
ZAP SVP or Clear SVP using KeyMaker 9 USB or KeyMaker 9 USB PRO in Stand Alone MODE
How to unlock any of the ThinkPads (TPs) listed below using KM9USB or KM9USBPRO
240, 240X, 390E, 390X, 570, 600e, 600X, 770Z, A20m, A21e, A21m, A22e, A22m, A30, A30p, A31, A31p, G40, G41, R30, R31, R32, R40, R400, R50, R500, R50p, R51, R52, R61, R60, R61i, T20, T21, T22, T23, T30, T40, T40p, T400, T43, T43p, T500, T41, T41p, T42, T42p, T60, T60p, T61, T61p, TransNote, W500, X20, X200, X21, X22, X23, X24, X30, X200, X300, X301, X31, X40, X41, X41T, X60, X60s, Z60, X61, X61s, X61t, Z61
Stand Alone mode is exactly the same when using KM9USB and KM9USBPRO.
In this page only, any reference to KM9USB also applies to KM9USBPRO.

Clearing a Supervisor Password (SVP) from a TP is fairly straightforward once you know how to avoid all the TRAPS IBM/Lenovo have set for you, the customer.
I know this is all very exciting and you are ready to start stripping down your TP and jump into it, but WAIT! Read all of this first.
Most people are absolutely certain they have a Supervisor Password (SVP) set.
There is a chance you may not have a SVP set in your TP.
I have exchanged emails with many people who have gone through the whole SVP unlocking thing, read the EEPROM, wasted days, only to discover there is no SVP set at all.
How is that possible? Are these people really dumb or something?
The answer is NO, these are all perfectly sane, intelligent people.
The real problem is IBM/Lenovo and their warped sense of humour.
When you really do have strong security, you challenge people to try and defeat it, you invite peer review to make sure it is in fact secure.
When you have flimsy pretend security and you obstinately pretend it is so secure even you can't unlock it, well, you have to get all secretive and vague about everything, HOPING people won't find out. In other words, an illusion of strong security where none really exists, which is what we have here.
Trap number 1, the Hard Disk Password (HDP)
If at any time you see this Password prompt icon

That icon with the small number 1 (it may be a small number 2 or 3 if you have more than one Hard Disk) means the HDP is set. You will not be able to easily recover or clear the HDP; KM9 USB will NOT recover or clear HDP.
It will cost you more to clear the HDP
than a new Hard disk is worth.
Clearing a HDP is only worth the
expense and effort if there is valuable data on the Hard disk that
MUST be recovered.
If HDP is set then
remove the Hard Disk [HD] before continuing so that you can determine
which other passwords (IF ANY) you need to recover or clear.
There may not be any other password set!
Ok, you removed the HD and you see yet another
Password Prompt icon.
Trap number 2, the guessing game - is it SVP or POP -
The trap is that IBM/Lenovo in their wisdom chose to have THE SAME PASSWORD PROMPT ICON for BOTH SVP and Power on Password (POP).

The password prompt icon pictured above does NOT define which PASSWORD it is asking you to enter.
It can be either POP or SVP.
There is only ONE way to find out for sure which one it is, and maybe save a LOT of time:
- Identify your TP model
- Download the Hardware Maintenance Manual (HMM) for your TP model
The link above is to the IBM/Lenovo site. If it doesn't work, don't panic, it isn't broken; their site is shut down daily for maintenance and at those times they display spurious messages like "the page you requested cannot be found". Wait a good while and try again.
Using the HMM link above, once you select a model and are on the page that has the PDF HMM for that model, it is best to right click on the PDF HMM for your model then select Save Target As; that way you will have the PDF HMM on your PC to refer to any time you need it.
Spend the time to read the first part of the HMM, which deals with Cautions. Some of these, for example Shock Sensors, are very important: you would not want to handle your System board roughly, only to find out when you power it up to unlock it that you have in fact ruined it.
Read the HMM section dealing with Passwords and become familiar with how to remove the Power on Password [POP].
Then follow the instructions for POP Removal.
After performing POP Removal, if there is no password prompt icon displayed, you are done, your TP is unlocked.
If you have performed POP Removal and you continue to see this password prompt icon

it does NOT mean you didn't perform POP Removal correctly.
It means that with POP removed, you have now absolutely confirmed that you do indeed have a SVP set and you can now put the time and effort into removing or clearing it.

How to Zap SVP using KM9USB
Zapping or Clearing a Supervisor Password (SVP) from a ThinkPad (TP) always involves these steps.
- Identify your TP model.
- Find the location of the EEPROM connection points and EEPROM Type.
- Download and save the HMM, then follow the HMM to enable you to strip down the TP [without damaging it as you would if you don't follow the HMM] down to the point you can access that EEPROM location; depending on the model this could be ONE Screw or a total strip down.
- Connect 3 leads between the EEPROM's connection points and KeyMaker 9 USB Zap (KM9USB).
- Switch on the TP.
- Press the ZAP SVP button. You see a Green LED on the KM9USB board turn On, stay on for 15 seconds and go off; if it flashes slowly twice, that means the SVP is gone forever, your TP is now unlocked.
More detail on those 5 steps follows below, please continue reading.

The connection Points on KM9USB are: VCC - GND - SCL - SDA
Most times we only use GND - SCL - SDA and leave VCC NOT connected.

When you purchase KM9USB you are supplied with a 4 wire lead.
Most of the time you will ONLY be using 3 of those 4 wire leads.
In the photo above on the right, the 4 wire lead is connected onto the I2C header pins.
NOTE the orientation: by convention, much like a car battery, RED is Positive Voltage, in this case it is called VCC.
Black is Negative, or as we will be referring to it, GND, which stands for Ground. In plain English, Ground is the negative or common point in a circuit.
You do NOT connect VCC [the RED lead] unless you are reading an unsoldered 24xx series EEPROM, and I can't see you doing that very often, if at all, unless you run a Laptop Repair Shop.
All the EEPROM location pages show 3 connection points:
- GND which you connect to the BLACK lead above.
- SCL which you connect to the YELLOW lead above.
- SDA which you connect to the WHITE lead above.
Make it a habit to connect the 4 wire lead as per above, with the RED wire over VCC.
When it comes to making those 3 connections between KM9USB and the EEPROM you have the choice of using:
- Clips to make the connections.
- Sharp Probes, for example multimeter leads that are skinny and come to a sharp point; they also have an insulated handle for you to hold without your sweaty hands interfering with the low power signals on SDA and SCL.
OR IF YOU PREFER YOU can Solder the thin enamel wire supplied to the EEPROM pins. Don't forget to tape the wires down just near the solder joint to relieve tension on the solder joint. NO, you don't run the thin wires all the way back to the I2C header on the KM9; you only run the thin wires until they exit the side of the TP, then you join them to the supplied 4 wire cable by soldering a short piece of copper wire [an off cut from a resistor works well] onto the end of the enamel wire and poking the short bit of copper wire into the 4 lead cable holes.
Like this. It is a good idea to label the enamel wire ends to avoid getting them mixed up. Notice the RED wire not being used at all.

Whichever method you choose to make the 3 connections is up to you. So long as there is a good electrical connection during any Read or Write operation between the connection points at both the EEPROM and KM9USB I2C header pins, all is well.


You really want to unlock your TP and use it again?

It does not get any easier than this!
Yes, you can easily do it yourself!
This assumes you have read all the preceding information on this page and not simply skipped all that boring IMPORTANT information; if you skipped it, go back and read all of this page above.
You should already have:
- Identified your TP model.
- Downloaded and saved the HMM, then followed the HMM POP removal procedure to be certain it isn't simply a POP and NOT SVP you are faced with.
- Having confirmed it is a SVP, found the location of the EEPROM connection points and EEPROM Type for your TP Model.
- Followed the HMM to enable you to strip down the TP [without damaging it as you would if you don't follow the HMM] down to the point you can access that EEPROM location; depending on the model this could be ONE Screw or a total strip down.
- Found the EEPROM connection point for your TP Model and decided whether you will solder wires or use clips or sharp probes to make the actual connections.
Some older model TPs will have an EEPROM type 24C01 or 24C03 or 93C46; you cannot Zap those. You can however Recover the SVP and type it in at the SVP Prompt using the keyboard; for that YOU WILL need to purchase the KM9PWD Product Key and use the Terminal Software to display the Recovered SVP.
KM8USBZ will ONLY zap EEPROM Type LSI and 24RF08, which luckily is the MAJORITY of TP models. Here is the list of LSI and 24RF08 TPs.
240, 240X, 390E, 390X, 570, 600e, 600X, 770Z, A20m, A21e, A21m, A22e, A22m, A30, A30p, A31, A31p, G40, G41, R30, R31, R32, R40, R400, R50, R500, R50p, R51, R52, R61, R60, R61i, T20, T21, T22, T23, T30, T40, T40p, T400, T43, T43p, T500, T41, T41p, T42, T42p, T60, T60p, T61, T61p, TransNote, W500, X20, X200, X21, X22, X23, X24, X30, X200, X300, X301, X31, X40, X41, X41T, X60, X60s, Z60, X61, X61s, X61t, Z61
Whichever connection method you chose, your KM9USB should be switched ON.
First, you connect the 3 wires (GND, SDA, SCL) from the KM9USB I2C header to the EEPROM connection points on your Password Protected TP.
You can solder the 3 wires, or you can use a clip on each wire, or you can use a clip for GND and sharp probes for SDA and SCL.
For example:
A T60 being unlocked, using Joe's KeyMaker 7 together with Joe's KeyMaker 7 LCD. The same principles apply when using KeyMaker 9 USB Zap or KM9 USB KM9 PWD or KM9 USB PRO.
Using the Zap function on KM9USB simply means you have no display and the EEPROM type must be either an LSI or 24RF08, as only those EEPROM types can be Zapped.
Using two multimeter leads with sharp points, hand held [in one hand], for the SDA and SCL connections.
A black clip is being used for the GND connection, attached to the CPU heat sink.
Leaving one hand free to operate the Joystick on the KeyMaker 9 LCD board.
Looks easy - because - it is easy when you have the right tools.


The 3 connections MUST be made to the correct connection points.
Double check you have not mixed up the 3 wires.
With some models, you will have a totally stripped down, bare TP for this operation, yet one that can still be switched on and run.
In that case make sure the metal parts of the keyboard cannot come into electrical contact with any part of the circuitry on the system board; you can use paper or plastic or insulating tape to keep things electrically isolated.
Make sure you have attached the CPU heat sink and that the CPU cooling fan is connected and will operate when the TP is switched on, else you will fry your CPU.
On some models it helps if you open the LCD screen at 90 degrees and stand the TP vertical so one side of the LCD screen and one side of the Machine are resting on the table surface; that way you can access the front and back of the TP after it is switched ON.
If you are using sharp probes to make the connections then you can wait until the locked TP has Powered UP and is at a password prompt before making the connections using your sharp probes.
You have made sure nothing can 'short out'?
Plug a mini-USB cable from one of the USB Ports on the locked TP to the USB socket on your KM9USB; that will power KM9USB once the locked TP is switched ON.
Switch your TP On using the Power On button on its keyboard. Of course you do need to connect some power to it via your TP AC adaptor, else nothing useful will occur.
If you don't hear the sound of the CPU cooling fan running, switch off and check it before continuing. Normally the fan runs the instant you switch the TP ON; it may stop in the next few seconds, that's OK. So long as it does run at start up, you know you have not forgotten to connect it during re-assembly.
As soon as you see the IBM/Lenovo logo displayed - press the ESC key.
Then - press the F1 key.
You should see a message 'Entering Bios set-up' or similarly worded message.
Then you should see a Password prompt icon.
If you see this password prompt icon with either the number 1 or 2 or 3 etc

That means that, like a LOT OF PEOPLE, you are rushing and you completely skipped the important information at the start of this page. Please switch the TP OFF, and start reading from the top of this page; this time do NOT skip anything!
You should be seeing this icon

One final reminder for those in a huge rush who skip important information: you did already follow the POP Removal procedure detailed at the top of this page, YES?
Did you notice that each page showing the location of the EEPROM connection point for your TP model starts off with, for example for R52:
R52
EEPROM you treat it as LSI
That is telling us that the EEPROM TYPE for an R52 is LSI.
If your EEPROM Type is not an LSI or 24RF08 then you will need to use KM9PWD Option Product Key and use a second PC running Terminal Software. This short tutorial assumes you do have an LSI or 24RF08 EEPROM TYPE and are using the KM9USB Zap feature.
Do not press the ZAP SVP button before the EEPROM connections have been made.
If you are using sharp probes to make the EEPROM connections, you must now apply them to the EEPROM connection points for SDA and SCL. You did connect GND earlier, right?
Now press the ZAP SVP button to Zap the SVP.
If you are using sharp probes, you do need another person to push the ZAP SVP button while you concentrate on holding the sharp probes so that there is a good solid electrical connection during the entire operation.
You should see a Green LED on the KM9USB board turn On, stay on for 15 seconds and go off; if it flashes slowly twice, that means the SVP is gone forever, your TP is now unlocked.
If the connections are not made correctly the Green LED will display a fast burst of flashes; that means failure, check the connections and try again.
If the green LED turned on for about 15 seconds followed by 2 slow 1/2 second flashes at the end, your TP is now UNLOCKED, that SVP is gone.
NOTE: on newer models, Hard Disk Password cannot be recovered from anywhere inside the TP; the Hard Disk itself internally looks after the HD Password.
Your TP is now unlocked. As a reward, when you switch the TP OFF and switch it back ON again, press F1 to enter BIOS set-up and it will not ask for a SVP.
Now you have full access to your TP.

Time to congratulate yourself on a job well done.
I would recommend that you set a new Supervisor Password, one you can remember. If you don't set one, someone else can and you may have to do this all over again; much easier to set your own password so no one else can set one and frustrate you.
CAUTION: IF your laptop is set to boot over a Corporate Network then do not tinker with BIOS set-up unless you know the required settings for your Corporate network.
While in BIOS set-up, SET DEFAULT setting, the F9 key does that; select BOOT and also set defaults there by using F9.
Then Press F10 to SAVE those settings, switch the TP OFF and switch it back ON again to continue using it.
Those last F9, F10 steps above are VERY IMPORTANT, else you may see errors reported, your TP may not find the Hard Disk to boot from, etc.
A quick lesson:
When using KeyMaker 9 USB, connection leads to the EEPROM inside a TP can be connected whilst the TP is switched OFF or ON; the leads can be left connected while the TP is being switched ON and OFF.
If you are new to TP unlocking you might be thinking - so what! Well, read on and you will see what a significant difference that can make.
RS-232 based simple interfaces, when connected to the EEPROM inside a TP, impose a substantial load on the EEPROM's signal lines and if left connected will interfere with the power on and power off functions of the TP.
Which means that when using an old RS-232 interface the EEPROM leads must be disconnected while the TP is powering up, connected to perform a function, then disconnected again before switching the TP OFF.
When using an old RS-232 interface the EEPROM leads can ONLY be connected after the TP has been switched ON and has completed its power up functions.
KeyMaker 9 USB's EEPROM connections do NOT have those restrictions because the KeyMaker 9 USB's EEPROM connection points are High Impedance; they do not load down the signals, therefore they can be left connected at all times without affecting TP power up or power down.
A lot of TP unlock operations require that you Power Cycle the TP, in other words Switch OFF, Switch ON the TP. Having to disconnect leads from the EEPROM and reconnect those EEPROM leads each time the TP is switched ON or OFF becomes tedious and can lead to mistakes.
Another plus for Joe's KeyMaker 9 USB.

Disclaimer
I make no warranty that any of my
information is correct, or safe, or does or does not breach any warranty
clause, or anything else, it is up to you to decide if you will
follow all or any of the instructions to recover the Supervisor Password
from a TP. It is up to you to decide, I am not responsible for the
results or for any consequential or incidental damages whatsoever.


If you have any questions, email Joe at
