Recovering a password-protected ThinkPad T60 (ounapuu.ee)
129 points by hddherman on Oct 15, 2022 | 69 comments



I was in my second year of University and really needed a computer for my studies. My last machine had been an Amiga A1200, which I adored, but sadly it was going to be too much work to get it into a useful state for studies. I bought my first PC - a Thinkpad T40 brand new. I was intrigued by the 'embedded security subsystem'. Back then things like this seemed cool and exciting to me. I set a password, excited that I could lock the system at such a low level. It rebooted, I typed in the password, and it beeped an error at me. I typed it in again, and got another beep. I remember starting to sweat. Third time it worked. I must have typo'd something, so I immediately unset it and never did that again.


Older laptops tend to have all sorts of hacks, master passwords and whatnot, because they realized these scenarios happen and with physical access and enough time it's generally game over anyway.

I wish this were possible with current-day phones. I've had multiple instances of a friend or relative either buying or getting handed an older iPhone, and if the previous owner did the responsible thing of resetting the phone beforehand, it will refuse to get past initial setup without a stable wifi connection and the previous owner's iCloud credentials. Tracking down the previous owner and getting them to change their password or disable the "find my" feature for this one-time operation is harder than you'd think, especially if it was passed down through multiple hands or the account is from a different person (and the original owner was never aware). In some of these instances we've had no choice but to throw the brick away.


It's not a complete brick; if you give up iCloud and all associated Apple services, you can get a root shell (assuming checkra1n is unpatched on your device & iOS version) and delete the locks and end up with a phone that works fine if you can get an alternative app store on it (which you can if you're able to get a root shell in the first place)[0][1]

[0] https://github.com/FlymeDllVa/iCloud-bypass-via-USB

[1] https://github.com/Toni-d-e-v/Aurora-Icloud-bypass


Would this work when the USB accessory lock is enabled?


It looks like checkra1n is more limited in that case[0][1] so I'm not sure if there are any workarounds that can get you the whole way. I would ask in their bugtracker: https://github.com/checkra1n/BugTracker

[0] https://blog.elcomsoft.com/2020/05/iphone-usb-restricted-mod...

[1] https://blog.elcomsoft.com/2020/07/checkra1n-usb-restriction...


It does make iPhones a far less attractive target for theft, though. Much harder to resell a locked device.


No idea why you get downvoted because that’s the reason it is set up the way it is.


Not really. It can be sold for parts. If someone can grab one, he will.


Hence the serializing of individual parts on the iPhones nowadays. If you take your iPhone to a store that sources stolen parts, the phone will flag it.

It obviously doesn't stop the supply chain of stolen parts but it makes it so legitimate consumers will ask questions and legitimate stores will be less likely to buy stolen phones for parts.


It's interesting that the ostensible reason for serializing the parts is of great benefit to Apple by basically killing off second-hand parts and third-party repair shops, much like its ostensible privacy-related reasons for locking down ads in the App Store have massively enhanced its own Ads business while crushing its competitors.

In this case, Apple has forcibly become the gatekeeper for all parts, both used and new, and has plausible reasons for why this is good for the customer. It's really quite brilliant.


Agreed. I don't think the primary reason is the safety and security of the customer.


It's about weighing the needs of people who break their screens vs the needs of people who don't want to be violently deprived of their property.

Frankly, I'm fine spending an extra $50 if I break something vs depriving the market of stolen iPhones. Like everything, there are costs and benefits.


Lowers the value proposition though


I don't consider the increase in e-waste resulting from it to be a worthwhile trade-off.


The responsible thing is for the owner to log out of iCloud before selling the device or giving it away. Google Android works the same way AIUI: if your device is logged into Google and you reset from recovery or bootloader, you'll need to input these credentials due to FRP.


Extremely few people are even aware this is a thing, let alone know how to reset a phone in a way that won't essentially brick the device. I'm not too familiar with how google does it, but considering the average android device is easier to unlock while retaining full functionality, and I've managed to help someone bypass it by setting up a captive portal, I've had less issues with it than with iphones.


That's a feature, not a bug https://techcrunch.com/2015/02/11/apples-activation-lock-lea...

The tradeoff is very reasonable: People need to actively engage in the process of relinquishing control over a device that's essentially become an extension of the mind


When said "extension of the mind" is wiped, there's nothing left to lose but monetary value. I agree this was an anti-theft tactic, but in my opinion it does more harm than good given the amount of people that will forget their credentials, throw/give it away without decoupling it, servers that will shut down in the long run (rendering the devices inoperable), etc.


Even if it's wiped?


The idea is that ownership needs to be transferred in a structured and conscious way. A factory reset is not an ownership transfer and Apple are not keeping those operations separate.

These are expensive devices and theft happens.


A reasonable solution would be to have a "Do you want to disassociate this phone from your iCloud account?" prompt as part of the factory reset.


I thought this was the case already?


On the Samsung J5 2017 you need to delete the Google accounts before resetting. I haven't tested FRP on anything newer.


It is. iOS prompts to remove the Find My setting (iCloud Lock) when you use the Erase everything prompt. Requires entering your Apple ID password.


This already happens.


For a number of years I used to buy BIOS-locked ThinkPads off eBay for a pittance, do this and sell them again as working. Made a small fortune. Most of them were from ex-corps who just pulled the disks out and the disposal company didn't know how to do it.

Eventually my wife got fed up with boxes of bits of laptops everywhere.


So you unlocked your wife too? :p

I'm still wondering if it would be profitable today.


Triggered yes. Unlocked no.

Probably not. Post covid, the laptop glut is huge and prices have declined to negligible.


What model was easiest for you?

It would be nice to have a cheap Linux laptop to play around in a Linux desktop environment.


Anything T470 and before was good IMHO. That excludes the T440 where they screwed up the touchpad arrangement.

I use exclusively Apple M1 kit now and keep Linux in the cloud. I honestly can’t go back to a ThinkPad now.


I was thinking of using it as a way to force focus, and not care if anything happens to it. Lugging around a mbp 16-inch is a bit heavy sometimes.


MacBook Air plus insurance :)


Fun, years ago I bought a T60 and I locked it by accident only to spend the night trying to fix it. I used the same method described here and I actually remember this page http://www.ja.axxs.net/t60_t60p.htm

I had a post on Reddit about it and people kept finding it years later. I would receive a message every once in a while about it, until they stopped completely.


Am I correct in saying that, at least from the photos, this post and the article are shorting different pins?


That’s correct.

This SuperUser answer explains it as well: https://superuser.com/a/1633143


I'm using a T60 right now. Love the keyboard feel, I enjoy a 4:3 resolution too.

Can anyone recommend a newer laptop with a nice keyboard? I find all new laptops keyboards feel like a flat piece of plastic.


The ASUS Zephyrus series (I'm on a 2022 G14) are fantastic if you can get past the mild gamer aesthetic. Great magnesium build. Lots of keyboard travel. Tons of ports (USB-A, HDMI, etc.). Touchpad works great on Linux, but wake from suspend results in a mild bork on the current kernel (fans won't turn on at all, speaker amplifier stays shut off so audio is very quiet). Patches resolving this are available [1] and will likely be mainlined in 6.1 [2]. Performance from the AMD CPU/GPU and Micron SSD is bonkers awesome. You can get around 10 hours of use on Linux with conservative backlight settings and disabling the discrete GPU. To top it off, many components are easily replaced. I just upgraded the memory in mine from 16GB to 40GB (there is a socketed SODIMM plus 8GB of soldered-on memory, so I replaced the 8GB SODIMM).

The m.2 NVME drive is also upgradeable, as is the wireless card. My only real complaint is that the display suffers from backlight bleed along the edges in my unit. That said, the display is also pretty dang great: anti-glare coated, high-refresh, bright, and color accurate.

[1] https://asus-linux.org/ [2] https://www.phoronix.com/news/ASUS-ROG-More-With-Linux-6.1


Yeah, after years of stagnation, the offers for x86 laptops are finally amazing and I expect them to get even better next year with mobile Ryzen 7000 and RDNA 3 APUs moving to 5nm, and who knows, maybe mobile 13th Gen Intel and RTX 4000 could also be good.

My current 13" Ryzen 5800 laptop is no slouch but its Vega iGPU is a bit too long in the tooth for any kind of games, screen could be brighter and battery life could be better. I'm very excited for a laptop upgrade next year.


Does the gpu have a physical mux though?

I usually don’t even consider laptops with dedicated nvidia graphics because dealing with nvidia drivers is more hassle than gain (I don’t do anything gpu-intensive and the intel gpu is enough for me).

A physical mux means you can effectively shut down the dedicated graphics but still drive outputs with the intel embedded gpu. And save battery.

Can that laptop do that?


The laptop I have does have a "MUX switch" but is controlled in software. As far as I understand, the benefits of the MUX switch are primarily to graphics performance when working with the discrete GPU. At any rate, my laptop (G14 2022) is all AMD and I haven't had any trouble with the amdgpu drivers on recent Linux kernels.


The MNT Reform 2 has a mechanical keyboard with a nice feel (and it's using off-the-shelf switches so you can replace them if you'd prefer), but it has a weird layout.

The most recent laptops with an actual nice Thinkpad keyboard were X220 or T420, everything after that is chiclets.


> The most recent laptops with an actual nice Thinkpad keyboard were X220 or T420, everything after that is chiclets.

I agree that the Sandy Bridge era (2011) ThinkPads were the last to have a proper 7 row keyboard layout, but there's slightly more to it.

ThinkPad keyboards are made by a variety of OEMs. For the 2011 models, the manufacturers were NMB, Chicony and Alps. The consensus within the ThinkPad enthusiast community is that keyboards from NMB offered the best typing feel, followed by Chicony and finally Alps.

You can tell if you have a NMB keyboard by carefully prising off one of the keycaps: if you see a red rubber dome, it's a NMB keyboard. (grey = Chicony; white = Alps). Each keyboard manufacturer has a unique part number (FRU - field replaceable unit in the IBM/Lenovo parlance). Online sellers often mix and match FRUs, so it can't be relied upon to get the NMB keyboard - you need to ask the seller what colour the domes are. The NMB keyboards are sadly becoming more rare and expensive by the day.

FWIW, chiclet machines often had better feel than the 7-row predecessors. E.g. T440p with non-backlit keyboard. This is due to improvements in chassis design - the T440p's magnesium alloy rollcage was solid underneath the keyboard, resulting in zero keyboard flex.


Agreed. Of course the *40 series had a unique feature of getting security and infra architect consultants to slam them repeatedly on the office desks in clients' offices, due to their special and innovative combined top trackpad / trackpoint buttons :D

(I hear ThinkPad is trying that abomination again, which means my T25 may have to live another 5 years)


The trackpad is horrible on the *40 series! It can be swapped for the one from the next generation, though.


Your T25 will end up like mine, with a cracked case because of poor design.


Possibly; I did drop it from large height onto hard floor once, and ever so slightly cracked a corner. A little black sugru fixed it up like new. It survived 3 years of weekly travels before covid otherwise, and several years of young kids since, so I'm hopeful that case won't be a problem.


There is a structural issue with the right side hinge, it's mounted in plastic.


You can also mod an X230 or a T430 with a xx20 keyboard, which is worth it as the CPU/GPU and USB ports are all a decent upgrade. You need to flash the embedded controller though, to remap the keys - also worth it, to use a third-party battery. The process is not too difficult, you just need to compile the stuff, make a bootable flash drive, and boot from it - no soldering etc.

https://github.com/hamishcoleman/thinkpad-ec


I think some people are doing mobo swaps (a tiny Chinese group called something 51) so you can keep the T60 shell and have a gen 10 Core i5 or similar.


51nb is the site


The Thinkpads retain good feel until the *30 series. They are 'chiclet', but having had a T40, T60p and X230, I am confident the X230 has the best feel and same travel. The depth of travel continued to the T450 and T450s, but the feel dropped off by then.

There is a gaming laptop with mechanical keys also.


A related question: I very much enjoy the keyboard of my T550 and would like to have some similar USB or wireless Keyboard with German layout, numpad and backlight for my PC as well. Lenovo does not offer anything that matches all these criteria. Any recommendations from other brands?


I got "lucky" with a T60 I bought for €25 last year - only the HD was password-locked (I think there are up to 3 levels of password security possible on the T60), so I solved the problem by replacing the HD with a (higher-capacity) spare I had lying around.


It's cool how shorting pins seems to be a common hack for accessing devices. The way to jailbreak the Nintendo Switch also involves shorting the pins that connect the main device to the detachable controllers.


I believe in the case of the Nintendo Switch, it's an intentional feature to enter a special boot mode, whereas here, it kinda looks like it might be a trick rendering some kind of memory unreadable.


Those of you from an even earlier era might remember "lkwpeter" and "alfarome". An era of relative freedom, when security was still only for "keeping honest people honest"...


Haha, I remembered these, too... here are some more: https://gist.github.com/Yousha/b6ed8edf8961f028140a563718ea9...


Nice writeup. It's brought back memories of resetting bios boot passwords on even earlier laptops by shorting out two of the parallel port pins with (iirc) the right value of resistor.


> "...These laptops are classics, but they are really starting to show their age. I’ve even encountered issues like the WiFi chip causing lots of trouble, with the connection being very spotty and borderline unusable."

Is that really the case, and is there a reason for WiFi chip degradation?


A friend of mine has found a fun way to bypass the BIOS password of ThinkPads. With some trial and error, you short some pins on the BIOS EEPROM at the right time so it will read all 0xFFs. It just happens that all 0xFFs means the BIOS password is not set.


You mean like in this very article? ;)


Yeah, exactly like this. He showed me the hexdump of the EEPROM for an empty password, where the space for the password was all 0xFFs.

Had an empty password been any other value, such as 0x00, this trick would not work.
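A worked illustration of the point made in this exchange, added here as an example and not code from the article or from either commenter. A check in which an all-0xFF field (the erased or unread state of an EEPROM cell) means "no password" is fail-open: a glitched read that returns 0xFF clears the lock. The alternative below encodes "no password" as an explicit, checksummed record, so an all-0xFF read is classified as "invalid, stay locked". The record offset, field length, flag values and use of CRC32 are assumptions for illustration; the thread does not document the real T60 EEPROM layout, and plaintext storage of the password itself is a separate concern this example does not address.

```python
"""Fail-open vs fail-closed encoding of 'no BIOS password' in an EEPROM dump.

Added example, not the article's or the commenters' code.  Offsets, flag
bytes and record layout are assumptions chosen for illustration only.
"""
from __future__ import annotations

import zlib
from enum import Enum

ERASED = 0xFF                       # value an erased or unread EEPROM cell returns
PW_LEN = 16                         # assumed length of the password field
REC_OFFSET = 0x38                   # assumed offset of the record inside the dump
FLAG_SET, FLAG_CLEAR = 0x5A, 0xA5   # assumed explicit marker bytes
HARD_REC_LEN = 1 + PW_LEN + 4       # flag + password + CRC32


class State(Enum):
    NO_PASSWORD = "no password"
    PASSWORD_SET = "password set"
    INVALID = "invalid record (treat as locked)"


def glitched_read(n: int) -> bytes:
    """Simulate the shorted-pin read the thread describes: every byte reads 0xFF."""
    return bytes([ERASED]) * n


def make_dump(record: bytes, size: int = 256) -> bytes:
    """Constructed EEPROM image: erased (0xFF) everywhere except the record."""
    if REC_OFFSET + len(record) > size:
        raise ValueError("record does not fit in the dump")
    tail = size - REC_OFFSET - len(record)
    return glitched_read(REC_OFFSET) + record + glitched_read(tail)


def legacy_password_set(dump: bytes) -> bool:
    """Design the thread describes: an all-0xFF field means 'no password'.

    Because the erased state and the glitched-read state are the same
    bytes, a shorted read unlocks the machine (fail-open).
    """
    field = dump[REC_OFFSET:REC_OFFSET + PW_LEN]
    if len(field) != PW_LEN:
        raise ValueError("dump too short for assumed layout")
    return any(b != ERASED for b in field)


def hardened_record(password: bytes | None) -> bytes:
    """Build a record in which 'no password' is an explicit, checksummed state."""
    if password is None:
        body = bytes([FLAG_CLEAR]) + bytes(PW_LEN)
    else:
        if not 1 <= len(password) <= PW_LEN:
            raise ValueError("password length out of range")
        body = bytes([FLAG_SET]) + password.ljust(PW_LEN, b"\x00")
    return body + zlib.crc32(body).to_bytes(4, "little")


def hardened_state(dump: bytes) -> State:
    """Fail-closed: only a valid explicit CLEAR record lifts the lock.

    An all-0xFF read has flag 0xFF and a CRC that does not match, so it
    lands in INVALID rather than NO_PASSWORD.
    """
    rec = dump[REC_OFFSET:REC_OFFSET + HARD_REC_LEN]
    if len(rec) != HARD_REC_LEN:
        return State.INVALID
    body, stored_crc = rec[:-4], int.from_bytes(rec[-4:], "little")
    if zlib.crc32(body) != stored_crc:
        return State.INVALID
    if body[0] == FLAG_CLEAR:
        return State.NO_PASSWORD
    if body[0] == FLAG_SET:
        return State.PASSWORD_SET
    return State.INVALID


if __name__ == "__main__":
    legacy = make_dump(b"secret".ljust(PW_LEN, b"\xff"))
    print("legacy, real read :", legacy_password_set(legacy))
    print("legacy, 0xFF read :", legacy_password_set(glitched_read(256)))
    print("hardened, real read:", hardened_state(make_dump(hardened_record(b"secret"))))
    print("hardened, 0xFF read:", hardened_state(glitched_read(256)))
```

The fail-closed variant only changes what an unexpected read means. It does not stop someone who can rewrite the EEPROM from writing a valid CLEAR record, so it raises the bar from "short two pins at the right moment" to "reprogram the chip", and no further.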


Oh man this is great, I have a W701DS that's not much newer than this, gonna try!


How would one have figured this out? I assume only because it's documented in a service manual? Would this be within the BIOS if one disassembled the code?


What is a robust business-grade solution to BIOS passwords? I didn't write enterprise-grade because we have dozens of PCs, not thousands or tens of thousands. Open-source-friendly solutions preferred. We use only Linux, no Windows.


What exactly do you mean by "solution"? To reset them?


Set them in a managed way.

We use a password generator, but it happens that some machines cannot be unlocked. We don't assume malice, but the biggest error source is probably a data entry error when setting it. You cannot see what you type, and in real life it has happened that obviously the same typo was made twice, but later we have not been able to guess what it was.


Intel AMT / vPro perhaps?


We have considered that. Not really convincing given the security track record of Intel ME. But of course if you run Intel you cannot avoid it anyway, so whether having it idling or using it actively makes a huge difference who knows.



