Extracting the supervisor password from an IBM ThinkPad 365XD

I got a second hand IBM ThinkPad 365XD from Marktplaats, the local version of eBay in The Netherlands. It contained a very old installation of SuSE Linux, but with a corrupt ext3 filesystem. Adding a different disk required entering a supervisor password, which I didn’t have.

IBM's Hardware Maintenance Manual (HMM) says only: "How to Disable the Power-On Password: This information is not available in this HMM online format. See your IBM Servicer or IBM Authorized Dealer for this procedure". Well, thanks a lot IBM!

The EEPROM that stores the password is an ST93C46C (as the name implies, by STMicroelectronics). The chip uses the "Microwire" protocol, which is a subset of SPI. I suspect this was done to avoid licensing the protocol from Motorola. With a TL866+ programmer I could not read the chip in-circuit, neither with a SOIC-8 clip nor with wires and probes, but after desoldering it the read succeeded.

I could dump the code using the following command:

sudo minipro --device "ST93C46C(x8)@SOIC8" --read thinkpad_365XD.rom

I haven’t tested the chip with flashrom and a Raspberry Pi, but that might work as well.

Zeroing the whole EEPROM makes the BIOS halt with a CRC error, so the dump must contain at least a password (or a hash of it) and a CRC. Thanks to Victor Voinea, who made me realize how the bytes are stored: the EEPROM is accessed as 16-bit words stored little endian, so every pair of bytes appears swapped in the dump. The password bytes aren't ASCII but keyboard scancodes. For example, the password "ABCDEFG" shows up in the dump as the scancodes for BADCFE?G, where ? is a byte between E and G that does not map to an alphanumeric scancode. See the GitLab repo for the code.
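To make the word-swap and scancode mapping concrete, here is an added decoder; it is example code written for this page, not the code in the GitLab repo. It assumes the BIOS stores PC/XT "set 1" make codes (the page does not say which scancode set is used), that the byte after the last password character is a 0x00 pad (the page only says it is not an alphanumeric scancode), and, because the page does not give the offset of the password inside the 128-byte 93C46 dump, it scans the byte-swapped dump for the longest run of decodable scancodes instead of reading a fixed offset. The sample dump is constructed inline (erased 0xFF cells with the encoded password at a made-up offset) so the script runs without the real chip.

```python
"""Recover a ThinkPad 365XD-style supervisor password from a 93C46 EEPROM dump.

Added example, not the author's GitLab code.  Assumptions (not stated on the page):
PC/XT set-1 make codes, a 0x00 pad byte after the password, unknown offset.
"""
import sys
from pathlib import Path

# Set-1 make codes for the alphanumeric keys, by keyboard row (assumption: the
# BIOS stores exactly these codes).  '1'..'0' run from 0x02 to 0x0B.
_ROWS = {"1234567890": 0x02, "QWERTYUIOP": 0x10, "ASDFGHJKL": 0x1E, "ZXCVBNM": 0x2C}
SET1_TO_CHAR = {first + i: ch for keys, first in _ROWS.items() for i, ch in enumerate(keys)}
CHAR_TO_SET1 = {ch: code for code, ch in SET1_TO_CHAR.items()}
PAD = 0x00  # assumed non-scancode filler that closes the password run


def unswap_words(dump: bytes) -> bytes:
    """Undo little-endian 16-bit word storage by swapping every byte pair.

    The swap is its own inverse, so the same function also builds the on-chip layout.
    """
    if len(dump) % 2:
        raise ValueError("a 93C46 in x16 mode holds whole words; odd-length dump")
    out = bytearray(len(dump))
    out[0::2] = dump[1::2]
    out[1::2] = dump[0::2]
    return bytes(out)


def scancodes_to_text(data: bytes) -> str:
    """Render bytes as characters; anything that is not an alphanumeric scancode becomes '.'."""
    return "".join(SET1_TO_CHAR.get(b, ".") for b in data)


def find_password(dump: bytes) -> tuple[int, str]:
    """Return (logical offset, password) of the longest scancode run in the dump.

    The offset refers to the byte order after unswapping, i.e. the order the BIOS sees.
    """
    logical = unswap_words(dump)
    best, start = (-1, ""), None
    for i, b in enumerate(logical + b"\x00"):  # sentinel terminates a run at the end
        if b in SET1_TO_CHAR:
            start = i if start is None else start
        elif start is not None:
            run = scancodes_to_text(logical[start:i])
            if len(run) > len(best[1]):
                best = (start, run)
            start = None
    return best


def encode_password(password: str) -> bytes:
    """Build the on-chip bytes for a password: scancodes, padded to a whole word, then swapped."""
    codes = bytes(CHAR_TO_SET1[c] for c in password.upper())
    codes += bytes([PAD]) * (len(codes) % 2)  # assumption: pad odd lengths with 0x00
    return unswap_words(codes)


def build_sample_dump(password: str, offset: int = 0x20) -> bytes:
    """Constructed 128-byte (1 Kbit) dump: erased cells with the password at a made-up offset."""
    dump = bytearray(b"\xff" * 128)
    block = encode_password(password)
    dump[offset:offset + len(block)] = block
    return bytes(dump)


if __name__ == "__main__":
    # Usage: decode.py [thinkpad_365XD.rom]; without an argument a constructed dump is used.
    dump = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_dump("ABCDEFG")
    print("raw bytes as scancodes :", scancodes_to_text(dump[0x20:0x28]))  # BADCFE.G for the sample
    offset, password = find_password(dump)
    print(f"password at logical offset 0x{offset:02x}: {password}")
```

Run against the real dump the raw view will show the byte-swapped text, exactly the BADCFE?G pattern described above, while find_password prints the password in the right order. The longest-run heuristic is deliberate: with only a 128-byte dump and no documented layout, scanning for decodable scancodes is more robust than hard-coding an offset that a different BIOS revision may not use.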