[coreboot] password

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Fri Apr 9 00:44:47 CEST 2010

On 08.04.2010 20:45, ron minnich wrote:
> I have a lenovo x300 somebody set the password on and ... as you guess, forgot.

BIOS password or boot password?

> So, question: anyone have any idea how deep into the machine the
> password is kept no new machines? Deep in TPM?
> in other words, were flashrom to work on this box, can the password be reset?

It depends. I know that you can reset the password with flashrom on HP
machines (got a success report about that a few weeks ago).
Not sure about Lenovo. You can store a password (or a hash of it) in
flash or NVRAM or a small SPI EEPROM or an I2C EEPROM or even the TPM or
any combination thereof.

How much time/money are you willing to invest?

- The easiest and probably most expensive way (could be a few hundred
dollars) is to send the laptop with a proof of ownership to Lenovo to
have it unlocked.

- A risky and fast (if you can recover from a misflashed ROM) way is to
simply flash a new ROM image which is pretty much guaranteed to have no
builtin protection, but it won't help at all if the protection is not
dependent on flash contents. Messing with nvramtool might have other
effects, but hey, you can try that as well.

- If you have a good logic analyzer, you can watch the traffic to the
TPM, NVRAM, flash, and all other EEPROMs around the time you enter the

If you find a good way to get the password removed, there's always the
option of selling that knowledge to non-Lenovo repair shops.

Good luck!



More information about the coreboot mailing list