HIR Issue 3: The Joys of The Personal Computer CMOS
The Joys of The Personal Computer CMOS By Axon
Ahoy! Axon here. I figured it would be a good thing to teach all you guys a few things about the Personal Computer CMOS (Complementary Metal Oxide Semiconductor). Actually, Complementary Metal Oxide is what most integrated circuits are made of; however, when one refers to "THE CMOS", they are either stupid, or they are talking about the personal computer's way of storing configuration settings.
The CMOS is part of the modern computer's hardware that saves many things, such as the specifications of your hard drive, what floppy drives you have, and various other settings like the password used for protected boot-ups.
Potentially, this brings up a lot of cool ideas. I don't know much about the data format of the CMOS memory, but I know that traditionally in the IBM AT computers, when the CMOS was introduced, there were 64 bytes of memory on the chip.
Before the CMOS, there was nothing. There were jumpers or switches on the motherboards of computers. These switches PHYSICALLY held setup values such as what types of floppy drives were installed, and video settings. There was no password. A severe drawback to this system was that in order to change these values, one needed to pull the case off of the computer and search for the switches, which were scarcely ever located in a single place. Usually they were near the device they affected. If the switches were jumpers, which they usually were, you needed small fingers or a pair of tweezers to adjust them. It was clear that there must be a better way of doing things. With a lot of hard thinking and determination, IBM toyed with the idea of using computer memory to store the settings that the jumpers were used for.
Memory is volatile. When you shut off power, the bits that are stored are hosed, lost forever. The CMOS is no exception. All computers with a CMOS chip also have a battery of some sort that supports it while the computer is off. These batteries can be NiCd or lithium. Disconnecting the battery from the motherboard will erase all settings the CMOS held (sometimes the battery needs to stay disconnected for as long as 2 hours for the CMOS data to vaporize). Also, there is usually a jumper near the CMOS chip. I will discuss the battery later; right now I will focus on identifying the chip itself.
Usually, the chip has 28 pins. Most of the time it isn't soldered onto the motherboard; it actually fits in a DIP socket on the board, and looks like a long sandwich to me. There will usually be a sticker on the top that says "AWARD", "AMI" or "American Megatrends", or "Phoenix", possibly others. This is the chip you are concerned with. Look for a jumper near it (within 1 inch). For those idiots out there, a jumper is a little black...thing, that is about 1/8" by 1/4" by 1/4" (roughly, I don't have one with me to measure, unless I take apart the computer I am typing this on). It has 2 holes that will fit over pins on the motherboard. Chances are, only one hole of the jumper is on a pin, and the other hole could fit onto a pin if you pulled it off and re-aligned it. If you do this, and leave it there for a while, it shorts out the power connection to the CMOS, causing it to lose its data.
The battery, which, as I said earlier, can be removed to erase CMOS data, is usually found near the CMOS chip, but not always. It may look like an oversize watch battery. I've seen various other shapes and sizes though. Some look like half of a AA battery, some look like 3 small batteries held together with shrink material, and others look like brown boxes that are not even mounted on the motherboard, but mounted somewhere else in the case, with wires running to a pin connector socket on the motherboard. (These are replacement batteries for the batteries that are soldered directly to the motherboard at the factory.) Soldered-on batteries are a pain, and clearing the CMOS is easiest if you find the jumper.
Why in the world would you want to clear a CMOS? Well, for one, if you, or someone you are working for, happens to forget a startup password, clearing the CMOS is a viable option. If you can get into the setup program, write down all the information (memory size, hard drive specs, floppy specs, and any other settings there are) before resetting the CMOS. Of course there are some other reasons why a hacker would want to be able to do this, but we shall leave that up to your imagination.
Along the way I've come up with a pair of cute little programs in QuickBasic that will extract CMOS data from a standard AT machine, and put it back. I'd imagine you could hex edit the data file it saves, or use a program like game guru to compare multiple saved CMOS data files. Who knows, maybe you'll find a way to do some cool stuff to the data before you put it back into the CMOS. This may or may not work on your computer, as there has been a lot more data stored on the CMOS chips lately. Call the manufacturer of your BIOS and they may be able to tell you where the CMOS data is located (and then you can change the source code accordingly).
------------[ HiR CMOS DATA EXTRACTION SOURCE CODE BEGINS HERE ]--------------
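' Dump the 64 bytes of AT CMOS RAM to CMOS.DAT as raw binary
OPEN "CMOS.DAT" FOR BINARY AS #1
FOR CMOSAddress% = 0 TO 63
    OUT &H70, CMOSAddress%          ' select the CMOS address via port 70h
    CMOSByte$ = CHR$(INP(&H71))     ' read that byte from port 71h
    PUT #1, , CMOSByte$             ' write exactly one byte, no CR/LF appended
NEXT CMOSAddress%
CLOSE #1
END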
-------------[ HiR CMOS DATA EXTRACTION SOURCE CODE ENDS HERE ]---------------
As you can see, the program writes the CMOS address to be read to port 70h, then reads the byte from port 71h. Note that since there are only 64 bytes, the program only writes addresses 0-63 to 70h. To the best of my knowledge, the CMOS data will always be read and written using 70h for the address, and 71h for the data. The only thing that might change is the number of bytes that the CMOS stores. Find out for sure from your BIOS/CMOS manufacturer, though, and make adjustments to the code as necessary.
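Added example, not part of the original article: a Python sketch of the dump comparison suggested above, which lists the registers that differ between two saved CMOS.DAT images and checks the stored checksum. It assumes the standard IBM AT register layout (clock and status registers at 00h-0Dh, checksum of 10h-2Dh stored at 2Eh-2Fh), which the article does not give and which later BIOSes may not follow; the function names and sample values are constructed for illustration.

```python
# Added example: compare two 64-byte CMOS dumps and verify the AT checksum.
# Assumption: standard IBM AT register layout (not stated in the article).

RTC_REGS = range(0x00, 0x0E)     # clock, alarm and status registers; they change on their own
CSUM_RANGE = range(0x10, 0x2E)   # configuration bytes covered by the checksum
CSUM_HI, CSUM_LO = 0x2E, 0x2F    # stored 16-bit checksum, high byte first


def normalize(raw: bytes) -> bytes:
    """Return the 64 CMOS bytes from the contents of a dump file."""
    if len(raw) == 64:
        return raw
    # A dump written with a CR/LF after every byte is 192 bytes long.
    if len(raw) == 192 and all(raw[i + 1:i + 3] == b"\r\n" for i in range(0, 192, 3)):
        return raw[0::3]
    raise ValueError(f"unexpected dump length {len(raw)}")


def checksum_ok(cmos: bytes) -> bool:
    """True if the stored checksum matches the sum of bytes 10h-2Dh."""
    computed = sum(cmos[a] for a in CSUM_RANGE) & 0xFFFF
    return computed == (cmos[CSUM_HI] << 8) | cmos[CSUM_LO]


def diff(old: bytes, new: bytes):
    """List (address, old, new) for every non-clock register that differs."""
    return [(a, old[a], new[a]) for a in range(64)
            if a not in RTC_REGS and old[a] != new[a]]


def make_sample(floppy: int, seconds: int) -> bytes:
    """Build a constructed dump (not real data) with a valid checksum."""
    c = bytearray(64)
    c[0x00] = seconds                # RTC seconds register
    c[0x10] = floppy                 # floppy drive types
    c[0x15], c[0x16] = 0x80, 0x02    # base memory 0280h = 640 KB, low byte first
    total = sum(c[a] for a in CSUM_RANGE) & 0xFFFF
    c[CSUM_HI], c[CSUM_LO] = total >> 8, total & 0xFF
    return bytes(c)


if __name__ == "__main__":
    before = make_sample(floppy=0x40, seconds=0x12)
    after = make_sample(floppy=0x24, seconds=0x47)
    for addr, o, n in diff(before, after):
        print(f"{addr:02X}h: {o:02X} -> {n:02X}")
    print("checksum valid:", checksum_ok(after))
```

To use it on real files, pass each file's bytes through `normalize()` first; a dump whose checksum does not validate was either taken on a machine with a different layout or altered after it was saved.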
-------------[ HiR CMOS DATA INSERTION SOURCE CODE BEGINS HERE ]--------------
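' Write the 64 bytes saved in CMOS.DAT back into AT CMOS RAM
OPEN "CMOS.DAT" FOR BINARY AS #1
FOR CMOSAddress% = 0 TO 63
    CMOSByte$ = INPUT$(1, 1)        ' next raw byte from the file
    OUT &H70, CMOSAddress%          ' select the CMOS address via port 70h
    OUT &H71, ASC(CMOSByte$)        ' store the byte through port 71h
NEXT CMOSAddress%
CLOSE #1
END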
--------------[ HiR CMOS DATA INSERTION SOURCE CODE ENDS HERE ]---------------
Obviously, both of these programs are just core code, and are by no means supposed to be used alone, but can be modified a little and combined to make a fully functional CMOS backup program, CMOS data modification program, and anything else (evil or not) that you can think of. Happy hacking!