Friday, February 04, 2011

Hacking the Toshiba T4800CT (a love story)

With St. Valentine's Day on the way, here's a little story about love (and technology).

Back in 1995 I needed a laptop for my girlfriend. She was thousands of miles away in Europe and I was in California and the phone bills (and the shenanigans with messing around inside international phone switches) were getting too much. I knew that we'd be able to communicate cheaply if I paid for a CompuServe account in the US and gave her a machine that had a PCMCIA 14.4Kbps modem in it. She'd be able to dial a local call and send and receive email from me in California.

Only trouble was, I didn't have enough money to buy her a laptop. So I kept searching around for deals and happened upon a Toshiba T4800CT in The Good Guys! in San Jose, CA. It was an older model and being sold off for a reasonable price. And it was a suitable machine.

So, I decided to buy it. But I couldn't because the machine was locked. There was some software that locked down Windows completely and required a password that they'd forgotten. You could play around with the installed software (more on that later) but not access anything else.

No access to File Manager, no way to get a COMMAND.COM prompt, just a bunch of productivity apps and demos. No way to run a program that wasn't in Program Manager already. And AOL, of course.

Everything was locked down.

The salesperson went away to find the password while I messed around with the machine. In doing so, I found a way in that would enable me to delete the SYS file that was used to implement the locking of the machine. I tried it out while no one was looking.

The salesperson came back to tell me that no one knew the password. So, I said: "If I can break into this machine right now, will you give me another $250 off?". He looked amused and said "Sure". With $250 off I could really afford the machine and that $250 would go on my next plane ticket to see my girlfriend.

So, I said "OK. Watch this." And I just stood there. About two minutes later a COMMAND.COM shell popped up on screen from nowhere. I quickly changed to C:\WINDOWS and deleted the offending .SYS file, and removed a reference to it from CONFIG.SYS using Notepad. I rebooted the machine and crossed my fingers.

The machine booted cleanly, didn't ask for any password and Windows started. The salesperson was good enough to honour the $250 offer. He walked with me to the sales desk to tell the story of what he'd just seen.

Of course, now you want to know how I made COMMAND.COM appear by magic.

The machine had a copy of Lotus Organizer on it. Organizer is a 'Filofax' type program that includes a calendar. The calendar allows you to set appointments. The appointments have various options related to what to do when it's time for the appointment (e.g. pop up a message, play a sound).

Image courtesy of BM Software

One of the options buried deep in the program was "Run a program" and it allowed selection of the program using the Open File Common Dialog Box which was not locked down at all.

All I'd done was set an appointment for about five minutes in the future (IIRC the granularity was something like 5 minutes) that ran COMMAND.COM.

PS We married a few years later after many exchanged emails.

1 comment:

dangerous said...

There was a very similar loophole in early versions of Word's help system. You would navigate to the help topic on command line and there was link that fired up a prompt. We used it at school to load up doom. The sys admin could never figure it out.