by gima 3494 days ago
> "I'm telling you to use different pins than ~all the other instructions on the web."

*sigh* Please, please, provide reasons along with your arguments. Simply stating something doesn't help, especially when there is contradicting information floating around.


[continued..] You can't generalize, but you can assume. Quite likely many Thinkpads use the same piece of code to handle firmware password-checking. Once the code is changed, it'll likely propagate (slowly) inside the company to all of the new (or firmware-updated) laptops.

That being said, it's likely the firmware's failsafe mechanism kicking in when it cannot access the memory chip that stores the password (because access to the chip is hindered).

Yet utilizing the "WP" (write protect) pin on the memory chip ought to do nothing in my opinion - unless the firmware tries to store something to the memory at boot time (which is entirely possible). On the other hand, forcing clock or data pins to ground - in effect disallowing any signalling via them - should be a sureproof way to force the firmware to trigger its failsafe mechanism.

I'm not using the WP pin, I'm using the PROT pin. It forces the EEPROM to behave differently, because it signals it does not have a good power state. The EEPROM can be 'read', but the data it hands back is different. You can go read the spec sheets for the EEPROMs in question. You have the part numbers.

But I was more interested in the end-to-end test, as I expected others reading would also be:

SCL to SDA (the usual instructions given elsewhere) only works on some models.

PROT to GND appears to work on all. In my collection of ~30 machines, it works on all the models SCL to SDA does, as well as all the models SCL to SDA does not.

PROT to GND was the original hack as discovered around the time of the T20.

Ahh, my mistake. WP != PROT. Utilizing the PROT pin appears to force the memory chip's internal read and write protection flags active, causing read and write operations to fail (unless I understood incorrectly). This kind of information could be beneficial to others if it's correct: you could add it to your post?

Source: http://cache.nxp.com/documents/data_sheet/PCA24S08.pdf (Section 6.4 Access Protection)

I did. Keep reading.

You said it's because of a mix-up when reading documentation, but you said nothing about *why* changing the write-protect pin's state should work - or why tying clock and data pins together should not.

To be fair, I cannot say with certainty why it works; I don't have code for the BIOS or EC. The CoreBoot and LibreBoot people might be able to shed some light.

The more interesting aspect, verified by testing, is that it does work.

In my own testing, SCL to SDA will not work on the T2X, T3X, T4X, T60, X2X, X3X, X4X, or X60. It does work on the T61/X61 and T400/500.

PROT to GND works on all of the above. I also tested it on an X230 (works), but I didn't check SCL to SDA on that machine.

Thanks for the list of combinations of Thinkpad models regarding SCL/SDA and PROT/GND. I tried SCL/SDA on my T60; of course it did not work... Do you happen to know how to locate PROT and GND on the top of the T60 mainboard? Unfortunately the guide on ja.axxs shows only where SCL and SDA are located. Really appreciate it, thanks!

GND and PROT are pins 31 and 32 on the same chip, right next to SCL and SDA on the 8356908. I don't know where PROT might be exposed on the top of the PCB; it very well might not be. I soldered leads directly to the chip to test.

I also said 'SCL to SDA does not work everywhere, whereas in testing, PROT to GND does'.

PROT is not the WP pin. They're different. Go read the spec sheets.

The original hack as discovered was PROT to GND, not SCL to SDA. My only speculation was as to why the hack as reposted changed over time.