Deprecated: Assigning the return value of new by reference is deprecated in /home/sodoityo/public_html/wp-settings.php on line 512

Deprecated: Assigning the return value of new by reference is deprecated in /home/sodoityo/public_html/wp-settings.php on line 527

Deprecated: Assigning the return value of new by reference is deprecated in /home/sodoityo/public_html/wp-settings.php on line 534

Deprecated: Assigning the return value of new by reference is deprecated in /home/sodoityo/public_html/wp-settings.php on line 570

Deprecated: Assigning the return value of new by reference is deprecated in /home/sodoityo/public_html/wp-includes/cache.php on line 103

Deprecated: Assigning the return value of new by reference is deprecated in /home/sodoityo/public_html/wp-includes/query.php on line 61

Deprecated: Assigning the return value of new by reference is deprecated in /home/sodoityo/public_html/wp-includes/theme.php on line 1109
 » Hacking IBM Thinkpad Bios Password : SoDoItYourself.com

Back to SoDoItYourself.com
The Ikea hamper light tent »

Hacking IBM Thinkpad Bios Password
spacer spacer spacer spacer spacer
spacer  Loading ...

spacer Lost your IBM ThinkPad Supervisor password? No problem, on this page i will show you how to recover your old password.

Although IBM claims their TP BIOS passwords are impossible to break, there is a easy and cheap way to fix this.

The stuff you need cost about 5 $ at your closest radio shack type of store. Also you need a spare PC with a serial port.

This article is based on a IBM ThinkPad T42. There are no guarantees and you might end up destroying your TP. So continue at your own risk. Other models this ought to work with are:spacer

  • 240, 240x
  • 390E, 390x
  • 570, 570E
  • 600e, 600X
  • 770Z
  • A20m, A21e, A21m, a22m, A30p, A31, A31p
  • G40, G41
  • R30, R31, R32, R40, R50, R51
  • Transnote, T20, T21, T22, T30, T40, T40p, T41, T42, T42p
  • X20, X21, X22, X23, X24, X30, X31, X40, X41

The supervisor (SVP) password is stored in a chip called ATMEL 24RF08.It can not be reset by disconnecting the BIOS battery or shorting any jumper. It has to be read in order to deciffer the password. For this we need some kind of hardware so read on…

Soldering the ATMEL 24RF08 Chip reader

To read this chip we need to interface with it using a secondary computer and some simple electronics. You will need to purchase this:

spacer

  • 2 x 2200 Ohm Resistors
  • 2 x C5V1 Zener diodes (For example BZX55/C5V1 )
  • Serial Port 9 pin Female

The serial port can be salvaged from any old PS2 type mouse. The zeners and resistors can be found in scrap electronics, but they are rather cheap so i would not bother. Solder them according to the image below. Leave the wires leading to SDA , SCL and GND. These will be connected to the TP later.

spacer
Here is a simplified schematic for those unfamilliar with the above symbols:

spacer

spacer Locating the ATMEL chip

Usually the ATMEL chip is located somewhere below the touchpad. Start off by remving the keyboard and mousepad. This is done by unscrewing a couple of screws located under the TP. It is quite clearly illustrated on the bottom side of your ThinkPad.

Pull the TP keyboard up and let it rest against the screen. Pry off the touchpad part and fold it over where the keyboard used to be. Remove the WiFi card.

Under it all you should find a chip with something like this printed:

ATMEL

24RFC8

0446

Heres a closeup of the Atmel chip. Click to enlarge.

spacer

You can see the Atmel right under were the Wifi card used to sit:

spacer

Soldering the ThinkPad

Now this is the tricky part. You will have to solder 3 wires to the motherboard of your TP. Two wires to the ATMEL chip and one to ground. The ground is a piece of cake, just solder it anywhere you can find ground. The mounting screw holes on the motherboard is a good place. Solder 3 wires according to the image below:

spacer

As you can see, the SCL and SDA are located right next to eachother. It can be difficult to hold them in place while soldering. I have used some tape to hold them in place. The tape can be left there to minimze the risk of pulling off the soldered wires during the next steps.

Leave these wires unconnected and make them ready by peeling off the insulation. These will be connected to the reader ciruit later on. Make sure they can not reach ground or short circuit in any way.

Preparing the spare PC

You have made the hardware to read the chip, so now you need to supply the software. There is this great sofware made by www.allservice.ro/ that can be found here:

home.ripway.com/2005-7/365678/index.htm - Select R24RF08 v2.0b - Reader for ATMEL 24RF08 (Freeware)

While you are at it, download the Supervisor Password decoder IBM Pass 2.0 Lite found here:

home.ripway.com/2005-7/365678/index.htm

Also great software made available by www.allservice.ro/ .

Note:

Softpedix wrote that the download mirror has limited bandwidth. If you can’t download with the above, try these:
www.allservice.ro/forum/viewtopic.php?t=61 – Programmer
www.allservice.ro/forum/viewtopic.php?t=56 – IBMpass Lite

Install the software.

Connect the ATMEL chip reader to the spare PC.

Fire up a command promt(Start->run type cmd) and navigate to the folder where you installed R24RF08 v2.0b. Type in (don’t hit Enter):

r24rf08 dump.bin

Dumping the password

  1. Turn on your ThinkPad with all the wiring you just soldered.
  2. Press F1 during the startup to enter the BIOS.
  3. Wait untill all activity stops, blinking HDD leds and such.
  4. Connect the ATMEL Chip reader. GND first then the SDA and SCL.
  5. Now go to your spare PC and Hit enter on the command prompt.

Now there should be a file created in the same folder with the name dump.bin. Disconnect all the wiring off your TP and assemble it back together.

Decoding the Supervisor Password

On your Spare PC start the program IBM Pass 2.0 Lite. Load the file you just created (dump.bin). Navigate with the scroll list to the memory address of 0×330. Tada! It should look something like this:

spacer

 

This entry was posted on Monday, October 2nd, 2006 at 6:09 am and is filed under Computers, Electronics, Hacking. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

spacer  spacer  spacer  spacer  spacer  spacer  spacer  spacer  spacer  

spacer -->

1,362 comments to “Hacking IBM Thinkpad Bios Password”

  1. Comment by softpedix:
    Tuesday, October 10th 2006 at 6:44 pm

    Very well written. I would only mention that the download mirror has limited bandwith. The following links are from the www.allservice.ro:
    www.allservice.ro/forum/viewtopic.php?t=61 –programmer
    www.allservice.ro/forum/viewtopic.php?t=56 –IBMpass Lite

  2. Comment by www.techtagg.com - See Tech Taggers view on this story!:
    Tuesday, October 10th 2006 at 9:15 pm

    Hacking IBM Thinkpad Bios Password…

    This dude solderes some wires to the laptop to retrieve a password stored in a chip….

  3. Comment by Ian:
    Tuesday, October 10th 2006 at 9:55 pm

    Wish there were a way for the T60p

  4. Comment by Mike Douglas:
    Wednesday, October 11th 2006 at 12:34 am

    “Wish there were a way for the T60p ”

    Have you checked what kind of chips there are on the motherboard?

  5. Comment by softpedix:
    Friday, October 13th 2006 at 6:32 am

    There is a solution for T60! Didn’t you see the download page?
    It points to this:
    www.serviceforum.lx.ro/viewtopic.php?p=1061#1061

  6. Comment by Jernej:
    Monday, October 16th 2006 at 6:55 pm

    I was really happy when I found your page about hacking ibm-bios password. But when I start doing this, I found hard to recognize this ATMEL, 24RFC8, 0446!! Is atmel on the top of the cpu? Cause there is writen TPC8002, 2C as on many other chips!! and not 24RFC8!! but it has 8 leads! Please help me! Have a nice day, Jernej

  7. Comment by Mike:
    Tuesday, October 17th 2006 at 12:34 am

    Jernej, you need to find a chip has written Atmel , 24RFC8 written on it. Check above, ive added a couple more images with closeups.

    The atmel is located under the CPU looking chip.

  8. Comment by Tim:
    Wednesday, October 18th 2006 at 12:28 am

    I am doing this for my R40, i found that the amtel chip is actually underneath the motherbaord, between the hard drive and the bottom of the motherboard. i had to completely dissasemble my TP as far as i could go to get at it.

    ill let you know how it goes.

  9. Comment by Mike:
    Wednesday, October 18th 2006 at 1:21 pm

    Tim, maybe you could post a pic of the location of the chip? Then i could include it in the post so others can find it.

  10. Comment by Mike:
    Friday, October 20th 2006 at 1:59 pm

    Digg this story at digg:
    digg.com/security/Hacking_ibm_thinkpad_bios_password

  11. Comment by Nuno Martins:
    Saturday, October 28th 2006 at 4:53 pm

    Hi there is realy good what you did, i start doing but get to a stage were i found the the eprom is difrent the only atmel the board got is 16contacts not 8. and the numbers on it are ATMEL / 24RF08CT / 9952. Do you know in what contacts shoud i weld the wires, do the software work the same way??????

    Thanks
    Nuno

  12. Comment by admin:
    Monday, October 30th 2006 at 12:43 am

    Hi Nuno!

    Are you sure your 24RF08 has got 16 pins? There is one with 14 pins. however, allservice has got this schematic for the wiring.

    Also, what model is your TP?

  13. Comment by James:
    Thursday, November 2nd 2006 at 8:50 am

    I searched for the Atmel chip on the MB of a TP A21m. Found a 14 pin chip underneath the MB near the memory slots. Again, had to disassemble the whole thing to get at it so I guess I’ll have to run the wires out of the case to get it running again. I hope this is the one I need. It is marked ATMEL F 24RF08CT 0042. I will try using the diagram from allservice and hope that I get the right pins connected. I did take a couple of photos showing the chip and it’s location but I’m not sure how to post them.

  14. Comment by Cool:
    Saturday, November 4th 2006 at 1:05 pm

    hey.
    is there any way that I can read the bios password, while im in windows??
    i want to update my bios but it requires password, and I dont remeber it?

    By the way, its a ibm r51 i’m talking about.

  15. Comment by tof:
    Sunday, November 5th 2006 at 1:48 pm

    Hi, i have an old tp570, but not the supervisor password.
    i have found the chips Atmel (8 pins like the T42) near the bottom-left corner.
    I was done all step by step, and now i have my 1024kb dump.

    But the password don’t appear at the address 0×0330. Only Null bytes.

    Any help, please ?

    PS great this page, thanks.

  16. Comment by softpedix:
    Sunday, November 5th 2006 at 4:47 pm

    According to allservice.ro, The SVP is not set. You have to reset only the power on password, by removing the RTC battery.

  17. Comment by tof:
    Sunday, November 5th 2006 at 10:02 pm

    >> Hi, i have an old tp570, but not the supervisor password.
    >> I have found the chips Atmel (8 pins like the T42) near the bottom-left corner.
    >> I was done all step by step, and now i have my 1024 bytes dump.
    >> But the password don’t appear at the address 0×0330. Only Null bytes.

    Using IBMpass’s DOS version, the password appear ! Thanks !

    Note the password is store with Qwerty english keyboard character set.

    Great thanks !

  18. Comment by AMMAR:
    Monday, November 6th 2006 at 11:40 am

    Thankyou very much for all of this.
    I have an A22M with CRC ERROR (lovly message) because I loose all the information in the eeprom
    so it will be great if you find for me the .bin file for the 24rf08 from any ather A22M laptop
    even with wrong information .
    sorry for my bad English
    GREAT THANKS .

  19. Comment by Joe:
    Monday, November 6th 2006 at 4:41 pm

    I haven’t seen another post in reference to the T21 model, so I guess I’m the first in to try finding the elusive chip. I’m thinking mine must be bottom side like the R40, since I have a complete view of the top with no luck finding it yet.

    Anyone else with a T21 done this yet?

    Joe

  20. Comment by Admin:
    Tuesday, November 7th 2006 at 3:31 am

    To everyone following this post!

     

     

    If you manage to find the ATMEL chip on your TP please email me with pictures of the location so i can put them here for others!

    Mail me with your TP Model and a picture with the chip circled in.

    Also i would like one original pic(without the chip circled in)!

    Mail me at pekka ( atsign ) brevk (dot) org .

    Thank you!

  21. Comment by Joe:
    Tuesday, November 7th 2006 at 7:23 pm

    Way too easy on a T21.

    So much for “security”…

  22. Comment by Frank:
    Wednesday, November 8th 2006 at 3:28 am

    can someone please send me a picture of the actual wiring of the diodes and resistors and how they are grounded (i am not very good in this kind of stuff.. especially reading a schemetics)
    thank you

  23. Comment by jose:
    Thursday, November 9th 2006 at 1:21 am

    hello there.i built the system. i fould out that the simbol on my screen is a little computer and the command prompt says “Eeprom not available”

    can somebody tell me how to get this thing going.

  24. Comment by Frank:
    Thursday, November 9th 2006 at 4:36 am

    hi all.. can some one tell me if the sketch of the 9 pin female is the back or the front that we see. and also where do you solder the ground.
    thank you

  25. Comment by To Frank:
    Thursday, November 9th 2006 at 8:54 am

    The wiring is(DB9 / Technican PC side):
    5 - GND

    The ground on the ThinkPad side can usually be just about anywhere. For example one of the mounting screw holes.

  26. Comment by Feizel:
    Thursday, November 9th 2006 at 5:09 pm

    Hi, I have a Thinkpad Tp42p and my son put in a password which I forgot. I did all the procedures, and yes I managed to download the dump file, but, on line 330 does not reaveal my password. Please help

  27. Comment by Ruud:
    Thursday, November 9th 2006 at 6:48 pm

    Hello.

    I have read this over and over and i still can’t find where you have to ground the Zener diodes and serial port.

    The one in the portable is clear.

    The ground of the serial port is going on ground of the extra pc ore also to the portabel ?

  28. Comment by Ruud:
    Thursday, November 9th 2006 at 7:02 pm

    Ground is common on the Thinkpad AND the technican PC

    Just wire all grounds together:

    Ground on the Technican PC DB9 is pin 5.
    Ground on the ThinkPad can be any of the mounting screw holes (or pin 4 on 24rf08 with 8 leads / pin 6 on 24rf08 with 14 leads)
    Ground on the diodes should be wired to Ground on the DB9 and Thinkpad ground.

    DO NOT ATTACH IF NOT GROUNDED PROPERLY!

  29. Comment by Joe:
    Thursday, November 9th 2006 at 10:08 pm

    Fiezel:

    I’m at work and using the T21 I unlocked, so I don’t havce access to the IBMPass program.
    I had the same thing happen to me, but I fould that there was a button on the left just above the data from the .bin file that said “somethinorother” OFF. Clicking it got rid of the heiroglyphics and the rows of periods after the memory dump lines. It also magically made the password “Q21WSD” appear following line 0×330.
    I hope this helps.
    Joe

  30. Comment by Bale:
    Thursday, November 9th 2006 at 10:45 pm

    Is there any way you could provide more pictures of how the wiring setup is done? I’ve been through electronics classes but it’s been a while, and i just want to make sure i get this right. If you could provide any more information on this i would greatly appreciate it. Thanks.

  31. Comment by Frank:
    Friday, November 10th 2006 at 12:03 am

    hi all.. Can someone PLEASE help me.. I have taken my TP T21 apart and CANNOT find the Atmel chip can someone tell me where it coul be?
    Thank you

  32. Comment by Joe:
    Friday, November 10th 2006 at 2:45 pm

    Frank:
    Put your T21 back together. Turn it over. Remove the RAM access door. Viola! a 14 pin AMTEL chip conveniently hidden under RAM slot 1(closest to the outer edge of the laptop).

    ADMIN:
    What are the possibilities of setting up different “folders” for specific models? I’m willing to help if I can.

    Joe

  33. Comment by admin:
    Friday, November 10th 2006 at 4:06 pm

    Joe, i have mailed you.

  34. Comment by Ruud:
    Sunday, November 12th 2006 at 1:02 pm

    Thank you verry verry much.

    Thinkpad is up and running again.

  35. Comment by funkyboyoz:
    Monday, November 13th 2006 at 6:26 am

    hello admin.

    this is the great thing you guys are doing and i really appreciate it. As my request for bios password for my Ibm TP 40 is been knocked back by IBM saying that it is impossible to recover the passwor and the only option i am left with is either buy another m/b from them that itself is the cost of laptop or dump it in the rubbish bin. but i refused to both the offers. so while surfing i accidently found your site through google. its pretty explanatory on how to do the wiring and other stuff.

    anyway my question is regarding the ATMEL chip thats found under the WiFi card. i have done it all dissemble the laptop as i have gone thro this procedure before few times. i did find the chip as shown in the diagram with all the circuits and numbers whatever shown in the photo in the website. but only problem is that its number is different than written above. its written as ATMEL 24RF08 and some other numbers instead of ATMEL 24RFC8 0446. Still got the 8 pins as shown in the diagram and curcuits. looks exactly the same except above numbers. just wanna make sure it works even the numbers are different.

    I have IBM TP 40 [(2373PM1) is the model no.] with 1.3 Ghz and 32 MB Video and 768 RAM with 14.1″ screen. any help will be appreciated. and once again keep up the good work.
    Regards

    funkyboyoz

  36. Comment by Mike:
    Monday, November 13th 2006 at 2:44 pm

    funkyboyoz , those last numbers are probably just the batch number of the chip.

    You´ ve found the right one. As long as it says Atmel 24RF08.

  37. Comment by Carl:
    Wednesday, November 15th 2006 at 6:05 pm

    Hi,

    I have a TP R30. Looking for the atmel chip. all i have found is a atmel 93c46

    Is this it? it is also a 8 pin. if not please let me know were to find this little sucker

  38. Comment by Mike:
    Friday, November 17th 2006 at 12:10 am

    i have a thinkpad R60 and its dssassembled the only amtel chip i can find has this number
    Amtel at97sc3203 1.2.8.05 ***** ***** and its a 28 pin chip.
    and its located under the pci xpress expansion slot. any help would be greatly appreciated.
    can post pics if needed please someone help me!!!

    Mike

  39. Comment by Mike:
    Friday, November 17th 2006 at 12:42 am

    i found a diagram of the 28 lead chip if that helps located here >>>>>> www.atmel.com/dyn/resources/prod_documents/doc5010.pdf

    hope that helps.

  40. Comment by Brian:
    Friday, November 17th 2006 at 4:23 pm

    Admin- Will this work or is it needed with the older 760xl series?
    Thanks!

  41. Comment by Santonu:
    Saturday, November 18th 2006 at 9:02 pm

    I have a ThinkPad 600X. I opened the laptop but did not find any of the chips you mentioned. Instead I find TPC8002(8 legs).
    Please tell me what should I do.

  42. Comment by John:
    Monday, November 20th 2006 at 6:03 am

    Hello:
    I was following your instruction on navigating the folder where I installed the R24RF08 v2.0b and IBMpass lite to the hard drive (c drive). Then I type in r24rf08 dump.bin and setting up the wiring and connecting the ATMEL chip reader. When I go to my spare PC and hit enter on the command prompt. It will exit the r24rf08 program as stated in the instruction and the password won’t dump on the dump bin that I created. Can you tell me what do I do wrong? Looking forward for your reply.

    Regards,
    John

  43. Comment by John:
    Monday, November 20th 2006 at 8:03 am

    Hello:
    I have 2 errors message when I press on F1 during the startup to enter the BIOS.
    Error 0271 - check date and time setting
    Error 0176 - System sercurity. The system has been tempered with.

    Is it a problem?

  44. Comment by Santonu:
    Tuesday, November 21st 2006 at 9:17 am

    Hi,
    I have found the ATMEL chip on the motherboard and been able to find the supervisor password following your instructions. Thank you very much for the information you provided here.

    Santonu

  45. Comment by Ramiro85:
    Wednesday, November 22nd 2006 at 3:52 am

    Hello, thanks for these guide. I have an R50e notebook and Ive managed to find a atmel chip that seems the one on you are talking about, but im not shure if these procedures will work couse the numbrer is slightly diferent. The one Ive found is an
    Atmel
    24rf08 CN
    0536
    Do you think these guide will work for my chip?(it has 8pins and is located just there). finally another question, what if the password is also on the HD? couse i have read that there are 3 types of password SVC, POP, and HD password. It seems that my notebook has HD password and POP or SVC password couse even if I remove the HD there still is a password on boot (before booting) so I cant acess windows or any OS

    well if anyone could give me a had my mail is ramironospam&argentina.com
    (remove nospam to e-mail me, that is done to prevent automated bots finding my real mail)

  46. Comment by polico:
    Wednesday, November 22nd 2006 at 7:17 pm

    i have an T30 and i dont seem to find the atmel chip it may be named othervise any ideas where i can find it?

  47. Comment by Gsmtechno:
    Thursday, November 23rd 2006 at 5:49 pm

    ibm thinkpad T42

    i have read the bin file but whene i open it with pass tool password is encoded how to decode it ?

  48. Comment by John:
    Friday, November 24th 2006 at 12:30 am

    I was able to find the password using the dump bin but as soon as I entered onto the laptop, there was a OK signal but eventually denial it ? Why is it that way? What do I do wrong? Looking forward for suggestion.

    Thanks,
    John

  49. Comment by Angel:
    Saturday, November 25th 2006 at 4:22 am

    Hi there i am also looking for a picture on how you connect the diodes to the seriel port and how you ground the 2 zener diodes too i have over 10 laptops with the bios password,so i will post back if i have any differeiculties with them.if some1 can email me on be great
    Many Thanks
    Angel

  50. Comment by ian:
    Saturday, November 25th 2006 at 7:37 pm

    Hi i have got a tp 390x but unabell to find the the ATMEL 24RFC8 CHIP . Can anbody please help

  51. Comment by ian:
    Saturday, November 25th 2006 at 7:43 pm

    Hi i have got a tp 390x but unable to find the Atmel chip. Can anbody please help

  52. Comment by Aaron:
    Monday, November 27th 2006 at 1:06 pm

    Hi,
    The way your explained here, is the only way I found until now. I could buy a new Atmel chip, too. would you prefer this??

    Because, I don’t think, that I will find the atmel chip on my T30 2366. hmm I even can’t remove the case spacer hehe

    Can u tell me the place of the atmel chip and scl and sda on a T30 / 2366 ?????
    I can see under the mousepad a big chip with intel, but there i

gipoco.com is neither affiliated with the authors of this page nor responsible for its contents. This is a safe-cache copy of the original web site.