS.

Ha, cat is out of the bag.  Though doesn't mean an AtariOS update won't change it, and I don't know if they are required by any laws that they have to keep it locked.  For PCI compliance or something (since they have a store).  One would think that all goes over the web though and they should allow purchases over the web.

8 minutes ago, Angrymoleratsbaggle said:

It was posted to Reddit a little bit ago.

https://old.reddit.com/r/AtariVCS/comments/l1miv3/atari_vcs_bios_exposed/

 

Piano18482

 

I was able to use it to remove the password on my VCS.

Good, means I didn't have to reveal it.  :)

Secure boot is a dumb thing anyhow and is more about control than it is security.  Mind you on the VCS it isn't something that most people will mess with.  Maybe?  Hard to tell at this stage how many will use it as a Mini-PC vs a game console.  Only time will tell.

  • Like 1
18 minutes ago, Angrymoleratsbaggle said:

It was posted to Reddit a little bit ago.

https://old.reddit.com/r/AtariVCS/comments/l1miv3/atari_vcs_bios_exposed/

 

Piano18482

 

I was able to use it to remove the password on my VCS.

That´s it ?....

7 minutes ago, Charles Darwin said:

Funny password...so now Atari really has a problem....because every user can do it.

Yet, I am glad that I do not have to open the VCS anymore...thanks! ;-)

 

Yes, but it's a Hare and Tortoise game.

I'm afraid ATARI will change the password with the next update....

  • Like 1
19 minutes ago, andymanone said:

Yes, but it's a Hare and Tortoise game.

I'm afraid ATARI will change the password with the next update....

Let's be fair to them, this was going to get hacked anyhow as they posed it as the 'unconsole' in the first place.  Don't know why they bothered with the secure boot in the first place, beyond it being a requirement from a partner or something.

 

Now someone install GamerOS on it.  :)

  • Like 2

During every boot of the AtariOS it checks for updates and automatically installs them. AtariOS updates AND firmware (Bios) updates. You can be sure that a firmware update will come soon...with a new pw ;-)

Does anyone know, where the password was stored? On the emmc or eeprom?

The AtariOS also (automatically) removes any changes you made to the EFI partitions of the emmc. So they clearly thought about security...and yes, I think it is relevant for the future of the VCS.

  • Like 1
34 minutes ago, Charles Darwin said:

Does anyone know, where the password was stored? On the emmc or eeprom?

As far as I know, on one of the EFI partitions...

I've also access to all partitions now from Windows, but I'm not a Linux expert,

so I'm not sure which folder or file I should be looking for it...

 

Any suggestions?

 

Folders01.JPG

Edited by andymanone
Screenshot added
8 hours ago, leech said:

Ha, cat is out of the bag.  Though doesn't mean an AtariOS update won't change it, and I don't know if they are required by any laws that they have to keep it locked.  For PCI compliance or something (since they have a store).  One would think that all goes over the web though and they should allow purchases over the web.

 

Yeah, I figure it was already getting posted around anyways.

 

I wouldn't think that it would be required for PCI compliance, otherwise stores like Steam and Origin wouldn't be allowed to run.

 

An interesting tidbit, the RetroAxisTV script uses efivar to read it from SystemSupervisorPW from the UEFI while the system is running.

 

The password can also be found in the firmware files, in plain text.

The files are located in /usr/share/fwupd/remotes.d/vendor/firmware

 

If you run UEFITool you can do a string search for defsetuppswd and find the password there in plain text as well.

 

  • Like 1
  • Thanks 1
  • Haha 2

@andymanone

I think this is the main partition of the emmc you are looking at. The EFI partitions are EFI-A, EFI-B and EFI-recovery. There are some other strange partitions...verity-A, verity-B, rootfs-A, rootfs-B...which look more promising. Thanks to your boot-from-emmc-disable thing, I don't need any other BIOS setting changes right now. I can use VirtualBox and my VCS boots from the m.2 drive, despite having an original emmc (AtariOS). I am happy with my VCS...life is good

 

 

 

 

  • Thanks 2
1 hour ago, Angrymoleratsbaggle said:

 

Yeah, I figure it was already getting posted around anyways.

 

I wouldn't think that it would be required for PCI compliance, otherwise stores like Steam and Origin wouldn't be allowed to run.

 

What it comes down to is secure boot is just another method of control to try to make us not 'own' our own hardware.

  • Like 1
47 minutes ago, leech said:

What it comes down to is secure boot is just another method of control to try to make us not 'own' our own hardware.

 

On the unconsole?  With its open Linux and suchlike?  Say it ain't so!

 

Realistically, the reason for enabling secure boot was probably so that people would keep their grubby little fingers out of the BIOS.  Fingers in BIOS == bricked systems == greater support load == denied warranty claims == (another) PR nightmare waiting to happen.

 

Think of it this way: by locking it down, any responsibility for screwing up the system is now moved onto the user who bypasses Secure Boot.  If Fauxtari didn't do that, the press would have a field day with them for releasing a device which people had broken without effort and who were now being told to go pound sand when requesting a replacement.

 

I'm 100% positive that this had nothing to do with controlling the hardware and everything to do with trying to not look completely incompetent.  Unfortunately, storing EFI passwords in cleartext in user-accessible parts of the filesystem pretty much negates that philosophy.

Edited by x=usr(1536)
  • Like 2
6 hours ago, andymanone said:

As far as I know, on one of the EFI partitions...

I've also access to all partitions now from Windows, but I'm not a Linux expert,

so I'm not sure which folder or file I should be looking for it...

 

Any suggestions?

 

Folders01.JPG

Huh, did you install an ext4 driver?  or are the partitions actually NTFS?  (I didn't think they were...)

1 hour ago, x=usr(1536) said:

 

On the unconsole?  With its open Linux and suchlike?  Say it ain't so!

 

Realistically, the reason for enabling secure boot was probably so that people would keep their grubby little fingers out of the BIOS.  Fingers in BIOS == bricked systems == greater support load == denied warranty claims == (another) PR nightmare waiting to happen.

 

Think of it this way: by locking it down, any responsibility for screwing up the system is now moved onto the user who bypasses Secure Boot.  If Fauxtari didn't do that, the press would have a field day with them for releasing a device which people had broken without effort and who were now being told to go pound sand when requesting a replacement.

 

I'm 100% positive that this had nothing to do with controlling the hardware and everything to do with trying to not look completely incompetent.  Unfortunately, storing EFI passwords in cleartext in user-accessible parts of the filesystem pretty much negates that philosophy.

Ha, I wasn't referring specifically to the AtariVCS, as yes, this is meant as a console type system which 'just works' and your average person isn't going to be digging around the BIOS for settings, nor really should they be.  So it's fine that us that know more can hack around it and play, kind of the intention I think of the VCS.  I'm talking in general, the whole spec around Secure Boot on the PCs is for locking people out from being able to run their own choice in operating system.  This is why some Linux distributions, despite now having the ability to get signed keys to support it, simply refuse to because it doesn't give any security and only limits what kernels you can boot.

  • Like 1

The password was not actually stored on the filesystem, as I checked /dev/mmcblk0p1 p2 and p3, which are the 3 EFI partitions from the factory. I received a tip that it was stored within the EFI Bios itself.  I remembered from SPARC and PPC they had a command line interface to the OpenFirmware that let you perform get and set operations on the parameters.  There are EFI Tools available for Linux and using these, I was able to locate the password. In theory, this would still work even if Atari changes the PW in a future update unless they start to encrypt the string in the BIOS. So for now, no need to fry your motherboards.

  • Like 7
  • Thanks 1
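An added example, not part of any post in this thread and not the script the posts refer to: a defender-side audit of Linux efivarfs entries that flags UEFI variables which the running OS can read, which carry a credential-like name and which hold printable text, reporting only the length of each value. The name heuristic, the GUID and the sample values are constructed assumptions; `SystemSupervisorPW` is the variable name mentioned in the thread.

```python
import re
import tempfile
from pathlib import Path

RUNTIME_ACCESS = 0x4  # EFI_VARIABLE_RUNTIME_ACCESS: variable is readable by the running OS
# Heuristic (assumption): variable names that suggest a credential.
SECRET_NAME = re.compile(r"pass|pswd|pw|secret", re.I)

def decode_text(data):
    """Return the payload as text if it is printable ASCII or UTF-16LE, else None."""
    for enc in ("ascii", "utf-16-le"):
        try:
            text = data.decode(enc).rstrip("\x00")
        except UnicodeDecodeError:
            continue
        if len(text) >= 4 and text.isprintable():
            return text
    return None

def audit_efivars(root="/sys/firmware/efi/efivars"):
    """Flag OS-readable variables that look like cleartext credentials (values are not returned)."""
    findings = []
    for path in sorted(Path(root).iterdir()):
        try:
            raw = path.read_bytes()
        except OSError:
            continue  # entry not readable with current privileges
        attrs = int.from_bytes(raw[:4], "little")  # efivarfs: 4 attribute bytes, then data
        name = path.name[:-37]  # strip the "-<GUID>" suffix (hyphen + 36 characters)
        text = decode_text(raw[4:])
        if attrs & RUNTIME_ACCESS and text and SECRET_NAME.search(name):
            findings.append({"name": name, "attrs": attrs, "length": len(text)})
    return findings

def build_sample(root):
    """Write constructed sample entries; the GUID and all values are made up."""
    guid = "11111111-2222-3333-4444-555555555555"
    samples = {
        "SystemSupervisorPW": (0x7, "example-pw".encode("utf-16-le")),  # cleartext text
        "BootOrder": (0x7, bytes([0, 0, 1, 0])),                        # ordinary binary data
        "SetupPwHash": (0x7, b"\x00\xd8" * 16),                         # stand-in for a binary digest
    }
    for name, (attrs, data) in samples.items():
        (Path(root) / f"{name}-{guid}").write_bytes(attrs.to_bytes(4, "little") + data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_efivars(tmp))
```

Only the cleartext entry is reported; the entry holding non-text binary data under a credential-like name is not, which is the difference between storing a password string and storing a digest of it.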
19 minutes ago, leech said:

Huh, did you install an ext4 driver?  or are the partitions actually NTFS?  (I didn't think they were...)

To mount ext4 partitions and similar, I use this great little tool with Win10:

 

-> Diskinternals Linux-Reader

 

It works fine for me all the time, I have used it for a couple of years...

Edited by andymanone
  • Like 2
6 minutes ago, RetroAxis said:

The password was not actually stored on the filesystem, as I checked /dev/mmcblk0p1 p2 and p3, which are the 3 EFI partitions from the factory. I received a tip that it was stored within the EFI Bios itself.  I remembered from SPARC and PPC they had a command line interface to the OpenFirmware that let you perform get and set operations on the parameters.  There are EFI Tools available for Linux and using these, I was able to locate the password. In theory, this would still work even if Atari changes the PW in a future update unless they start to encrypt the string in the BIOS. So for now, no need to fry your motherboards.

I searched through all the filesystems to see if it was stored in a script or database previously.

Was confused when people were claiming it was stored on the filesystem after your video came out, so went and looked again.

Then I looked at your script and saw you were pulling it with efivar, which made sense.

 

Only place close to on the filesystem it is stored is within the .bin firmware images in the fwupdmgr folders.

I was able to pull it from the images where it's stored in plain text in defsetuppswd

 

  • Like 2
32 minutes ago, andymanone said:

To mount ext4 partitions and similar, I use this great little tool with Win10:

 

-> Diskinternals Linux-Reader

 

It works fine for me all the time, I have used it for a couple of years...

Cool, I knew there were various tools (I've used that myself) was just wondering if Win10 had silently added support without me knowing.  On the flip side, Paragon is trying to upstream their ntfs driver to the Linux kernel, so it should be a lot more performant and stable (though I have had good luck with NTFS-3G driver).

1 hour ago, RetroAxis said:

... In theory, this would still work even if Atari changes the PW in a future update unless they start to encrypt the string in the BIOS. So for now, no need to fry your motherboards.

The Macronix chip is very robust...believe me...I really tortured it with a paperclip...as long as you just connect CLK with the data output, it just blocks the communication...and you can safely enter the bios...although in a virgin state only...it does not show you the changed settings.

  • Like 1

I have a Lenovo business laptop, which has a similar chip for the security of the BIOS. (Fingerprint etc.)
There is also supposed to be a fix momentarily shorting 2 pins on the EEPROM, but uh...
Unfortunately, for that laptop, if there is a problem with the chip, the motherboard is bricked, totally.
Although I really want to alter an advanced setting (it's 2nd-hand) I daren't risk that.
I'm so glad that the password became available, for the VCS. I definitely can't afford to brick THAT.

  • Like 2
