I do not have a server to push it, other than the usual suspects (i.e. wetransfer and the like) i can just send you my email address via PVT if it's OK for you.
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
Was able to get chipsec to work however did not find anything which would help.
None of the other options work as I cant boot to Freedos - need UEFI and doesnt look like CSM is enabled.
None of the other options work as I cant boot to Freedos - need UEFI and doesnt look like CSM is enabled.
It might be worth using chipsec (sudo pip install chipsec)
# python chipsec_main.py -m common.bios_wp
This might tell you the common vulnerabilities of the bios and chipset.
Alternatively there are ways of invalidating the CMOS checksum which can reset a password, I don't know how dangerous that is on an unknown motherboard? How To Remove, Clear, Reveal, Unlock or Reset BIOS Security Password • Raymond.CC
Edit: Someone who managed to extract the password on their AMI Aptio Toughbook:
Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)
Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI) - CF-U1-BIOS.mdgist.github.com
A note on the serial connections: I might just be dumb, but while going through a test linux install I got the BIOS and GRUB menu on the USB serial connection but the actual installer presented on the RJ45.
The RJ45 connector is the serial port on the motherboard. If you dont get it on the serial port adding console=tty0 console=ttyS0,115200 to the grub boot command line will definitely get the output on the RJ45 serial line. Your linux distro might already be setup to use the serial port.
Anyone had enough time to hook up to the jtag pinout
edit: don’t type and walk the dog..
I’ve experienced this playing with some Linux installers on an old Power system I have laying around -> wasted a day wondering why I never actually saw any installer output but couldn’t find any issue at all.... *sigh* there is a grub option I think to say what console you want to use for the text installer but I can’t recall what it is
edit: don’t type and walk the dog..
Last edited:
Ubuntu Manpage: cmospwd - a cmos/bios password recovery tool
manpages.ubuntu.com
Slightly worried that these erase tools could disable the console or worse depending on the default configuration of the BIOS
Just a note to save some time for anyone trying brute force -
over the last couple of days in 20 minute sprints I've tried a few passwords.
there is no joy in mudville.
over the last couple of days in 20 minute sprints I've tried a few passwords.
there is no joy in mudville.
“last 7 of the board serial number”
"last 4 of the board serial number"
“last 6 of a node’s mac address”
“last 4 of a node’s mac address”
000
0000
password
PASSWORD
Password
ak-d1541
AK-D1541
AKD1541
akd1541
d1541
D1541
1541
asrack
ASrack
ASRACK
Akamai
akamai
AKAMAI
AKAM
akam
asrock
ASRock
ASROCK
SSL
ssl
CLOUD
cloud
admin
ADMIN
Admin
root
ROOT
Root
Administrator
administrator
field
FIELD
craft
CRAFT
maint
MAINT
demo - wouldn’t that be funny
cisco - gotta try
AMI Master passwords
ami
amiami
CMOSPWD
amidecod
AMI.KEY
KILLCMOS
amipswd
AMISETUP
589589
AMIPSWD
AMI?SW
ami.kez
AMI
AMI!SW
ami°
A.M.I.
AMI_SW
helgasss
aammii
bios310
HEWITT RAND
AMI~
BIOSPASS
akampass
AKAMPASS
akampswd
AKAMPSWD
akamaipass
AKAMAIPASS
akpass
AKPASS
akpswd
AKPSWD
akpassword
AKPASSWORD
"last 4 of the board serial number"
“last 6 of a node’s mac address”
“last 4 of a node’s mac address”
000
0000
password
PASSWORD
Password
ak-d1541
AK-D1541
AKD1541
akd1541
d1541
D1541
1541
asrack
ASrack
ASRACK
Akamai
akamai
AKAMAI
AKAM
akam
asrock
ASRock
ASROCK
SSL
ssl
CLOUD
cloud
admin
ADMIN
Admin
root
ROOT
Root
Administrator
administrator
field
FIELD
craft
CRAFT
maint
MAINT
demo - wouldn’t that be funny
cisco - gotta try
AMI Master passwords
ami
amiami
CMOSPWD
amidecod
AMI.KEY
KILLCMOS
amipswd
AMISETUP
589589
AMIPSWD
AMI?SW
ami.kez
AMI
AMI!SW
ami°
A.M.I.
AMI_SW
helgasss
aammii
bios310
HEWITT RAND
AMI~
BIOSPASS
akampass
AKAMPASS
akampswd
AKAMPSWD
akamaipass
AKAMAIPASS
akpass
AKPASS
akpswd
AKPSWD
akpassword
AKPASSWORD
It's a long shot and assuming it's an AMI specific password rather than a Datto password try: R@str
Going to grab my 3.3v programmer from work Monday only had my 5v at home and dump the full rom again as I forgot the AMI util only dumps bios and not the full flash rom due to the management engine
@itronin I had a look at the pic but i basycally got nothing out of it other than the fact that the FPGA is way smaller than what i was expecting (it's a Xilinx kintex 7 XC7A35T)
I also had a shot at the bios image but was surprised to see all password related variables as all zero, if the image is just the base ROM without actual variables this makes sense.
For the impatient ones: i basically just followed the instruction in the link posted by @bob_dvb where it's suggested that bios password is stored as a xored keymap entry list under GUID C811FA38-42C8-4579-A9BB-60E94EDDFB34 (with text AMITSESetup). If you look at the dump posted in the previous page using UEFITool (currently i'm using 52 alpha) under said guid you will find just aseries of 0x00 terminated by a single 0x01 byte.
I think that with the full dump we may be able to recover or reset the password but this will surely need an SPI programmer.
I also had a shot at the bios image but was surprised to see all password related variables as all zero, if the image is just the base ROM without actual variables this makes sense.
For the impatient ones: i basically just followed the instruction in the link posted by @bob_dvb where it's suggested that bios password is stored as a xored keymap entry list under GUID C811FA38-42C8-4579-A9BB-60E94EDDFB34 (with text AMITSESetup). If you look at the dump posted in the previous page using UEFITool (currently i'm using 52 alpha) under said guid you will find just aseries of 0x00 terminated by a single 0x01 byte.
I think that with the full dump we may be able to recover or reset the password but this will surely need an SPI programmer.
@andreathing Did this on the bios and noticed that the user and supervisor password were zeroed out which is consistent with what the bios shows on screen which is that user and supervisor password are not setup.
I made a couple of minor changes to the bios and wrote it back it- it did display the changes but everything else remained the same.
the sequence for this is:
Pressing del during bootup brings up a menu item enter password for setup or leave blank for limited setup (not exact wording). On entering wrong password brings up a error message and then brings up the limited setup.
It almost seems there is another bios password that has been setup possibly as a special coding in this bios. Have been poking around to see if there are any other variables as an added security option.
I made a couple of minor changes to the bios and wrote it back it- it did display the changes but everything else remained the same.
the sequence for this is:
Pressing del during bootup brings up a menu item enter password for setup or leave blank for limited setup (not exact wording). On entering wrong password brings up a error message and then brings up the limited setup.
It almost seems there is another bios password that has been setup possibly as a special coding in this bios. Have been poking around to see if there are any other variables as an added security option.