Cracking a ThinkPad 755C

Note: Most of the following information does not apply to any Lenovo-made ThinkPads or even IBM-made ThinkPads manufactured after circa 1999. If you have one of those laptops protected with an unknown password, please look elsewhere.

Imagine you bought, found, or were given an old ThinkPad. The hardware has very little value as such, but for anyone interested in the history of PC computing, it may be a valuable system nonetheless. These systems tend to have been reasonably well built and are fairly likely to function more or less 100% even after all this time.

If the system is 15-20 years old, chances are the CMOS battery is dead. That would normally not pose any serious difficulty, unless the previous owner was slightly paranoid and set a supervisor password, also called Privileged Access Password or PAP. You will only get as far as this:

ThinkPad POP/PAPThe PAP is bad news for two reasons: The original owner probably forgot the password or cannot be contacted at all (might easily be dead!), and the IBM engineers weren’t stupid when they designed the PAP.

ThinkPad Passwords

A quick introduction to the classic ThinkPad password scheme is in order. There are three types of passwords: Power-On Password (POP), Hard Disk Password (HDP), and the aforementioned supervisor password aka PAP.

The POP must be entered every time the system is powered on, including resuming from suspend mode. It does not prevent modification of system settings.

The HDP is a disk lock password, and uses ATA commands. The HDP can be used alone or together with a POP. The HDP is implemented in the disk and the ThinkPad merely provides a user interface. The HDP is usually stored on a special disk cylinder and prevents the disk from being accessed in a different system. On the other hand, a different disk with no password could be installed in the ThinkPad and used instead.

IBM says the following about the HDP: If you forget your hard-disk password, there is no way to reset the password or recover data in the hard disk drive. Neither IBM nor an IBM authorized dealer can make the hard disk drive usable. 

The PAP is the “master” password. It prevents modification of system settings and hardware, but it does not usually need to be entered on every boot. ThinkPads can be “personalized” with owner information etc., and the PAP protects this information.

It’s easy to imagine a scenario where a company owns a number of laptops which are loaned to employees and labeled as being owned by the company. Employees can use the laptops but cannot modify the data identifying the owner.

A note about the password icons is in order. The POP, HDP, and PAP are each supposed to have a separate icon. However, it appears to be a common problem that the POP icon is shown when the PAP needs to be entered.

Removing Passwords

The POP is easy enough to get rid of. On older 750/755 series ThinkPads, there is a jumper that may be bridged to clear the password. The POP is stored in a protected area of the CMOS non-volatile memory, hence removing the CMOS battery may do the trick too, with obvious side effects. What’s funny is that the ThinkPad HMM (Hardware Maintenance Manual) in PDF format says the following: How to Disable the Power-On Password: This information is not available in this HMM online format. See your IBM Servicer or IBM Authorized Dealer for this procedure. (Searching the web may come up with better information.)

At any rate, the HMM still lists the location of the “Power-On Password Connector” for some models. At least for the 755 series ThinkPads, the POP can be cleared without disassembling the system.

The HDP is very difficult to get rid of. It appears that for all practical purposes, a forgotten HDP turns a disk into a paperweight because removing it is often more expensive than a new disk, if it is possible at all.

That leaves the supervisor password (PAP). The PAP is stored in a serial EEPROM chip on the system board. The upshot is that no amount of removing CMOS batteries, powering off, and playing with jumpers is going to do any good.

The common approaches are either reading the EEPROM contents and decoding the password, or desoldering the EEPROM and replacing it with a “clean” one designed for the right model. Depending on the ThinkPad model, this may require fairly major surgery and more or less completely disassembling the system. A replacement system board could easily be a cheaper/simpler solution… but where’s the fun in that?

Hacking a ThinkPad 755C

I had a ThinkPad 755C with just the sort of problem described above. The CMOS battery was dead, which forced the system to enter Easy-Setup… but the PAP prevented that. The laptop was presumably okay but could not be used at all, even if the PAP under normal circumstances would not prevent use.

The system came up with the following errors: 163, 173, 158. Errors 163 and 173 are a direct consequence of CMOS NVRAM loss and mean “Time and Date was not set” and “Configuration data were lost”, respectively. Normally these errors would be fixed by entering Easy-Setup and correcting the settings. However, 158 is a sign of trouble ahead and means “HDP was not set even though the supervisor password is set”.

Assuming the TP755C (a 1994 model, system board FRU 84G4287) works the same as the late 1990s models, would I be able to find the EEPROM where the PAP is stored? Let’s see, on the upper side of the system board (the bottommost board in the assembly), there’s a promising-looking 8-pin SMD. The markings read C46A1 and 09XZ and there’s a ST (SGS-Thomson Microelectronics) logo. A quick search showed that ST93C46A and related devices are indeed serial Microwire EEPROMs.

EEPROM Chip

A post on the excellent allservice.ro forum was very mixed news. The newer 760/765 ThinkPads indeed use a 93C46 EEPROM to store the supervisor password… but the chip has to be de-soldered to be read. Without having an EEPROM reader available and not trusting my SMD soldering skills to successfully remove and re-solder the EEPROM chip, I was in a pickle.

My choice was then either trying to desolder the EEPROM and risk destroying the system board, or just getting a replacement board (at least in theory available for about $10). In the end I decided to try a low-tech option… shorting the EEPROM pins with a screwdriver. If the board ends up being fried, I was not going to be worse off than before, and if the password gets successfully removed, I will have saved $10 and some hassle.

I wasn’t certain how the chip is oriented and whether it’s the normal or the 90-degree turn variant. After playing with a multimeter for a bit, I just made a guess and tried shorting what I thought were the D and Q (serial data input/output) pins. This isn’t entirely easy as the DC/DC board gets in the way and the EEPROM chip access is partially obstructed, but with the right tool it’s still possible.

EEPROM Chip

On the first try, the ThinkPad stopped with a 175 error before even displaying the amount of installed memory.  That’s “Bad EEPROM CRC 1″—not quite what I wanted but definitely on the right track! After a few tries, I finally succeeded: No 158 error and no password prompt before Easy-Setup appeared! This would only allow me to set the date, but after that the system would boot… until it was powered off, lost the NVRAM contents again (as I didn’t have a replacement battery yet), and triggered the same errors again.

The trick was to enter Easy-Setup again and set a known PAP, or clear it entirely. This is a security hole in the password scheme on the 755C and possibly other old ThinkPads. One possible explanation is that the systems were manufactured with an empty EEPROM which was then programmed in a fully assembled system. The screwdriver pin shorting hack perhaps simulates such empty EEPROM. The same method may not be usable on newer ThinkPad models.

At any rate, the board was saved and I now have a lovely SL-enhanced 50 MHz 486DX2 laptop.

Disclaimer: If you try this method on your ThinkPad, only you are responsible for any potential damage. Since the EEPROM must be shorted in a running system, it is easy to slip up and damage some component. Only do it if the alternative is throwing the password-protected board away.

This entry was posted in IBM, PC hardware, ThinkPad. Bookmark the permalink.

14 Responses to Cracking a ThinkPad 755C

  1. Cd-MaN says:

    Regarding HDD passwords: aren’t those stored on the HDD controlled board? (but the actual data on the HDD is protected in no way?). So you can use the EEPROM tricks to clear the HDD chip or just get an identical HDD, swap the boards and be good to go?

    Neither of those options are “easy as pie” but the “no way to recover HDD password” seems far fetched (taking it literally it’s true – you can’t recover the password – but you can get your data back and I assume that’s what most people care about :-))

  2. Michal Necasek says:

    Based on what I read, the password is typically stored on a service track which also holds information about things like reallocated sectors etc. And of course this track is not software accessible at all. So there’s no EEPROM to erase and even replacing the controller board doesn’t get rid of it. Certainly that’s how it should be designed 🙂 Possibly a hacked firmware might do the trick, but that is pure speculation on my part.

    That said, there might be different implementations out there.

  3. Valery says:

    As far as I know (and I serviced as HDD Data recovery specialist for the number of years) no one HDD has password stored in the EEPROM chip (if any). IBM/HGST HDDs usually store password in a very strong way and use very artifical master password.

  4. Alan Pope says:

    Hi. I tried this method on my 755C and it just kept spitting 177, 175 and 178 errors at me. I never managed to get past that :(. I saw another post which suggested pressing F1 at the same time, or maybe sacrificing a chicken in a pentagram might help. Wondered if there were any other tips you might have. I have shorted the two pins you highlighted many times, and never get the success you did.

  5. Michal Necasek says:

    I’m afraid I don’t have any hints really 🙁 It worked for me, but I don’t know that all the ThinkPads are the same or truly have the same problem.

  6. Andry says:

    Michal, were CMOS batterys connected when you shorted that pins?

  7. Michal Necasek says:

    I believe so. Do you expect that to make a difference?

  8. Andry says:

    I just want to do everything good. I have no experience in such things and I have no ability to buy a new system board. One mote question. Was the notebook connected to electricity when you did it? If yes, was the screen working that moment.

  9. Michal Necasek says:

    The laptop has to be powered on and booted up while shorting the EEPROM pins. The key is to get into the setup but skip the password check. And yes, the screen will work.

    As long as you’re careful to only touch the pins of the EEPROM and nothing else, you should be pretty safe I think. Well, it worked for me 🙂

  10. Andry says:

    Thank you. Will try to do it today.

  11. Andry says:

    OK, I have only 175 error… IT IS WORKING! WORKING!!!
    Thank you very much!

  12. Michal Necasek says:

    Glad to hear that it worked for you!

  13. Andry says:

    The way I used:
    1)remove hdd, fdd, battery, memory card which is under fdd
    2)connect computer to electricity
    3)open keyboard, you will see a little white lever near the place where battery was you should lower it with scotch tape
    4)leave the keyboard open and hold F1 key
    5)switch on the computer (keep holding F1)
    6)wait for 0.5 a second and short pins that were shown on the picture (keep holding F1)
    7)wait for 10 seconds and stop holding F1
    8)if you see error 175 try again from step 4
    9)if you see bios which wants you to enter time and date do it, reboot system and try again from step 4
    10)if you see bios menu with many options you did it! go to “passwords” and set new PAP. Reboot computer and enter new password.

Leave a Reply

Your email address will not be published. Required fields are marked *