Tuts 4 You

UEFI BIOS backdoor


H1TC43R


Has anyone been able to find any master passwords or backdoors for the newer UEFI bios?

Let me give you an overview of what I'm doing below

I have a Windows 10 x64 based machine which works fine, but I want to get into the BIOS to change settings (boot order etc.). The older machines used to give you a code after 3 wrong password attempts, which then lets you get a master code for it, but these newer machines have a locked password: again you get 3 attempts, then it locks up until reboot, no more codes. The BIOS is American Megatrends v5.65.

I don't want to open it up and remove the CMOS at the moment for a few reasons, plus I'm not sure that old trick still works with 2017+ machines.

 

 

 

 


This is just a follow-up, as all too often someone makes a post about something and then that is it, nothing else.

I was fortunate enough to chat with someone on another forum and I was able to make a dump of the BIOS, and he was able to give me the original password in a couple of minutes. This has got me interested in the BIOS dump itself and what it contains.

Yes, I could have attempted to use CmosPwd 5 or tried to reset it by pulling the CMOS out for 20 mins, but I'm not sure that would work anymore.

The old trick of mistyping the password 3 times to get the code, followed by using bios-pw, does not work on these newer BIOS; you still have 3 attempts but you no longer get a code, just a freeze/lock, which then means you have to restart the device and start over.

 


You were lucky with your machine; you only had the setup protected, so booting and then reading was possible.

I don't know about your BIOS as I haven't kept up to date with the newer ones, but I know that with some manufacturers of the newer BIOS you need to enter 3 master passwords and then it shows you the hash, which you can use in a master password generator.
 

e.g. FSI BIOS:

First password:  3hqgo3
Second password: jqw534
Third password:  0qww294e

and then it shows you the hash.

All of the new machines I have seen recently have some way of getting the hash. It isn't always obvious, so maybe something similar is needed for your BIOS.

If it was a laptop then removing the CMOS battery would do nothing, and they generally don't have a jumper reset; the password/hash is stored on a chip, but you can normally read the chip it's stored on, or write it, without a password if you know what you're doing.


To be honest, when I saw the BIOS was from 2016 I had a better feeling than when I first started; a couple of years have passed and there was a good chance there would be a crack in the security. The OEM bought a template BIOS from AMI and then modified the BIOS and Windows to suit them.

I still have a ways to go as Windows has also been locked down, so I will see if I can recover the original admin account on it rather than change it. Pass-the-Hash is an option, but I have only used it twice so I'm cautious lol.

The thing is, there is not a lot of info on the latest BIOS in public, and the ones I saw a lot are outdated and have the same spelling mistakes and missing little things that should be there, so you know a couple have plagiarized someone else's work.

 

 

 


It seems AMI has a different system to the usual hash...

Press F2 on startup to enter BIOS setup. On the password prompt press ALT+R, which will then prompt you for a "Rescue Password" which can be generated from the supplied date code.

The Windows password can be changed or removed easily with various programs and even the Windows setup; there are lots of tuts on this subject.


The hot key for this device is Del, not F2, and ALT+R won't work either. I'm sure the company created their own sub section, so that makes it a bit more creative, but thanks for the ideas, always helpful.

I'm hoping to find a way of getting the original password from Windows rather than changing it if possible; God Mode can deal with that if it becomes the final option.

Not sure if you know or not, but there is a God Mode on Windows? For anyone else interested, try this; there's plenty of info on it out there.

Enabling God Mode in Windows 10

To make this work, you must be using an account with administrative privileges. Go to your desktop and create a new folder by right-clicking any open area, pointing to "New" on the context menu, and then clicking the "Folder" command.

Now, rename the folder to the following: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} and hit return; you'll notice the folder icon change to a Control Panel icon.


God Mode won't help with the password; this mode is simply a collection of shortcuts found in Control Panel and other sections.

To crack the original password, you could create a new user using one of many methods and then grab the hashes from the SAM and run a dictionary or brute force attack on it to recover the original password, but it all depends on how secure the original password is.


I was hoping that it may help, as the Windows system is locked down, even Defender is blocked, so access to the sections may help in my case.

I'm thinking of trying Kali with Hashcat 6; it's had a major update so it's got to be worth a first shot. My backup option would be John the Ripper.

 

Any comments will be helpful

 

I came across this public user guide and thought it might shed light for anyone following

 

 

Aptio_TSE_Data_Sheet.pdf


2 weeks later...

I have upgraded the RAM and hard drive to a higher spec and it still works; I also managed to load other software which I couldn't do originally.

The only issue I had was a flat ribbon and putting it back on the motherboard; still not 100% sure it's in right, but I will come back to that.

Windows is a bit more challenging; as mentioned before, it has been locked down by the company. On the sign-in screen there is only 1 user listed when I know there are 2 built-in admin accounts, the normal Windows Administrator account and the OEM company's own, which is where it gets locked up.

I can access it to reset the password through CMD with net user Administrator password /active:yes and it comes up successful, but the admin accounts are still hidden. I need to be careful, as it is possible that if I delete the original password it could cause the system a problem, which will then cost some time when I have to reset everything and start again. Attached a pic so you see what I mean; not sure if it's generic or something else.

 

Warning.jpg


Data from the admin will be lost as mentioned, but not the main OS; you might lose any user data for that account but not the OS.

Have you downloaded the SAM and tried brute forcing the admin password?


22 hours ago, NOP said:

Data from the admin will be lost as mentioned, but not the main OS; you might lose any user data for that account but not the OS.

Have you downloaded the SAM and tried brute forcing the admin password?

Not yet; I know where the SAM is in the system folder, but I'm cautious because I don't want to lose that particular account (I can recover it to factory settings, but it takes 2+ hrs to recover). Whilst trying other options I came across Windows Password Recovery.

I tested it on another computer and it did give me 2 of the passwords (well, the first 3 letters/numbers, as it's in trial mode).

On reading up a bit more, it seems Enterprise is not as easy to do because it is not mainstream like the Pro and Home versions that most people have; it's basically Windows 10 Pro with extras.

Enterprise:

Windows 10 Enterprise provides all the features of Windows 10 Pro, with additional features to assist with IT-based organizations.

 

 


1 month later...

Been away for a bit but back now, and I have managed to source another unit as well, which should be here in a couple of days.

Going to start with the SAM and SYSTEM files to see if I can crack the password, but the bigger challenge will be dealing with the group policy; I will create a new post about that rather than mess up this post.


5 weeks later...

I managed to get another device and am starting to get somewhere. I have the SAM and SYSTEM files from both units; all that needed to be done was:

Just open the Command Prompt as Administrator, and then run the following commands:

reg save HKLM\SAM C:\sam

reg save HKLM\SYSTEM C:\system

Or you can change the directory to wherever you want to save the files to.

 

I also found 2 ways to activate the hidden users, so now when I start the machine it asks which user I want to use; it also works with signing out and signing back in with another account.

The 1st way was to use regedit and do the following:

Open the Registry Editor (click your Start button, type regedit and hit enter).

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

In the right-hand pane look for a DWORD that has the name of the hidden user account.

Double click that DWORD; if the value of that DWORD is 0, set it to 1.

Close the Registry Editor and restart your system.

 

The 2nd way is:

To enable the Windows 10 administrator account do the following (note: this works in older versions of Windows as well):

Tap on the Windows key. This should open the start menu or bring you to the Start Screen interface, depending on how Windows 10 is configured on the system.

Type cmd and wait for the results to be displayed.

Right-click on the Command Prompt result (cmd.exe) and select "Run as administrator" from the context menu. Alternatively, hold down the Shift key and the Ctrl key before you start cmd.exe.

Run the command net user to display a list of all user accounts on the system. You should see Administrator listed as one of the accounts.

To activate the inactive administrator account, run the command net user administrator /active:yes

Windows returns "The command completed successfully" if the operation is successful. Check the spelling and that you are in an elevated command prompt if you get error messages.

If you want to enable the guest account as well, run the command net user guest /active:yes

So now that I have access to the other user accounts, it makes sense for me to find a way to find out the passwords (Mimikatz, Hashcat, etc.).
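The two procedures in this post, exporting the SAM and SYSTEM hives with reg save and bringing hidden accounts back with the Winlogon SpecialAccounts\UserList key or net user /active:yes, are exactly the command lines a defender wants to see in process-creation telemetry (Windows event 4688 or Sysmon event 1). The script below is an added example and is not from this thread or any of its posters: it classifies constructed process-creation records against those three patterns and then correlates a hive export with an account re-enable by the same user inside a time window, since the pair is a stronger signal than either command alone. The sample records, the LAB\tech and LAB\alice user names, the svc_oem account and the Contoso key are all constructed; the regular expressions and the 30-minute window are my own choices, not any product's rules.

```python
"""Detect credential-hive export and hidden-account re-enabling in
process-creation logs. Added example; every input record is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed process-creation records in the shape of Windows 4688 /
# Sysmon event 1 fields (timestamp, subject user, command line).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:12:01", "user": "LAB\\tech", "cmd": r"reg save HKLM\SAM C:\sam"},
    {"ts": "2024-01-10T09:12:03", "user": "LAB\\tech", "cmd": r"reg  save hklm\system C:\system"},
    {"ts": "2024-01-10T09:15:44", "user": "LAB\\tech", "cmd": r"net user administrator /active:yes"},
    {"ts": "2024-01-10T09:16:10", "user": "LAB\\tech",
     "cmd": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"'
            r" /v svc_oem /t REG_DWORD /d 1 /f"},
    {"ts": "2024-01-10T09:20:00", "user": "LAB\\tech", "cmd": r"reg query HKLM\SOFTWARE\Contoso"},
    {"ts": "2024-01-10T09:21:00", "user": "LAB\\alice", "cmd": r"net user"},
]

# Optional (possibly quoted) path prefix before the executable name,
# e.g. "C:\Windows\System32\reg.exe", then the name with or without .exe.
_EXE = r'^\s*(?:"?[^"\s]*\\)?{name}(?:\.exe)?"?\s+'
# reg save of a credential-bearing hive: SAM, SYSTEM (boot key) or SECURITY.
HIVE_RE = re.compile(
    _EXE.format(name="reg") + r'save\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b', re.I)
# net user <name> [password] /active:yes, i.e. re-enabling a disabled account.
ACTIVATE_RE = re.compile(
    _EXE.format(name="net1?") + r'user\s+"?(\S+?)"?\s+(?:\S+\s+)?/active:yes\b', re.I)
# Any write that names the Winlogon UserList key, which hides/unhides
# accounts on the logon screen (the regedit method described in the post).
USERLIST_RE = re.compile(r"\\winlogon\\specialaccounts\\userlist", re.I)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    technique: str
    detail: str


def classify(cmd: str):
    """Map one command line to (technique, detail), or None when no rule hits."""
    m = HIVE_RE.search(cmd)
    if m:
        return "credential-hive-export", f"hive={m.group(1).upper()}"
    m = ACTIVATE_RE.search(cmd)
    if m:
        return "account-enabled", f"account={m.group(1)}"
    if USERLIST_RE.search(cmd):
        return "logon-userlist-modified", "Winlogon SpecialAccounts UserList written"
    return None


def scan(events):
    """Run classify() over the records and keep the ones that match a rule."""
    findings = []
    for ev in events:
        hit = classify(ev["cmd"])
        if hit:
            findings.append(Finding(ev["ts"], ev["user"], hit[0], hit[1]))
    return findings


def correlate(findings, window_seconds=1800):
    """Pair a hive export with an account re-enable by the same user within
    window_seconds. Returns sorted (user, export_ts, enable_ts) tuples."""
    window = timedelta(seconds=window_seconds)
    exports = [f for f in findings if f.technique == "credential-hive-export"]
    enables = [f for f in findings if f.technique == "account-enabled"]
    alerts = set()
    for e in exports:
        for a in enables:
            gap = abs(datetime.fromisoformat(a.ts) - datetime.fromisoformat(e.ts))
            if a.user == e.user and gap <= window:
                alerts.add((e.user, e.ts, a.ts))
    return sorted(alerts)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts} {f.user:12} {f.technique:26} {f.detail}")
    for user, exp_ts, en_ts in correlate(hits):
        print(f"ALERT {user}: hive export at {exp_ts}, account enabled at {en_ts}")
```

The path-prefix pattern is there because real telemetry records the full image path and often quotes it, and the `net1` alternative covers the helper binary `net.exe` hands off to; both are common reasons a naive substring match on `reg save` or `net user` misses the event. Tuning the window and adding the host name to the correlation key are the obvious next steps when this is fed from a SIEM rather than a list.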


2 weeks later...

I found 1 of the 2 passwords I'm looking for; it was for the default Windows admin account. I tested it and it works fine, but the company account password looks to be slightly harder (I know the first 3 keys from previous research), so currently I'm giving Cain & Abel a try on an i7 whilst I have another program running on 1 of the devices, but that's running slower due to the limits of the CPU. After this I can move on to the actual program and its protections.

I also upgraded the memory and boosted the SSD to 500GB in the 2nd device, and also fixed an issue I was having. The problem was EaseUS Todo Backup; it wouldn't copy the winload.efi file over correctly, and I think possibly a couple of other small files (1KB etc.), so the device wouldn't load up, but I got around this and it finally runs like it should.


Do you have a CUDA compatible GPU? It would be MUCH faster using the GPU over the CPU. C&A is an old app which, I think, only officially works with XP, NT and 2000, and has been known not to recover some newer accounts / Windows versions.

I recommend Hashcat, John the Ripper, or a pre-rolled Windows app which supports modern GPUs, like the many from Elcomsoft.

😀


Thanks NOP, I went with Elcomsoft in the end as I was having a few problems with Hashcat and the tables. It is something I would like to come back to though, as it's something you need a few days to understand, not the few hrs I have had; I would also like to dig deeper into John the Ripper.

Cain and Abel wasn't that great; as you say, it's dated, as is ophcrack.

Anyway, I found the password within 10 minutes. It was a 40 character password, much longer than originally thought, and wouldn't be easy to guess as it's random ("Hj0KNmz2" etc.), so it shows again that passwords mean nothing if you're using Windows LOL.

Now that I have managed to get total control of both devices, it will be time to close this down, as the next part will be to do with the protections, and this is where I have spent a few weeks picking up bits and pieces, as it is riddled with protections.

After that I have a dongle to play with, so all that should see me till the new year.


2 months later...

I managed to get a few more devices of the same spec and am wondering if I can get the HWIDs (I already have the licenses) and find a solution to create a keygen.

The passwords etc. from my work above are all the same, so it's a generic setup, and the programs are .NET.

Currently I'm looking at the protections on the system, as there are a few obfuscations.


4 weeks later...

The usual method I hear is to pull the SPI chip (well, SPI on modern but not too modern boards) from the motherboard, modify it offline, and solder it back; this is what the repair guys do. You can find some of this info and backup images for the BIOS on the typical web sites for laptop or motherboard schematics, although most of them are subscription.

You can pick up a USB SPI read/write tool on eBay for $20-100 or so.

 

 

 

 

Edited by fpgaguy

Thanks, that was an option I was told to look at by the guys on the repair forums; I got help from them a while ago accessing the .rom file, but didn't chase it up as I decided to upgrade my network over Christmas. Now I'm back on it, so just refreshing my memory 😅

 


2 weeks later...

I decided to factory reset the machine from a recovery partition I found, and I'm looking to create my own version, so if a problem happens I can just factory reset it already updated. It's easier than having to restore the machine and then spend a few hours updating it each time, as I'm bound to make the odd mistake here and there, and it's always handy to have a backup plan 😅 plus being a UEFI BIOS makes it interesting 😆

Clonezilla will be the way forward for me to create a nice clean recovery image, and I will put it in place of the previous Clonezilla image. I did have a quick look with Diskpart and it shows the hidden recovery partitions. After that it will be on to protections, mainly .NET Reactor and Themida.


2 years later...

I have managed to get a newer version of this hardware: better CPU, double the memory and a slightly different version of Windows Enterprise.

So far the BIOS password is the same as the previous version; they do have the same users as well, but the 1 I looked at didn't have a password, it was just a hidden account which I brought back, so I will have to check another.


I'm not suggesting that this guy leaked the source code, but it's likely he's telling the truth and other people have paid for it. I believe that someone bought it but only used it for the x86 protection, thus they stripped the "intel files" and leaked the rest? Chances are the missing files won't be leaked so don't bother searching.


20 hours ago, ra1n said:

I'm not suggesting that this guy leaked the source code, but it's likely he's telling the truth and other people have paid for it. I believe that someone bought it but only used it for the x86 protection, thus they stripped the "intel files" and leaked the rest? Chances are the missing files won't be leaked so don't bother searching.

I think you mentioned me in the wrong place!


2 hours ago, Gladiator said:

I think you mentioned me in the wrong place!

AHHHH, my bad, was supposed to send this in that leaked VMP thread. Now that you're here however, maybe you could supply the missing files from the leak? haha


Speaking of protection, I have managed to have a quick look at the software on both devices; the old device is end of life in 2018 (Themida) and the newer device is 2023 (VMProtect) and is about to be replaced by a new version tablet.

I have also had a look at the traffic and they both phone home; for the old 1 all the links seem dead, the new ones are still active.

Also, I found some info that the device serials can be changed on the BIOS chip, and the BIOS password is the same on the newer device, which I was surprised with considering

 

 


 
