
EEPROM story, aka how to brick your laptop in one simple step


NOTE

The action described here took place many years ago, like ten years ago. I knew even less about thinking rocks (computers) than I do now.

Thanks Sébastien for convincing me to publish this one.


Phase 1

It was around 3 AM when I was installing Argh Loomix (high school times, when pacman -Syu five times a day was a thing). OK, disk encrypted, works fine with btrfs and compression. The only thing missing was a BIOS password. Sure thing! I enter the passphrase, confirm, apply — done. I powered on the laptop. Let’s see if the passphrase works.

I type the passphrase once, twice — nothing. It’s rejected. That’s impossible; this is exactly why I wanted to check it immediately, to catch an issue like this.

I started trying various combinations, to the point that I forgot what the original passphrase was.

Being used to desktop computers, I thought:

meh, let’s just remove the battery from the motherboard

Narrator:

that’s the moment they knew they fucked up

Yes, a few seconds after removing the battery, I understood what I had just done. It wouldn’t make any sense to have a passphrase on a mobile device if you could just remove the battery and get into the device anyway.

Hello, EEPROM, my new friend. So, after removing the battery, Catch-22 mode was on. The CMOS settings were gone and had to be restored to defaults. To restore the defaults, I needed to provide the passphrase. Yes, before that the passphrase had not been required, as I had locked access to the BIOS setup only, not to the bootloader.

If I had not removed the battery, I could still have used the laptop.

Phase 2: research go brr

I already knew that the passphrase is stored in a separate chip — an EEPROM.

I found a project specialized in removing passwords from ThinkPad devices. They also provided hardware and software for that, but either of them cost twice what I had paid for the ThinkPad. Not an option.

Some part of that software was available, however. It could read, write, and decode the EEPROM contents.

Phase 3: theory and practice

One of my friends was building a CNC machine at the time and had a laptop with a COM port, which was mandatory for the operation. It was possible to hook up a few cables to the COM pins and connect them to specific pins on the EEPROM. Sounds good in theory.

It was not possible to solder them to the chip because of the chip size and the tools we had. So, my friend operated the software and I held this spaghetti of wires together while the EEPROM was being read and the dump taken.

Decoding the password, however, didn’t bring the results we expected.

Well, we expected little, to be honest. But we had an EEPROM dump and could see that the passphrase was there; the decoded form, however, was mangled. I could recognize some part of my input, but not all of it.

That confirmed what I had thought before: some special characters I used in the passphrase weren’t encoded properly. They could pass validation upon creation, but the stored content differed from what I typed, so my input would never match the passphrase.
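The failure mode described above (a passphrase accepted at set time that can never be matched at the prompt) is easy to model. The following is an added illustration, not code from the post and not the real ThinkPad firmware scheme: the character table, the two encoding paths and the `UNKNOWN` code are assumptions made for the example. It shows how a dump decoder ends up with a partly recognisable, partly mangled string, and the pre-flight check that would have caught the problem before pressing apply.

```python
# Added illustration, not code from the post: a toy model of how a BIOS passphrase
# can pass validation when it is set and still never match at the boot prompt.
# The character table and the two encoding paths are assumptions for this example;
# they are not the real ThinkPad firmware scheme.

# Hypothetical character set the firmware can represent: letters, digits, a few marks.
FIRMWARE_CHARSET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789-_."
)
CODE_OF = {ch: i + 1 for i, ch in enumerate(FIRMWARE_CHARSET)}   # codes 1..n
UNKNOWN = 0xFF   # assumed: code the setup screen stores for a key it cannot map


def setup_encode(passphrase: str) -> bytes:
    """Set-time path (BIOS setup screen). Validation only checks the length, and
    any character outside the table is stored as UNKNOWN, so odd input is accepted."""
    if not 1 <= len(passphrase) <= 16:
        raise ValueError("length must be 1..16")
    return bytes(CODE_OF.get(ch, UNKNOWN) for ch in passphrase)


def prompt_encode(typed: str) -> bytes:
    """Boot-time path (power-on prompt). Assumed to use a stricter keymap that
    silently drops keys it cannot represent, which is why the two paths diverge."""
    return bytes(CODE_OF[ch] for ch in typed if ch in CODE_OF)


def passphrase_matches(typed: str, stored: bytes) -> bool:
    """What the firmware compares at boot: freshly encoded input vs. the stored value."""
    return prompt_encode(typed) == stored


def decode_dump(stored: bytes) -> str:
    """What a dump decoder shows: mapped codes become characters, UNKNOWN becomes '?'."""
    return "".join(FIRMWARE_CHARSET[b - 1] if b != UNKNOWN else "?" for b in stored)


def preflight_problems(passphrase: str) -> list[str]:
    """Check to run before committing a passphrase: characters the prompt cannot reproduce."""
    return sorted({ch for ch in passphrase if ch not in CODE_OF})


if __name__ == "__main__":
    chosen = "Tux§2013!"            # constructed sample: two characters outside the table
    stored = setup_encode(chosen)   # the setup screen accepts it without complaint
    print(decode_dump(stored))      # Tux?2013?  -> partly recognisable, partly mangled
    print(passphrase_matches(chosen, stored))   # False: locked out with the right input
    print(preflight_problems(chosen))           # ['!', '§'] -> fix these before applying
```

The practical takeaway is the last function: before committing a firmware password, make sure every character is one the power-on prompt can actually produce, because the setup screen's validation is not a round-trip test.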

Phase 4: there’s nothing to lose

As the case was already lost and I had started looking for replacement motherboards, we tried the last option: writing some random dumps from the Internet into my precious EEPROM. We’ve been through a lot, my little chip.

OK, we had five dumps, with passwords provided.

First — nothing.

Second — nope.

Third — are you kidding?

Fourth — u mad?

And here we go: the last EEPROM dump we had. I was ready to get my $FAVE_DRINK and call it a day. Screw it.

EEPROM dump loaded, powering on the computer. Typing the passphrase provided. It… worked! Boom, I could unlock my disk now and proceed to the bootloader. I had never been so happy to see a system booting, not to mention opening a browser and being able to use a computer.

dmidecode showed some interesting things. The detected model was T43, so it matched the model of the EEPROM donor.

My OCD was racing for a while, but soon I forgot about that.

I got a working computer in the end.