18 Jun
2009
18 Jun
'09
1:21 p.m.
I bought a thinkpad 600e for a friend several years ago on eBay. She put it in storage for
a year, and when she pulled it out the backup battery has died. I replaced it, but now the
unit is asking for a password.
We never set a CMOS password, the eBay seller's email no longer works and I need to
get to her data on the HDD which is also locked.
Everything I searched tells how to wipe the HDD, but not how to recover the data without
shipping the drive to someone who will do it for much more than the laptop and drive is
worth.
Anyone have a way I can get into the unit and unlock it?
I can buy another unit cheap, but that doesn't get me into the HD.
Al
18 Jun
18 Jun
1:40 p.m.
Al Hartman wrote:
I bought a thinkpad 600e for a friend several years
ago on eBay. She put it in storage for a year, and when she pulled it out the backup
battery has died. I replaced it, but now the unit is asking for a password.
You could get an external 2.5" USB<->ATA enclosure, move the drive
to
that and get at the data that way.
1:58 p.m.
Ray Arachelian wrote:
Al Hartman wrote:
It's weird how the manual states 'hdd replacement' for forgotten password,
rather than just saying it needs to be reformatted. I assume that was just an
error in IBM's terminology (and they really don't do something like screwing
around with the drive firmware :)
You're probably onto something, though - I bet they just goof around with the
MBR or something to stop the drive booting (so with a bit of effort a new MBR
could be written via another box, or the filesystem read out 'raw' and
accessed as a loopback device under Linux / *BSD)
(I don't have an suitable 2.5" adapter with me here, or I'd do some tests
with
my 600E - I've not got anything on its drive that I want to keep right now anyway)
cheers
Jules
I bought a thinkpad 600e for a friend several
years ago on eBay. She put it in storage for a year, and when she pulled it out the backup
battery has died. I replaced it, but now the unit is asking for a password.
You could get an external 2.5" USB<->ATA enclosure, move the drive
to
that and get at the data that way. 
2 p.m.
On Thu, 18 Jun 2009, Jules Richardson wrote:
It's weird how the manual states 'hdd
replacement' for forgotten password,
rather than just saying it needs to be reformatted. I assume that was just an
error in IBM's terminology (and they really don't do something like screwing
around with the drive firmware :)
It isn't an error. It is a "security feature". :-(
Zane
2:16 p.m.
On Thu, 18 Jun 2009, Jules Richardson wrote:
Reminds me of the story, quite likely apocrophal about
the poster with a cockroach dressed in a tuxedo. Under
the creature was the label "Feature."
BLS
It's weird how the manual states 'hdd
replacement' for forgotten password,
rather than just saying it needs to be reformatted. I assume that was just an
error in IBM's terminology (and they really don't do something like screwing
around with the drive firmware :)
It isn't an error. It is a "security feature". :-( 
4:03 p.m.
> It's weird how the manual states 'hdd
replacement' for forgotten
> password,
> rather than just saying it needs to be reformatted. I assume that was
> just an
> error in IBM's terminology (and they really don't do something like
> screwing
> around with the drive firmware :)
And it is true.
Thinkpad has two levels of password - system password and hard disk
password. The system password is stored in an EEPROM inside the computer, I
have the programs to read and decode this password here. But the HDD
password is **impossible** to crack with ease, there are specialist
programs/hardware to decode them, but they are expensive as hell.
I have one of these 600e (pentium 233 MMX, et al). Good notebook, but
too much problems (passwords, battery recharging circuit, passive matrix
screen, et al) in just one notebook.
2:18 p.m.
----- Original Message -----
From: "Jules Richardson" <jules.richardson99 at gmail.com>
To: "General Discussion: On-Topic and Off-Topic Posts"
<cctalk at classiccmp.org>
Sent: Thursday, June 18, 2009 1:58 PM
Subject: Re: IBM Thinkpad 600e can't get past password prompt...
Ray Arachelian wrote:
Seems like the drive itself is locked so moving the HD to another machine
will not help.
There are auctions on ebay that will unlock the machine itself (solder in an
unlocked security chip) but that will not let you get into the HD that is
locked.
Places like this: http://www.pwcrack.com/harddisk.shtml can unlock the drive
if you like paying $100 and letting somebody else get into your data.
Al Hartman wrote:
It's weird how the manual states 'hdd replacement' for forgotten password,
rather than just saying it needs to be reformatted. I assume that was just
an error in IBM's terminology (and they really don't do something like
screwing around with the drive firmware :)
You're probably onto something, though - I bet they just goof around with
the MBR or something to stop the drive booting (so with a bit of effort a
new MBR could be written via another box, or the filesystem read out 'raw'
and accessed as a loopback device under Linux / *BSD)
(I don't have an suitable 2.5" adapter with me here, or I'd do some tests
with my 600E - I've not got anything on its drive that I want to keep
right now anyway)
cheers
Jules
I bought a thinkpad 600e for a friend several
years ago on eBay. She put
it in storage for a year, and when she pulled it out the backup battery
has died. I replaced it, but now the unit is asking for a password.
You could get an external 2.5" USB<->ATA enclosure, move the drive to
that and get at the data that way.
1:40 p.m.
Al Hartman wrote:
I can buy another unit cheap, but that doesn't get
me into the HD.
Hmm, the hdd's locked and she never set a password for that?
Might be worth contacting IBM about it - I'd suggest perhaps trying a BIOS
upgrade, but doing that is risky if the hdd really is protected and the
protection is tied to a particular BIOS release.
The maintenance manual just says that a system board replacement's the only
official way around a forgotten supervisor password, and a hdd replacement's
the only way around a forgotten hdd password :-(
The CMOS battery died on my 600E a few months ago, and it never did this (in
fact I ran it with no CMOS battery at all for quite a while and just bashed in
new time/date info every time I cold-booted it) so it sounds like a bug /
hardware failure / corruption issue.
You could try a CMOS reset, I suppose (maintenance manual's here if you don't
have it already: ftp://ftp.software.ibm.com/pc/pccbbs/mobiles/09n1033.pdf ) as
I really doubt that'd make things any worse.
cheers
Jules
1:57 p.m.
On Thu, 18 Jun 2009, Jules Richardson wrote:
Al Hartman wrote:
The *ONLY* possitive thing I can say is that I'm pretty sure it isn't the
HD password that is set. When that is set you have to type it in to boot,
so that is a pretty good indication it is the Supervisor password. Hardware
passwords on Thinkpads are *BAD* news.
Zane
I can buy another unit cheap, but that
doesn't get me into the HD.
Hmm, the hdd's locked and she never set a password for that?
Might be worth contacting IBM about it - I'd suggest perhaps trying a BIOS
upgrade, but doing that is risky if the hdd really is protected and the
protection is tied to a particular BIOS release.
The maintenance manual just says that a system board replacement's the only
official way around a forgotten supervisor password, and a hdd replacement's
the only way around a forgotten hdd password :-(
The CMOS battery died on my 600E a few months ago, and it never did this (in
fact I ran it with no CMOS battery at all for quite a while and just bashed
in new time/date info every time I cold-booted it) so it sounds like a bug /
hardware failure / corruption issue.
You could try a CMOS reset, I suppose (maintenance manual's here if you don't
have it already: ftp://ftp.software.ibm.com/pc/pccbbs/mobiles/09n1033.pdf )
as I really doubt that'd make things any worse.
3 p.m.
Zane H. Healy wrote:
The *ONLY* possitive thing I can say is that I'm
pretty sure it isn't the
HD password that is set. When that is set you have to type it in to boot,
so that is a pretty good indication it is the Supervisor password.
Well, that's hopeful then, as at least a replacement system board should get in...
2:06 p.m.
New subject: Bad keyboards- repair
Quote from "Antique Electronic Supply".
CAIG, CAIKOTE 44 KIT - S-CK-CK44-G
Conductive Carbon Coating for most surfaces (rubber, epoxy, glass, plastic). It
is ideal for repairing membrane buttons,
keyboard buttons, and other carbon based surfaces. It may also be used as a
coating for shielding (EMI) of electronics.
$8.95
http://www.tubesandmore.com/
Ben.
1:57 p.m.
----------------------------------------
Date: Thu, 18 Jun 2009 10:21:44 -0700
From: alhartman at yahoo.com
Subject: IBM Thinkpad 600e can't get past password prompt...
To: cctalk at classiccmp.org
I bought a thinkpad 600e for a friend several years ago on eBay. She put it in storage
for a year, and when she pulled it out the backup battery has died. I replaced it, but now
the unit is asking for a password.
We never set a CMOS password, the eBay seller's email no longer works and I need to
get to her data on the HDD which is also locked.
Everything I searched tells how to wipe the HDD, but not how to recover the data without
shipping the drive to someone who will do it for much more than the laptop and drive is
worth.
Anyone have a way I can get into the unit and unlock it?
I can buy another unit cheap, but that doesn't get me into the HD.
Al
I also have a thinkpad that is locked and planning to crack it when I have time and
interest.
Have a look:
http://www.security-forums.com/viewtopic.php?t=23102
Cheers, Wizard
_________________________________________________________________
Create a cool, new character for your Windows Live? Messenger.
http://go.microsoft.com/?linkid=9656621
2:28 p.m.
Al Hartman wrote:
I bought a thinkpad 600e for a friend several years
ago on eBay. She put it in storage for a year, and when she pulled it out the backup
battery has died. I replaced it, but now the unit is asking for a password.
We never set a CMOS password, the eBay seller's email no longer works and I need to
get to her data on the HDD which is also locked.
Everything I searched tells how to wipe the HDD, but not how to recover the data without
shipping the drive to someone who will do it for much more than the laptop and drive is
worth.
Anyone have a way I can get into the unit and unlock it?
I can buy another unit cheap, but that doesn't get me into the HD.
I don't believe that it is possible. When a hard drive password for a
ThinkPad gets lost, it usually means buy a new hard drive and send the
old for recovery.
Peace... Sridhar
3:08 p.m.
Sridhar Ayengar wrote:
I don't believe that it is possible. When a hard
drive password for a
ThinkPad gets lost, it usually means buy a new hard drive and send the
old for recovery.
So why's it 'new drive' - what does it do to it that means it at least
can't
be reformatted by the user? I didn't think there was anything in the ATA spec
along the lines of 'hose this drive' - or does it try and keep track of drives
it's 'seen' before?
cheers
Jules
3:35 p.m.
Jules Richardson wrote:
Sridhar Ayengar wrote:
It could probably be reformatted by the user, but that precludes
retrieval of any of the data. I'm not completely sure, but I would
guess that the method it uses is to encrypt the partition table. It
sure seems that way.
Peace... Sridhar
I don't believe that it is possible. When a
hard drive password for a
ThinkPad gets lost, it usually means buy a new hard drive and send the
old for recovery.
So why's it 'new drive' - what does it do to it that means it at least
can't be reformatted by the user? I didn't think there was anything in
the ATA spec along the lines of 'hose this drive' - or does it try and
keep track of drives it's 'seen' before?
3:57 p.m.
Sridhar Ayengar wrote:
It could probably be reformatted by the user, but that
precludes
retrieval of any of the data. I'm not completely sure, but I would
guess that the method it uses is to encrypt the partition table. It
sure seems that way.
Hang on, if it's just the partition table, then you should
be able to
read past that point and find the file system on there, and guess what
should go in the partition table based on the size of the file system
(assuming there's only one, and if there is more than one, you could
read past the end of that file system, read the next file system, guess
what type it is and so forth.)
10:34 p.m.
At 02:57 PM 6/18/2009, Ray Arachelian wrote:
Hang on, if it's just the partition table, then you
should be able to
read past that point and find the file system on there, and guess what
should go in the partition table based on the size of the file system
(assuming there's only one, and if there is more than one, you could
read past the end of that file system, read the next file system, guess
what type it is and so forth.)
Yes, any good file recovery tool will search for filesystems
independently of the partition table... assuming they can read
the disk at all.
Here's Lenovo's page on their AES-128 "full disk encryption":
http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&…
At 05:06 PM 6/18/2009, Dan Gahlinger wrote:
take it to a data recovery place, ask for a free
estimate.
be prepared to pay $1200 or more.
Actually, in the case of electrically dead / medium-crazed media,
reasonably good hard disk recovery is down in the $400-600 range
(see www.gillware.com).
At 06:39 PM 6/18/2009, jpero at sympatico.ca wrote:
Hi, I thought I emailed this method to crack this
password I'll try again:
http://sodoityourself.com/hacking-ibm-thinkpad-bios-password/
To think they went to all that trouble, then left the password
in memory at a fixed location in plaintext.
- John
4 p.m.
Sridhar Ayengar wrote:
Jules Richardson wrote:
indeed - I'm just curious about IBM's statement that it would need replacing
with another drive, as though the machine somehow 'breaks' the old drive
(implying it won't even work in a different machine, or can't just be
reformatted and restored from backups).
Sridhar Ayengar wrote:
It could probably be reformatted by the user, but that precludes
retrieval of any of the data. I don't believe that it is possible. When a
hard drive password for
a ThinkPad gets lost, it usually means buy a new hard drive and send
the old for recovery.
So why's it 'new drive' - what does it do to it that means it at least
can't be reformatted by the user? I didn't think there was anything in
the ATA spec along the lines of 'hose this drive' - or does it try and
keep track of drives it's 'seen' before? I'm not completely sure, but I would
guess that the method it uses is to encrypt the partition table.
If that's all it is though, it should be possible to put the drive in another
system, figure out where the start and end blocks of the filesystem(s) is/are,
grab the raw data and mount it so that the individual files can be copied.
That or restore the MBR to something sensible.
I doubt it makes any attempt to encrypt the whole drive - too time-consuming.
But I'm just not aware of anything it could do to 'break' the drive, either.
5:28 p.m.
Jules Richardson wrote:
indeed - I'm just curious about IBM's
statement that it would need
replacing with another drive, as though the machine somehow 'breaks' the
old drive (implying it won't even work in a different machine, or can't
just be reformatted and restored from backups).
The drive CAN be used in another system. The catch is, the system in question
needs to support an oft-unimplemented part of the ATA specification.
Basically, most modern ATA (and SATA too, if memory serves) hard drives
support a few additional commands related to password-based security. These
have been part of the ATA standard since ATA-ATAPI 3:
- Set Password
- Unlock
- Erase Prepare
- Erase Unit
- Freeze Lock
- Disable Password
The spec calls for two 32-character passwords (the User and Master passwords)
and two security levels (High and Maximum). In High security mode, either the
User or Master password will unlock the device. In Maximum security mode, only
the User password will unlock the device. Generally speaking, the Master
password is set by the disk manufacturer at the factory, the user password
isn't set, and the lock is disabled. Both the Master and User passwords can be
changed at-will with the Set Password command.
Freeze Lock is intended to stop someone maliciously setting a password on an
unlocked drive. The system BIOS/bootloader/whatever is *supposed* to detect
drives that support ATA Security on boot, and send a Freeze command to them.
Most PC BIOSes.... don't do this. Big surprise.
Disable Password turns the lock mode off. That is to say, once you send it to
the device (assuming the password is correct), it nulls out the User password
and disables lock mode.
There are two ways to unlock the drive:
- Unlock it
- Reformat it
In High security mode, you can unlock or format the drive with the User or
Master password. In Maximum security mode, you need the User password to
unlock, but can reformat the drive with the Master password. If you haven't
got either password, the drive is "as useful, and as entertaining, as a brick."
For bonus points, there's also a "retry counter". The drive counts (or at
least is *supposed* to count) how many times you've sent a password. If it
exceeds a predetermined maximum (and the spec doesn't say what that is) then
you have to power-cycle the drive to try again.
As for the Thinkpad, most models of TP have two passwords -- a Supervisor
password (stored in the EEPROM) and a User password (usually stored in the
CMOS). The catch is, if the CMOS copy of the User password gets hosed, the
machine will lock up and demand the Supervisor password... This applies even
if the User password is disabled -- if a supervisor password is set, you're
going to need it as soon as the CMOS dies.
I don't know if this happens on all Thinkpads, but I've seen it happen on a
few, and this little "quirk" is the one single solitary reason I have both
passwords turned off. In any case, I set them both to passwords I have long
since committed to memory, *then* disabled them...
--
Phil.
classiccmp at philpem.me.uk
http://www.philpem.me.uk/
4:10 p.m.
On Thu, 18 Jun 2009, Sridhar Ayengar wrote:
Jules Richardson wrote:
It was my understanding that the password is stored on a chip on the HD.
Zane
Sridhar Ayengar wrote:
It could probably be reformatted by the user, but that precludes retrieval of
any of the data. I'm not completely sure, but I would guess that the method
it uses is to encrypt the partition table. It sure seems that way.
Peace... Sridhar I don't believe that it is possible. When a
hard drive password for a
ThinkPad gets lost, it usually means buy a new hard drive and send the old
for recovery.
So why's it 'new drive' - what does it do to it that means it at least
can't be reformatted by the user? I didn't think there was anything in the
ATA spec along the lines of 'hose this drive' - or does it try and keep
track of drives it's 'seen' before? 
4:41 p.m.
On Thu, 18 Jun 2009, Zane H. Healy wrote:
It was my understanding that the password is stored on
a chip on the HD.
Wow.
Yeah, that would be harder to circumvent. How hard a password is it?
Does it have any time delays or trial counts that would prevent a rapid
brute furce crack?
Anything preventing swapping board from another drive with chip holding
known password?
19 Jun
19 Jun
9:04 p.m.
Fred Cisin wrote:
On Thu, 18 Jun 2009, Zane H. Healy wrote:
That's the right thinking, Fred....
Warren
It was my understanding that the password is
stored on a chip on the HD.
Wow.
Yeah, that would be harder to circumvent. How hard a password is it?
Does it have any time delays or trial counts that would prevent a rapid
brute furce crack?
Anything preventing swapping board from another drive with chip holding
known password?
10:57 p.m.
Date sent: Fri, 19 Jun 2009 15:04:06 -1000
From: Warren Wolfe <lists at databasics.us>
Organization: DataBasics
To: General Discussion: On-Topic and Off-Topic Posts
<cctalk at classiccmp.org>
Subject: Re: IBM Thinkpad 600e can't get past password prompt...
Send reply to: "General Discussion: On-Topic and Off-Topic Posts"
<cctalk at classiccmp.org>
<cctalk.classiccmp.org>
<mailto:cctalk-request at classiccmp.org?subject=unsubscribe>
<mailto:cctalk-request at classiccmp.org?subject=subscribe>
Fred Cisin wrote:
Not quite what it is.
The design is more secure than you think, the locked HD is locked even with board swap.
The pwd the hard drive itself checks against is stored on the platter itself. The hard
drive
board checks for presence of pwd every power cycles. If present, it's unaccessible.
This is reason the NEED to extract the password by reading the thinkpad's eeprom IC
with
PC and homemade circuit while disassembled thinkpad powered on at the password
request. When pwd is known, reassemble the thinkpad and type in password to unlock the
whole thinkpad and that will unlock the hard drive, then go into bios and clear out
password
settings to disabled.
Cheers, Wizard
On Thu, 18 Jun 2009, Zane H. Healy wrote:
That's the right thinking, Fred....
Warren
It was my understanding that the password is
stored on a chip on the HD.
Wow.
Yeah, that would be harder to circumvent. How hard a password is it?
Does it have any time delays or trial counts that would prevent a rapid
brute furce crack?
Anything preventing swapping board from another drive with chip holding
known password?
18 Jun
18 Jun
4:19 p.m.
On Thu, 18 Jun 2009, Sridhar Ayengar wrote:
It could probably be reformatted by the user, but that
precludes
retrieval of any of the data. I'm not completely sure, but I would
guess that the method it uses is to encrypt the partition table. It
sure seems that way.
If THAT's all that they did, what's stopping someone from simply rewriting
the partition table - 20 years ago, that was FDISK /MBR
What OS are we talking about?
For example,
NT4 just sets a flag that tells windoze not to access it without password;
but booting Linux provides full access to a password "protected" NT4,
including ability to wipe the password flag.
4:39 p.m.
> It could probably be reformatted by the user, but
that precludes
> retrieval of any of the data. I'm not completely sure, but I would
> guess that the method it uses is to encrypt the partition table. It
> sure seems that way.
No, it locks any access to the hard disk. The password is stored on the
HDA, and no password, no access.
5488
days inactive
5490
days old
25 comments
14 participants
participants (14)
-
alexandre-listas@e-secure.com.br -
alhartman@yahoo.com -
bfranchuk@jetnet.ab.ca -
blstuart@bellsouth.net -
cisin@xenosoft.com -
classiccmp@philpem.me.uk -
healyzh@aracnet.com -
jfoust@threedee.com -
jpero@sympatico.ca -
jules.richardson99@gmail.com -
lists@databasics.us -
ploopster@gmail.com -
ray@arachelian.com -
teoz@neo.rr.com