Thinkpads Forum

Is the BIOS editions for the T510 and T520 vulnerable to hacking or back door entry or holes?

I know nothing about hacking and it's not that I want to know how, but I do want to know if the BIOS used in these two series are fairly secure.

If they are not, is there anything I can do short of flashing the BIOS (which is not an option) to increase their security?

Cant understand the logic in any hacker being interested in hacking a 5yr old laptop that has the same bios structure that has been around since 2005 or whatever.

I havent heard of any hacks targeting these laptops.

More or less, I am mostly interested in this from the standpoint of the owner, and not the age of the machine.

Ironically you have more to fear from bios hacks from the manufacturer if you buy a brand new Lenovo laptop.

So I've read...

Hello,

I've read about Computrace, and SuperFish.

An article about Computrace :
https://en.wikipedia.org/wiki/LoJack_for_Laptops

And another about SuperFish (which is not installed in the BIOS, but it's really a crap)... :
https://en.wikipedia.org/wiki/Superfish

(Note that the T510 ans the T520 don't avec SuperFish).

W.

MikalE wrote:Is the BIOS editions for the T510 and T520 vulnerable to hacking or back door entry or holes?

Nobody knows what is in the bios code.

MikalE wrote:If they are not, is there anything I can do short of flashing the BIOS (which is not an option) to increase their security?

These machines are no longer supported by Lenovo. Yes, the BIOS is very likely vulnerable but you can not do anything with that. It is possible there are SMM vulnerabilities https://support.lenovo.com/cz/cs/solutions/LEN-8324 reported for newer models as well but Lenovo provides fixes for .20 series and above only.

MikalE wrote:Is the BIOS editions for the T510 and T520 vulnerable to hacking or back door entry or holes?

Every BIOS is potentially open to hacking. Having said that, the structure between *10 and *20 series is vastly different, with the latter being the first ThinkPad to offer UEFI boot.

If they are not, is there anything I can do short of flashing the BIOS (which is not an option) to increase their security?

Flashing the BIOS - excluding options such as Coreboot/Libreboot which I don't believe even work on the chipsets involved - will not do anything in the respect of improving the security of the system involved.

Unless you're doing something that requires a *very* high level of confidentiality, I wouldn't lose any sleep over BIOS hacks.

My $0.02 only...

I'm surprised that there have been cases of "Computrace" style machine hijacks that may or may not be false positives... even if it was a legit 'hijack' as in its the original owner of the machine getting its serial flagged, its annoying just the same, since its ridiculous that the original owner wants a sub $100 10yr old machine back.

Still you'd worry more about browser hijacks and that sort of high level attacks rather than something 'low level' like bios attacks.

ajkula66 wrote:options such as Coreboot/Libreboot

Coreboot runs on the T520: https://www.coreboot.org/Board:lenovo/t520 but it does not disable "Intel Management Engine" which is, as far as I can tell, designed to allow remote visitors full access to your machine. See https://stallman.org/intel.html

TonyJZX wrote:Still you'd worry more about browser hijacks and that sort of high level attacks rather than something 'low level' like bios attacks.

Yes, any Google software represents much higher risk than a possible BIOS hack.

jaspen-meyer wrote:

ajkula66 wrote:options such as Coreboot/Libreboot

Coreboot runs on the T520: https://www.coreboot.org/Board:lenovo/t520 but it does not disable "Intel Management Engine" which is, as far as I can tell, designed to allow remote visitors full access to your machine. See https://stallman.org/intel.html

Yes, see, that's what I don't want to get into is physically flashing the BIOS chip. Even as a former electronics technician, this is some delicate work and I've never worked with surface mount components. Even with a magnifier, I don't know that my near vision is good enough for this micro work either.

I was thinking of buying a ready-to-go T500 that has already been flashed with Libreboot and has had the Wi-Fi card replaced. A T60 or X200 that has been re-flashed are candidates too, but I haven't found any of those for sale.

MikalE wrote: I was thinking of buying a ready-to-go T500 that has already been flashed with Libreboot and has had the Wi-Fi card replaced. A T60 or X200 that has been re-flashed are candidates too, but I haven't found any of those for sale.

The T60 can be flashed from software, as can an X60. Looks like just a selection of T60 screens are compatible:
https://libreboot.org/docs/hcl/index.ht ... d_t60_list

I've flashed a dozen x60s with libreboot using: Linux, zip from libreboot https://libreboot.org/release/20150208/ ... bin.tar.xz. The entire process is just two commands, three if you want to first make a backup of the factory ROM.

Doing this myself on a T60 or X60, the problem becomes how to get a seller to check which display is in the computer they are selling. I don't know of any way to tell that without taking it apart. Hopefully, they would also be able to get to the current BIOS to tell what chipset is on the motherboard.

A software flash is not out of the question for me. I just need to find compatible hardware and try and get a seller to tell me exactly what hardware is in their machine.

Is any X60 compatible, or are certain components like displays and wireless adapters (T60 problems) incompatible?

Can I just pick an X60 from e-Bay without any concerns for compatability?

If the seller still has a bootable OS HDD, they can bot it and find out what is installed. OR, if the system's display was NEVER changed, most are not changed, then you can look up the MTM on this site or DL the 22MB file with 500,000 ThinkPad models in it. However if the system is a CTO, and it doesn't have a unique 3 digit model, on the bottol label next to the bar code, and most do Not have this, then you can't look up the CTO in either MTM or the huge spreadsheet, but the spreadsheet will still tell you what type of graphics it has, just not the display resolution.

The Lenovo reference books (available here somewhere) can also tell you the intro date of models and full original specs, except for CTS options, but again, you can tell by the TYPE (first 4 numbers) what graphics options it came with, screen type (14W, 15W, 14S), and common default options, etc. I use it when I have the full type - Model and the book actually lists it, e.g. my 8898-AGM is Not listed in the books, in fact no 8898s are in it, but my wife's 8897-03U is

Do not despair Mika, there is still a way to tell what display was Originally installed. You need the serial number and machine type (the first 4 numbers of the MTM).

Go to Lenovo's warranty lookup site:

http://support.lenovo.com/us/en/warrant ... y%20Status

And enter the serial number (no dashes) followed by a dot (period, or .) then the 4 digit machine type. eg L2P9321.8898 (for a fictitious T61) and verify that the correct type of computer shows up.

THEN, up top, click on Parts & Accessories / Parts Lookup. Let the page load and on the left find the drop down and select the "As built only" link / button and somewhere in that link is the LCD Panel, something like "FRU 14.1 SXGA+" and you can translate that to the screen. You can also tell the initial memory and original processor, although those do tend to get updated.

If a seller is the Original owner, they should be forthcoming. If its an asset recovery liquidator, good luck in getting the BIOS screen and bottom label pics, but if you do, and the display has not changed AND someone has not messed with the SN in the BIOS (it SHOULD match the label on the bottom it things were not messed with), you can get a pretty good idea of the original specs.

I've used this to pick up some bargain T61s on fleabay. I look for the better screens (WSXGA+ or WUGA or SXGA+) and / or original Penryn CPUs. And I can avoid old date nvidia systems (or offer a low price for them!)

Apart from the TYPE, on older laptops there also was the PRODUCT ID on that same label, looking like:
TYPE: 8890-CTO S/N: L3-12345 07/02
PRODUCT ID: 889026U

Thanks for the help. There's a lot more in those numbers than at first glance.

I use that MTM feature a lot if there is a shot of the bottom of the unit or if a newer model and they have a BIOS screen shot.

Thanks for the info. I'll have my eye out for one or the other.

RealBlackStuff wrote:Apart from the TYPE, on older laptops there also was the PRODUCT ID on that same label, looking like:
TYPE: 8890-CTO S/N: L3-12345 07/02
PRODUCT ID: 889026U

That's what I was referring to. Unfortunately many CTO systems still have CTO after the Type in that Product ID. Only one of my T61 CTOs has an actual 3 digit model there. But that one IS in the giant spreadsheet and the MTM lookup here.

Fortunately, if you have the serial number and type (and the SN is maintained by Lenovo, which apparently one of my systems is not!), then you can still find out what the Original LCD Panel installed was.

MikalE wrote:Thanks for the help. There's a lot more in those numbers than at first glance.

I use that MTM feature a lot if there is a shot of the bottom of the unit or if a newer model and they have a BIOS screen shot.

Thanks for the info. I'll have my eye out for one or the other.

If a seller does not have these two pics, ask them. Some of them have no clue. And them some won't provide it. Well they can find another buyer AFAIC

For any T60 or X60 on ebay you'll need to replace the wifi card - it's simple enough that you could do it with your eyes closed.

Get either an ar9280 or ar9380:
http://www.ebay.com/itm/-/111003280872
http://www.ebay.com/itm/-/151981990156

Just about every X60 and X60s on ebay will work, the exceptions are machines with uncommon, and much sought after, displays which are expensive and usually just on the x60 tablet.

Libreboot installed on every x60 I tried it on; the T60 requires a little research before jumping into it:
https://github.com/bibanon/Coreboot-Thi ... inkPad-T60