Home > How To, Linux, PC, Random, Windows > Bypassing Acer Security

Bypassing Acer Security

Today I came across an ACER PC (M1610) at work that needed restored back to the manufacturer’s settings. Acer ship their desktop systems with part of the hard drive hidden in a recovery partition that can range in size from 6 Gb to 20 Gb depending on the specific PC model. The problem was the customer who owned the PC had set a password on the recovery interface and had promptly forgotten it. I had a chat with Acer who were naturally very happy to take the PC and charge the customer to reformat and re-image the entire drive. Unfortunately I spoke with a rather arrogant technician at Acer who claimed there was no way to get around this password, those that know me will know this is like mixing firecrackers with a kid with matches. I decided to fix the issue myself.

What you will need:

1 – A bootable CD with some live or preinstalled environment (e.g. WinPE/BartPE CD or any Linux live CD with NTFS 3G although I would recommend the former given the flakiness of Linux NTFS drivers.)

2 – About ten minutes.

Recovery tools are glorified branded imaging/cloning tools (like Ghost or Acronis True Image.) They have three main components, the program binaries (i.e. the GUI/UI and low level formatting/writing tools), the configuration files and the backed up / imaged data itself inside an image file. This image file can be one large multi gigabyte file or lots of smaller chunks and it contains not only all the files and folders, but NTFS file table system/ bootloader and MBR information. This means the entire image can be written onto a hard disk (or hard disk partition) and after reboot, the user could be presented with a fully functional system. Its for this simplicity that companies like Acer do their recovery in this manner.

I booted using a WinPE XP cd (but you can use anything mentioned above) and took a look at the partitions on the hard drive finding the following:

C: NTFS 69.5Gb (Formatted total)

D: NTFS (although reported as unformatted) 69.8Gb (Formatted total)

Hidden (Not mounted by default) NTFS 9.8Gb (Formatted total)

4Gb Unallocated space. (Wasted)

I mounted the hidden partition and eventually after some trial and error, found the file containing the password and password hint details. This was the file called “aimdrs.dat” (found on the root of the recovery partition) and could be opened in notepad (although I used and would recommend a good hex editor) and showed a very simple file layout as shown below:

[MyData]..PD=12345..HT=abcd efgh..

Where “12345” is the password, encapsulated between the equals and two full stops. “abcd efgh” was the hint. This was literally the entire file.

Changing either of these simple strings is very easy and after a reboot into the recovery software (via [Alt] and [F10] during BIOS POST) you will once again be able to access the recovery software. I would recommend you do not change anything else in this hidden partition unless you know exactly what you are doing.
I hope this helps someone stuck in a similar position and is likely applicable to many more systems than just Acer PCs.

  1. Stephanie
    April 26, 2008 at 4:11 pm

    Is this the password for the ghost files or for the erecovery? I’m trying to recover from ghost files directly, as erecovery offers an option to recover from hdd when in windows, but as soon as it reboots to msdos, it does not allow me to select that option.
    The only way to recover is directly from ghost files… Any ideas?

  2. April 26, 2008 at 6:02 pm

    The password is for the recovery manager. I have not tried opening the image files, although I doubt they would contain their own password. The image is not in the ghost format, you could try hexediting the first chunk of the image file to find a media descriptor and cross reference that against known imaging tools. Post the first few bytes of the hex on here and I will see if I can do some digging.

  3. Stephanie
    April 26, 2008 at 6:59 pm

    Thanks, mate, I found how to make the erecovery work.

    The image files seem to have some kind of protection though. If i open them with ghost explorer, it requests a password.

    I did find aimdrs.dat and it did contain erecovery password πŸ™‚


  4. April 26, 2008 at 9:22 pm

    Interesting, I didn’t think Ghost Explorer would open them. Was the recovery software password the same as the image password?

    If not, try 000000 or 00000 as those are the default Acer passwords.

  5. Stephanie
    April 26, 2008 at 9:37 pm

    No, I could not open the recovery files at all, they seem to have a different password.

  6. April 26, 2008 at 9:44 pm

    Either that or they are a proprietary image format. Let me do some digging…

    EDIT: It appears that Acer did use vanilla Ghost images although most recent article I found was a couple of years old. Lots of pages about the recovery process, almost none on the technology behind it. Unless they are using a proprietary system, it will just be a rebranded version of either Ghost or TrueImage. If you post a hex dump of the header of the first image file I can look into it further.

  7. Gondil
    June 8, 2008 at 11:20 am

    Hi! If you are still searching for the password, I found it on the system cd (labeled Disk 1, the bootable one). There is a RECOVERY.EXE file in the root folder, which contains the password for the .HDD file.
    Just open the .exe in notepad and search for “PWD”, then you’ll see PWD=XXXXXX. When you copy the .HDD + all the .GHS files of the 3 CD’s in one folder, Ghost Explorer has no problem with reading the image.

    Good luck!

  8. J-Jay
    July 5, 2008 at 3:30 am

    Hi Whyamistilltyping,

    What is meant by ‘mounting’ a hidden partition/PQService. I intend to boot from a Live Ubuntu CD.

    Thanks for the time.


  9. July 9, 2008 at 9:32 pm

    Well, your post makes sense except for one detail. You can’t boot from a cd when the hdd password is set. EVen changing boot order in bios gets you nowhere. I’ve tried hirams boot. Winternals, etc. And the zeros don’t work

  10. July 10, 2008 at 12:01 am

    There is no reason that I am aware of that would stop you being able to boot from a CD even with a ‘hdd password’. Unless you mean user access BIOS password which would preclude any booting from taking place. Luckily you can just reset the CMOS by removing the battery. I am away ACER have changed their default password – I will find out what it is and post it here. πŸ™‚

  11. Diaa Sami
    January 21, 2009 at 12:28 am

    Thanks Gondil a lot for the PWD=XXXXX tip, my password was ‘aim1r8’, without the quotes of course, found it in CD2D.exe, I used AgentRansack to find it, Don’t know what the hell it means but it works πŸ™‚

  12. Dan Wilkinson
    January 28, 2009 at 10:40 pm

    Diaa Sami – You just did me such a huge favour! My mother had her laptop stolen, she has no idea what model number it was, and the original disks and documentation are long since gone. The drive had all her photos on it, and for some reason about 6 months ago I ran a backup using the built in eRecovery software onto a spare drive. OK, it’s not totally up to date, but it means she has only lost 6 months of data, not 5 years….

    As I only had the ghost image to go by, I was stumped, but then I found your post. Thanks so much for actually putting the password up there, not just saying “I got it!”…

  13. AJ
    February 28, 2009 at 3:19 pm

    post 7 off Gondil is the right solution for de Ghost password. The image file from the PQservice partition is used with D2D.exe. So you can find PWD in here

  14. Jeoff
    March 18, 2009 at 1:43 pm

    Thanks Gondil, but also Diaa Sami!
    The Ghost password on my Acer recovery disks was also aim1r8 !

  15. Btech
    May 10, 2009 at 1:34 pm

    Thanks everyone,

    The Ghost password on all Acer recovery disks in my shop inventory is aim1r8

    Beaver Lake Tech Group

  16. WoodMouze
    May 17, 2009 at 6:37 pm

    Hi, I stumbled on this webpage, thought to let you know, that my ACER disks also have “aim1r8” as password on the images.
    I can’t restore the normal way, found a true ghost explorer, and am using Legacy Ghost Images to restore my laptop.

    So far, it seems to be working just great ! I presume my dvd/cdrom is broken for large transfers somehow.

  17. MorbiouS
    September 14, 2009 at 10:35 pm

    I found all this very helpfull but i think vigulanti was right the hdd password always pops up and if incorrect pwd is enterd then all reads/writes are stopped but then you can boot of cd…ect but then hdd is locked out ie no reads/writes so….

    How did you get around this have removed CMOS pwd’s and am ready to get to work on hdd…

    any and all help will be very much aprechiated

  18. John
    December 16, 2009 at 7:22 pm

    I have an old Acer Travelmate 220, the ghost image password for it is “ACERMSU”

    • Rick
      April 7, 2011 at 9:11 pm

      Thank you very much John!
      With this i resolve my problem with an Acer Travelmate 740.

  19. wong
    April 12, 2010 at 8:43 am

    I was recovering my notebook when the recovery failed. This left the notebook unbootable. My WinPE hangs so I tried other ways and here is one which did work. no password needed.

    1. boot the first backup DVD.
    2. when the DVD stops reading press enter.
    3. wait about a minute and press enter again.
    4. the restore shld start. insert other DVDs when the drive ejects.
    5. when the last DVD is done power OFF/ON.

    note: during the recovery the screen is blank.

  20. brave wolf
    November 24, 2010 at 8:08 pm

    ah yo so simple just use windows 7 disk boot up or anything to boot when you access the drive with the aimdrs.dat just delete it why bother go editing it for password it will just jump check password step when that is deleted.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: