just getting back to this, the unlocked bios is crippled there is no support for some of the hardware even tho the device works under the locked bios
I have compared the unlocked bios with the same bios with a supervisor password and even a 3 way compare with the oem bios dump
Next step is to work out where the various information is located on the chip, that should narrow down the password location as long as the bytes are not spread out
Its the same base model (CF-H2A Mk 1) I'm not sure how many variations there are but I don't see there being multiple bioses
Here's the unlocked dump and the same dump with the supervisor password set for comparison, according to ExamDiff there are 138 changes between files but comparing them to the oe dump is proving difficult.
Just poking around in these 2 files in ExamDiff Pro again and found it, FF filled 20 bytes @ 5B73A8 what is a nvar setting and it dropped the supervisor password now all I have to do is compare the OE dump fingers crossed
Well to draw this to a close, I have now got the OE bios fully working, It took a while and was a bit of a mare but I found a pattern in the hex near to the 'No asset tag' ansi text
02 01 0C 00 D0 41 03 0A 00
The 4 bios files I have been working with the original has a different layout so it does take some time to dig through
Hope this comes in useful to someone with a Toughbook a AMI Aptio bios/efi (2009 onwards)
thanks for the input
ps. All hardware is detected and the wwan card is fully functional
Sorry to bring back an old thread but I'm in the same situation as you were. I bought 4 cf-31 laptops off a government auction, one came looked. I have a SPI programer but it fails to read the eeprom while on the board. I tried turning it on without ram but still just fails to read. I'll have to unsolder it to get much further.
Now if I read what you did right you just FF the following hex?
"02 01 0C 00 D0 41 03 0A 00" I assume just means "enabled" as I found it repeated through out the bios right after a setting string. I never once found it near "No Asset tag" though.
The information in this thread is for the H2 Toughbook, there are plenty of unlocked bios for the 31 and they are simpler to hack - only just seen the notification in my spam folder tbh
Yeah I was trying to use the "No asset tag" as a locating marker as you suggested. I thought the two machines would be similar as they're from around the same generation and use the same AMI uefi bios types. I've never found any good info on hacking the CF-31 bios only people mentioning it. If you could point me in the right direction that would be amazing.
I have had to change some of my software so learning how the new one runs - I have a compare running the moment but its taking an age to sequence, Your bios is different to the one on the H2 the binary addresses and layout are very strange to me
Yours is a CF-H2P making it a newer mk3 model, it seems around 2009-2010 certain parts of the bios became dynamically written - this makes finding the passwords even more complex
I have discovered another method that I have applied to zanzee's bios above for a CF-31, I have no way of testing it other than waiting on zanzee's reply
Edit. just noticed the later models have a 16mb bios rather than the mk1/2 bios what is 8mb
This website uses cookies to manage authentication, navigation, and other functions. By using our website, you agree that we can place these types of cookies on your device.
You have declined cookies. This decision can be reversed.
You have allowed cookies to be placed on your computer. This decision can be reversed.
This website uses cookies to manage authentication, navigation, and other functions. By using our website, you agree that we can place these types of cookies on your device.