Reset Insyde H2O BIOS admin password

I have a Lenovo G470 with an i3 processor (with integrated Intel HD 3000 graphics) and Insyde H2O BIOS 40CN33WW (V2.19) (x64), whose BIOS is locked.

Back story

A year ago I disabled UEFI boot and booting from a pen drive and added an admin password. Unfortunately, I forgot the admin password, but I can boot from the hard drive and CD in legacy mode.

In the case of boot failure, I have to insert a live Linux CD to fix the issue. But I lost the live CD too, so I wish to boot from my bootable pen drive, but the problem is I can't, due to the reason mentioned above.

NOTE: I'm not looking to replace the motherboard, as paying that much money for a motherboard for this old laptop is not worth it:

1. Since support has ended for this laptop, I doubt that I would even get a genuine motherboard, and if I do go ahead and install a fake one, I risk damaging the processor, RAM and hard disk.

Please suggest something else.

Main questions

1. So how do I reset the BIOS password? Modified code? If yes, how?

2. How is CMOS able to retain information even though there is no button cell battery inside, given that the main battery was removed and the laptop was kept unused for a year? (As far as I know, CMOS is volatile memory, and BIOS settings are not stored in NVRAM in my laptop.)

3. As many are suggesting motherboard replacement, here is a follow-up question:

Also, I have another Lenovo G580 laptop, but its Nvidia graphics card (embedded) is fried and it doesn't proceed after the BIOS, so can I put the Intel i3 chip (because it has integrated graphics) present in the G470 laptop into the G580 laptop's motherboard?

Attempts to reset the password and details of attempts

  1. Contacted Lenovo customer care; they told me replacing the motherboard is the only option ahead, which is not possible due to the reasons mentioned above.

  2. Link to BIOS firmware

  3. I found that in the BIOS firmware, the Iscflashx64.sys file has content related to password verification (screenshot). (Sorry, I don't know the line number, but it's a small file; we can just scroll and find it easily.)

  4. There is no backdoor password, as the computer shows no error code when I entered the BIOS password wrong three times (screenshot). (Note: it allows only 7-character passwords.)

  5. I can boot into the OS, and it's possible to flash BIOS firmware.

  6. I have searched Google; it didn't help that much. I have shared everything possible.

  7. I did try some kill-CMOS software on Linux; it said it killed successfully (but it didn't).

  8. Shorting pins: as there was no notch, I tried the trial-and-error method; I shorted (8 pin, 4+4)

    1. First pair: when the logo was about to come, when I pressed F2 to enter the BIOS settings, it was blank.
    2. Second pair: the laptop turned off.
    3. Third pair: again the laptop turned off. By mistake I shorted 3 pins and sparks came; I had to disconnect and reconnect for the laptop to turn off.
    4. Fourth pair: the screen goes black; when I remove the screwdriver, the laptop turns off.

So this method did not work.

My ideas

1. Maybe I can modify the password verification code, make it accept any password and reflash the firmware. I don't have the expertise to do this; any ideas? Proof of concept

2. Trying the “reset BIOS by shorting EEPROM” method; could anyone help me locate the BIOS EEPROM location or number (U45

**3. Take the components and put them in the other motherboard (G580), whose graphics card is fried.**

Updates

  1. After going through the motherboard schematics, I found that on page 18 there is almost nothing connected to VRAM, and next, on pages 41 and 40, we find a CMOS next to the BIOS.

It has code name U33 and is located on the motherboard.

So I concluded that the BIOS data, which might include my password, is in the CMOS. Can someone confirm the same, please?

So then I'm thinking of proceeding with the method given in this article. So basically, dump the BIOS and find my password in it.

I strongly feel that the password is located in the EC, because it is directly connected to the BIOS CMOS RAM chip (as per the schematics of the motherboard), and another proof is mentioned below.

Here is a PDF (schematics and datasheet of the CMOS).

  2. I tried the method mentioned in this website (2nd one): I changed the password flash to true in the platform.ini file, but it didn't work (this BIOS is resilient 🙁). I found this in the flasher log file:

     FlashExtraData out
     EC in
     EC out
         Error code : 3010(0x00000BC2)
     Cleanup Stage
    

This is the only error in the entire file. So I think this proves that the password is stored in the EC (embedded controller); is that true?

Tags: boot, bios, passwords, patch, decoding
asked on Super User Jun 26, 2020 by Chemist • edited Jul 6, 2020 by Chemist

1 Answer

It looks more and more like Lenovo Support were right about needing to change the motherboard.

Insyde 10-character unlock codes can be decoded using the insydious website, which generates a password that fits the hash code stored in the BIOS.

However, your particular BIOS refuses to give that lock code, so there is no possible vector of attack. I would call this irresponsible software design of your BIOS program, which explains the answer you got from Lenovo Support.

I found a video that describes a method of wiping the CMOS EEPROM here: How to unlock BIOS Supervisor Password from Lenovo Thinkpad Laptop (no damage to laptop), but without trying there is no way to verify if it works for your computer. (Edit: The poster reports that it didn't work for his computer.)

answered on Super User Jul 5, 2020 by harrymc • edited Jul 7, 2020 by harrymc

User contributions licensed under CC BY-SA 3.0