Zapping the SVP on a T42p

A T4x ThinkPad with a supervisor password is a ticking time bomb. The password is not needed during boot and is only required to change certain BIOS settings, something which isn’t typically needed. But if CMOS settings are lost, the BIOS setup must be entered and the SVP will be required.

That’s exactly what happened to me. I had an old T42p (2.0 GHz Pentium M) with unknown SVP, happily working. Then somehow the CMOS got scrambled. I have no idea why, because the backup battery still seems fine. At any rate, the SVP was required and I didn’t know it. Bricked.

To recover the password, it can be read from an EEPROM but then has to be decoded. That may or may not work. Or a $100+ USB gadget can be procured—worthless for a single use because a replacement T42p system board would cost less. Or the EEPROM could be desoldered and replaced with a “good” password-less one (which I don’t have). Neither option seemed appealing so the T42p was sitting around gathering dust for a while.

Then a kind reader posted this link. Clearing the password with no special tools and no soldering? What could possibly go wrong…

Obviously a lot of things could go wrong, but not much could make the situation worse. So after removing about 15 screws, popping off the keyboard and the ThinkPad’s top cover, the EEPROM chip was exposed (Atmel AT24RF08C). Because I’m lazy I just used a small flat-bladed screwdriver to short the SCL (clock) and SDA (data) pins (pins 5 and 6).

It took me a while to get it right. Most of the time the ThinkPad just asked for the password anyway or got stuck trying to read the EEPROM. After a while, I finally managed to get into the BIOS setup and after more experimentation, disable the SVP. Needless to say, this is a significant security flaw—IBM/Lenovo claims that the system board has to be replaced if the SVP is forgotten, but they’re wrong.

Unfortunately, in the process of trying to clear the SVP I also managed to corrupt the EEPROM data. On every boot, the ThinkPad reported error “0189: Invalid RFID configuration information area”. The HMM says “The EEPROM checksum is not correct” and suggests replacing the system board (yeah right…).

The error is not fatal, it is only annoying and Esc must be hit on every boot. For some mysterious reason, the T42p also decided to do a thorough memory test on every boot which takes well over a minute with 1GB RAM but can be skipped by pressing Space.

So what could fix the EEPROM? Flashing the BIOS was the first guess but that didn’t do it. The typical Internet advice is “replace the system board”. Nope, not again. After more searching, far better advice turned up: Run the Hardware Maintenance Diskette and fix the checksum!

Sure enough, Hardware Maintenance Diskette did the trick. I used version 1.72 (found in maint172.exe on a PCC BBS mirror). Choosing the “Assign UUID” option informed me that I already had a valid UUID (the BIOS setup agreed with that) and that the checksum was being updated.

Bingo! On next boot, the error was gone. As a bonus, the T42p no longer thinks that the RAM needs a thorough scrubbing every time.

I am almost certain the EEPROM  got corrupted when I was shorting the pins while the system was shutting down/rebooting. The ThinkPad firmware apparently likes to write the EEPROM a lot.

At any rate, it’s great to have the T42p back. It has a rather nice 1600×1200 display and Pentium M is a cute little CPU.

This entry was posted in Hardware Hacks, ThinkPad. Bookmark the permalink.

4 Responses to Zapping the SVP on a T42p

  1. zeurkous says:

    …an i86 processor? ‘cute’?

  2. Trowa Barton says:

    I recently inherited an X61 in gorgeous condition and it had an SVP password as well. It took me a few tries but I managed to reset it with a simple screwdriver just like you did and all was well!

    When I worked at a help desk we gave serious thought into buying one of those reset kits due to the amount of users who enabled their fingerprint readers, and inadvertently set either Power-on or SVP passwords. I was shocked but quite ecstatic that such a simple reset method worked.

  3. Miod Vallat says:

    @zeurkous: but little, so that’s ok.

  4. And this (and stuff like it) is why I long for the return of socketed EEPROMs…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.