Recovery Procedure of the Bios Power-on and Setup Passwords

by A.C. (23/08/2000) http://acc.hop.to

Disclaimer

All trademarks used in this private archive are the property of their respective owners.
All documentation in this archive is for private and non-commercial use.
WARNING
ALL INFORMATION ARE UNTESTED, FLASH AT YOUR RISK!!
I'm NOT RESPONSIBLE for MISTAKES in this archive: BE CAREFUL!!

 

  Index    
  Step 1: Master Password Usage    
  Step 3: Password Decrypt / Erase CMOS:
  1. Software Procedures
  2. Hardware Procedures
    
  Step 3: Tips&Triks about single machines to disable Power-On Password and Setup Password    
  <<__Back to main index    

 

 

Master Passwords

<-- back to Index
Thanks to:
- Eleventh Alliance
- Ankit Fadia ankit@bol.net.in
- Elf Qrin (http://www.elfqrin.com/)
 Note that the key associated to "_" in the US keyboard corresponds to "?" in some European keyboards (such as Italian and German ones), so -- for example -- you should type AWARD?SW when using those keyboards. Also remember that passwords are Case Sensitive.    
Bios Manufacturer / Machine Manufacturer

Master Password
       
Generic Procedure Hold down a key, prefearably ins, del , left Shift, right Shift, or F1. Boot the computer and release the key when the BIOS finishes testing the memory.  
Phoenix Bios phoenix    
Ami Bios A.M.I
aammii
ALFAROME
AM
AMI
AMI!SW
AMI.KEY
AMI.KEZ
AMI?SW
AMI_SW
AMI~
AMIAMI
AMIDECOD
AMIPSWD
amipswd
AMISETUP
BIOSPASS
BIOSSTAR
biosstar
BIOSTAR
biostar
CMOSPWD
HEWITT RAND
LKWPETER
lkwpeter
Syxz
Wodj
wodj
    
Award Bios %девять (Russian)
%шесть (Russian)
?award
?award
_award
1322222
256256
589589
589721
595595
598598
admin
ALFAROME
alfarome
aLLy
aPAf
award
AWARD
Award
award
AWARD PW
AWARD SW
Award SW
award sw
Award SW
award.sw
AWARD?SW
award_?
award_ps
AWARD_PW
AWARD_SW
award_sw
awkward
azaaxx
AZAAXX
BIOS
BIOSSTAR
biosstar
BIOSTAR
biostar
CONCAT
Condo
condo
CONDO
d8on
djonet
efmukl
g6PJ
h6BB
HELGA-S
HEWITT RAND
HLT
пpобелов%
j09F
j256
j262
j322
j332
j64
KDD
lkw peter
LKWPETER
lkwpeter
LKWPETER
PASSWORD
SER
setup
SKY_FOX
SW_AWARD
SWITCHES_SW
Sxyz
Syxz
SZYX
t0ch20x
t0ch88
TTPTHA
ttptha
TzqF
Wodj
wodj
ZAAADA
ZBAAACA
zbaaaca
ZJAAADC
zjaaadc
   
Advanced Integration Advance    
Amptron Polrty
AST SnuFG5
Biostar Biostar
Q54arwms
Compaq Compaq
Concord last
Crystalview Crystal
CTX International CTX_123
CyberMax Congress
Daewoo Daewuu
Daytek Daytec
Dell Dell
Digital Equipment komprie
Enox xo11nE
Epox central
Freetech Posterie
IBM IBM
MBIU0
sertafu
Iwill iwill
JetWay spooml
Joss Technology 57gbzb
technolgi
Leading Edge MASTER
M Technology mMmM
MachSpeed sp99dd
Magic-Pro prost
Megastar star
Micron sldkj754
Micron xyzall
Micronics dn_04rjc
Packard Bell bell9
QDI QDI
Quantex teX1
xljlbj
Research Col2ogro2
Shuttle Spacve
Siemens Nixdorf SKY_FOX
SuperMicro ksdjfg934t
Tinys tiny
TMC BIGO
Toshiba 24Banc81
Toshiba
toshy99
Vextrec Technology Vextrex
Vobis merlin
Zenith 3098z
Zenith
ZEOS zeosx
   
<-- back to Index

 

 

 

Password Decrypt / Erase CMOS:
  <-- back to Index

Thanks to - Elf Qrin (http://www.elfqrin.com/)

If you can't access to the computer when it's turned on, got to
Step B/Procedure B-3

If you have access to the computer when it's turned on, you could try one of those procedures that try to decrypt password or remove it from the BIOS, by invalidating its cmos memory.

Step A] Password Decrypt

Download "CmosPDW" and "Bios310" from "Utilities"-->"Bios Utilities". Run those utilities on your system and try to decrypt your password: don't use "clear cmos" features !

If you can't decrypt your password, try to discover it using "brute force attak" procedures contained in "Bios310" utility.

Invalidates CMOS RAM : Software Procedure: .

Step B] Erase Cmos

If "brute force" attak don't work and if the password isn't stored in eeprom, you can try to invalidate the cmos system memory area, using various software/hardware procedures.Whether is the method you use, when you clear cmos not only the password, but also all the other configuration data will be reset to the factory defaults, so when you are booting for the first time after a cmos reset , you should enter the CMOS configuration menu and fix up some things. Use Bios310 to backup your cmos-configuration.

Procedure B-1] Clear Cmos using Debug

You can reset the BIOS to its default values using the MS-DOS tool DEBUG (type DEBUG at the command prompt. You'd better do it in pure MS-DOS mode, not from a MS-DOS shell window in Windows). Once you are in the debug environment enter the following commands:

( for AMI/AWARD BIOS )

O 70 17

O 71 17

Q

( for PHOENIX BIOS )

O 70 FF

O 71 17

Q

( for Generic bios )

O 70 2E

O 71 FF

Q

Note that the first letter is a "O" not the number "0". The numbers which follow are two bytes in hex format.

Procedure B-2] Clear Cmos using "CmosPWD /k " or "Bios310" clear cmos features.

Download and use these utilities from "Utilities" -->"Bios Utilities" section.

Invalidates CMOS RAM : Hardware Procedure: .

Procedure B-3] Short or Open "Cmos Clear" jumper

<-- back to Index

Try to found the special jumper "clear cmos" or "reset cmos" on your mainboard user's manual and short (or open) it.

Procedure B-4] Remove the Cmos Battery

If you can't found the "clear cmos" jumper , try to remove cmos battery (sometimes this battery is solded in the RTC component ) . It's a button-size battery somewhere on the motherboard (on elder computers the battery could be a small, typically blue, cylinder soldered to the motherboard, otherwise you'll have to unsolder it and then solder it back). Take it away for 15-30 minutes or more, then put it back and the data contained into the CMOS memory should be volatilized.

Procedure B-5] Short-circuiting the chip

Another way to clear the CMOS RAM is to reset it by short circuiting two pins of the BIOS chip (<ndr> RTC chips ..? ) for a few seconds. You can do that with a small piece of electric wire or with a bended paper clip. Always make sure that the computer is turned OFF before to try this operation.
Here is a list of EPROM chips ( <ndr> RTC chips ..? ) that are commonly used in the BIOS industry. You may find similar chips with different names if they are compatible chips made by another brand. If you find the BIOS chip (<ndr> RTC chips ..? ) you are working on matches with one of the following you can try to short-cicuit the appropriate pins. Be careful, because this operation may damage the chip.

CHIPS P82C206 (square)

Short together pins 12 and 32 (the first and the last pins on the bottom edge of the chip) or pins 74 and 75 (the two pins on the upper left corner). 

       gnd
       74
        |__________________
5v 75--|                   |
       |                   |
       |                   |
       |       CHIPS       |
   1 * |                   |
       |      P82C206      |
       |                   |
       |                   |
       |___________________|
        |                 |
        |                 | 5v
        12 gnd            32

OPTi F82C206 (rectangular)

Short together pins 3 and 26 (third pin from left side and fifth pin from right side on the bottom edge). 

    80              51
     |______________|
81 -|                |- 50
    |                |
    |                |
    |      OPTi      |  
    |                |
    |     F82C206    |
    |                |
100-|________________|-31
     ||           | |
   1 ||           | | 30
      3           26


Dallas DS1287, DS1287A
Benchmarq bp3287MT, bq3287AMT

The Dallas DS1287 and DS1287A, and the compatible Benchmarq bp3287MT and bq3287AMT chips have a built-in battery. This battery should last up to ten years. Any motherboard using these chips should not have an additional battery (this means you can't clear cmos by removing a battery). When the battery fails, the RTC chip would be replaced.
CMOS RAM can be cleared on the 1287A and 3287AMT chips by shorting pins 12 and 21.
The 1287 (and 3287MT) differ from the 1287A in that the CMOS RAM can't be cleared. If there is a problem such as a forgotten password, the chip must be replaced. (In this case it is recommended to replace the 1287 with a 1287A). Also the Dallas 12887 and 12887A are similar but contain twice as much CMOS RAM storage. 

         __________
     1 -| *  U     |-  24 5v
     2 -|          |-  23
     3 -|          |-  22
     4 -|          |-  21 RCL (RAM Clear)
     5 -|          |-  20
     6 -|          |-  19
     7 -|          |-  18
     8 -|          |-  17
     9 -|          |-  16
    10 -|          |-  15
    11 -|          |-  14
gnd 12 -|__________|-  13

NOTE: Although these are 24-pin chips,
the Dallas chips may be missing 5 pins,
these are unused pins.
Most chips have unused pins,
though usually they are still present.


Dallas DS12885S
Benchmarq bq3258S
Hitachi HD146818AP
Samsung KS82C6818A

This is a rectangular 24-pin DIP chip, usually in a socket. The number on the chip should end in 6818.
Although this chip is pin-compatible with the Dallas 1287/1287A, there is no built-in battery.
Short together pins 12 and 24. 

 5v
 24          20                   13
 |___________|____________________|
|                                  |
|             DALLAS               |
|>                                 |
|            DS12885S              |
|                                  |
|__________________________________|
 |                                |
 1                                12
                                  gnd


Motorola MC146818AP

Short pins 12 and 24. These are the pins on diagonally opposite corners - lower left and upper right. You might also try pins 12 and 20. 

          __________
     1  -| *  U     |-  24 5v
     2  -|          |-  23
     3  -|          |-  22
     4  -|          |-  21
     5  -|          |-  20
     6  -|          |-  19
     7  -|          |-  18
     8  -|          |-  17
     9  -|          |-  16
    10  -|          |-  15
    11  -|          |-  14
gnd 12  -|__________|-  13
   
  If the 'Erasing Cmos' procedures don't clear your password, the password is stored in the system EEPROM !! Please, see the next section " Tips&Triks about single machine to disable Power-on Password and Setup Password "    
  <-- back to Index    

 

Tips&Triks about single machines to disable Power-on Password and Setup Password
<-- back to Index

Thanks to :

- Christophe GRENIER
grenier@nef.esiea.fr
http://www.esiea.fr/public_html/Christophe.GRENIER/

- IBM Thinkpad informations service
http://servicepac.mainz.ibm.com

Note : CmosPWD is a powerfull tool : download it from "Utilities" --> "Bios Utilities"
Manufacturer Model Tips  
 
Generic Generic Hold down a key, prefearably ins, del , left Shift, right Shift, or F1. Boot the computer and release the key when the BIOS finishes testing the memory.  
COMPAQ LTE 5300 notebook there is a reset jumper on the motherboard  
DIGITAL PC300, Phoenix 4.0 Rel 6.0,0 cmospwd /k works  
Fujitsu ICL passwords are stored in EEPROM  
Hewlett Packard   Passwords are often (always) stored in EEPROM
There are reset jumper on some model		  
IBM PS/2 Aptiva Holding both mouse buttons down at power-up until the first "beep", then releasing the buttons.....which might also reset other Bios settings such as Rapid Resume and the like.  
Thinkpad TP 770 Get eeprom 24c01 contents and run cmospwd on this file  
Thinkpad TP 765D Read eeprom 93c46
Don't try to kill the cmos!		  
IBM Thinkpad Series Power-on password L40SX Use jumper J23  
CL57 connector J12
. | . .
. | . .

or use connector J13 (2-pin connector)

  
Notebook N45SL
 To service a computer with an active, unknown, power-on password, do the following.
1. Power-off the computer and unplug the power cord.
2. Remove the battery pack.
3. Remove the math coprocessor access panel.
4. Locate the two override pins on opposite sides of the socket.
5. Install a jumper wire between the pins.
6. Install the battery pack.
7. Power-on the computer and leave it on until the LEDs blink and the computer locks up.
8. Remove the jumper wire.
9. Press and hold the lid switch, then power-on the computer. 		 
N51XX 1. Power-off the computer and unplug the power cord.
2. Remove the bottom cover and the battery pack.
3. Locate the override connector on the system board.
4. Install a jumper over the pins 1.
5. Power-on the computer to erase the password.
6. After POST completes, remove the jumper. Otherwise, you will not be able to reset a power-on password
  
Model P70, P75 To service a computer with an active, unknown, power-on password do the following.
1. Power-off the computer and unplug the power cord.
2. Remove the system-unit cover.
3. Short the two pins 1 together.
With the pins shorted, power-on the computer. This erases the power-on password. Remove the short after POST is finished. 		 
ThinkPad 2609-240 Short the jumper JP1  
ThinkPad 2610
ThinkPad 365C 365CD 365CS 365CSD 365E and 365ED (2625)
 The following procedure disables user and supervisor passwords.
1. Power-off the computer.
2. Disconnect the AC Adapter.
3. Open the keyboard and remove the battery pack.
4. Remove the Mylar cover. See FRU Removals and Replacements
5. Locate the S2 switch block on the system board.
6. Set Switch 1 to Off.
7. Wait 30 seconds.
8. Set Switch 1 to On.
9. Replace the Mylar cover.
10. Replace the battery.
11. Connect the AC Adapter.
12. Power-on the computer.
13. Go to a DOS full screen.
14. Press Ctrl+Alt+F11 to access the setup screen and reset the passwords. 		 
ThinkPad 2600-310 / 310D / 310E / 310ED Use switch SW2 near CPU socket (second bit switch couting from the lowest side)  
ThinkPad 355x - IBM 2619
ThinkPad 360x - IBM 2620
ThinkPad 370C, 750x, 755C, 755CS - IBM 9545
How to Disable the Power-On Password:
1. Power-off the computer.
2. Open the keyboard and remove the battery pack and the diskette drive.
3. Remove the attachment holder.
For Models 355x and 360x, see >> '1115 Standby Battery'
For Models 370C, 750x, 755C, and 755Cs, see >> '2105 Standby Battery'
4. Install a jumper on the power-on password connector -1- at bottom left side of the system board.
5. Reinstall the diskette drive and the battery pack.
6. Power-on the computer and wait until the POST ends.
7. Verify that the password prompt does not appear.
8. After the service check is completed, remove the jumper		  
ThinkPad 710T (2523) To disable the power-on password:
1. Power-off the computer.
2. Remove the backup battery cover.
3. Locate the security switch beside the backup battery.
4. Move the slide switch to the opposite side.
5. Power-on the computer.		  
730TE (2524) Use the following procedure to disable the power-on password if needed.
1. Power off the system.
2. Remove the Pen Compartment Cover and the Sub Battery cover.
3. Identify the security pin wich is located beside the sub battery.
4. Power on the system while making a short-circuit between the two security pins with a regular screwdriver's flat tip. 		 
(9546, 9547) How to Disable the Power-On Password:
1. Power-off the computer.
2. Open the keyboard, and remove the diskette drive or CD-ROM drive and the battery pack.
3. Install a jumper on the power-on password connector on the left side of the FDD connector.
(See 'Password Connector' for location.)
4. Reinstall the battery pack and the diskette drive/CD-ROM drive.
5. Power-on the computer and wait until the POST ends.
6. Verify that the password prompt does not appear.
7. After the service check is completed, remove the jumper. 		 
TP 300 (2615) To override a password , do the following.
1. Power-off the computer.
2. Remove the access panel.
3. Remove the battery pack.
4. Remove the top assembly (do not disconnect any cables).
5. Connect a jumper to the two pads (R39) at the side of the math coprocessor socket.
6. Reinstall the battery pack.
7. Power-on the computer. Keep the computer on until the LEDs blink and the system locks.
8. Remove the jumper.
9. Press and hold the reset switch, then power-on the computer.
10. Power-off the computer.
11. Replace the top assembly and the access panel. 		 
TP 350, PS/Note 425 (2618) Remove the cmos battery 5 minutes  
(2625 365X, XD) How to Disable the Power-On Password
1. Power off the computer.
2. Open the keyboard and lift the right-most section of the insulator sheet.
3. Push out the small door on the right side of the base cover.
4. Apply a short across the Power-On Password Jumper Pads.
5. With the jumper tool in place, power on the computer to clear the password.
6. Remove the jumper and power off the computer.
7. Power on the computer and verify that the password has been cleared. 		 
2635 380-385 1. Power off the computer.
2. Turn the computer upside down, loosen the DIMM cover screw, remove the DIMM cover, then power-on the computer by applying a short across the power-on password jumper pads 315		  
TP 380XD, 385XD, 380Z - 2635 A. Power off the computer.
B. Turn the computer upside down, loosen the memory-slot cover
screw, and remove the memory-slot cover.
C. Short across the power-on password jumper pads
D. Power on the computer and wait until the POST ends.
E. Reinstall the memory-slot cover, and turn the computer right side up. 		 
ThinkPad i-Series 1400 - 2611 1. Turn off the computer.
2. Unplug the AC Adapter and remove the battery.
3. Remove the keyboard and the thermal plate.
4. Move the password switch (SW2, switch 2) from OFF to ON to bypass the password.
Note: SW2 has four switches, the second upper switch (switch 2) is the password bypass/check switch.
Turning the switch to the left (ON position) is "bypass password", the right (OFF position) is "check password".
5. Plug in the AC adapter and turn on the system.
6. While the ThinkPad logo is being displayed, wait for a beep before pressing F1 to enter the BIOS Utility.
7. Select "System Security" from the BIOS Utility main menu and press Enter.
8. Set the "Power-On Password" setting to "None" to clear the password.
9. Save and exit the BIOS Utility.
10. Turn off the system and unplug the AC Adapter.
11. Move the password switch from ON to OFF to enable the password function.
12. Reinstall the thermal plate and keyboard.
13. Reinstall the battery pack and plug in the AC Adapter. 		 
ThinkPad - 2621 - i Series 1400/1500 If only the power-on pasword is set, do the following to remove it:
1. Power off the computer.
2. Remove the battery and the AC Adapter.
3. Remove the backup battery (RTC) 20 minutes or use the screw driver to touch the backup battery (RTC) 1 sec.
4. Put back the backup battery (RTC).
5. Power on the computer and wait until the POST ends.
6. Verify that the password prompt does not appear. 		 
ThinkPad 390/i Series 1700 - 2626, 2627 390E - 2626
ThinkPad 390X / i 1700 - (2624, 2627)		 A. Power off the computer.
B. Remove the battery pack and AC Adapter.
C. Remove the backup battery (RTC) for 20 minutes or use a screwdriver to touch the backup battery (RTC) for 1 second.
D. Put back the backup battery (RTC).
E. Power on the computer and wait until POST ends.
F. Verifty that the password prompt does not appear.		  
ThinkPad 500 (2603) 1. Power-off the computer.
2. Disconnect all cables attached to the computer.
3. Remove the memory card access panel and memory card (if installed).
4. Power-on the computer.
5. Locate the two pins labeled PAD1-2 on the system board (in the memory card access area).
6. Short the two pins together.
7. Press Ctrl+Alt+F3 to access the System Parameters Setup Menu.
8. Press Esc.
9. Press F5 to reset the parameter to their default values.
10. The System Time, System Date, and Password (if required) parameters need to be set manually.
11. Press Esc, then F4 to save the values, exit the Setup program, and reboot the computer.
12. If a memory card was removed, power-off the computer and install the memory card.
13. Install the memory card access panel. 		 
ThinkPad 510 (2604) 1. Power-off the computer.
2. Disconnect all cables attached to the computer.
3. Remove the memory card access panel and DRAM card (if installed).
4. Power-on the computer.
5. Locate the two pins labeled PAD1-2 on the system board (see 'System Board Connectors').
6. Short the two pins together.
7. Press Ctrl+Alt+F3 to access the System Parameters Setup Menu.
8. Press Esc.
9. Press F5 to reset the parameter to their default values.
10. The System Time, System Date, and Password (if required) parameters need to be set manually.
11. Press Esc, then F4 to save the values, exit the Setup program, and reboot the computer.
12. If a DRAM card was removed, power-off the computer and install the DRAM card.
13. Install the memory card access panel. 		 
ThinkPad 560, 560E (2640) 1. Power off the computer
2. Remove the frame
3. Flip the keyboard over as shown in the figure
4. Jumper the two password jumper pads (R364 or R39) located on the system board
5. Power on the computer to clear the password
6. Replace the keyboard and the frame
When replacing the frame, make sure that the frame fits correctly in place. If it is not in place, the click buttons of the TrackPoint III cannot be pressed. 7. Replace the screws
8. Power on the computer and wait until the POST ends
9. Verify that the password prompt does not appear.
The hard disk password is stoed on the hard disk.		  
ThinkPad 560x (2640-560 - 60x, 70x) 1. Power off the computer
2. Remove the frame
3. Position the keyboard over as shown in the figure
4. Jumper the two password jumper pads (BIT-X) on the system board
5. Power on the computer to clear the password
6. Replace the keyboard and the frame
When replacing the frame, make sure that the frame fits correctly in place. If it is not in place, the click buttons of the TrackPoint III will not work.7. Replace the screws.
8. Power on the computer and wait until the POST ends.
9. Verify that the password prompt does not appear		  
ThinkPad 560Z-2640 1. Power off the computer.
2. Turn the computer upside down.
3. Loosen the DIMM socket lid screw -1- , and remove the DIMM socket lid.
4. Short the power-on password jumper pads (R522).
5. Power on the computer and wait until the POST ends. The password is cleared.
6. Reinstall the DIMM socket lid, and turn the computer right side up.
7. Verify that the password promp does not appear.
8. To reactivate the password, set the password again. 		 
ThinkPad 570 - (2644) 1. Power off the computer.
2. Remove the DIMM cover on the bottom side of the computer.
3. Short-circuit the two password pads.
4. Under the short-circuit condition, power on the computer and wait until the POST ends.
After the POST ends, the password prompt does not appear. The power-on password is removed.
5. Reinstall the DIMM cover. 		 
Model 765D-9546, 765L-9547 1. Power off the computer.
2. Open the keyboard, and remove the battery pack and the diskette or CD-ROM drive.
3. Instal a jumper on the power-on Password connector on the left side of the FDD connector.
4. Reinstall the battery pack and the diskette drive/CD-ROM drive.
5. Power on the computer and wait until POST ends.
6. Verify that the password prompt does not appear.
7. After the service check is completed, remove the jumper. 		 
TP-770 - 9548/49 1. Power off the computer.
2. Remove the DIMM cover.
3. Short-circuit the two password pads or put the jumper (pads near the top of the cover).
4. Under the short-circuit condition, power on the computer and wait until POST ends.
After the POST ends, the password prompt does not appear. The power-on password is removed.
If a jumper has been used for short the password pads, then remove the jumper.
5. Reinstall the DIMM cover. 		 
Siemens Nixdorf PCD-4ND You can clear the password of this phoenix 1.03 with "cmospwd /k"  
Scenic Mobil 700 "cmospwd /k" works! Phoenix Note BIOS v4.0  
Toshiba Ols laptops Hold down left shift key when you start it up  
Laptops

To reset the password of a Toshiba, you can use KeyDisk. (see CmosPWD tool)
If this doesn't work, you can try to build the Toshiba Parallell loopback.
To make a simple device that you connect to your parallell port, a lot of Toshiba computers remove the password when you boot it up.
The device, named "loopback" by some, could be made out of any parallell wire with 25pins connectors (db25). You should connect these pins: 1-5-10, 2-11, 3-17, 4-12, 6-16, 7-13, 8-14, 9-15, 18-25.


A db25 looks like:

Note: The "KeyDisk Creation Utility" is contained in "CmosPWD" tool (downloadable from "Utilities"--> "Bios Utilities" section ). However. to manually create a Toshiba Keydisk, take a 720Kb or 1.44Mb floppy disk, format it , then use a hex editor such as Hex Workshop to change the first five bytes of the second sector (the one after the boot sector) and set them to 4B 45 59 00 00 (note that the first three bytes are the ASCII for "KEY" :) followed by two zeroes). Once you have created the key disk put it into the notebook's drive and turn it on, then push the reset button and when asked for password, press Enter. You will be asked to Set Password again. Press Y and Enter. You'll enter the BIOS configuration where you can set a new password

  
<-- back to Index

 

(C) A.C.Comp. 2000-2001, All Rights Reserved