DISCLAIMER: Any discussion of how to crack security on even vintage machines is banned on most ThinkPad forums. So much as mentioning this page can get you banned in some places.
IBM/Lenovo also says the only way to "recover" from a lost password is a new motherboard. Meanwhile everyone else has figured it out. Great example of security theater.
If Lenovo were serious about security they would encourage such discussion and exploration to improve their product. Of course this is Lenovo we are talking about, the company that thought Superfish would be a super idea!
On the other hand, as evidenced by a few other comments here, there are probably quite a few who don't want the security "improved" Apple-style, to the point that losing the password really means it's impossible to recover from.
Note that this password only allows access to BIOS and being able to boot; if the HDD also has a password and/or is encrypted, this doesn't really affect security of data.
That is the trade-off though. If you want a secure device you need to accept the risk that if you forget the passphrase you are fucked. A false sense of security isn't a good thing.
Correct. The HD password is a little closer to real security.
My motivation here is the same as most people buying old Thinkpads off eBay: getting past the SVP on machines with a dead CMOS battery. I don't give a fig about any data on the hard drive :-)
That reminds me of a trick I discovered nearly 10 years ago on an Acer to reset the BIOS Password from Windows.
There was this eSettings.exe which let you change some BIOS Settings from Windows, including the password. Of course it first asked for the old password and showed a prompt, denying the request if it was wrong.
I fired up good old OllyDbg and traced the prompt in the ASM code. I changed only one bit IIRC (jne to je, or similar), saved the .exe and tried my luck.
It let me through the prompt and I entered the new password. Amazingly the BIOS gladly accepted it!
I didn't bother to find out what functions it exactly called to set the new password to write a small tool, because I already had one. ;)
I wonder if this still works... If not with an Acer, maybe with some other make?
I haven't tried this on anything newer than Sandy Bridge, but yes.
I've never seen a BIOS that actually had anything but application-level password check for the calls from OS mode to rewrite the BIOS passwords or settings. No idea whether you can leverage TPMs or some of the enterprise trusting features to change that, though.
Right, but I'm still surprised they've not at least implemented "if can't read EEPROM at boot disable EEPROM writes".
With the architecture used, they're never going to be too robust to physical access. An overall EEPROM reset button on the motherboard would be best, and just admit there's really no security against physical access here.
One other point. You don't even need to remove the EEPROM, you can reprogram it in-place using an SOIC-8 clip and an SPI interface (eg buspirate). There is a lot of info available.
Really more of a bypass than a crack, but good to know.
I have a t420 that has the supervisor password enabled. The only thing it prevented me from doing was enabling virtualization on the cpu, but docker has mostly replaced vagrant for me so I haven't minded.
> "I'm telling you to use different pins than ~all the other instructions on the web."
*sigh* Please, please, provide reasons along with your arguments. Simply stating something doesn't help, especially when there is contradicting information floating around.
[continued..] You can't generalize, but you can assume. Quite likely many Thinkpads use the same piece of code to handle firmware password-checking. Once the code is changed, it'll likely propagate (slowly) inside the company to all of the new (or firmware-updated) laptops.
That being said, it's likely the firmware's failsafe-mechanism kicking in when it cannot access the memory chip that stores the password (because access to the chip is hindered).
Yet utilizing the "WP" (write protect) pin on the memory chip ought to do nothing in my opinion - unless the firmware tries to store something to the memory at boot time (which is entirely possible). On the other hand, forcing the clock or data pins to ground - in effect disallowing any signalling via them - should be a surefire way to force the firmware to trigger its failsafe mechanism.
I'm not using the WP pin, I'm using the PROT pin. It forces the EEPROM to behave differently, because it signals it does not have a good power state. The EEPROM can be 'read', but the data it hands back is different. You can go read the spec sheets for the EEPROMs in question. You have the part numbers.
But I was more interested in the end-to-end test, as I expected others reading would also be:
SCL to SDA (the usual instructions given elsewhere) only works on some models.
PROT to GND appears to work on all. In my collection of ~30 machines, it works on all the models SCL to SDA does, as well as all the models SCL to SDA does not.
PROT to GND was the original hack as discovered around the time of the T20.
Ahh, my mistake. WP != PROT. Utilizing the PROT pin appears to force the memory chip's internal read & write protection flags active, causing read and write operations to fail (unless I understood incorrectly). This kind of information could be beneficial to others if it's correct: could you add it to your post?
You said it's because of a mix-up when reading documentation, but you said nothing about /why/ changing the write-protect pin's state should work - or why tying clock and data pins together should not.
To be fair, I cannot say with certainty why it works; I don't have code for the BIOS or EC. The CoreBoot and LibreBoot people might be able to shed some light.
The more interesting aspect, verified by testing, is that it does work.
In my own testing, SCL to SDA will not work on the T2X, T3X, T4X, T60, X2X, X3X, X4X, or X60. It does work on the T61/X61 and T400/500.
PROT to GND works on all of the above. I also tested it on an X230 (works), but I didn't check SCL to SDA on that machine.
Thanks for the list of combinations of Thinkpad models regarding SCL/SDA and PROT/GND. I tried SCL/SDA on my T60, and of course it did not work... Do you happen to know how to locate PROT and GND on the top of the T60 mainboard? Unfortunately the guide on ja.axxs shows only where SCL and SDA are located. Really appreciate it, thanks!
GND and PROT are pins 31 and 32 on the same chip, right next to SCL and SDA on the 8356908. I don't know where PROT might be exposed on the top of the PCB; it very well might not be. I soldered leads directly to the chip to test.
Good to see nothing changes. Many years ago I found I could bypass a 760EL password by copying the boot sector from an IBM util floppy disk to any boot disk.