Resetting the Superuser Password in a Lenovo Thinkpad R61 BIOS

I've had an R61 given to me that had an unknown password. That's easy enough to reset by unplugging the CMOS battery, but that only showed that there was also a superuser password set.

There are a lot of resources about this on the Net; I primarily used

One thing that has been brought to my attention (thx Spenser!) is this description of how to do it without soldering:

Find the chip

The password is stored in a 24RF08 EEPROM; it seems to sit in different locations on different sub-models of the R61. The link has some pictures; mine was on the underside of the mainboard next to the ultrabay.

The maintenance manual with disassembly instructions (because you need to unscrew the right 35 screws in the right order to get to the guts):

Connect to the chip

That's described in the links above: connect SDA, SCL and GND.

On the Nano, SDA goes to the "A4" pin and SCL to "A5".

I didn't find it too hard to solder onto the chip, and I'm not the world's best solderer. Thin enameled copper wire is definitely a must; a microscope or an ultra-fine soldering tip is not.

I first had some series resistors (4.7k) in the SDA/SCL lines on the Arduino side, but that didn't work, so I dropped them. Seems sketchy, but no magic smoke escaped.

I then taped all the wiring and the Arduino right into the ultrabay, because the R61 had to be turned over quite a few times and I didn't want to short anything out.

Access the chip via Arduino

That's where it got interesting. The serial interface described on the allservice site, well, who has serial ports anymore? But I had an Arduino Nano clone around (you can never have too many of those). I first tried the code from das-labor, but that had a severe case of bitrot (not complaining here -- the info on this here page will bitrot soon enough, too).

So I went the Arduino IDE route and cobbled something together from I2C samples I found on the Arduino forum: thinkpad eeprom.ino. That code is a mess, but I spent all night getting it to work and it did work, so I'm not gonna clean it up for you. Links to the places I've copy-and-pasted from are in the code.

The process was as follows:

Hook it up

Power on the R61 while the Arduino is off and let it boot until it asks for the password. Then power on the Arduino and open the serial terminal.

Scan for I2C devices

The code first scans for devices because, contrary to all the info I've found elsewhere, my EEPROM was at 0x54 and not at 0x50. So see where it pops up (it answers on 4 consecutive addresses) and put that address in EEPROM_I2C_ADDRESS in the code.

Dump the sucker

Re-upload if necessary, and copy the dumped data from the terminal.
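A read-only scan-and-dump sketch for the three steps above, written as an added example here rather than the author's thinkpad eeprom.ino. It assumes the 24RF08's four 256-byte blocks are selected through four consecutive device addresses (which matches the "4 consecutive addresses" seen in the scan) and defaults to the author's base address 0x54; the i2cdetect man page notes that probing with SMBus quick writes is known to corrupt the AT24RF08, so the scan below probes with one-byte reads instead.

```arduino
// Added example (not the author's thinkpad eeprom.ino): probe the bus with
// reads and dump a 24RF08-style EEPROM (4 blocks x 256 bytes) as hex.
#include <Wire.h>

// Assumed base address: the author's chip answered at 0x54 (0x54-0x57),
// many others at 0x50. Set this to whatever the scan reports.
#define EEPROM_I2C_ADDRESS 0x54
#define BLOCKS 4
#define BLOCK_SIZE 256
#define CHUNK 16        // stay well under the Wire library's 32-byte buffer

// Probe with a 1-byte read rather than an empty write: the i2cdetect man
// page warns that quick-write probing is known to corrupt the AT24RF08.
void scanBus() {
  Serial.println("Scanning I2C bus (read probes)...");
  for (uint8_t addr = 0x08; addr < 0x78; addr++) {
    if (Wire.requestFrom(addr, (uint8_t)1) == 1) {
      while (Wire.available()) Wire.read();   // discard the probe byte
      Serial.print("  device at 0x"); Serial.println(addr, HEX);
    }
  }
}

// Dump one block: write the byte address, then read sequentially in chunks.
// Returns how many bytes were actually received (BLOCK_SIZE on success).
uint16_t dumpBlock(uint8_t block) {
  uint8_t dev = EEPROM_I2C_ADDRESS + block;  // block select is in the device address
  uint16_t got = 0;
  for (uint16_t off = 0; off < BLOCK_SIZE; off += CHUNK) {
    Wire.beginTransmission(dev);
    Wire.write((uint8_t)off);
    if (Wire.endTransmission(false) != 0) break;   // repeated start, no STOP
    uint8_t n = Wire.requestFrom(dev, (uint8_t)CHUNK);
    for (uint8_t i = 0; i < n; i++) {
      uint8_t b = Wire.read();
      if (b < 0x10) Serial.print('0');
      Serial.print(b, HEX);
      Serial.print(((off + i) % 16 == 15) ? '\n' : ' ');
      got++;
    }
  }
  return got;
}

void setup() {
  Serial.begin(9600);
  Wire.begin();          // Nano: A4 = SDA, A5 = SCL
  scanBus();
  for (uint8_t blk = 0; blk < BLOCKS; blk++) {
    Serial.print("--- block "); Serial.print(blk); Serial.print(" @0x");
    Serial.println(EEPROM_I2C_ADDRESS + blk, HEX);
    if (dumpBlock(blk) != BLOCK_SIZE) Serial.println("(short read: check wiring/address)");
  }
}

void loop() {}   // read-only sketch: nothing here writes to the chip
```

Copy the hex from the serial terminal into a file; a block that comes back short usually means the base address or the SDA/SCL wiring is wrong.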

I tried to analyze the (massaged) data with allservice's "ibmpass" tool (you need to click "translate" to see the decoded data at 0x338/0x340, and you can try different decodings in the "view" menu), but the password candidates it gave me didn't work.

Burn it to the ground!

So I went the (risky) route of overwriting 0x338-0x347 in the EEPROM with zeros; enable the "overwrite()" call in "void loop()" if you feel you can take the risk. YMMV.

The result: no more password. BINGO!