Password for Unbranded NUC-like Board BIOS

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Radar_Cap
    New Member
    • Jun 2022
    • 5
    • USA
    #1

    Password for Unbranded NUC-like Board BIOS

    Hello

    I got a NUC-like motherboard.
    Unfortunately it's with Boot password, unable to boot or enter BIOS setup.


    It's AMI BIOS as we can see from the POST screen.


    I use CH341a programmer to get the dump of only SPI flash chip(W25Q128JVSIQ) on this board.
    Tried to find AMITSESETUP with the bin file, but following HEXs are empty.



    Please help with decrypt password or removal.

    Thanks!
    Attached Files
    Last edited by Radar_Cap; 06-20-2022, 07:50 AM. Reason: Typo for tittle wording
    Tags: None
    • AAAC
      Badcaps Veteran
      • Jan 2020
      • 458
      • Mexico
      #2
      Re: Password for Unbranded NUC-like Board BIOS

      Hi,
      I've also tried to find AMITSESetup variable, it is empty, so I did check AMITSE dxe driver by tracing other variables and invalidated a variable by patching your file.
      Before patching the bios I did also consider that the password may be stored in volatile memory, did you try to disconnect CMOS battery to see if that clears the password?

      VERY IMPORTANT: Make sure you have a good backup of your bios, this is your last chance. Sometimes CH341A programmer corrupts readings/writings of bios chip. If you haven't done so, I suggest to READ and SAVE bios chip contents, do this 3 times and then make sure all 3 files are identical.
      Attached Files

        Comment

        • SMDFlea
          Super Moderator
          • Jan 2018
          • 21307
          • UK
          #3
          Re: Password for Unbranded NUC-like Board BIOS

          Originally posted by AAAC
          Hi,
          I've also tried to find AMITSESetup variable, it is empty, so I did check AMITSE dxe driver by tracing other variables and invalidated a variable by patching your file.
          Before patching the bios I did also consider that the password may be stored in volatile memory, did you try to disconnect CMOS battery to see if that clears the password?

          VERY IMPORTANT: Make sure you have a good backup of your bios, this is your last chance. Sometimes CH341A programmer corrupts readings/writings of bios chip. If you haven't done so, I suggest to READ and SAVE bios chip contents, do this 3 times and then make sure all 3 files are identical.
          the pass is on the yellow and green stickers on the motherboard
          All donations to badcaps are welcome, click on this link to donate. Thanks to all supporters

            Comment

            • Radar_Cap
              New Member
              • Jun 2022
              • 5
              • USA
              #4
              Re: Password for Unbranded NUC-like Board BIOS

              Originally posted by AAAC
              Hi,
              I've also tried to find AMITSESetup variable, it is empty, so I did check AMITSE dxe driver by tracing other variables and invalidated a variable by patching your file.
              Before patching the bios I did also consider that the password may be stored in volatile memory, did you try to disconnect CMOS battery to see if that clears the password?

              VERY IMPORTANT: Make sure you have a good backup of your bios, this is your last chance. Sometimes CH341A programmer corrupts readings/writings of bios chip. If you haven't done so, I suggest to READ and SAVE bios chip contents, do this 3 times and then make sure all 3 files are identical.

              Hi, AAAC

              I programmed the SPI flash chip with your patched file.

              Good news is it didn't get brick, bad news is the password still there.

              As your advice.
              Actually before I upload the dump, SPI flash was read for several times, all the dump files are identical.

              For hardware reset method, the board doesn't have CLR_CMOS jumper, CMOS battery was removed at the first beginning.

              When I checked similar boards' manual, there's a way for short connect BAT connector to reset BIOS, which also didn't work for this board.


              By the way, when I compare the patched file from you, it's addr 0x90DEF1h & 0x93DEF1h changed from 0x83 to 0x03.

              After 1st boot of patched, new read from SPI flash shows the value of 0x93DEF1h is now 0x83, and 0x90DEF1h is still 0x03.

              Thanks for your help!
              Any new thoughts please let me know.
              Attached Files

                Comment

                • AAAC
                  Badcaps Veteran
                  • Jan 2020
                  • 458
                  • Mexico
                  #5
                  Re: Password for Unbranded NUC-like Board BIOS

                  @Radar_Cap
                  Yes, I've only invalidated "Ep" variable, which to me seemed the way to go.
                  Will try to trace strings such as: "Create New Password" and "Confirm New Password", to see where the password is saved.

                    Comment

                    • AAAC
                      Badcaps Veteran
                      • Jan 2020
                      • 458
                      • Mexico
                      #6
                      Re: Password for Unbranded NUC-like Board BIOS

                      While checking the code did find a couple of strings, actually the same string, one lowercase and the other UPPERCASE, which makes sense for a typed password. If this one works, it means that the password is hard coded into the uefi firmware. Good luck!
                      password = hstsys123
                      Last edited by AAAC; 06-23-2022, 11:24 PM.

                        Comment

                        • Radar_Cap
                          New Member
                          • Jun 2022
                          • 5
                          • USA
                          #7
                          Re: Password for Unbranded NUC-like Board BIOS

                          Originally posted by AAAC
                          While checking the code did find a couple of strings, actually the same string, one lowercase and the other UPPERCASE, which makes sense for a typed password. If this one works, it means that the password is hard coded into the uefi firmware. Good luck!
                          password = hstsys123
                          Yes, it worked! Appreciate your help!



                          By the way, it seeems this is a solid passowrd. Either you set the password or not.
                          Even I clean the password in BIOS setup. Still need to type in this default password to make the machine boot.
                          Is that possible to remove this default password check?

                          Thanks!
                          Attached Files
                          Last edited by Radar_Cap; 06-27-2022, 08:22 PM.

                            Comment

                            • AAAC
                              Badcaps Veteran
                              • Jan 2020
                              • 458
                              • Mexico
                              #8
                              Re: Password for Unbranded NUC-like Board BIOS

                              This is a customized BIOS, so maybe if you could find a regular stock BIOS you can swap it.
                              The DXE driver module where I found the hard coded password is AMITSE (GUID: B1DA0ADF-4F77-4070-A88E-BFFE1C60529A), that's the one to be modified in order to make it boot without asking for a password, it will require "trial and error" or to study the module very well in order to properly patch it. First test would be to NULL those strings ("hstsys123") and see what happens.
                              What's the application of this motherboard?

                                Comment

                                • Radar_Cap
                                  New Member
                                  • Jun 2022
                                  • 5
                                  • USA
                                  #9
                                  Re: Password for Unbranded NUC-like Board BIOS

                                  Originally posted by AAAC
                                  This is a customized BIOS, so maybe if you could find a regular stock BIOS you can swap it.
                                  The DXE driver module where I found the hard coded password is AMITSE (GUID: B1DA0ADF-4F77-4070-A88E-BFFE1C60529A), that's the one to be modified in order to make it boot without asking for a password, it will require "trial and error" or to study the module very well in order to properly patch it. First test would be to NULL those strings ("hstsys123") and see what happens.
                                  What's the application of this motherboard?
                                  Thanks for your advise, I'll try if I get time to look into that.

                                  For the board, it shipped without case, there's no direct description for the usage.
                                  When I check the model in POST screen, it should be the motherboard of video conference device, but retail version have different I/O ports, so I guess it's kind of engineering sample board for that product.

                                    Comment

                                    Previous template Next

                                    Related Topics

                                    Collapse
                                    • zenius
                                      [REQUEST] Dell G3 3579 BIOS Password & AMI Protected Range/BIOS Guard Unlock
                                      by zenius
                                      Hello, I have an old Dell G3 3579 (ST: 2WQ7LP2-8FC8) with a newer 8FC8 BIOS password. I have successfully attached to the flash chip (W25Q128JVSQ) on the motherboard with a CH341A programmer and made several modifications using Intel FIT (e.g., allow software SPI write) without bricking. I was also able to boot to a modified GRUB shell where I attempted to edit many BIOS security related options like BIOS Guard/Lock, Flash Signature Override, ME FW Image Re-Flash, etc.

                                      Unfortunately, some of these modifications like to Intel BIOS Guard failed because it is fused into the PCH. Also,...
                                      12-08-2024, 06:13 AM
                                    • DynaxSC
                                      MSI PRO B660M-G DDR4 - real bios dump from board needed (no stock bios)
                                      by DynaxSC
                                      Hi, I have an MSI PRO B660M-G DDR4 board with damaged BIOS and i need a bios dump from a real board, along with MAC, UUID and Serial Number info (eg. a BIOS screenshot and pictures from the board stickers).

                                      I need to reconstruct the bios on my board, based on another bios image form a real board - meaning a bios image containing MAC address, UUID and Serial number. A stock BIOS is not suffiecient, as it is impossible to discover where the MAC, UUID and SerialNumber are stored. Tried with a similar board, but there are too much differences, and the stock BIOS is missing a lot of...
                                      11-17-2023, 10:56 AM
                                    • traxformania
                                      TONGFANG "GM7TG7P" Bios Password Problem?
                                      by traxformania
                                      Hello,

                                      I'm using TONGFANG "GM7TG7P" model laptop for over 3 years and i'm entering the same bios administrator password everyday. My laptop has Aptio BIOS (American Megatrends, AMI).

                                      But today it's not accepting my password. I'm %100 sure i'm entering the correct password.

                                      I'm trying to reset my bios without success.

                                      I tried :

                                      -I removed the BIOS battery and main battery. Waited for a long time but it didn't work. They already stated in the user manual that the password will not be reset even if the batteries...
                                      11-15-2023, 07:32 AM
                                    • Nopslide
                                      HP Omen 15-dh0052nf power-on & bios password
                                      by Nopslide
                                      Hello everyone, I come here to tell you my problem regarding the power-on password. It is not a bios reset demand, and i can't have any access to windows. This is the bios and power-on password that is blocking all other things.

                                      My Omen 15-dh0052nf purchased second-hand was configured with the bios password upon purchase (very simple password :P ).

                                      Having decided to sell it in order to get something more powerful, I reset all BIOS settings and set a blank administrator password. But the power-on password cannot be changed to a blank one so I let the actual password set....
                                      04-01-2024, 04:27 PM
                                    • BlackVisor
                                      How to Decode BIOS password for RedmiBook Pro15 2022 6800H
                                      by BlackVisor
                                      RedmiBook Pro 1542022 6800H
                                      SKU: TM2113-39463
                                      Model Number: RMA2204-AB
                                      CMIIT ID: 2022AP1835
                                      SN: 39463/22WD01355
                                      BIOS version: RMARB5B0P1010 20230628

                                      1. I bought this laptop from flea market, and the seller said that he had never set a password, however here is a password required when pressing F2 to enter BIOS.
                                      2. And after entering incorrrect password 3 times, there is no any useful information like "recovery code"
                                      3. I used universal bios backup tool, and dumped 8MB bin file, but hex code after "SystemSupervisorPw" is...
                                      01-14-2024, 06:35 AM
                                    • Loading...
                                    • No more items.
                                    Working...