Hello,
A friend of mine approached me with a request for help to recover access to a few electronic devices left after the tragic death of his son. One of the devices is a Lenovo T480s laptop with UEFI Supervisor laptop. I did my research on the internet for possible methods and a couple of them led to the BadCaps forum.
Laptop: Lenovo T480s
MB: ET481 NS-B471 Rev: 1.0 2017-10-30
Type: 20L7-002CUS
S/N: PC-0WWFM7 18/08
BIOS IC: 25Q128JVSQ
Method #1: Lenovo autopatcher
Video: https://www.youtube.com/watch?v=s9XlN2Hl0ag
lenovo_autopatcher_0.2
The BIOS has been read and stored 3 times in files; the CRC is the same for each file. The BIOS was processed by lenovo_autopatcher_0.2 successfully. The resulting bin file was written into the BIOS chip. At the laptop's next boot a procedure to disable TPM was completed successfully. Then the original BIOS was written/restored into the BIOS chip. The following boot of the laptop still asks for password input.
The procedure was completed/repeated a few times (with connected/disconnected batteries) with exactly the same result.
Method #2: Supervisor password decryption
Video: https://www.youtube.com/watch?v=IhRw7ePhLKs
Followed the video in an attempt to decrypt the Supervisor's password. Using UEFITool, a padding value (00700000h) was found and the BIOS file was scanned for an offset (0003FC20h). Looking at 0073FC20h in the BIOS file, the password has 168 bytes and byte values way beyond keyboard scan codes. It is considered that this attempt/method is not applicable to the Lenovo T480s.
Keyboard scancodes: https://aeb.win.tue.nl/linux/kbd/scancodes-1.html
Method #3: JLPC ADC shorting to GND
Video: https://www.youtube.com/watch?v=D-PFVJpBcTY
URL: https://www.badcaps.net/forum/troubl...-ec-pwd-bypass
Followed the video. In many attempts to GND any of pins 4, 6, 8, 10 (ADC0:3) on the JLPC pads, only once was I offered to press F1 to get into BIOS settings, and for some inexplicable reason the keyboard refused to respond to key presses. All following attempts were unsuccessful so far (to catch the right timing to corrupt the data exchange and get into BIOS settings).
Please suggest how the Supervisor password can be removed.
Your help is greatly appreciated.