Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

A mess of my own making

While messing with a CF-U1 handheld PC that I bought off eBay I managed to mess up the BIOS; it seems to have reverted to previous settings, which included an unknown BIOS password. It would, however, still boot into Windows, so I was able to dump the BIOS flash using AFUWINGUI.EXE. The version I used was 3.09.03.1462, which is available here:
https://www.ami.com/support-other/ (click on "Aptio 4 AMI Firmware Update Utility")

There may be a more appropriate version to use, as this one seemed to have trouble checking the BIOS version when flashing (it did work if you selected "Do Not Check ROM ID"), but flashing isn't needed to get the password.

Dumping the flash

Run AFUWINGUI.EXE and at the bottom of the "Information" tab click the Save button to make a backup of your BIOS; the default name is afuwin.rom. Now open this saved image with UEFITool_NE, available here:
https://github.com/LongSoft/UEFITool/releases

I used UEFITool_NE_A51_win32.zip; later versions should work fine. The new engine (NE) version seems to deal with AMI's odd NVRAM format better.

Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data. There will be others with subtype Link, which are older, no longer valid entries because of the odd way AMI NVRAM works; if you find one of these, right click on it and select "Go to data" and it will take you to the actual data entry.
Now right click and select "Body hex view" and you should see something like:

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A  {.”¦.:)ÍÒ`.ô\‡í.
0050  07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35  .®®AÜÔ.h«ûú.U¢°5
0060  0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0  .Éf\Áï.ƒw.Ò©-=ˆÐ
0070  E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B  ãc>÷™Šô.O±ªD.Ø`k
0080  01

In this dump the bytes from 0x00 to 0x3F are the (currently unset) user password, 0x40 to 0x7F are the obfuscated administrator password and 0x80 is the quiet boot flag.

1337 encryption

The password is obfuscated using super secure XOR:

VOID PasswordEncode( CHAR16 *Password, UINTN MaxSize)
{
    UINTN        ii;
    unsigned int key = 0x935b;

#if SETUP_PASSWORD_NON_CASE_SENSITIVE
    // Optional build-time fold of a-z to A-Z before encoding
    for ( ii = 0; ii < MaxSize; ii++ )
        Password[ii] = ((Password[ii]>=L'a')&&(Password[ii]<=L'z'))?(Password[ii]+L'A'-L'a'):Password[ii];
#endif

    // Encode the password.. ii is 1-based, so the first CHAR16 is XORed with
    // 0x935b itself, the second with 2*0x935b and so on; the CHAR16 cast keeps
    // only the low 16 bits of key*ii
    for ( ii = 1; ii <= MaxSize/2; ii++ )
        Password[ii-1] = (CHAR16)(Password[ii-1] ^ (key*ii));
}

So XORing the above encoded password:

7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A 07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

with

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

gives

20 80 22 80 16 80 45 80 15 80 38 80 21 80 35 80 34 80 20 80 35 80 4e 80 34 80 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Each character of the password is stored as 2 bytes, and as x86 is little endian I'm guessing they should be read as 0x8020, 0x8022 and so on. I have no idea where the 0x80 comes from; possibly it's something to do with EFI_SHIFT_STATE_VALID. In this case the password was lower case; possibly uppercase status is encoded in this byte too, but I haven't tested uppercase passwords.

WTF scancodes, how does this map to keys?

From the unobfuscated data you can see the password is 13 characters long. I'm going to ignore the 0x80 bytes as I don't understand them :P and just look at the others:
20 22 16 45 15 38 21 35 34 20 35 4e 34
They appear to be some sort of scancodes, although while googling this I found that some AMI BIOSes seem to use ASCII here, so you can read it out directly as text, but not on this machine.
When this CF-U1 arrived from eBay it had a password which I successfully guessed as "toughbook"; my second guess would have been "panasonic", since using text written on the front of the PC as a password saves writing it under the battery cover :P
Looking through the older Link entries for the AMITSESetup NVRAM I found what I thought was the data for this password, which deobfuscating as above gave (ignoring the 0x80):

35 39 37 24 25 14 39 39 27
t  o  u  g  h  b  o  o  k

This seemed promising: repeated characters have the same value, which gives a bit of a key to the mapping. Some googling later about UEFI scancodes and I found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum, so in the toughbook example 35 translates to EfiKeyD5. A second page I found gave the mapping from EfiKey to ASCII:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

So I made up a list of byte to ASCII using these; below are just 0x10 to 0x4E, to cover most values but not be too stupidly long.

Hex  Char  EFIkey           Hex  Char  EFIkey
10   z     EfiKeyB1         30   Tab   EfiKeyTab
11   x     EfiKeyB2         31   q     EfiKeyD1
12   c     EfiKeyB3         32   w     EfiKeyD2
13   v     EfiKeyB4         33   e     EfiKeyD3
14   b     EfiKeyB5         34   r     EfiKeyD4
15   n     EfiKeyB6         35   t     EfiKeyD5
16   m     EfiKeyB7         36   y     EfiKeyD6
17   ,     EfiKeyB8         37   u     EfiKeyD7
18   .     EfiKeyB9         38   i     EfiKeyD8
19   /     EfiKeyB10        39   o     EfiKeyD9
1A         EfiKeyRShift     3A   p     EfiKeyD10
1B         EfiKeyUpArrow    3B   [     EfiKeyD11
1C   1     EfiKeyOne        3C   ]     EfiKeyD12
1D   2     EfiKeyTwo        3D   \     EfiKeyD13
1E   3     EfiKeyThree      3E         EfiKeyDel
1F         EfiKeyCapsLock   3F         EfiKeyEnd
20   a     EfiKeyC1         40         EfiKeyPgDn
21   s     EfiKeyC2         41   7     EfiKeySeven
22   d     EfiKeyC3         42   8     EfiKeyEight
23   f     EfiKeyC4         43   9     EfiKeyNine
24   g     EfiKeyC5         44   `     EfiKeyE0
25   h     EfiKeyC6         45   1     EfiKeyE1
26   j     EfiKeyC7         46   2     EfiKeyE2
27   k     EfiKeyC8         47   3     EfiKeyE3
28   l     EfiKeyC9         48   4     EfiKeyE4
29   ;     EfiKeyC10        49   5     EfiKeyE5
2A   '     EfiKeyC11        4A   6     EfiKeyE6
2B   |     EfiKeyC12        4B   7     EfiKeyE7
2C   4     EfiKeyFour       4C   8     EfiKeyE8
2D   5     EfiKeyFive       4D   9     EfiKeyE9
2E   6     EfiKeySix        4E   0     EfiKeyE10
2F   +     EfiKeyPlus

So what was the password?

Using the above list and the recovered scancodes gave:

20 22 16 45 15 38 21 35 34 20 35 4e 34
a  d  m  1  n  i  s  t  r  a  t  0  r

and when I tried adm1nistrat0r it worked!
This is not complete, as there are still questions about the 0x80 bytes; my guess is they encode the Shift, Alt etc. modifier keys, but I'm back into my handheld so I'm not sure I'll look further into it. This may also apply to other Aptio BIOSes as well as the Panasonic CF-U1, and if the machine isn't bootable you may be able to use a cheap SPI adapter to dump the BIOS. In the case of the CF-U1 it uses an LPC flash, which I don't think you can get cheap clips and readers for, and it's buried in the machine, so a nuisance to get to.
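Both steps above (undoing the XOR and mapping the EFI_KEY indices to ASCII) as one Python script. This is an added example, not code from the gist; the function names password_decode, keys_to_ascii, decode_slot and recover_passwords are my own, the table is the gist's 0x10 to 0x4E list, and the sample input is the AMITSESetup body from the gist's hex view (user slot empty, administrator slot set).

```python
import struct

KEY = 0x935B  # the constant from AMI's PasswordEncode()

# EFI_KEY enum index -> character, restricted to the rows in the gist's table
# (0x10-0x4E). Modifier and navigation keys have no character and are omitted.
EFI_KEY_TO_CHAR = {
    0x10: "z", 0x11: "x", 0x12: "c", 0x13: "v", 0x14: "b", 0x15: "n", 0x16: "m",
    0x17: ",", 0x18: ".", 0x19: "/", 0x1C: "1", 0x1D: "2", 0x1E: "3",
    0x20: "a", 0x21: "s", 0x22: "d", 0x23: "f", 0x24: "g", 0x25: "h", 0x26: "j",
    0x27: "k", 0x28: "l", 0x29: ";", 0x2A: "'", 0x2B: "|",
    0x2C: "4", 0x2D: "5", 0x2E: "6", 0x2F: "+",
    0x31: "q", 0x32: "w", 0x33: "e", 0x34: "r", 0x35: "t", 0x36: "y", 0x37: "u",
    0x38: "i", 0x39: "o", 0x3A: "p", 0x3B: "[", 0x3C: "]", 0x3D: "\\",
    0x41: "7", 0x42: "8", 0x43: "9", 0x44: "`", 0x45: "1", 0x46: "2", 0x47: "3",
    0x48: "4", 0x49: "5", 0x4A: "6", 0x4B: "7", 0x4C: "8", 0x4D: "9", 0x4E: "0",
}

def password_decode(slot: bytes) -> list:
    """Reverse PasswordEncode(): the little-endian CHAR16 at 0-based index i was
    XORed with (KEY * (i + 1)) & 0xFFFF. XOR is its own inverse, so one pass decodes."""
    n = len(slot) // 2
    words = struct.unpack("<%dH" % n, slot[: n * 2])
    return [w ^ ((KEY * ii) & 0xFFFF) for ii, w in enumerate(words, start=1)]

def keys_to_ascii(words) -> str:
    """Map decoded CHAR16s to text: stop at the NUL terminator, drop the 0x80 high
    byte the gist observed (meaning unknown) and look the low byte up as an EFI_KEY
    index. Indices outside the table render as <hh> so nothing is silently lost."""
    out = []
    for w in words:
        if w == 0:
            break
        idx = w & 0xFF
        out.append(EFI_KEY_TO_CHAR.get(idx, "<%02x>" % idx))
    return "".join(out)

def decode_slot(slot: bytes) -> str:
    """An all-zero slot was never written (the gist's "currently unset" user
    password). It is not an encoded empty string: that would show up as the bare
    key stream 5B 93 B6 26 ..., because NUL ^ key == key."""
    if not any(slot):
        return ""
    return keys_to_ascii(password_decode(slot))

def recover_passwords(var_body: bytes):
    """Split an AMITSESetup body into its user (0x00-0x3F) and administrator
    (0x40-0x7F) slots, as the gist lays them out, and decode each."""
    return decode_slot(var_body[0x00:0x40]), decode_slot(var_body[0x40:0x80])

# Sample input taken from the gist's hex view: user slot empty, administrator
# slot populated, byte 0x80 = quiet boot flag.
ADMIN_SLOT = bytes.fromhex(
    "7B1394A6073A29CDD2601AF45C87ED1A07AEAE41DCD40A68ABFBFA0E55A2B035"
    "0BC9665CC1EF1C837716D2A92D3D88D0E3633EF7998AF41D4FB1AA4405D8606B"
)
SAMPLE_BODY = bytes(0x40) + ADMIN_SLOT + b"\x01"

if __name__ == "__main__":
    print(recover_passwords(SAMPLE_BODY))  # ('', 'adm1nistrat0r')
```

Feed it the body bytes saved from UEFITool's hex view of your own dump; a slot that decodes to nothing but <hh> markers is a sign the machine stores something other than EFI_KEY indices (the ASCII or hashed variants discussed in the comments).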


userx14 commented Dec 6, 2021

-- EDIT: Now right bios file --


I think the yellow and red markings indicate that the bios is protected by an RSA Key.


When I search for AMITSEsetup I can find three matches, two of them are empty, but one of them (the one in the second screenshot) seems to have some data attached.


corty8 commented Dec 6, 2021


userx14 commented Dec 6, 2021

@corty8 Please check edited answer...

Every second byte seems to be identical with the original xor key...
5b XX b6 XX ... 05 XX 60 XX (XX are the bytes that are different), so that's probably the location where it is stored...


corty8 commented Dec 6, 2021

Interesting, I didn't notice that.. I will do some checking


r-plabs commented Dec 6, 2021

@userx14
Your BIOS has Bootguard enabled which is bad. I think all Panasonic with 6th gen Intel CPUs and after have it enabled.
If you modify wrong sections you will brick your tablet/laptop. I didn't read much about it so I don't know if this can be unbricked or not.
Just be careful and in the future don't buy any laptop/tablet with 6th gen Intel CPU or higher that has password or custom BIOS (Mxx after version number) unless price is very low. When I say low it means under 100 USD/EUR.


corty8 commented Dec 6, 2021

I have done 6th gen before without any issues; this is a 7th gen machine.
If I make changes to the bin file and it bricks it, I can still copy back the original bin file, can't I?


r-plabs commented Dec 6, 2021

@corty8
Bootguard is not mandatory, depends if the vendor will activate it or not. I saw some Dell laptops that had it in 5th gen already but on Panasonic I saw it on some 7th gen but in general after 6th gen you can expect to have it enabled from factory.

As for flashing back the original BIOS to unbrick it I didn't try it. I bought a 7th gen without password since I was expecting to have the Bootguard issue and I didn't want to experiment on some expensive laptop.

Another point for all FZ-G1 is that you cannot read the chip correctly without de-soldering it. At least it was not working on Mk1-2-3. I noticed that the CPU and RAM were also powered when the BIOS chip was connected to the programmer via clip, and it produced a lot of errors. Maybe it works with some programmer that can do ICSP and has enough current to sustain the other components during reading and writing. In the end I de-soldered the chip, read/wrote it on the programmer and soldered it back when finished. For testing I soldered short wires to the pads that went to a socket so I could remove the chip easily and reflash it. Do not use too long wires since it will create issues, maybe because of voltage drop?!


userx14 commented Dec 6, 2021

I'm not sure, but isn't the purpose of the RSA key/bootguard to protect the actual bios and its modules, while the nvram variables are still editable?
Otherwise the bios itself would need the key to encrypt the nvram variables when changing any setting.

@corty8
Yes, you should be able to flash back the original image without the modification in case the modified version does not work.

@r-plabs
I'm a bit confused because you are talking about an "fz-gz", while corty8 tinkers with a "cf-54 mk3".
Are you referring to @fz-g1, who has the FZ-G1 tablet?

Another point for all FZ-G1 is that you cannot read the chip correctly without de-soldering it

Have you tried cutting the bios chip's 3.3v rail and connecting a switch to it? This way you don't have to extend the signal lines. But I think it is not a problem, since the communication on spi isn't that high speed.

@fz-g1
So the plan with just "Copying" parts of the original bios together with the me section is expected to fail, if bootguard is enabled. But if you are able to find a full dump of a fz-g1 mk4 that should work.
Maybe try the images from here:
https://www.badcaps.net/forum/showthread.php?t=80985


fz-g1 commented Dec 6, 2021

Thanks userx14, I downloaded that bin-file.. so splitting this file 8MB in two and paste part one with my 4MB file wouldn't work? You can clearly find the location where the second part of the 8MB resembles mine.. and the size is correct as well...


fz-g1 commented Dec 6, 2021

I saw some remarks of people clearing just one instance of the password and after resetting the bios, they got the password back (as they didn't take out the other one in the bin-file). Would it be an option to use a reset to switch back to a working unbricked part of the bios.... Do they have something like dual-bios?


userx14 commented Dec 6, 2021

so splitting this file 8MB in two and paste part one with my 4MB file wouldn't work?

Sorry, my knowledge is limited when it comes to bootguard, that was just a guess. Just something to keep in mind when the tablet does not boot with the modified bios image, that it could be caused by bootguard. Just try and see if it works I guess 😏 .

I saw some remarks of people clearing just one instance of the password and after resetting the bios, they got the password back

I think they talk about the option "restore default" in bios which initializes the NVRAM variables with some default values, which probably includes the manufacturer set bios password.
I don't think they have dual bios support, normally for dual bios you will have two identical flash chips.


corty8 commented Dec 6, 2021

Well, got to admit this one got the better of me. I couldn't work out a way to strip the password out on this CF-54 mk3; in the end I sent the bin file to someone that I have used before and they stripped it out for me.
Reprogrammed the chip and soldered it back on the board just now; the machine is back up and running again and all the original machine serial/model number and hours are retained.


userx14 commented Dec 7, 2021

@corty8
Can you check if the data at 0x89c710 has been altered in this new file? Would be interesting to see what needs to be modified.
I would have guessed that the bytes around there just need to be overwritten with zeros.
Maybe you could run a diff on the two files.


corty8 commented Dec 7, 2021

@userx14
Yes, there is a definite change there. I have done a hex compare and there are quite a few differences in the file.
I can upload the new bin file if you like, so you can compare it with the one I posted above.


Ftmmsch commented Dec 7, 2021

Don't know why - but my previous post is gone - deleted!
Maybe because of the e-mail address!

You could send me your file to the e-mail address in my account - but that one I usually don't use constantly.

Better you send me your file to:

my user name at g mail dot com.


userx14 commented Dec 7, 2021

I can upload the new bin file if you like you can compare it with the one I posted above

Would be interesting indeed.


userx14 commented Dec 8, 2021

@corty8 thanks,

Ok, short summary of the changes for the Panasonic CF-54 mk3, if anyone else is interested:

0x00003010 - 0x00003da0 (me region flash partition table)             probably caused by different/modified ME-version
0x00133000 - 0x00603cff (intel me region)                             maybe a different ME-version or effect of using ME disable/cleaner, unsure, large regions replaced with 0xff
0x0089c710 - 0x0089c74F (location for the AMITSESetup NVRAM variable) was overwritten with zeros

Well, the change at 0x0089c710 is exactly what one would expect to remove the password.
I'm unsure if the ME modification was necessary; I would guess that this could be the action of me_cleaner, which disables intel me by overwriting selected pages with 0xff.


fz-g1 commented Dec 9, 2021

Mission accomplished! FZ-G1R mk4 BIOS: MX25L12873F Motherboard DHLB1030ZD/X1
Thanks a lot everyone, especially you userx14 ;-) As without information you cannot grow in knowledge, here are my findings:

I used a CH341 Black (with the V3.3 adjustment proposed by userx14) with NeoProgrammer 2.2.0.10 (I read that AsProgrammer might give some problems) and the Clamp and I was able to read and write the bios!
After first successfully downloading and saving 3 identical images, I checked the files and found out that the second part of the BIOS file (00800000 - 00FFFFFF) which I got with the NeoProgrammer was partially erased by AfuWin64Gui during an unsuccessful write effort (in which it already wiped part of the BIOS before finding out that it was write-protected).
So as final bios file I used the first part of the BIOS-file I downloaded from the BIOS with NeoProgrammer (so 0 - 007FFFFF) and as second part (00800000 - 00FFFFFF) I took the file which I got with Afuwin.exe, from which I deleted the password. Of course if you haven't screwed up your BIOS with Afuwin then you could use the full file from NeoProgrammer after taking out the password with HxD.

In NeoProgrammer I selected all the options in Write IC (Off-Protect, Erase, Blank Check, Write and Verify) to write this file to the BIOS.
(There will still be a part in the BIOS in which "toughkit" is a useful word ;-) )

Thanks again everybody!!!


userx14 commented Dec 9, 2021

@fz-g1
Glad it worked out 👍 , interesting that the failed flash erased only some parts of the bios and aborted afterwards.
That should mean that it is easier to find and use an incomplete bios image to recover from this, as only the upper section is needed.

I think one has to assume that with the newer versions / revisions of the panasonic lineup one will most likely encounter this error with afuwin,
and that one should do a full dump with a hardware flasher to avoid any unpleasant surprises.

Models known from this thread to encounter errors with software flashing (definitely do a backup with a hardware programmer beforehand):

  • CF-20 Mk2
  • CF-31 MK3
  • CF-53 mk3
  • CF-53 mk4
  • FZ-G1 mk4


drshock commented Dec 18, 2021

This XOR technique does not work on the ToughPad FZ-G1 series of tablets. The ToughPad passwords are in the same BIOS NVRAM area, but as others have mentioned about newer ToughBooks, this BIOS area is encrypted in the ToughPads too, even with the oldest MK1 series. However, you can still clear the password by zeroing out both the user and supervisor data values in the BIOS flash chip.

I did a video on how I applied this technique to clear the BIOS password on my ToughPad FZ-G1A MK1, as well as the ToughPad tablet disassembly required to access, desolder, reprogram, and reinstall the BIOS flash chip. I thought I'd share it here too as this might apply to later ToughBooks that encrypt this NVRAM area as well and help someone else out - ToughPad FZ-G1 Clear BIOS Password

I've given a shout out to this gist in my video, and included a link to this gist in the video's description. Thanks for sharing the ToughBook approach here, as that inspired me to dig into how to clear the lost BIOS password on my ToughPad FZ-G1 that I use for automotive diagnostics work.


Biozax commented Dec 29, 2021

Hello, Everyone.
Glad I Have Found This Thread, Because I Have Tried To Find Out My Bios Password For Panasonic Toughbook CF-31 For A Long Time.
Can Anyone Tell Me: Is It Possible To Remove It With userx14's Method, Or Should It Only Be Flashed?
I Have Made A ROM Bios File, But I Can't Handle The Rest. I Have Opened The File In UEFITool_NE_A59_win32, But Don't Understand How To Find The Needed Line In The Code.
Can Anyone Help Me: https://drive.google.com/file/d/1ADYcAcvcbLBODWNHtjKWgKira9R_6kej/view?usp=sharing
Thanks For The Answer And Help To Anyone!
Happy New Year Everyone!


Biozax commented Dec 30, 2021

Forgot To Say: Model: Panasonic Toughbook CF-31 MK4 (Intel Core I5-3340M)


Ftmmsch commented Dec 30, 2021

@Biozax:

Drive Google ? - Access denied !


Biozax commented Dec 30, 2021

Sorry, Looks Like I Didn't Open It For Everyone.
Here It Is:
https://drive.google.com/file/d/1ADYcAcvcbLBODWNHtjKWgKira9R_6kej/view?usp=sharing

Thank You!


userx14 commented Dec 30, 2021

@Biozax

With a hex editor one can find two occurrences:

I would guess that one is the current value and the other one could be loaded when one uses "reset to default".

Or Uefi Tool Alpha 51 seems to work as well (corresponds to second screenshot from hex editor):

The password is hashed (20 bytes), so you probably have to overwrite both occurrences with zeros.

The dangerous part is flashing the modified image back to the bios chip, and there is a known problem for the CF-31 MK3 resulting in a brick.
I would guess that it will very likely occur with a MK4, so please check the previous posts.
Since the flashing procedure could abort with an error I would advise against trying a flash with afuwin on windows without having a full backup, and your file seems to only be a partial backup.
A hardware flasher like a CH341a should be able to create a full backup.

Best,
Benjamin


Biozax commented Dec 30, 2021

Thanks For Your Attention and Help.
Understand.


passssha commented Feb 1, 2022

Good afternoon. Can you please tell me, is it possible to restore the password?
5BC1B65211E76C83C7
B5225A7D8FD8FF339C8E66E9DA44659F
25FA89555BB0EE0B9D6669C1A81C2B77
16D2A92D3D88D0E3633EF7998AF41D4F
B1AA4405D8606B01


userx14 commented Feb 1, 2022

@passssha
Your password is hashed (20 bytes with zeros as padding in between). The only option known to reset it is to overwrite the sections in the bios with zeros and flash the resulting image back to the device. Mind the risks involved and that flashing back the bios using the software afuwin tool on some panasonic models will lead to a bricked device (see this list, which is probably incomplete).
Best Benjamin
