Tuts 4 You

Uefi Bios backdoor

H1TC43R

Has anyone been able to find any master passwords or backdoors for the newer UEFI BIOS?

Let me give you an overview of what I'm doing below.

I have a Windows 10 x64 based machine which works fine, but I want to get into the BIOS to change settings (boot order etc.). The older machines used to give you a code after 3 wrong password attempts, which then lets you get a master code for it, but these newer machines have a locked password, which again gives you 3 attempts and then locks up until reboot, no more codes. The BIOS is American Megatrends v5.65.

H1TC43R

This is just a follow-up, as all too often someone makes a post about something and then that is it, nothing else.

I was fortunate enough to chat with someone on another forum and I was able to make a dump of the BIOS, and he was able to give me the original password in a couple of minutes. This has got me interested in the BIOS dump itself and what it contains.

Yes, I could have attempted to use CmosPwd 5 or tried to reset it by pulling the CMOS out for 20 mins, but I'm not sure that would work anymore.

The old trick of mistyping the password 3 times to get the code, followed by using bios-pw, does not work on these newer BIOSes. You still have 3 attempts, but you no longer get a code, just a freeze/lock, which then means you have to restart the device and start over.

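The post above mentions dumping the BIOS and getting interested in what the dump contains. The first thing a practitioner does with a raw SPI flash dump is locate the UEFI firmware volumes inside it, which is what the added example below does. This is not code from the thread or from any tool named in it; it parses the public EFI_FIRMWARE_VOLUME_HEADER layout from the UEFI PI specification (the `_FVH` signature sits at byte 40 of the header, and a valid header's 16-bit words sum to zero). The sample image it scans is constructed inside the script, so it runs offline; the attribute value and block sizes used to build it are arbitrary assumptions.

```python
"""Locate UEFI firmware volumes in a raw BIOS/SPI dump.

Added example (not code from the forum thread). Parses the public
EFI_FIRMWARE_VOLUME_HEADER layout; the sample image is constructed below.
"""
import struct
import uuid

FV_SIGNATURE = b"_FVH"                     # UINT32 0x4856465F at header offset 40
# ZeroVector, FileSystemGuid, FvLength, Signature, Attributes, HeaderLength,
# Checksum, ExtHeaderOffset, Reserved, Revision
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)   # 56 bytes

# Well-known firmware file system GUIDs (PI spec / EDK2)
FFS_GUIDS = {
    "7a9354d9-0468-444a-81ce-0bf617d890df": "FFS1",
    "8c8ce578-8a3d-4f1c-9935-896185c32dd3": "FFS2",
    "5473c07a-3dcb-4dca-bd6f-1e9689e7349a": "FFS3",
}


def header_checksum16(hdr: bytes) -> int:
    """Sum of the header's little-endian 16-bit words mod 2**16; 0 means valid."""
    n = len(hdr) // 2
    return sum(struct.unpack("<%dH" % n, hdr[: n * 2])) & 0xFFFF


def parse_fv(image: bytes, off: int):
    """Parse a volume header at `off`; return None if it is not structurally sane."""
    if off < 0 or off + FV_HEADER_SIZE > len(image):
        return None
    if image[off + 40: off + 44] != FV_SIGNATURE:
        return None
    zero, guid_le, fv_len, _sig, attrs, hdr_len, _csum, ext_off, _res, rev = \
        struct.unpack_from(FV_HEADER_FMT, image, off)
    if hdr_len < FV_HEADER_SIZE or off + hdr_len > len(image) or fv_len < hdr_len:
        return None
    # BlockMap: (NumBlocks, Length) pairs terminated by (0, 0)
    blocks, pos = [], off + FV_HEADER_SIZE
    while pos + 8 <= off + hdr_len:
        nblocks, blen = struct.unpack_from("<II", image, pos)
        pos += 8
        if nblocks == 0 and blen == 0:
            break
        blocks.append((nblocks, blen))
    guid = str(uuid.UUID(bytes_le=guid_le))
    return {
        "offset": off,
        "guid": guid,
        "filesystem": FFS_GUIDS.get(guid, "unknown"),
        "length": fv_len,
        "revision": rev,
        "attributes": attrs,
        "ext_header_offset": ext_off,
        "block_map": blocks,
        "checksum_ok": header_checksum16(image[off: off + hdr_len]) == 0,
        "zero_vector_ok": zero == b"\x00" * 16,
    }


def find_volumes(image: bytes) -> list:
    """Every '_FVH' occurrence whose surrounding 56 bytes parse as a header."""
    vols, start = [], 0
    while True:
        i = image.find(FV_SIGNATURE, start)
        if i < 0:
            return vols
        vol = parse_fv(image, i - 40)
        if vol:
            vols.append(vol)
        start = i + 1


def build_fv_header(fs_guid: str, fv_len: int, block_len: int, revision: int = 2) -> bytes:
    """Construct a minimal valid header (one block-map entry + terminator) for the sample."""
    hdr_len = FV_HEADER_SIZE + 16
    body = struct.pack(FV_HEADER_FMT, b"\x00" * 16, uuid.UUID(fs_guid).bytes_le, fv_len,
                       FV_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, revision)  # attrs: assumed
    body += struct.pack("<IIII", fv_len // block_len, block_len, 0, 0)
    csum = (-header_checksum16(body)) & 0xFFFF                 # make the words sum to zero
    return body[:50] + struct.pack("<H", csum) + body[52:]


def constructed_image() -> bytes:
    """Fake dump: padding, one 64 KiB FFS2 volume, padding, and a decoy '_FVH' string."""
    pad = bytes(range(256)) * 2                                # 0x200 bytes, contains no '_FVH'
    fv = build_fv_header("8c8ce578-8a3d-4f1c-9935-896185c32dd3", 0x10000, 0x1000)
    fv += b"\xff" * (0x10000 - len(fv))                        # erased-flash filler
    decoy = b"\x00" * 40 + FV_SIGNATURE + b"\x00" * 20         # signature with no real header
    return pad + fv + pad + decoy + pad


if __name__ == "__main__":
    for v in find_volumes(constructed_image()):
        print("FV @ 0x%08x len=0x%x fs=%s rev=%d checksum_ok=%s blocks=%s"
              % (v["offset"], v["length"], v["filesystem"], v["revision"],
                 v["checksum_ok"], v["block_map"]))
```

On a real dump, replace `constructed_image()` with `open("dump.bin", "rb").read()`; a volume whose checksum fails or whose zero vector is non-zero is usually a false hit from a signature inside file data, and `ext_header_offset` being non-zero means the volume name GUID lives in an extended header after the block map.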
NOP

You were lucky with your machine: you only had the setup protected, so booting and then reading was possible.

I don't know about your BIOS as I haven't kept up to date with the newer ones, but I know with some manufacturers of the newer BIOSes you need to enter 3 master passwords and then it shows you the hash, which you can use in a master password generator.

eg: FSI bios

First password:  3hqgo3
Second password: jqw534
Third password:  0qww294e

and then it shows you the hash

All of the new machines I have seen recently have some way of getting the hash; it isn't always obvious, so maybe something similar is needed for your BIOS.

If it was a laptop then removing the CMOS battery would do nothing; they generally don't have a jumper reset, and the password/hash is stored on a chip, but you can normally read the chip it's stored on, or write it without a password, if you know what you're doing.

H1TC43R

To be honest, when I saw the BIOS was from 2016 I had a better feeling than when I first started; a couple of years have passed and there was a good chance there would be a crack in the security. The OEM bought a template BIOS from AMI, and the OEM modified the BIOS and Windows to suit them.

I still have a ways to go, as Windows has also been locked down, so I will see if I can recover the original admin account on it rather than change it. Pass-the-Hash is an option, but I have only used it twice so I'm cautious lol.

The thing is, there is not a lot of info on the latest BIOS in public, and the ones I saw a lot are outdated and have the same spelling mistakes and missing little things that should be there, so you know a couple have plagiarized someone else's work.
NOP

It seems AMI has a different system to the usual hash...

Press F2 on startup to enter BIOS setup. On the password prompt press ALT+R, which will then prompt you for a "Rescue Password", which can be generated from the supplied date code.

The Windows password can be changed or removed easily with various programs and even the Windows setup; there are lots of tuts on this subject.

H1TC43R

The hot key for this device is Del, not F2, and ALT+R won't work either. I'm sure the company created their own sub-section, so that makes it a bit more creative, but thanks for the ideas, always helpful.

I'm hoping to find a way of getting the original password from Windows rather than changing it if possible; God Mode can deal with that if it becomes the final option.

Not sure if you know or not, but there is a God Mode on Windows? For anyone else interested, try this; there's plenty of info on it out there.

Enabling God Mode in Windows 10

To make this work, you must be using an account with administrative privileges. Go to your desktop and create a new folder by right-clicking any open area, pointing to "New" on the context menu, and then clicking the "Folder" command.

Now rename the folder to the following: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} and hit Return; you'll notice the folder icon change to a Control Panel icon.

NOP

God Mode won't help with the password; this mode is simply a collection of shortcuts found in Control Panel and other sections.

To crack the original password, you could create a new user using one of many methods and then grab the hashes from the SAM and run a dictionary or brute-force attack on them to recover the original password, but it all depends on how secure the original password is.

H1TC43R

I was hoping that it may help, as the Windows system is locked down, even Defender is blocked, so access to the sections may help in my case.

I'm thinking of trying Kali with Hashcat 6; it's had a major update so it's got to be worth a first shot. My backup option would be John the Ripper.

Any comments will be helpful


I came across this public user guide and thought it might shed light for anyone following:

Aptio_TSE_Data_Sheet.pdf

H1TC43R

I have upgraded the RAM and hard drive to a higher spec and it still works; I also managed to load other software which I couldn't do originally.

The only issue I had was a flat ribbon and putting it back on the motherboard; still not 100% sure it's in right, but I will come back to that.

Windows is a bit more challenging; as mentioned before, it has been locked down by the company. On the sign-in screen there is only 1 user listed, when I know there are 2 built-in admin accounts, the normal Windows Administrator account and the OEM company's own, which is where it gets locked up.

I can access it to reset the password through CMD with net user Administrator password /active:yes, and it comes up successful, but the admin accounts are still hidden. I need to be careful, as it is possible that if I delete the original password it could cause the system a problem, which will then cost some time when I have to reset everything and start again. Attached a pic so you see what I mean; not sure if it's generic or something else.

Warning.jpg

NOP

Data from the admin will be lost as mentioned, but not the main OS; you might lose any user data for that account, but not the OS.

Have you downloaded the SAM and tried brute-forcing the admin password?

H1TC43R
22 hours ago, NOP said:

    Data from the admin will be lost as mentioned, but not the main OS; you might lose any user data for that account, but not the OS.

    Have you downloaded the SAM and tried brute-forcing the admin password?

Not yet. I know where the SAM is in the system folder, but I'm cautious because I don't want to lose that particular account (I can recover it to factory settings, but it takes 2+ hrs to recover). Whilst trying other options, though, I came across Windows Password Recovery.

I tested it on another computer and it did give me 2 of the passwords (well, the first 3 letters/numbers, as it's in trial mode).


On reading up a bit more, it seems Enterprise is not as easy to do because it is not mainstream like the Pro and Home versions that most people have; it's basically Windows 10 Pro with extras.

Enterprise:

Windows 10 Enterprise provides all the features of Windows 10 Pro, with additional features to assist with IT-based organizations.
