to ensure that your KeyMaker Board and ThinkPad are not damaged
In order to avoid damage to your
KeyMaker Board as well as the ThinkPad you are using it on, there are
certain precautions you MUST observe.
If you ignore these
precautions you will join the 3% of customers who bought a KeyMaker
board - ignored these precautions and damaged their KeyMaker Board
by being careless - then had to pay to have it replaced - and lost a
lot of time in the process.
Your KeyMaker has electrical contacts
on both sides, you must ensure that no part of your KeyMaker USB board
comes into contact with any conductive surfaces such as bare metal or
You should place down a piece of paper
and place your KeyMaker USB on top of it in order to avoid any
electrical contact which may damage your KeyMaker.
There is no danger of receiving an
electrical shock from your KeyMaker USB as the highest voltage
anywhere on the board is 5 Volts which is a safe voltage to touch.
If you prefer you can place your
KeyMaker USB board inside an Anti-Static plastic bag during use,
the board does not get warm at all, so there is no issue with
The same precautions apply to your
ThinkPad when you are performing any operation and BEFORE your
ThinkPad is switched ON, you must ensure that nothing can short out by
coming into contact with other parts, you can use sheets of plastic or
plain paper to make sure things remain electrically isolated.
You MUST NOT allow the SDA and SCL
leads from any KeyMaker KMX1 or KMX2 to come into contact with
ANYTHING other than the correct SDA and SDA EEPROM connections points
and ONLY AFTER;
You have traced the
wire you are using for your probe right back to the label on the I2C
header on the KeyMaker board which reads SDA for YOUR SDA lead and
reads SCL for YOUR SCL lead.
You have absolutely
confirmed that you have correctly identified the SDA and SCL
connection points on your ThinkPad System Board.
3% of customers who purchased a
KeyMaker Board have somehow managed to damaged their KeyMaker board.
NOT ONE of those customers can tell
me exactly what he or she did to damage it.
I have tried all sorts of seriously
ridiculous ways to damage a KeyMaker board and I have NOT BEEN ABLE TO
DAMAGE ONE !
I only tried MILDLY STUPID THINGS
like connecting a solid 9 Volt source to SDA and SCL - theoretically
that should have damaged the I/O pin on that KeyMaker powered from 3.3
Volts, IT DIDN'T.
Your KeyMaker board is a delicate
piece of equipment, treat it with respect.
Do NOT experiment or connect to
anything if you are not certain you have the correct connection points
There are voltages much higher than
3.3 Volts inside your ThinkPad, in fact up to 20 Volts.
20 Volts is not a danger to YOU but
it is to the KeyMaker KMX1 or KMX2.
Connect SDA and SCL leads ONLY if
you have double checked and are CERTAIN you have correctly identified
SDA and SCL connection points
The above is VERY IMPORTANT - don't ignore it
else you WILL damage your KeyMaker KMX1 or KMX2 board and that is
expensive, wastes a lot of time and is not much fun.
Put simply, do not waste
your time trying to use the KMX1 series board until after it has been Activated.
The following videos use
earlier board revisions with Red colour
Activity LED, current V4 board has Blue Activity Led
NOT activated KMX1 flashing Activity LED
Please read this entire page, more
than once if you have to, until you have a really good understanding of
ALL the steps involved, only then start unlocking your ThinkPad
There is a lot of text and a lot of photos on this
page which may give the incorrect impression that using KMX1 together
with KMX-LCD is really complicated, not so!
It is in fact very easy and convenient to use KMX1 together
Watch this short video first
Video - KMX1 working together with
[prototype] KMX-LCD recovering and Clearing Supervisor
Password from a Lenovo R60 NOTE: There are in fact 2 ITEMS, a KMX1 with the
KMX-LCD plugged in on top of the KMX1. KMX-LCD on its own does NOTHING!
Then read all the text below.
KMX1 series board
KMX1 hardware revision can be one of
the 4 boards depicted below which are functionally identical
The KMX-LCD board plugs in on top of the KMX1
Recovering or Clearing a Supervisor
Password (SVP) from a TP is fairly straightforward.
Once you know how to avoid all the
TRAPS IBM/Lenovo have set for you the customer.
I know this is all very exciting and you are ready
to start stripping down your TP and jump into it, but WAIT! read all
of this first.
Most people are absolutely certain they have a
Supervisor Password (SVP) set.
There is a chance you may not have a SVP set in
I have exchanged emails with many people who have
gone through all the SVP unlocking thing read the EEPROM, wasted days,
only to discover there is no SVP set at all.
How is that possible, are these people really dumb
The answer is NO, these are all perfectly sane
The real problem is IBM/Lenovo and their warped
sense of humour.
When you really do have strong security, you
challenge people to try and defeat it, you invite peer review to
make sure it is in fact secure.
When you have flimsy pretend security and you
obstinately pretend it is so secure even you cant unlock it, well you
have to get all secretive and vague about everything HOPING people
wont find out, in other words an illusion of strong security where
none really exist, which is what we have here.
Trap number 1, the Hard Disk Password
If at any time you see this Password
That icon with the small number 1 (it
may be a small number 2 or 3 if you have more than one Hard Disk]
means the HDP is set. You will not be able to easily recover or clear
the HDP, KMX1 will NOT recover or clear HDP.
It will cost you more to clear the HDP
than a new Hard disk is worth.
Clearing a HDP is only worth the
expense and effort if there is valuable data on the Hard disk that
MUST be recovered.
If HDP is set then
remove the Hard Disk [HD] before continuing so that you can determine
which other passwords (IF ANY) you need to recover or clear.
There may not be any other password set!
Ok, you removed the HD and you see yet another
Password Prompt icon.
Trap number 2, the guessing game - is it SVP
or POP -
The trap is that IBM/Lenovo in their wisdom chose to
have THE SAME PASSWORD PROMPT ICON for BOTH SVP and Power on
The password prompt icon pictured
Does NOT define which PASSWORD it is asking you to enter.
It can be either POP or SVP
Only ONE way to find out for sure
which one it is and maybe save a LOT of time.
Spend the time to read the first part of the HMM
which deals with Cautions some of which like for example Shock Sensors
are very important, you would not want to roughly handle your System
board to find out when you power it up to unlock it that in fact you
have ruined it.
Read the HMM section dealing with Passwords and
become familiar with how to remove Power on Password [POP]
Then follow the instructions for POP Removal
After performing POP Removal if there is no password
prompt icon displayed, you are done, your TP is unlocked.
if you have performed POP Removal and
you continue to see this password prompt icon
It does NOT mean you didn't
perform POP Removal correctly
It means that with POP removed,
you have now absolutely confirmed that you do indeed have a SVP set
and you can now put the time and effort into removing or clearing it.
and save the HMM, then follow the HMM to enable you strip
down the TP [without damaging it as you would if you don't
follow the HMM] down to the point you can access that EEPROM
location, depending on the model this could be ONE Screw or a
total strip down.
Connect 3 leads between the EEPROM's connection
points and KMX1 I2C connector
Switch on the TP and use the KM9A Menu to select
the EEPROM type which you would have from the EEPROM connection
That is the EEPROM type you select at this point from the menu
for your model TP if you are unlocking an R61, check for your
own model and select what that page says is the EEPROM in your
select the command to Recover or Clear your
More detail on those 5 steps follows below,
please continue reading
It will lead to this
The KMX-LCD board plugs in on top of the KMX1
When you purchase KMX1 you are supplied with a 4 wire
KMX1 hardware can be either of the 2 boards depicted
below which are functionally identical
Most of the time you will ONLY be using 2 of those 4
When KMX1 is used together with KMX-LCD and KMX1 is
powered by a USB port of the locked ThinkPad you will only be using 2 of
the 4 leads, SDA and SCL. GND connection is made by the USB cable
connecting KMX1 to the locked ThinkPad.
When using KMX1 together with
KMX-LCD you do NOT need to connect a separate GND.
IF and only IF the KMX1 is powered
by the USB cable plugged into the locked ThinkPad, the GND connection on
the USB cable supplies the GND connection between KMX1 board and the TP
EEPROM connection points.
When using KMX-LCD you do NOT need
to modify your cable by adding
2 x 180 Ohm resistors between KMX1 SCL and SDA, and the I2C
connector on KMX-LCD, the 2 resistors are already on the KMX-LCD board.
In the photo above on the right, the 4 wire lead is
connected onto the I2C header pins
NOTE: The orientation, by convention, much like a car
battery, RED is Positive Voltage, in this case it is called VCC.
Black is Negative or as we will be referring to it as
GND which stands for Ground, in plain English Ground is the negative or
common point in a circuit.
You do NOT connect VCC [the RED lead] or GND [the
BLACK lead] unless you are
reading an unsoldered 24xx series EEPROM and I can't see you doing that
very often if at all unless you run a Laptop Repair Shop.
When using KMX-LCD with KMX1 [the one with yellow
The eeprom cable supplied with KMX1 with yellow headers is
not 0.1" spacing so it will not fit the KMX-LCD I2C connector.
You have 2 choices for using the supplied eeprom cable
You can connect the separate leads to the KMX-LCD
connector, split the supplied 4 pin black header and plug in 1 pin for GND
and 2 pins for SDA and SCL
OR you can plug in the cable to the KMX1 board before
plugging the KMX-LCD on top, there is sufficient clearance
When it comes to making those 2 connections [SCL and
SDA] between KMX-LCD I2C connector and the EEPROM you have the choice of using;
Clips to make the connections
Using Sharp Probes, for example multimeter leads
that are skinny and come to a sharp point, they also have an
insulated handle for you to hold without your sweaty hands
interfering with the low power signals on SDA and SCL.
Whichever method you chose to make the 3 connections
is up to you, so long as there is a good electrical connection during
any Read or Write operation between the connection points at both the
EEPROM and KMx1 I2C CONNECTOR all is well.
EEPROM connector on KMX-LCD follows
the same convention as this early prototype.
want to unlock your TP and use it again?
It does not get any
easier than this!
Yes, you can easily do it
If you have read all the
preceding information on this page and not simply skipped all that
boring IMPORTANT information, - if you skipped it, go
back and read all of this page above.
Followed the HMM to
enable you to strip down the TP [without damaging it as you would
if you don't follow the HMM] down to the point you can access that
EEPROM location, depending on the model this could be ONE Screw or
a total strip down.
Having found the EEPROM
connection point for your TP Model, having decided if you use clips or sharp probes to make the actual connections.
The time has come to
actually make those connections.
method you chose.
You KMX1 + KMX-LCD
should be connected via the USB cable to the locked ThinkPad.
The locked ThinkPad
should be switched ON.
The locked ThinkPad
should be displaying a password prompt or be in BIOS setup, or
displaying an error message WHICH IS NOT A BOOT ERROR MESSAGE.
Your KMX1 should be switched ON,
this will happen anyway if it is connected by the USB cable to the
locked ThinkPad and that locked ThinkPad is switched on supplying
power to the KMX1 + KMX-LCD via the USB cable between them.
KeyMaker KMX-LCD functions are all selected by moving the Joystick tip Left, Right, Up and Down.
The KMX-LCD initial display will
vary depending on which KMX1 series board it is attached to
KMX1 Initial LCD Display
KMX1 PRO Initial LCD Display
KMX1 PRO S Initial LCD Display
If your KMX1_LCD is displaying 'Not
Activated' then BEFORE YOU CAN CONTINUE you
need to Activate
You need to select the correct Keyboard
in order that any recovered Supervisor Passwords are displayed correctly
for typing in on THAT TYPE OF KEYBOARD
A quick lesson: IBM and
Lenovo used three different key layouts for country specific
US English QWERTZ for DE German AZERTY for FR French
Since some keys are in
different places, the password could be different for each keyboard
if those keys were used.
Use the Joystick [move
joystick tip Down, release it and move it down again] to scroll down
the Keyboard select function
joystick tip to the Right to enter the ThinkPad Keyboard selection
US QWERTY Keyboard
selection is displayed
Joystick tip Down displays the next Keyboard option, German QWERTZ
Joystick tip Down displays the next Keyboard option, French AZERTY
move the Joystick tip UP and DOWN to scroll back and forth to
select your Keyboard, when your choice of Keyboard is displayed
move the Joystick tip to the left and your last displayed Keyboard
will be set as default Keyboard used to displayed recovered
password FOR THAT KEYBOARD, KMX1 remembers the keyboard selection
in Non Volatile Memory [NVM] so it not forgotten even if the KMX1
board is switched OFF.
series has a new 'DELAY' feature not found on previous versions of
solved by DELAY is that you will have to operate the Joystick to
start the operation to Recover or Clear the Supervisor Password.
should already be holding in place the SCL and SDA probes.
you probably do NOT have 3 hands !!
You could ask
another person to help you to operate the Joystick while you hold
the 2 probes in place ready for the operation to commence.
Or you can
do it on your own by working out how much time DELAY you will
need between the time you start the operation and when you have the
probes in place ready for that operation.
KMX1 is delivered with a delay of 5 seconds, you can change the
delay to 0, 5, 10 or 15 seconds.
change the delay, the new value is remembered by KMX1 in Non
Volatile Memory even if KMX1 is switched OFF.
how long a delay you need, and set that DELAY on KMX1
the delay from the default 5 second delay
being unlocked using KMX1 + KMX-LCD.
locked R52 has
been opened and placed on its side to allow access to the ON/OFF push
button and also to allow access to the underside of the R52.
cover underneath the R52 has been removed, the Memory has also been
removed to allow access to the EEPROM
connection points, only 1 screw to undo.
is powered by the USB port of the password locked R52
You can find the EEPROM
location and connection points for the R52 in this case on the EEPROM
Locations page, there you see the photo below of the R52 EEPROM
Later in this tutorial, the 2
sharp probes [for SCL and SDA] will need to held in place over the SCL
and SDA EEPROM connection points
The 2 connections MUST be
made to the correct connection points.
Double check you have not
mixed up the 2 wires.
With some models, you will
have a totally stripped down bare, yet able to be switched on and run
TP for this operation.
In that case make sure the
metal parts of the keyboard cannot come into electrical contact with
any part of the circuitry on the system board you can use paper or
plastic or insulating tape to keep things electrically isolated.
Make sure you do have
attached the CPU heat sink and that the CPU cooling fan is connected
and will operate when the TP is switched on, else you will fry your
On some models it helps if
you open the LCD screen at 90 degrees and stand the TP vertical so one
side of the LCD screen and one side of the Machine are resting on the
table surface, that way you can access the front and back of the TP
after it is switched ON.
If you are using sharp
probes to make the connections then you can wait until the locked TP
has been Switch ON and is at a password prompt before making the
connections using your sharp probes.
You have made sure
nothing can 'short out' ?
Plug a mini-USB cable from
one of the USB Ports on your password locked TP the other end of the
USB cable plugs into the KMX1 board USB connector.
Of course you do need to
connect some power to the ThinkPad via your TP AC adaptor, else
nothing useful will occur.
Switch the ThinkPad ON.
PRESS AND HOLD DOWN the
ThinkPad F1 KEY
If you don't hear the
sound of the CPU cooling fan running, switch off and check it before
continuing, normally the fan runs the instant you switch the TP ON, it
may stop in the next few seconds, that's OK, so long as it does run at
start up you know you have not forgotten to connect it during
WAIT until you see the
message 'Entering Bios setup' or similarly worded message or you see a
Password Prompt icon or you see an error message that is NOT about a
ONLY THEN RELEASE THE
If the ThinkPad has booted
to any operating System, switch it OFF and pay MORE ATTENTION, hold
down the F1 key and continue to hold it down while switching the
VERY IMPORTANT THAT YOU
DO NOT continue unless the ThinkPad is displaying the message
'Entering Bios setup' or similarly worded message or you see a
Password Prompt icon or you see an error message that is NOT about an
operating system boot error.
If you see this password
prompt icon with either the number 1 or 2 or 3 etc
means, that like a LOT OF PEOPLE, you are rushing and you completely
skipped the important information at the start of this page, please
switch the TP OFF, and start reading from the top of this page, this
time do NOT skip anything!
You should be seeing
final reminder for those in a huge rush who skip important
information, you did already follow the POP Removal procedure detailed
at the top of this page, YES?
Did you notice that each
page showing the location of the EEPROM connection points for each TP
model, starts off with, for example for R52;
EEPROM you treat it as LSI
That is telling us that
the EEPROM TYPE for an R52 is LSI.
You need to select that EEPROM TYPE
on the KMX-LCD by using the Joystick, push the Joystick tip down and
release it, push it down again until the EEPROM type for you TP is
displayed, in this example it is a 24RF08
the display above provides the following information
It is a KMX1
has been selected as the EEPROM type
Delay is set
to 5 seconds
set to US which is the standard QWERTY keyboard.
of those does not suit you, then use the KMX-LCD joystick to
navigate to a menu where you can change it.
Video - KMX1 together with KMX-LCD
recovering and Clearing Supervisor Password from a Lenovo R60
Now that you KNOW what
the Supervisor Password is.
Your TP is asking you to
enter the Supervisor Password?
Well now you have it!
You simply type in your
and press the ENTER key.
Your TP is
now unlocked, as a reward, you are greeted by this welcome sign of
an UNLOCKED TP
Now you have
full access to your TP
Time to congratulate
yourself on a job well done.
To permanently remove the
Supervisor Password, follow the instructions for turning off the
password option in the setup.
I would recommend that you
set a new Supervisor Password, one you can remember. If you don't set
one someone else can and you may have to do this all over again, much
easier to set your own password so no one else can set one and
To avoid confusion between
different language keyboards, you can select which Keyboard language
you wish to use to display your recovered passwords, see sample Screen
Shots further down at the foot of this webpage.
If the optional TPM/TCPA
Security (encryption) was enabled, then the SVP cannot be recovered -
it isn't a word or phrase that can be displayed. In that case
you would see *BADCS* or *NVPC**
NOT a problem!
KMX1 also has the SVP
This will clear ANY
password including the encrypted TPM/TCPA SVP or as some people call
it Reset TCPA.
You would move the
Joystick tip down to get to the LSI menu, move the joystick tip to
the right which would display SVP Recovery, move the joystick
tip Down to display SVP Clear, move the Joystick tip to the
right Clear SVP YES> asking you to confirm that you wish
to perform that operation, moving the Joystick tip to the right to
confirm would start the operation, you would see the count down
delay and then the operation to Clear SVP would be done.
A few seconds later
there is no longer an encrypted SVP and TCPA has been reset.
Switch OFF your TP,
switch it back ON again and it will NOT ask you for a SVP,
as if it never existed.
IF your laptop is set to boot over a Corporate Network then do not
tinker with BIOS setup unless you know the required settings for
your Corporate network.
If you have had to clear
SVP then (subject to the Caution above) you should while in BIOS
setup, SET DEFAULT setting, the F9 key does that, select BOOT and
also set defaults there by using F9.
Then Press F10 to SAVE
those settings, switch the TP OFF and switch it back ON again to
continue using it.
Those last F9, F10 steps
above are VERY IMPORTANT else you may see errors
reported, your TP may not find the Hard Disk to boot from etc.
Another quick lesson;
In the LCD display a
recovered SVP displayed as *BLANK*
means that there is no SVP set, the * (asterisk) on both sides of a
MESSAGE is used to indicate that the word displayed is not a recovered
Same thing with the
previous screen shot *BADCS*
You may also see *NVPC**
which stands for No Valid Password Characters.
The * character can never
be typed in as a password character on any TP, so it is used on either
side of a useful message when you go looking at the recovered SVP.
leaves you in any doubt about whether you are seeing a displayed
password or a message telling you it is a non recoverable encrypted
password *BADCS* [which stands for Bad Checksum] or that there
is no SVP set *BLANK*
If you see *BADCS* or
*NVPC** that is usually an indication the the TP has an encrypted TPM/TCPA
passwords set, your obvious option at that point is Clear SVP.
Final quick lesson;
When using KMX1,
connection leads to the EEPROM inside a TP can be connected whilst the
TP is switched OFF or ON, the leads can be left connected while
the TP is being switched ON and OFF.
If you are new to TP
unlocking you might be thinking - so what! well read on and you
will see what a significant difference that can make.
RS-232 based simple
interfaces when connected to the EEPROM inside a TP impose a
substantial load on the EEPROM's signal lines and if left connected
will interfere with the power on and power off functions of the TP.
Which means that when
using an old RS-232 interface the EEPROM leads must be
disconnected while the TP is powering up, connected to perform a
function then disconnected again before switching the TP OFF.
When using an old RS-232
interface the EEPROM leads can ONLY be connected after the TP has been
switched ON and has completed its power up functions.
connections do NOT have those restrictions because the KMX1 EEPROM connection points are High Impedance, they do not
load down the signals, therefore they can be left connected at all
times without affecting TP power up or power down.
A lot of TP unlock
operations require that you Power Cycle the TP, in other words
Switch OFF, Switch ON the TP, having to disconnect leads
from the EEPROM and reconnect those EEPROM leads each time the
TP is switched ON or OFF becomes tedious and can lead to mistakes.
Another plus for Joe's
KMX1 + KMX-LCD messages
If you abort
been allowed to boot into an Operating System such as Windows or DOS,
Access is therefore Blocked to parts of the EEPROM, you need to switch
ThinkPad OFF, switch ThinkPad ON and this time press F1 key BEFORE it
starts booting to an Operating System
from - error message - is displayed if KMX1 cannot communicate with
the EEPROM, check you have not mixed up SDA and SCL, check that you
have selected the correct EEPROM type AND make sure the ThinkPad is in
fact switched ON BEFORE trying to access the EEPROM
- error message - can be SDA LO, SCL LO or SDA SCL LO. All
these error messages mean that the displayed signal [SDA or
SCL or both] is shorted to GND or the ThinkPad is not switched
ON. It can also be a sign of damage to the KMX1 I2C interface,
check all your connections, make sure the ThinkPad is SWITCHED
ON BEFORE you try to access the EEPROM, if the error persists
run the KMX1 Diagnostic in case the I2C interface has been
I make no warranty that any of my
information is correct, or safe, or does or does not breach any warranty
clause, or anything else, it is up to you to decide if you will
follow all or any of the instructions to recover the Supervisor Password
from a TP. It is up to you to decide, I am not responsible for the
results or for any consequential or incidental damages whatsoever.