Already reported this in IRC, but was asked to send it to the mailing list:
I managed to flash a password protected BIOS on an HP TC4400 without actually knowing the password, resulting in a complete erase of the whole Eeprom, including its password and all system related information (serial number, model, etc.).
The vendor tools both for DOS (rompaq) and Windows (hpqflash) won't let me do it without having to enter the password, thus I gave flashrom a try. Here's what I did (not a very elegant approach, though it worked):
1. Get Ubuntu onto USB the usual way (see System --> System management --> Create
2. Create a FreeDOS floppy disk with peritools on it. Here's one containing it: http://stashbox.org/665101/DIYVDock-conf.RAR
3. Boot into Ubuntu
4. sudo setpci -s 0:1f.0 f0
5. sudo setpci -s 0:1f.0 f1
6. sudo setpci -s 0:1f.0 f2
7. sudo setpci -s 0:1f.0 f3
8. f3+f2+f1+f0 = Offset for RBCA, e.g. 0xFED90001
9. Feature flags are at RBCA+0x3418, e.g. 0xFED93418
10. Boot from floppy
11. pt MEM read 4 RBCAOffset, e.g.: pt MEM read 4 0xFED93418
12. Sample Output: 0x003400E9
13. Bit 4 from right is for SMBus --> Change to 0x003400E1:
14. pt MEM write 4 0xFED93418 0x003400E1
15. Chainload Ubuntu from FreeDOS:
16. edit A:\grub.cfg
17. add line: title Ubuntu USB
18. add line: root (hd0,0)
19. add line: kernel /casper/vmlinuz noprompt cdrom-detect/try-usb=true persistent file=/cdrom/preseed/ubuntu.seed boot=casper quiet
20. add line: initrd /casper/initrd.lz
21. start grub: grub --config-file=grubmenu.cfg
22. Boot Ubuntu by selecting it from the menu
23. sudo apt-get install subversion
24. sudo apt-get install pcilib-dev
25. Build flashrom from svn, instructions: http://www.flashrom.org/Downloads
26. flashrom -w rom.bin -V
Explanations for all steps:
1: Designated for running flashrom
2: Used with a certain software (peritool) to change some contents in memory before chainbooting Ubuntu
3-14: Enable the SMBus controller. Usually, the Embedded Controller disables it, preventing certain SPI communication. In detail:
  3-9: Determine offset for the Function Disable Register
  10-14: Read out the current register value and change the Bit 3 to 0 (means SMBus enabled)
15-22: Chainload Ubuntu
23-25: Build current flashrom trunk
26: Flash the BIOS
For background information and an alternative, floppyless method regarding 3-14, see here: http://forum.notebookreview.com/showpost.php?p=5479271&postcount=283
The most interesting part was that flashrom v0.9.1-r706 didn't do the job. It's the version which installs via apt-get install flashrom. Only the trunk version was able to do it. It failed on the first try, however it used a different function to erase the Eeprom, and then was able to write it.
It looks like the Embedded Controller is doing its job to block the usual erase function, but not the second one. That's a pretty ugly flaw. Maybe 3-14 weren't necessary at all, however I wanted to make sure there's no missing part for SPI communication. Maybe someone could verify this with another laptop.
I've attached verbose output from both flashrom versions.