Sunday, March 21, 2010

How To: Cracking a boot-time Supervisor password on an IBM ThinkPad

I've been doing laptop repair for a while now, and most of what I end up doing is opening a laptop up and cleaning out a heatsink to prevent overheating problems.

I do run into a fair share of other problems too: DVD drives that won't close, power jacks that have come unsoldered, displays that have been cracked or have had daiquiris dumped on them (there is such a thing as partying too hard), keyboard replacements, etc.

But a few months back I had an interesting request: unlocking an older IBM ThinkPad that had a boot-time supervisor password preventing access.

Now, there are a few different kinds of on-boot passwords you'll see: BIOS passwords, which are easily reset by clearing the CMOS; HDD passwords, which can be pretty tricky to bypass but can be done; and hardware passwords, which actually use a chip on the motherboard to store an encrypted password in non-volatile memory. This last kind prompts for the password even before the BIOS starts. These are the hardest to deal with because there is no simple answer to cracking the password. You're either stuck trying to brute force it (which is all but impossible) or having the motherboard replaced, which IBM will charge you a pretty penny for.

But there is another option. If you're resourceful enough and good with a soldering gun, you can build an EEPROM chip reader, connect it to a separate PC via the serial port, read the encrypted password off the chip, and decrypt it. I'll link you here as to how the entire thing is actually done.

Here's what mine looks like:

It's not an easy process, and the hardest part is soldering the wires to the legs of the EEPROM chip (seriously, it's hard), but once you've decrypted the password, it's a great feeling!
