Thinkpad stuff
Getting it to boot
Recently I got a Thinkpad 760EL at auction (9547-a4f) for a reasonable price, it works quite reasonably, but had a major problem of the trackpoint not working, and causing the system to refuse to boot. The actual error code being:
08611 - corresponds to "8611: System bus error. I/F between 8042 and IPDC (Pointing device error when TrackPoint III is enabled.)"
I dismantled the entire thing right down to the cpu, put it back together, and still didn't have any luck. Eventually, I discovered if you press ctrl-d in the "config" section of easysetup, you get a hex editor to edit the cmos contents directly. After fiddling, I discovered that byte 0x20 of "Base 128 Cmos" had some interesting features. According to the tpctl docs, bits 1 and 2 set whether to enable the trackpoint. I couldn't make these do much, but found the following:
Bit 5 - when set, the system runs very slowly, as if the memory bus is slowed.
Bit 6 - when set, disable the Trackpoint and boot even with errors <- this is what I was looking for. Bit 7 - unless this is set, the laptop locks/reboots/blanks soon after starting whatever OS/program is running. Unsure why I need to set this, as it is off by default. As an example, the base128 section of my 760EL has:
52 ff 46 ff 15 ff 06 07 02 03 26 02 70 80 00 00
40 00 f0 00 03 80 02 ff ff 7f 00 00 00 00 11 00
*02*20 c9 8a 13 fc 70 e2 03 39 51 00 80 03 09 89
ff ff 20 01 00 00 80 03 00 00 00 00 00 00 00 00
98 88 00 01 00 03 00 04 00 0b f0 00 00 ff ff ff
*snip* The stared 02 byte should change to 62 to ignore
the trackpoint failing (bit 6) and to stop lockups on boot (bit
7). You might need to fiddle about with some other bytes too,
byte 0x21 or the lower bits of 0x20 seem promising. Let me know
if others are successful and I'll add that info. Password
Bypassing After getting the actual laptop booting, I was playing
about with the IBM dos util disks, and found that they could boot
a floppy even if a supervisor password was set, and boot from
floppy was disabled... The start of the disk is the obvious place
to look. Below is the start of Debian's woody rescue.bin:
Normal:
0000000: eb3c 9053 5953 4c49 4e55 5800 0201 0100
0000010: 02e0 0040 0bf0 0900 1200 0200 0000 0000
0000020: 0000 0000 0000 29c3 dd84 284e 4f20 4e41
0000030: 4d45 2020 2020 4641 5431 3220 2020 fafc
0000040: 31c9 8ed1 bc00 7c8e c1b1 08bf b054 f3a5
0000050: 8ed9 fb88 1624 7cf6 c280 7428 f645 f07f
0000060: 750a 8d75 f8bf 1c7c b102 f3a5 b408 cd13
Modified:
0000000: eb3c 9049 424d 2035 2033 7900 0201 0100
0000010: 02e0 0040 0bf0 0900 1200 0200 0000 0000
0000020: 0000 0000 0000 29e8 1753 154e 4f20 4e41
0000030: 4d45 2020 2020 4641 5431 3220 2020 fafc
0000040: 31c9 8ed1 bc00 7c8e c1b1 08bf b054 f3a5
0000050: 8ed9 fb88 1624 7cf6 c280 7428 f645 f07f
0000060: 750a 8d75 f8bf 1c7c b102 f3a5 b408 cd13
Spot the difference... This method will only work with a supervisor
password (which also sets the HD password to be the same), if there
is _just_ a HD password, it won't work, as even the BIOS doesn't know
what it is. It won't remove the supervisor password, however it could
let you access the disk contents if it has a corrupt boot sector and
the supervisor password is forgotten etc.
No comments:
Post a Comment