Cyber Security News

Researchers Bypassed BIOS Passwords on Lenovo Laptops

CyberCX’s cyber security experts have recently unveiled a way to consistently bypass the BIOS lock on older Lenovo laptops, raising serious security concerns for users.

One of the executives at the company elaborated on a simple method using a regular screwdriver to connect specific pins on an EEPROM (Electrically Erasable Programmable Read-Only Memory) chip, allowing users to gain unrestricted entry into the BIOS.

After that, a quick analysis of the BIOS settings screen was needed to deactivate any BIOS password.

Moreover, the BIOS password bypass demonstrations conducted by CyberCX were done on several Lenovo laptops that were no longer actively used.

BIOS Password Bypass

It has been discovered that these laptops’ BIOS has a vulnerability due to the EEPROM being separate from the primary BIOS chip.

Lenovo laptop motherboards use an 8-Pin TSSOP (Thin Shrink Small Outline Package) for the EEPROM.

Security analysts can distinguish various SOP, TSSOP, and TMSOP-8 packages by carefully observing each chip on the laptop motherboard.

The EEPROM communicates over the Inter-Integrated Circuit (I2C or I²C) protocol.

Researchers used this information on a Lenovo laptop to identify the BIOS EEPROM.

They then proceeded with an attack targeting the following pins to exploit or disrupt the communication:-

  • Serial Clock (SCL) pins
  • Serial Data (SDA) pins

The security researchers used the following laptop models in this analysis:-

  • Lenovo ThinkPad L440 (launched Q4 2013)
  • Lenovo ThinkPad X230 (launched Q3 2012)

The following sequence of actions should be performed to accomplish a successful attack on the BIOS password of a Lenovo L440 laptop:-

  • Locate the correct EEPROM chip.
  • Locate the SCL and SDA pins.
  • Short the SCL and SDA pins at the right time.

The Lenovo L440 had three chips that partially met the package and pinout criteria experts were interested in.

To quickly identify if the chip is eligible, experts searched for the following two things:-

  • The serial number
  • The word EEPROM

By inspecting the chips that appear promising on the mainboard and researching their series numbers, it is possible to eventually pinpoint the correct EEPROM to target.

For the ThinkPad L440, the chip is typically labeled as L08-1 X, although this may not always be the case.

By placing a screwdriver tip between two of the chip’s legs, you can easily short the pins of the L08-1 X chip.

The experts powered on the laptop and used an advanced method known as the “elite” technique.

This technique involves forcefully bridging the SCL and SDA pins with a small screwdriver to create a short circuit, which enables them to gain access to the BIOS.

Next, the primary task is to connect the SCL and SDA pins to an oscilloscope.

Observing the communication between the BIOS and the EEPROM during the booting process becomes possible once the appropriate pins are connected to the oscilloscope.

Data transmission can begin only when the bus is available and not in use. In the “Bus not Busy” condition, both the data and clock lines stay high.

Under the start and stop mechanism, the following things will happen in sequence:-

  • BIOS would perform a start command.
  • Send the data.
  • Lastly, send a stop signal to signify the end of a communication.

At this point, the BIOS needs a start signal. Otherwise, the laptop won’t start. That is why it is not possible to directly connect the pins before starting up the computer.
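The start, data, and stop sequence described above can be made concrete with a small I2C decoder. This is an added example, not code from CyberCX or the original article: the trace is constructed, the byte values are arbitrary samples, and the bridged bus is modeled as a simple wired-AND of the two lines, which is a simplifying assumption.

```python
# Added illustration: a minimal I2C decoder over (SCL, SDA) samples.
# 1 = line high, 0 = line low. All traces here are constructed, not captured.

def encode(data):
    """Build a constructed trace: idle, START, bytes (each with ACK), STOP, idle."""
    trace = [(1, 1), (1, 1)]            # "Bus not Busy": both lines high
    trace += [(1, 0), (0, 0)]           # START: SDA falls while SCL is high
    for byte in data:
        bits = [(byte >> i) & 1 for i in range(7, -1, -1)] + [0]  # MSB first, then ACK
        for b in bits:
            trace += [(0, b), (1, b), (0, b)]   # SDA only changes while SCL is low
    trace += [(0, 0), (1, 0), (1, 1)]   # STOP: SDA rises while SCL is high
    trace += [(1, 1)]                   # bus is idle again
    return trace

def decode(trace):
    """Return the START / (byte, ACK|NACK) / STOP events seen in a trace."""
    events, bits, active = [], [], False
    for (pscl, psda), (scl, sda) in zip(trace, trace[1:]):
        if pscl and scl and psda and not sda:        # START condition
            events.append("START")
            bits, active = [], True
        elif pscl and scl and not psda and sda:      # STOP condition
            if active:
                events.append("STOP")
            bits, active = [], False                 # drop any partial byte
        elif active and not pscl and scl:            # SCL rising edge: sample SDA
            bits.append(sda)
            if len(bits) == 9:                       # 8 data bits + acknowledge bit
                value = int("".join(map(str, bits[:8])), 2)
                events.append((value, "ACK" if bits[8] == 0 else "NACK"))
                bits = []
    return events

def short_lines(trace):
    """Assumed model of bridged pins: both lines carry the wired-AND level."""
    return [(scl & sda, scl & sda) for scl, sda in trace]

if __name__ == "__main__":
    sample = encode([0xA0, 0x10])       # constructed sample bytes
    print(decode(sample))               # normal transfer
    print(decode(short_lines(sample)))  # bridged bus: no START is ever visible
```

With the two lines tied together, SDA can never be low while SCL is high, so the decoder sees no START condition and no data. That matches the article's point that the BIOS needs a start signal on the bus for the laptop to boot.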

It is important to note that when reading the oscilloscope, the yellow line represents SCL (Clock), and the purple line represents SDA (Data). 

Adding to the complexity, certain BIOS variations incorporate the TPM or use encryption or hashing algorithms to secure the BIOS password.

Reading the data from the EEPROM is now entirely possible, and the bypass currently functions.

Prevention For Lenovo Laptops

First of all, this entire process requires complete physical access, and it potentially requires at least a few hours.

The experts offer the following preventive measures:-

  • Make sure to perform full disk encryption with a Passphrase and TPM.
  • To increase the difficulty, manufacturers may consider integrating the BIOS and EEPROM packages into a single SMD (Surface Mount Device).

Implementing the above-mentioned preventive measures will help you secure your old laptop.

Integrating the BIOS and EEPROM into a single package would require an attacker to conduct a chip-off attack to intercept the communication in a similar way.

Guru

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
