Bypass BIOS Boot or OS Login to "most" any computer ... with console access

ANY system whose console you can physically access gives you an opportunity to log in and see files, run your own browser or copy files. By modifying the BIOS or "flashing" a new BIOS you can override BIOS-protected passwords and reboot from other devices or peripherals. Reboot with any OS you choose and browse NTFS (via http://www.ntfs-linux.com/) or FAT files on the 'secured' hard drive.

Internet cafe, public library and school "locked" PCs are usually accessible if you can MODIFY the BIOS to boot from USB, CD or DVD.

Insert your USB Boot image (ISO). How...See my instructables...

Beginners Background:

The BIOS (Basic Input-Output System) is a small piece of code 'burned' into an EPROM/CMOS (Erasable Programmable Read Only Memory). These are the hard-coded instructions that "boot" your PC.

Even "locking" the BIOS is no longer safe, as "Flash" programs can 'reprogram' most any BIOS. Shorts or resets can 'fry' it, and many sites offer replacements/swaps.

File systems:
Computers all have files. File systems are the way data is encoded on the hard drive. It's not encrypted nor protected except for EFS or secured shadowed and hidden file systems using triple DES and PGP.

Steps:

Press F2 or F10 as the reboot prompt asks.
Modify the "Boot order" as below.

Insert a CD/DVD or USB boot drive and you're in!

(see instructables for ISO images or USB thumb drive)

 

Step 1: Console Access...this is essential to browse files

Windows Computers are designed to not allow remote access. Firewalls, port stealthing and all the fancy software secures you from outside and network attacks.

No one protects their consoles or laptops nowadays.

Do you have access to a school's computer, a library or an Internet cafe?

Then you can load and boot many OS and see files on their HDD.

Once the BIOS (bypass BIOS passwords on page 6) is set to boot from other media (USB/CD/DVD) you can load your OWN OS and log in.

Forget Windows security...load your OWN OS!

Load a small Linux or other OS, fast and easy from USB or CD/DVD (see Live CD or use my instructables)

///post your ideas///! COLLABORATE !

Specific PXE or GRUB boots and small USB drives can boot most any OS you choose.

Step 2: Windows ISO Boot disc(s)...

Free ISO Image Downloads:

These are the ISO boot disk images available from AllBootDisks.
Download the ISO image you need, and if you need assistance creating a bootable CD from this image, visit the how-to page.

Everyone's seen Windows boot screens...ugh, think of ALL THE YEARS wasted watching DOS & Windows boot!

ERCK
________________________________________


DOS4.01_bootdisk.iso

DOS5.0_bootdisk.iso

DOS6.0_bootdisk.iso

DOS6.21_bootdisk.iso

DOS6.22_bootdisk.iso

Win95a_bootdisk.iso

Win95b_bootdisk.iso

Win98SE_bootdisk.iso

Win98SEnoram_bootdisk.iso

Win98_bootdisk.iso

Win98noram_bootdisk.iso

WinMe_bootdisk.iso

WinMenoram_bootdisk.iso

ISO's are well documented already....

Step 3: Live CD distributions to choose from (list)

Live CD Distributions by # votes (alphabetical)

Columns: votes, name, ISO size min (MB), ISO size max (MB), primary function

0 3Anoppix 712 712 Desktop
0 ABC Linux 579 579 Desktop
0 Adios 700 700 Education
0 AdvanceCD 16 16 Gaming
0 AL-AMLUG Live CD 512 512 Desktop
0 AliXe 370 370 Desktop
0 AmaroK Live 289 289 Home Entertainment
0 Ankur 418 418 Desktop
0 Anonym.OS 575 575 Secure Desktop
0 ANTEMIUM 620 620 Desktop
0 Arabbix 550 550 Desktop
0 Archie 325 325 Desktop
0 Arudius 212 212 Security
0 Auditor security collection 538 538 Security
0 Augustux 700 700 Desktop
0 Aurox Live 698 698 Desktop
0 avast! BART CD 155 155 Rescue, Windows Antivirus
0 basilisk 650 650 Desktop
0 BDI-Live 138 138 CNC Metalworking
0 BEERnix 409 409 Desktop
0 BeleniX 637 637 Desktop
0 BerliOS MiniCD 182 182 Desktop
0 bioknoppix 681 681 Bioinformatics, Education
0 Blin Linux 36 160 Desktop
0 Bootable Cluster CD 188 188 Clustering
0 BOSS Live CD 646 646 Security
0 BrutalWareII 117 117 Security
0 Burnix 690 690 Clustering
0 ByzantineOS 43 43 Home Entertainment
0 Caster 545 545 Media Production
0 Càtix 717 717 Desktop
0 CDlinux 18 18 Rescue
0 CDMEDICPACSWEB 195 587 Medical
0 CHAOS 8 8 Clustering
0 CHRONOMIUM 68 68 Windows Antivirus
0 ClusterKnoppix 600 600 Clustering
0 Conectiva Linux Live CD 252 400 Desktop
0 Cool Linux CD 632 632 Desktop
0 Crash Recovery Kit for Linux 80 80 Rescue
0 Danix 683 683 Desktop
0 Dappix 700 700 Desktop
0 DeadCD 92 92 Desktop, Rescue
0 DemoLinux 650 650 Desktop
0 DeMuDi Live 575 575 Media Production
0 DevelopGo 695 695 Development
0 Devil-Linux 88 88 Firewall, Server
0 distccKNOPPIX 38 38 Clustering
0 Dizinha 154 154 Desktop
0 DNALinux 329 329 Bioinformatics
0 ECGL 706 706 Development
0 Echelon Linux 240 240 System Administration
0 eduKnoppix 700 700 Education
0 EduMorphix 643 643 Education
0 ELE 61 61 Secure Desktop
0 eLearnix 90 90 Education
0 elpicx 690 1382 Education
0 Emergency CD 174 174 Rescue
0 eMoviX 10 10 Home Entertainment
0 eZ publish LiveCD 487 487 Server
0 FCCU GNU/Linux Forensic Boot CD 519 563 Forensics
0 ffsearch-LiveCD 194 194 Server
0 FIRE 579 579 Forensics
0 fiubbix 670 670 Desktop, Education
0 Flash Linux 362 362 Desktop
0 FlashMob ISO 63 63 Clustering
0 Flonix 187 187 Desktop
0 floppyfw 2 2 Firewall
0 Formilux 38 160 Server
0 Freeduc 699 699 Desktop, Education, GIS
0 FuguIta 623 623 Desktop
0 GamesGo 698 698 Gaming
0 Gentoox 543 543 Desktop
0 GeoMorphix 672 672 GIS
0 Ging 164 164 Desktop
0 GIS-Knoppix 700 700 GIS
0 GISIX 635 635 GIS
0 GisMorphix 567 567 GIS
0 GNOME LiveCD 629 629 Desktop
0 gnome2live 430 430 Desktop
0 gNOX 242 242 Desktop
0 GNU/Linux Kinneret 623 623 Education
0 GParted LiveCD 52 52 System Administration
0 GPUL 534 534 Education
0 grml 49 696 OS Replacement, Rescue, Security
0 Guadalinex 592 700 Desktop
0 Hakin9 Live 625 625 Security
0 Hax Desktop 611 611 Desktop
0 Helix 701 701 Forensics
0 Hikarunix 182 182 Gaming
0 IndLinux Hindi 532 532 Desktop
0 jollix 506 506 Gaming, Home Entertainment
0 Julex 216 216 Desktop
0 JUX 695 695 Education
0 Kaboot 87 349 Desktop, Rescue, Science
0 Kalango 396 396 Desktop
0 KANOTIX CPX-MINI 230 230 Desktop, OS Replacement
0 Kazit 633 633 Desktop
0 KibZiLLa 288 288 Desktop
0 Klax 382 382 Desktop
0 Knoppel 648 648 Desktop
0 Knoppix 3.3 NY/NYLUG edition 702 702 Desktop
0 Knoppix en español 651 651 Desktop
0 Knoppix for Kids 699 699 Desktop, Education
0 Knoppix Japanese Edition 681 681 Desktop
0 KNOPPIX-BV1AL 685 685 Desktop
0 KNOPPIX-EXTON 665 665 Desktop
0 Knoppix64 600 720 Desktop, Development
0 KnoppixQuake 130 130 Server
0 KnoSciences 661 661 Education
0 Komodo Linux 695 695 Desktop
0 Kororaa 695 695 Desktop, OS Replacement
0 KursLinux 696 696 Education
0 Kurumin 187 187 Desktop
0 LAMPPIX 157 207 Server
0 Legnoppix 380 380 Robotics
0 LFS boot-cd 240 240 OS Replacement, Rescue
0 LFS LiveCD 106 351 Desktop
0 LG3D LiveCD 606 606 Desktop
0 LinspireLive! 659 659 Desktop
0 Linux Live-CD Router 83 83 Firewall
0 Linux Magazine miniCD 185 185 Desktop, Rescue
0 Linux-EduCD 653 653 Education
0 Linuxcare Bootable Toolbox 47 47 Rescue
0 LinuxConsole 58 532 Gaming
0 Lisp Resource Kit 612 612 Development, Education
0 LiveOIO 615 615 Medical
0 LiveZope 697 697 Development, Education
0 LNX-BBC 48 48 Desktop, Rescue
0 Local Area Security Linux 185 210 Desktop, Security
0 Lonix 149 149 Rescue
0 LUC3M 700 700 Desktop
0 Mediainlinux 691 694 Media Production
0 mGSTEP Live CD 88 88 Desktop
0 MiniKazit 180 180 Desktop, OS Replacement
0 MiniKnoppix 198 198 Rescue
0 MIOLUX 678 678 Desktop
0 Mono Live 702 702 Development
0 Monoppix 429 429 Development
0 Morphix-NLP 448 448 Science
0 MoviX 27 42 Home Entertainment
0 MoviX2 49 49 Home Entertainment
0 muLinux 68 68 Desktop
0 Myah OS 374 374 Desktop
0 NetMAX DeskTOP 697 697 Desktop, OS Replacement
0 Network Security Toolkit 262 262 Security
0 NeWBIE 641 641 Desktop
0 NIOde 550 550 Development
0 NordisKnoppix 699 699 Desktop
0 OnebaseGo 671 671 Desktop, OS Replacement
0 OpenGroupware Knoppix CD 546 546 Server
0 OpenVistA VivA 560 560 Medical
0 Operator 570 570 Security
0 Oralux 528 528 Desktop, Desktop
0 PaiPix 1720 1720 Science
0 Pardus Live CD 688 688 Desktop
0 Parsix 697 697 Desktop
0 Parted Magic 31 31 System Administration
0 PCG-C1VN Live CD 457 457 Desktop
0 Penguin Sleuth Bootable CD 689 689 Forensics
0 Pentoo 482 482 Security
0 Phrealon 34 34 System Administration
0 Pilot Linux 66 66 System Administration
0 PLAC 48 48 Forensics, Rescue
0 PLD Live CD 519 519 Desktop
0 PLD RescueCD 51 51 Rescue
0 PLoP Linux 40 40 Rescue
0 PlumpOS 51 51 Clustering
0 Pollix 695 695 Development
0 Public IP ZoneCD 271 271 Firewall
0 PXES 13 13 Thin Client
0 Pyro Live CD 622 622 Robotics
0 QiLinux 657 682 Desktop
0 Quantian 691 1961 GIS, Science
0 Repairlix 11 11 Rescue
0 RIP 9 25 Rescue
0 ROCK Linux 411 458 Desktop
0 Rxlinux 10 10 Server
0 Salvare 18 18 Rescue
0 Santa Fe Desktop Linux 614 614 Desktop
0 SchilliX 411 411 OS Replacement
0 SciLix 480 480 Desktop, Education, Scientific
0 SENTINIX 213 213 Security
0 Sentry Firewall CD 288 288 Firewall
0 Shabdix 680 680 Education
0 Shinux 99 155 Desktop
0 Skolelinux 662 662 Desktop, Education
0 SlackPen 322 322 Security
0 Slackware (Disc 2) 657 657 OS Replacement
0 slavix 624 624 Desktop
0 SLAX Frodo Edition 47 47 Diagnostics
0 Slix 693 693 Desktop
0 Slo-Tech Linux livecd 700 700 Desktop
0 SNAPPIX 553 553 Development
0 Snøfrix 695 695 Education
0 SoL-diag 35 546 Diagnostics, Rescue
0 Stanix Professional 660 660 Desktop
0 StarCD 530 530 GIS
0 StreamBOX-LiveCD 698 698 Media Production
0 StudioGo 692 692 Home Entertainment, Media Production
0 Sulix 700 700 Desktop
0 SuperRescue 701 701 Rescue
0 TeaM-TL 700 1320 Desktop
0 The Backpack Programmer's LiveCD 684 684 Development
0 TheOpenCD 596 596 Desktop
0 Thinstation 9 9 Thin Client
0 Tilix 705 705 Desktop
0 Timo's Rescue CD 55 55 Rescue
0 TiNA Knoppix 644 644 Science
0 tlf-morphix 404 404 Hobby
0 tomsrtbt 3 3 Rescue
0 Toothpix 717 717 Medical
0 TPM Security Server 294 294 Forensics, Security
0 Trinity Rescue Kit 50 50 Rescue
0 Trinux 19 19 Security
0 UHU-Linux Live CD 633 633 Desktop
0 uOS 261 261 OS Replacement
0 UserLinux 456 456 Desktop
0 VigyaanCD 647 647 Bioinformatics, Education
0 Virtual Linux 628 628 Desktop
0 WarLinux 53 53 Security
0 Wolvix 452 452 Desktop
0 WOMP! 13 30 Home Entertainment
0 X-Evian 633 633 Media Production
0 XAMPPonCD 88 88 Development
0 Xebian 269 269 Desktop
0 Xen Demo CD 720 720 Server
0 Xfld 650 650 Desktop
0 XNUXER 697 697 Desktop
0 XoL 700 700 Desktop
0 XORP Live CD 132 132 Firewall
0 Zaurus Development Version of DemoLinux 650 650 Development
1 aquamorph 382 382 Desktop
1 ATMission 530 530 Desktop, Server
1 cdlinux.pl 205 634 Desktop
1 Clusterix 275 275 Clustering
1 Freeduc-games 645 645 Gaming
1 Freepia 36 36 Home Entertainment
1 Frenzy 200 200 Rescue, Security
1 Gnoppix 659 659 Desktop
1 GNUstep live CD 420 420 Desktop
1 Kate OS LIVE 681 681 Desktop
1 knopILS 629 629 Desktop
1 Knoppix-MiB 650 650 Desktop, Secure Desktop
1 KnoppiXMAME 120 120 Gaming
1 KnoppMyth 469 469 Home Entertainment
1 Lin4Astro 595 595 Astronomy
1 LiveBSD 654 654 Desktop, OS Replacement
1 loonix-live 495 495 Desktop
1 Luit Linux 50 74 Desktop
1 Mandriva One 674 674 Desktop
1 MitraX 50 50 Desktop
1 Musix GNU+Linux 700 700 Media Production
1 NavynOs 384 384 Security
1 NetBoz 53 143 Firewall
1 Overclockix 655 700 Desktop, Diagnostics, Rescue
1 ParallelKnoppix 550 550 Clustering
1 Phaeronix 676 676 Desktop, OS Replacement
1 PHLAK 471 471 Security
1 Plan-B 658 658 Forensics, Rescue, Security
1 Sabayon 697 3477 Desktop
1 stresslinux 51 51 Diagnostics
1 STUX 255 650 Desktop
1 Symphony OS 568 568 Desktop, OS Replacement
1 T2 @Live 546 546 Desktop
1 Tao Live 675 675 Desktop
1 Whoppix 687 687 Security
1 Windows PE 0 0 Rescue
1 Zen Linux 307 564 Desktop, OS Replacement
2 austrumi 50 50 Desktop
2 BackTrack 625 625 Security
2 Baltix 703 703 Desktop
2 Benix Kanotix 189 189 Desktop
2 Berry Linux 425 425 Desktop
2 GeeXboX 5 5 Home Entertainment
2 Kurumin Games 708 708 Gaming
2 Morphix 203 648 Desktop, Gaming
2 redWall Firewall 148 154 Firewall
2 SLAX Popcorn Edition 104 104 Desktop
2 SLYNUX 730 730 Desktop, OS Replacement
2 VectorLinux 264 264 Desktop, OS Replacement
3 Feather Linux 63 63 Desktop
3 GoboLinux 634 634 Desktop
3 Kaella 700 700 Desktop, Education
3 KCPenTrix 401 401 Security
3 Knoppix STD 497 497 Security
3 LinuxDefender Live! 515 515 Rescue, Windows Antivirus
3 Mutagenix 99 549 Desktop, Diagnostics, OS Replacement, Rescue
3 SLAMPP 285 285 Server
4 FreeBSD LiveCD 413 413 OS Replacement, Rescue
4 GamesKnoppix 683 683 Gaming
4 Kubuntu 572 619 Desktop
4 m0n0wall 5 5 Firewall
5 BeatrIX Linux 167 167 Desktop
5 GoblinX Mini Edition 149 149 Desktop
5 INSERT 49 49 Rescue, Security
5 LLGP 695 695 Gaming
6 Suse Live-Eval 1446 1451 Desktop
6 SystemRescueCD 92 104 Rescue
7 Elive 200 700 Desktop
7 SLAX KillBill Edition 188 188 Desktop
8 Ultimate Boot CD 121 186 Diagnostics, Rescue
9 WHAX 574 574 Security
10 dyne:bolic 444 444 Clustering, Desktop, Media Production
15 FreeSBIE 596 596 Desktop, OS Replacement
15 Gentoo 50 1815 OS Replacement, Rescue
22 Puppy Linux 60 60 Desktop
23 Ubuntu 699 3553 Desktop, OS Replacement
34 MEPIS 693 693 Desktop, OS Replacement
38 Damn Small Linux 48 48 Desktop, OS Replacement
39 GoblinX 302 302 Desktop, OS Replacement
46 Knoppix 700 700 Desktop, OS Replacement
47 NimbleX 200 200 Desktop
83 PCLinuxOS 299 685 Desktop, OS Replacement
199 Kanotix 503 719 Desktop, OS Replacement
222 SLAX 41 202 Desktop, OS Replacement

Currently displaying 315 LiveCD/DVDs

Key:

Primary Functions:

Desktops: provides a working GUI desktop environment with a collection of desktop programs, such as browsers and text editors. Many also include utilities for other purposes, such as home entertainment, but are only listed here because the additional functions are not their primary focus.

OS Replacement: provides an option to transfer the cd to the hard drive, or to install an OS in a different form

Education: provides a collection of educational programs, or was created to be used in the educational field

Rescue: provides tools needed for data recovery

Clustering: provides tools for making clusters

Security: contains network security tools

Home Entertainment: geared towards playing video and audio

Gaming: video games!

Medical: contains medical programs

Diagnostics: contains utilities for testing hardware

Firewalls: distributions created to be used as firewalls

Forensics: distributions containing forensic tools

Servers: distributions used for various server functions

ISO Size:

The ISO min size and ISO max size refer to distributions which have different size images of the current release. Sizes over 700MB may require overburning to be put onto a CD, or be a LiveDVD ISO. Many LiveCDs can also be copied onto and booted from USB drives.

Architectures

x86: AMD and Intel computers, could include optimizations from the 386 to the Pentium IV to the Athlon XP
x86-64: Computers with chips that use the AMD64 64-bit extensions, known in the Intel camp as EM64T. These chips include the Athlon64, Opteron, Pentium 4 600 series, Pentium D, Core 2 Duo, and modern Xeons
PPC: PowerPC chips, including the Apple G3, G4, and G5 (in 32-bit mode), possibly other IBM Power chips
PPC64: PowerPC 64-bit chips, including the Apple G5, possibly other IBM Power chips
Eden: LiveCDs specifically made for the VIA Eden platform. Because these are based on the x86 instruction set, x86 LiveCDs may work too.
Xbox: Made for the XBox, may require software or hardware mods to run
IA-64: Itanium and Itanium2 platforms
Sparc64: SUN Sparc 64-bit platform
Alpha: Alpha platform, once made by DEC, then Compaq, and now being phased out by HP
Mips: Some SGI platforms
HPPA: Also known as PA-RISC, made by HP, also being phased out

http://www.livecdlist.com

Step 4: Browse any files...NTFS FAT file systems (folders)

logon...browse files....from YOUR OS to their HDD (read only)?

Now mount (http://gentoo-wiki.com/HOWTO_Auto_mount_filesystems_(AUTOFS)) and go see any files, run or copy files and see all folders and directories, no hidden, no protected, and most any compression or encryption (EFS) can be recovered and copied.

Only the best DES or PGP file systems will prevent visual inspection.
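Whether a disk is exposed to this kind of offline browsing is visible in its first sector. The following is an added example, not part of the original instructable: it classifies a volume's first 512 bytes by the standard on-disk signatures for NTFS, FAT, BitLocker and LUKS so an administrator can list which volumes would be readable from another OS. The sample sectors and volume names are constructed for illustration.

```python
"""Added example: classify a volume's first sector as plaintext or encrypted."""
import hashlib
import math
import struct
from collections import Counter

SECTOR_SIZE = 512


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify_boot_sector(sector: bytes) -> dict:
    """Return the volume kind and whether a foreign OS can read it directly."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    sector = sector[:SECTOR_SIZE]
    oem_id = sector[3:11]  # OEM ID field of a FAT/NTFS-style boot sector
    if sector[0:6] == b"LUKS\xba\xbe":
        version = struct.unpack(">H", sector[6:8])[0]  # big-endian version
        return {"kind": f"LUKS{version}", "readable_offline": False}
    if oem_id == b"-FVE-FS-":  # BitLocker replaces the NTFS OEM ID
        return {"kind": "BitLocker", "readable_offline": False}
    if oem_id == b"NTFS    ":
        # EFS-protected files live inside an ordinary NTFS volume, so names
        # and directory layout stay visible; only file contents are encrypted.
        return {"kind": "NTFS", "readable_offline": True}
    if sector[0x52:0x5A] == b"FAT32   ":
        return {"kind": "FAT32", "readable_offline": True}
    if sector[0x36:0x3B] in (b"FAT12", b"FAT16"):
        return {"kind": sector[0x36:0x3B].decode("ascii"), "readable_offline": True}
    if shannon_entropy(sector) > 7.0:
        # No signature but near-random bytes: may be a headerless container.
        return {"kind": "high-entropy", "readable_offline": None}
    return {"kind": "unknown", "readable_offline": None}


def exposed_volumes(volumes: dict) -> list:
    """Names of volumes whose contents a booted live OS could browse."""
    return sorted(name for name, sector in volumes.items()
                  if classify_boot_sector(sector)["readable_offline"])


def make_sector(patches: dict) -> bytes:
    """Build a constructed 512-byte sector with the given byte patches."""
    buf = bytearray(SECTOR_SIZE)
    for offset, value in patches.items():
        buf[offset:offset + len(value)] = value
    return bytes(buf)


def pseudo_random_sector() -> bytes:
    """Deterministic random-looking sector (stands in for ciphertext)."""
    out, seed = b"", b"constructed sample"
    while len(out) < SECTOR_SIZE:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:SECTOR_SIZE]


# Constructed sample sectors; the volume names are hypothetical.
SAMPLES = {
    "kiosk-C": make_sector({3: b"NTFS    ", 510: b"\x55\xaa"}),
    "laptop-C": make_sector({3: b"-FVE-FS-", 510: b"\x55\xaa"}),
    "usb-stick": make_sector({0x52: b"FAT32   ", 510: b"\x55\xaa"}),
    "linux-root": make_sector({0: b"LUKS\xba\xbe", 6: b"\x00\x02"}),
    "container": pseudo_random_sector(),
}

if __name__ == "__main__":
    for name, sector in SAMPLES.items():
        print(name, classify_boot_sector(sector))
    print("readable from another OS:", exposed_volumes(SAMPLES))
```

To audit a real machine, read the first 512 bytes of each volume with administrative rights and pass them to `classify_boot_sector`.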

Step 5: Protection ?

Only way is to triple encrypt (PGP or DES3) your raw data on HDD then upon discard perform a "clean" 23x rewrite "0" zeros and "1" ones then 23x write "1" ones then 23x "0" zeros...

Then burn and chip (~1mm) the platters entire surface and submerge in nitric then sulfuric acids.

DOD and NSA can read data off intact platters via electron scanning or Electron tunneling microscopes but not after the 23x triple re-writes and surface scour as the newer magnetic particles leave zero residual changes in the sub-medium.

Most of the data can never be read.

...don't think so...?

most crooks and bad guys are not that well educated, that's how we catch you...

Step 6: BIOS Backdoors

Bypassing BIOS Solutions:

1. BIOS passwords secure different levels of system access. Lowest level is access control for power management functions, next for BIOS access (BIOS password) and highest level is for PC access (Administrator password).

2. BIOS password is stored in a non-erasable part of the CMOS ('BIOS memory'). On desktop PCs this CMOS is buffered by an onboard battery. Depending on your mainboard layout you'll see a separate battery or won't see it as it will be integrated in a multifunction chip housing battery, real time clock (RTC) and other components (usually a small black brick on the mainboard).

Keeping that in mind different ways of removing the password are possible.

Remove password with some kind of software
This works only if you have access to your PC and can run software (meaning no Administrator password is set).
CMOSpwd www.cgsecurity.org/index.html?cmospwd.html

Remove password by manually invalidating CMOS content
When CMOS RAM loses power, a bit is set to indicate this, which should cause the BIOS to detect that the CMOS RAM is invalid and will normally result in the loading of default values. The same results can be obtained by using a simple DEBUG script to invalidate CMOS RAM. This may be much more convenient than shorting pins on a chip in cases where it is possible to boot to a DOS prompt to run DEBUG. Here is a DEBUG script to invalidate CMOS RAM.

This should work on all AT / ATX motherboards (some systems do not have CMOS RAM)

Boot from floppy with DOS or USB thumb drive.

A:\>DEBUG
- o 70 2E
- o 71 FF
- q (Quits to DOS)
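The script above selects CMOS register 2E and writes FF to it. In the standard AT layout that register holds the high byte of a checksum over registers 10h to 2Dh, which is how the BIOS decides the contents are invalid. The following is an added example, not part of the original instructable: it validates that checksum over a CMOS dump so a technician can tell invalidated settings from intact ones. It assumes a 128-byte dump indexed by register number and the standard AT layout (vendor firmware may checksum further regions); the sample dump is constructed.

```python
"""Added example: validate the standard AT CMOS checksum over a register dump."""

CMOS_SIZE = 128
SUM_FIRST, SUM_LAST = 0x10, 0x2D        # registers covered by the checksum
CHECKSUM_HI, CHECKSUM_LO = 0x2E, 0x2F   # where the 16-bit sum is stored
DIAG_STATUS = 0x0E                      # diagnostic status byte set during POST
DIAG_POWER_LOST = 0x80                  # bit 7: RTC/CMOS lost battery power
DIAG_CHECKSUM_BAD = 0x40                # bit 6: BIOS found a bad checksum


def computed_checksum(cmos) -> int:
    """16-bit sum of the checksummed configuration registers."""
    return sum(cmos[SUM_FIRST:SUM_LAST + 1]) & 0xFFFF


def stored_checksum(cmos) -> int:
    """Checksum as recorded in registers 2Eh (high) and 2Fh (low)."""
    return (cmos[CHECKSUM_HI] << 8) | cmos[CHECKSUM_LO]


def checksum_valid(cmos) -> bool:
    return computed_checksum(cmos) == stored_checksum(cmos)


def max_valid_high_byte() -> int:
    """Largest high byte any settings can produce: 30 registers * FFh = 1DE2h."""
    return ((SUM_LAST - SUM_FIRST + 1) * 0xFF) >> 8


def findings(cmos) -> list:
    """Human-readable reasons this dump would be treated as invalid."""
    if len(cmos) < CMOS_SIZE:
        raise ValueError("expected a 128-byte CMOS dump")
    notes = []
    if not checksum_valid(cmos):
        notes.append("checksum mismatch: stored 0x%04X, computed 0x%04X"
                     % (stored_checksum(cmos), computed_checksum(cmos)))
    if cmos[CHECKSUM_HI] > max_valid_high_byte():
        # A value above 1Dh cannot come from summing 30 bytes, so it was
        # written directly or the RAM is corrupt.
        notes.append("checksum high byte 0x%02X exceeds 0x%02X"
                     % (cmos[CHECKSUM_HI], max_valid_high_byte()))
    if cmos[DIAG_STATUS] & DIAG_POWER_LOST:
        notes.append("diagnostic byte reports loss of battery power")
    if cmos[DIAG_STATUS] & DIAG_CHECKSUM_BAD:
        notes.append("diagnostic byte reports a bad checksum at last POST")
    return notes


def build_sample() -> bytearray:
    """Constructed dump with arbitrary settings and a correct checksum."""
    cmos = bytearray(CMOS_SIZE)
    for reg in range(SUM_FIRST, SUM_LAST + 1):
        cmos[reg] = (reg * 7) & 0xFF    # filler values, not real settings
    total = computed_checksum(cmos)
    cmos[CHECKSUM_HI] = total >> 8
    cmos[CHECKSUM_LO] = total & 0xFF
    return cmos


if __name__ == "__main__":
    intact = build_sample()
    print("intact:", findings(intact))
    altered = build_sample()
    altered[CHECKSUM_HI] = 0xFF         # the state the DEBUG script leaves behind
    print("altered:", findings(altered))
```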

Remove password using common master passwords
Please be aware that most BIOS releases lock your PC completely after entering 3 wrong passwords !

American Megatrends BIOS
AMI, A.M.I, AMI_SW, aammii, AMI!SW, AMI.KEY, ami.key, AMI~, AMIAMI, AMIDECOD, AMIPSWD, amipswd, AMISETUP, BIOSPASS

Award BIOS
?award, awkward, award, award_?, award.sw, award sw, AWARD_SW, AWARD SW, admin, alfarome, aLLy, aPAf, BIOS, biosstar, biostar, CONTACT, condo, CONDO, g6PJ, h6BB, HELGA-S, HLT, j09F, j64, j262, j256, j322, lkw peter, lkwpeter, LKWPETER, PASSWORD, SER, setup, SKY_FOX, SWITCHES_SW, Sxyz, SZYX, t0ch20x, t0ch88, TTPTHA, TzqF, wodj, zbaaaca, 1322222, 256256

Phoenix
phoenix

SystemSoft PnP BIOS
system

manufacturer preset ones
VOBIS & IBM: merlin
Dell: Dell
Biostar: Biostar
Compaq: Compaq
Enox: xo11nE
Epox: central
Freetech: Posterie
IWill: iwill
Jetway: spooml
Packard Bell: bell9
QDI: QDI
Siemens: SKY_FOX
TMC: BIGO
Toshiba: Toshiba

Remove password on certain PC's and notebooks
IBM PC's and notebooks
Toshiba notebooks
HP notebooks

Remove password using Clear CMOS jumper on your mainboard
Please refer to your manual to locate this jumper. Clearing CMOS will erase all passwords set but all your user defined settings like harddisk type, RAM timings etc, too. You'll have to set these values again after clearing CMOS.

Remove password by clearing CMOS due to disconnected power
CMOS content is buffered by an onboard battery. If you disconnect this power supply your CMOS clears automatically as the content can't be refreshed due to the missing power. This works easily if you see the onboard battery. Remove the battery for at least 5 minutes and insert it again in its socket.

Remove password by clearing CMOS within RTC chip
Depending on the RTC chip used on your mainboard you can reset CMOS content by connecting two pins on the RTC chip. A paperclip bent into a U shape is a good tool for this. For all the following activities your PC has to be powered off.

Chips & Technologies P82C206
This is usually a square PLCC chip, sometimes soldered onto the motherboard, sometimes in a socket. CMOS RAM on this chip is cleared by shorting together pins 12 (GND) and 32 (5.0V) or pins 74 (GND) and 75 (5.0V) for a few seconds.

Pins 12 and 32 are the first and last pins on the bottom edge of the chip, pins 74 and 75 are the 2 corner pins on the upper left corner.

OPTi F82C206
This is a small rectangular PLCC chip usually soldered onto the board. CMOS RAM is cleared on this chip by shorting together pins 3 and 26 on bottom edge of chip for a few seconds.

Pin 3 is third pin from left side and pin 26 5th pin from right side, both on bottom edge.

Dallas DS1287 and benchmarq bq3287MT
CMOS RAM can't be cleared. Instead you can replace the RTC chip with a new one. You can even use an updated version (DS1287A or bq3287AMT) which supports CMOS clearing.

Dallas DS1287A and benchmarq bq3287AMT
This battery should last up to 10 years. Any motherboard using these chips should not have an additional battery. CMOS RAM can be cleared on the DS1287A and bq3287AMT by shorting pins 12 (GND) and 21 (RAM Clear).

Pins are labeled 1 to 24 running counter clockwise starting left of bottom edge. Pin 12 is first pin from right side on bottom edge and Pin 21 is third pin from left side on top edge.

Motorola MC146818AP or compatible
This is a rectangular 24-pin DIP chip, usually in a socket. Compatible chips are made by several manufacturers including Hitachi (HD146818AP) and Samsung (KS82C6818A). The number on the chip should end in 6818. Although this chip is pin-compatible with the Dallas 1287/1287A, there is no built-in battery. This means that CMOS RAM can be cleared on this chip by just removing it from the socket for a few seconds and replacing it.

Dallas DS12885S and benchmarq bq3258S
CMOS RAM is cleared on this chip by shorting pins 12 (GND) and 20. Even shorting pin 12 (GND) and 24 (5.0V) will help.

Pins are labeled 1 to 24 running counter clockwise starting left of bottom edge. Pin 12 is first pin from right side on bottom edge and Pin 21 is third pin from left side on top edge. Pin 24 is first pin from left on top edge.

Additional BIOS passwords and hints can be found here:
http://www.11a.nu/ibios.htm

OmarK24 months ago

I have my school laptop I want to hack too. But the easy way to take it over is to reset the BIOS password, but I don't want to get caught again, try UBCD or something and Moba Live CD to crack the BIOS or modify it. I originally thought of cracking the BIOS with software, now I found I can modify the BIOS to get the password or not require it temporarily and put it back the original password. Maybe I can use a Linux CD to access the BIOS password Drive. I know how it sucks to have a restricted laptop, I not only want to play games, but run all my programs I do at home and encrypt/hide some of my files too.

jackietheman6 months ago

Guys, why not talk about this on school laptops? I'm trying to bypass the admin so I can play my games.

mrmath 8 years ago
I work for IBM Global Technology Services. They provide us with IBM/Lenovo laptops. Our security policy states we must have a power on password set in our bios. You can't get to the bios to change to boot to another device (USB) without first knowing the power on password. If you could get to the bios to change the boot order, you couldn't boot to any device without knowing the power on password. Our security policy also requires we have a hard drive password. This password is asked for at power up. If you don't know it, you can't get to the hard drive. That means that even if you could power it up, and boot it from USB, you couldn't mount the drive if you don't know the hard drive password. There is no way around this. I know this because when we return our old computers, and we forget to remove these hard drives, they call us to get them. If we don't remember them, the laptop and the hard drive are toast. Even as the company that manufactures the machine (back when IBM did that), we couldn't remove the power on or hard drive passwords. So, while your method will work on a machine not protected with a power on password or a hard drive password, it will NOT work on every machine.
erckgillis (author)  mrmath 8 years ago
I work for HP, we hack your old laptops all the time:

Power-on BIOS passwords hack:

1) IBM - Press BOTH mouse keys repeatedly during power up.
2) "Backdoor" BIOS passwords ( from IBM Manuals) try 'merlin' or see http://www.uktsupport.co.uk/reference/biosp.htm
3) Remove BIOS battery backup...drain and rest
4) Attach floppy and "Flash" BIOS to new version without passwords...

Harddrive Power On passwords.
1) Read HDD in Hex editor and do a "Ghost" copy to non-password HDD
2) Remove IDE/SATA or SCSI controller from HDD. Use a non-locked controller
3) Perform forensic binary transfer to HDD without lock HW enabled.

Easy cheesy...do it weekly...

don't be fooled that no-one can get your data...if I get the platters your toast...

E
Do you still use this site erckgillis?
Are you talking about the hard drive password that is set within the laptop or something? That makes sense but you won't be getting much from encrypted drives and files.
You mean "you're toast", and yes, if you get my platters, and have the exact same hard drive, and can get the platters from one of them to the other, I'm toast.
erckgillis (author)  mrmath 8 years ago
Power on passwords are stored on the hard drive and read at power on from the hard drive's controller (IDE/SCSI or SATA). I replace your controller with one not enabled for hardware power-on and tada! No passwords. Only issue is the controller 'remembers' all bad sectors and "spared" cylinders...so my "NEW" controller will often try to read or spare out valid or invalid sectors and cylinders...so a HEX or Binary copy to a drive with a 'clean' controller and new HDD works best... Then I browse the old data. Way cool is to "swap" someone's drive in a laptop when they are not aware...Use a dead one... then take your time to recover all the sensitive data...in theory... oops....
This is not the case on IBM/Lenovo laptops. I have two hard drives in my machine. When I got the new one, it was larger than the original one, so I yanked that one, and put in the new one. Still came up with the power on password. If it were stored in the hard drive, it wouldn't have come up. Don't know how many times I have to say it. Even as the manufacturer, IBM/Lenovo can not remove power on or hard disk passwords.
awace mrmath 6 years ago
Why didn't you just remove the password before you upgraded the drive like I did!!!
erckgillis (author)  mrmath 8 years ago
dude wrong...sorry... BIOS Passwords: These are on the EPROM CMOS not the HDD and is backed up by a small NiMH battery. Remove that and it forgets BIOS passwords. Or use master passwd and reset via jumper on motherboard. Harddrive passwords: I DO IT AT WORK...send me your harddrive! I'll send back your password(s). You admit you know not how it's done. IBM no longer make these drives you say? If it's NOT on your harddrive it would be USELESS as I put it in another PC and I see your data...duh The HDD passwd is on the ALT Bootstrap sector and read by the controller...replace that and it "forgets". Only encryption works...PGP or DES... E
Without getting you in trouble with your work, is there a way you can share with us how to reset a BIOS password on a tc4400? I really don't want to send it in ... Thanks
awace laxamar 6 years ago
Toshiba: hold Esc during boot to get into CMOS! Otherwise there could be three CMOS batteries which hold passwords. Otherwise you could short.
You work for HP eh? :o)
I have an Omnibook 900 eBay bargain that has a locked BIOS and windows 2000 with a password on it, how can I reset that then? Serious question.

All I've found are places that want to charge £90* for a replacement BIOS chip. I've tried HP tech-support who asked me for photo-id/a signed declaration that I own the laptop/receipt/proof of address/sworn affidavit that I will hand-over my first born etc that I've sent, but not heard anything else : /

I've read that with the serial number HP can tell me the "master" BIOS password for the laptop. Is that true?

The only other option at the moment that I can see is to get a laptop->IDE cable and use dd to copy a disc-image onto the hard drive. I've already tried using a LNX BBC LiveCD but the external CD drive is obviously not set up as a boot device in the BIOS.

*This is a £30 donor laptop for (Yet Another) digital photo-frame mod so I'm loathe to spend £90 for someone with a PIC programmer to flip a bit on the BIOS chip.
ikem adamazing 7 years ago
Windows 2000 and XP have the same way to handle users and passwords. To reset a Windows XP password there is a Mini-Linux:

Offline NT Password & Registry Editor
http://home.eunet.no/~pnordahl/ntpasswd/
Here's the torrent download link for a bootable image file that will remove your Windows admin passwords. You'll need Azureus or something to read the torrent. Burn the iso file as an image onto cdr and boot off it. Works on 2000 & XP.. haven't tried it on any other versions.

http://www.isohunt.com/download/16593302/windows+password+reset
spoty23 mrmath 1 year ago
Hey, I know about the Lenovo password, for I have recently tried to change the BIOS and I got put on the password screen, but I just pushed Enter and it let me in, but I couldn't modify the BIOS boot order. I was trying to test my kon-boot USB on my computer but I couldn't do it because I couldn't add the USB 2.0 to the boot order, which is what I needed to do. So yeah, you're right, it won't work. :'(
7Stacks mrmath 7 years ago
This is true. Those IBM/Lenovo laptops are very secure in that aspect. And you get one shot at HDD password and then it locks you up and kicks you out of BIOS setup.
That isn't exclusive to IBM, startup BIOS passwords can't be circumvented unless you reset the BIOS to default since you won't get to any portion of the startup that lets you make any changes without knowing the password.
Taotaoba mrmath 8 years ago
If the passwords are stored in CMOS, then removing the battery will do. I don't know if the manufacturers store passwords in flash memory. If so, then maybe re-flashing it will do. It will definitely not be as easy as this instructable shows. I don't know about hard disk password.
mrmath Taotaoba 8 years ago
I can't speak for other manufacturers, or give you the technical details of how IBM/Lenovo do it (because I don't know--not because I'm not allowed), but I can say that if the power on password is set on an IBM/Lenovo laptop, and you don't know it, it will not power up, and you can't do any flashing, or battery removal to get rid of the password. Like I said, even as the manufacturer of the machine, IBM/Lenovo can't do it.
you can always flash the epprom or read its data....
awace mrmath 6 years ago
I told you, you have to short the c-mos chip without batteries and only the power pack plugged in. This will remove the programming in their flash c-mos chip. It won't keep drive lock password so drive will still be locked, but c-mos will be accessible, meaning you could boot to new drive or optical drives, making laptop not obsolete. Who cares about drive.
awace mrmath 6 years ago
this doesn't work once you short the c-mos chip it resets the c-mos chip to its original programming and c-mos options remain not set which bypasses your drive lock password you have not tried to short the c-mos chip correctly then !!!!!!!!!! try it
awace awace 6 years ago
this won't let you into the drive but it will allow you to throw the hard drive away and reuse the laptop... also I bet if you knew the drive lock password then took new drive and added it to a new machine new hard drive then replaced w locked drive it would boot but you would have to know original drive lock password this would only help if laptop was trashed but drive wasn't SO MRMATH is any of what I said true I would assume the c-mos would be true cause I did it on a DFARS IBM once already and was able to format hard drive as new and the other one I couldn't get into drive cause it was click clacking and I threw it away the IBM I just reformatted it didn't have c-mos drive lock but did have a c-mos password locking me out of c-mos which I cleared w shorting .. I didn't care about the stuff on drive cause I just reloaded os onto it..
ninjanody awace 4 years ago
You can read the data of the eprom but you have to disassemble the laptop and solder jump wires onto the motherboard, assemble it back, connect the eprom reader or programmer, power up the laptop and read its data. The password was stored in the hex that the eprom reader takes from the mobo. I had already done it on an IBM laptop but it's been at least 2 years and I don't remember the source of info & utility that read the hex and gave me the pass..
micronxd mrmath 7 years ago
almost every mobo has a circuit that, when closed, will return the BIOS to factory settings. That would take care of the BIOS factory problem, but I'm curious how this HD password works... technically there are still ways of reading a HD's data no matter what... But yea... this method is pretty much useless unless the computer doesn't have a BIOS password, or unless you have access to the MoBo (which is most situations lol)
erckgillis (author) micronxd 7 years ago
HD data is encrypted with a hash and written to the platters. Removal of the drive renders it unreadable and even a removal of the platters just produces jumbled characters. A 64 bit hash can be decrypted by a supercomputer in 15 days, a 128 bit hash in 13 months and a double DES2 in 19.5 years... However if you use the same controller and reset the BIOS and firmware to match it will easily spew ASCII data on demand... Ed
DNR erckgillis 6 years ago
how to open n close dvd drive through cmd....
I'd like to know where the hard-drive password is stored. Coz if it's not stored in the hard drive, we can only replace that part of it and then pry the data out of it. This is completely theoretical... I'd like to try it out if I knew....
vaiden mrmath 7 years ago
The methods to password protect hard drives are crackable my friend, even if your IT doesn't know it. A laptop can be cracked open to clear cmos just as a desktop can for the bios pass. If someone steals a laptop from you guys they can be in it in hours, and have all your little lanman hashes in brute-force cracking. Linux will be the OS used to have your data. The guy in a nearby cubicle that started yesterday will watch you type all your passwords. Then he'll steal your laptop, and he'll have full access to your data. That guy didn't last long did he? He already quit.
erckgillis (author) vaiden 7 years ago
I know... they don't BELIEVE ME... we do it every day. If I take your "encrypted" platters, dump your controls firmware update and flash the eproms on a new card that I HAVE PASSWORDS for then I got your hard drive...all your data and in some cases access to EVERYPLACE you have ever logged onto. oh my... E
richardnot 1 year ago

PCUnlocker (http://www.top-password.com)
should be added to the Live CD list above. It can also boot in EFI/UEFI
mode, and bypass admin passwords on all versions of Windows. To remove a
BIOS password, I probably change the jumper settings or remove CMOS
battery.

g-weebens 2 years ago
This method will not work on OpenFirmware, OpenBoot, or other similar systems. The loader environment has to be accessed through a key combination.
BIOS is not the standard on all systems.
awace 6 years ago
you can short out c-mos on dallas chip you have to chunk into epoxy blob and remove lion battery then sandpaper connections left to battery and then solder new battery to chip I have done this before also look here
http://www.mcamafia.de/mcapage0/dsrework.htm
he did it the hard way all you have to do is find the battery then hack it out using a small blue type snippers works best obviously the color of snippers won't matter anyway just get to battery then using snippers unpeel like sardine can the bigger solder tab unwrap it till it comes off fully keeping as long a piece as you can but since there is picture of chip on the mcamafia site you should be able to get to pin needed for battery anyway! then get other side off the same way keeping as much connection space as needed. then since pins went up that's why shorting them won't work I think they thought keeping people away from c-mos chip they could keep them away but when battery dies computer won't boot and locks up I learned this from a gateway ride ready c-mos hi and low chip old 486 board all were bad rev #1 fun 1 no video this means the nickel cad batteries were shorted then I snipped battery off and it continued booting! to solder to pins just get some new 3m sponge scrubbie brand scratch pad then use small sandpaper file to sandpaper the pins or the connections left from battery it actually will for sure solder then after you scratch down to brass it will take solder most battery terminal solder tabs won't solder to the coating. I did that and computer works great. I also know if you have a compaq portable II suitcase computer take a nokia 3589i
Nokia BLC-2 battery and use phone to charge to charge complete then add solder blobs to battery + - terminals leave other terminals alone so you can recharge it in phone you must unsolder from computer to recharge in phone
then use a kid toy battery compartment wire for wire or comparable wire to solder and replace battery in compaq portable II suit case computer then download c-mos utility called setup this file is for a floppy so you may have to use dos 0.72 to load up dos and make floppy then remove compaq II whole drive caddy with old 5¼ and replace miniscribe IDE drive w caviar 2g or 1g or 500Mb cause you only get 259Mb anyway I forget which drive it is but it looks like 1024 16 63 and it works with 259Mb since all my 850Mb caviar wd hd's are bad I just used a 2g anyway then load up new computer w usb stick w setup on it boot to usb device or memory stick device and then format b:/s
then copy dos to floppy then steal compaq setup.exe file then take format.com
sys.com
edit.com
attrib.exe
edit.hlp
fdisk.exe
format.com
cdtech.sys
mscdex.exe
I haven't tried cdrom cause c-mos not compatible w more than 1 drive.
then hook b: to big computer remove usb stick and boot from 3¼ floppy you just made w compaq setup on it then format b: /f:360 /s
then it formats crappy compaq c-mos type floppy bootable it can be win98 but since computer has crappy memory just use win95 actually dos version does not matter qwbasic still runs then after you make a boot disk for it using its own floppy drive or another /f:360 floppy which its c-mos is looking for then you can put back into compaq portable w nokia battery as c-mos not hooked to phone remember charging is in phone as normal then solder blobs should be able to connect good when charging.
then put caviar wd 2g drive into big machine boot from 3¼ floppy put sys on it
then put into compaq II and boot from 360 floppy run setup detect 259M drive
then reboot then format c:/q/s
you might need more floppies from usb or big machine to fit all dos format utilities on then once you format c:/q/s s being system and q being fast
I use win98 cause it's faster and lets you use large.
then once you get it to boot to win98 dos you will see the win98 thing in GREEN it's so cool you can remove ide drive and put basica qwbasic and other stuff on it in xp using usb to ide stick or just put as d drive then since miniscribe is usb you should be able to do the same on xp.
on n610 or most square dram chips the side opposite pin one can be shorted no batteries must be hooked c-mos or big battery then only hook up power pack to laptop then short c-mos chip then unplug power pack super fast then wait 5 minutes then replace all batteries and c-mos will clear.
now I had a keyboard w ide video and floppy it was called a hide computer it was a vga card w ide on it and a small form factor 486 texas instruments 386 chip but it was a 486 on a 386 motherboard so it was a 486 but was a square 486 chip and overheated easily cause no heat sink lame anyway its c-mos chip was a normal 28 pin chip and if you set password even if you cleared password when it didn't have one it would just screw FUC_ it up it would just show ☺ for 1st try and then ☺ so you would get
☺☺☺ and it would lock up after 3rd password try my dad said when he gave it to me he said DONT put password into it I said ok cool free computer.
I turned it on then removed a smaller chip next to the c-mos chip then replaced it and for some reason when it was on if I turned it back off and on again this procedure would clear c-mos password which you still needed to stay out of password menu in c-mos and it would work great until you tried to add password.
that's when I learned about shorting batteries and clearing c-mos.
on most chips the 2nd to last and the 3rd to last pins usually clears every thing DO NOT DO THIS ON A arcade space invaders motherboard cause you will lose eeprom info remember c-mos for computers is 2 fold 1st the program is loaded then the .bin file is loaded into the chip but the chip is formatted a certain way so you can copy one in burner but not just send it a file
you need to run awdflash.exe and use the /d the /d option saves original info and only writes new info updating file I have more success this way also the new one always back up c-mos on another floppy and always choose update instead of replace.
and always good luck.
if you have ontracks/krolls seagates dm disk manager just load to f8
then type in a:/command.com
you can't just type command.com on dr dos you have to do the a:\command.com
then steal dm.exe and all needed files for this file to run
then load to dos w autoexec.bat having dm.exe /x/m
then /x does not load the xbios.ovl file which tells diskmanager to do certain drive once you do the /x it works and disables looking for drive type it came w drive so you can use with any type drive not just seagate drive I got utility from
ontrack don't like this but I don't care I use utility all the time to reformat drives
1st once it sees drive check dos to see what win98 dos sees as fdisk
then choose autodetect in c-mos on new computer then run dm /x /m
then if it doesn't see drive as whole amount of mb then go to c-mos in computer choose chs and manual and choose 1024 16 63 then
goto dos format as what ever you can get in dos reboot then format /q/s then reboot soo it boot to dos w system on it
then reboot change c-mos to autodetect check dm to see if it sees whole thing if it chooses to format more than 27 volumes let it then reboot use dos what ever it sees choose no to big w fdisk then delete all partitions then reboot then fdisk again /mbr reboot then choose no to large on fdisk then add partition do not add logical partitions just choose 500mb then push 2 to activate then reboot leave autodetect on auto then dos format c:/q/s
/q quick and /s system remember to have sys.com format.com edit.exe edit.hlp
and attrib.exe and all dos files to make c drive boot also cdtech.sys or a cdrom driver and mscdex.exe
also you need
config.sys
device=himem.sys
device=cdtech.sys /d:cd
autoexec.bat
mscdex.exe /d:cd
set blaster=a220 i5 d1 t330 t being midi port
then format c:/q/s
then reboot then check dm.exe /m/x
then delete all partitions leave win98 w dm.exe that you booted in for sys
then choose check partitions delete all partitions using alt c then add new push b for bootable then leave 1 meg free I usually leave some more than that then format partition let it do then reboot then dos format /q/s this way it marks bad file allocation tables and quick formats the 1st time you quick format it will fail and just say yes to unconditional format /u
then reboot and run dm.exe /x don't put the /m just automatically fat32 win98
format it quick then reboot and format /q/s then you can boot from xp disk and it will see it as new delete win98 then you have new ntfs you can make
I always chose fast and leave myself a d drive as a fat32 partition then reboot not using it and put winxp on the ntfs partition 60% 40% d is always 40 % and usually fat32 and c is ntfs now I just use ntfs cause I have usb to ide now.
if you have the msdn version of xp media center you need to use different version of xp to detect more than 300G.

brandegor 7 years ago
OMG. If only I understood this. I bought a Gateway 2000 laptop with Phoenix BIOS, and the danged thing has a BIOS password I cannot for the life of me get past. No way to get into setup. I even bought a floppy drive for it and tried a couple of "swear to god" password cracking software things. It will not boot from CD or floppy. None of the backdoor passwords work. First question - if you blow your first three tries and get locked out, does that mean "forever", or just until you power down and wait for awhile? Since it's a laptop, I've been told that the password is stored in EEPROM, and there's no way around that without expenses I can't afford. I mean the dang thing isn't even worth it in the long run, but it's one of those challenges that is just driving me absolutely nuts. Plus, I'm a 50-year-old noob, so I'm a little left in the dark. Gateway and Phoenix appear to be especially protective of their secrets. Should I just give up on the thing, or is anyone out there smart and kind enough to help me through this and be able to cry "victory"?
IVT brandegor 7 years ago
Hi, in your case, check if the motherboard of your laptop has a way to reset cmos chip. Generally all motherboards have jumper pins for that. Shorting (connecting) the pins (the computer should be off while doing this) resets the bios settings wiping out the password also. If there are no cmos reset jumpers etc try this (this may not work but anyway will not harm your computer): Disconnect the laptop from power. Remove its batteries too. Then search for the circular pill shaped little battery on the motherboard of your laptop. This battery backs up the cmos circuitry in case of complete power loss and it is the "magic" behind the bios clock also. Remove the battery carefully. Wait 20 minutes. Then put the battery back. Pack your laptop and test if the bios has finally an amnesia... :)
_soapy_ IVT 6 years ago
No, most laptops don't. I've stripped down quite a few, and most don't have any kind of reset jumper these days, to stop thieves from resetting them. The Flash BIOS doesn't care about being put in the freezer nor about having the power turned off for a week, any more than your MP3 player does. Yes, the clock resets, but so what?
IVT _soapy_ 6 years ago
You clearly know more than I do. It seems I need a little update :). In the good old times pc's had CMOS BIOS. Now they are Flash BIOS... I know no way to reset a Flash BIOS. Except rewriting it but how? :)...
awace IVT 6 years ago
the flash bios is just a square chip it's still c-mos and like I said directly across from the dot is where you short I am not going to open my laptop just to count pins but you should know what I mean BY the way every device using this would be reset this way I have done this on more than just computers It doesn't work on cable boxes cause they don't have passwords stored BUT it does remove parental control locked out channels.... that's where I got the idea ..