[Problem] MSI ZH77A-G43 BIOS Recovery (incl. serial numbers)

Vincent12 · March 7, 2020, 12:51pm

I’ve deleted the other attachments, so that it’s not confusing.

Just take in post #19 the remaining one: MSI_ZH77A_G43_1.A0_MFlash_reflashed-FW_EEPROM-Backup_TL866II_Plus_-Verify-OK.zip

Extract the zip.
Then could you do the hexediting the MAC into the .BIN file?
=> 8C 89 A5 A1 93 E9

Then repack it to zip.

And after that could you attach this?

Later then I’ll compare with mine, if identical.

If not identical I’d look to find out why, and/or I’d ask back how you did it.
—

Lost_N_BIOS · March 7, 2020, 1:03pm

OK, I will get on this for you tonight

* Edit - @Vincent12 - Here, I think you had it right when you did before too! Do edit via direct hex only on BIOS as a whole, otherwise padding file can be removed
http://s000.tinyupload.com/index.php?fil…508511830040415

Vincent12 · March 8, 2020, 4:04pm

Just compared your hexedit with mine.
Checksum certainly would match actually between my hexedit to yours, as same offset positions I used like you,
if I had just told you entirely correct MAC you using that (my mistake)

(I had told you wrong MAC at post #21, sry)
Wrong: 8C 89 A5 A1 93 E9
This one is correct 8C 89 A5 E1 93 E9

But I used right MAC in the hexediting. I also had written wrong MAC within the long text string in post #19, but at correct psoition (see edit history), just have corrected in #19, (but won’t at #21).
—
So all in all everything is correct (principially) actually, could I reflash the (1A-MFlash-reflashed)-dump hexedited with the MAC with my ext. programmer?
Then after that I’d use MFlash to flash your mod with the CPU-microcodes, LAN update etc, you gave me in ealier post?

Maybe unlocking FD is not so important to me, as I can use ext. programmer with ICSP with the SOIC-clip/clap reliably on this board anyway, and maybe a locked FD could be a good security measure.
—

I also had attempted repairing an SOIC test/clip/clamp, with a thin nail (ca. 0.5-1mm max. thin) pushing the brass contact a bit up,
to reach and grab the brass contacts better and more easily with some small plier tool and pulling the brass contact from the clamp ca 1mm back to its original position. Works like a charm:)

I used such as a plier tool:
https://www.amazon.com/-/de/dp/B0001P0C0…=ÅMÅŽÕÑ&keywords=KNIPEX+26+22+200+Flachrundzange+mit+Schneide+(Storchschnabelzange)+schwarz+atramentiert+mit+Mehrkomponenten-Hüllen+200+mm&qid=1583686144&sr=8-1-fkmr1

Works likea charm with that smaller tool and the tiny nail, in case you’d need a tip to repair a SOIC/SOP-test-clip/clamp

Lost_N_BIOS · March 8, 2020, 9:52pm

Yes, you can program in BIOS as we fixed it about the MAC. Then M-Flash after any ucode/LAN updated BIOS etc, the MAC will remain in place and you don’t need to program in that kind of BIOS mod. You may need to rename file to stock name.extension for M-Flash to take it, but not always.
About unlocking FD, you can easily do that before you program in the MAC Fix BIOS, it’s easy and you can do the edit I’m sure See the thread below, look at spoiler #2 in section “B”, image #1 - Never mind, in the file I sent you FD is already unlocked, so one of us must have done previously

You should consider better clamp, Pomona 5250 wont need repair for LONG Time, it’s mich higher quality clip and last long time (but pricey $15-18 usually)

Vincent12 · June 26, 2020, 10:24pm

Sry for delayed response. Just want to let you know. Only tested MMTool one, you recommended to do first. Your modded file works, boots fine.

I’d like to ask s.th. about another baord. But I’m noot too much in hurry, it’s not so important as I can “circumvent” it.

And I don’t want to take advantage of s.b. just because I got him donation etc. nor to give him bad conscience.

Just if you should have time and if not too much to do propably for others, for now, in case if were interested, tell me, I’d ask back, otherwise it’s not so important etc.

Lost_N_BIOS · June 27, 2020, 8:23am

@Vincent12 - No worries about late reply, I am ALWAYS buried, behind, and extra late, so I know how it is
Good to hear the BIOS is working well!

No problem about other BIOS, not sure what you mean up there, but you wouldn’t be taking advantage of me, it’s OK
Let me know the model and the issue and I’ll try to help

Vincent12 · June 27, 2020, 1:31pm

I mentioned about Foxconn H61M-S (AMI Aptio 4), about removing BIOS-Administrator-password from firmware-image.
Booting and Quick-Bootmenu is possible, for entering firmware-setup it asks for the Admin-BIOS-password.

So far with help of my father we managed to find out the location (/and/or a 2nd location) where BIOS-password is stored (encrypted) with help of this guide.
https://gist.github.com/en4rab/550880c09…bf3039e3c8ab6fd
Recovering the BIOS password from a Panasonic CF-U1 mk2 (AMI Aptio UEFI)

We also find out that blancing BIOS password (via hexedit), refalshing image, for entering setup, it still wants Admin-password…
We found out the password: IA4KD
It seems to be a standard-BIOS-password, used by BOSCH company, after doing a google search for “IA4KD”.
The mainboard was purchased from ebay, 2nd hand, and at BIOS-BOOT splash-logo it shows “beissbarth”.
https://www.beissbarth-online.com
—
SO “IA4KD” is accepted and can I get into Setup now, and clear the Admin-password, with changing password option in Setup, typing in when asking for old password+return, new password (leaving field blanc) +return, again return as confirmation.

After I cleared password, I shut off PC,
and made a 2nd dump with external programmer. In C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)" the coded password area gets blanc aftter cleared the password.

The Admin-password is cleared, but only temporarily.

When attempting a CMOS-reset or putting out battery, I have to redo the procedure or just enter “IA4KD” to get into the setup.

After Password got back automatically after CMOS reset and PC booting freshly, we found the password area in C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup) is filled again with the old coded password.
So it appears firmware has stored the password at 2nd location, and after CMOS reset it copies the password back to C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup) from backup area.
Afaik we did a hex search in the BIOS file, for the old chiffred password , but we didn’t find it in hexeditor.
Maybe I used the original file, but forgot to search on 2nd dump after cleared password.
Maybe the firmware shifts the password from C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup) to another area while it acts as inactive.

Overwriting EEPROM with a stock firmware also clears the password, but Foxconn has shut off his Download-servers since severals months, and on Internet I only get, are older versions and for non-OEM -HM61M-S board, booting also, but they behave more buggy than the original B93F1T02 one. B93F1T02 and newer ones are not available on internet, or pürobably just dubios 3rd party-pages wanting money for Download.

This is not very serious at all. But if you maybe have an idea, or in which direction to look further, would be cool.
But anyway we’re not sure if was possible to clear the password fully, and even if, it’s probably very difficult, at least for for us,
but you have more experience to do that.

Attachment: Foxconn_H61M-S_-Original-FW_B93F1T02_EEPROM-Backup_-gut_ausgelesen_-Password.zip
—
Foxconn_H61M-S_-Original-FW_B93F1T02_EEPROM-Backup_-gut_ausgelesen_-Password.BIN

->UEFITool_NE.exe
->Open Image File ->“Foxconn_H61M-S_-Original-FW_B93F1T02_EEPROM-Backup_-gut_ausgelesen_-Password.BIN”
->Intel Image ->BIOS Region
->EfiFirmwareFileSystemGuid
->NVRAM
->C811FA38-42C8-4579-A9BB-60E94EDDFB34 (AMITSESetup)
->right klick “Body hex view…”
“Body hex view…”: Offset 0x28 <->0x4F
(Before Offset 0x28 there are just much zeros (USER-Password is NOT set)
From Offset 0x28 <->0x4F : No zeros and no FF : (=Admin-Password is set)
—

“So Xoring the above encoded password “Body hex view…”: Offset 0x28 <->0x4F” (=0x28 bytes (including offset 0x28 and 0x4F =40 dec. Bytes =80 digits)
(here)
12 93 F7 26 25 BA 27 4D 83 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35
0B C9 66 5C C1 EF 1C 83

"…with"
(so from leaked XOR-key from AMI Aptio BIOS) 80 digits - (here just use the front 80 digits (dez.) (0x50 digits) for XOR-operation):
5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 <==(32 Bytes =64 digits)
0B C9 66 5C C1 EF 1C 83 <==(08 Bytes =16 digits)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
(full leaked XOR-Schlüssel used on some AMI Aptio - 128 digits, (0x80)
(here for me only use the forward 80 (dec.) hex-digits (40 Bytes =0x28 Bytes) of 128 hex-digits (64 Bytes =0x40 Bytes) from leaked full XOR-Key:)
5B 93 B6 26 11 BA 6C 4D C7 E0 22 74 7D 07 D8 9A 33 2E 8E C1 E9 54 44 E8 9F 7B FA 0E 55 A2 B0 35 <==(32 Bytes =64 digits)
0B C9 66 5C C1 EF 1C 83 77 16 D2 A9 2D 3D 88 D0 E3 63 3E F7 99 8A F4 1D 4F B1 AA 44 05 D8 60 6B <==(32 Bytes =64 digits)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

“gives…” (here for me) - result =>http://xor.pw/
49 00 41 00 34 00 4B 00 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00

Administrator-Password (Hex):
49 00 41 00 34 00 4B 00 44 00
(The “00” in between and after, probably can be ignored.
-
https://www.rapidtables.com/convert/number/hex-to-ascii.html

HEX → ASCII:
49 =I
00 =NUL
41 =A
34 =4
4B =K
44 =D

Administrator-Password (ASCII):
IA4KD

(all in upper case letters)

The Administrator-Passwort “IA4KD” does work!
The setup also accepts the password in upper- and lower-case letters.

--------------

Foxconn_H61M-S_-Original-FW_B93F1T02_EEPROM-Backup_-gut_ausgelesen_-Password.zip (1.89 MB)

BIOS123 · April 23, 2021, 12:00pm

Hello

You have found the password for your bios, well done.

I have an asus F402NA bios but there is no password with UEFI tool but when I reflash the bios request administrator password, look for me where the password is.

thank you.