There is a lot of information on the web about reading the I2C EEPROMs and reading the scancodes using a program called IBMPass. I managed to read the EEPROM (first using an Arduino Nano, and then using a simple RS232 I2C reader). Alas IBMPass would not provide the correct translations for the scan codes.
While messing around I found another solution to the problem: Basically tricking the BIOS into thinking it has no supervisor password and then resetting it.
- For the first attempt I soldered two leads on to the EEPROM (pins 5 & 6). (For the second machine I just used a scalpel to short the two pins).
- Boot the machine and press F1. Immediately short the two pins and hold them for a few seconds.
- The machine will appear to hang while you do this (trying to read the data from the EEPROM and failing). This step should clear the 'user' portion of the password and you should now be able to enter the BIOS (however the Supervisor password is still set).
- On rebooting and pressing F1 for BIOS and just press 'enter' e.g. blank password and you should be into the BIOS but with the Supervisor Password still set.
- Power off the machine and reboot with the pins shorted. Release the pins and machine should complain it can't read the EEID data or somesuch
- If the machine seems to hang release the short to proceed to the next step, then reshort the pins. You should be able to get to a point where you have complete access to the security menu (except you still don't know the supervisor password to remove it). Here is the clever bit:-
- Select the supervisor password from the menu with the pins shorted. The BIOS setup assumes the password is blank and asks for a new password. Release the short.
- Enter a blank password twice and press F10 to save.
The supervisor password is gone!
If you found this useful please consider buying me a beer with a small donation using the PayPal button on the right. Many Thanks.