Flakke
November 19, 2019, 10:52am
1
Hi everyone, I read for hours and googled even longer for a way to reset or bypass the supervisor password for my Yoga 370. As far as I understand, I have the following chances to do that:
- Somebody here knows what to rewrite in the uefi-bios.bin to get the job done
- The (maybe - maybe not) supersecret leaked code from allservice(.ro) gets spread around the internet, which seems to work even without their key
- It's still possible to overwrite the SVP with zeros like DasLabor mentioned. (Sorry, it's German; if Google Translate doesn't help I can translate)
On newer ThinkPads (e.g. X220, T4x0, T5x0 etc.), especially those with UEFI support, it is still sufficient to replace parts of the EEPROM with zeros. According to Lenovo, the relevant area comprises the addresses 0x10 to 0x1F and 0x20 to 0x2F on block 6 (i.e. the fourth I2C address of the EEPROM: 0x57). The two address ranges mentioned contain the SVP and should be identical (the 2nd is the backup of the 1st). In addition to zeroing these two SVPs, it appears to be necessary to also deactivate the SVP by setting the two bytes 0x02 and 0x03 to 0. On an X220 this led to the desired result.
But I am still not sure if I am using the hex editor correctly. Am I correct? My setup:
My image on Google Drive, if someone wants to work with it. The information I already extracted:
+-----------------------------------------+
|        ME Analyzer v1.96.4 r177         |
+-----------------------------------------+

+---------------------------------------------+
|            newgen7000.rom (1/1)             |
+-------------------------+-------------------+
| Family                  | CSE ME            |
| Version                 | 11.6.29.3287      |
| Release                 | Production        |
| Type                    | Region, Extracted |
| SKU                     | Corporate LP      |
| Chipset                 | SPT/KBP-LP C      |
| Security Version Number | 1                 |
| Version Control Number  | 193               |
| Production Ready        | Yes               |
| Power Down Mitigation   | No                |
| Lewisburg PCH Support   | No                |
| OEM RSA Signature       | No                |
| OEM Unlock Token        | No                |
| Date                    | 2017-05-04        |
| File System State       | Initialized       |
| Size                    | 0x643000          |
| Flash Image Tool        | 11.6.29.3287      |
| Latest                  | No                |
+-------------------------+-------------------+
parseVendorHashFile: Phoenix hash file found
parsePadFileBody: non-UEFI data found in pad-file
findFitRecursive: FIT table candidate found, but not referenced from the last VTF
findFitRecursive: real FIT table found at physical address FFE90000h
---------------------------------------------------------------------------
Address | Size | Ver | CS | Type / Info
---------------------------------------------------------------------------
FIT               | 000000B0h | 0100h | E6h | FIT Header |
00000000FFDF0060h | 00018000h | 0100h | 00h | Microcode | CPUID: 000406E3h, Revision: 000000BAh, Date: 09.04.2017
00000000FFE08060h | 00017400h | 0100h | 00h | Microcode | CPUID: 000406E8h, Revision: 00000026h, Date: 14.04.2016
00000000FFE1F460h | 00017C00h | 0100h | 00h | Microcode | CPUID: 000806E9h, Revision: 00000062h, Date: 27.04.2017
00000000FFF88000h | 00008000h | 0100h | 00h | BIOS ACM | LocalOffset: 00000018h, EntryPoint: 00003BB1h, ACM SVN: 0002h, Date: 28.08.2016
00000000FFFFB6C0h | 00000494h | 0100h | 00h | BIOS Init |
00000000FFF90000h | 00005000h | 0100h | 00h | BIOS Init |
00000000FFEA0000h | 0000E800h | 0100h | 00h | BIOS Init |
00000000FFFE0000h | 00001ACCh | 0100h | 00h | BIOS Init |
00000000FFFFACC0h | 00000241h | 0100h | 00h | BootGuard Key Manifest | LocalOffset: 00000000h, KM Version: 10h, KM SVN: 00h, KM ID: 01h
00000000FFFFB1C0h | 000002DFh | 0100h | 00h | BootGuard Boot Policy | LocalOffset: 00000500h, BP SVN: 00h, ACM SVN: 02h
I also attached the UEFITool report to this thread. I am thankful for every hint that gets me any further!
newgen7000.rom.report.txt (334 KB)
Flakke
November 23, 2019, 8:34am
2
Is my request that foolish, or does just nobody know the answer? If it is foolish, please give me a hint why it is :-/
SODA
December 3, 2019, 4:37am
3
The password is saved in the EC, not the BIOS. allservice has its method to overwrite the last (secure) page of the EC to remove the password. The old guide with shorting pins is obsolete with models equal to/newer than the #40 series.