Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

CF-U1-BIOS.md

Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

A mess of my own making

While messing with a CF-U1 handheld PC that I bought off ebay I managed to mess up the BIOS and it seems it reverted to previous settings which included an unknown BIOS password, it would however still boot into windows. Since I could still boot windows I was able to dump the bios flash using AFUWINGUI.EXE the version I used was 3.09.03.1462 which is available here:
https://ami.com/en/?Aptio_4_AMI_Firmware_Update_Utility.zip

There may be a more appropriate version to use as this seemed to have trouble checking the bios version when flashing but did work if you selected "Do Not Check ROM ID" but flashing isnt needed to get the password.

Dumping the flash

Run AFUWINGUI.EXE and at the bottom of the "Information" tab click the save button to make a backup of your bios, the default name is afuwin.rom Now open this saved image with UEFITool_NE available here:
https://github.com/LongSoft/UEFITool/releases

I used UEFITool_NE_A51_win32.zip later versions should work fine. The new engine (NE) verson seems to deal with AMI's odd nvram format better.

Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data there will be others with subtype Link which are older no longer valid entrys because of the odd way AMI nvram works, if you find one of these right click on it and select "Go to data" and it will take you to the actual data entry.
Now right click and select "Body hex view" and you should see something like:

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A  {.”¦.:)ÍÒ`.ô\‡í.
0050  07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35  .®®AÜÔ.h«ûú.U¢°5
0060  0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0  .Éf\Áï.ƒw.Ò©-=ˆÐ
0070  E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B  ãc>÷™Šô.O±ªD.Ø`k
0080  01

In this the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password and 0x80 is the quiet boot flag.

1337 encryption

The password is obfuscated using super secure xor

VOID PasswordEncode( CHAR16 *Password, UINTN MaxSize)
{
    UINTN	ii;
    unsigned int key = 0x935b;

#if SETUP_PASSWORD_NON_CASE_SENSITIVE
    for ( ii = 0; ii < MaxSize; ii++ )
        Password[ii] = ((Password[ii]>=L'a')&&(Password[ii]<=L'z'))?(Password[ii]+L'A'-L'a'):Password[ii];
#endif

    // Encode the password..
    for ( ii = 1; ii <= MaxSize/2; ii++ )
        Password[ii-1] = (CHAR16)(Password[ii-1] ^ (key*ii));
}

So Xoring the above encoded password:

7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A 07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

with

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

gives

20 80 22 80 16 80 45 80 15 80 38 80 21 80 35 80 34 80 20 80 35 80 4e 80 34 80 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Each character of the password is stored as 2 bytes, and as x86 is wrong endian im guessing should be read as 0x8020 0x8022 I have no idea where the 0x80 comes from possibly its something to do with the EFI_SHIFT_STATE_VALID in this case the password was lower case, possibly uppercase status is encoded in this byte too I have no idea I havent tested uppercase passwords.

WTF scancodes how does this map to keys

From the unobfuscated data you can see the password is 13 characters long, im going to ignore the 0x80 bytes as i dont understand them :P and just look at the others:
20 22 16 45 15 38 21 35 34 20 35 4e 34
They appear to be some sort of scancodes, although while googleing this I found some AMI bioses seem to use ascii here so you can read it out directly as text, but not on this machine.
When this CF-U1 arrived from ebay it had a password which i sucessfully guessed as "toughbook" my second guess would have been "panasonic" since using text written on the front of the PC as a password saves writing it under the battery cover :P
Looking through the older link entrys for the AMITSESetup nvram I found what I thought was the data for this password which deobfuscating as above gave (ignoring the 0x80):

35 39 37 24 25 14 39 39 27
t  o  u  g  h  b  o  o  k

This seemed promising repeated characters have the same value and gives a bit of a key to the mapping Some googeling later about UEFI scancodes and i found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum so in the toughbook example 35 translates to EfiKeyD5 a second page I found gave the mapping from EfiKey to ascii:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

So i made up a list of byte to ascii using these, below are just 0x10 to 0x4E to cover most values but not be too stupidly long.

Hex	Char	EFIkey	Hex	Char	EFIkey
10	z	EfiKeyB1	30	Tab	EfiKeyTab
11	x	EfiKeyB2	31	q	EfiKeyD1
12	c	EfiKeyB3	32	w	EfiKeyD2
13	v	EfiKeyB4	33	e	EfiKeyD3
14	b	EfiKeyB5	34	r	EfiKeyD4
15	n	EfiKeyB6	35	t	EfiKeyD5
16	m	EfiKeyB7	36	y	EfiKeyD6
17	,	EfiKeyB8	37	u	EfiKeyD7
18	.	EfiKeyB9	38	i	EfiKeyD8
19	/	EfiKeyB10	39	o	EfiKeyD9
1A		EfiKeyRShift	3A	p	EfiKeyD10
1B		EfiKeyUpArrow	3B	[	EfiKeyD11
1C	1	EfiKeyOne	3C	]	EfiKeyD12
1D	2	EfiKeyTwo	3D	\	EfiKeyD13
1E	3	EfiKeyThree	3E		EfiKeyDel
1F		EfiKeyCapsLock	3F		EfiKeyEnd
20	a	EfiKeyC1	40		EfiKeyPgDn
21	s	EfiKeyC2	41	7	EfiKeySeven
22	d	EfiKeyC3	42	8	EfiKeyEight
23	f	EfiKeyC4	43	9	EfiKeyNine
24	g	EfiKeyC5	44	`	EfiKeyE0
25	h	EfiKeyC6	45	1	EfiKeyE1
26	j	EfiKeyC7	46	2	EfiKeyE2
27	k	EfiKeyC8	47	3	EfiKeyE3
28	l	EfiKeyC9	48	4	EfiKeyE4
29	;	EfiKeyC10	49	5	EfiKeyE5
2A	'	EfiKeyC11	4A	6	EfiKeyE6
2B	|	EfiKeyC12	4B	7	EfiKeyE7
2C	4	EfiKeyFour	4C	8	EfiKeyE8
2D	5	EfiKeyFive	4D	9	EfiKeyE9
2E	6	EfiKeySix	4E	0	EfiKeyE10
2F	+	EfiKeyPlus

So what was the password?

Using the above list and the recovered scancodes gave:

20 22 16 45 15 38 21 35 34 20 35 4e 34
a  d  m  1  n  i  s  t  r  a  t  0  r

and when i tried adm1nistrat0r it worked!
This is not complete as there are still questions about the 0x80 bytes but my guess is they encode the shift alt etc modifier keys but im back into my handheld so i'm not sure ill look further into it. This may also apply to other Aptio bioses as well as the Panasonic CF-U1, and if the machine isnt bootable you may be able to use a cheap spi adapter to dump the bios, in the case of the CF-U1 it uses an LPC flash which I don't think you can get cheap clips and readers for and its buried in the machine so a nuisance to get to.

Hi satorisage,

but where did that part come from?

See the secton "1337 encryption" of en4rab's original post. The key can generated in 16 bytes increments because it is
0x935b * (currentIteration + 1),
when you only use the lower 16 bytes of the result. This seems to be the same across many different toughbook models.

Is is an operation I can write in Python?

Yes, see following code using your rom data.

show code for panasoHardcoded.py python3

import binascii

def hexPrettyPrint(bytesStr):
    print(binascii.hexlify(bytesStr, sep=" "))

def generatePanaXorSequence(numOfBytes):
    if(numOfBytes%2):
        raise ValueError("Only even number of bytes supported")
    key = int("0x935b", 16)
    numOfInt16 = numOfBytes//2
    generatedKey = bytes()
    for i in range(numOfInt16):
        keyForThisInt16 = key*(i+1) 
        keyForThisInt16 = keyForThisInt16 & int("0xffff", 16)   #only keep the lower 2 bytes
        keyForThisInt16 = keyForThisInt16.to_bytes(2, 'little') 
        generatedKey = generatedKey + keyForThisInt16
    return generatedKey
    
def xorByteStrings(bytesStr1, bytesStr2):
    if(len(bytesStr1) != len(bytesStr2)):
        raise ValueError("Xor needs same length of byteStrings")
    byteStringResult = bytes()
    for i in range(len(bytesStr1)):
        byteStringResult += bytes([bytesStr1[i] ^ bytesStr2[i]])
    return byteStringResult
    
def getSHA1ifExist(bytesStr):
    sha1 = bytes()
    for i in range(20):                 #sha1 is 20 bytes
        if(bytesStr[2*i] != 0):         #check if the upper bytes is always zero of each int16
            return None
        sha1 += bytes([bytesStr[2*i + 1]])
    for i in range(40, len(bytesStr)):
        if(bytesStr[i] != 0):           #all bytes after the first 40 bytes should be zero
            return None
    return sha1

def getASCIIifExist(bytesStr):
    asciiBytes = bytes()
    for i in range(len(bytesStr)//2):
        if(bytesStr[2*i+1] != 0):        #check if the lower bytes is always zero of each int16
            return None
        if(bytesStr[2*i]):
            asciiBytes += bytes([bytesStr[2*i]])
    return asciiBytes.decode("ascii")

#calculation
yourValueFromNvRam = "5B 46 B6 48 11 E2 6C 70 C7 9D 22 B1 7D 43 D8 2E 33 B8 8E D7 E9 5C 44 DA 9F 8A FA FE 55 D8 B0 7F 0B E0 66 C8 C1 FF 1C A6 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B"
yourValueFromNvRam = yourValueFromNvRam.replace(" ", "")                        #remove whitespaces
yourValueFromNvRam = binascii.unhexlify(yourValueFromNvRam)                     #to bytes
generatedKeyWithSameLength = generatePanaXorSequence(len(yourValueFromNvRam))
resultOfXor = xorByteStrings(yourValueFromNvRam, generatedKeyWithSameLength)

#analysis
sha1 = getSHA1ifExist(resultOfXor)
if(sha1 == None):
    asciiString = getASCIIifExist(resultOfXor)
    if(asciiString):
        print(f"here is you password:\n{asciiString}")
    print("here is you xored sequence:")
    hexPrettyPrint(resultOfXor)
else:
    print("the xored sequence is likeley the following sha1 hash:")
    hexPrettyPrint(sha1)

(edit 04.01.23: add ascii conversion)

Please let me known if you have any additional questions.

One interesting thing I hadn't had time to implement yet is to open the dumped hex file, and search for occurences fo the last few bytes of the xor sequence for the length 64 bytes.
Since the password or hash is likely to be relatively short <40 bytes the last few bytes are most likely equal to the xor sequence.
Then derive the start of the sequence an overwrite all 64 bytes with zeros to generate a flashable image without password protection.

Maybe a check if the bios dump is complete (includes the intel me section, ...) would be important, because flashing back a partial modified dump will result in a "dead" device. Finding a complete dump online to recover from this state might be difficult.

Best,
Benjamin

Hi satorisage,

but where did that part come from?

See the secton "1337 encryption" of en4rab's original post. The key can generated in 16 bytes increments because it is 0x935b * (currentIteration + 1), when you only use the lower 16 bytes of the result. This seems to be the same across many different toughbook models.

Is is an operation I can write in Python?

Yes, see following code using your rom data.

show code for panasoHardcoded.py python3
Please let me known if you have any additional questions.

One interesting thing I hadn't had time to implement yet is to open the dumped hex file, and search for occurences fo the last few bytes of the xor sequence for the length 64 bytes. Since the password or hash is likely to be relatively short <40 bytes the last few bytes are most likely equal to the xor sequence. Then derive the start of the sequence an overwrite all 64 bytes with zeros to generate a flashable image without password protection.

Maybe a check if the bios dump is complete (includes the intel me section, ...) would be important, because flashing back a partial modified dump will result in a "dead" device. Finding a complete dump online to recover from this state might be difficult.

Best, Benjamin

Thanks for the reply! Seems like for the CF54's I have this key could be incorrect - or maybe there is something else going on. When I extracted and calculated the result I got d56e583d7dc544b496160832f1f07a4a29941025 as the sha1. But the password is "tsipub" and as a sha1 hash it calculates to 48d87741220aa2a705005a01bbbcdb1c858eae41. Any thoughts on what could be going on there?

Seems like for the CF54's I have this key could be incorrect

If the code says that the xored result is likeley a sha1 hash then the xor-key part is working / the generated key from panaXorSequence is correct. It is basically impossible to get the these zero valued bytes every second character for a non matching key (just add hexPrettyPrint(resultOfXor) in the else case and you will see these zeros). If you look closely at your valueFromNvram you can see that many bytes (those that are zero after performing the xor) are equal to the output of the generatePanaXorSequence function.

But the password is "tsipub" and as a sha1 hash it calculates to 48d87741220aa2a705005a01bbbcdb1c858eae41. Any thoughts on what could be going on there?

I would have two possible explanations for this behavior:

• instead of the password in ascii they could have hashed the scancodes. I suspect this because they also stored the scancodes for the non hashed password see first post of en4rab.
• they could have added some constant extra bytes at the end of the password like a constant salt

I have to admit that I didn't really looked into this, and just replaced the section with zeros and called it a day.

I guess that trying one letter passwords, reading the hash, and then trying to brute force the hash could lead to some insight.

Best,
Benjamin

Hello folks,
what can I say? The tip from @userx14 to simply overwrite the affected bit combination with 0 worked! Apparently the supervisor password is only stored once in the chip of the FZ-G1 MK4. Interestingly, the operating hours counter was also set to 0.
By the way, flashing also worked when installed.
Thanks again for your help.

Hello. So I tried this on a Panasonic FZ-G1 MK2 and seems went further than the guy with a FZ-G1 MK4. It doesn't contain an item with guid "C811FA38-42C8-4579-A9BB-60E94EDDFB34" but the one with name "AmiTseSetupGuid" and also text "AMITSESetup".
The content read as :
5b7db609112d6c18c7bc22b37d2fd8b0334e8e26e9a244339fb9fafd55eeb0520b286641c1251c427716d2a92d3d88d0e3633ef7998af41d4fb1aa4405d8606b and after Xoring, it comes with such a result:
ee002f00970055005c00c70028002a006000e700f600db00c200f3004c006700e1001d00ca00c1000000000000000000000000000000000000000000000000
Which the 80s that should be showing up are instead coming up with 00s and other bytes doesn't seems to be either valid EFI scancodes or ASCII codes. I wonder if some kind of masking or other procedure has been applied to them ?

Hi @Randname666, your result is most likely the sha1 of the password / keyboard scancodes and maybe some additional constant. (20 bytes = "sha1 length" and every second byte is zero padding).

Hi @Randname666, your result is most likely the sha1 of the password / keyboard scancodes and maybe some additional constant. (20 bytes = "sha1 length" and every second byte is zero padding).

Well, tried hashcating that sha1 and it exhausted 8 bytes of a-z, A-Z, 0~9 combinations. Either that's not the right direction, or just unfortunate enough to come into a guy who's really serious about device security.

Well, tried hashcating that sha1 and it exhausted 8 bytes of a-z, A-Z, 0~9 combinations. Either that's not the right direction, or just unfortunate enough to come into a guy who's really serious about device security.

Most likeley they are not ascii characters but key scancodes and there could be some additional constant added to the end.

It is possible to just overwrite the xored hash with zeros and flash the modified image back. But there is the risk that if you only have a partial bios backup / the bios chip is write protected, that you can brick the device when using a software flash tool. (See some of the earlier posts)

But there is the risk that if you only have a partial bios backup / the bios chip is write protected, that you can brick the device when using a software flash tool.

So, things like AFUWINGUI won't generate a full BIOS backup sometimes? Also, I am not sure if I got the idea of "write protected" here but I attempted a BIOS upgrade with the program provided by Panasonic, as on some "consumer level" laptops upgrading, downgrading, or "upgrading" to the same version of the current BIOS could get the password wiped, but not the case here: The FZ-G1 MK2 accepted and successfully finished the BIOS update, but the password is still kept. Luckily that the schema of the password storage is not changed.

I'm in lack of the tool and the skills to do it the hardware way if something goes wrong so I'd rather let the password stay there at least at the moment.

As an alternative to erase the password, I remove the 8 pin bios chip from the board, put it in an RT809f programmer, download the chip data to a computer, over write the password with all 00 bytes, write the edited data back to the chip and put chip back on board.

…

On Sun, Sep 18, 2022 at 7:51 PM Randname666 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ But there is the risk that if you only have a partial bios backup / the bios chip is write protected, that you can brick the device when using a software flash tool. So, things like AFUWINGUI won't generate a full BIOS backup sometimes? Also, I am not sure if I got the idea of "write protected" here but I attempted a BIOS upgrade with the program provided by Panasonic, as on some "consumer level" laptops upgrading, downgrading, or "upgrading" to the same version of the current BIOS could get the password wiped, but not the case here: The FZ-G1 MK2 accepted and successfully finished the BIOS update, but the password is still kept. — Reply to this email directly, view it on GitHub <https://gist.github.com/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-4307055>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFHQZCIHW3P7SCXUVMLHT3DV662KNANCNFSM4INSYQZQ> . You are receiving this because you commented.Message ID: ***@***.***>

hi Experts,
I bought a Renew CF-53 from Amazon and it appears to have bios password locked. Contacted the seller, and so far, no answer.
Here is the link to the bios dump: https://drive.google.com/file/d/1vZ1mwTIIfs1fcMAmoxbcp3ntUjrT1zuC/view?usp=sharing
What I tried so far:

1. Tried to zero out the password and then flash it. The problem is that bios flash is locked
   Error 280: Failed to disable write protection for the BIOS space!

2. Tried the UEFI tool to get and got the hash pw.
   5B-8F-B6-EE-11-9A-6C-3A-C7-77-22-6D-7D-02-D8-74-33-59-8E-E2-E9-0F-44-C7-9F-59-FA-0C-55-71-B0-6D 0B-81-66-EB-C1-27-1C-C2-77-16-D2-A9-2D-3D-88-D0-E3-63-3E-F7-99-8A-F4-1D-4F-B1-AA-44-05-D8-60-6B
   The problem is when I Xor with the static Hex string from this post
   5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B
   I got these
   0x00, 0x1C, 0x00, 0xC8, 0x00, 0x20, 0x00, 0x77, 0x00, 0x97, 0x00, 0x19, 0x00, 0x05, 0x00, 0xEE, 0x00, 0x77, 0x00, 0x23, 0x00, 0x5B, 0x00, 0x2F, 0x00, 0x22, 0x00, 0x02, 0x00, 0xD3, 0x00, 0x58, 0x00, 0x48, 0x00, 0xB7, 0x00, 0xC8, 0x00, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   Fitlered out the 0x00, I got
   0x1C, 0xC8, 0x20, 0x77, 0x97, 0x19, 0x05, 0xEE, 0x77, 0x23, 0x5B, 0x2F, 0x22, 0x02, 0xD3, 0x58, 0x48, 0xB7, 0xC8, 0x41
   Now I have no idea what to do next.
   Some help would be greatly appreciated.

Hi @hueyvle,

to 1). I guess your best bet is to use a hardware flasher like the ch341a which can be had for around 5$-15$. If you scan through some of the previous posts you might find additional tips (e.g. how to bypass feeding 3.3V to the other ic's on the board) or simply ask if you need assistance.

to 2). Your filtered result is 20bytes long, so most likeley that's a sha1 hash.
If you paste your hex bytes into the python code in this post it would also reports this.
Unfortunatelly I do not know if there is additional salt involved in hashing or what is hashed there (keyscancodes or direct ascii characters), so brute forcing is not an option.

Best,
Benjamin

Thank you @userx14 for your inputs.

I would gladly pay $15 to have this fixed. I'm just not a hardware guy and would be very nervous to use the hw flasher.
So, my plan is

1. disable BIOS write protection (this guide https://winraid.level1techs.com/t/guide-grub-fix-intel-fpt-error-280-or-368-bios-lock-asus-other-mod-bios-flash/32725).
2. blank out the password on the bios dump
3. flash the bios with the dump.

I know it is too much to ask, but what are your thoughts on this plan. Is it doable?

Thanks!

I know it is too much to ask, but what are your thoughts on this plan. Is it doable?

Well, I would first make sure that you have a full backup of this flash chip.
This is important because there have been cases where attempting to flash the modified dump erased the hole flash chip, which meant that parts not backed up were lost (and free downloads of full dumps of these panasonic machines are hard to find online).
I'm suspicious, because your file is 0x580000 bytes long which could mean that this is not a full backup of the whole flash, but only the bios/uefi secion, but I'm not sure.
Can you try to find out if the file size matches to the flash chip size built into you machine by checking the IC marking?

I did the hardware flashing with a ch341a on a cf53 mk2 (just as a reference picture), not sure if it is the same on newer models, but the flash chip was accessible under the service hatch.

Greetings,
Benjamin

my laptop is CF53 MK4

Can you try to find out if the file size matches to the flash chip size built into you machine by checking the IC marking?

Well, I don't know how to check IC marking, but it does sound like I need pop the hatch open. I used "flash programming tool" fptw from Intel ME system tools v9.5.
fptw.exe -BIOS -D <binname>
Please let me know if you have different tool.

I disconnected the backup Battery (two pin connector opposite to the bios chip in the wifi/4G hatch) and in order to detect the chip I had to disconnect the 3.3v supply of the bios ic (pin 8) by scratching the trace coming out from underneath the chip, possibly because the programmer powered other stuff on the 3.3V line (IC is Micron 25Q128AB, see picture). After dumping the 16MB bios file with programmer software 1.30, getting the correct offset with UEFI-Tool-A51, zeroing out the 64bytes with HxD.exe and flashing back to the chip, I reconnected 3.3V with a jumper wire. All of this can be done without dissasembling the laptop through the wifi and 4g module access hatch, although it's quiet tight and I had do saw of a chunk of my bios test clip because it collided with the magnesium housing.

I really prefer not messing with wire and soldering.

Hi, could someone please help me to get my BIOS password please ?
I've found this using HxD :

26 A5 D2 82 6C 1F DB F2 F9 3B 13 80 D3 56 C3 83 F8 5B 08 6A AA 5C 48 98 38 F8 AC 5F F2 2E 1F E9

Here's the bios dump : https://transfert.free.fr/IZwnsI

Thanks !!

Hi, could someone please help me to get my BIOS password please ? I've found this using HxD : 26 A5 D2 82 6C 1F DB F2 F9 3B 13 80 D3 56 C3 83 F8 5B 08 6A AA 5C 48 98 38 F8 AC 5F F2 2E 1F E9

Here's the bios dump : https://transfert.free.fr/IZwnsI

Thanks !!

Hi @MichelBaie ,

this seems to be the correct section in the bios, but getting back the original password is probably difficult. Likely there is no xor done and these 32 bytes are directely obtained from something like a SHA-256 hash.
Overwriting with zeros should still work though, but be careful when attempting this, since there have been some problems with sections of the bios getting lost when flashing with software flashers.
This is difficult to recover from, when you do not have a full backup of bios flash chip.

Best
Benjamin

Password is hashed , i can remove it from dump , file link not valid.

Hi, don't know, what you deleted... There are no more passwords at NVRAM under AMITSESetup. at this place, there is something deleted - but don't know about correct deleted.... sorry Am Mi., 4. Jan. 2023 um 05:54 Uhr schrieb KJTR ***@***.***>:

…

***@***.**** commented on this gist. ------------------------------ Hey guys can anyone help me with my password? Im scratching me head constantly over this. Here is a copy of the bios. https://easyupload.io/hp84wa The password goes from 0x28 - 0x4F. I can't figure out how to go further. In the code listed above where was the value of UINTN ii; unsigned int key = 0x935b; derived from before starting the xor python script. Secondly if those are standards what is the derived scan code from my sequence? (Ill tip the first person via paypal friends and family for the password.) [image: image] <https://user-images.githubusercontent.com/10555280/210486910-bd161ec0-f951-4f5b-828d-32dc23a198b6.png> — Reply to this email directly, view it on GitHub <https://gist.github.com/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-4423425> or unsubscribe <https://github.com/notifications/unsubscribe-auth/APMRVWGT7ZPT52SK2WJO6ETWQT7CBBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TENBQHA3DEMFHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

I don't know why the post in this mornings notification email isn't here
But it looks like KJTR's PW is

C e l l T e c h

I don't know why the post in this mornings notification email isn't here But it looks like KJTR's PW is

C e l l T e c h

how did you find it ?

I XOR'd the string with the key and the response wasn't long enough. So not knowing the particulars of their model and since some of the eariler ones aren't hashed I looked up the response in ascii
for example
$18 XOR $5B is $43 which is "C" in ascii

I XOR'd the string with the key and the response wasn't long enough. So not knowing the particulars of their model and since some of the eariler ones aren't hashed I looked up the response in ascii for example $18 XOR $5B is $43 which is "C" in ascii

Witch string ?

I XOR'd the string with the key and the response wasn't long enough. So not knowing the particulars of their model and since some of the eariler ones aren't hashed I looked up the response in ascii for example $18 XOR $5B is $43 which is "C" in ascii

Witch string ?

@OmegaSentinell
I think he is refering to the byte sequence from the bios in the now deleted post from @KJTR.
The python code in my previous post now has this case built in (getASCIIifExist):
After xoring the result is directly the ascii characters of the password with some zero padding.

https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd?permalink_comment_id=4294901#gistcomment-4294901

This does not change anything in the case where the output of the xor is a sha1 or different hash.

Best,
Benjamin

Yes from the deleted post

Here is my version using python2

#!/usr/bin/python2
import sys
import os
import binascii

magic_ami_key = 0x935B

#INFO
info = "========================INFO======================== \n         PANASONIC PASSWORD DECRYPTOR \n           Created by OmegaSentinell \n              All Rights reserved"
print(info)

#Usage
usage = "=======================USAGE======================== \n   Open DUMP file (<filename>.BIN) in HEX EDITOR\n   Copy HEX password string from AMITSE section\n   Paste into program below \n===================================================="
print(usage)

#Version
version = "V_0.4"

##user input
password_hash = raw_input("[ Paste HEX Data ] : ").strip().replace(' ', '')
#for test - password_hash = "13138ea6243a5fcdd56018f47d07d89a332e8ec1e95444e89f7bfa0e55a2b0350bc9665cc1ef1c837716d2a92d3d88d0e3633ef7998af41d4fb1aa4405d8606b"
max_pwsd_length = len(password_hash)/4

##Get XOR Key
def make_xor_key():
	magic_ami_xor_key = ""
	for j in xrange(0,max_pwsd_length,1):
		xor_key = (hex(magic_ami_key * (j + 1)))
		xor_key = xor_key[-4:]
		for i in xrange(4,0,-2):
			magic_ami_xor_key += str(xor_key[i-2:(i-2)+2].upper())
	return magic_ami_xor_key

##Convert to integers
a = password_hash
b = make_xor_key()

##translate integers to HEX
binary_a = a.decode("hex")
binary_b = b.decode("hex")

##XORing strings
def xor_strings(xs, ys):
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(xs, ys))
xored = xor_strings(binary_a, binary_b).encode("hex")

##Cleanup string
xored_clean = xored.strip().replace('80', '').replace('00', '')

#Panasonic Dictionary
ascii_chars  =  {
          "10"  :  "z",
          "11"  :  "x",
          "12"  :  "c",
          "13"  :  "v",
          "14"  :  "b",
          "15"  :  "n",
          "16"  :  "m",
          "17"  :  ",",
          "18"  :  ".",
          "19"  :  "/",
          "1A"  :  "[RShift]",
          "1B"  :  "[UpArrow]",
          "1C"  :  "1",
          "1D"  :  "2",
          "1E"  :  "3",
          "1F"  :  "[CapsLock]",
          "20"  :  "a",
          "21"  :  "s",
          "22"  :  "d",
          "23"  :  "f",
          "24"  :  "g",
          "25"  :  "h",
          "27"  :  "k",
          "28"  :  "l",
          "29"  :  ";",
          "2A"  :  "'",
          "2B"  :  "|",
          "2C"  :  "4",
          "2D"  :  "5",
          "2E"  :  "6",
          "2F"  :  "+",
          "30"  :  "[TAB]",
          "31"  :  "q",
          "32"  :  "w",
          "33"  :  "e",
          "34"  :  "r",
          "35"  :  "t",
          "36"  :  "y",
          "37"  :  "u",
          "38"  :  "i",
          "39"  :  "o",
          "3A"  :  "p",
          "3B"  :  "[",
          "3C"  :  "]",
          "3D"  :  "\\",
          "3E"  :  "[DEL]",
          "3F"  :  "[END]",
          "40"  :  "[PgDn]",
          "41"  :  "7",
          "42"  :  "8",
          "43"  :  "9",
          "44"  :  "`",
          "45"  :  "1",
          "46"  :  "2",
          "47"  :  "3",
          "48"  :  "4",
          "49"  :  "5",
          "4A"  :  "6",
          "4B"  :  "7",
          "4C"  :  "8",
          "4D"  :  "9",
          "4E"  :  "0",
        }

##Translate output test
def panasonic_scancode_to_password(xored_clean):
	decoded_password_panasonic=""
	for i in xrange(0,len(xored_clean),2):
		try:
			decoded_password_panasonic +=str(ascii_chars[xored_clean[i:i+2].upper()])
		except:
			pass
	return str(decoded_password_panasonic)

print("\n[ HASH DATA ]\n" +password_hash +"\n")     ##show input HEX string
print("[ XOR KEY ]\n" +make_xor_key() +"\n")        ##show XOR Key
print("[ RESULT ]\n" +xored_clean.upper() +"\n")    ##show result from XORed (HEX string and XOR Key)
print("[ SCANCODE ]\n" +xored_clean.decode("hex") +"\n") ##show decrypted hex in ascii
print("[ PASSWORD ]\n" +panasonic_scancode_to_password(xored_clean)); ##show decrypted password .translate(ascii_chars)

raw_input("\n\nPress Enter to continue...")
os.system('cls')
execfile("PANASONIC_PASSWORD_DECRYPT.py")
if (raw_input() == 0) : os.system('exit')

Hi All,

I have an odd one today, clearing a password on a machine and normally the password appears twice in the BIOS, on this machine I could only find one occurrence of the password string so I set that to all zeros like I normally do reprogrammed the chip and installed it but the machine still has a password

Has anyone seen this before?

There must be another occurrence in there somewhere

Cheers

@corty8
Post the BIOS file

Send me the file or a link to it. Gesendet von meinem BlackBerry 10-Smartphone. Von: corty8Gesendet: Montag, 9. Januar 2023 07:01An: corty8Antwort an: ***@***.***: CommentBetreff: Re: en4rab/CF-U1-BIOS.mdRe: ***@***.*** commented on this gist.Hi All,I have an odd one today, clearing a password on a machine and normally the password appears twice in the BIOS, on this machine I could only find one occurrence of the password string so I set that to all zeros like I normally do reprogrammed the chip and installed it but the machine still has a passwordHas anyone seen this before?There must be another occurrence in there somewhereCheers—Reply to this email directly, view it on GitHub or unsubscribe.You are receiving this email because you commented on the thread.Triage notifications on the go with GitHub Mobile for iOS or Android.                                                            [{ ***@***.***": "http://schema.org", ***@***.***": "EmailMessage", "potentialAction": { ***@***.***": "ViewAction", "target": "https://gist.github.com/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-4430643", "url": "https://gist.github.com/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-4430643", "name": "View on GitHub" }, "description": "View on GitHub", "publisher": { ***@***.***": "Organization", "name": "GitHub", "url": "https://github.com" } }]

here is the bin file guys
https://drive.google.com/file/d/1qsXm21xMGuA9qWp6USkSlLCO4KtFFAHe/view?usp=share_link

@corty8
Yes, it's very simple... Wait a few minutes...

@corty8
https://we.tl/t-mpzuKOP0WN

@mikrovr
So that file is clear of all passwords now?

@corty8
It sure is! :)

That's great, thanks for that I will try it tomorrow

What is that utility that you used there?

@mikrovr
That file worked fine, Thanks for that
Unfortunately I have since discovered the machine has fault on the battery circuit, will not recognise a battery at all so not sure what to do with it yet
they are not always easy :)

@corty8 https://we.tl/t-mpzuKOP0WN

sorry all, i'm a bit less savvy than i'd like, but is this possible with an ASUS ROG Zephyrus G14 on version GA401IU.219?
it's either that, DavidZou's EEPROM method, Kiosk, or small claims court... xD

@ NevoidHyp
Post the BIOS file (eeprom), we can check it for you.

@corty8 https://we.tl/t-mpzuKOP0WN

Hey Mikrovr, would you be able to post this app please?

Does anyone have any experience with removing the BIOS password from a Panasonic CF-54?

Yes, wIth rt809f programmer.

…

On Wed, Feb 22, 2023 at 3:58 PM passssha ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Does anyone have any experience with removing the BIOS password from a Panasonic CF-54? — Reply to this email directly, view it on GitHub <https://gist.github.com/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-4480274> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFHQZCNXIK745CCY6YXBEA3WY2DZZBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TENBQHA3DEMFHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

any chance i could get someone to check this bin. it's for a asus GL731GT-RB73 https://drive.google.com/file/d/1Kd1euEJsgnRqcNWBNp01tKhU3GOOEsf4/view?usp=sharing

What is it you are hoping to check? This is a post for Panasonic devices - you'd be better off looking in the badcaps forum or something similar. The bios dump looks good - I can see the ME region and your Windows product key.... KRCBM-NX9Y9-29BW8-4CJ4M-.....

HI guys! I have passworded Panasonic CF-C1. Please help. I trying use your programms to get password, but nothing work. I have a full dump of my bios in .rom format. I realy need help. Also i try to use ChatGPT but he dont work correctly. - https://drive.google.com/file/d/1JwfQ7EdWbaKVny8QSkwv1Gb4DkCEp3mV/view?usp=sharing

key AMITSESetup from uefitool a51:
5B44B6C511656CD0C7A0222D7DC9D82033B58E1EE9CD440F9F08FAD45516B0C20BCB6679C1A71C3D7716D2A92D3D88D0E3633EF7998AF41D4FB1AA4405D8606B

from python tool:

the xored sequence is likely the following sha1 hash:
b'd7 e3 df 9d 40 59 ce ba 9b df 99 e7 73 da b4 f7 02 25 48 be'

This means as far as I know that it is impossible to find out your password, but you can overwrite the hash with zeros and it should be gone.
But be cautious when flashing bios images from within windows, I've seen multiple cases of bricked machined because some part of the bios could not be written from within the os and the bios backups were incomplete. More information in the previous posts.

@userx14

That it allways is risky, to flash within windows, i knew.

But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD.
Under this conditions, the OS isn't running, because it's not loaded.

But: could it be risky allso?

Hi to ALL! I Fix problem with BIOS Password on the my Panasonic CF-C1
How to :

1. I make a dump with APTIO 4
2. In the UEFITool i fund password section on the AMITSESetup in first tree. BUT! This information same writed in 2 tree. I Erase this information with writing zeros and save this modificated ROM.
3. Im flash BIOS With this custom ROM from windows with APTIO 4 - Need to put checkbox - Write All bloks, and Do not check ID. Optionaly - restart after flashing.
4. Congrats! We are removed password from the BIOS!!!!
   Thanks for all people who help to me here! I think this instruction will help for some people!

@userx14

That it allways is risky, to flash within windows, i knew.

But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD. Under this conditions, the OS isn't running, because it's not loaded.

But: could it be risky allso?

СF-C1 dont have a DVD or CD. Only USB and in my case, he is not see any external DVD. Also, nevermind. I can't load DVD from BIOS trow f12 because in this case he load LAN system boot in default mode.

@userx14
That it allways is risky, to flash within windows, i knew.
But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD. Under this conditions, the OS isn't running, because it's not loaded.
But: could it be risky allso?

СF-C1 dont have a DVD or CD. Only USB and in my case, he is not see any external DVD. Also, nevermind. I can't load DVD from BIOS trow f12 because in this case he load LAN system boot in default mode.

Get yourself a CH134a with a test eeprom clip and flash it the correct way, it's very cheap, straightforward and you can easily experiment more in the future. Make sure it has the 5v-3.3v mod applied though as the vcc line is tied directly to the 5v usb port power which is bad news for a bios chip!

I did that via USB too. Used Ventoy 1.0.14 for the USB Stick. Put my ISO's on it. WIN 10 PE SE etc. A second USB Stick, (HP) i formatted with the HP UDB Format Tool to NTFS. I installed Windows AMI Flash Tool and Run it. Btw: same i did with a Apple Software, which i installed on the second Usb Stick und Run it together with WIN 10 PE SE. Because i have no WIN 10 PC. Regards Warren ***@***.***> schrieb am Fr., 30. Juni 2023, 10:26:

…

***@***.**** commented on this gist. ------------------------------ @userx14 <https://github.com/userx14> That it allways is risky, to flash within windows, i knew. But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD. Under this conditions, the OS isn't running, because it's not loaded. But: could it be risky allso? СF-C1 dont have a DVD or CD. Only USB and in my case, he is not see any external DVD. Also, nevermind. I can't load DVD from BIOS trow f12 because in this case he load LAN system boot in default mode. Get yourself a CH134a with a test eeprom clip and flash it the correct way, it's very cheap, straightforward and you can easily experiment more in the future. Make sure it has the 5v-3.3v mod applied though as the vcc line is tied directly to the 5v usb port power which is bad news for a bios chip! — Reply to this email directly, view it on GitHub <https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-4615032> or unsubscribe <https://github.com/notifications/unsubscribe-auth/APMRVWBEU3747F5PD6H5HU3XN2ESJBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TENBQHA3DEMFHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

Hi all,
i have Panasonic fz-g1 mk4 pad, where is bios password. I have bios dump file, but not sure how to get cracked that password from it.

Is here anybody who can help me
Regards

Привет всем, у меня есть панель Panasonic fz-g1 mk4, где находится пароль биоса. У меня есть файл дампа биоса, но я не знаю, как взломать этот пароль.

Здесь есть кто-нибудь, кто может мне помочь С уважением

Hi!. I think i can help. Share your dump here.

i cannot add rar, or file here :(
Can u give ur email, or something where i can send it

Regards

i cannot add rar, or file here :( Can u give ur email, or something where i can send it

Regards

Just write to me in the Telegram

Hallo,

my Englisch is Bad, but i try it.
I have one CF-52 with Password, i understand i can delete it, but i want know what word is was.
Can you say my PW? ( i understand that the PW from Toughbook works,... WTF scancodes how does this map to keys)
Thank you

0F 93 FE 26 45 BA 2A 4D 97 E0 61 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 01

@Jeeg1975
You can try the python code in this comment and paste your code (leave out the last 01 in your highlighted selection, it is not part of the password) from your screenshots into the variable
yourValueFromNvRam. If it is hashed, you will not be able to find out the original password.

ok thank you,

Looks like the PW for
0F 93 FE 26 45 BA 2A 4D 97 E0 61 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 01
is
THTFPC

You are doing it wrong - I found the actual hash and can crack it using brute force - let me know if anyone needs help. I spent an entire year digging into Toughbook BIOS Rom's using UEFIEdit NE and this may sound arrogant, but I am the only one that can get the actual password for the machine. You can see my eBay feedback here https://www.ebay.com/fdbk/feedback_profile/ingbtc and my site here https://www.toughbookbios.com/

I have worked with every major toughbook vendor.

For mine the super user password comes first and then the 00s. Is this hashed? The python tool isn't providing the right password.

5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC 33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74 0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7 E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05 5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC 33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74 0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7 E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

@AutonomousCat
did you use yourValueFromNvRam = "5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC 33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74 0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7 E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05" ?
Strangely it repeats twice, this could mean that both bios passwords are the same.
I'm not sure about the result though, it is 32 bytes long with zero bytes padding in between. Maybe SHA256?

@userx14 I'm using this. https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd?permalink_comment_id=4423922#gistcomment-4423922

It's probably hashed. Anything I can do with the public keys listed on the Security tab in UEFITool NE alpha 67?

Try
sempra123

:)

Try sempra123

Is this a joke? @cbbeerman

Im sorry it was not a joke I didn't clear out old data

Here is the hash sorry again

B30FE846B6022376C47C54DB3AC7CE417D91122208945337A0D1CA634B9E086E

Hello everyone
I have a CF-D1N
first I can't find C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)

but I found this when search for C811FA38-42C8-4579-A9BB-60E94EDDFB34

(There is 2 of them (header-offset 50h))

The XOR process it's not look very promising, it's seems to be hashed !

The question is
Am I get the right address, could I zeros those section ?

here is the rom : https://drive.google.com/file/d/1p0fY14pDjYojEwhp4RMKXiDYh15-0B1P/view?usp=sharing

The AMITSESetup entry is about 13 lines up from the one you highlighted and by the looks of it its a sha1 hash, it also looks like there are 2 copies of the NVRAM data so you might have to null out both entrys

I tried to follow the guide but I am a little stuck, is someone able to tell me my password for my bios I have a Panasonic CF-SZ6.
I could dump it fine with the afu tool, but after that I am a little stuck on how to continue.

From what I can figure out this is what I can find:
5B 63 B6 A9 11 AB 6C 05 C7 F1 22 28 7D F5 D8 31 33 5B 8E A6 E9 21 44 80 9F BA FA 2F 55 9A B0 46 0B 55 66 0F C1 63 1C 6A 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

This is the rom file i got from saving it with the afu tool:
https://drive.google.com/file/d/1err9pzUP7TDOGerwaWIYuhO-c6VSY4WE/view?usp=sharing

Thank you so much in advanced for anyone who can help me!

The code you found looks like the correct sequence, 606B on the end is typical for the xored result. Pasting this into my python script returns that this is likely an sha1 hash. So the only publicly known method is to overwrite it with zeros (check out some of the previous comments and make sure to have a full backup of all bios regions).

The code you found looks like the correct sequence, 606B on the end is typical for the xored result. Pasting this into my python script returns that this is likely an sha1 hash. So the only publicly known method is to overwrite it with zeros (check out some of the previous comments and make sure to have a full backup of all bios regions).

Thank you for the answer! :)

This method works on DUO cores, but anything i3 and above it is encoded. I spent a year trying to find the hash and then finding the algo associated with the hash. I can break any password (80-90% of the time, depending on how long the password is). Here is the full process to find the password for any duo core machine.

Open ROM dump in UEFITool_NE

Press Ctrl-F and select Text tab. Uncheck Unicode and type AMITSESetup.

Press OK.
Look at strings with ending: at header-offset 0Bh
Double-click on first one

.

Please note that the found entry inside StdDefaults node. So it’s useless. Double-click on next one

Note that it’s only Link to NVAR entry. Right-click on AMITSESetup and choose Go to data

Right-click on AMITSESetup and choose Body hex view

It’s empty again. So go to third one.

It’s inside StdDefaults node again. So go to 4 th .

Again - Go to data

Again Body hex view

Select data for admin hash

Copy by Ctrl+C and past into text editor
5B9FB60411F46C1AC78422857D14D816
33208E50E9E344D69F8CFA1A557AB0BB
0B44661DC1C21CB57716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B

Select twenty even bytes (in hex)
5B9FB60411F46C1AC78422857D14D816
33208E50E9E344D69F8CFA1A557AB0BB
0B44661DC1C21CB57716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B

Write down in line
9F04F41A848514162050E3D68C1A7ABB441DC2B5

It’s SHA1 hash from the password in Unicode format.

The password for this hash – abc
abc in Unicode format (in hex) - 61 00 62 00 63 00

Use https://www.fileformat.info/tool/hash.htm to calculate hash (Binary hash).

SHA-1 9f04f41a848514162050e3d68c1a7abb441dc2b5

Done.

https://toughbookbios.com/ (i3 processor or higher contact me to get the password, CF-31, CF-53, CF-54 - any model I can crack the password)

This method works on DUO cores, but anything i3 and above it is encoded. I spent a year trying to find the hash and then finding the algo associated with the hash. I can break any password (80-90% of the time, depending on how long the password is). Here is the full process to find the password for any duo core machine.

Open ROM dump in UEFITool_NE

Press Ctrl-F and select Text tab. Uncheck Unicode and type AMITSESetup.

Press OK. Look at strings with ending: at header-offset 0Bh Double-click on first one

.

Please note that the found entry inside StdDefaults node. So it’s useless. Double-click on next one

Note that it’s only Link to NVAR entry. Right-click on AMITSESetup and choose Go to data

Right-click on AMITSESetup and choose Body hex view

It’s empty again. So go to third one.

It’s inside StdDefaults node again. So go to 4 th .

Again - Go to data

Again Body hex view

Select data for admin hash

Copy by Ctrl+C and past into text editor 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B

Select twenty even bytes (in hex) 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B

Write down in line 9F04F41A848514162050E3D68C1A7ABB441DC2B5

It’s SHA1 hash from the password in Unicode format.

The password for this hash – abc abc in Unicode format (in hex) - 61 00 62 00 63 00

Use https://www.fileformat.info/tool/hash.htm to calculate hash (Binary hash).

SHA-1 9f04f41a848514162050e3d68c1a7abb441dc2b5

Done.

https://toughbookbios.com/ (i3 processor or higher contact me to get the password, CF-31, CF-53, CF-54 - any model I can crack the password)

I have messaged you twice now via your website, no reply on either occasion

This method works on DUO cores, but anything i3 and above it is encoded. I spent a year trying to find the hash and then finding the algo associated with the hash. I can break any password (80-90% of the time, depending on how long the password is). Here is the full process to find the password for any duo core machine.
Open ROM dump in UEFITool_NE
Press Ctrl-F and select Text tab. Uncheck Unicode and type AMITSESetup.
Press OK. Look at strings with ending: at header-offset 0Bh Double-click on first one
.
Please note that the found entry inside StdDefaults node. So it’s useless. Double-click on next one
Note that it’s only Link to NVAR entry. Right-click on AMITSESetup and choose Go to data
Right-click on AMITSESetup and choose Body hex view
It’s empty again. So go to third one.
It’s inside StdDefaults node again. So go to 4 th .
Again - Go to data
Again Body hex view
Select data for admin hash
Copy by Ctrl+C and past into text editor 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B
Select twenty even bytes (in hex) 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B
Write down in line 9F04F41A848514162050E3D68C1A7ABB441DC2B5
It’s SHA1 hash from the password in Unicode format.
The password for this hash – abc abc in Unicode format (in hex) - 61 00 62 00 63 00
Use https://www.fileformat.info/tool/hash.htm to calculate hash (Binary hash).
SHA-1 9f04f41a848514162050e3d68c1a7abb441dc2b5
Done.
https://toughbookbios.com/ (i3 processor or higher contact me to get the password, CF-31, CF-53, CF-54 - any model I can crack the password)

I have messaged you twice now via your website, no reply on either occasion

I tested every form and email on the website, and everything came through. Contact me directly ns@ingbtc.com - Also please send me the link of where you are contacting me from so I can fix it ASAP

HI, gentlemen.
I have a FW-7551W(v2.0) uCPE motherboard which is a computer motherboard, manufactured by Lanner.

This bios has a hardware watchdog. if not cancel it in bios, it will reset after several minutes. That is the reason why I want to modify bios settings.
(It just ask for password when press F2/ESC/DEL into setup utility and it doesn't ask for boot and successfully boot in WinPE via Ventory. )

I encounter the same problem with recover(or rest) the AMI bios password of the administrator. However, I am not lucky enough when searching plain or hashed text within each "AMITSESetup" entry. In this entry, its data are ALL zero. And it also doesn't contain any entry named as a GUID serial number with "AMITSESetup".

The headshots of FW-7551W:


The screenshot of GPU-Z about bios:

In addition, @SoftwareGuy said:
I see something that's slightly interesting but I can't confirm what it is. Might be a password hash or something... I'd probably see if you could drop a message on that Gist if you have a GitHub account (if not, I could probably do it for you) with a link to the BIOS. I'm sure someone would have a clue.

unfortunately, I change the highlight bytes to zero bytes and reflash it into SPI-RROM by progammer. It still need a password for setup utility.

So I just want to know there is any pattern with an entry stored password? How can I search the sector which stores password of admin in UEFITools.

P.S. I have uploaded a SPI-ROM dump file.
github.com/zhou-xuelin/FW-7551/blob/main/FW-7551W_v2.0.bin

Hello all,

Sadly, as @fastar1981 and @maxtheobald I have a motherboard where the password is neither an XOR with the multiples of 5B93 nor a SHA1 value that I could erase.

It's an Advantech motherboard of some networking device.

All AMITSESetup that are not in "AmiStandardDefaultsVariable" have the subtype "Full" and are only filled with zeroes:

Also, There is an occurrence of AMITSESetup in a "compressed section" but without any interesting data:

This is the device in question: https://forum.openwrt.org/t/nuage-networks-7850-nsg-e200-hardware-discovery/144525/5

Does anyone has any success recovering such password or erasing it? (I don't care of the password if I can erase it).

Many thanks to the community for all the work already shared!

Regards,
Kevin.

@kevinhulster
Post original BIOS file.

Here it is:

NSG-E202.rom

@kevinhulster I still haven't gotten it. I hope someone can help us
Thanks to all

How did you dump it? It doesn't look complete. File size should be 8MB/16MB/32MB. Yours is just 6MB.

…

On 12/01/2024 00:02, kevinhulster wrote: ***@***.**** commented on this gist. ------------------------------------------------------------------------ Here it is: NSG-E202.rom

@r-plabs I dump it through AMI afulnx tool.

AMITSESetup Decryptor & Unlocker
link: https://alien.raaz.info.np/server/unlock/AMITSESetup/

Hello all,

Can anyone help me to erase the bios password ? I have attached the extracted file .

Thanks!

Try thua5P or thua5P|

Hello all,

Can anyone help me to erase the bios password ? I have attached the extracted file .

Thanks!

try now https://alien.raaz.info.np/server/unlock/AMITSESetup/

Hello all,
Can anyone help me to erase the bios password ? I have attached the extracted file .
Thanks!

try now https://alien.raaz.info.np/server/unlock/AMITSESetup/

I tried, it doesn't work.

@mayk469

mikrovr

Thanks @mikrovr ! I've tried all the variations with and without the uppercase, but it doesn't work.

@mayk469
What is your country of origin, what is the standard keyboard you are using to enter the password?

I used two different US keyboard layout (ANSI and ISO).

did thua5P or thua5P| not work?

Hello all,
Can anyone help me to erase the bios password ? I have attached the extracted file .
Thanks!

try now https://alien.raaz.info.np/server/unlock/AMITSESetup/

I tried, it doesn't work.

Your file can not decrypt so, use unlock option and simply flash the bios

did thua5P or thua5P| not work?

Thank you very much! It worked with thua5P. I didn't understand the first time that this is the password .

You guys are the best!

@en4rab
Your answer was right!

AMI BIOS Password Recovery Tool v1.2 (Reset or/and recover lost passwords)
Copyright (C) 2016-2018 Paulo Coelho aka Mikrovr mikrovr@gmail.com

Password Recovery

Admin: thua5P

Note: Passwords are case-sensitive, upper and lower case.
Done!
Press any key to exit

// I had to make a small adjustment to the body of the hash.
max( 0, ( ( x - 1 ) | ( m - 1 ) ) + 1 - m )

@en4rab Your answer was right!

AMI BIOS Password Recovery Tool v1.2 (Reset or/and recover lost passwords) Copyright (C) 2016-2018 Paulo Coelho aka Mikrovr mikrovr@gmail.com

Password Recovery

Admin: thua5P

Note: Passwords are case-sensitive, upper and lower case. Done! Press any key to exit

// I had to make a small adjustment to the body of the hash. max( 0, ( ( x - 1 ) | ( m - 1 ) ) + 1 - m )

Hey @mikrovr, is AMI BIOS Password Recovery Tool v1.2 available to use somewhere? I have some Panasonic bios dumps that are locked (I have unlocked them but kept the locked copy too) and I would like to know if I am able to recover the password from them.

Anyone had luck unlocking a [Panasonic Let''s note RZ6? AMITSESetup is only of 0 , not a single character, but the password still is required.

Trying to get the .bin dump via AFUWINGUI, but I get "32 - error: problem opening file to write". Any ideas?

Hello, can someone help me decipher the password? I am unable to flash the BIOS and am receiving the error message "43 - error: problem erasing flash". I've successfully unlocked the BIOS by flashing it on a few other CF-53 devices, but this particular one is giving me the error. Can anyone assist me with this issue?

its a panasonic cf-53J

I have included the link to the ROM file.

https://mega.nz/file/MCcV2CLb#_5Dl0p41pw2--RwTDNiMzgWGkL_NDncVbMZAmJtjUsE