Unlocking Thinkpad Batteries

February 11, 2016 by Brian Benchoff 66 Comments

A few months ago, [Matt] realized he needed another battery for his Thinkpad X230T. The original battery would barely last 10 minutes, and he wanted a battery that would last an entire plane flight. When his new battery arrived, he installed it only to find a disturbing message displayed during startup: “The system does not support batteries that are not genuine Lenovo-made or authorized.” The battery was chipped, and now [Matt] had to figure out a way around this.

Most recent laptop batteries have an integrated controller that implements the Smart Battery Specification (SBS) over the SMBus, an I2C-like protocol with data and clock pins right on the battery connector. After connecting a USBee logic analyser to the relevant pins, [Matt] found the battery didn’t report itself correctly to the Thinkpad’s battery controller.

With the problem clearly defined, [Matt] had a few options open to him. The first was opening both batteries, and replacing the cells in the old (genuine) battery with the cells in the newer (not genuine) battery. If you’ve ever taken apart a laptop battery, you’ll know this is the worst choice. There are fiddly bits of plastic and glue, and if you’re lucky enough to get the battery apart in a reasonably clean matter, you’re not going to get it back together again. The second option was modifying the firmware on the non-genuine battery. [Charlie Miller] has done a bit of research on this, but none of the standard SBS commands would work on the non-genuine battery, meaning [Matt] would need to take the battery apart to see what’s inside. The third option is an embedded controller that taps into the SMBus on the charger connector, but according to [Matt], adding extra electronics to a laptop isn’t ideal. The last option is modifying the Thinkpad’s embedded controller firmware. This last option is the one he went with.

There’s an exceptionally large community dedicated to Thinkpad firmware hacks, reverse engineering, and generally turning Thinkpads into the best machines they can be. With the schematics for his laptop in hand, [Matt] found the embedded controller responsible for battery charging, and after taking a few educated guesses had some success. He ran into problems, though, when he discovered some strangely encrypted code in the software image. A few Russian developers had run into the same problem, and by wiring up a JTAG to the embedded controller chip, this dev had a fully decrypted Flash image of whatever was on this chip.

[Matt]’s next steps are taking the encrypted image and building new firmware for the embedded controller that will allow him to charge is off-brand, and probably every other battery on the planet. As far as interesting mods go, this is right at the top, soon to be overshadowed by a few dozen comments complaining about DRM in batteries.

Hacking An Android Laptop To Run Linux

June 13, 2015 by Brian Benchoff 22 Comments

A few years ago, someone at Lenovo realized they could take an Android tablet, add a keyboard, and sell a cheap netbook that’s slightly more useful than a YouTube and Facebook machine. Since then, Lenovo has stopped making the A10 notebook and has moved on to manufacturing Chromebooks. That doesn’t mean this little Laptop doesn’t have some life left in it: it still has a Cortex A9 Quad core CPU, is reasonably priced on the ‘defective’ market, and can now run a full-blown Linux.

When the A10 notebook was released, there was a statement going around saying it was impossible to install Linux on it. For [Steffen] that was a challenge. He cracked open this netbook and took a look around the Flash chips. There were two tiny pads that could be shorted to put the device in recovery mode, and the entire thing can be booted from a USB stick.

[Steffen] ran into a problem while putting a new kernel on the netbook: there was a null pointer reference in some device during boot. The usual way of diagnosing this problem is to look at the console to see what device failed. This netbook doesn’t have a UART, though, and [Steffen] had to use an FTDI chip and set the console to USB to see why this device failed.

Just about everything on this tiny laptop works right now, with a few problems with WiFi, webcam, and standby mode – all normal stuff for a putting Linux on a random machine. It’s worth it, though: the quad-core ARM is a very good chip, and [Steffen] is running x86 apps with qemu. Not bad for something that can be found very, very cheap.

Lenovo Shipped PC’s With Spyware That Breaks HTTPS

February 19, 2015 by Rick Osgood 91 Comments

If you’ve ever purchased a new computer then you are probably familiar with the barrage of bloatware that comes pre-installed. Usually there are system tools, antivirus software trials, and a whole bunch of other things that most of us never wanted in the first place. Well now we can add Superfish spyware to the list.

You may wonder what makes this case so special. A lot of PC’s come with software pre-installed that collect usage statistics for the manufacturer. Superfish is a somewhat extreme case of this. The software actually installs a self-signed root HTTPS certificate. Then, the software uses its own certificates for every single HTTPS session the user opens. If you visit your online banking portal for example, you won’t actually get the certificate from your bank. Instead, you’ll receive a certificate signed by Superfish. Your PC will trust it, because it already has the root certificate installed. This is essentially a man in the middle attack performed by software installed by Lenovo. Superfish uses this ability to do things to your encrypted connection including collecting data, and injecting ads.

As if that wasn’t bad enough, their certificate is actually using a deprecated SHA-1 certificate that uses 1024-bit RSA encryption. This level of encryption is weak and susceptible to attack. In fact, it was reported that [Rob Graham], CEO of Errata Security has already cracked the certificate and revealed the private key. With the private key known to the public, an attacker can easily spoof any HTTPS certificate and systems that are infected with Superfish will just trust it. The user will have no idea that they are visiting a fake phishing website.

Since this discovery was made, Lenovo has released a statement saying that Superfish was installed on some systems that shipped between September and December of 2014. They claim that server-side interactions have been disabled since January, which disables Superfish. They have no plans to pre-load Superfish on any new systems.

Extreme Repair Of An All-in-One PC

November 18, 2014 by Adam Fabio 11 Comments

While browsing a local auction site, [Viktor] found himself bidding on a beat up Lenovo A600 all-in-one PC. He bid around $50 and won. Then came the hard part – actually making the thing work. The front glass was cracked, but the LCD was thankfully unharmed. The heat pipes looked like they had been attacked with monkey wrenches. The superIO chip’s pins were mangled, and worst of all, the MXM video card was dead.

The first order of business was to fix the superIO chip’s pins and a few nearby discrete components which had been knocked off their pads. Once that was done, [Viktor] was actually able to get the computer to boot into Linux from a USB flash drive. The next step was bringing up the display. [Viktor] only needed a coding station, so in addition to being dead, the video accelerator on the MXM wasn’t very useful to him. The Lenovo’s motherboard was designed to support video on an MXM card or internal video. Switching over meant changing some driver settings and moving a few components, including a rather large LVDS connector for the display itself. A difficult task, compounded by the fact that [Viktor’s] soldering tools were a pair of soldering guns that would be better suited to fixing the bodywork on a ’57 Chevy. He was able to fashion a hot wire setup of sorts, and moved the connector over. When he was done, only one tiny solder bridge remained!

The end result is a new coding battle station for [Viktor] and a computer which was a basket case is saved from the landfill. If you like this hack, check out [Viktor’s] low power PSU, or his 1 wire network!

Using A ThinkPad Keyboard Over USB

April 30, 2014 by Brian Benchoff 31 Comments

It doesn’t have buckling springs, Cherry blues, or even the wonderful if forgotten Alps switches, but the keyboard found in ThinkPads has the best keyboard action of any laptop around. They would make a great USB conversion keyboard, but the board to board connector is very hard to find, and no one has yet managed to get the keyboard and track point working as a USB HID device. Until [rampadc] came along, that is.

[Rampadc]’s keyboard adapter is built for the ThinkPad T60 keyboard, which is shared between the Lenovo T60, T61, Z60, Z61, R400, R500, T400, T500, and X41 laptops, among many others. The connector is an extremely odd proprietary deal, that can be found through the usual channels for about $5 in quantity 100. On top of this, the keyboard doesn’t have a controller – that’s offloaded to the laptop’s main board. The only electronics in this keyboard is just a matrix. Despite all this, [rampadc] managed to create a breakout board with a decade counter and an SPI GPIO expander.

The board [rampadc] made features one of the proprietary connectors, a few chips, and a receptacle for an Arduino Micro. With just a little bit of code, the old keyboard becomes one of the best portable keyboards in existence, and probably a bit cheaper than the official Lenovo USB-bound ThinkPad keyboard.

[rampadc] has a few of the expansion boards available over on Tindie should you want to build your own. It’s only cost-effective if you have one of these T60 keyboards sitting around in a junk pile; not a likely situation because these machines just don’t die.

Continue reading “Using A ThinkPad Keyboard Over USB” →

One Remote To Stream Them All

July 24, 2012 by Mike Szczys 11 Comments

We’d bet that most readers stream video as the lion’s share of their entertainment consumption. It’s getting easier and easier thanks to great platforms like XBMC, but not everything is available in one place, which can be a bit off-putting. [Tony Hoang] is trying to simplify his viewing experience by creating one remote to rule all of his streaming software. He’s got an HTPC connected to his entertainment center, and used a bit of scripting to add some functionality to this Lenovo N9502 remote control.

The hack is entirely software-side. The remote already works quite well, but he remapped the home, end, and page up buttons, as well as the mouse controller. The three buttons will launch XBMC, Hulu, and Netflix respectively. They are also set to kill the other applications before launch so that one button will do everything needed to switch between one another. The mouse remapping takes care of up, down, left, and right keys for navigation in the UI and control of the playing videos. See a demo of the setup after the break.

Everything was done with autohotkey scripts for Windows. But this should be easy to code with other OSes as well. If you’re prone to have a slip of the finger you might want to work out a double-click to launch the applications so you don’t accidentally hit a key in the middle of your favorite show.

Continue reading “One Remote To Stream Them All” →

Photo Booth In Briefcase Form

October 4, 2010 by Mike Szczys 12 Comments

Taking portability one step further [Marty Enerson] built a photo booth in a roll-away case. The Pelican mobile case houses an Elo Touchscreen, a Canon PIXMA iP3000 photo printer, and a Canon Powershot SD100 digital camera. Most of this, including a Lenovo laptop to run it, was purchased second-hand from eBay, with a copy of Photoboof (different from the wedding photo booth from last week) to tie up the software side of the project. He plans to add a folding stand later on to make it into a kiosk. For some reason that sparks the image of a voting booth in our minds.