Reported OEM BIOS Hacks


I know many of you are aware of reports of hacks that attempt to exploit our OEM BIOS based activation. We’re aware of this type of hack and I wanted to take a minute to describe how these work and how we plan to respond.

First, what is OEM BIOS based activation?


Here’s a little more information on how OEM BIOS based activation works. This form of product activation is also known as OEM Activation or just OA, which is how Microsoft refers to it and how I will refer to it in this post. Back at the launch of Windows XP when Microsoft introduced Windows Product Activation, we recognized that as easy as end-user activation is, it still represented an extra step. In an effort to reduce the impact of even that extra step but maintain the overall effectiveness of product activation, Microsoft worked with OEMs to develop an implementation that would work best for them and their customers while keeping the goals of product activation clearly in focus. As we looked to develop a solution, it was important to ensure that product activation technology could still deliver an acceptable degree of protection, while at the same time, reduce the need for an extra step by the end user. A couple of key factors stand out as enabling the OA 1.0 solution that was delivered in Windows XP. 


Large OEMs tend to ship large numbers of PCs with Windows preinstalled. They also have the ability during their manufacturing processes to identify systems that will ship with Windows pre-installed.


Also, because of the direct relationship Microsoft has with those OEMs, the company has a higher degree of confidence that a genuine COA will be attached to each PC and that there will be accurate reporting of the number of units shipped preinstalled with Microsoft Windows.


These factors led Microsoft and the major OEMs to place a marker in the BIOS of the OEM’s motherboard to identify OEM systems that were to be pre-installed with licensed copies of Windows XP. This marker, which is added to a specific location in the BIOS of the motherboard, enables a copy of Windows XP to look for that known value in the BIOS of the motherboard and, when found, confirm it was booting on a PC that was sold by a specific OEM and licensed to boot Windows.


Not the first time


Over the years we’ve seen examples of BIOS editors that, with some work, allowed people to make an edited BIOS appear to be an OEM BIOS. In Windows XP this kind of BIOS editing wasn’t as difficult as it is in Windows Vista and frankly, because there were easier ways to pirate Windows XP, I don’t think much attention was ever paid to it. However, because Windows Vista can’t be pirated as easily as Windows XP, it’s possible that the increased pressure will result in more interest in efforts to hack the OEM Activation 2.0 implementation.


Windows Vista’s OEM Hacks


There appear to be two primary variants of OA 2.0 hacks circulating. One is similar to the XP approach I described above where actual editing of the BIOS on the motherboard is done to make the motherboard appear to be from an OEM. It is a pretty labor-intensive process and quite risky. If you mess up editing the BIOS of any motherboard, you can quite easily render it permanently useless. So while this method works today, it’s potentially hazardous and really doesn’t scale well to large numbers of systems, which makes it less of a threat.


The second variant does not change anything in the BIOS itself, but uses a software-based approach to fool the OS into thinking it’s running on OA 2.0-enabled hardware. And while this method is easier to implement for the end user, it’s also easier to detect and respond to than a method that involves directly modifying the BIOS of the motherboard.


I do want to say something here about how we plan our responses. As I’ve said in the past, we focus on hacks that pose threats to our customers, partners and products. It’s worth noting we also prioritize our responses, because not every attempt deserves the same level of response. Our goal isn’t to stop every “mad scientist” that’s on a mission to hack Windows. Our first goal is to disrupt the business model of organized counterfeiters and protect users from becoming unknowing victims. This means focusing on responding to hacks that are scalable and can easily be commercialized, thereby making victims out of well-intentioned customers.



Comments (19)

  1. Tlippy says:

    I have a legit copy of XP Pro, let that be said right now. As a business owner here I need a copy of Vista for practice on how to repair the multitude of problems that are going to occur with my customers’ machines. I however am NOT going to give you $400 for a piece of software which I would be hard pressed to justify the price of $150 for. You priced yourselves out of the market for the average customer. Did you ever consider that people wouldn’t be putting forth the extreme effort to pirate this software if you were not gouging them by the eyeballs? How much money would you make at $50-$100 a pop, hundreds of millions, instead of half a billion? Vista underlies why people pirate your software, you overcharge and under deliver. I’m going to continue to use a BIOS emulated Vista as a testing machine, while sticking with my legit XP as primary, mostly because Vista is inferior to XP currently, and possibly in perpetuity, and I refuse to pay 4X more for an inferior OS. Did you ever think that by simply lowering the price of your OS, instead of constantly trying to counter the piracy aspect, you just might actually increase sales? If you make it hard to copy, but cheap to buy, people will buy it. If you make it $400, well, then you just make piracy more attractive. It’s that simple folks, you can try to come up with all sorts of defenses about why you HAVE to charge this, and piracy is evil plain and simple, but the point is you’re greedy. You’ve priced yourselves out of what the majority of the population is willing to pay, and you’ve made piracy that much more attractive. I’d have paid for an upgrade to Vista Ultimate, but now why bother. Paradox has given you your just deserts, and I hope the public gets fat on that, as opposed to your bank accounts getting fat with the hard earned money of the average consumer.

  2. Cyraq says:

    Alex, will you stop your poorly written defensive/offensive stances on the various Vista cracks out there and realize that it’s been pirated and that there’s nothing you can do about it? I’m using a cracked copy right now (and ever since early February), and I can use Windows update and everything is working perfectly. I have an ISO complete with crack on the internet. All my friends without exception are using a cracked copy.

    What are you going to do about it?

  3. Alex Kochis, a Microsoft Senior Product Manager, Windows Genuine Advantage blogs yesterday regarding

  4. rdamiani says:

    One of the stated goals of WGA is to reduce or eliminate pre-loading by unscrupulous computer manufacturers. The main advantage WGA supposedly offers to end users who have to deal with it is the knowledge that their software is ‘genuine’.

    With that in mind, let’s say that I am an unscrupulous computer vendor. With XP, I could use VLKs and volume media to bypass activation altogether. If I was both kinda dumb (used the same key over and over again) and kinda successful (sold lots of computers) eventually the on-line validation system might flag the key I was using and I’d get busted. If I’m not mistaken, MS has caught a few folks exactly that way, so we’ll call that a win for WGA 1.0.

    Now let’s suppose I’m a slightly smarter, but still unscrupulous, box builder. I used many different VLKs that I got through various means, so even though I was kinda successful, I managed to fly under the radar of on-line verification. It’s kinda nervous-making though. If my supply of VLKs dries up (or my VLK supplier is also unscrupulous and sells me bad or overused keys) or I get careless, on-line verification is gonna catch on and I’ll get busted. We’ll call that mostly a win, because once I get successful and nervous enough, I’m gonna convince myself that I better get legit.

    Now let’s look at WGA 2.0. VLKs aren’t much good to me now, ’cause VLKs also need activation, and they have a limit on the number of activations. If I acquire one and start using it, someone is gonna notice quickly. So what to do? Go legit? Nah. I’ll use OA 2.0. It was a bit too much bother with OA 1.0 ’cause VLKs were easy. With OA 2.0, though, I can mod ACPI tables in bulk as I build systems. I don’t even need to figure out how on my own, ’cause there are on-line toolkits and instructions for it. Since OEMs apparently use the same (small) set of CD Keys over and over again, I don’t have to worry about on-line verification catching one of my customers. Now I’m not nervous anymore, because I don’t need a source of VLKs. Unless my numbers get big enough to rival a ‘name brand’ builder, my little subterfuge is undetectable. Result? We’ll call that a loss for WGA 2.0. It fails to have an effect on one of the main reasons we, as consumers and VARs, have been told that WGA is for our own good.

    The way I see it, MS needs to either stop with the doublespeak about the ‘advantage’ that WGA offers and present it as what it is – software licensing – or it needs to figure out how to put this particular genie back into its bottle. Good luck with that.

  5. war59312 says:

    About time Microsoft has responded to the paradox crack for Windows Vista.

    This crack can easily be made wide scale and it is just as easy to commercialize. I’ve already seen a few aholes trying to sell pre-cracked Vista DVDs.

    So yeah you better do something about this one!

  6. Customer#985 says:

    About time you responded

    So, when will the ban go into effect? Vista needs to ban more methods than just the old token.dat one. Timerstop, etc. all need to be banned in addition to this one.

  7. Teamzille.de says:

    Ways to bypass the activation of Windows Vista have existed for quite some time. Because Microsoft delivers license keys to OEM partners that do not have to be activated, this route allows all

  8. feuvan says:

    So it means that the simulation way to fool OA-2.0 would be broken one day?

    And it’s interesting to call them "mad scientist".

  9. Thursday is now officially Delay Day. Both Apple and Microsoft took their lumps for delaying products
  11. MadDoggyca says:

    Just give up… I don’t want to sound negative but face it. The only reason why Windows owns the desktop market is because most users do in fact use a hacked version… I’d be more focused on price competing with Apple OS X at $104 USD.

    The only reason why OS X never gets hack attacks is because an avg user will pay out $104 USD every 2 years, and they have no nagging activation BS…

    Now that I sound like an Apple fanboy, I in fact do not own a Mac and I bought the $499 Ultimate edition as I can not stand being gypped out of features that a user should not have to pay for… and I don’t have the time to fiddle with hacks and rehacks every time they come out with patches…

    But honestly give up… drop Ultimate Edition to around $150… drop all other versions altogether… and start regaining people’s respect… in the end the most revenue from Windows comes from corporations anyways and OEM sales…

    Home users could probably care less about upgrading anyways. If it isn’t broken don’t fix it… and if Steve gets smart and releases OS X for x86/x64 hardware, Windows will be given a run for its money…

    My 2 cents.

  12. A crack that bypasses the Windows Vista activation process has been circulating on the Internet for some time. The effectiveness of the crack has been acknowledged by Alex Kochis, Senior Product Manager at Microsoft, who has admitted the existence of a flaw

  13. In response to widespread chatter on blogs and forums, Microsoft has acknowledged the presence of hacks

  15. Product manager Alex Kochis, on the Windows Genuine Advantage blog pages, regarding the hack that was carried out

  16. 13BIT.com.ar says:

    With SP1, Microsoft plans to ditch the Vista kill switch

  17. peace101 says:

    Hi, I’ve been fighting this worm since Aug/Sep of 2008.

    It’s the most advanced worm I’ve seen.

    Undetectable, breaks through any security I put up so far, erases tracks of itself and the hacker that logs on as remote anonymous user.

    Someone has intent behind this one.

    No matter what I do, I for the first time have no control over my computers.

    After low-level formatting my drives and finding Linux and Windows PE, and 17 other partitions, when I try to install the new restore disk I just purchased, I get the same results. It seems everything is still intercepted and replaced. The only thing I haven’t done yet, because I don’t know how, is to check the BIOS and firmware for the hardware.

    Can anyone guide me in the right direction?

    This hacker uses my machines to break into a lot of others. I believe it uses a virtual computer in locked memory loaded from the first master boot record in sector zero. But even when I wipe it clean, I find it’s very dug in.

    I believe it uses PING methods to spread to others. It’s mostly infecting phone companies, internet companies and cable companies.

    The hackers finally made mistakes and I reported them, and one is in a lawsuit for cybercrimes. But for now, I can’t get to the worm because it has to be in the firmware or BIOS, and spreading through DNS servers.

    This has to be the Apr 1st worm and they made the mistake on March 31st and I talked to the hackers. The way it’s written seems like it’s from the FBI, but I learned later it’s not, but they are on the case…

    How can I check the BIOS and the firmware storage area, and if possible, I may need also to get into my hubs and routers and don’t know how. The hacker seems to use telnet…

    Thanks in advance.