Skip to content

Instantly share code, notes, and snippets.

@en4rab
Last active January 2, 2025 17:55
Show Gist options
  • Save en4rab/550880c099b5194fbbf3039e3c8ab6fd to your computer and use it in GitHub Desktop.
Save en4rab/550880c099b5194fbbf3039e3c8ab6fd to your computer and use it in GitHub Desktop.
Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

A mess of my own making

While messing with a CF-U1 handheld PC that I bought off ebay I managed to mess up the BIOS and it seems it reverted to previous settings which included an unknown BIOS password, it would however still boot into windows. Since I could still boot windows I was able to dump the bios flash using AFUWINGUI.EXE the version I used was 3.09.03.1462 which is available here:
https://www.ami.com/support-other/ Click on Aptio 4 AMI Firmware Update Utility

There may be a more appropriate version to use as this seemed to have trouble checking the bios version when flashing but did work if you selected "Do Not Check ROM ID" but flashing isnt needed to get the password.

Dumping the flash

alt text
Run AFUWINGUI.EXE and at the bottom of the "Information" tab click the save button to make a backup of your bios, the default name is afuwin.rom Now open this saved image with UEFITool_NE available here:
https://github.com/LongSoft/UEFITool/releases

I used UEFITool_NE_A51_win32.zip later versions should work fine. The new engine (NE) verson seems to deal with AMI's odd nvram format better.

alt text

Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data there will be others with subtype Link which are older no longer valid entrys because of the odd way AMI nvram works, if you find one of these right click on it and select "Go to data" and it will take you to the actual data entry.
Now right click and select "Body hex view" and you should see something like:

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A  {.”¦.:)ÍÒ`.ô\‡í.
0050  07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35  .®®AÜÔ.h«ûú.U¢°5
0060  0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0  .Éf\Áï.ƒw.Ò©-=ˆÐ
0070  E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B  ãc>÷™Šô.O±ªD.Ø`k
0080  01

In this the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password and 0x80 is the quiet boot flag.

1337 encryption

The password is obfuscated using super secure xor

VOID PasswordEncode( CHAR16 *Password, UINTN MaxSize)
{
    UINTN	ii;
    unsigned int key = 0x935b;

#if SETUP_PASSWORD_NON_CASE_SENSITIVE
    for ( ii = 0; ii < MaxSize; ii++ )
        Password[ii] = ((Password[ii]>=L'a')&&(Password[ii]<=L'z'))?(Password[ii]+L'A'-L'a'):Password[ii];
#endif

    // Encode the password..
    for ( ii = 1; ii <= MaxSize/2; ii++ )
        Password[ii-1] = (CHAR16)(Password[ii-1] ^ (key*ii));
}

So Xoring the above encoded password:

7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A 07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

with

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

gives

20 80 22 80 16 80 45 80 15 80 38 80 21 80 35 80 34 80 20 80 35 80 4e 80 34 80 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Each character of the password is stored as 2 bytes, and as x86 is wrong endian im guessing should be read as 0x8020 0x8022 I have no idea where the 0x80 comes from possibly its something to do with the EFI_SHIFT_STATE_VALID in this case the password was lower case, possibly uppercase status is encoded in this byte too I have no idea I havent tested uppercase passwords.

WTF scancodes how does this map to keys

From the unobfuscated data you can see the password is 13 characters long, im going to ignore the 0x80 bytes as i dont understand them :P and just look at the others:
20 22 16 45 15 38 21 35 34 20 35 4e 34
They appear to be some sort of scancodes, although while googleing this I found some AMI bioses seem to use ascii here so you can read it out directly as text, but not on this machine.
When this CF-U1 arrived from ebay it had a password which i sucessfully guessed as "toughbook" my second guess would have been "panasonic" since using text written on the front of the PC as a password saves writing it under the battery cover :P
Looking through the older link entrys for the AMITSESetup nvram I found what I thought was the data for this password which deobfuscating as above gave (ignoring the 0x80):

35 39 37 24 25 14 39 39 27
t  o  u  g  h  b  o  o  k

This seemed promising repeated characters have the same value and gives a bit of a key to the mapping Some googeling later about UEFI scancodes and i found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum so in the toughbook example 35 translates to EfiKeyD5 a second page I found gave the mapping from EfiKey to ascii:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

So i made up a list of byte to ascii using these, below are just 0x10 to 0x4E to cover most values but not be too stupidly long.

Hex Char EFIkey Hex Char EFIkey
10 z EfiKeyB1 30 Tab EfiKeyTab
11 x EfiKeyB2 31 q EfiKeyD1
12 c EfiKeyB3 32 w EfiKeyD2
13 v EfiKeyB4 33 e EfiKeyD3
14 b EfiKeyB5 34 r EfiKeyD4
15 n EfiKeyB6 35 t EfiKeyD5
16 m EfiKeyB7 36 y EfiKeyD6
17 , EfiKeyB8 37 u EfiKeyD7
18 . EfiKeyB9 38 i EfiKeyD8
19 / EfiKeyB10 39 o EfiKeyD9
1A EfiKeyRShift 3A p EfiKeyD10
1B EfiKeyUpArrow 3B [ EfiKeyD11
1C 1 EfiKeyOne 3C ] EfiKeyD12
1D 2 EfiKeyTwo 3D \ EfiKeyD13
1E 3 EfiKeyThree 3E EfiKeyDel
1F EfiKeyCapsLock 3F EfiKeyEnd
20 a EfiKeyC1 40 EfiKeyPgDn
21 s EfiKeyC2 41 7 EfiKeySeven
22 d EfiKeyC3 42 8 EfiKeyEight
23 f EfiKeyC4 43 9 EfiKeyNine
24 g EfiKeyC5 44 ` EfiKeyE0
25 h EfiKeyC6 45 1 EfiKeyE1
26 j EfiKeyC7 46 2 EfiKeyE2
27 k EfiKeyC8 47 3 EfiKeyE3
28 l EfiKeyC9 48 4 EfiKeyE4
29 ; EfiKeyC10 49 5 EfiKeyE5
2A ' EfiKeyC11 4A 6 EfiKeyE6
2B | EfiKeyC12 4B 7 EfiKeyE7
2C 4 EfiKeyFour 4C 8 EfiKeyE8
2D 5 EfiKeyFive 4D 9 EfiKeyE9
2E 6 EfiKeySix 4E 0 EfiKeyE10
2F + EfiKeyPlus

So what was the password?

Using the above list and the recovered scancodes gave:

20 22 16 45 15 38 21 35 34 20 35 4e 34
a  d  m  1  n  i  s  t  r  a  t  0  r

and when i tried adm1nistrat0r it worked!
This is not complete as there are still questions about the 0x80 bytes but my guess is they encode the shift alt etc modifier keys but im back into my handheld so i'm not sure ill look further into it. This may also apply to other Aptio bioses as well as the Panasonic CF-U1, and if the machine isnt bootable you may be able to use a cheap spi adapter to dump the bios, in the case of the CF-U1 it uses an LPC flash which I don't think you can get cheap clips and readers for and its buried in the machine so a nuisance to get to.

@userx14
Copy link

userx14 commented Jun 25, 2023

key AMITSESetup from uefitool a51:
5B44B6C511656CD0C7A0222D7DC9D82033B58E1EE9CD440F9F08FAD45516B0C20BCB6679C1A71C3D7716D2A92D3D88D0E3633EF7998AF41D4FB1AA4405D8606B

from python tool:

the xored sequence is likely the following sha1 hash:
b'd7 e3 df 9d 40 59 ce ba 9b df 99 e7 73 da b4 f7 02 25 48 be'

This means as far as I know that it is impossible to find out your password, but you can overwrite the hash with zeros and it should be gone.
But be cautious when flashing bios images from within windows, I've seen multiple cases of bricked machined because some part of the bios could not be written from within the os and the bios backups were incomplete. More information in the previous posts.

@Ftmmsch
Copy link

Ftmmsch commented Jun 25, 2023

@userx14

That it allways is risky, to flash within windows, i knew.

But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD.
Under this conditions, the OS isn't running, because it's not loaded.

But: could it be risky allso?

@SergeySolovyenko
Copy link

Hi to ALL! I Fix problem with BIOS Password on the my Panasonic CF-C1
How to :

  1. I make a dump with APTIO 4
  2. In the UEFITool i fund password section on the AMITSESetup in first tree. BUT! This information same writed in 2 tree. I Erase this information with writing zeros and save this modificated ROM.
  3. Im flash BIOS With this custom ROM from windows with APTIO 4 - Need to put checkbox - Write All bloks, and Do not check ID. Optionaly - restart after flashing.
  4. Congrats! We are removed password from the BIOS!!!!
    Thanks for all people who help to me here! I think this instruction will help for some people!

@SergeySolovyenko
Copy link

@userx14

That it allways is risky, to flash within windows, i knew.

But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD. Under this conditions, the OS isn't running, because it's not loaded.

But: could it be risky allso?

СF-C1 dont have a DVD or CD. Only USB and in my case, he is not see any external DVD. Also, nevermind. I can't load DVD from BIOS trow f12 because in this case he load LAN system boot in default mode.

@warst
Copy link

warst commented Jun 30, 2023

@userx14
That it allways is risky, to flash within windows, i knew.
But: what about doing this from a live DVD ? - I did it once from a WIN 10 PSE DVD. Under this conditions, the OS isn't running, because it's not loaded.
But: could it be risky allso?

СF-C1 dont have a DVD or CD. Only USB and in my case, he is not see any external DVD. Also, nevermind. I can't load DVD from BIOS trow f12 because in this case he load LAN system boot in default mode.

Get yourself a CH134a with a test eeprom clip and flash it the correct way, it's very cheap, straightforward and you can easily experiment more in the future. Make sure it has the 5v-3.3v mod applied though as the vcc line is tied directly to the 5v usb port power which is bad news for a bios chip!

@Ftmmsch
Copy link

Ftmmsch commented Jul 3, 2023 via email

@juhisByte
Copy link

juhisByte commented Jul 9, 2023

Hi all,
i have Panasonic fz-g1 mk4 pad, where is bios password. I have bios dump file, but not sure how to get cracked that password from it.

Is here anybody who can help me
Regards

@SergeySolovyenko
Copy link

Привет всем, у меня есть панель Panasonic fz-g1 mk4, где находится пароль биоса. У меня есть файл дампа биоса, но я не знаю, как взломать этот пароль.

Здесь есть кто-нибудь, кто может мне помочь С уважением

Hi!. I think i can help. Share your dump here.

@juhisByte
Copy link

i cannot add rar, or file here :(
Can u give ur email, or something where i can send it

Regards

@SergeySolovyenko
Copy link

SergeySolovyenko commented Jul 10, 2023

i cannot add rar, or file here :( Can u give ur email, or something where i can send it

Regards

Just write to me in the Telegram

Copy link

ghost commented Aug 8, 2023

Hallo,
PW

my Englisch is Bad, but i try it.
I have one CF-52 with Password, i understand i can delete it, but i want know what word is was.
Can you say my PW? ( i understand that the PW from Toughbook works,... WTF scancodes how does this map to keys)
Thank you

@bsistuk
Copy link

bsistuk commented Aug 9, 2023

image

0F 93 FE 26 45 BA 2A 4D 97 E0 61 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 01

@userx14
Copy link

userx14 commented Aug 9, 2023

@Jeeg1975
You can try the python code in this comment and paste your code (leave out the last 01 in your highlighted selection, it is not part of the password) from your screenshots into the variable
yourValueFromNvRam. If it is hashed, you will not be able to find out the original password.

Copy link

ghost commented Aug 9, 2023

ok thank you,

@cbbeerman
Copy link

cbbeerman commented Aug 9, 2023

Looks like the PW for
0F 93 FE 26 45 BA 2A 4D 97 E0 61 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 0B C9 66 5C C1 EF 1C 83 01
is
THTFPC

@essquireo0o
Copy link

You are doing it wrong - I found the actual hash and can crack it using brute force - let me know if anyone needs help. I spent an entire year digging into Toughbook BIOS Rom's using UEFIEdit NE and this may sound arrogant, but I am the only one that can get the actual password for the machine. You can see my eBay feedback here https://www.ebay.com/fdbk/feedback_profile/ingbtc and my site here https://www.toughbookbios.com/

I have worked with every major toughbook vendor.

@AutonomousCat
Copy link

For mine the super user password comes first and then the 00s. Is this hashed? The python tool isn't providing the right password.

5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC 33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74 0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7 E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05 5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC 33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74 0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7 E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

@userx14
Copy link

userx14 commented Oct 11, 2023

@AutonomousCat
did you use yourValueFromNvRam = "5B 20 B6 29 11 52 6C 0B C7 56 22 76 7D 24 D8 EC 33 EA 8E BD E9 00 44 33 9F 41 FA C9 55 6C B0 74 0B B4 66 CD C1 FD 1C A1 77 1E D2 3D 2D 6E 88 E7 E3 C3 3E 26 99 40 F4 7E 4F FA AA DA 05 D0 60 05" ?
Strangely it repeats twice, this could mean that both bios passwords are the same.
I'm not sure about the result though, it is 32 bytes long with zero bytes padding in between. Maybe SHA256?

@AutonomousCat
Copy link

@userx14 I'm using this. https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd?permalink_comment_id=4423922#gistcomment-4423922

It's probably hashed. Anything I can do with the public keys listed on the Security tab in UEFITool NE alpha 67?

@cbbeerman
Copy link

Try
sempra123

:)

@AutonomousCat
Copy link

AutonomousCat commented Oct 12, 2023

Try sempra123

Is this a joke? @cbbeerman

@cbbeerman
Copy link

Im sorry it was not a joke I didn't clear out old data

@cbbeerman
Copy link

Here is the hash sorry again

B30FE846B6022376C47C54DB3AC7CE417D91122208945337A0D1CA634B9E086E

@Fasihi-Rad
Copy link

Hello everyone
I have a CF-D1N
first I can't find C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)

but I found this when search for C811FA38-42C8-4579-A9BB-60E94EDDFB34

image_2023-11-07_183400088
(There is 2 of them (header-offset 50h))

The XOR process it's not look very promising, it's seems to be hashed !

The question is
Am I get the right address, could I zeros those section ?

here is the rom : https://drive.google.com/file/d/1p0fY14pDjYojEwhp4RMKXiDYh15-0B1P/view?usp=sharing

@en4rab
Copy link
Author

en4rab commented Nov 7, 2023

Screenshot 2023-11-07 153908 The AMITSESetup entry is about 13 lines up from the one you highlighted and by the looks of it its a sha1 hash, it also looks like there are 2 copies of the NVRAM data so you might have to null out both entrys

@aosaginohi
Copy link

aosaginohi commented Nov 10, 2023

I tried to follow the guide but I am a little stuck, is someone able to tell me my password for my bios I have a Panasonic CF-SZ6.
I could dump it fine with the afu tool, but after that I am a little stuck on how to continue.

From what I can figure out this is what I can find:
5B 63 B6 A9 11 AB 6C 05 C7 F1 22 28 7D F5 D8 31 33 5B 8E A6 E9 21 44 80 9F BA FA 2F 55 9A B0 46 0B 55 66 0F C1 63 1C 6A 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

This is the rom file i got from saving it with the afu tool:
https://drive.google.com/file/d/1err9pzUP7TDOGerwaWIYuhO-c6VSY4WE/view?usp=sharing

Thank you so much in advanced for anyone who can help me!

@userx14
Copy link

userx14 commented Nov 14, 2023

The code you found looks like the correct sequence, 606B on the end is typical for the xored result. Pasting this into my python script returns that this is likely an sha1 hash. So the only publicly known method is to overwrite it with zeros (check out some of the previous comments and make sure to have a full backup of all bios regions).

@aosaginohi
Copy link

The code you found looks like the correct sequence, 606B on the end is typical for the xored result. Pasting this into my python script returns that this is likely an sha1 hash. So the only publicly known method is to overwrite it with zeros (check out some of the previous comments and make sure to have a full backup of all bios regions).

Thank you for the answer! :)

@essquireo0o
Copy link

This method works on DUO cores, but anything i3 and above it is encoded. I spent a year trying to find the hash and then finding the algo associated with the hash. I can break any password (80-90% of the time, depending on how long the password is). Here is the full process to find the password for any duo core machine.

Open ROM dump in UEFITool_NE

Press Ctrl-F and select Text tab. Uncheck Unicode and type AMITSESetup.

Press OK.
Look at strings with ending: at header-offset 0Bh
Double-click on first one

.

Please note that the found entry inside StdDefaults node. So it’s useless. Double-click on next one

Note that it’s only Link to NVAR entry. Right-click on AMITSESetup and choose Go to data

Right-click on AMITSESetup and choose Body hex view

It’s empty again. So go to third one.

It’s inside StdDefaults node again. So go to 4 th .

Again - Go to data

Again Body hex view

Select data for admin hash

Copy by Ctrl+C and past into text editor
5B9FB60411F46C1AC78422857D14D816
33208E50E9E344D69F8CFA1A557AB0BB
0B44661DC1C21CB57716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B

Select twenty even bytes (in hex)
5B9FB60411F46C1AC78422857D14D816
33208E50E9E344D69F8CFA1A557AB0BB
0B44661DC1C21CB57716D2A92D3D88D0
E3633EF7998AF41D4FB1AA4405D8606B

Write down in line
9F04F41A848514162050E3D68C1A7ABB441DC2B5

It’s SHA1 hash from the password in Unicode format.

The password for this hash – abc
abc in Unicode format (in hex) - 61 00 62 00 63 00

Use https://www.fileformat.info/tool/hash.htm to calculate hash (Binary hash).

SHA-1 9f04f41a848514162050e3d68c1a7abb441dc2b5

Done.

https://toughbookbios.com/ (i3 processor or higher contact me to get the password, CF-31, CF-53, CF-54 - any model I can crack the password)

@corty8
Copy link

corty8 commented Nov 18, 2023

This method works on DUO cores, but anything i3 and above it is encoded. I spent a year trying to find the hash and then finding the algo associated with the hash. I can break any password (80-90% of the time, depending on how long the password is). Here is the full process to find the password for any duo core machine.

Open ROM dump in UEFITool_NE

Press Ctrl-F and select Text tab. Uncheck Unicode and type AMITSESetup.

Press OK. Look at strings with ending: at header-offset 0Bh Double-click on first one

.

Please note that the found entry inside StdDefaults node. So it’s useless. Double-click on next one

Note that it’s only Link to NVAR entry. Right-click on AMITSESetup and choose Go to data

Right-click on AMITSESetup and choose Body hex view

It’s empty again. So go to third one.

It’s inside StdDefaults node again. So go to 4 th .

Again - Go to data

Again Body hex view

Select data for admin hash

Copy by Ctrl+C and past into text editor 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B

Select twenty even bytes (in hex) 5B9FB60411F46C1AC78422857D14D816 33208E50E9E344D69F8CFA1A557AB0BB 0B44661DC1C21CB57716D2A92D3D88D0 E3633EF7998AF41D4FB1AA4405D8606B

Write down in line 9F04F41A848514162050E3D68C1A7ABB441DC2B5

It’s SHA1 hash from the password in Unicode format.

The password for this hash – abc abc in Unicode format (in hex) - 61 00 62 00 63 00

Use https://www.fileformat.info/tool/hash.htm to calculate hash (Binary hash).

SHA-1 9f04f41a848514162050e3d68c1a7abb441dc2b5

Done.

https://toughbookbios.com/ (i3 processor or higher contact me to get the password, CF-31, CF-53, CF-54 - any model I can crack the password)

I have messaged you twice now via your website, no reply on either occasion

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment