Bypassing Acer Security
Today I came across an Acer PC (M1610) at work that needed to be restored to the manufacturer’s settings. Acer ship their desktop systems with part of the hard drive hidden in a recovery partition that can range in size from 6 Gb to 20 Gb depending on the specific PC model. The problem was that the customer who owned the PC had set a password on the recovery interface and had promptly forgotten it. I had a chat with Acer, who were naturally very happy to take the PC and charge the customer to reformat and re-image the entire drive. Unfortunately, I spoke with a rather arrogant technician at Acer who claimed there was no way to get around this password; those that know me will know this is like mixing firecrackers with a kid with matches. I decided to fix the issue myself.
What you will need:
2 – About ten minutes.
Recovery tools are glorified, branded imaging/cloning tools (like Ghost or Acronis True Image). They have three main components: the program binaries (i.e. the GUI/UI and the low-level formatting/writing tools), the configuration files, and the backed-up/imaged data itself inside an image file. This image file can be one large multi-gigabyte file or lots of smaller chunks, and it contains not only all the files and folders but also the NTFS file system tables, bootloader and MBR information. This means the entire image can be written onto a hard disk (or hard disk partition) and, after a reboot, the user is presented with a fully functional system. It's for this simplicity that companies like Acer do their recovery in this manner.
I booted using a WinPE XP CD (but you can use anything mentioned above) and took a look at the partitions on the hard drive, finding the following:
C: NTFS 69.5Gb (Formatted total)
D: NTFS (although reported as unformatted) 69.8Gb (Formatted total)
Hidden (Not mounted by default) NTFS 9.8Gb (Formatted total)
4Gb Unallocated space. (Wasted)
I mounted the hidden partition and eventually, after some trial and error, found the file containing the password and password hint details. This was the file called “aimdrs.dat” (found in the root of the recovery partition). It could be opened in Notepad (although I used, and would recommend, a good hex editor) and showed a very simple file layout as shown below:
Where “12345” is the password, encapsulated between the equals and two full stops. “abcd efgh” was the hint. This was literally the entire file.
Changing either of these simple strings is very easy, and after a reboot into the recovery software (via [Alt] and [F10] during BIOS POST) you will once again be able to access the recovery software. I would recommend you do not change anything else in this hidden partition unless you know exactly what you are doing.
I hope this helps someone stuck in a similar position; the approach is likely applicable to many more systems than just Acer PCs.