Trish's Escape from Hardware Hell



 

Hacking Your Password - Password Checking Option and Clearing Chips

Password Checking Option

You can use a password during the computer's startup sequence. The options are:

  • Always, which means every time the system is started.

  • Setup, which only protects the BIOS routine from being tampered with, or

  • Disabled.


You can still boot from a floppy and alter things with a diagnostic program, though.
The original AMI BIOS did not encrypt the password, so any utility capable of reading the CMOS should be able to edit it. The AMI WinBIOS uses a simple substitution system. 

You get three attempts to get in, after which the system will have to be rebooted. The default is usually the manufacturer's initials (try ami), or biostar, biosstar, AWARD?SW, AWARD?PW, LKWPETER, 589589, aLLy, condo, djonet, lkwpeter, j262 SWITCHES?SW, AWARD_SW, or Shift + S Y X Z for Award (before 19 Dec 96), but if this doesn't work, or you forget your own password, you must discharge the CMOS. One way to do this is simply to wait for five years until the battery discharges (ten if you've got a Dallas clock chip)! You could also remove the CMOS chip or the battery and just hang on for twenty minutes or so. Look for the chips mentioned below, under Clearing Chips.

You could try flooding the keyboard buffer to crash the password routine - just wait for the password prompt, then keep pressing Esc.

Note: Since 19 Dec 96, Award Software has not used a default password, leaving it for OEMs. Discharging the battery will not clear the OEM password.

Note: When CMOS RAM loses power, a bit is set which indicates this to the BIOS during the POST test. As a result, you will normally get slightly more aggressive default values.

If your battery is soldered in, you could discharge it enough so the CMOS loses power, but make sure it is rechargeable so you can get it up to speed again. To discharge it, connect a small resistor (say 39 ohms, or a 6v lantern lamp) across the battery and leave it for about half an hour.

Some motherboards use a jumper for discharging the CMOS; it may be marked CMOS DRAIN. Sometimes, you can connect P15 of the keyboard controller (pin 32, usually) to GND and switch the machine on. This makes the POST run, which deletes the password after one diagnostic test. Then reboot.

Very much a last resort is to get a multi-meter and set it to a low resistance check (i.e. 4 ohms), place one probe on pin 1 of the chip concerned, and draw the other over the other pins. This will shock out the chip and scramble its brains. This is not for the faint hearted, and only for the desperate - use a paperclip or desolder the battery first! We assume no responsibility for damage!

The minimum standby voltage for the 146818 is 2.7v, but your settings can remain even down to around 2.2v. Usually, the clock will stop first, as the oscillator needs a higher voltage to operate. 3v across a CMOS is common with 3.6v nicad & lithium batteries, as the silicon diodes often used in the battery changeover circuit have a voltage drop of 0.6v (3.6v-.6v = 3v). If your CMOS settings get lost when you switch off and the battery is OK, the problem may be in the changeover circuit - the 146818 can be sensitive to small spikes caused by it at power down.

Clearing Chips
The CMOS can mostly be cleared by shorting together appropriate pins with something like a bent paperclip (with the power off!). You could try a debug script if you are able to boot:

A:\DEBUG
- o 70 2E
- o 71 FF
- q

The CMOS RAM is often incorporated into larger chips:

P82C206 (Square)
Also has 2 DMA controllers, 2 Interrupt controllers, a Timer, and RTC (Real-Time Clock). It's usually marked CHIPS, because it's made by Chips and Technologies. Clear by shorting together pins 12 and 32 on the bottom edge or pins 74 and 75 on the upper left corner.

F82C206 (Rectangular)
Usually marked OPTi (the manufacturer). Has 2 DMA Controllers, 2 Interrupt Controllers, Timer, and Real Time Clock. Clear by shorting pins 3 and 26 on the bottom edge (third pin in from left and 5th pin from right).


Dallas DS1287, DS1287A
Benchmarq bp3287MT, bq3287AMT.
The DS1287 and DS1287A (and compatible Benchmarq bp3287MT and bq3287AMT chips) have a built-in battery, which should last up to 10 years. Clear the 1287A and 3287AMT chips by shorting pins 12 and 21. You cannot clear the 1287 (and 3287MT), so replace them (with a 1287A!). Although these are 24-pin chips, the Dallas chips may be missing 5 pins, which are unused anyway.

Motorola MC146818AP or compatible. 
Rectangular 24-pin DIP chip, found on older machines. Compatibles are made by several manufacturers including Hitachi (HD146818AP) and Samsung (KS82C6818A), but the number on the chip should have 6818 in it somewhere. Although pin-compatible with the 1287/1287A, there is no built-in battery, which means it can be cleared by just removing it from the socket, but you can also short pins 12 and 24.

Dallas DS12885S or Benchmarq bq3258S
Clear by shorting pins 12 and 20, on diagonally opposite corners; lower right and upper left (try also pins 12 and 24). 

For reference, the bytes in the CMOS of an AT with ISA bus are arranged thus:

00 Real Time Clock
10-2F ISA Configuration Data
30-3F BIOS-specific information
40-7F Ext CMOS RAM/Advanced Chipset info

The AMI password is in 37h-3Fh, where the (encrypted) password is at 38h-3Fh. If byte 0Dh is set to 0, the BIOS will think the battery is dead and treat what's in the CMOS as invalid.
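
As an added example (not from the article or from "The BIOS Companion"), this Python code inspects a 128-byte CMOS dump offline using the map above: it names the region for an offset, reads the power-valid flag in byte 0Dh, and verifies the configuration checksum. The checksum over 10h-2Dh stored at 2Eh-2Fh and the use of bit 7 of 0Dh are conventional AT/MC146818 details assumed here, not stated on the page; the sample image is constructed.

```python
# Region map from the article; the RTC upper bound (0Fh) is inferred
# from the next region starting at 10h.
REGIONS = [
    (0x00, 0x0F, "Real Time Clock"),
    (0x10, 0x2F, "ISA Configuration Data"),
    (0x30, 0x3F, "BIOS-specific information"),
    (0x40, 0x7F, "Ext CMOS RAM/Advanced Chipset info"),
]
AMI_PASSWORD_AREA = (0x37, 0x3F)  # per the article

# Assumptions (conventional AT / MC146818 details, not stated on the page):
CHECKSUM_RANGE = range(0x10, 0x2E)   # bytes 10h-2Dh are summed
CHECKSUM_HI, CHECKSUM_LO = 0x2E, 0x2F
STATUS_D, VRT_BIT = 0x0D, 0x80       # bit 7 = "valid RAM and time"

def region_of(offset):
    """Return the article's region name for a CMOS offset."""
    for lo, hi, name in REGIONS:
        if lo <= offset <= hi:
            return name
    raise ValueError(f"offset {offset:#04x} is outside the 128-byte CMOS")

def inspect(dump):
    """Report power-valid flag, checksum state and password-area usage."""
    if len(dump) != 128:
        raise ValueError("expected a 128-byte CMOS image")
    computed = sum(dump[i] for i in CHECKSUM_RANGE) & 0xFFFF
    stored = (dump[CHECKSUM_HI] << 8) | dump[CHECKSUM_LO]
    lo, hi = AMI_PASSWORD_AREA
    return {
        "battery_ok": bool(dump[STATUS_D] & VRT_BIT),
        "checksum_ok": computed == stored,
        "computed": computed, "stored": stored,
        "password_area_blank": not any(dump[lo:hi + 1]),
    }

def make_sample():
    """Constructed image: arbitrary config bytes, valid checksum, VRT set."""
    img = bytearray(128)
    img[STATUS_D] = VRT_BIT
    img[0x10:0x2E] = bytes(i * 7 for i in range(0x1E))
    total = sum(img[i] for i in CHECKSUM_RANGE) & 0xFFFF
    img[CHECKSUM_HI], img[CHECKSUM_LO] = total >> 8, total & 0xFF
    img[0x38:0x40] = b"\x5a" * 8   # placeholder bytes, not a real password
    return img

if __name__ == "__main__":
    for key, value in inspect(make_sample()).items():
        print(f"{key}: {value}")
```

A dump whose byte 2Eh no longer matches the computed sum reports checksum_ok as False, which is the state left behind by the DEBUG write to 2Eh shown earlier.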

One other point, if you have a foreign keyboard (that is, outside the United States) - the computer expects to see a USA keyboard until your keyboard driver is loaded, so DON'T use anything in your password that is not in the USA keyboard!

This is an article from Phil Croucher, author of "The BIOS Companion". Phil has a way of explaining in "plain" English. The information is well presented and is well above A+ standard. For more info on all of his works, go to "The BIOS Companion" Home Page.


Updated 07/06/04

© 2004 Trish's Escape from Hardware Hell -- Privacy Statement