Thomas Shaddack, October 27, 2009 08:02

Hacking laptop (and BIOS in general) passwords

Sometimes a laptop turns up, bought cheaply or acquired in a similar way, that has a BIOS password set which needs to be removed.

The BIOS configuration data are usually stored in a small EEPROM chip, which typically looks like an 8-pin SMD part labeled 24C... or 93C.... These are common parts with freely available datasheets, usually on an I2C bus (the 24Cxx family is I2C; the 93Cxx family uses the three-wire Microwire interface instead).

The clock and data lines can be tapped by soldering thin wires onto the chip's pins. The activity on them can be sensed with an oscilloscope, an I2C bus analyzer, or even a plain old LED. By grounding the lines, the reading of the chip can be disabled at the right moment. Depending on the BIOS, it is possible to force it to think the machine just came off the assembly line and should initialize to defaults, or just to force zeros onto the bus when the password is read, making the BIOS think it has zero length. The bus behavior can be observed and further guessed by trial and error while watching the bus activity; a scope is useful here, but an LED can be sufficient.

Alternatively, the chip can be desoldered, read, rewritten, and soldered back. Or the traffic from the chip can simply be monitored and the password decoded from it.

When only the BIOS setup password is set, it is possible to use debug.exe (or Linux EEPROM tools) to directly set some bytes in the EEPROM to wrong values. At the next boot, the BIOS checksum fails and defaults are set.

This applies generally to many things that use an I2C bus and configuration EEPROMs. Close-up shots of a technician deftly soldering thin shiny wires onto tiny chip pins could look nice in a movie. Other attractive-looking things may be waveforms on an oscilloscope, or some sort of color-highlighted scrolling logs or decoded bus traffic. Chipping of devices, from game consoles to DVD players, also often requires direct access to the hardware at component level.
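The "decoded bus traffic" mentioned above is what an I2C bus analyzer produces from the two sampled lines. The following is an added example by the editor, not code from the post or its author: a minimal I2C decoder that turns sampled SDA/SCL levels into the START, address, data, ACK/NACK and STOP events an analyzer displays, plus a small waveform generator that builds a constructed 24Cxx-style read transaction (device address 0x50, word address 0x10, returned byte 0x42) purely as test input. Nothing here is captured from a real device; the sample values and the event-string format are assumptions for illustration.

```python
"""Minimal I2C bus decoder: turns sampled SDA/SCL logic levels into the
START / address / data / ACK / STOP events a bus analyzer would display.
Added example; the waveform below is constructed, not captured."""

from typing import List, Tuple

Sample = Tuple[int, int]  # (sda, scl) logic levels, each 0 or 1

# Constructed transaction: 24Cxx-style "random read" of word address 0x10
# from device 0x50.  (byte, acked) pairs; byte == -1 marks a repeated START.
SAMPLE_FRAMES: List[Tuple[int, bool]] = [
    (0x50 << 1 | 0, True),   # device address, write bit, ACK
    (0x10, True),            # word address to read from, ACK
    (-1, True),              # repeated START
    (0x50 << 1 | 1, True),   # device address, read bit, ACK
    (0x42, False),           # data byte returned; master NACKs the last byte
]


def encode_transaction(frames: List[Tuple[int, bool]]) -> List[Sample]:
    """Build a sampled waveform for one I2C transaction (test input only)."""
    samples: List[Sample] = [(1, 1)]          # bus idle: both lines high
    samples += [(0, 1), (0, 0)]               # START: SDA falls while SCL high
    for byte, acked in frames:
        if byte == -1:                        # repeated START, no STOP before it
            samples += [(1, 0), (1, 1), (0, 1), (0, 0)]
            continue
        for i in range(7, -1, -1):            # data bits, MSB first
            bit = (byte >> i) & 1
            samples += [(bit, 0), (bit, 1), (bit, 0)]   # change SDA while SCL low
        ack = 0 if acked else 1               # ACK = SDA pulled low on 9th clock
        samples += [(ack, 0), (ack, 1), (ack, 0)]
    samples += [(0, 0), (0, 1), (1, 1)]       # STOP: SDA rises while SCL high
    return samples


def decode_i2c(samples: List[Sample]) -> List[str]:
    """Decode sampled (sda, scl) levels into human-readable bus events."""
    events: List[str] = []
    bits: List[int] = []
    first_byte = False                        # first byte after START is the address
    prev_sda, prev_scl = samples[0]
    for sda, scl in samples[1:]:
        if prev_scl == 1 and scl == 1 and prev_sda == 1 and sda == 0:
            # SDA falling while SCL high: START (or repeated START)
            events.append("RESTART" if events and events[-1] != "STOP" else "START")
            bits = []                         # discard any partial byte
            first_byte = True
        elif prev_scl == 1 and scl == 1 and prev_sda == 0 and sda == 1:
            events.append("STOP")             # SDA rising while SCL high
            bits = []
        elif prev_scl == 0 and scl == 1:
            bits.append(sda)                  # data is sampled on SCL rising edge
            if len(bits) == 9:                # 8 data bits + ACK bit
                value = int("".join(map(str, bits[:8])), 2)
                ack = "ACK" if bits[8] == 0 else "NACK"
                if first_byte:
                    rw = "R" if value & 1 else "W"
                    events.append(f"ADDR 0x{value >> 1:02X} {rw} {ack}")
                    first_byte = False
                else:
                    events.append(f"DATA 0x{value:02X} {ack}")
                bits = []
        prev_sda, prev_scl = sda, scl
    return events


def decode_sample_transaction() -> List[str]:
    """Round-trip the constructed transaction through encoder and decoder."""
    return decode_i2c(encode_transaction(SAMPLE_FRAMES))


if __name__ == "__main__":
    for event in decode_sample_transaction():
        print(event)
```

The decoder follows the two rules every I2C analyzer applies: data is valid on the rising edge of SCL, and SDA may change while SCL is high only to signal START or STOP, so any partial byte is dropped when one of those conditions appears. The first byte after a START is split into a 7-bit address and the R/W bit, which is how the analyzer knows which chip on the bus is talking and in which direction.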

For a sample of oscilloscope screenshots showing a video signal, check out this:
http://en.wikipedia.org/wiki/Analogue_television_synchronization
(Especially with CRT-based scopes, adjusting the brightness and ambient light to look good on camera may take a while of experimenting.)

A young, unemployed technician who desperately needs money often won't ask many questions before whipping out the soldering iron.

...after gaining access, said technician may poke around the hard drive, find something of value (confidential data, or saved access passwords to websites or a VPN...), attempt to extract the value, and set off an unexpected avalanche of events. (The same can be done with data found on a purchased non-wiped or poorly-wiped secondhand disk/machine, or as a breach of trust when said technician is hired to do data recovery.)


Comments

This shot doesn't have comments.
