I have a Lenovo x300 somebody set the password on and ... as you guess, forgot.
So, question: anyone have any idea how deep into the machine the password is kept on new machines? Deep in TPM?
in other words, were flashrom to work on this box, can the password be reset?
ron
ron minnich wrote:
> I have a Lenovo x300 somebody set the password on and ... as you guess, forgot.
> So, question: anyone have any idea how deep into the machine the password is kept on new machines? Deep in TPM?
> in other words, were flashrom to work on this box, can the password be reset?
flashrom likely isn't enough. :\
ThinkPads at least used to have a special "high security" EEPROM, plus they've had fairly much more sophisticated ECs compared to other laptop designs, for a long time.
I'm sure it's possible to reset that password, but I don't know where, and I'm pretty sure it's somewhere unusual.
If you want to dive into the ThinkPad world of ECs, there was a lot of good work done on the T43 - although that one is old by now, maybe it can still be helpful:
http://forum.thinkpads.com/viewtopic.php?t=20958
http://www.thinkwiki.org/wiki/Embedded_Controller_Firmware
It may be quickest to just order a new system board for the laptop off eBay.
//Peter
On Thu, 8 Apr 2010 18:45:34 +0000, ron minnich rminnich@gmail.com wrote:
> I have a Lenovo x300 somebody set the password on and ... as you guess, forgot.
> So, question: anyone have any idea how deep into the machine the password is kept on new machines? Deep in TPM?
> in other words, were flashrom to work on this box, can the password be reset?
I had an IBM laptop that I had gotten used and it was password protected by the BIOS. I had found from googling around that there is a separate EC on the board that held the password. Shorting 2 pins on the EC and powering it on cleared it, and I was able to use it. Hope that helps.
On 08.04.2010 20:45, ron minnich wrote:
> I have a Lenovo x300 somebody set the password on and ... as you guess, forgot.
BIOS password or boot password?
> So, question: anyone have any idea how deep into the machine the password is kept on new machines? Deep in TPM?
> in other words, were flashrom to work on this box, can the password be reset?
It depends. I know that you can reset the password with flashrom on HP machines (got a success report about that a few weeks ago). Not sure about Lenovo. You can store a password (or a hash of it) in flash or NVRAM or a small SPI EEPROM or an I2C EEPROM or even the TPM or any combination thereof.
How much time/money are you willing to invest?
- The easiest and probably most expensive way (could be a few hundred dollars) is to send the laptop with a proof of ownership to Lenovo to have it unlocked.
- A risky and fast (if you can recover from a misflashed ROM) way is to simply flash a new ROM image which is pretty much guaranteed to have no builtin protection, but it won't help at all if the protection is not dependent on flash contents. Messing with nvramtool might have other effects, but hey, you can try that as well.
- If you have a good logic analyzer, you can watch the traffic to the TPM, NVRAM, flash, and all other EEPROMs around the time you enter the password.
If you find a good way to get the password removed, there's always the option of selling that knowledge to non-Lenovo repair shops.
Good luck!
Regards, Carl-Daniel
I'm not sure if this will work and it's risky as well, but you might want to try it out:
In most BIOSes, shorting the address pins (or the equivalent of that act) upon boot will force the machine to boot from the bootblock BIOS. The bootblock routine usually searches for a BIOS binary file to flash, because the assumption is that the system BIOS, a.k.a. the main BIOS module, is corrupt and needs replacement. I'm not sure how to provide this "new" BIOS binary file replacement for your case. However, most BIOSes require a boot floppy (in recent days a FAT16 formatted USB stick) which contains an autoexec.bat file with the routine to flash the new BIOS binary and the BIOS binary file itself.
On 4/9/10, Carl-Daniel Hailfinger c-d.hailfinger.devel.2006@gmx.net wrote:
> On 08.04.2010 20:45, ron minnich wrote:
> > I have a Lenovo x300 somebody set the password on and ... as you guess, forgot.
> BIOS password or boot password?
> > So, question: anyone have any idea how deep into the machine the password is kept on new machines? Deep in TPM?
> > in other words, were flashrom to work on this box, can the password be reset?
> It depends. I know that you can reset the password with flashrom on HP machines (got a success report about that a few weeks ago). Not sure about Lenovo. You can store a password (or a hash of it) in flash or NVRAM or a small SPI EEPROM or an I2C EEPROM or even the TPM or any combination thereof.
> How much time/money are you willing to invest?
> - The easiest and probably most expensive way (could be a few hundred dollars) is to send the laptop with a proof of ownership to Lenovo to have it unlocked.
> - A risky and fast (if you can recover from a misflashed ROM) way is to simply flash a new ROM image which is pretty much guaranteed to have no builtin protection, but it won't help at all if the protection is not dependent on flash contents. Messing with nvramtool might have other effects, but hey, you can try that as well.
> - If you have a good logic analyzer, you can watch the traffic to the TPM, NVRAM, flash, and all other EEPROMs around the time you enter the password.
> If you find a good way to get the password removed, there's always the option of selling that knowledge to non-Lenovo repair shops.
> Good luck!
> Regards, Carl-Daniel
On 09.04.2010 05:17, Darmawan Salihun wrote:
> I'm not sure if this will work and it's risky as well, but you might want to try it out:
> In most BIOSes, shorting the address pins (or the equivalent of that act) upon boot will force the machine to boot from the bootblock BIOS. The bootblock routine usually searches for a BIOS binary file to flash, because the assumption is that the system BIOS, a.k.a. the main BIOS module, is corrupt and needs replacement.
This can't work on LPC/FWH/SPI flash because there are no address lines on these chips.
And even on old-style parallel flash, I don't understand how this is supposed to work. If we short all address lines, the CPU is going to read garbage from the ROM and won't even start up. Same problem applies if you short the lowest address line. Shorting some intermediate address line like A8 could work if the BIOS image is carefully crafted. Shorting the uppermost address line could work as well. And if an EC is using that parallel flash chip as well, you'd better make sure it will _never_ read garbage or you have some really big problems.
I'd appreciate a real-world example where shorting an address pin works. Please include the flash chip type and tell me which address pin was shorted, and whether the pin was tied to 0 or to 1.
Regards, Carl-Daniel
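The address-line reasoning in the message above can be checked with a small model. This is an added example, not part of the thread; the 64 KiB chip size, the 8 KiB bootblock at the top of the chip and the image contents are assumptions made for illustration.

```python
# Constructed model, not taken from any real board: a 64 KiB parallel flash
# (address pins A0..A15) whose top 8 KiB is assumed to hold the bootblock.
ROM_SIZE = 1 << 16
BOOTBLOCK_START = 0xE000


def make_rom():
    """Constructed image in which any single-pin alias reads a different byte."""
    return bytes(((a >> 8) * 7 + a * 13) & 0xFF for a in range(ROM_SIZE))


def effective_address(addr, pin, level):
    """Address the chip decodes when address pin `pin` is tied to `level`."""
    mask = 1 << pin
    return (addr | mask) if level else (addr & ~mask)


def corrupted_fraction(rom, start, end, pin, level):
    """Fraction of bytes in [start, end) that the CPU would read back wrong."""
    bad = sum(rom[effective_address(a, pin, level)] != rom[a]
              for a in range(start, end))
    return bad / (end - start)


def survey(rom, pins=(0, 8, 15)):
    """Map (pin, level) -> (bootblock corruption, main image corruption)."""
    return {
        (pin, level): (
            corrupted_fraction(rom, BOOTBLOCK_START, ROM_SIZE, pin, level),
            corrupted_fraction(rom, 0, BOOTBLOCK_START, pin, level),
        )
        for pin in pins
        for level in (0, 1)
    }


if __name__ == "__main__":
    for (pin, level), (boot, main) in survey(make_rom()).items():
        print(f"A{pin} tied to {level}: bootblock {boot:.0%} wrong, "
              f"main image {main:.0%} wrong")
```

In this model, with an image that is not specially crafted, tying A0 or A8 to either level makes half of the bootblock read back wrong, while tying the uppermost pin to 1 leaves the bootblock intact and corrupts only the lower part of the main image.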
Hi Ron,
ThinkPads have a special EEPROM for the password: 24RF08
http://www.allservice.ro/store/utils/index.htm
Hook it and use that software to read it. I think it is stored as scan codes.
WARNING! This EEPROM has a hardware bug! Avoid ANY "write short" transactions. All transactions which just send Start cond, addr and R/W, Stop cond will not work! There is a bug in the state machine which causes it to ignore the stop conditions, making the further probing act as chip writes. The BIOS is very very pissed off if the EEPROM is corrupted.
Cleaning the EEPROM is not enough because it sets the HDD password! Careful with that!
Check also:
http://www.thinkwiki.org/wiki/Maintenance recovering bios passwords
For the X300 the above is also true, I think you can check the testpoints:
http://www.allservice.ro/forum/viewtopic.php?t=52
http://www.allservice.ro/forum/images/x300.jpg
Good luck,
Rudolf
On Thursday 08 April 2010 20:45:34 ron minnich wrote:
> I have a Lenovo x300 somebody set the password on and ... as you guess, forgot.
As Rudolf suggested, you can probably use the master password for recovery if it works.
Otherwise I recommend for such situations the cmospwd utility from cgsecurity (also pretty well known for their testdisk utility). As far as I used the cmospwd utility it worked like a charm.
http://www.cgsecurity.org/wiki/CmosPwd
> So, question: anyone have any idea how deep into the machine the password is kept on new machines? Deep in TPM?
I think it's most likely stored in CMOS/EEPROM, but the solutions on that goal vary from manufacturer to manufacturer.
> in other words, were flashrom to work on this box, can the password be reset?
Try to use the tool mentioned above; until now I have always had success with that.
> ron
Harald
On Friday 09 April 2010 16:12:28 Harald Gutmann wrote:
> On Thursday 08 April 2010 20:45:34 ron minnich wrote:
> > I have a Lenovo x300 somebody set the password on and ... as you guess, forgot.
> As Rudolf suggested, you can probably use the master password for recovery if it works.
I just read his posting quite fast, and he didn't mention a master password, just an EEPROM chip name.
> Otherwise I recommend for such situations the cmospwd utility from cgsecurity (also pretty well known for their testdisk utility). As far as I used the cmospwd utility it worked like a charm.
According to its Readme the tool won't work really fine on the Thinkpads, as those laptops use the chip Rudolf described.
> > So, question: anyone have any idea how deep into the machine the password is kept on new machines? Deep in TPM?
> I think it's most likely stored in CMOS/EEPROM, but the solutions on that goal vary from manufacturer to manufacturer.
In this case, it's stored in a separate EEPROM, but the question is if it would be hard to read it in Linux.
Quote from the CmosPwd utility's Readme, section Laptops:
IBM Thinkpad X20: eeprom 24RFC08CN, password in scan code at 0x338
IBM TP 240: eeprom ?, password in scan code at 0x338.
IBM TP 380Z: eeprom 24c01, password in scan code at 0x38 and 0x40
IBM TP 390: eeprom 24c03 (be careful, there are two eeprom)
IBM TP 560X: eeprom 24c01, password in scan code at 0x38 and 0x40
IBM TP 570: eeprom ?, password in scan code at 0x338 and 0x3B8.
IBM TP 750C,755CX,760C,765D: eeprom 93c46, password in scan code at 0x38 and 0x40 OKI M811b may be written on the chip. Search near pcmcia slot or adjacent the floppy connector on the top side of the board
IBM TP 770: eeprom 24c01
IBM TP 600E, T21, T23: 14 PIN 24RF08
IBM TP T20: 24RF08, password in scan code at 0x338 and 0x3B8
-snip-
You can get/buy eeprom programmer in electronic shops or labs, you need another PC to use it. You can desolder the eeprom with hot air or you can try to "clip" the eeprom. With the eeprom programmer, backup your eeprom and run "cmospwd /d /l eeprom_backup". If you don't see the password, you can try to fill the eeprom with zero or FF, don't forget to reset the cmos.
> > in other words, were flashrom to work on this box, can the password be reset?
I guess if the assumption is right, that the X300 uses also a 24c0X eeprom to save the passwords, it's just a matter of how to read that without an external programmer, or if it is even possible to read it within an OS.
> Try to use the tool mentioned above; until now I have always had success with that.
Yes, but never used it on thinkpads... But pretty successful on desktop computers.
> > ron
Harald