Tictactouc / x270_BIOS_Reset

Thinkpad x270 supervisor password reset

What is this for? #1

Open rannx0 opened 5 months ago

rannx0 commented 5 months ago

Can you explain what the file is for?

Tictactouc commented 5 months ago

Hi, I will make a README tonight, but the goal of this repository was to document my process to unlock a Thinkpad x270 locked with a supervisor password (if I recall correctly, the BIOS was still accessible if I entered the password "0000", but all BIOS options were greyed out), and the TPM security chip was enabled too.

So, in short, the process involved multiple steps:

Setup

A lot of the above process is well described in this link: https://winraid.level1techs.com/t/guide-flash-bios-with-ch341a-programmer/32948

  1. The first step was to buy the CH341A programmer in order to access the memory of the BIOS chip, and to mod the programmer in order to get an output of 3.3 V on the data lines instead of the 4.8 V it was outputting. Apparently this was caused by a design defect prior to v1.6 of the programmer. Also, from what I've understood, this defect is not a big deal because the current is very, very low and it is very unlikely to fry the chip. Anyway, I really didn't want to break the BIOS chip and lose the laptop, so I did the mod. A good resource about this process is here: https://www.youtube.com/watch?v=HwnzzF645hA

  2. The next step was to install the software "AsProgrammer" and the driver for the programmer, which can be found here (the right one is CH341PAR.EXE): https://www.onetransistor.eu/2017/08/ch341a-mini-programmer-schematic.html

  3. The last step to complete the setup is to locate the chip (which is a Winbond W25Q128FV) under the black plastic, right next to the CPU, and to connect the clip to it (be careful with the orientation).

At this point the setup should look like this: [photo 20231111_190101]

Dumping and patching the BIOS EEPROM data

  1. Using AsProgrammer, I made multiple dumps of the data and compared them to make sure they were not corrupted.

  2. Now the real game begins: the dump needs to be patched with a special tool found on the Badcaps forum (all the credit goes to these guys). THIS IS THE MAGICAL LINK WHERE ALL THE WITCHCRAFT HAPPENS: https://badcaps.net/forum/showthread.php?t=87588 From what I have understood, the tool modifies some regions of data, notably the DXE drivers, and replaces them with custom ones made to exploit some vulnerability to trick the BIOS into thinking it's brand new and erase the password stored in the TPM security chip. (I will try to understand and explain it better when I write the README.) Anyway, I ran the tool according to the steps described in the link above and applied the patch. Then I checked that the patch had made modifications to the data by comparing the patched BIOS with the old one using WinMerge.

  3. After that, using AsProgrammer, I erased the BIOS and wrote the patched one.

Running the exploit and rewriting the old one

Now that the patched BIOS has been written to the chip, I just followed the steps described on the Badcaps forum (this is copied from the original post):

  1. Boot the machine
  2. Press ENTER/F1/etc. to enter BIOS settings
  3. Enter any character when asked for Supervisor Password
  4. Press enter when it shows Hardware ID
  5. Press space bar 2x when asked
  6. Turn off machine

And voilà, the laptop was unlocked.

I intend to use this message as a base for writing the README.
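As an added example (not part of the original post, the repository, or the Badcaps tool), here is a small Python script for the two checks the "Dumping and patching" steps rely on: confirming that repeated reads of the chip agree and are not a blank or floating-bus read, and listing exactly which flash sectors the patch touched before anything is written back. It assumes raw binary images as saved by AsProgrammer and the chip named in the post, a Winbond W25Q128FV (128 Mbit = 16 MiB, 4 KiB erase sectors); the file names and the constructed images at the bottom are illustrative.

```python
"""Sanity checks for SPI flash dumps before patching and reflashing.

Added example, not code from the repository or the Badcaps tool. Assumptions:
dumps are raw binary images as saved by AsProgrammer, and the chip is a Winbond
W25Q128FV (128 Mbit = 16 MiB, 4 KiB erase sectors).
Usage: python check_dump.py dump1.bin dump2.bin ... [--patched patched.bin]
"""
import hashlib
import sys
from pathlib import Path

W25Q128FV_SIZE = 16 * 1024 * 1024   # 128 Mbit = 16 MiB
SECTOR = 4096                        # W25Q128FV minimum erase unit


def dump_problems(data: bytes, expected_size: int = W25Q128FV_SIZE) -> list:
    """List what is wrong with a single dump; an empty list means it looks sane."""
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} bytes, expected {expected_size}")
    # A read taken with the clip not seated usually comes back as all 0xFF
    # (bus floating high) or all 0x00; either way it is not the chip's contents.
    if data and data.count(0xFF) == len(data):
        problems.append("every byte is 0xFF (blank chip or clip not seated)")
    if data and data.count(0x00) == len(data):
        problems.append("every byte is 0x00 (chip not answering)")
    return problems


def dumps_agree(dumps) -> bool:
    """True when repeated reads hash identically; a flaky clip gives differing hashes."""
    return len({hashlib.sha256(d).hexdigest() for d in dumps}) == 1


def changed_sectors(original: bytes, patched: bytes, sector: int = SECTOR) -> list:
    """Return sector-aligned [(start, end)] byte ranges where patched != original.

    Adjacent changed sectors are merged, so a replaced module shows up as one
    range instead of thousands of single-byte hits.
    """
    if len(original) != len(patched):
        raise ValueError("images differ in size; refusing to compare")
    regions = []
    for off in range(0, len(original), sector):
        if original[off:off + sector] == patched[off:off + sector]:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + sector)   # extend previous range
        else:
            regions.append((off, off + sector))
    return regions


def changed_bytes(original: bytes, patched: bytes, sector: int = SECTOR) -> int:
    """Count differing bytes, scanning only the sectors that actually changed."""
    return sum(
        a != b
        for start, end in changed_sectors(original, patched, sector)
        for a, b in zip(original[start:end], patched[start:end])
    )


def main(argv):
    patched_path = None
    if "--patched" in argv:
        i = argv.index("--patched")
        patched_path = argv[i + 1]
        argv = argv[:i] + argv[i + 2:]
    dumps = [Path(p).read_bytes() for p in argv]
    for p, d in zip(argv, dumps):
        print(p, "OK" if not dump_problems(d) else dump_problems(d))
    print("all dumps identical:", dumps_agree(dumps))
    if patched_path and dumps:
        patched = Path(patched_path).read_bytes()
        for start, end in changed_sectors(dumps[0], patched):
            print(f"  changed: 0x{start:08x}-0x{end:08x} ({end - start} bytes)")
        print("differing bytes:", changed_bytes(dumps[0], patched))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it on the two or three raw dumps first; only when they hash identically and show no problems is there a trustworthy "original" to keep as a backup. Then run it again with `--patched` to confirm the patch changed a handful of sectors rather than, say, the whole image or nothing at all, which is the same check the post does by hand with WinMerge.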

Tictactouc commented 5 months ago

And for your original question, the files in this repository are just the dump of my BIOS, the patched BIOS, and photos and a video of the process.

Tictactouc commented 5 months ago

Updated the comment with the missing link.