Users of Lenovo ThinkPad laptops may be in for a nasty surprise if they forget their main (supervisor) hard drive password. The Chinese hardware manufacturer refuses to reset hard drive (BIOS) security passwords for laptops even if they are covered by warranty. Lenovo, which bought IBM's ThinkPad laptop business in 2005, cites …
Had to do this
My laptop was stolen and several months later it was actually returned, but the thing had been bricked by the thieves with the supervisor password nonsense. I also had the 3 year warranty and gold support or whatever from Lenovo and they refused to fix it even though I'm the registered owner. Pretty frustrating. They explained that if the motherboard hardware failed they would replace it.
What I did was find the TPM chip on the motherboard, solder a few wires to it, hook up the serial connection and reset it. Not an easy task and not for the faint of heart, but I figured it was bricked anyway so I took the risk.
Not the easiest solder connection on that board and it was on the bottom of the unit. It was challenging but in the end I got it fixed.
My thoughts exactly.
That's exactly what I plan on doing. There are a few sites that sell kits to enable this. Naturally I'll document the process and make it as public as I can. The laptop is effectively spare parts now anyway, so I might as well risk $80 to get it fixed. If that doesn't work I'll sell it for parts on ebay and then buy anything except Lenovo.
This security policy needs to change as it doesn't benefit anyone in the long-term, even Lenovo as they will ultimately lose sales.
TPM module and Serial EEPROM chips
On older Thinkpads, these are two separate chips, and the TPM module was optional on many models. On T23 through to T43's the Serial EEPROM chip was an Atmel 10 or 14 pin surface mount chip (can't remember the numbers). These are supposed to be *readable* with the kit mentioned by dkenned1, but I have tried on two separate T23's and could never get it to work, although I did use the homebrew kit rather than pre-made one. The soldering is *very* fiddly, and I challenge anyone who is not a regular user of soldering irons to successfully carry out the work.
If there is also a TPM module (optional on T23-T43), I believe that there is extra encryption involved that checks the contents, and also scrambles the password so that it cannot be read from the serial EEPROM. Similarly, if a perfect motherboard with a TPM module fitted has it removed, then this bricks the motherboard until the *correct* TPM module is replaced (ebay TP parts sellers beware of this, I have bought 2 'working' Mobo's from ebay sellers who post testing removed the TPM module and discarded it. Grrrrr).
On T60's and later, I believe that they have put the Serial EEPROM function into the TPM module, and soldered it onto the motherboard (rather than the TPM module being a plug-in daughter board). I do not believe any amount of hardware hacking will enable the passwords to be read from one of these. This is by design and is a key selling point.
I do not know how this info relates to A and R series Thinkpads. I only use second-hand T series.
Always been the case
It's not easy to do and does require some hardware hacking skills but it's not impossible to reset passwords on IBM/Lenovo laptops. Certainly less than the cost of a replacement motherboard.
This article underscores the fundamental flaw in thinking that password-only-based security represents. The password is supposed to be a secure credential, but by its nature is highly unlikely to be so in the vast majority of cases. The problem is systemic and cannot be solved satisfactorily for all cases with bolt-ons. (example: password aging schemes only ever truly inconvenience the people with a perfect right to the password. Given no change in habits, a user's stealthily busted password can be busted the same way when it's changed).
Proximity-detected, or even better, contact PIDS are really the only answer, although they suffer from many of the same "social" problems that passwords do: they get forgotten or lost and there you go. How about a motherboard-based "any three from five" scheme that could be built on the backbone of ubiquitous RFID spinoff tech using, say, jewelry, ID cards and so forth to assemble a viable identity credential set? To use your "secure" tech it would only be necessary to be wearing the right combination of items (watch, ring etc), each of which has its own identity that squawks, transponder style, when queried.
Of course, now you are into ID card territory with all the bugbears that lets loose.
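The "any three from five" idea in the comment above maps onto a threshold secret-sharing scheme. The following is an added example, not part of the original thread or any vendor's design: it uses Shamir secret sharing, and the token names, the one-share-per-token layout and the board storing only a SHA-256 digest of the secret are all assumptions.

```python
import hashlib
import hmac
import secrets

PRIME = 2**127 - 1  # Mersenne prime; all share arithmetic is done modulo this
TOKENS = ["watch", "ring", "id_card", "key_fob", "phone"]  # hypothetical items


def split(secret, k, n):
    """Shamir split: return n points on a random degree-(k-1) polynomial."""
    if not (0 <= secret < PRIME and 1 < k <= n):
        raise ValueError("bad secret or threshold")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover(shares):
    """Lagrange-interpolate the polynomial at x = 0 to get the secret back."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same token was presented twice")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def _digest(secret):
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def enroll(tokens, k):
    """Give each token one share; the board keeps only a digest of the secret."""
    secret = secrets.randbelow(PRIME)
    shares = dict(zip(tokens, split(secret, k, len(tokens))))
    return shares, _digest(secret)


def unlock(presented, stored_digest):
    """True only if the presented shares interpolate to the enrolled secret."""
    if not presented:
        return False
    return hmac.compare_digest(_digest(recover(presented)), stored_digest)


if __name__ == "__main__":
    shares, digest = enroll(TOKENS, k=3)
    print(unlock([shares[t] for t in ("watch", "ring", "phone")], digest))  # 3 of 5
    print(unlock([shares[t] for t in ("watch", "ring")], digest))           # 2 of 5
```

Losing up to two tokens still leaves a working set, while any two tokens on their own reveal nothing about the secret.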
BIOS Passwords are just a pain...
I can't see any reason why Lenovo can't reset motherboard passwords, the use of the motherboard doesn't pose any high security risk. Also it's a specialist item which is just wrong to bin due to some software on it!
However, hard drive passwords I think they're completely correct not to unlock, after all it's the data that people care about losing (mostly). If you forget your HDD password then tough luck - you've lost your data and since a HDD costs less than fifty quid now it's not an expensive or difficult item to replace.
I didn't want the HDD password to be reset, reformatting the HDD did that, but I do want them to reset the BIOS password.
Have been the same for years, what is the news?
I always considered the Thinkpad's motherboard password a last laugh, a "fcuk you thief" kind of thing. You stole my laptop, now you'll have to sweat to use it.
Not as serious as you think...
These are in my guess designed this way to create more revenue for the manufacturer. I took apart a friend's Dell one time that had this issue (forgotten password). No dip switches, no jumpers and the BIOS battery was soldered to the motherboard. Simply soldering the battery off and back on fixed the issue. My only conclusion with the no jumpers, dip switches or removable battery was a design decision to "force" people to replace the motherboard. Funny how it's still the same years later. As much as I would cheer on a good F YOU! to a thief you are probably only delaying them a couple hours from using your shiny new laptop.
Some of you make the same assumptions Lenovo did
I didn't forget the password, I've used the same one since I've had the laptop, and it's the supervisor password not the HDD password. I disabled the security to turn off the HDD password so I could reuse it, and when I set it up again that's when I got locked out. And before you say it, I didn't type it in incorrectly. But.... the laptop now takes a lot longer to prompt for a password than it did before. My view is that an encrypted password has been brought over from the TPM module when I turned that back on.
I also didn't find out about the password policy or how easy it is to potentially break the password until after I had the problem, otherwise I wouldn't have bothered, there would be no point.
I don't expect Lenovo to provide a free fix, but their solution costs more than the laptop is worth. So my point is that they assume I am wrong and offer no viable solution to the problem. If you were in my position would you be happy about their support? Make fun of the situation, call me a dumb-ass, whatever. The fact is their security and user support need updating.
Dell doesn't do that, lenovo sucks.
ShaunP highlights a flash problem
ShaunP's issue highlights a problem with flash memory, mirroring an experience we had with encrypted USB keys - but it could probably happen to any flash memory that is encrypted.
If you use the same password every day then it is nigh-on impossible to forget passwords. So when your password suddenly stops working it's incredibly frustrating. Our problem was with Sandisk Contour Cruzer 8Gb USB sticks. They support 256bit AES encryption and we duly implemented a password policy. As backup I also held an encrypted copy of all the company's passwords. Imagine my surprise when suddenly passwords stopped working on two of the memory sticks. The users hadn't changed their passwords (one of the users was me, I definitely hadn't changed my password), the password "hints" were not being displayed (a bad sign I guess) and I could not reformat the USB stick or use it in any way.
This was annoying but it's only a USB stick, the manufacturer takes full responsibility and replaced the USB stick.
What Lenovo are doing here is saying that even if their encrypted flash memory fails, they can not take responsibility for it.
Is that a breach of the "fit for purpose" section of the sale of goods act?
All of the persistent memory in a Thinkpad is checksum'd. If it were a case that this memory had become damaged or corrupted, then the checksum check would fail, leading to an identifiable pattern of beeps when the laptop is powered up.
If there were one of these pattern of beeps (which are documented in the maintenance manual that is on the Lenovo website) then Lenovo would have leapt in, and fixed the laptop under warranty.
Also, it is not always clear that the warranty is actually transferable. If this TP was bought second-hand, Lenovo may also refuse to service it. Whether this is legal or not is debatable, and has been discussed elsewhere on the Register.
The reason is simple - Lenovo (IBM as was) laptop + Hitachi (IBM as was) hard disk = bulk encryption of hard disk. Thinkpads have been able to do this (with the right h/d) for a decade or so. Nothing to do with the operating system AT ALL.
What's the point in bulk encrypting the hard drives if a phone call to some muppet in support permits you to reset the password and gain access to the data?
I don't expect Truecrypt/Bestcrypt/whatever to be able to circumvent encryption with a "master reset" password so why would I expect Lenovo to do it?
Can't remember the password you set DESPITE the dire warnings about the hard drive? If so then you shouldn't have been allowed access to the machine's BIOS in the first place.
Oh and you're a fuckwit :-)
In a Thinkpad, the disk is not encrypted with the HD password, the disk controller just refuses to work as a disk controller if the password check fails. You're thinking of something like a Flagstone disk, which are not fitted to TP's
In theory, it would be possible to change the drive electronics and get access to the data on the disk, but this is way beyond a casual thief, and requires a controller board with the same revision and firmware as the original.
The option with TravelStar (and other) disks is to use an IOCTL to cause the disk to forget the password, but this also then clears the disk. The disk becomes usable again, but the data is lost.
Bah kids today.....
....Forgot the BIOS password and still under warranty....?
By pass the power brick and send 240 straight into it. One f**ked laptop.
Geeezzz some people have no imagination these days.....
AFAIK Fujitsu laptops are the only ones with a secure BIOS
Caveat: This info was true as of 2005 and is entirely from memory so it may contain some slight inaccuracies regarding the hardware.
I have never encountered a BIOS that could not be bypassed some way or another until a few years ago. Usually there will be a tool/utility/info on one of the more unscrupulous forums dedicated to such tasks (admin backdoor/ password reset or removal/brute forcer/hex editor/jumper short - old skool). However, after a particularly hasty bid on two cheap Fujitsu laptops listed on FleaBay for spares or repair, I found out the hard way that this is not always the case.
You see those clever chaps over in Singapore realised what most have already posted on here: Give someone a scope and enough time and they will prod and poke your BIOS until they find a way in.
So they developed a proprietary daughter chip that sits alongside the BIOS chip. This chip creates a secure communication channel between the user and BIOS using proprietary encryption. The result if you forget your BIOS password? You need to send the laptop board to Singapore to have the password reset by a Fujitsu engineer. Or buy a replacement board yourself for about £100 more and save yourself 6 weeks wait. Suffice to say, the car-puter project didn't warrant that sort of expenditure and one of those two laptops is still available should anyone want a 1ghz Athlon lappy that can only boot from live CD's or HDD (caddy not included).
Further research (at the time) confirmed Fujitsu were the ONLY manufacturer to produce laptops with a secure and unbreakable BIOS password policy (thanks to the daughter chip). It would surprise me not if this were still true today.
@SquashNutz - Standard TPM 'Fritz chip' behaviour
I don't believe that Fujitsu are unique. I believe that a Thinkpad with an enabled TPM Security Module is pretty much the same. (Fuji copied so much of the design features of some of their Lifebooks from IBM Thinkpads, it's scary).
Earlier TP's, or later ones without the TPM Security Module fitted (it was optional on many models) can be hacked. Ones with the Security Module fitted and enabled can't.
You can't boot the TP without the security module installed, and it enforces encryption of the various passwords when it is enabled. This is part of the function of the TPM module, which also has a good (albeit a bit slow for the early ones) hardware random number generator, and also offers hardware based encryption to speed up SSL, and encrypted password storage for an OS and applications that support the API.
I believe that if ShaunP's Thinkpad is indeed a T61, with the security module enabled, then he will not get it working again without replacing the motherboard.
BTW. Shaun has been complaining that he did not 'forget' the password, but the original article title is at odds with that assertion.
And your point is?
Personally I think Lenovo are right to do this. Some of us actually need devices that are secure if some scroat nicks them.
What next, complaints that you have to re-install Windows if you forget your password and haven't made a recovery disk?
I've very little sympathy for anyone who gets hit by this, and it's not exactly clear how a web-based reset could work on a supervisor password, much less how you could avoid knackering your security reputation.
Anyone who gets hit by this will certainly remember to keep a backup of their password next time!
How do you back up the password?
I know what the password is, I never 'forgot it', but Lenovo don't have a policy for this other than buy a new motherboard.
Supervisor password is relatively trivial to obtain...
At least on my T42 it was!
Build a relatively simple circuit with a few components from Maplink, and solder the whole thing on to the mobo, along with a couple of bits of software installed on a computer with a serial port, and you can read the password in plain text...
And, no, I'm not a surface soldering expert, again a £15 soldering iron from Maplink will do...
If you can't follow the simple instructions online, you really shouldn't be allowed near a computer... IMHO...
Ooooh, they still have that policy?
One guy at high school had the misfortune of setting his password, and he immediately forgot his password.
He then spent MONTHS trying to get IBM to reset his password... he eventually had to buy another laptop. That was back in 1998, seems like that policy has remained in Lenovo.
How much is your data worth?
The whole point is that IBM, and now Lenovo, are doing what they can to make it extremely difficult to break drive security. Resetting a power-on password is no big deal. It doesn't unlock any data, it's a very superficial level of security.
I would put forth that, if the confidentiality of your data isn't worth more than the price of your laptop, you probably shouldn't set that password. There are DIRE WARNINGS that inform the user of these consequences prior to setting the supervisor password. No, a field tech can't do anything with the encryption chips on the system board. IBM and Lenovo seem to be of the mind that they won't even trust a board once they've messed with jumpering and resetting the chip, so they won't even mess with trying to "rehab" boards with that password set. The selling point is that it's so non-trivial to reset one of these passwords (which would enable the recovery of the data) that your average burglars or laptop snatchers are simply not going to have the skills to compromise the data. They might be able to sell the machine for parts, but your business or agency is likely not going to be embarrassed by having all your clients' or patients' personal information sold off. Your company secrets are less likely to find their way into the hands of your competition. Your data is really as safe as it's going to get on a device that is ostensibly going to be exposed to leaving secure facilities and is rather easy to walk-off with.
T400 booted up asking for a password.
My office Lenovo woke up one morning asking for the administrator/bios password... I never had it. IT finally figured it out after 3 days someone (not Lenovo) showed up with the right password.
I used to like Think pads and own a couple for myself until I got this T400 in the office - it's a rather large, heavy piece of crap, has blue screened on me more than a few times, doesn't wake up properly etc. etc.
I won't be buying any more Lenovos.
hehe.. i remember doing the old tosh*ba "parallel port" hack back in uni days..
Interestingly on the A*pire1 the cmos/etc password is stored within the 8 pin flash, so much for security here.
Yes, the biggest problem seems to be that those who steal laptops/etc would rather scavenge what they can (screen, DVD drive, case, etc) and dump the rest rather than fiddling with them, a variant on the car stripping scam.
Beware used motherboards, they are usually locked. Guess how I found that out :(
So it would seem that the solution here is to implement "secure inactivation", incorporate a feature in the screen controller etc rendering it permanently unusable if a password is set except on the machine it was originally installed on.
Bonus if it displays "STOLEN!!!!" in red flashing letters for good measure.
I still like my idea, a device in the hard drive which if not disarmed permanently blows the head amplifier and scores the platters (koff reverse biased tantalum /koff) thereby rendering the drive a paperweight.
AC, because this is probably too much information...
I think the author hasn't done his research
"a variety of password recovery tools will do the job for around $80"
The tools exist, but they don't do the job. Resetting the supervisor password involves replacing an EEPROM chip on the motherboard, among others. This is very risky to do by hand even by a specialist. The board has a very high density and even the slightest mistake will destroy that board. There is also the question of resetting the TPM chip if one exists. Now these chips are designed so that they can't be reset. At least the procedure is a very closely guarded secret. Can't say the supervisor password can't be reset with the right equipment and expertise, but it would definitely cost more than a brand new laptop.