Cracking BIOS Password
Posted on 2002-02-11 07:55:00

This article is for educational purposes only. The author is not responsible for any damage this information could cause. It is therefore not recommended for inexperienced users! YOU HAVE BEEN WARNED.

Note: This article is based on my published article "BACKUP, RESET DAN RESTORE CMOS", published in "Majalah Ilmiah Informatika" (STIMIK AKI Semarang, April - June 1999, Vol. I/2/1999). Some material is taken from the Elf Qrin website.
Resetting CMOS

There are many ways to reset your CMOS password; I will explain them one by one.

  • Wait until the battery is empty
    This is the most conventional method: you do nothing but wait, and wait, and wait until your CMOS battery runs out. When the battery is empty, all CMOS settings are restored to their defaults, including the password. Unfortunately, you can't estimate how long this will take, because it depends on the charge left in the battery. If it is almost empty, you're very lucky. But what if your battery is a long-life one? Hmm, then it's better to throw your motherboard in the trash and replace it with a new one! (hey, just kidding)
  • Using the manufacturer's password
    You can bypass the password by using the manufacturer's backdoor password.

    AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HLT, KDD, ZBAAACA, ZAAADA, ZJAAADC, djonet


    Other passwords you may try (for AMI/AWARD or other BIOSes):
    LKWPETER, lkwpeter, BIOSTAR, biostar, BIOSSTAR, biosstar, ALFAROME, Syxz, Wodj

    These codes are not guaranteed to work; if one fails, try the next.
  • Using jumpers
    This method is to plug, unplug, or switch a jumper on the motherboard. This jumper is not always located near the BIOS chip; it could be anywhere on the motherboard.

    To find the correct jumper you should read the motherboard's manual. Once you've located the correct jumper, switch it (or plug or unplug it, depending on what the manual says) while the computer is turned OFF. Wait a couple of seconds, then put the jumper back in its original position. On some motherboards the computer may turn itself on automatically after the BIOS is reset. In this case, turn it off, put the jumper back in its original position, then turn it on again. Other motherboards require you to turn the computer on for a few seconds to reset the BIOS. If you don't have the motherboard's manual, you'll have to "brute-force" it by trying out all the jumpers. In this case, first try the isolated ones (not in a group), the ones near the BIOS chip, and the ones you can switch (as explained before). If all of them fail, try all the others. However, you must change the state of only one jumper per attempt, otherwise you could damage the motherboard (since you don't know what the jumper you changed is actually meant for). If the password prompt still appears, try another one. If, after resetting the BIOS, the computer won't boot when you turn it on, turn it off and wait a few seconds before retrying.
  • Removing the battery
    If you can't find the jumper that resets the BIOS, or if no such jumper exists, you can remove the battery that keeps the BIOS memory alive. It's a button-size battery somewhere on the motherboard (on older computers the battery could be a small, typically blue, cylinder soldered to the motherboard, which usually has a jumper on its side to disconnect it; otherwise you'll have to unsolder it and then solder it back). Take it out for 15-30 minutes or more, then put it back, and the data held in the BIOS memory should be lost. I'd suggest removing it for about one hour to be sure, because if you put it back before the data has been erased you'll have to wait the full time again, as if you had never removed it. If it doesn't work the first time, try removing the battery overnight.

    Important note: in laptops and notebooks you don't have to remove the computer's power battery (which would be useless); instead you should open the computer and remove the CMOS battery from the motherboard.

    Warning: usually the battery is protected with a seal. If you remove the battery, you break the seal, which means you lose the warranty from your vendor.
  • Short-circuiting the chip
    Another way to clear the CMOS RAM is to short-circuit two pins of the BIOS chip for a few seconds. You must know exactly which pins clear the CMOS RAM. You can short the pins with a small piece of electrical wire or with a bent paper clip. Always make sure the computer is turned OFF before attempting this operation. Be careful, because this operation may damage the chip.
  • Replacing the chip
    If nothing works, you could replace the existing BIOS chip with a new one bought from a specialized electronics shop or your computer supplier. It's a quick operation if the chip sits in a socket and is not soldered to the motherboard; otherwise you'll have to unsolder it and solder the new one in. In that case it is more convenient to solder in a socket into which you then plug the new chip, in case you have to change it again. If you can't find the BIOS chip made specifically for your motherboard, you should buy one of the same type (probably one of the types shown above) and look on your motherboard manufacturer's website to see if there is a BIOS image to download. Then copy that image onto the chip you bought with an EEPROM (Electrically Erasable Programmable Read-Only Memory) programmer. This is called BIOS flashing. Be careful with BIOS flashing, because it can damage your BIOS chip and motherboard.
  • Resetting by software
    If you have access to the computer when it's turned on, you can try one of the programs that remove the BIOS password by invalidating its memory. However, you may not have such a program at hand when you have access to the computer, so you'd better learn how to do manually what they do.

Port

In order to reset the CMOS by software, you must program the CMOS port. If you don't know about ports yet, I'll give a short description.

A port can be defined as a place or terminal connecting the computer to other peripherals, for example the disk drive, keyboard, monitor, speaker, etc. Because a port is directly linked to a peripheral, we must know how to access it. Some ports are read-only, some are write-only, and some are read/write.

Ports, based on the data they process, can be divided into:

  1. Byte-based ports
    These ports use one byte of data per operation. If the data accessed is word-sized, it is processed byte by byte, Most Significant Byte (MSB) first and then Least Significant Byte (LSB), or vice versa, as decided beforehand.
  2. Word-based ports
    These ports use word-sized data in their operations.

The CMOS port is a read/write port whose index register is located at address 70 (hexadecimal); the data, 256 bytes long, is accessed through address 71 (hexadecimal). To read or write the CMOS, we first write the index (the address of the byte to be accessed) to port 70, and then transfer the data through port 71.

It is easier if I show you the algorithm for programming the CMOS port described above.
For example, if we want to fill the 50th byte of the CMOS with 10, the algorithm is:

  1. port70 <- 50
  2. port71 <- 10

If we want to read the 50th byte of the CMOS, we should:
  1. port70 <- 50
  2. your_variable <- port71

OK, that's a very short description of ports. Now back to our discussion. Every BIOS vendor places the CMOS password at a different location, so you must know the CMOS structure. I have a very old version of the CMOS structure which may help you explore the CMOS data.

The shortest way to reset the CMOS is to invalidate it. To invalidate the CMOS you must change the CMOS checksum value, which is located at addresses 2E and 2F. You can fill address 2E with FF. This should work on all AT motherboards.

OK, now it's time for the implementation. I chose to use the DOS Debug command with assembly language to implement this trick. You may ask me, "Why don't you use a friendlier language such as C, Pascal, BASIC, etc.?" To answer that question, I have a strong argument.

Here is my argument. Not every computer you come across has an interpreter or compiler for the language you want to use, such as C, Pascal or BASIC. For example, to use Pascal you must have Turbo Pascal; to use C you must have Turbo C or Microsoft C, and so on. You're very lucky if the computer you're accessing has the compiler or interpreter you need. But what if it isn't there? You need an interpreter or compiler that is present on every computer, and that is the Debug utility. Every computer running MS-DOS has the debug utility.

Well, it's time for the code.

  • Start the debug utility.
  • Type the command "o 70, 2e" (without the quotes, of course).
  • Type "o 71, ff".
  • Type "o 70, 2f".
  • Type "o 71, ff".
  • Finally, exit debug.
Yes.... it works....
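To make the port algorithm and the checksum trick above concrete, here is a small Python model of the 70h/71h index/data port pair and the classic AT CMOS checksum; it is an added example, not code from the original article. It assumes the checksum covers bytes 10h..2Dh and is stored big-endian at 2Eh/2Fh (the classic IBM AT layout), and the 64-byte image it operates on is constructed sample data.

```python
# Added example (not from the original article): models CMOS ports 70h/71h and
# the AT-style checksum to show why writing FF into 2E/2F makes the BIOS treat
# its stored settings as invalid. Assumed layout: checksum over 10h..2Dh,
# stored big-endian at 2Eh/2Fh. The CMOS image is constructed sample data.

INDEX_PORT, DATA_PORT = 0x70, 0x71
CHECKSUM_RANGE = range(0x10, 0x2E)       # bytes covered by the AT checksum
CHECKSUM_HI, CHECKSUM_LO = 0x2E, 0x2F     # where the BIOS stores it


class CmosPorts:
    def __init__(self, image: bytes):
        self.ram = bytearray(image)
        self.index = 0

    def out(self, port: int, value: int) -> None:
        # Port 70h selects the CMOS offset, port 71h writes the selected byte.
        if port == INDEX_PORT:
            self.index = value & 0x7F    # bit 7 of port 70h is the NMI mask
        elif port == DATA_PORT:
            self.ram[self.index] = value & 0xFF
        else:
            raise ValueError(f"not a CMOS port: {port:#x}")

    def inp(self, port: int) -> int:
        if port != DATA_PORT:
            raise ValueError(f"not the CMOS data port: {port:#x}")
        return self.ram[self.index]


def computed_checksum(ram: bytes) -> int:
    return sum(ram[i] for i in CHECKSUM_RANGE) & 0xFFFF


def stored_checksum(ram: bytes) -> int:
    return (ram[CHECKSUM_HI] << 8) | ram[CHECKSUM_LO]


def checksum_valid(ram: bytes) -> bool:
    return computed_checksum(ram) == stored_checksum(ram)


def constructed_image() -> bytes:
    """64-byte sample image with a consistent checksum (constructed values)."""
    ram = bytearray(64)
    ram[0x10], ram[0x12], ram[0x14] = 0x40, 0xF0, 0x2D   # drive/equipment bytes
    ram[0x15], ram[0x16] = 0x80, 0x02                    # base memory 640 KB
    total = computed_checksum(ram)
    ram[CHECKSUM_HI], ram[CHECKSUM_LO] = total >> 8, total & 0xFF
    return bytes(ram)


def replay_debug_script(cmos: CmosPorts) -> bool:
    """Replays the article's four debug 'o' commands; returns checksum state."""
    for port, value in ((0x70, 0x2E), (0x71, 0xFF), (0x70, 0x2F), (0x71, 0xFF)):
        cmos.out(port, value)
    return checksum_valid(cmos.ram)
```

The settings bytes themselves are untouched by the replayed commands; only the stored checksum no longer matches the computed one, which is what makes the BIOS fall back to its defaults.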

Closing

I suggest you reset the BIOS by software, the safest method with the least risk of damage. An alternative, and maybe more convenient, method is to use the manufacturer's backdoor password. This has almost no potential for damage, but you have to try the passwords listed above one by one if the first fails, and they are not guaranteed to solve the password problem.

Whichever method you use, when you reset the BIOS not only the password but all the other configuration data will be reset to factory defaults, so when you boot for the first time after resetting the BIOS, you should enter the CMOS configuration menu and fix up some settings.

So be careful, and use this at your own risk.

Copyright © 2003 - 2005, Bayu Prasetio.