WTF *Nix

READ EVERYTHING BEFORE YOU USE ANY METHOD LISTED BELOW

I am NOT held responsible for anything you break, nor my ISP!

Basic BIOS password crack – works nine times out of ten

This is a password hack but it clears the BIOS such that the next time you start the PC, the CMOS does not ask for any password. Now if you are able to bring the DOS prompt up, then you will be able to change the BIOS setting to the default. To clear the CMOS do the following:
Get DOS prompt and type:
DEBUG hit enter
-o 70 2e hit enter
-o 71 ff hit enter
-q hit enter
exit hit enter
Restart the computer. It works on most versions of the AWARD BIOS.

Accessing information on the hard disk

When you turn on the host machine, enter the CMOS setup menu (usually you have to press F2, or DEL, or CTRL+ALT+S during the boot sequence) and go to STANDARD CMOS SETUP, and set the channel to which you have put the hard disk as TYPE=Auto, MODE=AUTO, then SAVE & EXIT SETUP. Now you have access to the hard disk.

Standard BIOS backdoor passwords

The first, less invasive, attempt to bypass a BIOS password is to try on of these standard manufacturer’s backdoor passwords:
AWARD BIOS
AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, HLT, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HLT, KDD, ZBAAACA, ZAAADA, ZJAAADC, djonet

AMI BIOS

AMI, A.M.I., AMI SW, AMI_SW, BIOS, PASSWORD, HEWITT RAND, Oder
Other passwords you may try (for AMI/AWARD or other BIOSes)
LKWPETER, lkwpeter, BIOSTAR, biostar, BIOSSTAR, biosstar, ALFAROME, Syxz, Wodj

Note that the key associated to “_” in the US keyboard corresponds to “?” in some European keyboards (such as Italian and German ones), so — for example — you should type AWARD?SW when using those keyboards. Also remember that passwords are Case Sensitive.

Flashing BIOS via software

If you have access to the computer when it’s turned on, you could try one of those programs that remove the password from the BIOS, by invalidating its memory.

However, it might happen you don’t have one of those programs when you have access to the computer, so you’d better learn how to do manually what they do. You can reset the BIOS to its default values using the MS-DOS tool DEBUG (type DEBUG at the command prompt. You’d better do it in pure MS-DOS mode, not from a MS-DOS shell window in Windows). Once you are in the debug environment enter the following commands:

AMI/AWARD BIOS

O 70 17
O 71 17
Q

PHOENIX BIOS

O 70 FF
O 71 17
Q

GENERIC
Invalidates CMOS RAM.
Should work on all AT motherboards
(XT motherboards don’t have CMOS)
O 70 2E
O 71 FF
Q

Note that the first letter is a “O” not the number “0″. The numbers which follow are two bytes in hex format.

Flashing BIOS via hardware

If you can’t access the computer when it’s on, and the standard backdoor passwords didn’t work, you’ll have to flash the BIOS via hardware. Please read the important notes at the end of this section before to try any of these methods.

Using the jumpers

The canonical way to flash the BIOS via hardware is to plug, unplug, or switch a jumper on the motherboard (for “switching a jumper” I mean that you find a jumper that joins the central pin and a side pin of a group of three pins, you should then unplug the jumper and then plug it to the central pin and to the pin on the opposite side, so if the jumper is normally on position 1-2, you have to put it on position 2-3, or vice versa). This jumper is not always located near to the BIOS, but could be anywhere on the motherboard.
To find the correct jumper you should read the motherboard’s manual.

Once you’ve located the correct jumper, switch it (or plug or unplug it, depending from what the manual says) while the computer is turned OFF. Wait a couple of seconds then put the jumper back to its original position. In some motherboards it may happen that the computer will automatically turn itself on, after flashing the BIOS. In this case, turn it off, and put the jumper back to its original position, then turn it on again. Other motherboards require you turn the computer on for a few seconds to flash the BIOS.

If you don’t have the motherboard’s manual, you’ll have to “brute force” it… trying out all the jumpers. In this case, try first the isolated ones (not in a group), the ones near to the BIOS, and the ones you can switch (as I explained before). If all them fail, try all the others. However, you must modify the status of only one jumper per attempt, otherwise you could damage the motherboard (since you don’t know what the jumper you modified is actually meant for). If the password request screen still appear, try another one.

If after flashing the BIOS, the computer won’t boot when you turn it on, turn it off, and wait some seconds before to retry.

Removing the Battery

If you can’t find the jumper to flash the BIOS or if such jumper doesn’t exist, you can remove the battery that keeps the BIOS memory alive. It’s a button-size battery somewhere on the motherboard (on elder computers the battery could be a small, typically blue, cylinder soldered to the motherboard, but usually has a jumper on its side to disconnect it, otherwise you’ll have to unsolder it and then solder it back). Take it away for 15-30 minutes or more, then put it back and the data contained into the BIOS memory should be volatilized. I’d suggest you to remove it for about one hour to be sure, because if you put it back when the data aren’t erased yet you’ll have to wait more time, as you’ve never removed it. If at first it doesn’t work, try to remove the battery overnight.

Important note: in laptop and notebooks you don’t have to remove the computer’s power batteries (which would be useless), but you should open your computer and remove the CMOS battery from the motherboard.

Short-circuiting the chip

Another way to clear the CMOS RAM is to reset it by short circuiting two pins of the BIOS chip for a few seconds. You can do that with a small piece of electric wire or with a bent paper clip. Always make sure that the computer is turned OFF before to try this operation.

Here is a list of EPROM chips that are commonly used in the BIOS industry. You may find similar chips with different names if they are compatible chips made by another brand. If you find the BIOS chip you are working on matches with one of the following you can try to short-circuit the appropriate pins. Be careful, because this operation may damage the chip.
CHIPS P82C206 (square)

Short together pins 12 and 32 (the first and the last pins on the bottom edge of the chip) or pins 74 and 75 (the two pins on the upper left corner).

gnd
74
|__________________
5v 75–| |
| |
| |
| CHIPS |
1 * | |
| P82C206 |
| |
| |
|___________________|
| |
| gnd | 5v
12 32

OPTi F82C206 (rectangular)

Short together pins 3 and 26 (third pin from left side and fifth pin from right side on the bottom edge).

80 51
|______________|
81 -| |- 50
| |
| |
| OPTi |
| |
| F82C206 |
| |
100-|________________|-31
|| | |
1 || | | 30
3 26

Dallas DS1287, DS1287A

Benchmarq bp3287MT, bq3287AMT

The Dallas DS1287 and DS1287A, and the compatible Benchmarq bp3287MT and bq3287AMT chips have a built-in battery. This battery should last up to ten years. Any motherboard using these chips should not have an additional battery (this means you can’t flash the BIOS by removing a battery). When the battery fails, the RTC chip would be replaced.

CMOS RAM can be cleared on the 1287A and 3287AMT chips by shorting pins 12 and 21.

The 1287 (and 3287MT) differ from the 1287A in that the CMOS RAM can’t be cleared. If there is a problem such as a forgotten password, the chip must be replaced. (In this case it is recommended to replace the 1287 with a 1287A). Also the Dallas 12887 and 12887A are similar but contain twice as much CMOS RAM storage.
__________
1 -| * U |- 24 5v
2 -| |- 23
3 -| |- 22
4 -| |- 21 RCL (RAM Clear)
5 -| |- 20
6 -| |- 19
7 -| |- 18
8 -| |- 17
9 -| |- 16
10 -| |- 15
11 -| |- 14
gnd 12 -|__________|- 13

NOTE: Although these are 24-pin chips, the Dallas chips may be missing 5 pins, these are unused pins.

Most chips have unused pins, though usually they are still present.

Dallas DS12885S

Benchmarq bq3258S

Hitachi HD146818AP

Samsung KS82C6818A

This is a rectangular 24-pin DIP chip, usually in a socket. The number on the chip should end in 6818.

Although this chip is pin-compatible with the Dallas 1287/1287A, there is no built-in battery.

Short together pins 12 and 24.

5v
24 20 13
|___________|____________________|
| |
| DALLAS |
|> |
| DS12885S |
| |
|__________________________________|
| |
1 12
gnd

Motorola MC146818AP

Short pins 12 and 24. These are the pins on diagonally opposite corners – lower left and upper right. You might also try pins 12 and 20.
__________
1 -| * U |- 24 5v
2 -| |- 23
3 -| |- 22
4 -| |- 21
5 -| |- 20
6 -| |- 19
7 -| |- 18
8 -| |- 17
9 -| |- 16
10 -| |- 15
11 -| |- 14
gnd 12 -|__________|- 13

Replacing the chip

If nothing works, you could replace the existing BIOS chip with a new one you can buy from your specialized electronic shop or your computer supplier. It’s a quick operation if the chip is inserted on a base and not soldered to the motherboard, otherwise you’ll have to unsolder it and then put the new one. In this case would be more convenient to solder a base on which you’ll then plug the new chip, in the eventuality that you’ll have to change it again. If you can’t find the BIOS chip specifically made for your motherboard, you should buy one of the same type (probably one of the ones shown above) and look in your motherboard manufacturer’s website to see if there’s the BIOS image to download. Then you should copy that image on the chip you bought with an EPROM programmer.

Important

Whether is the method you use, when you flash the BIOS not only the password, but also all the other configuration data will be reset to the factory defaults, so when you are booting for the first time after a BIOS flash, you should enter the CMOS configuration menu (as explained before) and fix up some things.

Also, when you boot Windows, it may happen that it finds some new device, because of the new configuration of the BIOS, in this case you’ll probably need the Windows installation CD because Windows may ask you for some external files. If Windows doesn’t see the CD-ROM try to eject and re-insert the CD-ROM again. If Windows can’t find the CD-ROM drive and you set it properly from the BIOS config, just reboot with the reset key, and in the next run Windows should find it. However most files needed by the system while installing new hardware could also be found in C:WINDOWS, C:WINDOWSSYSTEM, or C:WINDOWSINF .

Key Disk for Toshiba laptops

Some Toshiba notebooks allow to bypass BIOS by inserting a “key-disk” in the floppy disk drive while booting. To create a Toshiba Keydisk, take a 720Kb or 1.44Mb floppy disk, format it (if it’s not formatted yet), then use a hex editor such as Hex Workshop (***.bpsoft.com/downloads/index.html) to change the first five bytes of the second sector (the one after the boot sector) and set them to 4B 45 59 00 00 (note that the first three bytes are the ASCII for “KEY” followed by two zeroes). Once you have created the key disk put it into the notebook’s drive and turn it on, then push the reset button and when asked for password, press Enter. You will be asked to Set Password again. Press Y and Enter. You’ll enter the BIOS configuration where you can set a new password.

Key protected cases

A final note about those old computers (up to 486 and early Pentiums) protected with a key that prevented the use of the mouse and the keyboard or the power button. All you have to do with them is to follow the wires connected to the key hole, locate the jumper to which they are connected and unplug it.

WTF Get’r Cleared Already! Be Careful!!!

However many times I have been asked how the Linux boots, well as it turns out, there isn’t much to the boot process, see the following six steps it takes:

1. A boot loader finds the kernel image on the disk, loads it into memory, and starts it.
2. The kernel initializes the devices and its drivers.
3. The kernel mounts the root filesystem.
4. The kernel starts a program called init.
5. init sets the rest of the processes in motion.
6. The last processes that init starts as part of the boot sequence allow you to log in.

Identifying each stage of the boot process is invaluable in fixing boot problems and understanding the system as a whole. To start, zero in on the boot loader, which is the initial screen or prompt you get after the computer does its power-on self-test, asking which operating system to run. After you make a choice, the boot loader runs the Linux kernel, handing control of the system to the kernel.

This writing covers the kernel initialization stage, the stage when the kernel prints a bunch of messages about the hardware present on the system. The kernel starts init just after it displays a message proclaiming that the kernel has mounted the root filesystem:

VFS: Mounted root (ext2 filesystem) readonly.

Soon after, you will see a message about init starting, followed by system service startup messages, and finally you get a login prompt of some sort.

NOTE On Red Hat Linux, the init note is especially obvious, because it “welcomes” you to “Red Hat Linux.” All messages thereafter show success or EPIC failure in brackets at the right-hand side of the screen.

Most of this chit chat deals with init, because it is the part of the boot sequence where you have the most control.

init

There is nothing special about init. It is a program just like any other on the Linux system, and you’ll find it in /sbin along with other system binaries. The main purpose of init is to start and stop other programs in a particular sequence. All you have to know is how this sequence works.

There are a few different variations, but most Linux distributions use the System V style discussed here. Some distributions use a simpler version that resembles the BSD init, but you are unlikely to encounter this.

Runlevels

At any given time on a Linux system, a certain base set of processes is running. This state of the machine is called its runlevel, and it is denoted with a number from 0 through 6. The system spends most of its time in a single runlevel. However, when you shut the machine down, init switches to a different runlevel in order to terminate the system services in an orderly fashion and to tell the kernel to stop. Yet another runlevel is for single-user mode, discussed later.

The easiest way to get a handle on runlevels is to examine the init configuration file, /etc/inittab. Look for a line like the following:

id:5:initdefault:

This line means that the default runlevel on the system is 5. All lines in the inittab file take this form, with four fields separated by colons occurring in the following order:

# A unique identifier (a short string, such as id in the preceding example)

# The applicable runlevel number(s)

# The action that init should take (in the preceding example, the action is to set the default runlevel to 5)

# A command to execute (optional)

There is no command to execute in the preceding initdefault example because a command doesn’t make sense in the context of setting the default runlevel. Look a little further down in inittab, until you see a line like this:

l5:5:wait:/etc/rc.d/rc 5

This line triggers most of the system configuration and services through the rc*.d and init.d directories. You can see that init is set to execute a command called /etc/rc.d/rc 5 when in runlevel 5. The wait action tells when and how init runs the command: run rc 5 once when entering runlevel 5, and then wait for this command to finish before doing anything else.

There are several different actions in addition to initdefault and wait, especially pertaining to power management, and the inittab(5) manual page tells you all about them. The ones that you’re most likely to encounter are explained in the following sections.

respawn

The respawn action causes init to run the command that follows, and if the command finishes executing, to run it again. You’re likely to see something similar to this line in your inittab file:

1:2345:respawn:/sbin/mingetty tty1

The getty programs provide login prompts. The preceding line is for the first virtual console (/dev/tty1), the one you see when you press ALT-F1 or CONTROL-ALT-F1. The respawn action brings the login prompt back after you log out.

ctrlaltdel

The ctrlaltdel action controls what the system does when you press CONTROL-ALT-DELETE on a virtual console. On most systems, this is some sort of reboot command using the shutdown command.

sysinit

The sysinit action is the very first thing that init should run when it starts up, before entering any runlevels.

How processes in runlevels start

You are now ready to learn how init starts the system services, just before it lets you log in. Recall this inittab line from earlier:

l5:5:wait:/etc/rc.d/rc 5

This small line triggers many other programs. rc stands for run commands, and you will hear people refer to the commands as scripts, programs, or services. So, where are these commands, anyway?

For runlevel 5, in this example, the commands are probably either in /etc/rc.d/rc5.d or /etc/rc5.d. Runlevel 1 uses rc1.d, runlevel 2 uses rc2.d, and so on. You might find the following items in the rc5.d directory:

S10sysklogd S20ppp S99gpm

S12kerneld S25netstd_nfs S99httpd

S15netstd_init S30netstd_misc S99rmnologin

S18netbase S45pcmcia S99sshd

S20acct S89atd

S20logoutd S89cron

The rc 5 command starts programs in this runlevel directory by running the following commands:

S10sysklogd start

S12kerneld start

S15netstd_init start

S18netbase start

S99sshd start

Notice the start argument in each command. The S in a command name means that the command should run in start mode, and the number (00 through 99) determines where in the sequence rc starts the command.

The rc*.d commands are usually shell scripts that start programs in /sbin or /usr/sbin. Normally, you can figure out what one of the commands actually does by looking at the script with less or another pager program.

You can start one of these services by hand. For example, if you want to start the httpd Web server program manually, run S99httpd start. Similarly, if you ever need to kill one of the services when the machine is on, you can run the command in the rc*.d directory with the stop argument (S99httpd stop, for instance).

Some rc*.d directories contain commands that start with K (for “kill,” or stop mode). In this case, rc runs the command with the stop argument instead of start. You are most likely to encounter K commands in runlevels that shut the system down.

Adding and removing services

If you want to add, delete, or modify services in the rc*.d directories, you need to take a closer look at the files inside. A long listing reveals a structure like this:

lrwxrwxrwx . . . S10sysklogd -> ../init.d/sysklogd

lrwxrwxrwx . . . S12kerneld -> ../init.d/kerneld

lrwxrwxrwx . . . S15netstd_init -> ../init.d/netstd_init

lrwxrwxrwx . . . S18netbase -> ../init.d/netbase

The commands in an rc*.d directory are actually symbolic links to files in an init.d directory, usually in /etc or /etc/rc.d. Linux distributions contain these links so that they can use the same startup scripts for all runlevels. This convention is by no means a requirement, but it often makes organization a little easier.

To prevent one of the commands in the init.d directory from running in a particular runlevel, you might think of removing the symbolic link in the appropriate rc*.d directory. This does work, but if you make a mistake and ever need to put the link back in place, you might have trouble remembering the exact name of the link. Therefore, you shouldn’t remove links in the rc*.d directories, but rather, add an underscore (_) to the beginning of the link name like this:

mv S99httpd _S99httpd

At boot time, rc ignores _S99httpd because it doesn’t start with S or K. Furthermore, the original name is still obvious, and you have quick access to the command if you’re in a pinch and need to start it by hand.

To add a service, you must create a script like the others in the init.d directory and then make a symbolic link in the correct rc*.d directory. The easiest way to write a script is to examine the scripts already in init.d, make a copy of one that you understand, and modify the copy.

When adding a service, make sure that you choose an appropriate place in the boot sequence to start the service. If the service starts too soon, it may not work, due to a dependency on some other service. For non-essential services, most systems administrators prefer numbers in the 90s, after most of the services that came with the system.

Linux distributions usually come with a command to enable and disable services in the rc*.d directories. For example, in Debian, the command is update-rc.d, and in Red Hat Linux, the command is chkconfig. Graphical user interfaces are also available. Using these programs helps keep the startup directories consistent and helps with upgrades.

HINT: One of the most common Linux installation problems is an improperly configured XFree86 server that flicks on and off, making the system unusable on console. To stop this behavior, boot into single-user mode and alter your runlevel or runlevel services. Look for something containing xdm, gdm, or kdm in your rc*.d directories, or your /etc/inittab .

Controlling init

Occasionally, you need to give init a little kick in the ass to tell it to switch runlevels, to re-read the inittab file, or just to shut down the system. Because init is always the first process on a system, its process ID is always 1.

You can control init with telinit. For example, if you want to switch to runlevel 3, use this command:

telinit 3

When switching runlevels, init tries to kill off any processes that aren’t in the inittab file for the new runlevel. Therefore, you should be careful about changing runlevels.

When you need to add or remove respawning jobs or make any other change to the inittab file, you must tell init about the change and cause it to re-read the file. Some people use kill -HUP 1 to tell init to do this. This traditional method works on most versions of Unix, as long as you type it correctly. However, you can also run this telinit command:

telinit q

You can also use telinit s to switch to single-user mode.

Shutting down

init also controls how the system shuts down and reboots. The proper way to shut down a Linux machine is to use the shutdown command.

There are two basic ways to use shutdown. If you halt the system, it shuts the machine down and keeps it down. To make the machine halt immediately, use this command:

shutdown -h now

On most modern machines with reasonably recent versions of Linux, a halt cuts the power to the machine. You can also reboot the machine. For a reboot, use -r instead of -h.

The shutdown process takes several seconds. You should never reset or power off a machine during this stage.

In the preceding example, now is the time to shut down. This argument is mandatory, but there are many ways of specifying it. If you want the machine to go down sometime in the future, one way is to use +n, where n is the number of minutes shutdown should wait before doing its work. For other options, look at the shutdown(8) manual page. Are you bored so far of how the Linux boots? Well here on wtfnix.com you shouldn’t be too bored, because it’s fun to learn all about Linux on wtfnix.com

To make the system reboot in 10 minutes, run this command:

shutdown -r +10

On Linux, shutdown notifies anyone logged on that the machine is going down, but it does little real work. If you specify a time other than now, shutdown creates a file called /etc/nologin. When this file is present, the system prohibits logins by anyone except the superuser.

When system shutdown time finally arrives, shutdown tells init to switch to runlevel 0 for a halt and runlevel 6 for a reboot. When init enters runlevel 0 or 6, all of the following takes place, which you can verify by looking at the scripts inside rc0.d and rc6.d:

1. init kills every process that it can (as it would when switching to any other runlevel).

# The initial rc0.d/rc6.d commands run, locking system files into place and making other preparations for shutdown.

# The next rc0.d/rc6.d commands unmount all filesystems other than the root.

# Further rc0.d/rc6.d commands remount the root filesystem read-only.

# Still more rc0.d/rc6.d commands write all buffered data out to the filesystem with the sync program.

# The final rc0.d/rc6.d commands tell the kernel to reboot or stop with the reboot, halt, or poweroff program.

The reboot and halt programs behave differently for each runlevel, potentially causing confusion. By default, these programs call shutdown with the -r or -h options, but if the system is already at the halt or reboot runlevel, the programs tell the kernel to shut itself off immediately. If you really want to shut your machine down in a hurry disregarding any possible damage from a disorderly shutdown, use the -f option.

So get to it, this is just a crack in the Linux Boot, you have a boat load more to learn!

So… WTF Get’r done!