I just got a donated Lenovo R500 notebook. Fortunately it works, and also includes a puzzle before I can actually use it. It has the SVP password enabled (supervisor password). This password is stored in a 24RF08 i2c EEPROM, and is NOT clearable by removing batteries, shorting stuff etc. Also the EEPROM includes two CRC fields, and can not just be patched.
I am possibly going to get pounded on for publishing this. The Lenovo support forums clearly forbid even talking about this. This is to prevent theft of notebooks they state. But there are multiple websites out there, that wants to take your hard earned cash and sell you a small device which can talk to the i2c bus on the notebook, and either display the password or reset it. If someone steals a notebook, they can unlock it with such a device.
But paying for the solution is unsportly behaviour, and not a part of this solution. I already have the Dangerous Prototypes Bus Pirate v3, which talks i2c natively, via a terminal emulator interface.
Read on for this adventure … (more…)