Backdoor and default passwords
Many BIOSes have built in backdoor passwords to use to bypass a
BIOS password which has been lost. This is, of course, an unacceptable
way of handling this. No machine should have a backdoor password; this
is a massive security hole. Instead, the machine should have a hardware
jumper or dip switch located in a secure location that is not accessible
when the case is locked. For desktops, the switch can be located on the
motherboard and a locking case screw will prevent access. For notebooks,
there switch should not be inside a compartment which can not be opened
when the security cable slot is engaged.
- Award BIOSes
"Condo", "AWARD_SW", "J332", and "589589", "AWARD?SW", "lkwpeter",
"aLLY", "j262", "j332".
Some more are availible at
After 1996-12-19, Award required each OEM to set their own password.
- AMI BIOSes
There is a program to reveal backdoor passwords in AMI BIOSes was
posted on bugtraq Some backdoor passwords used include
"A.M.I.", "AMI_SW", "AMI?SW".
Some more are availible at
- Phoenix BIOSes
- Toshiba notebooks
Toshiba has a trapdoor password to bypass the bios password. The
company has adopted a truly asinine attitude regarding this password.
It turns out that if the first five bytes of sector 1 (the second
sector) of a floppy in drive a are "4B 45 59 00 00" then you can
bypass the password (type enter when asked for the password and
you will be asked to set the password again).
- Thinkpad Notebooks
Thinkpads have special pads to short. Removing the battery, or letting it
go dead, can wipe out the hard disk encryption key.
for more details.
- Other BIOSes
"biostar", "biosstar", LKWPETER", "BIOSTAR", "j262", j256", "Syxx",
- Clearing BIOS password using debug:
At least some emachines have a dip switch on the motherboard to clear
More info on BIOS backdoor passwords and clearing CMOS.
I supplemented the info on this page with stuff from there.
- Discharging CMOS RAM
There is usually a jumper near the battery for this. This is often
a three pin jumper and you move it from 1-2 to 2-3 or vice versa.
If there is no jumper, you can acomplish the same results by shorting
a particular pin on the CMOS RTC chip to ground for a few seconds while
the power is turned off.
Dallas 1287 24 Pin DIP replace chip
Dallas 1287A 24 Pin DIP Short pins 12 and 21
Chips&Tech P82C206 PLCC Short pins 74 and 75 (upper left corner)
Opti P82C206 PLCC Short pins 3 and 26 (bottom row)
Motoroola MC146818AP unplug chip
Dallas DS12885S 24 pin DIP short pins 12 and 20
Bechmarq bq325aS 24 pin SIP short pins 12 and 20
Actually, you could just wipe a grounded cliplead accross all the pins
of the chip you suspect is the CMOS RTC/RAM chip. This is usally a
24 pin DIP. If the functionality is handled by the motherboard
chipset, just do the same for all the motherboard chipset pins.
Note that if there is no series current limiting resistor on the
external battery, it may have enough power to melt a trace off the board;
this trace will be the battery power to the CMOS RTC/RAM and you
can solder in a piece of wire to replace the trace. I have never
heard of this happening on a motherboard and it would be pretty
common the way they are handled.
It should also be noted that you can look up the manufacturer's data
sheet for the chip on their web site to find out how to erase
can be used to crack the CMOS passwords on ACER, IBM, AMIBIOS, Award BIOS,
Compaq, DELL, Packard Bell, Phoenix, Toshiba, and Zenith machines.
This runs under Linux or DOS/windows.
- Cisco routers
Cisco routers prevent remote logon unless the passwords have been
- 3 Com
Lanplex/corebuilder line: Login=debug, Password=synnet
Linkswitch 2700, superstack 2700, cellplex 7000: login=tech, password=tech
Superstack II hub and switches don't respond to the above
but do have user=tech, password=tech or user=monitor, password=monitor.
- IBM 8237 Hub
Has backdoor password in cleartext in the image. No way to
change the password without editing firmware image and hacking the
- Quake servers
rcon password is "tms"; appears to require that you masquerade
as 192.246.40.* to use.
- IRC scripts
There are many trojan IRC scripts with backdoor passwords.
One of the more famous and clever backdoors existed in
early unix systems. Denis richie added hidden self-replicating object code to
the C compiler that modified both the C compiler and the Login program
when they were recompiled. So even if you recompiled the complete system
from sources and inspected the sources there was still a hidden backdoor.
Early systems had a default root password of "gnomes".
many distributions had default passwords
- Windows 95 screen lock
You can bypass the screen lock on any windows 95 box if it
has autorun enabled on the CD-ROM drive. Insert a special
CD and it will be autorun even though the screen is locked.
The autorun program can copy sensitive data to a floppy and/or
kill the screen saver process.
ftp://null.angel.nu/projects/95sscrk.zip is one of the programs which
can be used to decrypt the screen saver password.
This appears to also be a problem on windows NT machines.
Autorun.inf is the magic file.
- Motorola cell phones
The DPC-550 cell phone has a backdoor password to unlock the
phone. Typically "000000000000" or "123456123456".
- UT Lexar Telephone switches
Default login used by maintenance personal was "lexar", no password;
customers were required by contract to maintain a dialup line.
Backdoor login was "DESIGNED_BY_IC_KF". Their technicians knew
that this backdoor existed but were not given its value.
These deficiencies were reported to Lexar a decade ago.
If they haven't fixed them by now, tough.
Lexar switches print some distinctive escape codes followed by
a "login:" prompt and are easy prey for war dialers. I broke into
one almost by accident when it got added to a list of BBSes as a C/unix.
Much of this information was posted on the bugtraq mailing list.
This file is maintained by