IBM gave me Thinkpad 560X notebook, about year ago (thanx, it is
nice beast). I discovered few misfeatures, and few bugs, some of them
are related to security. Here it goes: (I got a letter from one
person at IBM, explaining things.)
- Thinkpad will boot from floppy, even if it has boot-up
sequence set to hard drive first and hard disk is
bootable. Floppy has to have IBM bootsector for this to
work, for example personality setting boot disk distributed
by IBM has it. I've successfully created Linux boot disk,
which can be used on Thinkpad with floppy booting
disabled. If someone relied on boot up sequence for security
(I believe many people do), they are screwed. I got a
letter from IBM explaining it is feature. As they think it
would not benefit ordinary users, they did not document
it. This can help you boot otherwise unbootable computer
- supervisor password is not a problem for this to work.
- Thinkpad will allow people to change personality
information, even without supervisor password. Thinkpad
has "personality" feature which allows people to mark their
computer with their name, address, and picture. I use
penguin ;-). Unfortunately, this info is changeable even
without supervisor password. (And BTW floppy which allows
you to change it has "magic" format.) This might be more
severe than it seems, because, IMHO, setting personality
information means flashing bios. I was told personality
info is stored in separate page of flash memory, so main BIOS should
- Easy setup - HDD tests. Easy setup is just plain
ugly. It looks like a perfectly safe thing. Well, it will
overwrite part of your hard drive without even asking for
confirmation. It seems like hard drives come preformated to
slightly lower capacity then they really have. The rest is test
zone, used for easy setup's rw tests. But if you happen to
re-fdisk your drive, it is pretty easy to put normal partition
into this zone (this zone is not documented anywhere). This one
killed 2000 of my inodes 4 times. Last two times was random
person coming around my computer, and launching tests because
machine asked them to do so. I'm
told this area is not accessible using normal int 13h
calls. Unfortunately, linux does not use this calls so it did not
- Thinkpad Forgeting Passwords. I tried to set
supervisor password on my notebook. I set it successfully, but
notebook does not seem to recognize it. It is simple. If you
enter 8-chars-long password, thinkpad simply will not recognize
it. You have to enter only first 7-chars in order to log
in. Great feature, knowing that IBM actually charges money for
unlocking your notebook. This was partly my fault. In user's
manual, it is written password is 7 characters max. What confused me
was that when enterring password, additional characters echoed as *'s
- Neomagic close/reopen corrupting screen. I do not know
if this is bug or not, but if I try to move screen to top left
corner using following lines from SVGATextMode (they are in
newest SVGATextMode distribution), which is required to get
100x37 text mode working (there are no docs about Neomagic, so
this is guesswork. Anyway, I'm going to
complain, just because there are not docs).
+ case CS_NEOMAGIC:
+ Outb_GR_CTL( 0x09, 0x26 );
+ case CS_NEOMAGIC:
+ if (OFLG_ISSET(OPT_TOPLEFT))
+ Outb_GR_CTL( 0x25, 0 );
+ Outb_GR_CTL( 0x2f, 0 );
+ Outb_GR_CTL( 0x30, 0 );
+ Outb_GR_CTL( 0x82, 0 );
...then this setting is lost after closing and re-opening the lid.
- Thinkpad not powering off. After certain kind of
crashes (run MS-Windows for a while :-), Thinkpad will not power
off even when holding its power button. You have to turn it
over, take a pencil, and press well-hidden reset button (blue, I
was told about it by IBM technician, I would not find it
otherwise). Pretty annoying. (I have now reproducible way to
make thinkpad crash like this ;-)
Ok, above are things that I know. But there are things I do not
know (do not even ask me, I don't know; but if you find out some
answer, let me know!): I did not even open my
thinkpad... yet ;-).
- How to remove supervisor password -- IBM does it by removing all
parts from board and essentialy creating new system board. Of course
there's other, "easier" way how to do this, but IBM does it hard way
and even people at IBM do not know how to do it easily. Clearing your
CMOS probably will not help. I do not even know where password is
stored: is it CMOS or some part of flash? Unknown. And before you ask,
"easier" way of course is possible: for example pulling out flash ROM
and flashing in modified bios which does not ask for passwords would
work, but a) it involves soldering of SMD chips b) you'd have to find
out what modification to do to BIOS. [Ok, if you want to work on
computer and not to remove password, try to see if you can make your
ThinkPad touch floppy for more than initial seek test. If you can,
stuff in personality disk and it might boot. play with personality
disk a bit and it will happily boot linux.]
- Who can remove your supervisor password -- well, I know few people
able to solder SMD chips, but I would not let them play with my
notebook, and they are generally too far away from you.
- How to remove harddisk password
- How to remove power-on password -- I was told that it is relatively
easy to do, but I know no details... Well, now I'm told the details ;-).
* How to remove power-on password -- I was told that it is relatively
easy to do, but I know no details.
You can remove the power-on password by shorting the 2 pins left of the
power connector (used for an extra battery) in the floppy/cdrom bay.
You're supposed to use a jumper, but I didn't have any that fit so I just
jammed a piece of wire in it. Replace the floppy/cdrom, power on the
system until POST is done, turn it off, remove the jumper and you should
be good to go as long as there is no supervisor or hard drive password.
(thanks to Adam Slattery )
FAQ (added 2001/08/23)
*Common mistake #1: if BIOS can change/read password,
I can do it, too.
Not true: think trapdoor. Register "TRAP" is set to zero during reset.
Once "TRAP" is set, it can not be reset using software and password data
are not accessible. BIOS sets the "TRAP" bit during bootup.
I am not sure thinkpad uses a "TRAP" register, but it very well might for its
* How do I reset supervisor password?
OTOH, password is probably stored in a serial EEPROM. You can try to wire the data pin to the ground, and try booting. This involves opening your computer, and if some esstial info
is also stored in that PROM, or if the passwords are stored encrypted in the PROM, it will not work. Oh, you might also kill your machine. I don't know if it will work for thinkpads, I never tried it. Ask shaddack.
It is told that, IBM does really replace mainboards in order to get rid of password...
[Soldering on mainboard may cause hidden damage and IBM apparently
does not want to risk that.]
Oops, it might be even more tricky than that. It seems that thinkpad stores password for its hdd, somewhere:
(from Paul Mullen:)
On the Thinkpad's I have seen setting the Supervisor password also sets the hard drive
password. The computer appears to work normally. But if you remove the hard drive
and place it in another computer it won't work - it simply appears as a controller failure
(unless you run IBM Drive Fitness Test or place it in a computer like Thinkpad which
understands hard disk passwords). I have come accross this several times recently
when a notebook computer failed and the owner asked me to backup data from the hard
drive. The most recent case was actually someone who worked for IBM here! The only
way I had to get to the data was to get the Thinkpad working again! Once working
there was no password prompt (unless I set a user password) but the hard disk worked.
In any other computer, including other Thinkpad's, the drive was password locked. So
obviously the Thinkpad bios had stored the hard disk password somewhere and was
passing it to the hard drive on startup.
It should be possible to clear 560X by shorting two test pads on the mainboard during boot. Untested.
Someone who says they can remove TP passwords. I hope they do not dissappear, again.
Detailed instructions how to get rid of supervisor password
How to make magic floppy
This page was created by Pavel Machek.