Instructables

Bypass BIOS Boot or OS Login to "most" any computer ... with console access

ANY system where you have access to it's console will give you an opportunity to where you can login and see files, run your own browser or copy files. By modifying the BIOS or "Flash'ing" new BIOS you can override both BIOS protected passwords and reboot from other devices or peripherials...Reboot with any OS you choose and browse NTFS (via http://www.ntfs-linux.com/) or FAT files on their 'secured' hard drive.

Internet Cafe', Public Library and Schools with "locked" PC's are usually accessible...

If you can MODIFY the BIOS to boot from USB, CD or DVD.

Insert your USB Boot image (ISO). How...See my instructables...

Beginners Background:

The BIOS (Basic Input-Output System) is a small piece of code 'burned' into a EPROM/CMOS (Erasable Programmable Read Only Memory). This is the hard coded instructions to "boot" your PC.

Even "locking" the BIOS is no longer safe as "Flash" programs can 'reprogram' most any BIOS. Shorts or restes can 'fry' and many sites offer replacements/swaps.

File systems:
Computers all have files. File systems are the way data is encoded on the hard drive. It's not encrypted nor protected except for EFS or secured shadowed and hidden file systems using triple DES and PGP.

Steps:

Press F2 or F10 as the reboot prompt asks.
Modify as below the "Boot order"

Insert a CD/DVD or USB boot drive and your in!

(see instructables for ISo images or USB thumb drive)

 
Remove these adsRemove these ads by Signing Up
1-40 of 79Next »
mrmath7 years ago
I work for IBM Global Technology Services. They provide us with IBM/Lenovo laptops. Our security policy states we must have a power on password set in our bios. You can't get to the bios to change to boot to another device (USB) without first knowing the power on password. If you could get to the bios to change the boot order, you couldn't boot to any device without knowing the power on password. Our security policy also requires we have a hard drive password. This password is asked for at power up. If you don't know it, you can't get to the hard drive. That means that even if you could power it up, and boot it from USB, you couldn't mount the drive if you don't know the hard drive password. There is no way around this. I know this because when we return our old computers, and we forget to remove these hard drives, they call us to get them. If we don't remember them, the laptop and the hard drive are toast. Even as the company that manufactures the machine (back when IBM did that), we couldn't remove the power on or hard drive passwords. So, while your method will work on a machine not protected with a power on password or a hard drive password, it will NOT work on every machine.
erckgillis (author)  mrmath7 years ago
I work for HP, we hack your old laptops all time time:

Power-on BIOS passwords hack:

1) IBM - Press BOTH mouse keys repeatedly during power up.
2) "Backdoor" BIOS passwords ( from IBM Manuals) try 'merlin' or see http://www.uktsupport.co.uk/reference/biosp.htm
3) Remove BIOS battery backup...drain and rest
4) Attach floppy and "Flash" BIOS to new version without passwords...

Harddrive Power On passwords.
1) Read HDD in Hex editor and do a "Ghost" copy to non-password HDD
2) Remove IDE/SATA or SCSI controller from HDD. Use a non-locked controller
3) Perform forensic binary transfer to HDD without lock HW enabled.

Easy cheesy...do it weekly...

don't be fooled that no-one can get your data...if I get the platters your toast...

E
Do you still use this site erckgillis?
Are you talking about the hard drive password that is set within the laptop or something? That makes sense but you wont be getting much from encrypted drives and files.
You mean "you're toast", and yes, if you get my platters, and have the exact same hard drive, and can get the platters from one of them to the other, I'm toast.
erckgillis (author)  mrmath7 years ago
Power on passwords are stored on the hard drive and read at power on from the hard drives controller (IDE/SCSI or SATA). I replace your controller with one not enabled for hardware power-on and tada! No passwords. Only issue is the controller 'remembers' all bad sectors and "spared" cylinders...so my "NEW" controller will often try to read or spare out valid or invalid sectors and cylinders...so a HEX or Binary copy to a drive with a 'clean' controller and new HDD works best... Then I browse the old data. Way cool is tto "swap" someones drive in a laptop when they are not aware...Use a dead one... then take your time to recover all the sensitive data...in theory... oops....
This is not the case on IBM/Lenovo laptops. I have two hard drives in my machine. When I got the new one, it was larger than the original one, so I yanked that one, and put in the new one. Still came up with the power on password. If it were stored in the hard drive, it wouldn't have come up. Don't know how many times I have to say it. Even as the manufacturer, IBM/Lenovo can not remove power on or hard disk passwords.
awace mrmath5 years ago
why didnt you just remove the password before you upgraded drive like i did!!!
erckgillis (author)  mrmath7 years ago
dude wrong...sorry... BIOS Passwords: These are on the EPROM CMOS not the HDD and is backed up by a small NiMH battery. Remove that and it forgets BIOS passwords. Or use master passwd and reset via jumper on motherboard. Harddrive passwords: I DO IT AT WORK...send me your harddrive! I'll send back your password(s). You admit you know not how it's done. IBM no longer make these drives you say? If it's NOT on your harddrive it would be USLESS as I put it in another PC and I see your data...duh The HDD passwd is on the ALT Bootstrap sector and read by the controller...replace that and it "forgets". Only encryption works...PGP or DES... E
erckgillis (author)  erckgillis7 years ago
(removed by author or community request)
On most laptops the bios is on an EEPROM, but this isn't backed up by battery; EEPROMs are non-volatile, and so will keep the password without power. But I agree about the part that the passwords are easy to remove; if the bios is reading the data from an EEPROM, then there is nothing to stop someone building a simple reader circuit , soldering to appropriate pins on the EEPROM and stripping the data off; the password is almost always weakly encrypted, and can then be extracted. Look at allservice.ro to see what I mean. Regarding the instructable itself, what are you aiming to show, and who are you writing it for?There seems to be very little actual instructing going on-most people who are not already aware of what you are writing about would probably struggle to boot Windows XP/Knoppix off a USB flash drive, or mess about with a console in either Windows or linux. Even if the purpose of the instructable was to warn people to encrypt their data, you should do this by showing them explicitly step by step how easy it is recover their data. Otherwise write it on a blog, or wiki. Pictures...I think that 2 pictures that add little more than colour to the page is plenty-10 is a little OTT. Not one of the pictures above is explicitly referred to in the text, nor demonstrates substancially what is going on in the text. And last comment...please take the time to proof read your work for typos and spelling/grammar errors; this only takes a few minutes or so.
erckgillis (author)  ningo7 years ago
(removed by author or community request)
Hi, the main point I was making about the instructable is that having read it, I wasn't sure just what you were trying to show me. Are you trying to show people how to boot their own OS on a public PC, or show people how to retrieve data/how easily data may be recovered? Just a little restructuring would fix this. For instance, the intro needs to be separate from the discussion on the BIOS,which deserves its own section.The BIOS section needs more information i.e. common keys to enter bios, the fact that not all BIOSes support booting from USB flash drives, and some boards are notoriously flakey in their support for booting from usb flash drives and need all other boot devices disabling, legacy usb support toggling etc. Neither this instructable nor your instructable on USB Knoppix address these issues;these are not specifics, but rather giving enough information for the discussion to be useful. Also worth pointing out is that none of the Windows ISOs listed will read an NTFS partition as is. Also, is this written for beginners, or people with a moderate computing background?Whilst you might think "duh easy dude", do people that also share that point of view even need this instructable?Most of the useful technical discussion for such people has occured in the replies after the actual instructable. For instance, I highly doubt that anyone that required the link to the mount command could feasibly use the link given to use it without consulting other sources. The pictures comment was perhaps a little unfair...but without referring to the pictures or labelling them, they are little more than eye candy, and I still think those on step 2 and 3 are unnecessary.
erckgillis (author)  ningo7 years ago
Then write something better...
Without getting you in trouble with your work, is there a way you can share with us how to reset a BIOS password on a tc4400? I really don't want to send it in ... Thanks
awace laxamar5 years ago
toshiba hold esc during boot to get into c-mos!!!!!!! ., otherwise there could be three c-mos batteries witch hold passwords.. othewise youcould short.
You work for HP eh? :o)
I have an Omnibook 900 eBay bargain that has a locked BIOS and windows 2000 with a password on it, how can I reset that then? Serious question.

All I've found are places that want to charge £90* for a replacement BIOS chip. I've tried HP tech-support who asked me for photo-id/a signed declaration that I own the laptop/receipt/proof of address/sworn affidavit that I will hand-over my first born etc that I've sent, but not heard anything else : /

I've read that with the serial number HP can tell me the "master" BIOS password for the laptop. Is that true?

The only other option at the moment that I can see is to get a laptop->IDE cable and use dd to copy a disc-image onto the hard drive. I've already tried using a LNX BBC LiveCD but the external CD drive is obviously not set up as a boot device in the BIOS.

*This is a £30 donor laptop for (Yet Another) digital photo-frame mod so I'm loathe to spend £90 for someone with a PIC programmer to flip a bit on the BIOS chip.
ikem adamazing6 years ago
Windows 2000 and XP has the same way to handle users and passwords. To reset a Windows XP password there is a Mini-Linux:

Offline NT Password & Registry Editor
http://home.eunet.no/~pnordahl/ntpasswd/
Here's the torrent download link for a bootable image file that will remove your Windows admin passwords. You'll need Azureus or something to read the torrent. Burn the iso file as an image onto cdr and boot off it. Works on 2000 & XP.. haven't tried it on any other versions.

http://www.isohunt.com/download/16593302/windows+password+reset
spoty23 mrmath1 year ago
hey i know about the lenovo password for i have recently tried to change the bios and i got put on password screen but i just pushed enter and it let me in but i couldnt modify the bios boot order. i was trying to test my kon-boot usb on my computer but i couldnt do it because i couldnt add the usb 2.0 to the boot order which is wut i needed to do. so yeah ur right it wont work. :'(
7Stacks mrmath6 years ago
This is true. Those IBM/Lenovo laptops are very secure in that aspect. And you get one shot at HDD password and then it locks you up and kicks you out of BIOS setup.
That isnt exclusive to IBM, startup BIOS passwords can't be circumvented unless you reset the BIOS to default since you wont get to any portion of the startup that lets you make any changes without knowing the password.
Taotaoba mrmath7 years ago
If the passwords are stored in CMOS, then remove the battery will do. I don't know if the manufacturers store passwords in flash memory. If so, then maybe re-flash it will do. Definitely it will not as easy as this instructable shows. I don't know about hard disk password.
mrmath Taotaoba7 years ago
I can't speak for other manufactures, or give you the technical details of how IBM/Lenovo do it (because I don't know--not because I'm not allowed), but I can say that if the power on password is set on an IBM/Lenovo laptop, and you don't know it, it will not power up, and you can't do any flashing, or battery removal to get rid of the password. Like I said, even as the manufacturer of the machine, IBM/Lenovo can't do it.
you can always flash the epprom or read its data....
awace mrmath5 years ago
I told you you have to short the c-mos chip w out batteries and only the power pack plugged in this will remove the programming in there flash c-mos chip it wont keep drive lock password so drive will still be locked but c-mos will be accessable meaning you could boot to new drive or optical drives making laptop not obsolete whocares about drive
awace mrmath5 years ago
this doesnt work once you short the c-mos chip it reset the c-mos chip to its original programming and c-mos options remane not set witch bypasses youre drive lock password you have not tried to short the c-mos chip correctly then !!!!!!!!!! try it
awace awace5 years ago
this wont let you into the drive but it will allow you do throw the harddrive away and reuse the laptop... also I bet if you knew the drive lock password then took new drive and added it to a new machine new harddrive then replaced w locked drive it would boot but you would have to know original drive lock password this would only help if laptop was trashed but drive wasntr SO MRMATH is any of what i said true I would assume the c-mos would be true cause I did it on a DFARS IBM once already and was able to format harddrive as new and the other one I couldnt get into drive cause it was click clakcing and i threw it away the ibm i just reformatted it didnt have c-mos drive lock but did have a c-mos password locking me out of c-mos witch i cleared w shorting .. I didnt care about the stuff on drive cause i just reloaded os onto it..
ninjanody awace3 years ago
you can read the data of the eprom but you have to dissasemple the laptop and solder jump wires into the motherboard, assemple it back, connect the eprom reader or programmer, power up the laptop and read its data. the password was stored in the hex that the epprom reader take from the mobo. . I had already done it at a ibm laptop but it been atleast 2 years and i dont remember the source of info & utility that read the hex and give me the pass..
micronxd mrmath7 years ago
almost every mobo has a circuit that, when closed, will return the BIOS to factory settings. That would take care of the BIOS factory problem, but i'm curious how this HD password works... technically there are still ways of reading a HD's data no matter what... But yea... this method is pretty much useless unless the computer doesn't have a BIOS password, or unless you have access to the MoBo (which is most situations lol)
erckgillis (author)  micronxd7 years ago
HD data is encrypted with a hash and written to the platters. Removal of the drive renders it unreadable and even a removal of the platters just produces jumbled characters. A 64 bit hash can be decrypted by a supercomputer in 15 days, a 128 bith hash in 13 months and a double DES2 in 19.5 years... However if you use the same controller and reset the BIOS and firmware to match it will easily spew ASCII data on demand... Ed
DNR erckgillis5 years ago
how to open n close dvd drive through cmd....
I'd like to know where the hard-drive password is stored. Coz if it's not stored in the hard drive, we can only replace that part of it and then pry the data out of it. This is completely theoretical... I'd like to try it out if i knew....
vaiden mrmath7 years ago
The methods to password protect hard drives are crackable my friend, even if your IT doesnt know it. A laptop can be cracked open to clear cmos just as a desktop can for the bios pass. If someone steals a laptop from you guys they can be in it in hours, and have all your little lanman hashes in brute-force cracking. Linux will be the OS used to have your data. The guy in a nearby cubicle that started yesterday will watch you type all your passwords. Then he'll steal your laptop, and he'll have full access to your data. That guy didnt last long did he? He already quit.
erckgillis (author)  vaiden7 years ago
I know... they don't BELIVE ME... we do it every day. If I take your "encrypted" platters, dump your controls firware update and flash the eproms on a new card the I HAVE PASSWORDS for then I got your harddrive...all your data and in some cases access to EVERYPLACE you have ever logged onto. oh my... E
richardnot9 months ago

PCUnlocker (http://www.top-password.com)
should be added to the Live CD list above. It can also boot in EFI/UEFI
mode, and bypass admin passwords on all versions of Windows. To remove a
BIOS password, I probably change the jumper settings or remove CMOS
battery.

g-weebens1 year ago
This method will not work on OpenFirmware, OpenBoot, or other similar systems. The loader environment has to be accessed through a key combination.
BIOS is not the standard on all systems.
awace5 years ago
you can short out c-mos on dallas chip you have to chunk into epoxy blob and remove lion battery then sandpaper connections left to battrey and then solder new battery to chip I have done this before also look here
http://www.mcamafia.de/mcapage0/dsrework.htm
he did it the hard way all you have to do is find the battery then hack it out using a small blue type snippers works best obvibously the color of snipers wont matter anwyay just get to battery then using snippers unpeal like sardine can the bigger solder tab unwrap it till it comes off fully keeping as long as peice as you can but since there is picture of chip on the mcamafia site you should beable to get to pin needed for battery anyway! then get other side off the same way keeping as mutch connection space as needed. then sicne pins went up thats why shorting them wont work i think they thought keeping people away from c-mos chip they could keep them away but when battery dies computer wont boot and locks up I learned this from a gateway ride ready c-mos hi and low chip old 486 board all were bad rev #1 fun 1 no video this means the nickel cad batterys were shorted then i snipped battery off and it continued booting! to solder to pins just get some new 3m sponge scrubbie brand scratch pad then use small sandpaper file to sandpaper the pins or the connections left from battery it actually will for shure solder then after you scratch down to brass it will take solder most battery terminal solder tabs wont solder to the coating . i did that and computer works great . I also know if you have a compaq protable II suitcase computer take a nokia 3589i
Nokia BLC-2 battery and use phone to charge to charge complete then add solder blobs to battery + - terminals leave other terminals alone so you can recharge it in phone you must unsolder from computer to recharge in phone
then use a kid toy battery compartment wire for wire or comprable wire to solder and replace battery in compaq portable II suit case comuter then download c-mos utility called setup this file is for a floppy so you may have to use dos 0.72 to load up dos and make floppy then remove compaq II whole drive caddy with old 5¼ and replace miniscribe IDE drive w cavair 2g or 1g or 500Mb cause you only get 259Mb anyway I forget witch drive it is but it looks like 1024 16 63 and it works with 259Mb sicne all my 850Mb caviar wd hd's are bad i just used a 2g anwyay then load up new computer w usb stick w setup on it boot to usb device or memmory stick device and then format b:/s
then copy dos to floppy then steal compaq setup.exe file then take format.com
sys.com
edit.com
attrib.exe
edit.hlp
fdisk.exe
format.com
cdtech.sys
mscdex.exe
I havent tried cdrom cause c-mos not comatible w more than 1 drive.
then hook b: to big computer remove usb stick and boot from 3¼ floppy you just made w compaq setup on it then format b: /f:360 /s
then it formats crappy compaq c-mos type floppy bootable it can be win98 but since computer has crappy memory just use win95 actaully dos version does not matter qwbasic still runs then after you make a boot fisk for it using its own floppy drive or a nother /f:360 floppy witch its c-mos is looking for then you can put back into compaq portable w nokia battery as c-mos not hooked to phone remember charging is in phone as normal then solder blobs should beable to connect good when charging.
then put caviar wd 2g drive into big machne boot from 3¼ floppy put sys on it
then put into compaq II and boot from 360 floppy run setup detect 259M drive
then reboot then format c:/q/s
you might need more floppys from usb or big machine to fit all dos format utiltys on then once you format c:/q/s s being system and q being fast
I use win98 cause its faster and lets you use large.
then once you get it to boot to win98 dos you will see the win98 thing in GREEN its so cool you can remove ide drive and put basica qwbasic and other stuff on it in xp using usb to ide stick or just put as d drive then since miniscribe is usb you should beable to do the same on xp.
on n610 or most square dram chips the side opposite pin one can be shorted no batteries must be hooked c-mos or big battery then only hook up power pack to laptop then short c-mos chip then unplug power pack super fast then wait 5 minnutes then replace all batteries and c-mos will clear.
now I had a keyboard w ide video and floppy it was called a hide ccomputer it was a vga card w ide on it and a small form factor 486 texas instruments 386 chip but it was a 486 on a 386 motherboard so it was a 486 but was a square 486 chip and over heated easyly cause no heat sink lame anyway its c-mos chip was a normal 28 pin chip and if you set password even if you cleared password when it didnt have one it would just screw FUC_ it up it would just show ☺ for 1st try and then ☺ so you would get
☺☺☺ and it would lock up after 3rd password try my dad said when he gave it to me he said DONT put password into it I said ok cool free computer.
I turned it on then removed a smaller chip next to the c-mos chip then replaced it and for some reason when it was on if i turned it back off and on again this procedure would clear c-mos password witch you still needed to stay out of password menu in c-mos and it would work great untill you tried to add password.
thats when i learned about shorting batterys and clearing c-mos .
on most chips the 2nd to last and the 3rd to last pins usually clears every thing DONOT DO THIS ON A arcade space invaders motherboard cause you will lose eeprom info remember c-mos for comuters is 2 fold 1st the program is loaded then the .bin file is loaded into the chip but the chip is formated a certian way so you can copy one in burner but not just send it a file
you need to run awdflash.exe and use the /d the /d option saves original info and only writes new info updating file i have more success this way also the new one always back up c-mos on nother floppy and always choose update instead of replace.
and always good luck.
if you have ontracks/krolls seagates dm disk manager just load to f8
then type in a:/command.com
you cant just type command.com on dr dos you have to do the a:\command.com
then steal dm.exe and all needed files for this file to run
then load to dos w autoexec.bat having dm.exe /x/m
then /x does not load the xbios.ovl file witch tells diskmanager to do ceritan drive once you do the /x it works and disables looking for drive type it came w drive so you can use with any type drive not just seagate drive i got utility from
ontrack dont like this but I dont care i use utilty all the time to reformat drives
1st once it sees drive check dos to see what win98 dos sees as fdisk
then choose autodetect in c-mos on new computer then run dm /x /m
then if it dont see drive as whole amount of mb then goto c-mos in computer choose chs and manual and choose 1024 16 63 then
goto dos format as what ever you can get in dos reboot then format /q/s then reboot soo it boot to dos w system on it
then reboot change c-mos to autodetect check dm to see if it sees whole thing if it chooses to format more than 27 volumes let it then reboot use dos what ever it sees choose no to big w fdisk then delete all partitions then reboot then fdisk again /mbr reboot then choose no to large on fdisk then add partition donot add logical partitions just choose 500mb then push 2 to activate then reboot leave autodetect on auto then dos format c:/q/s
/q quick and /s system remember to have sys.com format.com edit.exe edit.hlp
and attrib.exe and all dos files to make c drive boot also cdtech.sys or a cdrom driver and mscdex.exe
also you need
config.sys
device=himem.sys
device-cdtech.sys /d:cd
autoexec.bat
mscdex.exe /d:cd
set blaster=a220 i5 d1 t330 t being midi port
then format c:/q/s
then reboot then check dm.exe /m/x
then delete all partitions leave win98 w dm.exe that you booted in for sys
then choose check partitions delete all partitions using alt c then add new push b for bootble then leave 1 meg free i usually leave some more than that then format partition let it do then reboot then dos format /q/s this way it marks bad file alloction tables and quick formats the 1st time you quick format it will fail and just say yes to unconditional format /u
then reboot and run dm.exe /x dont put the /m just automaticly fat32 win98
format it quick then reboot and format /q/s then you can boot from xp disk and it will see it as new delete win98 then you have new ntfs you can make
i always chose fast and leave my self a d drive as a fat32 partition then reboot not using it and put winxp on the ntfs partition 60% 40% d is always 40 % and usually fat32 and c is ntfs now i just use ntfs cause i have usb to ide now.
if you have the msdn version of xp media center you need to use difernt verison of xp to detect more than 300G .

(removed by author or community request)
I have a Dell Optiplex 745 with a smartcard reader keyboard. I want to get into BIOS to access the machine to create a media center computer. It needs a card which I don't have. HELP PLEASE!
1-40 of 79Next »