Credit for this goes out to: <a href="mailto:y_crazy_diamond _AT_ hotmail.com">Crazy Diamond</a>
<p>
Password crack is really simple. Instead of doing all that programming
stuff, just use social engineering. Password would have to be easy to
know
and self documenting for tosh techs to work with many systems. Anyway
look
on the CD in the same folder as the tosh ghost image. They have a CRC
file,
mine is called PREINST.CRC.  Ghost image password is the first four
digits
of the CRC as found in that file. I assume that this will work for all
models.
No programming required. Took 5 minutes to figure out, once I thought
about it.
</p>

<p>
But for the M200, password was not the 4 initial digits at PREINST.CRC.
Correct password is 2582.  Someone else with an M200 found this password
to be 2575 (thanks Bruce).  Another person found their M200 to be 2543 (Thanks Nitant)
</p>

<p>
Below is my original method for retrieval of the norton ghost password, which 
prompted diamond to improve upon my method:
</p>

<ul>
<li>There's a
batch file called os.bat.  That calls "tghost -clone,mode=pdump,src=preinst.gho:1,dst=1:1".  tghost called ghost.exe, probably with -pwd=PASSWORD. I
thought, "ok. I'll just write a C program that echo's the commandline
arguments and call it ghost.exe!".   I did that, and tghost gave me 
a BIOS error, indicating "you're not on a toshiba. abort".  Basically,
since I was in VMWARE with fake hardware, it blocked itself from 
calling ghost.exe (which would have revealed the password).
<li>I made a bootable CD with NERO using win98.img as my boot image (I
made that img a long time ago). I copied over ghost.exe (my echo hack) and 
tghost.exe.  I booted off the CD.  Arrgh. my ghost.exe said "This program
can only be run in Windows". Apparently, gcc for cygwin makes 32-bit
code and DOS needs 16-bit code.  I recompiled with "Miracle CD" and remade the CD.
<li>Finally, I saw tghost output: "ghost -pwd=6360", but that wasn't the
correct password! :(  After using the exact same arguments (the password
changes with the arguments), I got 2559 as the password!  So folks,
2559 is the ghost password on the Toshiba recovery CDs.  I just
saved you a lot of work :)  Also, if you have a Protege 3500, the password is
2484 (thanks to Rick Garnaat for that one).  For M200, it is 2582 (Thanks
Fernando).  For M205-S810, it is 2598 (Thanks Joe Jankowski).  For portege 2000, it's 2575 (Thanks Todd McCaskey). Protege R200, it's 2523 (Thanks Steve Wells).
M300 password is 2536 (Thanks T Jerry). Protege R100 - 2536 (Thanks Jim).  Protege R100 for different configuration - 2533.

<li>Some people have asked for my source code/compiled program on how to
get the ghost password.  I saved everything <a href="ghost/">here</a>

</ul>