CmosPwd

From CGSecurity

CmosPwd decrypts the password stored in CMOS that is used to access the BIOS setup.
It works with the following BIOSes:

  • ACER/IBM BIOS
  • AMI BIOS
  • AMI WinBIOS 2.5
  • Award 4.5x/4.6x/6.0
  • Compaq (1992)
  • Compaq (New version)
  • IBM (PS/2, Activa, Thinkpad)
  • Packard Bell
  • Phoenix 1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev 1.13.1107
  • Phoenix 4 release 6 (User)
  • Gateway Solo - Phoenix 4.0 release 6
  • Toshiba
  • Zenith AMI

With CmosPwd, you can also back up, restore and erase/kill the CMOS.


CmosPwd Download

CmosPwd is free; it is distributed under the GPL.

Cmos password recovery tools 5.0

  • DOS/Windows 9x and Windows NT/W2K/XP/2003/... versions, zip
  • Source only tar.bz2

CmosPwd works and compiles under

  • Dos-Win9x
  • Windows NT/W2K/XP/2003/...
  • Linux
  • FreeBSD and NetBSD

CmosPwd Development

To get information about new CmosPwd releases or development, subscribe to cmospwd.

Hints for various manufacturers

Unlock code generator

Check http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html; it contains programs to unlock some:

  • Compaq
  • Dell
  • Fujitsu-Siemens
  • Hewlett-Packard
  • Insyde H20
  • Phoenix
  • Sony
  • Samsung

EEPROM on laptops

On laptops, the password is usually stored in an EEPROM on the motherboard and not in the CMOS. You need an EEPROM programmer/reader (an electronic device) to retrieve the password. If you erase the CMOS (i.e. cmospwd /k) and the password is really stored in an EEPROM, you won't be able to boot anymore.

You can buy an EEPROM programmer in electronics shops or labs; you need another PC to use it. You can desolder the EEPROM with hot air or you can try to "clip" the EEPROM. With the EEPROM programmer, back up your EEPROM and run cmospwd /d /l eeprom_backup. If you don't see the password, you can try to fill the EEPROM with zero or FF; don't forget to reset the CMOS.
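Several entries on this page read "password in scan code at <offset>": the field holds keyboard make codes rather than ASCII text. The sketch below is an added example, not CmosPwd's source; it assumes scan code set 1 with a US layout, a 0x00 terminator and an 8-byte field, and it runs on a constructed 512-byte image with a field placed at 0x110.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan code set 1 make codes -> unshifted US-layout characters (0 = none). */
static const char SET1[] =
    "\0\0" "1234567890-=" "\0\0" "qwertyuiop[]" "\0\0"
    "asdfghjkl;'`" "\0\\" "zxcvbnm,./" "\0*\0 ";

/* Decode make codes starting at `off` in an EEPROM image. Stops at the first
 * 0x00 byte (assumed terminator), after max_len codes, or at the end of the
 * image. Codes with no character are shown as '?'. Returns the length. */
size_t decode_scancodes(const unsigned char *img, size_t img_len, size_t off,
                        size_t max_len, char *out, size_t out_size)
{
    size_t n = 0;
    if (out_size == 0)
        return 0;
    while (n < max_len && off + n < img_len && n + 1 < out_size) {
        unsigned char sc = img[off + n];
        if (sc == 0x00)
            break;
        char c = (sc < sizeof SET1 - 1) ? SET1[sc] : '\0';
        out[n++] = c ? c : '?';
    }
    out[n] = '\0';
    return n;
}

/* Constructed sample: blank (0xFF) image with the codes for "test12" at 0x110. */
void make_sample_image(unsigned char *img, size_t len)
{
    static const unsigned char field[] = {0x14, 0x12, 0x1F, 0x14, 0x02, 0x03, 0x00};
    memset(img, 0xFF, len);
    if (len >= 0x110 + sizeof field)
        memcpy(img + 0x110, field, sizeof field);
}

int main(void)
{
    unsigned char img[512];
    char pw[16];
    make_sample_image(img, sizeof img);
    decode_scancodes(img, sizeof img, 0x110, 8, pw, sizeof pw);
    printf("0x110: \"%s\"\n", pw);
    return 0;
}
```

A field that decodes only to '?' is blank (0xFF) or not stored as set 1 make codes at that offset.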

Acer

  • Acer 630: eeprom 93c56 ?
  • Acer Aspire 1522: Under the keyboard, search for switch SW1 on the left of the fan jack, switch the pin 1 to on, turn on the notebook, press F2 and set a new supervisor password, turn off and switch back SW1.
  • Acer Travelmate 280: search for SW1 switch on the motherboard and enable the switch 3 to disable the password request.
  • Acer Travelmate 6592g: Disconnect the yellow CMOS battery (near the DVD bay but hard to access) and reconnect it after a few hours, then hold F2 during the first boot.

Award BIOS

  • AWARD 4.50 has a backdoor, a generic password: AWARD_SW
  • SOYO motherboards have "SY_MB" as the master password for Award 4.51.
  • CmosPwd gives equivalent passwords for Award BIOS, not the original one.

Dell

The official method is to contact Dell Technical Support. Dell Technical Support will request the Service Tag and Express Service Code from the bottom of the Latitude. If the current user is not the original Latitude owner, Dell will transfer the used Latitude’s registration from the original owner with only the Service Tag and Express Service Code from the tag on the laptop.

  • Dell Inspiron 5100: eeprom 93lc46, password in scan code at 0x310
  • Dell Inspiron 7500: eeprom 24c164
  • Dell Inspiron 8100: eeprom 24c02
  • Dell Latitude C600: eeprom 24c02, password in scan code at 0x00, 0x10 and 0x90
  • Dell Latitude C610: eeprom 24c02, password in scan code at 0x00, 0x10, 0x80 and 0x90
  • Dell Latitude C640: eeprom 24c04, password in scan code at 0x100 and 0x180
  • Dell Latitude CPI: eeprom 24c02, password in scan code at 0x00, 0x10, 0x80
  • Dell D600: eeprom 24c04, password in scan code at 0x110
  • Dell Optiplex: Remove the PSWD jumper
  • For most Dell Dimension desktops, the steps to reset a BIOS password and clear all CMOS settings are:
    • Locate the 3-pin CMOS password reset jumper on the system board.
    • Remove the jumper plug from pins 1 and 2.
    • Place the jumper plug on pins 2 and 3 and wait approximately 5 seconds.
    • Replace the jumper plug on pins 1 and 2.

HP / Compaq

  • Compaq M700: eeprom 24C02
  • HP NX9010: eeprom 24C02
  • HP Omnibook 900,2100,4150,7150: eeprom AT24c164, 0x6D-0x7F area, unknown algorithm

Put a 00 at 0x7F to clear the admin password.

  • HP Omnibook 6000: eeprom 24c08 or 24c164, 0x50-0xBF area (maybe 0x50-0x6F only), unknown algorithm
  • HP Omnibook 6100: eeprom 24c08
  • HP Omnibook XE3: eeprom 24c16
  • HP Omnibook 770x: eeprom 24c01
  • HP Pavilion ze4455ea: eeprom 24c08

IBM

  • IBM Thinkpad X20: eeprom 24RFC08CN, password in scan code at 0x338
  • IBM TP 240: eeprom ?, password in scan code at 0x338.
  • IBM TP 380Z: eeprom 24c01, password in scan code at 0x38 and 0x40
  • IBM TP 390: eeprom 24c03 (be careful, there are two EEPROMs)
  • IBM TP 560X: eeprom 24c01, password in scan code at 0x38 and 0x40
  • IBM TP 570: eeprom ?, password in scan code at 0x338 and 0x3B8.
  • IBM TP 750C,755CX,760C,765D: eeprom 93c46, password in scan code at 0x38 and 0x40

OKI M811b may be written on the chip. Search near the PCMCIA slot or adjacent to the floppy connector on the top side of the board.

  • IBM TP 770: eeprom 24c01
  • IBM TP 600E, T21, T23: 14 PIN 24RF08
  • IBM TP T20,X20,X30: 24RF08, password in scan code at 0x338 and 0x340

Sony

  • Sony pcg-fx950: eeprom 93c46 ?
  • VAIO 641: eeprom 24c02, write zero at 0x0

Be careful, there are two EEPROMs; you must unsolder the one to the PCI controller, which is on the bottom side of the board.

  • VAIO 8851: eeprom 24c02 (ic 903), write zero at address 0x0, on the bottom side of the board
  • VAIO srx 87: eeprom 2408, write zero at 0x0. The IC is behind the modem on the top side of the board
  • VAIO PCG-FX150, eeprom 24c04 near the reference IC1103
  • VAIO PCG-GRX560, eeprom 24c04 near the reference IC1001
  • VAIO PCG-FR415S, "cmospwd /k" removes the password.

Toshiba

  • To reset the password of a very old Toshiba, you can use KeyDisk.
  • If the KeyDisk doesn't work, you can try to build the Toshiba parallel loopback.

A lot of Toshiba computers remove the password at boot when a simple device is connected to the parallel port. The device, named "loopback" by some, can be made out of any parallel cable with 25-pin connectors (DB25). You should connect these pins: 1-5-10, 2-11, 3-17, 4-12, 6-16, 7-13, 8-14, 9-15, 18-25

  • Toshiba 74600C: eeprom 93c56
  • Toshiba Satellite A100: The BIOS password can be removed by erasing the cmos content with cmospwd /k.
