[Surface Pro 6] How to Remove/Bypass the UEFI Password?

Hello, I bought a Surface 6 Pro. The seller doesn’t remember the UEFI Password. I can enter it in read mode and it also seems the boot from usb is unlocked. But I have no access to advanced settings like switching camera on/off etc.
Long time ago i flashed a broken bios of a Lenovo Think Pad. But there i had to wire the chip on the motherboard connect it to a programmer and so on (used a guide to do this). So i hoped its maybe possible to do this with the surface pro 6 too.
The Problem is that I do not have access to the BIOS/UEFI chip (I don’t want to open the device. They are known for easily breaking screens)

My question now. Do I have any chance (without opening the device) to flash the BIOS/UEFI at stock or only a section of it so the UEFI password will be removed?

I read in another thread that via the Intel Management Engine it would be possible to flash the firmwares of this device. Does it mean that there is maybe a way to flash the UEFI too so it removes the UEFI password?
Like here: Help flashing bios on Microsoft Surface Pro 2


Edit by Fernando: Thread title shortened

Please create bootable USB drive with UEFI Shell & CHIPSEC - https://github.com/chipsec/chipsec/wiki/…with-UEFI-Shell
And run:
cd chipsec
python chipsec_main.py -m common.bios_wp


And I need result of MEInfoWin64.exe -verbose from Intel CSME System Tools v11

Thanks, It could take a moment until all is done :slight_smile:
Do you think there is maybe a way?

Update1:
MEInfo is uploaded :slight_smile:

MEInfoWin64 Surface Pro 6.txt (11.7 KB)

OK.
Make current BIOS dump by ftpw64.exe from Intel CSME System Tools v11:
fptw64 -bios -d bios.rom

And I still need CHIPSEC information.

Ok, im running chipsec on the surface. So far so good.
“python chipsec_main.py” is working. It runs the whole main stuff. But if i run “python chipsec_main.py -m common.bios_wp” it says "ERROR: Invalid module path: chipsec.modules.common.bios_wp"
On my USB stick there are 2 folders in the root directory:
-efi
-chipsec

In the chipsec folder are all files from mast-chipsec of githup: https://github.com/chipsec/chipsec

I try to get it working^^

Read attentively

Y i did all the steps above. idk whats wrong at the moment but running chipsec_main.py also runs the bios_wp module :slight_smile:
…hmm Bios write protection enabled …sounds not good :S

20200726_201729.jpg

Well.
BIOS is write protected and can be modified in SMM only.
It BIOS chip also has one protected range: 0x700000 - 0xFFFFFF
And Boot Guard is activated.

Now you need to learn how to use Read Universal in EFI shell.
Run RU.efi and press ALT-= to open list of UEFI variables.
Make a photo of results.

And I still need BIOS dump.

Ok, wow man nice!
Ok sry, y somehow i cant find ftpw64.exe in the downloaded Intel CSME System Tools v11. I’m loocking Forward to find it^^


Look in Intel CSME System Tools v11 r32\Flash Programming Tool\WIN64
P.S. You make too many elementary mistakes.

XD ups, typo, it’s FPTW64.exe. Found it …one Moment
One moment. bios.rom is over 6 mb. to large for upload

So my bios.rom file is there: https://1drv.ms/u/s!AnmfKZRphhvAkq8AppgebaDbvaWyuA?e=3pirSZ

Bios CMD Output.txt (485 Bytes)

OK. Dump is good.
-------------------

I’m waiting for RU.efi’s results (UEFI Variable List).
And I need a photo of the screen with password prompt and a photo of the screen when incorrect password was entered.

I’m running now ru.efi. works, im in :slight_smile: …but i have a german keyboard :D… Key “ALT-=” key combo isnt working… I keep looking to make it work
Update> ALT+C and then select "UEFI Variable "

RU.efi Variables.jpg

Password Input 1.jpg

Password Input Incorrect.jpg

Read PM.

Hi… i’ve got the same problem bought a SH surface pro 6 and i’ve realised that the battery not charging after 48% i suspect it is a setting from uefi bios but there is password protected and i don’t know it. I can boot from USB install OS . I can enter bios but only to see info and boot from usb. Can you help me please?

@MadMan1st
Can you run Read Universal in EFI shell?

sorry to hijack this thread , same problem having to me with surface 4 can its possible to unlock uefi password without open?

@cdma-india
Can you run Read Universal in EFI shell?

thanks for replay @DeathBringer now i am out of city i replay u when rech at office

Hi @DeathBringer I am trying to send you a PM to see if you could be so kind as to help me out. I’ve locked out my Surface Pro Bios, stupidly enough I’ve forgotten my Bios password. I still have access to Windows if that helps?
Thanks!