kinggeek.co.uk
  • You are here:  
  • Home
  • Tech Notes
  • Reset / Clear the supervisor password on a Lenovo Thinkpad R61i (and many other Thinkpad models) - (at your own risk)
Sunday, 22 December 2013 00:00

Reset / Clear the supervisor password on a Lenovo Thinkpad R61i (and many other Thinkpad models) - (at your own risk)

Use this the following your own risk!

 

I recently had two Lenovo ThinkPad R61i come my way with the supervisor passwords set.
After trying a tonne of stuff on the web I finally stumbled across a solution.

There is a lot of information on the web about reading the I2C EEPROMs and reading the scancodes using a program called IBMPass. I managed to read the EEPROM (first using an Arduino Nano, and then using a simple RS232 I2C reader). Alas IBMPass would not provide the correct translations for the scan codes.

While messing around I found another solution to the problem: Basically tricking the BIOS into thinking it has no supervisor password and then resetting it.

 

 

  1. For the first attempt I soldered two leads on to the EEPROM (pins 5 & 6). (For the second machine I just used a scalpel to short the two pins).
  2. Boot the machine and press F1. Immediately short the two pins and hold them for a few seconds.
  3. The machine will appear to hang while you do this (trying to read the data from the EEPROM and failing). This step should clear the 'user' portion of the password and you should now be able to enter the BIOS (however the Supervisor password is still set).
  4. On rebooting and pressing F1 for BIOS and just press 'enter' e.g. blank password and you should be into the BIOS but with the Supervisor Password still set.
  5. Power off the machine and reboot with the pins shorted. Release the pins and machine should complain it can't read the EEID data or somesuch
  6. If the machine seems to hang release the short to proceed to the next step, then reshort the pins. You should be able to get to a point where you have complete access to the security menu (except you still don't know the supervisor password to remove it). Here is the clever bit:-
  7. Select the supervisor password from the menu with the pins shorted. The BIOS setup assumes the password is blank and asks for a new password. Release the short.
  8. Enter a blank password twice and press F10 to save.

 

The supervisor password is gone!

If you found this useful please consider buying me a beer with a small donation using the PayPal button on the right. Many Thanks.

Matt.

Last modified on Sunday, 16 October 2016 18:36
More in this category: « Automatically cleaning a CISS equipt (with an external waste ink kit) Epson Stylus Photo 1400 once a week (via a cronjob) Generate a self signed 2048 bit SSL certificate for apache »

44 comments

  • Comment Link stanley Wednesday, 26 March 2014 19:15 posted by stanley

    Hi!
    I have similar problem with my t60. Could you tell me what atmel (number) does r61i have? Or what pins are you shortening? HELP MEEEE

    Report
  • Comment Link Matthew Smith Wednesday, 26 March 2014 19:42 posted by Matthew Smith

    Hi,

    I'm sorry by I can't remember what the particular chip was. I think it was a P24S08 which is equivalent to a 24RF08, I believe it's the clock and data lines I'm shorting so it can't be read. It's a sort of timing attack.

    http://www.ja.axxs.net/r61_r61i.htm

    Report
  • Comment Link Ben Stanley Tuesday, 08 April 2014 08:05 posted by Ben Stanley

    This procedure worked for me for an R61. I was able to remove a supervisor password using this procedure. I had previously removed a power on password (POP) using a procedure from http://www.ja.axxs.net/ . This procedure got me out of having to buy a KeyMaker to remove the SVP!

    Report
  • Comment Link Dawood Friday, 09 May 2014 07:19 posted by Dawood

    Can this procedure help in clearing poweron password for Lenovo ?

    Report
  • Comment Link Matt Smith Tuesday, 20 May 2014 21:06 posted by Matt Smith

    Too generic a question I'm afraid.

    Report
  • Comment Link J Wednesday, 11 June 2014 12:31 posted by J

    This procedure worked for x61s.

    Report
  • Comment Link david Sunday, 19 October 2014 13:10 posted by david

    Good Afternoon. after purchasing a used r61i i tried changing the boot order and discovered the SPV password was set. i used your suggestions and was able to reset it successfully. many thanks
    Best regards

    Report
  • Comment Link Oscar Thursday, 30 October 2014 06:21 posted by Oscar

    Confirming it works with a Lenovo E420. I had to locate the chip: it was called PS08A. I have no words to thank you properly sir, I owe you my life.

    Report
  • Comment Link alex Wednesday, 18 February 2015 13:31 posted by alex

    Thank you! It works perfectly on R61 machine (15,4 inch wide screen, intel graphics). The whole procedure was rather simple. The EEPROM chip was under left side of the keyboard (http://wallyoz.smugmug.com/photos/i-Df9v3cF/0/XL/i-Df9v3cF-XL.jpg). Thanks to http://www.ja.axxs.net/

    Report
  • Comment Link Ray Tuesday, 31 March 2015 17:20 posted by Ray

    Thank you for sharing.

    This works on a Lenovo T61.

    I was about to give up after trying the method elsewhere on the internet, relating to reading the password from the 24rf08 eeprom chip.
    I read the 1024 bytes of eeprom data, but the password at 0x338 was garbage. un-typeable.
    It turns out that if the TPM security chip is turned on, you cannot read the password from the eeprom.

    Your method of shorting out the SCL and SDA, (pins 5&6) on the 24RF08 chip worked like a charm.

    Job done in less than 5 minutes, after faffing about with serial ports and terminal software for hours.

    Thank you

    Report
  • Comment Link Tom Oliver Friday, 10 July 2015 22:34 posted by Tom Oliver

    Worked first go on my S230U twist ThinkPad. Thank you. Saved me paying some bloke in Australia 100 dollars for a kit. 10/10

    Report
  • Comment Link Shakil Shaikh Monday, 10 August 2015 16:24 posted by Shakil Shaikh

    I confirm that I have removed Supervisor passwords using your method on Lenovo T500. You did a remarkable discovery. I really appreciate it. I removed T510 passwords using your method as well whereas a bit different methods as follows:
    For Lenovo T510:

    1. Keep the pins shorted once from getting into BIOS till you are in menu of changing supervisor password, i.e security -> Passwords -> Supervisior Password and this time it will not ask for old password, will give you only new password option, hit Enter twice then release pins and hit F10 save and you are done, Supervisor password is gone.

    For T500 and T510, EEPROM are at the bottom side of motherboards, i had to take motherboard out, Parts connected at that time was CPU FAN with heat sink on CPU, Screen cable, Keyboard, RS232 BIOS (Yellow) Battery and Adaptor power cable, it was hard to manage but you can do it.

    Thanks a million.

    Report
  • Comment Link felix Monday, 07 September 2015 15:06 posted by felix

    i was able to reset the supervisor password using the procedure above for lenovo thinkpad r61,the procedure was as above,except that for me i booted the machine with the pins already shorted,pressed f1 twice ,and there it booted into bios menu,am based in uganda,and no technician in our capital city has this knowledge,i was contemplating shipping it to joe in australia,thank u so much,

    Report
  • Comment Link greg Saturday, 17 October 2015 02:20 posted by greg

    I have a R61 which uses a SST25VF016B chip instead. The pin description is:
    6 Clock
    5 (SI) Serial Data Input To transfer commands, addresses, or data serially into the device.
    Inputs are latched on the rising edge of the serial clock.
    2 (SO) Serial Data Output To transfer data serially out of the device.
    Data is shifted out on the falling edge of the serial clock.

    While for the atmel :
    2 (L2) Coil Connection
    5 (SDA) Serial Data,Open Drain I/O
    6 (SCL) Serial Clock Input

    In your step (7), to make the BIOS setup assume the password is blank, please tell me, do I just short pins 5&6 as you do or must I short pins 5,6&2? Thank you.

    Report
  • Comment Link greg Saturday, 17 October 2015 02:36 posted by greg

    I should have added, the third possibility to have a similar effect to yours with the atmel chip is to short pins 6&2?

    Report
  • Comment Link Matt Smith Sunday, 18 October 2015 18:26 posted by Matt Smith

    greg - I would have thought 5&6 would do it. Not at all sure though. Avoid the VCC pin and you'll probably won't brick it whether it works or not.

    Matt

    Report
  • Comment Link Richard Tuesday, 03 November 2015 16:56 posted by Richard

    Hi,
    It does not work for my T61. I've tried to find the NXP P24S08 on my motherboard and short the pin 5 and pin6, and then switched on, then pressed F1. It did show some error on the screen, but suddenly the "LOCK" icon show up!

    How can I solve the problme?! Thanks for your sharing!

    Report
  • Comment Link Ben Wednesday, 02 December 2015 22:58 posted by Ben

    It worked on T400, many thanks lads

    Report
  • Comment Link ClawFinger Wednesday, 24 February 2016 10:12 posted by ClawFinger

    Thank you a lot! This rescued me really!!! Thought that with cmos reset superviser pass will go, but it locked (password ask even on logon!!!) Everyone to notice: every word in head post is true! Try to read carefully and do as told. The main recipe is to short pins a little longer after F1 pressed while BIOS trying to read the pass from chip, and short pins for a sec when going to change superviser pass - if do right you will see not 3 lines (old and 2 new passes) but only 2 lines with new pass entry!!!

    Report
  • Comment Link Tom Saturday, 26 March 2016 13:18 posted by Tom

    I can confirm it worked too for x201. Location of EPROM is the same as for x201 Tablet. Thank you so much for sharing :-)

    Report
  • Comment Link Anders Monday, 28 March 2016 20:09 posted by Anders

    Confirmed working on a T40 with the 24RF08 chip. Had to fiddle a bit with the timing of the first short, so for those who are having problems, keep it up.

    Report
  • Comment Link Roocky Sunday, 24 April 2016 18:49 posted by Roocky

    Gracias Amigo...tu fue grande tu ayuda.

    Report
  • Comment Link michael Friday, 29 April 2016 04:37 posted by michael

    The process worked well on a t410

    Thank you!

    Report
  • Comment Link Guido Friday, 13 May 2016 19:50 posted by Guido

    unbelivable.............. i f*** around the whole day with the serial interface from allservice and got my dump file... used ibmpass and had where the password should be a few weired letters encrypted i guess.......... then i found this here no hardware no nothing just a skalpel to bridge and bamm dude u rock it worked now i get get the 15 TPs back in service i owe u big time !!!!!!!

    Report
  • Comment Link faisal alhattami Wednesday, 29 June 2016 01:40 posted by faisal alhattami

    Two closed code BIOS Lenovo t510

    Report
  • Comment Link Faizy Sunday, 17 July 2016 21:34 posted by Faizy

    Bullshit

    Report
  • Comment Link Matt Smith Saturday, 23 July 2016 14:36 posted by Matt Smith

    @Faizy

    If you say so.

    Report
  • Comment Link laurent Sunday, 07 August 2016 16:25 posted by laurent

    works on a ThinkPad X201. Thank you very much for this solution

    Report
  • Comment Link John Wednesday, 14 September 2016 14:02 posted by John

    After taking the CMOS-battery out in order to delete the SVP I had the same problem. I tried it as you said, set a new pw but nevertheless it does not work. When I restart after having set a new pw and saving it, the machine boots by showing some errors (e.g. time and date error) than it shows the SVP screen but accepts just enter and lets me into bios. But after waiting a few minutes and rebooting it is like before and does not accept enter or my new set pw... What should I do? ://

    Report
  • Comment Link John Wednesday, 14 September 2016 19:34 posted by John

    I got this SVP problem after buying a second hand TP W510 and releasing the CMOS-battery. Since then it asks for the SVP. I tried your trick and successfully removed the SVP, set a new one and booted without problems - for 2 or 3 times (everytime he asked for the SVP, although I disabled it after setting it new, but just pressing "enter" was sufficient). After waiting for a few minutes and trying it again, it didn't accept neither "enter" nor the new SVP I had set before. So to cut it short, it does not last with my model. Any new ideas? Besides it shows permanently the data and time error and several other ones.

    Report
  • Comment Link David Tuesday, 20 September 2016 14:50 posted by David

    Hi guys, I have a damn Lenovo ideapad G780 laptop with supervisor password, I bought it and everything is password protected, BIOS, HDD I can't change boot order there is nothing when I push the button laptop is totally unusable, I tried everything but nothing works, I just threw away my bucks :( can you tell me if this method will work and where is the proper chip on motherboard ? I watold by lenovo that there are two chips BIOs and EEPROM and only way to unlock is to send it somewhere to china or throw it away. can you help please ??? thanks

    Report
  • Comment Link Riku Tuesday, 27 September 2016 19:52 posted by Riku

    Thanks man. I have about 25-30 T410 and T420 with SVP. First really well written instructions I've found. TY!

    Report
  • Comment Link Nik Wednesday, 05 October 2016 11:49 posted by Nik

    Hey Guys, im not so good with these terms in english - with short the pins, do you mean connect them (pin 5&6) with f.e. a screwdriver or to connect each pin to the GND? I dont want to mess it up :)

    Thanks in advance

    Report
  • Comment Link Nik Friday, 07 October 2016 16:40 posted by Nik

    Nevermind, I just tapped it with a screwdriver (first some tape all around those pins) and it worked! thanks!

    Report
  • Comment Link Terry Saturday, 15 October 2016 12:23 posted by Terry

    I just wanted to confirm that this procedure worked for a Lenovo X230 Tablet.
    Thanks.

    Report
  • Comment Link Anonymous Thursday, 03 November 2016 14:25 posted by Anonymous

    wow amazing, it worked on a Lenovo L440.
    Thank you very much

    Report
  • Comment Link Efrem Mc Friday, 18 November 2016 09:00 posted by Efrem Mc

    To Anders
    You just did pin 5&6 and no ground?
    Boot system, press F1, then immediately short 5&6?
    how long to hold the short?
    my system hung at entering bios
    can't get into bios yet

    Report
  • Comment Link q Saturday, 26 November 2016 00:24 posted by q

    Thank you!
    Just tested on a Lenovo X200.

    Report
  • Comment Link XCUR3 Tuesday, 29 November 2016 09:07 posted by XCUR3

    It worked on T400 machine type 6474. Don`t worry to short PINs 5&6 even randomly after you enter the BIOS for the first time. Maybe one suggestion - when you enter the BIOS already but you can`t change nothing in PASSWORD menu try left/right arrow keys with the PINs shorted. Those settings should change to disable. Then i saved it by F10 clicking repeatedly with PINs in short. After reboot with PINs shorted 3 errors appeared and then stucked. Reboot again with short still holding - 2 errors and stuck. Then release the short and reboot and the password menu was accessible with all passwords disabled. It sounds complicated but as i said before, dont worry to experiment with the PINs SHORT (but only with 5&6) - This worked on T400

    Report
  • Comment Link Saurabh Singh Tuesday, 14 February 2017 11:08 posted by Saurabh Singh

    I'VE similar problem in my Lenovo L 410 Thinkpad.
    And having Foxconn DDR3 RAM MOTHERBOARD.
    But I still not found the EEPROM on mainboard.
    Plz help me in locating EEPROM or tell me any serial no of EEPROM chip set.
    Plz help me
    Thank you

    Report

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

back to top

Back to top

© kinggeek.co.uk 2024