Skip to content

Instantly share code, notes, and snippets.

@en4rab
Last active October 6, 2024 02:50
Show Gist options
  • Save en4rab/550880c099b5194fbbf3039e3c8ab6fd to your computer and use it in GitHub Desktop.
Save en4rab/550880c099b5194fbbf3039e3c8ab6fd to your computer and use it in GitHub Desktop.
Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

A mess of my own making

While messing with a CF-U1 handheld PC that I bought off ebay I managed to mess up the BIOS and it seems it reverted to previous settings which included an unknown BIOS password, it would however still boot into windows. Since I could still boot windows I was able to dump the bios flash using AFUWINGUI.EXE the version I used was 3.09.03.1462 which is available here:
https://www.ami.com/support-other/ Click on Aptio 4 AMI Firmware Update Utility

There may be a more appropriate version to use as this seemed to have trouble checking the bios version when flashing but did work if you selected "Do Not Check ROM ID" but flashing isnt needed to get the password.

Dumping the flash

alt text
Run AFUWINGUI.EXE and at the bottom of the "Information" tab click the save button to make a backup of your bios, the default name is afuwin.rom Now open this saved image with UEFITool_NE available here:
https://github.com/LongSoft/UEFITool/releases

I used UEFITool_NE_A51_win32.zip later versions should work fine. The new engine (NE) verson seems to deal with AMI's odd nvram format better.

alt text

Expand the first EfiFirmwareFilesystemGuid >> NVRAM dropdown tree and look for the GUID
C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
with subtype Data there will be others with subtype Link which are older no longer valid entrys because of the odd way AMI nvram works, if you find one of these right click on it and select "Go to data" and it will take you to the actual data entry.
Now right click and select "Body hex view" and you should see something like:

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040  7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A  {.”¦.:)ÍÒ`.ô\‡í.
0050  07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35  .®®AÜÔ.h«ûú.U¢°5
0060  0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0  .Éf\Áï.ƒw.Ò©-=ˆÐ
0070  E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B  ãc>÷™Šô.O±ªD.Ø`k
0080  01

In this the bytes from 0x00 to 0x3F are the currently unset user password, 0x40 to 0x7F are the obfuscated administrator password and 0x80 is the quiet boot flag.

1337 encryption

The password is obfuscated using super secure xor

VOID PasswordEncode( CHAR16 *Password, UINTN MaxSize)
{
    UINTN	ii;
    unsigned int key = 0x935b;

#if SETUP_PASSWORD_NON_CASE_SENSITIVE
    for ( ii = 0; ii < MaxSize; ii++ )
        Password[ii] = ((Password[ii]>=L'a')&&(Password[ii]<=L'z'))?(Password[ii]+L'A'-L'a'):Password[ii];
#endif

    // Encode the password..
    for ( ii = 1; ii <= MaxSize/2; ii++ )
        Password[ii-1] = (CHAR16)(Password[ii-1] ^ (key*ii));
}

So Xoring the above encoded password:

7B 13 94 A6 07 3A 29 CD D2 60 1A F4 5C 87 ED 1A 07 AE AE 41 DC D4 0A 68 AB FB FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

with

5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B

gives

20 80 22 80 16 80 45 80 15 80 38 80 21 80 35 80 34 80 20 80 35 80 4e 80 34 80 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Each character of the password is stored as 2 bytes, and as x86 is wrong endian im guessing should be read as 0x8020 0x8022 I have no idea where the 0x80 comes from possibly its something to do with the EFI_SHIFT_STATE_VALID in this case the password was lower case, possibly uppercase status is encoded in this byte too I have no idea I havent tested uppercase passwords.

WTF scancodes how does this map to keys

From the unobfuscated data you can see the password is 13 characters long, im going to ignore the 0x80 bytes as i dont understand them :P and just look at the others:
20 22 16 45 15 38 21 35 34 20 35 4e 34
They appear to be some sort of scancodes, although while googleing this I found some AMI bioses seem to use ascii here so you can read it out directly as text, but not on this machine.
When this CF-U1 arrived from ebay it had a password which i sucessfully guessed as "toughbook" my second guess would have been "panasonic" since using text written on the front of the PC as a password saves writing it under the battery cover :P
Looking through the older link entrys for the AMITSESetup nvram I found what I thought was the data for this password which deobfuscating as above gave (ignoring the 0x80):

35 39 37 24 25 14 39 39 27
t  o  u  g  h  b  o  o  k

This seemed promising repeated characters have the same value and gives a bit of a key to the mapping Some googeling later about UEFI scancodes and i found this page:
http://wiki.phoenix.com/wiki/index.php/EFI_KEY
From this it seems the value is the offset into this enum so in the toughbook example 35 translates to EfiKeyD5 a second page I found gave the mapping from EfiKey to ascii:
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c#L36

So i made up a list of byte to ascii using these, below are just 0x10 to 0x4E to cover most values but not be too stupidly long.

Hex Char EFIkey Hex Char EFIkey
10 z EfiKeyB1 30 Tab EfiKeyTab
11 x EfiKeyB2 31 q EfiKeyD1
12 c EfiKeyB3 32 w EfiKeyD2
13 v EfiKeyB4 33 e EfiKeyD3
14 b EfiKeyB5 34 r EfiKeyD4
15 n EfiKeyB6 35 t EfiKeyD5
16 m EfiKeyB7 36 y EfiKeyD6
17 , EfiKeyB8 37 u EfiKeyD7
18 . EfiKeyB9 38 i EfiKeyD8
19 / EfiKeyB10 39 o EfiKeyD9
1A EfiKeyRShift 3A p EfiKeyD10
1B EfiKeyUpArrow 3B [ EfiKeyD11
1C 1 EfiKeyOne 3C ] EfiKeyD12
1D 2 EfiKeyTwo 3D \ EfiKeyD13
1E 3 EfiKeyThree 3E EfiKeyDel
1F EfiKeyCapsLock 3F EfiKeyEnd
20 a EfiKeyC1 40 EfiKeyPgDn
21 s EfiKeyC2 41 7 EfiKeySeven
22 d EfiKeyC3 42 8 EfiKeyEight
23 f EfiKeyC4 43 9 EfiKeyNine
24 g EfiKeyC5 44 ` EfiKeyE0
25 h EfiKeyC6 45 1 EfiKeyE1
26 j EfiKeyC7 46 2 EfiKeyE2
27 k EfiKeyC8 47 3 EfiKeyE3
28 l EfiKeyC9 48 4 EfiKeyE4
29 ; EfiKeyC10 49 5 EfiKeyE5
2A ' EfiKeyC11 4A 6 EfiKeyE6
2B | EfiKeyC12 4B 7 EfiKeyE7
2C 4 EfiKeyFour 4C 8 EfiKeyE8
2D 5 EfiKeyFive 4D 9 EfiKeyE9
2E 6 EfiKeySix 4E 0 EfiKeyE10
2F + EfiKeyPlus

So what was the password?

Using the above list and the recovered scancodes gave:

20 22 16 45 15 38 21 35 34 20 35 4e 34
a  d  m  1  n  i  s  t  r  a  t  0  r

and when i tried adm1nistrat0r it worked!
This is not complete as there are still questions about the 0x80 bytes but my guess is they encode the shift alt etc modifier keys but im back into my handheld so i'm not sure ill look further into it. This may also apply to other Aptio bioses as well as the Panasonic CF-U1, and if the machine isnt bootable you may be able to use a cheap spi adapter to dump the bios, in the case of the CF-U1 it uses an LPC flash which I don't think you can get cheap clips and readers for and its buried in the machine so a nuisance to get to.

@kevinhulster
Copy link

@r-plabs I dump it through AMI afulnx tool.

@mayk469
Copy link

mayk469 commented Feb 14, 2024

Hello all,

Can anyone help me to erase the bios password ? I have attached the extracted file .

Thanks!

@en4rab
Copy link
Author

en4rab commented Feb 15, 2024

Try thua5P or thua5P|

@HackerajOfficial
Copy link

Hello all,

Can anyone help me to erase the bios password ? I have attached the extracted file .

Thanks!

try now https://alien.raaz.info.np/server/unlock/AMITSESetup/

@mayk469
Copy link

mayk469 commented Feb 15, 2024

Hello all,
Can anyone help me to erase the bios password ? I have attached the extracted file .
Thanks!

try now https://alien.raaz.info.np/server/unlock/AMITSESetup/

I tried, it doesn't work.

@mikrovr
Copy link

mikrovr commented Feb 15, 2024

@mayk469
Copy link

mayk469 commented Feb 15, 2024

mikrovr

Thanks @mikrovr ! I've tried all the variations with and without the uppercase, but it doesn't work.

@mikrovr
Copy link

mikrovr commented Feb 15, 2024

@mayk469
What is your country of origin, what is the standard keyboard you are using to enter the password?

@mayk469
Copy link

mayk469 commented Feb 15, 2024

I used two different US keyboard layout (ANSI and ISO).

@en4rab
Copy link
Author

en4rab commented Feb 15, 2024

did thua5P or thua5P| not work?

@HackerajOfficial
Copy link

Hello all,
Can anyone help me to erase the bios password ? I have attached the extracted file .
Thanks!

try now https://alien.raaz.info.np/server/unlock/AMITSESetup/

I tried, it doesn't work.

Your file can not decrypt so, use unlock option and simply flash the bios

@mayk469
Copy link

mayk469 commented Feb 15, 2024

did thua5P or thua5P| not work?

Thank you very much! It worked with thua5P. I didn't understand the first time that this is the password .

You guys are the best!

@mikrovr
Copy link

mikrovr commented Feb 15, 2024

@en4rab
Your answer was right!

AMI BIOS Password Recovery Tool v1.2 (Reset or/and recover lost passwords)
Copyright (C) 2016-2018 Paulo Coelho aka Mikrovr [email protected]

Password Recovery

Admin: thua5P

Note: Passwords are case-sensitive, upper and lower case.
Done!
Press any key to exit

// I had to make a small adjustment to the body of the hash.
max( 0, ( ( x - 1 ) | ( m - 1 ) ) + 1 - m )

@warst
Copy link

warst commented Feb 16, 2024

@en4rab Your answer was right!

AMI BIOS Password Recovery Tool v1.2 (Reset or/and recover lost passwords) Copyright (C) 2016-2018 Paulo Coelho aka Mikrovr [email protected]

Password Recovery

Admin: thua5P

Note: Passwords are case-sensitive, upper and lower case. Done! Press any key to exit

// I had to make a small adjustment to the body of the hash. max( 0, ( ( x - 1 ) | ( m - 1 ) ) + 1 - m )

Hey @mikrovr, is AMI BIOS Password Recovery Tool v1.2 available to use somewhere? I have some Panasonic bios dumps that are locked (I have unlocked them but kept the locked copy too) and I would like to know if I am able to recover the password from them.

@9Kid
Copy link

9Kid commented Mar 19, 2024

Anyone had luck unlocking a [Panasonic Let''s note RZ6? AMITSESetup is only of 0 , not a single character, but the password still is required.

@Castdeath97
Copy link

Trying to get the .bin dump via AFUWINGUI, but I get "32 - error: problem opening file to write". Any ideas?

@cesar030693
Copy link

cesar030693 commented Apr 16, 2024

Hello, can someone help me decipher the password? I am unable to flash the BIOS and am receiving the error message "43 - error: problem erasing flash". I've successfully unlocked the BIOS by flashing it on a few other CF-53 devices, but this particular one is giving me the error. Can anyone assist me with this issue?

its a panasonic cf-53J

I have included the link to the ROM file.

https://mega.nz/file/MCcV2CLb#_5Dl0p41pw2--RwTDNiMzgWGkL_NDncVbMZAmJtjUsE

83717453-c0053900-a600-11ea-98dd-09f5bb569b01

@Hyedryn
Copy link

Hyedryn commented May 21, 2024

Hi there,

If you're looking to recover an encrypted BIOS password that is 64 hex characters long, I've created a tutorial that might help to decrypt the password (tested successfully on an Asus Vivobook X412D). You can find it here: Recover SHA256 encoded AMI BIOS Password

@fperez2022
Copy link

Please, can someone help me obtain the key or unlock this Bios file on a Nuage 7850 NSG -E200 computer? Thanks in advance.

https://mega.nz/file/1EoETTZC#HoDtlBI5TIinaAohtC3v1AR2ZAONLgQksYlxMzYhUkU

@fperez2022
Copy link

AMITSESetup Decryptor & Unlocker link: https://alien.raaz.info.np/server/unlock/AMITSESetup/

image

The download link does not work. Please can someone who has the software share it? Thank you

@en4rab
Copy link
Author

en4rab commented Jun 13, 2024

I had a quick look and as far as i can tell there isnt a user or admin password set so if it is asking you for a passsword to enter the UEFI its probably some factory password they added to the uefi code

@mohamedxp
Copy link

Hi there,

If you're looking to recover an encrypted BIOS password that is 64 hex characters long, I've created a tutorial that might help to decrypt the password (tested successfully on an Asus Vivobook X412D). You can find it here: Recover SHA256 encoded AMI BIOS Password

please how can use this script

@DongRyeok
Copy link

Hello.

I tried to figure out the BIOS password for the network equipment that the Intel Atom CPU used, but UEFITool does not have C811FA38-42C8-4579-A9BB-60E94EDDFB34.

I tried changing CMOS battery and Clear jumper, but it did not initialize.

I think the manufacturer set the password when compiling the BIOS.

What should I do in this case?

The motherboard manufacturer of the equipment is Nexcom.

BIOS DUMP

@mikrovr
Copy link

mikrovr commented Aug 19, 2024 via email

@DongRyeok
Copy link

Have I managed to resolve it? If not, I will help you.

No, I haven't solved it.

@rebeltaz
Copy link

rebeltaz commented Oct 2, 2024

Is there an updated link to the AFUWINGUI? The link in the article doesn't seem to work for me. I found an archive called AMIBIOS_and_Aptio_AMI_Firmware_Update_Utility.zip that includes several different versions, but none that seem to work on the CF-U1 that I have. One, in a folder called "AFU_Core8" there isn't a GUI, but when I run the command line with /O it says that the "BIOS is write-protected," while the one in the folder called "AMI AFU For Aptio 4" give me an error "46 - Error : Problem getting flash information." I am hoping that I am just working with an incorrect version of AFU.

@en4rab
Copy link
Author

en4rab commented Oct 2, 2024

It seems AMI have redesigned their site, the new link is https://www.ami.com/support-other/ then click on Aptio 4 AMI Firmware Update Utility.
I have updated the gist to point to the new location

@rebeltaz
Copy link

rebeltaz commented Oct 2, 2024

It seems AMI have redesigned their site, the new link is https://www.ami.com/support-other/ then click on Aptio 4 AMI Firmware Update Utility. I have updated the gist to point to the new location

Thank you!

@rebeltaz
Copy link

rebeltaz commented Oct 6, 2024

It seems AMI have redesigned their site, the new link is https://www.ami.com/support-other/ then click on Aptio 4 AMI Firmware Update Utility. I have updated the gist to point to the new location

I downloaded that and tried again, but I am still getting "46 - Error: Problem getting flash information", so 🤷‍♂️

I am noticing that you are working on a mk2. Mine doesn't have the camera or fingerprint reader so mine may be an mk1? I don't know if that's why it won't run or not, but...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment