Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

CF-U1-BIOS.md

Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

A mess of my own making

While messing with a CF-U1 handheld PC that I bought off ebay I managed to mess up the BIOS and it seems it reverted to previous settings which included an unknown BIOS password, it would however still boot into windows. Since I could still boot windows I was able to dump the bios flash using AFUWINGUI.EXE the version I used was 3.09.03.1462 which is available here:
https://www.ami.com/support-other/ Click on Aptio 4 AMI Firmware Update Utility

There may be a more appropriate version to use as this seemed to have trouble checking the bios version when flashing but did work if you selected "Do Not Check ROM ID" but flashing isnt needed to get the password.

Dumping the flash

Run AFUWINGUI.EXE and at the bottom of the "Information" tab click the save button to make a backup of your bios, the default name is afuwin.rom Now open this saved image with UEFITool_NE available here:
https://github.com/LongSoft/UEFITool/releases

I used UEFITool_NE_A51_win32.zip later versions should work fine. The new engine (NE) verson seems to deal with AMI's odd nvram format better.

Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data there will be others with subtype Link which are older no longer valid entrys because of the odd way AMI nvram works, if you find one of these right click on it and select "Go to data" and it will take you to the actual data entry.
Now right click and select "Body hex view" and you should see something like:

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A  {.”¦.:)ÍÒ`.ô\‡í.
0050  07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35  .®®AÜÔ.h«ûú.U¢°5
0060  0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0  .Éf\Áï.ƒw.Ò©-=ˆÐ
0070  E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B  ãc>÷™Šô.O±ªD.Ø`k
0080  01

In this the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password and 0x80 is the quiet boot flag.

1337 encryption

The password is obfuscated using super secure xor

VOID PasswordEncode( CHAR16 *Password, UINTN MaxSize)
{
    UINTN	ii;
    unsigned int key = 0x935b;

#if SETUP_PASSWORD_NON_CASE_SENSITIVE
    for ( ii = 0; ii < MaxSize; ii++ )
        Password[ii] = ((Password[ii]>=L'a')&&(Password[ii]<=L'z'))?(Password[ii]+L'A'-L'a'):Password[ii];
#endif

    // Encode the password..
    for ( ii = 1; ii <= MaxSize/2; ii++ )
        Password[ii-1] = (CHAR16)(Password[ii-1] ^ (key*ii));
}

So Xoring the above encoded password:

7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A 07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

with

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

gives

20 80 22 80 16 80 45 80 15 80 38 80 21 80 35 80 34 80 20 80 35 80 4e 80 34 80 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Each character of the password is stored as 2 bytes, and as x86 is wrong endian im guessing should be read as 0x8020 0x8022 I have no idea where the 0x80 comes from possibly its something to do with the EFI_SHIFT_STATE_VALID in this case the password was lower case, possibly uppercase status is encoded in this byte too I have no idea I havent tested uppercase passwords.

WTF scancodes how does this map to keys

From the unobfuscated data you can see the password is 13 characters long, im going to ignore the 0x80 bytes as i dont understand them :P and just look at the others:
20 22 16 45 15 38 21 35 34 20 35 4e 34
They appear to be some sort of scancodes, although while googleing this I found some AMI bioses seem to use ascii here so you can read it out directly as text, but not on this machine.
When this CF-U1 arrived from ebay it had a password which i sucessfully guessed as "toughbook" my second guess would have been "panasonic" since using text written on the front of the PC as a password saves writing it under the battery cover :P
Looking through the older link entrys for the AMITSESetup nvram I found what I thought was the data for this password which deobfuscating as above gave (ignoring the 0x80):

35 39 37 24 25 14 39 39 27
t  o  u  g  h  b  o  o  k

This seemed promising repeated characters have the same value and gives a bit of a key to the mapping Some googeling later about UEFI scancodes and i found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum so in the toughbook example 35 translates to EfiKeyD5 a second page I found gave the mapping from EfiKey to ascii:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

So i made up a list of byte to ascii using these, below are just 0x10 to 0x4E to cover most values but not be too stupidly long.

Hex	Char	EFIkey	Hex	Char	EFIkey
10	z	EfiKeyB1	30	Tab	EfiKeyTab
11	x	EfiKeyB2	31	q	EfiKeyD1
12	c	EfiKeyB3	32	w	EfiKeyD2
13	v	EfiKeyB4	33	e	EfiKeyD3
14	b	EfiKeyB5	34	r	EfiKeyD4
15	n	EfiKeyB6	35	t	EfiKeyD5
16	m	EfiKeyB7	36	y	EfiKeyD6
17	,	EfiKeyB8	37	u	EfiKeyD7
18	.	EfiKeyB9	38	i	EfiKeyD8
19	/	EfiKeyB10	39	o	EfiKeyD9
1A		EfiKeyRShift	3A	p	EfiKeyD10
1B		EfiKeyUpArrow	3B	[	EfiKeyD11
1C	1	EfiKeyOne	3C	]	EfiKeyD12
1D	2	EfiKeyTwo	3D	\	EfiKeyD13
1E	3	EfiKeyThree	3E		EfiKeyDel
1F		EfiKeyCapsLock	3F		EfiKeyEnd
20	a	EfiKeyC1	40		EfiKeyPgDn
21	s	EfiKeyC2	41	7	EfiKeySeven
22	d	EfiKeyC3	42	8	EfiKeyEight
23	f	EfiKeyC4	43	9	EfiKeyNine
24	g	EfiKeyC5	44	`	EfiKeyE0
25	h	EfiKeyC6	45	1	EfiKeyE1
26	j	EfiKeyC7	46	2	EfiKeyE2
27	k	EfiKeyC8	47	3	EfiKeyE3
28	l	EfiKeyC9	48	4	EfiKeyE4
29	;	EfiKeyC10	49	5	EfiKeyE5
2A	'	EfiKeyC11	4A	6	EfiKeyE6
2B	|	EfiKeyC12	4B	7	EfiKeyE7
2C	4	EfiKeyFour	4C	8	EfiKeyE8
2D	5	EfiKeyFive	4D	9	EfiKeyE9
2E	6	EfiKeySix	4E	0	EfiKeyE10
2F	+	EfiKeyPlus

So what was the password?

Using the above list and the recovered scancodes gave:

20 22 16 45 15 38 21 35 34 20 35 4e 34
a  d  m  1  n  i  s  t  r  a  t  0  r

and when i tried adm1nistrat0r it worked!
This is not complete as there are still questions about the 0x80 bytes but my guess is they encode the shift alt etc modifier keys but im back into my handheld so i'm not sure ill look further into it. This may also apply to other Aptio bioses as well as the Panasonic CF-U1, and if the machine isnt bootable you may be able to use a cheap spi adapter to dump the bios, in the case of the CF-U1 it uses an LPC flash which I don't think you can get cheap clips and readers for and its buried in the machine so a nuisance to get to.

I saw some remarks of people clearing just one instance of the password and after resetting the bios, they got the password back (as they didn't take out the other one in the bin-file). Would it be an option to use a reset to switch back to a working unbricked part of the bios.... Do they have something like dual-bios?

so splitting this file 8MB in two and paste part one with my 4MB file wouldn't work?

Sorry, my knowledge is limited when it comes to bootguard, that was just a guess. Just something to keep in mind when the tablet does not boot with the modified bios image, that it could be caused by bootguard. Just try and see if it works I guess 😏 .

I saw some remarks of people clearing just one instance of the password and after resetting the bios, they got the password back

I think they talk about the option "restore default" in bios which initializes the NVRAM variables with some default values, which probably includes the manufacturer set bios password.
I don't think they have dual bios support, normally for dual bios you will have two identical flash chips.

Well got to admit this one got the better of me, I couldn't work out a way to strip the password out on this CF-54 mk3, in the end I sent the bin file to someone that I have used before and they stripped it out for me.
Reprogramed the chip and soldered it back on the board just now, machine is back up and running again and all the original machine serial/model number and hours are retained

@corty8
Can you check if the data at 0x89c710 has been altered in this new file, would be interesting to see what needs to be modified.
Would have guessed that the bytes around there just need to be overwritten with zeros.
Maybe you could run a diff on the two files.

@userx14
Yes there is a definite charge there, I have done a hex compare and there are quite a few differences in the file
I can upload the new bin file if you like you can compare it with the one I posted above

Don't know why - ut my previous post is gone - deleted!
Maybe, because of the e-mail adress!

You could send my your file to the e-mail adress in my account - but, that one, i usually don't use constant.

Better you send me your file to:

my user name at g mail dot com.

I can upload the new bin file if you like you can compare it with the one I posted above

Would be interesting indeed.

@userx14
Here it is mate:
https://drive.google.com/file/d/1XsHPFKjUu4SCDjvEy0dPUVKzE-gDnUkI/view?usp=sharing

@corty8 thanks,

Ok short summary for the changes for the panasonic CF-54 mk3, if anyone else is interested:

0x00003010 - 0x00003da0 (me region flash partition table)             probably caused by different/modified ME-version
0x00133000 - 0x00603cff (intel me region)                             maybe a different ME-version or effect of using ME disable/cleaner, unsure, large regions replaced with 0xff
0x0089c710 - 0x0089c74F (location for the AMITSESetup NVRAM variable) was overwritten with zeros

Well the change at 0x0089c710 is exactely what one would expect to remove the password.
I'm unsure if the ME modification was neccesary, I would guess that this could be the action of me_cleaner which disables intel me by overwriting selected pages with 0xff.

Mission accomplished! FZ-G1R mk4 BIOS: MX25L12873F Motherboard DHLB1030ZD/X1
Thanks a lot everyone especially you userx14 ;-) As without information you cannot grow in knowledge, here my findings:

I used a CH341 Black (with the V3.3 adjustment proposed by userx14) with NeoProgrammer 2.2.0.10 (I read that AsProgrammer might give some problems) and the Clamp and I was able to read and write the bios!
After first successfully downloading and saving 3 identical images, I checked the files and found out that the second part of the BIOS file (00800000 - 00FFFFFF) which I got with the NeoProgrammer was partially erased by AfuWin64Gui during an unsuccessful write effort (in which it already wiped part of the BIOS before finding out that it was write-protected).
So as final bios file I used the first part of the BIOS-file I downloaded from the BIOS with NeoProgrammer (so 0 - 007FFFFF) and as second part (00800000 - 00FFFFFF) I took the file which I got with Afuwin.exe, from which I deleted the password. Of course if you haven't screwed up your BIOS with Afuwin then you could use the full file from NeoProgrammer after taking out the password with HxD.

In NeoProgrammer I selected all the options in Write IC (Off-Protect, Erase, Blank Check, Write and Verify) to write this file to the BIOS.
(There will still be a part in the BIOS in which "toughkit" is a useful word ;-) )

Thanks again everybody!!!

@fz-g1
Glad it worked out 👍 , interesting that the failed flash erased only some parts of the bios and aborts afterwards.
That should mean that it is easyer to find and use an incomplete bios image to revocer from this, as only the upper section is needed.

I think one has to assume that with the newer versions / revisions of the panasonic lineup one will most likeley encounter this error with afuwin,
and that one should do a full dump with a hardware flasher to avoid any unpleasant surprises.

Models known from this thread to encounter errors with software flashing (definitiveley do a backup with a hardware programmer beforehand):

• CF-20 Mk2
• CF-31 MK3
• CF-53 mk3
• CF-53 mk4
• FZ-G1 mk4

This XOR technique does not work on the ToughPad FZ-G1 series of tablets. The ToughPad passwords are in the same BIOS NVRAM area, but as others have mentioned about newer ToughBooks, this BIOS area is encrypted in the ToughPads too, even with the oldest MK1 series. However, you can still clear the password by zeroing out both the user and supervisor data values in the BIOS flash chip.

I did a video on how I applied this technique to clear the BIOS password on my ToughPad FZ-G1A MK1, as well as the ToughPad tablet disassembly required to access, desolder, reprogram, and reinstall the BIOS flash chip. I thought I'd share it here too as this might apply to later ToughBooks that encrypt this NVRAM area as well and help someone else out - ToughPad FZ-G1 Clear BIOS Password

I've given a shout out to this gist in my video, and included a link to this gist in the videos description. Thanks for sharing the ToughBook approach here, as that inspired me to dig into how to clear the lost BIOS password on my ToughPad FZ-G1 that I use for automotive diagnostics work.

Hello, Everyone.
Glad I Have Found This Thread, Because I Have Try To Find Out My Bios Password For Panasonic Toughbook CF-31 For A Long Time.
Can Anyone Tell Me: Is It Posible To Remove It With userx14 Method, or It Should Be Only Flashed?
I Have Made ROM Bios File, But I Cant Handle With The Rest. I Have Open File In UEFITool_NE_A59_win32, but Dont Understand, How To Find Need Line In Code.
Can Anyone Help Me: https://drive.google.com/file/d/1ADYcAcvcbLBODWNHtjKWgKira9R_6kej/view?usp=sharing
Thanks For The Answer And Help To Anyone!
Happy New Year Everyone!

Forgot To Say: Model: Panasonic Toughbook CF-31 MK4 (Intel Core I5-3340M)

@Biozax:

Drive Google ? - Access denied !

Sorry, Looks Like I Didnt Open It For Everyone
Here It Is:
https://drive.google.com/file/d/1ADYcAcvcbLBODWNHtjKWgKira9R_6kej/view?usp=sharing

Thank You!

@Biozax

With a hex editor one can find two occurrences:

I would guess that one is the current value and the other one could be loaded when one uses "reset to default".

Or Uefi Tool Alpha 51 seems to work as well (corresponds to second screenshot from hex editor):

The password is hashed (20bytes) so you probably have to overwrite both occurences with zeros.

The dangerous part is flashing the modified image back to the bios chip, and there is a known problem for the CF-31 MK3 resulting in a brick.
I would guess that it will very likely occur with a MK4, so please check the previous posts.
Since the flashing procedure could abort with an error I would advise against trying a flash with afuwin on windows without having a full backup, and your file seems to only be a partial backup.
A hardware flasher like a CH341a should be able to create a full backup.

Best,
Benjamin

@Biozax:

https://drive.google.com/file/d/1N38VpcbiF_4-622a-nVMqE5LRQym8YzU/view?usp=sharing

Thanks For Your Attention and Help.
Understand.

Good afternoon. Can you please tell me, is it possible to restore the password?
5BC1B65211E76C83C7
B5225A7D8FD8FF339C8E66E9DA44659F
25FA89555BB0EE0B9D6669C1A81C2B77
16D2A92D3D88D0E3633EF7998AF41D4F
B1AA4405D8606B01

@passssha
Your password is hashed (20 bytes with zeros as padding in between). The only option known to reset it is to overwrite the sections in the bios with zeros and flash the resulting image back to the device. Mind the risks involved and that flashing back the bios using the software afuwin tool on some panasonic models will lead to a bricked device (see this list, which is probably incomplete).
Best Benjamin

@en4rab
It worked (: I did the reset on Windows 10. I ran all programs as Administrator. Dump was edited in Hex Editor Neo (14-day trial). I found 2 occurrences on the mask "D8606B01" and wiped them all with zeros. After the reboot I was able to enter the BIOS. Thank you very much for your help. (Laptop Panasonic CF-53MK4)

Hi all
Anyone could help me to get the bios pass
https://drive.google.com/file/d/14XVmrpRfDzr0uGdngT_cAbrlAQAQ73Qr/view?usp=sharing
Thanks

Hi all Anyone could help me to get the bios pass https://drive.google.com/file/d/14XVmrpRfDzr0uGdngT_cAbrlAQAQ73Qr/view?usp=sharing Thanks

Hi @fastar1981,
unfortunatelly the password does not seem to be stored the same way as in the BIOS images I've already looked at.
I mean I can find the AMITSESetup in one compressed section, but can't find the associated data.
Maybe someone else has an idea?
Is this a new panasonic model?
Best,
Benjamin

@fastar1981
This doesn't look like a Panasonic BIOS image. what laptop it is?

@userx14 @r-plabs
Thanks
I bought a computer with this motherboard but I don't know the model because it doesn't put it on the motherboard
Is a aptio V but I can't find where the sha256 is
I cant calculate the sha and I cant remove the pass becase I can not find where is loated the second sha
i think its a weird motherboard

I need help with the XoR part. It's been a minute since I've been in c++, does anyone have a link or example project I can use to decrypt my hash? I have an MK1 CF-31 that I've been trying to extract the password from for 2 years.

using this https://xor.pw/# I'm able to recreate the OP's password (with their hashes), but mine just generated gibberish. Any ideas?

I need help with the XoR part. It's been a minute since I've been in c++, does anyone have a link or example project I can use to decrypt my hash? I have an MK1 CF-31 that I've been trying to extract the password from for 2 years.

@t4thfavor
Just use the website xor.pw,
one field is your hashed password, the other the xor sequence from the first post, which one you put in which field (1/2) doesn't matter.
Make sure to cut the xor sequence from the first post on the end, such that it matches the length of your hashed password.
It is likeley that the length matches already.

Best,
Benjamin

I need help with the XoR part. It's been a minute since I've been in c++, does anyone have a link or example project I can use to decrypt my hash? I have an MK1 CF-31 that I've been trying to extract the password from for 2 years.

@t4thfavor Just use the website xor.pw, one field is your hashed password, the other the xor sequence from the first post, which one you put in which field (1/2) doesn't matter. Make sure to cut the xor sequence from the first post on the end, such that it matches the length of your hashed password. It is likeley that the length matches already.

Best, Benjamin

I did that, I get 0xcc as my first bit which maps to some nonsense character. What are the odds that my bios is encrypted somehow? Everything else matches and I can reproduce your results with the hashes you posted. Mine are just stupid.

This is what I get, and it maps to something like "Ì^M5‰œž¸0^H" where "^H" is one character and :^M is one character, etc.
cc000d00350089009c009e00b80030000800eb0073002800d600c900cc001600c100fc00a300aa000000000000000000000000000000000000000000000000

EDIT: I have two identical machines, both produce the same hashes exactly. Is that good or bad?

This is what I get, and it maps to something like "Ì^M5‰œž¸0^H" where "^H" is one character and :^M is one character, etc. cc000d00350089009c009e00b80030000800eb0073002800d600c900cc001600c100fc00a300aa000000000000000000000000000000000000000000000000

These 20 bytes (with zeros as padding in between) are most likeley a sha1 hash of the password or input keys.
Since hashing is a one way function there is no feasable way to find the password.

But overwriting the hash with all zeros disables the password. Some models have write protection for software flashing the bios in place, which can result in a brick, see the posts above.