Service Forum support board, PC repair, unlocking solutions
victor S.F. Boss
Joined: 07 Mar 2004 Posts: 2578 Location: Staff
Posted: Wed Oct 27, 2004 3:06 pm Post subject: [Tutorial] How to unlock [older] ThinkPad supervisor password
Last update: May 2020
Topic is already too long and has been closed now in order to avoid mass-mailing to hundreds of posters and followers.
If you have any questions then create a new (your own) thread and Bob, myself or another colleague will be happy to give you an answer.
(Please see the latest updates with the chip pictures & locations here)
For MEC1633L based models, all new series in fact: T440, T450, T460, T470, T540, T550, T560, T570, W540, W541, W550s, X1 Carbon, X1 Yoga, X240, X250, X260, X270, P40, P50, P50s, P70, Thinkpad Yoga 12, Yoga 260, Yoga 370, Yoga 460 and Yoga 15 and so on and so forth, the solution is listed here:
http://www.allservice.ro/forum//viewtopic.php?p=11382#11382
Hi everybody,
Because so many of you need this I decided to publish here the whole story.
1. Introduction.
As you may know, IBM ThinkPad uses a small eeprom (ATMEL 24RF08) to store different OEM issues like serial number, UUID, etc. The supervisor password (SVP) is also stored in this little chip. So, anybody should figure that he needs to read the eeprom in order to find the password string. The first problem is that 24RF08 is not an ordinary eeprom. The second is that the password is written in a special scan code.
To read this properly you need a software (and an interface) specially designed for this eeprom.
The software is R24RF08 (eeprom reader) and IBMpass (password decoder).
Below is detailed the password recovery procedure. Both R24RF08 and IBMpass are needed. Also for TPs using TCPA security chip to encrypt the passwords, the eeprom writer W24RF08 is needed to complete the unlock procedure.
IBMpass works for absolutely all TP models. The following ThinkPad models are based on 24RF08 eeprom and must be accessed only with 24RF08 programming tools mentioned above:
- 240, 240X
- 390E, 390X
- 570, 570E
- 600e, 600X
- 770Z
- A20m, A21e, A21m, a22m, A30, A30p, A31, A31p
- Edge models: Edge 13, 14 and 15, E120, E220s, E320, E420, E425, E430, E520, E530, E531, S430
- G40, G41
- Helix
- L412, L512, L420, L520, L430, L530, L540
- Lenovo B480, B490, B580, B590, G550, G570, Ideapad Z570, U330 Touch, B40-30, B50-30, B50-30 Touch, E40-30, IdeaPad 305-15IBY, IdeaPad 720S and many other IdeaPads require SPEG programmer and our assistance for unlocking if you buy SPEG, password stored in BIOS or EC serial flash.
- R30, R31, R32, R40, R50, R51, R61, R61i, R400, R500
- SL410, SL510 (not SL300-400-500 and G550 - they require SPEG programmer)
- Transnote, T20, T21, T22, T23, T30, T40, T40p, T41, T41p, T42, T42p, T61, T400, T410, T420, T430, T431, T500, T510, T520, T530.
- X20, X21, X22, X23, X24, X30, X31, X32, X40, X41, X61, X1, X100, X120, X121, X200, X201, X220, X230, X300, X301
- W500, W510, W520, W530, W700, W701
T43/T43p, R52, T60/T60p, R60, X60/s, Z60t/m/p and Z61 series don't use 24RF08, but more advanced security chips like PC8394T-VJG or secure storage chips. PC8394 Tools are needed to unlock the new models.
SL300, SL400 and SL500 have the SVP stored in BIOS flash. The new Lenovo 580 and similar ones based on EFI/Insyde BIOS also use a serial flash. SPEG programmer is the right solution in this case.
T440, T540, X1 carbon gen2, X240, X250, W540, W541 require our UEFI patched BIOS and SPEG programmer:
http://www.allservice.ro/forum//viewtopic.php?p=11382#11382
Other ThinkPad models such as 380XD, 600 or 760/765 use 24C01 or 93C46 eeproms, that are the most ordinary and can be read with anything you want. The method is the same as for the models based on 24RF08, only the software to dump the eeprom is different.
[New:] For 24C01, you can use R24C01, a software made specially to read such eeproms in Thinkpads and included now in the R24RF08 kit. It is based on the library used to build 24RF08 software and can be used in the same manner.
2. Locating the eeprom. Soldering.
No need to unsolder the 24RF08 eeprom, just solder 3 wires to SDA, SCL and GND pins of the eeprom. There are two eeprom layouts (see interface schematics described below), corresponding to the 8 pin or 14 pin eeproms. Locate the eeprom first according to your model (e.g. T20-23 and T30 have the eeprom underneath and can be accessed by removing the RAM modules cover, no need to dismantle the laptop) and solder the wires using a soldering iron with a fine tip. Also, you can use 0.15 - 0.20 mm enamel coated wires or similar small diameter insulated wires. These wires will be connected later to the interface.
Tip: You can use clips to connect the wires or you can solder on the PCB traces leading to the eeprom pins. GND wire can be attached to laptop GND elsewhere in most of the cases.
Once again, be careful and double, triple check the soldering if necessary till you are positively sure you have done the right job.
3. Choose and build the interface.
Since version 2.0, R24RF08 and W24RF08 are compatible with a wide range of eeprom programmers. By default, both programs set the COM port signals to use direct logic level to access the I2C bus. We provide here 2 schematics that are relevant for direct logic signals and for inverse logic signals (simple-i2cprog.pdf and driven-i2cprog.pdf). Also, depending on the interface you build, you can invert the logics for SDA-In, SDA-Out, and SCL COM port signals by some command line parameters described later in this document.
a) The file simple-i2cprog.pdf contains the schematic diagram of a simple interface (known as SIPROG) based on 2 zeners and 2 resistors. This is a classic, easy to build circuit and works with soldered or unsoldered eeproms. The purpose of the 2 zeners is to convert RS232 levels (+/- 5~10V) to TTL ones, needed by the eeprom. It uses direct logic signals to I2C eeprom and is powered by the COM port. However, this interface works with in-system eeproms but is dependent on COM port current and eeprom bus impedance. R24RF08 works natively with this circuit, no need to change the lines signals with command line parameters. This circuit works pretty well with almost all Thinkpads series.
b) The second interface is described in driven-i2cprog.pdf. The circuit uses MAX 232 as a RS232 to TTL driver and its main purpose is to work with soldered eeproms. The advantage of MAX232 is the TTL outputs that are more reliable and more powerful when working with soldered, in-system eeproms (dependency free from the COM port current). Due to the internal inverters of MAX232 the interface responds to an inverse signal logic level. R24RF08 needs /x, /d, /i switches to be specified in the command line.
What these switches mean:
/x - invert serial clock, also known as SCL;
/d - invert serial data output, also known as SDA-Out;
/i - invert serial data input, also known as SDA-In.
All those can be used in any combination to meet the interface specification.
Note. The two schematic diagrams, simple-i2cprog.pdf and driven-i2cprog.pdf are included with R24RF08/W24RF08 kits.
4. How it works:
Prepare your technician PC by connecting the interface to the COM1 port (don’t connect the wires to eeprom yet). Turn on the ThinkPad and press F1 to enter BIOS Setup. When you are prompted for the password and there’s no other activity like HDD access or so, connect the wires (GND first!, SDA, SCL) to the corresponding wires from the interface (attached before to COM1) and execute R24RF08:
-for SI-PROG interface (as described in 3.a above):
r24rf08.exe <filename>. where filename.ext is the file where eeprom content will be stored.
Example: r24rf08 mytp.bin
-for MAX232 driven I2C interface (as described in 3.b above):
r24rf08.exe <filename> /x /d /i. where /x /d /i are command line parameters (switches) for this kind of interface.
Example: r24rf08 mytp2.bin /x /d /i
Use exactly the instructed switches to avoid possible damage to your eeprom data!
The file should be created in the same folder. Finally, disconnect the wires (GND last!) and turn off the ThinkPad by pressing on/off switch.
5. Reveal the password.
Now, you have the .bin file but you need to dump in scancode to retrieve the password. IBMpass Lite is a free tool that I wrote specially for this job. Just open the eeprom dump you've created before and search for 0x330, 0x340 lines. The password is located on 0x338 (and 0x340 depending on model) in scancode (AA button must be "ON"). For 24C01 eeproms the password is located at 0x38, 0x40. If the password won't work for the very first time then your eeprom may use newer IBM encryptions. In this case switch to alternate scancodes to find it.
For some old models like 570 or 770Z you need to execute the eeprom patcher first. This will reset the read protection on the password offset. To do that just execute patcher.exe before the reading operation, without rebooting the laptop:
-for SI-PROG:
patcher.exe, then immediately
r24rf08.exe <filename>
-for Driven-I2C (Max232) you must insert the switches:
patcher.exe /x /d /i, then immediately
r24rf08.exe <filename> /x /d /i
W24RF08, the writer version, includes the complete APP reset operation, so you don’t need to use patcher.
Also, there are new encryption algos used with some new security chips that are very secure. The password is not in scancode and in some cases not even in the eeprom. To unlock the machine, the dumps would suffer some changes and the eeprom will be re-programmed by using W24RF08. This operation works for all IBM TCG/TCPA secured laptops w/o exceptions. We can provide full support for unlocking TCPA locked machines, contact us at support@allservice.ro
More details on PC8394 Tools (R60, T60, X60, Z60, Z61, T43, R52 models) can be found here.
Remember, use 3 wires from the interface and 3 wires from eeprom! Connect them after your ThinkPad is powered and disconnect them right after you read the content, before you switch off the laptop.
Good luck!
Last edited by victor on Wed May 13, 2020 6:16 pm; edited 83 times in total
600e Nou Venit
Joined: 04 Jul 2005 Posts: 1
Posted: Mon Jul 04, 2005 7:54 pm Post subject:
Hi,
I have tried to read the eeprom from my 600e TP but get an error:
24RF08 eeprom reader v1.2c - Win32 Console Version
Copyright (C) Victor Voinea, ALLservice 2004-2005, www.allservice.ro
----------------------------------------------------------------
Initializing timer...4908 OK!
ERROR: Eeprom not available!
----------------------------------------------------------------
Hit <Enter> to exit...
===>>
I used the simple seriali2c programmer hardware and also the more complex keymaker hardware. Both do not work with your software.
However -- the keymaker hardware works fine with the keymaker software -
so the connection to the eeprom is OK.
Do you have an idea what I do wrong?
thanks
victor S.F. Boss
Joined: 07 Mar 2004 Posts: 2578 Location: Staff
Posted: Mon Jul 04, 2005 8:13 pm Post subject:
My software is not compatible with other circuits yet, but the next 2.0 versions that will be launched this week will have support for a wide range of serial interfaces including this one.
(Moderator Note: Updated version 2.0 launched already. July 8 2005)
I will try to resume here the most common possibilities or usual mistakes that can be done:
1. When you start the laptop the interface must be disconnected. You can connect after F1 is pressed, don't forget that.
2. If you are prompted with "eeprom not found" then:
a) It is a problem with the wires. Check them again (SDA, SCL and GND) even if they seem to be OK, you never know...
If you disconnect the circuit and run the program you would be prompted with "circuit not found", but that doesn't necessarily mean that your circuit is healthy, not at all.....
b) A usual mistake is to confuse the COM1 pin array enumeration and/or orientation. Note that the schematic diagram shows the port from the front end. Check again carefully:
pin 4 -DTR, pin 5 -GND, pin 7 -RTS, pin 8 -CTS. All gnds must be fit together (COM1 + diode anodes + eeprom GND)
c) Your serial port is too weak. The circuit is powered by the port itself. Check with other PC.
primarius Nou Venit
Joined: 15 Aug 2005 Posts: 2
Posted: Tue Aug 16, 2005 5:46 am Post subject: I need help
Hello,
Just want to know how do I go about making a simple-i2cprog or buying one.
I am pretty good with computers but when it comes to electronics, I am clueless.
Is there a list of hardware I need to buy and step-by-step instructions for putting it all together?
Oh yeah, I follow directions pretty good too....
Thanks,
CAD Nou Venit
Joined: 19 Aug 2005 Posts: 3
Posted: Fri Aug 19, 2005 6:18 am Post subject: confused
I have an IBM ThinkPad A21e, I'm trying to recover the supervisor password. I understand all that is posted on this forum but I can't find the simple-i2cprog.pdf file to download or a schematic to build the eeprom reader.
Can you help me out with a link?
bob S.F. Moderator
Joined: 07 Mar 2004 Posts: 800 Location: Staff
Posted: Fri Aug 19, 2005 7:53 am Post subject:
OK.
Just install R24RF08 or W24RF08 and you'll find there the diagrams simple-i2cprog.pdf and driven-i2cprog.pdf.
CAD Nou Venit
Joined: 19 Aug 2005 Posts: 3
Posted: Mon Sep 05, 2005 2:09 am Post subject: problem
I have an IBM ThinkPad A21e, I connected everything like supposed (or at least I think I did) and I get an error
initializing timer..11647 OK!
ERROR: Circuit not found or bus error!
What can be the problem, bad soldering or what?
CAD Nou Venit
Joined: 19 Aug 2005 Posts: 3
Posted: Mon Sep 05, 2005 5:04 am Post subject: Worked!
Nvm, I smashed the complicated circuit and I did the simple one, worked perfect. I used IBMpass 1.1 and the simple circuit.
Couldn't figure out how to use IbmPass 2.0 but IbmPass 1.1 worked great.
Thank you for all this information! It helped a lot and I made some money out of it too as I work in a computer store and the verified owner forgot the admin pass. It was the first time I tried this method and I took the project home, worked like 3 hours on it.
Long live Romanian cleverness!
bob S.F. Moderator
Joined: 07 Mar 2004 Posts: 800 Location: Staff
Posted: Mon Sep 05, 2005 8:50 am Post subject:
Could you tell us what was the problem? Maybe others could take advantage of your experience.
Seems like you understand the following:
M-ai rupt, frate!
gotaplay Nou Venit
Joined: 23 Oct 2005 Posts: 3
Posted: Sun Oct 23, 2005 7:05 pm Post subject: A quick thank you
This may not be in line with this topic or thread but I just wanted to say thank you for all the information you have made available here on your site.
I have a T22 board with a locked supervisor password and a T22 that will not charge or start up from the battery and a T21 that has a CR1 175 error.
As with most people here I have searched and searched the web for information on how to unlock and clear errors on otherwise good working systems and until now I have only found sites where people charge between $40 and over $100 to do the same things as the information you provide here and more than likely obtained their knowledge here as well.
Thank you to all the moderators and others who help without expectation.
I will be watching this forum and hopefully there will come a time where I too can assist someone in need..
Best Regards
P Nosko
Canada
victor S.F. Boss
Joined: 07 Mar 2004 Posts: 2578 Location: Staff
Posted: Sun Oct 23, 2005 10:18 pm Post subject:
Sometimes I have the impression that all I did was wrong and unnecessary. But people like you remind me every day that I did it right. Thanks.
zzzn00bzzz Nou Venit
Joined: 30 Nov 2005 Posts: 3
Posted: Wed Nov 30, 2005 2:21 am Post subject: Pictures for IBM t40
It would be nice if you guys could supply some visual instructions also, I would appreciate it. I would like to see instructions for IBM T40. Thank you!
T20PWD Nou Venit
Joined: 30 Nov 2005 Posts: 1
Posted: Wed Nov 30, 2005 10:05 am Post subject:
Hi Victor,
Firstly, I want to thank you for an excellent job and for providing this service free of cost.
I have a friend's T20, it all started by doing him a favor by trying to recover the lost sup. pwd. But I have tried for 2 days now and there has been no success, I have tried both the driven as well as the simple circuit.
The only difference in the driven circuit is that I am using a MAX232N as the Max232A was not available, I have tried connecting the circuit to 2 PCs but still no success.
I am getting the following errors depending on the switches
ERROR: Eeprom not available!
or
ERROR: Circuit not found or bus error!
I have checked the wires and the connectors on the breadboard over and over again and they seem fine, I have no idea what I am doing wrong.
On the first PC I would get a message that it is copying the eeprom but the 1kb file would have 00 everywhere (empty).
I see the circuit in my sleep now
please help
Thanks
victor S.F. Boss
Joined: 07 Mar 2004 Posts: 2578 Location: Staff
Posted: Wed Nov 30, 2005 10:27 am Post subject:
T20 is the most common IBM model. SIPROG works perfect with this.
Could you send me some pictures and details at support-at-allservice.ro?
zzzn00bzzz: The instructions are the same for T40. To see some pictures of a SIPROG see the thread here
boukehj Nou Venit
Joined: 07 Dec 2005 Posts: 1
Posted: Wed Dec 07, 2005 8:11 pm Post subject: Thanks, thanks, thanks!
Incredible - everything worked (a T40, using simple interface, 24RF08.exe and IBMpass 1.1) in the first try!
Thanks a lot. I can now return this laptop to my employer (who didn't know I had a password on it that I forgot).
Bouke