Lenovo Thinkpad Ec Pwd Bypass

**claudio21s** · 10-10-2024, 11:32 AM

Hello, could someone help me to bypass an L14 GEN3 AMD?

Attached Files

if you find these attachements useful please consider making a small donation to the site

213039-1 (BDV)(.BRD).zip (119.6 KB, 24 views)

**Maxpower3** · 10-10-2024, 11:53 AM

Originally posted by claudio21s

Hello, could someone help me to bypass an L14 GEN3 AMD?

**rediii** · 10-11-2024, 12:31 AM

Originally posted by Maxpower3

it won't work. the device is using the espi bus.

**claudio21s** · 10-11-2024, 10:53 AM

Originally posted by rediii

it won't work. the device is using the espi bus.

Yes, I tried and it didn't work, thanks anyway

**Halpert** · 10-14-2024, 08:25 AM

Hello, I need help with a T14 Gen1 with a MEC 1663 and NM-931.

I watched the video but couldn't get the timings from the video. I have tried many many times and have gotten errors but still haven't gotten anything at all. Could you help out with the timings? Or is this impractical? Should I try to desolder the EC and replace it?

Cheers.

**Andreasbest** · 10-14-2024, 01:23 PM

Originally posted by Halpert

Hello, I need help with a T14 Gen1 with a MEC 1663 and NM-931.

I watched the video but couldn't get the timings from the video. I have tried many many times and have gotten errors but still haven't gotten anything at all. Could you help out with the timings? Or is this impractical? Should I try to desolder the EC and replace it?

Cheers.

In my case ( P52, T480s, T490s ) i found the correct timing at the beginning of Lenovo logo, very short and fast short to ground and all fine.

**Halpert** · 10-14-2024, 02:16 PM

Originally posted by Andreasbest

In my case ( P52, T480s, T490s ) i found the correct timing at the beginning of Lenovo logo, very short and fast short to ground and all fine.

What did you use to ground? I'm trying to use a probe connected to a usb drive in the always on port and have gotten some errors, but is there a better way to do this?

Cheers.

**Andreasbest** · 10-14-2024, 02:56 PM

Originally posted by Halpert

What did you use to ground? I'm trying to use a probe connected to a usb drive in the always on port and have gotten some errors, but is there a better way to do this?

Cheers.

I made a simple circuit with a button, usb plug and probe. USB is always connected and probe on pin 4 or 6. Then i try with random button press but i found out that near or at Lenovo logo works.

**feherhollo** · 10-15-2024, 11:10 AM

Still no solution for T14 Gen 3? Based on MEC1723

Thanks

**Faheem khan** · 10-20-2024, 02:10 AM

hi good morning
i have lenovo yoga 6th gen motherboard part number is nm-d341 i have to remove bios password plz if any one have bypass point in this motherboard thanks

**ok escape** · 10-20-2024, 03:30 PM

Originally posted by Usering

Share experience
1)
very Risk method lpc on espi board
killed 2 laptop cpu short
nm-d362 io mec1503
nm-981 io npcx997
I would have made a little money, now I would have paid over $500 for the board on aliexpress .

2)
regarding changing the chip, you must be a professional because the chip is glued from the inside with a black substance that can spoil the welding place and also the source of purchasing the chip.

maybe add a 10K resistor on your short loop, that way you limit the current and less likely to damage anything.

**ok escape** · 10-20-2024, 03:51 PM

Originally posted by rediii

it won't work. the device is using the espi bus.

I just started researching this today as I am looking to potentially buy some P1G6, have no schematic and no idea of what's inside but I'm tempted the test.
My humble opinion is that this not working has nothing to do with the eSPI itself basically by shorting the LPC or any bus at the time the bootloader tries to read the bios it makes it fail. this is actually patchable via software an I think if any laptop with an EC (even the ones that worked previously) has a updated FW it might not work.
This might need some serious reverse engineering, basically plug into the bus, listen and decode. the thing is while the previous versions with a ROM chip were encrypted the communication on the bus is most likely not. it takes time and experience, if someone is willing to collaborate I'm happy to give a hand with the HW side of things

**rediii** · 10-21-2024, 12:30 AM

Originally posted by ok escape

I just started researching this today as I am looking to potentially buy some P1G6, have no schematic and no idea of what's inside but I'm tempted the test.
My humble opinion is that this not working has nothing to do with the eSPI itself basically by shorting the LPC or any bus at the time the bootloader tries to read the bios it makes it fail. this is actually patchable via software an I think if any laptop with an EC (even the ones that worked previously) has a updated FW it might not work.
This might need some serious reverse engineering, basically plug into the bus, listen and decode. the thing is while the previous versions with a ROM chip were encrypted the communication on the bus is most likely not. it takes time and experience, if someone is willing to collaborate I'm happy to give a hand with the HW side of things

this could be right. the p1 g6 won't work with the "classic lpc method” either, but nice to hear that you are willing to help.
the most elegant method would be to modify the main bios in a way, that the ec chip would erase or reset its eeprom content, so that the mainboard is like factory new. the u1 golden key tool is working with the newer thinkpad generations as well, so you can erase/reset the eeprom flash via initialization with the help of this tool.
i tried to modify the main and ec bios for hours (t15 g2i) and end up with nothing. thanks for the input though.
and i think you are right, the espi bus is most likely not the culprit, it's the logic design (new EC, EC AND MAIN BIOS + new bus system).

**Usering** · 10-23-2024, 08:11 AM

Originally posted by ok escape

I just started researching this today as I am looking to potentially buy some P1G6, have no schematic and no idea of what's inside but I'm tempted the test.
My humble opinion is that this not working has nothing to do with the eSPI itself basically by shorting the LPC or any bus at the time the bootloader tries to read the bios it makes it fail. this is actually patchable via software an I think if any laptop with an EC (even the ones that worked previously) has a updated FW it might not work.
This might need some serious reverse engineering, basically plug into the bus, listen and decode. the thing is while the previous versions with a ROM chip were encrypted the communication on the bus is most likely not. it takes time and experience, if someone is willing to collaborate I'm happy to give a hand with the HW side of things

I agree with you, because Victor, the Romanian Allservice team, uses a patch on UEFI to break the security BIOS, the new generation gen 2, gen 3, gen4, patch.

**azanwaqas771** · 10-23-2024, 11:47 AM

Originally posted by Usering

I agree with you, because Victor, the Romanian Allservice team, uses a patch on UEFI to break the security BIOS, the new generation gen 2, gen 3, gen4, patch.

no have anyupdate at allservices web site about new model unlocking gen2 gen3 gen 4 with patch

**rediii** · 10-24-2024, 12:37 AM

Originally posted by ok escape

I just started researching this today as I am looking to potentially buy some P1G6, have no schematic and no idea of what's inside but I'm tempted the test.
My humble opinion is that this not working has nothing to do with the eSPI itself basically by shorting the LPC or any bus at the time the bootloader tries to read the bios it makes it fail. this is actually patchable via software an I think if any laptop with an EC (even the ones that worked previously) has a updated FW it might not work.
This might need some serious reverse engineering, basically plug into the bus, listen and decode. the thing is while the previous versions with a ROM chip were encrypted the communication on the bus is most likely not. it takes time and experience, if someone is willing to collaborate I'm happy to give a hand with the HW side of things

at least you can use the stock bios to use the machine. with secure boot set off (natively), you are even able to boot the u1 golden key tool. i've done some tests: the eeprom is software locked as soon as you set a svp. in the sixth block (1st line) of the eeprom dump hex code block 00 00 is set to e2 e2. if you don't enter the pw at startup you won't be able to read the full eeprom (error reading code block 6,7) bin AND can't initialize/erase (error writing block 0,1 etc.) it either. it is possible to set the machine type model, but nothing else. this is at least the case for mec1503.

**rediii** · 10-24-2024, 12:39 AM

Originally posted by Usering

I agree with you, because Victor, the Romanian Allservice team, uses a patch on UEFI to break the security BIOS, the new generation gen 2, gen 3, gen4, patch.

wrong

**Usering** · 10-24-2024, 08:23 PM

Originally posted by rediii

wrong

True, it has a bios patch for the 32mb chip, all models and all generation .
Victor is the only person who was able to unlock the via driver dxe uefi

**electro01** · 10-24-2024, 09:31 PM

Hello, could someone help to bypass an L14 GEN 3 AMD?

**Andreasbest** · 10-24-2024, 10:58 PM

Originally posted by Usering

True, it has a bios patch for the 32mb chip, all models and all generation .
Victor is the only person who was able to unlock the via driver dxe uefi

DXE patch worked until Intel 7th gen Lenovo.
Not working on 8th gen and above.

Lenovo Thinkpad Ec Pwd Bypass

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics