Hello, I need the help of friends or community experts with this problem:
We have about 100 PCs of the same brand and model, manufactured in 2010. On all these PCs I need to change the system and user passwords through the BIOS, periodically and manually. I would like to automate this procedure through software and had the following idea:
The motherboard manufacturer sent me a program to read and write the CMOS. I start by setting up these passwords on a single PC and saving all its content to a file; afterwards, with this program, I write the CMOS to the other machines. Detail: this program is to be used with a DOS boot disk.
I would like to carry out this procedure through the central server, copying the file with the new CMOS data to a specific folder that exists on all machines. On each PC there is a process running on Windows XP SP3 that, as soon as it receives the file, reads the contents, writes the new passwords to its CMOS, deletes the file from the folder and restarts itself. In theory this should work, but it does not, not even on the same machine where I created the file. What happens is that every time I update the CMOS, the changed settings are retained, but the passwords always come back clean, i.e. without any protection on access to the BIOS.
Now I'm basing my work on a program called CmosPwd, which can be found on the site www.cgsecurity.org, but none of its options works properly on the motherboard that we have. Our platform apparently uses the Award BIOS 6.00 PG as the base for these Chinese motherboards. I tried contacting the manufacturer again, but they do not provide a map of the structure of the CMOS. Comparing the various files, I discovered that the passwords are not written in ASCII mode, only 5 bytes at offset 0x40, which I believe to be their CRC, as shown below:
CMOS DUMPS WITH PASSWORDS:
SYSTEM: 11111111
USER : 22222222
CMOS Bank 0:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
0: 59 00 55 00 14 00 05 02 05 13 26 02 40 80 08 00
1: 40 f0 00 00 02 80 02 00 04 14 00 00 00 00 00 00
2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fc
3: 00 04 20 80 00 00 00 00 00 00 00 00 00 00 00 00
4: 59 00 55 00 14 00 05 02 05 13 26 02 40 80 08 00
5: 40 f0 00 00 02 80 02 00 04 14 00 00 00 00 00 00
6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fc
7: 00 04 20 80 00 00 00 00 00 00 00 00 00 00 00 00
CMOS Bank 1:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
0: 59 00 55 00 14 00 05 02 05 13 26 02 40 80 08 00
1: 40 f0 00 00 02 80 02 00 04 14 00 00 00 00 00 00
2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fc
3: 00 04 20 80 00 00 00 00 00 00 00 00 00 00 00 00
4: 59 00 55 00 14 00 05 02 05 13 26 02 40 80 08 00
5: 40 f0 00 00 02 80 02 00 04 14 00 00 00 00 00 00
6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fc
7: 00 04 20 80 00 00 00 00 00 00 00 00 00 00 00 00
SYSTEM: AAAAAAAA
USER : BBBBBBBB
CMOS Bank 0:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
0: 51 00 01 00 15 00 05 02 05 13 26 02 00 80 08 00
1: 40 f0 00 00 02 80 02 00 04 14 00 00 00 00 00 00
2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fc
3: 00 04 20 80 00 00 00 00 00 00 00 00 00 00 00 00
4: 51 00 01 00 15 00 05 02 05 13 26 02 40 80 08 00
5: 40 f0 00 00 02 80 02 00 04 14 00 00 00 00 00 00
6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fc
7: 00 04 20 80 00 00 00 00 00 00 00 00 00 00 00 00
CMOS Bank 1:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
0: 51 00 01 00 15 00 05 02 05 13 26 02 40 80 08 00
1: 40 f0 00 00 02 80 02 00 04 14 00 00 00 00 00 00
2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fc
3: 00 04 20 80 00 00 00 00 00 00 00 00 00 00 00 00
4: 51 00 01 00 15 00 05 02 05 13 26 02 40 80 08 00
5: 40 f0 00 00 02 80 02 00 04 14 00 00 00 00 00 00
6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fc
7: 00 04 20 80 00 00 00 00 00 00 00 00 00 00 00 00
Has anyone had a problem like this and found a simple and cheap solution, or have any hint for solving it? I would appreciate any kind of help.
Thanks so much,
Edison Fernando.
Brazil.
|
Any technical problem is a challenge, but though I don't have an answer in this case, I'm sure you'll appreciate that you probably won't get one (here) when your aim is to remotely change passwords.
|
Contact the manufacturer of the machines. They'll usually have a BIOS command line tool that can import/export the contents or provide some other method for what you're doing.
You're not going to get code to do this here.
|
HP & DELL provide BIOS 'replication' tools.
But if your machines aren't those, don't assume they will work on yours.
They also need DOS (not Windows).
|
Hello friends,
First, thanks for the posts. I feel obliged to inform you of some progress I made today.
I discovered part of the mystery. After many attempts to save/restore passwords in the CMOS, maybe some tool I had used for tests made a mess of the CMOS, as I posted before.
This is shown in the dump, where many bytes are zeroed. I did a hard reset of the CMOS battery and the program sent by the motherboard maker finally started to work correctly. Now I can make a copy of a configured CMOS and duplicate it on another PC, or on the same one, successfully. The motherboards we have are OEM Gigabyte with a security chip that encrypts the CMOS if this feature is enabled in the BIOS (default). I would also say that the manufacturer's program worked successfully even on my home computer with a Gigabyte P35 board, so I assume that it works for almost all Gigabyte boards.
A new, correct dump of the CMOS banks now looks like this:
SYSTEM: 'password'
USER : 'password'
CMOS Bank 0:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
0: 21 20 26 00 11 bd 07 06 05 13 26 02 50 80 00 00
1: 40 8b f0 00 03 80 02 c0 ff 2f 2f 40 00 00 00 00
2: 00 00 00 00 00 00 ff ff 10 00 00 fe ff ff 09 a7
3: c0 ff 20 00 bc db 8e 5c c1 0e b8 0f cb d1 da cf
4: 0f 53 00 95 00 00 00 02 10 01 21 00 01 00 00 00
5: 00 00 00 0d 0a 00 00 00 00 00 c8 24 00 00 00 00
6: 00 00 00 03 00 20 13 2f 00 00 00 00 00 ff ff 00
7: 2f 00 00 00 00 00 00 00 00 fc 00 00 cc 05 92 0f
CMOS Bank 1:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
0: ff df ff df c0 ff ff ff ff ff ff 8f 00 c0 09 09
1: 70 b0 dc 6e 77 7b c9 c8 70 b0 dc 6e 77 7b c9 c8
2: 00 00 00 00 00 00 00 00 7a c0 ca de b2 e6 c8 01
3: 10 86 80 05 00 24 00 00 00 00 00 d0 ff 13 10 0d
4: 85 4a 32 a5 39 33 02 01 02 33 33 55 56 00 00 00
5: 00 10 00 cf 8f 9f 8f 8f 4f 5e 43 9f ce c7 43 cb
6: 4f 17 f0 f4 db 8d c5 8f cc cf df 4b cd d1 cb f7
7: cf cb ef c7 c8 cf 5d 43 0a d4 8f 8f df ce cf dd
The offset for passwords (on this PC) is located at bank 1, offset 0x10 up to 0x1f:
70 b0 dc 6e 77 7b c9 c8 70 b0 dc 6e 77 7b c9 c8
p  a  s  s  w  o  r  d  p  a  s  s  w  o  r  d
The letter 'a' inside the CMOS is encrypted as 0xB0, but on another occasion, for example if we change the password to 'senha' ("password" in Brazilian Portuguese), the letter 'a' may change to another value, as I realized today.
I know that the first 16 bytes are for the RTC and the program should not duplicate them. So there are only 112 bytes left, and I need to find out whether all of them are written sequentially by the program or, at worst, the program computes and writes a CRC before rewriting the CMOS.
This will be the next challenge and the last will be how to do this within Windows and not through the DOS.
Well, people say that when we reach 50 we turn into children again. In my case, specifically, this is not true: I just went back to brushing bits!!
But it is the best thing to keep the mind always "insane", don't you think?
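Added example, not part of the original posts and not the manufacturer's tool: a consistency check for a saved bank 0 dump before it is copied to other machines. It uses the standard PC/AT CMOS checksum (16-bit sum of bytes 0x10 to 0x2D, stored high byte first at 0x2E/0x2F); that this board keeps that standard field is an assumption, the function names are illustrative, and the check does not cover bank 1.

```c
#include <stdio.h>
#include <stdlib.h>

/* Rows 0-2 of bank 0, copied from the two dumps posted in this thread. */
static const char *DUMP_FIRST_POST =
    "0: 59 00 55 00 14 00 05 02 05 13 26 02 40 80 08 00\n"
    "1: 40 f0 00 00 02 80 02 00 04 14 00 00 00 00 00 00\n"
    "2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fc\n";
static const char *DUMP_AFTER_RESET =
    "0: 21 20 26 00 11 bd 07 06 05 13 26 02 50 80 00 00\n"
    "1: 40 8b f0 00 03 80 02 c0 ff 2f 2f 40 00 00 00 00\n"
    "2: 00 00 00 00 00 00 ff ff 10 00 00 fe ff ff 09 a7\n";

/* Parse "row: 16 hex bytes" lines into cmos[]; returns bytes stored, 0 on error. */
static size_t parse_dump(const char *text, unsigned char *cmos, size_t cap)
{
    size_t n = 0;
    while (*text) {
        char *end;
        unsigned long row = strtoul(text, &end, 16);
        if (end == text || *end != ':' || row >= cap / 16) return 0;
        text = end + 1;
        for (int col = 0; col < 16; col++, n++) {
            unsigned long b = strtoul(text, &end, 16);
            if (end == text || b > 0xff) return 0;
            cmos[row * 16 + col] = (unsigned char)b;
            text = end;
        }
        if (*text != '\n' && *text != '\0') return 0;  /* short or long row */
        while (*text == '\n') text++;
    }
    return n;
}

/* 1 = stored checksum matches, 0 = mismatch, -1 = dump could not be parsed. */
int dump_checksum_ok(const char *text)
{
    unsigned char cmos[128] = {0};
    unsigned sum = 0;
    if (parse_dump(text, cmos, sizeof cmos) != 48) return -1;
    for (int i = 0x10; i <= 0x2d; i++) sum += cmos[i];
    return (sum & 0xffff) == (((unsigned)cmos[0x2e] << 8) | cmos[0x2f]);
}

int main(void)
{
    printf("first post dump:   %d\n", dump_checksum_ok(DUMP_FIRST_POST));
    printf("after reset dump:  %d\n", dump_checksum_ok(DUMP_AFTER_RESET));
    return 0;
}
```

On the two dumps from the thread, the one from the first post fails the check and the one taken after the battery reset passes.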
|
edinando wrote: This will be the next challenge and the last will be how to do this within Windows and not through the DOS.
Well, there's a little problem with that. You'll have to rewrite this application from scratch and supply a device driver to pull this off. User mode applications do not have any access to the hardware, hence the need for a driver.
If you've got the complete specs for reading/writing the CMOS on a Gigabyte board, the ability to write and debug kernel mode code, specifically device drivers, and can write said device drivers in C (cannot use C#!), you should be able to pull this off.
|
My first post
I am building a DRO reader that will send three 8-bit data bytes to an LPT port, for VB6 code I will be writing.
I know that the serial port has a good size buffer.
But I do not know if there is an LPT buffer and/or what its size is.
I did a quick search but no luck.
Oldhat
|
The basic Line Print Terminal connector (parallel port) pin function specifies pins 2 - 9 for data bits 0 - 7. So I suppose you need to make a distinction between the hardware and the software you might be using. With the hardware accepting 1 byte, buffer size in your software - whatever that is - is now the question you need to address.
|
Hi guys,
I'm using a Dell E6500 laptop and wanted to know the cache memory information. Can you help me with where to get the required information? I am using Windows 7 64-bit.
Regards,
|
Do you mean processor cache: L1, L2, L3?
Copy the code from this link into Notepad, edit the drive letter for the input file and output file, and Save As hw-info.vbs.
Create the input file named in the script; you only need to put a single dot in the file in order to get local computer info. Save it to the same location as the .vbs file.
Double-click the .vbs file, or open Command Prompt (cmd.exe) and type cscript hw-info.vbs
"It's true that hard work never killed anyone. But I figure, why take the chance." - Ronald Reagan
That's what machines are for.
Got a problem?
Sleep on it.
modified 19-Apr-13 5:17am.
|
Oops.
|
Thanks, looks interesting.
Use the best guess
|
Would this script create the file directory itself, or do I have to provide it manually? And secondly, with which extension should the input file be created? Do I have to create it as .html or ...?
|
Hi,
The input text file should be .txt. You can remove the absolute path d:\script\ if the two files will be in the same place as the script file.
d:\script\Serverlist.txt
d:\script\Inventorylist_
The output file extension is created by the script, it's .csv; look at the .vbs script.
|
Thanks a lot...
Well, another question: is there any GUI-based method to find out the cache, i.e. Windows functionality, like how we use BIOS settings to check the RAM?
|
I'd rather not link any specific site as I could be accused of spamming.
So just try entering hwinfo into Google.
|
Hi,
The x86 asm instruction for this is the cpuid instruction. You can get the level caches by using the compiler-intrinsic __cpuid function with the 0x80000006 information type.
Best Wishes,
-David Delaune
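Added example, not part of the original post: decoding the ECX value that CPUID leaf 0x80000006 returns, which describes the L2 cache. It uses GCC/Clang's `__get_cpuid` from `<cpuid.h>` in place of the MSVC `__cpuid` intrinsic named above; the struct and function names are illustrative, and the fallback ECX value is a constructed sample.

```c
#include <stdio.h>
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>              /* GCC/Clang counterpart of MSVC's __cpuid */
#define HAVE_CPUID 1
#endif

struct l2_cache { unsigned size_kb; int ways; unsigned line_bytes; };

/* ECX[15:12] is an encoded associativity, not a plain way count.
 * Returns the way count, -1 for fully associative, and 0 for disabled.
 * Codes 3, 5, 7 and 9 are reserved or vendor-specific and also give 0. */
static int decode_ways(unsigned code)
{
    static const int table[16] = { 0, 1, 2, 0, 4, 0, 8, 0,
                                   16, 0, 32, 48, 64, 96, 128, -1 };
    return table[code & 0xf];
}

/* Leaf 0x80000006, ECX: [31:16] size in KB, [15:12] ways code, [7:0] line size. */
struct l2_cache decode_l2(unsigned ecx)
{
    struct l2_cache c;
    c.size_kb    = ecx >> 16;
    c.ways       = decode_ways(ecx >> 12);
    c.line_bytes = ecx & 0xff;
    return c;
}

int main(void)
{
    unsigned ecx = 0x01006040;  /* constructed sample: 256 KB, 8-way, 64-byte lines */
#ifdef HAVE_CPUID
    unsigned eax, ebx, edx, live;
    if (__get_cpuid(0x80000006, &eax, &ebx, &live, &edx))
        ecx = live;             /* leaf supported: use this CPU's own value */
#endif
    struct l2_cache c = decode_l2(ecx);
    printf("L2: %u KB, %d-way, %u-byte lines\n", c.size_kb, c.ways, c.line_bytes);
    return 0;
}
```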
|
Just found this FEE PAGE on the USB org site.
Does any company, no matter how small, have to pay that fee before even thinking about adding USB capability to its device?
|
If I'm not mistaken, Microchip offers the ability to use their VID and they'll assign you a Product ID.
|
Thanks for the insight. I just asked Microchip what to do.
|
Please note the PID/VID combination they give you is only, according to Microchip, "legally" "valid" for use with their PIC Microcontrollers.
|
I'm making a disk (volume) backup/restore system.
I would unmount the volume before backup, but the system volume cannot be unmounted.
So I am worried about changes to or access of the system volume while it is being backed up.
Is it possible to detect in real time which disk sector or NTFS cluster was changed?
Could that be done with a filter driver?
|
Cross-posting is annoying.
Stick to one forum with a question.
|
So I have a driver that does a child enum on the ACPI PDO. It gets back the methods, and then does an evaluate. There are two ways of doing this, evaluateex and evaluate. Oddly, for exactly the same methods they return different data: not different in value, but the ex evaluation data has a 4-byte padding after each package, while the eval method doesn't. This is for _PSS data.
What is also odd is that if the eval is called during IRP_MJ_START_DEVICE, the _PCT data is also different from that obtained later on, so I assume even then the device hasn't completely started. The _PCT at IRP_MJ_START_DEVICE shows IO port access, but later shows FFHW as the access.
What is also interesting is that attaching to the PDO outside of AddDevice causes enum children to return STATUS_NOT_SUPPORTED, which is odd, since the only interface to the PDO is the PDO pointer and the Irp. How DOES the PDO know the Irp is being sent from a DO attached outside of AddDevice? Odd stuff indeed.
Anyway, it doesn't affect the functioning of the driver, it controls CPU speed OK, but this variability of what the PDO is returning is odd and I can't explain it. Anyone have any idea why this is?
==============================
Nothing to say.
modified 30-Mar-13 12:55pm.