SuperMicro H8DGU-F BIOS password reset

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

Zxarr

New Member
Jan 2, 2020
8
0
1
The Backstory

I've been given a used server from work. This is fine, I've 'disposed' of servers, via the proper process, in this manner many times for my home lab. This one looked nice on paper. Dual Opteron 6380 16 core with 128Gb memory. Nice!

The problem arose when I went to boot my USB key to zero out the drives... I couldn't boot from USB as the BIOS had it disabled. Boo. Entering the BIOS asks for a password! Naturally. This was a 'FireEYE' management server, and thus far no one at the company has responded to inquiries.

This board appears to have an eeprom with AMI BIOS on it...

What I've Tried

I've gone through the manual for the motherboard and it states that all I need to do is turn the server off and short the pads JBT1 and all will be well. No dice. Next, I removed the CMOS battery for a solid 7 hours and shorted the pads a few times. I even removed the power supplies during this time. Nada.

I even tried the AMI 'backdoor' passwords that I've Googled. They do nothing.

I don't get an hex code when it fails, it just says 'Too many tries' and continues the boot procedure.

The Question

I can PXE boot, so I can get into a Linux OS (Ubuntu) Is there some kind of a CMOS password cracking utility that would work? Even a brute force attack... I can happily let this server run on a desk at work while it whittles away at the password...

Motherboard / BIOS Information

Supermicro H8DGU-F-FIO10 BIOS Date: 12/31/2013 Rev: FI3.0c
AMIBIOS(C)2010 American Megatrends, Inc

Website:
Super Micro Computer, Inc. - Aplus Products | Motherboards | H8DGU-F


Any help would be appreciated.

Thanks!
 
Last edited:

bigtweekx

New Member
Jun 24, 2020
2
0
1
I have the same server (FireEYE 5400-EX). I was able to get past the bios password by flashing the Supermicro bios from a DOS USB drive. Perhaps you can do the same via PXE. After flashing the BIOS I powered off the server, unplug the power, removed CMOS battery, shorted JBT1, then put everything back together and no more password!

EDIT: You will also need to flash IPMI and reset BIOS to fail-safe defaults through the BIOS settings page (DEL)
 
Last edited:

Zxarr

New Member
Jan 2, 2020
8
0
1
I'll have to give that a try. At the moment, the server is sitting quietly on a shelf. I never got around to PXE booting it yet.
 

Zxarr

New Member
Jan 2, 2020
8
0
1
Sorry @bass00. I haven't gotten to it yet. Hah! It's been so long. I'm in the middle of a garage renovation to give me a place to tinker with all this stuff! It is on my list and I will update this thread once I know the results of said tinkering.
 

cikadule

New Member
Sep 9, 2020
1
0
1
Hi,
I was dealing with the same issue for few weeks on and off. So this is how i did it, and i hope it will help you :):

Since boot order cannot be changed... this was my workaround:

-Created a boot-able sata disk with rufus (free DOS)

-Downloaded and copied the bios files from the manufacturers web site (Product Resources | Support - Super Micro Computer, Inc.) to the above hard drive.
Note: you need the zip file that contains both flash tool and bios image

-Removed all the hard drives from the servers and plugged the above sata drive
(tricky part: based on the raid controller or the appliance- you might need to create the virtual drive with the above sata disk, or it might not boot automatically.
Important part-when the config is done - dont initialize the disk or it will reformat it. Dont forget also to assign boot device to that virtual drive)

-After it booted to DOS, type flash "nameofbiosfile.xxx", wait for few minutes and thats it.

Hope it helps,
 

Iaroslav

Member
Aug 23, 2017
111
24
18
37
Kyiv
Had the same problem, but with newer X9 boards, don't know if it will work the same, anyway here's how I fixed that:
- Boot up with some linux on SATA drive
- Reset IPMI admin password and set up network through ipmicfg
- Login to IPMI interface and flashed IPMI and BIOS FW's without "save preferences" selected
After that no more password
 

penrhos

New Member
Nov 23, 2020
28
10
3
I'm struggling too - Work just ditched two FireEye boxes - the drives have been destroyed but I have the servers & caddies sat in the test lab. Was thinking if I took the CPU and ram out of one so I could make the other dual CPU and double the ram it'd make a nice little VMWare host.

Motherboards a SuperMicro HD8DGU-F-FI010 and according to manual removing cmos battery and shorting JBT1 while PSU's unplugged should reset passwords but nadda - stuck booting from raid controller only and bios password enabled, IPMI disabled so I can't attack from there either.

Tried all the usual attack options for resetting to factory defaults but stuck so far.

Thinking best option might be to remove raid controller - stick in another server, configure a sas drive JBOD with linux installed, swap it back and try to boot from there - then flash ipmi back to factory defaults and force flash the bios with erase NVRAM option.

I have an eprom programmer so how feasible is removing the bios chip from the motherboard and rewriting it with the stock bios?
 

penrhos

New Member
Nov 23, 2020
28
10
3
There's an easy option if you pick up a FireEye X11SSW-F based appliance...

The X11 motherboard has an "Bios Recovery" jumper - set the jumper to "recovery mode"
format a small < 4Gb usb pen FAT - copy the latest bios file onto the usb pen, rename it to super.bin
Power on server with usb pen plugged in and follow the bios recovery menu - make sure reset nvram is selected.
Put jumper back to normal mode.
Boot server using a bootable usb pen with ipmi firmware and utility on and flash the ipmi with latest firmware and save settings = N

Sorted - server is back to factory.
 

penrhos

New Member
Nov 23, 2020
28
10
3
Sorted - Was easy in the end...

I took the raid controller out of the system and stuck it into a pcie 16x slot PC

1) Connected up a 70Gb SAS drive to port 0 of a mini-sas SFF-8087 to 4 x sas cable.
2) Entered the raid controller menu
3) Cleared the raid configuration
4) Created a new one with just the 70Gb drive
5) Formatted drive and set it to bootable.
6) Saved settings on the raid controller
7) Rebooted PC with usb pen containing FreeDos full and installed Freedos onto the 70Gb SAS drive.
8) Copied latest bios and ipmi files onto the drive
9) Powered off PC and removed raid controller & drive.

Put the raid controller back into the FireEye server:-

1) Put the drive into a spare caddy and stuck it into bay 0 (top left) - others bays empty.
2) Powered on
3) Server boots into DOS first attempt.
4) Ran dupdate -f smt_329.bin -r N to flash and factory reset BMC & IPMI.
5) Rebooted
6) Ran Flash H8DGU6.318
7) Rebooted
8) Pressed F2 to enter bios then F9 for defaults, then F10 to save new settings.

All sorted - one EX5400 put back to stock....

Might be handy info as a few of these might become available now FireEye have been hacked and had their "team red" tools stolen.
 

Zxarr

New Member
Jan 2, 2020
8
0
1
The Backstory

I've been given a used server from work. This is fine, I've 'disposed' of servers, via the proper process, in this manner many times for my home lab. This one looked nice on paper. Dual Opteron 6380 16 core with 128Gb memory. Nice!

The problem arose when I went to boot my USB key to zero out the drives... I couldn't boot from USB as the BIOS had it disabled. Boo. Entering the BIOS asks for a password! Naturally. This was a 'FireEYE' management server, and thus far no one at the company has responded to inquiries.

This board appears to have an eeprom with AMI BIOS on it...

What I've Tried

I've gone through the manual for the motherboard and it states that all I need to do is turn the server off and short the pads JBT1 and all will be well. No dice. Next, I removed the CMOS battery for a solid 7 hours and shorted the pads a few times. I even removed the power supplies during this time. Nada.

I even tried the AMI 'backdoor' passwords that I've Googled. They do nothing.

I don't get an hex code when it fails, it just says 'Too many tries' and continues the boot procedure.

The Question

I can PXE boot, so I can get into a Linux OS (Ubuntu) Is there some kind of a CMOS password cracking utility that would work? Even a brute force attack... I can happily let this server run on a desk at work while it whittles away at the password...

Motherboard / BIOS Information

Supermicro H8DGU-F-FIO10 BIOS Date: 12/31/2013 Rev: FI3.0c
AMIBIOS(C)2010 American Megatrends, Inc

Website:
Super Micro Computer, Inc. - Aplus Products | Motherboards | H8DGU-F

Any help would be appreciated.

Thanks!

Replying to my initial post! I have finally returned and after an evening of searching and prodding I managed to get this silly thing going!

Thanks for all the suggestions on how to get this going, I hope it helped a few of us out there, but the issue I had was I couldn't boot from ANYthing but the NIC, or the RAID controller. No USB boot for me. The answer was actually quite simple, once you know how it's done...

This was the board in question: Super Micro Computer, Inc. - Aplus Products | Motherboards | H8DGU-F
I downloaded the BIOS .zip file from that location and read the readme file. In there I found that you can recover the BIOS from a catastrophic event by pressing CTRL-HOME repeatedly upon power up. Here are the instructions from the actual readme:

Code:
When you performed the Flash reprogramming, make sure you do not reboot or power down until the updates is completed
( typically within 5 minutes).  If you fail to heed this procedure,
you will be left with a system that has a corrupted BIOS. 
In the unlikely event that a Flash upgrade is interrupted catastrophically,
the BIOS may be left in an unusable state. However, SUPERMICRO's Flash ROMs have a special BIOS Recovery procedure
that can be performed. Recovering from this condition requires the following steps.


1. Copy the H8xxxxx.xxx file from BIOS package and save into a USB drive
2. Rename the H8xxxxx.xxx file to super.rom
3. Install the USB on the MB and remove other bootable device
4. While Power on the system, hit "ctrl + Home" keys several times
5. The USB LED turn on, but the screen is blank and some long beeps from onboard buzzer.
6. After the BIOS recovery is completed, 4 quick beeps and then system will reboot.
7. “CMOS Checksum” message will show, press F1 go into BIOS setup and then load optimal default settings or your custom BIOS setting.
8. Save setting and reboot system.
The key thing here is you cannot have any boot sources when pressing CTRL-HOME. I yanked the RAID card in the system, plugged the USB into the INTERNAL header near the front of the board. The USB was just a FAT32 formatted drive with the super.rom file on it. I kept pressing CTRL-HOME until I saw the LED on the USB stick flashing. It gave me a number of long beeps, then after about 30 seconds four short beeps and it rebooted!!! ...to a black screen. Uhoh. Well, a full power down (hold power for 5 seconds) and power up solved it! New BIOS, no more password. Reset the BIOS to optimal and everything worked!

I will note that without resetting the BIOS to optimal settings, the NIC cards weren't working in FreeBSD or Linux.

So that's it. Read the manual. Sorry it took me so long!

Hope this helps someone.
 

penrhos

New Member
Nov 23, 2020
28
10
3
Mines fully working with stock bios, IPMI, dual processors, 128Gb of ram, 8 * 300Gb 15K SAS drives in Raid-10 and an IBM 5015 dual port SAS controller (LSI 9260-8i), 10Gbe network card - but it's soo loud, the fans are real screamers. But it was 90% free so can't complain too much.

FYI the LCD control panel removes with 3-4 small screws and a small metal bracket that hooks into the drive-bay mounts, once removed there's a SATA power to floppy power conversion lead and a small cable that goes to the status leds and power switch. I chopped the power cable, removed it, fed the cable for the led panel back through the rear of the sas/sata backplane. this frees up four additional 2.5" drive bays - you just need a 8087-8087 M-SAS cable long enough to reach the ports on the raid controller card.

I also drilled a small hole in the right front corner and fitted a push-to-make switch wired to the first pair of pins on the front panel connector. so I can power-cycle the server easily.

Total cost £40 for the IBM-5015 & cable + about 4 hours to work out how to get it back to stock and install the CPU/RAM/Caddies from the other one work scrapped.
 

Fart_biscuits

New Member
Mar 17, 2021
6
1
3
Any thoughts on what the bios password might be? I’ve got a FireEye NX 2500 that’s actually an advantech model (fwa-3260). The manual shows how to update the bios but not where to get it and I haven’t been able to find it on their website.
 

Zxarr

New Member
Jan 2, 2020
8
0
1
I never did find the password, I essentially just over-wrote it. If you crack the unit open and find the model of the motherboard, that might help in your search.
 

Zxarr

New Member
Jan 2, 2020
8
0
1
Have you tried different keyboards? I know this sounds a little strange, but sometimes keyboards aren't detected in time for the CTRL-HOME to register? Or maybe you're going through a KVM, or something?

I'm just spitballing here, because I've now done three motherboards like this, plus two more smaller SuperMicro boards... all FireEye products too. Hah.

if I think of anything else, I'll let you know.
 

Olli399

New Member
Aug 12, 2021
2
0
1
Have you tried different keyboards? I know this sounds a little strange, but sometimes keyboards aren't detected in time for the CTRL-HOME to register? Or maybe you're going through a KVM, or something?

I'm just spitballing here, because I've now done three motherboards like this, plus two more smaller SuperMicro boards... all FireEye products too. Hah.

if I think of anything else, I'll let you know.

I used a USB and then a PS/2 keyboard so it definitely should work. What size was the USB stick? Maybe mine was too big.

I renamed the .318 file and I'm assuming that was the correct one.

I think you can tell I unplugged the backplane, used the internal USB header as suggested and definitely pressed CTRL-Home

I remember it saying something about a buffer being full?

The problem for me is that its not really the BIOS and more that it straight up won't boot into any disk OS or not, and obviously I need to get into the BIOS to disable that.

Cheers for replying so quick :)
 

Fart_biscuits

New Member
Mar 17, 2021
6
1
3
My FireEye appliance, which is actually an Advantech unit, only boots from bios/mbr (pre flashed) drives. It won’t boot from usb or a drive that has a uefi os on it. Maybe try that?

edit: I should also say I wasn’t able to get in to the bios but this method still allowed me to boot TrueNAS (and other OS’s)
 

Zxarr

New Member
Jan 2, 2020
8
0
1
I renamed the .318 file and I'm assuming that was the correct one.

I think you can tell I unplugged the backplane, used the internal USB header as suggested and definitely pressed CTRL-Home
Yes, that should be the correct file.

I pulled the RAID card out completely to get mine to work.


The key thing here is you cannot have any boot sources when pressing CTRL-HOME. I yanked the RAID card in the system, plugged the USB into the INTERNAL header near the front of the board. The USB was just a FAT32 formatted drive with the super.rom file on it. I kept pressing CTRL-HOME until I saw the LED on the USB stick flashing. It gave me a number of long beeps, then after about 30 seconds four short beeps and it rebooted!!! ...to a black screen. Uhoh. Well, a full power down (hold power for 5 seconds) and power up solved it! New BIOS, no more password. Reset the BIOS to optimal and everything worked!

I will note that without resetting the BIOS to optimal settings, the NIC cards weren't working in FreeBSD or Linux.
 

KeithF

New Member
Aug 30, 2021
1
0
1
I am having a heck of a time getting this thing to flash. I tried a 16GB USB and a 2GB USB drive with the super.rom file and nothing happens. All drives have been removed, RAID card removed. CTRL+HOME seems to work since the USB LED is flashing, but I have left it running for 5 to 20 minutes with nothing changing.