Re: [OT] Clearing a BIOS password

To: debian-user@lists.debian.org
Subject: Re: [OT] Clearing a BIOS password
From: Pigeon <jah.pigeon@ukonline.co.uk>
Date: Wed, 20 Nov 2002 00:31:24 +0000
Message-id: <[🔎] qshltukgk4msief7498ae81u7ok91fankc@4ax.com>
Reply-to: jah.pigeon@ukonline.co.uk
In-reply-to: <[🔎] 3DD9B5E2.1050505@atnet.net.au>
References: <[🔎] 3DD9B5E2.1050505@atnet.net.au>

On Tue, 19 Nov 2002 13:54:10 +1000, John <johnpf@atnet.net.au> wrote:

>Mark L. Kahnt wrote:
>
>>Anyone remember how to clear a password on a BIOS? I've got a box from a
>>client that has stopped booting from CD, and this client is ready to
>>move to dual-booting but this is his main desktop box and it needs some
>>cuffing around the BIOS. The password was put on by the vendor of the
>>box, who then went broke three months later. I need to get Windows
>>working (certain key files were clobbered by yet another virus -
>>including explorer.exe - likely others, but I'm finding them
>>one-at-a-time) to at least extract some key data before re-partitioning,
>>and currently, for some strange reason, Windows can't see the cd-rom at
>>all (while 2DiskXWin does, so I know that the hardware is okay - only M$
>>is $crewed ;)
>>
>>Yeah, it's all complicated - simply put, I need to clear the BIOS
>>password, and I've forgotten the normal trick (other than removing the
>>battery and disconnecting the power supply, and hoping the CMOS is
>>static RAM rather than EEPROM - which one guy I know used a number of
>>years back for his garage-built line of boxes.)
>>  
>>
>You can also get at the BIOS contents via port 70 (you need to write the 
>address you want to access there) and port 71 (which you read and write 
>data from/to).
>
>You'll need to track down exactly what addresses you'll need to touch 
>via the web somehow, then boot a DOS disk and use DEBUG to toggle the 
>address which says a password is set. As I seem to recall it's a binary 
>flag inside a byte somewhere. It's a long time since I did any of this 
>stuff, so I cant tell you anymore details. A clever Linux hackor could 
>probably do it as root via /proc, but I have no idea how to get there.
>

This lot may help you - it's all the stuff I could find in CMOS.LST
from Ralf Brown's Interrupt List about AMI BIOSes. It's a bit old but
probably not unusably so. Sorry for the length.

Don't forget to hit the appropriate checksum in 2E/2F or 3E/3F.

Personally, I'd pull the battery.

An alternative method is to unplug the BIOS ROM, plug it into a spare
ROM socket in a machine that's old enough to have one, dump the
contents, disassemble it and hunt through for the password check. The
machine I did this on had its password hard-coded into the BIOS ROM,
so I didn't have much choice.

Pigeon
============================================================
----------R2D--------------------------------
CMOS 2Dh - AMI WinBIOS - flags

Bitfields for AMI WinBIOS flags:
Bit(s)	Description	(Table C0033)
 7	Weitek Installed
 6	bootsector virus protection enabled
 5	mouse enabled
 4	password checking (0 setup, 1 always)
 3	parity error check enabled
 2-1	boot order (00 = C:A:, 01 = A:C:)
 0	turbo switch enabled
----------R34--------------------------------
CMOS 34h - AMI - SHADOWING & BOOT PASSWORD

Bitfields for AMI shadowing control 1:
Bit(s)	Description	(Table C0037)
 7-6	password selection
	00b Disable
	10b Reserved
	01b Set
	11b Boot
 5	C8000h Shadow ROM (Bit 1 = On) 
 4	CC000h Shadow ROM (Bit 1 = On)
 3	D0000h Shadow ROM (Bit 1 = On)
 2	D4000h Shadow ROM (Bit 1 = On)
 1	D8000h Shadow ROM (Bit 1 = On)
 0	DC000h Shadow ROM (Bit 1 = On)
----------R37--------------------------------
CMOS 37h - AMI WinBIOS - SETUP COLORS, PASSWORD SEED

Bitfields for AMI WinBIOS setup colors and password seed:
Bit(s)	Description	(Table C0044)
 7-4	password seed
 3-0	WinBIOS/AMIBIOS setup color options
--------y-R383D------------------------------
CMOS 38h-3Dh - AMI - Encrypted Password
--------!---Note-----------------------------

The second group of values extends from address 10h to 2Dh. The word
at
2Eh-2Fh is a byte-wise summation of the values in these bytes. Most
BIOSes
will generate a CMOS Checksum error if this value is invalid however
many 
programs ignore the checksum and report the apparent value. The
current
version of MSD reports my XT as having 20+ MB of extended memory. 
----------R3E--------------------------------
CMOS 3Eh - AMI - Extended CMOS Checksum, High Byte
Note:	this checksum covers locations 34h - 3Dh, but is not used by
some
	  later AMI BIOSes
----------R3F--------------------------------
CMOS 3Fh - AMI - Extended CMOS Checksum, Low Byte
Note:	this checksum covers locations 34h - 3Dh, but is not used by
some
	  later AMI BIOSes

Reply to:

Follow-Ups:
- Re: [OT] Clearing a BIOS password
  - From: "Mark L. Kahnt" <kahnt@hosehead.dyndns.org>
- Re: [OT] Clearing a BIOS password
  - From: debian@computerdatasafe.com.au

References:
- Re: [OT] Clearing a BIOS password
  - From: John <johnpf@atnet.net.au>

Prev by Date: Can't send email to users on same domain
Next by Date: Re: Ready to take the plunge...
Previous by thread: Re: [OT] Clearing a BIOS password
Next by thread: Re: [OT] Clearing a BIOS password
Index(es):
- Date
- Thread