Thinkpad T440 and BIOS/UEFI passwords

I recently bought a used T440 and updated the BIOS. Afterwards I realized it’s locked and the provided password doesn’t work. After some research I realized the BIOS will be locked forever.

Then I discovered a post that got me curious. User @catsay managed to wipe the BIOS:

Lenovo changed the hashing algorithm? That means before my BIOS update the password probably worked.

Do you have more information on that? Could a BIOS downgrade possibly help then? I still can’t believe you recovered the locked T440s by rewriting the chip. What programming hardware and software did you use?

I would be glad if you can provide some more information.

You can always try downgrading the BIOS with a hardware SPI flasher (like a Raspberry Pi or Bus Pirate) and a SOIC-8 clip. This would require disassembling the entire laptop, though.


You can also MacGyver it and replace the BIOS chip with a new, unlocked one using a heat gun and a soldering iron.


This is exactly what I did.

It’s a non-trivial task to say the least.
I was fortunate to have enough time and tooling to dedicate to the task. :stuck_out_tongue:

But really, in its simplest form it’s pretty much this:

  1. Downgrade to mod BIOS
  2. Remove password and reset to defaults.
  3. Flash new BIOS.

Alternatively, if you happen to have AMT enabled, you can possibly use the newly discovered AMT vulnerability as a bypass:

https://support.lenovo.com/us/en/product_security/LEN-14963


Thank you for the suggestions. Just realized my BIOS version is older (2.39 from 09/29/2016). Later in version 2.44 (9/25/2017) Lenovo blocked BIOS downgrades.

I couldn’t update it because I don’t have the correct password.
The seller told me it’s the default one by IBM ‘sertafu’ but it isn’t. So a downgrade wouldn’t help.

@catsay: Did you replace the chip or reflash the existing one? Reflashing seems doable to me if I get some more information.

I think the AMT exploit gets you into the system but not into the BIOS. https://www.youtube.com/watch?v=aSYlzgVacmw

Ok, is it a UEFI or BIOS? If it’s an actual BIOS you can take the battery out and short 2 jumpers and it’s reset.

It’s definitely UEFI.

You would need a serial flash programmer, as well as a dump of your current BIOS and a DXE driver module.

Now let me explain why this is a complicated and shitty process.

The supervisor password is stored in an SMSC MEC1633L (sort of a TPM chip) and not in the main UEFI EEPROM.

Additionally in the T440 the BIOS is married to the internal TPM chip (SMSC) and contains a unique signature of that.

Resetting this is complex because:

  1. It first involves reading the BIOS and creating a full dump. This is critical as otherwise you are stuffed trying to restore any other BIOS to it.

  2. One has to patch the dumped BIOS binaries and inject a small UEFI program (DXE Driver). This program will read the secure eeprom, reset the TPM certificate and password and also rewrite the secure eeprom and reconstruct all data such as writing back serial number, RFID config/UUID/Type/checksums etc.

  3. Flash the patched BIOS dump (this will only function for that TP, btw) and start the laptop; while the BIOS is loading it will execute the unlock routine in the DXE module and unlock the SVP (supervisor password) and TPM.

  4. Finally, write the original BIOS dump back.

Now this is the part where I tell you that, unfortunately, for whatever damn reason I can’t find my hacked DXE driver code anymore. I want to beat myself with a stick for being so stupid to lose it. :grimacing:
Or maybe I never copied it off the computer at my old workplace. But either way I’m not going to be able to help you any further with that right now.

EDIT: There is apparently still some Romanian guy that does this at allservice.ro, but I don’t know if his patch can be trusted and he charges quite a bit for the job. But either way, this gives me hope that someone else still has similar code to do this.

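The full-dump step from the procedure above, as an added example that is not code from the thread or from catsay: read the SPI flash twice with flashrom and keep the dump only when both reads agree, which catches a badly seated SOIC clip before anything is ever written back. It assumes flashrom is installed with a programmer it supports (the `ch341a_spi` programmer name is flashrom’s own) and lets flashrom autodetect the chip, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): back up the SPI flash and verify the read.
# Assumption: a flashrom-supported programmer; CH341A by default, a Raspberry Pi
# would be something like linux_spi:dev=/dev/spidev0.0,spispeed=1000 instead.
set -eu

PROGRAMMER="${PROGRAMMER:-ch341a_spi}"

# dumps_match FILE1 FILE2 -> exit 0 if both files are non-empty, the same size
# and have the same SHA-256; exit 1 otherwise.
dumps_match() {
    [ -s "$1" ] && [ -s "$2" ] || return 1
    s1=$(wc -c < "$1"); s2=$(wc -c < "$2")
    [ "$s1" -eq "$s2" ] || return 1
    h1=$(sha256sum "$1" | cut -d' ' -f1)
    h2=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$h1" = "$h2" ]
}

# backup_flash OUT -> read the chip twice; keep OUT only when the reads agree.
# A flaky clip contact typically shows up as two different images here.
backup_flash() {
    out="$1"
    flashrom -p "$PROGRAMMER" -r "$out.read1" || return 1
    flashrom -p "$PROGRAMMER" -r "$out.read2" || return 1
    if dumps_match "$out.read1" "$out.read2"; then
        mv "$out.read1" "$out"
        rm -f "$out.read2"
        echo "backup OK: $out ($(wc -c < "$out") bytes); store a copy off the machine"
    else
        echo "the two reads differ: re-seat the SOIC clip and try again" >&2
        return 1
    fi
}
```

Only call `backup_flash original.bin` after `flashrom -p "$PROGRAMMER"` alone reports a detected chip; a verified original dump is what step 4 restores.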

That’s a nice overview! It sounds very difficult and risky. I have to wait until some kind professional like you posts his/her code. I have great respect for all of you who figure out stuff like this. It’s wizardry to me.

What kind of “Serial flash programmer” did you use? Can you please recommend one? Thanks

Just about any of these will do the job:

I have one similar to this:

You would also need a SOIC test clip:


@nokian
Sent you a message.

@xmxmm: I have not found a solution yet.

Thanks for keeping this thread alive.

Just found this site after looking for DXE driver mods.

If I have a BIOS that has already been patched/injected with the DXE driver, how would I extract the driver itself out, so that I would then have the code?

Thank you guys for the informative and useful thread!
@catsay, thank you for the wonderful guidelines!
@nokian and @xmxmm, did you manage to solve your issues?

Did you manage to find a DXE Driver?

I have a T460p with a locked BIOS. Is the security architecture the same and are the principles from catsay’s post similar?

Thank you in advance! :slight_smile:

Unfortunately I’ve lost the DXE module code.

It remained on a system at a previous employer and I no longer have access to that there. :frowning:
EDIT: @dando
There is this ‘hack’, easiest guide I could link to quickly: https://www.youtube.com/watch?v=H-s-14Po4Zk

But I’ve never tried it on a T460 and I’m really not sure if it works.

It involves shorting the SCL and SDA lines on the EEPROM during boot to skip the security check.

Also partly outlined here:


Thank you for the quick response. @catsay!
It is a pity that you do not have the DXE module code anymore. It would have been of tremendous help, I believe :slight_smile:

In case you remember some of the information sources (specifications, standards, code snippets, etc.) you used for developing this code, it would be helpful to share them if you had the time. :slight_smile:

Thank you for the links, too. It seems that the video is regarding the ThinkPad R500, which used older security mechanisms and I believe the outlined method would not work on any ThinkPad newer than the xx30 series, i.e., produced after 2013.

Thank you!


Hello to all respected members of this forum.

I had an issue with my T440, as follows, that I would like to discuss here.

  1. I requested whitelist removal on my BIOS, successfully flashing the modified BIOS to the chip using CH341A flash programmer.
  2. I installed a DW1560 card; WiFi was detected and running well, while BT was not present.
  3. I purchased a new DW1560 card to replace the first one, and this time WiFi and BT worked well. However, installing the card at this stage made the computer behave strangely, i.e. it never wanted to shut down and kept on restarting again and again. When the computer finally shut down, the next time it was powered on the WiFi was no longer detected by the system.
  4. I tried to revert back to Intel 7265 stock card, WiFi and BT works well.
  5. Purchased a new DW1560 card: WiFi not detected but BT detected.
  6. Reverted back to the first DW1560 card; now the WiFi of this card (which previously worked) is no longer detected.
  7. Tried to flash the BIOS using the flash programmer, but this time the chip detection always fails. It repeatedly cannot detect the chip; readjusting the SOIC clip and plugging and unplugging the USB programmer all fail to detect it.

Does this symptom relate to a broken BIOS chip? I can still open the BIOS settings and make adjustments to them, though.

Should I replace the BIOS chip, by purchasing a new chip, flashing the BIOS in the new chip, and soldering into the board?

Any advice given is greatly appreciated.

Thank you.

I tried shorting… it had no effect, and on the 4th or 5th try my Yoga 370’s screen no longer turns on and it does not POST. Downgrading to an older BIOS made the screen come back, but it now asks for a password. Any idea what options I have?

Thank you.