Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

A mess of my own making

While messing with a CF-U1 handheld PC that I bought off ebay I managed to mess up the BIOS and it seems it reverted to previous settings which included an unknown BIOS password, it would however still boot into windows. Since I could still boot windows I was able to dump the bios flash using AFUWINGUI.EXE the version I used was 3.09.03.1462 which is available here:
https://ami.com/en/?Aptio_4_AMI_Firmware_Update_Utility.zip

There may be a more appropriate version to use as this seemed to have trouble checking the bios version when flashing but did work if you selected "Do Not Check ROM ID" but flashing isnt needed to get the password.

Dumping the flash

alt text
Run AFUWINGUI.EXE and at the bottom of the "Information" tab click the save button to make a backup of your bios, the default name is afuwin.rom Now open this saved image with UEFITool_NE available here:
https://github.com/LongSoft/UEFITool/releases

I used UEFITool_NE_A51_win32.zip later versions should work fine. The new engine (NE) verson seems to deal with AMI's odd nvram format better.

alt text

Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data there will be others with subtype Link which are older no longer valid entrys because of the odd way AMI nvram works, if you find one of these right click on it and select "Go to data" and it will take you to the actual data entry.
Now right click and select "Body hex view" and you should see something like:

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A  {.”¦.:)ÍÒ`.ô\‡í.
0050  07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35  .®®AÜÔ.h«ûú.U¢°5
0060  0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0  .Éf\Áï.ƒw.Ò©-=ˆÐ
0070  E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B  ãc>÷™Šô.O±ªD.Ø`k
0080  01

In this the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password and 0x80 is the quiet boot flag.

1337 encryption

The password is obfuscated using super secure xor

VOID PasswordEncode( CHAR16 *Password, UINTN MaxSize)
{
    UINTN	ii;
    unsigned int key = 0x935b;

#if SETUP_PASSWORD_NON_CASE_SENSITIVE
    for ( ii = 0; ii < MaxSize; ii++ )
        Password[ii] = ((Password[ii]>=L'a')&&(Password[ii]<=L'z'))?(Password[ii]+L'A'-L'a'):Password[ii];
#endif

    // Encode the password..
    for ( ii = 1; ii <= MaxSize/2; ii++ )
        Password[ii-1] = (CHAR16)(Password[ii-1] ^ (key*ii));
}

So Xoring the above encoded password:

7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A 07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

with

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

gives

20 80 22 80 16 80 45 80 15 80 38 80 21 80 35 80 34 80 20 80 35 80 4e 80 34 80 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Each character of the password is stored as 2 bytes, and as x86 is wrong endian im guessing should be read as 0x8020 0x8022 I have no idea where the 0x80 comes from possibly its something to do with the EFI_SHIFT_STATE_VALID in this case the password was lower case, possibly uppercase status is encoded in this byte too I have no idea I havent tested uppercase passwords.

WTF scancodes how does this map to keys

From the unobfuscated data you can see the password is 13 characters long, im going to ignore the 0x80 bytes as i dont understand them :P and just look at the others:
20 22 16 45 15 38 21 35 34 20 35 4e 34
They appear to be some sort of scancodes, although while googleing this I found some AMI bioses seem to use ascii here so you can read it out directly as text, but not on this machine.
When this CF-U1 arrived from ebay it had a password which i sucessfully guessed as "toughbook" my second guess would have been "panasonic" since using text written on the front of the PC as a password saves writing it under the battery cover :P
Looking through the older link entrys for the AMITSESetup nvram I found what I thought was the data for this password which deobfuscating as above gave (ignoring the 0x80):

35 39 37 24 25 14 39 39 27
t  o  u  g  h  b  o  o  k

This seemed promising repeated characters have the same value and gives a bit of a key to the mapping Some googeling later about UEFI scancodes and i found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum so in the toughbook example 35 translates to EfiKeyD5 a second page I found gave the mapping from EfiKey to ascii:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

So i made up a list of byte to ascii using these, below are just 0x10 to 0x4E to cover most values but not be too stupidly long.

Hex Char EFIkey Hex Char EFIkey
10 z EfiKeyB1 30 Tab EfiKeyTab
11 x EfiKeyB2 31 q EfiKeyD1
12 c EfiKeyB3 32 w EfiKeyD2
13 v EfiKeyB4 33 e EfiKeyD3
14 b EfiKeyB5 34 r EfiKeyD4
15 n EfiKeyB6 35 t EfiKeyD5
16 m EfiKeyB7 36 y EfiKeyD6
17 , EfiKeyB8 37 u EfiKeyD7
18 . EfiKeyB9 38 i EfiKeyD8
19 / EfiKeyB10 39 o EfiKeyD9
1A EfiKeyRShift 3A p EfiKeyD10
1B EfiKeyUpArrow 3B [ EfiKeyD11
1C 1 EfiKeyOne 3C ] EfiKeyD12
1D 2 EfiKeyTwo 3D \ EfiKeyD13
1E 3 EfiKeyThree 3E EfiKeyDel
1F EfiKeyCapsLock 3F EfiKeyEnd
20 a EfiKeyC1 40 EfiKeyPgDn
21 s EfiKeyC2 41 7 EfiKeySeven
22 d EfiKeyC3 42 8 EfiKeyEight
23 f EfiKeyC4 43 9 EfiKeyNine
24 g EfiKeyC5 44 ` EfiKeyE0
25 h EfiKeyC6 45 1 EfiKeyE1
26 j EfiKeyC7 46 2 EfiKeyE2
27 k EfiKeyC8 47 3 EfiKeyE3
28 l EfiKeyC9 48 4 EfiKeyE4
29 ; EfiKeyC10 49 5 EfiKeyE5
2A ' EfiKeyC11 4A 6 EfiKeyE6
2B | EfiKeyC12 4B 7 EfiKeyE7
2C 4 EfiKeyFour 4C 8 EfiKeyE8
2D 5 EfiKeyFive 4D 9 EfiKeyE9
2E 6 EfiKeySix 4E 0 EfiKeyE10
2F + EfiKeyPlus

So what was the password?

Using the above list and the recovered scancodes gave:

20 22 16 45 15 38 21 35 34 20 35 4e 34
a  d  m  1  n  i  s  t  r  a  t  0  r

and when i tried adm1nistrat0r it worked!
This is not complete as there are still questions about the 0x80 bytes but my guess is they encode the shift alt etc modifier keys but im back into my handheld so i'm not sure ill look further into it. This may also apply to other Aptio bioses as well as the Panasonic CF-U1, and if the machine isnt bootable you may be able to use a cheap spi adapter to dump the bios, in the case of the CF-U1 it uses an LPC flash which I don't think you can get cheap clips and readers for and its buried in the machine so a nuisance to get to.

@c0deh4xor

This comment has been minimized.

Copy link

@c0deh4xor c0deh4xor commented Aug 20, 2019

Need some help! I am trying to replicate what you did and.... how did you get the second hex set? I bought a toughbook and when the bios was reset it defaulted to the corp one :(

This is what I have gotten so far...

5B F5 B6 D2 11 16 6C 71 C7 63 22 C6 7D D5 D8 EE 33 32 8E BC E9 42 44 57 9F E1 FA FC 55 26 B0 2D
0B DE 66 B2 C1 20 1C 91 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

@esters

This comment has been minimized.

Copy link

@esters esters commented Aug 29, 2019

Good day,

Thanks for the wonderful write-up, at the moment I'm stuck with the same issue as @c0deh4xor, here is the BIOS password (Thoughbook CF53 MK1):

Password

5B C6 B6 55 11 64 6C 4B C7 A7 22 16 7D 70 D8 DA 33 27 8E 4F E9 93 44 64 9F 25 FA B9 55 51 B0 C1
0B EB 66 90 C1 1C 1C 2E 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

After xor'ing the password the output is like this:

Output

00 55 00 73 00 de 00 06 00 47 00 62 00 77 00 40 00 09 00 8e 00 c7 00 8c 00 5e 00 b7 00 f3 00 f4
00 22 00 cc 00 f3 00 ad 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

@en4rab

This comment has been minimized.

Copy link
Owner Author

@en4rab en4rab commented Aug 29, 2019

It's possible that bios's for models other than the CF-U1 may encrypt the password in some way, the AMI source has a function intended to be customised by the OEM to provide a more secure method of password storage:

VOID HiiGetEfiKey(CHAR16 *PwKey);
//<AMI_PHDR_START>
//----------------------------------------------------------------------------
// Procedure:	PasswordEncode
//
// Description:	This function is a hook called when user entered
//              password has to be encoded. This function is
//              available as ELINK. OEMs may choose to use different
//              encryption logic here.
//
// Input:		Password : Password array to be encrypted. Encryped
//              password is returned in the same array.
//              MaxSize : Max size of Password
//
// Output:		VOID
//
//----------------------------------------------------------------------------
//<AMI_PHDR_END>

In both the above cases it looks like the stored password is 20 bytes in size (ignoring the 00 bytes) but this doesnt look like it is any sort of keyboard scancodes or ascii.
This is a wild guess but the fact the password seems to be 20 bytes or 160 bits makes me think that possibly its a SHA1 hash of the password being stored, I did try googleing 5573de0647627740098ec78c5eb7f3f422ccf3ad but got no hits, and if it was a SHA1 hash im not sure if it would be a hash of the ascii or keyboard scan codes so im afraid im out of ideas.

@c0deh4xor

This comment has been minimized.

Copy link

@c0deh4xor c0deh4xor commented Aug 29, 2019

Just blank it all out, that's what I did with mine and it boots fine or replace it with a known SHA-1 hash ;)

@esters

This comment has been minimized.

Copy link

@esters esters commented Sep 2, 2019

It's possible that bios's for models other than the CF-U1 may encrypt the password in some way, the AMI source has a function intended to be customised by the OEM to provide a more secure method of password storage:

VOID HiiGetEfiKey(CHAR16 *PwKey);
//<AMI_PHDR_START>
//----------------------------------------------------------------------------
// Procedure:	PasswordEncode
//
// Description:	This function is a hook called when user entered
//              password has to be encoded. This function is
//              available as ELINK. OEMs may choose to use different
//              encryption logic here.
//
// Input:		Password : Password array to be encrypted. Encryped
//              password is returned in the same array.
//              MaxSize : Max size of Password
//
// Output:		VOID
//
//----------------------------------------------------------------------------
//<AMI_PHDR_END>

In both the above cases it looks like the stored password is 20 bytes in size (ignoring the 00 bytes) but this doesnt look like it is any sort of keyboard scancodes or ascii.
This is a wild guess but the fact the password seems to be 20 bytes or 160 bits makes me think that possibly its a SHA1 hash of the password being stored, I did try googleing 5573de0647627740098ec78c5eb7f3f422ccf3ad but got no hits, and if it was a SHA1 hash im not sure if it would be a hash of the ascii or keyboard scan codes so im afraid im out of ideas.

It could be that it is a SHA1 hash. Were did you found the source code for the AMI BIOS ? Was it leaked somewhere ?

@en4rab

This comment has been minimized.

Copy link
Owner Author

@en4rab en4rab commented Sep 2, 2019

Jetway leaked some source and a signing key on an unsecured ftp server about 6 years ago ( https://adamcaudill.com/2013/04/04/security-done-wrong-leaky-ftp-server/ ) the files were called cm013-org1.zip 013s.zip 016s.zip 018s.zip I think you can find them here: https://mega.nz/#!Oc8hHILZ!HgMIVBWRPyQFIpG4EqvYzEiB91gpedStB1iihGbphmY but they arent terribly useful

@esters

This comment has been minimized.

Copy link

@esters esters commented Sep 3, 2019

@en4rab

Thanks!

@Bernhard95

This comment has been minimized.

Copy link

@Bernhard95 Bernhard95 commented Nov 16, 2019

I need some help please!
Unfortunately i have buy a used CF-U1 mk2 with BIOS lock, no known default PW will work and no user PW is set.
I'm stuck while Compiling the C program for encryption.
Which programm do you use vor compiling?
Maybe can any one post an executable file?
Or can somebady help my to decrypt the Bios PW?
I get folloring vom the BIOS dump file(0x40 to 0x7F):

6E 13 8F A6 36 3A 22 CD 89 60 69 F4 5C 87 EA 1A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35

0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

Thnaks for Help

@en4rab

This comment has been minimized.

Copy link
Owner Author

@en4rab en4rab commented Nov 16, 2019

Bernhard95 there is no need to comile anything all you need to do is xor your data with the secret xor string and recover the password I used this site for example to do that http://xor.pw/
Xoring your data with the secret string gave the following:
3580 3980 2780 4e80 4e80 4b80 2180 3280 00000000000 (some 00's cut) which i think decodes to:
t o k 0 0 7 s w
So try tok007sw and see if that works

@Bernhard95

This comment has been minimized.

Copy link

@Bernhard95 Bernhard95 commented Nov 17, 2019

Thank you en4rab,
tok007sw works fine for my Device.

@C0debreak

This comment has been minimized.

Copy link

@C0debreak C0debreak commented Nov 24, 2019

Thank you so much for putting this information together, and then sharing it!!! This has taught me more about AMI Bios than any other source I have come across... I am trying to figure out the password to one of my CF-31's and have done everything as per your instructions, but the XOR string is obviously different for the separate models - maybe even the marks within the models. If you could help point me in the right direction in regards to finding out the correct XOR string to use - I would appreciate it more than you know. Again, my sincere thanks for this bro!

@en4rab

This comment has been minimized.

Copy link
Owner Author

@en4rab en4rab commented Nov 28, 2019

C0debreak I has a look and found an efi dump claiming to be form a CF-31, it begins "MEI_CF31-3" so I guess its from a mk3 cf-31.
Having a look at the AMITSESetup data and the xor key was the same (based on the fact that after xor the data ended with alot of 00's)
However the stored password seems to be store as 20 bytes like in some of the comments above so it looks like the password is probably stored as a SHA1 hash, to get any further with that youd need to try setting the pass to a known value dumping the stored hash and trying to work out if its a hash of the ascii pass, or the keyboard scancodes which i cant do.
For this version your best bet is probably to dump the flash chip with an spi programmer, hexedit the stored pass to 00's and write it back to the spi chip

@Rothrex93

This comment has been minimized.

Copy link

@Rothrex93 Rothrex93 commented Jan 6, 2020

Hi i want to ask for your help. I bought a used motherboard (MSI X370 Gaming Plus) and unfortunately bios is locked with a password. Removing a bios item for 24 hours or using the jbat jumper will not help your password remain. Fortunately, I can boot the system and dump the bios file. but unfortunately I can't interpret the values. I would ask you to help decipher it. I will write you the value you received from the appropriate partition (nvram) and I will help you in advance. I'll write the values ​​soon.

@Wasmachineman-NL

This comment has been minimized.

Copy link

@Wasmachineman-NL Wasmachineman-NL commented Jan 14, 2020

Haha, Notebookreview retards BTFO. Nice writeup @en4rab! Would this work on a Broadwell/Intel Secure Boot equipped machine like a CF-31 Mk5?

@danhart102

This comment has been minimized.

Copy link

@danhart102 danhart102 commented Jan 20, 2020

What language is the code snip-it? Nevermind, It's Python 3

@greeef

This comment has been minimized.

Copy link

@greeef greeef commented Mar 3, 2020

Hi there,

I have a cf-19 machine and am also struggling with the password. I am unsure i got the secret key step right, this is the output I've ended up with
b4007f00ba00af00b000d600e2002d001300c90049005c004f00cb00cc004b00980065007c00e1000000000000000000000000000000000000000000000000
which looked promising at first, but seems to be 20 characters.

@danhart102

This comment has been minimized.

Copy link

@danhart102 danhart102 commented Mar 3, 2020

Looks like a HASH, to me

@danhart102

This comment has been minimized.

Copy link

@danhart102 danhart102 commented Mar 3, 2020

Bummer, and I'm struggling to figure out the tool with which i can navigate the bios and also edit it... hmmm i'll get there.

URL

FREE ONLINE OCR SERVICE
https://www.onlineocr.net/

@greeef

This comment has been minimized.

Copy link

@greeef greeef commented Mar 3, 2020

Just blank it all out, that's what I did with mine and it boots fine or replace it with a known SHA-1 hash ;)

I'm terrified lol this is my first time attempting to hack a bios. Do you mean literally replace that 64 byte string with zeroes? or do i need to invert the xor process somehow?

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Mar 13, 2020

Hi,
on a toughbook cf53 mk2 the decoded password also was a hash. I can confirm that just zeroing out the 128 hex characters in the bios section with HxD on the offset indicated by the UEFI-tool removed the boot password promt, the administrator and user password in the bios. Because I could not boot to any media I flashed and dumped the Bios file with a ch341a programmer.
Be careful, some of them operate on 5v and need a hardware modification to 3.3v, when in doubt measure the voltage on the ch341a-ic on the supply pin, it should NOT be 5V or you might deamage the bios chip.
I disconnected the backup Battery (two pin connector opposite to the bios chip in the wifi/4G hatch) and in order to detect the chip I had to disconnect the 3.3v supply of the bios ic (pin 8) by scratching the trace coming out from underneath the chip, possibly because the programmer powered other stuff on the 3.3V line (IC is Micron 25Q128AB, see picture). After dumping the 16MB bios file with programmer software 1.30, getting the correct offset with UEFI-Tool-A51, zeroing out the 64bytes with HxD.exe and flashing back to the chip, I reconnected 3.3V with a jumper wire. All of this can be done without dissasembling the laptop through the wifi and 4g module access hatch, although it's quiet tight and I had do saw of a chunk of my bios test clip because it collided with the magnesium housing.
IMG_20200313_093946

@en4rab The most recent version of UEFI-Tool did not work for me, there GUID was not there, and I used the alpha 51 version like you. The NVRAM variable strangly had more bytes and about 4bytes in front of the user and admin password. I can paste it here if you are interested.

@greeef I literally zeroed out the 64 bytes with a hex editor before the last 01 (quiet boot flag). But I'm not sure if you will be able to flash it back with a windows utility as this might mess up the bios checksum.

@vampel

This comment has been minimized.

Copy link

@vampel vampel commented Mar 17, 2020

Hello. I have a cf-31j, on the post you say: In this the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password and 0x80 is the quiet boot flag. but in this are more down but if i select those hex are the same numbers of pairs(but finish on the file 90)
cf31j

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Mar 17, 2020

@vampel , yeah, those bytes in front of the password were present on my cf-53 too.
The user password and admin password are offset and don't start from 0x00 to 0x3F. Just look for the bytes ending on 60 6B and count back 64bytes. This section should be the admin/user password.
You have correctely selected the administrator password, if you just want to remove it just overwrite it with zeros, or try to decrypt it with xor.pw and the key, to see if it is only a hash of the password (see answer from greeef).

@vampel

This comment has been minimized.

Copy link

@vampel vampel commented Mar 17, 2020

@vampel

This comment has been minimized.

Copy link

@vampel vampel commented Mar 19, 2020

@BenjaminRenz did u try zeroing the pass 2 times, the pass are found it 2 times on the rom, try it

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Mar 19, 2020

@vampel ,
I only zeroed out one occurence, but like you the password has more than one occurence in the bios file.

Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data there will be others with subtype Link which are older no longer valid entrys because of the odd way AMI nvram works, if you find one of these right click on it and select "Go to data" and it will take you to the actual data entry.

Then with UEFI tool alpha 51 (newer version didn't work for me) you have an "Offset" in the information window on the right. For me it is Offset: AB49F3, but I guess yours will differ. Then use HeX.exe an zero out the password ONLY on this offset location+(the offset in the key itself).

Just use ctrl+f and search for 05D8606B (the end of your password) and zero the one which comes slightly after the offset indicated by uefi tool.

@vampel

This comment has been minimized.

Copy link

@vampel vampel commented Mar 19, 2020

@BenjaminRenz its works! i zeroed 2 times, copy all the 64bits code i extract body with uefitool cuz HxD dont give me the spacebar every 2 characters copy from that extracted... now in another tab on HxD open it select all and copy(will copy all spacebars xd) paste on the search option on the entire rom you will found it 2 times, in the repleace option i write yeah write 00 and space bar 64 times lol use another version of uefitool like 56 more new i have been downloaded a lot of version and yes some version dont open the NVRAM tree

@vampel

This comment has been minimized.

Copy link

@vampel vampel commented Mar 19, 2020

@BenjaminRenz this its why we cant replace any on AMI bios using UEFItool (see 4th point NDA)
image
source: https://github.com/LongSoft/UEFITool

@otorra14

This comment has been minimized.

Copy link

@otorra14 otorra14 commented Mar 21, 2020

Hello, I hope everything is well with you. I have tried to do the same step as you have explained but I have some questions about this proccedure. The first one is about the part that you have xor the encoded password 5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B . Where did you found this one? Is this secret xor string always the same? And also about the converter table that you have put as a reference. Where did you got based to produce such a table because I have some other string that arent included at the table above like c4 or fe. I researched on the internet but i couldn't find a proper converter to help me out.

@Mark678

This comment has been minimized.

Copy link

@Mark678 Mark678 commented Mar 21, 2020

Hi all - Newbie to the forum so be gentle ...

I just spent a week trying to beat the supervisor password on a pair of CF-52 Mk3's & this group was instrumental in being able to do so,
Thank you all contributing :)

As a couple of posts have said, you can zero out the hash to clear the password - Here's what I did, all in software ---

Read the BIOS, open with UEFITool NE & locate the password data with 'hex view' as per the OP's post - You'll see the offset for the password variable in the top left box - 0x1A43C in his pic. Now open the BIOS dump file with a hex editor (I used an on-line one) & go to the offset address - you'll see the raw variable data (the bytes in the 'Hex view' window) in the middle of a bunch of other stuff so be VERY careful ONLY to zero out only the 64 byte hash value & save the file. Go back into AMIWINGUI & open the newly edited file - check the hash is zeroed out and the rest of the Var entry is the same - then flash with 'NVRAM' & 'Do Not Check ROM ID' being the only options checked in setup & reboot the lappy when done - Password request when entering BIOS should be gone.

I noted that the offset to the password is not consistent - The 2 CF52's I've done (both 2010 models) were different but the password was cleated without any problems that I can see so far ...

Strange that they'd go to the trouble of a SHA-1 encrypted password & make deleting it so easy ....

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Mar 21, 2020

@otorra14
The answer to your first question is in en4rab's post on Sep 3. 2019:

Jetway leaked some source and a signing key on an unsecured ftp server about 6 years ago ( https://adamcaudill.com/2013/04/04/security-done-wrong-leaky-ftp-server/ ) the files were called cm013-org1.zip 013s.zip 016s.zip 018s.zip I think you can find them here: https://mega.nz/#!Oc8hHILZ!HgMIVBWRPyQFIpG4EqvYzEiB91gpedStB1iihGbphmY but they arent terribly useful

For the UEFI scancodes please refer to the section directely above the Table in the first post from en4rab.

This seemed promising repeated characters have the same value and gives a bit of a key to the mapping Some googeling later about UEFI scancodes and i found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum so in the toughbook example 35 translates to EfiKeyD5 a second page I found gave the mapping from EfiKey to ascii:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

@otorra14

This comment has been minimized.

Copy link

@otorra14 otorra14 commented Mar 22, 2020

I got this encoded password 5B 8C B6 15 11 41 6C 59 C7 E5 22 53 7D 0E D8 5E 33 1B 8E 8D E9 87 44 16 9F 85 FA E1 55 12 B0 ED 0B 43 66 9E C1 78 1C 86 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B 5B A6 B6 41 11 FD 6C 05 C7 F8 22 DA 7D 8D D8 7D 33 EF 8E DF E9 97 44 39 9F 8E FA 7C 55 65 B0 35 0B FC 66 A1 C1 85 1C 92 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B . I did the xor of
5B 8C B6 15 11 41 6C 59 C7 E5 22 53 7D 0E D8 5E 33 1B 8E 8D E9 87 44 16 9F 85 FA E1 55 12 B0 ED 0B 43 66 9E C1 78 1C 86 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B
with
5B A6 B6 41 11 FD 6C 05 C7 F8 22 DA 7D 8D D8 7D 33 EF 8E DF E9 97 44 39 9F 8E FA 7C 55 65 B0 35 0B FC 66 A1 C1 85 1C 92 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B .

After xor I got this result 2a005400bc005c001d00890083002300f400520010002f000b009d007700d800bf003f00fd0014000000000000000000000000000000000000000000000000. Ignoring the 00 part 2a 54 bc 5c 1d 89 83 23 f4 52 10 2f 0b 9d 77 d8 bf 3f fd 14 this is my final one. Based on the tabel i could found this letters. Please let me know if this procedure is the right one to follow . Also if you could help me with the missing letters it would be very helpful.
2a is '
54
bc
5c
1d is 2
89
83
23 is f
f4
52
10 is z
2f is +
0b
9d
77
d8
bf
3f
fd
14 is b

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Mar 22, 2020

@otorra14 your password is probably hashed, see the other posts here. You won't be able to find out what the password was, but you have the possibility to zero it out and flash the modified bios back.

@vampel

This comment has been minimized.

Copy link

@vampel vampel commented Mar 23, 2020

@otorra14 i think will not work just like mine ;\ try zeroed like @BenjaminRenz said
2a is '
54 b
bc ]
5c 1
1d is 2
89 5
83 9
23 is f
f4 r
52 c
10 is z
2f is +
0b 7
9d 2
77 u
d8 .
bf empty
3f empty
fd
14 is b

@Anachem

This comment has been minimized.

Copy link

@Anachem Anachem commented Mar 30, 2020

Hi, Friends,
I have panasonic toughpad FZ-G1 ASBDXBA(mk1). Its Bios is locked with supervisor password. I can boot and use the system but cant change bios settings. So i tried to read the rom. I cant read the chip n25q128A with Orange5 programmer. Do i need to scratch pin8 print. as i see in the BenjaminRenz post. A high value resistor with pin8 to ground do the trick for reading chip.
or there is other ways to reset password.
Thnaks.

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Mar 30, 2020

@Anachem
Hi Anachem,

if you can still boot to windows you shoul be able to read the bios rom from there with AFUWINGUI.exe. I only used a programmer because I was not able to boot, because a password prompt appeared directly after pressing the power button.

A high value resistor with pin8 to ground do the trick for reading chip.

Was that a question? I can't see yet how pulling pin8 (3.3v supply voltage for the bios chip) to ground with a high value resistor should help.
My guess why my initial attempt to read the chip failed was, that the 3.3v supply voltage pin was connected to other circuits on the mainboard. This either overwhelms the power supply of the programmer or something like the chipset which is probably connected to the data pins of the flash chip pulls the voltage on one logic level which could work against output pins of the programmer.

Have you checked if you programmer uses 3.3v pullups for the data pins?

Just because of the issues with pin8 alone, I would recommend AFUWINGUI over the hardware programmer way.
Less ways to screw up 😁 .

When you have a dump of the bios you can follow the steps of the initial post by en4rab and check if the password is even hashed.

There are four ways to reset the password:
a) find the password with uefi tool from a bios dump when it is not hashed, with the password you obviously can change and disable it.
b) overwrite the section where the hashed password used to be, with zeros (refer to other posts above).
c) (not recommended) If you have set the password yourself and just forgot it, and you are sure that the machine shipped without a bios password and user password from factory you could try to remove any power sources and the bios battery and press the power button for 30sec. This might reset the laptop back to the factory settings. But this might make things worse if there is also a user/boot password set. Avoid this as long as you can boot an operating system.
d) guess the password, some of them are set to "Password","password" or "Biostar"...

If you need any help just ask, good luck!

@Anachem

This comment has been minimized.

Copy link

@Anachem Anachem commented Mar 31, 2020

@BenjaminRenz
Thanks for your quick help. You litterally save me to hardwork. I was planned to desoldering and lifting pin8 to read chip. It was my mistake i download the afguwin in my dell and trying to readROM and failed because of it i was going to read chip by programmer. after reading your reply I realize what i was doing to do. Thanks i read the rom and find the encrypted password.
5B 61 B6 34 11 ED 6C CB C7 E7 22 4B 7D F1 D8 73 33 90 8E FE E9 A5 44 11 9F 59 FA 5D 55 7A B0 19 0B D6 66 AD C1 78 1C 13 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B 01

after xor i got
F2 12 57 86 07 3F F6 E9 BE 3f F1 F9 22 53 D8 2C 1F F1 97 90

f2 (?) 12(c) 57(+) 86(?) 7(d) 3f(endkey) f6(?) e9(?) be() 3f(fn6) f1(?) f9(?) 22(5) 53(Nlock) d8(?) 2c(spbar) 1f(2) f1(?) 97(?)
90(?)
I open the ROM in HxX and found two instances of password string. Now ready to zero the bytes in two instances of password string and update the rom.
If anything wrong please indicate.
THANKS

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Mar 31, 2020

@Anachem
It looks like your password is hashed, indicated by the spaces in between the output and it beeing 20 bytes long,
f20012005700 ..., so there is no way to get the raw password, see: https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-3095306

According to my tests you only need to zero out one instance of the password string, but according to vampel zeroing out both instances works aswell.
But since I don't know what the second instance is (maybe some recovery image of the bios, not sure), I would recommend to only zero out the 64bytes on the position described in my comment:
https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-3219509

For flashing the image back please take a look at the post from Mark678:
https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-3222826

Hope you get it working 👍

@Anachem

This comment has been minimized.

Copy link

@Anachem Anachem commented Apr 1, 2020

Thanks to all contributors. After zeroing 64bytes password is clear.

@paw2000

This comment has been minimized.

Copy link

@paw2000 paw2000 commented Apr 3, 2020

Hi, i find this very interesting i have a custom bios from a cf-54 panasonic and have made a dump (desolder chip) and wonder if anyone can help me and see if its possible to find the password or help me zero it. i am new to this and tried for my self but with out any succses.

https://mega.nz/file/KloDSR4L#PtQ3rbZzVCZh4-f4bJdRUWJlikuFokQSOtCbQjEUOUM

Best regards // PaW2000

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Apr 3, 2020

@paw2000
Your bios seems to be a bit different 🤔 , the bios tool's does not have a seperate data section for the AMITSESetup. I would guess that the passwords hash is located at the hex offset:
A32F3F to A32FBE.
This seems to be the only string ending on the typical characters for the password.

5B71B65911C46C90C7F922A07D0FD856
33AC8EF4E9D144A19FABFA59550CB001
0B5B66E2C14C1C8A7716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B
5B8FB61211766CEFC76022E57D8BD8CD
33A68ECBE92344579FDDFAB255C4B009
0BA36681C1231C047716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B

There is another instance of this string at hex offset:
A72F52 to A72FD1
Im not sure which one you need to zero out, but zeroing out both will probably work.

and tried for my self but with out any succses.

Have you already tried this or what have you done so far?

Good luck 😃

@paw2000

This comment has been minimized.

Copy link

@paw2000 paw2000 commented Apr 4, 2020

Hi

Thank you for your fast reply, i have not done so much yet, i need to order some new chips before i start do some testing, do you know what type of chip it is? MX25L12835F is that the right one?

Best regards //Peter

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Apr 4, 2020

@paw2000
Hi Peter,

can't you recycle the chip you desoldered? What are the markings on the one you desoldered?
Since the toughbook which I've been working on is an cf-53 I can't tell you which flash chip to use.
I would recommend to get one with the same "device id" and obviously "manufacturer id". Make sure to get one with the same voltage as the one you are trying to replace.

Greetings
Benjamin

@paw2000

This comment has been minimized.

Copy link

@paw2000 paw2000 commented Apr 4, 2020

Hi,

Thank you, the original computer is fire damaged, and wait for a used motherboard to replace the bios chip, this bios is a custom bios, and cant afford to buy a new computer, i know the user password for it and was thinking good to have admin also but no need, this cf-54 bios have some special bit locker add on to only work with this special hdd. i did damage the chip, i lost it on the fllor and later found it under one of the legs of a chair, so cant read it, hope i can read it from the chip on the other motherboard i am wating for.. and when i read the chip the first time it was more then a year ago, and not remember what chip it was.. no during corona i started this old prodject agan to recover my good old cf-54 :)

Regards // Peter

@adolf022

This comment has been minimized.

Copy link

@adolf022 adolf022 commented Apr 28, 2020

Hi,

thank you for sharing!!I was trying to get the password from CF53, and I am stuck at the xor process, I'am not well educated in this area and was trying before with brute force methods with no luck. is there a way I can get help from you, I totally appreciate! i think this is the string where the password is located.:
4D45495F434635332D34000000000000
000000000800C502FF00000400180000
3542545341DE60014346353332534C5A
41434D008000A8FFA5144D45495F5F5F
4346000000000000000000000000E4E5
2800B200E2001E22009D051400100013

1

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Apr 28, 2020

Hi,

thank you for sharing!!I was trying to get the password from CF53, and I am stuck at the xor process, I'am not well educated in this area and was trying before with brute force methods with no luck. is there a way I can get help from you, I totally appreciate! i think this is the string where the password is located.:
4D45495F434635332D34000000000000
000000000800C502FF00000400180000
3542545341DE60014346353332534C5A
41434D008000A8FFA5144D45495F5F5F
4346000000000000000000000000E4E5
2800B200E2001E22009D051400100013

1

@adolf022
Hi adolf,
are you sure you got the right NVAR entry? If you password is encoded in the same scheme it would have "4F B1 AA 44 05 D8 60 6B" at the end. I would guess that that's the wrong nvar variable as the xored password would probably not contain "CF53" in plain text.

Could you please check the following things:
You are using alpha 57, have you also tried the older alpha 51 version of uefi tool?, the newer one did not show the right nvram variable for me.
Is is the key named AMITSEsetup? (can't tell because that column is not visible in your screenshot)
Is the GUID = C811FA38-42C8-4579-A9BB-60E94EDDFB34 ?

Greetings,
Benjamin

@adolf022

This comment has been minimized.

Copy link

@adolf022 adolf022 commented Apr 28, 2020

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Apr 29, 2020

@adolf022
Hi Adolfo,

just to clarify en4rab did all the hard work of finding the xor key and collecting the tools.
Github releases does not do a particularly good job at presenting an overview of all available versions.
Here is a link for the a51 release page
Happy bios patching,
Benjamin

@adolf022

This comment has been minimized.

Copy link

@adolf022 adolf022 commented Apr 29, 2020

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Apr 29, 2020

Hello,

i am new - and no programmer. All, i could do, is to use afuwin and UEFI tool.

I tried one advice from here: just to go on: Xor.pw. But there it ended.

1.) my english isn't perfect 2.) i didn't know exactly, what to paste there 3.) there are two inputs......

I am at my end - don't know what to do at all :-(

I was stupid. Bought a BIOS locked cf-31 mk1 US version.

Could someone help me plz. ? I really don't understand much.....

Kind Regards

image

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Apr 30, 2020

@Ftmmsch
Hi Ftmmsch,

after pasting your password into xor.pw I ended up with
56005e009100200085002a008200990038000f001800bc0056006f00e8007900160081004c00ab000000000000000000000000000000000000000000000000
This means that your bios is not storing the password in clear text or the uefi keyboard codes, but rather the hash of your password with whitch it checks the string you type in. There is no way to get back the password because calculating the hash of your keyboard entry is computationally fast, but getting back the password from a hash is computationally extremly slow.
So like others your best bet would be to just zero out the section in the bios file, see the other posts above for details.

Just to note, flashing a bios has always a risk involved (e.g. when there would be a power outage). Then the only thing to rescue the pc would be a hardware bios programmer. Do you really need the bios password?


3.) there are two inputs......

Do you mean on xor.pw? You have to past your extracted password (ending on ... D8 60 DB) in the first slot and the key:

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

from en4rab's post in the second slot. But now that's already done.


I have tried to optimize this post for google translate, if something is not clear feel free to ask 😃

Greetings,
Benjamin

@paw2000

This comment has been minimized.

Copy link

@paw2000 paw2000 commented Apr 30, 2020

Hi, for the Cf-31 mk1 you and use ami bios flash tool and make a dump, will not be a full dump of the rom but is enough for removing password, this require that you can boot the computer to windows, and ami tool, to read it and modify and flash back. I paid a guy to do this on my cf-31 mk1 and worked perfect.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Apr 30, 2020

@BenjaminRenz
Danke Danke :-)

About: "absolute necessity", to access the BIOS:
1.) WWan is disabled
2.) i have installled Win 7 Prof 32bit allready and would like to run XP Prof SP3 on the second partitition.

  • Ok - there is an explicite sata driver form panasonic, which i have to install first - by using my floppy drive.
    It would be handsome, when i could try to make changes - after installation.
    The better way is, to format again (Aua ha) and install XP first....... Egal.... (I hate every windows - later than xp)
    And about windows 10? - not posssible on my mk1.....

That the password isn't stored in clear text, i noticed a few times in other forums.... (die Hoffnung stirbt zuletzt:-)

I noticed to be aware about making changes as - par exampel - zero out. I am surtenly no expert. (of course not - as Heizungsmonteur LoL)

Someone told, that it is possible, that panasonic stored a password on the board, which wil be automatically activated, when unauthorized changes wil be made. Sound's a little bit military to me. But WHEN, than there is no more access possible.

Here, in switzerland, i phoned panasonc.
They told me, that there wil be no way - exept chanching the motherboard. They said, that i must be send to panasonic UK ?? (egal..)
There, they change my motherboard. (or they aren't stupid and just make money on an easy way:-)

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Apr 30, 2020

About: in the first NVRAM AMITSESetup

There is annother AMITSESetup in the second NVRAM - It has to be the one in the first NVRAM?

IF i (am so stupid, to try out "zero out" I allways have to take the one in the first NVRAM?

The second AMITSESetup look a bit different.....

@paw2000

This comment has been minimized.

Copy link

@paw2000 paw2000 commented Apr 30, 2020

I think i still have original and modified rom files still, i can comprare and see where he removed it, problem is i am home and will be back at work on monday.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Apr 30, 2020

Back again - due to the fact, that i flashed at least not in a wrong way :-)

As long as i can remember, i was alllways prepared to take risks - even, when i wasn't shure abbout what i am doing exactly :-)

I am not shure about the flash, i did. Maybe, there are setting, which are nessesary for me?

The only set, i chose for, is: "Do not check ROM ID" - because, i noticed it here in this thread :-)

Can someone give me an advice about the setting i need?

I don't stop trying - when it all goes wrong.... I can live with it :-) Stil have my CF-19

image

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Apr 30, 2020

Btw: is it generallly possible, to flash - using the afuwin.exe ?

Or, do i have to flash via the DOS commandline?

Sorry, that i don't know much about programming......

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Apr 30, 2020

Ja ja..... just saved the running rom file and looked into it: Nothing changed :-(

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Apr 30, 2020

many Thank's ! To All of you !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Did it - now, i am in a U N L O C K E D BIOS ! Password is GONE ! Thank you Thank You Thank You !!!!!!!!!!!!!!!!

I used a hex editor, to zero out the identified block - safed it - run it.

First tryed it with wrong setting - becaus, the ID was wrong. Uncked it - Boom ! No, i am In my BIOS !

image

1.) 4 years ago, i bought this cf-31 mk1 from a US ebay seller. He told me before, that BIOS is locked and the password is lost.
2.) Allso, he told me, that he can't install XP on this notebook ! We'll see ! I tell here about that next week !
3.) Panasonic - both: in switzerland and germany ! told me, that it is NOT possible! - Mainboard has to be changed !!!!!!!!!
4.) in Threads from Bob Johnson, Bob told, that it is NOT possible! - he ruther would like to know about - if possible !!!!

many thanks to all of you !
Per accident, i found this thread weeks ago. But, i thought: "come on - this is a magic number for you - you'll never understand".

But, because, allways i was inquisitive, i didn't stop and tried to understand this stuff.

"Cordial thanks!" to Panasonic ! (peinlich peinlich!)

(die E-Mail, die nächste Woche an Panasonic geht...... hat sich gewaschen !!!!!!!!!!!!!!!!!!!!!!!!!!!!)

Btw: before, i forget it: @en4rab: where - resp. how can i support your work - (or this domai?)

I preciate all the work, what's done here! This can't be used for ZERO - the only zero's should be used for flashing!

Verdammt nochmal - bin ich happy! - searched for that problem frequently - over 4 years......

Btw: not only thank's to: "en4rab" - ebenfalls Gruss nach Baden-Wuertfemberg

(Shit! - wird Zeit fuer eine deutsche Tastatur:-)

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Apr 30, 2020

BIOS is U N L O C K E D now !

Checked the from hex "zeroed" file - password section was deleted - flashed - done.

  • but not at the first time! - i had to change the settings in afuwin to All / main and "uncheck BIOS version"
  • Ok, it was risky - but, thats ME :-)

Thanks to all of you !

Btw:
Panasonic germany and switzerland - both told me, that it isn't possible!
It has to be send to panasonic UK - there, they have to change the motherboard!

What should i tell them? - although, i am just a normal ordinary heeting engineer - I just did it ?
The US Thoughbook Ebay seller told me the same! Not possible !

Anyway: many thanks to en4rab and all others!

Notice: I need to know about support for en4rab - or at least for this forum!

The help, i found here, cant just be for zero - the only Zero here, has to be qualified for using in hex editor ! LoL

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Apr 30, 2020

A still existent problem: installation of xp sp3 on my mashine - which has win 7 prof allready installed:
If this forum here doesn't want support this - plz tell me - i would search in other forums for that!

As it says in the download section from panasonic, there is a special sata driver for flopy needed;
But: this actually is for "clean install".

My problem in understanding is:
In case of clean install - i could change the BIOS setting for hdd support from ahci to compatible.
In which case of application, resp. order of installation of a dual system - do i need to change?
I mean, when i can change to "compatible" - what for do i need this driver?

The only thing, i know, is: i noticed in a forum, that installing xp first, is the wrong order....
But, i don"t like to uninstall my running win 7 prof...
Ok - i can use EasyBCD - to change the boot record - if it is changed from xp.

But still, i don't know, how to make NO mistakes - due to the allready installed win 7 prof.

If i try it - with panasonic's sata driver - to install xp as second OS: should i just leave the SATA BIOS setting as it is? - to ahci ?

Sorry, for those bothering questions....

@Wasmachineman-NL

This comment has been minimized.

Copy link

@Wasmachineman-NL Wasmachineman-NL commented Apr 30, 2020

A still existent problem: installation of xp sp3 on my mashine - which has win 7 prof allready installed:
If this forum here doesn't want support this - plz tell me - i would search in other forums for that!

As it says in the download section from panasonic, there is a special sata driver for flopy needed;
But: this actually is for "clean install".

My problem in understanding is:
In case of clean install - i could change the BIOS setting for hdd support from ahci to compatible.
In which case of application, resp. order of installation of a dual system - do i need to change?
I mean, when i can change to "compatible" - what for do i need this driver?

The only thing, i know, is: i noticed in a forum, that installing xp first, is the wrong order....
But, i don"t like to uninstall my running win 7 prof...
Ok - i can use EasyBCD - to change the boot record - if it is changed from xp.

But still, i don't know, how to make NO mistakes - due to the allready installed win 7 prof.

If i try it - with panasonic's sata driver - to install xp as second OS: should i just leave the SATA BIOS setting as it is? - to ahci ?

Sorry, for those bothering questions....

What you need are AHCI drivers for the 5-Series Chipset: https://www.win-raid.com/f23-Specific-Intel-AHCI-RAID-Drivers.html

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented May 1, 2020

(edit removed, got confused by mails being embedded into github comments, seems to be a new github feature)
@Ftmmsch just write a mail to appswert (at) gmail.com so I can reply by mail, since I don't have your email yet .

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 1, 2020

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented May 1, 2020

@adolf022
Sorry I am not able to see your picture, something has seen to gone wrong then embedding it into this gist.

I could find the key name and GUID finally, but I see some differences from what en4rab did, I am not sure if this will work anyways. Also after I want to see "Body hex view" It just shows 0000 all way down.… and this is what I got with the “hex view” only. Should I try to XOR it? And that’s the step where I am lost.
I am sorry for the attached picture quality.

Small differences are to be expected, the GUID I found on the cf53 had some extra bytes in the beginning. There is a possibility that there are multiple keys which have a simmilar name, only one of them will contain the typical passwords (identifyable by the constant end bytes ..AA 44 05 D8 60 6B). So the nvar which is completely empty (filled with zeros) is probably not the right entry.
Have you tried searching for AMITSEsetup and what results have come up?
Could you share a your bios file or a screenshot from the key you think is the right one?
What Subtype the the key you have? (Link, Data)
Is there an option "Go to data" available?

As a last resort if you are unable to find it with uefi tool you can always try to find the byte sequence with an hex editor, it will probably also apper at multiple locations.

Good Luck
Benjamin

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 1, 2020

@Wasmachineman-NL

On panasoics sites, i downloaded here, in the section for my XP SP3:
https://pc-dl.panasonic.co.jp/dl/search?q=&button=&dc%5B%5D=002001&p1=117&p2=1170047&oc=001018&lang=007
At point 16, there is the notice about sata driver.

Here, there is the instruction for this section:
https://pc-dl.panasonic.co.jp/dl/docs/017675?sri=14760141&trn_org=5
Which leads to the driver:
https://pc-dl.panasonic.co.jp/dl/search?q=&button=&dc%5B%5D=002001&p1=117&p2=1170047&oc=001018&lang=007

Anyway: I'll have to wait until saturday for my floppy, which i found here in switzerland. My own is in germany. I'll try it (as usual:-)

Based on my actual configuration, I think, that the best way is, to leave the ahci settings as is: on AHCI and NOT "compatible" - I'll see :-)

Anyway: I'll take a look at your link - thank you for that :-)

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 1, 2020

@Wasmachineman-NL

Yep - this advice, i found weeks ago in fernando's thread.
But after, i found specific driver and instructions in panasonics section for my XP Prof SP3 - i decided to try it this way.
Ok - can go wrong - i know - But: as usual; i like it risky :-) Least not last, I'll have to change the boot record..... LoL (if i do later too:-)

Btw: if i would like to do it with nlite, i have to use an untouched OS from XP.
I have one - but it's very old! and surtenley not a DVD Ram ! RAM can have 30 years at least - but the old dvd ? :-) is 14 years old...

Anyway: I have a slipstreamed XP Prof SP3 - burned on DVD-RAM and would like to try this one first - on my own risk of course :-)
(against all advices from skinned IT people:-)

I'll never change :-) I am 61 years old and..... "was Hänschen nicht lernt - lernt Hans nimmer mehr" LoL

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented May 1, 2020

@Ftmmsch
What about using windows xp in a virtual machine or do you need access to special hardware components?
If your cf31 has the i5-520M, it would have support for VT-x and virtualisation.
And please backup your win7 data before you start with any MBR tinkering, getting a Windows system with a destroyed MBR repaired with the onboard tools is a very work intensive process (Guess how I know).

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 1, 2020

@BenjaminRenz

Yes - indeed. I need access to special hardware (critical) components and software, which run only on XP SP3.

To destroy the MBR, wouldn't be that problem :-) Because, i have just installed a fresh Win 7 Prof.

It's allmost nothing important on it - Allready safed everything :-)

On my cf-19, i run a VT - before i installed xp in a dual installation.
Not mine - VT

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 1, 2020

@en4rab

couldn't thank you personally, don't know how to contact you directly.

Greate work, you've done! - this helped me to go one with my (previous:-) BIOS locked CF-31

Step by step, i went trough all of this.

I am impressed about people like you.

Regards

Lothar

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 1, 2020

Just got the floppy drive from swiss post. I'll try it out, to install XP SP3 - weather, it's actually NO clean install :-)

I'll be back later :-)

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 22, 2020

So: made may mistakes..
Used on older slipstreamed DVD-RAM on/for my CF-31 - which was made for CF-19 (Kopfschüttel:-)
Created the CF-31 Slipstream under Win 7 (long time ago, microsft warned about doing this under Vista)
Slipstream with SP3 for CF-31, which includes the original "clean install" driver didn't run - much problems
CF-31 rep. Microsoft had problems with some driver - Mouse allways run to the right corner
And so on And so on....
Finally,
just took my old XP Prof. SP2, added the driver with N Lite. (without SP3)
Installed it - could not startup correctly
Installed the SP3-Network ISO in safe mode...
No, It's running - Don't know exectly, what the problem was.

What I DO KNOW! I'll never try again all those advices for boot problems after / while Dual Install Win 7 + XP!

I found out, that the very easy and uncomlicated way is:

If Win 7 is allready installed: stop system restore --> defrag --> clean the dirve --> run GPARTED Live to create a second partitition
1.) If it's clean: Just run GPARTED Live and create 2 partititions
2.) Install Win / first !!!!!!!!!! beleave me! - NO problem!
3.) Install XP
4.) If XP is correct installed --> just take your Win 7 DVD --> Restore Options --> Sytem repair -- Done
5.) Win 7 is showing up again in the boot order - everything is fine

At least: this is, what i found out - after many versions, like EasyBCD and more - I don't need it this way

@iwanator

This comment has been minimized.

Copy link

@iwanator iwanator commented May 25, 2020

Panasonic CF-D1 Bios password
Gentlemen, I'm also stuck in this topic, could any of you help me decipher my password, Thank you for all the help

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 25, 2020

Hi,
on the right you have to use the hex editor! EXACT! the whole area - except for the point you see below! - Mark and fill with zeros - or: "zero out". Then it is deleted - or replaced by zeros.
Attention! VERY ACCURATE! And regarding the point at the very end! Enrab had mentioned that too! I excluded him because Enrab - I think - thought that he was NOT one of them.
It's best to search for what he writes about the point on the site.
In any case, I EXCLUDED him!

My box was then freed from the password :-)

@iwanator

This comment has been minimized.

Copy link

@iwanator iwanator commented May 25, 2020

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 25, 2020

Just gtake a look above: You'll need exactly ! these settings!
If you don't uncheck at: "Do not Check ROM ID" it wil faile.
https://user-images.githubusercontent.com/64559832/80721929-55874780-8aee-11ea-845f-f495b9d34ebd.png

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 25, 2020

CLOSE all applications! - close ALL windows! be shure, that your adapter has power!
Anyway! I would be shure about a full battery! In case of power loss in your home, you'll have still power!
Maybe, you have to set the "UAC" (User Account Control) to the lowest level.
Leave it to this lebel until the PC restarted.
I would deactivate all network connections! - So, that no process can suddenly do something!
I know that from - par example - Outlook! Just close all running programs!

The flash progress may NOT be interupted!

I would copy the picture above to your desktop - compare the settings --> if OK --> close the picture and go on.

Run "AfuwinGUI.exe" --> Click "Open" --> load your edited/changed ROM file --> above, in "Setup", you compare the settings exactly, like as shown in the picture! -->above, you go to "Progress" --> down, you click on "Flash" --> you can watch the progress
--> do nothing before it ended!

Restart --> have fun with your free BIOS :-)

@iwanator

This comment has been minimized.

Copy link

@iwanator iwanator commented May 25, 2020

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 25, 2020

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented May 25, 2020

@iwanator
I'm not sure how it works with uefi tool a57, but with a51 you have an additional information box which tells you the offset in bytes from the beginning of the bios file. I saw one screenshot from a57 with that information too, so there shold be a way to enable this output somehow.

For editing the bios you can use an hexeditor of your choise. If you are unable to find the right offset you can also try to search for the bytestring that your password is, and find the position in the file that way. Some users have reported that there are two matches in the file and that it seems to work to zero out both.

Then you just override the 128bytes=2x(64bytes for each password) with zeros, check that they contain the bytes that uefi-tool displays as your password.

If you are not sure you could send a screenshot , in which you highlight the bytes you would plan to zero out.
Then, as ftmmsch has already written, you can flash back the file with afuwingui and the settings described above.

Or take Ftmmsch's offer to take a look of course :)

If you have any question, feel free to ask.

Good luck,
Benjamin

@xyberdan

This comment has been minimized.

Copy link

@xyberdan xyberdan commented May 25, 2020

Can anyone help me to retrieve password from CF-31(CF-31WEUAEM2) BIOS dump?
I do everything according to the instructions and nothing comes out. Maybe I do something wrong.. I don't know.
Dump file: https://mega.nz/file/z4cVBIaD#pPqo8d8dn2hn8VhYbJD-L7xBnRo2xZQpp_nFrpy-hUY
Best regards,
Dan

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 25, 2020

@xyberdan

This comment has been minimized.

Copy link

@xyberdan xyberdan commented May 25, 2020

@Ftmmsch , I did it! :)
The first time I incorrectly edited the BIOS in hex editor. In BIOS dump, section related to password occurs twice. So I've filled this sections with zeros, save image, run FreeDOS and AFUDOS app with command: afudos bios_file.rom /an and password is gone :)

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 26, 2020

Hi Dan, you could have sent me an e-mail! Because, i found out exactly, what you did wrong! I edited it. But, as i can see - I can delete it, because you don't need it.
Regards

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 26, 2020

@ Dan:

As i could see in the file: You edited it Before you send it to me! Next time, please tell me about those "fact's".

Regards

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 26, 2020

@ Dan:

As i could see in the file: You edited it Before you send it to me! Next time, please tell me about those "fact's".

Regards

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 26, 2020

Btw: I helped annother one with his BIOS file and noticed the same:
Allready edited the file and didn't tell me about that.
I my opionion, that is a little bit unfair.
Because, there it's allways possible, that it fail - because, it's edited before i did.
And after all, it looks like: "Ftmmsch" made this mistake.

Regards

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 26, 2020

Btw: I helped annother one with his BIOS file and noticed the same:
Allready edited the file and didn't tell me about that.
I my opionion, that is a little bit unfair.
Because, there it's allways possible, that it fail - because, it's edited before i did.
And after all, it looks like: "Ftmmsch" made this mistake.

Regards

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 27, 2020

@benjamin Renz

do you know about the settings of the Hex editor?

A friend asked me about that.
He told me, that he could just fill it with zero - the main option.
And down under, there is an option: "zero-bytes".
I told him, that he has to use the normal way and not to use "zero-bytes".

I just told him that, because i really don't know about the possibility to damage the ROM file - using "zero-bytes".

Would'nt "zero-bytes" just "kill" this section - in stade of replace it?

For those, ho are reading this here - about "zero-bytes"!
DON'T use this option, until it's CLEAR! - what that means! - respectivally what happen!
Just use the normal way -without extra options!

@benjamin Renz
Is here a way, to send private messages?
If every message is posted here - like before - it doesn't look very well :-) Look's like "Junk" :-)

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 27, 2020

Sorry - found it

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 27, 2020

@Anachem

You wrote:
"Now ready to zero the bytes in two instances of password string and update the rom."

Plesase be aware! - And other's could allso interprate this to: "zero-bytes" !!!

I think, that you did just zeroing / zero out - But NOT used the additional setting: "zero-bytes"!
I am affraid, that using the addtitional function "zero-bytes" can damage everything!

As long as no one can give a clear statement about HEX editor --> "zero-bytes" DON'T use "zero-bytes"! Just zeroing / zero !

Hope, that nobody is angry about this post

Ftmmsch

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented May 27, 2020

@Ftmmsch
I guess github does not have an option for private messages, and yes, I also see the problem that this thread gets quiet cluttered.
You could write me an email (appswert (ät) gmail.com).

I'm not sure which option you mean by zero-bytes", which hex editor did you use? Maybe you could share a screenshot which shows which option you mean.
I'm using HxD.exe which only has an option called EDIT->fill selection, do you refer to something like that?

I'm not aware of any special "zero-bytes", just replace value of the bytes in which the password is stored with 0x00 and it should work.

Have you tested what your "zero-bytes" option does to your file? Or any other short test file?
Greetings
Benjamin

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 27, 2020

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 28, 2020

Here about the settings, i used in the Hex Editor:

Hex - Settings

Btw: Yep! - that's what i thought! Therefore, a few minutes ago, i switched from XP Prof. to Win 7 !
NOT ! possible, to upload images from Chrome or Chromium - which are running under XP !

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented May 28, 2020

@Ftmmsch
"Vorgegebene Löschverfahren"(predefinded methods of deletion) are just shorthands to define "durchläufe"(cycles). You will see that if you click on "DoD Sanitizing", there will be three cycles, where the last one will just fill in random data.
I think the name DoD Sanitizing is refering to this deprecated method of deleting data on hdd's by the US Department of Defense

The 1995 edition of the National Industrial Security Program Operating Manual (DoD 5220.22-M) permitted the use of overwriting techniques to sanitize some types of media by writing all addressable locations with a character, its complement, and then a random character. This provision was removed in a 2001 change to the manual and was never permitted for Top Secret media, but it is still listed as a technique by many providers of the data erasure software.

If you press on zero bytes again, it will delete those cycles and replace them with one cycle which overwrites the bytes in the selection with 0x00, which is exactely what you want. A cycle which overwrites the data with zeros seems to be the default selection, so clicking on "zero bytes" will not make a difference when you have just opened the "fill selection" dialog.

So the conclusion is don't use "DoD Sanitizing", you don't want to have random data, you want zeros there.
Also dont press the delete key on the selected bytes, as that will just trunkate the file.

Pressing the zero key (probably gets tiring quickly), or selecting the section of bytes and using one cycle of overwriting the bytes with zeros, which is equivalent to pressing the "Nullbytes" button will work.

At least on win10 HxD also displays the changes in red, so you can see quiet well what you are about to change.

Hope that this clears up the confusion.
Greetings,
Benjamin

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 28, 2020

@BenjaminRenz
Thank you
"Maybe someone wil clarify us here" - has thus done :-)

Speaking of: "displays the changes in red"
I hadn't changed anything in the picture yet, so he's not showing it in red yet.

What I did wrong in this "example" from my point of view:
It could be irritating to the viewer that I just chose a random and completely irrelevant area.
An accurately recorded, relevant area would have made more sense at this point.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented May 29, 2020

About the settings in MY Hex editor, i got an asnwer from the owner of my Hex Editor:

https://forum.mh-nexus.de/viewtopic.php?f=7&t=1097&p=3417#p3417

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 3, 2020

Hello,

Need help with correct settings for AFUWINGUI I’ve seen different items selected on the many pics above. My flash keeps failing I’m using windows 10.

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 3, 2020

10AA43D4-87D2-4FCB-AB6F-C8B7A23CC5DD
F6069E58-0F06-472F-8A47-C5EF98B5AC16
Uploading 466B1408-43CD-4002-A93E-0EAEABAB508B.jpeg…

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 3, 2020

@FoRcEdOnLiNe

If you like, that i'll do it for you:

Please go on my profile - there, you'll see my e-mail adress.

If you send me your safed ROM file:
Please send me an UNTOUCHED ! - if you still have one!

You know about the settings, you need for flashing? - par example: "Do NOT Check ROM ID" ect. ?
(If you don't check this setting, nothing wil be damaged - it just don't work - it wil fail)

Regards

P.S. if you're quick - i'll do it tonight :-)

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 3, 2020

Please click on my profile!
Then you will see my email address!
The conversation via github is very annoying!
Then I can work directly via Outlook!
You're welcome ! Click on "Profile" = email address.
Send me the file by email - done.
Thank you :-)

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 3, 2020

Hi @FoRcEdOnLiNe,
your modification of the rom file looks good to me, as @Ftmmsche already noted the problem seems to be your settings of afuwingui. Can you share your current settings and the precise wordig of the error?
If you can't get it to work with the windows utility there is an option to use a freedos usb stick to flash the bios. But the windoss utility is probably easyer to use.
Be carefull, flashing an invalid rom image might softbrick your device.

Greetings
Benjamin

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 3, 2020

I’ve tried checking nvram and do no check rom id, checking main bios image and do not check rom id, checking everything, and all of these with unchecking do not check rom id. I can remember of hand the exact message but I believe it was a problem with writing and 3 squares remained white. I’m using windows 10 64bit and 64bit of the afuwingui.. the message also reads don’t restart the computer until a successful flash is done but it appears there no actual effect to the computer

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 4, 2020

Some stuff you could try:
Have you checked if your modified bios has the same number of bytes as your modifyed image?
Does wirting back the original unaltered image work?
And I forgot to ask, which laptop model do you have?

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 4, 2020

I tried the original file and received the same error, CF-31 MK3, I don’t know what you are referring to regarding the comparison.

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 4, 2020

The comparison would only be interesting if flashing the original image would have worked. Just to check that you have not accidentally altered the length of the file.

Have you tried only writing the nvram section/block? I would guess, because the password is in the category nvram variables, that writing back only this sectiom should be sufficient. But I have to admit, that I have not tested that myself.

Or if that fails too you could look up the procedure for flashing ami bioses with freedos and try it that way.

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 4, 2020

D04153D1-2997-4F0D-A3E2-CFC7E5765C04

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 4, 2020

Well, it looks like it can't properly erase the flash, so i would recommend you try either the afudos or afuefi.

Option 1 afudos:
For the first one you need a freedos usb stick, your bios and the afudos utility.
for freedos usb stick see here
I'm not sure if you can still download the afudos.exe from ami directly, but there are probably a lot of rehosts out there.
for a commans reference of afudos see here

Option 2 would be afuefi, but in order to use that your bios must offer a boot option called efi-shell. I'm not sure if the CF-31 mk3 already supports that.

If one searches for this error, then it is caused either by some write protection or it is a software problem which is normaly fixed by using the dos version. I would guess that Afudos would at least report a more detailled error message, if write protection would be in place.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 4, 2020

Hi,
There were other sections.
If it is not a single section, these are immediately after the first part.

The UEFI tool is actually not required.

Attention! To be on the safe side, make a copy BEFORE editing the ROM file!

  • for yourself - or for others!

1.) Open the ROM file with the HEX Editor.
2.) set the file so that it is at the beginning.
3.) In the search: Enter "AMITSESetup"
4.) Search direction: "All"
5.) Search
6.) Search further

Does the area look as if there are two almost identical sections in a row:
BOTH zeros.
From the beginning of the first part: bracket "["
By the end of the second part: "k"
! Let .NVAR stand!

Have fun with the now accessible BIOS :-)

P.S.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 4, 2020

Sorry - I have "wrongly" judged the last case here!
Sectons were still present that were not "zeroed", but this should NOT lead to the flash process failing ...

That would have to flash - only the BIOS would still be locked

P.S.
Sorry for my "misjudgment"

The following also applies to me:
"Those who can read have a clear advantage"

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 4, 2020

How do I proceed with the dos version? I created the usb stick

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 4, 2020

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 4, 2020

Did you got my message? - about flashing via USB ?
https://www.win-raid.com/t286f16-Guide-Deprecated-Flashing-modified-AMI-Aptio-UEFI-using-AFU.html
In there, he warned about using Aptio 4 - don't know if it could be the reason for Error 43....

and my advice, to try it with Aptio 5 (V) ? You did it with 4 ?

Here my link to the original AMI 3 + 4 + 5 + HEX
https://drive.google.com/file/d/1pSgb0q7STpvHuc4lBXjWz4ULIO9oa5RR/view?usp=sharing

You could try my edited file for a last time - using Aptio 5 (V)

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 4, 2020

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 4, 2020

@FoRcEdOnLiNe

what exactly do you mean with:
"I haven’t tried I don’t know how to proceed that way"

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 4, 2020

@FoRcEdOnLiNe

which version of Aptio - AfuwinGUI.exe - did you use ?

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 4, 2020

@FoRcEdOnLiNe
Does your PC support both? legacy BIOS mode and UEFI mode?
I don't know much about that, because, i don't know anything about Windows 10.
Anyway: to find out:

On Windows, “System Information” in Start panel and under BIOS Mode, you can find the boot mode. If it says Legacy, your system has BIOS. If it says UEFI, well it's UEFI. Alternative: If you using Windows 10, you can check whether you are using UEFI or BIOS by opening File Explorer and navigating to C:\Windows\Panther

When you tried to flash:
Did You:
run from an administrator account?
exit antivirus?
Stop all network connections?
Set the "UAC" (User Account Control) to the lowest / deapest setting?

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 4, 2020

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 4, 2020

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 4, 2020

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 4, 2020

dos/freedos is only 16/32bit, but win7 can't run dos executables. So chose your windows version based on your processor and if it supports x64.

How do I proceed with the dos version?
Download afudos and put it inside a folder on your freedos usb stick, also copy the bios file there.
Start your CF31 and boot from your usb key.
Change your current working directory to the folder where afudos.exe and your rom file reside (cd Path\to\Folder).
Flash with the commands from the commands reference i posted earlier.

There are some tutorials out there, search for "afudos flash bios", or ask here if you get stuck.
Please try both versions of afudos (4.40 and 5.05.x) since I'm not sure which bios version you have.

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 4, 2020

And first try running the windows version with administrative priviledges if you have not done that so far.

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 4, 2020

I created the Rufus USB stick using the link you gave,do I just put the afudos and bios file on the USB stick?

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 4, 2020

@FoRcEdOnLiNe
Does your PC support both? legacy BIOS mode and UEFI mode?
I don't know much about that, because, i don't know anything about Windows 10.
Anyway: to find out:

On Windows, “System Information” in Start panel and under BIOS Mode, you can find the boot mode. If it says Legacy, your system has BIOS. If it says UEFI, well it's UEFI. Alternative: If you using Windows 10, you can check whether you are using UEFI or BIOS by opening File Explorer and navigating to C:\Windows\Panther

Did you try it with the AfuwinGUI.exe from Aptio 5 / V - x 64 ?

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 4, 2020

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode

commandline:

reg query HKLM\System\CurrentControlSet\Control /v PEFirmwareTyp

Return code Firmware mode
0x1 BIOS

0x2 UEFI

I think, you could just run regedit and search for the Key: HKLM\System\CurrentControlSet\Control /v PEFirmwareTyp

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 4, 2020

I created the Rufus USB stick using the link you gave,do I just put the afudos and bios file on the USB stick?

Yes, it should be that simple. Just make sure that your bios file and the folder you can optionally create do not have a strange name, like special characters or commas etc.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 5, 2020

Found USB flash files in my chaos.
HP tool and usbdos.zip.
Should go relatively easily.
I translated the old description (PDF) into English.
The files are in the AMI folder.
For the sake of simplicity, I stuffed EVERYTHING from AMI and shortened the names - would be too long. The Panasonic WMI tool is also included and a folder with files to start an OS from the USB stick.
Here the link - is big - 43MB.

https://drive.google.com/file/d/1tBySiSj74hu62RRhWvWFMHsi9CLHzg1G/view?usp=sharing

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 5, 2020

Btw: the Panasonic WMI Tool is a nice feature - but useless, if the supervisor password is unknown :-)

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 5, 2020

Notice - as in the pdf from the usb bios flash folder described, the files (usbdos.zip), which are copied with the hp tool to the usb drive,
are "unvisible" (hidden) :-)
So don't delete them by accident :-)

Just read - and have fun

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 5, 2020

So - i better go in bed for a few ours......

Good Night

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 5, 2020

The computer didn’t boot from the dos usb

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 5, 2020

7C22776E-6B02-4210-959D-42AD452AC280
And I got this message from aptio 5

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 5, 2020

The google link didn’t work for me either

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 5, 2020

The computer didn’t boot from the dos usb

Have you already tested if the stick is bootable with a different pc?
I'm not sure which features your bios has and if you are able to change them without a Admin password, but here are some options to check:
-disble Secure Boot
-enable CSM, sometimes called legacy boot
-obviously change the boot order

So please let me know if it works on a different pc and if you are able to change those settings.

AFUWINGUI seems to indicate your bios is an Aptio 4 one, so try afudos 5.05.X first.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 5, 2020

A note regarding my "USB BIOS Flash" in my AMI folder:
The HP format tool is NOT compatible with Windows 10!

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 5, 2020

Btw:
What i have in my folder, is exactly the same software as from Here;
https://www.biosflash.com/e/bios-boot-usb-stick.htm
This site is in english and german

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 5, 2020

Whereby I am now wondering how the flashing should work via USB stick ...
If due to the locked BIOS no boot order can be made ....

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 5, 2020

if you have nothing of importance on your hdd, or if you got a spare one, you could hook it up to another pc and install freedos there. You probably have to bypass some sanity checks of rufus, which will obviously try to save you from overwriting a hdd.

The last option would be to use an hardware flasher like a ch314a chich you can get for ca 10$, but this is always more risky than doing it the software way. And such a bios flasher from china might take a while i the current situation.

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 5, 2020

It would be a bigger problem if you can not disable secureboot or enable csm, as freedos still relies on legacy bios features and will not start with efi or uefi.

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 5, 2020

The usb works but bios is locked there for I cannot boot from usb because that requires it being selected in the bios. Afudos installs but doesn’t open on any of my systems which leads me to believe it was intended for usb flash. If others here have a CF-31 mk3 or higher and where able to do it then I should to it’s a matter of me figuring out why it’s not working

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 5, 2020

Could a DOS HDD Work?

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 6, 2020

You got my last mail.

But: befor you try anything else:

Did you try to find out about your settings? "Systeminformation" ? "Ms32Info.exe" ?

At least, to find out about BIOS, EFI ect.
You didn't answer about that.

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 6, 2020

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 6, 2020

The usb works but bios is locked there for I cannot boot from usb because that requires it being selected in the bios. Afudos installs but doesn’t open on any of my systems which leads me to believe it was intended for usb flash. If others here have a CF-31 mk3 or higher and where able to do it then I should to it’s a matter of me figuring out why it’s not working

Afudos will not work on anything other than dos, freedos, win3.1, win95, win98.
With Windows 2000 Microsoft switched to Windows NT as a kernel, hence dos applications will not run at all on newer systems (win2000, win xp, win vista, win7, win8/8.1 win10).

Could a DOS HDD Work?

Yes, see: https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-3331221 .
Rufus will hide you internal hard drives, because it wants to save you from wiping your windows install or other important data.
But there is a way to bypass that: https://superuser.com/questions/1337415/make-rufus-show-internal-hard-drives .
Please tripple check when you install freedos that you have selected the right HDD.
Alternateiveley you can probably use the usb stick you created for that, and install freedos on the hdd from there see: http://web.uflib.ufl.edu/libsys/Liaisons/InstallingFreeDOS.html .

But before you spend time installing freedos to hdd please check if you can enable csm (legacy boot) or if there is this option.
Because freedos can't be booted from efi/uefi.

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 6, 2020

0359EDE0-9D8A-4876-9442-E18CD0FEAA21

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 6, 2020

46DA06CE-BB8B-402F-9E21-AA9B0A48974A

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 6, 2020

95A93659-CAC3-475A-AF77-DCD2EDC40564

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 6, 2020

shame shame....

all the time, i forget about the PC informaton viewer.... sorry

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 6, 2020

Does anyone know to get afuwingui64 to open on windows 7

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 6, 2020

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 6, 2020

7x64 aptio 4 it’s a mk3 aptio 5 is for the mk5

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 6, 2020

95A93659-CAC3-475A-AF77-DCD2EDC40564

Seems ok, boot mode is set to compatible, which is csm enabled.

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 6, 2020

Does anyone know to get afuwingui64 to open on windows 7

Haven't you said you installed win7 32bit? Then you will be unable to open any 64 bit application, which afuwingui64 obviousely is.

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 6, 2020

I switched to win7 64 because I had no luck with win7 32

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 7, 2020

It will boot from windows recovery CD and windows 10 usb downloaded from the Microsoft website(but I get BSOD) so either it doesn’t recognize the dos or I didn’t create a proper bootable usb...It appears the boot order is CD, HDD the USB

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 7, 2020

Just checked with my pc (desktop), installed with rufus portable, freedos launches, but only when csm is enabled.
Can you test the stick with another pc? That way you could rule out the stick as the problem.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 7, 2020

Btw: AufuwinGUI.exe not running:
I just did a self-test on my CF-31 because I wanted to check something.
I noticed that my AfuwinGUI.exe suddenly could not be run anymore!
I deleted it and completely packed the folder where it was in on the desktop.
Now it was suddenly.
When I took the AfuwinGUI.exe out of the folder one by one, it didn't work ...
Now that I have selected the whole folder, I was able to flash easily.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 7, 2020

@FoRcEdOnLiNe:

Something is strange about the failed flash attempts ...
Could it be that you have NOT used the AMI tool: "AfuwinGUI.exe" to save the ROM file?
Instead, a tool such as "BIOS Backup ToolKit" ???
I am surprised that your ROM file is twice as big as the ROM file from MY CF-31!
If you actually used a tool like the "BIOS Backup ToolKit", that would be NORMAL!
This tool makes a FULL BackUp!
Therefore a back-up of - par example: "BIOS Backup ToolKit" twice as big!

If I'm FULLY wrong,
I would like to be enlightened!

@BenjaminRenz

This comment has been minimized.

Copy link

@BenjaminRenz BenjaminRenz commented Jun 7, 2020

Btw: AufuwinGUI.exe not running:
I just did a self-test on my CF-31 because I wanted to check something.
I noticed that my AfuwinGUI.exe suddenly could not be run anymore!
I deleted it and completely packed the folder where it was in on the desktop.
Now it was suddenly.
When I took the AfuwinGUI.exe out of the folder one by one, it didn't work ...
Now that I have selected the whole folder, I was able to flash easily.

Are you talking about the afuwin64.zip file?
AFUWINGUIx64.EXE probably depends on AFUWINx64.EXE and amifldrv64.sys to be present in the folder in which you try to run it.
With some unzip tools running the programm directly from the archive works, because they create a temporary folder with all the contents of the archive while unzipping and start the exe in there.

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 8, 2020

Thanks for your explanations.
Keeping that in mind will definitely help me :-)

Do you know if "FoRcEdOnLiNe" has found a solution by now? He wrote nothing more.
Also I still don't know if he got the ROM file
actually saved with AfuwinGUI.exe, or took another program.
OK - normally he will have done it with AFU,
But as I said: it makes me wonder that his BIOS ROM file is twice as big as mine.
And I also have a CF-31.
OK - I have CF-31 mk2 he has mk3.
But: can the difference be so big?
Unfortunately I have no idea whether that could be due to Winows 10.
Now he has Windows 7 on it.
Would be nice if he would save and send me a ROM file again.

@FoRcEdOnLiNe

This comment has been minimized.

Copy link

@FoRcEdOnLiNe FoRcEdOnLiNe commented Jun 9, 2020

Still haven’t unlocked it, tried a mk5 that was unlocked with aptio 5 just to see it I could flash it and it seemed to work, there were no errors it was running 8.1. I got no where on the mk3 with windows 7 because I couldn’t get pass the not signed driver menu and Windows 10 the flash failed. I was wondering it there was a problem with the bios it self. I’ve also seen a 4.48 version of afuwingui trying to find it to download and try

@Ftmmsch

This comment has been minimized.

Copy link

@Ftmmsch Ftmmsch commented Jun 9, 2020

Hi,
could you please tell me, which software you used to safe the ROM file?

Because, i was wondering about the size! It's twice as big as my ROM file.
Mine is about 3 MB and your's is abbout 6 MB ?
Did you try a software like: Backup Tool ?
I used that once - just to find out about differences.
But:
1.) it was twice as big as the file, i safed using AfuwinGUI.exe
2.) My Antivirus gave extrem Alarm about this "Software Tool"

I don't know about differences of my CF-31 mk2 and your CF-31 mk3.

As i told you before: If you trust me, you can let me have look on your PC - via "TeamViewer".

What did you use? AfuwinGUI.exe ?

Could you please safe a file again and send it to me ?

@FoRcEdOnLiNe

This comment has been minimized.

Copy link