--- In A-1-Computer_Tech@yahoogroups.com, "CV" <[EMAIL PROTECTED]> wrote:
> Hello again everyone! I have a problem (again). My co-worker at 
> gave me her old IBM thinkpad 600. She said she had it a long time. 
> she did not remember the password to get into it! i tried what she 
> thought the password was it did not work. It boots up and then has 
> little "lock" icon requiring a password.  Can anyone PLEASE PLEASE 
> help me to get past the password and get into the OS?  Is there a 
> generic password? Why the heck does IBM do this? It makes it 
> impossible if you were to lose or forget the password. 
> Can anyone PLEASE HELP!
> Thank you and God Bless!
> Cindy
Firstly, why have you got to post the message to a number of groups? 
If you need to do so, you should cross post in such a way that people 
know that you have done so?  Yesterday someone on the CHAD Group got 
upset because they found out that they had responded to a message 
already answered on A1- Computer Tech Group.  People, understandably, 
get upset when they find out their efforts have been wasted.
As for why the heck did IBM follow similar standards to other 
portable computer manufacturers, for security purposes.  Doh, if I 
had a thinkpad stolen I wouldn't want the felon to be able to use it, 
or to be easily able to access the Hard Disk in an other machine.
I have researched your problem on your internet, and found (a) People 
that say you cant crack the password, (b) a  person that he will for 
a fee, plus you will have to pay in addition for repairs to the 
machine, (c) the option that you have costly maintenance work carried 
and have the chip replaced and the Hard Disk or finally (d) that you 
can actually change the supervisors pasword etc if you have another 
computer and the technical ability to so.
A......Those that say you can't (or shouldn't) overcome forgotten 
 From the list's FAQ: 

#15) Can you help me remove the BIOS/HDD password from this ThinkPad 
that I 
just bought/inherited/found/was given/stole/other? 

Short answer: No. 

Long answer: Cracking passwords is a highly charged subject over 
reasonable people disagree. Threads discussing it can be found 
starting at: 




B...........Pay for the password and repairs

This site is dedicated to ThinkPad™ (TP) owners who find themselves 
locked out for whatever reason, they don't know the Power On Password 
or Supervisor Password or Hard Disk Password or encounter a BAD CRC1 
or CRC2 ERROR displayed on their TP.  

TP owners will have subsequently discovered, to their absolute 
amazement, that the manufacturer of their beloved TP offers no 
economically viable solution. The manufacturer does not have a policy 
to help genuine legitimate owners out of this predicament without 
paying, in some cases more than the TP is worth, to replace for no 
sane or logical reason their perfect and fully functional System 


How much does password recovery cost
Cost depends on which model ThinkPad you have

USD $30 for these 'Category 1' models; 

370C, 380Z, 380XD, 560Z, 600, 760EL, 760LD, 770 series, 770E, 770ED

USD $45 for these 'Category 2' models;

240, 240X, 390E, 390X, 570, 600e, 600X, 770Z, A20m, A21e, A21m, A22e, 
A22m, A30, A30p, A31, A31p, G40, G41, R30, R31, R32, R40, R51, T20, 
T21, T22, T23, T30, T40, T40p, T41, T41p, T42, T42p, TransNote, X20, 
X21, X22, X23, X24, X30, X31, X40, X41.

I am currently developing password recovery solutions for ThinkPad 
models T43, T43p, R52, T60, T60p and Z60, I will add them to the list 
when the work is completed, until then please do NOT purchase a 
password recovery for these models.


What else will I need to buy
You will need to buy the parts to build the interface, the parts for 
the interface are NOT included in your purchase price.

I do NOT sell the parts for the interface, you can easily source 
these parts locally or on the net, costs of the parts for the 
interface varies from USD $25 to USD $50 depending on where you buy 

You will also need;

 a fine tipped Soldering Iron and solder.

a small Philips head screw driver

What do I receive after payment
Following receipt of payment, detailed illustrated step by step 
instructions will be sent by email to your PayPal registered email 
address  to enable you to successfully use my Password Recovery and 
CRC Repair  procedures.

You will also receive a 'Certificate Number' always quote 
your 'Certificate Number' in any subsequent email.


C...............Recovery through servicicing and replacement of the 
main board and Hard Drive:
Forgotten Supervisor password 
A forgotten Supervisor password will prevent access to the ThinkPad 
BIOS setup utility. To regain access, the system will need to be 
serviced to have the system board and hard drive replaced. Proof of 
purchase is required, and this repair is not covered under the 

Hard drive password 
There are two Hard drive passwords: a user Hard drive password for 
the user and a master Hard drive password for the system 
administrator. The administrator can use the master password to get 
access to the hard drive even if a user has changed the user Hard 
drive password. The following is the icon that comes up in the upper 
left corner if a Hard disk password is set:

Normal Operation 
There are two modes for the Hard drive password: user only and master 
+ user. The master + user mode requires two Hard drive passwords; the 
system administrator enters both in the same operation and provides 
the user Hard drive password to the system user. If either master + 
user or user only are set, a the password prompt will appear during 
the boot process either the master or the user Hard drive password 
will need to be entered before the operating system can be booted. 

Forgotten Hard drive password 
If the user's Hard drive password has been forgotten, check whether a 
master Hard drive password has been set. If it has, it can be used 
for access to the hard drive. If no master Hard drive password is 
available, or if the administrator forgets the master Hard drive 
password, then the hard drive must be replaced. This replacement 
process is not covered under the warranty. 

Power-on password 
A Power-on password protects the system from being powered on by an 
unauthorized person. The following is the icon that comes up in the 
upper left corner if a Power-on password is set:

Normal Operation 
When the Power-on password has been set, a prompt will appear during 
the system start up, and the Power-on password must be entered before 
an operating system can be booted. 

Forgotten Power-on password 
If the Power-on password is forgotten and the Supervisor password is 
known, simply go into the ThinkPad BIOS setup utility and reset the 
Power-on password, otherwise try the following: 
Turn off the computer. 
Remove the battery pack. 
Remove the backup battery. 
Turn on the computer and wait until the POST ends. After the POST 
ends, the password prompt does not appear. The POP has been removed. 
Reinstall the backup battery and the battery pack. 
Note: Some ThinkPad systems have the ability to reset the Power-on 
passwords in the ThinkPad BIOS setup utility if a Supervisor password 
has been set.
D........................Recovery by building an interface and using 
another computer
Recovering BIOS passwords
Password recovery procedure for IBM ThinkPads using R24RF08 and 

1. Introduction. 

As you probably know, IBM ThinkPad uses a small eeprom (ATMEL 24RF08) 
to store different OEM issues like serial number, UUID, etc. The 
supervisor password (SVP) is stored also into this little chip. So, 
anybody should figure that he needs to read the eeprom in order to 
find the password string. The first problem is that 24RF08 is not an 
ordinary eeprom. The second is that the password is written in a 
special scan code. To read properly you need a software (and an 
interface) specially designed for this eeprom. This software is 
R24RF08 (eeprom reader) and IBMpass (password revealer) available at 
www.allservice.ro . Diagrams are included in the reader kit 

2. Locating the eeprom. Soldering. 

No need to unsolder the 24RF08 eeprom, just solder 3 wires to SDA, 
SCL and GND pins of the eeprom. There are two eeprom layouts (see 
interface schematics described bellow), orresponding to 8 pin or 14 
pin eeproms. Locate the eeprom first according to your model (E.g. 
T20-23 and T30 have the eeprom underneath TP, and can be accessed by 
removing the RAM modules cover, no need to dismantle the laptop.) and 
solder the wires using a soldering iron with a fine tip. Also, you 
can use 0.15 -0.20 mm enamel coated wires or similar small diameter 
insulated wires. These wires will be connected later to the 
interface. Tip: You can use clips to connect the wires or you can 
solder on the PCB traces leading to the eeprom pins. Once again, be 
careful and double, triple check the soldering if necessary till you 
are positively sure you have done the right job. 

3. Choose and build the interface. 

Since version 2.0, R24RF08 and W24RF08(eeprom writer) are compatible 
with a wide range of eeprom programmers. By default, both programs 
set the COM port signals to use direct logic level to access I2C bus. 
We provide here 2 schematics that are relevant for direct logic 
signals and for inverse logic signals (simple-i2cprog.pdf and driven-
i2cprog.pdf). Also, depending of the interface you build, you can 
invert the logics for SDA-In, SDA-Out, and SCL COM port signals by 
some command line parameters described later in this document. a) The 
file simple-i2cprog.pdf contains the schematic diagram of a simple 
interface (known as SIPROG)based on 2 zeners and 2 resistors. This is 
a classic, easy to build circuit and works with soldered or 
unsoldered eeproms. The purpose of the 2 zeners is to convert RS232 
levels (+/- 5V) to TTL levels, needed by the eeprom. It uses direct 
logic signals to I2C eeprom and is powered by the COM port. However, 
this interface works with in-system eeproms but is dependant on COM 
port current and eeprom bus impedance. R24RF08 works natively with 
this circuit, no need to change the lines signals with command line 
parameters. This circuit works pretty well with almost all ThinkPads 
series. b) The second interface is described in driven-i2cprog.pdf. 
The circuit uses MAX 232 as a RS232 to TTL driver and its main 
purpose is to work with soldered eeproms. The advantage of MAX232 is 
the TTL outputs that are more reliable and more powerful when work 
with soldered, in-system eeproms (dependency free from the COM port 
current). Due of the internal inverters of MAX232 the interface 
responds to an inverse signal logic level. R24RF08 needs /x, /d, /i 
switches to be specified in the command line. What these switches 
mean: /x - invert serial clock, also known as SCL; /d - invert serial 
data output, also known as SDA-Out; /i - invert serial data input, 
also known as SDA-In. All those can be used in any combination to 
meet any interface specification. 

4. How is it working: 

Prepare your technician PC by connecting the interface to the COM1 
port (don't connect the wires to eeprom yet). Turn on the ThinkPad 
and press F1 to enter BIOS Setup. When you are prompted for the 
password and there's no other activity like HDD access or so, connect 
the wires (GND first!, SDA, SCL) to the corresponding wires from the 
interface (attached before to COM1) and execute R24RF08: 

-for SI-PROG interface (as described in 3.a above): r24rf08.exe 
<filename.ext>. where filename.ext is the file where eeprom content 
will be stored. Example: r24rf08 mytp.bin 

-for MAX232 driven I2C interface (as described in 3.b above): 
r24rf08.exe <filename.ext> /x /d /i. where /x /d /i are command line 
parameters (switches) for this kind of interface. Example: r24rf08 
mytp2.bin /x /d /i 

Use exactly the instructed switches to avoid possible damages to your 
eeprom data! The file should be created in the same folder. Finally, 
disconnect the wires (GND last!) and turn off the ThinkPad by 
pressing on/off switch. 

5. Reveal the password. 

Now, you have the .bin file but you need to dump in scan code to 
retrieve the password. IBMpass 2.0 Lite is a free tool that will do 
the job. Just open the eeprom dump you've created before and search 
for 0x330, 0x340 lines. The password is located on 0x338 (and 0x340 
depending on model) in scan code. For 24C01 eeproms the password is 
located at 0x38, 0x40. If the password won't work for the very first 
time then your eeprom may use newer IBM scancodes. In this case 
switch to alternate scan codes to find it. For those who want quick 
answers the recommended version is IBMpass 1.1. Usage for IBMpass 1.1 
(command line only): 

ibmpass mytp.bin – use "/a" switch to see in alternate scan code if 
needed: ibmpass mytp.bin /a 

For some old models like 570 or 770Z you need to execute the eeprom 
patcher first. This will reset the read protection on the password 
offset. To do that just execute patcher.exe before the reading 
operation, without rebooting the laptop: 

-for SI-PROG: patcher.exe , then immediately r24rf08.exe 

-for Driven-I2C (Max232) you must insert the switches: 
patcher.exe /x /d /i, then immediately r24rf08.exe 
<filename.ext> /x /d /i 

W24RF08, the writer version, has included the complete APP reset 
operation you don't need to use patcher. 

Remember, use 3 wires from the interface and 3 wires from eeprom! 
Connect them after your ThinkPad is powered and disconnect them right 
after you read the content, before you switch off the laptop. 

[edit]External Sources
R24RF08 & IBMpass author's webpage. 
IBM Support - Lost or forgotten password 
Full Service of all Thinkpad models including free password recovery 
I hope the above helps, whether its cost effective to mess about with 
elderly computers - and/or to spend money on them - only you will 
know.  Would be far better if your colleague could remember the 

If you have any questions or problems with any aspect of this site, please feel 
free to contact me directly [EMAIL PROTECTED] Please do not post personal 
issues directly to the group.

To unsubscribe from this list, send an email to [EMAIL PROTECTED]

Thank you for using A-1 Computer Tech 
Yahoo! Groups Links

<*> To visit your group on the web, go to:

<*> To unsubscribe from this group, send an email to:

<*> Your use of Yahoo! Groups is subject to:

Reply via email to