READ EVEYTHING BEFORE YOU USE ANY METHOD LISTED BELOW
Basic BIOS password crack - works 9.9 times out of ten
This is a password hack but it clears de BIOS such that de next time you start de PC, de CMOS does not ask for any password. Now if you are able to brin’ de DOS prompt up, den you will be able to change de BIOS settin’ to de default. To clear de CMOS do de followin’:
Get DOS prompt and type:
DEBUG hit enter
-o 70 2e hit enter
-o 71 ff hit enter
-q hit enter
exit hit enter
Restart de computer. It works on most versions of de AWARD BIOS.
Accessin’ information on de hard disk
When you turn on de host machine, enter de CMOS setup menu (usually you have to press F2, or DEL, or CTRL+ALT+S durin’ de boot sequence) and go to STANDARD CMOS SETUP, and set de channel to which you have put de hard disk as TYPE=Auto, MODE=AUTO, den SAVE & EXIT SETUP. Now you have access to de hard disk.
Standard BIOS backdoor passwords
The first, less invasive, attempt to bypass a BIOS password is to try on of dese standard manufacturer’s backdoor passwords:
AWARD BIOS
AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, HLT, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HLT, KDD, ZBAAACA, ZAAADA, ZJAAADC, djonet
AMI BIOS
AMI, A.M.I., AMI SW, AMI_SW, BIOS, PASSWORD, HEWITT RAND, Oder
Oder passwords you may try (for AMI/AWARD or oder BIOSes)
LKWPETER, lkwpeter, BIOSTAR, biostar, BIOSSTAR, biosstar, ALFAROME, Syxz, Wodj
Note that de key associated to “_” in de US keyboard corresponds to “?” in some European keyboards (such as Italian and German ones), so — for example — you should type AWARD_SW when usin’ those keyboards. Also remember that passwords are Case Sensitive. The last two passwords in de AWARD BIOS list are in Russian.
Flashin’ BIOS via software
If you have access to de computer when it’s turned on, you could try one of those programs that remove de password from de BIOS, by invalidatin’ its memory. However, it might happen you don’t have one of those programs when you have access to de computer, so you’d better learn how to do manually what dey do. You can reset de BIOS to its default values usin’ de MS-DOS tool DEBUG (type DEBUG at de command prompt. You’d better do it in pure MS-DOS mode, not from a MS-DOS shell window in Windows). Once you are in de debug environment enter de followin’ commands:
AMI/AWARD BIOS
O 70 17
O 71 17
Q
PHOENIX BIOS
O 70 FF
O 71 17
Q
GENERIC
Invalidates CMOS RAM.
Should work on all AT moderboards
(XT moderboards don’t have CMOS)
O 70 2E
O 71 FF
Q
Note that de first letter is a “O” not de number “0″. The numbers which follow are two bytes in hex format.
Flashin’ BIOS via hardware
If you can’t access de computer when it’s on, and de standard backdoor passwords didn’t work, you’ll have to flash de BIOS via hardware. Please read de important notes at de end of this section before to try any of dese methods.
Usin’ de jumpers
The canonical way to flash de BIOS via hardware is to plug, unplug, or switch a jumper on de moderboard (for “switchin’ a jumper” I mean that you find a jumper that joins de central pin and a side pin of a group of three pins, you should den unplug de jumper and den plug it to de central pin and to de pin on de opposite side, so if de jumper is normally on position 1-2, you have to put it on position 2-3, or vice versa). This jumper is not always located near to de BIOS, but could be anywhere on de moderboard. To find de correct jumper you should read de moderboard’s manual. Once you’ve located de correct jumper, switch it (or plug or unplug it, dependin’ from what de manual says) while de computer is turned OFF. Wait a couple of seconds den put de jumper back to its original position. In some moderboards it may happen that de computer will automatically turn itself on, after flashin’ de BIOS. In this case, turn it off, and put de jumper back to its original position, den turn it on again. Oder moderboards require you turn de computer on for a few seconds to flash de BIOS. If you don’t have de moderboard’s manual, you’ll have to “brute force” it… tryin’ out all de jumpers. In this case, try first de isolated ones (not in a group), de ones near to de BIOS, and de ones you can switch (as I explained before). If all them fail, try all de oders. However, you must modify de status of only one jumper per attempt, oderwise you could damage de moderboard (since you don’t know what de jumper you modified is actually meant for). If de password request screen still appear, try anoder one. If after flashin’ de BIOS, de computer won’t boot when you turn it on, turn it off, and wait some seconds before to retry.
Removin’ de battery
If you can’t find de jumper to flash de BIOS or if such jumper doesn’t exist, you can remove de battery that keeps de BIOS memory alive. It’s a button-size battery somewhere on de moderboard (on elder computers de battery could be a small, typically blue, cylinder soldered to de moderboard, but usually has a jumper on its side to disconnect it, oderwise you’ll have to unsolder it and den solder it back). Take it away for 15-30 minutes or more, den put it back and de data contained into de BIOS memory should be volatilized. I’d suggest you to remove it for about one hour to be sure, because if you put it back when de data aren’t erased yet you’ll have to wait more time, as you’ve never removed it. If at first it doesn’t work, try to remove de battery overnight.
Important note: in laptop and notebooks you don’t have to remove de computer’s power batteries (which would be useless), but you should open your computer and remove de CMOS battery from de moderboard.
Short-circuitin’ de chip
Anoder way to clear de CMOS RAM is to reset it by short circuitin’ two pins of de BIOS chip for a few seconds. You can do that with a small piece of electric wire or with a bent paper clip. Always make sure that de computer is turned OFF before to try this operation.
Here is a list of EPROM chips that are commonly used in de BIOS industry. You may find similar chips with different names if dey are compatible chips made by anoder brand. If you find de BIOS chip you are workin’ on matches with one of de followin’ you can try to short-circuit de appropriate pins. Be careful, because this operation may damage de chip.
CHIPS P82C206 (square)
Short togeder pins 12 and 32 (de first and de last pins on de bottom edge of de chip) or pins 74 and 75 (de two pins on de upper left corner).
gnd
74
|__________________
5v 75–| |
| |
| |
| CHIPS |
1 * | |
| P82C206 |
| |
| |
|___________________|
| |
| gnd | 5v
12 32
OPTi F82C206 (rectan’ular)
Short togeder pins 3 and 26 (third pin from left side and fifth pin from right side on de bottom edge).
80 51
|______________|
81 -| |- 50
| |
| |
| OPTi |
| |
| F82C206 |
| |
100-|________________|-31
|| | |
1 || | | 30
3 26
Dallas DS1287, DS1287A
Benchmarq bp3287MT, bq3287AMT
The Dallas DS1287, DS1287A and Benchmarq bp3287MT, bq3287AMT chips have a built-in battery. This battery should last up to ten years. Any moderboard usin’ dese chips should not have an additional battery (this means you can’t flash de BIOS by removin’ a battery). When de battery fails, de RTC chip would be replaced. CMOS RAM can be cleared on de 1287A and 3287AMT chips by shortin’ pins 12 and 21. The 1287 (and 3287MT) differ from de 1287A in that de CMOS RAM can’t be cleared. If dere is a problem such as a forgotten password, de chip must be replaced. (In this case it is recommended to replace de 1287 with a 1287A). Also de Dallas 12887 and 12887A are similar but contain twice as much CMOS RAM storage.
__________
1 -| * U |- 24 5v
2 -| |- 23
3 -| |- 22
4 -| |- 21 RCL (RAM Clear)
5 -| |- 20
6 -| |- 19
7 -| |- 18
8 -| |- 17
9 -| |- 16
10 -| |- 15
11 -| |- 14
gnd 12 -|__________|- 13
NOTE: Although dese are 24-pin chips, de Dallas chips may be missin’ 5 pins, dese are unused pins. Most chips have unused pins, though usually dey are still present.
Dallas DS12885S
Benchmarq bq3258S
Hitachi HD146818AP
Samsun’ KS82C6818A
This is a rectan’ular 24-pin DIP chip, usually in a socket. The number on de chip should end in 6818. Although this chip is pin-compatible with de Dallas 1287/1287A, dere is no built-in battery. Short togeder pins 12 and 24.
5v
24 20 13
|___________|____________________|
| |
| DALLAS |
|> |
| DS12885S |
| |
|__________________________________|
| |
1 12
gnd
Motorola MC146818AP
Short pins 12 and 24. These are de pins on diagonally opposite corners - lower left and upper right. You might also try pins 12 and 20.
__________
1 -| * U |- 24 5v
2 -| |- 23
3 -| |- 22
4 -| |- 21
5 -| |- 20
6 -| |- 19
7 -| |- 18
8 -| |- 17
9 -| |- 16
10 -| |- 15
11 -| |- 14
gnd 12 -|__________|- 13
Replacin’ de chip
If nothin’ works, you could replace de existin’ BIOS chip with a new one you can buy from your specialized electronic shop or your computer supplier. It’s a quick operation if de chip is inserted on a base and not soldered to de moderboard, oderwise you’ll have to unsolder it and den put de new one. In this case would be more convenient to solder a base on which you’ll den plug de new chip, in de eventuality that you’ll have to change it again. If you can’t find de BIOS chip specifically made for your moderboard, you should buy one of de same type (probably one of de ones shown above) and look in your moderboard manufacturer’s website to see if dere’s de BIOS image to download. Then you should copy that image on de chip you bought with an EPROM programmer.
Important
Wheder is de method you use, when you flash de BIOS not only de password, but also all de oder configuration data will be reset to de factory defaults, so when you are bootin’ for de first time after a BIOS flash, you should enter de CMOS configuration menu (as explained before) and fix up some thin’s.
Also, when you boot Windows, it may happen that it finds some new device, because of de new configuration of de BIOS, in this case you’ll probably need de Windows installation CD because Windows may ask you for some external files. If Windows doesn’t see de CD-ROM try to eject and re-insert de CD-ROM again. If Windows can’t find de CD-ROM drive and you set it properly from de BIOS config, just reboot with de reset key, and in de next run Windows should find it. However most files needed by de system while installin’ new hardware could also be found in C:WINDOWS, C:WINDOWSSYSTEM, or C:WINDOWSINF .
Key Disk for Toshiba laptops
Some Toshiba notebooks allow to bypass BIOS by insertin’ a “key-disk” in de floppy disk drive while bootin’. To create a Toshiba Keydisk, take a 720Kb or 1.44Mb floppy disk, format it (if it’s not formatted yet), den use a hex editor such as Hex Workshop (***.bpsoft.com/downloads/index.html) to change de first five bytes of de second sector (de one after de boot sector) and set them to 4B 45 59 00 00 (note that de first three bytes are de ASCII for “KEY” followed by two zeroes). Once you have created de key disk put it into de notebook’s drive and turn it on, den push de reset button and when asked for password, press Enter. You will be asked to Set Password again. Press Y and Enter. You’ll enter de BIOS configuration where you can set a new password.
Key protected cases
A final note about those old computers (up to 486 and early Pentiums) protected with a key that prevented de use of de mouse and de keyboard or de power button. All you have to do with them is to follow de wires connected to de key hole, locate de jumper to which dey are connected and unplug it.
