Interesting thing happened today. I finally bought a brand new Dallas RTC and installed it in my GridCase 1520. Everything went fine until I went to power it on... Time/Date not set, Press F1, yeah, yeah, ENTER PASSWORD... wait, what? Of course I tried entering a variety of generic guesses but nothing worked. I had already ripped into the BIOS a while back so I jumped back in and examined the password parts. After about an hour the best I found is the following...
1. It checks CMOS for a password flag
2. It then seems to check the CMOS values where an encrypted password would be stored, just in case there's a password but no flag set. (I could be wrong on this but at quick glance it appears to be the case). This section of code is very obviously obfuscated so one can't just search for the port 70h and 71h CMOS giveaways. It reads the value 70h from some place in RAM to DX, then increments and decrements during loops without ever clearly exposing the value.
3. If there's a password it prompts for input and reads it to memory.
4. It 'encrypts' (more like encodes) the password by XOR'ing it against a static datatable of 8 values (password is max 8 chars)
5. It then reads the CMOS password 8 bytes into memory and compares against the encoded input.
6. It either boots or says wrong password and the machine resets.
I wonder if the BIOS is coded to understand if the RTC clock is not running and implements a factory or custom defined end user password to prevent system access by replacing the RTC chip? I tried to discover this but daylight was wasting so I just patched the BIOS to bypass the password stuff altogether and life is good (one whole byte, only had to program the Even EEPROM).
At this point I'm just curious if anyone else has run into this? I think step 2 might be the key because it contains a lot of funny business.
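A model of the check described in steps 1 through 6, as an added example that is not code from the post or from the GridCase BIOS. The 8-byte XOR table, the NUL padding of short passwords, the "uninitialised" CMOS contents and the flag-or-field prompt rule are all constructed assumptions; it shows why XOR against a static table is an encoding rather than encryption (applying the same table again recovers the password) and why a non-blank stored field can trigger a prompt after an RTC swap even with no flag set.

```python
# Added model of the BIOS password flow described in the post. The XOR table
# and CMOS values below are CONSTRUCTED placeholders, not the real BIOS data.

PASSWORD_LEN = 8  # the post states passwords are at most 8 characters
XOR_TABLE = bytes([0x5A, 0xC3, 0x3C, 0xA5, 0x96, 0x69, 0xF0, 0x0F])  # constructed


def pad_password(pw: str) -> bytes:
    """Truncate or NUL-pad the typed password to the fixed 8-byte field (assumed)."""
    raw = pw.encode("ascii", errors="replace")[:PASSWORD_LEN]
    return raw.ljust(PASSWORD_LEN, b"\x00")


def encode(pw: str, table: bytes = XOR_TABLE) -> bytes:
    """Step 4: XOR each password byte against the matching static table entry."""
    return bytes(p ^ t for p, t in zip(pad_password(pw), table))


def decode(cmos_field: bytes, table: bytes = XOR_TABLE) -> bytes:
    """XOR is its own inverse: the same table turns the stored bytes back into
    the password. The 'key' lives in every copy of the BIOS, so this is an
    encoding with no confidentiality, which is the post's 'more like encodes'."""
    return bytes(c ^ t for c, t in zip(cmos_field, table)).rstrip(b"\x00")


def password_prompt_required(flag_set: bool, cmos_field: bytes) -> bool:
    """Steps 1-2 as the post reads them: prompt if the flag is set, or if the
    stored field is not blank even when the flag is clear (assumed rule).
    A fresh RTC whose CMOS holds garbage would therefore prompt."""
    return flag_set or any(cmos_field)


def check_password(typed: str, cmos_field: bytes, table: bytes = XOR_TABLE) -> bool:
    """Steps 5-6: compare the encoded input with the 8 bytes read from CMOS."""
    return encode(typed, table) == cmos_field


if __name__ == "__main__":
    stored = encode("GRID")                       # what a set password would store
    print("stored bytes:", stored.hex())
    print("recovered:", decode(stored))           # b'GRID'
    print("check ok:", check_password("GRID", stored))
    fresh = bytes([0xFF] * PASSWORD_LEN)          # constructed uninitialised CMOS
    print("prompts after swap:", password_prompt_required(False, fresh))
```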