Backdoor and default passwords
Many BIOSes have built-in backdoor passwords that can be used to bypass a
BIOS password which has been lost. This is, of course, an unacceptable
way of handling this. No machine should have a backdoor password; this
is a massive security hole. Instead, the machine should have a hardware
jumper or DIP switch located in a secure location that is not accessible
when the case is locked. For desktops, the switch can be located on the
motherboard and a locking case screw will prevent access. For notebooks,
the switch should be inside a compartment which cannot be opened
when the security cable slot is engaged.
- Award BIOSes
"Condo", "AWARD_SW", "J332", and "589589", "AWARD?SW", "lkwpeter",
"aLLY", "j262", "j332".
Some more are available at pwcrack.com.
After 1996-12-19, Award required each OEM to set their own password.
- AMI BIOSes
A program to reveal backdoor passwords in AMI BIOSes was posted on
bugtraq. Some backdoor passwords used include
"A.M.I.", "AMI_SW", "AMI?SW".
Some more are available at pwcrack.com.
- Phoenix BIOSes
"phoenix"
- Toshiba notebooks
Toshiba has a trapdoor password to bypass the BIOS password. The
company has adopted a truly asinine attitude regarding this password.
It turns out that if the first five bytes of sector 1 (the second
sector) of a floppy in drive A: are "4B 45 59 00 00" then you can
bypass the password (press Enter when asked for the password and
you will be asked to set the password again).
- Thinkpad Notebooks
Thinkpads have special pads to short. Removing the battery, or letting it
go dead, can wipe out the hard disk encryption key.
See http://www.pwcrack.com/BIOS/bios.html for more details.
- Other BIOSes
"biostar", "biosstar", "LKWPETER", "BIOSTAR", "j262", "j256", "Syxx",
"Wodj"
- Clearing BIOS password using debug:
O70,1E
O71,FF
O70,1F
O71,FF
- emachines
At least some emachines have a dip switch on the motherboard to clear
the passwords.
- More info on BIOS backdoor passwords and clearing CMOS.
I supplemented the info on this page with stuff from there.
- Discharging CMOS RAM
There is usually a jumper near the battery for this. This is often
a three-pin jumper and you move it from 1-2 to 2-3 or vice versa.
If there is no jumper, you can accomplish the same result by shorting
a particular pin on the CMOS RTC chip to ground for a few seconds while
the power is turned off.
Chip                       Package      Procedure
Dallas     1287            24 pin DIP   replace chip
Dallas     1287A           24 pin DIP   short pins 12 and 21
Chips&Tech P82C206         PLCC         short pins 74 and 75 (upper left corner)
Opti       P82C206         PLCC         short pins 3 and 26 (bottom row)
Motorola   MC146818AP                   unplug chip
Dallas     DS12885S        24 pin DIP   short pins 12 and 20
Benchmarq  bq325aS         24 pin SIP   short pins 12 and 20
Actually, you could just wipe a grounded clip lead across all the pins
of the chip you suspect is the CMOS RTC/RAM chip. This is usually a
24 pin DIP. If the functionality is handled by the motherboard
chipset, just do the same for all the motherboard chipset pins.
Note that if there is no series current-limiting resistor on the
external battery, it may have enough power to melt a trace off the board;
this trace will be the battery power to the CMOS RTC/RAM and you
can solder in a piece of wire to replace the trace. I have never
heard of this happening on a motherboard, and given the way they are
handled it would be pretty common if it could.
It should also be noted that you can look up the manufacturer's data
sheet for the chip on their web site to find out how to erase
the RAM.
- CmosPwd
The program CmosPwd can be used to crack the CMOS passwords on ACER, IBM,
AMIBIOS, Award BIOS, Compaq, DELL, Packard Bell, Phoenix, Toshiba, and
Zenith machines. It runs under Linux or DOS/Windows.
- Cisco routers
Cisco routers prevent remote logon unless the passwords have been
set.
- 3Com
Lanplex/CoreBuilder line: login=debug, password=synnet
LinkSwitch 2700, SuperStack 2700, CellPlex 7000: login=tech, password=tech
SuperStack II hubs and switches don't respond to the above
but do have user=tech, password=tech or user=monitor, password=monitor.
- IBM 8237 Hub
Has a backdoor password in cleartext in the image. There is no way to
change the password without editing the firmware image and hacking the
checksum.
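A cleartext credential baked into a firmware image, as described above, is something a defender can look for before trusting an image. The following is an added Python example (not from this page, nor IBM's or any vendor's code): it extracts printable strings from a constructed sample blob, much like strings(1), and flags word-like strings that sit right after credential-related prompts. The sample image, the keyword list and the token heuristic are assumptions made for the demonstration.

```python
import string

# Constructed stand-in for a firmware image: filler bytes with a few embedded
# strings, including a made-up credential pair. Not a real vendor image.
SAMPLE_IMAGE = (
    bytes(range(0, 32)) + b"login: \x00\xff\x12" + b"Password: \x00\x00"
    + b"debug\x00\x01\x02\x03" + b"s3cr3t-example\x00" + bytes(range(128, 256))
    + b"Copyright 1995 Example Hub Co.\x00" + b"\x90" * 16 + b"hub firmware v1.0\x00"
)

# Printable ASCII (0x20..0x7e); tabs/newlines excluded so runs end at line breaks.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
# Words that typically label a credential in firmware text (assumed list).
KEYWORDS = ("login", "password", "passwd", "debug", "backdoor", "maint", "tech")

def extract_strings(blob, min_len=4):
    """Return (offset, text) for each run of >= min_len printable bytes,
    like strings(1) but keeping the offset so a hit can be located."""
    runs, start = [], None
    for i, b in enumerate(blob):
        if b in PRINTABLE:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, blob[start:i].decode("ascii")))
            start = None
    if start is not None and len(blob) - start >= min_len:
        runs.append((start, blob[start:].decode("ascii")))
    return runs

def looks_like_token(s):
    """A single word of 4..32 characters that is not itself a prompt."""
    s = s.strip()
    return 4 <= len(s) <= 32 and " " not in s and not s.endswith(":")

def credential_candidates(blob, window=2):
    """Return (markers, candidates): markers contain a keyword; candidates are
    token-like strings stored within `window` strings after a marker."""
    runs = extract_strings(blob)
    markers, candidates = [], []
    for idx, (off, s) in enumerate(runs):
        if not any(k in s.lower() for k in KEYWORDS):
            continue
        markers.append((off, s))
        for hit in runs[idx + 1: idx + 1 + window]:
            if looks_like_token(hit[1]) and hit not in candidates:
                candidates.append(hit)
    return markers, candidates
```

Hits are only a starting point for manual review; obfuscated or hashed credentials will not show up, and a clean result does not prove an image is free of them.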
- Quake servers
The rcon password is "tms"; it appears to require that you masquerade
as 192.246.40.* to use.
- IRC scripts
There are many trojan IRC scripts with backdoor passwords.
- Unix(tm)
One of the more famous and clever backdoors existed in
early Unix systems. Dennis Ritchie added hidden self-replicating object code to
the C compiler that modified both the C compiler and the login program
when they were recompiled. So even if you recompiled the complete system
from sources and inspected the sources, there was still a hidden backdoor.
Early systems had a default root password of "gnomes".
Many distributions had default passwords.
- Windows 95 screen lock
You can bypass the screen lock on any Windows 95 box if it
has autorun enabled on the CD-ROM drive. Insert a special
CD and it will be autorun even though the screen is locked.
The autorun program can copy sensitive data to a floppy and/or
kill the screen saver process.
ftp://null.angel.nu/projects/95sscrk.zip is one of the programs which
can be used to decrypt the screen saver password.
This appears to also be a problem on Windows NT machines.
Autorun.inf is the magic file.
- Motorola cell phones
The DPC-550 cell phone has a backdoor password to unlock the
phone. Typically "000000000000" or "123456123456".
- UT Lexar Telephone switches
Default login used by maintenance personnel was "lexar", no password;
customers were required by contract to maintain a dialup line.
Backdoor login was "DESIGNED_BY_IC_KF". Their technicians knew
that this backdoor existed but were not given its value.
These deficiencies were reported to Lexar a decade ago.
If they haven't fixed them by now, tough.
Lexar switches print some distinctive escape codes followed by
a "login:" prompt and are easy prey for war dialers. I broke into
one almost by accident when it got added to a list of BBSes as a C/unix.
Credits
Much of this information was posted on the bugtraq mailing list.
This file is maintained by
Mark Whitis
(whitis@freelabs.com).