How to unlock any of
the ThinkPads (TPs) listed below using Joe's KeyMaker 9A USB PRO and a
second PC
370C,
380Z, 380XD, 560Z, 600, 760EL, 760LD, 770 series, 770E, 770ED, 240,
240X, 390E, 390X, 570, 600e, 600X, 770Z, A20m,
A21e, A21m, A22e, A22m, A30, A30p, A31, A31p, G40, G41, R30, R31,
R32, R40, R400, R50, R500, R50p, R51, R52,
R61, R60, R61i, T20,
T21, T22, T23, T30, T40, T40p, T400, T43, T43p, T500, T41, T41p, T42,
T42p, T60, T60p, T61, T61p, TransNote, W500, X20, X200, X21, X22, X23,
X24, X30, X200, X300, X301, X31, X40, X41, X41T, X60, X60s, Z60,
X61, X61s, X61t, Z61
Recovering or Clearing a Supervisor
Password (SVP) from a TP is fairly straightforward
once you know how to avoid all the
TRAPS IBM/Lenovo have set for you, the customer.
I know this is all very exciting and
you are ready to start stripping down your TP and jump into it, but
WAIT! Read all of this first.
Most people are absolutely certain they
have a Supervisor Password (SVP) set.
There is a chance you may not have a
SVP set in your TP.
I have exchanged emails with many
people who have gone through all the SVP unlocking thing, read the
EEPROM, wasted days, only to discover there is no SVP set at
all.
How is that possible, are these people
really dumb or something?
The answer is NO, these are all
perfectly sane intelligent people.
The real problem is IBM/Lenovo and
their warped sense of humour.
When you really do have strong
security, you challenge people to try and defeat it, you invite peer
review to make sure it is in fact secure.
When you have flimsy pretend security
and you obstinately pretend it is so secure even you can't unlock it,
well you have to get all secretive and vague about everything HOPING
people won't find out, in other words an illusion of strong security
where none really exists, which is what we have here.
Trap number 1, the Hard Disk Password
(HDP)
If at any time you see this Password
prompt icon

That icon with the small number 1 (it
may be a small number 2 or 3 if you have more than one Hard Disk)
means the HDP is set. You will not be able to easily recover or clear
the HDP; KM9A USB will NOT recover or clear HDP.
It will cost you more to clear the HDP
than a new Hard disk is worth.
Clearing a HDP is only worth the
expense and effort if there is valuable data on the Hard disk that
MUST be recovered.
If HDP is set then
remove the Hard Disk [HD] before continuing so that you can determine
which other passwords (IF ANY) you need to recover or clear.
There may not be any other password
set!
Ok, you removed the HD and you see yet
another Password Prompt icon.
Trap number 2, the guessing game - is
it SVP or POP -
The trap is that IBM/Lenovo in their
wisdom chose to have THE SAME PASSWORD PROMPT ICON for BOTH SVP and
Power on Password (POP)

The password prompt icon pictured above
does NOT define which PASSWORD it is asking you to enter.
It can be either POP or SVP.
There is only ONE way to find out for sure
which one it is and maybe save a LOT of time.
- Identify your TP model
- Download the Hardware Maintenance Manual (HMM) for your TP model
The link above is to the
IBM/Lenovo site, if it doesn't work, don't panic, it isn't broken,
their site is shut down daily for maintenance and at those times
they display spurious messages like the page you requested cannot
be found, wait a good while and try again.
Using the HMM link above, once you
select a model and are on the page that has the PDF HMM for that
model, it is best to right click on the PDF HMM for your model then
select Save Target AS, that way you will have the PDF HMM on
your PC to refer to any time you need it.
Spend the time to read the first part
of the HMM which deals with Cautions, some of which, like for example
Shock Sensors, are very important; you would not want to roughly
handle your System board only to find out when you power it up to unlock it
that in fact you have ruined it.
Read the HMM section dealing with
Passwords and become familiar with how to remove Power on Password [POP].
Then follow the instructions for POP
Removal.
After performing POP Removal if there
is no password prompt icon displayed, you are done, your TP is
unlocked.
If you have performed POP Removal and
you continue to see this password prompt icon

It does NOT mean you didn't perform
POP Removal correctly
It means that with POP removed, you
have now absolutely confirmed that you do indeed have a SVP set and
you can now put the time and effort into removing or clearing it.

How to recover or
clear SVP
You must ACTIVATE
your KM9AUSBPRO before it will do anything useful.
If you jumped straight in here
without reading all of the above information - STOP - and read all the
information above
FIRST!
Recovering or Clearing a Supervisor
Password (SVP) from a ThinkPad (TP) always involves
these steps.
- Identify your TP model.
- Find the location of the EEPROM connection points and EEPROM Type.
- Download and save the HMM, then follow the HMM to enable you to strip down the TP [without damaging it as you would if you don't follow the HMM] down to the point you can access that EEPROM location; depending on the model this could be ONE Screw or a total strip down.
- Connect 3 leads between the EEPROM's connection points and KeyMaker 9A USB (KM9A).
- Switch on the TP and use the KM9A Menu to select the EEPROM type which you would have from the EEPROM connection points.
  At the TOP of each EEPROM LOCATION page you will find a message, for example for R61 you would see:
  R61 R61i EEPROM you treat it as a 24RF08
  That is the EEPROM type you select at this point from the menu for your model TP if you are unlocking an R61; check for your own model and select what that page says is the EEPROM in your model TP.
- Select the command to Recover or Clear your SVP.
More detail on those 5 steps follows
below, please continue reading
It will lead to this


The connection Points on KM9A, VCC -
GND - SCL - SDA
Most times we only use GND - SCL - SDA
and leave VCC NOT connected.

There are 2 versions of the board,
firmware is identical.

When you purchase KM9A you are supplied
with a 4 wire lead.
Most of the time you will ONLY be using 3
of those 4 leads.
In the photo above on the right, the 4
wire lead is connected onto the I2C header pins
NOTE: The orientation, by convention,
much like a car battery, RED is Positive Voltage, in this case it is
called VCC.
Black is Negative or, as we will be
referring to it, GND, which stands for Ground; in plain English Ground
is the negative or common point in a circuit.
You do NOT connect VCC [the RED lead]
unless you are reading an unsoldered 24xx series EEPROM and I can't see
you doing that very often if at all unless you run a Laptop Repair Shop.
All the EEPROM location pages show 3
connection points;
- GND which you connect to the BLACK lead above.
- SCL which you connect to the YELLOW lead above.
- SDA which you connect to the WHITE lead above.
Make it a habit of connecting the 4 wire
lead as per above with the RED wire over VCC.
When it comes to making those 3
connections between KM9A and the EEPROM you have the choice of using;
- Clips to make the connections
- Using Sharp Probes, for example multimeter leads that are skinny and come to a sharp point; they also have an insulated handle for you to hold without your sweaty hands interfering with the low power signals on SDA and SCL.
Read more about Clips and Probes here.
Whichever method you choose to make the 3 connections
is up to you; so long as there is a good electrical connection during
any Read or Write operation between the connection points at both the
EEPROM and KM9A I2C ends all is well.

You really
want to unlock your TP and use it again?

It does not get any
easier than this!
Yes, you can easily do it
yourself!
If you have read all the
preceding information on this page and not simply skipped all that
boring IMPORTANT information, - if you skipped it, go
back and read all of this page above.
You should already
have:
- Identified your TP model.
- Downloaded and saved the HMM, then followed the HMM POP removal procedure to be certain it isn't simply a POP and NOT SVP you are faced with.
- Having confirmed it is a SVP, found the location of the EEPROM connection points and EEPROM Type for your TP Model.
- Followed the HMM to enable you to strip down the TP [without damaging it as you would if you don't follow the HMM] down to the point you can access that EEPROM location; depending on the model this could be ONE Screw or a total strip down.
Having found the EEPROM
connection point for your TP Model, having decided if you solder wires
or use clips or sharp probes to make the actual connections.
The time has come to
actually make those connections.
Whichever connection
method you chose, your KM9A should be switched ON, your Terminal
software should be connected to your KM9A and you should be at the
Main Menu displayed on the screen

If you really really
skipped a lot of preceding information, here is a clue, the Terminal
software runs on a second PC or Laptop, the USB port on that second PC
is connected to KM9A, NOT ON THE LOCKED TP as clearly that is
mission impossible!
A quick lesson: IBM and
Lenovo used three different key layouts for country specific
keyboards:
- QWERTY for US English
- QWERTZ for DE German
- AZERTY for FR French
Since some keys are in
different places, the password could be different for each keyboard
if those keys were used.
Use Command 6 first to
select your TP keyboard language.
KM9A REMEMBERS the last
selected Keyboard Language even if switched off.
Pay attention to
Selecting ThinkPad's Keyboard if you are doing different Language
TPs.
Keyboard Selection Menu

Keyboard selection is not
as important with KM9AUSBPRO enabled as PRO displays all recovered
passwords in all the different languages, if you are also using the
LCD board then it is important you have the correct language selected.
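Why the keyboard language matters, as an added example (not part of the original page and not KM9A's own decoding): a password is a sequence of physical keys, and the legend printed on a key depends on the national layout. The layout tables below are constructed, cover the letter rows only, and the function names are hypothetical.

```python
# Added illustration: the same physical keys carry different legends on
# QWERTY, QWERTZ and AZERTY keyboards. Constructed tables, letter rows only.

# Each layout is listed row by row in physical key order: the first ten
# keys of the top and home rows, and the first seven keys of the bottom row.
LAYOUTS = {
    "QWERTY": ("QWERTYUIOP", "ASDFGHJKL;", "ZXCVBNM"),  # US English
    "QWERTZ": ("QWERTZUIOP", "ASDFGHJKLÖ", "YXCVBNM"),  # DE German
    "AZERTY": ("AZERTYUIOP", "QSDFGHJKLM", "WXCVBN,"),  # FR French
}


def _flat(layout):
    """Return one string whose index is the physical key position."""
    try:
        return "".join(LAYOUTS[layout])
    except KeyError:
        raise ValueError(f"unknown layout: {layout!r}") from None


def relabel(password, typed_on, read_on):
    """Legends to press on `read_on` to hit the same physical keys that
    spell `password` on `typed_on`."""
    src, dst = _flat(typed_on), _flat(read_on)
    out = []
    for ch in password.upper():
        pos = src.find(ch)
        if pos < 0:
            # Digits and punctuation rows are not modelled in this sketch.
            raise ValueError(f"{ch!r} is not on the modelled {typed_on} keys")
        out.append(dst[pos])
    return "".join(out)


def all_layouts(password, typed_on="QWERTY"):
    """The same key sequence as it reads on every modelled layout."""
    return {name: relabel(password, typed_on, name) for name in LAYOUTS}


def layout_sensitive_keys(password, typed_on="QWERTY"):
    """Characters of `password` whose legend differs on another layout."""
    src = _flat(typed_on)
    sensitive = set()
    for ch in password.upper():
        pos = src.find(ch)
        if pos < 0:
            raise ValueError(f"{ch!r} is not on the modelled {typed_on} keys")
        if any(_flat(name)[pos] != ch for name in LAYOUTS):
            sensitive.add(ch)
    return sorted(sensitive)


if __name__ == "__main__":
    # The page's own example: ABCDEFG on QWERTY reads QBCDEFG on AZERTY.
    for name, text in all_layouts("ABCDEFG").items():
        print(f"{name}: {text}")
    print("layout-sensitive keys:", layout_sensitive_keys("ABCDEFG"))
```

A password made only of keys that sit in the same place on all three layouts types identically everywhere; `layout_sensitive_keys` lists the characters for which that is not true.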
First, you connect the 3
wires (GND, SDA, SCL) from the KM9A I2C header to the EEPROM
connection points on your Password Protected TP.
You can solder the 3
wires, or you can use a clip on each wire, or you can use a clip for
GND and sharp probes for SDA and SCL.
For example:
Below are photos of an R52
being unlocked using another R52 to run the Terminal software and power
the KM9AUSB.
The password
locked R52 has been opened and placed on its side to allow access to the
ON/OFF push button and also to allow access to the underside of the R52.
The Memory
cover underneath the R52 has been removed, the Memory has also been
removed to allow access to the EEPROM connection points, only 1 screw to
undo.
KM9AUSB
is powered by the USB port of the second R52, the one running the
Terminal Software to communicate with KM9AUSB.
Making the 2 probes used is described
here
Nothing else is required.
A black clip is being used for
the GND connection attached to the metal clip which normally holds the
Memory in place.
Leaving one hand free to
operate the Terminal Software, in some cases you may need 2 persons.
Looks easy - because - it is
easy when you have the right tools.

You can find the EEPROM
location and connection points for the R52 in this case on the EEPROM
Locations page, there you see the photo below of the R52 EEPROM
connections

The 2 probes held in place,
GND clip not visible clipped to finger on left that holds memory in
place.


The 3 connections MUST be
made to the correct connection points.
Double check you have not
mixed up the 3 wires.
With some models, you will
have a totally stripped down bare, yet able to be switched on and run
TP for this operation.
In that case make sure the
metal parts of the keyboard cannot come into electrical contact with
any part of the circuitry on the system board; you can use paper or
plastic or insulating tape to keep things electrically isolated.
Make sure you do have
attached the CPU heat sink and that the CPU cooling fan is connected
and will operate when the TP is switched on, else you will fry your
CPU.
On some models it helps if
you open the LCD screen at 90 degrees and stand the TP vertical so one
side of the LCD screen and one side of the Machine are resting on the
table surface, that way you can access the front and back of the TP
after it is switched ON.
If you are using sharp
probes to make the connections then you can wait until the locked TP
has Powered UP and is at a password prompt before making the
connections using your sharp probes.
You have made sure
nothing can 'short out'?
Plug a mini-USB cable from
one of the USB Ports on your unlocked laptop or PC to the USB socket
on your KM9AUSB, that will power KM9AUSB.
Switch the KeyMaker on and
run the Terminal software on your laptop or PC, NOT THE ONE LOCKED
WITH A PASSWORD, ANOTHER PC OR LAPTOP.
Connect the GND wire
from the ThinkPad to the KeyMaker I2C interface.
Of course you do need to
connect some power to the ThinkPad via your TP AC adaptor, else
nothing useful will occur.
Switch the ThinkPad ON.
PRESS AND HOLD DOWN the
ThinkPad F1 KEY
If you don't hear the
sound of the CPU cooling fan running, switch off and check it before
continuing, normally the fan runs the instant you switch the TP ON, it
may stop in the next few seconds, that's OK, so long as it does run at
start up you know you have not forgotten to connect it during
re-assembly.
WAIT until you see the
message 'Entering Bios setup' or similarly worded message or you see a
Password Prompt icon or you see an error message that is NOT about a
boot error.
ONLY THEN RELEASE THE
F1 KEY
If the ThinkPad has booted
to any operating System, switch it OFF and pay MORE ATTENTION, hold
down the F1 key and continue to hold it down while switching the
ThinkPad ON.
VERY IMPORTANT THAT YOU
DO NOT continue unless the ThinkPad is displaying the message
'Entering Bios setup' or similarly worded message or you see a
Password Prompt icon or you see an error message that is NOT about an
operating system boot error.
If you see this password
prompt icon with either the number 1 or 2 or 3 etc

That
means, that like a LOT OF PEOPLE, you are rushing and you completely
skipped the important information at the start of this page, please
switch the TP OFF, and start reading from the top of this page, this
time do NOT skip anything!
You should be seeing
this icon

One
final reminder for those in a huge rush who skip important
information, you did already follow the POP Removal procedure detailed
at the top of this page, YES?

Did you notice that each
page showing the location of the EEPROM connection point for your TP
model, starts off with, for example for R52;
R52
EEPROM you treat it as LSI
That is telling us that
the EEPROM TYPE for an R52 is LSI.
That EEPROM TYPE will be
your first Main menu selection
Go ahead and select your
TP's EEPROM type LSI, 24RF08, 24C01, 24C03 or 93C46 from
the main menu.
Type in the command number
for the EEPROM Type in your TP.
Depending on the EEPROM
Type selected, you will then see either 1 or more Command options.
Fast SVP Recovery is
always the number 1 Command.
Do not press a command button before
the EEPROM connections have been made.
If you are using sharp probes to make
the EEPROM connections, you must now apply them to the EEPROM
connection points for SDA and SCL; you did connect GND earlier,
right?
Now press the command
number for the operation you wish to perform and perform that
operation.
If you are using sharp
probes, you do need another person to type the commands for you while
you concentrate on holding the sharp probes so that there is a good
solid electrical connection during the entire operation.
If for example we had
selected LSI as the EEPROM type and then selected Command 1 for Fast SVP
Recovery we would see the following screen.
Recovered Password
ABCDEFG displayed ready to type in at the password prompt using a
QWERTY English Keyboard or QBCDEFG using an AZERTY keyboard.

The Supervisor password
(SVP)
The copy of the SVP (CSVP)
which on some older models contains the Hard Disk Password (HDP) can
also be recovered and displayed.
NOTE: on newer
models, Hard Disk Password cannot be recovered from anywhere inside
the TP, the Hard Disk itself internally looks after the HD Password.
RSC The type of
Scan code decoded, in this case R series Scan Code. Will also decode
Normal Scan Codes NSC
Now that you KNOW what
the Supervisor Password is.

Your TP is asking you to
enter the Supervisor Password?
Well now you have it!
You simply type in your
recovered SVP
and press the ENTER key.

Your TP is
now unlocked, as a reward, you are greeted by this welcome sign of
an UNLOCKED TP

Now you have
full access to your TP

Time to congratulate
yourself on a job well done.
To permanently remove the
Supervisor Password, follow the instructions for turning off the
password option in the setup.
I would recommend that you
set a new Supervisor Password, one you can remember. If you don't set
one someone else can and you may have to do this all over again, much
easier to set your own password so no one else can set one and
frustrate you.
To avoid confusion between
different language keyboards, you can select which Keyboard language
you wish to use to display your recovered passwords, see sample Screen
Shots further down at the foot of this webpage.
If the optional TPM/TCPA
Security (encryption) was enabled, then the SVP cannot be recovered -
it isn't a word or phrase that can be displayed. In that case
you would see something like this instead of your recovered SVP,
*BADCS* as per the image below, you may also see *NVPC**

THIS is
NOT a problem!
As you can see in the
screen shot above, command 2 lets you Clear SVP.
This will clear ANY
password including the encrypted TPM/TCPA SVP or as some people call
it Reset TCPA.
You press the 2 key, a
message appears asking you if you are ready to Clear SVP, you type Y
for Yes.
A few seconds later
there is no longer an encrypted SVP and TCPA has been reset.
After the Clear
SVP operation is completed, if you press 1 for Fast SVP Recovery
you will see the screen below, see - NO SVP, gone as if it
never existed.

Switch OFF your TP,
switch it back ON again and it will NOT ask you for a SVP,
as if it never existed.
CAUTION:
IF your laptop is set to boot over a Corporate Network then do not
tinker with BIOS setup unless you know the required settings for
your Corporate network.
If you have had to clear
SVP then (subject to the Caution above) you should while in BIOS
setup, SET DEFAULT setting, the F9 key does that, select BOOT and
also set defaults there by using F9.
Then Press F10 to SAVE
those settings, switch the TP OFF and switch it back ON again to
continue using it.
Those last F9, F10 steps
above are VERY IMPORTANT else you may see errors
reported, your TP may not find the Hard Disk to boot from etc.
Another quick lesson;
In the display above *BLANK*
means that there is no SVP set, the * (asterisk) on both sides of a
MESSAGE is used to indicate that the word displayed is not a recovered
password.
Same thing with the
previous screen shot *BADCS*
You may also see *NVPC**
which stands for No Valid Password Characters.
The * character can never
be typed in as a password character on any TP, so it is used on either
side of a useful message when you go looking at the recovered SVP.
KeyMaker 9A USB never
leaves you in any doubt about whether you are seeing a displayed
password or a message telling you it is a non recoverable encrypted
password *BADCS* [which stands for Bad Checksum] or that there
is no SVP set *BLANK*
If you see *BADCS* or
*NVPC** that is usually an indication that the TP has an encrypted TPM/TCPA
password set; your obvious option at that point is Clear SVP.
Final quick lesson;
When using KeyMaker 9A
USB, connection leads to the EEPROM inside a TP can be connected
whilst the TP is switched OFF or ON, the leads can be left
connected while the TP is being switched ON and OFF.
If you are new to TP
unlocking you might be thinking - so what! well read on and you
will see what a significant difference that can make.
RS-232 based simple
interfaces when connected to the EEPROM inside a TP impose a
substantial load on the EEPROM's signal lines and if left connected
will interfere with the power on and power off functions of the TP.
Which means that when
using an old RS-232 interface the EEPROM leads must be
disconnected while the TP is powering up, connected to perform a
function then disconnected again before switching the TP OFF.
When using an old RS-232
interface the EEPROM leads can ONLY be connected after the TP has been
switched ON and has completed its power up functions.
KeyMaker 9A USB's
EEPROM connections do NOT have those restrictions because the
KeyMaker 9A USB's EEPROM connection points are High Impedance,
they do not load down the signals, therefore they can be left
connected at all times without affecting TP power up or power down.
A lot of TP unlock
operations require that you Power Cycle the TP, in other words
Switch OFF, Switch ON the TP, having to disconnect leads
from the EEPROM and reconnect those EEPROM leads each time the
TP is switched ON or OFF becomes tedious and can lead to mistakes.
Another plus for Joe's
KeyMaker 9A USB.

Disclaimer
I make no warranty that any of my
information is correct, or safe, or does or does not breach any warranty
clause, or anything else, it is up to you to decide if you will
follow all or any of the instructions to recover the Supervisor Password
from a TP. It is up to you to decide, I am not responsible for the
results or for any consequential or incidental damages whatsoever.

If you have any questions, email Joe at
