On Tue, 19 Nov 2002 13:54:10 +1000, John <[EMAIL PROTECTED]> wrote:

>Mark L. Kahnt wrote:
>
>>Anyone remember how to clear a password on a BIOS? I've got a box from a
>>client that has stopped booting from CD, and this client is ready to
>>move to dual-booting, but this is his main desktop box and it needs some
>>cuffing around the BIOS. The password was put on by the vendor of the
>>box, who then went broke three months later. I need to get Windows
>>working (certain key files were clobbered by yet another virus -
>>including explorer.exe - likely others, but I'm finding them
>>one-at-a-time) to at least extract some key data before re-partitioning,
>>and currently, for some strange reason, Windows can't see the CD-ROM at
>>all (while 2DiskXWin does, so I know that the hardware is okay - only M$
>>is $crewed ;)
>>
>>Yeah, it's all complicated - simply put, I need to clear the BIOS
>>password, and I've forgotten the normal trick (other than removing the
>>battery and disconnecting the power supply, and hoping the CMOS is
>>static RAM rather than EEPROM - which one guy I know used a number of
>>years back for his garage-built line of boxes.)
>
>You can also get at the BIOS contents via port 70 (you need to write the
>address you want to access there) and port 71 (which you read and write
>data from/to).
>
>You'll need to track down exactly what addresses you'll need to touch
>via the web somehow, then boot a DOS disk and use DEBUG to toggle the
>address which says a password is set. As I seem to recall it's a binary
>flag inside a byte somewhere. It's a long time since I did any of this
>stuff, so I can't tell you any more details. A clever Linux hackor could
>probably do it as root via /proc, but I have no idea how to get there.
This lot may help you - it's all the stuff I could find in CMOS.LST from
Ralf Brown's Interrupt List about AMI BIOSes. It's a bit old but probably
not unusably so. Sorry for the length. Don't forget to hit the appropriate
checksum in 2E/2F or 3E/3F.

Personally, I'd pull the battery.

An alternative method is to unplug the BIOS ROM, plug it into a spare ROM
socket in a machine that's old enough to have one, dump the contents,
disassemble it and hunt through for the password check. The machine I did
this on had its password hard-coded into the BIOS ROM, so I didn't have
much choice.

Pigeon

============================================================
----------R2D--------------------------------
CMOS 2Dh - AMI WinBIOS - flags

Bitfields for AMI WinBIOS flags:
Bit(s)  Description     (Table C0033)
 7      Weitek Installed
 6      bootsector virus protection enabled
 5      mouse enabled
 4      password checking (0 setup, 1 always)
 3      parity error check enabled
 2-1    boot order (00 = C:A:, 01 = A:C:)
 0      turbo switch enabled
----------R34--------------------------------
CMOS 34h - AMI - SHADOWING & BOOT PASSWORD

Bitfields for AMI shadowing control 1:
Bit(s)  Description     (Table C0037)
 7-6    password selection
        00b Disable
        10b Reserved
        01b Set
        11b Boot
 5      C8000h Shadow ROM (Bit 1 = On)
 4      CC000h Shadow ROM (Bit 1 = On)
 3      D0000h Shadow ROM (Bit 1 = On)
 2      D4000h Shadow ROM (Bit 1 = On)
 1      D8000h Shadow ROM (Bit 1 = On)
 0      DC000h Shadow ROM (Bit 1 = On)
----------R37--------------------------------
CMOS 37h - AMI WinBIOS - SETUP COLORS, PASSWORD SEED

Bitfields for AMI WinBIOS setup colors and password seed:
Bit(s)  Description     (Table C0044)
 7-4    password seed
 3-0    WinBIOS/AMIBIOS setup color options
--------y-R383D------------------------------
CMOS 38h-3Dh - AMI - Encrypted Password
--------!---Note-----------------------------
The second group of values extends from address 10h to 2Dh. The word at
2Eh-2Fh is a byte-wise summation of the values in these bytes.
Most BIOSes will generate a CMOS Checksum error if this value is invalid;
however, many programs ignore the checksum and report the apparent value.
The current version of MSD reports my XT as having 20+ MB of extended
memory.
----------R3E--------------------------------
CMOS 3Eh - AMI - Extended CMOS Checksum, High Byte

Note: this checksum covers locations 34h - 3Dh, but is not used by some
      later AMI BIOSes
----------R3F--------------------------------
CMOS 3Fh - AMI - Extended CMOS Checksum, Low Byte

Note: this checksum covers locations 34h - 3Dh, but is not used by some
      later AMI BIOSes
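As an added example (not from the thread, and not code from Ralf Brown's list or from AMI), the following C program works the CMOS.LST layout above on a 64-byte CMOS image: it checks the 2Eh/2Fh checksum over 10h-2Dh and the 3Eh/3Fh checksum over 34h-3Dh, decodes the AMI password selection in 34h bits 7-6 and the WinBIOS "password checking" bit in 2Dh bit 4, and clears the password the way the table implies (selection set to 00b Disable, 38h-3Dh zeroed, both checksums recomputed). Two points the table makes are worth noting: clearing 2Dh bit 4 alone only changes when the password is asked for (0 = setup only), not whether one exists, so the selection bits in 34h are the ones that matter; and since the extended checksum is "not used by some later AMI BIOSes", recomputing both is harmless on those and required on the rest. The sample image is constructed here, the function names are my own, and the assumption that zeroing these fields is sufficient for a given board is exactly that, an assumption; getting the bytes in and out of the real chip (DEBUG on ports 70h/71h, or `/dev/nvram` on Linux, which exposes CMOS from byte 0Eh onward at its offset 0) is outside this block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMOS_SIZE 64

/* AMI CMOS offsets, as listed in the CMOS.LST excerpt quoted in the thread. */
enum {
    CMOS_AMI_FLAGS    = 0x2D, /* WinBIOS flags; bit 4: password checking (0 setup, 1 always) */
    CMOS_STD_CSUM_HI  = 0x2E, /* byte-wise sum of 10h..2Dh, high byte */
    CMOS_STD_CSUM_LO  = 0x2F, /* ... low byte */
    CMOS_AMI_SHADOW   = 0x34, /* bits 7-6: password selection; bits 5-0: shadow ROM */
    CMOS_AMI_SEED     = 0x37, /* bits 7-4: password seed; bits 3-0: setup colours */
    CMOS_AMI_PW_FIRST = 0x38, /* 38h..3Dh: encrypted password */
    CMOS_AMI_PW_LAST  = 0x3D,
    CMOS_EXT_CSUM_HI  = 0x3E, /* byte-wise sum of 34h..3Dh (unused by some later AMI) */
    CMOS_EXT_CSUM_LO  = 0x3F
};

/* Password selection values from table C0037, bits 7-6 of 34h. */
enum ami_pw_mode { AMI_PW_DISABLE = 0, AMI_PW_SET = 1, AMI_PW_RESERVED = 2, AMI_PW_BOOT = 3 };

/* Byte-wise summation over img[first..last]; stored big-endian per CMOS.LST. */
static uint16_t cmos_sum(const uint8_t *img, int first, int last)
{
    uint16_t sum = 0;
    for (int i = first; i <= last; i++)
        sum += img[i];
    return sum;
}

static uint16_t cmos_word(const uint8_t *img, int hi, int lo)
{
    return (uint16_t)((img[hi] << 8) | img[lo]);
}

int cmos_std_checksum_ok(const uint8_t *img)
{
    return cmos_word(img, CMOS_STD_CSUM_HI, CMOS_STD_CSUM_LO) == cmos_sum(img, 0x10, 0x2D);
}

int cmos_ext_checksum_ok(const uint8_t *img)
{
    return cmos_word(img, CMOS_EXT_CSUM_HI, CMOS_EXT_CSUM_LO) == cmos_sum(img, 0x34, 0x3D);
}

/* Recompute both checksum words; a BIOS that ignores the extended one is not harmed. */
void cmos_fix_checksums(uint8_t *img)
{
    uint16_t s = cmos_sum(img, 0x10, 0x2D);
    img[CMOS_STD_CSUM_HI] = (uint8_t)(s >> 8);
    img[CMOS_STD_CSUM_LO] = (uint8_t)s;
    s = cmos_sum(img, 0x34, 0x3D);
    img[CMOS_EXT_CSUM_HI] = (uint8_t)(s >> 8);
    img[CMOS_EXT_CSUM_LO] = (uint8_t)s;
}

int ami_password_mode(const uint8_t *img)   { return (img[CMOS_AMI_SHADOW] >> 6) & 0x3; }
int ami_password_always(const uint8_t *img) { return (img[CMOS_AMI_FLAGS] >> 4) & 0x1; }

/* Disable the password in the image: selection -> 00b, checking -> setup only,
 * seed and encrypted bytes zeroed, both checksums recomputed. The shadow-ROM
 * bits of 34h and the other flags in 2Dh are left alone. Assumption: this is
 * enough for the board in question; the thread does not confirm it. */
void ami_clear_password(uint8_t *img)
{
    img[CMOS_AMI_SHADOW] &= 0x3F;
    img[CMOS_AMI_FLAGS]  &= (uint8_t)~0x10;
    img[CMOS_AMI_SEED]   &= 0x0F;
    for (int i = CMOS_AMI_PW_FIRST; i <= CMOS_AMI_PW_LAST; i++)
        img[i] = 0;
    cmos_fix_checksums(img);
}

/* Constructed sample image (not a real dump): boot password set, "always"
 * checking on, all shadow ROMs on, six arbitrary password bytes, valid sums. */
void cmos_make_sample(uint8_t img[CMOS_SIZE])
{
    static const uint8_t pw[6] = { 0x5A, 0x17, 0xC3, 0x08, 0x9E, 0x41 };
    memset(img, 0, CMOS_SIZE);
    img[CMOS_AMI_FLAGS]  = 0x10 | 0x08 | 0x02;  /* pw always, parity check, boot A:C: */
    img[CMOS_AMI_SHADOW] = 0xC0 | 0x3F;         /* 11b = Boot password, shadow all */
    img[CMOS_AMI_SEED]   = 0x70 | 0x03;         /* seed 7, colour option 3 */
    memcpy(&img[CMOS_AMI_PW_FIRST], pw, sizeof pw);
    cmos_fix_checksums(img);
}

int main(void)
{
    uint8_t img[CMOS_SIZE];
    cmos_make_sample(img);
    printf("before: mode=%d always=%d std_ok=%d ext_ok=%d\n", ami_password_mode(img),
           ami_password_always(img), cmos_std_checksum_ok(img), cmos_ext_checksum_ok(img));
    ami_clear_password(img);
    printf("after:  mode=%d always=%d std_ok=%d ext_ok=%d\n", ami_password_mode(img),
           ami_password_always(img), cmos_std_checksum_ok(img), cmos_ext_checksum_ok(img));
    return 0;
}
```

Run the checksum functions against a real dump before touching anything: if `cmos_std_checksum_ok` already fails on the untouched image, the board is not using this layout and the offsets above do not apply to it. When writing back through ports 70h/71h, keep bit 7 of the value written to 70h clear so the NMI is not disabled by accident, and write the data bytes before the checksum bytes so a power loss midway leaves a checksum error rather than a silently wrong but "valid" image.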