
Doc. Rev. 1.4
Password recovery procedure for IBM ThinkPads
using R24RF08 and IBMpass
1. Introduction.
As you may know, the IBM ThinkPad uses a small eeprom (ATMEL 24RF08) to store various OEM
data such as the serial number, UUID, etc. The supervisor password (SVP) is also stored in this little
chip, so you need to read the eeprom in order to find the password string. The first problem is
that the 24RF08 is not an ordinary eeprom. The second is that the password is written in a
special scan code.
To read it properly you need software (and an interface) specially designed for this eeprom.
The software is R24RF08 (eeprom reader) and IBMpass (password decoder).
The password recovery procedure is detailed below. Both R24RF08 and IBMpass are needed. Also,
for TPs that use the TCPA security chip to encrypt the passwords, the eeprom writer W24RF08 is
needed to complete the unlock procedure.
IBMpass works for absolutely all TP models. The following ThinkPad models are based on the 24RF08
eeprom and must be accessed only with the 24RF08 programming tools mentioned above:
-240, 240X
-390E, 390X
-570, 570E
-600e, 600X
-770Z
-A20m, A21e, A21m, A22m, A30, A30p, A31, A31p
-G40, G41
-R30, R31, R32, R40, R50, R51
-Transnote, T20, T21, T22, T23, T30, T40, T40p, T41, T41p, T42, T42p, T61
-X20, X21, X22, X23, X24, X30, X31, X32, X40, X41
The newer T43/T43p, R52, T60/T60p, R60, X60/s, Z60 and Z61 series don't use the 24RF08, but more
advanced security chips like the PC8394T-VJG or secure storage chips. PC8394 Tools are needed to
unlock the new models.
Other ThinkPad models such as the 380XD, 600 or 760/765 use 24C01 or 93C46 eeproms, which are
the most ordinary kind and can be read with anything you want. The method is the same as for the
models based on the 24RF08; only the software to dump the eeprom is different.
[New:] For the 24C01, you can use R24C01, a program made specially to read such eeproms
in ThinkPads and now included in the R24RF08 kit. It is based on the library used to
build the 24RF08 software and can be used in the same manner.
2. Locating the eeprom. Soldering.
There is no need to unsolder the 24RF08 eeprom; just solder 3 wires to the SDA, SCL and GND pins
of the eeprom. There are two eeprom layouts (see the interface schematics described below),
corresponding to the 8 pin or 14 pin eeproms. Locate the eeprom first according to your model
(e.g. the T20-23 and T30 have the eeprom underneath, where it can be accessed by removing the RAM
modules cover, with no need to dismantle the laptop) and solder the wires using a soldering iron
with a fine tip. You can use 0.15 - 0.20 mm enamel coated wires or similar small diameter
insulated wires. These wires will be connected later to the interface.
Tip: You can use clips to connect the wires, or you can solder to the PCB traces leading to the
eeprom pins. In most cases the GND wire can be attached to laptop GND elsewhere.
Once again, be careful and double or triple check the soldering if necessary until you are
positively sure you have done the job right.

3. Choose and build the interface.
Since version 2.0, R24RF08 and W24RF08 are compatible with a wide range of eeprom
programmers. By default, both programs set the COM port signals to use direct logic levels to
access the I2C bus. We provide here 2 schematics that are relevant for direct logic signals and for
inverse logic signals (simple-i2cprog.pdf and driven-i2cprog.pdf). Also, depending on the interface
you build, you can invert the logic of the SDA-In, SDA-Out and SCL COM port signals with the
command line parameters described later in this document.
a) The file simple-i2cprog.pdf contains the schematic diagram of a simple interface (known as
SIPROG) based on 2 zeners and 2 resistors. This is a classic, easy to build circuit and works with
soldered or unsoldered eeproms. The purpose of the 2 zeners is to convert RS232 levels
(+/-5~10V) to the TTL ones needed by the eeprom. It uses direct logic signals to the I2C eeprom and
is powered by the COM port. This interface works with in-system eeproms, but it is dependent
on the COM port current and the eeprom bus impedance. R24RF08 works natively with this circuit,
with no need to change the line signals with command line parameters. This circuit works pretty
well with almost all ThinkPad series.
b) The second interface is described in driven-i2cprog.pdf. The circuit uses a MAX232 as an RS232
to TTL driver and its main purpose is to work with soldered eeproms. The advantage of the MAX232
is its TTL outputs, which are more reliable and more powerful when working with soldered,
in-system eeproms (they do not depend on the COM port current). Because of the internal inverters
of the MAX232, the interface responds to an inverse signal logic level. R24RF08 needs the /x, /d, /i
switches to be specified on the command line.
What these switches mean:
/x - invert serial clock, also known as SCL;
/d - invert serial data output, also known as SDA-Out;
/i - invert serial data input, also known as SDA-In.
These can be used in any combination to meet the interface specification.
Note. The two schematic diagrams, simple-i2cprog.pdf and driven-i2cprog.pdf, are
included with the R24RF08/W24RF08 kits.
4. How it works.
Prepare your technician PC by connecting the interface to the COM1 port (don't connect the wires
to the eeprom yet). Turn on the ThinkPad and press F1 to enter BIOS Setup. When you are prompted
for the password and there is no other activity such as HDD access, connect the wires (GND first!,
then SDA, SCL) to the corresponding wires from the interface (already attached to COM1) and
execute R24RF08:
-for the SI-PROG interface (as described in 3.a above):
r24rf08.exe <filename>, where <filename> is the file in which the eeprom content will be stored.
Example: r24rf08 mytp.bin
-for the MAX232 driven I2C interface (as described in 3.b above):
r24rf08.exe <filename> /x /d /i, where /x /d /i are the command line parameters (switches) for
this kind of interface.
Example: r24rf08 mytp2.bin /x /d /i
Use exactly the switches instructed, to avoid possible damage to your eeprom data!
The file should be created in the same folder. Finally, disconnect the wires (GND last!) and turn off
the ThinkPad by pressing the on/off switch.
5. Reveal the password.
Now you have the .bin file, but you need to view the dump in scancode to retrieve the password.
IBMpass Lite is a free tool that does this job. Just open the eeprom dump you created before and
look for the 0x330 and 0x340 lines. The password is located at 0x338 (and 0x340, depending on the
model) in scancode (the AA button must be "ON"). For 24C01 eeproms the password is located at
0x38, 0x40. If the password doesn't work the first time, your eeprom may use one of the newer IBM
encryptions. In this case switch to the alternate scancodes to find it.
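
The lookup described above, as an added example that is not part of the original document or of IBMpass: it pulls the 0x330 row and the two password fields out of a dump and translates them. It assumes the stored codes are standard PC keyboard scan code set 1 and that each field is 8 bytes long; the function names and the sample image are constructed for illustration.

```python
# Added example: inspect the password field of an eeprom dump at the offsets
# named in the text. Assumption: the stored codes are standard PC keyboard
# scan code set 1 make codes; the page only calls them "a special scan code".
SET1 = {}
for first, keys in ((0x02, "1234567890"), (0x10, "qwertyuiop"),
                    (0x1E, "asdfghjkl"), (0x2C, "zxcvbnm")):
    for i, ch in enumerate(keys):
        SET1[first + i] = ch

# Dump size -> password offsets from the text (24RF08: 1024 bytes, 24C01: 128).
LAYOUTS = {1024: (0x338, 0x340), 128: (0x38, 0x40)}
FIELD_LEN = 8  # assumption: a field spans the 8 bytes between the two offsets


def hex_row(dump, offset):
    """Format the 16-byte row containing `offset`, as a hex viewer shows it."""
    base = offset & ~0xF
    return "%04x: %s" % (base, " ".join("%02x" % b for b in dump[base:base + 16]))


def decode_field(raw):
    """Translate key codes until the first 0x00; unmapped bytes stay visible."""
    out = []
    for b in raw:
        if b == 0x00:
            break
        out.append(SET1.get(b, "<%02x>" % b))
    return "".join(out)


def password_fields(dump):
    """Return {offset: decoded text} for the layout that matches the dump size."""
    if len(dump) not in LAYOUTS:
        raise ValueError("unexpected dump size: %d bytes" % len(dump))
    return {off: decode_field(dump[off:off + FIELD_LEN])
            for off in LAYOUTS[len(dump)]}


def sample_dump():
    """Constructed 1024-byte image with the key codes for 'test' in both fields."""
    dump = bytearray(1024)
    for off in LAYOUTS[1024]:
        dump[off:off + 4] = bytes([0x14, 0x12, 0x1F, 0x14])  # t, e, s, t
    return bytes(dump)


if __name__ == "__main__":
    image = sample_dump()
    print(hex_row(image, 0x338))
    print(password_fields(image))
```

A dump whose size matches neither device is rejected instead of being read at the wrong offsets, and a byte with no entry in the table is shown as hex instead of being dropped.
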
For some old models like the 570 or 770Z you need to execute the eeprom patcher first. This will
reset the read protection on the password offset. To do that, just execute patcher.exe before the
reading operation, without rebooting the laptop: