CmosPwd 2.3 is a cmos/bios password recovery tool.
It's freeware. You can freely distribute it.



Bios and history

Acer/IBM                        1.3
AMI BIOS                        1.0
AMI WinBIOS (12/15/93)          1.4d
AMI WinBIOS 2.5                 1.0
Award 4.5x                      1.0 & 1.4c & 2.3
Compaq (1992)                   1.0
Compaq (Try...)                 1.4
Dell version A08, 1993          1.0
IBM (PS/2, Activa ...)          1.3
IBM Thinkpad boot pwd           1.5
IBM 300 GL                      1.5
Packard Bell Supervisor/User    1.4
Phoenix 1.00.09.AC0 (1994)      1.0
Phoenix 1.04                    1.4
Phoenix 1.10 A03/Dell GXi       1.4c
Phoenix 4 release 6 (User)      1.6 & 2.2
Toshiba                         2.1
Zenith AMI                      1.5



Usage

cmospwd [/f] [/d]
cmospwd [/f] [/d] /[rlw] cmos_backup_file       restore/load/write
cmospwd /k                                      kill cmos
cmospwd [/f] /m[01]*                            execute selected module

 /f AZERTY keyboard
 /d to dump cmos
 /m0010011 to execute module 3,6 and 7



Platforms
- Dos-Windows version
Well, ... it works!

- Linux version
Users can work on a cmos backup, but they need root privileges to
use the ioperm function and get full access to cmos.

- Windows NT
Users can work on a cmos backup. To work on cmos memory, gwiopm needs to be
installed and running.
gwiopm gives direct port I/O access for specified ports to a user-mode process
(ring 3) using the Ke386SetIoAccessMap and Ke386IoSetAccessProcess kernel functions.
You need administrator privileges to install this driver:
"instdrv gwiopm c:\tmp\gwiopm.sys"
To remove the driver, run "instdrv gwiopm remove".


Miscellaneous
- Award 4.50PG
There is a universal password, AWARD_SW.
(d8on, 589589 ... works too)
- Award
Different passwords give the same 32-bit CRC, so CmosPwd can only give one
of them. Use the numeric keypad.
- COMPAQ LTE 5300 notebook
Tolga Sinan Guney: there is a reset jumper on the motherboard
- DIGITAL PC300, Phoenix 4.0 Rel 6.0,0
Rene Pocisk: cmospwd /k works
- DELL Latitude CPi 233ST Notebook
Ole Jensen: passwords are stored in EEPROM
- DELL Latitude CPi D266XT
Robert Rafai: Passwords are stored in an eeprom (24c02).
To remove the password,
  - clear the cmos
  - flash your BIOS: get the file on internet and use an eeprom programmer
  - store 00 00 ... on the eeprom 24c02
- Fujitsu ICL
aksion: passwords are stored in EEPROM
- Hewlett Packard
Passwords are often (always) stored in EEPROM.
There is a reset jumper on some models.
- Phoenix
There is a backdoor in old versions of the Phoenix BIOS: the universal
password is "phoenix".
- Toshiba
Different passwords give the same 32-bit CRC, so CmosPwd can only give one
of them.

What to do if you can't use cmospwd to clear your cmos?
You can use debug to reset the cmos CRC stored at 0x2E-0x2F:
debug
-o 70 2E
-o 71 0
-q
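
Why zeroing 0x2E invalidates the settings, as an added example (not CmosPwd's own code): it works on a 128-byte cmos backup image and assumes the standard AT layout, where the value at 0x2E-0x2F (called a CRC above) is a 16-bit sum of bytes 0x10-0x2D, high byte first. The function names and the sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMOS_SIZE   128
#define CKSUM_FIRST 0x10   /* first byte covered (standard AT layout, assumed) */
#define CKSUM_LAST  0x2D   /* last byte covered */
#define CKSUM_HI    0x2E   /* stored checksum, high byte */
#define CKSUM_LO    0x2F   /* stored checksum, low byte */

/* 16-bit additive checksum over 0x10..0x2D. */
uint16_t cmos_compute_checksum(const uint8_t *img) {
    uint16_t sum = 0;
    for (int i = CKSUM_FIRST; i <= CKSUM_LAST; i++)
        sum = (uint16_t)(sum + img[i]);
    return sum;
}

/* Checksum as recorded in the image itself. */
uint16_t cmos_stored_checksum(const uint8_t *img) {
    return (uint16_t)((img[CKSUM_HI] << 8) | img[CKSUM_LO]);
}

/* 1 if the recorded value matches the data, 0 otherwise. */
int cmos_checksum_ok(const uint8_t *img) {
    return cmos_compute_checksum(img) == cmos_stored_checksum(img);
}

/* Constructed sample image, not a dump from real hardware. */
void cmos_make_sample(uint8_t *img) {
    memset(img, 0, CMOS_SIZE);
    for (int i = CKSUM_FIRST; i <= CKSUM_LAST; i++)
        img[i] = (uint8_t)(i * 7 + 3);
    uint16_t sum = cmos_compute_checksum(img);
    img[CKSUM_HI] = (uint8_t)(sum >> 8);
    img[CKSUM_LO] = (uint8_t)(sum & 0xFF);
}

/* Same effect on an image as "o 70 2E" then "o 71 0" has on the chip. */
void cmos_zero_checksum_high(uint8_t *img) { img[CKSUM_HI] = 0; }

int main(void) {
    uint8_t img[CMOS_SIZE];
    cmos_make_sample(img);
    printf("before: stored=%04X ok=%d\n",
           (unsigned)cmos_stored_checksum(img), cmos_checksum_ok(img));
    cmos_zero_checksum_high(img);
    printf("after:  stored=%04X ok=%d\n",
           (unsigned)cmos_stored_checksum(img), cmos_checksum_ok(img));
    return 0;
}
```

The same check run on a real backup file tells you whether a BIOS following this layout would still accept the saved settings.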


 
What to do if cmospwd doesn't work on your PC?

Try to clear password with cmospwd /k.
If cmospwd /k doesn't work, the password is stored in an EEPROM. Try to find a
reset jumper on your motherboard or contact your PC vendor.
If it works, I can try to discover how passwords are encrypted.
I need to know which BIOS you use and
some cmos memory backups with their passwords. (cmospwd /w backupfile)
For passwords, choose:
some 1- and 2-letter passwords
BBBBBBB
BBBBBBC
BBBBBCB
BBBBCBB
BBBCBBB
BBCBBBB
BCBBBBB
CBBBBBB



Thanks to
- Philippe Garcia-Suarez
- Mark Miller
- Ian Sharpe
- Darren Evans
- Teun van de Berg
- Giovanni
- Robert Rafai
- Guillaume Letessier
- hackvenger
- "PUTA MADRE"
and to all the guys who provided information about cmos and reported bugs.

gwiopm has been written by Graham Wideman (http://www.wideman-one.com/).
instdrv comes from Microsoft NTDDK.


If you have problems or questions about cmospwd,
please mail me.

Christophe GRENIER
grenier@nef.esiea.fr
http://www.esiea.fr/public_html/Christophe.GRENIER/
