When learning a new programming language, it’s best to have a goal in mind and work towards it. [Timo] thought it was about time to learn Python, and he also had a project in mind: removing the BIOS supervisor password from his old Thinkpad. From there it was just a few keystrokes (and some soldering) and he was able to change the BIOS password of this black box from the outside.
The build uses a BeagleBone to talk to the laptop’s EEPROM over the I2C bus. An oscilloscope monitors the bus to catch a window, recurring roughly every four seconds, in which the computer is not accessing the bus; during that short period the EEPROM can be read and written. Once the window opens, the BeagleBone runs the Python script, which reads the EEPROM and can also remove or change the BIOS supervisor password.
Of course, tinkering with the EEPROM on a laptop carries a high risk of bricking the device, and not all laptops use the same security measures, or even the same memory addresses, for things like this, so documentation and precision are key. Also, with Thinkpads of this vintage it’s possible to replace the BIOS firmware entirely with a FOSS version called libreboot, and even though the process is difficult, it’s definitely recommended.
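The wait-for-a-quiet-bus, dump, and write-back flow described above, as an added Python example; this is not [Timo]’s script and nothing in it comes from the article. It assumes an smbus2-style bus object (read_byte_data / write_byte_data), a 24Cxx-style part whose 256-byte blocks each answer on their own 7-bit address, and a base address of 0x54 with four blocks; those numbers, the bus number, and the offset written in the demo are assumptions to be confirmed with i2cdetect and a full dump, not ThinkPad specifics. The in-memory EEPROM and clock are constructed so the example runs offline.

```python
"""Wait-for-quiet, dump, and write-with-verify helpers for an I2C EEPROM.

Added example, not the script from the article. Assumptions: an smbus2-style
bus object exposing read_byte_data(addr, reg) / write_byte_data(addr, reg, val),
and a 24Cxx-style part whose 256-byte blocks each sit at base + block index.
Base address 0x54 and block count 4 are assumed, not taken from the article.
"""
import time


class FakeEeprom:
    """Constructed in-memory stand-in for the real bus so the example runs offline."""

    def __init__(self, base=0x54, blocks=4):
        self.mem = {base + b: bytearray(256) for b in range(blocks)}

    def read_byte_data(self, addr, reg):
        return self.mem[addr][reg]

    def write_byte_data(self, addr, reg, value):
        self.mem[addr][reg] = value & 0xFF


class FakeClock:
    """Constructed clock so wait_for_quiet can be exercised without real delays."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, s):
        self.t += s


def wait_for_quiet(bus_busy, quiet_s=0.2, timeout_s=10.0,
                   now=time.monotonic, sleep=time.sleep):
    """Block until bus_busy() has reported an idle bus for quiet_s seconds.

    bus_busy is whatever observes SCL/SDA activity (a GPIO read on a real
    board). Returns True once a quiet window is seen, False on timeout.
    """
    start = now()
    idle_since = None
    while now() - start < timeout_s:
        if bus_busy():
            idle_since = None          # traffic seen: restart the quiet timer
        else:
            if idle_since is None:
                idle_since = now()
            if now() - idle_since >= quiet_s:
                return True
        sleep(0.001)
    return False


def dump_eeprom(bus, base=0x54, blocks=4):
    """Read every block byte by byte and return the whole image (take this first)."""
    image = bytearray()
    for b in range(blocks):
        for reg in range(256):
            image.append(bus.read_byte_data(base + b, reg))
    return bytes(image)


def write_verified(bus, offset, payload, base=0x54):
    """Write payload at a linear offset, reading each byte back.

    Returns the bytes that were there before, so they can be restored. Raises
    at the first byte that does not read back, before any further byte is written.
    """
    original = bytearray()
    for i, value in enumerate(payload):
        linear = offset + i
        addr, reg = base + (linear >> 8), linear & 0xFF   # block, byte-in-block
        original.append(bus.read_byte_data(addr, reg))
        bus.write_byte_data(addr, reg, value)
        # A real 24Cxx part needs its internal write cycle (a few ms) to finish
        # before it acknowledges again; the fake bus does not, so no delay here.
        if bus.read_byte_data(addr, reg) != value:
            raise IOError(f"read-back mismatch at offset {linear:#06x}")
    return bytes(original)


def hexdump(image, width=16):
    """Render an image as offset / hex / ASCII lines for the backup log."""
    lines = []
    for off in range(0, len(image), width):
        chunk = image[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    bus = FakeEeprom()                        # swap for smbus2.SMBus(2) on a BeagleBone
    if not wait_for_quiet(lambda: False, quiet_s=0.05, timeout_s=1.0):
        raise SystemExit("bus never went quiet")
    backup = dump_eeprom(bus)                 # always save a full dump before writing
    print(hexdump(backup[:32]))
    before = write_verified(bus, 0x1FF, b"\xaa\xbb")   # demo offset; spans two blocks
    print("restore with:", before.hex())
```

On real hardware, replace FakeEeprom with an smbus2.SMBus instance and bus_busy with a GPIO read of SCL/SDA; keep the dump on disk before any write, since the returned "before" bytes are the only way back if the write changes the wrong thing.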
a proper hack :)
Nice
Awesome, Beagle Bone Black is an interesting platform.
Very nice! Can you connect peripherals to it too?
Yes you could! It is possible to scan the bus directly from a linux terminal using the i2ctools. Just make absolutely sure you don’t have an address conflict between devices. Most devices turn invisible after boot but that doesn’t mean they are not there!
I did some scans at different states during boot and lots of devices come and go. And on the X201, almost all devices on that bus seem invisible to boot.
Some devices have an I2C bridge (SMBus) and you can’t talk to those chips from within the OS without telling the Winbond (or other brand) SMBus management chip to connect the bus.
The supervisor password persists if you remove the battery and the CR2016 cell?
Of course, would be fairly shit security if it did not. No modern laptop uses volatile memory to store the settings.
EEPROM
The last computer with CMOS configuration RAM was made well over two decades ago.
Wow, an actual hack on HaD!
Another trick is to hold the processor in reset while you talk to peripherals; then you typically don’t need to wait for a quiet period on the bus. On most processors the I/O is set up as an input while in reset, so you don’t need to deal with bus fights either. A good spot to hold the processor in reset is the power good pins on regulators. These are often open drain, so it is as simple as pulling these lines low and it will keep the processor in reset.
That is an interesting idea!
Another way I found is to simply plug in the power supply. I don’t remember if it was just plugging it in or plugging it in and then shutting down. Probably the latter. In that case the bus remains powered but no one is talking. That’s probably how I’d recommend using this instead of an oscilloscope and luck.
I’m planning on using GPIOs to check if the bus is busy and then do the work I do using the scope automagically.
Shorting two pins on the EEPROM worked for my X200. The tricky bit is timing it right. But I got it on my third or fourth attempt.
That’s how I destroyed my RFID area… I don’t want to do this trick anymore. It’s at least likely that something is writing to this chip during boot as multiple flags in the protected area of the 24RF08 change during various states of the boot process.
It was pretty much my only option at the time. The BIOS wouldn’t let me boot without resetting the clock, and I couldn’t do that without the supervisor password. I had no means to flash a different BIOS at the time. Luckily it worked without issue.