China DOS Union

-- Unite DOS · Advance DOS · Grow DOS --

Union site: www.cn-dos.net Forum site: www.cn-dos.net/forum
DOS stands for freedom, openness and progress. Let us work hard, learn from the openness and GNU spirit of FreeDOS and Linux, and together build and grow a free GNU GPL world!

China DOS Union Forum
China DOS Union Forum » DOS Development & Programming / Growth Exchange (Dev Room) » Repost: Complete CMOS Password-Cracking Manual   Views 2,148   Replies 3
Original Poster Posted 2002-11-08 00:00 ·  China, Guangdong, Foshan, Chancheng District (China Telecom)
Veteran member
★★★★
Credits 5,170
Posts 1,637
Joined 2002-10-16 00:00
23-year member
UID 8
Gender Male
From Foshan, Guangdong
Status Offline
Complete CMOS Cracking Manual
cartoonboy (11/03/1999)

  1) As for CMOS, I believe everyone is no longer unfamiliar with it. There are also quite a few articles on cracking CMOS passwords. Here I (cartoonboy), based on my own experience and referring to related articles in the digest section, will explain how to unlock a CMOS password:
First, let me explain some of the CMOS structure:

00000000H 30 00 | FF 00 | 39 00 | FF 00 | 12 00 | FF 00 | 01 00 | 18 00
sec | sec alarm| min | min alarm | hour | hour alarm | week | day
00000010H 11 00 | 98 00 | 26 00 | 02 00 | 70 00 | 80 00 | 00 00 | 00 00
month| year | register A| register B| register C| register D| diagnosis| power-off
00000020H 40 00 | 7E 00 | F0 00 | 03 00 | 0F 00 | 80 00 | 02 00 | 00 00
floppy drive| password area| hard disk| unknown| device| base memory| expansion
00000030H 7C 00 | 2E 00 | 00 00 | 7F 00 | 15 00 | 86 00 | 00 00 | 00 00
memory| hard disk type| unknown | password data bits | unknown
00000040H 00 00 | 00 00 | 00 00 | 00 00 | 00 00 | 00 00 | E2 00 | 22 00
unknown
00000050H 0F 00 | FF 00 | FF 00 | E1 00 | 22 00 | 3F 00 | 08 00 | 59 00
unknown
00000060H 00 00 | 7C 00 | 19 00 | 80 00 | FF 00 | FF 00 | FF 00 | FF 00
unknown| century value | unknown
00000070H 7D 00 | 81 00 | AA 00 | 0F 00 | 39 00 | 9B 00 | E8 00 | 19 00
unknown

The above content was taken from other materials, so it may not be completely correct. Of the four bytes 38H-3BH, the two bytes 39H and 3BH are always 00H, so we can skip them; the key to the CMOS password is therefore concentrated in the two bytes 38H and 3AH. First let me introduce a bit of Award's password rules. Award allows passwords from one to eight characters, and the range of each character is 20H-7FH, that is, from space to ASCII 127. I suppose everyone has already noticed that fitting eight characters into two bytes seems impossible without some compression. Indeed, Award compresses it, but not in the ordinary way. I think Award also intended to encrypt it, because there is still plenty of empty space in CMOS, and storing eight bytes would not really be a problem. But a password left that naked would be even more useless. Usual compression methods include lossless compression such as zip, arj, etc., or lossy compression such as mpeg, jpeg, etc. But for just a few bytes, those methods have no place to show their strengths, and compressed data ought to be restorable, otherwise there would be no point in compressing it. Award's method is different. It not only uses a super-lossy compression, it uses a HASH algorithm, and this compression cannot be reversed. Below is its encryption/compression method (the following values and calculations are all in hexadecimal): suppose there is a password, eight characters long, written as ABCDEFGH (the value range of each character is 20H-7FH). Calculate it according to the following formula: H+4*G+10*F+40*E+100*D+400*C+1000*B+4000*A, store the result from low to high into the bytes H1, H2, H3, then store H2 at address 3AH, and store the sum of H1 and H3 at 38H. If the password has fewer than eight characters, and so on.

Now for an example: my password is r*vte, whose ASCII codes are 72H, 2AH, 76H, 74H, 65H. Calculating by the formula gives: 72*100 + 2A*40 + 76*10 + 74*4 + 65=8615, so H1=00H, H2=86H, H3=15H, therefore the value at 3AH is 86H, and the value at 38H is 15H. So the password seems to be that simple. Every time you enter the password, BIOS calculates it and compares it with the value in CMOS. If they are the same, you pass; otherwise, no chance. That's the process, but there are still some things to explain. First let's calculate how many kinds of passwords two bytes can represent: 16^4=65536 kinds, while an eight-character password, with 96 choices for each character, can represent: 96^8≈7.2×10^15 kinds of passwords, so theoretically, for each password, you can find about 10^11 passwords that have the same effect. But in fact not everyone uses an eight-character password, so maybe the number is not quite that frighteningly large, though it is still quite a lot. For example, for my password alone, there are already more than 250,000 five-character passwords with the same effect, and even more six-, seven-, and eight-character ones. The exact number is unknown, because I've never finished calculating them all. It takes too long, and I can't afford it.

2) About universal passwords:
Only versions before Award 4.51 have universal passwords:
wantgirl
Syxz (pay attention to the capital letter)
dirrid
wnatgirl

3) Here I will also introduce the cracking programs from Fudan netizens: (those with poor morals and those whose skill is not deep enough may skip this)

(0)
This is the method that I, moderator cartoonboy, used to break more than ten machines in a row without ever failing. Treasure it.
Try this (under DOS):
debug
o 70 2e
o 71 00
o 70 2f
o 71 00
Note: under Windows NT, many cracking programs cannot be used, because the DOS in Windows NT is emulated and forbids writing to CMOS. Please take note.

(1)

//AMIPWD.CPP --- Show AMI Password String
//Compile with SMALL model Tel:027-7800172 7404402(H)
//Email:mecad@server20.hust.edu.cn
#include <stdio.h>   /* header names were lost in extraction; stdio.h and dos.h (Borland inp/outp) restored */
#include <dos.h>
#define BYTE unsigned char
/* Undo AMI's bit rotation one step at a time: rotate 'key' right through the
   carry, setting the carry when bits 7,6,1,0 (mask C3H) have odd parity, until
   the byte equals the next stored byte c2; the number of steps is the character. */
char AMI_unEncrypt( BYTE key,BYTE c2){
asm xor di,di
asm mov bl,key
asm mov cl,c2
lab1:
asm test bl,0xc3
asm jpe lab2
asm stc
lab2:
asm rcr bl,1
asm inc di
asm cmp bl,cl
asm jne lab1          /* original had a stray ':' after the label name */
return _DI;
}
/* Read one CMOS byte: select the index through port 70H, then read port 71H.
   The write to port EDH is a short I/O delay between select and read. */
BYTE rbyte(int port){
outp(0x70,port);
outp(0xed, port);
return inp(0x71);
}
// 0x38-3d password code 0x37 initial value
void main(){
int i, length;
static BYTE secret[7];
char str[22]="";
for(length=0; length<7; length++)
secret[length] = rbyte(0x37+length);
secret[0] &= 0xf0;
/* loop bound reconstructed: the '<...>' part of the condition was stripped in extraction */
for(i=0; i<6 && secret[i+1]>0; i++)
str[i] = AMI_unEncrypt(secret[i], secret[i+1]);
str[i+1]=0;
if (secret[1]==0)
printf("No password\n");
else
printf("Password=%s\n",str);
return;
}


(2)
The BIOS password decryption algorithm for AMI motherboards mentioned above has been tested successfully on microcomputers with BIOS dates 91.5.5, 91.7.7, 91.12.12, 92.6.6, and 92.11.11. For easier understanding, the C code of the decryption algorithm is listed below:

char AMI_unEncrypt( BYTE key,BYTE c2){
BYTE num[]={ 0,1,1,2 };             /* bit counts of 0..3, used for the parity of bits 7,6 and 1,0 */
int di=0,c;
do{
c=num[key>>6]+num[key&3];           /* parity of the bits under mask C3H */
if (c&1) key=0x80+(key>>1);         /* odd parity: rotate a 1 in at the top */
else key>>=1;                       /* even parity: rotate a 0 in */
di++;
}while(key!=c2);                    /* the post is cut off here; loop condition and return follow the asm version in the first listing */
return di;
}
My blog
http://hzmys.blog.163.com/
My cloud drive
firststep.qjwm.com
fsmys.ys168.com
ssmys.ys168.com
www.brsbox.com/fsmys
www.brsbox.com/ssmys
www.brsbox.com/ccdos
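The Award two-byte digest from section 1) of the article above, as an added example (not code from the original post or from cartoonboy): it reproduces the r*vte worked example (38H=15H, 3AH=86H) and constructs a second password with the same digest, which is the simplest way to see why two bytes cannot identify an eight-character password. The article does not say what happens when H1+H3 exceeds a byte; keeping the low byte is an assumption of this code, and the function names are the example's own.

```python
# Added example (not code from the original post): the Award two-byte
# password digest as section 1) of cartoonboy's article describes it, with
# the r*vte worked example and a constructed collision.
# Assumption: the article does not say what happens when H1+H3 overflows a
# byte; this code keeps the low byte.

def award_digest(password: str) -> tuple:
    """Return (byte stored at 38H, byte stored at 3AH).

    The formula H + 4*G + 10H*F + 40H*E + 100H*D + 400H*C + 1000H*B + 4000H*A
    is a base-4 weighting: the last character counts once, each earlier one
    four times as much.  Horner form below gives the same sum.
    """
    if not 1 <= len(password) <= 8:
        raise ValueError("Award passwords are 1 to 8 characters long")
    value = 0
    for ch in password:
        code = ord(ch)
        if not 0x20 <= code <= 0x7F:
            raise ValueError("characters must lie in 20H-7FH")
        value = value * 4 + code
    h1 = (value >> 16) & 0xFF   # highest byte (H1)
    h2 = (value >> 8) & 0xFF    # middle byte  (H2, stored at 3AH)
    h3 = value & 0xFF           # lowest byte  (H3)
    return ((h1 + h3) & 0xFF, h2)   # (38H, 3AH)


def neighbour_collision(password: str):
    """Return a different password with the same digest, or None.

    Adjacent weights differ by a factor of 4, so lowering one character by 1
    and raising the next by 4 leaves the sum unchanged (and so does the
    reverse).  The article's count of 250,000+ five-character equivalents
    follows from this same linearity.
    """
    if len(password) < 2:
        return None
    codes = [ord(c) for c in password]
    for da, db in ((-1, +4), (+1, -4)):
        a, b = codes[-2] + da, codes[-1] + db
        if 0x20 <= a <= 0x7F and 0x20 <= b <= 0x7F:
            return password[:-2] + chr(a) + chr(b)
    return None


if __name__ == "__main__":
    b38, b3a = award_digest("r*vte")
    print(f"r*vte -> 38H={b38:02X} 3AH={b3a:02X}")   # 38H=15 3AH=86, as in the article
    twin = neighbour_collision("r*vte")
    print(f"{twin!r} has the same digest: {award_digest(twin) == (b38, b3a)}")
```

Because the digest is linear in the character codes, every two-byte value is reachable from a huge family of inputs; the BIOS compares only these two bytes, so any member of the family passes the check. That, not the secrecy of the formula, is the weakness the article is pointing at.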
Floor 2 Posted 2002-11-15 00:00 ·  China, Zhejiang, Ningbo (China Unicom)
Intermediate user
★★
imp
Credits 312
Posts 82
Joined 2002-11-09 00:00
23-year member
UID 204
Gender Male
Status Offline
I installed a CD writer, and after rebooting, the CMOS password was gone.
Floor 3 Posted 2002-11-20 00:00 ·  China, Shanghai, Jing'an District (China Telecom)
Junior user
Credits 126
Posts 6
Joined 2002-11-20 00:00
23-year member
UID 291
Gender Male
Status Offline
debug
-o 70 20
-o 71 21
and it will load the defaults, and the password will be gone too.
Floor 4 Posted 2002-11-20 00:00 ·  China, Shanghai, Jing'an District (China Telecom)
Junior user
Credits 126
Posts 6
Joined 2002-11-20 00:00
23-year member
UID 291
Gender Male
Status Offline
Actually, all these methods just damage the CMOS checksum, making the BIOS load the default values, thereby clearing the password.
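What the post above means by "damage the CMOS checksum", as an added example (not code from the thread): the standard PC/AT CMOS checksum computed over a constructed 64-byte image. The layout is an assumption of this example rather than something the thread states: the checksum is the 16-bit sum of bytes 10H-2DH, stored high byte at 2EH and low byte at 2FH, which is the pair the debug session in the first post writes to 00H. All values in the image and the function names are the example's own.

```python
# Added example (not code from the thread): the AT-compatible CMOS checksum
# over a constructed 64-byte image.  Assumed layout (classic PC/AT convention,
# not stated in the thread): checksum = 16-bit sum of bytes 10H..2DH, stored
# high byte at 2EH and low byte at 2FH.

CHECKSUM_RANGE = range(0x10, 0x2E)   # bytes 10H..2DH inclusive


def cmos_checksum(image: bytes) -> int:
    """16-bit sum of the checksummed configuration bytes."""
    return sum(image[i] for i in CHECKSUM_RANGE) & 0xFFFF


def stored_checksum(image: bytes) -> int:
    """The checksum as recorded in the image (2EH high, 2FH low)."""
    return (image[0x2E] << 8) | image[0x2F]


def checksum_ok(image: bytes) -> bool:
    """What the POST does: recompute and compare; a mismatch means 'load defaults'."""
    return cmos_checksum(image) == stored_checksum(image)


def build_sample_image() -> bytes:
    """A constructed image with a few plausible configuration bytes and a valid checksum."""
    img = bytearray(64)
    img[0x10] = 0x40                    # floppy type byte (constructed value)
    img[0x12] = 0xF0                    # hard disk type byte (constructed value)
    img[0x14] = 0x0F                    # equipment byte (constructed value)
    img[0x15], img[0x16] = 0x80, 0x02   # base memory 0280H = 640 KB, low byte first
    # The Award digest bytes from the article's r*vte example sit at 38H/3AH,
    # outside the checksummed range, so the checksum says nothing about them.
    img[0x38], img[0x3A] = 0x15, 0x86
    cs = cmos_checksum(img)
    img[0x2E], img[0x2F] = cs >> 8, cs & 0xFF
    return bytes(img)


def with_checksum_cleared(image: bytes) -> bytes:
    """The image as it looks after 2EH and 2FH have been written to 00H."""
    img = bytearray(image)
    img[0x2E] = img[0x2F] = 0
    return bytes(img)


if __name__ == "__main__":
    good = build_sample_image()
    print(f"stored {stored_checksum(good):04X}, computed {cmos_checksum(good):04X}, ok={checksum_ok(good)}")
    bad = with_checksum_cleared(good)
    print(f"after clearing 2EH/2FH: ok={checksum_ok(bad)} -> BIOS falls back to defaults")
```

The point for anyone administering such machines is that the checksum is an integrity check, not a protection: a mismatch at POST is the visible symptom that the configuration was altered outside of setup, and the BIOS reacts by discarding the stored settings, password included. That is why the "CMOS checksum error" message after one of these procedures is expected, and why a BIOS password on its own never stops someone with local access to port 70H/71H.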