Thinkpad Passwords

From FreekiWiki

This page has been migrated to a document on Free Geek's Google Drive.

Information remaining behind may no longer be relevant.




Thinkpad Laptop Passwords

The best way to remove a password is to ask the donor to do it. Note that a donor company with a central IT department may use the same BIOS passwords on all their machines, so the steps below, used to extract those passwords, may reveal secret passwords that the donor company does NOT want to be made public. On the other hand, passwords removed from an easily accessible laptop (like the T30) can be tried on the rest of a donated batch of machines. Proper handling of these passwords will require good judgment and delicate handling of private information.

Some IBM Thinkpads (T20, T21, T30, R20, many more) have multiple start-up passwords, some stored in nonvolatile memory. There are different ways to remove these, depending on the model. The Hardware Maintenance Manual (HMM) for the model is helpful; HMMs can sometimes be found on the Lenovo website, and sometimes elsewhere on the web.

These passwords interfere with the repurposing of a Thinkpad laptop. Since the IDE hard disk on a Thinkpad is easily removed and read with another machine, their only real purpose is to make the hardware less useful to thieves.

Rumor has it that newer Thinkpads built after 2005 store passwords in ways that can't be accessed using the techniques below. These will probably become parts machines.

This document is INCOMPLETE, and more will be added later.

Thinkpad T30

The T30 has a Power On Password (PON), a Supervisor Password (SVP), and a Hard Disk password. The PON password (letters, numerals, and semicolon) must be entered for the machine to continue to boot. The Supervisor Password is needed to enter the BIOS, which may be necessary to fix the time of day, change boot options, etc.

The PON can be removed by pulling the main battery, then removing the small lithium coin battery underneath. The coin battery is in a black plastic holder - remove one screw and pull the holder up and sideways, to disconnect the little white two pin connector. Next, with an AC adapter attached, start the unit; this clears the PON.

The SVP is more difficult to remove. It is stored in a small 8-pin surface-mount 24RF08 nonvolatile memory chip, located underneath the second (outer) memory stick. The nonvolatile memory can be read with an external fixture (see below) and the password extracted. The extracted password allows entry into the BIOS, where the password can be removed.

I haven't removed a hard disk password yet, but that can be done through the BIOS. If this encrypts the bits on the disk, then the disk is probably unreadable without that password. For Free Geek purposes, that is fine; the disk will be wiped anyway. If a Free Geek client set the password (through the BIOS) and then forgot it, they are out of luck, and will need a re-install.

24RF08 SVP Password Removal

This requires a specially built cable with a clip, and a (gag) Windows computer with a 9 pin serial port and the right software. Keith Lofstrom built a fixture for this, using information from [1] and elsewhere. Rather than soldering wires to the tiny chip, the cable has something called an "SOIC Dip Clip" on the end.

Some Thinkpads use the 93C46 chip instead. That needs a fixture with different wiring.

On some Thinkpads, the 24RF08 chip is accessible through an opening in the case: battery compartment (T30), under the keyboard, etc. For other Thinkpads, a hole through the case will be necessary. And for some models of Thinkpad, the laptop will need to be mostly disassembled, then reconnected on the bench without the case, the pieces loose. Very difficult and time consuming - these may be better as parts machines.

A web search will find sites with pictures of where the 24RF08 is located.

Two freeware Windows programs are used, 24rf08.exe and ibmpass2.exe from All Service. These run under Windows; win95 is fine. They could probably be duplicated in Linux if someone is looking for a coding project.

1) The Laptop Under Test (LUT) is powered up, and F1 is held down to enter the BIOS. A picture of a padlock will appear on the screen. In normal operation, this is where the "supervisor" would enter the SVP BIOS password.

2) Next, clip on the cable, with the other end connected to the Windows computer's serial port. You may need to hold it in place, and make sure all 8 pins are contacted on the chip. In some cases, this will require two people to hold everything.

3) Run "24rf08.exe nvout.bin" on the Windows computer. This either extracts the binary image file nvout.bin, or the program complains that it isn't hooked up correctly. If it complains, repeat step 2 and try again.

4) Disconnect the clip.

5) Run "ibmpass2.exe" on the Windows computer. Use the menus to load the nvout.bin file. It will bring up a binary window, with a keycode text translation on the side. The first 80 bytes contain a machine description, BIOS version, and serial number. If you don't see those, start again from step 2.

6) At approximately address 0x338 and 0x340, you will see two copies of the plaintext password. If these look like gibberish, click on the "AA Off" "AA On" button near the upper left. If the 8 character fields are all zeros, there is no password, you silly English person, I pick my teeth in your general direction.

7) Enter the password at the padlock prompt on the LUT laptop. You should now be able to enter the BIOS, go into config, and remove all passwords.
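
The checks in steps 5 and 6, as a Linux-side sanity check on a dump such as nvout.bin. This is an added example, not the All Service tools and not code from this wiki: it reports whether the read looks good and whether a password is set, without displaying the stored bytes, which suits the handling caveat at the top of the page. The printable-ASCII header test and the names `check_dump` and `constructed_image` are assumptions; the offsets are the approximate ones given in step 6.

```python
import sys
from dataclasses import dataclass

HEADER_LEN = 80               # page: first 80 bytes describe the machine
PW_OFFSETS = (0x338, 0x340)   # page: "approximately" these addresses
PW_LEN = 8                    # page: 8-character fields

@dataclass
class DumpReport:
    header_ok: bool      # header looks like text, so the read probably worked
    copies_match: bool   # both password fields hold identical bytes
    password_set: bool   # at least one field is not all zeros

    @property
    def verdict(self) -> str:
        if not (self.header_ok and self.copies_match):
            return "bad read: reseat the clip and dump again"
        return "password present" if self.password_set else "no password set"

def check_dump(image: bytes) -> DumpReport:
    """Sanity-check a 24RF08 image without printing the password bytes."""
    if len(image) < PW_OFFSETS[1] + PW_LEN:
        raise ValueError("image too short to hold both password fields")
    # Assumption (not stated on the page): a good header is mostly printable ASCII.
    printable = sum(0x20 <= b < 0x7F for b in image[:HEADER_LEN])
    first, second = (image[o:o + PW_LEN] for o in PW_OFFSETS)
    return DumpReport(
        header_ok=printable >= HEADER_LEN * 3 // 4,
        copies_match=first == second,
        password_set=any(first) or any(second),
    )

def constructed_image(field: bytes, header_text: bool = True) -> bytes:
    """Build a constructed 1 KiB sample image (not from a real machine)."""
    image = bytearray(1024)
    if header_text:
        image[:HEADER_LEN] = b"CONSTRUCTED SAMPLE HEADER".ljust(HEADER_LEN)
    for offset in PW_OFFSETS:
        image[offset:offset + PW_LEN] = field
    return bytes(image)

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python3 check.py nvout.bin
        with open(sys.argv[1], "rb") as fh:
            print(check_dump(fh.read()).verdict)
    else:
        for field in (bytes(8), bytes(range(1, 9))):
            print(check_dump(constructed_image(field)).verdict)
```

A "bad read" verdict corresponds to the "start again from 2" cases in the steps above.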