KMX1 Zap

 


Safety Precautions to ensure that your KeyMaker Board and ThinkPad are not damaged

In order to avoid damage to your KeyMaker Board as well as the ThinkPad you are using it on, there are certain precautions you MUST observe.

If you ignore these precautions you will join the 3% of customers who bought a KeyMaker board, ignored these precautions, damaged their KeyMaker Board by being careless, then had to pay to have it replaced and lost a lot of time in the process.

Your KeyMaker has electrical contacts on both sides. You must ensure that no part of your KeyMaker USB board comes into contact with any conductive surfaces such as bare metal or bare wires.

You should place down a piece of paper and place your KeyMaker USB on top of it in order to avoid any electrical contact which may damage your KeyMaker.

There is no danger of receiving an electrical shock from your KeyMaker USB as the highest voltage anywhere on the board is 5 Volts which is a safe voltage to touch.

If you prefer, you can place your KeyMaker USB board inside an Anti-Static plastic bag during use. The board does not get warm at all, so there is no issue with ventilation.

The same precautions apply to your ThinkPad when you are performing any operation. BEFORE your ThinkPad is switched ON, you must ensure that nothing can short out by coming into contact with other parts. You can use sheets of plastic or plain paper to make sure things remain electrically isolated.

You MUST NOT allow the SDA and SCL leads from any KeyMaker KMX1 or KMX2 to come into contact with ANYTHING other than the correct SDA and SCL EEPROM connection points, and ONLY AFTER:

You have traced the wire you are using for your probe right back to the label on the I2C header on the KeyMaker board which reads SDA for YOUR SDA lead and reads SCL for YOUR SCL lead.

You have absolutely confirmed that you have correctly identified the SDA and SCL connection points on your ThinkPad System Board.

3% of customers who purchased a KeyMaker Board have somehow managed to damage their KeyMaker board.

NOT ONE of those customers can tell me exactly what he or she did to damage it.

I have tried all sorts of seriously ridiculous ways to damage a KeyMaker board and I have NOT BEEN ABLE TO DAMAGE ONE!

I only tried MILDLY STUPID THINGS like connecting a solid 9 Volt source to SDA and SCL - theoretically that should have damaged the I/O pin on that KeyMaker powered from 3.3 Volts, IT DIDN'T.

Your KeyMaker board is a delicate piece of equipment, treat it with respect.

Do NOT experiment or connect to anything if you are not certain you have the correct connection points identified.

There are voltages much higher than 3.3 Volts inside your ThinkPad, in fact up to 20 Volts. 

20 Volts is not a danger to YOU but it is to the KeyMaker KMX1 or KMX2.

Connect SDA and SCL leads ONLY if you have double checked and are CERTAIN you have correctly identified the SDA and SCL connection points.

The above is VERY IMPORTANT. Don't ignore it, or else you WILL damage your KeyMaker KMX1 or KMX2 board, and that is expensive, wastes a lot of time and is not much fun.

Read more on Safety Precautions here

Before you can use KMX1 to unlock any TP you must first Activate it

If the Activity LED on your KMX1 is flashing continuously, that means it has not been Activated.

Put simply, do not waste your time trying to use the KMX1 series board until after it has been Activated.

The following videos use earlier board revisions with a Red colour Activity LED; the current V4 board has a Blue Activity LED.

NOT activated KMX1 flashing Activity LED


 

Please read this entire page, more than once if you have to, until you have a really good understanding of ALL the steps involved. Only then start unlocking your ThinkPad.

Zap

You can unlock any ThinkPad (TP) with KeyMaker KMX1 except the SL300, SL400, SL500, G550, T*40, X*40 and X1 Carbon (Gen 2) TPs.

All TPs which on the EEPROM Locations page state "treat as 24RF08" or "treat as LSI" can have their Supervisor Password removed using the Zap SVP button on KMX1.

If you have determined that the TP has a Hard Disk Password (HDP):

On newer models, the HDP cannot be recovered from anywhere inside the TP. The Hard Disk itself looks after the HDP internally. Sometimes, if you are lucky, the HDP is the SAME as the SVP.

Before you Zap or Clear the SVP, you should consider recovering the SVP and testing whether it can also be used to unlock the Hard Disk.

If the SVP turns out to be encrypted (TPM/TCPA enabled), then it won't help to unlock the HDP.

Clearing a Supervisor Password (SVP) from a TP is fairly straightforward once you know how to avoid all the TRAPS IBM/Lenovo have set for you, the customer.

I know this is all very exciting and you are ready to start stripping down your TP and jump into it, but WAIT! Read all of this first.

Most people are absolutely certain they have a Supervisor Password (SVP) set.

There is a chance you may not have an SVP set in your TP.

I have exchanged emails with many people who have gone through the whole SVP unlocking thing, read the EEPROM and wasted days, only to discover there is no SVP set at all.

How is that possible? Are these people really dumb or something?

The answer is NO, these are all perfectly sane intelligent people. 

The real problem is IBM/Lenovo and their warped sense of humour.

When you really do have strong security, you challenge people to try and defeat it, you invite peer review to make sure it is in fact secure.

When you have flimsy pretend security and you obstinately pretend it is so secure even you can't unlock it, well, you have to get all secretive and vague about everything, HOPING people won't find out. In other words, an illusion of strong security where none really exists, which is what we have here.

Trap number 1, the Hard Disk Password (HDP)

If at any time you see this Password prompt icon

That icon with the small number 1 (it may be a small number 2 or 3 if you have more than one Hard Disk) means the HDP is set. You will not be able to easily recover or clear the HDP; KeyMaker KMX1 will NOT recover or clear HDP.

It will cost you more to clear the HDP than a new Hard disk is worth.

Clearing a HDP is only worth the expense and effort if there is valuable data on the Hard disk that MUST be recovered.

If HDP is set then remove the Hard Disk [HD] before continuing so that you can determine which other passwords (IF ANY) you need to recover or clear.

There may not be any other password set!

Ok, you removed the HD and you see yet another Password Prompt icon.

Trap number 2, the guessing game - is it SVP or POP?

The trap is that IBM/Lenovo in their wisdom chose to have THE SAME PASSWORD PROMPT ICON for BOTH SVP and Power on Password (POP).

The password prompt icon pictured above does NOT define which PASSWORD it is asking you to enter.

It can be either POP or SVP

Only ONE way to find out for sure which one it is and maybe save a LOT of time.

  1. Identify your TP model

  2. Download the Hardware Maintenance Manual (HMM) for your TP model

Spend the time to read the first part of the HMM, which deals with Cautions. Some of these, for example Shock Sensors, are very important: you would not want to handle your System board roughly, only to find out when you power it up to unlock it that you have in fact ruined it.

Read the HMM section dealing with Passwords and become familiar with how to remove the Power on Password [POP].

Then follow the instructions for POP Removal.

After performing POP Removal, if there is no password prompt icon displayed, you are done: your TP is unlocked.

If you have performed POP Removal and you continue to see this password prompt icon, it does NOT mean you didn't perform POP Removal correctly.

It means that with POP removed, you have now absolutely confirmed that you do indeed have an SVP set and you can now put the time and effort into removing or clearing it.

How to Zap SVP using KMX1

You must ACTIVATE your KMX1 before it will do anything useful.

If you jumped straight in here without reading all of the above information - STOP - and read all the information above FIRST!

KMX1 Zap SVP button unlocking a Pass phrase SVP from an R60
 

Zap

  1. Identify your TP model.
  2. Find the location of the EEPROM connection points and EEPROM Type.
  3. Download and save the HMM, then follow the HMM to enable you to strip down the TP [without damaging it as you would if you don't follow the HMM] to the point where you can access that EEPROM location. Depending on the model this could be ONE Screw or a total strip down.
  4. Connect 3 leads between the EEPROM's connection points and KeyMaker KMX1.
  5. Switch on the TP.
  6. Press the Zap SVP button. You will see the Activity LED on the KMX1 board turn On, stay on for 15 seconds and go off. If it then flashes slowly twice, that means the SVP is gone forever and your TP is now unlocked. If it flashes rapidly, that means the operation failed.

More detail on those 5 steps follows below, please continue reading

The connection Points on KMX1 are, VCC - GND - SCL - SDA

Most times we only use GND - SCL - SDA and leave VCC NOT connected.

KMX1 hardware revision can be one of the 4 boards depicted below which are functionally identical

When you purchase KMX1 you are supplied with a 4 wire lead.

Most of the time you will ONLY be using 3 of those 4 wire leads.

In the photo above on the right, the 4 wire lead is connected onto the I2C header pins

NOTE the orientation: by convention, much like a car battery, RED is Positive Voltage; in this case it is called VCC.

Black is Negative, or as we will be referring to it, GND, which stands for Ground. In plain English, Ground is the negative or common point in a circuit.

You do NOT connect VCC [the RED lead] unless you are reading an unsoldered 24xx series EEPROM, and I can't see you doing that very often, if at all, unless you run a Laptop Repair Shop.

All the EEPROM location pages show 3 connection points:

  1. GND which you connect to the BLACK lead above.
  2. SCL which you connect to the YELLOW lead above.
  3. SDA which you connect to the WHITE lead above.

If your KMX1 is powered via the mini USB cable connected to the locked TP then you do NOT need to connect the GND wire from the ThinkPad to the KeyMaker KMX1 I2C interface connector. The reason is that the mini USB provides the GND connection between KMX1 and the TP GND.

If your KMX1 is NOT powered via the mini USB cable connected to the locked TP then you DO NEED TO connect the GND wire from the ThinkPad to the KeyMaker KMX1 I2C interface connector.

Read more about GND connection

Make it a habit of connecting the 4 wire lead as per above with the RED wire over VCC.

When it comes to making those 3 connections between KMX1 and the EEPROM, you have the choice of using:

  1. Clips to make the connections.
  2. Sharp Probes that are skinny and come to a sharp point. They also have an insulated handle for you to hold without your sweaty hands interfering with the low power signals on SDA and SCL.

Read more about clips and probes.

Which method you choose to make the 3 connections is up to you. So long as there is a good electrical connection between the connection points at both the EEPROM and the KMX1 I2C header pins during any Read or Write operation, all is well.

You really want to unlock your TP and use it again?

It does not get any easier than this!

Yes, you can easily do it yourself!

 

 

If you have read all the preceding information on this page and not simply skipped all that boring IMPORTANT information (if you skipped it, go back and read all of this page above), you should already have:

  1. Identified your TP model.

  2. Downloaded and saved the HMM, then followed the HMM POP removal procedure to be certain it isn't simply a POP and NOT an SVP you are faced with.

  3. Having confirmed it is an SVP, found the location of the EEPROM connection points and EEPROM Type for your TP Model.

  4. Followed the HMM to enable you to strip down the TP [without damaging it as you would if you don't follow the HMM] to the point where you can access that EEPROM location. Depending on the model this could be ONE Screw or a total strip down.

You should also have found the EEPROM connection point for your TP Model and decided whether you will solder wires or use clips or sharp probes to make the actual connections.

Some older model TPs will have an EEPROM type 24C01 or 24C03 or 93C46. You cannot Zap those; you can, however, Recover the SVP and type it in at the SVP Prompt using the keyboard. For that YOU WILL need to use the Terminal Software on a second PC or use the KMX-LCD to display the Recovered SVP.

KMX1 will ONLY Zap EEPROM Type LSI and 24RF08, which luckily covers the MAJORITY of TP models.

Whichever connection method you choose, your KMX1 should be powered up. If your KMX1 is powered by the USB cable connected to the locked TP then it will be powered up when you switch on the locked TP.

First, you connect the 3 wires (GND, SDA, SCL) from the KMX1 I2C header to the EEPROM connection points on your Password Protected TP.

You can use a clip on each wire, or you can use a clip for GND and sharp probes for SDA and SCL.

For example:

Below are photos of an R52 being unlocked, using Joe's KeyMaker KMX1. 

The R52 has been opened and placed on its side to allow access to the ON/OFF push button and also to allow access to the underside of the R52.

The Memory cover underneath the R52 has been removed to allow access to the EEPROM connection points, only 1 screw to undo.

KMX1 is powered by the USB port of the R52 which is being unlocked

Making the 2 probes used is described here

No other PC or anything else is required.

A black clip is being used for the GND connection attached to the metal clip which normally holds the Memory in place.

Leaving one hand free to operate the Zap SVP button.

Looks easy - because - it is easy when you have the right tools.

The 2 probes held in place, GND clip visible at bottom of photo.

Zap SVP button about to be pressed

KMX1 hardware can be either of the 2 boards depicted below which are functionally identical

The 3 connections MUST be made to the correct connection points.

Double check you have not mixed up the 3 wires.

With some models, you will have a totally stripped down, bare TP for this operation, yet one that is still able to be switched on and run.

In that case make sure the metal parts of the keyboard cannot come into electrical contact with any part of the circuitry on the system board. You can use paper or plastic or insulating tape to keep things electrically isolated.

Make sure you have attached the CPU heat sink and that the CPU cooling fan is connected and will operate when the TP is switched on, else you will fry your CPU.

On some models it helps if you open the LCD screen at 90 degrees and stand the TP vertical so one side of the LCD screen and one side of the Machine are resting on the table surface, that way you can access the front and back of the TP after it is switched ON.

If you are using sharp probes to make the connections then you can wait until the locked TP has Powered UP and is at a password prompt before making the connections using your sharp probes.

You have made sure nothing can 'short out'?

Plug a mini-USB cable from one of the USB Ports on the locked TP to the USB socket on your KMX1. That will power KMX1 once the locked TP is switched ON.

If your KMX1 is powered via the mini USB cable connected to the locked TP then you do NOT need to connect the GND wire from the ThinkPad to the KeyMaker KMX1 I2C interface connector. The reason is that the mini USB provides the GND connection between KMX1 and the TP GND.

If your KMX1 is NOT powered via the mini USB cable connected to the locked TP then you DO NEED TO connect the GND wire from the ThinkPad to the KeyMaker KMX1 I2C interface connector.

Of course you do need to connect some power to the ThinkPad via your TP AC adaptor, else nothing useful will occur.

Switch the ThinkPad ON.

PRESS AND HOLD DOWN the ThinkPad F1 KEY.

If you don't hear the sound of the CPU cooling fan running for about 3 seconds after switching ON, switch off and check it before continuing. Normally the fan runs the instant you switch the TP ON. It may stop in the next few seconds, and that's OK: so long as it does run at start up, you know you have not forgotten to connect it during re-assembly.

WAIT until you see the message 'Entering Bios setup' or a similarly worded message, or you see a Password Prompt icon, or you see an error message that is NOT about a boot error.

ONLY THEN RELEASE THE F1 KEY.

If the ThinkPad has booted to any operating System, switch it OFF and pay MORE ATTENTION: hold down the F1 key and continue to hold it down while switching the ThinkPad ON. You may see an error message about a stuck key. That is OK, as the TP will eventually stop and you can do your work of unlocking it.

It is VERY IMPORTANT THAT YOU DO NOT continue unless the ThinkPad is displaying the message 'Entering Bios setup' or a similarly worded message, or you see a Password Prompt icon, or you see an error message that is NOT about an operating system boot error.

If you see this password prompt icon with either the number 1 or 2 or 3 etc., that means that, like a LOT OF PEOPLE, you are rushing and you completely skipped the important information at the start of this page. Please switch the TP OFF and start reading from the top of this page. This time do NOT skip anything!

You should be seeing this icon or an error message.

One final reminder for those in a huge rush who skip important information: you did already follow the POP Removal procedure detailed at the top of this page, YES?

Did you notice that each page showing the location of the EEPROM connection point for your TP model starts off with, for example for R52:

R52 EEPROM you treat it as LSI

That is telling us that the EEPROM TYPE for an R52 is LSI.

If your EEPROM Type is not an LSI or 24RF08 then you will need to use a second PC running Terminal Software or the KMX-LCD to display the recovered SVP. This short tutorial assumes you do have an LSI or 24RF08 EEPROM TYPE and are using the KMX1 Zap feature.

Do not press the Zap SVP button before the EEPROM connections have been made or you are ready to make the EEPROM connections during the selected delay.

If you are using sharp probes to make the EEPROM connections, you must now apply them to the EEPROM connection points for SDA and SCL. You did connect GND earlier, right?

Now press the Zap SVP button to Zap the SVP.

By default KMX1 is set to a 5 second DELAY between the time you press the Zap SVP Button and when the operation actually starts to happen.

This feature [first available on KMX1] saves you from having to find another person to operate the Zap SVP Button while you position and hold the SDA and SCL probes.

The delay can be varied if 5 seconds is not sufficient: you can change it to 0, 5, 10 or 15 seconds, either by connecting KMX1 to a working PC running Terminal software and using the KMX1 menu or, if you are using the KMX-LCD, by using the Joystick to scroll down the LCD menu to DELAY.

If you are using sharp probes, the variable delay should give you enough time between pushing the Zap SVP button and placing and holding the sharp probes, so that there is a good solid electrical connection before the operation commences and during the entire operation.

When the delay is over you should see the Activity LED on the KMX1 board turn On, stay on for 15 seconds and then go off. If it then flashes slowly twice, that means the SVP is gone forever and your TP is now unlocked.

If the connections are not made correctly, the Activity LED will display a fast burst of flashes. That means failure: check the connections and try again.

With strong, excellent lighting and a magnifying glass, carefully check the SDA and SCL connection points on the System board.

If there is any corrosion or coating over the SDA and SCL connection points, switch OFF the TP and VERY GENTLY scrape away the corrosion and/or coating from the SDA and SCL connection points. After you have done that, switch the ThinkPad back ON and try again.

If the Activity LED turned on for about 15 seconds followed by 2 slow 1/2 second flashes at the end, your TP is now UNLOCKED, that SVP is gone.

Your TP is now unlocked. As a reward, when you switch the TP OFF and switch it back ON again, then press F1 to enter BIOS setup, it will not ask for an SVP.

Now you have full access to your TP

Time to congratulate yourself on a job well done.

Following Zap SVP, if you see a CRC1 or CRC2 error message displayed - DON'T PANIC - it is OK, the steps below will take care of it.

I would recommend that you set a new Supervisor Password, one you can remember. If you don't set one, someone else can, and you may have to do this all over again. It is much easier to set your own password so no one else can set one and frustrate you.

CAUTION: IF your laptop is set to boot over a Corporate Network then do not tinker with BIOS setup unless you know the required settings for your Corporate network.

While in BIOS setup, SET DEFAULT settings (the F9 key does that), then select BOOT and also set defaults there by using F9.

Then Press F10 to SAVE those settings, switch the TP OFF and switch it back ON again to continue using it.

Those last F9, F10 steps above are VERY IMPORTANT, else you may see errors reported, your TP may not find the Hard Disk to boot from, etc.

A quick lesson:

When using KeyMaker KMX1, connection leads to the EEPROM inside a TP can be connected whilst the TP is switched OFF or ON, and the leads can be left connected while the TP is being switched ON and OFF.

If you are new to TP unlocking you might be thinking, so what! Well, read on and you will see what a significant difference that can make.

Simple RS-232 based interfaces, when connected to the EEPROM inside a TP, impose a substantial load on the EEPROM's signal lines and, if left connected, will interfere with the power on and power off functions of the TP.

That means that when using an old RS-232 interface the EEPROM leads must be disconnected while the TP is powering up, connected to perform a function, then disconnected again before switching the TP OFF.

When using an old RS-232 interface the EEPROM leads can ONLY be connected after the TP has been switched ON and has completed its power up functions.

KeyMaker KMX1 EEPROM connections do NOT have those restrictions because the KMX1 EEPROM connection points are High Impedance. They do not load down the signals, therefore they can be left connected at all times without affecting TP power up or power down.

A lot of TP unlock operations require that you Power Cycle the TP, in other words Switch OFF, Switch ON the TP. Having to disconnect leads from the EEPROM and reconnect those EEPROM leads each time the TP is switched ON or OFF becomes tedious and can lead to mistakes.

Another plus for Joe's KeyMaker KMX1.

Disclaimer

I make no warranty that any of my information is correct, or safe, or does or does not breach any warranty clause, or anything else, it is up to you to decide if you will follow all or any of the instructions to recover the Supervisor Password from a TP. It is up to you to decide, I am not responsible for the results or for any consequential or incidental damages whatsoever.

If you have any questions, email Joe at
