Tuesday, November 4, 2008

IBM ThinkPad R40 Supervisor Password Recovery

NOTICE:
I do not take responsibility for any losses due to the use of the information in this blog post. Please take extreme care while following this procedure. Thank you.

[See the Malay version]

IBM / Lenovo store the passwords (POP and Supervisor Password) in an EEPROM chip called ATMEL 24RF08. These passwords cannot be removed simply by resetting a jumper or unplugging the main battery or the backup battery. The only way is to read the password stored in the chip, and officially that means sending the laptop to the manufacturer together with proof of ownership.

But we can get around this by reading the EEPROM chip ourselves, using a homebrew EEPROM reader and the reader software from ALLservice.ro.

Things we need:
  1. EEPROM Reader (homebrew)

    Parts:
    1. D-Sub 9-pin female COM connector
    2. 2 units 5.1 V Zener diode
    3. 2 units 2.2 kilo-ohm resistor

  2. Software
    Get the software from http://www.allservice.ro/, namely r24rf08_setup.zip and setup_ibmpass21.zip

    Details as follows:
    http://www.allservice.ro/forum/viewtopic.php?t=61 – r24rf08 - Reader
    http://www.allservice.ro/forum/viewtopic.php?t=56 – IBMpass 2.1 Lite

Build the EEPROM Reader

Figure 1: EEPROM ATMEL 24RF08 Reader Diagram (reader schematic).

Attach the Reader to ATMEL 24RF08 EEPROM

The site where I first found the information about hacking this BIOS password suggests soldering two wires to the EEPROM pins to connect the reader. I thought that would be disastrous and would void the warranty.


Photo #1: EEPROM Reader, all components soldered to the D-Sub female connector


I soldered a needle to each wire from the reader, one for SDA and one for SCL. For the GND wire, I suggest attaching an alligator clip and clipping it to any GND point on the mainboard. In my case, I clipped GND to the metal shell of the USB port near the EEPROM.

With this method you need a very steady hand to hold the needles in place. I used both hands, one needle in each, which leaves no hand free to operate the PC. Get your buddy's help; I asked my wife to press ENTER.

The Location of ATMEL 24RF08CN on the R40

The ATMEL 24RF08 EEPROM chip is located beneath the plastic protective sheet under the hard drive compartment.
Photo #2: Harddrive compartment

Remove the aluminium cover. You have to remove two screws: one in the small hole at the bottom of the picture, the other on the bottom right side of the cover.


Photo #3: Plastic Protective Sheet

You have to peel back the plastic sheet to uncover the EEPROM. Be very careful not to tear the sheet; it has to go back on the board later. The sheet is fastened with double-sided tape at the audio jack, so peel it from there.
Photo #4: ATMEL location and pin connections

I've marked the SDA and SCL pins in Photo #4. Look where I slipped in my GND wire: the caption "Saya klip GND kat kulit port USB ini" means "I clipped my GND wire to the shell of this USB port."

Figure #2: ATMEL 24RF08 Pinouts (oriented to match Photo #4)


Photo #5: Protective Sheet peeled.

The PCMCIA assembly has been removed and the protective sheet peeled back to give a clear view of the EEPROM.


EEPROM Reading Procedures

To complete this procedure, you need another PC (the secondary PC) with a spare COM port.

Step 1:

Attach the EEPROM reader to the COM port of the secondary PC or laptop, then open a Command Prompt (under Windows XP, click Start --> Run, type CMD and press ENTER). Change to the folder where r24rf08 is installed:

C:\>cd C:\ALLservice\24RF08

then press ENTER. At the command prompt, type

C:\ALLservice\24RF08>r24rf08.exe r40dump.bin

but don't hit ENTER yet. (C:\ALLservice\24RF08 is where your r24rf08.exe is located; r40dump.bin is the name of the output file.)


Step 2:
Turn on your ThinkPad (please be really careful). Wait until the ThinkPad prompts you for the password (when the big padlock icon appears).

Step 3:
With care (be really careful, bro), attach the GND wire to any GND point on the board, then touch the two needles connected to SDA and SCL to the corresponding pins of the ATMEL 24RF08CN EEPROM.

Step 4:
Now press ENTER on the secondary PC (my wife did; both my hands were holding the needles) and wait for the read to finish (approx. 10 to 20 seconds). A new file named r40dump.bin is created in the same folder as r24rf08.exe. Now you can power off the ThinkPad and reassemble the unit.

Step 5:
Run IBMpass 2.1 Lite, which you installed earlier: click Start --> ALLservice --> IBMpass 2.1 Lite. Open the file r40dump.bin from C:\ALLservice\24RF08. Scroll down to address 0x330; you can read the password right there. If you cannot read the password (or the file shows nothing), click the "AA off" icon so that it changes to "AA on". That's all.
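Why the password at 0x330 is readable in IBMpass but looks like junk in a plain hex editor, as an added example that is not part of the original post and is not ALLservice code. It assumes (labelled in the code) that the stored bytes are PC keyboard scan codes (set 1 make codes) rather than ASCII, that the field is at most 8 bytes and ends at 0x00, and it checks 0x340 as a second candidate only because a commenter reports seeing the same password there. The dump is constructed for this example and encodes KHALIF, the password the post recovers; `build_dump`, `decode_field`, `raw_ascii_view` and `find_passwords` are names chosen here.

```python
"""
Added example: decode the password field of a ThinkPad 24RF08 dump the way
step 5 reads it with IBMpass. Not code from the post or from ALLservice.

Assumptions:
  * the bytes at 0x330 are PC keyboard scan codes (set 1 make codes),
    not ASCII, which is why a hex editor's ASCII column shows junk there;
  * the field is at most 8 bytes and is terminated by 0x00;
  * 0x340 is a second candidate only because a commenter reports it.
"""
from typing import Dict, Optional

# Set-1 keyboard make codes for the letters and digits a password can use.
SCANCODE_TO_CHAR = {
    0x02: "1", 0x03: "2", 0x04: "3", 0x05: "4", 0x06: "5",
    0x07: "6", 0x08: "7", 0x09: "8", 0x0A: "9", 0x0B: "0",
    0x10: "Q", 0x11: "W", 0x12: "E", 0x13: "R", 0x14: "T",
    0x15: "Y", 0x16: "U", 0x17: "I", 0x18: "O", 0x19: "P",
    0x1E: "A", 0x1F: "S", 0x20: "D", 0x21: "F", 0x22: "G",
    0x23: "H", 0x24: "J", 0x25: "K", 0x26: "L",
    0x2C: "Z", 0x2D: "X", 0x2E: "C", 0x2F: "V", 0x30: "B",
    0x31: "N", 0x32: "M",
}
CHAR_TO_SCANCODE = {c: s for s, c in SCANCODE_TO_CHAR.items()}

EEPROM_SIZE = 1024                 # 24RF08: 8 Kbit = 1024 bytes
PASSWORD_OFFSETS = (0x330, 0x340)  # 0x330 from the post, 0x340 from the comments
FIELD_LEN = 8                      # assumed field length; decoding stops at 0x00


def build_dump(password: str) -> bytes:
    """Constructed dump: all zeros except the scan codes of `password` at 0x330."""
    if len(password) > FIELD_LEN:
        raise ValueError("password longer than the assumed field")
    dump = bytearray(EEPROM_SIZE)
    for i, ch in enumerate(password.upper()):
        dump[PASSWORD_OFFSETS[0] + i] = CHAR_TO_SCANCODE[ch]
    return bytes(dump)


def decode_field(dump: bytes, offset: int) -> Optional[str]:
    """Return the password stored at `offset`, or None if nothing is there.

    An all-0x00 or all-0xFF field means no password set or a failed read.
    A byte that is not a known scan code raises, rather than guessing.
    """
    field = dump[offset:offset + FIELD_LEN]
    if len(field) < FIELD_LEN:
        return None
    if all(b == 0x00 for b in field) or all(b == 0xFF for b in field):
        return None
    chars = []
    for b in field:
        if b == 0x00:
            break
        if b not in SCANCODE_TO_CHAR:
            raise ValueError(f"byte 0x{b:02X} at 0x{offset:X} is not a known scan code")
        chars.append(SCANCODE_TO_CHAR[b])
    return "".join(chars)


def raw_ascii_view(dump: bytes, offset: int = PASSWORD_OFFSETS[0]) -> str:
    """What a hex editor's ASCII column shows for the same 8 bytes."""
    field = dump[offset:offset + FIELD_LEN]
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in field)


def find_passwords(dump: bytes) -> Dict[int, Optional[str]]:
    """Decode every candidate offset.

    Rejects a short dump outright: the "empty file" a commenter reports
    means the read never completed, not that the chip holds no password.
    """
    if len(dump) < EEPROM_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected {EEPROM_SIZE}: "
                         "the read did not complete")
    return {off: decode_field(dump, off) for off in PASSWORD_OFFSETS}


if __name__ == "__main__":
    dump = build_dump("KHALIF")
    print("ASCII column at 0x330:", raw_ascii_view(dump))   # %#.&.!..
    print("decoded:", find_passwords(dump))                  # {0x330: 'KHALIF', 0x340: None}
```

Run it against a real r40dump.bin by replacing `build_dump("KHALIF")` with `open("r40dump.bin", "rb").read()`; a file shorter than 1024 bytes is rejected before any decoding, which is the first thing to check when the reader produced an "empty" file.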



Photo #6: IBMpass 2.1 Lite screenshot

Type the password in at the ThinkPad; in my case, the password was KHALIF. I have successfully booted this ThinkPad. KHALIF is a person's name. We believe he (a teacher) was the previous user of this laptop, and that before he relocated to another school he neither reset the password nor told anyone, but simply returned the laptop to the school administration.

P.S.: Sorry for the poor quality of the images; they were taken with a Nokia 6600 camera phone. For more help from me, please send a short text message to +6o-12-96o82o8 or email me at spokdogol AT gmail DOT com.

References:
http://sodoityourself.com/hacking-ibm-thinkpad-bios-password
http://www.allservice.ro/

Further Readings:
1. ATMEL 24RF08 datasheet


22 comments:

  1. This comment has been removed by the author.

  2. I have done everything as explained, but it created an "empty" file.

    Any ideas?

    Does this mean the EEPROM chip is corrupt?

  3. Does this work with an IBM T43?

  4. Well, the COM port is usually not available these days. Is there any way we can do that via a USB port or any other available port?

    Thanks for the nice article btw. I have a system locked at this time and I need to unlock it. But I don't have any system with a COM port. Please guide me if I can do that via USB or any other available way.

  5. Thanks! I'm going to give this a shot - I'll post my success/failure.
    I appreciate your thoroughness!

  6. Just an update on my progress - I built the reader (not pretty, but it works) and did everything here, with a little help from another website to remove my system board, and this worked perfectly!

    The only problem I had was that the entire system board needed to be removed for my model (R60). This wasn't VERY hard, but it was more than I expected...

    Thank you for the documentation - it saved my laptop!

  7. bro,

    can you sell me your EEPROM reader?

    tried making 2 but failed...

  8. @Birdie, you can build it yourself. Trust me.. you can make it work.

  9. @Dan and Amy, you are welcome.

    @Sameers, I believe you can use any USB-to-COM port converter.

  10. Test my password reader/recovery app.
    Of course free

    http://dl.dropbox.com/u/27947369/SVP_Tool.zip

  11. guys, I've done all the wiring. Then I open r24rf08.exe (cmd) and it shows "circuit not found". Any solution? Please tell me......

  12. can I use a 9-pin USB converter between the D-Sub 9-pin female COM header and the spare PC....?????

  13. finally I got the password after changing to AA on.......thx man it works............

  14. Hi, I made the tool for reading and got a .bin file. I've opened that file and saw at 330 and 340 the same password "-R". How could I enter this password? I've tried to press the "-" button and the computer just beeps and ignores that symbol. What am I doing wrong?

  15. Yeehaaa. Worked great! Built the connector, attached it to the serial port, prepared the command. Connected the wires to the chip, hit enter, got the file.
    Read the file with the tool, found the password, entered it - WIN :D
    Thanks a lot, this saved 5 good old IBM T40 laptops from going to the garbage can ;-)

  16. This comment has been removed by the author.

  17. Although I must say the probe you used (tweezer kind) looked a lot easier to clip on... I had to hold it whilst a friend pressed enter on my computer. Spot on for the address to read too, only needed to read 6 chars.

  18. wow!!! I tried that and it was pretty easy and it worked like magic

  19. anyone with an idea on how I can break a Dell Inspiron 1525 BIOS password?

  20. It worked! Thanks for the great info. By the way, the password was "IBMBIOS". Wouldn't you know it?!


Note: English is not my first language.