Hope for newer hardware?

48 replies [Last post]
ivanB1975
Offline
Joined: 08/29/2017

I found this article: http://www.csoonline.com/article/3220476/security/researchers-say-now-you-too-can-disable-intel-me-backdoor-thanks-to-the-nsa.html
I am wondering if this open the possibility to have newer hardware free from ME.

ivanB1975
Offline
Joined: 08/29/2017

I found that an italian developer created this tool: https://github.com/corna/me_cleaner
and that the tool is included in the sources of coreboot. I am thinking to attempt the cleaning on a Lenovo Y70.
I used the intelmetool to check the MEI state on that laptop. Almost all MEI functionalities are disabled the nastier ones, but still the laptop has the whitelist on.
I will open it next days and check where the flash chip is located.
Anyone else has experience on external flashing on this laptop?

ivanB1975
Offline
Joined: 08/29/2017

It works!

I applied the process on my lenovo Y70 keeping the OEM bios (meah) with the whitelist on but I completely disabled the intel ME :)
I used a banana pro to do that and a test clip applied to the bios chip directly.

Now ME is disabled (I tested it with the intelmetool from the coreboot project).
From the BIOS menu an entire section dedicated to ME disappeared. But all is working perfectly.
Next step is to free the bios from the whitelist.

flash.jpg
Alij
Offline
Joined: 05/07/2012

"Since 2008, Intel’s chipsets have contained a separate always-on Management Engine computer that could not be disabled."

So what about buying hardware build before 2008? this is disturbing. I dont have the technicals skills to free any hardware at all.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Those are the Libreboot computers.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>So what about buying hardware build before 2008?

That's what I do and it works great for me. I have a 2004 potato and a 2006 dual core potato. The second one is more than enough for me for everything I need to do. Use lightweight software and you'll be just fine with old hardware.

ivanB1975
Offline
Joined: 08/29/2017

I think that the x200 is for example more than enough for everyday use. I considered to buy it but then I would end up having 5 laptops at home comprising the working ones. So I thought that ethically is best to reuse what I have and study and learn how to do it myself. it is fun also the learning process and yesterday when I saw the ME disabled I felt like I have the power to decide. learning is in the path of freedom.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>So I thought that ethically is best to reuse what I have and study and learn how to do it myself. it is fun also the learning process and yesterday when I saw the ME disabled I felt like I have the power to decide. learning is in the path of freedom.

I could not agree more with you. I also see a few comments above you left a guide for calmstorm (and anyone interested), much appreciated! +1

Alij
Offline
Joined: 05/07/2012

Thanks Heather :)

ivanB1975
Offline
Joined: 08/29/2017

I think that 300 dollars for a completely free machine is a deal. In my case I wanted to use what I have already. I could have bought a x200 for 70 dollars as well. But I was able to make my lenovo free. I had to learn and it was a nice process. I think I could do an howto about this since many information are scattered in different places in the web.
If I would not have a laptop I would have probably purchased one from vikings or technoethical.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>I think I could do an howto about this since many information are scattered in different places in the web.

You could and you should. How about you add it somewhere in the wiki? Looking forward to one such entry!

ivanB1975
Offline
Joined: 08/29/2017

I had the option to buy a x200 lenovo for about 80 dollars, but I would have to apply the same procedure also on that to be able to install libreboot. So I decided to go for disabling intel ME. Non free Blobs are still in place but at least a big backdoor is eliminated. Now I will try to get rid of the whitelist so I can install a different wifi that can work with trisquel. If you look around you can find ready librebooted x200. But usually they are sold for over 300 dollars.
The procedure I used is very well documented online and in youtube. But it is not free from possible failures.
I agree with you it is insane that to be the owner of something we payed we had to deal with so many problems...

ivanB1975
Offline
Joined: 08/29/2017

Unfortunately the lenovo y70-70 is not supported by coreboot. But I have also an old macbook air mid 2011 that is supported fully. I will install on it coreboot and linux :)
Replace the battery and I will have a perfect portable laptop for coding :)

I have to edit the post since it is more complicated on the mac. The chip is on the other side of the motherboard. But at the same time there is a special flat connector that connects to the chip. If I find the adaptor for that I will be able to flash the chip with coreboot.
It is unlikely but not impossible.

Slowly freeing the hardware....

ivanB1975
Offline
Joined: 08/29/2017

Continuing the saga....
I am still on the lenovo Y70. Yesterday I tried to get rid of the whitelist following this: https://www.tonymacx86.com/threads/guide-lenovo-g50-70-and-z50-70-bios-whitelist-removal.187340/

I managed to find the exact position as suggested on the guide. But I am suspecting I am doing some mistakes in handling the image. I am doing that on os x and I will switch to linux today night attempt. Last attempt didn't work, but I am learning.

ivanB1975
Offline
Joined: 08/29/2017

Almost there with the Lenovo Y70. I managed to eliminate the white list from the BIOS. I used these steps:

     1 Taking the last rom image with the modified ME region
     2 Using the UEFITool (https://github.com/LongSoft/UEFITool) load the image
     3 Go to the guide here: https://www.tonymacx86.com/threads/guide-lenovo-g50-70-and-z50-70-bios-whitelist-removal.187340/ and note the hex code of the region surrounding the value 74, it represents a conditional jump instruction in assembly:
         In this case the 74 values and region to look for are 3:
           - 00 00 74 20 83 3D
           - 00 00 74 40 48 83
           - 84 DB 74 10 C7 44
     4 Search the HEX pattern of the first region with UEFITool. It will find this: Hex pattern "00007420833D" found as "00007420833D" in PE32 image section at header-offset 2FBh
      5 Double click on it and it will show a PE32 image section
      6 Right click and extract as is, saving the file as pe32_section.sct
      7 Now it is time to use an HEX editor. I used this http://www.suavetech.com/0xed/
      8 Open the file pe32_section.sct on the HEX editor and search for the first pattern. it is important that the editor is in overwrite mode.
      9 It will find it and the value 74 is in a different offset respect the guide since this is a different bios. Overwrite the value 74 with the value EB
      10 Do the same for the other two regions
      11 Save the file
      12 Go back in UEFITool and right click on the same PE32 image section and choose replace as is. Select the file saved before with the new values.
      13 Under the file menu choose save image file and choose a different name than the original file. This will trigger the re-packing of the bios rom with the updated section.
      14 Use the new rom to flash the bios.
The unfortunate thing is that the UEFITool is only available for Windows and Os X. It is a replacement for the phoenix tools.
Now the Lenovo can use different WIFI cards than Lenovo. I tested it and it works.
Next final step is to buy a wifi card mini-pcie M2 that is working without non free firmware, install it and enjoy a modern laptop without the intel ME on it.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

\o/

ivanB1975
Offline
Joined: 08/29/2017

@SuperTramp83 I don't know why but your avatar makes me smile :)

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

An elegant and happy RMS always makes you smile, it's only natural :)

Jodiendo
Offline
Joined: 01/09/2013

SuperTramp83 said: An elegant and happy RMS always makes you smile, it's only natural :)

RMS
ELEGANT? I must be looking with a sore eye.

Happy? depends on his level of caliber and entertainment.
Natural?
True there is a parallel universe.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

RMS exhibiting his "power tie" is the most elegant he gets.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>RMS exhibiting his "power tie" is the most elegant he gets.

+2

ivanB1975
Offline
Joined: 08/29/2017

The saga will continue with an aesthetic change, the BIOS bootsplash :)
I found this nice howto: http://www.thinkwiki.org/wiki/How_to_change_the_BIOS_bootsplash_screen
I will study it and apply it.
I am also looking for a wlan card NGFF M.2 that works without firmware. It is not easy and I will have to trade with performances if I want to keep the system completely libre.
Now I have installed an intel 7265 that works egregiously with ubuntu. But the idea to have another intel closed firmware there makes me nervous....
So I will buy a cheap atheros card. I am currently looking cards supported by the atk9 driver that is the latest one that doesn't require firmwares.

ivanB1975
Offline
Joined: 08/29/2017

I ordered a cheap Atheros based wifi card that will use the atk9 diver. Looking forward to wipe out ubuntu and install trisquel 8 :)

ivanB1975
Offline
Joined: 08/29/2017

Almost there with the modification of the BIOS logo. In this tutorial: https://www.bios-mods.com/forum/Thread-Extracting-boot-logo-other-stuff-from-a-UEFI-Tiano-Insyde-FD-image
I found that searching with UEFITool the GUID: 6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0 I found a result GUID pattern "6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0" as "54F00C6F6AAE8C41A7CE3C7A7CD74EC0" in 6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0 at header-offset 0h
If I expand that scrolling to the bottom there are files with subtype "Freeform". In total 9 files.
Opening one of them I can access other 2 sublevels:
0F85BFDB-B54B-4C5E-85E6-6A9419F814F6 File of subtype "Freeform"
FC1BCDB0-7D31-49AA-936A-A4600D9DD083 Section subtype "GUID defined"
Raw section Section of subtype "raw"

With right click on the raw section and choosing the option "Extract body..." it save a ".raw" file that is a ".tga" file (Truevision Graphics X File).
And the preview show exactly the logo that I want to change. The 9 files show all the same but with different sizes. Probably the same BIOS section is used in many different machine with different panel resolution.
Now I have to modify the TGA file and re-add it with the UEFITool and flash the bios again.

ivanB1975
Offline
Joined: 08/29/2017

Adding it on the wiki?
Possibly, I am only concerned on legal things in case someone that will use the wiki could end up with a damaged bios chip.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>concerned on legal things

Pretty sure a loud and clear (capsed & bold) disclaimer on top will take care of that. :)

ivanB1975
Offline
Joined: 08/29/2017

Yes probably. Let me first complete the process. I will be not happy until I change the logo :)

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Sure, you take all the time you need :)

ivanB1975
Offline
Joined: 08/29/2017

@here if someone knows how to make a wiki on the topic that not create legal issues I would be happy to do that.
In the meantime I cannot yet modify the logo image.
The original is a TGA and in GIMP it shows just the alfa channel. I used also xnView on the mac and I could modify them but at the boot the logo is skipped. I guess the BIOS see the image as corrupted. It is a stupid thing I know, trying to change the logo at the boot but it is also a technical challenge and I like to learn as well.
I would be happy to know if someone has already attempted to modify TGA image for the BIOS and if yes which tools used. :)

ivanB1975
Offline
Joined: 08/29/2017

Update to the BIOS customization attempt. It worked!!!!!
Now at the start of the Laptop I have my personal logo. I had to modify the TGA image in GIMP in Linux. In Os X it was not working. I am very happy. I started with a completely closed hardware, with a BIOS with intel ME, the Lenovo whitelist and now I have a much more free machine. I am waiting the arrival of a new wifi card (bought for 8 bucks online all included) that should work only with the atk9 drivers and this will make the laptop fully compatible with Trisquel.
Next days I will post the updates when I will install Trisquel :)

ivanB1975
Offline
Joined: 08/29/2017

It is possible to do everything in Linux. The UEFITool is available here: https://github.com/LongSoft/UEFITool
and after installing qt4: sudo apt-get install libxtst-dev build-essential libqt4-dev qt4-qmake
running the commands "qmake" and then "make" in the cloned repository of UEFITool will generate the executable.
So everything can be achieved in Linux :)

ivanB1975
Offline
Joined: 08/29/2017

Final step on the saga. Today after only 10 days I received the atheros wifi card from china (8 bucks) that was not supposed to work with Lenovo laptops but it does once eliminated the white list. And now booted on the live of Trisquel 8 I am writing the final post of this saga. The Lenovo Y70 is now free. Almost all.
I am pretty satisfied.

User0
Offline
Joined: 09/20/2017

If you make a thinkpad x200 Libreboot installation .
You need extra to remove ME or just removing auto with flashing?

ivanB1975
Offline
Joined: 08/29/2017

If you look here: https://libreboot.org/docs/install/x200_external.html
you find all information. Since you are flashing a completely custom bios the Intel ME is removed in this image.

ivanB1975
Offline
Joined: 08/29/2017

Today I received from china the pentalobe screwdriver for the mac book air. I will check which type of chip and adapter I need. In this case there is full support of coreboot. So it should be easier.

ivanB1975
Offline
Joined: 08/29/2017

The saga is not yet ended. At the beginning of this post I shared a link about the possibility to shut down the Intel ME. The person that developed the me_cleaner added this possibility to his code and it is what I will try today. Here the link: https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit

ivanB1975
Offline
Joined: 08/29/2017

Using the "-S" option I reapplied the me_cleaner to the latest bios image I created and doing so I should have disabled the ME also using the intel way. I will flash it now

ivan@ivan-free-pc:~/Documents/BIOS/me_cleaner$ python me_cleaner.py mod_image_nowhite_lastlogo_big.rom -S -O mod_image_nowhite_lastlogo_big_hap.rom
Full image detected
The ME/TXE region goes from 0x1000 to 0x180000
Found FPT header at 0x1010
Found 1 partition(s)
Found FTPR header: FTPR partition spans from 0x48000 to 0xd0000
ME/TXE firmware version 9.0.22.1467
Removing extra partitions...
Removing extra partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0x0a)...
Reading FTPR modules list...
UPDATE (LZMA , 0x0a32de - 0x0a3413): removed
ROMP (Huffman, fragmented data ): NOT removed, essential
BUP (Huffman, fragmented data ): NOT removed, essential
KERNEL (Huffman, fragmented data ): removed
POLICY (Huffman, fragmented data ): removed
HOSTCOMM (LZMA , 0x0a3413 - 0x0ab746): removed
TDT (LZMA , 0x0ab746 - 0x0b0b01): removed
The ME minimum size should be 393216 bytes (0x60000 bytes)
The ME region can be reduced up to:
00001000:00060fff me
Setting the AltMeDisable bit in PCHSTRP10 to disable Intel ME...
Checking the FTPR RSA signature... VALID
Done! Good luck!

ivanB1975
Offline
Joined: 08/29/2017

I flashed the new firmware and the result is:

MEI was hidden on PCI, now unlocked
MEI found: [8086:8c3a] 8 Series/C220 Series Chipset Family MEI Controller #1

ME Status : 0x1e020191
ME Status 2 : 0x104d2142

ME: FW Partition Table : OK
ME: Bringup Loader Failure : NO
ME: Firmware Init Complete : NO
ME: Manufacturing Mode : YES
ME: Boot Options Present : NO
ME: Update In Progress : NO
ME: Current Working State : Initializing
ME: Current Operation State : Bring up
ME: Current Operation Mode : Debug
ME: Error Code : No Error
ME: Progress Phase : BUP Phase
ME: Power Management Event : Clean Moff->Mx wake
ME: Progress Phase State : 0x4d

ME: Extend SHA-256: ######

ME: failed to become ready
ME: failed to become ready
ME: GET FW VERSION message failed
ME: failed to become ready
ME: failed to become ready
ME: GET FWCAPS message failed
Re-hiding MEI device...done

The interesting part is that now there is no more error in the ME error code

GrevenGull
Offline
Joined: 12/18/2017

Hey, did you manage to get Trisquel on the Air? I am currently trying to get Trisquel on my MacBookPro9,1 (2012) and I take all the tips.

ivanB1975
Offline
Joined: 08/29/2017

Eh no, I need for that a special crappy adaptor to interface it with the BIOS chip since it is placed on the opposite face of the PCB respect the back panel. But once obtained or self build the adaptor then the process should be easier since it is supported by coreboot.
But at the moment I am so full of work and family things that I cannot do anything except coming here sometime.

Alij
Offline
Joined: 05/07/2012

What about Thninkpad T420 i would love to get one.

ivanB1975
Offline
Joined: 08/29/2017

Here the official coreboot page: https://www.coreboot.org/Board:lenovo/t420
Not completed I think

gnutastyc
Offline
Joined: 11/13/2017

@ivanB1975, what you have done is very, very impressive. It gave me some energy to try it in my Toshiba Satellite. However, I didn't find you Y70 in coreboot supported motherboards. Does it uses some other Thinkpad's motherboard? If not, would it be possible for you to add it? It might be useful for many other people later on.

ivanB1975
Offline
Joined: 08/29/2017

ehi no no, it is not my work it is the work achieved by Corna https://github.com/corna/me_cleaner with his me_cleaner tool.
Now there are a lot of howtos online about this.
My motherboard is not supported by coreboot unfortunately. The only way is to port it. It is a task extremely difficult that requires the knowledge of low level architecture. I had a look on it, the starting point is to use a board listed on coreboot that uses the same chips (northbridge and southbridge). From there it is unknown. I should look into the code itself but time is small for these things. So far I am happy with the degree of freedom I achieved.

ivanB1975
Offline
Joined: 08/29/2017

PS I created this wiki page https://github.com/ivanB1975/y70_mecleaner/wiki/howto
I asked Corna to add the link to his wiki. Let's see.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

Do you think a C.H.I.P. would work in place of a RPi?

ivanB1975
Offline
Joined: 08/29/2017

It depends if the CHIP board support SPI. If yes then you have to install the proper driver for it, find the right connections to the pomona clip and also be lucky that the CHIP provide enough current to the BIOS chip.
I found this about SPI on the CHIP: https://bbs.nextthing.co/t/using-spi-on-c-h-i-p/6652
If you have a CHIP board I suggest to have a look on the CHIP forums and so on. If you don't have the easiest way is to get a rPI.

Jodiendo
Offline
Joined: 01/09/2013

CalmStorm

said: but we would need someone to hack the crap out of the gen 4 processors beyond any reasonable time frame. to 100% remove the me. I have no idea how long that would take, but given 95% of the code can be removed now I think it might be more conceivable. heck maybe even fifth gen if we are really lucky...
It would involve the me cleaner though...

The answer is a combination of a good motherboard 1150 class and type of processor you are using. I dont use 1155 socket boards but 1150 boards made in taiwan you could disable via the bios a lot of stupid crap that intel wants you to do. but having a 1155 socket board it is very hard because the architecture design is different.

my i5 processor is a 1150 socket and I could overclock easily, but the board is made by asus in Taiwan, not on the 1155 sockets class.

I run gnu linux on the I5 NOT TRISQUEL BUT Debian with no issues. on my 13 I run trisquel quiet nicely. and I have another machine 13 running devuan with no issues. It is all about the architecture of the CPU AND BOARD.

JUST MY OPINION.

ivanB1975
Offline
Joined: 08/29/2017

Now the wikipage about the me_cleaner on the lenovo Y70 is available in the official me_cleaner project here: https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner
And it points to this link: https://github.com/ivanB1975/y70_mecleaner/wiki/howto
I am very happy about this :)