@en4rab
Last active April 16, 2024 22:18
Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

A mess of my own making

While messing with a CF-U1 handheld PC that I bought off eBay I managed to mess up the BIOS, and it seems it reverted to previous settings which included an unknown BIOS password; it would however still boot into Windows. Since I could still boot Windows I was able to dump the BIOS flash using AFUWINGUI.EXE. The version I used was 3.09.03.1462, which is available here:
https://ami.com/en/?Aptio_4_AMI_Firmware_Update_Utility.zip

There may be a more appropriate version to use, as this one seemed to have trouble checking the BIOS version when flashing, but it did work if you selected "Do Not Check ROM ID". Flashing isn't needed to get the password anyway.

Dumping the flash

Run AFUWINGUI.EXE and at the bottom of the "Information" tab click the Save button to make a backup of your BIOS; the default name is afuwin.rom. Now open this saved image with UEFITool_NE, available here:
https://github.com/LongSoft/UEFITool/releases

I used UEFITool_NE_A51_win32.zip; later versions should work fine. The new engine (NE) version seems to deal with AMI's odd NVRAM format better.


Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data. There will be others with subtype Link; these are older, no longer valid entries, a consequence of the odd way AMI NVRAM works. If you find one of these, right click on it and select "Go to data" and it will take you to the actual data entry.
Now right click and select "Body hex view" and you should see something like:

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A  {.”¦.:)ÍÒ`.ô\‡í.
0050  07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35  .®®AÜÔ.h«ûú.U¢°5
0060  0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0  .Éf\Áï.ƒw.Ò©-=ˆÐ
0070  E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B  ãc>÷™Šô.O±ªD.Ø`k
0080  01

In this dump the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password, and 0x80 is the quiet boot flag.

1337 encryption

The password is obfuscated using super secure XOR:

VOID PasswordEncode( CHAR16 *Password, UINTN MaxSize)
{
    UINTN        ii;
    unsigned int key = 0x935b;

#if SETUP_PASSWORD_NON_CASE_SENSITIVE
    // Case-insensitive builds fold a-z to A-Z before encoding
    for ( ii = 0; ii < MaxSize; ii++ )
        Password[ii] = ((Password[ii]>=L'a')&&(Password[ii]<=L'z'))?(Password[ii]+L'A'-L'a'):Password[ii];
#endif

    // Encode the password: character ii-1 is XORed with key*ii; the CHAR16
    // cast keeps only the low 16 bits of the product, so the key stream is
    // 0x935b, 0x26b6, 0xba11, ... (fixed, no per-machine secret)
    for ( ii = 1; ii <= MaxSize/2; ii++ )
        Password[ii-1] = (CHAR16)(Password[ii-1] ^ (key*ii));
}

So XORing the above encoded password:

7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A 07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

with the key stream (key*ii for ii = 1..32, truncated to 16 bits and stored little-endian):

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

gives

20 80 22 80 16 80 45 80 15 80 38 80 21 80 35 80 34 80 20 80 35 80 4e 80 34 80 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Each character of the password is stored as 2 bytes, and as x86 is little-endian I'm guessing they should be read as 0x8020, 0x8022 and so on. I have no idea where the 0x80 comes from; possibly it is something to do with EFI_SHIFT_STATE_VALID. In this case the password was lower case; possibly the uppercase status is encoded in this byte too, but I have no idea as I haven't tested uppercase passwords.

WTF scancodes, how does this map to keys?

From the unobfuscated data you can see the password is 13 characters long. I'm going to ignore the 0x80 bytes, as I don't understand them :P, and just look at the others:
20 22 16 45 15 38 21 35 34 20 35 4e 34
They appear to be some sort of scancodes, although while googling this I found that some AMI BIOSes seem to use ASCII here, so you can read the password out directly as text, but not on this machine.
When this CF-U1 arrived from eBay it had a password which I successfully guessed as "toughbook"; my second guess would have been "panasonic", since using text written on the front of the PC as a password saves writing it under the battery cover :P
Looking through the older Link entries for the AMITSESetup NVRAM variable I found what I thought was the data for this password, which deobfuscated as above gave (ignoring the 0x80):

35 39 37 24 25 14 39 39 27
t  o  u  g  h  b  o  o  k

This seemed promising: repeated characters have the same value, which gives a bit of a key to the mapping. Some googling later about UEFI scancodes and I found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum, so in the toughbook example 0x35 translates to EfiKeyD5. A second page I found gave the mapping from EfiKey to ASCII:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

So I made up a list of byte to ASCII using these; below are just 0x10 to 0x4E, to cover most values without being too stupidly long.

Hex  Char  EFIkey          Hex  Char  EFIkey
10   z     EfiKeyB1        30   Tab   EfiKeyTab
11   x     EfiKeyB2        31   q     EfiKeyD1
12   c     EfiKeyB3        32   w     EfiKeyD2
13   v     EfiKeyB4        33   e     EfiKeyD3
14   b     EfiKeyB5        34   r     EfiKeyD4
15   n     EfiKeyB6        35   t     EfiKeyD5
16   m     EfiKeyB7        36   y     EfiKeyD6
17   ,     EfiKeyB8        37   u     EfiKeyD7
18   .     EfiKeyB9        38   i     EfiKeyD8
19   /     EfiKeyB10       39   o     EfiKeyD9
1A         EfiKeyRShift    3A   p     EfiKeyD10
1B         EfiKeyUpArrow   3B   [     EfiKeyD11
1C   1     EfiKeyOne       3C   ]     EfiKeyD12
1D   2     EfiKeyTwo       3D   \     EfiKeyD13
1E   3     EfiKeyThree     3E         EfiKeyDel
1F         EfiKeyCapsLock  3F         EfiKeyEnd
20   a     EfiKeyC1        40         EfiKeyPgDn
21   s     EfiKeyC2        41   7     EfiKeySeven
22   d     EfiKeyC3        42   8     EfiKeyEight
23   f     EfiKeyC4        43   9     EfiKeyNine
24   g     EfiKeyC5        44   `     EfiKeyE0
25   h     EfiKeyC6        45   1     EfiKeyE1
26   j     EfiKeyC7        46   2     EfiKeyE2
27   k     EfiKeyC8        47   3     EfiKeyE3
28   l     EfiKeyC9        48   4     EfiKeyE4
29   ;     EfiKeyC10       49   5     EfiKeyE5
2A   '     EfiKeyC11       4A   6     EfiKeyE6
2B   |     EfiKeyC12       4B   7     EfiKeyE7
2C   4     EfiKeyFour      4C   8     EfiKeyE8
2D   5     EfiKeyFive      4D   9     EfiKeyE9
2E   6     EfiKeySix       4E   0     EfiKeyE10
2F   +     EfiKeyPlus

So what was the password?

Using the above list and the recovered scancodes gave:

20 22 16 45 15 38 21 35 34 20 35 4e 34
a  d  m  1  n  i  s  t  r  a  t  0  r

and when I tried adm1nistrat0r it worked!
This is not complete, as there are still questions about the 0x80 bytes; my guess is they encode the Shift, Alt etc. modifier keys, but I'm back into my handheld so I'm not sure I'll look further into it. This may also apply to other Aptio BIOSes as well as the Panasonic CF-U1, and if the machine isn't bootable you may be able to use a cheap SPI adapter to dump the BIOS. In the case of the CF-U1 it uses an LPC flash, which I don't think you can get cheap clips and readers for, and it's buried in the machine, so it's a nuisance to get to.
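The XOR step and the EFI_KEY table above, put together in one script (an added example, not code from the gist or from AMI; the function names are my own). It ports PasswordEncode() from the quoted C, maps the recovered EFI_KEY values with the table, and, because several commenters below find a 20-byte hash instead of scancodes, also recognises that case; the 0x80xx versus 0xXX00 classification is a heuristic drawn only from the dumps quoted on this page, and the sample fields are those dumps.

```python
"""Decode the AMITSESetup password field discussed above.

Added example, not code from the gist or from AMI. xor_field() is the inverse
of the PasswordEncode() routine quoted above (each CHAR16 XORed with 0x935b*ii,
ii = 1..32, truncated to 16 bits, stored little-endian); EFI_KEY_TO_CHAR is
the byte-to-ASCII table from the gist; recover() also recognises the hashed
variant several commenters report further down.
"""

KEY = 0x935B        # from PasswordEncode()
MAX_CHARS = 32      # the 0x40-byte field holds 32 CHAR16 values
HASH_LEN = 20       # length of the hashes reported in the comments

# EFI_KEY index -> character (US layout), copied from the table in the gist.
# Keys without a printable character (RShift, CapsLock, Del, ...) are left
# out; 0x1C-0x1E, 0x2C-0x2E and 0x41-0x43 are the numeric keypad digits.
EFI_KEY_TO_CHAR = {
    0x10: "z", 0x11: "x", 0x12: "c", 0x13: "v", 0x14: "b", 0x15: "n",
    0x16: "m", 0x17: ",", 0x18: ".", 0x19: "/",
    0x1C: "1", 0x1D: "2", 0x1E: "3",
    0x20: "a", 0x21: "s", 0x22: "d", 0x23: "f", 0x24: "g", 0x25: "h",
    0x26: "j", 0x27: "k", 0x28: "l", 0x29: ";", 0x2A: "'", 0x2B: "|",
    0x2C: "4", 0x2D: "5", 0x2E: "6", 0x2F: "+", 0x30: "\t",
    0x31: "q", 0x32: "w", 0x33: "e", 0x34: "r", 0x35: "t", 0x36: "y",
    0x37: "u", 0x38: "i", 0x39: "o", 0x3A: "p", 0x3B: "[", 0x3C: "]",
    0x3D: "\\", 0x41: "7", 0x42: "8", 0x43: "9", 0x44: "`",
    0x45: "1", 0x46: "2", 0x47: "3", 0x48: "4", 0x49: "5", 0x4A: "6",
    0x4B: "7", 0x4C: "8", 0x4D: "9", 0x4E: "0",
}


def keystream():
    """The 32 16-bit values PasswordEncode() XORs in, in order."""
    return [(KEY * ii) & 0xFFFF for ii in range(1, MAX_CHARS + 1)]


def xor_field(field):
    """Apply PasswordEncode() to the 64-byte field; XOR is its own inverse."""
    if len(field) != 2 * MAX_CHARS:
        raise ValueError("expected the 64-byte field at offsets 0x40..0x7F")
    out = bytearray()
    for ii, k in enumerate(keystream()):
        unit = int.from_bytes(field[2 * ii:2 * ii + 2], "little")
        out += (unit ^ k).to_bytes(2, "little")
    return bytes(out)


def scancodes_to_text(codes):
    """Map EFI_KEY values to characters; '?' marks a key not in the table."""
    return "".join(EFI_KEY_TO_CHAR.get(c, "?") for c in codes)


def recover(field):
    """Deobfuscate a field and classify it: ("empty", ""), ("scancodes", text),
    ("hash", hex) or ("unknown", hex). Heuristic taken from the dumps on this
    page: on the CF-U1 every stored character is 0x80xx with the EFI_KEY in
    the low byte; on the hashed models every unit is 0xXX00 with one hash byte
    in the high byte."""
    if not any(field):                      # never set: stored as all zeros
        return "empty", ""
    plain = xor_field(field)
    units = [int.from_bytes(plain[i:i + 2], "little")
             for i in range(0, len(plain), 2)]
    used = units[:]
    while used and used[-1] == 0:           # drop the zero padding
        used.pop()
    if not used:
        return "empty", ""
    if all(u >> 8 == 0x80 for u in used):
        return "scancodes", scancodes_to_text(u & 0xFF for u in used)
    if all(u & 0xFF == 0 for u in used):
        return "hash", bytes(u >> 8 for u in units[:HASH_LEN]).hex()
    return "unknown", plain.hex()


# Sample fields quoted from this page (the CF-U1 admin password dump above
# and the dump JulMiDa posted in the comments); not constructed.
CFU1_ADMIN_FIELD = bytes.fromhex(
    "7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A "
    "07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35 "
    "0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 "
    "E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B")
JULMIDA_FIELD = bytes.fromhex(
    "5B 00 B6 4D 11 76 6C 38 C7 43 22 AE 7D 9D D8 C7 "
    "33 C1 8E 98 E9 B9 44 3B 9F 75 FA 78 55 26 B0 F4 "
    "0B A9 66 EE C1 EF 1C 4F 77 16 D2 A9 2D 3D 88 D0 "
    "E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B")

if __name__ == "__main__":
    for name, field in (("CF-U1 admin", CFU1_ADMIN_FIELD),
                        ("JulMiDa", JULMIDA_FIELD)):
        kind, value = recover(field)
        print(f"{name}: {kind} -> {value}")
```

Running it prints the scancode password for the CF-U1 dump and the 20-byte hash for JulMiDa's dump; a dump that matches neither pattern is reported as "unknown" with its raw deobfuscated bytes.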

@r-plabs
r-plabs commented May 19, 2021

@Benjaminrenz

I also have some Dell Latitude doing the same. I don't know what the reason is and I couldn't identify it. I can say that from Friday evening to Monday morning the battery is flat, 0%. I am talking about a 65W battery.

Also, did you upgrade the BIOS and EC of the CF-20 to the latest ones? There are updates for CF-20 MK1 and Mk2 for both BIOS and EC.

@Kissel-B
Kissel-B commented May 19, 2021 via email

@corty8
corty8 commented May 20, 2021

@r-plabs
Thanks for your reply
I have a backup using AFUWIN, how can I send it to you?

@Kissel-B
Kissel-B commented May 28, 2021 via email

@userx14
userx14 commented May 28, 2021

> @Benjaminrenz Ben, quick question: I got my hands on another CF-20 which doesn't seem to have the battery draining issues. I want to try and copy the BIOS off of it and put it on the old one to see if there is any effect. Do you know a way to back up the BIOS in Windows? I don't want to rip the shield up on the new unit to physically read the BIOS chip. Is there software that can make a full ROM of the BIOS chip?

If the Windows utility from AMI does not create a full backup you could try Linux and flashrom, https://flashrom.org/Flashrom. But I don't know if it is compatible.

Lost_N_Bios also has an interesting method for Windows to back up the Intel ME: https://www.win-raid.com/t5165f16-How-do-you-exactly-Dump-Unlock-and-Flash-an-Asus-AMI-Aptio-IV-BIOS.html#msg86490

Greetings
Benjamin

@r-plabs
r-plabs commented May 29, 2021

@corty8
Upload it to any file transfer site and paste the link here.

@OmegaSentinell

> @Benjaminrenz Ben, quick question: I got my hands on another CF-20 which doesn't seem to have the battery draining issues. I want to try and copy the BIOS off of it and put it on the old one to see if there is any effect. Do you know a way to back up the BIOS in Windows? I don't want to rip the shield up on the new unit to physically read the BIOS chip. Is there software that can make a full ROM of the BIOS chip?
>
> If the Windows utility from AMI does not create a full backup you could try Linux and flashrom, https://flashrom.org/Flashrom. But I don't know if it is compatible.
>
> Lost_N_Bios also has an interesting method for Windows to back up the Intel ME: https://www.win-raid.com/t5165f16-How-do-you-exactly-Dump-Unlock-and-Flash-an-Asus-AMI-Aptio-IV-BIOS.html#msg86490
>
> Greetings
> Benjamin

No need for all these things; Asus can be unlocked via the BIOS backdoor, just generate the code from the BIOS date...
Or dump via AFUWIN and send it here to decrypt...

@TBone32
TBone32 commented Jun 14, 2021

Hi, New to the BIOS game and 1st time post. I have a CF-31, BIOS password locked. Will only boot to HDD. Running Win 10/64 bit.
Can someone double check my XOR? I believe it is a SHA1 hash.
UFIF tool produced:

5B 90 B6 EB 11 EC 6C 29 C7 0F 22 8D 7D 8B D8 BE 33 03 8E 67 E9 59 44 22 9F BB FA E5 55 C1 B0 9F
0B 96 66 5D C1 B5 1C 92 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

[screenshot]

Attempted a prnt scrn paste above..... Let me know if it didn't work.

Thanks!

@userx14
userx14 commented Jun 15, 2021

> Hi, New to the BIOS game and 1st time post. I have a CF-31, BIOS password locked. Will only boot to HDD. Running Win 10/64 bit.
> Can someone double check my XOR? I believe it is a SHA1 hash.
> UFIF tool produced:
>
> 5B 90 B6 EB 11 EC 6C 29 C7 0F 22 8D 7D 8B D8 BE 33 03 8E 67 E9 59 44 22 9F BB FA E5 55 C1 B0 9F
> 0B 96 66 5D C1 B5 1C 92 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B
>
> [screenshot]
>
> Attempted a prnt scrn paste above..... Let me know if it didn't work.
>
> Thanks!

Can confirm, I also get a 20-byte hash.

Greetings,
Benjamin

@OmegaSentinell
OmegaSentinell commented Jun 16, 2021

g5xp69y6 - try this password

@TBone32
TBone32 commented Jun 16, 2021

> g5xp69y6 - try this password

No luck..... thanks for looking at it for me!

@PebisMan
Just wanted to say thanks for this thread! I have a CF-19 Mk5 that I was luckily able to boot to DOS on a USB drive. Using the @en4rab method I was able to decrypt the password and found it was an SHA-1 hash. Replaced with all 00s and using AFUDOS, flashed NVRAM only. Password is now gone.

@OmegaSentinell

> Just wanted to say thanks for this thread! I have a CF-19 Mk5 that I was luckily able to boot to DOS on a USB drive. Using the @en4rab method I was able to decrypt the password and found it was an SHA-1 hash. Replaced with all 00s and using AFUDOS, flashed NVRAM only. Password is now gone.

Set defaults in BIOS and save + restart...

@homura-akemi-f02-22
How do I change the password encryption logic on my cf20 from sha1 to sha256 or something stronger? Isn't sha1 already out of date?

@SoftwareGuy
SoftwareGuy commented Jul 7, 2021

> How do I change the password encryption logic on my cf20 from sha1 to sha256 or something stronger? Isn't sha1 already out of date?

You cannot, because the hashing methods are baked inside the BIOS firmware. You'd need access to the manufacturer's internal development equipment and source code to be able to bake your own BIOS version.

Besides, the average person will not be going to the lengths we do to be able to remove/reset the password. This recovery technique is more for system administrators or repairers that have legitimate reasons to unlock a locked BIOS, i.e. disposal, refurbishment or unlocking a device that belongs to themselves but was locked by the manufacturer or previous owner.

EDIT: Even if you did, you would have to modify the storage area where the password is kept as a SHA1 hash is smaller than a SHA256 hash byte-wise. You should not be relying on BIOS passwords as a super high security solution; if you are looking for a better security method, use a PM-backed security thing.

ghost commented Jul 21, 2021

@Benjaminrenz

Can someone please help me with figuring out the pw for this? It subtype shows full no matter what version of EUFITool I use.... Please help. Attached screenshot... Thank you in advance. Any help would be greatly appreciated.

[screenshot]

@userx14
userx14 commented Jul 21, 2021

Hi @deuceduzit
Have you tried just the ASCII characters which are written inside this key (2PAK5bnD4M>G)? After all it doesn't have to be XORed. Kind of suspicious that all the bytes fall directly inside the ASCII range.

ghost commented Jul 21, 2021

> Hi @deuceduzit
> Have you tried just the ASCII characters which are written inside this key (2PAK5bnD4M>G)? After all it doesn't have to be XORed. Kind of suspicious that all the bytes fall directly inside the ASCII range.

Yea, I just tried it and unfortunately it didn't work. I also tried zeroing it out and reflashing it. Didn't do anything and password is still there.

@userx14
userx14 commented Jul 21, 2021

Have you tried other special characters in place of ">"? Maybe this could be keyboard layout specific.

Does the key remain the same even when you read the BIOS back after flashing, and what do you use to flash the BIOS?

ghost commented Jul 21, 2021

> Have you tried other special characters in place of ">"? Maybe this could be keyboard layout specific.
>
> Does the key remain the same even when you read the BIOS back after flashing, and what do you use to flash the BIOS?

The keys changed to blanks when I read the bios back confirming the write worked. I used a ch341a usb programmer. Weird that the password is still there.

@OmegaSentinell

Share the dump please, I can help.

@JulMiDa
JulMiDa commented Jul 28, 2021

Could someone please help me?
I get the following from the BIOS dump file (0x40 to 0x7F):

5B 00 B6 4D 11 76 6C 38 C7 43 22 AE 7D 9D D8 C7 33 C1 8E 98 E9 B9 44 3B 9F 75 FA 78 55 26 B0 F4
0B A9 66 EE C1 EF 1C 4F 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

@userx14
userx14 commented Jul 28, 2021

> The keys changed to blanks when I read the BIOS back, confirming the write worked. I used a CH341A USB programmer. Weird that the password is still there.

You could also check if you find any more occurrences of this exact byte string in other locations in this file and zero all of them.

@userx14
userx14 commented Jul 28, 2021

> Could someone please help me?
> I get the following from the BIOS dump file (0x40 to 0x7F):
>
> 5B 00 B6 4D 11 76 6C 38 C7 43 22 AE 7D 9D D8 C7 33 C1 8E 98 E9 B9 44 3B 9F 75 FA 78 55 26 B0 F4
> 0B A9 66 EE C1 EF 1C 4F 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

Seems hashed to me, if one passes this through xor.pw one gets 20 bytes:
936bcc75a3da9a5def59edd30e7684c160b200cc

@JulMiDa
JulMiDa commented Jul 28, 2021

> Could someone please help me?
> I get the following from the BIOS dump file (0x40 to 0x7F):
> 5B 00 B6 4D 11 76 6C 38 C7 43 22 AE 7D 9D D8 C7 33 C1 8E 98 E9 B9 44 3B 9F 75 FA 78 55 26 B0 F4
> 0B A9 66 EE C1 EF 1C 4F 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B
>
> Seems hashed to me, if one passes this through xor.pw one gets 20 bytes:
> 936bcc75a3da9a5def59edd30e7684c160b200cc

Thanks to Velen for the answer, how can I read the password now?

@Ftmmsch
Ftmmsch commented Jul 28, 2021 via email

@JulMiDa
JulMiDa commented Jul 28, 2021

> Hi. If you like to send me the saved file, I could take a look at it. At the weekend. Greetings, Lothar Peters

Thank you very much, I just sent you the file by e-mail to udf *** @ gmail ***

@Ftmmsch
Ftmmsch commented Jul 28, 2021 via email

@Ftmmsch
Ftmmsch commented Jul 28, 2021 via email

@JulMiDa
JulMiDa commented Jul 28, 2021

I sent you a onedrive link to the email, maybe it will do better. Many Thanks

@Ftmmsch
Ftmmsch commented Jul 28, 2021 via email

@JulMiDa
JulMiDa commented Jul 28, 2021

> Hello. Me again. I just looked in @.*** and there is nothing there. Please send it again to: @.***

Strange, then I'll send you the link here directly. I am sorry for the circumstances.

https://1drv.ms/u/s!ApzCPlF0Hn90gf5I-JeY9htV2i-R7w

@Ftmmsch
Ftmmsch commented Jul 31, 2021

@JulMiDa

Here you are:
https://drive.google.com/file/d/1PRuXEI9KK9btn3AZi2IPPrLNKxRL8dt2/view?usp=sharing

I think, you about the settings you need for flashing the rom file?

Regards

Lothar

@JulMiDa
JulMiDa commented Jul 31, 2021 via email

@Ftmmsch
Ftmmsch commented Jul 31, 2021

:-) So, I zeroed out today for nothing, resp. too late :-)

I found very much to zero out...

So, you didn't try to flash before you reflashed the chip?

@JulMiDa
JulMiDa commented Jul 31, 2021 via email

@panapc
panapc commented Sep 5, 2021

Hello.

Do you know how to unlock this bios file? I know that all zeros can be dewritten on other models.
I don't know how to do it with this model.

Below is the file link.
https://

thank you.

@userx14
userx14 commented Sep 7, 2021

Hi @panapc
in your BIOS file I could find the key AMITSESetup at 88A40Ah, but it looks a bit different from the ones from the Panasonic models I have seen (more padding in front):
**EDIT removed**
xoring gives:
**EDIT removed**

So there is probably some additional encryption going on.
I'm not sure but zeroing this might reset the password.

@Ftmmsch
Ftmmsch commented Sep 7, 2021

@Ftmmsch
Ftmmsch commented Sep 7, 2021

@panapc
panapc commented Sep 7, 2021

Hi @userx14

It's a new model, so I found it difficult to analyze passwords.
But your solution gave me a chance.

I am very grateful.

@panapc
panapc commented Sep 7, 2021

@Ftmmsch

thank you very much.
There may be other parts as well.

You can delete the link.

@Liakou
Liakou commented Sep 17, 2021

Hello

I have a problem decoding my BIOS password and I can't work with XOR.

Can you send me the password from my BIOS?

I send you the output from HEX View 👍
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
5B11B669112A6C8DC7F822697DB9D813
33168E8DE96F44EF9F1BFA1C5515B081
0B5C6623C11B1CF37716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B
01000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
0000

Thanks a lot for your assist.

Regards

Michael

@userx14
userx14 commented Sep 17, 2021

Hi Michael / @Liakounis,

it's probably hashed:

when applying xor I get:
824f90c0181dbe89384c3b076012b7b4957ff470

you could overwrite it with zeros and write it back.
But you should do a full bios backup with me or check if there is one online available for your specific model before proceeding.

Greetings,
userx14

@esters
esters commented Sep 22, 2021

Good day,

Currently I am tinkering with the Panasonic CF-53 MK1 which had a SHA1 hashed password which has been successfully removed. As a test I set up two master passwords in the bios - "test" and "password" both of them have completely different hashes than those who are known for the specified hash type:

Password - test

14de57dcb76658666368b482008eb39849f9d062 - BIOS Dump
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 - SHA1 Hash

Password - password

7bdfc5f77170d6707e86c06616f5c5cf04c3b4f0 - BIOS
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 - SHA1 Hash

My goal is to determine what probably is the additional salt of the input bios password. Any ideas/clues?

@adolf022
adolf022 commented Nov 5, 2021

Hi, I've been trying to get the password on a Panasonic machine. I followed some of the steps, but the XOR step is not my thing yet. I am just wondering if I can get some help; I tried reading some other posts. Can I do something with this?

5B46B6A911846C0CC73022E97DB4D855
335F8EE5E98144889FE5FAEE5516B0A8
0B8A66B5C1B61C797716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B

46a9840c30e9b4555fe58188e5ee16a88ab5b679 - is it hashed?

@userx14
userx14 commented Nov 5, 2021

> Hi, I've been trying to get the password on a Panasonic machine. I followed some of the steps, but the XOR step is not my thing yet. I am just wondering if I can get some help; I tried reading some other posts. Can I do something with this?
>
> 5B46B6A911846C0CC73022E97DB4D855 335F8EE5E98144889FE5FAEE5516B0A8 0B8A66B5C1B61C797716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B
>
> 46a9840c30e9b4555fe58188e5ee16a88ab5b679 - is it hashed?

Hi @adolf022,

you should get something that starts with 5b, otherwise you are doing something wrong when applying the XOR.
If I paste the hex bytes you provided, and the key 5B 93 B6 26 11 BA 6C ... (see first post by en4rab) in xor.pw, I get something that looks like a hash:
d58f3e41d09db3cf7124d5609ee0b49d43e959fa (I've already removed the two zeros between each pair of hex chars)

Greetings,
Benjamin

@userx14
userx14 commented Nov 5, 2021

> Good day,
>
> Currently I am tinkering with the Panasonic CF-53 MK1 which had a SHA1 hashed password which has been successfully removed. As a test I set up two master passwords in the BIOS - "test" and "password"; both of them have completely different hashes than those which are known for the specified hash type:
>
> Password - test
>
> 14de57dcb76658666368b482008eb39849f9d062 - BIOS Dump a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 - SHA1 Hash
>
> Password - password
>
> 7bdfc5f77170d6707e86c06616f5c5cf04c3b4f0 - BIOS 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 - SHA1 Hash
>
> My goal is to determine what probably is the additional salt of the input BIOS password. Any ideas/clues?

Sorry for the very late reply,

but unfortunately if the hashing and salting is done properly you will not be able to determine the salt from the "password -> hash" tests you have done (here is why). The only possibility I see is to analyze the BIOS firmware code and try to find the salt that way, but I'm relatively clueless on how this works.
If you find out how the password is salted, you could still only try to brute force and attempt to check if you get a match by trying every possible combination or common words.

Best,
Benjamin

@esters
esters commented Nov 13, 2021

@userx14 - Thanks! I will try to take a look if I can somehow analyze the BIOS image. I have created a repo with my findings. If anyone needs it, I found out how to unlock the hard drive after the patched BIOS has been flashed on the Toughbook.

https://github.com/esters/Toughbook-CF53-MK1

@userx14
userx14 commented Nov 13, 2021

> @userx14 - Thanks! I will try to take a look if I can somehow analyze the BIOS image. I have created a repo with my findings. If anyone needs it, I found out how to unlock the hard drive after the patched BIOS has been flashed on the Toughbook.
>
> https://github.com/esters/Toughbook-CF53-MK1

Very interesting, thanks for the investigations.

@OutOfIdeas-png
OutOfIdeas-png commented Nov 13, 2021 via email

@userx14
userx14 commented Nov 13, 2021

> In my attempts at this, I encountered an error and the machine shut down... naturally it was in the write phase and it was about 3% completed. I'm thinking about trying a BIOS programming dongle. I'm not well versed in ROM chip design and architecture. Any recommendations for a solution? CF-20 Mk2 BTW.

I would recommend, and had success using, the following steps:

  • find the complete ROM image including the Intel ME section as a .bin file for your specific model online (typically this is the hardest part imho).
  • acquire a CH341A with a SOP8 clamp (used to be available for about 10€ from China)
  • do the 3.3V fix
  • download AsProgrammer
  • connect the SOP8 clamp, and ensure correct polarity by measuring continuity to GND of the laptop's mainboard and the USB plug of the CH341A
  • install the included parallel CH341A driver from the AsProg zip archive
  • set up AsProgrammer to use the CH341A (Hardware tab)
  • check if the chip is detected by using the read ID function in AsProg; if you get changing values with every read, or 0xff or 0x00 for all, then either the connection is not good or something on the mainboard of the laptop is too power hungry for the CH341A's 3.3V regulator. In this case you need to desolder the chip from the board.
  • select the right chip part number from the list returned by read ID, or a similar one
  • (optional) try to back up the broken image which might still be on the flash chip
  • unlock write protection, erase, program and verify the chip with the .bin file from step 1

@OutOfIdeas-png
OutOfIdeas-png commented Nov 13, 2021 via email

@OmegaSentinell

Better to use the NeoProgrammer software for the CH341A board...

@fz-g1
fz-g1 commented Nov 26, 2021

Dear all, I tried to delete my password (on a Panasonic FZ-G1 mk4) but during the write session I also got error 34. And when I now compare the old original ROM with the new one I get from AFUWINGUI I see that certain sections are deleted in the current one. Would it be wise/possible to restart the tablet?

@fz-g1
fz-g1 commented Nov 26, 2021

Sorry, it was error 43: problems erasing FLASH

@userx14
userx14 commented Nov 26, 2021

Error 43 is not good news, see here: https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-3708976
There is a chance that the BIOS is bricked and you will not be able to boot anymore.

If you do not have any means of hardware flashing the BIOS chip then I would not reboot just now, but instead try another tool to back up or flash the BIOS.

@userx14
userx14 commented Nov 26, 2021

Definitely back up the BIOS from the tablet's HDD to a USB drive,
maybe try flashrom https://flashrom.org/Flashrom, but I'm not sure if this board is supported.

EDIT:

  • check that you've got a full backup including the Intel ME section. I'm not sure how big the chip is in MB, maybe @Kissel-B knows?
    (might also depend on your specific revision of the device)
  • if there is some write protection in place it might not be possible to write these sections from a running Windows, which might be bad news if you do not have a hardware flasher
  • does the image at https://www.badcaps.net/forum/showthread.php?t=79316 match your model?
  • if you have exhausted all options you can try from Windows and it does not reboot, you probably need a hardware programmer; just ask if you need help

@Kissel-B
Kissel-B commented Nov 26, 2021 via email

@fz-g1
fz-g1 commented Nov 26, 2021

Thanks for the support, it seems that I'll be needing it. I'm really stressed out... Well, the file I saved using AfuWin64Gui is a .rom file of 8,192 KB. The ones I find on the Badcaps site are .bin files and twice the size... Inside they look different, as mine starts with MEI_FZG1-4 and probably some other characters identifying my Toughpad... I find this kind of string in their file at location 00A80000: MEI_FZG1-2 (so a Mk2 version). It seems I'm missing out on the first part of the file...

@fz-g1
fz-g1 commented Nov 26, 2021

I found a similar thing in a cf54cu bin file starting at 00A00000

@fz-g1
fz-g1 commented Nov 26, 2021

@userx14
userx14 commented Nov 26, 2021

I found some bios update programs from panasonic themselves, would that be an option? https://na.panasonic.com/us/support/toughbook-support-center#/tablets;id=126/toughpad-fz-g1;id=61356;sid=NaN/bios-ec-and-firmware;id=002003

Probably it will not hurt to try it and check if it filled the missing sections with another backup.

@fz-g1

fz-g1 commented Nov 26, 2021

I read the manual and it states: Automatically, Windows will shut down and the BIOS update program will run. Wait
until Windows startup again....

@userx14

userx14 commented Nov 26, 2021

I read the manual and it states: Automatically, Windows will shut down and the BIOS update program will run. Wait until Windows startup again....

Hm, then maybe try if you are able to backup the full 16mb with some other tool first.

@fz-g1

fz-g1 commented Nov 26, 2021

@fz-g1

fz-g1 commented Nov 26, 2021

I saw in the remarks on the badcaps forum, that the latest file didn't have any serial numbers in it, so I decided to use HxD to pick the first part of their file (FZ-G1r mk4 UNLOCKED.bin) and merge that into my own rom file. Now they are exactly the same size 16.384 KB. But if I would be using AfuWin64Gui would I need the .rom or a .bin extension? By the way I used a Aptio V version... Or should I use another tool...

@fz-g1

fz-g1 commented Nov 26, 2021

In both cases when opening either the .rom or .bin file the nvram is grayed out...

@fz-g1

fz-g1 commented Nov 26, 2021

Well I tried them out both and AfuWin64Gui reports that 3- error: ROM file size does not match existing Bios size...

@userx14

userx14 commented Nov 26, 2021

Well I tried them out both and AfuWin64Gui reports that 3- error: ROM file size does not match existing Bios size...

It could be possible that aptio 5 is only able to access the part from 0x0a000000 onwards.
Maybe try a different tool, but I guess that the other sections are not accessible from a running windows.
I'm not that into software flashing tools so I can't really give you recommendations.
If everything else fails you will need to flash your merged bin file with a hardware programmer.

@fz-g1

fz-g1 commented Nov 26, 2021

What kind of tool do you recommend? I can't figure out Flashrom.. is there a windows executable available?

@userx14

userx14 commented Nov 26, 2021

What kind of tool do you recommend? I can't figure out Flashrom.. is there a windows executable available?

Yes, but I'm not too sure about the supported hardware:
https://www.win-raid.com/t7547f41-Tool-Flashrom-v-Win.html

@fz-g1

fz-g1 commented Nov 26, 2021

By the way, I tried the Panasonic Bios update tool, but it said it has already been updated....

@fz-g1

fz-g1 commented Nov 27, 2021

Would Intel FIT (Flash Image Tool) be an option probably v11 in my case...

@userx14

userx14 commented Nov 27, 2021

Would Intel FIT (Flash Image Tool) be an option probably v11 in my case...

Maybe check out these intel me tools: https://github.com/zearp/OptiHack/blob/master/text/BIOS_STUFF.md#extracting
The page is for Dell optiplex machines, so do not read too much into the details, just hope that the intel me backup stuff works on the toughbooks too.

@fz-g1

fz-g1 commented Nov 27, 2021

I used fptw64.exe to back-up and later-on flash the bios back, but it gives: Error 368 failed to disable write protection for the bios space..

@fz-g1

fz-g1 commented Nov 27, 2021

Well, it seems I will need a bios programmer and flash it back (without password ;-) What would be the best hardware tool and software to use in my case?

@userx14

userx14 commented Nov 27, 2021

Well, it seems I will need a bios programmer and flash it back (without password ;-) What would be the best hardware tool and software to use in my case?

My favorite one is the ch341a, but first check what the flash chip model is that you want to program (logic voltage level 5v, 3.3v, 1.8v). For 3.3V it's recommended to modify the programmer and for 1.8V you need an adapter. See here for a short description: https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-3961486

@fz-g1

fz-g1 commented Nov 28, 2021

Thanks, I'll open her up... Would it be a recommendation for the newer boards, to before starting, to extract the bios with fptw64.exe and flash it back with it, to find out if it is write protected. With AfuWINGui64.exe, during flashing the BIOS, it already erased part of the Bios before finding out it was write protected.... causing the problems I'm in right now...

@fz-g1

fz-g1 commented Dec 3, 2021

Well I have some spare time and I would like to take a look at the BIOS chip, is there somebody who can point me in the direction where I can locate it? It's laying in front of me but I want to disconnect the least possible ;-)

@fz-g1

fz-g1 commented Dec 3, 2021

Just to be clear, it's for a FZ-G1 (the mk4, if there are any differences between them)..

@userx14

userx14 commented Dec 3, 2021

I'm not sure which revision that is or if they changed something, but I found images from a replacement board:
https://ixustrade.nl/panasonic-fz-g1-intel-i5-3437u-at-1-90ghz-4gb-motherboard-su6e-10w16au-01x.html
on the second image I would guess that the bios chip is the one on the left with the red dot.
So probably it is underneath the cooler, see the images in this thread:
http://forum.notebookreview.com/threads/fz-g1-tips-tricks-mods.809551/page-5

@fz-g1

fz-g1 commented Dec 3, 2021

Thanks I lot, I'll have a look there!

@corty8

corty8 commented Dec 6, 2021

Hi All

I have a toughbook CF-54 mk3 that I am trying to do and when I open up the bin file in UEFItool I get yellow and red highlighted sections and for the life of me I can't find the GUID that I need to find the password

I have done a number of G1 Tablets and CF-31 units now and all were fine but this is the first time I a have seen the highlighted sections

Any pointers would be appreciated

Cheers

@userx14

userx14 commented Dec 6, 2021

@corty8
Which version of UEFItool are you using? For me only alpha 51 worked, and I could search for the guid using the menu.
If everything fails you could search the raw hex dump for the end of the xor encoding string:
3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

@corty8

corty8 commented Dec 6, 2021

Thanks for your reply

I have been using alpha 51 and have done quite a few FZ-G1 and CF-31 and all have been fine but with this machine it seems to be an issue
I have also tried 57 & 58 with the same result

this is a current model machine so I am wondering if something has changed

@corty8

corty8 commented Dec 6, 2021

is the XOR Encoding string just 60 6B, I get over 150 entries when I search for that and searching for the complete string you have posted above produces no results at all

@userx14

userx14 commented Dec 6, 2021

@corty8
maybe try other parts of the encryption key then, they could have changed the length. The theory behind it is that if the thing that is xored contains 0x00 as padding on the end you would expect to get the encryption key when xoring. The longer the matching section the larger is the probability that it is not just a random coincidence, as most likely happened with 60 6B.
Have you tried using a normal hex editor instead of UEFI-tool to search for the bytes?

this is a current model machine so I am wondering if something has changed

yeah, that can also be a possibility

Can the string "AMITSESetup" be found by searching with UEFI-tool?

@corty8

corty8 commented Dec 6, 2021

Yeah I have tried a couple of different hex editors still can't find

the only part I can find together is 44 05 D8 from that I get 10 entries but they look totally different, than previous versions as with the older ones there was plenty of empty space around it and easy to spot

If you are up for a challenge I would be happy to put a link up to the bin file :)

@userx14

userx14 commented Dec 6, 2021

the only part I can find together is 44 05 D8 from that I get 10 entries but they look totally different, than previous versions as with the older ones there was plenty of empty space around it and easy to spot

They probably have changed their password protection mechanism then...

If you are up for a challenge I would be happy to put a link up to the bin file :)

Yeah, I can take a look, but if they changed the way the password is stored there is not much we can do 😒 ...

@Ftmmsch

Ftmmsch commented Dec 6, 2021

@corty8

If you like: you could send me your BIOS file to: ftmmsch@gmail.com

@corty8

corty8 commented Dec 6, 2021

@corty8

corty8 commented Dec 6, 2021

@Ftmmsch
Thanks for looking, I have just posted a link above

@userx14

userx14 commented Dec 6, 2021

-- EDIT: Now right bios file --


I think the yellow and red markings indicate that the bios is protected by an RSA Key.


When I search for AMITSEsetup I can find three matches, two of them are empty, but one of them (the one in the second screenshot) seems to have some data attached.

@corty8

corty8 commented Dec 6, 2021

@userx14

userx14 commented Dec 6, 2021

@corty8 Please check edited answer...

Every second byte seems to be identical with the original xor key...
5b XX b6 XX ... 05 XX 60 XX (XX are the bytes that are different), so that's probably the location where it is stored...

@corty8

corty8 commented Dec 6, 2021

interesting, I didn't notice that.. I will do some checking

@r-plabs

r-plabs commented Dec 6, 2021

@userx14
Your BIOS has Bootguard enabled which is bad. I think all Panasonic with 6th gen Intel CPUs and after have it enabled.
If you modify wrong sections you will brick your tablet/laptop. I didn't read much about it so I don't know if this can be unbricked or not.
Just be careful and in the future don't buy any laptop/tablet with 6th gen Intel CPU or higher that has password or custom BIOS (Mxx after version number) unless price is very low. When I say low it means under 100 USD/EUR.

@corty8

corty8 commented Dec 6, 2021

I have done 6th gen before without any issues, this is a 7th gen machine
If I make changes to the bin file and it is bricks it I can still copy back the original bin file can't I?

@r-plabs

r-plabs commented Dec 6, 2021

@corty8
Bootguard is not mandatory, depends if the vendor will activate it or not. I saw some Dell laptops that had it in 5th gen already but on Panasonic I saw it on some 7th gen but in general after 6th gen you can expect to have it enabled from factory.

As for flashing back the original BIOS to unbrick it I didn't try it. I bought a 7th gen without password since I was expecting to have the Bootguard issue and I didn't want to experiment on some expensive laptop.

Another point for all FZ-G1 is that you cannot read the chip correctly without de-soldering it. At least it was not working on Mk1-2-3. I noticed that CPU and RAM was also powered when BIOS chip was connected to the programmer via clip and it produced a lot of errors. Maybe it works with some programmer that can do ICSP and has enough current to sustain the other components also during reading and writing. In the end I de-soldered the chip and read/write it on programmer and soldered it back when finished. For testing I soldered short wires to the pads that went to a socket so I can remove the chip easily and reflash it. Do not use too long wires since it will create issues maybe because of voltage drop?!

@userx14

userx14 commented Dec 6, 2021

I'm not sure, but isn't the purpose of the RSA key/bootguard to protect the actual bios and its modules, while the nvram variables are still editable?
Otherwise the bios itself would need the key to encrypt the nvram variables when changing any setting.

@corty8
Yes, you should be able to flash back the original image without the modification in case the modified version does not work.

@r-plabs
I'm a bit confused because you are talking about an "fz-gz", while corty8 tinkers with a "cf-54 mk3".
Are you referring to @fz-g1, who has the FZ-G1 tablet?

Another point for all FZ-G1 is that you cannot read the chip correctly without de-soldering it

Have you tried cutting the BIOS chip's 3.3V rail and connecting a switch to it, this way you don't have to extend the signal lines? But I think it is not a problem, since the communication on spi isn't that high speed.

@fz-g1
So the plan with just "Copying" parts of the original bios together with the me section is expected to fail, if bootguard is enabled. But if you are able to find a full dump of a fz-g1 mk4 that should work.
Maybe try the images from here:
https://www.badcaps.net/forum/showthread.php?t=80985

@fz-g1

fz-g1 commented Dec 6, 2021

Thanks userx14, I downloaded that bin-file.. so splitting this file 8MB in two and paste part one with my 4MB file wouldn't work? You can clearly find the location where the second part of the 8MB resembles mine.. and the size is correct as well...

@fz-g1

fz-g1 commented Dec 6, 2021

I saw some remarks of people clearing just one instance of the password and after resetting the bios, they got the password back (as they didn't take out the other one in the bin-file). Would it be an option to use a reset to switch back to a working unbricked part of the bios.... Do they have something like dual-bios?

@userx14

userx14 commented Dec 6, 2021

so splitting this file 8MB in two and paste part one with my 4MB file wouldn't work?

Sorry, my knowledge is limited when it comes to bootguard, that was just a guess. Just something to keep in mind when the tablet does not boot with the modified bios image, that it could be caused by bootguard. Just try and see if it works I guess 😏 .

I saw some remarks of people clearing just one instance of the password and after resetting the bios, they got the password back

I think they talk about the option "restore default" in bios which initializes the NVRAM variables with some default values, which probably includes the manufacturer set bios password.
I don't think they have dual bios support, normally for dual bios you will have two identical flash chips.

@corty8

corty8 commented Dec 6, 2021

Well got to admit this one got the better of me, I couldn't work out a way to strip the password out on this CF-54 mk3, in the end I sent the bin file to someone that I have used before and they stripped it out for me.
Reprogramed the chip and soldered it back on the board just now, machine is back up and running again and all the original machine serial/model number and hours are retained

@userx14

userx14 commented Dec 7, 2021

@corty8
Can you check if the data at 0x89c710 has been altered in this new file, would be interesting to see what needs to be modified.
Would have guessed that the bytes around there just need to be overwritten with zeros.
Maybe you could run a diff on the two files.

@corty8

corty8 commented Dec 7, 2021

@userx14
Yes there is a definite change there, I have done a hex compare and there are quite a few differences in the file
I can upload the new bin file if you like you can compare it with the one I posted above

@Ftmmsch

Ftmmsch commented Dec 7, 2021

Don't know why - but my previous post is gone - deleted!
Maybe, because of the e-mail address!

You could send me your file to the e-mail address in my account - but, that one, I usually don't use constantly.

Better you send me your file to:

my user name at g mail dot com.

@userx14

userx14 commented Dec 7, 2021

I can upload the new bin file if you like you can compare it with the one I posted above

Would be interesting indeed.

@userx14

userx14 commented Dec 8, 2021

@corty8 thanks,

Ok short summary for the changes for the panasonic CF-54 mk3, if anyone else is interested:

0x00003010 - 0x00003da0 (me region flash partition table)             probably caused by different/modified ME-version
0x00133000 - 0x00603cff (intel me region)                             maybe a different ME-version or effect of using ME disable/cleaner, unsure, large regions replaced with 0xff
0x0089c710 - 0x0089c74F (location for the AMITSESetup NVRAM variable) was overwritten with zeros

Well the change at 0x0089c710 is exactly what one would expect to remove the password.
I'm unsure if the ME modification was necessary, I would guess that this could be the action of me_cleaner which disables intel me by overwriting selected pages with 0xff.

@fz-g1

fz-g1 commented Dec 9, 2021

Mission accomplished! FZ-G1R mk4 BIOS: MX25L12873F Motherboard DHLB1030ZD/X1
Thanks a lot everyone especially you userx14 ;-) As without information you cannot grow in knowledge, here my findings:

I used a CH341 Black (with the V3.3 adjustment proposed by userx14) with NeoProgrammer 2.2.0.10 (I read that AsProgrammer might give some problems) and the Clamp and I was able to read and write the bios!
After first successfully downloading and saving 3 identical images, I checked the files and found out that the second part of the BIOS file (00800000 - 00FFFFFF) which I got with the NeoProgrammer was partially erased by AfuWin64Gui during an unsuccessful write effort (in which it already wiped part of the BIOS before finding out that it was write-protected).
So as final bios file I used the first part of the BIOS-file I downloaded from the BIOS with NeoProgrammer (so 0 - 007FFFFF) and as second part (00800000 - 00FFFFFF) I took the file which I got with Afuwin.exe, from which I deleted the password. Of course if you haven't screwed up your BIOS with Afuwin then you could use the full file from NeoProgrammer after taking out the password with HxD.

In NeoProgrammer I selected all the options in Write IC (Off-Protect, Erase, Blank Check, Write and Verify) to write this file to the BIOS.
(There will still be a part in the BIOS in which "toughkit" is a useful word ;-) )

Thanks again everybody!!!

@userx14

userx14 commented Dec 9, 2021

@fz-g1
Glad it worked out 👍 , interesting that the failed flash erased only some parts of the bios and aborts afterwards.
That should mean that it is easier to find and use an incomplete bios image to recover from this, as only the upper section is needed.

I think one has to assume that with the newer versions / revisions of the panasonic lineup one will most likely encounter this error with afuwin,
and that one should do a full dump with a hardware flasher to avoid any unpleasant surprises.

Models known from this thread to encounter errors with software flashing (definitively do a backup with a hardware programmer beforehand):

  • CF-20 Mk2
  • CF-31 MK3
  • CF-53 mk3
  • CF-53 mk4
  • FZ-G1 mk4

@drshock

drshock commented Dec 18, 2021

This XOR technique does not work on the ToughPad FZ-G1 series of tablets. The ToughPad passwords are in the same BIOS NVRAM area, but as others have mentioned about newer ToughBooks, this BIOS area is encrypted in the ToughPads too, even with the oldest MK1 series. However, you can still clear the password by zeroing out both the user and supervisor data values in the BIOS flash chip.

I did a video on how I applied this technique to clear the BIOS password on my ToughPad FZ-G1A MK1, as well as the ToughPad tablet disassembly required to access, desolder, reprogram, and reinstall the BIOS flash chip. I thought I'd share it here too as this might apply to later ToughBooks that encrypt this NVRAM area as well and help someone else out - ToughPad FZ-G1 Clear BIOS Password

I've given a shout out to this gist in my video, and included a link to this gist in the videos description. Thanks for sharing the ToughBook approach here, as that inspired me to dig into how to clear the lost BIOS password on my ToughPad FZ-G1 that I use for automotive diagnostics work.

@Biozax

Biozax commented Dec 29, 2021

Hello, Everyone.
Glad I Have Found This Thread, Because I Have Try To Find Out My Bios Password For Panasonic Toughbook CF-31 For A Long Time.
Can Anyone Tell Me: Is It Possible To Remove It With userx14 Method, or It Should Be Only Flashed?
I Have Made ROM Bios File, But I Can't Handle With The Rest. I Have Open File In UEFITool_NE_A59_win32, but Don't Understand, How To Find Needed Line In Code.
Can Anyone Help Me: https://drive.google.com/file/d/1ADYcAcvcbLBODWNHtjKWgKira9R_6kej/view?usp=sharing
Thanks For The Answer And Help To Anyone!
Happy New Year Everyone!

@Biozax

Biozax commented Dec 30, 2021

Forgot To Say: Model: Panasonic Toughbook CF-31 MK4 (Intel Core I5-3340M)

@Ftmmsch

Ftmmsch commented Dec 30, 2021

@Biozax:

Drive Google ? - Access denied !

@Biozax

Biozax commented Dec 30, 2021

Sorry, Looks Like I Didnt Open It For Everyone
Here It Is:
https://drive.google.com/file/d/1ADYcAcvcbLBODWNHtjKWgKira9R_6kej/view?usp=sharing

Thank You!

@userx14

userx14 commented Dec 30, 2021

@Biozax

With a hex editor one can find two occurrences:

I would guess that one is the current value and the other one could be loaded when one uses "reset to default".

Or Uefi Tool Alpha 51 seems to work as well (corresponds to second screenshot from hex editor):

The password is hashed (20 bytes) so you probably have to overwrite both occurrences with zeros.

The dangerous part is flashing the modified image back to the bios chip, and there is a known problem for the CF-31 MK3 resulting in a brick.
I would guess that it will very likely occur with a MK4, so please check the previous posts.
Since the flashing procedure could abort with an error I would advise against trying a flash with afuwin on windows without having a full backup, and your file seems to only be a partial backup.
A hardware flasher like a CH341a should be able to create a full backup.

Best,
Benjamin

@Biozax

Biozax commented Dec 30, 2021

Thanks For Your Attention and Help.
Understand.

@passssha

passssha commented Feb 1, 2022

Good afternoon. Can you please tell me, is it possible to restore the password?
5BC1B65211E76C83C7
B5225A7D8FD8FF339C8E66E9DA44659F
25FA89555BB0EE0B9D6669C1A81C2B77
16D2A92D3D88D0E3633EF7998AF41D4F
B1AA4405D8606B01

@userx14

userx14 commented Feb 1, 2022

@passssha
Your password is hashed (20 bytes with zeros as padding in between). The only option known to reset it is to overwrite the sections in the bios with zeros and flash the resulting image back to the device. Mind the risks involved and that flashing back the bios using the software afuwin tool on some panasonic models will lead to a bricked device (see this list, which is probably incomplete).
Best Benjamin

@passssha

passssha commented Feb 1, 2022

@en4rab
It worked (: I did the reset on Windows 10. I ran all programs as Administrator. Dump was edited in Hex Editor Neo (14-day trial). I found 2 occurrences on the mask "D8606B01" and wiped them all with zeros. After the reboot I was able to enter the BIOS. Thank you very much for your help. (Laptop Panasonic CF-53MK4)

@fastar1981

Hi all
Anyone could help me to get the bios pass
https://drive.google.com/file/d/14XVmrpRfDzr0uGdngT_cAbrlAQAQ73Qr/view?usp=sharing
Thanks

@userx14

userx14 commented Mar 10, 2022

Hi all Anyone could help me to get the bios pass https://drive.google.com/file/d/14XVmrpRfDzr0uGdngT_cAbrlAQAQ73Qr/view?usp=sharing Thanks

Hi @fastar1981,
unfortunately the password does not seem to be stored the same way as in the BIOS images I've already looked at.
I mean I can find the AMITSESetup in one compressed section, but can't find the associated data.
Maybe someone else has an idea?
Is this a new panasonic model?
Best,
Benjamin

@r-plabs

r-plabs commented Mar 11, 2022

@fastar1981
This doesn't look like a Panasonic BIOS image. what laptop it is?

@fastar1981

fastar1981 commented Mar 12, 2022

@userx14 @r-plabs
Thanks
I bought a computer with this motherboard but I don't know the model because it doesn't put it on the motherboard
Is a aptio V but I can't find where the sha256 is
I can't calculate the sha and I can't remove the pass because I can not find where the second sha is located
I think it's a weird motherboard

@t4thfavor

t4thfavor commented Mar 17, 2022

I need help with the XoR part. It's been a minute since I've been in c++, does anyone have a link or example project I can use to decrypt my hash? I have an MK1 CF-31 that I've been trying to extract the password from for 2 years.

using this https://xor.pw/# I'm able to recreate the OP's password (with their hashes), but mine just generated gibberish. Any ideas?

@userx14

userx14 commented Mar 17, 2022

I need help with the XoR part. It's been a minute since I've been in c++, does anyone have a link or example project I can use to decrypt my hash? I have an MK1 CF-31 that I've been trying to extract the password from for 2 years.

@t4thfavor
Just use the website xor.pw,
one field is your hashed password, the other the xor sequence from the first post, which one you put in which field (1/2) doesn't matter.
Make sure to cut the xor sequence from the first post on the end, such that it matches the length of your hashed password.
It is likely that the length matches already.

Best,
Benjamin

@t4thfavor

t4thfavor commented Mar 17, 2022

I need help with the XoR part. It's been a minute since I've been in c++, does anyone have a link or example project I can use to decrypt my hash? I have an MK1 CF-31 that I've been trying to extract the password from for 2 years.

@t4thfavor Just use the website xor.pw, one field is your hashed password, the other the xor sequence from the first post, which one you put in which field (1/2) doesn't matter. Make sure to cut the xor sequence from the first post on the end, such that it matches the length of your hashed password. It is likely that the length matches already.

Best, Benjamin

I did that, I get 0xcc as my first bit which maps to some nonsense character. What are the odds that my bios is encrypted somehow? Everything else matches and I can reproduce your results with the hashes you posted. Mine are just stupid.

This is what I get, and it maps to something like "Ì^M5‰œž¸0^H" where "^H" is one character and "^M" is one character, etc.
cc000d00350089009c009e00b80030000800eb0073002800d600c900cc001600c100fc00a300aa000000000000000000000000000000000000000000000000

EDIT: I have two identical machines, both produce the same hashes exactly. Is that good or bad?

@userx14

userx14 commented Mar 18, 2022

This is what I get, and it maps to something like "Ì^M5‰œž¸0^H" where "^H" is one character and :^M is one character, etc. cc000d00350089009c009e00b80030000800eb0073002800d600c900cc001600c100fc00a300aa000000000000000000000000000000000000000000000000

These 20 bytes (with zeros as padding in between) are most likely a sha1 hash of the password or input keys.
Since hashing is a one way function there is no feasible way to find the password.

But overwriting the hash with all zeros disables the password. Some models have write protection for software flashing the bios in place, which can result in a brick, see the posts above.
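An added example, not code from the gist or from any commenter, that turns userx14's observations in this thread into a check you can run over your own dump: where the plaintext is zero padding the stored bytes equal the XOR key (so the key's tail shows through), every second stored byte matches the key because the field is UTF-16LE, and a field that decodes to 20 non-printable bytes is the hashed case that cannot be reversed. The XOR key, the 64-byte field length and the sample dump are all constructed here; substitute the real sequence from the first post for your own image.

```python
import hashlib

FIELD_LEN = 64  # assumed: 32 UTF-16LE code units, matching the 64-byte blobs quoted above

# Constructed stand-in for the XOR sequence from the gist's first post; NOT the real key.
XOR_KEY = bytes((37 * i + 11) & 0xFF for i in range(FIELD_LEN))


def xor_bytes(data, key):
    """XOR data against key; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(d ^ k for d, k in zip(data, key))


def classify(decoded):
    """Interpret a decoded field.

    ("password", text)  zero-padded UTF-16LE ASCII, the case the gist decodes directly
    ("hash", 20 bytes)  20 non-printable low bytes, the SHA-1-like case on newer models
    ("unknown", raw)    anything else, e.g. a field that was not XOR'd with this key
    """
    lo, hi = decoded[0::2], decoded[1::2]
    if any(hi):                      # UTF-16LE ASCII has every second byte zero
        return ("unknown", decoded)
    body = lo.rstrip(b"\x00")
    if body and all(0x20 <= b < 0x7F for b in body):
        return ("password", body)
    if 0 < len(body) <= 20:
        return ("hash", lo[:20])
    return ("unknown", decoded)


def find_fields(dump, key, tail=14):
    """Offsets of candidate fields. Where the plaintext is zero padding the stored
    byte equals the key byte, so the last `tail` key bytes appear verbatim in the
    dump. A password filling all 32 code units leaves no padding and is missed."""
    marker = key[-tail:]
    offsets, pos = [], 0
    while (pos := dump.find(marker, pos)) != -1:
        start = pos + tail - len(key)
        if start >= 0:
            offsets.append(start)
        pos += 1
    return offsets


def recover(dump, key=XOR_KEY):
    """Locate every field in the dump and report (offset, kind, value)."""
    results = []
    for off in find_fields(dump, key):
        decoded = xor_bytes(dump[off:off + len(key)], key)
        kind, value = classify(decoded)
        results.append((off, kind, value))
    return results


def encode_field(plaintext, key=XOR_KEY):
    """Build a stored field from plaintext (used only to construct sample data)."""
    return xor_bytes(plaintext.ljust(FIELD_LEN, b"\x00"), key)


def build_sample_dump():
    """Constructed dump, not a real device image: filler, a user-password field,
    filler, a hashed supervisor field, filler."""
    user = encode_field("hunter2".encode("utf-16-le"))
    digest = hashlib.sha1(b"supervisor").digest()
    # the hash is stored as 20 UTF-16LE code units: one zero byte after each hash byte
    supervisor = encode_field(bytes(b for h in digest for b in (h, 0)))
    filler = bytes(range(256)) * 2
    return filler + user + filler[:100] + supervisor + filler


if __name__ == "__main__":
    for off, kind, value in recover(build_sample_dump()):
        shown = value.hex() if kind == "hash" else value.decode("ascii", "replace")
        print(f"0x{off:06x} {kind:8s} {shown}")
```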

@t4thfavor

@userx14 I overwrote the passwords last night and just overwrote the whole bios image, at first it didn’t work, but then I realized I left a single character in one of the bios blocks. I removed both password blocks and wrote them back from inside windows. Seems to be a serious flaw in their bios security, but whatever, it benefits me this time :)

Thanks for your help!

@dragonlost

Hello.
I have a Panasonic CF-AX2 laptop. Unfortunately I only have the user Bios password so I can't boot from USB.
I dumped my BIOS. I found the 2 areas concerned, however I don't see what I can do afterwards to get the supervisor password or delete it.

Thanks for your help

dump link : https://drive.google.com/file/d/1YQbb03qpKXiYYhF8bX1yV_i5Tg36xLAs/view?usp=sharing

@t4thfavor

t4thfavor commented Mar 31, 2022 via email

@dragonlost

ok it's done I replaced the 2 passwords with 0 to 2 places. What tool do I need to flash the bios with?

@userx14

userx14 commented Apr 1, 2022

ok it's done I replaced the 2 passwords with 0 to 2 places. What tool do I need to flash the bios with?

Well, that's the tricky part.
The issue is that the software flasher AFUWIN bricks some laptops, likely because of write protection of the flash chip.
In this case the only possible way to recover the bios is using a hardware bios programmer like the ch341a,
which can be had for around 10 bucks. The previous posts contain details on this procedure.
Unfortunately when backing up the bios with AFUWIN it sometimes only generates a partial backup of half the size, where some parts like the ME-region are missing.
So the first thing you should do, when you consider the software flashing, is to check the size of the flash chip based on the markings on the physical chip and compare with the size of your backup.

@dragonlost

Ok i see. my bios chip is N25Q128A. do you know what size the file should be?

@userx14

userx14 commented Apr 1, 2022

Ok i see. my bios chip is N25Q128A. do you know what size the file should be?

That chip is 128Mb / (8 bits per byte) = 16MBytes,
So 16MB is the filesize for a complete dump.

The risk is, that flashing the modified image could not work and "restoring" the chip with a hardware flasher afterwards might get difficult,
as full image dumps are not that easy to find on the web (either paywall or just not available). Also you might lose some model specific things like the mac address of the network card when you flash dumps from someone else.

@dragonlost

ok I have all the equipment at home to desolder this component. I will order a programmer to extract and then completely reinject the bios.

@warst

warst commented Apr 1, 2022

ok I have all the equipment at home to desolder this component. I will order a programmer to extract and then completely reinject the bios.

Don't de-solder it, just order one of these clips and some jumper wire - https://uk.farnell.com/pomona/5250/test-clip-8-pos-1-27mm-soj-soic/dp/2406243

@userx14

userx14 commented Apr 1, 2022

Trying the sop8 clip first seems reasonable, if it does not work you can always fall back to desoldering.
Sometimes there are additional devices on the 3.3v rail which overwhelm the bios programmer's power output capability,
in which case you have no choice but to desolder or temporarily cut the 3.3V power trace.

@warst

warst commented Apr 1, 2022

Trying the sop8 clip first seems reasonable, if it does not work you can always fall back to desoldering. Sometimes there are additional devices on the 3.3v rail which overwhelm the bios programmer's power output capability, in which case you have no choice but to desolder or temporarily cut the 3.3V power trace.

Different devices do certainly behave differently. I have processed hundreds of different bios chips from most vendors (including Apple which has its own quirks!), there's always a way to make them read. A combination of applying power supply, removing battery, turning the device on (with no battery attached) and then off, without removing power supply can work. Or no battery/no power supply. Sometimes even holding down the power button whilst reading will work. Panasonic is very straightforward and should read just fine with a clip. WSON8 works just the same but using probes.

@userx14

userx14 commented Apr 1, 2022

@warst
Very interesting, indeed.
Which programmer are you using?
I was always afraid of powering the mainboard, since then I feared that there are potentially devices communicating with the bios chip and the output transistors of the programmer would work against the devices on the mainboard (especially the clock line).
Since as far as I know the cheap ones have no additional current limiting resistors for their data lines.

@warst

warst commented Apr 1, 2022

@warst Very interesting, indeed. Which programmer are you using? I was always afraid of powering the mainboard, since then I feared that there are potentially devices communicating with the bios chip and the output transistors of the programmer would work against the devices on the mainboard (especially the clock line). Since as far as I know the cheap ones have no additional current limiting resistors for their data lines.

I use a TL866ii Plus with ICSP adapter, it's brilliant and not expensive either. http://www.autoelectric.cn/en/tl866_main.html The board is used to having this low voltage during normal operation so the worst you will get is a bad dump, follow the rule of dump twice and compare for differences (which I'm sure you do) and if the dumps are the same, you are good to proceed. I don't disconnect the connection to the chip until I have flashed back as the chances are, if it read OK, it'll write back OK too. So long as the laptop is in an OFF state, having power applied hasn't ever caused me any issues. The worst I have ever had is a bad dump so then I try a different variation of power/battery combination. I prefer to test with everything removed first and then work my way up to power adapter with no battery and on from there.

@userx14

userx14 commented Apr 1, 2022

I use a TL866ii Plus with ICSP adapter, it's brilliant and not expensive either. http://www.autoelectric.cn/en/tl866_main.html The board is used to having this low voltage during normal operation so the worst you will get is a bad dump, follow the rule of dump twice and compare for differences (which I'm sure you do) and if the dumps are the same, you are good to proceed. I don't disconnect the connection to the chip until I have flashed back as the chances are, if it read OK, it'll write back OK too. So long as the laptop is in an OFF state, having power applied hasn't ever caused me any issues. The worst I have ever had is a bad dump so then I try a different variation of power/battery combination. I prefer to test with everything removed first and then work my way up to power adapter with no battery and on from there.

Yeah, that one seems to have way better output protection.
Next time I come across a board that needs additional power I'm going to try your method with the off state and connected ac adapter. That probably only powers the 3.3V line and leaves the data pins unpowered. Thanks for the info.

@warst

warst commented Apr 1, 2022

Yeah, that one seems to have way better output protection. Next time I come across a board that needs additional power I'm going to try your method with the off state and connected ac adapter. That probably only powers the 3.3V line and leaves the data pins unpowered. Thanks for the info.

No problem at all, let me know how you get on, I have subscribed to this since it started, felt I should at least start commenting to help people out! Oh, also, you do know that some of the chips are 1.8v? I have a little step down in-line module to handle that too, so the clips still just work the same. I also have some tips for WSON8 should you ever want to read those without desoldering/attaching jumper wires to the pads.

@dragonlost

Ok that's good I have a clamp for SOP-8 and I bought a TL866II Plus programmer too!
I will keep you posted on my progress as soon as I receive it.

@warst

warst commented Apr 1, 2022

Ok that's good I have a clamp for SOP-8 and I bought a TL866II Plus programmer too!
I will keep you posted on my progress as soon as I receive it.

Make sure you get yourself one of these too - SPI DRIVER, SPI flash in Circuit Programming adapter for TL866II PLUS programmer (£6.37): https://a.aliexpress.com/_v1V1wU

@9Kid

9Kid commented Apr 4, 2022

Hello, I apologize for the question, could the operating hours of a device be modified by this method? Is there a tutorial somewhere? thx.

@t4thfavor

Hello, I apologize for the question, could the operating hours of a device be modified by this method? Is there a tutorial somewhere? thx.

Two ways to find out.

  1. Take a dump of the bios chip, run PC for several hours, take second dump and then compare them in a hex editor.
  2. Take a dump in bios, run PC for several hours, flash it back to PC and see if the hours reset to what they were in the original flash. (This one could cause issues with write protected laptops)

Both methods should give you some reasonable idea on whether or not that info is stored in the bios at all.

@dragonlost

That's all worked! I followed this video but without unsoldering the component : https://www.youtube.com/watch?v=YG01jdeMVmk

In link the complete bios of my CF-AX2. This might be useful for someone : https://drive.google.com/drive/folders/1OBuW-YCeXo6noc3bsXV3EaS4PXw6Ia7d?usp=sharing

@dragonlost

Only problem I have left. The hard drive is locked and cannot be unlocked ! I will take it out to reformat it on another PC. I do not want to recover the give nor windows 7.

@9Kid

9Kid commented Apr 5, 2022

  1. hex editor.

Thx I will try. all the best.

@avilon-reg

Hi! Tell me how to get this string for my CF-53?
5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35
It is my dump:
0000: 4E5641529800FFFFFF830D414D495453
0010: 455365747570005BE2B69C11CC6C0AC7
0020: AD229C7DD1D8E033748E7DE96D44E89F
0030: BFFA885595B0660B0F66BCC1E51CC677
0040: 16D2A92D3D88D0E3633EF7998AF41D4F
0050: B1AA4405D8606B5BD0B67E113D6C59C7
0060: 6322347DF1D85E33718E0AE966442F9F
0070: 50FAF155F2B0BB0BE1662EC19E1C6A77
0080: 16D2A92D3D88D0E3633EF7998AF41D4F
0090: B1AA4405D8606B01

@userx14

userx14 commented Apr 15, 2022

Hi @avilon-reg

Both passwords are hashed,
the first one corresponds to these bytes in your dump:
5be2b69c11cc6c0ac7ad229c7dd1d8e033748e7de96d44e89fbffa885595b0660b0f66bcc1e51cc67716d2a92d3d88d0e3633ef7998af41d4fb1aa4405d8606b
-> (xored and removed padding in between bytes) ->
71ba76474de8d67a5abc3900c4863753c6e00a45

the second one is here:
5bd0b67e113d6c59c76322347df1d85e33718e0ae966442f9f50faf155f2b0bb0be1662ec19e1c6a7716d2a92d3d88d0e3633ef7998af41d4fb1aa4405d8606b
-> (xored and removed padding in between bytes) ->
435887148340f6c45fcb32c72bff508e287271e9

Both are only the sha1 hash of the respective passwords which one cannot reverse. But you can overwrite the passwords' raw bytes in the bios dump with zeros and flash the modified image back to your bios flash. But read some of the previous comments, because some laptops have write protection which bricks the device if you attempt to flash it with afuwin.

Best,
Benjamin

@OAKTREELIMB

Hi,
I extracted following strings from my Panasonic CF-53 mk1 laptop BIOS.
Would you please help me to find the passwords. The only thing I know so far is my Panasonic has both Power On Password and Administrator Password.
Best Regards

0000 5B 03 B6 49 11 B3 6C 48 C7 3A 22 23 7D F1 D8 E0
0010 33 E7 8E 4E E9 B1 44 08 9F 5E FA F0 55 D8 B0 6C
0020 0B 65 66 F3 C1 34 1C 83 77 16 D2 A9 2D 3D 88 D0
0030 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 68
0040 5B BB B6 5B 11 A7 6C FA C7 46 22 CD 7D 5A D8 32
0050 33 CB 8E 17 E9 D9 44 C6 9F 9C FA 4B 55 9A B0 F4
0060 0B 89 66 41 C1 7F 1C FA 77 16 D2 A9 2D 3D 88 D0
0070 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B
0080 01


@userx14

userx14 commented Jun 14, 2022

Hi @OAKTREELIMB,

Both of your passwords seem to be hashed, when xored they return a 20-byte long sequence (probably sha hash) with zero bytes as padding in between. This hashing means that it's likely impossible to determine the original password.

You could overwrite the bytes with zeros and flash the bios back onto the machine which removes the passwords, but please read some of the previous comments regarding problems on flashing the bios with afuwin because of hardware write protection and resulting bricks.

Best, Benjamin

@OAKTREELIMB

@userx14
Thank you for your help.
I think I'm not going to clear the Password. I had removed the hard drive from the laptop and put it on another computer as either a boot drive or a secondary drive. On the other working computer, it asks for hard drive password immediately after power on. Entering wrong password 3 times it will shut down the computer. I then remove the locked drive, boot my computer up then put the locked hard drive in a connected SATA docking station. My computer can see the physical drive but there is no partition. I can't do anything with it. When I try to partition it, I get error message "I/O error" "too many bad sectors".
I can put the locked drive back to original Panasonic Laptop. It can boot up fine without the need of entering any password and run windows normally. I'm afraid that the Panasonic with the locked hard drive will ask for password at power up if I flash the BIOS with password removed.

@userx14

userx14 commented Jun 14, 2022

@OAKTREELIMB,
Sorry but I haven't experimented with locked hdd's yet. What you encounter sounds like the password protection feature of hdd's called "ata password". Depending on the manufacturer of the drive there seem to be some master passwords floating around to remove the password protection.

I'm afraid that the Panasonic with the locked hard drive will ask for password at power up if I flash the BIOS with password removed.

If you create a dump with a hardware flasher before writing your modified bios back,
you should be able to restore the original image with the password still in place.

@esters

esters commented Jun 16, 2022

@OAKTREELIMB

I had the same issue with CF-53 MK 1. Turns out the hdd was locked with the first 64 bits of bios password. More here - https://github.com/esters/Toughbook-CF53-MK1#hard-disk-password-removal

@altisco

altisco commented Jun 18, 2022

@OAKTREELIMB

same issue for me, solved by using HDD Master password (seems all CF-53 share the same).
If you are still in trouble you can give me your email and I'll send you the HEX Master Password.
https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd?permalink_comment_id=3698449#gistcomment-3698449

@OAKTREELIMB

@altisco
Yes, please send me the Master Password and instruction how to use it.
Thank you so much.
Please send to treelimb@gmail.com

@zCruuz

zCruuz commented Jul 12, 2022

Hi, I got my dump but don't understand how I can determine if the Toughbook CF-53 password is unencrypted. Can someone tell me how this "xoring" works?
my dump looks like this:
4E 56 41 52 8B 00 FF FF FF 88 5B E2 B6 9C 11 CC 6C 0A C7 AD 22 9C 7D D1 D8 E0 33 74 8E 7D E9 6D 44 E8 9F BF FA 88 55 95 B0 66 0B 0F 66 BC C1 E5 1C C6 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B 5B D0 B6 7E 11 3D 6C 59 C7 63 22 34 7D F1 D8 5E 33 71 8E 0A E9 66 44 2F 9F 50 FA F1 55 F2 B0 BB 0B E1 66 2E C1 9E 1C 6A 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B 01

@userx14

userx14 commented Jul 12, 2022

Hi @zCruuz

The first sequence in your dump is:
5be2b69c11cc6c0ac7ad229c7dd1d8e033748e7de96d44e89fbffa885595b0660b0f66bcc1e51cc67716d2a92d3d88d0e3633ef7998af41d4fb1aa4405d8606b
->xored 71ba76474de8d67a5abc3900c4863753c6e00a45

The second sequence is:
5bd0b67e113d6c59c76322347df1d85e33718e0ae966442f9f50faf155f2b0bb0be1662ec19e1c6a7716d2a92d3d88d0e3633ef7998af41d4fb1aa4405d8606b
->xored 435887148340f6c45fcb32c72bff508e287271e9

Both seem to be hashes.

Best,
Benjamin

@kevingrout

Hi trying to recover password on a Stone laptop, Aptio4 told me I needed Aptio5 which successfully extracted rom file.
Found a few C811FA38-42C8-4579-A9BB-60E94EDDFB34 on sub on NVRAM but after that things don't look right, any pointers would be good.
Many thanks
Kevin

@userx14

userx14 commented Jul 13, 2022

Hi trying to recover password on a Stone laptop, Aptio4 told me I needed Aptio5 which successfully extracted rom file. Found a few C811FA38-42C8-4579-A9BB-60E94EDDFB34 on sub on NVRAM but after that things don't look right, any pointers would be good. Many thanks Kevin

So from what I get, you dumped your rom file and are unable to find the storage location of the xored / (possibly hashed) password with uefi tool?

  • make sure you are using uefi tool version a51
  • if uefi tool does not work you could try a hex editor and search for 4f b1 aa 44 05 d8 60 6b which is the last part of the sequence if the password is hashed. To check if you really found the location, copy some bytes before that and compare with the xor key in the first post. Every second byte should look the same.

@kevingrout

bios
Hi
Can't find 4f b1 aa using hexedit, attached is a picture, less bytes than the shown ones but data at 40, the user password is set to 1111

@userx14

userx14 commented Jul 13, 2022

bios Hi Can't find 4f b1 aa using hexedit, attached is a picture, less bytes than the shown ones but data at 40, the user password is set to 1111

Could be hashes of the passwords directly and not xored?
Both seem to be 20 bytes long and seemingly random, so they could be sha1.

@kevingrout

Yes noticed that so I'm presuming the user password '1111' is 20 bytes 26F7EF0F129A96B45A2BC3921B60A5F371C7B9B7

@userx14

userx14 commented Jul 13, 2022

Yes noticed that so I'm presuming the user password '1111' is 20 bytes 26F7EF0F129A96B45A2BC3921B60A5F371C7B9B7

Yeah, but if they have done their job well it is salted with something before putting it into the hash function.

You could check if one of them changes if you are able to alter the user password.

@kevingrout

kevingrout commented Jul 13, 2022

Brain now hurts :) more dump info
Note 4 x 1 different from before as was looking at wrong C811FA38-42C8-4579-A9BB-60E94EDDFB34
user =20 x 0's

8B36AB9EB46EE70ADF40E18A9E037E46
6FE4C665000000000000000000000000
000000000000000080691481CCAD07F6
89E882E202FD951DC2576E5200000000
00000000000000000000000000000000
00

user =4 x 1's
8B84FE6B155A7C2CEA39C6E9A02539BC
1A9F30DE000000000000000000000000
000000000000000080691481CCAD07F6
89E882E202FD951DC2576E5200000000
00000000000000000000000000000000
00

@kevingrout

Update, cleared user password and first 20 bytes changed to 00 so read/edited and reflashed now have admin access and no passwords set. would have been nice to work out what password was.
Many thanks for your help userx14

@cbbeerman

I'm working on a Toughbook CF-31 and was able to find the password in the .rom as described.
From the file it appears to only have a supervisor password
I also don't understand where XOR value comes from
I'd appreciate any help
Thank you

0000 00000000000000000000000000000000
0010 00000000000000000000000000000000
0020 00000000000000000000000000000000
0030 00000000000000000000000000000000
0040 5B42B64D110C6CF3C782227A7D66D89A
0050 33DB8E92E9E844B19F18FA45552AB0E1
0060 0B626693C1F81C3B7736D2742D1A8887
0070 E3F73EF99901F4C34FF7AA1605A46028
0080 01

5B42B64D110C6CF3C782227A7D66D89A33DB8E92E9E844B19F18FA45552AB0E10B626693C1F81C3B7736D2742D1A8887E3F73EF99901F4C34FF7AA1605A46028

@userx14

userx14 commented Jul 14, 2022

When calculating the xor of the bytes of your dump with the key from en4rab I get:
d1006b00b600be0062000e0061000000f5005300bc00590063004b008800d400ab00cf001700b8002000dd002700570094000e008b00de00460052007c0043
padding removed:
d16bb6be620e6100f553bc59634b88d4abcf17b820dd2757940e8bde46527c43
First time I've seen a hashed result that is 32bytes long, if you ignore the zero padding. Maybe hashed with sha256?
Best
Benjamin

@cbbeerman

Maybe or could it be that the unsigned int key = 0x935b is wrong for this Toughbook model. Guess I'll have to figure out how the key changes the XOR value

@userx14

userx14 commented Jul 14, 2022

Well I think you found the right sequence.
At least the sequence was definitely xored with the en4rab key, since otherwise you would not get those 0x00 as padding.

@cbbeerman

Very good point. Maybe it has something to do with possible uppercase characters in the password.
I'll play with some of my ideas and will post the results if I discover anything.
Thank you userx14 for all of your help and thank you en4rab for posting this.

@corty8

corty8 commented Jul 26, 2022

Hi All
I was just wondering if anyone has looked into the location where the Accumulative Hours are stored on the Toughbooks?
I can find references to it but not much more than that
Cheers

@Wasmachineman-NL

Hi All I was just wondering if anyone has looked into the location where the Accumulative Hours are stored on the Toughbooks? I can find references to it but not much more than that Cheers

why, so you can fuck over the used market by selling CF-19's with 15k+ hours as 500h? No thanks.

@maxtheobald

Hello,
I have a FZ-G1 MK4 in front of me which has a bios password. I followed the instructions and the video on Youtube, but made a dump via CH341a and neoprogrammer. However, I can't find a password in AMITSESetup.

HEX:
0000 4E5641521901FFFFFF8327414D495453
0010 455365747570000000000000000000000
0020 00000000000000000000000000000000
0030 00000000000000000000000000000000
0040 00000000000000000000000000000000
0050 00000000000000000000000000000000
0060 00000000000000000000000000000000
0070 00000000000000000000000000000000
0080 00000000000000000000000000000000
0090 00000000000000010000000000000000
00A0 00000000000000000000000000000000
00B0 00000000000000000000000000000000
00C0 00000000000000000000000000000000
00D0 00000000000000000000000000000000
00E0 00000000000000000000000000000000
00F0 00000000000000000000000000000000
0100 00000000000000000000000000000000
0110 000000000000000000

HEX Body:
0010 00000000000000000000000000000000
0020 00000000000000000000000000000000
0030 00000000000000000000000000000000
0040 00000000000000000000000000000000
0050 00000000000000000000000000000000
0060 00000000000000000000000000000000
0070 00000000000000000000000000000000
0080 01000000000000000000000000000000
0090 00000000000000000000000000000000
00A0 00000000000000000000000000000000
00B0 00000000000000000000000000000000
00C0 00000000000000000000000000000000
00D0 00000000000000000000000000000000
00E0 00000000000000000000000000000000
00F0 00000000000000000000000000000000
0100 0000

I hope for a bad or wrong dump and next time I will unsolder the IC and re-read it.

@userx14

userx14 commented Sep 6, 2022

I hope for a bad or wrong dump and next time I will unsolder the IC and re-read it.

Hi max,

I would guess that a bad dump is unlikely, since you were able to find AMITSESetup.

Maybe the following issues apply:

  • UEFI tool sometimes does not show the content of the variables, if you are using the current version. Use the older "a51" release and see if the content changes.
  • If this does not help you can try search for the last few hex characters of the key "B1 AA 44 05 D8 60 6B" by opening the bios with a raw hex editor. For short passwords or the 20 bytes hash these should stay the same. But there are potentially multiple matches.
  • Panasonic might have changed the way that the password is stored.

Best,
Benjamin

@corty8

corty8 commented Sep 7, 2022

Hello, I have a FZ-G1 MK4 in front of me which has a bios password. I followed the instructions and the video on Youtube, but made a dump via CH341a and neoprogrammer. However, I can't find a password in AMITSESetup.

HEX: 0000 4E5641521901FFFFFF8327414D495453 0010 455365747570000000000000000000000 0020 00000000000000000000000000000000 0030 00000000000000000000000000000000 0040 00000000000000000000000000000000 0050 00000000000000000000000000000000 0060 00000000000000000000000000000000 0070 00000000000000000000000000000000 0080 00000000000000000000000000000000 0090 00000000000000010000000000000000 00A0 00000000000000000000000000000000 00B0 00000000000000000000000000000000 00C0 00000000000000000000000000000000 00D0 00000000000000000000000000000000 00E0 00000000000000000000000000000000 00F0 00000000000000000000000000000000 0100 00000000000000000000000000000000 0110 000000000000000000

HEX Body: 0010 00000000000000000000000000000000 0020 00000000000000000000000000000000 0030 00000000000000000000000000000000 0040 00000000000000000000000000000000 0050 00000000000000000000000000000000 0060 00000000000000000000000000000000 0070 00000000000000000000000000000000 0080 01000000000000000000000000000000 0090 00000000000000000000000000000000 00A0 00000000000000000000000000000000 00B0 00000000000000000000000000000000 00C0 00000000000000000000000000000000 00D0 00000000000000000000000000000000 00E0 00000000000000000000000000000000 00F0 00000000000000000000000000000000 0100 0000

I hope for a bad or wrong dump and next time I will unsolder the IC and re-read it.

I have never had any success trying to do these on the board and for what it is worth they are by far one of the easiest chips to remove and re-install once you have reprogrammed them

@mikrovr

mikrovr commented Sep 7, 2022

@corty8
It will not be possible to find the corresponding password for your model. Just clear the NVRAM.

@corty8

corty8 commented Sep 7, 2022

@corty8 It will not be possible to find the corresponding password for your model. Just clear the NVRAM.

Oh yes that is what I have done, I have done dozens of the FZ-G1 units, but someone above mentions that they have tried to do it while the BIOS chip is still soldered to the board and said I have not had any success in trying to do it that way, I always remove the chip to clear it

@maxtheobald

Hello, I have a FZ-G1 MK4 in front of me which has a bios password. I followed the instructions and the video on Youtube, but made a dump via CH341a and neoprogrammer. However, I can't find a password in AMITSESetup.
HEX: 0000 4E5641521901FFFFFF8327414D495453 0010 455365747570000000000000000000000 0020 00000000000000000000000000000000 0030 00000000000000000000000000000000 0040 00000000000000000000000000000000 0050 00000000000000000000000000000000 0060 00000000000000000000000000000000 0070 00000000000000000000000000000000 0080 00000000000000000000000000000000 0090 00000000000000010000000000000000 00A0 00000000000000000000000000000000 00B0 00000000000000000000000000000000 00C0 00000000000000000000000000000000 00D0 00000000000000000000000000000000 00E0 00000000000000000000000000000000 00F0 00000000000000000000000000000000 0100 00000000000000000000000000000000 0110 000000000000000000
HEX Body: 0010 00000000000000000000000000000000 0020 00000000000000000000000000000000 0030 00000000000000000000000000000000 0040 00000000000000000000000000000000 0050 00000000000000000000000000000000 0060 00000000000000000000000000000000 0070 00000000000000000000000000000000 0080 01000000000000000000000000000000 0090 00000000000000000000000000000000 00A0 00000000000000000000000000000000 00B0 00000000000000000000000000000000 00C0 00000000000000000000000000000000 00D0 00000000000000000000000000000000 00E0 00000000000000000000000000000000 00F0 00000000000000000000000000000000 0100 0000
I hope for a bad or wrong dump and next time I will unsolder the IC and re-read it.

I have never had any success trying to do these on the board and for what it is worth they are by far one of the easiest chips to remove and re-install once you have reprogrammed them

Okay, no problem, I'll desolder the chip and read it in again.

@corty8 It will not be possible to find the corresponding password for your model. Just clear the NVRAM.

Okay and now clearing the NVRAM means what exactly? What do I have to watch out for?

I hope for a bad or wrong dump and next time I will unsolder the IC and re-read it.

Hi max,

I would guess that a bad dump is unlikely, since you were able to find AMITSESetup.

Maybe the following issues apply:

  • UEFI tool sometimes does not show the content of the variables, if you are using the current version. Use the older "a51" release and see if the content changes.
  • If this does not help you can try search for the last few hex characters of the key "B1 AA 44 05 D8 60 6B" by opening the bios with a raw hex editor. For short passwords or the 20 bytes hash these should stay the same. But there are potentially multiple matches.
  • Panasonic might have changed the way that the password is stored.

Best, Benjamin

I will search in Hex Editor for these Hex characters, maybe I will have success.

Thank you guys for your help.

best wishes

@corty8

corty8 commented Sep 7, 2022

maxtheobald are you doing a search for the GUID or are you actually scrolling through and trying to find it?

@warst

warst commented Sep 7, 2022

Hello, I have a FZ-G1 MK4 in front of me which has a bios password. I followed the instructions and the video on Youtube, but made a dump via CH341a and neoprogrammer. However, I can't find a password in AMITSESetup.
HEX: 0000 4E5641521901FFFFFF8327414D495453 0010 455365747570000000000000000000000 0020 00000000000000000000000000000000 0030 00000000000000000000000000000000 0040 00000000000000000000000000000000 0050 00000000000000000000000000000000 0060 00000000000000000000000000000000 0070 00000000000000000000000000000000 0080 00000000000000000000000000000000 0090 00000000000000010000000000000000 00A0 00000000000000000000000000000000 00B0 00000000000000000000000000000000 00C0 00000000000000000000000000000000 00D0 00000000000000000000000000000000 00E0 00000000000000000000000000000000 00F0 00000000000000000000000000000000 0100 00000000000000000000000000000000 0110 000000000000000000
HEX Body: 0010 00000000000000000000000000000000 0020 00000000000000000000000000000000 0030 00000000000000000000000000000000 0040 00000000000000000000000000000000 0050 00000000000000000000000000000000 0060 00000000000000000000000000000000 0070 00000000000000000000000000000000 0080 01000000000000000000000000000000 0090 00000000000000000000000000000000 00A0 00000000000000000000000000000000 00B0 00000000000000000000000000000000 00C0 00000000000000000000000000000000 00D0 00000000000000000000000000000000 00E0 00000000000000000000000000000000 00F0 00000000000000000000000000000000 0100 0000
I hope for a bad or wrong dump and next time I will unsolder the IC and re-read it.

I have never had any success trying to do these on the board and for what it is worth they are by far one of the easiest chips to remove and re-install once you have reprogrammed them

Okay, no problem, I'll desolder the chip and read it in again.

@corty8 It will not be possible to find the corresponding password for your model. Just clear the NVRAM.

Okay and now clearing the NVRAM means what exactly? What do I have to watch out for?

I hope for a bad or wrong dump and next time I will unsolder the IC and re-read it.

Hi max,
I would guess that a bad dump is unlikely, since you were able to find AMITSESetup.
Maybe the following issues apply:

  • UEFI tool sometimes does not show the content of the variables, if you are using the current version. Use the older "a51" release and see if the content changes.
  • If this does not help you can try search for the last few hex characters of the key "B1 AA 44 05 D8 60 6B" by opening the bios with a raw hex editor. For short passwords or the 20 bytes hash these should stay the same. But there are potentially multiple matches.
  • Panasonic might have changed the way that the password is stored.

Best, Benjamin

I will search in Hex Editor for these Hex characters, maybe I will have success.

Thank you guys for your help.

best wishes

For what it's worth, I've done at least 50 FZ-G1's of various generations (amongst many other Panasonic models) and have read the chip on the board every time. It's a game of trial and error. Remove the battery, attach the charger - try to read. If that fails, leave the battery connected, with the charger connected. Or try turning the device on, with battery and charger connected and then switch off, leave all connected and then try to read. Sometimes you have to enter the bios and then power off. It's usually a combination of these things AND, sometimes the same device will perform differently to another of the same model. I also have a fair amount of luck using a bench power supply for powering the eeprom, this way I'm not relying on the fluctuating power supply of a cheap programmer. TL866ii is also a good programmer, but I have a CH341a which I modified to not supply 5v to the chip (as these have a design flaw - google CH341a 3.3v mod).

If you get one successful dump, dump again and then compare the two files with HxD for any differences. If they are identical, you are good to go.

Good luck!

@satorisage

Hi - Trying to understand fully what you've shared here.

The HEX I retrieve from the rom is:
5B 46 B6 48 11 E2 6C 70 C7 9D 22 B1 7D 43 D8 2E 33 B8 8E D7 E9 5C 44 DA 9F 8A FA FE 55 D8 B0 7F 0B E0 66 C8 C1 FF 1C A6 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

In your example you said you "xor" that with the other 64 bytes (the second 32 being the same as the first set) - but where did that part come from? Is that applied across all cf-53 models or did you need to retrieve that out of the rom?

Also how can I "xor" the HEX values? Is it an operation I can write in Python?

Thanks in advance for your time and assistance - I love reverse engineering and learning

@userx14

userx14 commented Sep 9, 2022

Hi satorisage,

but where did that part come from?

See the section "1337 encryption" of en4rab's original post. The key can be generated in 16 bytes increments because it is
0x935b * (currentIteration + 1),
when you only use the lower 16 bytes of the result. This seems to be the same across many different toughbook models.

Is it an operation I can write in Python?

Yes, see following code using your rom data.

show code for panasoHardcoded.py python3
import binascii

def hexPrettyPrint(bytesStr):
    print(binascii.hexlify(bytesStr, sep=" "))

def generatePanaXorSequence(numOfBytes):
    if(numOfBytes%2):
        raise ValueError("Only even number of bytes supported")
    key = int("0x935b", 16)
    numOfInt16 = numOfBytes//2
    generatedKey = bytes()
    for i in range(numOfInt16):
        keyForThisInt16 = key*(i+1) 
        keyForThisInt16 = keyForThisInt16 & int("0xffff", 16)   #only keep the lower 2 bytes
        keyForThisInt16 = keyForThisInt16.to_bytes(2, 'little') 
        generatedKey = generatedKey + keyForThisInt16
    return generatedKey
    
def xorByteStrings(bytesStr1, bytesStr2):
    if(len(bytesStr1) != len(bytesStr2)):
        raise ValueError("Xor needs same length of byteStrings")
    byteStringResult = bytes()
    for i in range(len(bytesStr1)):
        byteStringResult += bytes([bytesStr1[i] ^ bytesStr2[i]])
    return byteStringResult
    
def getSHA1ifExist(bytesStr):
    sha1 = bytes()
    for i in range(20):                 #sha1 is 20 bytes
        if(bytesStr[2*i] != 0):         #check if the upper bytes is always zero of each int16
            return None
        sha1 += bytes([bytesStr[2*i + 1]])
    for i in range(40, len(bytesStr)):
        if(bytesStr[i] != 0):           #all bytes after the first 40 bytes should be zero
            return None
    return sha1

def getASCIIifExist(bytesStr):
    asciiBytes = bytes()
    for i in range(len(bytesStr)//2):
        if(bytesStr[2*i+1] != 0):        #check if the lower bytes is always zero of each int16
            return None
        if(bytesStr[2*i]):
            asciiBytes += bytes([bytesStr[2*i]])
    return asciiBytes.decode("ascii")

#calculation
yourValueFromNvRam = "5B 46 B6 48 11 E2 6C 70 C7 9D 22 B1 7D 43 D8 2E 33 B8 8E D7 E9 5C 44 DA 9F 8A FA FE 55 D8 B0 7F 0B E0 66 C8 C1 FF 1C A6 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B"
yourValueFromNvRam = yourValueFromNvRam.replace(" ", "")                        #remove whitespaces
yourValueFromNvRam = binascii.unhexlify(yourValueFromNvRam)                     #to bytes
generatedKeyWithSameLength = generatePanaXorSequence(len(yourValueFromNvRam))
resultOfXor = xorByteStrings(yourValueFromNvRam, generatedKeyWithSameLength)

#analysis
sha1 = getSHA1ifExist(resultOfXor)
if(sha1 == None):
    asciiString = getASCIIifExist(resultOfXor)
    if(asciiString):
        print(f"here is your password:\n{asciiString}")
    print("here is your xored sequence:")
    hexPrettyPrint(resultOfXor)
else:
    print("the xored sequence is likely the following sha1 hash:")
    hexPrettyPrint(sha1)

(edit 04.01.23: add ascii conversion)

Please let me know if you have any additional questions.

One interesting thing I haven't had time to implement yet is to open the dumped hex file, and search for occurrences of the last few bytes of the xor sequence for the length 64 bytes.
Since the password or hash is likely to be relatively short <40 bytes the last few bytes are most likely equal to the xor sequence.
Then derive the start of the sequence and overwrite all 64 bytes with zeros to generate a flashable image without password protection.

Maybe a check if the bios dump is complete (includes the intel me section, ...) would be important, because flashing back a partial modified dump will result in a "dead" device. Finding a complete dump online to recover from this state might be difficult.

Best,
Benjamin
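To make the search-and-check idea in the comment above concrete, here is an added Python 3 example (my own code, not from the gist or from userx14): it regenerates the key stream from 0x935b, scans a dump for the key-stream tail to find every copy of the 64-byte record, classifies what the XOR exposes (text, scan codes, 20- or 32-byte hash) using the byte patterns reported in this thread, and refuses to zero anything unless the dump looks like a whole-chip image. The 8 MiB sample image, the password "abc" in it, the fake digest, `NEEDLE_LEN` and `MIN_FLASH_SIZE` are constructed assumptions; the descriptor-signature test (0x0FF0A55A at offset 0x10) assumes an Intel flash layout and is a heuristic, not a replacement for checking the regions in UEFITool.

```python
import struct

# Constants taken from the thread: the 16-bit multiplier behind the XOR key stream and
# the 64-byte length of the AMITSESetup password record.
KEY_SEED = 0x935B
RECORD_LEN = 64
NEEDLE_LEN = 8                      # trailing key bytes used as the search needle (assumption)
IFD_SIGNATURE = 0x0FF0A55A          # Intel flash descriptor signature, stored at offset 0x10
MIN_FLASH_SIZE = 4 * 1024 * 1024    # smallest whole-chip SPI dump we accept (heuristic)


def pana_xor_sequence(num_bytes):
    """Key stream: 16-bit slot i holds (0x935b * (i + 1)) & 0xffff, little-endian."""
    if num_bytes % 2:
        raise ValueError("only even lengths are supported")
    return b"".join(((KEY_SEED * (i + 1)) & 0xFFFF).to_bytes(2, "little")
                    for i in range(num_bytes // 2))


def classify_record(plain):
    """Classify a decoded record by the pattern inside each 16-bit slot.

    Shapes reported in the thread:
      text         character in the low byte, 0x00 in the high byte (UTF-16LE)
      scancode     key scan code in the low byte, 0x80 in the high byte
      sha1         20 slots of 0x00 low byte + hash byte in the high byte
      sha256-like  same shape with 32 slots
    Returns (kind, payload): the password text, the scan codes as hex, or the hash hex.
    """
    lo, hi = plain[0::2], plain[1::2]
    used = len(plain) // 2
    while used and lo[used - 1] == 0 and hi[used - 1] == 0:   # trim zero padding
        used -= 1
    if used == 0:
        return ("empty", None)
    if all(b == 0 for b in hi[:used]):
        return ("text", lo[:used].decode("ascii", errors="replace"))
    if all(b == 0x80 for b in hi[:used]):
        return ("scancode", lo[:used].hex())
    if used <= 32 and all(b == 0 for b in lo[:used]):
        return ("sha1" if used <= 20 else "sha256-like", hi[:used].hex())
    return ("unknown", plain.hex())


def find_records(dump):
    """Offsets of candidate records, found by searching for the tail of the key stream.

    Works only when the password is short enough that the record ends in zero
    plaintext, so its last NEEDLE_LEN bytes are pure key stream.
    """
    needle = pana_xor_sequence(RECORD_LEN)[-NEEDLE_LEN:]
    offsets, pos = [], dump.find(needle)
    while pos != -1:
        start = pos + NEEDLE_LEN - RECORD_LEN
        if start >= 0:
            offsets.append(start)
        pos = dump.find(needle, pos + 1)
    return offsets


def decode_record(dump, offset):
    """XOR the record at offset with the key stream and classify the result."""
    key = pana_xor_sequence(RECORD_LEN)
    plain = bytes(a ^ b for a, b in zip(dump[offset:offset + RECORD_LEN], key))
    return classify_record(plain)


def looks_like_full_flash(dump):
    """Heuristic for 'whole chip, not just the BIOS region': the size is a power of two of
    at least MIN_FLASH_SIZE and the Intel flash descriptor signature sits at offset 0x10.
    A 0x580000-byte file like the one discussed in this thread fails the size test."""
    n = len(dump)
    if n < MIN_FLASH_SIZE or n & (n - 1):
        return False
    return struct.unpack_from("<I", dump, 0x10)[0] == IFD_SIGNATURE


def zero_records(dump, offsets):
    """Copy of dump with each located record overwritten by zeros; refuses partial dumps."""
    if not looks_like_full_flash(dump):
        raise ValueError("not a full flash image: patching and flashing it back risks a brick")
    patched = bytearray(dump)
    for off in offsets:
        patched[off:off + RECORD_LEN] = bytes(RECORD_LEN)
    return bytes(patched)


def build_sample_dump():
    """Constructed 8 MiB test image (not a real dump): descriptor signature, two copies of
    a text record for the password 'abc', and one SHA-1-shaped record with a fake digest."""
    key = pana_xor_sequence(RECORD_LEN)
    text_plain = "abc".encode("utf-16-le").ljust(RECORD_LEN, b"\x00")
    fake_digest = bytes(range(1, 21))                          # stand-in, not a real hash
    hash_plain = b"".join(b"\x00" + bytes([h]) for h in fake_digest).ljust(RECORD_LEN, b"\x00")
    dump = bytearray(b"\xff" * (8 * 1024 * 1024))
    struct.pack_into("<I", dump, 0x10, IFD_SIGNATURE)
    for off, plain in ((0x10000, text_plain), (0x20000, hash_plain), (0x410000, text_plain)):
        dump[off:off + RECORD_LEN] = bytes(a ^ b for a, b in zip(plain, key))
    return bytes(dump)


if __name__ == "__main__":
    image = build_sample_dump()
    for off in find_records(image):
        print(hex(off), decode_record(image, off))
```

Run it as a script to see the three records in the constructed image; for a real dump, read the file into `dump` and inspect the reported offsets and kinds before touching anything. The needle search only finds records whose last eight bytes are zero plaintext, which is why the idea is limited to short passwords and hashes, and finding more than one offset is the "two copies" situation several later comments ran into.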

@satorisage

Hi satorisage,

but where did that part come from?

See the section "1337 encryption" of en4rab's original post. The key can be generated in 16 bytes increments because it is 0x935b * (currentIteration + 1), when you only use the lower 16 bytes of the result. This seems to be the same across many different toughbook models.

Is it an operation I can write in Python?

Yes, see following code using your rom data.

[collapsed: code for panasoHardcoded.py (python3)]
Please let me know if you have any additional questions.

One interesting thing I haven't had time to implement yet is to open the dumped hex file, and search for occurrences of the last few bytes of the xor sequence for the length 64 bytes. Since the password or hash is likely to be relatively short <40 bytes the last few bytes are most likely equal to the xor sequence. Then derive the start of the sequence and overwrite all 64 bytes with zeros to generate a flashable image without password protection.

Maybe a check if the bios dump is complete (includes the intel me section, ...) would be important, because flashing back a partial modified dump will result in a "dead" device. Finding a complete dump online to recover from this state might be difficult.

Best, Benjamin

Thanks for the reply! Seems like for the CF54's I have this key could be incorrect - or maybe there is something else going on. When I extracted and calculated the result I got d56e583d7dc544b496160832f1f07a4a29941025 as the sha1. But the password is "tsipub" and as a sha1 hash it calculates to 48d87741220aa2a705005a01bbbcdb1c858eae41. Any thoughts on what could be going on there?

@userx14

userx14 commented Sep 9, 2022

Seems like for the CF54's I have this key could be incorrect

If the code says that the xored result is likely a sha1 hash then the xor-key part is working / the generated key from panaXorSequence is correct. It is basically impossible to get these zero valued bytes every second character for a non matching key (just add hexPrettyPrint(resultOfXor) in the else case and you will see these zeros). If you look closely at your valueFromNvram you can see that many bytes (those that are zero after performing the xor) are equal to the output of the generatePanaXorSequence function.

But the password is "tsipub" and as a sha1 hash it calculates to 48d87741220aa2a705005a01bbbcdb1c858eae41. Any thoughts on what could be going on there?

I would have two possible explanations for this behavior:

  • instead of the password in ascii they could have hashed the scancodes. I suspect this because they also stored the scancodes for the non-hashed password, see the first post of en4rab.
  • they could have added some constant extra bytes at the end of the password like a constant salt

I have to admit that I didn't really look into this, and just replaced the section with zeros and called it a day.

I guess that trying one letter passwords, reading the hash, and then trying to brute force the hash could lead to some insight.

Best,
Benjamin

@maxtheobald

Hello folks,
what can I say? The tip from @userx14 to simply overwrite the affected bit combination with 0 worked! Apparently the supervisor password is only stored once in the chip of the FZ-G1 MK4. Interestingly, the operating hours counter was also set to 0.
By the way, flashing also worked when installed.
Thanks again for your help.

@Randname666

Hello. So I tried this on a Panasonic FZ-G1 MK2 and it seems I went further than the guy with a FZ-G1 MK4. It doesn't contain an item with guid "C811FA38-42C8-4579-A9BB-60E94EDDFB34" but the one with name "AmiTseSetupGuid" and also text "AMITSESetup".
The content reads as:
5b7db609112d6c18c7bc22b37d2fd8b0334e8e26e9a244339fb9fafd55eeb0520b286641c1251c427716d2a92d3d88d0e3633ef7998af41d4fb1aa4405d8606b and after XORing, it comes out with such a result:
ee002f00970055005c00c70028002a006000e700f600db00c200f3004c006700e1001d00ca00c1000000000000000000000000000000000000000000000000
The 80s that should be showing up are instead coming up as 00s, and the other bytes don't seem to be either valid EFI scancodes or ASCII codes. I wonder if some kind of masking or other procedure has been applied to them?

@userx14

userx14 commented Sep 17, 2022

Hi @Randname666, your result is most likely the sha1 of the password / keyboard scancodes and maybe some additional constant. (20 bytes = "sha1 length" and every second byte is zero padding).

@Randname666

Hi @Randname666, your result is most likely the sha1 of the password / keyboard scancodes and maybe some additional constant. (20 bytes = "sha1 length" and every second byte is zero padding).

Well, tried hashcating that sha1 and it exhausted 8 bytes of a-z, A-Z, 0~9 combinations. Either that's not the right direction, or I was just unfortunate enough to come across a guy who's really serious about device security.

@userx14

userx14 commented Sep 18, 2022

Well, tried hashcating that sha1 and it exhausted 8 bytes of a-z, A-Z, 0~9 combinations. Either that's not the right direction, or I was just unfortunate enough to come across a guy who's really serious about device security.

Most likely they are not ascii characters but key scancodes and there could be some additional constant added to the end.

It is possible to just overwrite the xored hash with zeros and flash the modified image back. But there is the risk that if you only have a partial bios backup / the bios chip is write protected, that you can brick the device when using a software flash tool. (See some of the earlier posts)

@Randname666

Randname666 commented Sep 19, 2022

But there is the risk that if you only have a partial bios backup / the bios chip is write protected, that you can brick the device when using a software flash tool.

So, things like AFUWINGUI won't generate a full BIOS backup sometimes? Also, I am not sure if I got the idea of "write protected" here but I attempted a BIOS upgrade with the program provided by Panasonic, as on some "consumer level" laptops upgrading, downgrading, or "upgrading" to the same version of the current BIOS could get the password wiped, but not the case here: The FZ-G1 MK2 accepted and successfully finished the BIOS update, but the password is still kept. Luckily that the schema of the password storage is not changed.

I lack the tools and the skills to do it the hardware way if something goes wrong, so I'd rather let the password stay there, at least for the moment.

@satorisage

satorisage commented Sep 19, 2022 via email

@hueyvle

hueyvle commented Oct 17, 2022

Hi Experts,
I bought a renewed CF-53 from Amazon and it appears to be BIOS password locked. Contacted the seller, and so far, no answer.
Here is the link to the bios dump: https://drive.google.com/file/d/1vZ1mwTIIfs1fcMAmoxbcp3ntUjrT1zuC/view?usp=sharing
What I tried so far:

  1. Tried to zero out the password and then flash it. The problem is that bios flash is locked
    Error 280: Failed to disable write protection for the BIOS space!

  2. Tried the UEFI tool and got the hash pw.
    5B-8F-B6-EE-11-9A-6C-3A-C7-77-22-6D-7D-02-D8-74-33-59-8E-E2-E9-0F-44-C7-9F-59-FA-0C-55-71-B0-6D 0B-81-66-EB-C1-27-1C-C2-77-16-D2-A9-2D-3D-88-D0-E3-63-3E-F7-99-8A-F4-1D-4F-B1-AA-44-05-D8-60-6B
    The problem is when I Xor with the static Hex string from this post
    5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B
    I got these
    0x00, 0x1C, 0x00, 0xC8, 0x00, 0x20, 0x00, 0x77, 0x00, 0x97, 0x00, 0x19, 0x00, 0x05, 0x00, 0xEE, 0x00, 0x77, 0x00, 0x23, 0x00, 0x5B, 0x00, 0x2F, 0x00, 0x22, 0x00, 0x02, 0x00, 0xD3, 0x00, 0x58, 0x00, 0x48, 0x00, 0xB7, 0x00, 0xC8, 0x00, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    Filtered out the 0x00, I got
    0x1C, 0xC8, 0x20, 0x77, 0x97, 0x19, 0x05, 0xEE, 0x77, 0x23, 0x5B, 0x2F, 0x22, 0x02, 0xD3, 0x58, 0x48, 0xB7, 0xC8, 0x41
    Now I have no idea what to do next.
    Some help would be greatly appreciated.

@userx14

userx14 commented Oct 17, 2022

Hi @hueyvle,

to 1). I guess your best bet is to use a hardware flasher like the ch341a which can be had for around $5-$15. If you scan through some of the previous posts you might find additional tips (e.g. how to bypass feeding 3.3V to the other ICs on the board) or simply ask if you need assistance.

to 2). Your filtered result is 20 bytes long, so most likely that's a sha1 hash.
If you paste your hex bytes into the python code in this post it would also report this.
Unfortunately I do not know if there is additional salt involved in hashing or what is hashed there (key scancodes or direct ascii characters), so brute forcing is not an option.

Best,
Benjamin

@hueyvle

hueyvle commented Oct 17, 2022

Thank you @userx14 for your inputs.

I would gladly pay $15 to have this fixed. I'm just not a hardware guy and would be very nervous to use the hw flasher.
So, my plan is

  1. disable BIOS write protection (this guide https://winraid.level1techs.com/t/guide-grub-fix-intel-fpt-error-280-or-368-bios-lock-asus-other-mod-bios-flash/32725).
  2. blank out the password on the bios dump
  3. flash the bios with the dump.

I know it is too much to ask, but what are your thoughts on this plan. Is it doable?

Thanks!

@userx14

userx14 commented Oct 17, 2022

I know it is too much to ask, but what are your thoughts on this plan. Is it doable?

Well, I would first make sure that you have a full backup of this flash chip.
This is important because there have been cases where attempting to flash the modified dump erased the whole flash chip, which meant that parts not backed up were lost (and free downloads of full dumps of these panasonic machines are hard to find online).
I'm suspicious, because your file is 0x580000 bytes long which could mean that this is not a full backup of the whole flash, but only the bios/uefi section, but I'm not sure.
Can you try to find out if the file size matches the flash chip size built into your machine by checking the IC marking?

I did the hardware flashing with a ch341a on a cf53 mk2 (just as a reference picture), not sure if it is the same on newer models, but the flash chip was accessible under the service hatch.

Greetings,
Benjamin

@hueyvle

hueyvle commented Oct 17, 2022

my laptop is CF53 MK4

Can you try to find out if the file size matches to the flash chip size built into you machine by checking the IC marking?

Well, I don't know how to check the IC marking, but it does sound like I need to pop the hatch open. I used the "flash programming tool" fptw from Intel ME system tools v9.5.
fptw.exe -BIOS -D <binname>
Please let me know if you have different tool.

I disconnected the backup Battery (two pin connector opposite to the bios chip in the wifi/4G hatch) and in order to detect the chip I had to disconnect the 3.3v supply of the bios ic (pin 8) by scratching the trace coming out from underneath the chip, possibly because the programmer powered other stuff on the 3.3V line (IC is Micron 25Q128AB, see picture). After dumping the 16MB bios file with programmer software 1.30, getting the correct offset with UEFI-Tool-A51, zeroing out the 64bytes with HxD.exe and flashing back to the chip, I reconnected 3.3V with a jumper wire. All of this can be done without disassembling the laptop through the wifi and 4g module access hatch, although it's quite tight and I had to saw off a chunk of my bios test clip because it collided with the magnesium housing.

I really prefer not messing with wire and soldering.

@MichelBaie

Hi, could someone please help me to get my BIOS password?
I've found this using HxD:
26 A5 D2 82 6C 1F DB F2 F9 3B 13 80 D3 56 C3 83 F8 5B 08 6A AA 5C 48 98 38 F8 AC 5F F2 2E 1F E9

Here's the bios dump : https://transfert.free.fr/IZwnsI

Thanks !!

@userx14

userx14 commented Nov 26, 2022

Hi, could someone please help me to get my BIOS password? I've found this using HxD: 26 A5 D2 82 6C 1F DB F2 F9 3B 13 80 D3 56 C3 83 F8 5B 08 6A AA 5C 48 98 38 F8 AC 5F F2 2E 1F E9

Here's the bios dump : https://transfert.free.fr/IZwnsI

Thanks !!

Hi @MichelBaie ,

this seems to be the correct section in the bios, but getting back the original password is probably difficult. Likely there is no xor done and these 32 bytes are directly obtained from something like a SHA-256 hash.
Overwriting with zeros should still work though, but be careful when attempting this, since there have been some problems with sections of the bios getting lost when flashing with software flashers.
This is difficult to recover from, when you do not have a full backup of bios flash chip.

Best
Benjamin

@OmegaSentinell

Password is hashed, I can remove it from the dump, file link not valid.

@Ftmmsch

Ftmmsch commented Jan 4, 2023 via email

@cbbeerman

I don't know why the post in this morning's notification email isn't here
But it looks like KJTR's PW is

C e l l T e c h

@OmegaSentinell

I don't know why the post in this morning's notification email isn't here But it looks like KJTR's PW is

C e l l T e c h

how did you find it ?

@cbbeerman

cbbeerman commented Jan 4, 2023

I XOR'd the string with the key and the response wasn't long enough. So not knowing the particulars of their model and since some of the earlier ones aren't hashed I looked up the response in ascii
for example
$18 XOR $5B is $43 which is "C" in ascii

@OmegaSentinell

I XOR'd the string with the key and the response wasn't long enough. So not knowing the particulars of their model and since some of the earlier ones aren't hashed I looked up the response in ascii for example $18 XOR $5B is $43 which is "C" in ascii

Which string?

@userx14

userx14 commented Jan 4, 2023

I XOR'd the string with the key and the response wasn't long enough. So not knowing the particulars of their model and since some of the earlier ones aren't hashed I looked up the response in ascii for example $18 XOR $5B is $43 which is "C" in ascii

Which string?

@OmegaSentinell
I think he is referring to the byte sequence from the bios in the now deleted post from @KJTR.
The python code in my previous post now has this case built in (getASCIIifExist):
After xoring the result is directly the ascii characters of the password with some zero padding.

https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd?permalink_comment_id=4294901#gistcomment-4294901

This does not change anything in the case where the output of the xor is a sha1 or different hash.

Best,
Benjamin

@cbbeerman

Yes from the deleted post


@OmegaSentinell

OmegaSentinell commented Jan 4, 2023

Here is my version using python2

#!/usr/bin/python2
import sys
import os
import binascii

magic_ami_key = 0x935B

#INFO
info = "========================INFO======================== \n         PANASONIC PASSWORD DECRYPTOR \n           Created by OmegaSentinell \n              All Rights reserved"
print(info)

#Usage
usage = "=======================USAGE======================== \n   Open DUMP file (<filename>.BIN) in HEX EDITOR\n   Copy HEX password string from AMITSE section\n   Paste into program below \n===================================================="
print(usage)

#Version
version = "V_0.4"

##user input
password_hash = raw_input("[ Paste HEX Data ] : ").strip().replace(' ', '')
#for test - password_hash = "13138ea6243a5fcdd56018f47d07d89a332e8ec1e95444e89f7bfa0e55a2b0350bc9665cc1ef1c837716d2a92d3d88d0e3633ef7998af41d4fb1aa4405d8606b"
max_pwsd_length = len(password_hash)/4

##Get XOR Key
def make_xor_key():
	magic_ami_xor_key = ""
	for j in xrange(0,max_pwsd_length,1):
		xor_key = (hex(magic_ami_key * (j + 1)))
		xor_key = xor_key[-4:]
		for i in xrange(4,0,-2):
			magic_ami_xor_key += str(xor_key[i-2:(i-2)+2].upper())
	return magic_ami_xor_key

##Input hex strings
a = password_hash
b = make_xor_key()

##Hex strings to raw bytes
binary_a = a.decode("hex")
binary_b = b.decode("hex")

##XORing strings
def xor_strings(xs, ys):
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(xs, ys))
xored = xor_strings(binary_a, binary_b).encode("hex")

##Cleanup string: keep only the low byte of each int16 (drop the 0x80 marker bytes and the zero padding)
xored_pairs = [xored[i:i+2] for i in xrange(0, len(xored), 2)]
xored_clean = "".join(p for p in xored_pairs if p not in ('80', '00'))

#Panasonic Dictionary
ascii_chars  =  {
          "10"  :  "z",
          "11"  :  "x",
          "12"  :  "c",
          "13"  :  "v",
          "14"  :  "b",
          "15"  :  "n",
          "16"  :  "m",
          "17"  :  ",",
          "18"  :  ".",
          "19"  :  "/",
          "1A"  :  "[RShift]",
          "1B"  :  "[UpArrow]",
          "1C"  :  "1",
          "1D"  :  "2",
          "1E"  :  "3",
          "1F"  :  "[CapsLock]",
          "20"  :  "a",
          "21"  :  "s",
          "22"  :  "d",
          "23"  :  "f",
          "24"  :  "g",
          "25"  :  "h",
          "27"  :  "k",
          "28"  :  "l",
          "29"  :  ";",
          "2A"  :  "'",
          "2B"  :  "|",
          "2C"  :  "4",
          "2D"  :  "5",
          "2E"  :  "6",
          "2F"  :  "+",
          "30"  :  "[TAB]",
          "31"  :  "q",
          "32"  :  "w",
          "33"  :  "e",
          "34"  :  "r",
          "35"  :  "t",
          "36"  :  "y",
          "37"  :  "u",
          "38"  :  "i",
          "39"  :  "o",
          "3A"  :  "p",
          "3B"  :  "[",
          "3C"  :  "]",
          "3D"  :  "\\",
          "3E"  :  "[DEL]",
          "3F"  :  "[END]",
          "40"  :  "[PgDn]",
          "41"  :  "7",
          "42"  :  "8",
          "43"  :  "9",
          "44"  :  "`",
          "45"  :  "1",
          "46"  :  "2",
          "47"  :  "3",
          "48"  :  "4",
          "49"  :  "5",
          "4A"  :  "6",
          "4B"  :  "7",
          "4C"  :  "8",
          "4D"  :  "9",
          "4E"  :  "0",
        }

##Translate output test
def panasonic_scancode_to_password(xored_clean):
	decoded_password_panasonic=""
	for i in xrange(0,len(xored_clean),2):
		try:
			decoded_password_panasonic +=str(ascii_chars[xored_clean[i:i+2].upper()])
		except:
			pass
	return str(decoded_password_panasonic)

print("\n[ HASH DATA ]\n" +password_hash +"\n")     ##show input HEX string
print("[ XOR KEY ]\n" +make_xor_key() +"\n")        ##show XOR Key
print("[ RESULT ]\n" +xored_clean.upper() +"\n")    ##show result from XORed (HEX string and XOR Key)
print("[ SCANCODE ]\n" +xored_clean.decode("hex") +"\n") ##show decrypted hex in ascii
print("[ PASSWORD ]\n" +panasonic_scancode_to_password(xored_clean)); ##show decrypted password .translate(ascii_chars)

raw_input("\n\nPress Enter to continue...")
os.system('cls')                                   ##Windows only: clear the console
execfile("PANASONIC_PASSWORD_DECRYPT.py")          ##re-run this script for the next input (save it under this file name)

@corty8

corty8 commented Jan 9, 2023

Hi All,

I have an odd one today, clearing a password on a machine. Normally the password appears twice in the BIOS; on this machine I could only find one occurrence of the password string, so I set that to all zeros like I normally do, reprogrammed the chip and installed it, but the machine still has a password

Has anyone seen this before?

There must be another occurrence in there somewhere

Cheers

@mikrovr

mikrovr commented Jan 9, 2023

@corty8
Post the BIOS file

@Ftmmsch

Ftmmsch commented Jan 9, 2023 via email

@corty8

corty8 commented Jan 9, 2023

@mikrovr

mikrovr commented Jan 9, 2023

@corty8
Yes, it's very simple... Wait a few minutes...

@mikrovr

mikrovr commented Jan 9, 2023

@corty8

corty8 commented Jan 9, 2023

@mikrovr
So that file is clear of all passwords now?

@mikrovr

mikrovr commented Jan 9, 2023

@corty8
It sure is! :)

@corty8

corty8 commented Jan 9, 2023

That's great, thanks for that I will try it tomorrow

What is that utility that you used there?

@corty8

corty8 commented Jan 11, 2023

@mikrovr
That file worked fine, Thanks for that
Unfortunately I have since discovered the machine has a fault on the battery circuit, will not recognise a battery at all, so I'm not sure what to do with it yet
they are not always easy :)

@NevoidHyp

@corty8 https://we.tl/t-mpzuKOP0WN


sorry all, I'm a bit less savvy than I'd like, but is this possible with an ASUS ROG Zephyrus G14 on version GA401IU.219?
it's either that, DavidZou's EEPROM method, Kiosk, or small claims court... xD

@mikrovr

mikrovr commented Jan 13, 2023

@NevoidHyp
Post the BIOS file (eeprom), we can check it for you.

@warst

warst commented Jan 13, 2023

@corty8 https://we.tl/t-mpzuKOP0WN


Hey Mikrovr, would you be able to post this app please?

@passssha

Does anyone have any experience with removing the BIOS password from a Panasonic CF-54?

@satorisage

satorisage commented Feb 22, 2023 via email

@warst

warst commented Apr 11, 2023

any chance i could get someone to check this bin. it's for a asus GL731GT-RB73 https://drive.google.com/file/d/1Kd1euEJsgnRqcNWBNp01tKhU3GOOEsf4/view?usp=sharing

What is it you are hoping to check? This is a post for Panasonic devices - you'd be better off looking in the badcaps forum or something similar. The bios dump looks good - I can see the ME region and your Windows product key.... KRCBM-NX9Y9-29BW8-4CJ4M-.....

@SergeySolovyenko

Hi guys! I have a password-protected Panasonic CF-C1. Please help. I'm trying to use your programs to get the password, but nothing works. I have a full dump of my BIOS in .rom format. I really need help. Also I tried to use ChatGPT but it doesn't work correctly. - https://drive.google.com/file/d/1JwfQ7EdWbaKVny8QSkwv1Gb4DkCEp3mV/view?usp=sharing

@userx14

userx14 commented Jun 25, 2023

key AMITSESetup from uefitool a51:
5B44B6C511656CD0C7A0222D7DC9D82033B58E1EE9CD440F9F08FAD45516B0C20BCB6679C1A71C3D7716D2A92D3D88D0E3633EF7998AF41D4FB1AA4405D8606B

from python tool:

the xored sequence is likely the following sha1 hash:
b'd7 e3 df 9d 40 59 ce ba 9b df 99 e7 73 da b4 f7 02 25 48 be'

This means as far as I know that it is impossible to find out your password, but you can overwrite the hash with zeros and it should be gone.
But be cautious when flashing bios images from within windows, I've seen multiple cases of bricked machines because some part of the bios could not be written from within the os and the bios backups were incomplete. More information in the previous posts.

@Ftmmsch

Ftmmsch commented Jun 25, 2023

@userx14

That it is always risky to flash within Windows, I knew.

But: what about doing this from a live DVD? - I did it once from a WIN 10 PSE DVD.
Under these conditions, the OS isn't running, because it's not loaded.

But: could it be risky also?

@SergeySolovyenko

Hi to all! I fixed the problem with the BIOS password on my Panasonic CF-C1.
How to:

  1. I made a dump with APTIO 4
  2. In UEFITool I found the password section in AMITSESetup in the first tree. BUT! This information is also written in the second tree. I erased this information by writing zeros and saved this modified ROM.
  3. I flashed the BIOS with this custom ROM from Windows with APTIO 4 - you need to tick the checkboxes "Write All Blocks" and "Do Not Check ID". Optionally - restart after flashing.
  4. Congrats! We have removed the password from the BIOS!!!!
    Thanks to all the people who helped me here! I think this instruction will help some people!

@SergeySolovyenko

@userx14

That it is always risky to flash within Windows, I knew.

But: what about doing this from a live DVD? - I did it once from a WIN 10 PSE DVD. Under these conditions, the OS isn't running, because it's not loaded.

But: could it be risky also?

CF-C1 doesn't have a DVD or CD. Only USB, and in my case it doesn't see any external DVD. Also, never mind. I can't load a DVD from the BIOS through F12 because in this case it loads LAN system boot in default mode.

@warst

warst commented Jun 30, 2023

@userx14
That it is always risky to flash within Windows, I knew.
But: what about doing this from a live DVD? - I did it once from a WIN 10 PSE DVD. Under these conditions, the OS isn't running, because it's not loaded.
But: could it be risky also?

CF-C1 doesn't have a DVD or CD. Only USB, and in my case it doesn't see any external DVD. Also, never mind. I can't load a DVD from the BIOS through F12 because in this case it loads LAN system boot in default mode.

Get yourself a CH341a with a test eeprom clip and flash it the correct way, it's very cheap, straightforward and you can easily experiment more in the future. Make sure it has the 5v-3.3v mod applied though as the vcc line is tied directly to the 5v usb port power which is bad news for a bios chip!

@Ftmmsch

Ftmmsch commented Jul 3, 2023 via email

@juhisByte

juhisByte commented Jul 9, 2023

Hi all,
I have a Panasonic fz-g1 mk4 pad, which has a BIOS password. I have a BIOS dump file, but I'm not sure how to get that password cracked from it.

Is there anybody here who can help me
Regards

@SergeySolovyenko

Hi all, I have a Panasonic fz-g1 mk4 pad, which has a BIOS password. I have a BIOS dump file, but I don't know how to crack this password.

Is there anybody here who can help me? Regards

Hi! I think I can help. Share your dump here.

@juhisByte

I cannot add a rar or file here :(
Can you give your email, or something where I can send it

Regards

@SergeySolovyenko

SergeySolovyenko commented Jul 10, 2023

I cannot add a rar or file here :( Can you give your email, or something where I can send it

Regards

Just write to me in the Telegram

@Jeeg1975

Jeeg1975 commented Aug 8, 2023

Hello,
PW

my English is bad, but I'll try.
I have one CF-52 with a password, I understand I can delete it, but I want to know what the word was.
Can you tell me my PW? (I understand that the PW from Toughbook works... WTF scancodes, how does this map to keys?)
Thank you

@bsistuk

bsistuk commented Aug 9, 2023


0F 93 FE 26 45 BA 2A 4D 97 E0 61 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 01

@userx14

userx14 commented Aug 9, 2023

@Jeeg1975
You can try the python code in this comment and paste your code (leave out the last 01 in your highlighted selection, it is not part of the password) from your screenshots into the variable
yourValueFromNvRam. If it is hashed, you will not be able to find out the original password.

@Jeeg1975

Jeeg1975 commented Aug 9, 2023

ok thank you,

@cbbeerman

cbbeerman commented Aug 9, 2023

Looks like the PW for
0F 93 FE 26 45 BA 2A 4D 97 E0 61 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 01
is
THTFPC

@essquireo0o

You are doing it wrong - I found the actual hash and can crack it using brute force - let me know if anyone needs help. I spent an entire year digging into Toughbook BIOS Rom's using UEFIEdit NE and this may sound arrogant, but I am the only one that can get the actual password for the machine. You can see my eBay feedback here https://www.ebay.com/fdbk/feedback_profile/ingbtc and my site here https://www.toughbookbios.com/

I have worked with every major toughbook vendor.

@AutonomousCat

For mine the super user password comes first and then the 00s. Is this hashed? The python tool isn't providing the right password.

5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC 33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74 0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7 E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05 5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC 33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74 0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7 E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

@userx14

userx14 commented Oct 11, 2023

@AutonomousCat
did you use yourValueFromNvRam = "5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC 33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74 0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7 E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05" ?
Strangely it repeats twice, this could mean that both bios passwords are the same.
I'm not sure about the result though, it is 32 bytes long with zero bytes padding in between. Maybe SHA256?

@AutonomousCat

@userx14 I'm using this. https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd?permalink_comment_id=4423922#gistcomment-4423922

It's probably hashed. Anything I can do with the public keys listed on the Security tab in UEFITool NE alpha 67?

@cbbeerman

Try
sempra123

:)

@AutonomousCat

AutonomousCat commented Oct 12, 2023

Try sempra123

Is this a joke? @cbbeerman

@cbbeerman

I'm sorry, it was not a joke, I didn't clear out old data

@cbbeerman

Here is the hash sorry again

B30FE846B6022376C47C54DB3AC7CE417D91122208945337A0D1CA634B9E086E

@Fasihi-Rad

Hello everyone
I have a CF-D1N
first I can't find C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)

but I found this when searching for C811FA38-42C8-4579-A9BB-60E94EDDFB34

(There are 2 of them (header-offset 50h))

The XOR process doesn't look very promising, it seems to be hashed!

The question is
Did I get the right address, could I zero those sections?

here is the rom : https://drive.google.com/file/d/1p0fY14pDjYojEwhp4RMKXiDYh15-0B1P/view?usp=sharing

@en4rab
Author

en4rab commented Nov 7, 2023

The AMITSESetup entry is about 13 lines up from the one you highlighted and by the looks of it it's a sha1 hash, it also looks like there are 2 copies of the NVRAM data so you might have to null out both entries

@aosaginohi

aosaginohi commented Nov 10, 2023

I tried to follow the guide but I am a little stuck; is someone able to tell me my password for my BIOS? I have a Panasonic CF-SZ6.
I could dump it fine with the afu tool, but after that I am a little stuck on how to continue.

From what I can figure out this is what I can find:
5B 63 B6 A9 11 AB 6C 05 C7 F1 22 28 7D F5 D8 31 33 5B 8E A6 E9 21 44 80 9F BA FA 2F 55 9A B0 46 0B 55 66 0F C1 63 1C 6A 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

This is the rom file i got from saving it with the afu tool:
https://drive.google.com/file/d/1err9pzUP7TDOGerwaWIYuhO-c6VSY4WE/view?usp=sharing

Thank you so much in advance to anyone who can help me!

@userx14

userx14 commented Nov 14, 2023

The code you found looks like the correct sequence, 606B on the end is typical for the XORed result. Pasting this into my Python script returns that this is likely a SHA1 hash. So the only publicly known method is to overwrite it with zeros (check out some of the previous comments and make sure to have a full backup of all BIOS regions).

@aosaginohi

The code you found looks like the correct sequence, 606B on the end is typical for the XORed result. Pasting this into my Python script returns that this is likely a SHA1 hash. So the only publicly known method is to overwrite it with zeros (check out some of the previous comments and make sure to have a full backup of all BIOS regions).

Thank you for the answer! :)

@essquireo0o

This method works on DUO cores, but anything i3 and above it is encoded. I spent a year trying to find the hash and then finding the algo associated with the hash. I can break any password (80-90% of the time, depending on how long the password is). Here is the full process to find the password for any duo core machine.

Open ROM dump in UEFITool_NE

Press Ctrl-F and select Text tab. Uncheck Unicode and type AMITSESetup.

Press OK.
Look at strings with ending: at header-offset 0Bh
Double-click on first one

[image]

Please note that the found entry is inside the StdDefaults node. So it's useless. Double-click on the next one

Note that it’s only Link to NVAR entry. Right-click on AMITSESetup and choose Go to data

Right-click on AMITSESetup and choose Body hex view

It’s empty again. So go to third one.

It's inside the StdDefaults node again. So go to the 4th.

Again - Go to data

Again Body hex view

Select data for admin hash

Copy by Ctrl+C and paste into a text editor
5B9FB60411F46C1AC78422857D14D816
33208E50E9E344D69F8CFA1A557AB0BB
0B44661DC1C21CB57716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B

Select twenty even bytes (in hex)
5B9FB60411F46C1AC78422857D14D816
33208E50E9E344D69F8CFA1A557AB0BB
0B44661DC1C21CB57716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B

Write down in line
9F04F41A848514162050E3D68C1A7ABB441DC2B5

It's a SHA1 hash of the password in Unicode format.

The password for this hash – abc
abc in Unicode format (in hex) - 61 00 62 00 63 00

Use https://www.fileformat.info/tool/hash.htm to calculate hash (Binary hash).

SHA-1 9f04f41a848514162050e3d68c1a7abb441dc2b5

Done.

https://toughbookbios.com/ (i3 processor or higher contact me to get the password, CF-31, CF-53, CF-54 - any model I can crack the password)
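The three observations the thread makes about this 64-byte field (userx14's XOR key stream of 5B93 multiples and the typical 60 6B tail, and the step above of taking the odd bytes as a SHA-1) can be checked mechanically. The following is an added example, not code from the gist, its author or AMI: the key-stream formula (word n XORed with n * 0x935B) is taken from the thread, and the two sample fields are the hex dumps posted by essquireo0o and userx14. The thread does not settle whether the 20 digest bytes are stored raw or are themselves XORed with the key's high byte, so describe_field only reports the structure (how many slots are non-zero and whether the data sits in the high byte), while matches_known_password reproduces the raw odd-byte comparison done above with fileformat.info.

```python
"""Decode the 64-byte AMITSESetup password field of an AMI Aptio 4 NVRAM dump.

Added example (not the gist author's code). Assumes, as reported in the
thread, that 16-bit word n (1-based) is XORed with (n * 0x935B) mod 2**16
and stored little-endian; that is why a dump's even bytes read 5B B6 11 6C
... and its last word reads 60 6B when the slot is unused.
"""
import hashlib

XOR_MULTIPLIER = 0x935B
FIELD_BYTES = 64  # one CHAR16[32] password slot

# Sample fields constructed from the hex dumps quoted in the thread.
ESSQUIREO0O_DUMP = bytes.fromhex(
    "5B9FB60411F46C1AC78422857D14D816"
    "33208E50E9E344D69F8CFA1A557AB0BB"
    "0B44661DC1C21CB57716D2A92D3D88D0"
    "E3633EF7998AF41D4FB1AA4405D8606B")
USERX14_DUMP = bytes.fromhex(
    "5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC"
    "33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74"
    "0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7"
    "E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05")


def key_stream(n_words):
    """Word n (1-based) of the key stream is (n * 0x935B) & 0xFFFF."""
    return [(n * XOR_MULTIPLIER) & 0xFFFF for n in range(1, n_words + 1)]


def to_words(data):
    return [int.from_bytes(data[i:i + 2], "little") for i in range(0, len(data), 2)]


def from_words(words):
    return b"".join(w.to_bytes(2, "little") for w in words)


def decode_field(field):
    """Strip the key stream and return the 32 CHAR16 values actually stored."""
    if len(field) != FIELD_BYTES:
        raise ValueError("expected a %d-byte AMITSESetup password field" % FIELD_BYTES)
    return [w ^ k for w, k in zip(to_words(field), key_stream(FIELD_BYTES // 2))]


def encode_field(text):
    """Inverse of decode_field for a plain-text password (the older firmware layout)."""
    words = [ord(c) for c in text]
    if len(words) > FIELD_BYTES // 2:
        raise ValueError("password longer than the field")
    words += [0] * (FIELD_BYTES // 2 - len(words))
    return from_words([w ^ k for w, k in zip(words, key_stream(len(words)))])


def describe_field(field):
    """Classify a field: ('empty', None), ('plaintext', str),
    ('digest', n) with n = number of data bytes, or ('unknown', None)."""
    words = decode_field(field)
    while words and words[-1] == 0:  # unused slots XOR to exactly the key word
        words.pop()
    if not words:
        return ("empty", None)
    if all(0x20 <= w < 0x7F for w in words):  # printable CHAR16 text
        return ("plaintext", "".join(map(chr, words)))
    if all(w & 0xFF == 0 for w in words):  # one data byte per slot, high byte only
        return ("digest", len(words))
    return ("unknown", None)


def odd_bytes(field, count=20):
    """Bytes at odd offsets, taken raw as in the step above (20 for SHA-1)."""
    return field[1:2 * count:2]


def sha1_utf16le(password):
    """SHA-1 over the password encoded as UTF-16LE, the form hashed above."""
    return hashlib.sha1(password.encode("utf-16-le")).hexdigest()


def matches_known_password(field, password):
    """True when the raw odd bytes equal SHA-1(UTF-16LE(password))."""
    return odd_bytes(field).hex() == sha1_utf16le(password)


if __name__ == "__main__":
    for name, dump in (("essquireo0o", ESSQUIREO0O_DUMP), ("userx14", USERX14_DUMP)):
        print(name, describe_field(dump), odd_bytes(dump).hex())
    print("round trip of a plain-text slot:", describe_field(encode_field("abc")))
    print("raw odd bytes == SHA-1(UTF-16LE 'abc'):",
          matches_known_password(ESSQUIREO0O_DUMP, "abc"))
```

Running it on the two dumps reports 20 non-zero slots for the field above (a SHA-1 sized digest) and 32 for userx14's (the "32 bytes with zero padding in between" noted earlier), and shows why the even bytes and the 60 6B tail are identical in every dump: they are just the key stream over empty slots. The fixed key stream and the unsalted digest are what make a dumped field comparable against a candidate offline, which is the weakness the whole thread is about.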

@corty8

corty8 commented Nov 18, 2023

This method works on DUO cores, but anything i3 and above it is encoded. I spent a year trying to find the hash and then finding the algo associated with the hash. I can break any password (80-90% of the time, depending on how long the password is). Here is the full process to find the password for any duo core machine.

Open ROM dump in UEFITool_NE

Press Ctrl-F and select Text tab. Uncheck Unicode and type AMITSESetup.

Press OK. Look at strings with ending: at header-offset 0Bh Double-click on first one

[image]

Please note that the found entry is inside the StdDefaults node. So it's useless. Double-click on the next one

Note that it’s only Link to NVAR entry. Right-click on AMITSESetup and choose Go to data

Right-click on AMITSESetup and choose Body hex view

It’s empty again. So go to third one.

It's inside the StdDefaults node again. So go to the 4th.

Again - Go to data

Again Body hex view

Select data for admin hash

Copy by Ctrl+C and paste into a text editor 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B

Select twenty even bytes (in hex) 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B

Write down in line 9F04F41A848514162050E3D68C1A7ABB441DC2B5

It's a SHA1 hash of the password in Unicode format.

The password for this hash – abc abc in Unicode format (in hex) - 61 00 62 00 63 00

Use https://www.fileformat.info/tool/hash.htm to calculate hash (Binary hash).

SHA-1 9f04f41a848514162050e3d68c1a7abb441dc2b5

Done.

https://toughbookbios.com/ (i3 processor or higher contact me to get the password, CF-31, CF-53, CF-54 - any model I can crack the password)

I have messaged you twice now via your website, no reply on either occasion

@essquireo0o

This method works on DUO cores, but anything i3 and above it is encoded. I spent a year trying to find the hash and then finding the algo associated with the hash. I can break any password (80-90% of the time, depending on how long the password is). Here is the full process to find the password for any duo core machine.
Open ROM dump in UEFITool_NE
Press Ctrl-F and select Text tab. Uncheck Unicode and type AMITSESetup.
Press OK. Look at strings with ending: at header-offset 0Bh Double-click on first one
[image]
Please note that the found entry is inside the StdDefaults node. So it's useless. Double-click on the next one
Note that it’s only Link to NVAR entry. Right-click on AMITSESetup and choose Go to data
Right-click on AMITSESetup and choose Body hex view
It’s empty again. So go to third one.
It's inside the StdDefaults node again. So go to the 4th.
Again - Go to data
Again Body hex view
Select data for admin hash
Copy by Ctrl+C and paste into a text editor 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B
Select twenty even bytes (in hex) 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B
Write down in line 9F04F41A848514162050E3D68C1A7ABB441DC2B5
It's a SHA1 hash of the password in Unicode format.
The password for this hash – abc abc in Unicode format (in hex) - 61 00 62 00 63 00
Use https://www.fileformat.info/tool/hash.htm to calculate hash (Binary hash).
SHA-1 9f04f41a848514162050e3d68c1a7abb441dc2b5
Done.
https://toughbookbios.com/ (i3 processor or higher contact me to get the password, CF-31, CF-53, CF-54 - any model I can crack the password)

I have messaged you twice now via your website, no reply on either occasion

I tested every form and email on the website, and everything came through. Contact me directly ns@ingbtc.com - Also please send me the link of where you are contacting me from so I can fix it ASAP

@zhou-xuelin

zhou-xuelin commented Dec 23, 2023

Hi, gentlemen.
I have a FW-7551W(v2.0) uCPE motherboard, which is a computer motherboard manufactured by Lanner.
[image]
This BIOS has a hardware watchdog. If it is not cancelled in the BIOS, it will reset after several minutes. That is the reason why I want to modify the BIOS settings.
(It just asks for a password when pressing F2/ESC/DEL to enter the setup utility; it doesn't ask at boot, and it successfully boots into WinPE via Ventoy.)

I encounter the same problem with recovering (or resetting) the AMI BIOS password of the administrator. However, I am not lucky enough when searching for plain or hashed text within each "AMITSESetup" entry. In this entry, its data are ALL zero. And it also doesn't contain any entry named as a GUID serial number with "AMITSESetup".
[image]

The headshots of FW-7551W:
[image]
[image]
The screenshot of GPU-Z about the BIOS:
[image]

In addition, @SoftwareGuy said:
I see something that's slightly interesting but I can't confirm what it is. Might be a password hash or something... I'd probably see if you could drop a message on that Gist if you have a GitHub account (if not, I could probably do it for you) with a link to the BIOS. I'm sure someone would have a clue.
[image]

Unfortunately, I changed the highlighted bytes to zero bytes and reflashed it into the SPI-ROM with a programmer. It still needs a password for the setup utility.
[image]

So I just want to know whether there is any pattern to an entry storing a password. How can I search for the sector which stores the admin password in UEFITool?

P.S. I have uploaded a SPI-ROM dump file.
github.com/zhou-xuelin/FW-7551/blob/main/FW-7551W_v2.0.bin

@kevinhulster

kevinhulster commented Jan 11, 2024

Hello all,

Sadly, like @fastar1981 and @maxtheobald, I have a motherboard where the password is neither an XOR with the multiples of 5B93 nor a SHA1 value that I could erase.

It's an Advantech motherboard of some networking device.

All AMITSESetup that are not in "AmiStandardDefaultsVariable" have the subtype "Full" and are only filled with zeroes:

[image]

Also, There is an occurrence of AMITSESetup in a "compressed section" but without any interesting data:

[image]

This is the device in question: https://forum.openwrt.org/t/nuage-networks-7850-nsg-e200-hardware-discovery/144525/5

Does anyone have any success recovering such a password or erasing it? (I don't care about the password if I can erase it.)

Many thanks to the community for all the work already shared!

Regards,
Kevin.

@mikrovr

mikrovr commented Jan 11, 2024

@kevinhulster
Post original BIOS file.

@kevinhulster

Here it is:

NSG-E202.rom

@fastar1981

@kevinhulster I still haven't gotten it. I hope someone can help us
Thanks to all

@r-plabs

r-plabs commented Jan 12, 2024 via email

@kevinhulster

@r-plabs I dumped it with the AMI afulnx tool.

@mayk469

mayk469 commented Feb 14, 2024

Hello all,

Can anyone help me erase the BIOS password? I have attached the extracted file.

Thanks!

@en4rab
Author

en4rab commented Feb 15, 2024

Try thua5P or thua5P|

@HackerajOfficial

Hello all,

Can anyone help me erase the BIOS password? I have attached the extracted file.

Thanks!

try now https://alien.raaz.info.np/server/unlock/AMITSESetup/

@mayk469

mayk469 commented Feb 15, 2024

Hello all,
Can anyone help me erase the BIOS password? I have attached the extracted file.
Thanks!

try now https://alien.raaz.info.np/server/unlock/AMITSESetup/

I tried, it doesn't work.

@mikrovr

mikrovr commented Feb 15, 2024

@mayk469

mayk469 commented Feb 15, 2024

mikrovr

Thanks @mikrovr ! I've tried all the variations with and without the uppercase, but it doesn't work.

@mikrovr

mikrovr commented Feb 15, 2024

@mayk469
What is your country of origin, what is the standard keyboard you are using to enter the password?

@mayk469

mayk469 commented Feb 15, 2024

I used two different US keyboard layouts (ANSI and ISO).

@en4rab
Author

en4rab commented Feb 15, 2024

did thua5P or thua5P| not work?

@HackerajOfficial

Hello all,
Can anyone help me erase the BIOS password? I have attached the extracted file.
Thanks!

try now https://alien.raaz.info.np/server/unlock/AMITSESetup/

I tried, it doesn't work.

Your file cannot be decrypted, so use the unlock option and simply flash the BIOS

@mayk469

mayk469 commented Feb 15, 2024

did thua5P or thua5P| not work?

Thank you very much! It worked with thua5P. I didn't understand the first time that this is the password .

You guys are the best!

@mikrovr

mikrovr commented Feb 15, 2024

@en4rab
Your answer was right!

AMI BIOS Password Recovery Tool v1.2 (Reset or/and recover lost passwords)
Copyright (C) 2016-2018 Paulo Coelho aka Mikrovr mikrovr@gmail.com

Password Recovery

Admin: thua5P

Note: Passwords are case-sensitive, upper and lower case.
Done!
Press any key to exit

// I had to make a small adjustment to the body of the hash.
max( 0, ( ( x - 1 ) | ( m - 1 ) ) + 1 - m )

@warst

warst commented Feb 16, 2024

@en4rab Your answer was right!

AMI BIOS Password Recovery Tool v1.2 (Reset or/and recover lost passwords) Copyright (C) 2016-2018 Paulo Coelho aka Mikrovr mikrovr@gmail.com

Password Recovery

Admin: thua5P

Note: Passwords are case-sensitive, upper and lower case. Done! Press any key to exit

// I had to make a small adjustment to the body of the hash. max( 0, ( ( x - 1 ) | ( m - 1 ) ) + 1 - m )

Hey @mikrovr, is AMI BIOS Password Recovery Tool v1.2 available to use somewhere? I have some Panasonic bios dumps that are locked (I have unlocked them but kept the locked copy too) and I would like to know if I am able to recover the password from them.

@9Kid

9Kid commented Mar 19, 2024

Anyone had luck unlocking a Panasonic Let's note RZ6? AMITSESetup is all 0, not a single character, but the password is still required.

@Castdeath97

Trying to get the .bin dump via AFUWINGUI, but I get "32 - error: problem opening file to write". Any ideas?

@cesar030693

cesar030693 commented Apr 16, 2024

Hello, can someone help me decipher the password? I am unable to flash the BIOS and am receiving the error message "43 - error: problem erasing flash". I've successfully unlocked the BIOS by flashing it on a few other CF-53 devices, but this particular one is giving me the error. Can anyone assist me with this issue?

It's a Panasonic CF-53J

I have included the link to the ROM file.

https://mega.nz/file/MCcV2CLb#_5Dl0p41pw2--RwTDNiMzgWGkL_NDncVbMZAmJtjUsE

