ThinkPad X13 G1 Remove supervisor password

I recently bought a ThinkPad X13 G1 with an Intel processor that had a supervisor password set. I was able to reset it with the following steps. This page is for my personal reference only, I take no responsibility for any damage you may cause if you follow these steps.

The motherboard in my X13 is labeled as a “GT4A3/GX3A2 NM-C891 Rev 1.0” (see image).

This motherboard features a “Winbond 25Q80DVSIG” which contains the BIOS, however, the supervisor password is not located here so doing anything to this chip will not help. The motherboard also features a “ThinkShield MEC1663-BA0” which is where the password is stored, this chip is only visible when the motherboard is removed from the laptop body since it is on the side facing the keyboard. This image shows the MEC1663 at the bottom, with the keyboard connector to the right.

During boot, the BIOS will load from the Winbond chip and then query the MEC1663 to check if a supervisor password is set. If this query is interrupted, it will allow the BIOS to be opened and modified as if there is no password set at all. This means that a new password can be set, overwriting the original.

Since the communication between the CPU and the MEC1663 happens over the LPC Bus, the communication can be interrupted by shorting some of the data pins, such as LAD0, on the MEC1663. This needs to happen with precise timing since the system will detect a fault if it is shorted for too long (or at the wrong time), or the system may load the password as normal if you short it too late.

In my experience, the best time to short the data pin to ground is right after the screen backlight comes on, and then stop shorting right before the Lenovo logo appears. It took me around 10 attempts to get it right, and it is a case of trial and error. If a password is set, you will see the following screen when attempting to access the BIOS (by pressing F1):

It is best to remove the SSD and any other storage before starting so your ThinkPad will prompt you to enter the BIOS instead of booting an OS which only wastes your time. If you see the password prompt, press ctrl+alt+delete to restart and try again.

You may see a lot of errors on the screen, and this means you likely shorted the data pin for too long and the system detected a fault. In this situation, the ThinkPad will likely auto-restart. This means you have the right technique but wrong timings.

Once you are in the BIOS, you need to set a supervisor password (but you can leave the boxes blank, which will remove the password). Afterwards, do not save the changes, but simply reboot the machine. Changes to the password are immediately saved so saving is unnecessary. This is because the BIOS may load some corrupt data while you are shorting pins, if you save the changes, this may result in corrupt data being permanently saved to your Winbond chip! The image below shows the supervisor prompt you should see:

First, securely attach a wire to ground somewhere on the motherboard. My personal preference is to strip one end of a solid-core wire and wrap it through one of the grounded screw holes, then screw it securely into place. This prevents having to solder anything and gives a very secure connection. See image:

On my motherboard, the LPC bus is routed to an unpopulated component labeled “J9301” which is directly below the left-most RAM chip. See image:

(tip: click the image to see it in higher resolution)

Here is an overview of the full board with arrows pointing to J9301 to make it easier to find:

Here it is at a higher magnification:

Note that the black ink was added by me, not by the factory. The ink marks the spot where I was attaching the ground wire.

Specifically, you want pin 10. That is on the bottom row, 5 pins from the left. I also accidentally tapped pin 12 a few times during the process which didn't seem to have any adverse effects.

• Thanks to this comment by thinkpadg6 on badcaps.net I was able to find the data lines quicker.
• badcaps.net forum thread documenting this attack vector.
• scribd.com X13 / T14S board schematics (low quality)
• hnfix.vn X13 / T14s board schematics
• MEC1633 datasheet (PDF) this is a different, but similar, chip. Gave some clues about how things may be connected.