[ltp] Password recovery (T22) success/howto.
Richard Neill
linux-thinkpad@linux-thinkpad.org
Wed, 17 Jan 2007 21:25:04 +0000
Dear All,
Hope this may be of some use. I just bought a 2nd hand T22, which the
owner couldn't use, because the power-on password was set (and unknown).
The recovery was quite simple, but not straightforward, so I'm
documenting it here.
There's a good (Windows-based) tutorial here:
http://sodoityourself.com/hacking-ibm-thinkpad-bios-password/
(also read the comments)
1) For the T22, the EEPROM is located under the DIMMs next to the bottom
of the case. It's easy to access. The chip is the 14-pin version
described here:
http://www.allservice.ro/forum/dl/simple-i2cprog.pdf
2) Solder carefully, and tape the wires to the back of the case. A
standard 15 Watt iron with a sharp tip is fine; you don't need a surface
mount soldering iron. Should a mishap occur, flux-impregnated, braided
copper "desoldering braid" works miracles at wicking away surplus solder.
3) The ground can connect to anywhere convenient - but note that the
"obvious" place (the DIMM retaining springs) is not actually grounded.
4) The serial interface is very easy to build, and works as expected.
However, I was unsuccessful in my initial attempts, using a USB-Serial
adapter. You really need to use a proper (hardware) serial port for
this, because the voltage levels are higher. I used my A22p for this.
5) The EEPROM reading software, r24c01.exe, works fine under WINE with
Linux. (Just create a symlink in ~/.wine/dosdevices named com1, pointing
to /dev/ttyS0 for your serial port.) The baud rate etc. is automatically
set by the reader software.
6) Read the EEPROM at least 3 times consecutively, and do a bytewise
compare with `cmp`. If they don't match exactly, you have had an
incorrect EEPROM read, which probably denotes that the serial port isn't
up to spec. The file is exactly 1024 bytes long.
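The consistency check in step 6, written out as a small POSIX shell script. This is an added example, not part of Richard's post or the tools he names: it takes the dump files produced by the reader software, checks that each is exactly 1024 bytes (the size the post states), and runs `cmp` pairwise against the first dump so a bad read is flagged before anything is decoded. The sample dump files it creates are constructed for the demo (the "SER#" prefix from step 7 followed by zero padding), not real EEPROM contents.

```shell
#!/bin/sh
# Added example (not from the original post): verify that consecutive
# EEPROM dumps are byte-identical and of the expected size before trusting them.

EEPROM_SIZE=1024   # size stated in the post for this chip

# check_dumps FILE... -> 0 if every file is EEPROM_SIZE bytes and identical
# to the first one; 1 (with a message on stderr) otherwise.
check_dumps() {
    first="$1"
    for f in "$@"; do
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -ne "$EEPROM_SIZE" ]; then
            echo "$f: $size bytes, expected $EEPROM_SIZE (truncated read?)" >&2
            return 1
        fi
        # cmp -s is silent; a non-zero status means the bytes differ
        if ! cmp -s "$first" "$f"; then
            echo "$first and $f differ: unreliable read, repeat it" >&2
            return 1
        fi
    done
    return 0
}

# make_demo_dumps DIR -> writes three identical constructed 1024-byte dumps
# plus one that differs in a single byte, to exercise check_dumps offline.
make_demo_dumps() {
    dir="$1"
    for n in 1 2 3; do
        { printf 'SER#'; dd if=/dev/zero bs=1020 count=1 2>/dev/null; } \
            > "$dir/dump$n.bin"
    done
    { printf 'SER!'; dd if=/dev/zero bs=1020 count=1 2>/dev/null; } \
        > "$dir/bad.bin"
    # a short file, as a flaky serial port would produce
    printf 'SER#' > "$dir/short.bin"
}

# Stand-alone demo: build the constructed dumps and run the check on them.
demo_dir=$(mktemp -d)
make_demo_dumps "$demo_dir"
if check_dumps "$demo_dir/dump1.bin" "$demo_dir/dump2.bin" "$demo_dir/dump3.bin"; then
    echo "three consistent dumps: OK to decode"
fi
if ! check_dumps "$demo_dir/dump1.bin" "$demo_dir/bad.bin"; then
    echo "mismatch detected as expected"
fi
rm -rf "$demo_dir"
```

In real use, pass the three files the reader wrote, e.g. `check_dumps read1.bin read2.bin read3.bin`; only when it returns 0 is the dump worth feeding to the decoding step.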
7) If you look at the binary dump with hexedit, it looks like garbage. My
EEPROM begins with the string: SER#
8) At this point, you need to run ibmpass2.exe to decode (uncompress?
translate?) the EEPROM dump. Sadly, this program wouldn't run under WINE
- I have no idea why, but I needed to use XP. [This might change, with
luck!]
9) You should now get the Power-on password and supervisor password.
These are located at location 0x338 (and maybe 0x340). The font is
unhelpful - it's impossible to distinguish '1', 'l', '0', 'O'.
10) The password on the ThinkPad is limited to 7 characters. (Maybe less;
more will be ignored). These characters are restricted to (about)
[0-9A-Z;_-]
It is NOT case-sensitive. (I found this out by experiment with my A22p,
which has a known Power-on password).
11) This process should work exactly as above for most modern ThinkPads.
Very old machines (770 and earlier) need some extra tweak. Newest
machines (T60 and so on) need some other process to deal with the TCPA chip
- it's documented, but I didn't read it.
The Hard disk password is more secure than the Power-on password, and is
stored within the disk itself. It can't be recovered in this manner.
12) Lastly, the ThinkWiki has a section here:
http://www.thinkwiki.org/wiki/Maintenance#Recovering_BIOS_passwords
which probably needs some attention.
Hope that's useful.
Richard