If you can still boot the OS, the BIOS ROM can be exported, dumped, and decoded to recover the password.
Export ROM
Use the official BIOS utility from AMI: https://www.ami.com/bios-uefi-utilities
I used Aptio V AMI Firmware Update Utility, specifically AFUWINGUIx64.EXE for my system. When run, it looks like this:
Click "Save" to export the BIOS ROM file to disk.
Dump ROM
Use UEFITool's UEFIExtract: https://github.com/LongSoft/UEFITool/releases
I had trouble with the windows version, so I ran UEFIExtract_NE_A72_x64_linux.zip in WSL instead:
./uefiextract afuwin.rom dump # produces afuwin.rom.dump folder
Decode Password Hashes in Dump
Execute the Python script below:
"""Decode AMI ROM dump to recover BIOS UEFI password
Usage: python decode_ami_rom_dump.py afuwin.rom.dump
"""
import itertools as it
import math
import sys
from pathlib import Path
AMI_KEY = 0x5B93B62611BA6C4DC7E022747D07D89A332E8EC1E95444E89F7BFA0E55A2B0350BC9665CC1EF1C83
bytelen = math.ceil(AMI_KEY.bit_length() / 8)
def pw_hashes(body: bytes):
blocks = it.pairwise(range(0, len(body), bytelen))
pw_hashes = (int.from_bytes(body[s:e]) for s, e in blocks)
yield from filter(None, pw_hashes)
def decode(pw_hash: int):
return (pw_hash ^ AMI_KEY).to_bytes(bytelen).decode('utf-16')
rom_dump_dir = Path(sys.argv[1])
bodies = [p / 'body.bin' for p in rom_dump_dir.rglob("*AMITSESetup")]
all_pw_hashes = {h for b in bodies for h in pw_hashes(b.read_bytes())}
for pwh in all_pw_hashes:
print(decode(pwh))
Sources:
