ALLservice Service Forum
support board, PC repair, unlocking solutions
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

[Practice] Making it work.
Goto page 1, 2, 3  Next
 
Post new topic   Reply to topic    Service Forum Forum Index -> IBM/Lenovo ThinkPad Password Help Center (EN)
View previous topic :: View next topic  
Author Message
wolfman
Interesat


Joined: 24 Nov 2005
Posts: 13
Location: Southwest USA

PostPosted: Sat Dec 10, 2005 8:09 pm    Post subject: [Practice] Making it work. Reply with quote

An old guy's interpretation of Victor's driven circuit diagram into a working breadboard.

PDF of breadboard interpretation

Picture of breadboard

Bottom of T22 showing eeprom chip with wires soldered

Close up of 24RF08 chip with SDA SCL GND wires soldered on

Center close up of breadboard

Main wiring area of breadboard

Test lead connection area


I used a breadboard for ease of wiring and figuring the circuit out. It took a few tries; been over four decades since I built a ham radio from scratch. I had a friend with a steady hand and fine-tipped iron solder on the wires to the 24RF08. (Note that the ground wire doesn't have to be soldered to the chip; you can clip to anywhere grounded metal on the frame.) I used fine Kynar coated magnet wire to go to the chip, taped it down, and then re-inserted the memory chips and gently put the door cover in place. The laptop needs to be right side up for the final steps <grin>.

I used mini-grabber test leads to go from the breadboard to the leads from the 24RF08. They have very secure clips. Since their connection wires are stranded and the board wires are solid, I used the binding post connectors on the Twin Industries breadboard to connect them to jumpers from the board.

To connect to the serial port, I just cut the end off an old modem cable, stuck pins in the holes until I found which wires matched up with the four that were needed, and then soldered solid jumpers to these wires. This way I had a nice long cable with a good connection at the port end. Also, my cable plug was conveniently numbered (needed magnifier).

Note that the sequence is, connect the serial port, power on the 5V circuit, power up the laptop, connect the test leads to the wires from the security chip, run r24rf08.exe. Be sure to follow all of Victor's other cautions and instructions.

I'm sure there are lots of ways to realize Victor's design (which he modestly says is "just a classic max232 usage diagram" into a working circuit, and this surely may not be the best one. However, it did work for me, successfully reading the contents of the AT24RF08 security chip from my T22. Then the IBMPass2.exe read the .bin file and translated the scan code and gave me the correct supervisor password.

I can't say enough for Victor's generosity and skill. Like many, I searched the net for a solution to get into my laptop after the CMOS battery died. Having his circuit diagram was great; I hope someone will benefit from seeing how this old guy translated it into a working design.

Parts. Of course there are many sources. Here are the part numbers for the ones I used, purchased from Digikey, web-tronics, and radio shack:

MAX232ACPE-ND MAXIM 232A

Twin Industries 438-1047-ND BREADBOARD

1N4148FS-ND DIODE

OD472J-ND 4.7 K OHM RESISTORS

23PP410 .1uf polypropylene capacitor

MiniGrabber Test Lead Set/Deluxe Heavy Duty Set(M000F0004)

Enclosed 4 AAA Battery Holder Model: 27-411 Catalog #: 270-411

DB9 female cable -- spare from the parts box




Useful links: Soldering Guide

Dallas Maxim Chip Tutorials

Dallas Maxim Spec Sheets

AT24RF08C Manufacturer's datasheet

Lessons in electronic circuits

The Electronics Club at Kelsey School. Lots of good info on theory and practice.
Back to top
View user's profile Send private message
LenFischer
Nou Venit


Joined: 25 Jan 2006
Posts: 2

PostPosted: Thu Feb 16, 2006 10:20 am    Post subject: I think Diodes D1 and D2 are shorted out in the breadboard Reply with quote

Based on my understanding of how these plastic breadboards work, I think that diodes D1 and D2 are just shorted out above a breadboard "wire" and not really in the circuit with the breadboard layout as shown. It's that way on the PDF breadboard diagram and in the picture as well, but not in the schematic.
Back to top
View user's profile Send private message
basscleff
Interesat


Joined: 27 Mar 2006
Posts: 19
Location: Canada

PostPosted: Thu Apr 06, 2006 5:28 pm    Post subject: Reply with quote

thx for the post, can we get some of the photos updated, the links are dead.
Back to top
View user's profile Send private message
wolfman
Interesat


Joined: 24 Nov 2005
Posts: 13
Location: Southwest USA

PostPosted: Fri Apr 07, 2006 4:29 pm    Post subject: thanks for the tips Reply with quote

Thanks for the tip on the diodes; I'll check it out. All I know is the the board as pictured worked just fine on my T22. I'll confirm with Victor and revise as needed and put up new diagrams/pics if revisions necessary.

On the links, I don't know why they just went dead. If I can't get my hosting site working I'm going to send them to Victor so he can host them off of this site. Sorry for any confusion/delay.
Back to top
View user's profile Send private message
basscleff
Interesat


Joined: 27 Mar 2006
Posts: 19
Location: Canada

PostPosted: Fri Apr 07, 2006 5:07 pm    Post subject: Reply with quote

thx for the pictures, it helps. I've been having a heck of a time, trying simple and driven. Your photos were a great help though.

I've been trying to mold some sort of a cap to fit on top of the chip with 3 pins (or needles) to make the connections without soldering. Just put the mold on, press down and then remove it Smile Can't find the exact type of material that will make a good negative impression of the chip. Then oke the needles through it at the right locations of course.
Back to top
View user's profile Send private message
wolfman
Interesat


Joined: 24 Nov 2005
Posts: 13
Location: Southwest USA

PostPosted: Mon Apr 10, 2006 4:59 am    Post subject: links fixed; cap to connect to security chip Reply with quote

The links are fixed.

There is indeed an error in the diodes; Victor will post an explanation; I'll fix the drawings.

About a cap--3M makes testing clips for many IC chips that do just what bassclef proposes, but I searched many electronic catalogs and was not able to find one small enough for the 24RF08. Search IC test clip and see what you find--it is an attractive idea. Another thought is to take a six pack of good beer to a skilled soldering guy (or gal) and offer to trade for the three connections you need!
Back to top
View user's profile Send private message
basscleff
Interesat


Joined: 27 Mar 2006
Posts: 19
Location: Canada

PostPosted: Mon Apr 10, 2006 5:12 am    Post subject: Reply with quote

I'm going to attempt the cap tomorrow. I'll update all with my results.
so far i am using the "tack" stuff you use to stick pictures to the wall.
It seems to make a good negative impression. I put it in the freezer for a few minutes to make sure it retains its shape, but i don't think its going to work if the chip gets heated, then it will be like bubble gum.
Back to top
View user's profile Send private message
rkawakami
Interesat


Joined: 16 Apr 2006
Posts: 26
Location: San Jose, CA USA

PostPosted: Tue Apr 18, 2006 7:09 am    Post subject: My success story with a 600X Reply with quote

Victor and Bob have requested that I post my story of successfully reading the supervisor password from a 600X (2645-9FU) in this thread. The complete details (with lots of pictures!) are available at:

http://www.rkawakami.net/ibm_600x/bios_pass/

The short version is here:

Got the laptop off of eBay for CHEAP. Had seen this forum previously and decided to give the R24RF08/IBMPASS2 procedure a try. Built the MAX232 driven interface on a small breadboard, used another one of my 600X laptops as the reading/decoding machine. Spent a LOT of time trying to figure out where the Atmel 24RF08 EEPROM was. With a confirmation of my guess that the EEPROM was on the back side of the motherboard, tore the laptop completely apart, located the little bugger, soldered the three wires to the board, partially re-assembled the laptop and ran the two pieces of software which gave me the CORRECT supervisor password. The laptop is now fully back together. System clock has been accessed in BIOS and correctly set (no more 161 and 163 errors). Supervisor password has been REMOVED. It has run several memory diagnostic checks and passed. It has booted a spare WinXP hard drive that I had laying around (and triggered the Windows Product Activation "feature", bah!).

My thanks and "tip of the hat" goes to Victor for posting this information. It does work. It does require some degree of skill in taking apart the laptop and in constructing the interface circuit, but it is worth it.

Ray

Staff Note:
Excelent review with good pictures and very well written. We strongly suggest anyone to read it. You'll find a lot of details that would help you understand better the procedure and avoid making mistakes. Victor.
Back to top
View user's profile Send private message
Ricardo
Nou Venit


Joined: 09 Apr 2006
Posts: 5

PostPosted: Tue Apr 18, 2006 10:24 am    Post subject: Re: My success story with a 600X Reply with quote

rkawakami.net wrote:
...By posting this page I think I just may have shot myself in the foot if I ever want to bid on another eBay-offered, password-locked, IBM 600X Razz...Ray

ouch Laughing
Splendid documentation, Ray!. I was about to add using the screw pads for ground connection (as I did) to minimize connection to the tiny ic pins but you already mentioned it in your webpage. I have a couple more tips for would-be tinkerers. For the 600e (this time the 24rf08 is on the top of the motherboard, above-left of the battery terminals for my model) there is a via close by that leads to pin 10 of the chip so i used that one for connecting the #30AWG tefzel wire. It is much easier than connecting to the ic pin. I had to scrape the varnish over the hole and clean the copper to bright metal with needle-point Exacto trimming knife to ensure a good connection. My pocket 10x loupe came handy too to make sure there are no solder micro bridges when the wires were connected/unconnected. And what added to the adrenaline rush seeing the OK message after keying the revealed password is seeing the padlock icons open for the hdp and svp at the password page in the bios. I was able to redeem a locked 10gb paper weight Very Happy .
Back to top
View user's profile Send private message
rkawakami
Interesat


Joined: 16 Apr 2006
Posts: 26
Location: San Jose, CA USA

PostPosted: Tue Apr 18, 2006 6:54 pm    Post subject: Re: My success story with a 600X Reply with quote

Ricardo wrote:
It is much easier than connecting to the ic pin.


Agreed. I spent about an hour looking for alternate locations where I could tap into the SDA and SCL signals from the topside of the motherboard. That way I would not have to go through the trouble of removing it from the case the next time I do this. It wasn't easy holding a lead from an ohmmeter on the SDA pin (I hadn't solder on the wires yet), turning the motherboard right-side up, and then using the other ohmmeter lead to randomly poke around, hoping for a "beep". I did get one, however. It was on a chip that is next to the docking port connector, just below the CPU/heat sink board. As I said in my web page, that part also has the (15-20mil?) lead spacing as the 24RF08, and it was about 5 legs in from the corner of the package so it was actually harder to solder to than pin 8 (on the corner) of the 24RF08. (Although now that I'm thinking about it, it was the same difficulty as pin 10 of the EEPROM. And it would mean that I don't have to remove the motherboard... Hmmm... Maybe next time.) So I gave up looking. That, plus I was anxious to proceed with the password recovery.

If I get around to doing this again (buying an eBay test case), I'll spend a little more time and prepare better for probing the motherboard, like borrowing one of the PC board holders from work and soldering on the wires to the EEPROM before poking around. Oh yeah, and a pair of magnifying glasses! I had to take my contacts out to see well enough to solder onto the 24RF08. Very Happy

Ray
Back to top
View user's profile Send private message
basscleff
Interesat


Joined: 27 Mar 2006
Posts: 19
Location: Canada

PostPosted: Thu Apr 27, 2006 5:47 pm    Post subject: Reply with quote

very well written, and presented tutorial on your process!
thank you!

please post pics of the alternate locations for trces to the ic pins, that would be a great help.
Back to top
View user's profile Send private message
rkawakami
Interesat


Joined: 16 Apr 2006
Posts: 26
Location: San Jose, CA USA

PostPosted: Thu Apr 27, 2006 7:54 pm    Post subject: Reply with quote

basscleff wrote:
please post pics of the alternate locations for trces to the ic pins, that would be a great help.


I'm already looking around eBay for a 600X motherboard that I can play with. I do not want to rip apart any of my working systems and risk damaging them by blindly poking around with my multimeter. I hope to have something to post in the next few weeks.

Ray
Back to top
View user's profile Send private message
victor
S.F. Boss


Joined: 07 Mar 2004
Posts: 2546
Location: Staff

PostPosted: Thu Apr 27, 2006 8:50 pm    Post subject: Reply with quote

Some of our forum members requested a PCB design of the driven circuit.

For those who want to make their own printed circuits see the picture below. Also download the pdf document from HERE that represents the circuit board (1:1) to print.

Back to top
View user's profile Send private message
rkawakami
Interesat


Joined: 16 Apr 2006
Posts: 26
Location: San Jose, CA USA

PostPosted: Mon May 08, 2006 8:59 pm    Post subject: Alternate connection method for IBM 600X Reply with quote

Hi!

As promised in my last posting about my experience with unlocking a 600X, I have some new information that will make it easier to perform this task. You don't have to remove the LCD or motherboard anymore! I have updated my site at:

http://www.rkawakami.net/ibm_600x/bios_pass/

with this new method. (Sorry for the numerous pictures but I like having complete documentation; dial-up users may have to wait several minutes for the page to finish loading.)

I have also cross-posted this message to a 600X thread that I have found here:

http://www.allservice.ro/forum/viewtopic.php?t=187

Basically, I have found places to tap into the SDA and SCL signals from the top side of the motherboard. You only have to remove the keyboard and CPU/heat sink assembly to get at them.

Ray
Back to top
View user's profile Send private message
basscleff
Interesat


Joined: 27 Mar 2006
Posts: 19
Location: Canada

PostPosted: Mon May 08, 2006 10:30 pm    Post subject: Reply with quote

thx!
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Service Forum Forum Index -> IBM/Lenovo ThinkPad Password Help Center (EN) All times are GMT + 2 Hours
Goto page 1, 2, 3  Next
Page 1 of 3

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



Powered by phpBB © 2001, 2005 phpBB Group