  Hacking Your Password -
Old 17-Dec-2006, 08:21 AM   #1 (permalink)
Administrator
 
Anilrgowda

Password Checking Option
You can use a password during the computer's startup sequence. The options are:
  • Always, which means every time the system is started.
  • Setup, which only protects the BIOS routine from being tampered with, or
  • Disabled.

You can still boot from a floppy and alter things with a diagnostic program, though.
The original AMI BIOS did not encrypt the password, so any utility capable of reading the CMOS should be able to edit it. The AMI WinBIOS uses a simple substitution system.
You get three attempts to get in, after which the system will have to be rebooted. The default is usually the manufacturer's initials (try ami), or biostar, biosstar, AWARD?SW, AWARD?PW, LKWPETER, 589589, aLLy, condo, djonet, lkwpeter, j262 SWITCHES?SW, AWARD_SW, or Shift + S Y X Z for Award (before 19 Dec 96), but if this doesn't work, or you forget your own password, you must discharge the CMOS. One way to do this is simply to wait for five years until the battery discharges (ten if you've got a Dallas clock chip)! You could also remove the CMOS chip or the battery and just hang on for twenty minutes or so. Look for the chips mentioned below, under Clearing Chips.

You could try flooding the keyboard buffer to crash the password routine - just wait for the password prompt, then keep pressing Esc.

Note: Since 19 Dec 96, Award Software has not used a default password, leaving it for OEMs. Discharging the battery will not clear the OEM password.

Note: When CMOS RAM loses power, a bit is set which indicates this to the BIOS during the POST test. As a result, you will normally get slightly more aggressive default values.
If your battery is soldered in, you could discharge it enough so the CMOS loses power, but make sure it is rechargeable so you can get it up to speed again. To discharge it, connect a small resistor (say 39 ohms, or a 6v lantern lamp) across the battery and leave it for about half an hour.

Some motherboards use a jumper for discharging the CMOS; it may be marked CMOS DRAIN. Sometimes, you can connect P15 of the keyboard controller (pin 32, usually) to GND and switch the machine on. This makes the POST run, which deletes the password after one diagnostic test. Then reboot.

Very much a last resort is to get a multi-meter and set it to a low resistance check (i.e. 4 ohms), place one probe on pin 1 of the chip concerned, and draw the other over the other pins. This will shock out the chip and scramble its brains. This is not for the faint-hearted, and only for the desperate; use a paperclip or desolder the battery first! We assume no responsibility for damage!

The minimum standby voltage for the 146818 is 2.7v, but your settings can remain even down to around 2.2v. Usually, the clock will stop first, as the oscillator needs a higher voltage to operate. 3v across a CMOS is common with 3.6v nicad & lithium batteries, as the silicon diodes often used in the battery changeover circuit have a voltage drop of 0.6v (3.6v-.6v = 3v). If your CMOS settings get lost when you switch off and the battery is OK, the problem may be in the changeover circuit - the 146818 can be sensitive to small spikes caused by it at power down.

Clearing Chips
The CMOS can mostly be cleared by shorting together appropriate pins with something like a bent paperclip (with the power off!). You could try a debug script if you are able to boot:
A:\DEBUG
- o 70 2E
- o 71 FF
- q
The CMOS RAM is often incorporated into larger chips:
P82C206 (Square)
Also has 2 DMA controllers, 2 Interrupt controllers, a Timer, and RTC (Real-Time Clock). It's usually marked CHIPS, because it's made by Chips and Technologies. Clear by shorting together pins 12 and 32 on the bottom edge or pins 74 and 75 on the upper left corner.
F82C206 (Rectangular)
Usually marked OPTi (the manufacturer). Has 2 DMA Controllers, 2 Interrupt Controllers, Timer, and Real Time Clock. Clear by shorting pins 3 and 26 on the bottom edge (third pin in from left and 5th pin from right).

Dallas DS1287, DS1287A
Benchmarq bq3287MT, bq3287AMT
The DS1287 and DS1287A (and compatible Benchmarq bq3287MT and bq3287AMT chips) have a built-in battery, which should last up to 10 years. Clear the 1287A and 3287AMT chips by shorting pins 12 and 21; you cannot clear the 1287 (and 3287MT), so replace them (with a 1287A!). Although these are 24-pin chips, the Dallas chips may be missing 5, which are unused anyway.

Motorola MC146818AP or compatible.
Rectangular 24-pin DIP chip, found on older machines. Compatibles are made by several manufacturers including Hitachi (HD146818AP) and Samsung (KS82C6818A), but the number on the chip should have 6818 in it somewhere. Although pin-compatible with the 1287/1287A, there is no built-in battery, which means it can be cleared by just removing it from the socket, but you can also short pins 12 and 24.

Dallas DS12885S or Benchmarq bq3258S
Clear by shorting pins 12 and 20, on diagonally opposite corners; lower right and upper left (try also pins 12 and 24).

For reference, the bytes in the CMOS of an AT with ISA bus are arranged thus:

00 Real Time Clock
10-2F ISA Configuration Data
30-3F BIOS-specific information
40-7F Ext CMOS RAM/Advanced Chipset info

The AMI password is in 37h-3Fh, where the (encrypted) password is at 38h-3Fh. If byte 0Dh is set to 0, the BIOS will think the battery is dead and treat what's in the CMOS as invalid.
One other point, if you have a foreign keyboard (that is, outside the United States) - the computer expects to see a USA keyboard until your keyboard driver is loaded, so DON'T use anything in your password that is not in the USA keyboard!
Reply With Quote
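
The CMOS memory map and the byte 0Dh behaviour described in the post, as an added example that is not part of the original post: a Python check over a 128-byte CMOS dump that reports why a BIOS would treat the contents as invalid. It assumes the standard AT convention, not stated in the post, that a 16-bit sum of bytes 10h-2Dh is stored at 2Eh-2Fh and that the RTC region ends at 0Fh; the dump is constructed and the function names are hypothetical.

```python
# Added example (not from the original post). The dump below is constructed.
REGIONS = [  # memory map as listed in the post; the 0Fh end of the RTC range is assumed
    (0x00, 0x0F, "Real Time Clock"),
    (0x10, 0x2F, "ISA Configuration Data"),
    (0x30, 0x3F, "BIOS-specific information"),
    (0x40, 0x7F, "Ext CMOS RAM/Advanced Chipset info"),
]
STATUS_D = 0x0D                    # bit 7 set = CMOS kept power; clear = battery considered dead
SUM_FIRST, SUM_LAST = 0x10, 0x2D   # assumed: standard AT checksum range
SUM_HI, SUM_LO = 0x2E, 0x2F        # assumed: where the 16-bit sum is stored


def region_of(offset):
    """Name the memory-map region that holds a CMOS offset."""
    for first, last, name in REGIONS:
        if first <= offset <= last:
            return name
    raise ValueError(f"offset {offset:#04x} is outside the 128-byte CMOS")


def audit(dump):
    """Return findings that explain why a BIOS would reject this CMOS image."""
    if len(dump) != 128:
        raise ValueError("expected a 128-byte CMOS dump")
    findings = []
    if not dump[STATUS_D] & 0x80:
        findings.append("byte 0Dh: power-loss flag, contents treated as invalid")
    stored = (dump[SUM_HI] << 8) | dump[SUM_LO]
    computed = sum(dump[SUM_FIRST:SUM_LAST + 1]) & 0xFFFF
    if stored != computed:
        findings.append(
            f"checksum mismatch: stored {stored:04X}h, computed {computed:04X}h "
            f"({region_of(SUM_HI)})")
    return findings


def make_sample():
    """Build a constructed, internally consistent 128-byte dump."""
    dump = bytearray(128)
    dump[STATUS_D] = 0x80
    dump[SUM_FIRST:SUM_LAST + 1] = bytes(range(1, 31))
    total = sum(dump[SUM_FIRST:SUM_LAST + 1])
    dump[SUM_HI], dump[SUM_LO] = total >> 8, total & 0xFF
    return dump


if __name__ == "__main__":
    image = make_sample()
    image[0x2E] = 0xFF   # state left by the post's "o 70 2E / o 71 FF" script
    print(audit(image))
```

An empty result means both the power-loss flag and the checksum are consistent; either finding is the condition under which the BIOS falls back to default values.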
   


   