How to unlock any ThinkPad (TP) using Joe's KeyMaker 7 USB
Recovering or Clearing a Supervisor Password (SVP) from a TP is fairly straightforward once you know how to avoid all the TRAPS IBM/Lenovo have set for you, the customer.
I know this is all very exciting and you are ready to start stripping down your TP and jump into it, but WAIT! Read all of this first.
Most people are absolutely certain they have a Supervisor Password (SVP) set, or as some people incorrectly call it, a BIOS Password (there is NO BIOS PASSWORD IN ANY ThinkPad).
There is a chance you may not have a SVP set in
your TP.
I have exchanged emails with many people who have gone through the whole SVP unlocking thing, read the EEPROM, wasted days, only to discover there is no SVP set at all.
How is that possible? Are these people really dumb or something?
The answer is NO, these are all perfectly sane
intelligent people.
The real problem is IBM/Lenovo and their warped
sense of humour.
When you really do have strong security, you
challenge people to try and defeat it, you invite peer review to
make sure it is in fact secure.
When you have flimsy pretend security and you obstinately pretend it is so secure even you can't unlock it, well, you have to get all secretive and vague about everything, HOPING people won't find out; in other words, an illusion of strong security where none really exists, which is what we have here.
Trap number 1, the Hard Disk Password (HDP)
If at any time you see this Password prompt icon

That icon with the small number 1 (it may be a small number 2 or 3 if you have more than one Hard Disk) means the HDP is set. You will not be able to easily recover or clear the HDP; KM7 USB will NOT recover or clear HDP.
It will cost you more to clear the HDP
than a new Hard disk is worth.
Clearing a HDP is only worth the
expense and effort if there is valuable data on the Hard disk that
MUST be recovered.
If HDP is set then remove the
Hard Disk [HD] before continuing so that you can determine which other
passwords (IF ANY) you need to recover or clear.
There may not be any other password set!
Ok, you removed the HD and you see yet another
Password Prompt icon.
Trap number 2, the guessing game - is it SVP or POP -
The trap is that IBM/Lenovo in their wisdom chose to have THE SAME PASSWORD PROMPT ICON for BOTH SVP and Power on Password (POP).

The password prompt icon pictured above does NOT define which PASSWORD it is asking you to enter.
It can be either POP or SVP.
There is only ONE way to find out for sure which one it is, and maybe save a LOT of time.
- Identify your TP model
- Download the Hardware Maintenance Manual (HMM) for your TP model
The link above is to the IBM/Lenovo site. If it doesn't work, don't panic, it isn't broken; their site is shut down daily for maintenance and at those times they display spurious messages like the page you requested cannot be found. Wait a good while and try again.
Using the HMM link above, once you select a model
and are on the page that has the PDF HMM for that model, it is best to
right click on the PDF HMM for your model then select Save Target
AS, that way you will have the PDF HMM on your PC to refer to any
time you need it.
Spend the time to read the first part of the HMM, which deals with Cautions, some of which (Shock Sensors, for example) are very important. You would not want to handle your System board roughly, only to find out when you power it up to unlock it that you have in fact ruined it.
Read the HMM section dealing with Passwords and become familiar with how to remove Power on Password [POP].
Then follow the instructions for POP Removal.
After performing POP Removal if there is no password
prompt icon displayed, you are done, your TP is unlocked.
If you have performed POP Removal and you continue to see this password prompt icon

It does NOT mean you didn't perform POP Removal correctly.
It means that, with POP removed, you have now absolutely confirmed that you do indeed have a SVP set and you can now put the time and effort into removing or clearing it.
How to recover or clear SVP
If you jumped straight in here without reading the above - STOP - and read the information above FIRST!
Recovering or Clearing a Supervisor Password (SVP) from a ThinkPad (TP) always involves these steps.
- Identify
your TP model.
- Find the location of the EEPROM connection
points and EEPROM Type.
- Download and save the HMM, then follow the HMM to enable you to strip down the TP [without damaging it as you would if you don't follow the HMM] down to the point you can access that EEPROM location; depending on the model this could be ONE Screw or a total strip down.
- Connect 3 leads between the EEPROM's connection
points and KeyMaker 7 USB (KM7)
- Switch on the TP and use the KM8 Menu to select
the EEPROM type which you would have from the EEPROM connection
points;
At the TOP of each EEPROM LOCATION page you will find a message, for example for R61 you would see;
R61 R61i EEPROM you treat it as a 24RF08
That is the EEPROM type you select at this point from the menu for your model TP if you are unlocking an R61. Check for your own model and select what that page says is the EEPROM in your model TP.
- Select the command to Recover or Clear your SVP.
More detail on those 5 steps follows below, please continue reading.
It will lead to this


The connection Points on KM7, VCC - GND - SCL - SDA
Most times we only use GND - SCL - SDA and leave
VCC NOT connected.

When you purchase KM7 you are supplied with 2 leads,
a 4 wire lead and a 6 wire lead.
The 6 wire lead is ONLY used for the 93C46 EEPROM found in some really really old TPs.
The 4 wire lead is what you will use the most.
Most of the time you will ONLY be using 3 of those 4
leads.
In the photo above on the right, the 4 wire lead is connected onto the I2C header pins.
NOTE: The orientation. By convention, much like a car battery, RED is Positive Voltage; in this case it is called VCC.
Black is Negative, or as we will be referring to it, GND, which stands for Ground; in plain English, Ground is the negative or common point in a circuit.
You do NOT connect VCC [the RED lead] unless you are
reading an unsoldered 24xx series EEPROM and I can't see you doing that
very often if at all unless you run a Laptop Repair Shop.
All the EEPROM location pages show 3 connection
points;
- GND which you connect to the BLACK lead above.
- SCL which you connect to the YELLOW lead above.
- SDA which you connect to the WHITE lead above.
Make it a habit to connect the 4 wire lead as per above, with the RED wire over VCC.
When it comes to making those 3 connections between
KM7 and the EEPROM you have the choice of using;
- Clips to make the connections
- Using Sharp Probes, for example multimeter leads that are skinny and come to a sharp point; they also have an insulated handle for you to hold without your sweaty hands interfering with the low power signals on SDA and SCL.
- Solder the thin enamel wire supplied to the EEPROM pins; don't forget to tape them down just near the solder joint to relieve tension on the solder joint. NO, you don't run the thin wires all the way back to the I2C header on the KM7. You only run the thin wires until they exit the side of the TP, then you join each one to the supplied 4 wire cable by soldering a short piece of copper wire [an off cut from a resistor works well] onto the end of the enamel wire and poking the short bit of copper wire into the 4 lead cable holes.
Like this, it is a good idea to label the enamel wire
ends to avoid getting them mixed up. Notice the RED wire not being used
at all.

Whichever method you choose to make the 3 connections is up to you; so long as there is a good electrical connection during any Read or Write operation between the connection points at both the EEPROM and KM7 I2C ends, all is well.



You really want to unlock your TP and use it again?

It does not get any easier than this!
Yes, you can easily do it yourself!
If you have read all the preceding information on this page and not simply skipped all that boring IMPORTANT information (if you skipped it, go back and read all of this page above), you should already have:
- Identified your TP model.
- Downloaded and saved the HMM, then followed the HMM POP removal procedure to be certain it isn't simply a POP and NOT SVP you are faced with.
- Having confirmed it is a SVP, found the location of the EEPROM connection points and EEPROM Type for your TP Model.
- Followed the HMM to enable you to strip down the TP [without damaging it as you would if you don't follow the HMM] down to the point you can access that EEPROM location; depending on the model this could be ONE Screw or a total strip down.
Having found the EEPROM connection point for your TP Model, and having decided whether you solder wires or use clips or sharp probes to make the actual connections, the time has come to actually make those connections.
Whichever connection method you chose, your KM7x should be switched ON, your Terminal software should be connected to your KM7x and you should be at the Main Menu displayed on the screen.

If you really really skipped a lot of preceding information, here is a clue: the Terminal software runs on a second PC or Laptop, and the USB port on that second PC is connected to KM7x, NOT ON THE LOCKED TP, as clearly that is mission impossible!
A quick lesson: IBM and Lenovo used three different key layouts for
country specific keyboards:
QWERTY for US English
QWERTZ for DE German
AZERTY for FR French
Since some keys are in different places, the password could be
different for each keyboard if those keys were used.
Use Command 6 first to select your
TP keyboard language.
KM7x REMEMBERS the last selected
Keyboard Language even if switched off.
Pay attention to Selecting
ThinkPad's Keyboard if you are doing
different Language TPs.
Keyboard Selection Menu

First, you connect the 3 wires (GND,
SDA, SCL) from the KM7x I2C header to the EEPROM connection points on your Password Protected TP.
You can solder the 3 wires, or you
can use a clip on each wire, or you can use a clip for GND and sharp probes for
SDA and SCL.
For example:
A T60 being unlocked, using Joe's KeyMaker 7 together with Joe's KeyMaker 7 LCD.
Using two multimeter leads with sharp points, hand held [in one hand], for the SDA and SCL connections.
A black clip is being used for the GND connection, attached to the CPU heat sink.
Leaving one hand free to operate the Joystick on the KeyMaker 7 LCD board.
Looks easy - because - it is easy when you have the right tools.


The 3 connections MUST be made to the correct connection points.
Double check you have not mixed up the 3 wires.
With some models, you will have a totally stripped down, bare TP that can still be switched on and run for this operation.
In that case make sure the metal parts of the keyboard cannot come into electrical contact with any part of the circuitry on the system board. You can use paper or plastic or insulating tape to keep things electrically isolated.
Make sure you have attached the CPU heat sink and that the CPU cooling fan is connected and will operate when the TP is switched on, else you will fry your CPU.
On some models it helps if you open
the LCD screen at 90 degrees and stand the TP vertical so one side of the LCD
screen and one side of the Machine are resting on the table surface, that way
you can access the front and back of the TP after it is switched ON.
If you are using sharp probes to
make the connections then you can wait until the locked TP has Powered UP and is
at a password prompt before making the connections using your sharp probes.
You have made sure nothing can 'short out'?
Switch your TP On using the Power On button on its keyboard. Of course you do need to connect some power to it via your TP AC adaptor, else nothing useful will occur.
If you don't hear the sound of the CPU cooling fan running, switch off and check it before continuing. Normally the fan runs the instant you switch the TP ON; it may stop in the next few seconds, that's OK, so long as it does run at start up you know you have not forgotten to connect it during re-assembly.
As soon as you see the IBM/Lenovo logo displayed - press the ESC key.
Then - press the F1 key.
You should see a message 'Entering Bios set-up' or similarly worded message.
Then you should see a Password
prompt icon.
If you see this password prompt icon with either the number 1 or 2 or 3 etc

That means that, like a LOT OF PEOPLE, you are rushing and you completely skipped the important information at the start of this page. Please switch the TP OFF, and start reading from the top of this page; this time do NOT skip anything!
You should be seeing this icon

One final reminder for those in a huge rush who skip important information: you did already follow the POP Removal procedure detailed at the top of this page, YES?

Did you notice that each page
showing the location of the EEPROM connection point for your TP model, starts
off with, for example for R52;
R52 EEPROM you treat it as LSI
That is telling us that the EEPROM
TYPE for an R52 is LSI.
That EEPROM TYPE will be your first Main menu selection.
Go ahead and select your TP's EEPROM type (LSI, 24RF08, 24C01, 24C03 or 93C46) from the main menu.
Type in the command number for the
EEPROM Type in your TP.
Depending on the EEPROM Type
selected, you will then see either 1 or more Command options.
Fast SVP Recovery is always the
number 1 Command.
Do not press a command button before the EEPROM connections
have been made.
If you are using sharp probes to make the EEPROM connections, you must now apply them to the EEPROM connection points for SDA and SCL. You did connect GND earlier, right?
Now press the command number for the
operation you wish to perform and perform that operation.
If you are using sharp probes, you
do need another person to type the commands for you while you concentrate on
holding the sharp probes so that there is a good solid electrical connection
during the entire operation.
If, for example, we had selected LSI as the EEPROM type and then selected Command 1 for Fast SVP Recovery, we would see the following screen.
Recovered Passwords QAZYSVP displayed, ready to type in at the password prompt using a QWERTY English Keyboard

The Supervisor password (SVP)
The copy of the SVP (CSVP), which on some older models contains the Hard Disk Password (HDP), can also be recovered and displayed.
NOTE: on newer models, Hard Disk Password cannot be recovered from anywhere inside the TP; the Hard Disk itself internally looks after the HD Password.
RSC: The type of Scan code decoded, in this case R series Scan Code. Will also decode Normal Scan Codes (NSC).
Now that you KNOW what the Supervisor Password is.

Your TP is asking you to enter the Supervisor Password?
Well, now you have it!
You simply type in your recovered SVP and press the ENTER key.

Your TP is now unlocked; as a reward, you are greeted by this welcome sign of an UNLOCKED TP

Now you have full access to your TP

Time to congratulate yourself on a
job well done.
To permanently remove the Supervisor Password, follow
the instructions for turning off
the password option in the setup.
I would recommend that you set a new Supervisor Password, one you can remember. If you don't set one, someone else can and you may have to do this all over again; it is much easier to set your own password so no one else can set one and frustrate you.
To avoid confusion between different language keyboards, you
can select which Keyboard language you
wish to use to display your recovered passwords, see sample Screen Shots further
down at the foot of this webpage.
If the optional TPM Security (encryption) was enabled, then the SVP cannot be recovered - it isn't a word or phrase that can be displayed. In that case you would see something like this instead of your recovered SVP: *BADCS*, as per the image below. You may also see *NVPC**

THIS is NOT a problem!
As you can see in the screen shot above, command 2 lets you Clear SVP.
This will clear ANY password, including the encrypted TPM SVP, or as some people call it, Reset TCPA.
You press the 2 key, a message appears asking you if you are ready to Clear SVP, and you type Y for Yes.
A few seconds later there is no longer an encrypted SVP and TCPA has been reset.
After the Clear SVP
operation is completed, if you press 1 for Fast SVP Recovery
you will see the screen below, see - NO SVP, gone as if it
never existed.

Switch OFF your TP,
switch it back ON again and it will NOT ask you for a SVP, as
if it never existed.
CAUTION:
IF your laptop is set to boot over a Corporate Network then do not tinker with
BIOS set-up unless you know the required settings for your Corporate network.
If you have had to clear SVP then (subject to the Caution above) you should, while in BIOS set-up, SET DEFAULT settings (the F9 key does that), then select BOOT and also set defaults there by using F9.
Then Press F10 to SAVE those settings, switch the TP OFF and switch it back ON again to continue using it.
Those last F9, F10 steps above are VERY IMPORTANT, else you may see errors reported, your TP may not find the Hard Disk to boot from etc.
Another quick lesson;
In the display above, *BLANK* means that there is no SVP set. The * (asterisk) on both sides of a MESSAGE is used to indicate that the word displayed is not a recovered password.
Same thing with the previous screen shot, *BADCS*.
You may also see *NVPC** which stands for No Valid Password Characters.
The * character can never be typed in as a password character on any TP, so it is used on either side of a useful message when you go looking at the recovered SVP.
KeyMaker 7 USB never leaves you in any doubt about whether you are seeing a displayed password, or a message telling you it is a non recoverable encrypted password, *BADCS* [which stands for Bad Checksum], or that there is no SVP set, *BLANK*.
If you see *BADCS* or *NVPC**, that is usually an indication that the TP has an encrypted TPM password set; your obvious option at that point is Clear SVP.
Final quick lesson;
When using KeyMaker 7 USB, connection
leads to the EEPROM inside a TP can be connected whilst the TP is
switched OFF or ON, the leads can be left connected while the TP is being switched ON and OFF.
If you are new to TP unlocking you might be thinking - so what! Well, read on and you will see what a significant difference that can make.
RS-232 based simple interfaces, when connected to the EEPROM inside a TP, impose a substantial load on the EEPROM's signal lines and if left connected will interfere with the power on and power off functions of the TP.
Which means that when using an old RS-232 interface the EEPROM leads must be disconnected while the TP is powering up, connected to perform a function, then disconnected again before switching the TP OFF.
When using an old RS-232 interface the EEPROM leads can ONLY be connected after the TP has been switched ON and has completed its power up functions.
KeyMaker 7 USB's EEPROM connections do NOT have those restrictions, because the KeyMaker 7 USB's EEPROM connection points are High Impedance; they do not load down the signals, therefore they can be left connected at all times without affecting TP power up or power down.
A lot of TP unlock operations require that you Power Cycle the TP, in other words Switch OFF, Switch ON the TP. Having to disconnect leads from the EEPROM and reconnect those EEPROM leads each time the TP is switched ON or OFF becomes tedious and can lead to mistakes.
Another plus for Joe's KeyMaker 7 USB.

Disclaimer
I make no warranty that any of my
information is correct, or safe, or does or does not breach any warranty
clause, or anything else, it is up to you to decide if you will
follow all or any of the instructions to recover the Supervisor Password
from a TP. It is up to you to decide, I am not responsible for the
results or for any consequential or incidental damages whatsoever.


If you have any questions, email Joe at
