Skip to main content

Hacking the Toshiba T4800CT (a love story)

With St. Valentine's Day on the way, here's a little story about love (and technology).

Back in 1995 I needed a laptop for my girlfriend. She was thousands of miles away in Europe and I was in California and the phone bills (and the shenanigans with messing around inside international phone switches) were getting too much. I knew that we'd be able to communicate cheaply if I paid for a CompuServe account in the US and gave her a machine that had a PCMCIA 14.4Kbps modem in it. She'd be able to dial a local call and send and receive email from me in California.

Only trouble was, I didn't have enough money to buy her a laptop. So I kept searching around for deals and happened upon a Toshiba T4800CT in The Good Guys! in San Jose, CA. It was an older model and being sold off for a reasonable price. And it was a suitable machine.

So, I decided to buy it. But I couldn't because the machine was locked. There was some software that locked down Windows completely and required a password that they'd forgotten. You could play around with the installed software (more on that later) but not access anything else.

No access to File Manager, no way to get a COMMAND.COM prompt, just a bunch of productivity apps and demos. No way to run a program that wasn't in Program Manager already. And AOL, of course.

Everything was locked down.

The salesperson went away to find the password while I messed around with the machine. In doing so, I found a way in that would enable me to delete the SYS file that was used to implement the locking of the machine. I tried it out while no one was looking.

The salesperson came back to tell me that no one knew the password. So, I said: "If I can break into this machine right now, will you give me another $250 off?". He looked amused and said "Sure". With $250 off I could really afford the machine and that $250 would go on my next plane ticket to see my girlfriend.

So, I said "OK. Watch this." And I just stood there. About two minutes later a COMMAND.COM shell popped up on screen from nowhere. I quickly changed to C:\WINDOWS and deleted the offending .SYS file, and removed a reference to it from CONFIG.SYS using Notepad. I rebooted the machine and crossed my fingers.

The machine booted cleanly, didn't ask for any password and Windows started. The salesperson was good enough to honour the $250 offer. He walked with me to the sales desk to tell the story of what he'd just seen.

Of course, now you want to know how I made COMMAND.COM appear by magic.

The machine had a copy of Lotus Organizer on it. Organizer is a 'Filofax' type program that includes a calendar. The calendar allows you to set appointments. The appointments have various options related to what to do when it's time for the appointment (e.g. pop up a message, play a sound).

Image courtesy of BM Software

One of the options buried deep in the program was "Run a program" and it allowed selection of the program using the Open File Common Dialog Box which was not locked down at all.

All I'd done was set an appointment for about five minutes in the future (IIRC the granularity was something like 5 minutes) that ran COMMAND.COM.

PS We married a few years later after many exchanged emails.

Comments

dangerous said…
There was a very similar loophole in early versions of Word's help system. You would navigate to the help topic on command line and there was link that fired up a prompt. We used it at school to load up doom. The sys admin could never figure it out.

Popular posts from this blog

Your last name contains invalid characters

My last name is "Graham-Cumming". But here's a typical form response when I enter it:


Does the web site have any idea how rude it is to claim that my last name contains invalid characters? Clearly not. What they actually meant is: our web site will not accept that hyphen in your last name. But do they say that? No, of course not. They decide to shove in my face the claim that there's something wrong with my name.

There's nothing wrong with my name, just as there's nothing wrong with someone whose first name is Jean-Marie, or someone whose last name is O'Reilly.

What is wrong is that way this is being handled. If the system can't cope with non-letters and spaces it needs to say that. How about the following error message:

Our system is unable to process last names that contain non-letters, please replace them with spaces.

Don't blame me for having a last name that your system doesn't like, whose fault is that? Saying "Your last name …

All the symmetrical watch faces (and code to generate them)

If you ever look at pictures of clocks and watches in advertising they are set to roughly 10:10 which is meant to be the most attractive (smiling!) position for the hands. They are actually set to 10:09.14 if the hands are truly symmetrical. CC BY 2.0image by Shinji
I wanted to know what all the possible symmetrical watch faces are and so I wrote some code using Processing. Here's the output (there's one watch face missing, 00:00 or 12:00, because it's very boring):



The key to writing this is to figure out the relationship between the hour and minute hands when the watch face is symmetrical. In an hour the minute hand moves through 360° and the hour hand moves through 30° (12 hours are shown on the watch face and 360/12 = 30).
The core loop inside the program is this:   for (int h = 0; h <= 12; h++) {
    float m = (360-30*float(h))*2/13;
    int s = round(60*(m-floor(m)));
    int col = h%6;
    int row = floor(h/6);
    draw_clock((r+f)*(2*col+1), (r+f)*(row*2+1), r, h, floor(m…

Importing an existing SSL key/certificate pair into a Java keystore

I'm writing this blog post in case anyone else has to Google that. In Java 6 keytool has been improved so that it now becomes possible to import an existing key and certificate (say one you generated outside of the Java world) into a keystore.

You need: Java 6 and openssl.

1. Suppose you have a certificate and key in PEM format. The key is named host.key and the certificate host.crt.

2. The first step is to convert them into a single PKCS12 file using the command: openssl pkcs12 -export -in host.crt -inkey host.key > host.p12. You will be asked for various passwords (the password to access the key (if set) and then the password for the PKCS12 file being created).

3. Then import the PKCS12 file into a keystore using the command: keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks -srcstoretype pkcs12. You now have a keystore named host.jks containing the certificate/key you need.

For the sake of completeness here's the output of a full session I performe…