Vulnerability Development mailing list archives

Re: Password Setup


From: Marc Bevand <marc.bevand () smartjog com>
Date: Tue, 20 Jan 2004 18:00:29 +0100

Denis Luis de Souza Vieira wrote:
Hi!
The setup password of PCs that are not configured for "ALWAYS" is
removed easily with the following commands in MS-DOS:

debug
o 70 2e
o 71 ff
q

Is there some way of breaking the SETUP password when it is set to the
option "ALWAYS", without removing the battery from the board?

Actually those "debug commands" mean:

  - write 0x2e to I/O port 0x70
  - write 0xff to I/O port 0x71

On the x86 architecture, I/O ports 0x70 and 0x71 control the CMOS RAM
(implemented in the chipsets of modern motherboards). The CMOS RAM is a
128- or 256-byte battery-backed NV-RAM; it is managed by the BIOS and
stores various data such as:

  - current date/time
  - various hardware settings
  - BIOS internal data (password digests/hashes, or encrypted
    passwords, and all the settings that your BIOS allows you to modify)

The "debug commands" above have the effect of writing the byte 0xff at
offset 0x2e in the CMOS RAM. But since offset 0x2e is located in a
region for which all BIOSes maintain a checksum, on the next reboot the
BIOS will detect this data as corrupted (since the checksum has not been
recomputed after writing 0xff). Typically the BIOS will then ask the
user to press a key to reload default settings (which also disables any
previous password). That is why it works.

Under a UNIX OS, the same trick can be used: trash your CMOS RAM, and
your BIOS will reload default settings on the next reboot. Linux
implements a driver for this CMOS RAM: "drivers/char/nvram.c" which is
usually accessed through /dev/nvram.

A long time ago, I wrote a Linux userland tool to play with the CMOS
RAM, to brute force or remove passwords, etc. It is called Bpwd,
see [1] if you are interested.

[1] http://epita.fr/~bevand_m/projs.html

--
Marc Bevand - System and IT Security Engineer - SmartJog
Phone: +33.1.49.96.63.19
Cell:  +33.6.63.97.45.26
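
The checksum mechanism Marc describes, as an added illustration (not code from the original post or from Bpwd): in the classic PC/AT CMOS layout, bytes 0x10..0x2D are summed and the 16-bit result is stored big-endian at 0x2E/0x2F. The snippet checks a CMOS image for integrity and shows, on a constructed 128-byte sample, why a raw byte store at 0x2E without a checksum update is detected as corruption on the next boot; real machines may use vendor-specific layouts, so the offsets are an assumption about the AT-compatible layout only.

```python
"""Verify the classic PC/AT CMOS checksum over a 128-byte CMOS image."""

CMOS_SIZE = 128
CKS_START, CKS_END = 0x10, 0x2D   # bytes covered by the checksum (inclusive)
CKS_HI, CKS_LO = 0x2E, 0x2F       # checksum stored big-endian at 0x2E/0x2F


def cmos_checksum(image: bytes) -> int:
    """16-bit sum of CMOS bytes 0x10..0x2D (AT-compatible layout, assumed)."""
    return sum(image[CKS_START:CKS_END + 1]) & 0xFFFF


def stored_checksum(image: bytes) -> int:
    """Checksum value the BIOS last wrote into the image."""
    return (image[CKS_HI] << 8) | image[CKS_LO]


def checksum_ok(image: bytes) -> bool:
    """True when the stored checksum matches the covered bytes."""
    if len(image) < CMOS_SIZE:
        raise ValueError("need at least 128 bytes of CMOS data")
    return cmos_checksum(image) == stored_checksum(image)


def write_checksum(image: bytearray) -> None:
    """Recompute and store the checksum, as the BIOS does after a setup change."""
    cks = cmos_checksum(image)
    image[CKS_HI], image[CKS_LO] = cks >> 8, cks & 0xFF


def raw_cmos_store(image: bytearray, offset: int, value: int) -> None:
    """Model an 'out 0x70, offset / out 0x71, value' pair: a bare byte store,
    with no checksum update, applied to the in-memory image only."""
    image[offset & 0x7F] = value & 0xFF


def make_sample_image() -> bytearray:
    """Constructed sample image: fill the checksummed region with a pattern
    and seal it with a valid checksum (0x0EE3 for this pattern)."""
    img = bytearray(CMOS_SIZE)
    for i in range(CKS_START, CKS_END + 1):
        img[i] = (0x11 * (i - CKS_START)) & 0xFF
    write_checksum(img)
    return img


if __name__ == "__main__":
    img = make_sample_image()
    print("fresh image valid:", checksum_ok(img))          # True
    raw_cmos_store(img, 0x2E, 0xFF)                        # the 'debug' sequence above
    print("after o 70 2e / o 71 ff:", checksum_ok(img))    # False: BIOS reloads defaults
```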
