Omnibook 800CT Garage sale find, help me unlock it
Posted by Informal_Ad_6718@reddit | vintagecomputing | View on Reddit | 56 comments
Hey, i picked this cool laptop on a garage sale , its that one with the cute mouse that pops out, has a pretty amazing keyboard and terrific display for 1995, and overall look so 90's that i personally go "waw" everytime i look at it.
I Powered it up and was so happy to see pixels light up, but a second later, i was greated to this like 8 character alphanumerical password prompt.From there, i thought ok that might be an easy fix, but that's actually not. I looked around and there is close to no informations on this specific problem appart from the dead forum thread that lead to nothing.
To explain why it's a tough issue, i included an image of the manual that explains the bios lock feature of this model (here is a link to the manual online if u want to see it: https://www.elhvb.com/mobokive/edwin/laptops/hp/omnibook/service/OB800_sm.pdf )
As you can see, i will not be able to call HP and ask for the reset of the password, not only cuz it's a model from like 1995 but also cuz i have no paper for it.
I tried looking in the box and pages of the booklets for a potential password, sadly there isnt anything. As to the bios menu, i can access it, but to change the password you need the password (of course -_-) and there is nothing else i could really tough there.
Also tried asking claude, but ofc its useless as ever and spits only infos i already have found or lead me to false leads.
I cannot find the owner, bought it from a guy that had a truck full of stuff he gathered from estate sales etc
-One solution that im looking at is disconnecting the CMOS battery, problem is, there is no "coin" style battery that u would expect, its actually a tantalum capacitor that works in it's place. (Here is a video for visuals, the narrator says there is no cmos battery but just missed that its a capacitor: https://youtu.be/ulYT60wqu5o?t=448 )
So, i could short it, but, huh that's kinda scary no? Especially for a solution that i'm not sure about. The reason i'm saying that is i picked it up in it's retail box, that seemed to have been in a garage for many years, batteries, even the capacitor one, should have run dry. Also i powered it up 2 days ago, bios date was 1jan 1980, unplugged the battery for 12h the next day, powered it up, and the date in bios is again 1jan 1980, that's telling me that the bios ran out of juice and did reset. Would shorting the capacitor (same as removing the cmos battery) have any other effects? I doubt the lock is than easy to defeat tbh considering HP went strong with its security on this model.
-Other solution i've read about is that people have retro engineered the master password feature that HP had for those. So i might be able to find that somewhere. But first, i would have to be able to open the pop up window that show my devide specific key (as described in the manual), its suppose to be ALT SHIFT F10 during password screen, but its not doing anything on mine. Apparently some versions had alternative key combination or methods. I tried a lot of other combination of keys so far to no result.
-The other option is guessing the password (lol), i already tried the usual suspects like admin, 1234, 0000, farts etc etc, any other suggestions? (previous owner was french)
Thank you for your attention, i'm eager to see your ideas to solve this issue!
DazSchplotz@reddit
Maybe you can generate a masterpassword: https://bios-pw.org/
jussuumguy@reddit
Have you tried entering the password as a blank (just hit enter) You would be surprised how many times that has worked for me. Some other usual suspects would be anything written on the Computer itself...Model Numbers, Windows95, omnibook, 800CT, work sucks etc..
Informal_Ad_6718@reddit (OP)
Haha yeah i tried that, and all the stuff that the user could have been looking at, where they might have lived (area codes) and stuff like that. But, i'm probably gonna attempts more of these when i feel the motivation for it.
Very unlikely to find it but its worth trying
bhiga@reddit
If you have the dock and it doesn't reboot or time lock after a certain number of failures you could use an Arduino, RasPi, or USB crash cart or KVM to just brute force it through the PS/2 port or some other way to type at it - specs say there's a USB card but no clue whether it accepts USB keyboard input in the BIOS/boot.
Informal_Ad_6718@reddit (OP)
I thought about that, but without any real knowledge as to how to achieve it, i would have thought that u just cant connect to the keyboard. If you feel that it could work through any port, i might be willing to get a Pi and ask my programmer friend to help me with the brute forcing software part.
Tbh, that would be quite fun to do, more fun that messing with the hardware and soldering etc
bhiga@reddit
Given the vintage of the machine, it'd probably have to be through the PS/2 keyboard port, and I think you need a dock for that, though if you're lucky you can find the pinout and compatible connector to wire to the keyboard port.
Informal_Ad_6718@reddit (OP)
I found the right accesories for the Pi, "DollaTek MAX3232 RS232 Serial Port to TTL Converter Modul DB9 Connector W / 4 Jump Cables" should let me use a keyboard (let me know if im wrong tho, im not the most savy with that stuff)
bhiga@reddit
I'm not very Arduino/Pi savvy either...
DirectionFragrant207@reddit
Did you try to remove the RAM? Sometimes it's all you need to do.
Informal_Ad_6718@reddit (OP)
The 8MB of RAM is made of 4 chips on the board sadly, the only removable ram is the additional ram u can add, but mine doesnt have any https://youtu.be/ulYT60wqu5o?t=489
DirectionFragrant207@reddit
https://bios-pw.org/ Check this! I hope it will do the work for you to reset the password.
Informal_Ad_6718@reddit (OP)
Thanks! i was able to enter my serial and get a code, not sure if thats the right one, i cant try it anyway until i figure out the alternative for ALT SHIFT F10 (wich doesnt work on mine)
Im still looking around and asking in different place, so far no result
DirectionFragrant207@reddit
You're half a way! Get some isopropyl alcohol pull the buttons and clean them good with q-tip and why not a small brush.
Business-Help-7876@reddit
to an economical standpoint, it's cheaper to bruteforce if the password is simple, more expensive to reprogram the bios, or look for a donor motherboard from a broken one.
or you can look into obscure and lost information, it should be possible to reset it or boot in some special mode somehow, only HP knows
Informal_Ad_6718@reddit (OP)
Yeah it seem cheaper than getting a new board for sure.
I've looked quite a lot, so far havnt really found anyone state that they actually did it tho. I'm asking in other forums as of now, will see if i get another lead.
yes i tried booting without battery or HDD, and did leave it 12h with no battery or AC plugged.
Well i must say this goes far beyond my technical knowledge to attempt that sadly, i can see what u mean but would have no clue how to actual proceed forward.
jdx6511@reddit
If you've only tried a handful of the usual passwords, you could try looking up lists of common passwords, you might get lucky before you run out of patience.
If you're willing to consider extreme measures, I'm thinking unsolder the BIOS chip, dump the BIOS, disassemble, patch over the password check, flash revised BIOS, resolder.
Informal_Ad_6718@reddit (OP)
I see, i think i would rather just resell it than attempt something like that, i can desolder big components but not tiny chips, it require some special tools and knowledge i dont have rn
LordJohnVella@reddit
Where in the world do you live? If you're thinking about selling it I might be interested in buying it.
Informal_Ad_6718@reddit (OP)
in the EU, is that far?
LordJohnVella@reddit
I'm in the UK, so I'm guessing it would cost an arm, a leg, and probably a kidney to ship, assuming you decided to sell it, obviously.
Ganjuro@reddit
Back in the day (\~2004), I had to bypass the BIOS on an HP Satellite laptop. The method I came up with at the time was to build a dongle that plugged into the parallel port (as far as I remember) located on the back of the laptop. It consisted of a few wires soldered into the plug that shorted certain connectors. After turning on the laptop with the dongle plugged in, the BIOS was accessible without a password. There may be a similar method for this computer. Hope this helps.
Informal_Ad_6718@reddit (OP)
I do have accesss to the BIOS, its between the step of BIOS startup and booting that the password appears. And technically i wouldnt know what to short really.
From the feedback here it seems that shorting something wont work sadly, as the bios might be smart enought to block a boot if the password was bypassed.
Mysterious_Rule_7487@reddit
Those actually had small bios 'memory chip' for holding it... One way is to flash a new bios from zero... But you need a programmator... In my view not worth saving.... You wont be able to 'soft mod' to reset it...
Informal_Ad_6718@reddit (OP)
That's pretty crazy but understandable if that's the case, its actually good security. But yeah, i dont even know what a programmator really is tbh haha
EIsydeon@reddit
You can get essentially a usb adapter with a clip that clips on to the chip. Assuming it uses spi flash for instance you can clip it in and dump the contents of the data on the chip.
If you search on amazon for a ch341 flasher you would find one. You would want either an 8 or 16 pin clip depending on the size of the chip.
That all depends on if it has it on flash and not the hard drive which was walls a thing done back then. To be honest I really don’t think cutting the capacitor is going to do anything as it likely sat on a shelf a long time. The Xbox clock capacitor for instance would drain in about 8 hours with out wall power. Caps don’t hold power for very long. The only way cutting would help is if leaving the pin it connects to floating makes the chip not able to read the password from a chip or something.
THEtechknight@reddit
Laptops were notorious about security back in this era. That password is hashed and is written into a part of NVRAM storage of the NAND memory, or if youre lucky, it is written into an 8 pin serial EEPROM. Trouble is those BIOSes are smart enough to know that if you try and 00 out the password, or etc it will fail the hash check and force a password prompt anyways requiring the master password.
The only solution to this problem is a nice fresh dump from a working 800CT or a new motherboard.
Informal_Ad_6718@reddit (OP)
I see, in your view its pretty much uncrackable, that's quite unfortunate, do u think the whole drive is protected as well? Cuz what would be the point of such insane security if u can just pop out the drive and read it to access datas? I'm going to dissasemble but im not sure i have the correct device to read it externally and see for myself (i have an win 95 IBM tho).
Another thing that puzzle me is, HP declared that the descrambled software was distributed in 6 copies for their call centers, after 30 years, you would expect that at least one got in the hand of the public.
I've read that descrambling tech like that have been reverse engineered before. I'm thinking of asking there: https://forum.vcfed.org/ and https://www.hpmuseum.org/forum/index.php
Firstly i guess i should find how to access the machine specific scrambled password that ppl used to send to HP, the ALT SHIFT F10 just doesnt work on mine.
Switching the board would be the less painfull path, its just financially painfull tho, people are asking quite a lot of money for these computers and if a board poped up on ebay im sure they would ask 100+ euros
THEtechknight@reddit
Well see, thats the job of the ATA password, which is yet a seperate password. That gets stored into the drive. Really laptops were high theft items so they just didn't want you using the machine if it was stolen essentially. If you still get this password nag without the HDD connected, then yeah its the system password and not the HDD password.
You would think that stuff leaked out, but I have noticed in the "password reset" community, its all heavily gatekept and has been since I was messing with it back then. Im sure its floating around out there but its equally possible that it may not be.
Anywho. You could use a programmer and dump the BIOS, do some reverse engineering/patching to figure out the algorithm.
Informal_Ad_6718@reddit (OP)
I see, i will try that, although it seems to me its a bios password as it's also asking a 8 character password in the bios to reset the password. Im assuming its the same thing but its worth a try nontheless.
Reverse engineering is totally out of my abilities i think, but another user here suggested something interesting, to brute force the password with a RaspberryPi using the PS/2 interface, i'm looking at the hardware i would need for that right now.
But the thing is, its a 8 key alphanumerical password, so it would take litterally 69million years to try every combination at 3 try per second.
A dictionary base attempt is around 5hours tho. what do you think about this idea? Kinda doomed from the start or a possiblity?
THEtechknight@reddit
Thats a thought as long as the BIOS doesnt have the 3-attempt lockout that later BIOSes do.
Informal_Ad_6718@reddit (OP)
It doesnt, i can spam manually with no restriction it seems, so that shouldnt be a barrier.
THEtechknight@reddit
Oh perfect! Looks like you just found your solution. You just have to write a method to detect success from failure. Maybe a camera and OpenCV could help here.
Informal_Ad_6718@reddit (OP)
I was thinking about that! Cuz indeed i want to detect the success if it happens. Was theinking either a camera either or go by "try 1000 attempts and wait for keypress from me for 1000 more", bit tidious but i wouldnt mind too much.
Now that im thinking about it, it emits a sound when the password is wrong, so maybe a microphone, but i think i couldnt do more than 2 attempt a second that way (so sound dont overlap or lag), might be a bit silly lol
THEtechknight@reddit
VGA capture or camera would be better/easier. Train an OpenCV module to pick it up and use it in your loop routine.
Informal_Ad_6718@reddit (OP)
VGA capture, i didnt think about that! After some research, it would be more costly and more complicated than the camera method, so i think the camera wins overall. I like the vga capture idea tho\^\^
Thanks again for helping me, i very much appreciate it!!!
probably_platypus@reddit
This is security through obscurity. I get that you don't have the skills, but it's a tractable problem that can be solved by many. It'd be a fun challenge if you were 10 minutes from me.
Keep us informed on your progress!
Informal_Ad_6718@reddit (OP)
I definitely will! Im looking at the brute force password method with a Pi and some claude AI to help me write a python script. It seems manageable with some learning on my side, and can be a fun project tbh.
If you got any idea not mentionned here yet let me know tho.
Will try other things before that's set up, and will share what i experience. Could be usefull for the next guy.
Yeah it would definitely be great if i could get irl help, well, in any case i'm in France.
Connection-Terrible@reddit
I feel like this is something Adrian Black would be able to get past.
Informal_Ad_6718@reddit (OP)
i googled them and its a ... singer?
Souta95@reddit
Not that one. Look up Adrian's Digital Basement on YouTube.
stuffitystuff@reddit
I can't remember if I "fixed" that one or one of the 300s I have but there's some battery-looking thing on the main board and I just used a pair of wirecutters to flex one of the leads off. Boom, no more password. I suppose I got lucky but whatever.
I absolutely hated the 800CT keyboard...woof, maybe mine was weird but it's so stiff
Informal_Ad_6718@reddit (OP)
Would u mind looking if u still have it? You'r the second person i see talking about cutting a leg on the capacitor. I would consider doing this more if i had a second person confirming it worked.
I like the keyboard, cuz i like stiff ones that click loud, i guess its a matter of tastes \^\^
stuffitystuff@reddit
Nope, I sold the 800CT not long after I got it to someone who was going to use it to write a novel. Good luck though!
lukeh990@reddit
What in the Gravity Falls looking computer is that?
ViktorRzh@reddit
One of so called Palmtops. A bastard of laptop and PDA concepts. Later evolved into netbooks(for thouse who need PC features) and smartphones.
Here you can see a few features like lack of trackpad or niple. Memory, cpu mostly meh. Usualy DOS compatable or has it's own OS. Productivity focus, stuff like this has somewhat of small following for people who like "simpler" devices.
miniscant@reddit
No, that is not a palmtop. It’s considerably bigger - enough to actually type on its keyboard. The size is more in line with UMPC (ultra-mobile PC) or subnotebook class.
bhiga@reddit
I had a 600 - that pop out mouse was surprisingly functional as long as you had the laptop on a flat surface. It was fun for DOS stuff.
Informal_Ad_6718@reddit (OP)
I think its so funny, definitely a talking point
Mysterious_Rule_7487@reddit
Oh, I forgot... Acer and NEC were known to also do that, but HP is 'the worst case', because those new were expensive and usually had really juicy info... therefore such type of password safety
Informal_Ad_6718@reddit (OP)
Actual security it seems yeah, pretty impressive in terms of engineering and general foresightness
Js987@reddit
Unfortunately, as far as I know, the HP descramble call was the only solution, and it’s no longer viable as HP techs no longer have access or awareness of it.
Informal_Ad_6718@reddit (OP)
Companies not bothering about their own history is not surprising but unfortunate
miniscant@reddit
Why not go ask on the HP Forums? There might be somebody who frequents the message boards there with the right history to fix this.
https://www.hpmuseum.org/forum/index.php
Informal_Ad_6718@reddit (OP)
Thanks i'll try to ask there too!
EIsydeon@reddit
Shorting a capacitor like that isn’t scary at all. It isn’t like a capacitor on the fly ack transformer like a monitor.
But if it is holding the password after all these years when presumably the cmos battery would have died that means it is actually written to somewhere the password. Maybe the hard drive? Maybe a tiny bit of flash storage? I haven’t researched that model.
Informal_Ad_6718@reddit (OP)
Hey that's a good reasoning thanks. I'll try to disasemble it in a few days depending on the feedback i get here. But trying to boot it without a drive can be a easy attempt at least. I'll try to see if there is some kind of flash drive, i'm just not the best at identifying components, especially those that dont look like they usually look like, but that's a good idea as well.
Then, i might try to short that capacitor when i find its location, i really dont want to damage the board but that's a fair point, its not a big capacitor at all.