Note: Most of the following information does not apply to any Lenovo-made ThinkPads or even IBM-made ThinkPads manufactured after circa 1999. If you have one of those laptops protected with an unknown password, please look elsewhere.
Imagine you bought, found, or were given an old ThinkPad. The hardware has very little value as such, but for anyone interested in the history of PC computing, it may be a valuable system nonetheless. These systems tend to have been reasonably well built and are fairly likely to function more or less 100% even after all this time.
If the system is 15-20 years old, chances are the CMOS battery is dead. That would normally not pose any serious difficulty, unless the previous owner was slightly paranoid and set a supervisor password, also called Privileged Access Password or PAP. You will only get as far as this:
The PAP is bad news for two reasons: The original owner probably forgot the password or cannot be contacted at all (might easily be dead!), and the IBM engineers weren’t stupid when they designed the PAP.
A quick introduction to the classic ThinkPad password scheme is in order. There are three types of passwords: Power-On Password (POP), Hard Disk Password (HDP), and the aforementioned supervisor password aka PAP.
The POP must be entered every time the system is powered on, including resuming from suspend mode. It does not prevent modification of system settings.
The HDP is a disk lock password, and uses ATA commands. The HDP can be used alone or together with a POP. The HDP is implemented in the disk and the ThinkPad merely provides a user interface. The HDP is usually stored on a special disk cylinder and prevents the disk from being accessed in a different system. On the other hand, a different disk with no password could be installed in the ThinkPad and used instead.
IBM says the following about the HDP: “If you forget your hard-disk password, there is no way to reset the password or recover data in the hard disk drive. Neither IBM nor an IBM authorized dealer can make the hard disk drive usable.”
The PAP is the “master” password. It prevents modification of system settings and hardware, but it does not usually need to be entered on every boot. ThinkPads can be “personalized” with owner information etc., and the PAP protects this information.
It’s easy to imagine a scenario where a company owns a number of laptops which are loaned to employees and labeled as being owned by the company. Employees can use the laptops but cannot modify the data identifying the owner.
A note about the password icons is in order. The POP, HDP, and PAP are each supposed to have a separate icon. However, it appears to be a common problem that the POP icon is shown when the PAP needs to be entered.
The POP is easy enough to get rid of. On older 750/755 series ThinkPads, there is a jumper that may be bridged to clear the password. The POP is stored in a protected area of the CMOS non-volatile memory, hence removing the CMOS battery may do the trick too, with obvious side effects. What’s funny is that the ThinkPad HMM (Hardware Maintenance Manual) in PDF format says the following: “How to Disable the Power-On Password: This information is not available in this HMM online format. See your IBM Servicer or IBM Authorized Dealer for this procedure.” (Searching the web may come up with better information.)
At any rate, the HMM still lists the location of the “Power-On Password Connector” for some models. At least for the 755 series ThinkPads, the POP can be cleared without disassembling the system.
The HDP is very difficult to get rid of. It appears that for all practical purposes, a forgotten HDP turns a disk into a paperweight because removing it is often more expensive than a new disk, if it is possible at all.
That leaves the supervisor password (PAP). The PAP is stored in a serial EEPROM chip on the system board. The upshot is that no amount of removing CMOS batteries, powering off, and playing with jumpers is going to do any good.
The common approaches are either reading the EEPROM contents and decoding the password, or desoldering the EEPROM and replacing it with a “clean” one designed for the right model. Depending on the ThinkPad model, this may require fairly major surgery and more or less completely disassembling the system. A replacement system board could easily be a cheaper/simpler solution… but where’s the fun in that?
Hacking a ThinkPad 755C
I had a ThinkPad 755C with just the sort of problem described above. The CMOS battery was dead, which forced the system to enter Easy-Setup… but the PAP prevented that. The laptop was presumably okay but could not be used at all, even if the PAP under normal circumstances would not prevent use.
The system came up with the following errors: 163, 173, 158. Errors 163 and 173 are a direct consequence of CMOS NVRAM loss and mean “Time and Date was not set” and “Configuration data were lost”, respectively. Normally these errors would be fixed by entering Easy-Setup and correcting the settings. However, 158 is a sign of trouble ahead and means “HDP was not set even though the supervisor password is set”.
Assuming the TP755C (a 1994 model, system board FRU 84G4287) works the same as the late 1990s models, would I be able to find the EEPROM where the PAP is stored? Let’s see, on the upper side of the system board (the bottommost board in the assembly), there’s a promising-looking 8-pin SMD. The markings read C46A1 and 09XZ and there’s an ST (SGS-Thomson Microelectronics) logo. A quick search showed that ST93C46A and related devices are indeed serial Microwire EEPROMs.
A post on the excellent allservice.ro forum was very mixed news. The newer 760/765 ThinkPads indeed use a 93C46 EEPROM to store the supervisor password… but the chip has to be de-soldered to be read. Without having an EEPROM reader available and not trusting my SMD soldering skills to successfully remove and re-solder the EEPROM chip, I was in a pickle.
My choice was then either trying to desolder the EEPROM and risk destroying the system board, or just getting a replacement board (at least in theory available for about $10). In the end I decided to try a low-tech option… shorting the EEPROM pins with a screwdriver. If the board ended up being fried, I was not going to be worse off than before, and if the password got successfully removed, I would have saved $10 and some hassle.
I wasn’t certain how the chip is oriented and whether it’s the normal or the 90-degree turn variant. After playing with a multimeter for a bit, I just made a guess and tried shorting what I thought were the D and Q (serial data input/output) pins. This isn’t entirely easy as the DC/DC board gets in the way and the EEPROM chip access is partially obstructed, but with the right tool it’s still possible.
On the first try, the ThinkPad stopped with a 175 error before even displaying the amount of installed memory. That’s “Bad EEPROM CRC 1”, not quite what I wanted but definitely on the right track! After a few tries, I finally succeeded: No 158 error and no password prompt before Easy-Setup appeared! This would only allow me to set the date, but after that the system would boot… until it was powered off, lost the NVRAM contents again (as I didn’t have a replacement battery yet), and triggered the same errors again.
The trick was to enter Easy-Setup again and set a known PAP, or clear it entirely. This is a security hole in the password scheme on the 755C and possibly other old ThinkPads. One possible explanation is that the systems were manufactured with an empty EEPROM which was then programmed in a fully assembled system. The screwdriver pin shorting hack perhaps simulates such an empty EEPROM. The same method may not be usable on newer ThinkPad models.
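The design lesson in the explanation above, as an added example (not IBM firmware and not code from the original post): a boot-time check that trusts an erased-looking EEPROM read fails open, while one that accepts a blank part only in manufacturing fails closed. The record layout, checksum, and `factory_mode` input are assumptions made for illustration; only the 64 x 16-bit size and the all-ones erased state are properties of a 93C46.

```c
#include <stdint.h>
#include <stddef.h>
#define WORDS 64  /* 93C46 in x16 organisation: 64 words, erased state 0xFFFF */
enum lock_state { UNLOCKED, PASSWORD_REQUIRED, HALT_EEPROM_ERROR };

/* Assumed layout: word 0 = "password set" flag, word 63 = checksum of 0..62. */
static uint16_t checksum(const uint16_t *w) {
    uint16_t sum = 0;
    for (size_t i = 0; i < WORDS - 1; i++)   /* rotate left by 1, then XOR */
        sum = (uint16_t)(((sum << 1) | (sum >> 15)) ^ w[i]);
    return sum;
}

static int is_blank(const uint16_t *w) {
    for (size_t i = 0; i < WORDS; i++)
        if (w[i] != 0xFFFF) return 0;
    return 1;
}

static enum lock_state check_record(const uint16_t *w) {
    if (w[WORDS - 1] != checksum(w)) return HALT_EEPROM_ERROR; /* cf. error 175 */
    return w[0] ? PASSWORD_REQUIRED : UNLOCKED;
}

/* Fail-open: an erased-looking read is trusted as "new board, no password". */
enum lock_state check_fail_open(const uint16_t *w) {
    return is_blank(w) ? UNLOCKED : check_record(w);
}

/* Fail-closed: a blank part is accepted only when a separate, assumed
 * manufacturing-mode signal is present; in the field it is an error. */
enum lock_state check_fail_closed(const uint16_t *w, int factory_mode) {
    if (is_blank(w)) return factory_mode ? UNLOCKED : HALT_EEPROM_ERROR;
    return check_record(w);
}

/* Constructed sample: password flag set, valid checksum. */
void make_locked_record(uint16_t *w) {
    for (size_t i = 0; i < WORDS; i++) w[i] = 0;
    w[0] = 1; w[1] = 0x1234;
    w[WORDS - 1] = checksum(w);
}
void make_blank(uint16_t *w) { for (size_t i = 0; i < WORDS; i++) w[i] = 0xFFFF; }

int main(void) {   /* same blank read, two policies: exit status 0 if they differ */
    uint16_t w[WORDS];
    make_blank(w);
    return (check_fail_open(w) == UNLOCKED && check_fail_closed(w, 0) == HALT_EEPROM_ERROR) ? 0 : 1;
}
```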
At any rate, the board was saved and I now have a lovely SL-enhanced 50 MHz 486DX2 laptop.
Disclaimer: If you try this method on your ThinkPad, only you are responsible for any potential damage. Since the EEPROM must be shorted in a running system, it is easy to slip up and damage some component. Only do it if the alternative is throwing the password-protected board away.