Thinkpad password bypass hardware

Some friends of mine are gathering up some old IBM Thinkpads from a recycling center, to refurbish them with Libreboot. It reminds me how much fixing end-user problems is like attacking a system. One of the Thinkpads had multiple passwords that had to be bypassed before it could be used.

There’s a password bypass solution for Thinkpads that involves custom hardware:

“Joe in Australia offers the only Affordable Fully Assembled, Programmed and Tested unlimited use USB based ThinkPad Supervisor Password [SVP] Recovery or Clear Tools in the world.  Joe’s KeyMaker X1 [KMX1] and X2 [KMX2] can Recover or Clear Supervisor Password from all current IBM and Lenovo ThinkPad models with the exception of the SL300 SL400 SL500 G550 T*40 X*40 X1 Carbon (Gen 2) it can do this even if TPM/TCPA/PC8394T/8356908 security has been enabled. SL300 SL400 SL500 G550 T*40 X*40 X1 Carbon (Gen 2) do NOT store Supervisor Password [SVP] in an EEPROM, that is the reason the SVP cannot be recovered in those models from an EEPROM by KMX1 or KMX2.”

http://www.ja.axxs.net/

https://support.lenovo.com/us/en/documents/ht036206
http://www.tech-faq.com/reset-ibm-thinkpad-bios-password.html

Matthew Chapman on Lenovo laptop internals

Matthew Chapman has a nice set of blog posts that go into detail about Lenovo internals, including some firmware and ACPI details, all because of a new battery:

Unlocking my Lenovo laptop, parts 1-3

Two months ago, I bought a new battery for my Lenovo laptop (a ThinkPad X230T). I was about to go away on holidays and wanted a battery that could last me through a plane flight; the original battery was by then barely lasting ten minutes. Little did I know that I was about to […]

In part 1, we looked at the communication between a Lenovo Thinkpad X230T laptop and battery, and discovered that there is a challenge-response protocol used to authenticate ‘genuine’ Lenovo batteries. On the laptop side, this – and battery communication in general – is implemented in a component known as the embedded controller (EC). […]

In part 2, we discovered that an embedded controller update is performed by uploading a small ‘flasher’ program to the EC. This flasher program is then responsible for programming a new firmware image to the EC’s internal flash memory. However, both the flasher program and part of the firmware image are encrypted: the old (currently running) EC firmware decrypts the flasher program, and the flasher program then decrypts the new firmware update. This creates a bit of a chicken-and-egg problem that prevents discovering the encryption algorithm from firmware update files alone. […]

Blog series:
http://www.zmatt.net/unlocking-my-lenovo-laptop-part-1/
http://www.zmatt.net/unlocking-my-lenovo-laptop-part-2/
http://www.zmatt.net/unlocking-my-lenovo-laptop-part-3/

Libiquity Taurinus X200

As noted by LinuxDevices:

The Ministry of Freedom is getting some competition refurbishing Thinkpads with Free Software!  Purism is getting some competition disabling Intel security features! 🙂

https://shop.libiquity.com/product/taurinus-x200

http://www.linux.com/news/hardware/laptops/856777-taurinus-x200-now-the-most-free-software-laptop-on-the-planet/
http://www.zdnet.com/article/a-new-free-software-laptop-arrives/