
A ThinkPad supervisor password crack - BuuQu9hu
http://xiphmont.livejournal.com/70560.html
======
userbinator
_DISCLAIMER: Any discussion of how to crack security on even vintage machines
is banned on most ThinkPad forums. So much as mentioning this page can get you
banned in some places._

IBM/Lenovo also says the only way to "recover" from a lost password is a new
motherboard. Meanwhile everyone else has figured it out. Great example of
security theater.

~~~
satysin
If Lenovo were serious about security they would _encourage_ such discussion
and exploration to improve their product. Of course this is Lenovo we are
talking about, the company that thought Superfish would be a super idea!

~~~
userbinator
On the other hand, as evidenced by a few other comments here, there are
probably quite a few who don't want the security "improved" Apple-style, to
the point that losing the password really means it's impossible to recover
from.

Note that this password only allows access to BIOS and being able to boot; if
the HDD also has a password and/or is encrypted, this doesn't really affect
security of data.

~~~
satysin
That is the trade-off though. If you want a secure device you need to accept
the risk that if you forget the passphrase you are fucked. A false sense of
security isn't a good thing.

------
frozenice
That reminds me of a trick I discovered nearly 10 years ago on an Acer to
reset the BIOS Password from Windows.

There was this eSettings.exe which let you change some BIOS Settings from
Windows, including the password. Of course it first asked for the old password
and showed a prompt, denying the request if it was wrong.

I fired up good old OllyDbg and traced the prompt in the ASM code. I changed
only one bit IIRC (jne to je, or similar), saved the .exe and tried my luck.

It let me through the prompt and I entered the new password. Amazingly the
BIOS gladly accepted it!

I didn't bother to find out what functions it exactly called to set the new
password to write a small tool, because I already had one. ;)

I wonder if this still works... If not with an Acer, maybe with some other
make?

~~~
rincebrain
I haven't tried this on anything newer than Sandy Bridge, but yes.

I've never seen a BIOS that actually had anything but application-level
password check for the calls from OS mode to rewrite the BIOS passwords or
settings. No idea whether you can leverage TPMs or some of the enterprise
trusting features to change that, though.

------
new299
It's great that they've never fixed this, as I regularly pick up old Thinkpads
super-cheap because they have supervisor passwords.

But I've always been a bit confused as to why they've never fixed (or at least
tried to fix) this issue.

~~~
jstanley
Even if you can't bypass the password by shorting these pins, you could just
replace the entire EEPROM with one that has a known password.

I don't think it's a serious enough security feature to be worth trying to
defend against physical access.

~~~
new299
Right, but I'm still surprised they've not at least implemented "if can't read
EEPROM at boot disable EEPROM writes".

With the architecture used, they're never going to be too robust to physical
access. Overall, an EEPROM reset button on the motherboard would be best, and just
admit there's no real security against physical access here.

------
justinsaccount
Really more of a bypass than a crack, but good to know.

I have a t420 that has the supervisor password enabled. The only thing it
prevented me from doing was enabling virtualization on the cpu, but docker has
mostly replaced vagrant for me so I haven't minded.

------
gima
> "I'm telling you to use different pins than ~all the other instructions on
> the web."

_sigh_ Please, please, provide reasons along with your arguments. Simply
stating something doesn't help, especially when there is contradicting
information floating around.

~~~
gima
[continued..] You can't generalize, but you can assume. Quite likely many
Thinkpads use the same piece of code to handle firmware password-checking.
Once the code is changed, it'll likely propagate (slowly) inside the company
to all of the new (or firmware-updated) laptops.

That being said, it's likely the firmware's failsafe-mechanism kicking in when
it cannot access the memory chip that stores the password (because access to
the chip is hindered).

Yet utilizing the "WP" (write protect) pin on the memory chip ought to do
nothing in my opinion - unless the firmware tries to store something to the
memory at boot time (which is entirely possible). On the other hand, forcing
the clock or data pins to ground - in effect disallowing any signalling via them -
should be a sure-fire way to force the firmware to trigger its failsafe
mechanism.

~~~
xiphmont
I'm not using the WP pin, I'm using the PROT pin. It forces the EEPROM to
behave differently, because it signals it does not have a good power state.
The EEPROM can be 'read', but the data it hands back is different. You can go
read the spec sheets for the EEPROMs in question. You have the part numbers.

But I was more interested in the end-to-end test, as I expected others reading
would also be:

SCL to SDA (the usual instructions given elsewhere) only works on some models.

PROT to GND appears to work on all. In my collection of ~30 machines, it
works on all the models SCL to SDA does, as well as all the models SCL to SDA
does not.

PROT to GND was the original hack as discovered around the time of the T20.

~~~
gima
Ahh, my mistake. WP != PROT. Utilizing the PROT pin appears to force the memory
chip's internal read & write protection flags active, causing read and write
operations to fail (unless I understood incorrectly). This kind of information
could be beneficial to others if it's correct: you could add it to your post?

Source:
[http://cache.nxp.com/documents/data_sheet/PCA24S08.pdf](http://cache.nxp.com/documents/data_sheet/PCA24S08.pdf)
(Section 6.4 Access Protection)

------
mkj
Good to see nothing changes. Many years ago I found I could bypass a 760EL
password by copying the boot sector from an IBM util floppy disk to any boot
disk.