TrackSomebody.com

october27thgroup.com pentesting, pci, red team

illmob.org

How to Bypass BIOS Passwords

September 6th, 2008 by Dev Team in Apple, BIOS, Linux, Password Info, Uncategorized, windows

BIOS passwords can be add extra layer of security for desktop and laptop computers, and are used to either prevent a user from changing the BIOS settings or to prevent the PC from booting without a password. BIOS passwords can also be a liability if a user forgot their passwords, or if a malicious user changes the password. Sending the unit back to the manufacturer to have the BIOS reset can be expensive and is usually not covered in an a typical warranty. However, there are a few known backdoors and other tricks of the trade that can be used to bypass or reset the BIOS password on most systems.

To enter the BIOS Setup try these keystrokes:

  • AMI BIOS:  Del key during the POST
  • DTK BIOS:  Esc key during the POST
  • Award BIOS:  Ctrl-Alt-Esc
  • misc BIOS:  Ctrl-Esc
  • Phoenix BIOS:  Ctrl-Alt-Esc or Ctrl-Alt-S
  • IBM PS/2 BIOS:  Ctrl-Alt-Ins after Ctrl-Alt-Del

Backdoor Passwords

Many BIOS manufacturers have provided backdoor passwords that can be used to access the BIOS setup in the event you have lost your password. These passwords are case sensitive, so you may wish to try a variety of combinations.

WARNING: Some BIOS configurations will lock you out of the system completely if you type in an incorrect password more than 3 times. Read your manufacturers documentation for the BIOS setting before you begin typing in passwords.

Award BIOS backdoor passwords:

ALFAROME BIOSTAR KDD ZAAADA
ALLy CONCAT Lkwpeter ZBAAACA
aLLy CONDO LKWPETER ZJAAADC
aLLY Condo PINT 01322222
ALLY d8on pint 589589
aPAf djonet SER 589721
_award HLT SKY_FOX 595595
AWARD_SW J64 SYXZ 598598
AWARD?SW J256 syxz
AWARD SW J262 shift + syxz
AWARD PW j332 TTPTHA
AWKWARD j322
awkward

AMI BIOS Backdoor Passwords:

AMI BIOS PASSWORD HEWITT RAND
AMI?SW AMI_SW LKWPETER CONDO

Phoenix BIOS Backdoor Passwords:

phoenix PHOENIX CMOS BIOS

Misc. Common Passwords

ALFAROME BIOSTAR biostar biosstar
CMOS cmos LKWPETER lkwpeter
setup SETUP Syxz Wodj

Other BIOS Passwords by Manufacturer

Manufacturer Password
VOBIS & IBM merlin
Dell Dell
Biostar Biostar
Compaq Compaq
Enox xo11nE
Epox central
Freetech Posterie
IWill iwill
Jetway spooml
Packard Bell bell9
QDI QDI
Siemens SKY_FOX
TMC BIGO
Toshiba Toshiba

Toshiba BIOS

Most Toshiba laptops and some desktop systems will bypass the BIOS password if the left shift key is held down during boot

IBM Aptiva BIOS

Press both mouse buttons repeatedly during the boot

Motherboard “Clear CMOS” Jumper or Dipswitch settings

Many motherboards feature a set of jumpers or dipswitches that will clear the CMOS and wipe all of the custom settings including BIOS passwords. The locations of these jumpers / dipswitches will vary depending on the motherboard manufacturer and ideally you should always refer to the motherboard or computer manufacturers documentation. If the documentation is unavailable, the jumpers/dipswitches can sometimes be found along the edge of the motherboard, next to the CMOS battery, or near the processor. Some manufacturers may label the jumper / dipswitch CLEAR – CLEAR CMOS – CLR – CLRPWD – PASSWD – PASSWORD – PWD. On laptop computers, the dipswitches are usually found under the keyboard or within a compartment at the bottom of the laptop.

Please remember to unplug your PC and use a grounding strip before reaching into your PC and touching the motherboard. Once you locate and rest the jumper switches, turn the computer on and check if the password has been cleared. If it has, turn the computer off and return the jumpers or dipswitches to its original position.

Removing the CMOS Battery

The CMOS settings on most systems are buffered by a small battery that is attached to the motherboard. (It looks like a small watch battery). If you unplug the PC and remove the battery for 10-15 minutes, the CMOS may reset itself and the password should be blank. (Along with any other machine specific settings, so be sure you are familiar with manually reconfiguring the BIOS settings before you do this.) Some manufacturers backup the power to the CMOS chipset by using a capacitor, so if your first attempt fails, leave the battery out (with the system unplugged) for at least 24 hours. Some batteries are actually soldered onto the motherboard making this task more difficult. Unsoldering the battery incorrectly may damage your motherboard and other components, so please don’t attempt this if you are inexperienced. Another option may be to remove the CMOS chip from the motherboard for a period of time.

Note: Removing the battery to reset the CMOS will not work for all PC’s, and almost all of the newer laptops store their BIOS passwords in a manner which does not require continuous power, so removing the CMOS battery may not work at all. IBM Thinkpad laptops lock the hard drive as well as the BIOS when the supervisor password is set. If you reset the BIOS password, but cannot reset the hard drive password, you may not be able to access the drive and it will remain locked, even if you place it in a new laptop. IBM Thinkpads have special jumper switches on the motherboard, and these should be used to reset the system.

Use the Debug command

Boot to MS- DOS prompt, run through the below example, this example is perfectly fine to run on any PC Computer running MS-DOS / Windows and will not harm anything.

DEBUG script that will just reset the password only

Type debug and press enter.   (ex.  A:\>debug )

After typing debug you will get “-” as a prompt ,type these exactly how they are written.

o 70 10
o 71 20
quit

Explanation of code:

DEBUG    ; Run DEBUG, “-” will appear on each line then type:
o 70 20     ; Send 70 to address 18
o 71 21     ; Send 71 to address FF
q              ; Quit DEBUG

or you can use this alternate DEBUG script that will just reset the the BIOS

A <ENTER>
MOV AX,0 <ENTER>
MOV AX,CX <ENTER>
OUT 70,AL <ENTER>
MOV AX,0 <ENTER>
OUT 71,AL <ENTER>
INC CX <ENTER>
CMP CX,100 <ENTER>
JB 103 <ENTER>
INT 20 <ENTER>
<ENTER> Note: Nothing is typed on this line
G <ENTER> By pressing G this will execute the above script
Q <ENTER>

Then reboot and you will get a Setup Checksum Error. Go into setup, correct all the incorrect values, time, date…


Alternatively you can use the program WipeCMOS from a boot floppy

Use the Decoding software

CmosPwd by CGSecurity – This is probably the most up to date and popular CMOS decryption tool. CmosPwd decrypts password stored in cmos used to access BIOS SETUP, you can also backup, restore and erase/kill cmos.You will have to be logged in as administrator, run ioperm -i command and then run cmospwd_win.exe

PC CMOS Cleaner – PC CMOS Cleaner is an easy-to-use tool to recover, delete, decode and display the superior passwords stored in BIOS whatever the brand is. It’s an bootable CD that runs on x86 and x86_64 computers. It can display the superior passwords of the BIOS, remove BIOS password(will set the BIOS to default status, need reset date).

10 Responses to ' How to Bypass BIOS Passwords '

Subscribe to comments with RSS or TrackBack to ' How to Bypass BIOS Passwords '.

  1. Bob said,

    on September 26th, 2008 at 9:17 pm

    Sup, Whats the chance of getting indexed in Google? They never approve!!!BTW, Nice blog, but I do not like how free blogs work. They deleted mine….~BOB

  2. Dev Team said,

    on September 26th, 2008 at 10:52 pm

    This isn’t hosted by wordpress we just use the blog. And getting indexed by google goes quicker when you are using google apps for your domain mail etc

  3. Thomas said,

    on July 21st, 2009 at 5:05 am

    None these programs work to clear the supervisor password if you have Intel Security TPM chip on your laptop.

  4. mark said,

    on October 25th, 2009 at 6:54 am

    A. By Using the Motherboard Jumper:

    In most motherboards CMOS battery is soldered, which makes it difficult to remove the battery. In this case we use another method.

    Almost all motherboards contain a jumper that can clear all CMOS settings along with the BIOS password. The location of this jumper varies depending upon the motherboard brand. You should read your motherboard manual to check its location. If you don’t have the manual then look for the jumpers near the CMOS battery. Most of the manufacturer label the jumper as CLR, CLEAR, CLEAR CMOS, etc.

    When you find the jumper, look carefully. There will be 3 pins and the jumper will be joining the center pin to either left or right pin. What you need to do, is remove the jumper and join the center pin to the opposite pin. e.g. if the jumper joins center pin to left pin, then remove it and join center pin to right pin. Now wait for a few seconds and then again remove the jumper and join the center pin to left pin.

    Make sure to turn the PC off before opening the cabinet and resetting the jumper.

  5. Ranggiguy said,

    on December 28th, 2009 at 1:11 pm

    hello i am using acer extensa 4630z.
    the bios type INSYDEH20 REV.3.5
    i forgor the hdd passwd.
    please anyone help me…

  6. Jonny Marc said,

    on August 14th, 2011 at 5:35 pm

    Very nice site, we are very lucky that you share this type of content with us. Keep the good work.

  7. Mr. Shikhar Joshi said,

    on December 18th, 2011 at 10:03 pm

    As regards my experience of Computer Hardware Micro Chip Level Technician, In case of laptops such as dell Toshiba Ibm etc there are one another eeprom except bios chip. EEPROM is one kind of memory where bios changes and supervisor password are written permanently. if you forget these passwords you can’t access your laptop.

    Note: The software(PCCleaner) won’t work if you forgot supervisor. There is another way of unlocking these types of problems. The way is Completely related on Hardware method. The E-EPROM need to be erased & re-programmed by Programming kit. Which facility is available in my Computer Hardware Lab. There is not any kinds of risk using this method, but it is necessary that The task do only Hardware Micro-Chip Level professional only.

    If you want to unlock the laptop having supervisor password you can contact me

    My Address: SHIKHAR COMPUTER HARDWARE, Kathmandu, Nepal.
    Contact: +977-9849018615, +977-9721241453
    Email: shikharjoshi@yahoo.com
    shikahrjoshi1@gmail.com
    My name : Mr. Shikhar Joshi
    Authorized and certified technician by NCCA, CTEVT Nepal. etc

    Residence: New Baneshwor, Kathmandu, Nepal

  8. Phill Thorne said,

    on December 20th, 2011 at 7:30 am

    I hear this is possible for the Sony Vaio too. Is there anyone with any good links? I also have WinPIC and a Velleman P8048 programmer but don’t know if it will do what is required. If it will can someone suggest a tut as I’m not skilled in this area. I do have good solder skills though.

  9. Ambroise said,

    on December 26th, 2014 at 9:28 am

    I have IBM Lenovo R60 that have password in the bios, time and date are also wrong.
    impossible to boot on CD or USB, what do I do? please help me!

  10. aov said,

    on July 27th, 2015 at 5:39 am

    acer aspire 5250 laptop bios backdoor recovery

Leave a reply