Tuesday, November 4, 2008

IBM ThinkPad R40 Supervisor Password Recovery

NOTICE:
I do not take responsibility for any losses due to the use of the information in this blog post. Please take extreme precaution while following this procedure. Thank you.


IBM / Lenovo saves the passwords (POP and Supervisor Password) in an EEPROM chip called the ATMEL 24RF08. These passwords can't be removed simply by resetting a jumper or unplugging the battery or backup battery. The only way is to read the password stored in the chip. To achieve this, you have to send the laptop to the manufacturer together with proof of ownership.

But we can hack this by reading the EEPROM chip using a homebrew EEPROM reader and the reader software from ALLservice.ro.

Things we need:
  1. EEPROM Reader (homebrew)

    Parts:
    1. D-Sub 9-pin female COM header
    2. 2 units of 5.1 V Zener diode
    3. 2 units of 2.2 kilo-ohm resistor

  2. Software
    Get the software from http://www.allservice.ro/, namely r24rf08_setup.zip and setup_ibmpass21.zip

    Details as follows:
    http://www.allservice.ro/forum/viewtopic.php?t=61 – r24rf08 - Reader
    http://www.allservice.ro/forum/viewtopic.php?t=56 – IBMpass 2.1 Lite

Build the EEPROM Reader

EEPROM Reader schematic.
Figure 1: EEPROM ATMEL 24RF08 Reader Diagram.

Attach the Reader to ATMEL 24RF08 EEPROM

On the site where I first got the information about hacking this BIOS password, it is suggested that we solder two wires to the EEPROM pins to connect the reader. I thought it would be disastrous and would void the warranty.


Photo #1: EEPROM Reader,
all components soldered to the D-Sub female connector


I soldered a needle to the wire from the reader, one for SDA and one for SCL. For the GND wire, I suggest you attach an alligator clip to clip the GND wire to any GND point on the mainboard. In my case, I clipped the GND to the jacket of the USB port near the EEPROM.

With this method, you need very steady fingers to hold the needles in place. I used both hands to hold the needles, one needle in each hand. You have no hand left to operate the PC, so get your buddy's help. I asked my wife to press ENTER.

The Location of ATMEL 24RF08CN on R40

The ATMEL 24RF08 EEPROM chip is located beneath the plastic protective sheet under the hard drive compartment.
Photo #2: Hard drive compartment

Remove the aluminum cover. You have to remove two screws. One in the small hole at the bottom of the picture and the other one is on the bottom right side of the cover.


Photo #3: Plastic Protective Sheet

You have to peel back the plastic sheet to uncover the EEPROM. Be very careful not to tear the sheet. We need to put it back on the board later on. The sheet is fastened with double-sided tape on the audio jack. Peel it from there.
Photo #4: ATMEL location and pin connections

I've marked the SDA and SCL pins in Photo #4. Look where I slipped in my GND wire. "Saya klip GND kat kulit port USB ini" means "I have clipped my GND wire at this USB port sleeve."

Figure #2: ATMEL 24RF08 Pinouts
(Orientation matches Photo #4)


Photo #5: Protective Sheet peeled.

The attached PCMCIA has been removed and the protective sheet has been peeled back to give us a clear view of the EEPROM.


EEPROM Reading Procedures

To complete this procedure, you need another PC (secondary PC) with a spare COM port.

Step 1:

Attach the EEPROM Reader to the COM port (of the other PC or laptop with a COM port), then open a Command Prompt. (Under Windows XP, click Start --> Run, type CMD, then press ENTER.) Go to the folder where r24rf08 is installed:

C:\>cd C:\ALLservice\24RF08
then press ENTER. Type at the command prompt:

C:\ALLservice\24RF08>r24rf08.exe r40dump.bin
Don't hit ENTER yet. (C:\ALLservice\24RF08 is where your r24rf08.exe is located.)


Step 2:
Turn on your ThinkPad (please be really careful). Wait until your ThinkPad prompts you to enter the password (when the big padlock icon appears).

Step 3:
With precaution (be really careful, bro), attach the GND wire to any GND on the board, then attach or touch the two needles to the SDA and SCL pins on the ATMEL 24RF08CN EEPROM.

Step 4:
Now, press ENTER (my wife did -- both my hands were holding the needles), and wait a moment until the reading finishes (approx. 10 to 20 seconds). In the same folder as r24rf08.exe, a new file named r40dump.bin will have been created. Now you can power off the ThinkPad and reassemble the unit.

Step 5:
Run IBMpass 2.1 Lite, which you installed earlier: click Start --> ALLservice --> IBMpass 2.1 Lite. Open the file r40dump.bin from C:\ALLservice\24RF08. Scroll down to address 0x330; you can read the password right there. If you cannot read the password (or the file does not show anything), make sure you click the icon "AA off" to switch it to "AA on". That's all.



Photo #6: IBMpass 2.1 Lite Screenshot

Type in the password at the ThinkPad; in my case, the password is KHALIF. I have successfully booted this ThinkPad. KHALIF is a person's name -- we believe he (a teacher) was the previous user of this laptop, and before he relocated to another school he did not reset the password or tell anyone what it was, but returned the laptop to the school administration.

p/s: Sorry for the bad quality of the images. Those images were taken using a Nokia 6600 camera phone. To seek more help from me, please send a short text message to +6o-12-96o82o8 and email me at spokdogol AT gmail DOT com

References:
http://sodoityourself.com/hacking-ibm-thinkpad-bios-password
http://www.allservice.ro/

Further Readings:
1. ATMEL 24RF08 datasheet


29 comments:

  2. I have done everything as explained, but it created an "empty" file

    Any ideas?

    Does this mean the eeprom chip is corrupt?

    ReplyDelete
    Replies
    1. No, please check the connections...

      Delete
  3. Well, the COM port is usually not available in current ages. Is there any way we can do that via USB port or any other available port?

    Thanks for the nice article btw. I have a system locked at this time and I need to unlock that. But I don't have any system with a COM port. Please guide me if I can do that via USB or any other available way.

    ReplyDelete
  4. Thanks! I'm going to give this a shot - I'll post my success/failure.
    I appreciate your thoroughness!

    ReplyDelete
  5. Just an update on my progress - I built the reader (not pretty, but it works), and did everything here, with a little help from another website to remove my system board, and this worked perfectly!

    The only problem I had was that the entire system board needed to be removed for my model (R60). This wasn't VERY hard, but it was more than I expected...

    Thank you for the documentation - it saved my laptop!

    ReplyDelete
  6. bro,

    can sell me ur eeprom reader?

    tried making 2 but failed...

    ReplyDelete
  7. @Birdie, u can build it urself. Trust me.. u can make it work.

    ReplyDelete
  8. @Dan and Amy, you are welcome.

    @Sameers, I believe you can use any USB-to-COM Port Converter.

    ReplyDelete
  9. Test my password reader/recovery app.
    Of course free

    http://dl.dropbox.com/u/27947369/SVP_Tool.zip

    ReplyDelete
  10. Works great, THANKS!!!!!

    ReplyDelete
  11. Guys, I have done all the wiring. Then I open r24rf08.exe (cmd) and it shows "circuit not found". Any solution... Please tell me......

    ReplyDelete
  12. can i use the 9 pin usb converter between D-Sub 9pin female COM header and spare PC....?????

    ReplyDelete
  13. Finally I got the password after changing to AA on.......thx man it works............

    ReplyDelete
  14. Hi, I made the tool for reading and got a .bin file. I've opened that file and saw at 330 and 340 the same password "-R". How could I enter this password? I've tried to press the "-" button and the computer just beeps and ignores that symbol. What am I doing wrong?

    ReplyDelete
  15. Yeehaaa. Worked great! Built connector, attached to serial port, prepared command. Connected wires to chip, hit enter, got file.
    Read file with tool, found password, entered - WIN :D
    Thanks a lot, this saved 5 good old IBM T40 laptops going to the garbage can ;-)

    ReplyDelete
  17. Although I must say the probe you used (tweezer kind) looked a lot easier to clip on... I had to hold it whilst a friend pressed enter on my computer. Spot on for the address to read too, only needed to read 6 chars.

    ReplyDelete
  18. wow!!! i tried that and it was pretty easily and it worked like magic

    ReplyDelete
  19. anyone with an idea on how i can break dell-inspiron 1525 bios password ?

    ReplyDelete
  20. It worked! Thanks for the great info. By the way, the password was "IBMBIOS". Wouldn't you know it?!

    ReplyDelete
  21. Thank you very much for the support. Thanks to you, I managed to crack the computer's password.

    ReplyDelete

Note: English is not my first language.