en4rab/CF-U1-BIOS.md

Last active Nov 28, 2021
Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)


A mess of my own making

While messing with a CF-U1 handheld PC that I bought off eBay I managed to mess up the BIOS, and it seems it reverted to previous settings, which included an unknown BIOS password. It would, however, still boot into Windows. Since I could still boot Windows I was able to dump the BIOS flash using AFUWINGUI.EXE; the version I used was 3.09.03.1462, which is available here:
https://ami.com/en/?Aptio_4_AMI_Firmware_Update_Utility.zip

There may be a more appropriate version to use, as this one seemed to have trouble checking the BIOS version when flashing, but it did work if you selected "Do Not Check ROM ID". Flashing isn't needed to get the password, though.

Dumping the flash

Run AFUWINGUI.EXE and at the bottom of the "Information" tab click the save button to make a backup of your BIOS; the default name is afuwin.rom. Now open this saved image with UEFITool_NE, available here:
https://github.com/LongSoft/UEFITool/releases

I used UEFITool_NE_A51_win32.zip; later versions should work fine. The new engine (NE) version seems to deal with AMI's odd NVRAM format better.

Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data. There will be others with subtype Link, which are older, no longer valid entries because of the odd way AMI NVRAM works; if you find one of these, right click on it and select "Go to data" and it will take you to the actual data entry.
Now right click and select "Body hex view" and you should see something like:

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A  {.”¦.:)ÍÒ`.ô\‡í.
0050  07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35  .®®AÜÔ.h«ûú.U¢°5
0060  0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0  .Éf\Áï.ƒw.Ò©-=ˆÐ
0070  E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B  ãc>÷™Šô.O±ªD.Ø`k
0080  01


In this dump the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password, and 0x80 is the quiet boot flag.

1337 encryption

The password is obfuscated using super secure XOR:

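VOID PasswordEncode( CHAR16 *Password, UINTN MaxSize)
{
    UINTN	ii;
    unsigned int key = 0x935b;

    /* A conditionally compiled loop, for ( ii = 0; ii < MaxSize; ii++ ) ... #endif,
       sits here in the source; its #if line and body are not reproduced. */

    /* XOR each 16-bit character with the low 16 bits of key * ii; this is the
       sequence 0x935B, 0x26B6, 0xBA11, ... seen in the XOR string below. */
    for ( ii = 1; ii <= MaxSize/2; ii++ )
        Password[ii-1] = (CHAR16)(Password[ii-1] ^ (key * ii));
}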

So XORing the above encoded password:

7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A 07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B


with

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B


gives

20 80 22 80 16 80 45 80 15 80 38 80 21 80 35 80 34 80 20 80 35 80 4e 80 34 80 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Each character of the password is stored as 2 bytes, and as x86 is wrong endian I'm guessing they should be read as 0x8020 0x8022. I have no idea where the 0x80 comes from; possibly it's something to do with EFI_SHIFT_STATE_VALID. In this case the password was lower case; possibly uppercase status is encoded in this byte too. I have no idea, I haven't tested uppercase passwords.

WTF scancodes how does this map to keys

From the unobfuscated data you can see the password is 13 characters long. I'm going to ignore the 0x80 bytes as I don't understand them :P and just look at the others:
20 22 16 45 15 38 21 35 34 20 35 4e 34
They appear to be some sort of scancodes, although while googling this I found some AMI BIOSes seem to use ASCII here so you can read it out directly as text, but not on this machine.
When this CF-U1 arrived from eBay it had a password which I successfully guessed as "toughbook"; my second guess would have been "panasonic", since using text written on the front of the PC as a password saves writing it under the battery cover :P
Looking through the older Link entries for the AMITSESetup NVRAM I found what I thought was the data for this password, which deobfuscating as above gave (ignoring the 0x80):

35 39 37 24 25 14 39 39 27
t  o  u  g  h  b  o  o  k


This seemed promising: repeated characters have the same value, and it gives a bit of a key to the mapping. Some googling later about UEFI scancodes and I found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum, so in the toughbook example 35 translates to EfiKeyD5. A second page I found gave the mapping from EfiKey to ASCII:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

So I made up a list of byte to ASCII using these; below are just 0x10 to 0x4E, to cover most values but not be too stupidly long.

Hex  Char  EFIkey           Hex  Char  EFIkey
10   z     EfiKeyB1         30   Tab   EfiKeyTab
11   x     EfiKeyB2         31   q     EfiKeyD1
12   c     EfiKeyB3         32   w     EfiKeyD2
13   v     EfiKeyB4         33   e     EfiKeyD3
14   b     EfiKeyB5         34   r     EfiKeyD4
15   n     EfiKeyB6         35   t     EfiKeyD5
16   m     EfiKeyB7         36   y     EfiKeyD6
17   ,     EfiKeyB8         37   u     EfiKeyD7
18   .     EfiKeyB9         38   i     EfiKeyD8
19   /     EfiKeyB10        39   o     EfiKeyD9
1A         EfiKeyRShift     3A   p     EfiKeyD10
1B         EfiKeyUpArrow    3B   [     EfiKeyD11
1C   1     EfiKeyOne        3C   ]     EfiKeyD12
1D   2     EfiKeyTwo        3D   \     EfiKeyD13
1E   3     EfiKeyThree      3E         EfiKeyDel
1F         EfiKeyCapsLock   3F         EfiKeyEnd
20   a     EfiKeyC1         40         EfiKeyPgDn
21   s     EfiKeyC2         41   7     EfiKeySeven
22   d     EfiKeyC3         42   8     EfiKeyEight
23   f     EfiKeyC4         43   9     EfiKeyNine
24   g     EfiKeyC5         44         EfiKeyE0
25   h     EfiKeyC6         45   1     EfiKeyE1
26   j     EfiKeyC7         46   2     EfiKeyE2
27   k     EfiKeyC8         47   3     EfiKeyE3
28   l     EfiKeyC9         48   4     EfiKeyE4
29   ;     EfiKeyC10        49   5     EfiKeyE5
2A   '     EfiKeyC11        4A   6     EfiKeyE6
2B   |     EfiKeyC12        4B   7     EfiKeyE7
2C   4     EfiKeyFour       4C   8     EfiKeyE8
2D   5     EfiKeyFive       4D   9     EfiKeyE9
2E   6     EfiKeySix        4E   0     EfiKeyE10
2F   +     EfiKeyPlus

Using the above list and the recovered scancodes gave:

20 22 16 45 15 38 21 35 34 20 35 4e 34
a  d  m  1  n  i  s  t  r  a  t  0  r


and when I tried adm1nistrat0r it worked!
This is not complete, as there are still questions about the 0x80 bytes, but my guess is they encode the shift, alt etc. modifier keys. I'm back into my handheld, though, so I'm not sure I'll look further into it. This may also apply to other Aptio BIOSes as well as the Panasonic CF-U1, and if the machine isn't bootable you may be able to use a cheap SPI adapter to dump the BIOS. In the case of the CF-U1 it uses an LPC flash, which I don't think you can get cheap clips and readers for, and it's buried in the machine so a nuisance to get to.
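
The two decoding steps above (XOR string, then EFI_KEY lookup) as one script. This is an added example, not part of the original write-up. It also tells a reversibly obfuscated slot apart from the 20-byte digest-like form reported in the comments, which is what decides whether a stored password can be read back at all. Function names and the digest heuristic are assumptions of this example; the hex inputs are the values quoted on this page.

```python
import struct

KEY = 0x935B   # multiplier in PasswordEncode, as quoted on this page
SLOT = 64      # bytes per stored password slot in AMITSESetup

# EFI_KEY index -> character, transcribed from the table on this page.
# Modifier/navigation keys and 0x44 (no character listed) stay unmapped.
EFI_KEY_CHARS = {}
for _start, _chars in ((0x10, "zxcvbnm,./"), (0x1C, "123"),
                       (0x20, "asdfghjkl;'|456+"), (0x31, "qwertyuiop[]\\"),
                       (0x41, "789"), (0x45, "1234567890")):
    for _i, _c in enumerate(_chars):
        EFI_KEY_CHARS[_start + _i] = _c


def keystream(n_bytes=SLOT):
    """The XOR string: (KEY * i) & 0xFFFF, little-endian, for i = 1..n_bytes/2."""
    return b"".join(struct.pack("<H", (KEY * i) & 0xFFFF)
                    for i in range(1, n_bytes // 2 + 1))


TAIL = keystream()[-8:]   # 4F B1 AA 44 05 D8 60 6B


def find_slots(blob):
    """Start offsets of 64-byte slots, located by the keystream tail that ends
    every encoded slot whose password is shorter than 29 characters."""
    hits, pos = [], blob.find(TAIL)
    while pos != -1:
        start = pos + len(TAIL) - SLOT
        if start >= 0:
            hits.append(start)
        pos = blob.find(TAIL, pos + 1)
    return hits


def classify(slot):
    """Return (kind, value) for one 64-byte slot.

    kind is 'unset', 'efi-key' (reversible; value is the typed password),
    'digest-like' (20 data bytes; value is hex) or 'unknown' (value is hex).
    """
    plain = bytes(a ^ b for a, b in zip(slot, keystream(len(slot))))
    # Never written (raw zeros) or an encoded empty password (pure keystream).
    if not any(slot) or not any(plain):
        return "unset", ""
    words = struct.unpack("<%dH" % (len(plain) // 2), plain)
    used = list(words)
    while used[-1] == 0:
        used.pop()
    # CF-U1 layout: high byte 0x80, low byte an index into the EFI_KEY enum.
    if all(w >> 8 == 0x80 and (w & 0xFF) in EFI_KEY_CHARS for w in used):
        return "efi-key", "".join(EFI_KEY_CHARS[w & 0xFF] for w in used)
    # Layout reported in the comments: 20 data bytes, every other byte 00.
    # Heuristic (assumption): accept 17-20 bytes to allow trailing 00 data.
    low = bytes(w & 0xFF for w in words)
    high = bytes(w >> 8 for w in words)
    for data, pad in ((low, high), (high, low)):
        if not any(pad) and 16 < len(data.rstrip(b"\0")) <= 20:
            return "digest-like", data[:20].hex()
    return "unknown", plain.hex()


# Sample inputs: the CF-U1 body hex view and the CF-53 value quoted on this page.
CF_U1_BODY = bytes(64) + bytes.fromhex(
    "7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A"
    "07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35"
    "0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0"
    "E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B") + b"\x01"
CF_53_SLOT = bytes.fromhex(
    "5B C6 B6 55 11 64 6C 4B C7 A7 22 16 7D 70 D8 DA"
    "33 27 8E 4F E9 93 44 64 9F 25 FA B9 55 51 B0 C1"
    "0B EB 66 90 C1 1C 1C 2E 77 16 D2 A9 2D 3D 88 D0"
    "E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B")

if __name__ == "__main__":
    for off in find_slots(CF_U1_BODY):
        print(hex(off), classify(CF_U1_BODY[off:off + SLOT]))
    print("user slot:", classify(CF_U1_BODY[:SLOT]))
    print("CF-53:", classify(CF_53_SLOT))
```

A slot that comes back as efi-key is only obfuscated and should be treated as readable by anyone who can dump the flash; a digest-like slot cannot be read back this way.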

c0deh4xor commented Aug 20, 2019

 Need some help! I am trying to replicate what you did and.... how did you get the second hex set? I bought a toughbook and when the bios was reset it defaulted to the corp one :( This is what I have gotten so far... 5B F5 B6 D2 11 16 6C 71 C7 63 22 C6 7D D5 D8 EE 33 32 8E BC E9 42 44 57 9F E1 FA FC 55 26 B0 2D 0B DE 66 B2 C1 20 1C 91 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

Good day,

Thanks for the wonderful write-up, at the moment I'm stuck with the same issue as @c0deh4xor, here is the BIOS password (Toughbook CF53 MK1):

5B C6 B6 55 11 64 6C 4B C7 A7 22 16 7D 70 D8 DA 33 27 8E 4F E9 93 44 64 9F 25 FA B9 55 51 B0 C1
0B EB 66 90 C1 1C 1C 2E 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

After xor'ing the password the output is like this:

Output

00 55 00 73 00 de 00 06 00 47 00 62 00 77 00 40 00 09 00 8e 00 c7 00 8c 00 5e 00 b7 00 f3 00 f4
00 22 00 cc 00 f3 00 ad 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

It's possible that BIOSes for models other than the CF-U1 may encrypt the password in some way; the AMI source has a function intended to be customised by the OEM to provide a more secure method of password storage:

VOID HiiGetEfiKey(CHAR16 *PwKey);
//
//----------------------------------------------------------------------------
// Procedure: PasswordEncode
//
// Description: This function is a hook called when user entered
//              password has to be encoded. This function is
//              available as ELINK. OEMs may choose to use different
//              encryption logic here.
//
// Input: Password : Password array to be encrypted. Encryped
//        password is returned in the same array.
//        MaxSize : Max size of Password
//
// Output: VOID
//
//----------------------------------------------------------------------------
//

In both the above cases it looks like the stored password is 20 bytes in size (ignoring the 00 bytes) but this doesn't look like it is any sort of keyboard scancodes or ASCII. This is a wild guess, but the fact the password seems to be 20 bytes or 160 bits makes me think that possibly it's a SHA1 hash of the password being stored. I did try googling 5573de0647627740098ec78c5eb7f3f422ccf3ad but got no hits, and if it was a SHA1 hash I'm not sure if it would be a hash of the ASCII or keyboard scan codes, so I'm afraid I'm out of ideas.

c0deh4xor commented Aug 29, 2019

 Just blank it all out, that's what I did with mine and it boots fine or replace it with a known SHA-1 hash ;)

esters commented Sep 2, 2019

It could be that it is a SHA1 hash. Where did you find the source code for the AMI BIOS? Was it leaked somewhere?

en4rab commented Sep 2, 2019

Jetway leaked some source and a signing key on an unsecured ftp server about 6 years ago ( https://adamcaudill.com/2013/04/04/security-done-wrong-leaky-ftp-server/ ) the files were called cm013-org1.zip 013s.zip 016s.zip 018s.zip I think you can find them here: https://mega.nz/#!Oc8hHILZ!HgMIVBWRPyQFIpG4EqvYzEiB91gpedStB1iihGbphmY but they aren't terribly useful

esters commented Sep 3, 2019

 @en4rab Thanks!

Bernhard95 commented Nov 16, 2019

I need some help please! Unfortunately I have bought a used CF-U1 mk2 with BIOS lock; no known default PW will work and no user PW is set. I'm stuck while compiling the C program for encryption. Which program do you use for compiling? Maybe someone can post an executable file? Or can somebody help me to decrypt the BIOS PW? I get the following from the BIOS dump file (0x40 to 0x7F): 6E 13 8F A6 36 3A 22 CD 89 60 69 F4 5C 87 EA 1A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B Thanks for help

en4rab commented Nov 16, 2019

Bernhard95, there is no need to compile anything; all you need to do is xor your data with the secret xor string and recover the password. I used this site for example to do that: http://xor.pw/ Xoring your data with the secret string gave the following: 3580 3980 2780 4e80 4e80 4b80 2180 3280 00000000000 (some 00's cut) which I think decodes to: t o k 0 0 7 s w So try tok007sw and see if that works

Bernhard95 commented Nov 17, 2019

 Thank you en4rab, tok007sw works fine for my Device.

C0debreak commented Nov 24, 2019

 Thank you so much for putting this information together, and then sharing it!!! This has taught me more about AMI Bios than any other source I have come across... I am trying to figure out the password to one of my CF-31's and have done everything as per your instructions, but the XOR string is obviously different for the separate models - maybe even the marks within the models. If you could help point me in the right direction in regards to finding out the correct XOR string to use - I would appreciate it more than you know. Again, my sincere thanks for this bro!

en4rab commented Nov 28, 2019

C0debreak I had a look and found an EFI dump claiming to be from a CF-31, it begins "MEI_CF31-3" so I guess it's from a mk3 CF-31. Having a look at the AMITSESetup data and the xor key was the same (based on the fact that after xor the data ended with a lot of 00's). However the stored password seems to be stored as 20 bytes like in some of the comments above, so it looks like the password is probably stored as a SHA1 hash; to get any further with that you'd need to try setting the pass to a known value, dumping the stored hash and trying to work out if it's a hash of the ASCII pass or the keyboard scancodes, which I can't do. For this version your best bet is probably to dump the flash chip with an SPI programmer, hexedit the stored pass to 00's and write it back to the SPI chip

Wasmachineman-NL commented Jan 14, 2020

 Haha, Notebookreview retards BTFO. Nice writeup @en4rab! Would this work on a Broadwell/Intel Secure Boot equipped machine like a CF-31 Mk5?

What language is the code snippet? Nevermind, it's Python 3

greeef commented Mar 3, 2020

 Hi there, I have a cf-19 machine and am also struggling with the password. I am unsure i got the secret key step right, this is the output I've ended up with b4007f00ba00af00b000d600e2002d001300c90049005c004f00cb00cc004b00980065007c00e1000000000000000000000000000000000000000000000000 which looked promising at first, but seems to be 20 characters.

danhart102 commented Mar 3, 2020

 Looks like a HASH, to me

 Bummer, and I'm struggling to figure out the tool with which i can navigate the bios and also edit it... hmmm i'll get there. FREE ONLINE OCR SERVICE https://www.onlineocr.net/

greeef commented Mar 3, 2020

 Just blank it all out, that's what I did with mine and it boots fine or replace it with a known SHA-1 hash ;) I'm terrified lol this is my first time attempting to hack a bios. Do you mean literally replace that 64 byte string with zeroes? or do i need to invert the xor process somehow?

vampel commented Mar 17, 2020

 Hello. I have a cf-31j, on the post you say: In this the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password and 0x80 is the quiet boot flag. but in this are more down but if i select those hex are the same numbers of pairs(but finish on the file 90)

userx14 commented Mar 17, 2020

@vampel, yeah, those bytes in front of the password were present on my cf-53 too. The user password and admin password are offset and don't start from 0x00 to 0x3F. Just look for the bytes ending on 60 6B and count back 64 bytes. This section should be the admin/user password. You have correctly selected the administrator password; if you just want to remove it just overwrite it with zeros, or try to decrypt it with xor.pw and the key, to see if it is only a hash of the password (see answer from greeef).

vampel commented Mar 17, 2020

 @BenjaminRenz Tnx!

vampel commented Mar 19, 2020

 @BenjaminRenz did u try zeroing the pass 2 times, the pass are found it 2 times on the rom, try it

@vampel, I only zeroed out one occurrence, but like you the password has more than one occurrence in the bios file. Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup) with subtype Data there will be others with subtype Link which are older no longer valid entries because of the odd way AMI nvram works, if you find one of these right click on it and select "Go to data" and it will take you to the actual data entry. Then with UEFI tool alpha 51 (newer version didn't work for me) you have an "Offset" in the information window on the right. For me it is Offset: AB49F3, but I guess yours will differ. Then use HeX.exe and zero out the password ONLY on this offset location+(the offset in the key itself). Just use ctrl+f and search for 05D8606B (the end of your password) and zero the one which comes slightly after the offset indicated by uefi tool.

vampel commented Mar 19, 2020

@BenjaminRenz it works! I zeroed 2 times, copy all the 64bits code, I extract body with uefitool cuz HxD don't give me the spacebar every 2 characters, copy from that extracted... now in another tab on HxD open it, select all and copy (will copy all spacebars xd), paste on the search option on the entire rom, you will find it 2 times, in the replace option I write, yeah, write 00 and space bar 64 times lol. Use another version of uefitool like 56 more new; I have downloaded a lot of versions and yes some versions don't open the NVRAM tree

@BenjaminRenz this is why we can't replace any on AMI bios using UEFItool (see 4th point NDA) source: https://github.com/LongSoft/UEFITool

otorra14 commented Mar 21, 2020

Hello, I hope everything is well with you. I have tried to do the same steps as you have explained but I have some questions about this procedure. The first one is about the part where you have xored the encoded password 5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B . Where did you find this one? Is this secret xor string always the same? And also about the converter table that you have put as a reference. What did you base such a table on, because I have some other strings that aren't included in the table above like c4 or fe. I researched on the internet but I couldn't find a proper converter to help me out.

Hi all - Newbie to the forum so be gentle ... I just spent a week trying to beat the supervisor password on a pair of CF-52 Mk3's & this group was instrumental in being able to do so, Thank you all for contributing :) As a couple of posts have said, you can zero out the hash to clear the password - Here's what I did, all in software --- Read the BIOS, open with UEFITool NE & locate the password data with 'hex view' as per the OP's post - You'll see the offset for the password variable in the top left box - 0x1A43C in his pic. Now open the BIOS dump file with a hex editor (I used an on-line one) & go to the offset address - you'll see the raw variable data (the bytes in the 'Hex view' window) in the middle of a bunch of other stuff so be VERY careful ONLY to zero out only the 64 byte hash value & save the file. Go back into AMIWINGUI & open the newly edited file - check the hash is zeroed out and the rest of the Var entry is the same - then flash with 'NVRAM' & 'Do Not Check ROM ID' being the only options checked in setup & reboot the lappy when done - Password request when entering BIOS should be gone. I noted that the offset to the password is not consistent - The 2 CF52's I've done (both 2010 models) were different but the password was cleared without any problems that I can see so far ... Strange that they'd go to the trouble of a SHA-1 encrypted password & make deleting it so easy ....

userx14 commented Mar 21, 2020

@otorra14 The answer to your first question is in en4rab's post on Sep 3. 2019: Jetway leaked some source and a signing key on an unsecured ftp server about 6 years ago ( https://adamcaudill.com/2013/04/04/security-done-wrong-leaky-ftp-server/ ) the files were called cm013-org1.zip 013s.zip 016s.zip 018s.zip I think you can find them here: https://mega.nz/#!Oc8hHILZ!HgMIVBWRPyQFIpG4EqvYzEiB91gpedStB1iihGbphmY but they aren't terribly useful For the UEFI scancodes please refer to the section directly above the table in the first post from en4rab. This seemed promising repeated characters have the same value and gives a bit of a key to the mapping Some googling later about UEFI scancodes and i found this page: http://wiki.phoenix.com/wiki/index.php/EFI_KEY From this it seems the value is the offset into this enum so in the toughbook example 35 translates to EfiKeyD5 a second page I found gave the mapping from EfiKey to ascii: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

I got this encoded password 5B 8C B6 15 11 41 6C 59 C7 E5 22 53 7D 0E D8 5E 33 1B 8E 8D E9 87 44 16 9F 85 FA E1 55 12 B0 ED 0B 43 66 9E C1 78 1C 86 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B 5B A6 B6 41 11 FD 6C 05 C7 F8 22 DA 7D 8D D8 7D 33 EF 8E DF E9 97 44 39 9F 8E FA 7C 55 65 B0 35 0B FC 66 A1 C1 85 1C 92 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B . I did the xor of 5B 8C B6 15 11 41 6C 59 C7 E5 22 53 7D 0E D8 5E 33 1B 8E 8D E9 87 44 16 9F 85 FA E1 55 12 B0 ED 0B 43 66 9E C1 78 1C 86 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B with 5B A6 B6 41 11 FD 6C 05 C7 F8 22 DA 7D 8D D8 7D 33 EF 8E DF E9 97 44 39 9F 8E FA 7C 55 65 B0 35 0B FC 66 A1 C1 85 1C 92 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B . After xor I got this result 2a005400bc005c001d00890083002300f400520010002f000b009d007700d800bf003f00fd0014000000000000000000000000000000000000000000000000. Ignoring the 00 part 2a 54 bc 5c 1d 89 83 23 f4 52 10 2f 0b 9d 77 d8 bf 3f fd 14 this is my final one. Based on the table I could find these letters. Please let me know if this procedure is the right one to follow. Also if you could help me with the missing letters it would be very helpful. 2a is ' 54 bc 5c 1d is 2 89 83 23 is f f4 52 10 is z 2f is + 0b 9d 77 d8 bf 3f fd 14 is b

userx14 commented Mar 22, 2020

 @otorra14 your password is probably hashed, see the other posts here. You won't be able to find out what the password was, but you have the possibility to zero it out and flash the modified bios back.

vampel commented Mar 23, 2020

 @otorra14 i think will not work just like mine ;\ try zeroed like @benjaminRenz said 2a is ' 54 b bc ] 5c 1 1d is 2 89 5 83 9 23 is f f4 r 52 c 10 is z 2f is + 0b 7 9d 2 77 u d8 . bf empty 3f empty fd 14 is b

Anachem commented Mar 30, 2020

Hi, Friends, I have a Panasonic toughpad FZ-G1 ASBDXBA (mk1). Its BIOS is locked with a supervisor password. I can boot and use the system but can't change BIOS settings. So I tried to read the rom. I can't read the chip n25q128A with an Orange5 programmer. Do I need to scratch the pin8 print, as I see in the BenjaminRenz post? A high value resistor with pin8 to ground does the trick for reading the chip. Or are there other ways to reset the password? Thanks.

userx14 commented Mar 31, 2020

@Anachem It looks like your password is hashed, indicated by the spaces in between the output and it being 20 bytes long, f20012005700 ..., so there is no way to get the raw password, see: https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-3095306 According to my tests you only need to zero out one instance of the password string, but according to vampel zeroing out both instances works as well. But since I don't know what the second instance is (maybe some recovery image of the bios, not sure), I would recommend to only zero out the 64 bytes on the position described in my comment: https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-3219509 For flashing the image back please take a look at the post from Mark678: https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-3222826 Hope you get it working 👍

Anachem commented Apr 1, 2020

 Thanks to all contributors. After zeroing 64bytes password is clear.

paw2000 commented Apr 3, 2020

Hi, I find this very interesting. I have a custom bios from a cf-54 panasonic and have made a dump (desolder chip) and wonder if anyone can help me and see if it's possible to find the password or help me zero it. I am new to this and tried for myself but without any success. https://mega.nz/file/KloDSR4L#PtQ3rbZzVCZh4-f4bJdRUWJlikuFokQSOtCbQjEUOUM Best regards // PaW2000

@paw2000 Your bios seems to be a bit different 🤔, the bios tools do not have a separate data section for the AMITSESetup. I would guess that the password's hash is located at the hex offset: A32F3F to A32FBE. This seems to be the only string ending on the typical characters for the password. 5B71B65911C46C90C7F922A07D0FD856 33AC8EF4E9D144A19FABFA59550CB001 0B5B66E2C14C1C8A7716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B 5B8FB61211766CEFC76022E57D8BD8CD 33A68ECBE92344579FDDFAB255C4B009 0BA36681C1231C047716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B  There is another instance of this string at hex offset: A72F52 to A72FD1 I'm not sure which one you need to zero out, but zeroing out both will probably work. and tried for my self but with out any succses. Have you already tried this or what have you done so far? Good luck 😃

paw2000 commented Apr 4, 2020

 Hi Thank you for your fast reply, i have not done so much yet, i need to order some new chips before i start do some testing, do you know what type of chip it is? MX25L12835F is that the right one? Best regards //Peter

userx14 commented Apr 4, 2020

 @paw2000 Hi Peter, can't you recycle the chip you desoldered? What are the markings on the one you desoldered? Since the toughbook which I've been working on is an cf-53 I can't tell you which flash chip to use. I would recommend to get one with the same "device id" and obviously "manufacturer id". Make sure to get one with the same voltage as the one you are trying to replace. Greetings Benjamin

paw2000 commented Apr 4, 2020

Hi, Thank you, the original computer is fire damaged, and I wait for a used motherboard to replace the bios chip. This bios is a custom bios, and I can't afford to buy a new computer. I know the user password for it and was thinking it would be good to have admin also, but no need; this cf-54 bios has some special bit locker add-on to only work with this special hdd. I did damage the chip, I lost it on the floor and later found it under one of the legs of a chair, so I can't read it; hope I can read it from the chip on the other motherboard I am waiting for.. and when I read the chip the first time it was more than a year ago, and I do not remember what chip it was.. now during corona I started this old project again to recover my good old cf-54 :) Regards // Peter

Hi, thank you for sharing!! I was trying to get the password from a CF53, and I am stuck at the xor process. I am not well educated in this area and was trying before with brute force methods with no luck. Is there a way I can get help from you? I totally appreciate it! I think this is the string where the password is located: 4D45495F434635332D34000000000000 000000000800C502FF00000400180000 3542545341DE60014346353332534C5A 41434D008000A8FFA5144D45495F5F5F 4346000000000000000000000000E4E5 2800B200E2001E22009D051400100013

@adolf022 Hi adolf, are you sure you got the right NVAR entry? If your password is encoded in the same scheme it would have "4F B1 AA 44 05 D8 60 6B" at the end. I would guess that that's the wrong nvar variable as the xored password would probably not contain "CF53" in plain text. Could you please check the following things: You are using alpha 57, have you also tried the older alpha 51 version of uefi tool? The newer one did not show the right nvram variable for me. Is the key named AMITSEsetup? (can't tell because that column is not visible in your screenshot) Is the GUID = C811FA38-42C8-4579-A9BB-60E94EDDFB34? Greetings, Benjamin

 @adolf022 Hi Adolfo, just to clarify en4rab did all the hard work of finding the xor key and collecting the tools. Github releases does not do a particularly good job at presenting an overview of all available versions. Here is a link for the a51 release page Happy bios patching, Benjamin

Hi, I could find the key name and GUID finally, but I see some differences from what en4rab did, I am not sure if this will work anyways. Also after I want to see "Body hex view" it just shows 0000 all way down… and this is what I got with the "hex view" only. Should I try to XOR it? And that's the step where I am lost. I am sorry for the attached picture quality. Regards,

Ftmmsch commented Apr 29, 2020

 Hello, i am new - and no programmer. All, i could do, is to use afuwin and UEFI tool. I tried one advice from here: just to go on: Xor.pw. But there it ended. 1.) my english isn't perfect 2.) i didn't know exactly, what to paste there 3.) there are two inputs...... I am at my end - don't know what to do at all :-( I was stupid. Bought a BIOS locked cf-31 mk1 US version. Could someone help me plz. ? I really don't understand much..... Kind Regards

@Ftmmsch Hi Ftmmsch, after pasting your password into xor.pw I ended up with 56005e009100200085002a008200990038000f001800bc0056006f00e8007900160081004c00ab000000000000000000000000000000000000000000000000 This means that your bios is not storing the password in clear text or the uefi keyboard codes, but rather the hash of your password with which it checks the string you type in. There is no way to get back the password because calculating the hash of your keyboard entry is computationally fast, but getting back the password from a hash is computationally extremely slow. So like others your best bet would be to just zero out the section in the bios file, see the other posts above for details. Just to note, flashing a bios always has a risk involved (e.g. when there would be a power outage). Then the only thing to rescue the pc would be a hardware bios programmer. Do you really need the bios password? 3.) there are two inputs...... Do you mean on xor.pw? You have to paste your extracted password (ending on ... D8 60 DB) in the first slot and the key: 5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B from en4rab's post in the second slot. But now that's already done. I have tried to optimize this post for google translate, if something is not clear feel free to ask 😃 Greetings, Benjamin

 Hi, for the CF-31 mk1 you can use the AMI BIOS flash tool and make a dump. It will not be a full dump of the ROM but it is enough for removing the password. This requires that you can boot the computer to Windows, and the AMI tool, to read it, modify it and flash it back. I paid a guy to do this on my CF-31 mk1 and it worked perfectly.

Ftmmsch commented Apr 30, 2020

 @BenjaminRenz Thanks, thanks :-) About the "absolute necessity" to access the BIOS: 1.) WWAN is disabled 2.) I have installed Win 7 Prof 32bit already and would like to run XP Prof SP3 on the second partition. OK - there is an explicit SATA driver from Panasonic, which I have to install first - by using my floppy drive. It would be handy if I could try to make changes after installation. The better way is to format again (Aua ha) and install XP first....... Whatever.... (I hate every Windows later than XP.) And about Windows 10? - not possible on my mk1..... That the password isn't stored in clear text, I noticed a few times in other forums.... (hope dies last :-) I took note to be careful about making changes such as - for example - zeroing out. I am certainly no expert. (Of course not - as a heating installer, LoL) Someone told me that it is possible that Panasonic stored a password on the board, which will be automatically activated when unauthorized changes are made. Sounds a little bit military to me. But IF so, then there is no more access possible. Here in Switzerland, I phoned Panasonic. They told me that there will be no way - except changing the motherboard. They said that it must be sent to Panasonic UK ?? (whatever..) There, they change my motherboard. (or they aren't stupid and just make money the easy way :-)

Ftmmsch commented Apr 30, 2020

 About: in the first NVRAM AMITSESetup. There is another AMITSESetup in the second NVRAM - does it have to be the one in the first NVRAM? IF I (am so stupid to) try out "zero out", do I always have to take the one in the first NVRAM? The second AMITSESetup looks a bit different.....

paw2000 commented Apr 30, 2020

 I think I still have the original and modified ROM files, I can compare them and see where he removed it; the problem is I am home and will be back at work on Monday.

Ftmmsch commented Apr 30, 2020

 Back again - due to the fact that I flashed, at least not in a wrong way :-) As long as I can remember, I was always prepared to take risks - even when I wasn't sure about what I was doing exactly :-) I am not sure about the flash I did. Maybe there are settings which are necessary for me? The only setting I chose is "Do not check ROM ID" - because I noticed it here in this thread :-) Can someone give me advice about the settings I need? I won't stop trying - if it all goes wrong.... I can live with it :-) Still have my CF-19

Ftmmsch commented Apr 30, 2020

 Btw: is it generally possible to flash using afuwin.exe? Or do I have to flash via the DOS command line? Sorry that I don't know much about programming......

Ftmmsch commented Apr 30, 2020

 Yeah, yeah..... just saved the running ROM file and looked into it: Nothing changed :-(

 Many thanks! To all of you! Did it - now I am in an U N L O C K E D BIOS! Password is GONE! Thank you Thank You Thank You! I used a hex editor to zero out the identified block - saved it - ran it. First tried it with the wrong setting - because the ID was wrong. Unchecked it - Boom! Now I am in my BIOS! 1.) 4 years ago, I bought this CF-31 mk1 from a US eBay seller. He told me beforehand that the BIOS is locked and the password is lost. 2.) Also, he told me that he can't install XP on this notebook! We'll see! I'll tell about that here next week! 3.) Panasonic - both in Switzerland and Germany! - told me that it is NOT possible! - Mainboard has to be changed! 4.) In threads from Bob Johnson, Bob said that it is NOT possible! - he would rather like to know about it - if possible! Many thanks to all of you! By accident, I found this thread weeks ago. But I thought: "come on - this is a magic number for you - you'll never understand". But because I was always inquisitive, I didn't stop and tried to understand this stuff. "Cordial thanks!" to Panasonic! (embarrassing, embarrassing!) (the e-mail that goes to Panasonic next week...... will be a scorcher!) Btw, before I forget it: @en4rab: where, or how, can I support your work (or this domain?) I appreciate all the work that's done here! This can't be for ZERO - the only zeros should be used for flashing! Damn it - am I happy! - searched for that problem frequently - over 4 years...... Btw: not only thanks to "en4rab" - greetings to Baden-Württemberg as well (Shit! - about time for a German keyboard :-)

Ftmmsch commented Apr 30, 2020

 BIOS is U N L O C K E D now! Checked the file "zeroed" in hex - password section was deleted - flashed - done. But not the first time! - I had to change the settings in afuwin to All / main and "uncheck BIOS version". OK, it was risky - but that's ME :-) Thanks to all of you! Btw: Panasonic Germany and Switzerland both told me that it isn't possible! It has to be sent to Panasonic UK - there, they have to change the motherboard! What should I tell them? - although I am just a normal ordinary heating engineer - that I just did it? The US Toughbook eBay seller told me the same! Not possible! Anyway: many thanks to en4rab and all others! Notice: I need to know about support for en4rab - or at least for this forum! The help I found here can't just be for zero - the only zero here has to be qualified for use in a hex editor! LoL

 A still existing problem: installation of XP SP3 on my machine - which has Win 7 Prof already installed. If this forum here doesn't want to support this - please tell me - I would search in other forums for that! As it says in the download section from Panasonic, a special SATA driver on floppy is needed; but this actually is for a "clean install". My problem in understanding is: in case of a clean install, I could change the BIOS setting for HDD support from AHCI to compatible. In which case, or order of installation of a dual system, do I need to change it? I mean, when I can change to "compatible" - what do I need this driver for? The only thing I know is: I noticed in a forum that installing XP first is the wrong order.... But I don't want to uninstall my running Win 7 Prof... OK - I can use EasyBCD to change the boot record if it is changed by XP. But still, I don't know how to make NO mistakes - due to the already installed Win 7 Prof. If I try it - with Panasonic's SATA driver - to install XP as second OS: should I just leave the SATA BIOS setting as it is - on AHCI? Sorry for those bothersome questions....

Wasmachineman-NL commented Apr 30, 2020

 What you need are AHCI drivers for the 5-Series Chipset: https://www.win-raid.com/f23-Specific-Intel-AHCI-RAID-Drivers.html

 (edit removed, got confused by mails being embedded into github comments, seems to be a new github feature) @Ftmmsch just write a mail to appswert (at) gmail.com so I can reply by mail, since I don't have your email yet .

Ftmmsch commented May 1, 2020

 Hello Benjamin, thank you :-) The thing with the boot password is clear. I was a bit scared of that too. But nothing can happen in that case, can it? It just won't work then? Btw, boot password: could one tell from a saved ROM file whether a boot password is set at all? Not change it - but could it possibly be detected? Regards, Lothar

 @BenjaminRenz commented on this gist: Hello Lothar, there seems to be a used one on eBay for about 25€, which can be found with the search term "Panasonic Toughbook CF-31 Tastatur". You could check whether the connector looks the same. In general, spare parts for the Toughbooks are rather expensive and hard to find. My CF-53 was missing the proprietary SATA adapter, which I had to reorder from China. It took two months, but back then it was the only available offer. Maybe keyboard stickers would do as well? That would probably be much cheaper, they just don't last forever. I have also come across various offers for unlocking by swapping the BIOS chip; I would claim that something like that can work too. On some Toughbooks a boot password is also set, then you have no chance of flashing the BIOS from Windows. I would refrain from contacting Panasonic, or they might end up motivated to protect the BIOS better 😁. Best regards, Benjamin

userx14 commented May 1, 2020

 @adolf022 Sorry I am not able to see your picture, something seems to have gone wrong when embedding it into this gist. "I could find the key name and GUID finally, but I see some differences from what en4rab did, I am not sure if this will work anyways. Also after I want to see "Body hex view" It just shows 0000 all way down.… and this is what I got with the “hex view” only. Should I try to XOR it? And that’s the step where I am lost. I am sorry for the attached picture quality." Small differences are to be expected, the GUID I found on the cf53 had some extra bytes in the beginning. There is a possibility that there are multiple keys which have a similar name, only one of them will contain the typical passwords (identifiable by the constant end bytes ..AA 44 05 D8 60 6B). So the nvar which is completely empty (filled with zeros) is probably not the right entry. Have you tried searching for AMITSEsetup and what results have come up? Could you share your bios file or a screenshot of the key you think is the right one? What subtype is the key you have? (Link, Data) Is there an option "Go to data" available? As a last resort, if you are unable to find it with uefi tool you can always try to find the byte sequence with a hex editor, it will probably also appear at multiple locations. Good Luck Benjamin

 @Wasmachineman-NL On Panasonic's site, I downloaded here, in the section for my XP SP3: https://pc-dl.panasonic.co.jp/dl/search?q=&button=&dc%5B%5D=002001&p1=117&p2=1170047&oc=001018&lang=007 At point 16, there is the notice about the SATA driver. Here is the instruction for this section: https://pc-dl.panasonic.co.jp/dl/docs/017675?sri=14760141&trn_org=5 Which leads to the driver: https://pc-dl.panasonic.co.jp/dl/search?q=&button=&dc%5B%5D=002001&p1=117&p2=1170047&oc=001018&lang=007 Anyway: I'll have to wait until Saturday for my floppy, which I found here in Switzerland. My own is in Germany. I'll try it (as usual :-) Based on my actual configuration, I think that the best way is to leave the AHCI settings as is: on AHCI and NOT "compatible" - I'll see :-) Anyway: I'll take a look at your link - thank you for that :-)

 @Wasmachineman-NL Yep - this advice I found weeks ago in fernando's thread. But after I found the specific driver and instructions in Panasonic's section for my XP Prof SP3, I decided to try it this way. OK - can go wrong - I know - but as usual, I like it risky :-) Last but not least, I'll have to change the boot record..... LoL (if I do it later too :-) Btw: if I would like to do it with nLite, I have to use an untouched OS from XP. I have one - but it's very old, and certainly not a DVD-RAM! RAM can last 30 years at least - but the old DVD? :-) It is 14 years old... Anyway: I have a slipstreamed XP Prof SP3 - burned on DVD-RAM - and would like to try this one first - at my own risk of course :-) (against all advice from skinned IT people :-) I'll never change :-) I am 61 years old and..... "what little Hans doesn't learn, Hans will never learn" LoL

userx14 commented May 1, 2020

 @Ftmmsch What about using windows xp in a virtual machine or do you need access to special hardware components? If your cf31 has the i5-520M, it would have support for VT-x and virtualisation. And please backup your win7 data before you start with any MBR tinkering, getting a Windows system with a destroyed MBR repaired with the onboard tools is a very work intensive process (Guess how I know).

Ftmmsch commented May 1, 2020

 @BenjaminRenz Yes - indeed. I need access to special hardware (critical) components and software, which run only on XP SP3. To destroy the MBR wouldn't be that much of a problem :-) Because I have just installed a fresh Win 7 Prof. There's almost nothing important on it - already saved everything :-) On my CF-19, I ran a VT - before I installed XP in a dual installation. Not mine - VT

Ftmmsch commented May 1, 2020

 @en4rab couldn't thank you personally, don't know how to contact you directly. Great work you've done! - this helped me to go on with my (previously :-) BIOS-locked CF-31. Step by step, I went through all of this. I am impressed by people like you. Regards Lothar

Ftmmsch commented May 1, 2020

 Just got the floppy drive from Swiss Post. I'll try it out, to install XP SP3 - whether it's actually NO clean install :-) I'll be back later :-)

Ftmmsch commented May 22, 2020

 So: made many mistakes.. Used an older slipstreamed DVD-RAM on/for my CF-31 - which was made for the CF-19 (shaking my head :-) Created the CF-31 slipstream under Win 7 (a long time ago, Microsoft warned about doing this under Vista). Slipstream with SP3 for the CF-31, which includes the original "clean install" driver, didn't run - many problems. CF-31, respectively Microsoft, had problems with some driver - mouse always ran to the right corner. And so on and so on.... Finally, just took my old XP Prof. SP2, added the driver with nLite (without SP3). Installed it - could not start up correctly. Installed the SP3 network ISO in safe mode... Now it's running - don't know exactly what the problem was. What I DO KNOW! I'll never again try all those advices for boot problems after / during dual install of Win 7 + XP! I found out that the very easy and uncomplicated way is: If Win 7 is already installed: stop system restore --> defrag --> clean the drive --> run GPARTED Live to create a second partition.
 1.) If it's clean: just run GPARTED Live and create 2 partitions
 2.) Install Win 7 first! Believe me! - NO problem!
 3.) Install XP
 4.) If XP is correctly installed --> just take your Win 7 DVD --> Restore Options --> System repair -- Done
 5.) Win 7 is showing up again in the boot order - everything is fine
 At least, this is what I found out - after many versions, like EasyBCD and more - I don't need it this way

iwanator commented May 25, 2020

 Gentlemen, I'm also stuck in this topic, could any of you help me decipher my password, Thank you for all the help

Ftmmsch commented May 25, 2020

 Hi, on the right you have to use the hex editor! EXACT! the whole area - except for the point you see below! - Mark and fill with zeros - or: "zero out". Then it is deleted - or replaced by zeros. Attention! VERY ACCURATE! And regarding the point at the very end! Enrab had mentioned that too! I excluded him because Enrab - I think - thought that he was NOT one of them. It's best to search for what he writes about the point on the site. In any case, I EXCLUDED him! My box was then freed from the password :-)

iwanator commented May 25, 2020

 you replaced the password with zeros yes and you won this edited bios, and what program did you use to upload the bios?

Ftmmsch commented May 25, 2020

 Just take a look above: You'll need exactly these settings! If you don't uncheck at: "Do not Check ROM ID" it will fail. https://user-images.githubusercontent.com/64559832/80721929-55874780-8aee-11ea-845f-f495b9d34ebd.png

Ftmmsch commented May 25, 2020

 CLOSE all applications! - close ALL windows! Be sure that your adapter has power! Anyway! I would make sure of a full battery! In case of power loss in your home, you'll still have power! Maybe you have to set the "UAC" (User Account Control) to the lowest level. Leave it at this level until the PC has restarted. I would deactivate all network connections! - So that no process can suddenly do something! I know that from - for example - Outlook! Just close all running programs! The flash progress may NOT be interrupted! I would copy the picture above to your desktop - compare the settings --> if OK --> close the picture and go on. Run "AfuwinGUI.exe" --> Click "Open" --> load your edited/changed ROM file --> above, in "Setup", you compare the settings exactly, as shown in the picture! --> above, you go to "Progress" --> down, you click on "Flash" --> you can watch the progress --> do nothing before it has ended! Restart --> have fun with your free BIOS :-)

iwanator commented May 25, 2020

 Unfortunately, I don't know exactly which lines to replace with zeros I wouldn't want to type it wrong

userx14 commented May 25, 2020

 @iwanator I'm not sure how it works with uefi tool a57, but with a51 you have an additional information box which tells you the offset in bytes from the beginning of the bios file. I saw one screenshot from a57 with that information too, so there should be a way to enable this output somehow. For editing the bios you can use a hex editor of your choice. If you are unable to find the right offset you can also try to search for the byte string that your password is, and find the position in the file that way. Some users have reported that there are two matches in the file and that it seems to work to zero out both. Then you just overwrite the 128 bytes = 2 x (64 bytes for each password) with zeros, check that they contain the bytes that uefi-tool displays as your password. If you are not sure you could send a screenshot in which you highlight the bytes you would plan to zero out. Then, as Ftmmsch has already written, you can flash back the file with afuwingui and the settings described above. Or take Ftmmsch's offer to take a look of course :) If you have any question, feel free to ask. Good luck, Benjamin

xyberdan commented May 25, 2020

 Can anyone help me to retrieve password from CF-31(CF-31WEUAEM2) BIOS dump? I do everything according to the instructions and nothing comes out. Maybe I do something wrong.. I don't know. Dump file: https://mega.nz/file/z4cVBIaD#pPqo8d8dn2hn8VhYbJD-L7xBnRo2xZQpp_nFrpy-hUY Best regards, Dan

Ftmmsch commented May 25, 2020

 OK - I'll do it for you. Please give me a day or two. When I am ready, I'll send a drive.google link. I'll change the name to: edit-Dan-CF-31.rom Regards

xyberdan commented May 25, 2020

 @Ftmmsch , I did it! :) The first time I incorrectly edited the BIOS in hex editor. In BIOS dump, section related to password occurs twice. So I've filled this sections with zeros, save image, run FreeDOS and AFUDOS app with command: afudos bios_file.rom /an and password is gone :)

Ftmmsch commented May 26, 2020

 Hi Dan, you could have sent me an e-mail! Because, i found out exactly, what you did wrong! I edited it. But, as i can see - I can delete it, because you don't need it. Regards

Ftmmsch commented May 26, 2020

 @ Dan: As I could see in the file: You edited it before you sent it to me! Next time, please tell me about those "facts". Regards

Ftmmsch commented May 26, 2020

 Btw: I helped another one with his BIOS file and noticed the same: already edited the file and didn't tell me about that. In my opinion, that is a little bit unfair. Because then it's always possible that it fails - because it was edited before I did. And after all, it looks like "Ftmmsch" made this mistake. Regards

Ftmmsch commented May 27, 2020

 @benjamin Renz do you know about the settings of the hex editor? A friend asked me about that. He told me that he could just fill it with zero - the main option. And down below, there is an option: "zero-bytes". I told him that he has to use the normal way and not use "zero-bytes". I just told him that because I really don't know about the possibility of damaging the ROM file by using "zero-bytes". Wouldn't "zero-bytes" just "kill" this section - instead of replacing it? For those who are reading this here - about "zero-bytes"! DON'T use this option until it's CLEAR what that means, respectively what happens! Just use the normal way - without extra options! @benjamin Renz Is there a way here to send private messages? If every message is posted here - like before - it doesn't look very good :-) Looks like "Junk" :-)

Ftmmsch commented May 27, 2020

 Sorry - found it

Ftmmsch commented May 27, 2020

 @Anachem You wrote: "Now ready to zero the bytes in two instances of password string and update the rom." Please be aware! Others could also interpret this as "zero-bytes"! I think that you just did zeroing / zero out - but did NOT use the additional setting "zero-bytes"! I am afraid that using the additional function "zero-bytes" can damage everything! As long as no one can give a clear statement about HEX editor --> "zero-bytes": DON'T use "zero-bytes"! Just zeroing / zero! Hope that nobody is angry about this post. Ftmmsch

userx14 commented May 27, 2020

 @Ftmmsch I guess github does not have an option for private messages, and yes, I also see the problem that this thread gets quite cluttered. You could write me an email (appswert (ät) gmail.com). I'm not sure which option you mean by "zero-bytes", which hex editor did you use? Maybe you could share a screenshot which shows which option you mean. I'm using HxD.exe which only has an option called EDIT->fill selection, do you refer to something like that? I'm not aware of any special "zero-bytes", just replace the value of the bytes in which the password is stored with 0x00 and it should work. Have you tested what your "zero-bytes" option does to your file? Or any other short test file? Greetings Benjamin

Ftmmsch commented May 27, 2020

 Hi Benjamin, No - I didn't test it :-) Because, after a test like this, my lappy could have gone over the wupper :-) defective :-) When I am at home, I'll make a screenshot. Regards

 Here about the settings, i used in the Hex Editor: Btw: Yep! - that's what i thought! Therefore, a few minutes ago, i switched from XP Prof. to Win 7 ! NOT ! possible, to upload images from Chrome or Chromium - which are running under XP !

userx14 commented May 28, 2020

 @Ftmmsch "Vorgegebene Löschverfahren" (predefined methods of deletion) are just shorthands to define "Durchläufe" (cycles). You will see that if you click on "DoD Sanitizing", there will be three cycles, where the last one will just fill in random data. I think the name DoD Sanitizing is referring to this deprecated method of deleting data on HDDs by the US Department of Defense: "The 1995 edition of the National Industrial Security Program Operating Manual (DoD 5220.22-M) permitted the use of overwriting techniques to sanitize some types of media by writing all addressable locations with a character, its complement, and then a random character. This provision was removed in a 2001 change to the manual and was never permitted for Top Secret media, but it is still listed as a technique by many providers of the data erasure software." If you press on zero bytes again, it will delete those cycles and replace them with one cycle which overwrites the bytes in the selection with 0x00, which is exactly what you want. A cycle which overwrites the data with zeros seems to be the default selection, so clicking on "zero bytes" will not make a difference when you have just opened the "fill selection" dialog. So the conclusion is: don't use "DoD Sanitizing", you don't want to have random data, you want zeros there. Also don't press the delete key on the selected bytes, as that will just truncate the file. Pressing the zero key (probably gets tiring quickly), or selecting the section of bytes and using one cycle of overwriting the bytes with zeros, which is equivalent to pressing the "Nullbytes" button, will work. At least on win10 HxD also displays the changes in red, so you can see quite well what you are about to change. Hope that this clears up the confusion. Greetings, Benjamin

Ftmmsch commented May 28, 2020

 @BenjaminRenz Thank you "Maybe someone wil clarify us here" - has thus done :-) Speaking of: "displays the changes in red" I hadn't changed anything in the picture yet, so he's not showing it in red yet. What I did wrong in this "example" from my point of view: It could be irritating to the viewer that I just chose a random and completely irrelevant area. An accurately recorded, relevant area would have made more sense at this point.

Ftmmsch commented May 29, 2020

 About the settings in MY hex editor, I got an answer from the owner of my hex editor: https://forum.mh-nexus.de/viewtopic.php?f=7&t=1097&p=3417#p3417

FoRcEdOnLiNe commented Jun 3, 2020

 Hello, Need help with correct settings for AFUWINGUI I’ve seen different items selected on the many pics above. My flash keeps failing I’m using windows 10.

Ftmmsch commented Jun 3, 2020

 @FoRcEdOnLiNe If you like, I'll do it for you: Please go to my profile - there you'll see my e-mail address. If you send me your saved ROM file: Please send me an UNTOUCHED one - if you still have one! You know about the settings you need for flashing? - for example: "Do NOT Check ROM ID" etc.? (If you don't check this setting, nothing will be damaged - it just doesn't work - it will fail) Regards P.S. if you're quick - I'll do it tonight :-)

Ftmmsch commented Jun 3, 2020

 Please click on my profile! Then you will see my email address! The conversation via github is very annoying! Then I can work directly via Outlook! You're welcome ! Click on "Profile" = email address. Send me the file by email - done. Thank you :-)

 Hi @FoRcEdOnLiNe, your modification of the ROM file looks good to me. As @Ftmmsch already noted, the problem seems to be your settings of AFUWINGUI. Can you share your current settings and the precise wording of the error? If you can't get it to work with the Windows utility, there is an option to use a FreeDOS USB stick to flash the BIOS. But the Windows utility is probably easier to use. Be careful, flashing an invalid ROM image might soft-brick your device. Greetings, Benjamin

FoRcEdOnLiNe commented Jun 3, 2020

 I’ve tried checking nvram and do not check rom id, checking main bios image and do not check rom id, checking everything, and all of these with unchecking do not check rom id. I can remember offhand the exact message but I believe it was a problem with writing and 3 squares remained white. I’m using Windows 10 64bit and 64bit of the afuwingui. The message also reads don’t restart the computer until a successful flash is done but it appears there's no actual effect to the computer.

userx14 commented Jun 4, 2020

 Some stuff you could try: Have you checked if your modified BIOS has the same number of bytes as your modified image? Does writing back the original unaltered image work? And I forgot to ask, which laptop model do you have?

FoRcEdOnLiNe commented Jun 4, 2020

 I tried the original file and received the same error, CF-31 MK3, I don’t know what you are referring to regarding the comparison.

 The comparison would only be interesting if flashing the original image would have worked. Just to check that you have not accidentally altered the length of the file. Have you tried only writing the nvram section/block? I would guess, because the password is in the category nvram variables, that writing back only this section should be sufficient. But I have to admit that I have not tested that myself. Or if that fails too, you could look up the procedure for flashing AMI BIOSes with FreeDOS and try it that way.
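The length comparison described above, extended to the two other slips mentioned earlier in the thread (random fill instead of zeros, edits in an unrelated area). This is an added example, not code from the gist or its commenters; the 0x100-byte window after the `AMITSESetup` name is an assumption and the sample image is constructed.

```python
import sys
from pathlib import Path

# Constructed sample image (not a real dump): padding, a name, 32 data bytes, padding.
SAMPLE = b"\xff" * 64 + b"NVAR" + b"AMITSESetup\x00" + bytes(range(1, 33)) + b"\xff" * 64


def diff_ranges(original: bytes, modified: bytes) -> list[tuple[int, int]]:
    """Half-open (start, end) offset ranges where two equal-length images differ."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(original, modified)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(original)))
    return ranges


def marker_offsets(image: bytes, marker: bytes) -> list[int]:
    """Offsets of every occurrence of the variable name in the image."""
    found, pos = [], image.find(marker)
    while pos != -1:
        found.append(pos)
        pos = image.find(marker, pos + 1)
    return found


def check_edit(original: bytes, modified: bytes,
               marker: bytes = b"AMITSESetup", window: int = 0x100) -> list[str]:
    """Return a list of problems; an empty list means the edit looks sane."""
    if len(original) != len(modified):  # e.g. bytes deleted instead of overwritten
        return [f"length changed: {len(original)} -> {len(modified)} bytes"]
    problems, names = [], marker_offsets(original, marker)
    for start, end in diff_ranges(original, modified):
        if any(modified[start:end]):  # random or pattern fill instead of 0x00
            problems.append(f"0x{start:X}-0x{end:X}: non-zero bytes written")
        # window is an assumed bound on how far after the name an edit may reach
        near = any(n + len(marker) <= start and end <= n + len(marker) + window for n in names)
        if not near:
            problems.append(f"0x{start:X}-0x{end:X}: not next to {marker.decode()}")
    if marker_offsets(modified, marker) != names:
        problems.append("variable name itself was altered")
    return problems


if __name__ == "__main__":  # usage: python check_edit.py afuwin.rom edited.rom
    original, modified = (Path(p).read_bytes() for p in sys.argv[1:3])
    for line in check_edit(original, modified) or ["edit looks sane"]:
        print(line)
```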

userx14 commented Jun 4, 2020

 Well, it looks like it can't properly erase the flash, so I would recommend you try either afudos or afuefi. Option 1, afudos: for the first one you need a FreeDOS USB stick, your BIOS and the afudos utility. For the FreeDOS USB stick see here. I'm not sure if you can still download the afudos.exe from AMI directly, but there are probably a lot of rehosts out there. For a command reference of afudos see here. Option 2 would be afuefi, but in order to use that your BIOS must offer a boot option called efi-shell. I'm not sure if the CF-31 mk3 already supports that. If one searches for this error, then it is caused either by some write protection or it is a software problem which is normally fixed by using the DOS version. I would guess that afudos would at least report a more detailed error message if write protection were in place.

Ftmmsch commented Jun 4, 2020

 Hi, There were other sections. If it is not a single section, these are immediately after the first part. The UEFI tool is actually not required. Attention! To be on the safe side, make a copy BEFORE editing the ROM file! for yourself - or for others!

 1.) Open the ROM file with the HEX Editor.
 2.) set the file so that it is at the beginning.
 3.) In the search: Enter "AMITSESetup"
 4.) Search direction: "All"
 5.) Search
 6.) Search further

 Does the area look as if there are two almost identical sections in a row: BOTH zeros. From the beginning of the first part: bracket "[" By the end of the second part: "k" ! Let .NVAR stand! Have fun with the now accessible BIOS :-) P.S.

Ftmmsch commented Jun 4, 2020

 Sorry - I have "wrongly" judged the last case here! Sections were still present that were not "zeroed", but this should NOT lead to the flash process failing ... That would have to flash - only the BIOS would still be locked. P.S. Sorry for my "misjudgment". The following also applies to me: "Those who can read have a clear advantage"

FoRcEdOnLiNe commented Jun 4, 2020

 How do I proceed with the dos version? I created the usb stick

FoRcEdOnLiNe commented Jun 4, 2020

 It did not work, it’s the same outcome

Ftmmsch commented Jun 4, 2020

 Did you get my message? - about flashing via USB? https://www.win-raid.com/t286f16-Guide-Deprecated-Flashing-modified-AMI-Aptio-UEFI-using-AFU.html In there, he warned about using Aptio 4 - don't know if it could be the reason for Error 43.... and my advice, to try it with Aptio 5 (V)? You did it with 4? Here is my link to the original AMI 3 + 4 + 5 + HEX: https://drive.google.com/file/d/1pSgb0q7STpvHuc4lBXjWz4ULIO9oa5RR/view?usp=sharing You could try my edited file one last time - using Aptio 5 (V)

FoRcEdOnLiNe commented Jun 4, 2020

 I haven’t tried I don’t know how to proceed that way

Ftmmsch commented Jun 4, 2020

 @FoRcEdOnLiNe what exactly do you mean with: "I haven’t tried I don’t know how to proceed that way"

Ftmmsch commented Jun 4, 2020

 @FoRcEdOnLiNe which version of Aptio - AfuwinGUI.exe - did you use ?

Ftmmsch commented Jun 4, 2020

 @FoRcEdOnLiNe Does your PC support both? Legacy BIOS mode and UEFI mode? I don't know much about that, because I don't know anything about Windows 10. Anyway, to find out: On Windows, “System Information” in Start panel and under BIOS Mode, you can find the boot mode. If it says Legacy, your system has BIOS. If it says UEFI, well it's UEFI. Alternative: If you are using Windows 10, you can check whether you are using UEFI or BIOS by opening File Explorer and navigating to C:\Windows\Panther When you tried to flash, did you: run from an administrator account? Exit antivirus? Stop all network connections? Set the "UAC" (User Account Control) to the lowest / deepest setting?

FoRcEdOnLiNe commented Jun 4, 2020

 Aptio 4 x64

FoRcEdOnLiNe commented Jun 4, 2020

 What the process

FoRcEdOnLiNe commented Jun 4, 2020

 I presume it can do both I’m not sure I did not run as the administrator i did not turn off the windows antivirus, I just got finished installing a fresh copy of the factory windows 7 32bit version to try again. I don’t know how to use free dos but I do have a copy of the afudos but it only supports 32 bit hence the reason I installed a 32 bit version of windows 7

userx14 commented Jun 4, 2020

 And first try running the Windows version with administrative privileges if you have not done that so far.

FoRcEdOnLiNe commented Jun 4, 2020

 I created the Rufus USB stick using the link you gave, do I just put the afudos and bios file on the USB stick?

Ftmmsch commented Jun 4, 2020

 @FoRcEdOnLiNe Does your PC support both? Legacy BIOS mode and UEFI mode? I don't know much about that, because I don't know anything about Windows 10. Anyway, to find out: On Windows, “System Information” in Start panel and under BIOS Mode, you can find the boot mode. If it says Legacy, your system has BIOS. If it says UEFI, well it's UEFI. Alternative: If you are using Windows 10, you can check whether you are using UEFI or BIOS by opening File Explorer and navigating to C:\Windows\Panther Did you try it with the AfuwinGUI.exe from Aptio 5 / V - x64?

Ftmmsch commented Jun 4, 2020

 https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode

 commandline: reg query HKLM\System\CurrentControlSet\Control /v PEFirmwareType

 | Return code | Firmware mode |
 | --- | --- |
 | 0x1 | BIOS |
 | 0x2 | UEFI |

 I think you could just run regedit and search for the Key: HKLM\System\CurrentControlSet\Control /v PEFirmwareType

userx14 commented Jun 4, 2020

 > I created the Rufus USB stick using the link you gave, do I just put the afudos and bios file on the USB stick?

 Yes, it should be that simple. Just make sure that your bios file and the folder you can optionally create do not have a strange name, like special characters or commas etc.

Ftmmsch commented Jun 5, 2020

 Found USB flash files in my chaos. HP tool and usbdos.zip. Should go relatively easily. I translated the old description (PDF) into English. The files are in the AMI folder. For the sake of simplicity, I stuffed EVERYTHING from AMI and shortened the names - would be too long. The Panasonic WMI tool is also included and a folder with files to start an OS from the USB stick. Here the link - is big - 43MB. https://drive.google.com/file/d/1tBySiSj74hu62RRhWvWFMHsi9CLHzg1G/view?usp=sharing

Ftmmsch commented Jun 5, 2020

 Btw: the Panasonic WMI Tool is a nice feature - but useless, if the supervisor password is unknown :-)

Ftmmsch commented Jun 5, 2020

 Notice - as described in the PDF from the USB BIOS flash folder, the files (usbdos.zip), which are copied with the HP tool to the USB drive, are "invisible" (hidden) :-) So don't delete them by accident :-) Just read - and have fun

Ftmmsch commented Jun 5, 2020

 So - I'd better go to bed for a few hours...... Good Night

FoRcEdOnLiNe commented Jun 5, 2020

 The computer didn’t boot from the dos usb

FoRcEdOnLiNe commented Jun 5, 2020

 And I got this message from aptio 5

userx14 commented Jun 5, 2020

 > The computer didn’t boot from the dos usb

 Have you already tested if the stick is bootable with a different PC? I'm not sure which features your BIOS has and if you are able to change them without an Admin password, but here are some options to check:

 - disable Secure Boot
 - enable CSM, sometimes called legacy boot
 - obviously change the boot order

 So please let me know if it works on a different PC and if you are able to change those settings. AFUWINGUI seems to indicate your BIOS is an Aptio 4 one, so try afudos 5.05.X first.

Ftmmsch commented Jun 5, 2020

 A note regarding my "USB BIOS Flash" in my AMI folder: The HP format tool is NOT compatible with Windows 10!

Ftmmsch commented Jun 5, 2020

 Btw: What I have in my folder is exactly the same software as from here: https://www.biosflash.com/e/bios-boot-usb-stick.htm This site is in English and German

Ftmmsch commented Jun 5, 2020

 Whereby I am now wondering how the flashing should work via USB stick ... If due to the locked BIOS no boot order can be made ....

 If you have nothing of importance on your HDD, or if you've got a spare one, you could hook it up to another PC and install FreeDOS there. You probably have to bypass some sanity checks of Rufus, which will obviously try to save you from overwriting an HDD. The last option would be to use a hardware flasher like a CH341A, which you can get for ca. $10, but this is always more risky than doing it the software way. And such a BIOS flasher from China might take a while in the current situation.

userx14 commented Jun 5, 2020

 It would be a bigger problem if you can not disable secureboot or enable csm, as freedos still relies on legacy bios features and will not start with efi or uefi.

FoRcEdOnLiNe commented Jun 5, 2020

 The USB works but the BIOS is locked, therefore I cannot boot from USB because that requires it being selected in the BIOS. Afudos installs but doesn’t open on any of my systems, which leads me to believe it was intended for USB flash. If others here have a CF-31 mk3 or higher and were able to do it then I should too, it’s a matter of me figuring out why it’s not working

FoRcEdOnLiNe commented Jun 5, 2020

 Could a DOS HDD Work?

Ftmmsch commented Jun 6, 2020

 You got my last mail. But before you try anything else: did you try to find out about your settings? "Systeminformation"? "Ms32Info.exe"? At least, to find out about BIOS, EFI etc. You didn't answer about that.

FoRcEdOnLiNe commented Jun 6, 2020

 I have to check but I believe it’s bios based but supports UEFI it reacts differently when 10 is installed