Recovering an unknown supervisor password from IBM 600X
Background
I acquired an IBM 600E laptop for use by my younger daughter's Lego Robotics team back in 2001. It served its purpose by
being small, light, reliable and extremely well supported both by IBM and the aftermarket. It was passed onto my older
daughter for her use when she started high school. Several years later, when my younger daughter needed a computer for
school work I saw that the 600E was replaced by the 600X. I bought a 500Mhz 600X off of eBay for her and thus began my
accumulation of 600X laptops. Currently I have three 500Mhz systems and the one 650Mhz machine, from which I have just
successfully read and removed an unknown supervisor password. I have taken the 600 laptops apart several times to replace
a keyboard, a broken LCD, an intermittent inverter for the display, clean out some spilled water which shorted out the
display and installed an 802.11b/g antenna into the lid for a mini-PCI wireless card. I had not disassembled the laptop
to the point of removing the motherboard until this project. If you are reading this page and want to know how to take
your 600X laptop apart, download this IBM Hardware
Maintenance Manual (954Kb), in Adobe Acrobat Reader (.PDF) format. This page documents what I did to extract the
unknown supervisor password and can be used as a reference if you attempt to try this yourself. You should have an
understanding of how to read an electronic schematic diagram and be able to build the circuit. You need to be comfortable
with tearing apart a laptop and keeping track of the numerous screws and bits and pieces. You do not need any specialized
tools or equipment (other than a low-wattage soldering iron and the skill to use it). Work slowly and refer to the hardware
manual if you get stuck. Also, the usual disclaimer applies: I cannot be held responsible for additional damage you may
incur if you follow the advice on this page. This procedure worked for me. It has worked for others. It may or may not
work for you. Your mileage may vary, etc., etc., etc.
IBM 600X - type 2645-9FU
Note: This procedure was performed on a 650Mhz 600X. According to the IBM Hardware Maintenance Manual, there
is a different motherboard used by this speed of processor, than the one used by the 450Mhz and 500Mhz versions. At this
time I am assuming that the location of the Atmel 24RF08 EEPROM is the same for the two motherboards. I will know for sure
in the first couple of weeks of May 2006 when I have a chance to compare the motherboards.
May 7th: Confirmed! The location of the Atmel 24RF08 is the same between the two motherboards (10L1353
and 08K3110). Although it doesn't really matter now since I have found an alternate connection
point! I have left my original descriptions intact from this point on and added my simpler method near the end of the
page.
I had noticed that from time to time, eBay sellers were listing 600X laptops for "parts" or "repair". They were described
as having a forgotten BIOS or supervisor password. Researching the issue, I found that IBM was willing to fix the problem
by replacing the entire motherboard (many $$$$). I also saw people offering either a mail-in service or a do-it-yourself
service (for fewer $$$$). That's when I encountered Victor's method (no $$$$!) and bookmarked his site for IBM password help for future reference. In March
2006 I saw a 600X laptop being offered on eBay which was described as being fully functional before he had a problem with
the CMOS battery. After replacing the battery the laptop booted with errors 161 and 163, well known issues with the system
clock and backup battery. That's when he said the laptop started asking for the supervisor password (lost system clock
setting requires entry into BIOS to correct, which requires the proper password). Because the laptop was bought from a
previous employer who was no longer in business, he decided to sell the system for parts. Along with the laptop was a
docking station, PCMCIA adapter for the docking station, external battery charger, extra battery, three AC adapters and a
very nice Targus carrying case. Figuring it was worth around $200 in parts alone, I ended up sniping it at $132 :-). I
thought that this would be the perfect opportunity to see if I could duplicate Victor's (and other people's) success of
password recovery. At worst, I could use the new laptop for parts. I didn't need the docking station (have 4) or AC
adapters (probably 6 of those), but thought the PCMCIA add-on to the docking station would be useful. I never knew the
external battery chargers were available until then. Side note: As eBay can be a dumping ground for stolen equipment I
would caution people to check into each seller's feedback to get a feel for their reason(s) for offering the items. Since
the seller I dealt with appeared to be both honest and reliable, I even e-mailed him the password I found so he could
retrieve the data off of the original hard drive he kept.
Starting the process to read the EEPROM
I got to work collecting the parts needed for the driven interface circuit. I work as a Memory Test Engineer so I found
all of the parts I needed at work, except for the MAX232 and a small breadboard. A trip to the local major electronics retailer yielded the Elenco 9830C breadboard for $6.00 and a box
of jumper wires for $10. A visit to the local surplus store resulted in the MAX232
for about $2.50 each. Using the instructions provided by Victor, this is what my driven-interface circuit looks like:
and a close-up of the layout:
Since I used the MAX232 (and not the A version) all of the capacitors are 1µF. The diodes are actually 1N914 which is
close enough to the 1N4148s. Since the breadboard had power busses on both sides, I tied them together to simplify the
layout of the parts. You may notice some "extra" capacitors; they are only being used so I had something the small clips
could grab onto. Four differently colored wires were soldered to the appropriate pins of the female DB-9 connector and
the loose ends pushed into the breadboard at the selected locations. A small amount of duct tape was placed over the 4
wires to the DB-9 connector and three test clips (not shown in these pictures) so they wouldn't accidentally be pulled
out. The battery pack solution needed a little thought: the interface specified 3 AA batteries (4.5v) as the source of
power. I had located a battery holder (with alligator clips!) for 4 AAs at work. Wanting to stay within the design
parameters of the MAX232 circuit, I had to figure a way to get only 3 batteries into the holder and have it work. My
solution:
The screws you see masquerading as the fourth battery are the screws that mount serial and parallel port jacks into
equipment panels. You know, the ones you are supposed to use when you attach the serial/parallel cables to the computer
and you don't want them yanked out when you tug on them. Six of them screwed together and finished off with two washers
and a nut. Exactly the distance I needed to simulate a double-A battery. Of course, now that I think about it, I could
have used 4 partially-discharged NiMH batteries (total of around 5.2v), but this was fun to figure out. With the circuit
ready for work, now came the time to disassemble the laptop.
Disassembly - Where's the 24RF08? (or use the easier method)
Using these instructions that I had found at
servicefourm.lx.ro, I knew that I was looking for an Atmel 24RF08 EEPROM. I removed the keyboard and searched around the
top of the motherboard. No luck. Look again... still not there. Going back to the servicefourm.lx.ro site I searched and
found this thread, which at the time, had an answer
that it was located at "U79" and that it was at the bottom left side of the processor. I took this to mean the Intel CPU
processor board which sits atop the motherboard. I removed the heat sink/fan assembly and found... nothing again. I
removed the entire processor board and looked at the bottom of it. Not there either. I then posted a question in the thread
and waited for a response. At that time I had decided that it must be on the back side of the motherboard but wanted
confirmation of that fact before continuing to take the laptop apart. Almost immediately, Ricardo responded, "that's right.
It is at the back of the motherboard...". Looking at the hardware maintenance manual, you have to remove almost
everything to get the motherboard out (sigh)! A little while later this is what I saw:
...the elusive Atmel 24RF08!
Connecting the interface
After a quick run to Radio Shack to pick up some 30 gauge wirewrap wire (that I thought I already had), I attached the
three wires to the motherboard as shown in the photos below:
A closer inspection of pins 8 and 10 of the Atmel 24RF08...
and where I picked up the ground connection at one end of a large capacitor. Since I wanted to minimize the amount of
soldering I had to do directly on the EEPROM, I decided to look for something easier for ground. This spot happened to
be along the way where I had decided the wires were going to exit the laptop case.
Putting the motherboard back into the bottom of the case you can see the spot where I threaded the three wires out of the
case:
A closer view of where, normally, the RJ-11 jack is located.
I decided that it wasn't necessary to re-attach all of the pieces back inside the laptop. I left out the modem
cable assembly (section 1150 of the maintenance manual), the PCMCIA card cage (1100), and microphone cable and TV output
card (1130). Basically, just the stuff needed to boot the laptop and see what's happening (CPU, keyboard, LCD).
The moment of truth, otherwise known as the "smoke test"
Booting the partially assembled laptop, this is what I was greeted with:
Well, so far, so good. Nothing unexpected was happening... surely a good sign. I had already prepared my spare 600X
laptop (reserved as a backup in case either daughter's system goes down) with the R24RF08.EXE and IBMPASS2.EXE programs.
A command prompt window was opened and the R24RF08 program started with the /x /d and /i switches since I was using the
driven interface circuit:
c:\> r24rf08 mytp.bin /x /d /i
(I apologize for not having the screen shots or pictures of this part of the process; I was so excited that it worked that
I forgot to document this step!) The program reported that the EEPROM was read and the file created. I disconnected the
interface circuit and powered down the locked laptop. I then executed the IBMPASS2 program using the following command:
c:\> ibmpass2 mytp.bin
The program started and displayed the EEPROM contents as a hexadecimal dump. The instructions said to go to address 0x330
so I scrolled down and found...
Hmmm... there's definitely something there but it's not being displayed as recognizable ASCII characters. Re-reading the
instructions again I saw the item about using a different scancode. The program has a button which toggles the alternate
scancode off and on so I clicked on it and found:
EUREKA!
I powered up the locked laptop and waited for the padlock icon to appear again. I entered the discovered password and
pressed "ENTER" and was rewarded with...
Epilogue (Part 1)
A few random thoughts on the next time I may need/want to do this:
- Before I actually soldered the wires directly onto the EEPROM, I tried to find an easier place (i.e. the TOP
side of the motherboard) to tap into the SDA and SCL pins of the EEPROM by attempting to follow the printed circuit traces.
I think I was able to find where the SDA signal is on top of the motherboard but it too was on a part that had the
fine-pitch lead spacing as the 24RF08. What I was hoping for was to find a via (a plated hole through the board) or a pad
or a larger component such as a chip cap or resistor to solder to. I did not find where the SCL signal goes.
- If anyone knows of a set of schematics for the 600X motherboard, I would be happy to hear from them. Use the e-mail
address at the bottom of this page to contact me.
- Actually, truth be told, the ground wire I attached on the motherboard came off just before I tried to read the
EEPROM. When I first ran the R24RF08 program it said that the EEPROM was not available. That's when I saw the loose ground
wire. I didn't want to disassemble the laptop again, so since it was only the ground connection, I held it into a
screw hole next to the DIMM memory (not the hole that holds the door closed; the other one next to the battery, it's ground
as well) while I started the R24RF08 program a second time. It worked :)
- Removing the supervisor password (once it is known) requires that you enter into the BIOS setup, select
the padlock icon, type the password into the box that is displayed and then immediately follow it by pressing the
SPACE BAR. That will cause a second box to be displayed to the right of the original password box. This enables you
to change the password (by entering in the new password) or remove the existing password by pressing the ENTER key.
You can then click on the OK button to exit the password setup screen. Restart the computer and you're done.
- By posting this page I think I just may have shot myself in the foot if I ever want to bid on another eBay-offered,
password-locked, IBM 600X :-P
As I had stated above, I had tried to find out where the SDA and SCL signals were routed onto the top side of the
motherboard. Not having any wires soldered onto the EEPROM at the time made it very difficult to trace the two signals.
Being eager to get on with the password recovery, I didn't pursue the signal tracing. However, after I was able to read
the password and unlock the 600X, I started thinking about this some more. It would be very useful to figure out a way to
get at the two signals without having to totally disassemble the laptop. I did not want to fool around with any of my
working systems so it was back to eBay to find someone selling just a motherboard. Within a week and for $3.50, plus
$9 shipping, I got ahold of a motherboard from a 500Mhz system (FRU 10L1353) and began inspecting it. I attached the two
wires to the 24RF08 EEPROM and got out my multimeter and started probing. I confirmed that the SDA signal was going to
the same IC near the docking port as on the 650Mhz motherboard (FRU 08K3110). I also found that the SCL signal went to
the same part! Even though both signals could be tapped from the top side, they were on a part with the same lead spacing
as the 24RF08. Not satisfied with what I found, I started looking around to see if these signals were available elsewhere.
After about 5 minutes of work, I found a way of reading the EEPROM without having to remove the LCD or the motherboard
from the case. You only need to take off the keyboard and CPU/heat sink on a 600X. Here is my method:
...and a closer look...
Both the SDA and SCL signals go to their own 2K ohm chip resistor, located almost directly on the opposite side of the
motherboard from the 24RF08. It is much easier, and safer in my opinion, to solder on a wire to this type of component
than the high-density leads of an IC. The only problem you might have is if you apply too much heat and lift the
resistor from the board. If you do that, you're using way more heat than you should. There is also a place to attach a
ground wire nearby. There are two empty pads on the motherboard just to the left of the chip resistors. You can use either
one of them for ground (see note below). The technique to prepare and solder on the wires is:
- cut three, 10" lengths of wire (I used 30 gauge wirewrap wire)
- strip off the insulation and cut the exposed wire down to only 1mm
- 'tin' each wire with a small amount of solder
- route one wire underneath the modem cable assembly
- place the tinned wire next to the end of the component, or on the copper pad of the motherboard
- heat the tip of the wire for only about 2 seconds with a low-wattage soldering iron (about 25w will do)
- repeat the last three steps for the other two wires
This is what it should look like after the wires are soldered on:
During processing of this picture I noticed a potential problem...
It's probably best to use the top-most ground pad in order to minimize the chance of shorting out the trace that runs
just below the two pads. Once you have attached the three wires, shove the loose ends out next to the battery terminals
as shown above. Re-install the CPU/heat sink assembly.
As you can see in the previous photo, it may be possible to solder on the wires without having to remove the CPU, but you
would need a very narrow tip on your soldering iron. It is possible to remove the wires without first having
to remove the CPU/heat sink. Replace the keyboard and proceed to the next step.
Reading and decoding the EEPROM
I had already defined a new supervisor password prior to this second disassembly. This way I knew what I was looking for
and could verify that the alternate connection points were correct. Having previously prepared the MAX232 interface circuit
and installing the two programs on the reading/decoding laptop, it was easy to get everything set up for this step. The
"locked" laptop was being powered by the AC adapter (no battery was installed because of the three wires). I turned it
on while pressing the F1 key to get it to enter into the Easy-Setup routine. When the lock icon appeared I connected the
three wires from the laptop to the interface circuit and plugged it into the reading/decoding laptop's serial port. Since
it was running Windows XP, I opened a DOS box (also known as a Command Prompt window) and entered the appropriate command.
This is what you should see when reading the EEPROM:
With the contents of the EEPROM written into the "readtp.bin" file, the next step is to run the IBMPASS2 program on the
file. Scrolling down to 0x330 will display the area in memory where the supervisor password is stored.
Clicking the "AA" button toggles the alternate scancode selection and reveals...
This is indeed the password that I had entered before trying my alternate connection method. It proves to me that the
two places to pick up the SDA and SCL signals on the topside of the motherboard work just as well as a direct connection
to the EEPROM.
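Why the row at 0x330 shows nothing recognizable until the scancode view is used, in both decoding passes described above, as an added example that is not part of the original page or of Victor's tools. It assumes the stored bytes are PC keyboard set 1 make codes (the page does not say which table either IBMPASS2 view uses); the dump contents and the position of the bytes within the row are constructed.

```python
"""Added illustration: the row at 0x330 of a 24RF08 dump, viewed as ASCII
and as keyboard scancodes. All dump contents below are constructed."""

EEPROM_SIZE = 1024     # the 24RF08 is an 8 Kbit (1 KiB) part
PASSWORD_ROW = 0x330   # address the page says to scroll to
ROW_LEN = 16           # one hex-dump row

# PC keyboard scancode set 1 make codes for digits and letters.
# Assumption: the page does not say which table IBMPASS2 uses in either view.
SET1 = dict(zip(range(0x02, 0x0C), "1234567890"))
for first_code, keys in ((0x10, "qwertyuiop"), (0x1E, "asdfghjkl"), (0x2C, "zxcvbnm")):
    SET1.update(zip(range(first_code, first_code + len(keys)), keys))
TO_CODE = {ch: code for code, ch in SET1.items()}


def is_blank_read(dump: bytes) -> bool:
    """True when every byte is identical (all 0xFF or 0x00): the usual sign
    of a floating bus, for example a ground wire that has come loose."""
    return len(set(dump)) <= 1


def read_row(dump: bytes, addr: int = PASSWORD_ROW) -> bytes:
    """Return one 16-byte row, refusing truncated or blank dumps."""
    if len(dump) != EEPROM_SIZE:
        raise ValueError(f"expected {EEPROM_SIZE} bytes, got {len(dump)}")
    if is_blank_read(dump):
        raise ValueError("dump is blank; check the SDA, SCL and ground wires")
    return dump[addr:addr + ROW_LEN]


def ascii_column(row: bytes) -> str:
    """What a hex viewer shows on the right: printable ASCII or '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)


def scancode_column(row: bytes) -> str:
    """The same bytes looked up as set 1 key codes instead of ASCII."""
    return "".join(SET1.get(b, ".") for b in row)


def format_row(dump: bytes, addr: int = PASSWORD_ROW) -> str:
    """One hex-dump line with both interpretations side by side."""
    row = read_row(dump, addr)
    hex_part = " ".join(f"{b:02X}" for b in row)
    return f"{addr:04X}  {hex_part}  |{ascii_column(row)}|  |{scancode_column(row)}|"


def build_sample_dump(password: str, offset: int = PASSWORD_ROW + 8) -> bytes:
    """Constructed dump: zero filled, with the password's key codes placed
    inside the 0x330 row. The position within the row is an assumption."""
    dump = bytearray(EEPROM_SIZE)
    codes = bytes(TO_CODE[ch] for ch in password.lower())
    dump[offset:offset + len(codes)] = codes
    return bytes(dump)


if __name__ == "__main__":
    # "14218" is the password the page reports recovering in its P.S.
    print(format_row(build_sample_dump("14218")))
```

The key codes for digits (0x02 to 0x0B) fall in the ASCII control range, so a plain hex viewer's text column shows only dots for them.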
Epilogue (Part 2)
More thoughts on this procedure...
- This alternate connection method was performed on my 650Mhz laptop after inspecting a 450/500Mhz motherboard. The
IBM hardware manual says that these two boards are different. However, they appear to be the same where the 24RF08 EEPROM
is concerned.
- This method should work on any 600X system but proceed at your own risk. If anything looks different on your
board than what you see in my pictures then STOP.
- My understanding is that the 600 and 600E motherboards are totally different and none of the information about the
location of the 24RF08 EEPROM, or the alternate locations for the signals that I have posted here can be applied.
- I would be interested in hearing from anyone else who has followed the instructions I posted here. My e-mail
address is below.
- Now I KNOW I've definitely hurt my chances at getting a cheap, password-locked 600X laptop off of eBay.
P.S.
May 13, 2006 - I have verified that my alternate connection points also work on a 500Mhz motherboard. Before
purchasing my stripped down motherboard, I had also bought a pair of 500Mhz 600X systems off of eBay. They were described
as both having CMOS battery issues:
(Image copied from eBay auction page; not mine)
Before these two systems arrived, the motherboard was delivered and I started working on it and then used my 650Mhz system
to verify my method. The two laptops came while I was still documenting my procedure. I put them aside until I finished
updating this site and then I started to work on them. The first one was easy to fix (the one on the right). Pop in a new
CMOS battery, boot it, enter the current date and time, re-format the drive and everything tested fine with PC-Doctor. The
second one (above, on the left) also had a totally dead CMOS battery. I replaced it but when booted, the laptop showed the
"locked system" icon (the seller had said that there was no BIOS password; I had specifically asked about this). This
situation was not expected but it did provide another opportunity for me to test out my connection method. 30 minutes later
the password was history. Well, actually it was "14218" (which, as it turns out, is the last part of the seller's eBay ID!)
but that doesn't matter now :) If you look closely at the picture above, you will see that there is a difference between the
two error screens that I didn't notice at first. Both systems are using the same version of firmware; ITET54WW. The one on
the right, without the BIOS password, has the two error code numbers in the center portion of the screen and the "buttons"
on the bottom-left (OK and Cancel, I believe). The system on the left, that had the BIOS password, shows the 161 and 163
error codes on the left side of the screen, with an arrow pointing at a picture of a book. This means that you should be
checking the owner's manual on what to do next. There are no buttons provided to exit this screen. All you can do is power
off the computer. As I found out, the way to get to this screen is to simply hit the ENTER key when prompted for the
password. The "OK" icon still appears but it leads you to this message. Perhaps that's why the seller thought that
there was no BIOS password; he got an "OK" response but he apparently did not know what the laptop was asking for. In any
event, once the laptop was provided with the proper password, entry into the Easy-Setup BIOS routine was granted and I was
able to reset the date and time, and also to remove the password.
Credit and thanks
Firstly, total credit for this process goes to Victor at serviceforum.lx.ro for his work in developing the software
to read and decode the contents of the 24RF08 EEPROM. Thanks also go out to Ricardo for quickly responding to my
question about confirming the location of the EEPROM in the 600X. And finally, thanks to Nicolas who sold the laptop
on eBay and allowed me to experiment with this procedure. It was a great learning experience.
Raymond Kawakami
San Jose, CA
E-Mail: r k a w a k a m i AT y a h o o DOT COM
Copyright 2006
Version 1.4 - Released May 14, 2006 - Added P.S. about recovering unexpected password from 500Mhz system
Version 1.3 - Released May 12, 2006 - Corrected original diode part number from 1N4149 to 1N4148; changed note under
section "IBM 600X - type 2645-9FU" from normal font to strikethrough; changed "1uF" to "1µF"
Version 1.2 - Released May 8, 2006 - Added Alternate Connection Method
Version 1.1 - Released April 30, 2006 - Added note about differences between 450/500Mhz motherboard and 650Mhz; corrected
legend of memory modules in "motherboard_bottom1.jpg" image
Version 1.0 - Released April 17, 2006
All photos were taken by me (except where noted) using a Canon A10 camera and prepared for web posting using Paint Shop Pro
7. You have permission to link to this page but not to claim it as your own.