Linux Scroll

Just another WordPress.com site

Category Archives: BIOS

Hack Thinkpad X100e BIOS Password

Warning: Use at Your Own Risk

IBM ThinkPad X100e uses a small eeprom (ATMEL 24RF08) to store different OEM issues like serial number, UUID, etc. The supervisor password (SVP) is stored also into this litle chip.

1. Locating the eeprom
X100e EEPROM Location
Look for PS08.

2. Download Software

The software is R24RF08 (eeprom reader) and IBMpass (password decoder).

3. DIY Simple ATMEL 24RF08 Chip Reader
Buy:

* 2 x 2.2K Ohm Resistors

* 2 x Zener diodes 5.1V
* Serial Port 9 pin Female


Simple-i2cprog.pdf

Soldering according to Simple-i2cprog.pdf.
Connect to Serial Port 1.
Install R24RF08.

Test your reader with itester.(itester include in R24RF08 installation folder)
itester result must be:
SDA in = 1
SDA/SCL out = 1

(Interval 5 seconds)

SDA in = 0
SDA/SCL out = 0

Test with R24RF08:

cmd > r24rf08 dump.bin

You should get:

24RF08 eeprom reader v2.0b - Win32 Console Version

Copyright (C) Victor Voinea, ALLservice 2004-2005, www.allservice.ro
----------------------------------------------------------------
Initializing timer...4908 OK!
ERROR: Eeprom not available!
----------------------------------------------------------------
Hit to exit...

If you get:

24RF08 eeprom reader v2.0b - Win32 Console Version

Copyright (C) Victor Voinea, ALLservice 2004-2005, www.allservice.ro
----------------------------------------------------------------
Initializing timer...4908 OK!
ERROR: Circuit not found or bus error!
----------------------------------------------------------------
Hit to exit...

You have to check your circuit.
Note: Do not open itester while running r24rf08.

4. Link EEPROM
Connect 3 cable to EEPROM:
GND 4
SDA 5
SCL 6

5. Dumping the password

cmd > r24rf08 dump.bin (Do not hit ENTER)

Connect reader to EEPROM cable in order:
GND
SDA
SCL
Hit ENTER

You should get:

24RF08 eeprom reader v2.0b - Win32 Console Version

Copyright (C) Victor Voinea, ALLservice 2004-2005, www.allservice.ro
----------------------------------------------------------------
Initializing timer...4908 OK!
File already exists. Overwrite? : y

Reading eeprom...
>>>>>>>>>
Done.
1024 bytes saved in dump.bin

----------------------------------------------------------------
Hit to exit...

Disconnect cable in order:
SCL
SDA
GND

6. Read dump.bin file
Open dump.bin with IBMpass.
Normally password at 0x330 and 0x340.
X100e have TCPA lock enable, you cannot get the SVP password.

You may get help from allservice.ro:

1xTCPA unlock service...........$25

W24RF08 license.................$30 (license per seat, unlimited use)
------------------------------------
Total...........................$55

OR
Find a way to edit dump.bin file.

7. Reprogramme dump.bin to EEPROM
You need to unlock the Access Protection Page before you can reprogramme new dump.bin to EEPROM.
You need W24RF08 software.

Connect cable in order:
GND
SDA
SCL

Reset Access Protection Page:

cmd > w24rf08 /p

24RF08 eeprom  writer v2.0b - Win32 Console Version

Copyright (C) Victor Voinea, ALLservice 2004-2005, www.allservice.ro
----------------------------------------------------------------
Initializing timer...4908 OK!

Resetting APP...
Done.

----------------------------------------------------------------
Hit to exit...

Reprogramme EEPROM:

cmd > w24rf08 newdump.bin

24RF08 eeprom  writer v2.0b - Win32 Console Version

Copyright (C) Victor Voinea, ALLservice 2004-2005, www.allservice.ro
----------------------------------------------------------------
Initializing timer...4908 OK!
Eeprom dump size:OK

Page mode. Writing eeprom...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Done.

----------------------------------------------------------------
Hit to exit...

Disconnect cable in order:
SCL
SDA
GND

Now you enter BIOS. Cheers!

Resources:
X100e EEPROM Location
IBM ThinkPad Password Help Center (EN)
Hacking IBM Thinkpad Bios Password
For those laptop don’t have serial port can use “RS232 to USB”.

Advertisements