Neuter Intel ME with me_cleaner
Thanks to the work by the me_cleaner team!
Basic steps are
Obtain a copy of me_cleaner from Github
Install python, if not already installed
Dump BIOS firmware with SPI flash reader
Clean the image with the command python me_cleaner.py -S -O modified_image.bin original_dump.bin
Flash modified image
Check status of Intel ME with MEInfoWin.exe in Windows or intelmetool in Linux
Obtaining a Copy of me_cleaner
Run git clone
https://github.com/corna/me_cleaner.git [desired location]
Alternatively download straight from the project page
Dump BIOS
For this you will require
Some SPI programmer with drivers - I used a $3 CH341a USB-SPI programmer
A SOIC-8/SOP-8 test clip
Some jumper cables to connect the clip to the programmer
Flashrom installed
Some patience
Assuming you have the above we can then connected the programmer to the BIOS chip.
Disconnect the battery and AC from the laptop
Locate the BIOS chip on the motherboard directly right of the Expresscard cover
Connect the chip to the programmer as per below
For Linux run sudo flashrom -r original.bin -p ch341a_spi -c "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E"For Windows follow the GUI
An example output is shown at the bottom of the post
Run again and make sure MD5 hashes match
Notes
You may need to change the chip model depending on your motherboard
If flashrom says it cannot detect any chips, check your wiring and clip connection
Clean the Image
Run the command python me_cleaner.py -S -O modified_image.bin original_dump.bin
An example output is shown at the bottom of the post
-O specifies output filename
-S neuters the Intel ME firmware and sets the High Assurance Program (HAP) bit
-s leaves the firmware intact but sets the HAP bit
Read the readme for more details
Flash Modified Image
For Linux run sudo flashrom -w modified_image.bin -p ch341a_spi -c "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E"For Windows follow the GUI
An example output is shown at the bottom of the post
With luck flashrom will say "VERIFIED" meaning that the firmware was flashed successfully.
Check Status of Intel ME
For Linux
Install intelmetool
Add iomem=relaxed to kernel commandline to /etc/default/grub
Rebuild grub using sudo update-grub
Reboot
Run sudo rmmod mei_me; sudo rmmod mei; sudo intelmetool -S
Check what the output means here
For Window
Obtain MEInfoWin.exe tool via Intel ME firmware update extracted files
Run MEInfoWin.exe with admin privileges
Congratulations!
Now your system is mostly free of Intel ME!
Log Dumps
[arch@x220b me_cleaner-master]$ sudo flashrom -r original.bin -p ch341a_spi -c "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E"
flashrom v1.0 on Linux 4.18.9-arch1-1-ARCH (x86_64)
flashrom is free software, get the source code at
https://flashrom.org
flashrom was built with libpci 3.5.6, GCC 7.2.1 20171224, little endian
Command line (7 args): flashrom -r original.bin -V -p ch341a_spi -c MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Initializing ch341a_spi programmer
Device revision is 3.0.4
The following protocols are supported: SPI.
Probing for Macronix MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E, 8192 kB: probe_spi_rdid_generic: id1 0xc2, id2 0x2017
Found Macronix flash chip "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E" (8192 kB, SPI) on ch341a_spi.
Chip status register is 0x00.
Chip status register: Status Register Write Disable (SRWD, SRP, ...) is not set
Chip status register: Bit 6 is not set
Chip status register: Block Protect 3 (BP3) is not set
Chip status register: Block Protect 2 (BP2) is not set
Chip status register: Block Protect 1 (BP1) is not set
Chip status register: Block Protect 0 (BP0) is not set
Chip status register: Write Enable Latch (WEL) is not set
Chip status register: Write In Progress (WIP/BUSY) is not set
This chip may contain one-time programmable memory. flashrom cannot read
and may never be able to write it, hence it may not be able to completely
clone the contents of this chip (see man page for details).
Reading flash... done.
[arch@x220b me_cleaner-master]$ sudo flashrom -r original1.bin -p ch341a_spi -c "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E"
flashrom v1.0 on Linux 4.18.9-arch1-1-ARCH (x86_64)
flashrom is free software, get the source code at
https://flashrom.org
flashrom was built with libpci 3.5.6, GCC 7.2.1 20171224, little endian
Command line (7 args): flashrom -r original1.bin -V -p ch341a_spi -c MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Initializing ch341a_spi programmer
Device revision is 3.0.4
The following protocols are supported: SPI.
Probing for Macronix MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E, 8192 kB: probe_spi_rdid_generic: id1 0xc2, id2 0x2017
Found Macronix flash chip "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E" (8192 kB, SPI) on ch341a_spi.
Chip status register is 0x00.
Chip status register: Status Register Write Disable (SRWD, SRP, ...) is not set
Chip status register: Bit 6 is not set
Chip status register: Block Protect 3 (BP3) is not set
Chip status register: Block Protect 2 (BP2) is not set
Chip status register: Block Protect 1 (BP1) is not set
Chip status register: Block Protect 0 (BP0) is not set
Chip status register: Write Enable Latch (WEL) is not set
Chip status register: Write In Progress (WIP/BUSY) is not set
This chip may contain one-time programmable memory. flashrom cannot read
and may never be able to write it, hence it may not be able to completely
clone the contents of this chip (see man page for details).
Reading flash... done.
[arch@x220b me_cleaner-master]$ md5sum original.bin original1.bin
d039e30faa8411fae705df2701cabbc5 original.bin
d039e30faa8411fae705df2701cabbc5 original1.bin
[arch@x220b me_cleaner-master]$ python me_cleaner.py original.bin -O mecleaned.bin -S
Full image detected
Found FPT header at 0x3010
Found 19 partition(s)
Found FTPR header: FTPR partition spans from 0xcc000 to 0x142000
ME/TXE firmware version 7.1.91.3272 (generation 2)
Public key match: Intel ME, firmware versions 7.x.x.x, 8.x.x.x
The AltMeDisable bit is NOT SET
Reading partitions list...
FOVD (0x00000400 - 0x000001000, 0x00000c00 total bytes): removed
MDES (0x00001000 - 0x000002000, 0x00001000 total bytes): removed
FCRS (0x00002000 - 0x000003000, 0x00001000 total bytes): removed
EFFS (0x00003000 - 0x0000c7000, 0x000c4000 total bytes): removed
BIAL (NVRAM partition, no data, 0x0000adce total bytes): nothing to remove
BIEL (NVRAM partition, no data, 0x00003000 total bytes): nothing to remove
BIIS (NVRAM partition, no data, 0x00036000 total bytes): nothing to remove
NVCL (NVRAM partition, no data, 0x000095d9 total bytes): nothing to remove
NVCM (NVRAM partition, no data, 0x000036fc total bytes): nothing to remove
NVJC (NVRAM partition, no data, 0x00005000 total bytes): nothing to remove
NVKR (NVRAM partition, no data, 0x0000f650 total bytes): nothing to remove
NVOS (NVRAM partition, no data, 0x00035c3c total bytes): nothing to remove
NVQS (NVRAM partition, no data, 0x00000def total bytes): nothing to remove
NVSH (NVRAM partition, no data, 0x000056b7 total bytes): nothing to remove
NVTD (NVRAM partition, no data, 0x00001e44 total bytes): nothing to remove
PLDM (NVRAM partition, no data, 0x0000a000 total bytes): nothing to remove
GLUT (0x000c7000 - 0x0000cc000, 0x00005000 total bytes): removed
FTPR (0x000cc000 - 0x000142000, 0x00076000 total bytes): NOT removed
NFTP (0x00142000 - 0x0004fd000, 0x003bb000 total bytes): removed
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0xed)...
Reading FTPR modules list...
UPDATE (LZMA , 0x110a5a - 0x110aec ): removed
BUP (Huffman, fragmented data, ~48 KiB ): NOT removed, essential
KERNEL (Huffman, fragmented data, ~122 KiB ): removed
POLICY (Huffman, fragmented data, ~86 KiB ): removed
HOSTCOMM (LZMA , 0x110aec - 0x116082 ): removed
RSA (LZMA , 0x116082 - 0x11ab3f ): removed
CLS (LZMA , 0x11ab3f - 0x11f551 ): removed
TDT (LZMA , 0x11f551 - 0x1256fc ): removed
FTCS (Huffman, fragmented data, ~15 KiB ): removed
The ME minimum size should be 921600 bytes (0xe1000 bytes)
The ME region can be reduced up to:
00003000:000e3fff me
Setting the AltMeDisable bit in PCHSTRP10 to disable Intel ME...
Checking the FTPR RSA signature... VALID
Done! Good luck!
[arch@x220b me_cleaner-master]$ sudo flashrom -w mecleaned.bin -p ch341a_spi -c "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E"
flashrom v1.0 on Linux 4.18.9-arch1-1-ARCH (x86_64)
flashrom is free software, get the source code at
https://flashrom.org
flashrom was built with libpci 3.5.6, GCC 7.2.1 20171224, little endian
Command line (7 args): flashrom -w mecleaned.bin -V -p ch341a_spi -c MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Initializing ch341a_spi programmer
Device revision is 3.0.4
The following protocols are supported: SPI.
Probing for Macronix MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E, 8192 kB: probe_spi_rdid_generic: id1 0xc2, id2 0x2017
Found Macronix flash chip "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E" (8192 kB, SPI) on ch341a_spi.
Chip status register is 0x00.
Chip status register: Status Register Write Disable (SRWD, SRP, ...) is not set
Chip status register: Bit 6 is not set
Chip status register: Block Protect 3 (BP3) is not set
Chip status register: Block Protect 2 (BP2) is not set
Chip status register: Block Protect 1 (BP1) is not set
Chip status register: Block Protect 0 (BP0) is not set
Chip status register: Write Enable Latch (WEL) is not set
Chip status register: Write In Progress (WIP/BUSY) is not set
This chip may contain one-time programmable memory. flashrom cannot read
and may never be able to write it, hence it may not be able to completely
clone the contents of this chip (see man page for details).
Reading old flash chip contents... done.
Erasing and writing flash chip... Trying erase function 0... Erase/write done.
Verifying flash... VERIFIED.
[arch@x220b ~]$ sudo intelmetool -S
Bad news, you have a `QM67 Express Chipset Family LPC Controller` so you have ME hardware on board and it is very difficult to remove, continuing...
RCBA at 0xfed1c000
MEI was hidden on PCI, now unlocked
MEI found: [8086:1c3a] 6 Series/C200 Series Chipset Family MEI Controller #1
ME Status : 0x20191
ME Status 2 : 0x160a0000
ME: FW Partition Table : OK
ME: Bringup Loader Failure : NO
ME: Firmware Init Complete : NO
ME: Manufacturing Mode : YES
ME: Boot Options Present : NO
ME: Update In Progress : NO
ME: Current Working State : Initializing
ME: Current Operation State : Bring up
ME: Current Operation Mode : Debug
ME: Error Code : No Error
ME: Progress Phase : BUP Phase
ME: Power Management Event : Pseudo-global reset
ME: Progress Phase State : Check to see if straps say ME DISABLED
PCI READ [bc] : 0x000000bc
ME: Extend SHA-256: ...
ME seems okay on this board
ME: failed to become ready
WRITE [00] : CB: 0x80040007
WRITE [00] : CB: 0x000002ff
ME: failed to become ready
ME: GET FW VERSION message failed
ME: failed to become ready
WRITE [00] : CB: 0x80080007
WRITE [00] : CB: 0x00000203
WRITE [00] : CB: 0x00000000
ME: failed to become ready
ME: GET FWCAPS message failed
Re-hiding MEI device...done, exiting
Source
After
Before
Inainte de neutralizare am actualizat ME firmware in bios la ultima versiune disponibila pentru chipsetul meu, seria Z87 folosind utilitarul de
aici.
Placebo sau nu sistemul e mai "smooth" dupa inlaturarea "backdoor-ului Intel."
Nu faceti aceasta procedura nici macar pe partea de OEM Flash, folosind functia nativa a fiecarui producator daca nu aveti metoda de recovery gen "Dual BIOS".
Puteti incerca initial doar prin activarea modalitatii AltMeDisable iar daca e functionala mai apoi sa incercati si stergerea codului din chip.
Fiecare BIOS reactioneaza diferit la cele doua modalitati si totodata trebuie verificate USB urile, BCLK-ul, HDCP-ul in aplicatii gen Netflix samd. ME firmware se ocupa in principal cu partea de securitatea copyright protection, PAVP, Overclocking samd.
Utilitarul functioneaza pana la Z370 inclusiv. De la Z390 structura SPI-ului schimbandu-se nu mai este posibila inlaturarea, deocamdata.
Mai multe despre ME firmware (ce este? ce face?) in PDF-ul
asta.
Neuter Intel ME with me_cleaner
Linear Mode
Viziteaza-ne pe Facebook
Urmareste-ne pe Twitter
Vezi ce facem pe YouTube