Posted on 2008-4-1 04:51:47 | Word count: 4,409 | - Canada Rogers
Take a look here: http://sodoityourself.com/hacking-ibm-thinkpad-bios-password/
Recovering BIOS passwords
Password recovery procedure for IBM ThinkPads using R24RF08 and IBMpass
1. Introduction.
The IBM ThinkPad uses a small eeprom (ATMEL 24RF08) to store different OEM issues like serial number, UUID, etc. The supervisor password (SVP) is also stored in this eeprom. The 24RF08 is not an ordinary eeprom: it features read protection, which the BIOS uses to lock down access to the eeprom contents. Also, the password is written in a special scan code, which needs to be translated to ASCII to be of any use.
To recover the password, one can use two different programs: R24RF08 (eeprom reader) and IBMpass (password revealer) available at http://www.allservice.ro. Diagrams are included in the reader kit.
Models for which R24RF08 and IBMpass are enough to recover the password: 240, 240X, 390E, 390X, 570, 570E, 600e, 600X, 770Z, A20m, A21e, A21m, A22m, A30, A30p, A31, A31p, G40, G41, R30, R31, R32, R40, R50, R51, Transnote, T20, T21, T22, T23, T30, T40, T40p, T41, T41p, T42, T42p, X20, X21, X22, X23, X24, X30, X31, X40, X41, X61.
ThinkPads featuring TPCA technology (i.e. a TPM trusted platform module chip), especially T4x, X3x, X4x, X61 and X61T need the W24RF08 eeprom writer program to complete the password recovery procedure, if the passphrase function is enabled in BIOS setup.
Other models such as the 380XD or 600 use 24C01 or 93C46 eeproms, which can be read without special tools. The method is the same as for the models based on 24RF08; only the software to dump the eeprom is different.
Newer T43/T43p, R52, R60, T60/p, X60 and Z60 ThinkPads can be unlocked using PC8394 programming tools that consist of RPC8394 and WPC8394 (reader and writer for TPM chips). The software is available as well on http://www.allservice.ro. IBMpass 2.0 works for any TP model without exceptions.
2. Locating the ATMEL 24RF08 eeprom. Soldering.
No need to unsolder the 24RF08 eeprom; just solder 3 wires to the SDA, SCL and GND pins of the eeprom. There are two eeprom layouts (see the interface schematics described below), corresponding to 8-pin or 14-pin eeproms. Locate the eeprom first according to your model (e.g. the T20-23 and T30 have the eeprom underneath the TP, and it can be accessed by removing the RAM modules cover, no need to dismantle the laptop) and solder the wires using a soldering iron with a fine tip. Also, you can use 0.15-0.20 mm enamel-coated wires or similar small-diameter insulated wires. These wires will be connected later to the interface.
Tip: You can use clips to connect the wires, or you can solder on the PCB traces leading to the eeprom pins. Once again, be careful and double- or triple-check the soldering if necessary till you are positively sure you have done the right job. In case of applying too much solder, use flux-impregnated copper-braid "desoldering wick"; this works exceptionally well.
3. Choose and build the interface.
Since version 2.0, R24RF08 and W24RF08 (eeprom writer) are compatible with a wide range of eeprom programmers. By default, both programs set the COM port signals to use direct logic levels to access the I2C bus. We provide here 2 schematics that are relevant for direct logic signals and for inverse logic signals (simple-i2cprog.pdf and driven-i2cprog.pdf). Also, depending on the interface you build, you can invert the logic for the SDA-In, SDA-Out, and SCL COM port signals with some command line parameters described later in this document.
a) The file simple-i2cprog.pdf contains the schematic diagram of a simple interface (known as SIPROG) based on 2 zeners and 2 resistors. This is a classic, easy-to-build circuit and works with soldered or unsoldered eeproms. The purpose of the 2 zeners is to convert RS232 levels (+/- 5V) to TTL levels, needed by the eeprom. It uses direct logic signals to the I2C eeprom and is powered by the COM port. However, this interface works with in-system eeproms but is dependent on COM port current and eeprom bus impedance. R24RF08 works natively with this circuit; there is no need to change the line signals with command line parameters. This circuit works pretty well with almost all ThinkPad series.
b) The second interface is described in driven-i2cprog.pdf. The circuit uses a MAX232 as an RS232-to-TTL driver and its main purpose is to work with soldered eeproms. The advantage of the MAX232 is its TTL outputs, which are more reliable and more powerful when working with soldered, in-system eeproms (independent of the COM port current). Due to the internal inverters of the MAX232, the interface responds to an inverse signal logic level. R24RF08 needs the /x, /d, /i switches to be specified on the command line.
What these switches mean: /x - invert serial clock, also known as SCL; /d - invert serial data output, also known as SDA-Out; /i - invert serial data input, also known as SDA-In. All those can be used in any combination to meet any interface specification.
Note that the "standard" serial port programmer probably won't work with a USB-Serial adapter, but requires the full nominal voltage of a hardware serial port. [Example: the A22p's serial port works fine here.]
4. Dump the EEPROM:
Prepare your technician PC by connecting the interface to the COM1 port (donâ |