Thinkpad 24RF08 SVP unlocking

I just got a donated Lenovo R500 notebook. Fortunately it works, and also includes a puzzle before I can actually use it. It has the SVP password enabled (supervisor password). This password is stored in a 24RF08 i2c EEPROM, and is NOT clearable by removing batteries, shorting stuff etc. Also the EEPROM includes two CRC fields, and can not just be patched.

I am possibly going to get pounded on for publishing this. The Lenovo support forums clearly forbid even talking about this. This is to prevent theft of notebooks they state. But there are multiple websites out there, that wants to take your hard earned cash and sell you a small device which can talk to the i2c bus on the notebook, and either display the password or reset it. If someone steals a notebook, they can unlock it with such a device.

But paying for the solution is unsportly behaviour, and not a part of this solution. I already have the Dangerous Prototypes Bus Pirate v3, which talks i2c natively, via a terminal emulator interface.

Read on for this adventure …

Also the AT24RF08 datasheet is available on Google if you can sift through all those blood sucking sites that want your money for a otherwise FREE datasheet. Come on, guys, that’s just awful.

Anyway, on to the procedure:

1) Disassmble the notebook completely. Remove motherboard. Remove black plastic tape below the PCMCIA/PCCARD slots, there you will find the 24RF08 chip which we’re going to talk to. Place heatsinks on CPU and GPU, and connect the fan cable. Connect external monitor or LCD. Connect native keyboard (take care not to short anything) or external keyboard.
– Connect Bus Pirate to GND, SDA and SCL on the 24RF08. With a R500 that involves completely removing the motherboard from the notebook. Take a look here for connections: http://www.ja.axxs.net/r500.htm
– Check you haven’t shorted anything. Connect power.
– Download TeraTerm 4.76 or better (http://ttssh2.sourceforge.jp/), and connect to your BusPirate COM port at 115200 bps. When you configure the serial connection, use 10msec delay per char, and 100ms per line – that worked for me (this part is important).

– Step into i2c mode:

HiZ>m<<<open the mode menu
1. HiZ
…
4. I2C
…
(1) >4<<<choose I2C mode
Set speed:
1. 50KHz
2. 100KHz
3. 400kHz
(1) >2<<<choose I2C speed
I2C READY
I2C>

If you wan’t to check your i2c connection, you can put the BusPirate into i2c snooping mode:

I2C>(2)
I2C bus sniffer, press any key to exit

Now power on the notebook. You should get some output in TeraTerm confirming i2c communication to the 24RF08. This is the notebook getting the settings from the chip. Wait until the notebook stops at the SVP password prompt.

Press a key in TeraTerm to exit bus sniffer mode. Clear the output from TeraTerm (in the menu). Now dump the contents of the EEPROM, by pasting this into TeraTerm:

[0xA8 0b00000000][0xA9 r:16]
[0xA8 0b00010000][0xA9 r:16]
[0xA8 0b00100000][0xA9 r:16]
[0xA8 0b00110000][0xA9 r:16]
[0xA8 0b01000000][0xA9 r:16]
[0xA8 0b01010000][0xA9 r:16]
[0xA8 0b01100000][0xA9 r:16]
[0xA8 0b01110000][0xA9 r:16]
[0xA8 0b10000000][0xA9 r:16]
[0xA8 0b10010000][0xA9 r:16]
[0xA8 0b10100000][0xA9 r:16]
[0xA8 0b10110000][0xA9 r:16]
[0xA8 0b11000000][0xA9 r:16]
[0xA8 0b11010000][0xA9 r:16]
[0xA8 0b11100000][0xA9 r:16]
[0xA8 0b11110000][0xA9 r:16]
[0xAA 0b00000000][0xAB r:16]
[0xAA 0b00010000][0xAB r:16]
[0xAA 0b00100000][0xAB r:16]
[0xAA 0b00110000][0xAB r:16]
[0xAA 0b01000000][0xAB r:16]
[0xAA 0b01010000][0xAB r:16]
[0xAA 0b01100000][0xAB r:16]
[0xAA 0b01110000][0xAB r:16]
[0xAA 0b10000000][0xAB r:16]
[0xAA 0b10010000][0xAB r:16]
[0xAA 0b10100000][0xAB r:16]
[0xAA 0b10110000][0xAB r:16]
[0xAA 0b11000000][0xAB r:16]
[0xAA 0b11010000][0xAB r:16]
[0xAA 0b11100000][0xAB r:16]
[0xAA 0b11110000][0xAB r:16]
[0xAC 0b00000000][0xAD r:16]
[0xAC 0b00010000][0xAD r:16]
[0xAC 0b00100000][0xAD r:16]
[0xAC 0b00110000][0xAD r:16]
[0xAC 0b01000000][0xAD r:16]
[0xAC 0b01010000][0xAD r:16]
[0xAC 0b01100000][0xAD r:16]
[0xAC 0b01110000][0xAD r:16]
[0xAC 0b10000000][0xAD r:16]
[0xAC 0b10010000][0xAD r:16]
[0xAC 0b10100000][0xAD r:16]
[0xAC 0b10110000][0xAD r:16]
[0xAC 0b11000000][0xAD r:16]
[0xAC 0b11010000][0xAD r:16]
[0xAC 0b11100000][0xAD r:16]
[0xAC 0b11110000][0xAD r:16]
[0xAE 0b00000000][0xAF r:16]
[0xAE 0b00010000][0xAF r:16]
[0xAE 0b00100000][0xAF r:16]
[0xAE 0b00110000][0xAF r:16]
[0xAE 0b01000000][0xAF r:16]
[0xAE 0b01010000][0xAF r:16]
[0xAE 0b01100000][0xAF r:16]
[0xAE 0b01110000][0xAF r:16]
[0xAE 0b10000000][0xAF r:16]
[0xAE 0b10010000][0xAF r:16]
[0xAE 0b10100000][0xAF r:16]
[0xAE 0b10110000][0xAF r:16]
[0xAE 0b11000000][0xAF r:16]
[0xAE 0b11010000][0xAF r:16]
[0xAE 0b11100000][0xAF r:16]
[0xAE 0b11110000][0xAF r:16]

Copy the complete output of the terminal window into a file, and process this through the following PHP script. You need a php-cli installed on your machine.

#!/usr/bin/php

<?
if ($argv[1]=='-r') {
  $ascii=file_get_contents($argv[2]);
  if ($count=preg_match_all('/0x([0-9A-F][0-9A-F])  ?N?ACK/',$ascii, $matches)!=1024) {
    echo "Expected 1024 matches - your file has ".$count." - aborting\n";
    exit;
  }
  $result="";
  foreach ($matches as $match) {
    $result.=hex2bin($match[1]);
  }
  file_put_contents($argv[3], $result);
} elseif ($argv[1]=='-w') {
  $binary=file_get_contents($argv[2]);

  if (!strlen($binary)==1024) {
    echo "Wrong file length - 1024 bytes expected\n";
    exit;
  }
  $index=0; $output="";
  while ($index<1024) {   
    $output.="[0x".dechex(0xA8+2*floor($index/256)).' 0x'.dechex((floor($index/16) << 4) & 0xFF);
    for ($sub=0; $sub<16; $sub++) {
      $output.=' 0x'.bin2hex(substr($binary,$index,1)); $index++;
    }
    $output.="]\n";
  }
  file_put_contents($argv[3], $output);
} else {
  echo "24RF08 for BusPirate parser and processor\n\nUsage: 24rf08.php -r|-w sourcefile destinationfile\n\n";
}
?>

You run it like: ./24rf08.php -r myteratermoutput.txt settings.bin

This gets you a settings.bin file if everything worked as it should.

I found a tool that processes the binary dump file here:

http://dl.dropbox.com/u/27947369/SVP_Tool.zip – local copy here

The tool is written in Java, and there are launch batch files for Windows, Linux and OSX. It can either display the SVP password or reset it to a known password (check the readme.txt file). Load your settings.bin into the program. I had to reset the password, and it generates a Clear_EEP.bin file.

If you cleared the password, you will have a new binary file. You need to convert this into Bus Pirate lingo, also by using my above script (with the -w paramenter).

./24rf08.php -w Clear_EEP.bin newsettings.txt

Now write the new contents of the EEPROM, by pasting the contents of newsettings.txt into TeraTerm.

Pull the power from the notebook after this.

The password is now KORN.

Hopefully this will yield an unlocked notebook 😉

Big thanks to whoever created the Java tool – without this I wouldn’t be able to do this.

This Post Has 14 Comments

  1. POaul

    thx a heap, with your help i saved top notch T500

  2. Karl

    Was a great help!
    Good job on this userful tutorial.

  3. sabbir

    thank u sooooooooooooooooooooooooooooo much

  4. Andrew

    Is it work on Thinkpad t61 with TCG/TCPA ?

  5. Andrew

    Photo of the AT24RF08 EEPROM in T60

  6. Joe

    Hello I bought a bus pirate (sparkfun style) and found that x120e uses the L08 style that “http://www.allservice.ro/forum/viewtopic.php?t=52” calls a 24rf08 chip. I connected SDA-MOSI & SCL-CLK and ground… Did the snoop and got some good stuff spiting back, so it was working (woohoo!).

    Copied all the contents int a text file (and also tried a raw file pasted into HXD). Ran the php script with the flags and keep getting “Expected 1024 matches – your file has 1 – aborting” (maybe im just dumb with php?)

    LINK bellow, Here is my dump:
    https://www.dropbox.com/s/a5bbq9di5f7bk77/dump.txt?dl=0

    I am willing to take pictures, documentation or anything if you/yall comment or help. Hell I f I can do this I will donate $5. We have netbooks that are spossed to have SPV password but some A-hole found one that wasnt and set a SPV…. T_T… I would look like a genius if I could find/reset instead of a new MOBO … THANK YOU!!!

    If anyone wants to pharse/process my dump than post a comment here and I will post my email. I found a scan table maybe I can manually type the stuff and hunt for what looks like a password too

  7. Michael

    Thanks for this great tutorial, lkarlslund.
    I just removed a TPCA SVP from my T500.

  8. Hans

    Hello. I used this simple Interface (http://4.bp.blogspot.com/_BnMjoF0Pas4/SQ_RuiRcIeI/AAAAAAAAARQ/PQtJxXB_-dk/s400/ATMEL+EEPROM+READER.JPG) and the free “R24RF08” tool (http://www.allservice.ro/forum/viewtopic.php?t=61) to dump the eeprom and then read it with the SVP Tool. It shows me correct Notebook type, MAC Serial, etc. but not the correct SVP password. IBM-Passlite didnt either. I think it is TCPA encrypted.
    Is it possible to reset the original dump file with the SVP Tool and the file write it back with the “W24RF08” tool? Or ist the bus pirate interface needed? Thank you.

  9. lkarlslund

    I would think so – if you save the original dump you can always revert to that.

  10. service

    Hi do you maybe still have R500 eeprom dump?

  11. William Maddox

    Thanks for the great post. I’d like to try this on a second-hand T530.
    The link to SVP_Tools.zip on Dropbox posted above is dead. Can you repost it?

  12. phaitoon dawan

    Someone help me pls. i need a bin file.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.