[FAQ] IBM ThinkPad Unlock Supervisor Password

allservice
Posted: Wed Nov 10, 2004 8:50 pm    Post subject: [FAQ] IBM ThinkPad Unlock Supervisor Password

updated: October 2006

Hi everybody,

Because so many of you need this I decided to publish here the whole story.

1. Introduction.
As you may know, IBM ThinkPads use a small eeprom (ATMEL 24RF08) to store various OEM data such as the serial number, UUID, etc. The supervisor password (SVP) is also stored in this little chip. So anybody can figure out that they need to read the eeprom in order to find the password string. The first problem is that the 24RF08 is not an ordinary eeprom. The second is that the password is written in a special scan code.
To read this properly you need software (and an interface) specially designed for this eeprom.
The software is R24RF08 (eeprom reader) and IBMpass (password decoder).

The password recovery procedure is detailed below. Both R24RF08 and IBMpass are needed. Also, for TPs using a TCPA security chip to encrypt the passwords, the eeprom writer W24RF08 is needed to complete the unlock procedure.

IBMpass works for absolutely all TP models. The following ThinkPad models are based on the 24RF08 eeprom and must be accessed only with the 24RF08 programming tools mentioned above:


-240, 240X
-390E, 390X
-570, 570E
-600e, 600X
-770Z
-A20m, A21e, A21m, A22m, A30, A30p, A31, A31p
-G40, G41
-R30, R31, R32, R40, R51
-Transnote, T20, T21, T22, T23, T30, T40, T40p, T41, T41p, T42, T42p
-X20, X21, X22, X23, X24, X30, X31, X40, X41

Also newer models may use the same eeprom. Other ThinkPad models such as the 380XD or 600 use 24C01 or 93C46 eeproms, which are ordinary parts and can be read with anything you want. The method is the same as for the models based on the 24RF08, only the software to dump the eeprom is different.

T43, R52, T60, Z60, R60 and other new models use special built-in TPM chips or embedded controllers to store the SVP. The unlock procedure can be done in the same manner but the software needed is RPC8394 (TPM chip reader) and WPC8394 (TPM chip writer).

2. Locating the eeprom. Soldering.
No need to unsolder the 24RF08 eeprom, just solder 3 wires to the SDA, SCL and GND pins of the eeprom. There are two eeprom layouts (see the interface schematics described below), corresponding to the 8 pin or 14 pin eeproms. Locate the eeprom first according to your model (e.g. T20-23 and T30 have the eeprom underneath and it can be accessed by removing the RAM modules cover, no need to dismantle the laptop) and solder the wires using a soldering iron with a fine tip. You can use 0.15 - 0.20 mm enamel coated wires or similar small diameter insulated wires. These wires will be connected later to the interface.
Tip: You can use clips to connect the wires or you can solder on the PCB traces leading to the eeprom pins. The GND wire can be attached to the laptop GND elsewhere in most cases.
Once again, be careful and double, triple check the soldering if necessary till you are positively sure you have done the right job.

3. Choose and build the interface.
Since version 2.0, R24RF08 and W24RF08 are compatible with a wide range of eeprom programmers. By default, both programs set the COM port signals to use direct logic levels to access the I2C bus. We provide here 2 schematics that are relevant for direct logic signals and for inverse logic signals (simple-i2cprog.pdf and driven-i2cprog.pdf). Also, depending on the interface you build, you can invert the logic for the SDA-In, SDA-Out and SCL COM port signals with some command line parameters described later in this document.

a) The file simple-i2cprog.pdf contains the schematic diagram of a simple interface (known as SI-PROG) based on 2 zeners and 2 resistors. This is a classic, easy to build circuit and works with soldered or unsoldered eeproms. The purpose of the 2 zeners is to convert RS232 levels (+/- 5~10V) to the TTL ones needed by the eeprom. It uses direct logic signals to the I2C eeprom and is powered by the COM port. This interface works with in-system eeproms but is dependent on the COM port current and the eeprom bus impedance. R24RF08 works natively with this circuit, no need to change the line signals with command line parameters. This circuit works pretty well with almost all ThinkPad series.

b) The second interface is described in driven-i2cprog.pdf. The circuit uses a MAX232 as an RS232 to TTL driver and its main purpose is to work with soldered eeproms. The advantage of the MAX232 is its TTL outputs, which are more reliable and more powerful when working with soldered, in-system eeproms (no dependency on the COM port current). Because of the internal inverters of the MAX232, the interface responds to inverse signal logic levels. R24RF08 needs the /x, /d, /i switches to be specified on the command line.

What these switches mean:
/x - invert serial clock, also known as SCL;
/d - invert serial data output, also known as SDA-Out;
/i - invert serial data input, also known as SDA-In.

All those can be used in any combination to meet the interface specification.

Note. The two schematic diagrams, simple-i2cprog.pdf and driven-i2cprog.pdf are included with R24RF08/W24RF08 kits.


4. How is it working:
Prepare your technician PC by connecting the interface to the COM1 port (don't connect the wires to the eeprom yet). Turn on the ThinkPad and press F1 to enter BIOS Setup. When you are prompted for the password and there's no other activity like HDD access or so, connect the wires (GND first!, SDA, SCL) to the corresponding wires from the interface (attached before to COM1) and execute R24RF08:

-for the SI-PROG interface (as described in 3.a above):
r24rf08.exe <filename.ext>, where filename.ext is the file where the eeprom content will be stored.
Example: r24rf08 mytp.bin

-for the MAX232 driven I2C interface (as described in 3.b above):
r24rf08.exe <filename.ext> /x /d /i, where /x /d /i are the command line parameters (switches) for this kind of interface.
Example: r24rf08 mytp2.bin /x /d /i

Use exactly the instructed switches to avoid possible damage to your eeprom data!

The file will be created in the same folder. Finally, disconnect the wires (GND last!) and turn off the ThinkPad by pressing the on/off switch.

5. Reveal the password.
Now you have the .bin file, but you need to decode the scancodes to retrieve the password. IBMpass 2.0 Lite is a free tool that I wrote specially for this job. Just open the eeprom dump you've created before and look at the 0x330, 0x340 lines. The password is located at 0x338 (and 0x340 depending on the model) in scancode. For 24C01 eeproms the password is located at 0x38, 0x40. If the password doesn't work the very first time then your eeprom may use newer IBM encryptions. In this case switch to the alternate scancodes to find it. For those who want quick answers the recommended version is IBMpass 1.1.

Usage for IBMpass 1.1 (command line only):
ibmpass mytp.bin
use the /a switch to see it in the alternate scancode if needed:
ibmpass mytp.bin /a

For some old models like the 570 or 770Z you need to execute the eeprom patcher first. This will reset the read protection on the password offset. To do that just execute patcher.exe before the reading operation, without rebooting the laptop:

-for SI-PROG:
patcher.exe, then immediately
r24rf08.exe <filename.ext>

-for Driven-I2C (MAX232) you must insert the switches:
patcher.exe /x /d /i, then immediately
r24rf08.exe <filename.ext> /x /d /i
W24RF08, the writer version, includes the complete APP reset operation, so you don't need to use the patcher.


There is also a new encryption algorithm used with some new security chips. The password is not in scancode and in some cases not even in the eeprom. To unlock the machine, the dump must be modified and the eeprom must be reprogrammed using W24RF08. This operation works for all IBM TCG/TCPA secured laptops without exception.

For further information regarding the usage of W24RF08, download and install the program first, then read carefully the file CRC_repair.pdf.


Remember, use 3 wires from the interface and 3 wires from the eeprom! Connect them after your ThinkPad is powered on and disconnect them right after you read the content, before you switch off the laptop.

Good luck!


Last edited by allservice on Sun Oct 29, 2006 12:56 am; edited 23 times in total
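Sections 3 and 4 of the FAQ above describe the interface as three COM port signals (SCL, SDA-Out, SDA-In) bit-banging the I2C bus, with the /x /d /i switches cancelling the MAX232's inverters. The following is an added Python example, not R24RF08's code and not the kit's schematics: a small bit-banged I2C master talking to a toy model of a 24Cxx-style part, with the signal path modelled as logical level, port bit, interface (inverting or not), bus. It runs the exchange a sequential read needs: START, slave address with the write bit, one pointer byte, repeated START, address with the read bit, data bytes acknowledged by the master, STOP. Assumptions not taken from the post: the slave address 0x50 and the image contents; the slave model only does address selection, pointer writes and sequential reads.

```python
# Added example, not R24RF08's code: a bit-banged I2C master over three port
# lines plus a toy 24Cxx-style slave. Assumed: slave address 0x50, image contents.
class Eeprom24Cxx:
    """Toy slave: a written byte sets the address pointer; a read then returns
    bytes sequentially for as long as the master acknowledges."""
    def __init__(self, addr7, contents):
        self.addr7, self.mem = addr7, bytes(contents)
        self.drive = 1                     # open-drain SDA output: 1 released, 0 low
        self.state, self.prev_scl, self.prev_sda = "idle", 1, 1
        self.shift = self.nbits = self.ptr = self.bit = 0
        self.matched = self.reading = self.master_acked = False
    def observe(self, scl, sda):           # resolved bus levels after each master change
        if scl and self.prev_scl:          # SDA edge while SCL high
            if self.prev_sda and not sda:  # START (also a repeated START)
                self.state, self.nbits, self.shift = "addr", 0, 0
            elif not self.prev_sda and sda:  # STOP
                self.state, self.drive = "idle", 1
        elif scl and not self.prev_scl:    # SCL rising: sample SDA
            if self.state in ("addr", "write") and self.nbits < 8:
                self.shift, self.nbits = ((self.shift << 1) | sda) & 0xFF, self.nbits + 1
            elif self.state == "read_ack":
                self.master_acked = sda == 0
        elif not scl and self.prev_scl:    # SCL falling: time to drive SDA
            self._falling()
        self.prev_scl, self.prev_sda = scl, sda
    def _load_bit(self, bit):              # put bit `bit` of mem[ptr] on SDA
        self.state, self.bit = "read", bit
        self.drive = (self.mem[self.ptr] >> bit) & 1
    def _falling(self):
        if self.state in ("addr", "write"):
            if self.nbits == 8:            # byte complete: ACK during clock 9
                self.nbits = 9
                if self.state == "addr":
                    self.matched = (self.shift >> 1) == self.addr7
                    self.reading = bool(self.shift & 1)
                else:
                    self.ptr = self.shift % len(self.mem)   # pointer write
                self.drive = 0 if self.matched else 1
            elif self.nbits == 9:          # ACK clock over: release SDA
                self.drive, self.nbits, self.shift = 1, 0, 0
                if not self.matched:
                    self.state = "idle"
                elif self.reading:
                    self._load_bit(7)
                else:
                    self.state = "write"
        elif self.state == "read":
            if self.bit:
                self._load_bit(self.bit - 1)
            else:
                self.state, self.drive = "read_ack", 1   # master's turn: ACK or NACK
        elif self.state == "read_ack":
            self.state = "idle"
            if self.master_acked:
                self.ptr = (self.ptr + 1) % len(self.mem)
                self._load_bit(7)

class BitBangMaster:
    """Drives SCL and SDA-Out and reads SDA-In through an interface that may invert
    each line (MAX232: True, SI-PROG: False); x, d, i mirror R24RF08's /x /d /i."""
    def __init__(self, slave, interface_inverts, x=False, d=False, i=False):
        self.slave, self.hw, self.x, self.d, self.i = slave, interface_inverts, x, d, i
        self.scl_bus = self.sda_bus = 1
        self._scl(1); self._sda(1)
    def _scl(self, level):                 # logical -> port bit -> bus level
        self.scl_bus = level ^ self.x ^ self.hw
        self.slave.observe(self.scl_bus, self.sda_bus & self.slave.drive)
    def _sda(self, level):
        self.sda_bus = level ^ self.d ^ self.hw
        self.slave.observe(self.scl_bus, self.sda_bus & self.slave.drive)
    def _sda_in(self):                     # wired-AND bus -> port bit -> logical
        return (self.sda_bus & self.slave.drive) ^ self.hw ^ self.i
    def _start(self):
        self._sda(1); self._scl(1); self._sda(0); self._scl(0)
    def _stop(self):
        self._sda(0); self._scl(1); self._sda(1)
    def _write_byte(self, byte):           # True if the slave pulled SDA low on clock 9
        for n in range(7, -1, -1):
            self._sda((byte >> n) & 1); self._scl(1); self._scl(0)
        self._sda(1); self._scl(1)         # release SDA so the slave can ACK
        acked = self._sda_in() == 0
        self._scl(0)
        return acked
    def _read_byte(self, ack):             # SDA is already released by the caller
        value = 0
        for _ in range(8):
            self._scl(1); value = (value << 1) | self._sda_in(); self._scl(0)
        self._sda(0 if ack else 1)         # ACK = pull low, NACK = leave released
        self._scl(1); self._scl(0); self._sda(1)
        return value
    def read(self, addr7, offset, count):  # None = no ACK: wiring, inversion, or no part
        self._start()
        ok = self._write_byte(addr7 << 1) and self._write_byte(offset)
        if ok:
            self._start()                  # repeated START, then address with the R bit
            ok = self._write_byte((addr7 << 1) | 1)
        if not ok:
            self._stop()
            return None
        data = bytes(self._read_byte(k < count - 1) for k in range(count))
        self._stop()
        return data
```

With `Eeprom24Cxx(0x50, bytes(range(128)))` as the part, `BitBangMaster(part, interface_inverts=False).read(0x50, 0x38, 8)` is the SI-PROG case and returns the eight bytes from 0x38, the 24C01 password offset given in the FAQ. With `interface_inverts=True` and no switches (a MAX232 board driven as if it were SI-PROG) the same call returns None, because every clock and data edge reaches the bus inverted and the part never acknowledges; passing `x=True, d=True, i=True`, the equivalent of `r24rf08 file.bin /x /d /i`, makes the read work again. A wrong slave address fails the same way, which is what a missing ACK looks like at bus level.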
allservice
Posted: Fri Nov 26, 2004 2:47 pm

This post is for hwnd and others:
The zener diodes are for line protection purposes. Connect only with the anode on GND.
A zener acts like a rectifier when it is normally polarized and as a peak voltage clipper when it is reverse polarized.
A zener is typically connected between the line and GND with the anode on GND.
jusking
Posted: Fri Jan 21, 2005 3:50 am    Post subject: victory

hi everybody
The password of my ThinkPad 600 is PORTHO
I read my eeprom with comeep13; the schematics are in the software.
I decrypted the eeprom with cmospwd

All software is freeware

search on the web with google.

thanks for all
bye
allservice
Posted: Fri Jan 21, 2005 10:58 am

Well done!
Cmospwd is a good tool but supports only the classic IBM scan code.
I developed a free tool called IBMpass that can decrypt newer scancodes.
The software for reading/writing eeproms is specially designed for the 24rf08, meaning it can read exactly what is in the eeprom (without trash); it is tested on almost every TP based on the 24rf08 and is free as well.

The software you mentioned above is for the 24cxx eeprom series. For these eeproms a much better program is PonyProg. The dump you read has a lot of trash, but sometimes, with some luck, a program like this can read the first password offset well. As I said, the dump is not good.

Regards
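The decoding step from section 5 of the FAQ and from the reply above (classic IBM scan code versus newer scancodes), as an added Python example that is neither IBMpass nor cmospwd: it takes an eeprom dump, pulls the bytes at the offsets the FAQ gives (0x338/0x340 in a 24RF08 image, 0x38/0x40 in a 24C01 image) and maps them through the PC/AT set-1 keyboard scancode table, which is what "classic IBM scan code" refers to. Assumptions not taken from the thread: each slot is the 8 bytes up to the next offset, unused bytes are 0x00, and the image sizes are the parts' nominal 1024 and 128 bytes. The dump images are constructed, not read from a ThinkPad, and the "alternate" encodings of newer models are deliberately not handled: a '?' in the output means the slot is not classic scancode and the IBMpass /a mode is the next thing to try, not typing the result.

```python
# Added example, not IBMpass or cmospwd. Assumptions: password slots hold PC/AT
# "set 1" keyboard scancodes (the classic IBM scan code), a slot is the 8 bytes
# up to the next offset, unused bytes are 0x00. Sample images are constructed.
import sys

# Set 1 make codes for the keys a BIOS password is typed with (digits, letters).
SET1_SCANCODES = {
    0x02: "1", 0x03: "2", 0x04: "3", 0x05: "4", 0x06: "5",
    0x07: "6", 0x08: "7", 0x09: "8", 0x0A: "9", 0x0B: "0",
    0x10: "q", 0x11: "w", 0x12: "e", 0x13: "r", 0x14: "t",
    0x15: "y", 0x16: "u", 0x17: "i", 0x18: "o", 0x19: "p",
    0x1E: "a", 0x1F: "s", 0x20: "d", 0x21: "f", 0x22: "g",
    0x23: "h", 0x24: "j", 0x25: "k", 0x26: "l",
    0x2C: "z", 0x2D: "x", 0x2E: "c", 0x2F: "v", 0x30: "b",
    0x31: "n", 0x32: "m",
}
KEY_TO_SCANCODE = {ch: code for code, ch in SET1_SCANCODES.items()}

# Password offsets from the FAQ, with each part's nominal capacity
# (24RF08: 8 Kbit = 1024 bytes, 24C01: 1 Kbit = 128 bytes).
LAYOUTS = {
    "24RF08": {"size": 1024, "offsets": (0x338, 0x340)},
    "24C01": {"size": 128, "offsets": (0x38, 0x40)},
}
SLOT_LEN = 8


def decode_scancodes(raw: bytes) -> str:
    """Map a run of set-1 scancodes to text, stopping at the first 0x00 pad byte;
    a byte outside the table becomes '?'."""
    text = []
    for b in raw:
        if b == 0x00:
            break
        text.append(SET1_SCANCODES.get(b, "?"))
    return "".join(text)


def extract_candidates(dump: bytes, eeprom: str) -> dict:
    """Decode every password slot the FAQ lists for this eeprom type. A short
    dump means the read was incomplete (bad wiring, no ACK), so refuse it."""
    layout = LAYOUTS[eeprom]
    if len(dump) < layout["size"]:
        raise ValueError(f"{eeprom} dump is {len(dump)} bytes, expected {layout['size']}")
    return {off: decode_scancodes(dump[off:off + SLOT_LEN]) for off in layout["offsets"]}


def plausible(candidate: str) -> bool:
    """Worth typing at the prompt only if every byte mapped to a key: a '?' means
    the slot holds a newer encoding (or junk from a bad read), not classic scancodes."""
    return bool(candidate) and "?" not in candidate


def build_dump(eeprom: str, password: str, slot: int = 0) -> bytes:
    """Constructed test image: zero-filled, with `password` encoded as scancodes
    in the given slot of the part's layout (no real ThinkPad data)."""
    layout = LAYOUTS[eeprom]
    image = bytearray(layout["size"])
    base = layout["offsets"][slot]
    for n, ch in enumerate(password.lower()):
        image[base + n] = KEY_TO_SCANCODE[ch]
    return bytes(image)


if __name__ == "__main__":
    # usage: decoder.py <dump.bin> [24RF08|24C01]
    with open(sys.argv[1], "rb") as f:
        dump = f.read()
    part = sys.argv[2] if len(sys.argv) > 2 else "24RF08"
    for off, text in extract_candidates(dump, part).items():
        tag = "classic scancode" if plausible(text) else "not classic scancode, try alternate"
        print(f"0x{off:03X}: {text!r} ({tag})")
```

`build_dump("24C01", "PORTHO")` produces the kind of image a ThinkPad 600 read would give for the password reported earlier in the thread, and `extract_candidates` on it returns "portho" at 0x38 and an empty second slot; an image of 0xFF bytes decodes to eight '?' characters, and a dump shorter than the part is rejected instead of being decoded into nonsense.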
klole
Posted: Thu May 19, 2005 11:03 am

Can I use Joe in Australia's schematic to read the 24RF08 with allservice's software?
allservice
Posted: Thu May 19, 2005 1:13 pm

No.
The schematic of the circuit is shown in i2cprog.pdf (download the kit and install it first). I might say that this is a very simple circuit.

Updated:
Actually, yes, since version 2.0. The /x /d /i command line parameters are needed as well:
r24rf08 file.bin /x /d /i


Last edited by allservice on Fri Jul 29, 2005 1:47 pm; edited 2 times in total
klole
Posted: Thu May 19, 2005 1:20 pm

allservice wrote:
No. My software works with a higher frequency on the I2C bus.
The schematic of the circuit is shown in i2cprog.pdf (download the kit and install it first). I might say that this is a very simple circuit.


I already made Joe's interface but I can't send money to him from Serbia.
I saw the interface. Is it possible to make a "CRC" error with this software?
allservice
Posted: Thu May 19, 2005 6:46 pm

Yes. I made a writer for the eeprom. I can also correct any bad checksum for the 24RF08 and will be pleased to help you, Mr Spliff.

Last edited by allservice on Sat Nov 19, 2005 11:22 am; edited 1 time in total
wooly
Posted: Sat Jun 11, 2005 6:30 am    Post subject: ibm thinkpad t23 password lock

Hello allservice, I just got done visiting your webpage, slightly hard to navigate because I do not know Spanish, although I am always mistaken for Hispanic. I have also been plagued with the IBM supervisor password lock virus. I have a T23, and I have printed and read Joe from Australia's how-to, along with his clever software that makes money. I am not an electronics guru, I would have to say I have never soldered anything in my life, but I recently bought this chip:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=51162&item=6775004925&rd=1&ssPageName=WDVW

I wanted to know your opinion on this, and if it's bogus. I spent $45.00 on it, and he also promised me to read the password from my eeprom - but after reading your posts here in the forum, I want to use your method instead. Can you please email me the schematics for the device, and the software? Thanks, from reading the posts it sounds like you have helped a lot of people. Also I was wondering if you sell an already made keymaker circuit. Thanks,

Here is my email:


fastandtheferocious@gmail.com

Henry
allservice
Posted: Sat Jun 11, 2005 9:25 am

The security chip is an eeprom that should replace yours.
It is obvious you don't need it, especially if you have never soldered anything in your life.
You can read the original eeprom and find the password by yourself.
Regarding my site, it is Romanian as far as I know.
Download R24RF08 and IBMpass from here, install R24RF08 and read carefully all the pdfs inside.

Hasta la vista!
serpent99
Posted: Tue Jun 28, 2005 8:49 pm

Hi Mr. Voinea, I built your interface and when I run r24rf08.exe it says no eeprom found. It outputs a bin file but there's nothing in it. I built Joe's more complicated interface and was able to use his software but I'm not having any luck with your schematic. I always screw up the simple things. Anyway, I didn't have any 5.1 volt zener diodes so I used some standard diodes in series that add up to about 5.2 volts, could this be my problem? Thanks for all your help.
allservice
Posted: Tue Jun 28, 2005 9:05 pm

The zener's purpose is to limit the voltage but also to protect the I2C bus from reverse current due to the fast switching frequency, so use zeners. Also the COM port must be able to switch the line. What TP model do you have there?
Just send a PM.
mac23
Posted: Thu Jul 28, 2005 9:15 pm    Post subject: ALLService to the rescue?

Allservice,

Yea, I've been trying since yesterday to download the IBMpass from your web site. http://www.allservice.home.ro/dl/index.htm It appears that your ISP is unresponsive. If you want to send me the file(s), I could mirror it on my site here in the US for a while.

I've been researching unlocking a Thinkpad for the last two days and yours seems to be the best option. I work for a school and apparently one of our loaner Thinkpads was locked by a student accidentally entering in the Supervisor Password and the HD password (are they created simultaneously?). I was able to get into the computer, but I wanted to do a clean install with the IBM Rescue & Recovery Disks. I've read that a low level format will remove the HD password, but it is much more difficult to remove the Supervisor Password. Yesterday I removed the CMOS battery, in hopes to clear the BIOS passwords, and now I am definitely locked out. It's showing the computer & padlock icon after the IBM Thinkpad splash screen.

I would really like to get this computer back to proper working order before school starts. I'm definitely learning a valuable lesson in setting BIOS passwords!
allservice
Posted: Thu Jul 28, 2005 11:02 pm

I have created a temporary mirror
http://home.ripway.com/2005-7/365678/
Hopefully the outside backbone of my ISP gets well soon. My apologies for this inconvenience.

Mac, to do a low-level format you must unlock the drive first. Till then you may spend about $100 to buy another one.
mac23
Posted: Tue Aug 02, 2005 11:15 pm

allservice wrote:
Mac, to do a low-level format you must unlock the drive first. Till then you may spend about 100$ to buy another one.


Thanks Allservice! The surrogate site worked great. No inconvenience, just wondering why I couldn't connect to your site. Speedy recovery to your ISP!

Actually I was mistaken, only the supervisor password is now set. The other password is the Access IBM password, which I believe can be set when a user changes his/her windows login password.

I was able to access the hard drive before, actually everything was working fine, but I just noticed I was locked out of changing the BIOS. It only gave me certain things that I could change and boot order was not one of them. (Does anyone know what this was? Is it Access IBM influencing the BIOS?) That's when I started this adventure. I pulled the CMOS battery and that got me deeper into this mess by resetting the time & date and requiring the supervisor password to unlock the system! Argh!

Thanks for your help! I'm a graphic artist turned support tech, gettin' dirty and learning a lot!
Digitalman
Posted: Fri Sep 02, 2005 3:19 pm    Post subject: Some helppp!!!

I have a TP600e locked with SVP; after reading the EEPROM (24RF08)
I found the password and fixed this problem, GREAT!!!!

BUT... Now I have a 188 ERROR (CRC ERROR)... NOOO!!!!
How can I fix this ERROR????
Maybe by updating the BIOS???
Please, can somebody send me a copy of that (.bin) or
tell me where I can find it?
Thanks!!!!!!
All times are GMT + 2 Hours
Page 1 of 7