IBM Thinkpad

 

Hacking IBM Thinkpad Bios Password



 


IBM T42 Supervisor Password recovery

Lost your IBM ThinkPad Supervisor password? No problem, on this page
I will show you how to recover your old password.

Although IBM claims their TP BIOS passwords are
impossible to break, there is an easy
and cheap way to fix this.
The stuff you need costs about $5 at your closest Radio Shack
type of store. You also need a spare PC with a serial port.

 

 

 

This article is based on an IBM ThinkPad T42.
There are no guarantees and you might end up destroying your TP.
So continue at your own risk. Other models this ought to work
with are:

  • 240, 240x
  • 390E, 390x
  • 570, 570E
  • 600e, 600X
  • 770Z
  • A20m, A21e, A21m, a22m, A30p, A31, A31p
  • G40, G41
  • R30, R31, R32, R40, R50, R51
  • Transnote, T20, T21, T22, T30, T40, T40p, T41,
    T42, T42p
  • X20, X21, X22, X23, X24, X30, X31, X40, X41

The supervisor (SVP) password is stored in a chip
called ATMEL 24RF08. It
cannot be reset by disconnecting the BIOS battery or shorting
any jumper. It has to be read in order to decipher the password.
For this we need some kind of hardware, so read on…

Soldering the ATMEL 24RF08 Chip reader

To read this chip we need to interface with it using a
secondary computer and some simple electronics. You will need to
purchase this:

Electronic components

  • 2 x 2200 Ohm Resistors
  • 2 x C5V1 Zener diodes (For example BZX55/C5V1)
  • Serial Port 9 pin Female

The serial port can be salvaged from any old PS2 type mouse. The zeners and resistors can be found in scrap electronics, but they are rather cheap so I would not bother. Solder them according to the image below. Leave the wires leading to SDA, SCL and GND. These will be connected to the TP later.

[Image: Allservice schematic for reader]

Here is a simplified schematic for those unfamiliar with the above symbols:

[Image: Simplified atmel reader schematic]

Locating the ATMEL chip

[Image: Location of ATMEL chip]

Usually the ATMEL chip is located somewhere below the touchpad. Start off by removing the keyboard and mousepad. This is done by unscrewing a couple of screws located under the TP. It is quite clearly illustrated on the bottom side of your ThinkPad.


Pull the TP keyboard up and let it rest
against the screen. Pry off the touchpad part
and fold it over where the keyboard used to be.
Remove the WiFi card.

Under it all you should find a chip with
something like this printed:

ATMEL

24RFC8

0446

Here's a closeup of the Atmel chip:

[Image: Locating the Atmel Chip]

You can see the Atmel right under where the Wifi
card used to sit:

[Image: Another closeup]

Soldering the ThinkPad

Now this is the tricky part. You will have to
solder 3 wires to the motherboard of your TP. Two wires
to the ATMEL chip and one to ground. The ground
is a piece of cake, just solder it anywhere you
can find ground. The mounting screw holes on the
motherboard are a good place. Solder 3 wires
according to the image below:

[Image: DSC_0154.JPG]

As you can see, the SCL and SDA are located right next to each other.
It can be difficult to hold them in place while soldering. I have used
some tape to hold them in place. The tape can be left there to minimize
the risk of pulling off the soldered wires during the next steps.

Leave these wires unconnected and make them ready by peeling off the
insulation. These will be connected to the reader circuit later on.
Make sure they cannot reach ground or short circuit in any way.

Preparing the spare PC

You have made the hardware to read the chip, so now you need
to supply the software. There is this great software made by
http://www.allservice.ro/ that can be found here:

http://home.ripway.com/2005-7/365678/index.htm

– Select R24RF08 v2.0b – Reader for ATMEL 24RF08 (Freeware)

While you are at it, download the Supervisor Password decoder
IBM Pass 2.0 Lite found here:

http://home.ripway.com/2005-7/365678/index.htm

Also great software made available by http://www.allservice.ro/.

Note:

Softpedix wrote that the download mirror has limited bandwidth. If you
can’t download with the above, try these:

http://www.allservice.ro/forum/viewtopic.php?t=61 – Programmer

http://www.allservice.ro/forum/viewtopic.php?t=56 – IBMpass Lite

Install the software.

Connect the ATMEL chip reader to the spare PC.

Fire up a command prompt (Start -> Run, type cmd) and
navigate to the folder where you installed R24RF08 v2.0b.
Type in (don’t hit Enter):

r24rf08 dump.bin

Dumping the password

  1. Turn on your ThinkPad with all the wiring you just soldered.
  2. Press F1 during the startup to enter the BIOS.
  3. Wait until all activity stops, blinking HDD LEDs and such.
  4. Connect the ATMEL chip reader. GND first, then the SDA and SCL.
  5. Now go to your spare PC and hit Enter on the command prompt.

Now there should be a file
created in the same folder with
the name dump.bin. Disconnect
all the wiring off your TP and
assemble it back together.
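
A sanity check worth running on dump.bin before the wires come off, as an added example that is not part of the original article or the Allservice tools. It assumes the 8 Kbit 24RF08 is dumped as 1024 bytes and that you optionally took a second read to compare against; the sample image in the code is constructed, not a real dump.

```python
import sys

EXPECTED_SIZE = 1024   # assumption: the 8 Kbit 24RF08 is dumped as 1024 bytes
SVP_OFFSET = 0x330     # offset the article says to inspect in the dump
WINDOW = 16            # bytes shown per row

def check_dump(data):
    """Return a list of problems; an empty list means the read looks plausible."""
    problems = []
    if len(data) != EXPECTED_SIZE:
        problems.append(f"size is {len(data)} bytes, expected {EXPECTED_SIZE}")
    if data and len(set(data)) == 1:
        problems.append(f"every byte is 0x{data[0]:02X}, bus was probably not read")
    window = data[SVP_OFFSET:SVP_OFFSET + WINDOW]
    if len(window) < WINDOW:
        problems.append(f"dump ends before 0x{SVP_OFFSET + WINDOW:X}")
    elif window in (b"\x00" * WINDOW, b"\xff" * WINDOW):
        problems.append(f"row at 0x{SVP_OFFSET:X} is uniform, re-read the chip")
    return problems

def differing_offsets(first, second):
    """Offsets where two reads of the same chip disagree (noise on SDA/SCL)."""
    diffs = [i for i, (a, b) in enumerate(zip(first, second)) if a != b]
    if len(first) != len(second):
        diffs.append(min(len(first), len(second)))  # first offset only one read has
    return diffs

def hex_row(data, offset=SVP_OFFSET, width=WINDOW):
    """Format one row the way a hex viewer would show it."""
    row = data[offset:offset + width]
    return f"{offset:04X}  " + " ".join(f"{b:02X}" for b in row)

def constructed_sample():
    """Constructed 1024-byte image for demonstration, not a real ThinkPad dump."""
    return bytes((i * 7 + 3) & 0xFF for i in range(EXPECTED_SIZE))

if __name__ == "__main__":
    # Usage: python check_dump.py dump.bin [second_read.bin]
    reads = [open(p, "rb").read() for p in sys.argv[1:]] or [constructed_sample()]
    for problem in check_dump(reads[0]):
        print("WARNING:", problem)
    if len(reads) > 1:
        print("offsets differing between reads:",
              [hex(o) for o in differing_offsets(reads[0], reads[1])])
    print(hex_row(reads[0]))
```

If two consecutive reads differ at any offset, check the solder joints and ground connection and read again before trusting either file.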

Decoding the Supervisor Password

On your spare PC start the program IBM Pass 2.0 Lite.
Load the file you just created (dump.bin).
Navigate with the scroll list to the memory address
of 0x330. Tada! It should look something like this:

[Image of password dump]

 

 

 

 

 
