This tutorial provides a step-by-step guide to recover the BIOS password from an Asus VivoBook using a memory dump.
- Memory dump: obtain the memory dump of the BIOS using either a software method (as shown in the following writeup) or a hardware programmer.
- Hashcat: make sure Hashcat is installed for brute-forcing the password.
First, follow that writeup to obtain the memory dump and recover the BIOS password's hash.
Based on the format of the stored password value, there are several possible scenarios:
- 64 HEX digits: likely a SHA-256 hash of the null-padded password.
- 40 HEX digits: possibly a SHA-1 hash of the null-padded password; try adapting the explanation below to that case (no guarantee of success, I never tried it).
- Other lengths: could be a XORed value. Refer to this writeup for details on handling XORed passwords.
Convert Password to HEX
- Use a tool like RapidTables to convert the password to its HEX value. Note from the example that every character is stored as two bytes (UTF-16LE), so each ASCII character becomes its code followed by 00.
Example: password -> 700061007300730077006F0072006400
Pad the Password
- Pad the HEX content with 0000 for every missing character to reach the maximum password length (20 characters in my case for an Asus VivoBook X412D).
- The length of the padded HEX content should be 4 times the maximum password length (20), resulting in 80 characters.
Example:
- Padded HEX content:
700061007300730077006F0072006400000000000000000000000000000000000000000000000000
Hash the Padded Password
- Use a tool like FileFormat to hash the padded HEX password and obtain the SHA-256 hash. The hash must be computed over the raw bytes the HEX string represents, not over the HEX text itself.
Example: the hashes listed in the script below (for instance the one labelled 'password') are values of this form.
Hashcat can brute-force all combinations of the password padded with zeros. Below is a script that automates this process.
```bash
#!/bin/bash
# Hashes recovered from the BIOS dump (SHA-256 of the UTF-16LE, zero-padded password).
hashes=(
"d81aab5f68305093a48db651934332124d35f6fb1b8292bceb06912c4ec0efc1" # Example SHA-256 hash for 'QQQQ'
"3b0e248b71cd06d193c97422b695e5c419b45dc6b520bf414ead2c0336a7b7fd" # Example SHA-256 hash for 'eeeeeeeeeeeeeeeeeeee'
"a533a3987cb2994f3871dd3ca7ac57c15d21e1607d32ba224994ec8d349087a4" # Example SHA-256 hash for 'password'
)
# Generate one hash file per password length, with the zero padding as a hex salt.
# i is the number of hex zero digits (4 per missing character), so a password of
# length num plus i/4 padding characters always totals the 20-character maximum.
for i in {4..64..4}; do
    num=$((20 - i / 4))
    file="hashes_admin_c${num}.txt"
    : > "${file}"   # start from an empty file so re-running the script does not append duplicates
    zeros=$(printf '0%.0s' $(seq 1 "$i"))
    for hash_value in "${hashes[@]}"; do
        echo "${hash_value}:${zeros}" >> "${file}"
    done
done
charsets=(
"?d"       # Digits
"?d?l?u"   # Digits, lowercase and uppercase letters
"?d?l?u?s" # Digits, lowercase, uppercase letters, and special characters
)
# Iterate over the password lengths (length 4 to 19 here).
# Mode 1430 is sha256(utf16le($pass).$salt); --hex-salt makes hashcat decode the zero salt as bytes.
for length in $(seq 4 19); do
    for charset in "${charsets[@]}"; do
        echo "Running hashcat for length ${length} with charset ${charset}"
        hashcat -m 1430 -a 3 -O -1 "$charset" --hex-salt "hashes_admin_c${length}.txt" \
            --increment-min="${length}" --increment-max="${length}" -i \
            "?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1"
    done
done
```
If your keyboard is not QWERTY, the password is most likely still stored as if it were typed on a QWERTY layout. For example, if you enter AAAA as a password using an AZERTY keyboard, it will be stored as QQQQ in memory.
The password is padded before hashing, which is why you have to supply the padding as a salt when cracking it: hashcat mode 1430 computes sha256(utf16le($pass).$salt), so the zero salt takes the place of the padding. The script does this by generating one hash file per password length, each with the correct salt length, so that password plus salt always totals 20 characters. You don't have to pad anything yourself; just put your hash in the hashes array.
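As an added example that is not part of the original writeup, the following Python reproduces the convert, pad and hash steps above and shows why the script's zero salts with hashcat mode 1430 are equivalent to hashing the padded password directly. It assumes the 20-character maximum of the author's VivoBook X412D; other models may differ.

```python
import hashlib

# Assumption: 20-character maximum, as on the author's Asus VivoBook X412D.
MAX_LEN = 20


def utf16le_hex(password: str) -> str:
    """Encode the password as UTF-16LE and return uppercase hex, e.g. 'p' -> '7000'."""
    return password.encode("utf-16-le").hex().upper()


def padded_hex(password: str, max_len: int = MAX_LEN) -> str:
    """Append '0000' for every missing character so the result is 4*max_len hex digits."""
    if len(password) > max_len:
        raise ValueError("password longer than the firmware's maximum length")
    return utf16le_hex(password) + "0000" * (max_len - len(password))


def padded_sha256(password: str, max_len: int = MAX_LEN) -> str:
    """SHA-256 over the raw padded bytes (not over the hex text), as the dump stores it."""
    return hashlib.sha256(bytes.fromhex(padded_hex(password, max_len))).hexdigest()


def script_salt(length: int, max_len: int = MAX_LEN) -> str:
    """Hex salt the bash script writes into hashes_admin_c<length>.txt: 4 zero digits per missing character."""
    return "0" * (4 * (max_len - length))


def hashcat_1430(password: str, salt_hex: str) -> str:
    """Hashcat mode 1430: sha256(utf16le($pass) . $salt), with --hex-salt decoding the salt."""
    return hashlib.sha256(password.encode("utf-16-le") + bytes.fromhex(salt_hex)).hexdigest()


def matches(dumped_hash: str, candidate: str, max_len: int = MAX_LEN) -> bool:
    """Check one candidate against a hash extracted from your own BIOS dump."""
    return padded_sha256(candidate, max_len) == dumped_hash.lower()


if __name__ == "__main__":
    # Constructed sample: walks 'password' through the steps from the writeup.
    print("padded hex:", padded_hex("password"))
    print("padded sha256:", padded_sha256("password"))
    print("same via mode 1430:", hashcat_1430("password", script_salt(8)) == padded_sha256("password"))
```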