Back during the summer I had the pleasure of going to FOSSCON 2015 in Philadelphia, PA. Some of you might remember that from my post where I talked about meeting Eric S. Raymond. While I was at FOSSCON, I picked up two laptops from a company that was selling refurbed x86 laptops. I managed to nab two X31 ThinkPads for $30, so I was quite pleased. The units were previously owned by a community learning center, so I figured they were well cared for. When I got home I put them on the shelf till I had time to figure out what to do with them. Since I’ve been unemployed recently I decided to take them down and start doing something with them. And that’s when I realized I made a terrible mistake. The ThinkPads were locked with BIOS passwords. I thought to myself, “Ok that’s not a big deal; I’ll just pull the CMOS battery and reset it.” Unfortunately that’s when I realized a bigger problem: the units also had Supervisor Passwords, which aren’t stored in the BIOS and can’t be removed by pulling the battery. The supervisor password on ThinkPads is stored on an EEPROM chip on the motherboard and it must be accessed directly through other hardware. I don’t have that hardware, but I know a couple of guys who do. So I sent out a few texts and convinced my friends Jason and Will that the next time we got together they should help me unbrick these units. Thankfully they are awesome guys who were more than happy to help me along. Let this be a lesson to everyone: if you’re primarily a software person, make friends with people that are great with hardware!
After searching around online I was able to find a few guides on how to remove the supervisor passwords on other ThinkPads, so we had a good idea of what we needed to do. Unfortunately, all the other guides we found were for units where this was easy; sadly, it’s not on the X31. While most ThinkPads have the ATMEL chip under the keyboard so it’s easy to access, on the X31 units it’s on the bottom side of the motherboard, so you have to completely disassemble the unit to get access to it. However, this is where the fun comes in: since the chip itself is encrypted, you have to be able to power on the unit to read it. So that meant we had to take the unit apart, and then piece enough of it back together so that it’d actually start up. This in itself was a fun challenge since finding the exact parts needed to boot was tricky. Hint: you have to plug in the modem to boot the unit… don’t ask me why, I have no clue. It was at this point that we realized we’d need to elevate the motherboard off the table so that we could get access to the chip, and that the keyboard was shorting out the system by contacting the motherboard. A few sheets of notebook paper later and we had the unit mostly together and able to boot without issue.
Initially we planned to use an Arduino, but we didn’t really come prepared and weren’t having any luck in figuring out how exactly to get everything to work that way, so we eventually decided to break out the Bus Pirate. After a few failed attempts at reading the chip we realized that running the system without a CPU heat-sink might not be a good idea, so we decided to add that back in. Of course we couldn’t screw down the heat-sink since it screws into the back of the case, so we had to manually hold the heat-sink on the CPU while we were running the unit. Eventually we decided to ditch the Arduino altogether and just wire the Bus Pirate to the chip directly. While we didn’t follow this guide completely, if you’re facing the same problem, check out this guide.
We were having the hardest time figuring out why it wasn’t working properly for about 15 minutes until we realized that we had disconnected the leads. Always remember the basics: if you’re getting no signal… make sure you’re actually connected. After a few laughs we managed to get it hooked back up.
Now we were getting somewhere. We were able to read the data directly from the chip, and then it was a simple matter of decoding the key values, figuring out the keystrokes, and then testing on the other unit, which was still put together.
I’m glad to report that both units are working fine now, and are rocking Haiku.
If you want more information on the Bus Pirate, I strongly suggest you check out its page at Adafruit.