Removing Supervisor Passwords And Learning Python

When learning a new programming language, it’s best to have a goal in mind and work towards it. [Timo] thought it was about time to learn Python, and he also had a project in mind: removing the BIOS supervisor password from his old ThinkPad. From there it was just a few keystrokes (and some soldering) and he was able to change the BIOS password of this black box from the outside.

The build utilizes a BeagleBone to communicate with the laptop’s EEPROM via the I2C bus. An oscilloscope also monitors the bus to look for a specific window, roughly every four seconds, when the computer is not accessing the bus. During that short period, the EEPROM can be read from and written to. Once the window opens, the BeagleBone executes the Python script, which attempts to read the EEPROM and can also perform actions such as removing or changing the BIOS supervisor password.

Of course, tinkering with the EEPROM on a laptop has a high risk of bricking the device, and not all laptops use the same security measures or even memory addresses for things like this, so documentation and precision are key. Also, with Thinkpads of this vintage it’s possible to replace the firmware on these chips entirely with a FOSS version called libreboot, and even though the process is difficult, it’s definitely recommended.
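As an added example (not [Timo]’s script and not code from the original post): a Python routine that dumps an I2C EEPROM page by page while the host may still be using the bus, retrying a page whenever the bus is busy, accepting it only when two consecutive reads agree, and producing a hash-verified backup before any write is attempted. The bus sits behind a single `read_block()` method so the constructed in-memory device below runs offline; on real hardware the same method would wrap a real bus driver such as the `smbus` tools mentioned in the comments (an assumption, not something the page shows).

```python
import hashlib
import random

class BusBusy(Exception):
    """The host controller is using the bus (NACK or lost arbitration)."""

class FakeEeprom:
    """Constructed stand-in: 256-byte EEPROM whose bus is randomly busy,
    mimicking the host's own periodic traffic seen on the scope."""
    def __init__(self, contents, busy_probability=0.3, seed=1):
        self.contents = bytearray(contents)
        self.busy_probability = busy_probability
        self.rng = random.Random(seed)
        self.busy_hits = 0

    def read_block(self, addr, length):
        if self.rng.random() < self.busy_probability:
            self.busy_hits += 1
            raise BusBusy(f"bus busy while reading 0x{addr:02x}")
        return bytes(self.contents[addr:addr + length])

def dump_eeprom(dev, size=256, page=16, max_retries=50):
    """Read `size` bytes page by page. A page is retried while the bus is
    busy and accepted only when two reads agree, so a read torn by the
    host's traffic never lands in the image."""
    image = bytearray()
    for addr in range(0, size, page):
        for _ in range(max_retries):
            try:
                first = dev.read_block(addr, page)
                second = dev.read_block(addr, page)
            except BusBusy:
                continue  # host is on the bus: back off, retry this page
            if first == second:
                image += first
                break
        else:
            raise RuntimeError(f"no stable read of page 0x{addr:02x}")
    return bytes(image)

def verified_backup(dev, size=256):
    """Return (image, sha256 hex) only if two full dumps agree; otherwise
    something is still writing the EEPROM and no write should proceed."""
    a, b = dump_eeprom(dev, size), dump_eeprom(dev, size)
    if a != b:
        raise RuntimeError("dumps differ: EEPROM is still being written")
    return a, hashlib.sha256(a).hexdigest()

SAMPLE = bytes((i * 7) & 0xFF for i in range(256))  # constructed contents
```

Keep the image and its digest with the rest of the documentation; a second dump after any later change can be compared against it byte for byte before deciding the device is still sane.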

15 thoughts on “Removing Supervisor Passwords And Learning Python”

    1. Yes you could! It is possible to scan the bus directly from a Linux terminal using the i2ctools. Just make absolutely sure you don’t have an address conflict between devices. Most devices turn invisible after boot but that doesn’t mean they are not there!
      I did some scans at different states during boot and lots of devices come and go. And on the X201, almost all devices on that bus seem invisible to boot.

      1. Some devices have an I2C bridge (SMBus) and you can’t talk to those chips from within the OS without telling the Winbond (or other brands’) SMBus management chip to connect the bus.

  1. Another trick is to hold the processor in reset while you talk to peripherals, then you typically don’t need to wait for a quiet period on the bus. On most processors the I/O is set up as an input while in reset, so you don’t need to deal with bus fights either. A good spot to hold the processor in reset is the power good pins on regulators. These are often open drain so it is as simple as pulling these lines low and it will keep the processor in reset.

    1. That is an interesting idea!
      Another way I found is to simply plug in the power supply. I don’t remember if it was just plugging it in or plugging it in and then shutting down. Probably the latter. In that case the bus remains powered but no one is talking. That’s probably how I’d recommend using this instead of an oscilloscope and luck.
      I’m planning on using GPIOs to check if the bus is busy and then do the work I do using the scope automagically.

    1. That’s how I destroyed my RFID area… I don’t want to do this trick anymore. It’s at least likely that something is writing to this chip during boot as multiple flags in the protected area of the 24RF08 change during various states of the boot process.

      1. It was pretty much my only option at the time. The BIOS wouldn’t let me boot without resetting the clock, and I couldn’t do that without the supervisor password. I had no means to flash a different BIOS at the time. Luckily it worked without issue.
