Cracking BIOS Password
Posted on 2002-02-11 07:55:00
This article is for educational purposes only. The author is not responsible for any damage this information could cause. These methods are therefore not recommended for inexperienced users! YOU HAVE BEEN WARNED.
Note
This article is based on my published article "BACKUP, RESET DAN RESTORE CMOS", published in "Majalah Ilmiah Informatika" (STIMIK AKI Semarang, April - June 1999, Vol. I/2/1999). Some material is taken from the Elf Qrin website.
Resetting CMOS
There are many ways to reset your CMOS password; I will explain them one by one.
- Wait until the battery is empty
This is a very conventional method: you don't do anything, you just wait and wait until your CMOS battery is empty. Once the battery is empty, all CMOS settings are restored to their defaults, including the password. Unfortunately, you can't estimate the battery life, because it depends on the charge left in the battery. If it is almost empty, you're very lucky. But what if your battery is long-lived? Then it's better to throw your motherboard in the trash and replace it with a new one! (Hey, just kidding.)
- Using the manufacturer's password
You can bypass the password by using the manufacturer's backdoor password.
AWARD BIOS
AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HLT, KDD, ZBAAACA, ZAAADA, ZJAAADC, djonet
AMI BIOS
AMI, A.M.I., AMI SW, AMI_SW, BIOS, PASSWORD, HEWITT RAND, Oder
Other passwords you may try (for AMI/AWARD or other BIOSes)
LKWPETER, lkwpeter, BIOSTAR, biostar, BIOSSTAR, biosstar, ALFAROME, Syxz, Wodj
These codes are not guaranteed to work; if one fails, try them one by one.
- Using jumpers
This method consists of plugging, unplugging or switching a jumper on the motherboard. This jumper is not always located near the BIOS; it could be anywhere on the motherboard. To find the correct jumper you should read the motherboard's manual. Once you've located the correct jumper, switch it (or plug or unplug it, depending on what the manual says) while the computer is turned OFF. Wait a couple of seconds, then put the jumper back in its original position. On some motherboards the computer may turn itself on automatically after the BIOS is reset. In this case, turn it off, put the jumper back in its original position, then turn it on again. Other motherboards require you to turn the computer on for a few seconds to reset the BIOS. If you don't have the motherboard's manual, you'll have to "bruteforce" it by trying out all the jumpers. In this case, try first the isolated ones (not in a group), the ones near the BIOS, and the ones you can switch (as explained before). If all of them fail, try all the others. However, you must modify the state of only one jumper per attempt, otherwise you could damage the motherboard (since you don't know what the jumper you modified is actually meant for). If the password request screen still appears, try another one. If after resetting the BIOS the computer won't boot when you turn it on, turn it off and wait some seconds before retrying.
- Removing the battery
If you can't find the jumper to reset the BIOS, or no such jumper exists, you can remove the battery that keeps the BIOS memory alive. It's a button-size battery somewhere on the motherboard (on older computers the battery could be a small, typically blue, cylinder soldered to the motherboard, but it usually has a jumper on its side to disconnect it; otherwise you'll have to unsolder it and then solder it back). Take it out for 15-30 minutes or more, then put it back, and the data contained in the BIOS memory should be gone. I'd suggest removing it for about one hour to be sure, because if you put it back before the data is erased you'll have to wait the full time again, as if you had never removed it. If it doesn't work at first, try removing the battery overnight.
Important note: in laptops and notebooks you don't have to remove the computer's power batteries (which would be useless); instead you should open the computer and remove the CMOS battery from the motherboard.
Warning: usually the battery is protected with a seal. If you remove the battery you break the seal, which means you lose the warranty from your vendor.
- Short-circuiting the chip
Another way to clear the CMOS RAM is to short-circuit two pins of the BIOS chip for a few seconds. But you must know exactly which pins have the function of clearing the CMOS RAM. You can short-circuit the chip with a small piece of electric wire or with a bent paper clip. Always make sure the computer is turned OFF before trying this operation. Be careful, because this operation may damage the chip.
- Replacing the chip
If nothing works, you could replace the existing BIOS chip with a new one, which you can buy from a specialized electronics shop or your computer supplier. It's a quick operation if the chip is inserted in a socket and not soldered to the motherboard; otherwise you'll have to unsolder it and then fit the new one. In that case it would be more convenient to solder in a socket into which you then plug the new chip, in case you have to change it again. If you can't find the BIOS chip specifically made for your motherboard, you should buy one of the same type (probably one of the ones shown above) and look on your motherboard manufacturer's website to see whether there is a BIOS image to download. Then you should copy that image onto the chip you bought with an EEPROM (Electrically Erasable Programmable Read-Only Memory) programmer. This is called BIOS flashing. Be careful with BIOS flashing, because it can damage your BIOS chip and motherboard.
- Resetting by software
If you have access to the computer when it's turned on, you could try one of those programs that remove the password from the BIOS by invalidating its memory. However, you may not have one of those programs with you when you have access to the computer, so you'd better learn how to do manually what they do.
Port
In order to reset the CMOS by software, you must program the CMOS port. If you don't know about ports yet, I'll give a short description. A port can be defined as a place / terminal that connects the computer to other peripherals, for example a disk drive, keyboard, monitor, speaker, etc. Because a port is directly linked to a peripheral, we must know how to access it. Some ports have read-only privilege, some write-only privilege, and some read/write privilege.
Based on the data they process, ports can be divided into:
- Byte-based port
This port uses one byte of data in its operation. If the data accessed is word-sized, it will be processed byte by byte, Most Significant Byte (MSB) first and then Least Significant Byte (LSB), or vice versa, as decided beforehand.
- Word-based port
This port uses word data in its operation.
The CMOS port is a read/write port whose index register is located at address 70 (hexadecimal); the data, 256 bytes long, is accessed through address 71 (hexadecimal). To perform a read or write operation on the CMOS port, we should first program port 70 by sending the index / address of the data to be filled, and then send the data to port 71. It is more convenient if I show you the algorithm for programming the CMOS port I've mentioned above.
For example, if we want to fill the 50th data byte of the CMOS index with 10, the algorithm is:
- port70 <- 50
- port71 <- 10
If we want to read the 50th data byte of the CMOS index, we should:
- port70 <- 50
- your_variable <- port71
Ok, that's a very brief description of ports.
Now back to our discussion. Every BIOS vendor places the CMOS password at a different location, so you must know the CMOS structure. I have a very old version of the CMOS structure which may help you explore the CMOS data.
The shortest way to reset the CMOS is by invalidating it. To invalidate the CMOS you must change the CMOS checksum value, which is located at addresses 2E and 2F. You can fill address 2E with FF. This should work on all AT motherboards.
Ok, now it's time for the implementation. I chose to use the DOS Debug command with assembly language to implement this trick. You may ask me, "Why don't you use a friendlier language such as C, Pascal, BASIC, etc.?". To answer that question I have a strong argument. Not every computer you come across has an interpreter or compiler for the language you want to use, such as C, Pascal, BASIC, etc. For example, if you want to use Pascal you must have Turbo Pascal; if you want to use C you must have Turbo C or Microsoft C, and so on. You're very lucky if the computer you are working on has the compiler or interpreter you need. But what if it isn't present? Then you need an interpreter or compiler which is always present on every computer, and that is the Debug utility. Every computer running the MS-DOS operating system has the Debug utility.
Well, it's time for the code.
- Start your Debug utility.
- Type this command: "o 70, 2e" (without the quotes, of course)
- Type "o 71, ff"
- Type "o 70, 2f"
- Type "o 71, ff"
- And finally exit Debug.
Yes.... it works....
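To make the port 70/71 protocol and the checksum trick concrete, here is an added Python model (not the article's code) of the index/data port pair and of the AT checksum; it assumes the IBM AT layout, where the checksum covers bytes 10h..2Dh and is stored in 2Eh (high) and 2Fh (low), and it replays the Debug sequence above against that model rather than against real hardware.

```python
# Added example (not the article's code): a model of the CMOS index/data port
# pair and of the AT checksum, so the DEBUG sequence "o 70,2e / o 71,ff ..."
# can be traced without real port I/O. Assumed layout: IBM AT standard, where
# the checksum covers bytes 10h..2Dh and sits in 2Eh (high) and 2Fh (low).
CHECKSUM_FIRST, CHECKSUM_LAST = 0x10, 0x2D
CHECKSUM_HI, CHECKSUM_LO = 0x2E, 0x2F

class CmosModel:
    """Simulates port 70h (index latch) and port 71h (data) over 256 bytes."""

    def __init__(self):
        self.ram = bytearray(256)
        self.index = 0

    def out(self, port, value):
        """Mirror of DEBUG's 'o port, value': latch an index or store a byte."""
        if port == 0x70:
            self.index = value & 0x7F   # bit 7 is the NMI-disable flag, not part of the address
        elif port == 0x71:
            self.ram[self.index] = value & 0xFF
        else:
            raise ValueError("not a CMOS port: %02x" % port)

    def inp(self):
        """Mirror of DEBUG's 'i 71': read the byte at the latched index."""
        return self.ram[self.index]

    def expected_checksum(self):
        # 30 bytes at most, so a genuine sum can never exceed 30 * 0xFF = 0x1DE2
        return sum(self.ram[CHECKSUM_FIRST:CHECKSUM_LAST + 1])

    def stored_checksum(self):
        return (self.ram[CHECKSUM_HI] << 8) | self.ram[CHECKSUM_LO]

    def is_valid(self):
        """What POST checks before trusting CMOS: stored == recomputed."""
        return self.stored_checksum() == self.expected_checksum()

    def seal(self):
        """Store a correct checksum, as BIOS setup does after saving."""
        s = self.expected_checksum()
        self.ram[CHECKSUM_HI], self.ram[CHECKSUM_LO] = s >> 8, s & 0xFF

def invalidate_by_checksum(cmos):
    """The article's DEBUG sequence: o 70,2e / o 71,ff / o 70,2f / o 71,ff.
    Stored value becomes 0xFFFF, above any genuine sum, so POST rejects the
    whole contents regardless of what the vendor's password bytes hold."""
    for port, value in ((0x70, 0x2E), (0x71, 0xFF), (0x70, 0x2F), (0x71, 0xFF)):
        cmos.out(port, value)
    return cmos.is_valid()
```

The model also shows why the article can say FF works on any AT board: a stored 0xFFFF exceeds every reachable sum, so the checksum check must fail and POST falls back to defaults.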
Closing
I suggest you reset the BIOS by software, the safest method with the least risk of damage. The alternative method, and maybe more convenient for you, is to use the manufacturer's backdoor password. This has almost no potential for damage, but you will have to try the passwords in the list above one by one if the first fails, and they are not guaranteed to solve the password.
Whichever method you use, when you reset the BIOS not only the password but also all the other configuration data is reset to the factory defaults, so when you boot for the first time after resetting the BIOS you should enter the CMOS configuration menu and fix up some things.
So be careful and use it at your own risk.