-rw-r--r-- | cmospwd.c | 771 | ||||
-rw-r--r-- | cmospwd.txt | 36 |
2 files changed, 382 insertions, 425 deletions
@@ -102,38 +102,38 @@ #define IOCTL_IOPL CTL_CODE( FILE_DEVICE_UNKNOWN, 0xA01, METHOD_BUFFERED, FILE_ANY_ACCESS ) struct ioperm_data { - unsigned long from; - unsigned long num; - int turn_on; + unsigned long from; + unsigned long num; + int turn_on; }; struct iopl_data { - int value; + int value; }; int ioperm( unsigned long from, unsigned long num, int turn_on ) { - HANDLE h; - struct ioperm_data ioperm_data; - DWORD BytesReturned; - BOOL r; - h = CreateFile( "\\\\.\\ioperm", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); - if (h == INVALID_HANDLE_VALUE) { - errno = ENODEV; - return -1; - } + HANDLE h; + struct ioperm_data ioperm_data; + DWORD BytesReturned; + BOOL r; + h = CreateFile( "\\\\.\\ioperm", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); + if (h == INVALID_HANDLE_VALUE) { + errno = ENODEV; + return -1; + } - ioperm_data.from = from; - ioperm_data.num = num; - ioperm_data.turn_on = turn_on; + ioperm_data.from = from; + ioperm_data.num = num; + ioperm_data.turn_on = turn_on; - r = DeviceIoControl( h, IOCTL_IOPERM, &ioperm_data, sizeof ioperm_data, NULL, 0, &BytesReturned, NULL ); - if (!r) - errno = EPERM; + r = DeviceIoControl( h, IOCTL_IOPERM, &ioperm_data, sizeof ioperm_data, NULL, 0, &BytesReturned, NULL ); + if (!r) + errno = EPERM; - CloseHandle( h ); + CloseHandle( h ); - return r ? 0 : -1; + return r ? 0 : -1; } #endif 
@@ -205,46 +205,10 @@ FILE *cmos_fd; #define VAL_NON_STOP 256 #define VAL_STOP 257 #define VAL_UNK 258 -int get32(int position, const uint8_t *data_src); -void aff_hexa(const unsigned char*buffer,const unsigned int lng); -void aff_result(const unsigned int *src, const unsigned int lng); -void table2val(unsigned int*dst, const uint8_t *src, const unsigned int lng, const unsigned int *table); -int check_crcadd(int position, int size, int pos_crc); -int check_filled(const unsigned int*value, const unsigned int lng, const unsigned int filled_value); -void award_backdoor(void); -void generic_acer(unsigned int *dst, const unsigned int lng); -int generic_ami(unsigned int *data, const unsigned int lng, const int methode); -void generic_award6(unsigned int *value, const unsigned int lng); -void generic_basic(const unsigned int offset, const unsigned int lng, const int algo,const unsigned int val_stop,const int mode_aff, const uint8_t *data_src); -void generic_compaq(unsigned int *value, const unsigned int lng); -void generic_crc(int algo, int position, const uint8_t *data_src); -void generic_dtk(unsigned int*value, const unsigned int lng); -void generic_packard(unsigned int *value, const unsigned int lng); -void generic_phoenix_add(unsigned int *value, const unsigned int lng); -void generic_phoenix_shift(unsigned int *value, const unsigned int lng); -void generic_phoenix_xor(unsigned int *value, const unsigned int lng); -void generic_unknown(unsigned int*value, const unsigned int lng); -void generic_table(unsigned int *value, const unsigned int lng, const int algo,const unsigned int val_stop,const int mode_aff); - -void convert_scancode2ascii(unsigned int*dst, const unsigned int lng); -uint8_t scan2ascii(uint8_t); -unsigned char filtre(unsigned char); -void dumpcmos(const int cmos_size, const int scancode); -int ask_YN(const char*); -uint8_t parity_test(uint8_t val); -uint16_t rol(uint16_t); -uint8_t rcl8(uint8_t); -uint8_t rcl8n(uint8_t, unsigned int); -uint8_t 
brute_awa(uint16_t, uint16_t, uint8_t); -uint8_t brute_award(uint16_t); -void set_permissions(void); -void unset_permissions(void); -uint16_t do_tosh(uint16_t, uint8_t); -uint8_t brute_tosh(uint16_t, uint16_t, uint8_t); -uint8_t brute_toshiba(uint16_t); -void keyb_mem(); + #define m_acer "\nAcer/IBM " #define m_ami_old "\nAMI BIOS " +#define m_ami_2005 "\nAMI BIOS 2005 " #define m_ami_winbios "\nAMI WinBIOS (12/15/93) " #define m_ami_winbios25 "\nAMI WinBIOS 2.5 " #define m_ami_unk "\nAMI ? " @@ -261,6 +225,7 @@ void keyb_mem(); #define m_ibm_thinkpad_765_380z "\nThinkpad 765/380z EEPROM " #define m_ibm_thinkpad_560x "\nThinkpad 560x EEPROM " #define m_ibm_thinkpad_x20_570_t20 "\nThinkpad x20/570/t20 EEPROM " +#define m_insyde "\nInsyde " #define m_packardbell "\nPackard Bell Supervisor/User " #define m_phoenixa08 "\nPhoenix A08, 1993 " #define m_phoenix "\nPhoenix 1.00.09.AC0 (1994) " 
@@ -277,60 +242,6 @@ void keyb_mem(); #define m_samsung_P25 "\nSamsung P25 " #define m_Sony_Vaio "\nSony Vaio EEPROM " #define m_Keyb_Mem "\nKeyboard BIOS memory " -void acer(void); -void ami_old(void); -void ami_winbios(void); -void ami_winbios2(void); -void ami_unk(void); -void award(void); -void award_medallion(void); -void award6(void); -void compaq(void); -void compaq2(void); -void compaq_deskpro(void); -void dtk(void); -void phoenixa08(void); -void ibm(void); -void ibm_thinkpad(void); -void ibm_thinkpad2(void); -void ibm_300(void); -void packardbell(void); -void phoenix(void); -void phoenix_1_04(void); -void phoenix_1_10(void); -void phoenix4(void); -void phoenix_40_r_60(void); -void phoenix_1_03(void); -void phoenix405(void); -void phoenix406(void); -void gateway_ph(void); -void toshiba(void); -void zenith_ami(void); -void samsung(void); -void sony_vaio(void); -void keyb_mem(void); -void (*tbl_func[])(void)={acer, - ami_old,ami_winbios,ami_winbios2,ami_unk, - award, award_medallion, award6, - compaq,compaq_deskpro,compaq2, - dtk, - ibm,ibm_thinkpad,ibm_thinkpad2,ibm_300, - packardbell, - phoenix,phoenix_1_03,phoenix_1_04,phoenix_1_10,phoenix4,phoenix_40_r_60,phoenix405,phoenix406, - phoenixa08, - gateway_ph, - samsung, - sony_vaio, - toshiba, - zenith_ami, - keyb_mem}; -#define nbr_func sizeof(tbl_func)/sizeof(*tbl_func) -int kill_cmos(const int cmos_size); -int load_cmos(const int cmos_size); -int restore_cmos(const int cmos_size,const int choix); -int load_backup(const char*); -int save_backup(const int cmos_size, const char* name); -unsigned int get_table_pb(unsigned int val); typedef struct s_cmos_f t_cmos_f; typedef struct s_cmos_l t_cmos_l; 
@@ -375,16 +286,16 @@ static __inline__ uint8_t inportb(uint16_t port) #endif enum {KEYB_US,KEYB_FR, KEYB_DE}; -int keyb=KEYB_US; -uint8_t cmos[TAILLE_CMOS_MAX]; +static int keyb=KEYB_US; +static uint8_t cmos[TAILLE_CMOS_MAX]; -int get32(int position, const uint8_t *data_src) +static int get32(int position, const uint8_t *data_src) { return ((data_src[position+1] <<8) | data_src[position]); } /* CONVERTION ET FILTRAGE */ -uint8_t scan2ascii(uint8_t car) +static uint8_t scan2ascii(uint8_t car) { static const uint8_t tbl_fr[255]= { ' ',' ','1','2','3','4','5','6', 
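Review bot: get32 reads two bytes and returns a 16-bit little-endian value, so the name understates what it does and nothing documents the byte order; a one-line comment on the new static definition, `/* little-endian 16-bit word at data_src[position], data_src[position+1] */`, would make the call sites in generic_crc readable. There is no check that position+1 lies inside the buffer, but every caller visible in this diff passes a constant offset into the cmos array, so this is a documentation point rather than a defect. The rest of the hunk only adds static linkage to keyb, cmos and scan2ascii.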
@@ -441,59 +352,58 @@ uint8_t scan2ascii(uint8_t car) return ' '; } -unsigned char filtre(unsigned char lettre) +static unsigned char filter(const unsigned char c) { - if ((lettre>=32) && (lettre <=125)) - return lettre; - else - switch(lettre) - { - case(131): - case(132): - case(133): - case(134): - case(160): - return 'a'; - case(130): - case(136): - case(137): - case(138): - return 'e'; - case(139): - case(140): - case(141): - case(161): - return 'i'; - case(164): - return 'n'; - case(147): - case(148): - case(149): - case(162): - return 'o'; - case(150): - case(151): - case(163): - return 'u'; - case(152): - return 'y'; - case(142): - case(143): - return 'A'; - case(144): - return 'E'; - case(165): - return 'N'; - case(153): - return 'O'; - case(154): - return 'U'; - default: - return ' '; - } + if (c>=32 && c <=125) + return c; + switch(c) + { + case(131): + case(132): + case(133): + case(134): + case(160): + return 'a'; + case(130): + case(136): + case(137): + case(138): + return 'e'; + case(139): + case(140): + case(141): + case(161): + return 'i'; + case(164): + return 'n'; + case(147): + case(148): + case(149): + case(162): + return 'o'; + case(150): + case(151): + case(163): + return 'u'; + case(152): + return 'y'; + case(142): + case(143): + return 'A'; + case(144): + return 'E'; + case(165): + return 'N'; + case(153): + return 'O'; + case(154): + return 'U'; + default: + return ' '; + } } -unsigned int get_table_pb(unsigned int val) +static unsigned int get_table_pb(unsigned int val) { switch(val) { 
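Review bot: The case labels in filter are bare numbers with nothing saying what they are; they look like CP437 code points for accented Latin letters (131–134 and 160 are variants of 'a', 130 and 136–138 of 'e', and so on), and a header comment such as `/* Map CP437 accented letters to their base ASCII letter; other non-printables become ' ' */` would make the table reviewable. The pass-through range `c>=32 && c <=125` stops one short of '~' (126); if that is deliberate, say so in the same comment, otherwise it reads as an off-by-one. The rewrite from filtre to filter is otherwise behaviour-preserving as far as the hunk shows.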
@@ -520,16 +430,16 @@ unsigned int get_table_pb(unsigned int val) return VAL_UNK; } -void dump(const void *data_original, const unsigned int*data_processed,unsigned int lng) +static void dump(const void *data_original, const unsigned int*data_processed,unsigned int lng) { unsigned int i,j; unsigned int nbr_line; unsigned char car; nbr_line=(lng+0x10-1)/0x10; - for (i=0; (i<nbr_line); i++) + for (i=0; i<nbr_line; i++) { - printf("%03X: ",i*0x10); - for(j=0; j< 0x10;j++) + printf("%03X: ", i*0x10); + for(j=0; j< 0x10; j++) { if(i*0x10+j<lng) { @@ -545,7 +455,7 @@ void dump(const void *data_original, const unsigned int*data_processed,unsigned if(i*0x10+j<lng) { car=data_processed[i*0x10+j]; - printf("%c", filtre(car)); + printf("%c", filter(car)); } else printf(" "); @@ -554,16 +464,8 @@ void dump(const void *data_original, const unsigned int*data_processed,unsigned } } - -void aff_hexa(const unsigned char*buffer,const unsigned int lng) -{ - int i; - for(i=0;i<lng;i++) - printf("%02X ",buffer[i]); -} - /* test et manipulation binaire */ -uint8_t parity_test(uint8_t val) +static uint8_t parity_test(uint8_t val) { int res=0; int i; @@ -576,12 +478,12 @@ uint8_t parity_test(uint8_t val) return res; } -uint8_t rcl8(uint8_t num) +static uint8_t rcl8(uint8_t num) { return (num<<1)|(num >> 7); } -uint8_t rcl8n(uint8_t num, unsigned int n) +static uint8_t rcl8n(uint8_t num, unsigned int n) { unsigned int i; uint8_t res=num; @@ -591,7 +493,7 @@ uint8_t rcl8n(uint8_t num, unsigned int n) return res; } -uint16_t rol(uint16_t n) +static uint16_t rol(uint16_t n) { return (n<<2)| ((n & 0xC000) >> 14); } 
@@ -615,30 +517,30 @@ enum { ALGO_AMI_F0, ALGO_AMI, ALGO_AMI_80, ALGO_UNKNOW, ALGO_AWARD, ALGO_AWARD6, enum { AFF_SCAN,AFF_ASCII}; -void table2val(unsigned int*dst, const uint8_t *src, const unsigned int lng, const unsigned int *table) +static void table2val(unsigned int*dst, const uint8_t *src, const unsigned int lng, const unsigned int *table) { int i; - for(i=0;i<lng;i++) + for(i=0; i<lng; i++) { dst[i]=src[table[i]]; } } -void aff_result(const unsigned int*src, const unsigned int lng) +static void aff_result(const unsigned int*src, const unsigned int lng) { unsigned int i; putchar('['); - for(i=0;(i<lng) && (src[i]!=VAL_STOP);i++) + for(i=0; i<lng && src[i]!=VAL_STOP; i++) { if(src[i]==UNKNOWN_CAR) putchar('?'); else - putchar(filtre(src[i])); + putchar(filter(src[i])); } putchar(']'); } -int generic_ami(unsigned int*dst, const unsigned int lng, const int methode) +static int generic_ami(unsigned int*dst, const unsigned int lng, const int methode) { int pos; unsigned char ah,al; @@ -649,7 +551,7 @@ int generic_ami(unsigned int*dst, const unsigned int lng, const int methode) case ALGO_AMI_80: al=0x80; break; default: printf("Bad AMI ALGO"); return 1; } - for(pos=1;pos<lng;pos++) + for(pos=1; pos<lng; pos++) { unsigned int i; if (dst[pos]==VAL_STOP) @@ -674,10 +576,10 @@ int generic_ami(unsigned int*dst, const unsigned int lng, const int methode) return 0; } -void generic_acer(unsigned int *dst, const unsigned int lng) +static void generic_acer(unsigned int *dst, const unsigned int lng) { int i; - for(i=0;(i<lng)&&(dst[i]!=VAL_STOP);i++) + for(i=0; i<lng && dst[i]!=VAL_STOP; i++) { dst[i]=dst[i]>>1; /* ibm_1 */ } 
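Review bot: In aff_result, `putchar(filter(src[i]))` passes an unsigned int into filter's unsigned char parameter, so a cell still holding VAL_UNK (258, which get_table_pb returns and convert_scancode2ascii leaves untouched) is truncated to 2 and printed as ' ' instead of the '?' that UNKNOWN_CAR gets; unless UNKNOWN_CAR is defined as VAL_UNK, the branch should read `if(src[i]==UNKNOWN_CAR || src[i]==VAL_UNK) putchar('?');`. Separately, this commit rewrites the loop headers of table2val, generic_ami and generic_acer here (and generic_award6, generic_unknown, generic_packard and brute_award in later hunks) but keeps `int i`/`int pos` compared against the unsigned `lng`; generic_phoenix_shift/xor/add already use `unsigned int i`, so switching these to `unsigned int` would make the file consistent and silence -Wsign-compare.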
@@ -686,25 +588,26 @@ void generic_acer(unsigned int *dst, const unsigned int lng) */ } -void generic_award6(unsigned int *dst, const unsigned int lng) +static void generic_award6(unsigned int *dst, const unsigned int lng) { int i; - for(i=0;(i<lng)&&(dst[i]!=VAL_STOP);i++) + for(i=0; i<lng && dst[i]!=VAL_STOP; i++) dst[i]=rcl8n(dst[i],i); } -void generic_unknown(unsigned int*dst, const unsigned int lng) +static void generic_unknown(unsigned int*dst, const unsigned int lng) { int i; - for(i=0;(i<lng)&&(dst[i]!=VAL_STOP);i++) + for(i=0; i<lng && dst[i]!=VAL_STOP; i++) dst[i]=UNKNOWN_CAR; } -int check_filled(const unsigned int*value, const unsigned int lng, const unsigned int filled_value) +#if 0 +static int check_filled(const unsigned int*value, const unsigned int lng, const unsigned int filled_value) { int i; int etat=0; - for(i=0;i<lng;i++) + for(i=0; i<lng; i++) { switch(etat) { 
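Review bot: check_filled is kept under `#if 0` rather than deleted, and generic_7bit gets the same treatment in a later hunk; the only reference to check_filled is the already commented-out call in generic_table, so with the file under version control deleting both is cleaner than carrying disabled code that is never compiled and will silently rot. If they are kept for reference, a one-line comment above each `#if 0` saying why (for example `/* kept for reference: Packard Bell fill check, unused since ... */`) would at least tell the next reader what it is for.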
@@ -719,129 +622,30 @@ int check_filled(const unsigned int*value, const unsigned int lng, const unsigne } return 0; } +#endif -void generic_phoenix_shift(unsigned int *value, const unsigned int lng) +static void generic_phoenix_shift(unsigned int *value, const unsigned int lng) { unsigned int i; - for(i=0;(i<lng)&&(value[i]!=VAL_STOP);i++) + for(i=0; i<lng && value[i]!=VAL_STOP; i++) value[i]=rcl8n(value[i],i+1); } -void generic_phoenix_xor(unsigned int *value, const unsigned int lng) +static void generic_phoenix_xor(unsigned int *value, const unsigned int lng) { unsigned int i; - for(i=0;(i<lng)&&(value[i]!=VAL_STOP);i++) + for(i=0; i<lng && value[i]!=VAL_STOP; i++) value[i]=(value[i] ^ 0xF0) + i; } -void generic_phoenix_add(unsigned int *value, const unsigned int lng) +static void generic_phoenix_add(unsigned int *value, const unsigned int lng) { unsigned int i; - for(i=0;(i<lng)&&(value[i]!=VAL_STOP);i++) + for(i=0; i<lng && value[i]!=VAL_STOP; i++) value[i]+=0x20; } -void generic_basic(const unsigned int offset, const unsigned int lng, const int algo,const unsigned int val_stop,const int mode_aff, const uint8_t *data_src) -{ - unsigned int i; -#if defined(__MSDOS__) || defined(WIN32) - unsigned int value[10]; -#else - unsigned int value[lng]; -#endif - for(i=0;i<lng;i++) - value[i]=data_src[offset+i]; - generic_table(value, lng, algo, val_stop, mode_aff); -} - -void generic_table(unsigned int *value, const unsigned int lng, const int algo,const unsigned int val_stop,const int mode_aff) -{ - { - unsigned int i; - for(i=0;i<lng;i++) - if(value[i]==val_stop && algo!=ALGO_COMPAQ) - value[i]=VAL_STOP; - } - switch(algo) - { - case ALGO_AMI_F0: - case ALGO_AMI: - case ALGO_AMI_80: - generic_ami(value,lng,algo); - break; - case ALGO_UNKNOW: - generic_unknown(value,lng); - break; - case ALGO_ACER: - generic_acer(value,lng); - break; - case ALGO_AWARD6: - generic_award6(value,lng); - break; - case ALGO_PACKARD: -// check_filled(value,lng,val_stop); - 
generic_packard(value,lng); - break; - case ALGO_NONE: - break; - case ALGO_PHOENIX_SHIFT: - generic_phoenix_shift(value,lng); - break; - case ALGO_PHOENIX_XOR: - generic_phoenix_xor(value,lng); - break; - case ALGO_PHOENIX_ADD: - generic_phoenix_add(value,lng); - break; - case ALGO_DTK: - generic_dtk(value,lng); - break; - case ALGO_COMPAQ: - generic_compaq(value,lng); - break; - default: - printf("BAD ALGO\n"); - return; - } - if(mode_aff==AFF_SCAN) - convert_scancode2ascii(value,lng); - aff_result(value,lng); -} - -/* ================================================================= */ -int check_crcadd(int position, int size, int pos_crc) -{ - int i; - int crc=0; - for(i=position;i<position+size;i++) - crc+=cmos[i]; - return ((crc & 0xFF) == cmos[pos_crc]); -} - -void generic_packard(unsigned int *value, const unsigned int lng) -{ - int i; - for(i=1;(i<lng)&&(value[i]!=VAL_STOP);i++) /* Ecrase le "CRC ?" */ - { - value[i-1]=get_table_pb(value[i]); - } - value[i-1]=VAL_STOP; -} - -void generic_crc(int algo, int position, const uint8_t *data_src) -{ - switch(algo) - { - case ALGO_AWARD: - brute_award(get32(position,data_src)); - break; - case ALGO_TOSHIBA: - brute_toshiba(get32(position,data_src)); - break; - } -} - -void generic_compaq(unsigned int *value, const unsigned int lng) +static void generic_compaq(unsigned int *value, const unsigned int lng) { unsigned int i,j; #if defined(__MSDOS__)||defined(WIN32) @@ -943,7 +747,7 @@ void generic_compaq(unsigned int *value, const unsigned int lng) value2[4*i+3]=value[4*i+2]&0x7F; } } - for(i=0;i<lng;i++) + for(i=0; i<lng; i++) { if(value2[i]==0) value[i]=VAL_STOP; @@ -952,7 +756,7 @@ void generic_compaq(unsigned int *value, const unsigned int lng) } } -void generic_dtk(unsigned int *value, const unsigned int lng) +static void generic_dtk(unsigned int *value, const unsigned int lng) { unsigned int i; #if defined(__MSDOS__)||defined(WIN32) 
@@ -960,7 +764,7 @@ void generic_dtk(unsigned int *value, const unsigned int lng) #else unsigned int value2[lng]; #endif - for(i=0;i<lng;i++) + for(i=0; i<lng; i++) { int b; switch(i%4) @@ -978,7 +782,7 @@ void generic_dtk(unsigned int *value, const unsigned int lng) else value2[i]=b-1+'A'; } - for(i=0;i<lng;i++) + for(i=0; i<lng; i++) { if(value2[i]==0) value[i]=VAL_STOP; @@ -987,7 +791,8 @@ void generic_dtk(unsigned int *value, const unsigned int lng) } } -void generic_7bit(unsigned int *value, const unsigned int lng) +#if 0 +static void generic_7bit(unsigned int *value, const unsigned int lng) { unsigned int i; #if defined(__MSDOS__)||defined(WIN32) @@ -1003,7 +808,7 @@ void generic_7bit(unsigned int *value, const unsigned int lng) value2[5]=(((value2[2]<<5)&0xff)|(value[3]>>3))&0x7f; value2[6]=(((value2[1]<<6)&0xff)|(value[2]>>2))&0x7f; value2[7]=(((value2[0]<<7)&0xff)|(value[1]>>1))&0x7f; - for(i=0;i<lng;i++) + for(i=0; i<lng; i++) { if(value2[i]==0) value[i]=VAL_STOP; 
@@ -1011,74 +816,172 @@ void generic_7bit(unsigned int *value, const unsigned int lng) value[i]=value2[i]; } } +#endif + +static void generic_packard(unsigned int *value, const unsigned int lng) +{ + int i; + for(i=1; i<lng && value[i]!=VAL_STOP; i++) /* Ecrase le "CRC ?" */ + { + value[i-1]=get_table_pb(value[i]); + } + value[i-1]=VAL_STOP; +} + +static void convert_scancode2ascii(unsigned int*dst, const unsigned int lng) +{ + unsigned int i; + for (i=0; i<lng && dst[i]!=VAL_STOP; i++) + if(dst[i]!=VAL_UNK) + dst[i]=scan2ascii(dst[i]); +} + + +static void generic_table(unsigned int *value, const unsigned int lng, const int algo,const unsigned int val_stop,const int mode_aff) +{ + { + unsigned int i; + for(i=0; i<lng; i++) + if(value[i]==val_stop && algo!=ALGO_COMPAQ) + value[i]=VAL_STOP; + } + switch(algo) + { + case ALGO_AMI_F0: + case ALGO_AMI: + case ALGO_AMI_80: + generic_ami(value,lng,algo); + break; + case ALGO_UNKNOW: + generic_unknown(value,lng); + break; + case ALGO_ACER: + generic_acer(value,lng); + break; + case ALGO_AWARD6: + generic_award6(value,lng); + break; + case ALGO_PACKARD: +// check_filled(value,lng,val_stop); + generic_packard(value,lng); + break; + case ALGO_NONE: + break; + case ALGO_PHOENIX_SHIFT: + generic_phoenix_shift(value,lng); + break; + case ALGO_PHOENIX_XOR: + generic_phoenix_xor(value,lng); + break; + case ALGO_PHOENIX_ADD: + generic_phoenix_add(value,lng); + break; + case ALGO_DTK: + generic_dtk(value,lng); + break; + case ALGO_COMPAQ: + generic_compaq(value,lng); + break; + default: + printf("BAD ALGO\n"); + return; + } + if(mode_aff==AFF_SCAN) + convert_scancode2ascii(value,lng); + aff_result(value,lng); +} + +static void generic_basic(const unsigned int offset, const unsigned int lng, const int algo,const unsigned int val_stop,const int mode_aff, const uint8_t *data_src) +{ + unsigned int i; +#if defined(__MSDOS__) || defined(WIN32) + unsigned int value[10]; +#else + unsigned int value[lng]; +#endif + for(i=0; i<lng; i++) + 
value[i]=data_src[offset+i]; + generic_table(value, lng, algo, val_stop, mode_aff); +} + + +/* ================================================================= */ +static int check_crcadd(int position, int size, int pos_crc) +{ + int i; + int crc=0; + for(i=position; i<position+size; i++) + crc+=cmos[i]; + return ((crc & 0xFF) == cmos[pos_crc]); +} /* Brute force Award */ -int awa_pos; -char awa_res[9]; +static int awa_pos; +static char awa_res[9]; -uint8_t brute_awa(uint16_t but, uint16_t somme, uint8_t lng) +static uint8_t brute_awa(uint16_t but, uint16_t somme, uint8_t lng) { uint8_t p; static uint8_t const tbl_car[]={'0','1','2','3','4','5','6'}; - if (lng==0) return (but==somme); - else - for (p=0;p<4;p++) - if (brute_awa(but, rol(somme) + tbl_car[p], lng-1)) - { - awa_res[awa_pos++]=tbl_car[p]; - return 1; - } + for (p=0; p<4; p++) + { + if (brute_awa(but, rol(somme) + tbl_car[p], lng-1)) + { + awa_res[awa_pos++]=tbl_car[p]; + return 1; + } + } return 0; } -uint8_t brute_award(uint16_t but) +static uint8_t brute_award(uint16_t but) { int i; uint8_t res; awa_pos=0; - for(i=0;i<9;i++) + for(i=0; i<9; i++) awa_res[i]='\0'; - for (i=1;i<=8;i++) + for (i=1; i<=8; i++) { res=brute_awa(but, 0,i); if (res) break; } #ifndef TEST printf("["); - for (i=awa_pos-1;i>=0;i--) printf("%c", awa_res[i]); + for (i=awa_pos-1 ;i>=0; i--) printf("%c", awa_res[i]); printf("]"); #endif return res; } /* Brute force Toshiba */ -uint16_t do_tosh(uint16_t valcrc, uint8_t car) -{ - register uint8_t ah,al,dh,dl; - al=(uint8_t)valcrc; - ah=valcrc>>8; - ah^=car; /* xor ah,[bx] */ - dl=ah; /* mov dl,ah */ - dl<<=4; /* shl dl,4 C0 E2 04 */ - ah^=dl; /* xor ah,dl 32 E2 */ - dl=ah; /* mov dl,ah 8A D4 */ - dl>>=5; /* shl dl,5 */ - dl^=ah; /* xor dl,ah */ - dh=ah; - ah<<=3; - ah^=al; - dh>>=4; - ah^=dh; - al=dl; - return (ah<<8)|al; -} - -int tosh_pos; -char tosh_res[11]; - -uint8_t brute_tosh(uint16_t but, uint16_t valcrc, uint8_t lng) +static uint16_t do_tosh(uint16_t valcrc, uint8_t car) +{ + 
register uint8_t ah,al,dh,dl; + al=(uint8_t)valcrc; + ah=valcrc>>8; + ah^=car; /* xor ah,[bx] */ + dl=ah; /* mov dl,ah */ + dl<<=4; /* shl dl,4 C0 E2 04 */ + ah^=dl; /* xor ah,dl 32 E2 */ + dl=ah; /* mov dl,ah 8A D4 */ + dl>>=5; /* shl dl,5 */ + dl^=ah; /* xor dl,ah */ + dh=ah; + ah<<=3; + ah^=al; + dh>>=4; + ah^=dh; + al=dl; + return (ah<<8)|al; +} + +static int tosh_pos; +static char tosh_res[11]; + +static uint8_t brute_tosh(uint16_t but, uint16_t valcrc, uint8_t lng) { unsigned int p; static uint8_t const tbl_car[]={0x10,0x11,0x12,0x13,0x14,0x20}; @@ -1091,7 +994,7 @@ uint8_t brute_tosh(uint16_t but, uint16_t valcrc, uint8_t lng) } else { - for (p=0;p<sizeof(tbl_car);p++) + for (p=0; p<sizeof(tbl_car); p++) if (brute_tosh(but, do_tosh(valcrc,tbl_car[p]), lng-1)) { tosh_res[tosh_pos++]=tbl_car[p]; @@ -1101,7 +1004,7 @@ uint8_t brute_tosh(uint16_t but, uint16_t valcrc, uint8_t lng) return 0; } -uint8_t brute_toshiba(uint16_t but) +static uint8_t brute_toshiba(uint16_t but) { int i; uint8_t res; @@ -1111,9 +1014,9 @@ uint8_t brute_toshiba(uint16_t but) printf("[KEY floppy]"); return 1; } - for(i=0;i<10;i++) + for(i=0; i<10; i++) tosh_res[i]='\0'; - for (i=1;i<=10;i++) + for (i=1; i<=10; i++) { res=brute_tosh(but, 0,i); if (res) break; @@ -1121,7 +1024,7 @@ uint8_t brute_toshiba(uint16_t but) if(res) { putchar('['); - for (i=tosh_pos-1;i>=0;i--) + for (i=tosh_pos-1 ;i>=0; i--) putchar(scan2ascii(tosh_res[i])); putchar(']'); } 
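Review bot: As rendered here, the rewrite of brute_awa drops the `if (lng==0) return (but==somme);` base case and keeps only the `for (p=0; p<4; p++)` loop, so the recursion never terminates: lng is a uint8_t, `lng-1` passed from 0 arrives as 255, and the first call from brute_award runs until the stack is exhausted. If that line was kept and merely lost in this view, ignore this; otherwise restore it as the first statement of the body. In the same hunk, generic_basic's `#if defined(__MSDOS__) || defined(WIN32)` branch uses a fixed `unsigned int value[10]` with no check against lng; every caller in this diff passes at most 8, but `if(lng>10) return;` (or a named constant shared with the callers) would keep a future field from writing past the stack buffer. brute_tosh, whose definition begins at the end of this hunk, continues outside it.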
@@ -1130,26 +1033,40 @@ uint8_t brute_toshiba(uint16_t but) return res; } -void acer() /* ACER */ +static void generic_crc(int algo, int position, const uint8_t *data_src) +{ + switch(algo) + { + case ALGO_AWARD: + brute_award(get32(position,data_src)); + break; + case ALGO_TOSHIBA: + brute_toshiba(get32(position,data_src)); + break; + } +} + + +static void acer() /* ACER */ { printf(m_acer); generic_basic(0x27, 7, ALGO_ACER,0,AFF_SCAN,cmos); generic_basic(0x100, 7, ALGO_ACER, 0,AFF_ASCII,cmos); } -void ami_old() /* AMI */ +static void ami_old() /* AMI */ { printf(m_ami_old); generic_basic(0x37, 1+6, ALGO_AMI_F0,0,AFF_ASCII,cmos); } -void ami_winbios() +static void ami_winbios() { printf(m_ami_winbios); generic_basic(0x37, 1+6, ALGO_AMI,0,AFF_SCAN,cmos); } -void ami_winbios2() +static void ami_winbios2() { printf(m_ami_winbios25); generic_basic(0x37, 1+6, ALGO_AMI_80,0,AFF_SCAN,cmos); @@ -1161,7 +1078,14 @@ void ami_winbios2() } -void ami_unk() +static void ami_2005() +{ + /* wasta */ + printf(m_ami_2005); + generic_basic(0x84, 1+6, ALGO_AMI_80,0,AFF_SCAN,cmos); +} + +static void ami_unk() { /* Philippe Biondi */ printf(m_ami_unk); @@ -1174,7 +1098,7 @@ void ami_unk() generic_basic(0x50, 1+7, ALGO_AMI_80,0,AFF_SCAN,cmos); } -void samsung() +static void samsung() { printf(m_samsung_P25); generic_basic(0xE3,7,ALGO_NONE,0,AFF_SCAN,cmos); @@ -1182,7 +1106,7 @@ void samsung() generic_basic(0xF8,7,ALGO_NONE,0,AFF_SCAN,cmos); } -void sony_vaio() +static void sony_vaio() { printf(m_Sony_Vaio); generic_basic(0x00,7,ALGO_ACER,0,AFF_ASCII,cmos); @@ -1207,7 +1131,7 @@ void sony_vaio() /* AMI @art.fr CRC+Crypted adm pwd at 38-3F, filled with 00 * user pwd at 0x40-47 */ -void zenith_ami() +static void zenith_ami() { printf(m_zenith_ami); generic_basic(0x38+1, 7, ALGO_UNKNOW,0,AFF_ASCII,cmos); @@ -1218,7 +1142,7 @@ void zenith_ami() /* AWARD */ -void award() +static void award() { printf(m_award); generic_crc(ALGO_AWARD,0x1C,cmos); 
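Review bot: generic_crc's `switch(algo)` has no `default:` case, so an unknown algo value silently prints nothing, while generic_ami and generic_table both report `Bad AMI ALGO` / `BAD ALGO` for the same situation; adding `default: printf("BAD CRC ALGO\n"); break;` keeps the three dispatchers consistent. The return values of brute_award and brute_toshiba are discarded here, presumably on purpose since both print their own result; a short comment saying so would stop the next reader from adding a check. The new static definitions in this hunk (acer, ami_old, ami_winbios, ami_winbios2, ami_2005) keep the old-style `()` parameter list while the newly added insyde in a later hunk uses `(void)`; `(void)` is the one that gives a real prototype.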
@@ -1231,7 +1155,7 @@ void award() generic_crc(ALGO_AWARD,0x3E,cmos); /* User slug(at)navigator.lv */ } -void award_medallion() +static void award_medallion() { /* Pencho Penchev <ppencho@hotmail.com> Hewllett Packard Brio system @@ -1243,7 +1167,7 @@ void award_medallion() generic_crc(ALGO_AWARD,0x71,cmos); /* Lewis DH */ } -void award6() +static void award6() { printf(m_award6); /* Tompa Lorand-Mihaly, april 2003 */ @@ -1257,13 +1181,13 @@ void award6() } /* COMPAQ */ -void compaq() +static void compaq() { printf(m_compaq); generic_basic(0x38, 8, ALGO_NONE,0,AFF_SCAN,cmos); } -void compaq2() +static void compaq2() { printf(m_compaq2); generic_basic(0x51, 7, ALGO_NONE,0,AFF_SCAN,cmos); /* setup */ @@ -1271,7 +1195,7 @@ void compaq2() } -void compaq_deskpro() +static void compaq_deskpro() { printf(m_compaq_deskpro); /* - Luka "The /\/\ighty \/\/izzy" @@ -1286,20 +1210,20 @@ void compaq_deskpro() /* IBM */ -void ibm() +static void ibm() { printf(m_ibm); generic_basic(0x48, 7, ALGO_NONE,0,AFF_SCAN,cmos); generic_basic(0x38, 7, ALGO_NONE,0,AFF_SCAN,cmos); } -void ibm_thinkpad() +static void ibm_thinkpad() { printf(m_ibm_thinkpad); generic_basic(0x38, 7, ALGO_NONE,0,AFF_SCAN,cmos); /* pwd boot */ } -void ibm_thinkpad2() +static void ibm_thinkpad2() { printf(m_ibm_thinkpad_x20_570_t20); generic_basic(0x338, 7, ALGO_NONE,0,AFF_SCAN,cmos); @@ -1312,13 +1236,19 @@ void ibm_thinkpad2() generic_basic(0x40, 7, ALGO_NONE,0,AFF_SCAN,cmos); } -void ibm_300() +static void ibm_300() { printf(m_ibm_300); generic_basic(0x48, 7, ALGO_NONE,0,AFF_SCAN,cmos); } -void packardbell() /* PACKARD BELL */ +static void insyde(void) +{ + printf(m_insyde); + /* HP DV7T-6100 Quad Edition */ +} + +static void packardbell() /* PACKARD BELL */ { printf(m_packardbell); generic_basic(0x38, 1+7, ALGO_PACKARD,0xFF,AFF_ASCII,cmos); 
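Review bot: insyde prints the m_insyde banner and then returns without attempting any recovery, so a run shows a bare `Insyde ` line with nothing after it; if this is a placeholder, a comment such as `/* placeholder: no recovery algorithm implemented for this BIOS yet */` beside the existing `HP DV7T-6100 Quad Edition` note would make the intent clear, and if it is meant to print something the body is missing. It is also the only function in this section declared `(void)` while its neighbours (ibm_300, ibm_thinkpad2, packardbell) keep `()`; either form is fine, but the file should use one.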
@@ -1326,7 +1256,7 @@ void packardbell() /* PACKARD BELL */ generic_basic(0x40, 1+7, ALGO_PACKARD,0xFF,AFF_ASCII,cmos); } -void phoenix() /* PHOENIX */ +static void phoenix() /* PHOENIX */ { static const int tbl_phoenix[8]={0x39,0x3C,0x3B,0x3F,0x38,0x3E,0x3D,0x3A}; unsigned int value[8]; @@ -1338,7 +1268,7 @@ void phoenix() /* PHOENIX */ printf("["); for (i=0;i<7 && value[i]!=0;i++) { - printf("%c",filtre(res[i])); + printf("%c",filter(res[i])); res[i]=(value[i] ^ 0xF0) + i; crc+=res[i]; } @@ -1347,7 +1277,7 @@ void phoenix() /* PHOENIX */ printf(" CRC pwd err"); } -void phoenix_1_03() +static void phoenix_1_03() { printf(m_phoenix_1_03); if(((cmos[0x60]==0)||(cmos[0x60]==1))&&(cmos[0x61]<=7)) @@ -1360,14 +1290,14 @@ void phoenix_1_03() * */ } -void phoenix_1_04() +static void phoenix_1_04() { printf(m_phoenix_1_04); generic_basic(0x50, 7, ALGO_NONE,0,AFF_SCAN,cmos); /* setup */ generic_basic(0x48, 7, ALGO_NONE,0,AFF_SCAN,cmos); } -void phoenix_1_10() +static void phoenix_1_10() { /* Phoenix Bios V1.10 A03 / Dell GXi */ printf(m_phoenix_1_10); if(!check_crcadd(0x1D,7,0x1D+7) || !check_crcadd(0x38,7,0x38+7)) @@ -1379,13 +1309,13 @@ void phoenix_1_10() generic_basic(0x38, 7, ALGO_NONE,0,AFF_SCAN,cmos); } -void phoenix4() +static void phoenix4() { printf(m_phoenix4); generic_basic(0x35, 7, ALGO_NONE,0,AFF_SCAN,cmos); /* user */ } -void phoenix405() +static void phoenix405() { static const int tbl[8]={0x45,0x52,0x4b,0x4a,0x50,0x4F,0x4D,0x48}; static const int tbl2[8]={0x4c,0x51,0x49,0x54,0x53,0x47,0x46,0x4E}; @@ -1397,12 +1327,12 @@ void phoenix405() generic_table(value, 8, ALGO_NONE,0,AFF_SCAN); } -void phoenix406() +static void phoenix406() { printf(m_phoenix406); generic_basic(0x45, 8, ALGO_NONE,0,AFF_SCAN,cmos); } -void phoenix_40_r_60() +static void phoenix_40_r_60() { printf(m_phoenix_40_r_60); generic_basic(0x35, 7, ALGO_PHOENIX_SHIFT,0,AFF_SCAN,cmos); 
@@ -1412,7 +1342,7 @@ void phoenix_40_r_60() generic_basic(0x98, 8, ALGO_PHOENIX_SHIFT,0,AFF_SCAN,cmos); } -void dtk() +static void dtk() { printf(m_dtk); generic_basic(0x38,4,ALGO_DTK,0,AFF_ASCII,cmos); @@ -1420,21 +1350,21 @@ void dtk() } -void gateway_ph() +static void gateway_ph() { /* Gateway Solo */ printf(m_gateway_ph); generic_basic(0x40, 7, ALGO_NONE,0,AFF_SCAN,cmos); generic_basic(0x47, 7, ALGO_NONE,0,AFF_SCAN,cmos); } -void phoenixa08() +static void phoenixa08() { printf(m_phoenixa08); generic_basic(0x23, 7, ALGO_NONE,0,AFF_SCAN,cmos); generic_basic(0x42, 7, ALGO_NONE,0,AFF_SCAN,cmos); } -void toshiba() +static void toshiba() { printf(m_toshiba); generic_crc(ALGO_TOSHIBA,0x35,cmos); @@ -1442,7 +1372,7 @@ void toshiba() } -void set_permissions() +static void set_permissions() { #if defined(__linux__) if (ioperm(PORT_CMOS_0,4*2,IO_READ|IO_WRITE)) @@ -1511,7 +1441,7 @@ HANDLE h; #endif } -void unset_permissions() +static void unset_permissions() { #ifdef __linux__ ioperm(PORT_CMOS_0,4*2,0); @@ -1521,7 +1451,7 @@ void unset_permissions() } uint8_t read_cmos(const unsigned int cell); -void write_cmos(const unsigned int cell, const uint8_t value); +static void write_cmos(const unsigned int cell, const uint8_t value); uint8_t read_cmos(const unsigned int cell) { if(cell<128) @@ -1549,7 +1479,7 @@ uint8_t read_cmos(const unsigned int cell) return 0; } -void write_cmos(const unsigned int cell, const uint8_t value) +static void write_cmos(const unsigned int cell, const uint8_t value) { if(cell<128) { @@ -1577,7 +1507,7 @@ void write_cmos(const unsigned int cell, const uint8_t value) } } -int kill_cmos(const int cmos_size) +static int kill_cmos(const int cmos_size) { int i; char car; @@ -1605,7 +1535,7 @@ int kill_cmos(const int cmos_size) return 0; } -int load_cmos(const int cmos_size) +static int load_cmos(const int cmos_size) { int i; set_permissions(); 
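Review bot: The forward declaration `uint8_t read_cmos(const unsigned int cell);` and its definition stay non-static while write_cmos on the very next line, and set_permissions, unset_permissions, kill_cmos and load_cmos in the neighbouring hunks, all gain `static`; if nothing outside cmospwd.c calls read_cmos, `static uint8_t read_cmos(const unsigned int cell);` on both lines makes the linkage consistent with the rest of this commit. The `if(cell<128)` guard at the top of read_cmos and write_cmos is the only part of their bodies visible here; what happens for larger cells is outside the hunk.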
@@ -1615,7 +1545,7 @@ int load_cmos(const int cmos_size) return 0; } -int restore_cmos(const int cmos_size,const int choix) +static int restore_cmos(const int cmos_size,const int choix) { int i; char car='2'; @@ -1643,7 +1573,7 @@ int restore_cmos(const int cmos_size,const int choix) return 0; } -int load_backup(const char* name) +static int load_backup(const char* name) { FILE *fb; unsigned char buffer[TAILLE_BUFFER+1]; @@ -1921,7 +1851,7 @@ int load_backup(const char* name) return cmos_size; } -int save_backup(const int cmos_size, const char* name) +static int save_backup(const int cmos_size, const char* name) { FILE *fb; fb=fopen(name,"wb"); @@ -1940,7 +1870,7 @@ int save_backup(const int cmos_size, const char* name) } #ifdef __linux__ -void award_backdoor() +static void award_backdoor() { int i; char car; @@ -1953,14 +1883,14 @@ void award_backdoor() for(i=0;i<8;i++) { fread(&car,1,1,fb); - putchar(filtre((car<<5)|(car>>5)|(car&0x18))); + putchar(filter((car<<5)|(car>>5)|(car&0x18))); } fclose(fb); printf("]\n"); } #endif -void keyb_mem() +static void keyb_mem() { #ifdef __linux__ FILE *fb; 
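Review bot: In award_backdoor the byte read by `fread(&car,1,1,fb)` goes into a plain `char car` (declared in the preceding hunk), so on platforms where char is signed a value with the top bit set makes `car<<5` a left shift of a negative int, which is undefined behaviour, and `car>>5` an implementation-defined arithmetic shift; declaring `unsigned char car;` makes both shifts well defined and matches filter's parameter type. The fread return value is also unchecked, so a short file feeds the previous byte (or an uninitialised one on the first iteration) into the output; `if(fread(&car,1,1,fb)!=1) break;` would handle it. The `#ifdef __linux__` block around this function starts before the hunk.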
@@ -1975,34 +1905,46 @@ void keyb_mem() printf(m_Keyb_Mem); printf("["); for(i=0;i<sizeof(mem) && mem[i]!=0;i+=2) - printf("%c", filtre(scan2ascii(mem[i]))); + printf("%c", filter(scan2ascii(mem[i]))); printf("]\n"); #endif } -void wait_key() +static void wait_key() { printf("\nPress Enter key to continue"); fflush(stdout); getchar(); } -void convert_uchar2uint(unsigned int *dst, const unsigned char *src, const unsigned int cmos_size) +static void convert_uchar2uint(unsigned int *dst, const unsigned char *src, const unsigned int cmos_size) { unsigned int i; for(i=0;i<cmos_size;i++) dst[i]=src[i]; } -void convert_scancode2ascii(unsigned int*dst, const unsigned int lng) -{ - unsigned int i; - for (i=0;i<lng && dst[i]!=VAL_STOP;i++) - if(dst[i]!=VAL_UNK) - dst[i]=scan2ascii(dst[i]); -} +static void (*tbl_func[])(void)= +{ + acer, + ami_old, ami_2005, ami_winbios, ami_winbios2, ami_unk, + award, award_medallion, award6, + compaq,compaq_deskpro,compaq2, + dtk, + ibm,ibm_thinkpad,ibm_thinkpad2,ibm_300, + insyde, + packardbell, + phoenix,phoenix_1_03,phoenix_1_04,phoenix_1_10,phoenix4,phoenix_40_r_60,phoenix405,phoenix406, + phoenixa08, + gateway_ph, + samsung, + sony_vaio, + toshiba, + zenith_ami, + keyb_mem +}; +#define nbr_func sizeof(tbl_func)/sizeof(*tbl_func) -/* MAIN PROGRAM */ int main(int argc, char *argv[]) { int arg_load_filename=-1; @@ -2011,7 +1953,8 @@ int main(int argc, char *argv[]) int do_dump=0; int cmos_size=TAILLE_CMOS; enum {MODE_NORM,MODE_HELP,MODE_LOAD, MODE_SAVE, MODE_KILL, MODE_RESTORE, MODE_RESTORE_FORCE} mode=MODE_NORM; - printf("CmosPwd - BIOS Cracker 5.1, Februar 2008, Copyright 1996-2008\n" + + printf("CmosPwd - BIOS Cracker 5.2, November 2012, Copyright 1996-2012\n" "GRENIER Christophe, grenier@cgsecurity.org\n" "http://www.cgsecurity.org/\n"); memset(cmos, 0, sizeof(cmos)); 
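Review bot: The new `#define nbr_func sizeof(tbl_func)/sizeof(*tbl_func)` expands without outer parentheses, so any use where the macro is the right operand of `/` or `%`, or is followed by `*`, groups wrongly; `#define nbr_func (sizeof(tbl_func)/sizeof(*tbl_func))` costs nothing and removes the trap. The table now also lists ami_2005 and insyde, which the removed forward-declaration block did not, so the position of every entry after them has shifted; if main exposes a numeric index into tbl_func to the user (not visible here), that is worth a line in the changelog. The rest of the hunk is the moved convert_scancode2ascii, a version bump and whitespace.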
@@ -2198,9 +2141,7 @@ int main(int argc, char *argv[])
 dump(cmos,cmos_processed,cmos_size);
 free(cmos_processed);
 }
-#ifndef __MSDOS__
 printf("\n");
 fflush(stdout);
-#endif
 return 0;
 }
diff --git a/cmospwd.txt b/cmospwd.txt
index c027109..fd652f6 100644
--- a/cmospwd.txt
+++ b/cmospwd.txt
@@ -1,12 +1,11 @@
 =========================================================================
 CmosPwd
-Christophe GRENIER
-grenier@cgsecurity.org
-http://www.cgsecurity.org
+Christophe GRENIER <grenier@cgsecurity.org>
+http://www.cgsecurity.org/wiki/CmosPwd
 =========================================================================
 
 CmosPwd is a cmos/bios password recovery tool.
-CmosPwd is under GNU Public License. You can freely distribute it.
+CmosPwd is under GNU General Public License. You can freely distribute it.
 It can be compiled under Dos, Windows, Linux, FreeBSD and NetBSD.
 
 Platforms
@@ -184,9 +183,6 @@ Differents passwords give the same 32-bit CRC, so CmosPwd can only give one
 of them. Use the numeric keypad.
 - COMPAQ LTE 5300 notebook
 Tolga Sinan Guney: there is a reset jumper on the motherboard
-- Dialogue Flybook V5
-M.Delsupexhe: cmospwd /k works
-
 - DIGITAL PC300, Phoenix 4.0 Rel 6.0,0
 Rene Pocisk: cmospwd /k works
 - Fujitsu ICL
@@ -194,31 +190,52 @@ aksion: passwords are stored in EEPROM - Fujitsu Point 1600 William Simcox: "I was able to clear the password and reset BIOS to default values using CMOSPWD /K" +- Fujitsu Siemens E4010D +Open the memory compartiment. Next to the memory are a few circuits where two +points are marked CL with a rectangle around the points. Short circuit it. - Phoenix There is a backdoor in old version of Phoenix BIOS, the universal password is "phoenix". +- Lenovo G400 +Revi Hendra: "cmospwd /k" removes the password. - Siemens Nixdorf PCD-4ND, Michael: You can clear the password of this phoenix 1.03 with "cmospwd /k" +PCD-5ND, "cmospwd /k" clears the password Scenic Mobil 700, Josef Benda: "cmospwd /k" works! Phoenix Note BIOS v4.0 Scenic Mobile 510AGP, Bernd: "cmospwd /k" works! Phoenix 4.0 R6 Version 3F31 dated 9.2.2000 +- Acer Aspire 1355LC +Filip van Neuman: "cmospwd /k" removes the password. +- Acer Aspire 1682 +"cmospwd /k" removes the password. +- Acer Aspire One +"cmospwd /k" removes the password. - Acer Travelmate 530 "cmospwd /k" removes the password. +- Acer travelmate 2350 +"cmospwd /k" removes the password. - Acer travelmate 2450 "cmospwd /k" removes the password. - Sony Vaio PCG505HS Brad Frisbie: "cmospwd /k" works, Phoenix 6 R4 - Sony Vaio PCG-FR105 Andrea Michele Zoia: 'cmospwd_win /k' removes the password. +- Sony Vaio PGC-K115b +Tony Kennedy: "cmospwd /k" works - IBM NetVista 8303-41G Roel: CmosPwd /k works, Phoenix Bios 4.0 Release 6.0. - Panasonic CF-25 Stefan Stevens: CmosPwd /k works +- Panasonic CF-W2 +Patrick Gendron: CmosPwd /k works - Tulip Vision Line bn 100 CmosPwd /k works, PhoenixBios 4.0 Release 6.0 11/03/01 - LG GS50-5FY notebook Angelika Jurkiewicz: CmosPwd /k can remove supervisor password. - TI Extensa 600CD Dathan Alley: CmosPwd /k works +- NEC Versa E2000 +CmosPwd /k works + What to do if you can't use cmospwd to clear your cmos ? Under Dos/Win9x, you can use debug to reset cmos CRC stored at 0x2E-0x2F debug 
@@ -291,7 +308,6 @@ and to all the guys, who provided information about cmos and reported bugs. If you have problems or questions about cmospwd, please mail me. -Christophe GRENIER -grenier@cgsecurity.org -http://www.cgsecurity.org +Christophe GRENIER <grenier@cgsecurity.org> +http://www.cgsecurity.org/wiki/CmosPwd |