Serious Computrace Warning!

Posted: Mon Sep 12, 2016 5:28 pm
by RealBlackStuff
Today I was absolutely stumped by seeing a warning in a T61 BIOS that Computrace was active!
I just put a new T61 mobo from TuuS in a T60 chassis, to create my Frankie #74 (I kid you not!).
During installation last week of this new mobo with nVidia NVS140M chip from 2010 I had no problems.
When I used the HDM to put in TYPE, S/N and UUID I had no problems either.
When I put in Middleton's BIOS I had no problems either.
Everything was hunky-dory, UNTIL I put in one of my test-HDs with W7-Pro.
Checking the functionality of the new Frankie went without a hitch and I had a test-run of almost 24 hours.
Still no problems.
Checked it again the next day to start charging the battery, still no problem.
However, I hadn't gone into the BIOS again, since I had no need for checking/changing anything there, yet.
On Friday last week I finished my testing, which was still all OK as far as I knew.

Then today (Monday morning) I was ready to pack up this T601FL and ship it out to its new owner.
To make sure, I had removed the HD; battery and AC were in; I just wanted to check the BIOS settings before shipping.
All alarm bells went ringing when I went into the BIOS and saw this Computrace warning:

If above picture/link fails, see instead: http://www.kundracomputers.co.uk/laptop ... utrace.jpg

In the T61 BIOS there are no settings for Computrace, so what had happened?
After a lot of investigation I found this:
The HD I used for testing this Frankie came from a T400 I have.
That T400 has Anti-Theft settings in BIOS, including Computrace (not available in T61).
Upon checking that T400, I found that Computrace was ENabled, but NOT activated.
Apparently that is enough to install the rpcnet*.* files in Windows or Linux!
These files make a call to http://www.absolute.com at every fresh computer start.
But here is the crunch!
When I installed this T400 HD as a test-HD in my new T601 Frankie, it created havoc in the T601 innards and put in an activated Computrace in the BIOS! WTF? :evil:

Luckily I know how to kill Computrace (a.k.a. LoJack), so I got rid of it in no time.
But herewith you are WARNED TO NOT EVER put in a HD/SSD from a Computrace-activated laptop in any other machine!

Re: Serious Computrace Warning!

Posted: Mon Sep 12, 2016 9:10 pm
by Cigarguy
Interesting indeed RBS. Thanks for sharing.

Re: Serious Computrace Warning!

Posted: Fri Jan 13, 2017 6:07 am
by Digitalhorizons
This software gets more insane the more I read about it, so not only can computrace inject code from the bios into the OS, the OS from a computrace computer can alter the bios of another laptop it runs on and rewrite the bios? I thought computrace needed a dedicated chip on the board for it to actually work??

Re: Serious Computrace Warning!

Posted: Fri Jan 13, 2017 7:13 am
by ajkula66
Digitalhorizons wrote: I thought computrace needed a dedicated chip on the board for it to actually work??
The "hooks" for it are present on T43 and later ThinkPads. So yes, this stuff has been around for well over a decade.

Re: Serious Computrace Warning!

Posted: Tue Jan 31, 2017 5:55 am
by RealBlackStuff
If you get hit: Make sure to also clean up this junk:

Indicators of Computrace Agent Activity

1.    One of the following processes is running:
     1.   rpcnet.exe
     2.   rpcnetp.exe
     3.   32-bit svchost.exe running on 64-bit system (can’t serve as complete indicator)

2.    One of the following files exist on the hard drive:
     1.   %WINDIR%\System32\rpcnet.exe
     2.   %WINDIR%\System32\rpcnetp.exe
     3.   %WINDIR%\System32\wceprv.dll
     4.   %WINDIR%\System32\identprv.dll
     5.   %WINDIR%\System32\Upgrd.exe
     6.   %WINDIR%\System32\autochk.exe.bak (for FAT)
     7.   %WINDIR%\System32\autochk.exe:bak (for NTFS)

    Note: on a 64-bit OS the above files can be found in: %WINDIR%\SysWOW64\

3.    The system resolves one of the following domain names using DNS:
     1.   search.namequery.com
     2.   search.us.namequery.com
     3.   search64.namequery.com
     4.   bh.namequery.com
     5.   namequery.nettrace.co.za
     6.   search2.namequery.com
     7.   m229.absolute.com or any m*.absolute.com

4.    The system connects to the following IP: 209.53.113.223

5.    One of the following registry keys exist:
     1.   HKLM\System\CurrentControlSet\Services\rpcnet
     2.   HKLM\System\CurrentControlSet\Services\rpcnetp
     
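A way to run that checklist offline against a host inventory, added here as an example (not RBS's code nor anything from Absolute): it matches process names, file paths (including the SysWOW64 location and the NTFS `autochk.exe:bak` stream), DNS names including the `m*.absolute.com` wildcard, the IP and the registry keys. The sample inventory is constructed, not taken from a real machine.

```python
"""Offline check of a host inventory against the Computrace indicators
listed above. Added example; the sample inventory is constructed."""
import fnmatch
import ntpath

INDICATOR_PROCESSES = {"rpcnet.exe", "rpcnetp.exe"}
INDICATOR_FILES = {
    "rpcnet.exe", "rpcnetp.exe", "wceprv.dll", "identprv.dll", "upgrd.exe",
    "autochk.exe.bak",  # FAT: a plain backup file
    "autochk.exe:bak",  # NTFS: an alternate data stream on autochk.exe
}
INDICATOR_DOMAINS = {
    "search.namequery.com", "search.us.namequery.com", "search64.namequery.com",
    "bh.namequery.com", "namequery.nettrace.co.za", "search2.namequery.com",
}
INDICATOR_DOMAIN_GLOBS = ("m*.absolute.com",)  # m229.absolute.com etc.
INDICATOR_IPS = {"209.53.113.223"}
INDICATOR_REG_KEYS = {r"hklm\system\currentcontrolset\services\rpcnet",
                      r"hklm\system\currentcontrolset\services\rpcnetp"}
SYSTEM_DIRS = ("system32", "syswow64")  # on a 64-bit OS the files may sit in SysWOW64

def is_indicator_path(path):
    """True only for <WINDIR>\\System32 or \\SysWOW64 plus an indicator file name."""
    parent, name = ntpath.split(path.lower())
    return name in INDICATOR_FILES and ntpath.basename(parent) in SYSTEM_DIRS

def is_indicator_domain(name):
    name = name.lower().rstrip(".")
    return name in INDICATOR_DOMAINS or any(
        fnmatch.fnmatch(name, g) for g in INDICATOR_DOMAIN_GLOBS)

def find_indicators(processes, files, dns_queries, connections, reg_keys):
    """Return (category, value) pairs for every inventory item that matches."""
    hits = [("process", p) for p in processes if p.lower() in INDICATOR_PROCESSES]
    hits += [("file", f) for f in files if is_indicator_path(f)]
    hits += [("dns", d) for d in dns_queries if is_indicator_domain(d)]
    hits += [("ip", ip) for ip in connections if ip in INDICATOR_IPS]
    hits += [("registry", k) for k in reg_keys if k.lower() in INDICATOR_REG_KEYS]
    return hits

# Constructed sample inventory mixing indicator hits with benign entries.
SAMPLE = dict(
    processes=["explorer.exe", "rpcnetp.exe", "svchost.exe"],
    files=[r"C:\Windows\System32\rpcnet.exe", r"C:\Windows\SysWOW64\wceprv.dll",
           r"C:\Windows\System32\autochk.exe:bak", r"C:\Windows\System32\notepad.exe",
           r"C:\Users\rbs\rpcnet.exe"],  # same name, wrong directory: no hit
    dns_queries=["search64.namequery.com", "m229.absolute.com", "www.lenovo.com"],
    connections=["209.53.113.223", "93.184.216.34"],
    reg_keys=[r"HKLM\System\CurrentControlSet\Services\rpcnetp",
              r"HKLM\System\CurrentControlSet\Services\Dhcp"],
)

if __name__ == "__main__":
    for category, value in find_indicators(**SAMPLE):
        print(f"[{category}] {value}")
```

On a live Windows box the inventory would come from the process list, a directory walk of `%WINDIR%`, DNS client logs and the registry; the matching logic stays the same.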

Re: Serious Computrace Warning!

Posted: Mon Mar 20, 2017 9:28 pm
by Temetka
Might I suggest the following if you want to re-use a Computrace HDD:

1. Wipe it with Dban
2. Wipe it with Linux
3. Wipe it with Dban again
4. Reload the OS and see if Computrace is still there. If so, I can only advise to either use the HDD as a non-OS drive (i.e. an external drive in a carrier), or use it as a Linux drive.

This is of course assuming that CompuTrace doesn't write or save anything into the HDD controllers and pre-inject its "crap" onto a system. If that's the case, then if it were me, I would physically destroy the drive. It's simply not to be trusted at that point.

Re: Serious Computrace Warning!

Posted: Mon Mar 20, 2017 10:34 pm
by bit_twiddler
Computrace probably injected something into the boot sector, or something loaded by the boot sector.
You didn't mention whether it was GPT or MBR, but it probably does something sneaky at boot, either way.

Re: Serious Computrace Warning!

Posted: Tue Mar 21, 2017 3:58 am
by RealBlackStuff
No, they don't go that far.
As mentioned above, any ThinkPad from T43 onward has Computrace in an EEPROM on the motherboard.
From T400/T500 onward there are also settings in the BIOS available.
When activated, the EEPROM installs the phone-home crap on the HD/SSD somewhere inside the Operating System.
So it's irrelevant whether you use MBR or GPT.
Wiping the HD/SSD gets rid of the installed crap, but as soon as you install ANY fresh OS, the EEPROM also starts afresh, UNLESS you permanently disabled that pest!

Re: Serious Computrace Warning!

Posted: Wed Mar 22, 2017 12:23 pm
by micrex22
RealBlackStuff wrote:No, they don't go that far.
As mentioned above, any ThinkPad from T43 onward has Computrace in an EEPROM on the motherboard.
From T400/T500 onward there are also settings in the BIOS available.
When activated, the EEPROM installs the phone-home crap on the HD/SSD somewhere inside the Operating System.
So it's irrelevant whether you use MBR or GPT.
Wiping the HD/SSD gets rid of the installed crap, but as soon as you install ANY fresh OS, the EEPROM also starts afresh, UNLESS you permanently disabled that pest!
Hey RBS,

I was actually curious, does CompuTrace work on OS/2 under HPFS & JFS since IBM supported OS/2 on T43s?

Re: Serious Computrace Warning!

Posted: Wed Mar 22, 2017 1:51 pm
by RealBlackStuff
Last time I played with OS/2 (Warp 3) was last century, around 1996 or so.
That was donkey's years before the T43 first came out.
You'd need to first find a way to activate Computrace in that T43.
Then stick a drive with OS/2 in it and see what happens.
That's all I can say.
Methinks it's relatively safe to assume that it won't install, but you won't know till you try it!

Re: Serious Computrace Warning!

Posted: Sat Mar 25, 2017 12:11 am
by Saucey
Crazy to hear, I never would have expected a hard drive to trigger another laptop!

Re: Serious Computrace Warning!

Posted: Mon Apr 02, 2018 10:47 am
by trac
Hi guys

See what I found in several sources (including Wikipedia):

This may explain your case.

"HPA is also used by various theft recovery and monitoring service vendors. For example, the laptop security firm Computrace use the HPA to load software that reports to their servers whenever the machine is booted on a network. HPA is useful to them because even when a stolen laptop has its hard drive formatted the HPA remains untouched."

The host protected area (HPA) is an area of a hard drive or solid-state drive that is not normally visible to an operating system.

So if the drive is wiped or even secure erased, this sh!t stays until you remove the HPA from your HDD/SSD (where Computrace is located on the HDD).

So you need to check if HPA is enabled or disabled. Here is the command (you can use Parted Magic):

hdparm -N /dev/sdX
(where X is your HDD letter); the output is:

/dev/sdc:
max sectors = 586070255/586072368, HPA is enabled

You can then disable HPA:

hdparm -N p586072368 /dev/sdc

(permanently (!) sets the max visible number of sectors, see example above)

Then you need to secure erase / wipe the SSD/HDD, and you will WIPE all the space (there will be no more HPA, and these sectors will be available for wipe/usage).

And the HDD will be free from Computrace and you can put it in another system.

Also, if there is no HPA, Computrace will probably not be able to install in your OS. But this needs to be checked; I can't confirm it now.

Be careful with hdparm!

Cheers,
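To size the hidden area before deciding how to wipe, here is a parser for the `hdparm -N` output quoted above, added as an example rather than trac's own code. It assumes 512-byte logical sectors and the output format shown in the post; the second sample (a drive with no HPA) is constructed.

```python
"""Parse `hdparm -N` output and size the host protected area before wiping.
Added example; SAMPLE_OUTPUT is the drive quoted in the post above,
NO_HPA_OUTPUT is constructed for a drive with no HPA."""
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors (confirm with hdparm -I)

# hdparm prints "max sectors = <visible>/<native>, HPA is enabled|disabled"
HDPARM_N_RE = re.compile(
    r"max sectors\s*=\s*(?P<visible>\d+)/(?P<native>\d+),\s*HPA is (?P<state>\w+)")

SAMPLE_OUTPUT = """/dev/sdc:
max sectors = 586070255/586072368, HPA is enabled
"""
NO_HPA_OUTPUT = """/dev/sdb:
max sectors = 976773168/976773168, HPA is disabled
"""

def parse_hdparm_n(text):
    """Return visible/native sector counts and how much the HPA hides."""
    m = HDPARM_N_RE.search(text)
    if m is None:
        raise ValueError("no 'max sectors' line found in hdparm -N output")
    visible, native = int(m["visible"]), int(m["native"])
    hidden = native - visible
    return {
        "visible": visible,
        "native": native,
        "reported_state": m["state"],
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR_BYTES,
        # Trust the arithmetic, not only the label: sectors are hidden
        # only when the native count exceeds the visible count.
        "has_hpa": hidden > 0,
    }

def unhide_command(dev, info):
    """The command from the post that makes every native sector visible.
    The 'p' prefix makes the change permanent, so run it only on a drive
    that is going to be wiped completely afterwards."""
    return f"hdparm -N p{info['native']} {dev}"

if __name__ == "__main__":
    for dev, out in (("/dev/sdc", SAMPLE_OUTPUT), ("/dev/sdb", NO_HPA_OUTPUT)):
        info = parse_hdparm_n(out)
        print(f"{dev}: {info['hidden_sectors']} hidden sectors "
              f"({info['hidden_bytes'] / 2**20:.2f} MiB), HPA {info['reported_state']}")
        if info["has_hpa"]:
            print("  to expose them before wiping:", unhide_command(dev, info))
```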

Re: Serious Computrace Warning!

Posted: Tue Apr 10, 2018 3:17 pm
by tecmes
I'm having a possibly similar situation, but with odd results so far.

TP #1 is a X61s from eBay, a "company surplus" which came with original HD, fresh Ubuntu, and had the CT BIOS pop-up.

I never connected it to the web, then replaced its 80G HD with an SSD on which I installed Win7 (without reformat), still without connection. At this point, oddly, the CT pop-up has disappeared.

I then installed the 80G HD with Ubuntu on TP#2, one of my other X61s, and repartitioned/installed Win7, still without connecting to the net. The pop-up does NOT appear at this point (and no suspect processes I can see).

So why is the CT not activating on #1? And on #2?

If it's because I did not connect, that's odd. Indeed, even though CT is pretty useless without a connection, why would CT not activate itself as soon as possible, internet or no internet? After all, it is still lurking in the BIOS, and I did a regular repartition, nothing fancy.

(Btw, what about "trac"'s suggestion above?)

Re: Serious Computrace Warning!

Posted: Tue Apr 10, 2018 3:41 pm
by RealBlackStuff
Check your drives for the files as mentioned above, where it says: Make sure to also clean up this junk:
And CT does NO CHECKING if you do NOT go online.

Re: Serious Computrace Warning!

Posted: Wed Apr 11, 2018 4:18 pm
by tecmes
I'm sorry, but I still don't get it fully.

1- To make the online check, CT first needs to install the files on the HD and run.
2- To do so, it needs to be active in the BIOS to start with.
3- But the CT code is present in all vaguely recent TPs' BIOS, even if "dormant".
Therefore some TP have an inactive CT in BIOS, some have an active CT.

But in what condition does the pop-up appear?
A) If there's an active CT?
B) If there's an active CT AND it has phoned home and reported it should go live?

...but case B is odd because it's already live, inasmuch as it has already messed up with my HD and OS files to do the check!

That's important. Because the pop-up does not appear on my TP right now.
- If it's A, then it means it somehow went inactive. Pray the Black Gods. The matte ones.
- If it's B, then, before I connect it to the net, it might be time to try and preemptively prevent it from activating, but how?

(Knowing that, right now, I found some, but not all files: no process [though they don't last?], but the files rpcnetp in Win32, wcepriv and identprv in WOW64, and no reg keys.)

Re: Serious Computrace Warning!

Posted: Thu Apr 12, 2018 3:00 am
by dr_st
It's possible you may never get it fully, because it's possible that the behavior described here originally by RBS was due to some bug in Computrace, or some configuration corner case. Since Computrace is dubious proprietary software, with a long history of "accidental" activations, I am not certain anyone can know the expected behavior in all corner cases.

Does the X61s have a BIOS setting to "Permanently disable" Computrace? I forgot in which generation it was first introduced.

Re: Serious Computrace Warning!

Posted: Thu Apr 12, 2018 4:17 am
by RealBlackStuff
Once there is active CT on your machine, the pop-up will show EVERY time you go into BIOS.
Unless somehow activated, T43/R52/X41/T60/T61/R60/R61/X60/X61 do not show any CT signs in BIOS.
Even when activated, there is no way in those machines to change CT, other than calling Absolute (if they still react to such old machines), or removing CT, or replacing the motherboard with a CT-free one, or selling/dumping it.

CT BIOS-settings only started with T400/T500 series.

Re: Serious Computrace Warning!

Posted: Fri Apr 13, 2018 3:35 am
by n2ri
My T61, which I had strange issues with in another post, has CT BIOS settings all set to inactive, but I am going to permanently disable it after reading about these weird issues.

Re: Serious Computrace Warning!

Posted: Fri Apr 13, 2018 5:08 am
by RealBlackStuff
How are you going to change CT settings in a T61?
I just told you: DOES NOT EXIST.

Re: Serious Computrace Warning!

Posted: Fri Apr 13, 2018 2:44 pm
by n2ri
Yeah lol, so I found I was mixed up with one of my W500s. Great news though: after switching from SATA to the other HDD type I finally got my old HDD to boot with the new (to me) T61, and that is what I am on now after over 4 months. YAY! This group rocks! One question: I can't get my TP monitor to turn off when docked with my larger monitor like my W500 running Win7 64-bit; is that how Win XP 32-bit/T61 is supposed to work? Seems Ubuntu boots fine in either SATA or the other type, and Windows wanted to run check disk before rebooting. I also have the fingerprint reader active, just FYI for anyone following.

Re: Serious Computrace Warning!

Posted: Sat Apr 14, 2018 12:03 pm
by ggiglio
I'm not a tech guy, so there's still something I can't figure out:
if Computrace operates WITHIN the OS (e.g. Windows), why is a good firewall NOT able to intercept the "phone home" application while it is attempting to connect?
Can someone shed some light on this for me?

Re: Serious Computrace Warning!

Posted: Sat Apr 14, 2018 2:29 pm
by RealBlackStuff
https://serverfault.com/questions/15429 ... ng-traffic
But if that would work, why has nobody ever mentioned that about CT?

Re: Serious Computrace Warning!

Posted: Sat Apr 14, 2018 3:13 pm
by n2ri
Maybe parental rights settings could prevent sending to adult sites or known addresses you don't trust, if set up manually. But do you even know the address it's sending to, to input in the untrusted site list? It's like trying to block auto-update apps that don't even need a browser to transmit on an available internet connection or phone line. Also, there are only a handful of anti-virus/firewalls that may have this kind of ability and most are NOT freeware. I saved the top 15 free brands and only 3 were worthy of all their hype, and they limit features until you buy the full version. Also the top 5 paid ones only support Windows 10 or currently supported other brands of OS. E.g. I use Comodo and only allow updating of virus data, NO app upgrades, as those will be for Win 10, which screws up older versions of Windows; that happened to me last year and took a month to get fixed and back-graded for Win7 64-bit.

Re: Serious Computrace Warning!

Posted: Sat Apr 14, 2018 3:20 pm
by ggiglio
I only asked the question because my firewall (a business class one) specifically prompts if a program wants to establish an outbound connection with another machine (e.g. to search for updates) and asks "what do you want me to do?".
So the point is:
can we trust a software firewall, or does CT have the ability to get a super-admin level?

Re: Serious Computrace Warning!

Posted: Sun Apr 15, 2018 2:08 am
by jaspen-meyer
A firewall on the Computrace-infected machine is useless. Low-level spyware, like CT, does not need the OS to communicate over the internet.

A firewall placed between the infected machine and the internet could stop CT's communication, incoming and outgoing, but you would need to know what you're looking for.

Re: Serious Computrace Warning!

Posted: Sat Apr 28, 2018 1:42 pm
by tecmes
For an update on my own situation. Upon connecting the laptop to the net for the first time, nothing happened. The only precaution I took was access-protecting a couple of the CT files. After trying a few reboots and leaving it connected a little while, it's still not activated. Really not sure why.

Re: Serious Computrace Warning!

Posted: Mon Aug 20, 2018 11:47 pm
by Yukikaze
Very interesting - wouldn't this software be imitated and lead to attacks?

Re: Serious Computrace Warning!

Posted: Tue Aug 21, 2018 12:01 am
by CrazyTPFan
I never thought that a program would be able to do that seeing as the T61 has absolutely NO settings in the bios for computrace :eek:

Re: Serious Computrace Warning!

Posted: Sun Dec 22, 2019 1:52 pm
by Eugor
I acquired a T61 that had no drive installed when I got it.
I fired it up to BIOS and there was a pop-up "This computer is equipped with Computrace..."; hitting OK allowed me to continue.
I booted to Linux Mint 19.2 xfce that I have installed on 128 GB thumb drive and ran some operational checks.

After reading through information here about computrace, I am not sure if my thumbdrive is safe to use on any other computer.

Can Computrace contamination occur on a Linux thumb drive that I used on this machine?

If that is possible, will reformatting the thumb drive clean the contamination on that drive?

I do not have the skills to summon magical incantations to lock down or remove Computrace, so is replacing the board, or calling Absolute, the only option?

I am still not sure, does Computrace work in a Linux environment?

Thanks for any clues.

Re: Serious Computrace Warning!

Posted: Thu Apr 02, 2020 9:37 pm
by cadillacmike68
Eugor,

Your thumb drive might be contaminated. CT does work on some Linux builds. I would wipe it and re-create it from a clean system.

All: if you see options for the Intel AT module, you might want to permanently disable that one as well, because it does similar things if "activated".

Can windows DISKPART be used to wipe a drive and the HPA if any?