Print PDF
Favorite
Email
Step 6BIOS Backdoors
Bybassing BIOS Solutions:
1. BIOS passwords secure different levels of system access. Lowest level is access control for power management functions, next for BIOS access (BIOS password) and highest level is for PC access (Administrator password).
2. BIOS password is stored in a non-erasable part of the CMOS ('BIOS memory'). On desktop PC's this CMOS is buffered by an onboard battery. Depending on your mainboard layout you'll see a seperate battery or won't see it as it will be integrated in a multifunction chip housing battery, real time clock (RTC) and other components (usually a small black brick on the mainboard).
Keeping that in mind different ways of removing the password are possible.
Remove password with some kind of software
This works only if you have access to your PC and can run software (meaning no Administrator password is set).
CMOSpwd www.cgsecurity.org/index.html?cmospwd.html
Remove password by manually invalidating CMOS content
When CMOS RAM loses power, a bit is set to indicate this, which should cause the BIOS to detect that the CMOS RAM is invalid and will normally result in the loading of default values. The same results can be obtained by using a simple DEBUG script to invalidate CMOS RAM. This may be much more convenient than shorting pins on a chip in cases where it is possible to boot to a DOS prompt to run DEBUG.Here is a DEBUG script to invalidate CMOS RAM.
This should work on all AT / ATX motherboards (some systems do not have CMOS RAM)
Boot from floppy with DOS or USb thumb drive.
A:\>DEBUG
- o 70 2E
- o 71 FF
- q (Quits to DOS)
Remove password using common master passwords
Please be aware that most BIOS releases lock your PC completely after entering 3 wrong passwords !
American Megatrends BIOS
AMI, A.M.I, AMI_SW, aammii, AMI!SW, AMI.KEY, ami.key, AMI~, AMIAMI, AMIDECOD, AMIPSWD, amipswd, AMISETUP, BIOSPASS
Award BIOS
?award, awkward, award, award_?, award.sw, award sw, AWARD_SW, AWARD SW, admin, alfarome, aLLy, aPAf, BIOS, biosstar, biostar, CONTACT, condo, CONDO, g6PJ, h6BB, HELGA-S, HLT, j09F, j64, j262, j256, j322, lkw peter, lkwpeter, LKWPETER, PASSWORD, SER, setup, SKY_FOX, SWITCHES_SW, Sxyz, SZYX, t0ch20x, t0ch88, TTPTHA, TzqF, wodj, zbaaaca, 1322222, 256256
Phoenix
phoenix
SystemSoft PnP BIOS
system
manufacturer preset ones
VOBIS & IBM: merlin
Dell: Dell
Biostar: Biostar
Compaq: Compaq
Enox: xo11nE
Epox: central
Freetech: Posterie
IWill: iwill
Jetway: spooml
Packard Bell: bell9
QDI: QDI
Siemens: SKY_FOX
TMC: BIGO
Toshiba: Toshiba
Remove password on certain PC's and notebooks
IBM PC's and notebooks
Toshiba notebooks
HP notebooks
Remove password using Clear CMOS jumper on your mainboard
Please refer to your manual to locate this jumper. Clearing CMOS will erase all passwords set but all your user defined settings like harddisk type, RAM timings etc, too. You'll have to set these values again after clearing CMOS.
Remove password by clearing CMOS due to disconnected power
CMOS content is buffered by an onboard battery. If you disconnect this power supply your CMOS clears automatically as the content can't be refreshed due to the missing power. This works easily if you see the onboard battery. Remove the battery for at least 5 minutes an insert it again in it's socket.
Remove password by clearing CMOS within RTC chip
Depending on the RTC chip used on your mainboard you can reset CMOS content by connecting two pins on the RTC chip. A paperclip bent into a U shape is a good tool for this. For all the following activities your PC has to be powered off.
Chips & Technologies P82C206
This is usually a square PLCC chip, sometimes soldered onto the motherboard, sometimes in a socket. CMOS RAM on this chip is cleared by shorting together pins 12 (GND) and 32 (5.0V) or pins 74 (GND) and 75 (5.0V) for a few seconds.
Pins 12 and 32 are the first and last pins on the bottom edge of the chip, pins 74 and 75 are the 2 corner pins on the upper left corner.
OPTi F82C206
This is a small rectangular PLCC chip usually soldered onto the board. CMOS RAM is cleared on this chip by shorting together pins 3 and 26 on bottom edge of chip for a few seconds.
Pin 3 is third pin from left side and pin 26 5th pin from right side, both on bottom edge.
Dallas DS1287 and benchmarq bp3287MT
CMOS RAM can't be cleared. Instead you can replace RTC chip with a new one. You can even use an updated version (DS1287A or bq3287AMT) which support CMOS clearing.
Dallas DS1287A and benchmarq bq3287AMT
This battery should last up to 10 years. Any motherboard using these chips should not have an additional battery. CMOS RAM can be cleared on the DS1287A and bq3287AMT by shorting pins 12 (GND) and 21 (RAM Clear).
Pins are labeled 1 to 24 running counter clockwise starting left of bottom edge. Pin 12 is first pin from right side on bottom edge and Pin 21 is third pin from left side on top edge.
Motorola MC146818AP or compatible
This is a rectangular 24-pin DIP chip, usually in a socket. Compatible chips are made by several manufacturers including Hitachi (HD146818AP) and Samsung (KS82C6818A). The number on the chip should end in 6818. Although this chip is pin-compatible with the Dallas 1287/1287A, there is no built-in battery. This means that CMOS RAM can be cleared on this chip by just removing it from the socket for a few seconds and replacing it.
Dallas DS12885S and benchmarq bq3258S
CMOS RAM is cleared on this chip by shorting pins 12 (GND) and 20. Even shorting pin 12 (GND) and 24 (5.0V) will help.
Pins are labeled 1 to 24 running counter clockwise starting left of bottom edge. Pin 12 is first pin from right side on bottom edge and Pin 21 is third pin from left side on top edge. Pin 24 is first pin from left on top edge.
Additional BIOS passwords and hints can be found here:
http://www.11a.nu/ibios.htm
1. BIOS passwords secure different levels of system access. Lowest level is access control for power management functions, next for BIOS access (BIOS password) and highest level is for PC access (Administrator password).
2. BIOS password is stored in a non-erasable part of the CMOS ('BIOS memory'). On desktop PC's this CMOS is buffered by an onboard battery. Depending on your mainboard layout you'll see a seperate battery or won't see it as it will be integrated in a multifunction chip housing battery, real time clock (RTC) and other components (usually a small black brick on the mainboard).
Keeping that in mind different ways of removing the password are possible.
Remove password with some kind of software
This works only if you have access to your PC and can run software (meaning no Administrator password is set).
CMOSpwd www.cgsecurity.org/index.html?cmospwd.html
Remove password by manually invalidating CMOS content
When CMOS RAM loses power, a bit is set to indicate this, which should cause the BIOS to detect that the CMOS RAM is invalid and will normally result in the loading of default values. The same results can be obtained by using a simple DEBUG script to invalidate CMOS RAM. This may be much more convenient than shorting pins on a chip in cases where it is possible to boot to a DOS prompt to run DEBUG.Here is a DEBUG script to invalidate CMOS RAM.
This should work on all AT / ATX motherboards (some systems do not have CMOS RAM)
Boot from floppy with DOS or USb thumb drive.
A:\>DEBUG
- o 70 2E
- o 71 FF
- q (Quits to DOS)
Remove password using common master passwords
Please be aware that most BIOS releases lock your PC completely after entering 3 wrong passwords !
American Megatrends BIOS
AMI, A.M.I, AMI_SW, aammii, AMI!SW, AMI.KEY, ami.key, AMI~, AMIAMI, AMIDECOD, AMIPSWD, amipswd, AMISETUP, BIOSPASS
Award BIOS
?award, awkward, award, award_?, award.sw, award sw, AWARD_SW, AWARD SW, admin, alfarome, aLLy, aPAf, BIOS, biosstar, biostar, CONTACT, condo, CONDO, g6PJ, h6BB, HELGA-S, HLT, j09F, j64, j262, j256, j322, lkw peter, lkwpeter, LKWPETER, PASSWORD, SER, setup, SKY_FOX, SWITCHES_SW, Sxyz, SZYX, t0ch20x, t0ch88, TTPTHA, TzqF, wodj, zbaaaca, 1322222, 256256
Phoenix
phoenix
SystemSoft PnP BIOS
system
manufacturer preset ones
VOBIS & IBM: merlin
Dell: Dell
Biostar: Biostar
Compaq: Compaq
Enox: xo11nE
Epox: central
Freetech: Posterie
IWill: iwill
Jetway: spooml
Packard Bell: bell9
QDI: QDI
Siemens: SKY_FOX
TMC: BIGO
Toshiba: Toshiba
Remove password on certain PC's and notebooks
IBM PC's and notebooks
Toshiba notebooks
HP notebooks
Remove password using Clear CMOS jumper on your mainboard
Please refer to your manual to locate this jumper. Clearing CMOS will erase all passwords set but all your user defined settings like harddisk type, RAM timings etc, too. You'll have to set these values again after clearing CMOS.
Remove password by clearing CMOS due to disconnected power
CMOS content is buffered by an onboard battery. If you disconnect this power supply your CMOS clears automatically as the content can't be refreshed due to the missing power. This works easily if you see the onboard battery. Remove the battery for at least 5 minutes an insert it again in it's socket.
Remove password by clearing CMOS within RTC chip
Depending on the RTC chip used on your mainboard you can reset CMOS content by connecting two pins on the RTC chip. A paperclip bent into a U shape is a good tool for this. For all the following activities your PC has to be powered off.
Chips & Technologies P82C206
This is usually a square PLCC chip, sometimes soldered onto the motherboard, sometimes in a socket. CMOS RAM on this chip is cleared by shorting together pins 12 (GND) and 32 (5.0V) or pins 74 (GND) and 75 (5.0V) for a few seconds.
Pins 12 and 32 are the first and last pins on the bottom edge of the chip, pins 74 and 75 are the 2 corner pins on the upper left corner.
OPTi F82C206
This is a small rectangular PLCC chip usually soldered onto the board. CMOS RAM is cleared on this chip by shorting together pins 3 and 26 on bottom edge of chip for a few seconds.
Pin 3 is third pin from left side and pin 26 5th pin from right side, both on bottom edge.
Dallas DS1287 and benchmarq bp3287MT
CMOS RAM can't be cleared. Instead you can replace RTC chip with a new one. You can even use an updated version (DS1287A or bq3287AMT) which support CMOS clearing.
Dallas DS1287A and benchmarq bq3287AMT
This battery should last up to 10 years. Any motherboard using these chips should not have an additional battery. CMOS RAM can be cleared on the DS1287A and bq3287AMT by shorting pins 12 (GND) and 21 (RAM Clear).
Pins are labeled 1 to 24 running counter clockwise starting left of bottom edge. Pin 12 is first pin from right side on bottom edge and Pin 21 is third pin from left side on top edge.
Motorola MC146818AP or compatible
This is a rectangular 24-pin DIP chip, usually in a socket. Compatible chips are made by several manufacturers including Hitachi (HD146818AP) and Samsung (KS82C6818A). The number on the chip should end in 6818. Although this chip is pin-compatible with the Dallas 1287/1287A, there is no built-in battery. This means that CMOS RAM can be cleared on this chip by just removing it from the socket for a few seconds and replacing it.
Dallas DS12885S and benchmarq bq3258S
CMOS RAM is cleared on this chip by shorting pins 12 (GND) and 20. Even shorting pin 12 (GND) and 24 (5.0V) will help.
Pins are labeled 1 to 24 running counter clockwise starting left of bottom edge. Pin 12 is first pin from right side on bottom edge and Pin 21 is third pin from left side on top edge. Pin 24 is first pin from left on top edge.
Additional BIOS passwords and hints can be found here:
http://www.11a.nu/ibios.htm
| « Previous Step | Download PDFView All Steps | Next Step » |
http://www.mcamafia.de/mcapage0/dsrework.htm
he did it the hard way all you have to do is find the battery then hack it out using a small blue type snippers works best obvibously the color of snipers wont matter anwyay just get to battery then using snippers unpeal like sardine can the bigger solder tab unwrap it till it comes off fully keeping as long as peice as you can but since there is picture of chip on the mcamafia site you should beable to get to pin needed for battery anyway! then get other side off the same way keeping as mutch connection space as needed. then sicne pins went up thats why shorting them wont work i think they thought keeping people away from c-mos chip they could keep them away but when battery dies computer wont boot and locks up I learned this from a gateway ride ready c-mos hi and low chip old 486 board all were bad rev #1 fun 1 no video this means the nickel cad batterys were shorted then i snipped battery off and it continued booting! to solder to pins just get some new 3m sponge scrubbie brand scratch pad then use small sandpaper file to sandpaper the pins or the connections left from battery it actually will for shure solder then after you scratch down to brass it will take solder most battery terminal solder tabs wont solder to the coating . i did that and computer works great . I also know if you have a compaq protable II suitcase computer take a nokia 3589i
Nokia BLC-2 battery and use phone to charge to charge complete then add solder blobs to battery + - terminals leave other terminals alone so you can recharge it in phone you must unsolder from computer to recharge in phone
then use a kid toy battery compartment wire for wire or comprable wire to solder and replace battery in compaq portable II suit case comuter then download c-mos utility called setup this file is for a floppy so you may have to use dos 0.72 to load up dos and make floppy then remove compaq II whole drive caddy with old 5¼ and replace miniscribe IDE drive w cavair 2g or 1g or 500Mb cause you only get 259Mb anyway I forget witch drive it is but it looks like 1024 16 63 and it works with 259Mb sicne all my 850Mb caviar wd hd's are bad i just used a 2g anwyay then load up new computer w usb stick w setup on it boot to usb device or memmory stick device and then format b:/s
then copy dos to floppy then steal compaq setup.exe file then take format.com
sys.com
edit.com
attrib.exe
edit.hlp
fdisk.exe
format.com
cdtech.sys
mscdex.exe
I havent tried cdrom cause c-mos not comatible w more than 1 drive.
then hook b: to big computer remove usb stick and boot from 3¼ floppy you just made w compaq setup on it then format b: /f:360 /s
then it formats crappy compaq c-mos type floppy bootable it can be win98 but since computer has crappy memory just use win95 actaully dos version does not matter qwbasic still runs then after you make a boot fisk for it using its own floppy drive or a nother /f:360 floppy witch its c-mos is looking for then you can put back into compaq portable w nokia battery as c-mos not hooked to phone remember charging is in phone as normal then solder blobs should beable to connect good when charging.
then put caviar wd 2g drive into big machne boot from 3¼ floppy put sys on it
then put into compaq II and boot from 360 floppy run setup detect 259M drive
then reboot then format c:/q/s
you might need more floppys from usb or big machine to fit all dos format utiltys on then once you format c:/q/s s being system and q being fast
I use win98 cause its faster and lets you use large.
then once you get it to boot to win98 dos you will see the win98 thing in GREEN its so cool you can remove ide drive and put basica qwbasic and other stuff on it in xp using usb to ide stick or just put as d drive then since miniscribe is usb you should beable to do the same on xp.
on n610 or most square dram chips the side opposite pin one can be shorted no batteries must be hooked c-mos or big battery then only hook up power pack to laptop then short c-mos chip then unplug power pack super fast then wait 5 minnutes then replace all batteries and c-mos will clear.
now I had a keyboard w ide video and floppy it was called a hide ccomputer it was a vga card w ide on it and a small form factor 486 texas instruments 386 chip but it was a 486 on a 386 motherboard so it was a 486 but was a square 486 chip and over heated easyly cause no heat sink lame anyway its c-mos chip was a normal 28 pin chip and if you set password even if you cleared password when it didnt have one it would just screw FUC_ it up it would just show : for 1st try and then : so you would get
::: and it would lock up after 3rd password try my dad said when he gave it to me he said DONT put password into it I said ok cool free computer.
I turned it on then removed a smaller chip next to the c-mos chip then replaced it and for some reason when it was on if i turned it back off and on again this procedure would clear c-mos password witch you still needed to stay out of password menu in c-mos and it would work great untill you tried to add password.
thats when i learned about shorting batterys and clearing c-mos .
on most chips the 2nd to last and the 3rd to last pins usually clears every thing DONOT DO THIS ON A arcade space invaders motherboard cause you will lose eeprom info remember c-mos for comuters is 2 fold 1st the program is loaded then the .bin file is loaded into the chip but the chip is formated a certian way so you can copy one in burner but not just send it a file
you need to run awdflash.exe and use the /d the /d option saves original info and only writes new info updating file i have more success this way also the new one always back up c-mos on nother floppy and always choose update instead of replace.
and always good luck.
if you have ontracks/krolls seagates dm disk manager just load to f8
then type in a:/command.com
you cant just type command.com on dr dos you have to do the a:\command.com
then steal dm.exe and all needed files for this file to run
then load to dos w autoexec.bat having dm.exe /x/m
then /x does not load the xbios.ovl file witch tells diskmanager to do ceritan drive once you do the /x it works and disables looking for drive type it came w drive so you can use with any type drive not just seagate drive i got utility from
ontrack dont like this but I dont care i use utilty all the time to reformat drives
1st once it sees drive check dos to see what win98 dos sees as fdisk
then choose autodetect in c-mos on new computer then run dm /x /m
then if it dont see drive as whole amount of mb then goto c-mos in computer choose chs and manual and choose 1024 16 63 then
goto dos format as what ever you can get in dos reboot then format /q/s then reboot soo it boot to dos w system on it
then reboot change c-mos to autodetect check dm to see if it sees whole thing if it chooses to format more than 27 volumes let it then reboot use dos what ever it sees choose no to big w fdisk then delete all partitions then reboot then fdisk again /mbr reboot then choose no to large on fdisk then add partition donot add logical partitions just choose 500mb then push 2 to activate then reboot leave autodetect on auto then dos format c:/q/s
/q quick and /s system remember to have sys.com format.com edit.exe edit.hlp
and attrib.exe and all dos files to make c drive boot also cdtech.sys or a cdrom driver and mscdex.exe
also you need
config.sys
device=himem.sys
device-cdtech.sys /d:cd
autoexec.bat
mscdex.exe /d:cd
set blaster=a220 i5 d1 t330 t being midi port
then format c:/q/s
then reboot then check dm.exe /m/x
then delete all partitions leave win98 w dm.exe that you booted in for sys
then choose check partitions delete all partitions using alt c then add new push b for bootble then leave 1 meg free i usually leave some more than that then format partition let it do then reboot then dos format /q/s this way it marks bad file alloction tables and quick formats the 1st time you quick format it will fail and just say yes to unconditional format /u
then reboot and run dm.exe /x dont put the /m just automaticly fat32 win98
format it quick then reboot and format /q/s then you can boot from xp disk and it will see it as new delete win98 then you have new ntfs you can make
i always chose fast and leave my self a d drive as a fat32 partition then reboot not using it and put winxp on the ntfs partition 60% 40% d is always 40 % and usually fat32 and c is ntfs now i just use ntfs cause i have usb to ide now.
if you have the msdn version of xp media center you need to use difernt verison of xp to detect more than 300G .