Why am I still typing?’s Weblog

Warning, may or may not contain nuts….

Bypassing Acer Security

Posted by whyamistilltyping on April 16, 2008

Today I came across an ACER PC (M1610) at work that needed to be restored to the manufacturer’s settings. Acer ship their desktop systems with part of the hard drive hidden in a recovery partition that can range in size from 6 Gb to 20 Gb depending on the specific PC model. The problem was that the customer who owned the PC had set a password on the recovery interface and had promptly forgotten it. I had a chat with Acer, who were naturally very happy to take the PC and charge the customer to reformat and re-image the entire drive. Unfortunately I spoke with a rather arrogant technician at Acer who claimed there was no way to get around this password; those who know me will know this is like mixing firecrackers with a kid with matches. I decided to fix the issue myself.

What you will need:

1 - A bootable CD with some live or preinstalled environment (e.g. a WinPE/BartPE CD or any Linux live CD with NTFS-3G, although I would recommend the former given the flakiness of Linux NTFS drivers).

2 - About ten minutes.

Recovery tools are glorified, branded imaging/cloning tools (like Ghost or Acronis True Image). They have three main components: the program binaries (i.e. the GUI/UI and low-level formatting/writing tools), the configuration files, and the backed-up/imaged data itself inside an image file. This image file can be one large multi-gigabyte file or lots of smaller chunks, and it contains not only all the files and folders but also the NTFS file table, bootloader and MBR information. This means the entire image can be written onto a hard disk (or hard disk partition) and, after a reboot, the user is presented with a fully functional system. It is for this simplicity that companies like Acer do their recovery in this manner.

I booted using a WinPE XP CD (but you can use anything mentioned above) and took a look at the partitions on the hard drive, finding the following:

C: NTFS 69.5Gb (Formatted total)

D: NTFS (although reported as unformatted) 69.8Gb (Formatted total)

Hidden (Not mounted by default) NTFS 9.8Gb (Formatted total)

4Gb Unallocated space. (Wasted)

I mounted the hidden partition and, after some trial and error, found the file containing the password and password hint details. This was the file called “aimdrs.dat” (found in the root of the recovery partition). It could be opened in Notepad (although I used, and would recommend, a good hex editor) and showed the very simple file layout below:

[MyData]..PD=12345..HT=abcd efgh..

Where “12345” is the password, encapsulated between the equals sign and the two full stops, and “abcd efgh” is the hint. This was literally the entire file.
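The layout above can be checked mechanically. The following is an added example, not code from the original post or from Acer: a small audit that parses the file and reports plaintext password storage without echoing the value. It assumes the “..” pairs are CR LF line endings as rendered by a hex editor, and the function names are hypothetical.

```python
# Added example: audit an INI-style recovery config for a plaintext password.
# Assumption: the ".." pairs in the post are CR LF bytes as a hex editor shows them.
import re

# Constructed sample matching the layout quoted in the post.
SAMPLE = b"[MyData]\r\nPD=12345\r\nHT=abcd efgh\r\n"

# Default values mentioned in the comments on this page.
KNOWN_DEFAULTS = {"000000", "00000"}


def parse_recovery_config(raw: bytes) -> dict:
    """Return {section: {key: value}} for a minimal INI-like file."""
    sections, current = {}, None
    for line in re.split(rb"\r\n|\n|\r", raw):
        text = line.decode("ascii", errors="replace").strip()
        if not text:
            continue
        if text.startswith("[") and text.endswith("]"):
            current = sections.setdefault(text[1:-1], {})
        elif "=" in text and current is not None:
            key, _, value = text.partition("=")
            current[key.strip()] = value  # inner spaces are preserved
    return sections


def audit(raw: bytes) -> list:
    """Report credential-storage weaknesses without echoing the secret."""
    findings = []
    data = parse_recovery_config(raw).get("MyData", {})
    secret = data.get("PD")
    if secret is None:
        return findings
    if secret == "":
        findings.append("PD field is empty: no password set")
        return findings
    findings.append(f"PD stored in plaintext ({len(secret)} chars, value redacted)")
    if secret in KNOWN_DEFAULTS:
        findings.append("PD matches a vendor default password")
    hint = data.get("HT", "")
    if hint and secret.lower() in hint.lower():
        findings.append("HT hint contains the password itself")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any finding from this check means the recovery password protects nothing against someone who can boot other media and read the partition; the real control is restricting boot order and physical access.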

Changing either of these simple strings is very easy and after a reboot into the recovery software (via [Alt] and [F10] during BIOS POST) you will once again be able to access the recovery software. I would recommend you do not change anything else in this hidden partition unless you know exactly what you are doing.
I hope this helps someone stuck in a similar position and is likely applicable to many more systems than just Acer PCs.

10 Responses to “Bypassing Acer Security”

  1. Stephanie Says:

    Is this the password for the ghost files or for the erecovery? I’m trying to recover from ghost files directly, as erecovery offers an option to recover from hdd when in windows, but as soon as it reboots to msdos, it does not allow me to select that option.
    The only way to recover is directly from ghost files… Any ideas?

  2. whyamistilltyping Says:

    The password is for the recovery manager. I have not tried opening the image files, although I doubt they would contain their own password. The image is not in the ghost format, you could try hexediting the first chunk of the image file to find a media descriptor and cross reference that against known imaging tools. Post the first few bytes of the hex on here and I will see if I can do some digging.

  3. Stephanie Says:

    Thanks, mate, I found how to make the erecovery work.

    The image files seem to have some kind of protection though. If I open them with ghost explorer, it requests a password.

    I did find aimdrs.dat and it did contain erecovery password :)

    Cheers!

  4. whyamistilltyping Says:

    Interesting, I didn’t think Ghost Explorer would open them. Was the recovery software password the same as the image password?

    If not, try 000000 or 00000 as those are the default Acer passwords.

  5. Stephanie Says:

    No, I could not open the recovery files at all, they seem to have a different password.

  6. whyamistilltyping Says:

    Either that or they are a proprietary image format. Let me do some digging…

    EDIT: It appears that Acer did use vanilla Ghost images, although the most recent article I found was a couple of years old. Lots of pages about the recovery process, almost none on the technology behind it. Unless they are using a proprietary system, it will just be a rebranded version of either Ghost or TrueImage. If you post a hex dump of the header of the first image file I can look into it further.

  7. Gondil Says:

    Hi! If you are still searching for the password, I found it on the system cd (labeled Disk 1, the bootable one). There is a RECOVERY.EXE file in the root folder, which contains the password for the .HDD file.
    Just open the .exe in notepad and search for “PWD”, then you’ll see PWD=XXXXXX. When you copy the .HDD + all the .GHS files of the 3 CD’s in one folder, Ghost Explorer has no problem with reading the image.

    Good luck!

  8. J-Jay Says:

    Hi Whyamistilltyping,

    What is meant by ‘mounting’ a hidden partition/PQService. I intend to boot from a Live Ubuntu CD.

    Thanks for the time.

    J-Jay

  9. Vigilante Says:

    Well, your post makes sense except for one detail. You can’t boot from a cd when the hdd password is set. Even changing boot order in bios gets you nowhere. I’ve tried hirams boot, Winternals, etc. And the zeros don’t work.

  10. whyamistilltyping Says:

    There is no reason that I am aware of that would stop you being able to boot from a CD even with a ‘hdd password’. Unless you mean user access BIOS password which would preclude any booting from taking place. Luckily you can just reset the CMOS by removing the battery. I am aware ACER have changed their default password - I will find out what it is and post it here. :)
