On Tue, 2002-11-19 at 19:31, Pigeon wrote: > On Tue, 19 Nov 2002 13:54:10 +1000, John <johnpf@atnet.net.au> wrote: > > >Mark L. Kahnt wrote: > > > >>Anyone remember how to clear a password on a BIOS? I've got a box from a > >>client that has stopped booting from CD, and this client is ready to > >>move to dual-booting but this is his main desktop box and it needs some > >>cuffing around the BIOS. The password was put on by the vendor of the > >>box, who then went broke three months later. I need to get Windows > >>working (certain key files were clobbered by yet another virus - > >>including explorer.exe - likely others, but I'm finding them > >>one-at-a-time) to at least extract some key data before re-partitioning, > >>and currently, for some strange reason, Windows can't see the cd-rom at > >>all (while 2DiskXWin does, so I know that the hardware is okay - only M$ > >>is $crewed ;) > >> > >>Yeah, it's all complicated - simply put, I need to clear the BIOS > >>password, and I've forgotten the normal trick (other than removing the > >>battery and disconnecting the power supply, and hoping the CMOS is > >>static RAM rather than EEPROM - which one guy I know used a number of > >>years back for his garage-built line of boxes.) > >> > >> > >You can also get at the BIOS contents via port 70 (you need to write the > >address you want to access there) and port 71 (which you read and write > >data from/to). > > > >You'll need to track down exactly what addresses you'll need to touch > >via the web somehow, then boot a DOS disk and use DEBUG to toggle the > >address which says a password is set. As I seem to recall it's a binary > >flag inside a byte somewhere. It's a long time since I did any of this > >stuff, so I cant tell you anymore details. A clever Linux hackor could > >probably do it as root via /proc, but I have no idea how to get there. > > > > This lot may help you - it's all the stuff I could find in CMOS.LST > from Ralf Brown's Interrupt List about AMI BIOSes. It's a bit old but > probably not unusably so. Sorry for the length. > > Don't forget to hit the appropriate checksum in 2E/2F or 3E/3F. > > Personally, I'd pull the battery. > > An alternative method is to unplug the BIOS ROM, plug it into a spare > ROM socket in a machine that's old enough to have one, dump the > contents, disassemble it and hunt through for the password check. The > machine I did this on had its password hard-coded into the BIOS ROM, > so I didn't have much choice. > > Pigeon > ============================================================ > ----------R2D-------------------------------- > CMOS 2Dh - AMI WinBIOS - flags > > Bitfields for AMI WinBIOS flags: > Bit(s) Description (Table C0033) > 7 Weitek Installed > 6 bootsector virus protection enabled > 5 mouse enabled > 4 password checking (0 setup, 1 always) > 3 parity error check enabled > 2-1 boot order (00 = C:A:, 01 = A:C:) > 0 turbo switch enabled > ----------R34-------------------------------- > CMOS 34h - AMI - SHADOWING & BOOT PASSWORD > > Bitfields for AMI shadowing control 1: > Bit(s) Description (Table C0037) > 7-6 password selection > 00b Disable > 10b Reserved > 01b Set > 11b Boot > 5 C8000h Shadow ROM (Bit 1 = On) > 4 CC000h Shadow ROM (Bit 1 = On) > 3 D0000h Shadow ROM (Bit 1 = On) > 2 D4000h Shadow ROM (Bit 1 = On) > 1 D8000h Shadow ROM (Bit 1 = On) > 0 DC000h Shadow ROM (Bit 1 = On) > ----------R37-------------------------------- > CMOS 37h - AMI WinBIOS - SETUP COLORS, PASSWORD SEED > > Bitfields for AMI WinBIOS setup colors and password seed: > Bit(s) Description (Table C0044) > 7-4 password seed > 3-0 WinBIOS/AMIBIOS setup color options > --------y-R383D------------------------------ > CMOS 38h-3Dh - AMI - Encrypted Password > --------!---Note----------------------------- > > The second group of values extends from address 10h to 2Dh. The word > at > 2Eh-2Fh is a byte-wise summation of the values in these bytes. Most > BIOSes > will generate a CMOS Checksum error if this value is invalid however > many > programs ignore the checksum and report the apparent value. The > current > version of MSD reports my XT as having 20+ MB of extended memory. > ----------R3E-------------------------------- > CMOS 3Eh - AMI - Extended CMOS Checksum, High Byte > Note: this checksum covers locations 34h - 3Dh, but is not used by > some > later AMI BIOSes > ----------R3F-------------------------------- > CMOS 3Fh - AMI - Extended CMOS Checksum, Low Byte > Note: this checksum covers locations 34h - 3Dh, but is not used by > some > later AMI BIOSes Okay, very useful, but I've finally pinned down that it is an Award BIOS, and I was able to nuke that password (gotta love places that believe a sticker on the back and BIOS password are the way to ensure they do the warranty work without user meddling.) Next is a defrag, parted'ing, and installing a dual-booting until my friend can be fully weened from minature software (as in micro-soft.) -- Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP ML Kahnt New Markets Consulting Tel: (613) 531-8684 / (613) 539-0935 Email: kahnt@hosehead.dyndns.org
Attachment:
signature.asc
Description: This is a digitally signed message part