Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

CF-U1-BIOS.md

Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

A mess of my own making

While messing with a CF-U1 handheld PC that I bought off ebay I managed to mess up the BIOS and it seems it reverted to previous settings which included an unknown BIOS password, it would however still boot into windows. Since I could still boot windows I was able to dump the bios flash using AFUWINGUI.EXE the version I used was 3.09.03.1462 which is available here:
https://www.ami.com/support-other/ Click on Aptio 4 AMI Firmware Update Utility

There may be a more appropriate version to use as this seemed to have trouble checking the bios version when flashing but did work if you selected "Do Not Check ROM ID" but flashing isnt needed to get the password.

Dumping the flash

Run AFUWINGUI.EXE and at the bottom of the "Information" tab click the save button to make a backup of your bios, the default name is afuwin.rom Now open this saved image with UEFITool_NE available here:
https://github.com/LongSoft/UEFITool/releases

I used UEFITool_NE_A51_win32.zip later versions should work fine. The new engine (NE) verson seems to deal with AMI's odd nvram format better.

Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data there will be others with subtype Link which are older no longer valid entrys because of the odd way AMI nvram works, if you find one of these right click on it and select "Go to data" and it will take you to the actual data entry.
Now right click and select "Body hex view" and you should see something like:

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A  {.”¦.:)ÍÒ`.ô\‡í.
0050  07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35  .®®AÜÔ.h«ûú.U¢°5
0060  0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0  .Éf\Áï.ƒw.Ò©-=ˆÐ
0070  E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B  ãc>÷™Šô.O±ªD.Ø`k
0080  01

In this the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password and 0x80 is the quiet boot flag.

1337 encryption

The password is obfuscated using super secure xor

VOID PasswordEncode( CHAR16 *Password, UINTN MaxSize)
{
    UINTN	ii;
    unsigned int key = 0x935b;

#if SETUP_PASSWORD_NON_CASE_SENSITIVE
    for ( ii = 0; ii < MaxSize; ii++ )
        Password[ii] = ((Password[ii]>=L'a')&&(Password[ii]<=L'z'))?(Password[ii]+L'A'-L'a'):Password[ii];
#endif

    // Encode the password..
    for ( ii = 1; ii <= MaxSize/2; ii++ )
        Password[ii-1] = (CHAR16)(Password[ii-1] ^ (key*ii));
}

So Xoring the above encoded password:

7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A 07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

with

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

gives

20 80 22 80 16 80 45 80 15 80 38 80 21 80 35 80 34 80 20 80 35 80 4e 80 34 80 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Each character of the password is stored as 2 bytes, and as x86 is wrong endian im guessing should be read as 0x8020 0x8022 I have no idea where the 0x80 comes from possibly its something to do with the EFI_SHIFT_STATE_VALID in this case the password was lower case, possibly uppercase status is encoded in this byte too I have no idea I havent tested uppercase passwords.

WTF scancodes how does this map to keys

From the unobfuscated data you can see the password is 13 characters long, im going to ignore the 0x80 bytes as i dont understand them :P and just look at the others:
20 22 16 45 15 38 21 35 34 20 35 4e 34
They appear to be some sort of scancodes, although while googleing this I found some AMI bioses seem to use ascii here so you can read it out directly as text, but not on this machine.
When this CF-U1 arrived from ebay it had a password which i sucessfully guessed as "toughbook" my second guess would have been "panasonic" since using text written on the front of the PC as a password saves writing it under the battery cover :P
Looking through the older link entrys for the AMITSESetup nvram I found what I thought was the data for this password which deobfuscating as above gave (ignoring the 0x80):

35 39 37 24 25 14 39 39 27
t  o  u  g  h  b  o  o  k

This seemed promising repeated characters have the same value and gives a bit of a key to the mapping Some googeling later about UEFI scancodes and i found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum so in the toughbook example 35 translates to EfiKeyD5 a second page I found gave the mapping from EfiKey to ascii:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

So i made up a list of byte to ascii using these, below are just 0x10 to 0x4E to cover most values but not be too stupidly long.

Hex	Char	EFIkey	Hex	Char	EFIkey
10	z	EfiKeyB1	30	Tab	EfiKeyTab
11	x	EfiKeyB2	31	q	EfiKeyD1
12	c	EfiKeyB3	32	w	EfiKeyD2
13	v	EfiKeyB4	33	e	EfiKeyD3
14	b	EfiKeyB5	34	r	EfiKeyD4
15	n	EfiKeyB6	35	t	EfiKeyD5
16	m	EfiKeyB7	36	y	EfiKeyD6
17	,	EfiKeyB8	37	u	EfiKeyD7
18	.	EfiKeyB9	38	i	EfiKeyD8
19	/	EfiKeyB10	39	o	EfiKeyD9
1A		EfiKeyRShift	3A	p	EfiKeyD10
1B		EfiKeyUpArrow	3B	[	EfiKeyD11
1C	1	EfiKeyOne	3C	]	EfiKeyD12
1D	2	EfiKeyTwo	3D	\	EfiKeyD13
1E	3	EfiKeyThree	3E		EfiKeyDel
1F		EfiKeyCapsLock	3F		EfiKeyEnd
20	a	EfiKeyC1	40		EfiKeyPgDn
21	s	EfiKeyC2	41	7	EfiKeySeven
22	d	EfiKeyC3	42	8	EfiKeyEight
23	f	EfiKeyC4	43	9	EfiKeyNine
24	g	EfiKeyC5	44	`	EfiKeyE0
25	h	EfiKeyC6	45	1	EfiKeyE1
26	j	EfiKeyC7	46	2	EfiKeyE2
27	k	EfiKeyC8	47	3	EfiKeyE3
28	l	EfiKeyC9	48	4	EfiKeyE4
29	;	EfiKeyC10	49	5	EfiKeyE5
2A	'	EfiKeyC11	4A	6	EfiKeyE6
2B	|	EfiKeyC12	4B	7	EfiKeyE7
2C	4	EfiKeyFour	4C	8	EfiKeyE8
2D	5	EfiKeyFive	4D	9	EfiKeyE9
2E	6	EfiKeySix	4E	0	EfiKeyE10
2F	+	EfiKeyPlus

So what was the password?

Using the above list and the recovered scancodes gave:

20 22 16 45 15 38 21 35 34 20 35 4e 34
a  d  m  1  n  i  s  t  r  a  t  0  r

and when i tried adm1nistrat0r it worked!
This is not complete as there are still questions about the 0x80 bytes but my guess is they encode the shift alt etc modifier keys but im back into my handheld so i'm not sure ill look further into it. This may also apply to other Aptio bioses as well as the Panasonic CF-U1, and if the machine isnt bootable you may be able to use a cheap spi adapter to dump the bios, in the case of the CF-U1 it uses an LPC flash which I don't think you can get cheap clips and readers for and its buried in the machine so a nuisance to get to.

here is the bin file guys
https://drive.google.com/file/d/1qsXm21xMGuA9qWp6USkSlLCO4KtFFAHe/view?usp=share_link

@corty8
Yes, it's very simple... Wait a few minutes...

@corty8
https://we.tl/t-mpzuKOP0WN

@mikrovr
So that file is clear of all passwords now?

@corty8
It sure is! :)

That's great, thanks for that I will try it tomorrow

What is that utility that you used there?

@mikrovr
That file worked fine, Thanks for that
Unfortunately I have since discovered the machine has fault on the battery circuit, will not recognise a battery at all so not sure what to do with it yet
they are not always easy :)

@corty8 https://we.tl/t-mpzuKOP0WN

sorry all, i'm a bit less savvy than i'd like, but is this possible with an ASUS ROG Zephyrus G14 on version GA401IU.219?
it's either that, DavidZou's EEPROM method, Kiosk, or small claims court... xD

@ NevoidHyp
Post the BIOS file (eeprom), we can check it for you.

@corty8 https://we.tl/t-mpzuKOP0WN

Hey Mikrovr, would you be able to post this app please?

Does anyone have any experience with removing the BIOS password from a Panasonic CF-54?

Yes, wIth rt809f programmer.

…

On Wed, Feb 22, 2023 at 3:58 PM passssha ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Does anyone have any experience with removing the BIOS password from a Panasonic CF-54? — Reply to this email directly, view it on GitHub <https://gist.github.com/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-4480274> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFHQZCNXIK745CCY6YXBEA3WY2DZZBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TENBQHA3DEMFHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

any chance i could get someone to check this bin. it's for a asus GL731GT-RB73 https://drive.google.com/file/d/1Kd1euEJsgnRqcNWBNp01tKhU3GOOEsf4/view?usp=sharing

What is it you are hoping to check? This is a post for Panasonic devices - you'd be better off looking in the badcaps forum or something similar. The bios dump looks good - I can see the ME region and your Windows product key.... KRCBM-NX9Y9-29BW8-4CJ4M-.....

HI guys! I have passworded Panasonic CF-C1. Please help. I trying use your programms to get password, but nothing work. I have a full dump of my bios in .rom format. I realy need help. Also i try to use ChatGPT but he dont work correctly. - https://drive.google.com/file/d/1JwfQ7EdWbaKVny8QSkwv1Gb4DkCEp3mV/view?usp=sharing

key AMITSESetup from uefitool a51:
5B44B6C511656CD0C7A0222D7DC9D82033B58E1EE9CD440F9F08FAD45516B0C20BCB6679C1A71C3D7716D2A92D3D88D0E3633EF7998AF41D4FB1AA4405D8606B

from python tool:

the xored sequence is likely the following sha1 hash:
b'd7 e3 df 9d 40 59 ce ba 9b df 99 e7 73 da b4 f7 02 25 48 be'

This means as far as I know that it is impossible to find out your password, but you can overwrite the hash with zeros and it should be gone.
But be cautious when flashing bios images from within windows, I've seen multiple cases of bricked machined because some part of the bios could not be written from within the os and the bios backups were incomplete. More information in the previous posts.

@userx14

That it allways is risky, to flash within windows, i knew.

But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD.
Under this conditions, the OS isn't running, because it's not loaded.

But: could it be risky allso?

Hi to ALL! I Fix problem with BIOS Password on the my Panasonic CF-C1
How to :

1. I make a dump with APTIO 4
2. In the UEFITool i fund password section on the AMITSESetup in first tree. BUT! This information same writed in 2 tree. I Erase this information with writing zeros and save this modificated ROM.
3. Im flash BIOS With this custom ROM from windows with APTIO 4 - Need to put checkbox - Write All bloks, and Do not check ID. Optionaly - restart after flashing.
4. Congrats! We are removed password from the BIOS!!!!
   Thanks for all people who help to me here! I think this instruction will help for some people!

@userx14

That it allways is risky, to flash within windows, i knew.

But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD. Under this conditions, the OS isn't running, because it's not loaded.

But: could it be risky allso?

СF-C1 dont have a DVD or CD. Only USB and in my case, he is not see any external DVD. Also, nevermind. I can't load DVD from BIOS trow f12 because in this case he load LAN system boot in default mode.

@userx14
That it allways is risky, to flash within windows, i knew.
But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD. Under this conditions, the OS isn't running, because it's not loaded.
But: could it be risky allso?

СF-C1 dont have a DVD or CD. Only USB and in my case, he is not see any external DVD. Also, nevermind. I can't load DVD from BIOS trow f12 because in this case he load LAN system boot in default mode.

Get yourself a CH134a with a test eeprom clip and flash it the correct way, it's very cheap, straightforward and you can easily experiment more in the future. Make sure it has the 5v-3.3v mod applied though as the vcc line is tied directly to the 5v usb port power which is bad news for a bios chip!

I did that via USB too. Used Ventoy 1.0.14 for the USB Stick. Put my ISO's on it. WIN 10 PE SE etc. A second USB Stick, (HP) i formatted with the HP UDB Format Tool to NTFS. I installed Windows AMI Flash Tool and Run it. Btw: same i did with a Apple Software, which i installed on the second Usb Stick und Run it together with WIN 10 PE SE. Because i have no WIN 10 PC. Regards Warren ***@***.***> schrieb am Fr., 30. Juni 2023, 10:26:

…

***@***.**** commented on this gist. ------------------------------ @userx14 <https://github.com/userx14> That it allways is risky, to flash within windows, i knew. But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD. Under this conditions, the OS isn't running, because it's not loaded. But: could it be risky allso? СF-C1 dont have a DVD or CD. Only USB and in my case, he is not see any external DVD. Also, nevermind. I can't load DVD from BIOS trow f12 because in this case he load LAN system boot in default mode. Get yourself a CH134a with a test eeprom clip and flash it the correct way, it's very cheap, straightforward and you can easily experiment more in the future. Make sure it has the 5v-3.3v mod applied though as the vcc line is tied directly to the 5v usb port power which is bad news for a bios chip! — Reply to this email directly, view it on GitHub <https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd#gistcomment-4615032> or unsubscribe <https://github.com/notifications/unsubscribe-auth/APMRVWBEU3747F5PD6H5HU3XN2ESJBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TENBQHA3DEMFHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

Hi all,
i have Panasonic fz-g1 mk4 pad, where is bios password. I have bios dump file, but not sure how to get cracked that password from it.

Is here anybody who can help me
Regards

Привет всем, у меня есть панель Panasonic fz-g1 mk4, где находится пароль биоса. У меня есть файл дампа биоса, но я не знаю, как взломать этот пароль.

Здесь есть кто-нибудь, кто может мне помочь С уважением

Hi!. I think i can help. Share your dump here.

i cannot add rar, or file here :(
Can u give ur email, or something where i can send it

Regards

i cannot add rar, or file here :( Can u give ur email, or something where i can send it

Regards

Just write to me in the Telegram

Hallo,

my Englisch is Bad, but i try it.
I have one CF-52 with Password, i understand i can delete it, but i want know what word is was.
Can you say my PW? ( i understand that the PW from Toughbook works,... WTF scancodes how does this map to keys)
Thank you

0F 93 FE 26 45 BA 2A 4D 97 E0 61 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 01

@Jeeg1975
You can try the python code in this comment and paste your code (leave out the last 01 in your highlighted selection, it is not part of the password) from your screenshots into the variable
yourValueFromNvRam. If it is hashed, you will not be able to find out the original password.

ok thank you,

Looks like the PW for
0F 93 FE 26 45 BA 2A 4D 97 E0 61 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 01
is
THTFPC

You are doing it wrong - I found the actual hash and can crack it using brute force - let me know if anyone needs help. I spent an entire year digging into Toughbook BIOS Rom's using UEFIEdit NE and this may sound arrogant, but I am the only one that can get the actual password for the machine. You can see my eBay feedback here https://www.ebay.com/fdbk/feedback_profile/ingbtc and my site here https://www.toughbookbios.com/

I have worked with every major toughbook vendor.