[coreboot] password

Harald Gutmann harald.gutmann at gmx.net
Fri Apr 9 16:46:11 CEST 2010

On Friday 09 April 2010 16:12:28 Harald Gutmann wrote:
> On Thursday 08 April 2010 20:45:34 ron minnich wrote:
> > I have a lenovo x300 somebody set the password on and ... as you guess,
> >  forgot.
> As Rudof suggested, you can probably use the master password for recovery
>  if it works.
I just read his posting quite fast, and he didn't mention a master password, 
just a eeprom chip name.

> Otherwise I recommend for such situations the cmospwd utility from
>  cgsecurity (also pretty well know for their testdisk utility). As far I
>  used the cmospwd utility it worked like a charm.
> http://www.cgsecurity.org/wiki/CmosPwd

According to it's Readme the tool won't work really fine on the Thinkpads, as 
those laptops use the chip Rudolf described.

> > So, question: anyone have any idea how deep into the machine the
> > password is kept no new machines? Deep in TPM?
> I think it's most likely stored in CMOS/EEPROM, but the solutions on that
>  goal varies from manufacturer to manufacturer.
In this case, its stored in a separate EEPROM, but the question is if it would 
be hard to read it in linux.

Quote form the CmosPwd utilities Readme section Laptops:
IBM Thinkpad X20: eeprom 24RFC08CN, password in scan code at 0x338
IBM TP 240: eeprom ?, password in scan code at 0x338.
IBM TP 380Z: eeprom 24c01, password in scan code at 0x38 and 0x40
IBM TP 390: eeprom 24c03 (be carrefull, there are two eeprom)
IBM TP 560X: eeprom 24c01, password in scan code at 0x38 and 0x40
IBM TP 570: eeprom ?, password in scan code at 0x338 and 0x3B8.
IBM TP 750C,755CX,760C,765D: eeprom 93c46, password in scan code at 0x38 and 
            OKI M811b may be written on the chip. Search near pcmcia slot or
	    adjacent the floppy connector on the top side of the board
IBM TP 770:  eeprom 24c01
IBM TP 600E, T21, T23: 14 PIN 24RF08
IBM TP T20: 24RF08, password in scan code at 0x338 and 0x3B8


You can get/buy eeprom programmer in electronic shops or labs, you need
another PC to use it.
You can desolder the eeprom with hot air or you can try to "clip" the
eeprom. With the eeprom programmer, backup your eeprom and run
"cmospwd /d /l eeprom_backup". If you don't see the password, you can try
to fill the eeprom with zero or FF, don't forget the reset the cmos.

> > in other words, were flashrom to work on this box, can the password be
> >  reset?
I guess if the assumption is right, that the X300 uses also a 24c0X eeprom to 
save the passwords, it's just a matter of how to read that without an external 
programmer, or if it is even possible to read it within an OS.

> Try to use the tool mentioned above, I had until now always success with
>  that.
Yes, but never used it on thinkpads...
But pretty successful on desktop computers.

> > ron

More information about the coreboot mailing list