by gima 3493 days ago
[continued..] You can't generalize, but you can assume. Quite likely many Thinkpads use the same piece of code to handle firmware password-checking. Once the code is changed, it'll likely propagate (slowly) inside the company to all of the new (or firmware-updated) laptops.

That being said, it's likely the firmware's failsafe-mechanism kicking in when it cannot access the memory chip that stores the password (because access to the chip is hindered).

Yet utilizing the "WP" (write protect) pin on the memory chip ought to do nothing in my opinion - unless the firmware tries to store something to the memory at boot time (which is entirely possible). On the other hand, forcing clock or data pins to ground - in effect disallowing any signalling via them - should be a surefire way to force the firmware to trigger its failsafe mechanism.

I'm not using the WP pin, I'm using the PROT pin. It forces the EEPROM to behave differently, because it signals it does not have a good power state. The EEPROM can be 'read', but the data it hands back is different. You can go read the spec sheets for the EEPROMs in question. You have the part numbers.

But I was more interested in the end-to-end test, as I expected others reading would also be:

SCL to SDA (the usual instructions given elsewhere) only works on some models.

PROT to GND appears to work on all. In my collection of ~30 machines, it works on all the models SCL to SDA does, as well as all the models SCL to SDA does not.

PROT to GND was the original hack as discovered around the time of the T20.

Ahh, my mistake. WP != PROT. Utilizing the PROT pin appears to force the memory chip's internal read & write protection flags active, causing read and write operations to fail (unless I understood incorrectly). This kind of information could be beneficial to others if it's correct: You could add it to your post?

Source: http://cache.nxp.com/documents/data_sheet/PCA24S08.pdf (Section 6.4 Access Protection)