
Manual

This document provides instructions for recovering passwords stored on the TPM chip for several IBM Thinkpad models, including the T43, R52, T60, R60, Z60, and X60. It describes how to interface with and read/write the chip using specialized tools. The chip contains the supervisor password and other system information. By reading the chip data and decoding it, the supervisor password can be retrieved. The process requires connecting probes to specific points on the laptop motherboard while it is powered on in the BIOS to access the chip.

Uploaded by

ytdgdxg

PC8394T Tools 1.0d
Doc.ver. 4.0en, (c) ALLservice, 2006
http://www.allservice.ro, [email protected]
Author: Victor Voinea

Password recovery procedure for IBM ThinkPad T43, R52, T60, R60, Z60 and X60

1. Introduction.
IBM ThinkPads T43 and R52 use the Winbond™ PC8394T-VJG, a super I/O chip with TPM functions, to
store the supervisor password (SVP) and various OEM data such as the serial number, UUID, etc.
To retrieve the SVP, the chip must be accessed with RPC8394, a specially built reader that
can securely access the chip without tampering with the original data.
Once the chip data is copied into a binary file, another utility, IBMpass, can be used to translate the
password. However, in the case of passphrase-encoded passwords, the chip needs to be reprogrammed
using the chip writer, WPC8394.

2. Interfacing the chip.


PC8394T-VJG uses 2 pins to connect to the TPM module memory, conventionally named TPM1 and
TPM2. On the T43 and R52 these connection pins are accessible without disassembling the laptop; see the
marks in the pictures below (Fig. 1 and Fig. 2).
For the T60 and R60, the connection points are near the PC82573L (see Fig. 3); the laptop must be partially
disassembled to get access to them.
For the Z60 and X60, the connections can be made directly to the ATMEL 8356908 (Fig. 4 and Fig. 5).

Fig 1. T43 connection points close to the DDR2 SO-DIMM socket.


Fig 2. R52 and T43 (18xx) connection points close to the DDR2 SO-DIMM socket.

Fig 3. T60 and R60 connection points near to PC82573L.


Fig. 4. Z60 connection points to ATMEL 8356908 pins #33 and #34.

Fig. 5. X60 connection points to ATMEL 8356908 pins #33 and #34.

3. Interface signals and connections.
The interface used is driven-i2cprog, based on a MAX232 driver. This circuit was published earlier with
the 24RF08 tools; you can find the document interface.pdf in the install folder. Please check
interface.pdf to see the connection diagram for the TPM1 and TPM2 signals.

To adapt the interface circuit to the TPM connection points (marks), it is highly recommended to use 2
probes with very fine tips. GND can be clipped to the SO-DIMM fasteners or soldered directly to the
laptop GND.
The usage of the interface is described in the next section, “4. How to read the chip using RPC8394”.
Be sure the batteries are in good shape.

4. How to read the chip using RPC8394


Prepare your technician PC by connecting the interface to the COM1 port (don’t connect the
wires/probes to TPM1 and TPM2 yet!). Power on the interface using the batteries.
Remove the external PS cord and main battery from the locked laptop. Insert the PS cord again, hold
down the Fn key and turn on the locked ThinkPad by pressing the Power-On button. When the POST
screen appears, release the Fn key and press Access IBM to enter the BIOS Setup utility.
When you are prompted for the SVP password and there’s no other activity (e.g. HDD access), connect
the wires: GND to laptop GND, then the TPM2 and TPM1 probes to the corresponding marks on the PCB,
exactly as shown in the figures above.
Keep the probes firmly connected to the board marks while you execute the reader:

rpc8394.exe filename.bin

where filename.bin is the file in which the data will be stored.

Finally, remove the probes in reverse order (TPM1, TPM2, and GND last!) and turn off the ThinkPad by
pressing the on/off switch. Remove the PS cord.

5. How to write the chip using WPC8394.


The preparations and the procedure are the same as described in section 4, “How to read the
chip using RPC8394”.

To write the TPM chip, you first have to remove the protection using the “/p” switch. Execute from
the command line:

wpc8394 /p
wpc8394 filename.bin

where filename.bin contains the binary data to be written into the chip.

Finally, remove the probes in reverse order (TPM1, TPM2, and GND last!) and turn off the ThinkPad by
pressing the on/off switch. Remove the PS cord.

6. Retrieving the Supervisor password.


Once the .bin file has been created, you only need to view the dump as scan codes to retrieve the password.
IBMpass 2.0 is the software used to decode ThinkPad passwords. Open the dump file you created
earlier in IBMpass, activate the A-A button and search for the 0x330 and 0x340 lines. The password is
located at 0x338 and 0x340 in scan code.
When the passphrase is activated, the password is encrypted using the TCPA RSA-SHA1 algorithm. In
this case the dump must be modified and the TPM chip reprogrammed.

The TCPA reset service is provided separately, and must be done manually. It is not included
in the software license.

7. Cautions
- Always connect GND wire first, then TPM2 and finally TPM1 (TPM2 before TPM1)!
- Never try to connect TPM wires or probes simultaneously or try to reverse the TPM1 and TPM2
signals!

End of document.
