[FAQ] IBM ThinkPad Unlock Supervisor Password

Networking/Security Forums -> Hardware // Upgrades

Author: allserviceLocation: @your.service PostPosted: Wed Nov 10, 2004 8:50 pm    Post subject: [FAQ] IBM ThinkPad Unlock Supervisor Password
    ----
updated: October 2006

Hi everybody,

Because so many of you need this I decided to publish here the whole story.

1. Introduction.
As you may know, IBM ThinkPad uses a small eeprom (ATMEL 24RF08) to store different OEM issues like serial number, UUID, etc. The supervisor password (SVP) is stored also into this little chip. So, anybody should figure that he needs to read the eeprom in order to find the password string. The first problem is that 24RF08 is not an ordinary eeprom. The second is that the password is written in a special scan code.
To read this properly you need a software (and an interface) specially designed for this eeprom.
The software is R24RF08 (eeprom reader) and IBMpass (password decoder).

Below is detailed the password recovery procedure. Both R24RF08 and IBMpass are needed. Also for TPs using TCPA security chip to encrypt the passwords, the eeprom writer W24RF08 is needed to complete the unlock procedure.

IBMpass works for absolutely all TP models. The following ThinkPad models are based on 24RF08 eeprom and must be accessed only with 24RF08 programming tools mentioned above:


-240, 240X
-390E, 390X
-570, 570E
-600e, 600X
-770Z
-A20m, A21e, A21m, a22m, A30, A30p, A31, A31p
-G40, G41
-R30, R31, R32, R40, R51
-Transnote, T20, T21, T22, T23, T30, T40, T40p, T41, T41p, T42, T42p
-X20, X21, X22, X23, X24, X30, X31, X40, X41

Also newer models may use the same eeprom. Other ThinkPad models such as 380XD or 600 use 24C01 or 93C46 eeproms, that are the most ordinary and can be read with anything you want. The method is the same like for the models based on 24RF08, only the software to dump the eeprom is different.

T43, R52, T60, Z60, R60 and other new models use special built-in TPM chips or embedded contollers to store the SVP. The unlock procedure can be done in the same manner but the software needed is RPC8394 (TPM chip reader) and WPC8394 (TPM chip writer).

2. Locating the eeprom. Soldering.
No need to unsolder the 24RF08 eeprom, just solder 3 wires to SDA, SCL and GND pins of the eeprom. There are two eeprom layouts (see interface schematics described bellow), corresponding to the 8 pin or 14 pin eeproms. Locate the eeprom first according to your model (E.g. T20-23 and T30 have the eeprom underneath and can be accessed by removing the RAM modules cover, no need to dismantle the laptop.) and solder the wires using a soldering iron with a fine tip. Also, you can use 0.15 - 0.20 mm enamel coated wires or similar small diameter insulated wires. These wires will be connected later to the interface.
Tip: You can use clips to connect the wires or you can solder on the PCB traces leading to the eeprom pins. GND wire can be attached to laptop GND elsewhere in most of the cases.
Once again, be careful and double, triple check the soldering if necessary till you are positively sure you have done the right job.

3. Choose and build the interface.
Since version 2.0, R24RF08 and W24RF08 are compatible with a wide range of eeprom programmers. By default, both programs set the COM port signals to use direct logic level to accessI2C bus. We provide here 2 schematics that are relevant for direct logic signals and for inverse logic signals (simple-i2cprog.pdf and driven-i2cprog.pdf). Also, depending of the interface you build, you can invert the logic for SDA-In, SDA-Out, and SCL COM port signals by some command line parameters described later in this document.

a) The file simple-i2cprog.pdf contains the schematic diagram of a simple interface (known as SIPROG) based on 2 zeners and 2 resistors. This is a classic, easy to build circuit and works with soldered or unsoldered eeproms. The purpose of the 2 zeners is to convert RS232 levels (+/- 5~10V) to TTL ones, needed by the eeprom. It uses direct logic signals to I2C eeprom and is powered by the COM port. However, this interface works with in-system eeproms but is dependent on COM port current and eeprom bus impedance. R24RF08 works natively with this circuit, no need to change the lines signals with command line parameters. This circuit works pretty well with almost all Thinkpads series.

b) The second interface is described in driven-i2cprog.pdf. The circuit uses MAX 232 as a RS232 to TTL driver and its main purpose is to work with soldered eeproms. The advantage of MAX232 is the TTL outputs that are more reliable and more powerful when work with soldered, in-system eeproms (dependency free from the COM port current). Due of the internal inverters of MAX232 the interface responds to an inverse signal logic level. R24RF08 needs /x, /d, /i switches to be specified in the
command line.

What this switches mean:
/x - invert serial clock, also known as SCL;
/d - invert serial data output, also known as SDA-Out;
/i - invert serial data input, also known as SDA-In.

All those can be used in any combination to meet the interface specification.

Note. The two schematic diagrams, simple-i2cprog.pdf and driven-i2cprog.pdf are included with R24RF08/W24RF08 kits.


4. How is it working:
Prepare your technician PC by connecting the interface to the COM1 port (donít connect the wires to eeprom yet). Turn on the ThinkPad and press F1 to enter BIOS Setup. When you are prompted for the password and thereís no other activity like HDD access or so, connect the wires (GND first!, SDA, SCL) to the corresponding wires from the interface (attached before to COM1) and execute R24RF08:

-for SI-PROG interface (as described in 3.a above):
r24rf08.exe <filename.ext>. where filename.ext is the file where eeprom content will be stored.
Example: r24rf08 mytp.bin

-for MAX232 driven I2C interface (as described in 3.b above):
r24rf08.exe <filename.ext> /x /d /i. where /x /d /i are command line parameters (switches) for this kind of interface.
Example: r24rf08 mytp2.bin /x /d /i

Use exactly the instructed switches to avoid possible damages to your eeprom data!

The file should be created in the same folder. Finally, disconnect the wires (GND last!) and turn off the ThinkPad by pressing on/off switch.

5. Reveal the password.
Now, you have the .bin file but you need to dump in scancode to retrieve the password. IBMpass 2.0 Lite is a free tool that i wrote specially for this job. Just open the eeprom dump youíve created before and search for 0x330, 0x340 lines. The password is located on 0x338 (and 0x340 depending on model) in scancode. For 24C01 eeproms the password is located at 0x38, 0x40. If the password won't work for the very first time then your eeprom may use newer IBM encryptions. In this case switch to alternate scancodes to find it. For those who want quick answers the recommended version is IBMpas 1.1.

Usage for IBMpass 1.1 (command line only):
ibmpass mytp.bin
use /a switch to see in alternate scancode if needed:
ibmpass mytp.bin /a

For some old models like 570 or 770Z you need to execute the eeprom patcher first. This will reset the read protection on the password offset. To do that just execute patcher.exe before the reading operation, without rebooting the laptop:

-for SI-PROG:
patcher.exe , then imediately
r24rf08.exe <filename.ext>

-for Driven-I2C (Max232) you must insert the switches:
patcher.exe /x /d /i, then imediately
r24rf08.exe <filename.ext> /x /d /i
W24RF08, the writer version, has included the complete APP reset operation you donít need to use patcher.


Also there are a new encrypting algo used with some new security chips. The password is not in scancode and in some cases not even in the eeprom. To unlock the machine, the dump should suffer some changes and the eeprom must be reprogrammed using W24RF08. This operation works for all IBM TCG/TCPA secured laptops w/o exceptions.

For further infos regarding the usage of W24RF08, download and install the program first then read carefully the file CRC_repair.pdf.


Remember, use 3 wires from the interface and 3 wires from eeprom! Connect them after your ThinkPad is powered and disconnect them right after you read the content, before you switch off the laptop.

Good luck!


Last edited by allservice on Sun Oct 29, 2006 12:56 am; edited 23 times in total

Author: allserviceLocation: @your.service PostPosted: Fri Nov 26, 2004 2:47 pm    Post subject:
    ----
This post is for hwnd and others:
The zener diodes are for line protection purpose. Connect only with anode on GND.
A zener acts like a rectifier when is normaly polarized and as a peek voltage cutter when is inverse.
A zener is tipicaly connected beetwin line and GND with anode on GND.

Author: jusking PostPosted: Fri Jan 21, 2005 3:50 am    Post subject: victory
    ----
hi everybody
My password of Thinkpad 600 is PORTHO
I'm read my eeprom with comeep13, shemas is in sofware.
I'm decrypt eeprom with cmospwd

All software is freeware

search in web with google.

thanks for all
bye

Author: allserviceLocation: @your.service PostPosted: Fri Jan 21, 2005 10:58 am    Post subject:
    ----
Well done!
Cmospwd is a good tool but supports only classic IBM scan code.
I developed a free tool called IBMpass that can decrypt newer scancodes.
The software for reading/writing eeproms is specialy designed for 24rf08, meaning it can read exactly what is in eeprom (without trash), is tested on almost every TP based on 24rf08 and is free as well.

The software you mentioned above is for 24cxx eeprom series. For this eeproms a much better program is PonyProg. The dump you read has a lot of trash but sometimes with some luck a program like this can read well the first password offset. As i said the dump is not good.

Regards

Author: kloleLocation: Arandjelovac, Serbia PostPosted: Thu May 19, 2005 11:03 am    Post subject:
    ----
Can i use Joe in Australia scheme to read 24RF08 with allservice software?

Author: allserviceLocation: @your.service PostPosted: Thu May 19, 2005 1:13 pm    Post subject:
    ----
No.
The schematic of the circuit is shown in i2cprog.pdf (download the kit and install first). I might say that this is a very simple circuit Wink

Updated:
Actually, yes since version 2.0. /x /d /i command line parameters are needed as well
r24rf08 file.bin /x /d /i


Last edited by allservice on Fri Jul 29, 2005 1:47 pm; edited 2 times in total

Author: kloleLocation: Arandjelovac, Serbia PostPosted: Thu May 19, 2005 1:20 pm    Post subject:
    ----
allservice wrote:
No. My software works with a higher frequency on I2C bus.
The schematic of the circuit is shown in i2cprog.pdf (download the kit and install first). I might say that this is a very simple circuit Wink


I already make Joe's interface but i can't send money to him from Serbia.
I saw interface. Smile Is it possible to make "CRC" error with this software?

Author: allserviceLocation: @your.service PostPosted: Thu May 19, 2005 6:46 pm    Post subject:
    ----
Yes. I made a writer for the eeprom. I can also correct any bad checksum for 24RF08 and will be pleased to help you Mr Spliff

Last edited by allservice on Sat Nov 19, 2005 11:22 am; edited 1 time in total

Author: wooly PostPosted: Sat Jun 11, 2005 6:30 am    Post subject: ibm thinkpad t23 password lock
    ----
Hello allservice, I just got done visiting your webpage, slightly hard to navigate because I do not no spanish although always mistaken to be hispanic. I have also been plagued with the IBM supervisor password lock virus. I have a T23, and I have printed, and read Joe from Austrilias how to, along with his clever software that makes money. I am not a electronics guru, I would have to say I never soldered anything in my life, but I recently bought this chip:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=51162&item=6775004925&rd=1&ssPageName=WDVW

I wanted to know your opinion on this, and if its bogus, I spent $45.00 on it, he also promised me to read the password from my eeprom - but after reading your posts here in the forum, I want to use your method instead. Can you please email me the schematics for the device, and the software? Thanks, from reading the posts it sounds like you have helped alot of people. Also I was wondering if you sell a already made keymaker circuit. Thanks,

Here is my email:


fastandtheferocious@gmail.com

Henry

Author: allserviceLocation: @your.service PostPosted: Sat Jun 11, 2005 9:25 am    Post subject:
    ----
The security chip is an eeprom that should replace yours.
Is obvious you don't need it, specially if you never soldered anything in your life.
You can read the original eeprom and find the password by yourself.
Regarding my site, it is romanian as well as I know.
Download R24RF08 and IBMpass from here , install R24RF08 and read carefully all pdfs inside.

Hasta la vista! Laughing

Author: serpent99 PostPosted: Tue Jun 28, 2005 8:49 pm    Post subject:
    ----
Hi Mr. Voinea, I built your interface and when I run r24rf08.exe it says no eeprom found. It outputs a bin file but there's nothing in it. I built Joes more complicated interface and was able to use his software but I'm not having any luck with your schematic. I always screw up the simple things Embarassed Anyway, I didn't have any 5.1 volt zener diodes so used some standard diodes in series that add up to about 5.2 volts, could this be my problem? Thanks for all your help.

Author: allserviceLocation: @your.service PostPosted: Tue Jun 28, 2005 9:05 pm    Post subject:
    ----
The zener purpose is to limit the voltage but also to protect the i2c bus on reverse current due of fast switching freq, so use zeners. Also the COM port must be able to switch the line. What TP model do you have there?
Just send a PM.

Author: mac23 PostPosted: Thu Jul 28, 2005 9:15 pm    Post subject: ALLService to the rescue?
    ----
Allservice,

Yea, I've been trying since yesterday to download the IBMpass from your web site. http://www.allservice.home.ro/dl/index.htm It appears that your ISP is unresponsive. If you want to send me the file(s), I could mirror it on my site here in the US for a while.

I've been researching unlocking a Thinkpad for the last two days and yours seems to be the best option. I work for a school and apparently one of our loaner Thinkpads was locked by a student accidentally entering in the Supervisor Password and the HD password (are they created simultaneously?). I was able to get into the computer, but I wanted to do a clean install with the IBM Rescue & Recovery Disks. I've read that a low level format will remove the HD password, but it is much more difficult to remove the Supervisor Password. Yesterday I removed the CMOS battery, in hopes to clear the BIOS passwords, and now I am definitely locked out. It's showing the computer & padlock icon after the IBM Thinkpad splash screen.

I would really like to get this computer back to the proper working order before school starts. I'm definitely learning a valuable lesson in setting BIOS passwords! Very Happy

Author: allserviceLocation: @your.service PostPosted: Thu Jul 28, 2005 11:02 pm    Post subject:
    ----
I have created a temporary mirror
http://home.ripway.com/2005-7/365678/
Hopefully the outside backbone of my ISP is getting well soon. My apology for this inconvenience

Mac, to do a low-level format you must unlock the drive first. Till then you may spend about 100$ to buy another one.

Author: mac23 PostPosted: Tue Aug 02, 2005 11:15 pm    Post subject:
    ----
allservice wrote:
Mac, to do a low-level format you must unlock the drive first. Till then you may spend about 100$ to buy another one.


Thanks Allservice! The surrogate site worked great. No inconvenience, just wondering why I couldn't connect to your site. Speedy recovery to your ISP!

Actually I was mistaken, only the supervisor password is now set. The other password is the Access IBM password, which I believe can be set when a user changes his/her windows login password.

I was able to access the hard drive before, actually everything was working fine, but I just noticed I was locked out changing the BIOS. It only gave me certain things that I could change and boot order was not one of them. (Does anyone know what this was? Is it Access IBM influencing the BIOS?) That's when I started this adventure. I pulled the CMOS battery and that got me deeper into this mess by resetting the Time & Date and requiring the Supervisor password to unlock the system! Argh! Confused

Thanks for your help! I'm a graphic artist turned support tech, gettin' dirty and learning a lot!

Author: Digitalman PostPosted: Fri Sep 02, 2005 3:19 pm    Post subject: Some helppp!!!
    ----
I have a TP600e locked whit SVP, after read the EEPROM(24RF08)
I find the password and fix this problem, GREATE!!!!

BUT...Now I have 188ERROR (CRC ERROR)...NOOO!!!!
How can i do to fix this ERROR????
May by updating the BIOS???
Please, can someboby send me a copy of that(.bin) or
tell me where can I find it?
Thankssss!!!!!!

Author: allserviceLocation: @your.service PostPosted: Fri Sep 02, 2005 3:47 pm    Post subject:
    ----
IF you have the password then I am sure you verified if that works so you couldn't have the CRC 2 error at that time. Or is about other machine? What model it is? because for this 600e you already have the dump

To correct the error you have to read the eeprom, correct & write back.

Author: corneliusLocation: Earth PostPosted: Mon Sep 05, 2005 11:46 am    Post subject:
    ----
hi
would it be possible to create the circut on a breadboard like the one here http://www.iguanalabs.com/breadboard.htm.

Author: allserviceLocation: @your.service PostPosted: Tue Sep 06, 2005 8:13 am    Post subject:
    ----
The schematic diagrams are coming with the eeprom reader or writer. Just install and look for simple-i2cprog.pdf and driven-i2cprog.pdf.
I hope this will eliminate any confusion for the future.

Author: Digitalman PostPosted: Tue Sep 06, 2005 2:42 pm    Post subject: Some help!!!!(2)
    ----
Thanks ALL SERVICE for your fast answer...
My TP600E is 2646type.
And yes, i read the EEPROM and password but something must be change
when i read that, because when i ingress the password the machine show me OK, and then stop with ERROR188 message(BAD EEPROM CRC#1)
This is because the checksum of the memory and the checksum store in the BIOS are not the same(CRC ERROR)
You are right, i must correct something in the EEPROM but WHAT???(I dont have the original dump)
May be updating the BIOS the checksum store in that will be erased???
Thanks again and sorry for me english...
Digitalman

Author: allserviceLocation: @your.service PostPosted: Tue Sep 06, 2005 4:41 pm    Post subject:
    ----
you said you read the eeprom then you have the dump. This dump is the original eeprom content that must be write into eeprom. CRC error is displayed before the password prompt so you didn't have such error at that time. This error appeared after you successfully unlocked the eeprom and not in the same power cycle. Well you have the dump...
Until you program the eeprom with this dump. you'll not be able to perform any task on your machine (including BIOS update-this will not solve this kind of problems).

Author: Digitalman PostPosted: Thu Sep 08, 2005 2:09 pm    Post subject: Some helppp!!!(3)
    ----
Sorry, first of all the machine show me 188, then go on and display the
password prompt(I ingress that and show me OK) and then(other screen) the machine stop witch 188ERROR.

I dont understand one thing.....When the machine ask me the password I read the eeprom and get the DUMP...ok!!
You say that I must re-write the eeprom(witch this DUMP) after the machine stop witch 188ERROR???

What program can I use to write?
I use the PonyProg to read....is secure to write???

Thanks AGAIN Smile

Author: allserviceLocation: @your.service PostPosted: Thu Sep 08, 2005 2:59 pm    Post subject:
    ----
If you used PonyProg to read then you need a good dump indeed.

Author: joker77 PostPosted: Fri Sep 09, 2005 9:12 pm    Post subject:
    ----
Allservice I also have a R32 which has been a door stop for over a year. It would be nice to clear the bios and supervisor password. Could you please send me your solution (schematic/software)...

AT: crazy_spic@msn.com
OR : concho12@hotmail.com


thanks

Author: allserviceLocation: @your.service PostPosted: Fri Sep 09, 2005 9:59 pm    Post subject:
    ----
Please, read the entire thread even if is a bit larger now. I already specified here the links where you could get the software. The schematics are coming with the eeprom reader or writer, just install R24rf08 and see the pdfs.
So. visit http://www.serviceforum.lx.ro/viewforum.php?f=12 or http://home.ripway.com/2005-7/365678/


Last edited by allservice on Thu Feb 09, 2006 2:16 pm; edited 4 times in total

Author: Tom BairLocation: Portland, Oregon USA PostPosted: Sat Sep 10, 2005 2:21 am    Post subject:
    ----
To our members and visitors:

allservice has provided links above to download the needed items to solve your IBM Password problem.

Please do not post in this FAQ asking for that which you can now download Smile Any such posts will be deleted without notification to the poster.

If you have problems, or fail to understand the instructions; please PM (Private Message) allservice concerning such.

Thank you in advance for your understanding and cooperation.

Author: Digitalman PostPosted: Mon Sep 12, 2005 10:35 pm    Post subject: Why not PonyProg?
    ----
Hello ALL SERVICE Smile))
My notebook is a tp600e
I build the driven-i2cprog interfase, but when I trie to use your
software(r24rf08 v2.0a) witch /x/d/i, only get:
ERROR: Eeprom not available!
I tire witch the patcher /x/d/i too

If I use the PonyProg can read the 24rf08 and then ibmpass2 to see the
password....Why you software cant read?

Author: allserviceLocation: @your.service PostPosted: Tue Sep 13, 2005 11:54 am    Post subject:
    ----
You must use spaces between /x /d /i got that?. PonyProg doesn't work with this interface unless you invert the logics for the signals in setup menu ( i bet you knew that). And of course PonyProg cannot read 24rf08 properly, otherwise why are you still asking help in this thread?

To be clear, you must run the reader with parameters:
-Open a console window start > run and type "cmd" or "command" and press <Enter>
- switch to program folder, usualy c:\allservice\24rf08"
with this command:
"cd c:\allservice\24rf08", you should see the prompt "c:\allservice\24rf08>"
-now, type "r24rf08 filename.bin /x /d /i" - for driven-i2c programmer or simply "r24rf08 filename.bin" for SIPROG and pres <Enter>. don't forget to put spaces between parameters like this:
r24rf08<sp>filename.bin<sp>/x<sp>/d<sp>/i

If you are prompted with "eeprom not found" then something is wrong. I am not there to tell you what that might be.


Last edited by allservice on Fri Sep 16, 2005 8:46 pm; edited 1 time in total

Author: loppan PostPosted: Thu Oct 13, 2005 1:47 pm    Post subject:
    ----
Hi Allservice
I have tried your method of solving SVP password on a TP T21.
I reached the eeprom with the max232 circuit and got a dump file.
But... the dump file contains nothing but zeros.

What is wrong?

Hope you can help me.

loppan

Author: allserviceLocation: @your.service PostPosted: Fri Oct 14, 2005 8:05 pm    Post subject: Hacking
    ----
Maybe you can PM me with some details. Anyway the main reason seems to be the SDA line that is held Low all the time.

Last edited by allservice on Sat Oct 15, 2005 1:07 am; edited 1 time in total

Author: noromamai PostPosted: Fri Oct 21, 2005 9:03 pm    Post subject:
    ----
i have a bricked tp r52 and was glad to find out there was a free way to get it all working again.

i bought the parts for the reader and have taken apart the tp, but have not been able to find the location of the atmel chip. the maintenance manual does mention a security chip, but i assume that's not the one i need. i did find the location on the main board of that chip, but it doesn't seem right.

can someone point out to me where i can find the atmel chip on the main board?

any help would be appreciated.

Author: allserviceLocation: @your.service PostPosted: Sun Oct 23, 2005 12:59 pm    Post subject:
    ----
It is a 8 pin eeprom. remove the top cover with keyboard and touch pad. It is just near the intel southbridge chip.
It is marked as "U53" on the PCB if I remember well.


Last edited by allservice on Thu Oct 27, 2005 10:33 am; edited 1 time in total

Author: noromamai PostPosted: Sun Oct 23, 2005 10:37 pm    Post subject:
    ----
thanks for the info. i had a look on my mainboard and it's not exactly the same. i do have a chip there but it reads 'MAX1989 MEE 508' and has 16 legs. Did IBM change the chips they use or did they just stuck it somehwere where one can't find it as easily...

I've included a pic, see here http://www.saikoutokuten.net/r52_chip.jpg

any advice?

Author: allserviceLocation: @your.service PostPosted: Sun Oct 23, 2005 10:45 pm    Post subject:
    ----
I think your machine type is different and the board also. The eeprom must be a 8 lead 24RF08. Look again for this chip.

Author: sst39sf020 PostPosted: Sat Nov 05, 2005 4:35 am    Post subject:
    ----
IBM T42
can not find the password use IBMpass

Author: allserviceLocation: @your.service PostPosted: Sat Nov 05, 2005 9:09 am    Post subject:
    ----
Maybe the password is TCPA encrypted. In this case, the dump must me modified and the eeprom re-programmed. You can send me the dump to see at the email address listed in 24RF08 tools.

bata_1: see the first post in this thread, pal.

all the best

Author: rachido PostPosted: Sun Nov 13, 2005 3:06 am    Post subject: Supervisor Password
    ----
Hi ALLservice,
I visited "Joe from Australia" 's web page and I must say, people are positive about his method, isn't that logic?
could you please send me the schematics and software needed to recover a Supervisor Password from a IBM TP T40, that would be a life saver.
the laptop is locked by the SVP in the bios.
please show the solution step by step.
waiting for your reply,
rachido.
Smile
thanks.

Author: allserviceLocation: @your.service PostPosted: Sun Nov 13, 2005 3:27 pm    Post subject:
    ----
I will never start to doubt about what you said before.
You see, my method presented here and the software are absolutely free. The software has been developed to read the eeprom as it is and not to encrypt the data. As a result, you can unlock any TP, how many times you want, whenever you need, free of charge. Smile

If you still don't know how and where, please see the first post in this thread. Download the software from the links mentioned above, install and you'll find 2 schematics to build.

I hope it will be a helpfull post this one.
Cheers

Author: indirection PostPosted: Wed Dec 21, 2005 12:21 pm    Post subject:
    ----
Hi Jvan,

All is not lost my friend. I didn't fancy my chances soldering wires onto the legs of the 14 pin chip either, but i have been successful without needing to. I looked for a clip, but they were VERY expensive, and also i wasn't confident i was even buying the correct thing!!
If you build the simple circuit, as suggested by all service, you only need to 'solder' 3 pins, which can be achieved with a little patience, care, and a prayer or two to a God of your Choosing (or even none at all - seemed to work for me Wink....

You will need the following:
2 pencils
some cellotape
the legs of an unused resister. you just want the wire legs, cut these off a resister that you don't want. each leg should be about 25mm long.
1 simple chip reader circuit.

Solder a resister leg to a length of wire so it can be used as a probe. Cellotape this probe tightly to the end of a pencil so that the wire probe is at right angles to the pencil. You want the wire part of the probe to stick out about 15mm. You now have a probe that can be taped down to your laptop and will stay where itís put. With care and patience, you can tape the pencil to your laptop, so that the wire probe at the end of it is in exactly the right place so that the end of the probe is touching the pin your interested in.

I used two of these Ďpencil-probesí. One for the ground pin, and one for the data pin. The third and final pin (clock) I just held that probe on manually for the few seconds required to read the chip.
It's a delicate operation, but one that is within the skill-set of most people I'd say.

A small but important point is that you want to make your probes out of bits of wire that are not connected to your simple circuit. This is so that you can get all your probes set up without them being connected to the circuit, then connect them to the circuit when the time is right (see below).

The procedure is then:

Connect your simple circuit to your Doctor PC

With the laptop switched off - tape probes in place. Double check to make sure each probe is touching the right pin. At this stage, the probes are not connected to the simple circuit. One tip is that on a t20, t21, t22, the PCB layout is such that you can attach one of the probes to the Ďviaí near pin 6. A Via looks like a circular pad with a hole in the middle of it. You might find it easier to connect your probe to this rather than pin 6.
With the probes in place, it will become obvious that youíre going to need to balance the laptop on its side, so that you can see the screen, and the bottom of the laptop is undisturbed.

power on laptop - wait for all activity to stop. It should boot into its normal password screen.

Attach your simple circuit to your probes (connect ground first). My simple circuit had alligator clips on the end of each wire, so it was just a case of clipping the correct wire from the simple circuit, to the correct probe.

Get the doctor PC ready so that all you will have to do is hit Ďenterí and the reader software will run.

Carefully hold the last probe onto the clock pin (SCL).

Use your nose or big toe to press Ďenterí on doctor PC Ėwait a few seconds until chip has been read. If software complains, then your probes probably arenít connected firmly enough, or you may even have the wrong pin! (shame on you!). Donít panic, its probably just that one of the probes isnít making a good connection.
Try to read the chip again whilst applying a little downward pressure to the probes to make a good connection. If you have a friend who can help you, it is handy to have someone else drive the doctor PC, so you can concentrate on the laptop, but it is possible to do this by yourself.

With the chip successfully read, disconnect your probes from your simple circuit (disconnect ground last)

now, at this stage, you could switch your laptop off, and remove your probes. but you might want to leave them on until you have verified that you have successfully read your chip so you can have another crack at it of you were not successful the first time.

Run the password reveal software.

turn off laptop
remove probes
reboot laptop,
enter the password which you now know (see post from Allservice at the start of this thread).
Smile to yourself at how clever you are Smile

This technique has worked well for me on all boards i have tried it on.

I bought a job lot of 9 motherboards from a repair shop. some had password protection, some CRC errors.
If anybody out there knows how to troubleshoot the powersupply of a laptop motherboard, I'd love to know!

Did I win record for longest post?? - sorry all, but hope it helps someone.

Thanks, and good luck.

Author: allserviceLocation: @your.service PostPosted: Thu Dec 22, 2005 3:29 pm    Post subject:
    ----
Nice post. 10+

About the PS. For PIII machines like t20-22 look for ADP chips like ADP3410 or ADP3421. I remember a friend that he never waste his time checking, he always removes the ADP3421 from the start.

Author: indirection PostPosted: Wed Dec 28, 2005 12:34 pm    Post subject:
    ----
Thanks for the tip Allservice,
About the adp3421 and adp3410...
Like Jvan, I don't trust my soldering skills enough to attempt to remove these chips. I did read somewhere that before replacing these chips, you should have a go replacing the capacitors in the power supply. This is probably my limit. If anyone knows which ones to replace (and thier values), then that would be very helpful to me.

Thanks, and best regards.

Author: naseerak PostPosted: Fri Jan 06, 2006 4:27 pm    Post subject: confused
    ----
By the suggestion of a member I am repeating my request here which i posted in he wrong place earliar.
Hi Allservice you r doing a great job and this is my first time to build ur programmer as i have built many max232 based interfaces before but the capicitors you have shown in the schematics are non-polar with the values of 1uF which are supposed to be polar according my knowledge if u have purposely did so then it will be as right as any universal truth as your ability is undoubtfull. my other confusion is the VCC because during password prompt the TP is supplying the required VCC to the Chip then why it is necessary to include the exterternal VCC as u have told us that we need only three wires And if VCC is necessary then the same VCC can be derived from USB without nrrding AA cells.
Pleaese quench my thurst and finish my confusion I will be as thankfull to You as the world to the Georj Boole (Boolean Algebra Confused

Author: allserviceLocation: @your.service PostPosted: Sat Jan 07, 2006 10:31 am    Post subject:
    ----
1. Look again. The capacitors shown in the diagram are non-polar 0.1uF (0.1uF=100nF) not 1uF. There is also an asterisk explained in the "List of components". The schematic shows a MAX232A by default, but if you use MAX232 (without A) then the capacitors must be 1uF elcos, the polarity is shown by the IC schematic layout.

Note: Generally speaking, It is not necessary that a 1uF capacitor or 10 uF or bigger to be a polar one or "ELCO" all the time. It depends on the schematic request. It is true also that a non polar 1uF is kind of huge comparing with an ELCO.

2. The power source may be used for stand alone eeproms (not soldered) as well. It is specified there (again with 2 asterisks) what part of the PS to be used for unsoldered eeproms. It make sense, don't you think?
Use USB +5V is you feel better with that.

Well, if you pay attention just a bit you will find the best solution for your problems, see?

I think the world should thank to some arabs for the Al-Jabr first, he, he

Author: goenLocation: Indonesia PostPosted: Mon Jan 09, 2006 3:01 pm    Post subject: Where I can get the software and circuit schema?
    ----
Hello AllService,

Where I can get the software and circuit schema for unlocking the BIOS Password for my TP R40e? I try for this address

http://www.serviceforum.lx.ro/viewforum.php?

but the connection failed. Is there other address that I can catch up?

Thanks in advance.

gbrotos@yahoo.com

Author: allserviceLocation: @your.service PostPosted: Mon Jan 09, 2006 11:45 pm    Post subject:
    ----
Well, try http://www.serviceforum.lx.ro/viewforum.php?f=12
or at least http://www.serviceforum.lx.ro

Author: Pop45398 PostPosted: Tue Jan 17, 2006 6:39 am    Post subject:
    ----
allservice wrote:
Posted: Sun Nov 21, 2004 1:22 am

If you don't care about the info then buy a new one. HDDs are almost impossible to unlock. The password is stored on a special track and the procedure is complicated and very expensive. The resulted HDD will never work the same anymore.

I don't know if your view on locked HDDs has changed in the last 15 months but I thought I'd share with you in case it hasn't, that unlocking HDDs is very easy, I've been doing it for several years. I learned about it on a UltimateTV forum, and it has now become widely known in the Xbox community as well. You will lose all your data, however. You need a program called MHD3.EXE. You can download it here. This link has better directions. It takes a while to run but there's nothing stopping you from doing something else. Smile

I've also been unlocking 770s (24C01) for many years. Iíve yet to mess with the newer models, though. Iíve been considering providing this service for a reasonable price for those who donít possess the skills or desire to do it themselves.

Keep up the good work. You provide a valuable service and seem to have the patience of Job.

Author: allserviceLocation: @your.service PostPosted: Tue Jan 17, 2006 10:54 am    Post subject:
    ----
Hi,
The program you mentioned cannot be used to unlock a laptop drive or any drive that wasn't locked into an UTV. It claims that it is able to unlock drives used in UTV with the master password. This password is set by the UTV and probably is a standard password, I remember XBOX has "TEAMASSEMBLY". That's all folks.

Just to answer your question, I am very much involved in this matter and my opinion is not changed since then. To unlock drives coming from a laptop, that is a machine built to be a data-safe not a toy for kiddies, is not so easy. See here
Quote:
Iíve been considering providing this service for a reasonable price for those who donít possess the skills or desire to do it themselves

Oh, I am sure your efforts will be highly appreciated by the rest of Thinkpad users community.Good luck!

Author: Pop45398 PostPosted: Tue Jan 17, 2006 1:25 pm    Post subject:
    ----
MHD3 has worked fine for unlocking Thinkpad drives for me. I do this in a desktop with a cheap 2.5" to 3.5" adapter. The first time I did it was when I inadvertently locked my own drive. After that I started buying locked drives off eBay. BTW, I am familiar with ATA encryption.

I've never messed (or played) with ax Xbox, although my sons have all heavily modified theirs, just assumed they were locked the same.

Author: allserviceLocation: @your.service PostPosted: Tue Jan 17, 2006 1:39 pm    Post subject:
    ----
Are you kidding, right? You cannot unlock ThinkPad drives with this program.

What do this MHD3 you mentioned? Well, it sends a Security Erase ATA command to the drive and the password to erase the drive. It was built to try a single password (probably that matches the master pwd used by UTV and is built in with the program). If the password won't match (of course this will happen, you need to know a password), the operation is aborted. It is clear for you now?

I think you are just blowing hot air here, no offense.

Author: naseerak PostPosted: Thu Jan 26, 2006 6:31 pm    Post subject: t23
    ----
Hi
allservice how can I locat the position of the security chip on my t23 motherboard as I searched desperately for it but could,nt find it please help me.

Author: allserviceLocation: @your.service PostPosted: Thu Jan 26, 2006 6:53 pm    Post subject:
    ----
You have to remove the RAM cover (turn the machine upside-down). The chip is there, near the second memory socket. 24RF08 14 pin.

Author: naseerak PostPosted: Fri Feb 03, 2006 8:08 pm    Post subject: Crc
    ----
Hi
My questions are as follows:
1. Is it safe to read the eprom without the danger of disturbing CRC with your interface.
2. what if The CRC arises can i fix it using some hex editors
3. some mechanic has desoldered the chip from my friend,s laptop T23
now i have found this chip from my local computor dealers garbage so can U provide me with a good dump of T23
I will be extremly greatfull to You.

Author: allserviceLocation: @your.service PostPosted: Sat Feb 04, 2006 11:13 am    Post subject:
    ----
The answers:
1. Yes.
2. No.
3. Yes, but you need W24RF08.

For other questions you might have please use PM.
Thanks.

Author: potshot87 PostPosted: Thu Feb 16, 2006 7:50 am    Post subject: TP A31, EEPROM Location
    ----
Anybody knows exactly where the eeprom is located on an A31? Which part do I need to open up on the laptop?

Author: allserviceLocation: @your.service PostPosted: Thu Feb 16, 2006 10:33 pm    Post subject:
    ----
A31 has the eeprom close to the IDE HDD connector, on the other side. You have to dismantle the TP.

Author: hobcal12 PostPosted: Mon Feb 20, 2006 9:21 am    Post subject:
    ----
I know it may sound crazy and unbelievable, but I got the idea from the following:

http://www.geek.com/news/geeknews/q22000/gee2000918002375.htm
in that page, search under: CRC1 errors Thinkpad T20 (12:46pm EST Thu Jun 02 2005)
message was posted by: ďHappy NowĒ
the message is near the bottom of the thread.

So I did that, shorted the crc chip. Please donít ask me which pin I shorted, because I donít remember. I did it randomly. I did that for two days without any luck and yesterday afternoon while watching tv, I do it again for fun, after 5-10 times shorting the crc pin randomly, all the sudden, no crc error and I got my windows screen.

At one point, when I shorted the pin, I got spark. Also, sometimes I got error 0195 ďsecurity hardware tamper detectedĒ.

I am not suggesting any of you to do this. I think I am very very very lucky. I am willing to do this because I have a new laptop as off last week. My T23 has served me well for 5 years until that 0175 crc1 error. So at that time I figure I am going to disassemble my T23 and sell it parts by parts at ebay.

Btw, itís easy to short crc chip on the T23, because the chip is at the back, under the memory. So while shorting those pins, I can press the power button and look at the screen at the same time.

So now my laptop is working, but the HD giving me clicking sound more often, I am not sure if thatís because of what I did or not.

!!!If you decided to short the crc pin, do it at your own risk!!!

Author: allserviceLocation: @your.service PostPosted: Mon Feb 20, 2006 10:13 am    Post subject:
    ----
There are no "CRC" pins. CRC stands for Cyclic Redundancy Check which allows the BIOS to check the integrity of the eeprom data.
0175 Bad CRC1 occurs when the data is corrupt.
This error cannot be corrected by shortcutting "CRC pins", but by reprogramming the eeprom. Or maybe you are such a lucky guy...too lucky Smile

Author: hobcal12 PostPosted: Tue Feb 21, 2006 5:19 am    Post subject:
    ----
ups, sorry... i was reffering to the ATMEL chip... my T23 has 14 pins.
btw, is it possible that when i shorted the pins, i accidentally reset the atmel chip?
I couldn't agree more.. i was very very very lucky... :D :D

Author: allserviceLocation: @your.service PostPosted: Tue Feb 21, 2006 8:30 am    Post subject:
    ----
No matter if is 14 pins or 8 pins, there are no "CRC pins". And no, you cannot "reset" the eeprom.

Author: nightflyr PostPosted: Wed Feb 22, 2006 10:14 am    Post subject: IBM Thinkpad 380Z
    ----
First, Thank you for having this Forum. Im sure it wouldnt be fun for you but more people should know about this work. Also please let me know of anyway that I can help in this effort.

IBM Thinkpad 380Z
I am in need of the BIOS Supervisory Password for this unit.

I have a TP 380z 2635-HGU. I have located an ATMEL 842 24C01A chip 8 pins at location U37.

Is this the right chip for this TP? or should I get out my magnifing glass and look harder?

Can I use this software, for this TP, to get the Password?

Taking note of the locations of the Chip, Can I dump this chip without powering up the TP and without de-soldering it?

Thank you in advance. It is nice to see people helping others. Please let me know if I can do anything to help out. No matter the outcome of my TP I will be reading everyday to see If I can help someone else.

Author: allserviceLocation: @your.service PostPosted: Wed Feb 22, 2006 3:16 pm    Post subject:
    ----
380Z has 24c01 indeed. It's located right close to the memory socket.

This eeprom can be read with the same interfaces but not with R24RF08, this is only for 24RF08. I suggest you driven-i2cprog (schematic available with R24RF08 kit)
24C01 is a clasic 128 byte IIC eeprom that can be read with many free software like PonyProg from www.lancos.com

The procedure is the same like for 24RF08, you have to solder only 3 wires on SDA, SCL and GND. to read in system (w/o unsolder it). The laptop must be powered, of course.

See more details here

Good luck

Author: hdtintin PostPosted: Thu Apr 06, 2006 2:31 am    Post subject: Thinkpad T43
    ----
Bought my laptop from ebay and there's a supervisor password on it. The guy I bought it from doesn't even know about it. He said he's looking into it for me. The thing is, I can by-pass everything and actually logged into windows. I just can't use the hardwares available to the fullest. Do you know of anyway to break or reset the password?

Thanks

Author: allserviceLocation: @your.service PostPosted: Fri Apr 07, 2006 3:55 pm    Post subject:
    ----
Though question. And it's very hard to answear because there's no info about your laptop, what is it, how is it looks like Rolling Eyes
You got me.

Oh, it is a T43. Sorry, but I think you should claim your money back, the guy is a crook for sure. T43 uses PC 8394, the super IO chip to store the SVP and no way to be unlocked so easy.

Edit: T43 and R52 unlocking procedure included in IBMpass Pro already that will be available soon.


Last edited by allservice on Sun Jun 11, 2006 6:39 pm; edited 1 time in total

Author: locdupr50 PostPosted: Wed Apr 19, 2006 2:06 am    Post subject: R50
    ----
Does anyone know if this process will work on an R50 ? I know that the R50 has the embedded security chip on it but I don't know where to look for the eeprom.

Author: allserviceLocation: @your.service PostPosted: Wed Apr 19, 2006 8:23 am    Post subject:
    ----
Yes, it works.

Author: icse PostPosted: Mon Apr 24, 2006 3:50 pm    Post subject:
    ----
Hi AllService, Thanks for your info. I like to build the reader but I can not found MAX232 or MAX232A, I only can get MAX232CPE, can I use it with 1uf Cap instead?

Author: allserviceLocation: @your.service PostPosted: Mon Apr 24, 2006 4:31 pm    Post subject:
    ----
Yes.
MAX232ACPE - 0.1uF
MAX232CPE - 1uF

1uF/50 should be small enough.
Look out for the cap. polarity. C4 and C5 have to match the V- and V+ IC pins:
C4 (+) --> MAX232 pin#2
C5 (+) --> circuit GND

Author: ShuG PostPosted: Mon Apr 24, 2006 5:06 pm    Post subject: Re: Confirmed Working For Ibm T40 2373-hh1
    ----
ibecamemad wrote:

what i can offer in exchange for now is for me to post an illustrated guide for other t40 users! (i.e. the location of eeprom, images of the interfaces built & so on!)



This would be really helpfull as I need to remove my T40 POP and need the location of te eeprom

Thanks for a great discussion forum

Author: allserviceLocation: @your.service PostPosted: Mon Apr 24, 2006 6:45 pm    Post subject:
    ----
To get access to eeprom, dismantle the keyboard, palmrest and WIFI card if necessary. For T4X, the eeprom is near Intel Soutbridge chip and it is 8 pin ATMEL 24RF08. Exactly under the touchpad buttons if you follow the direction.

Author: ShuG PostPosted: Thu Apr 27, 2006 1:50 am    Post subject:
    ----
allservice wrote:
Yes.

Look out for the cap. polarity. C4 and C5 have to match the V- and V+ IC pins:
C4 (+) --> MAX232 pin#2
C5 (+) --> circuit GND


please confirm the following

C1 (+) --> MAX232 pin#1
C2 (+) --> MAX232 pin#4
C3 (+) --> MAX232 pin#16

thankyou in anticipation

Author: allserviceLocation: @your.service PostPosted: Thu Apr 27, 2006 5:39 pm    Post subject:
    ----
You got it.

Author: bakzer PostPosted: Tue Jun 13, 2006 2:02 pm    Post subject: error 188
    ----
Hi

Just got a thinkpad A22m
it comes with error 118 every time i boot.
I'm able to get around this error and force the machine boot on my HD, but still it's annoying.

Is there any way to correct the problem, without tearing the computer apart ?



br
Bakzer

Author: allserviceLocation: @your.service PostPosted: Tue Jun 13, 2006 2:21 pm    Post subject:
    ----
I think the error is 0188- CRC2.
In this case the eeprom content must be fixed and reprogramed with W24RF08.
Sorry, you need to partialy dismantle the laptop to get access there.

Author: bakzer PostPosted: Tue Jun 13, 2006 5:13 pm    Post subject:
    ----
Sorry, you are right, Allservice. It is Error 0188.a
But not CRC2, only "Invalid RDIF Serialization Information Area"

As I wrote, it's possible to bypass the error, so i did that and upgraded my bios to newest version.
In the bios it seems like it's possible to clear RDIF, but No.
Before that I had Error 0188 also with CRC2 error, now i only have 0188.a

I had hoped that would help, but I can see that I have to follow your instructions

BR
Bakzer

Author: allserviceLocation: @your.service PostPosted: Thu Jun 22, 2006 1:14 pm    Post subject:
    ----
It is 0188- CRC2, only that the error text has been changed in the new BIOS code.

Author: mk77b PostPosted: Fri Jul 07, 2006 6:58 pm    Post subject: a22m error 175 crc1
    ----
I have a a22m thinkpad with error 175 .
I read the 24rf08 chip but i don't have another thinkpad to get a new dump.

can someone out there email me a dump for this machine type?

Can allservice correct these errors?

how much cost this ?

Author: allserviceLocation: @your.service PostPosted: Fri Jul 07, 2006 7:03 pm    Post subject:
    ----
This is a free forum, I don't sell services here.

Author: hadakajime PostPosted: Tue Jul 11, 2006 3:00 pm    Post subject:
    ----
hmm, the only chip i can find that resembles 24rf08 is a '74af lm56 CIM'

Author: allserviceLocation: @your.service PostPosted: Wed Jul 12, 2006 1:34 am    Post subject:
    ----
The eeprom is a Microwire 93C46. It is noted C46xx.
Maybe this one will help you better:
http://www.allservice.ro/forum/viewtopic.php?t=200&highlight=93c46

Author: hadakajime PostPosted: Wed Jul 12, 2006 6:00 am    Post subject:
    ----
haha u were right, cant miss it, found it in 10seconds.

73af 93c46 m8

do i realy have to unsolder it? Shocked


Last edited by hadakajime on Wed Jul 12, 2006 9:54 am; edited 1 time in total

Author: allserviceLocation: @your.service PostPosted: Wed Jul 12, 2006 9:38 am    Post subject:
    ----
For better results, yes. But give it a try, you never know..

Edit: Yes, that is the chip. Nice shot.


Last edited by allservice on Wed Jul 12, 2006 9:45 am; edited 1 time in total

Author: hadakajime PostPosted: Wed Jul 12, 2006 9:41 am    Post subject:
    ----
what program do i use to write the dump? ponyprog?

Author: allserviceLocation: @your.service PostPosted: Wed Jul 12, 2006 9:51 am    Post subject:
    ----
You can use whatever you want but the diagram I published there works with PonyProg, which is a classic.

Look out, there are two kind of 93c46, for this one you must select "Microwire 16 bit", In rest they are really easy to program.

Author: hadakajime PostPosted: Fri Jul 14, 2006 1:30 pm    Post subject:
    ----
ok i cannot get the circuit to work Evil or Very Mad wen i use ponyprog it keeps showing up only 0's and all the tests fail. i reali tried not to heat the chip too much, and im sure i got the circuit right and there are no shorts. plus i didnt overheat any resistors or diodes because i used a screw board instead of a breadboard

in my view there are only 4 possibilities:

1 - i am not using ponyprog properly

2 - i did overheat the chip with the soldering iron - is there any way i can just buy another one?

3 - i am not grounding it properly - what would you suggest is the best grounding for an unsoldered chip?

4 - it is evil and i should throw it out the window with a stick of TNT attached. afterwards i will smash the remainders on the ground continuously, until i feel it has been unlocked (ie. svp has been removed)

UPDATE
what if i try to use the laptop without the eeprom in it? Very Happy Very Happy Very Happy maybe it will take pity on me and work

Author: allserviceLocation: @your.service PostPosted: Fri Jul 14, 2006 7:23 pm    Post subject:
    ----
1. Did you calibrate Pony first?
Don't tell me, you tried to read it soldered, n'est pas?

2. You'll be amazed to know how tough are these little ones. If you didn't brake it in pieces then the chip is good.

3. Ground the COM #5 pin to eeprom GND, and anodes. the zeners have a strip on the cathode part.

If the eeprom pin #6 (ORG) was on GND (not on Vcc as it should normally be), then you must select Microwire 8 bit. Else, use it as microwire 16 bit (this is normal).

No, you can't use the laptop w/o it, take it easy.

Edit:
4. Relax, have a cigarette or a soda, free your mind and try again Smile

Author: hadakajime PostPosted: Sat Jul 15, 2006 3:34 pm    Post subject:
    ----
excellent. your reply fills me with lots of hope. if they are hardy chips then hopefully its probably not overheated from the soldering iron.

yes i calibrated pony. should i select si prog I/O ?
i unsoldered the chip then tried to read it.
now i dont think i had it grounded properly. i will try a different way.

i hav org connected with vcc. how do i change between microwire 8/16bit in ponyprog?

Author: allserviceLocation: @your.service PostPosted: Sun Jul 16, 2006 1:08 am    Post subject:
    ----
Quote:
how do i change between microwire 8/16bit in ponyprog?


Hmm, if you asked me this then I must understand that you did not selected the device at all. Select Microwire 16 bit>9346 in the device list.

SI-Prog API should do it fine.

If you need me to fill your hopes more, well, I know a 14 year old teenager that did this at once. You should do it to, trust me Laughing

Good luck!

Author: KingPin PostPosted: Tue Aug 01, 2006 4:52 pm    Post subject: Password asked when power on my TP t41
    ----
Password asked when power on my TP t41

- Allservice , thanks for all the infomations you posted here... It helps me so much .... Can you provide me the 'simple schema' interface and wires and power box !!! I am willing to pay you in return . You can PM me at sylvain.chen-at-cgocable.ca ... thnaks for your help

http://www.biostools.com/pad/english/bios3.htm

Author: allserviceLocation: @your.service PostPosted: Sat Aug 05, 2006 2:13 am    Post subject:
    ----
Hm, strange that the link you provided here leads to a chinese website where some guys are trying to sell my software as theirs. They seem to have no limit in doing this.
IBMpass 2.0 for example (which btw is a free software) is renamed as "IBMpa", moreover they launched even a new version IBMpa 3.0. Huh?!?

W24RF08 (that version is not genuine) and R24RF08 pictures show ALLservice (this is a miss Laughing ) but they wiped out the author's name, etc.

Anyway, this is an old story....and we are just amusing now.

Author: BADBILLLocation: oKLAHOMA, USA PostPosted: Wed Aug 09, 2006 11:44 pm    Post subject: Ibmpass Shows Blank Password
    ----
I have tried several t23 laptops and your fix works great. Very Happy but i have run into a problem the last 5 t23's I've dumped, Ibmpass will not give me a password. i tried ibmpass2.0 but when i go to 0x038 the field is blank (not sure that i am using ibmpass2.0 correctly) am i doing something wrong??? i have my dumps saved so any help would be very help full. thanks for all your help

badbill

Author: allserviceLocation: @your.service PostPosted: Sun Aug 13, 2006 12:58 am    Post subject:
    ----
@badbill

If SVP is blank then it is only the POP, just remove the CMOS batt.

Thank you all!

Author: staufj22 PostPosted: Mon Aug 21, 2006 2:53 am    Post subject:
    ----
allservice wrote:
@badbill

If SVP is blank then it is only the POP, just remove the CMOS batt.

Thank you all!


Hi allservice,

Great info you have here. I have a T60, and am trying to remove the POP by removing the backup battery. I was following the instructions in the hardware manual, but its a bit confusing.
It said to first turn off the computer, remove the battery, and then, remove the backup battery, and turn the thing back on.
After the POST, when the POP is wiped, put back both battery.

I was confused as to how to turn the laptop on without either of the 2 batteries.. so I've tried different combinations.. so now, whenever I boot up, it tells me the date-time mismatch, and that security is compromised. In the HMM (ftp://ftp.software.ibm.com/pc/pccbbs/mobiles/39t9448r01.pdf) it said that after I do the POP removal, if there's a SVP, I can still get into the BIOS.. however, thats not the case on my system. Do you think maybe I didn't erase the POP correctly?
I'm guessing that there might be a SVP in addition to the POP..
So.. does your instructions on page 1 of this thread work for T60s?

Thanks

EDIT - ok, I just finished reading the thread about PC8394T programming tools
. This sounds like a long process...

Author: allserviceLocation: @your.service PostPosted: Mon Aug 21, 2006 8:30 am    Post subject:
    ----
When you remove the CMOS battery, POP will be vanished right away. But after that, you have to enter BIOS to set the time/date, otherwise laptop won't boot. This is the usual problem with Thinkpads, SVP is needed anyway (if set)

In rest, your guess is correct, you have the SVP set. PC8394 Tools includes support for T60, and I must say that the procedure is in fact the same like for 24RF08, only the software and the subject (the "dreadful" chip) are different

Author: elwea PostPosted: Wed Aug 23, 2006 10:21 pm    Post subject: T41 problem. Please help me.
    ----
I have ThinkPad T41 and forgot password.
If I read the epprom 24RF08CN by simple interface SIPROG to dump file, IBMPASS show "F *" or "Q 29$" (with /A) but this password is wrong. The string in dump file is "21 dl al 92 37 8b 62 f3" in 0x338 to 0x340. Please where is a problem?

Author: allserviceLocation: @your.service PostPosted: Wed Aug 23, 2006 10:44 pm    Post subject:
    ----
It is 21d1a1.....
The problem is that the password is encrypted with TCPA chip simply because the passphrase feature is enabled in BIOS setup.
The only way is to reprogram the eeprom.
Other info you can find on the allservice.ro forum, it is all I can say.

Author: elwea PostPosted: Wed Aug 23, 2006 11:05 pm    Post subject: W24RF08 error
    ----
if i type w24rf08.exe ibmt41.bin the result if "ERROR: Unable to open source file!". I don't know why. The version is 2.1.

Author: allserviceLocation: @your.service PostPosted: Wed Aug 23, 2006 11:17 pm    Post subject:
    ----
Don't you think that using pirated software is a bad thing to do?
Do you want me, the author, to tell you why your pirated copy do not work?!

Funny, what can I say..

Author: elwea PostPosted: Wed Aug 23, 2006 11:28 pm    Post subject: W24RF08 error
    ----
because the original buyed by my colleague at the cost of 31.5$ few month ago wrote the same error.

Author: allserviceLocation: @your.service PostPosted: Wed Aug 23, 2006 11:38 pm    Post subject:
    ----
Maybe your colleague bought it from the same place as you and he paid the same price = nothing Smile
Anyway, if you have a license issue, feel free to contact our support, but I think is not the case.
Thank you.

Author: JanchikLocation: Sweden PostPosted: Thu Sep 07, 2006 10:30 am    Post subject:
    ----
Hello, sorry i have so bat english. I want to ask about IBM r40. I dont know what i can to do with it. Now i living in Sweden, i can buy some special programm or some like that. Please ansver to my mail yanlit@gmail.com. Thanks

Author: allserviceLocation: @your.service PostPosted: Thu Sep 07, 2006 10:59 am    Post subject:
    ----
Hi,

Well if it is locked, then read the first post in this thread.
Also I posted here a nice pictured tutorial about R40:

http://www.allservice.ro/forum/viewtopic.php?p=1011#1011

I hope this is of some help.

Author: mnamky PostPosted: Tue Oct 10, 2006 6:09 am    Post subject: ThinkPad R52 Password Removal
    ----
hi every body;

I read and the post by allservice. It was a very useful information and I was so happy getting it. However, I tried that with ThinkPad R52 and it did not work. The eeprom mounted in the system is 24C64W by CATALYST Semiconductor Inc. I reviewed its block diagram and found it typically the same as ATMEL 24RF08, with one missed pin (PROT) which I found out it works as a protection for the chip. Since the missing port is always set high and it it was not exist in the 24C64L, I assumed that both chips are identical and proceeded with the instruction shown in the post anyway. Since it did not work, then they were not identical. I was upset and tried to find an alternative solution, and run through the Universal EEPROM Programmer, a device that you can buy, and I thought if I got it and took my eeprom out of the board and tried to refresh it or write its information from scratch, with no password of course, it might actually work. BUT since I did several trials and non has worked and I still have my laptop NOT damaged, I thought it would be a good idea to ask some professional first.... Any help ? would the eeprom burner work as a final solution? or should I give up and just send my system board to IBM ??

Thank you
Mohamed Elnamaky

Author: Thinkpad t42p PostPosted: Wed Oct 11, 2006 8:13 pm    Post subject: Alternative 24RF08 Reader than the KeyMaker
    ----
Hi,

I have a Thinkpad t42p that unfortunatley has a supervisor password set.

After reading a thoroughly around the forums, I found this wedsite:

http://www.passwordmethod.com/

It seems that someone other than joe in australia has created a 24RF08 Reader and is also selling it...

Was wondering if anybody has any experience with this alternative device?

Thanks

Author: allserviceLocation: @your.service PostPosted: Sun Oct 29, 2006 1:12 am    Post subject:
    ----
@mnamky:
The 24C64 eeprom contains only the Broadcom NIC firmware, the password is in the PC8394T-VJG.

@Thinkpad T42:
The website you mentioned is just selling interfaces, I guess the software proposed there is R24RF08/W24RF08 which is allservice.ro property. We agreed with the owner to let him put our banner there. Please read also the first post in this thread for more info.


I guess this topic has reached a good milleage and is already the most visited in this board. Anyway, I think everything has been said in this matter and I will ask Tom, our beloved administrator, to take it to a glorious end. (But I hope it will remain sticky)

If anybody will have questions about this subject, I will try to reply to any PM in my box or to give my humble support in the forum.

Thanks



Networking/Security Forums -> Hardware // Upgrades


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group