Wiki page, disclaimer, does it make sense at all
- Inicie sesión ou rexístrese para enviar comentarios
Recently I managed to re-flash the BIOS of my Lenovo Laptop with a modified BIOS that deactivates the intel management engine and eliminate the hardware whitelist and set a new logo boot image. I wrote a post on the Troll Lounge. I was wandering if it would make sense at all to write a wiki page about it. I just applied the information contained on other sources. There is no real added value except that some information are scattered around in the web, some are incomplete or obsolete.
I am also thinking to use a Disclaimer like this one:
The author cannot guarantee the completeness or accuracy of information contained on the document, and shall not be responsible for any errors,
omissions, or inaccuracies and accepts no liability whatsoever for any loss or damage howsoever arising. The Author reserves the right to make
changes or remove or alter any content at any time without notice.
This document contain links to many external websites that are not affiliated with the author. The Author is not responsible for and has no
control over these sites, and links to external sites should not be taken as a recommendation or endorsement of the external site’s information,
products or services.
The Author takes no responsibility for any loss or damage suffered as a result of using the linked web sites or as a result of using the information published on this document.
I am not concerned only about possible damages on the BIOS chips, but also the producer of the laptop in question taking legal actions.
Nobody with experience on this?
Does it make sense at all to write a wiki about it?
I am a translator!
I haz voted 'yep, go for it'
thanks but it looks that it doesn't have generated so much interest.
I am a translator!
What are you talking about? I am extremely interested. In fact I insist and persist. We can make a deal if you want to spare some time, if it is faster and easier for you write it in I-talian. It'll be a pleasure for me to translate it (and hopefully learn something in the process).
I'm sure I am not the only one interested btw :/
The English is not a problem. I don't speak italian since many years :) I need to find the time.
I am a translator!
I see. Good, then no problem, you take all the time you need. +1
Ok slowly working on it
You deactivated EME ? I thougt it was not possible.
Check this: "https://github.com/corna/me_cleaner/blob/master/README.md"
he wrote: This project is an attempt to remove as much code as possible from such firmware without falling into the 30 minutes recovery mode.
With his tool almost all ME partitions are overwritten with empty values.
I checked the ME status with the intelmetool (https://github.com/coreboot/coreboot/tree/master/util/intelmetool) provided by the coreboot project and the status is disabled. It doesn't boot without the missing partitions and at the same time it doesn't shut down the device after 30 minutes.
I am perfectly satisfied with this. A functionally disabled ME is fine with me even if some code still is in the Bios
Here the output of the intelmetool:
ivan@ivan-free-pc:~/Documents/BIOS/coreboot/util/intelmetool$ sudo ./intelmetool -s
[sudo] password for ivan:
MEI was hidden on PCI, now unlocked
MEI found: [8086:8c3a] 8 Series/C220 Series Chipset Family MEI Controller #1
ME Status : 0x1e003052
ME Status 2 : 0x10322152
ME: FW Partition Table : OK
ME: Bringup Loader Failure : NO
ME: Firmware Init Complete : NO
ME: Manufacturing Mode : YES
ME: Boot Options Present : NO
ME: Update In Progress : NO
ME: Current Working State : Recovery
ME: Current Operation State : M0 with UMA
ME: Current Operation Mode : Normal
ME: Error Code : Image Failure
ME: Progress Phase : BUP Phase
ME: Power Management Event : Clean Moff->Mx wake
ME: Progress Phase State : M0 kernel load
ME: Extend SHA-256: ########
ME: has a broken implementation on your board with this BIOS
ME: failed to become ready
ME: failed to become ready
ME: GET FW VERSION message failed
ME: failed to become ready
ME: failed to become ready
ME: GET FWCAPS message failed
Re-hiding MEI device...done
Ok, I assume intelmetool is trustworthy (or not, but I'm really a newbie). Anyway it is an interesting world. I will learn more about it. Please write your wiki! ;)
It should be ok considering that the laptop where I used it is "old" (Lenovo Y70-70) and with only the version 8 of the ME. Newer versions of the ME are more difficult and more complex. The wiki that I am writing is very simple, just the description of the steps I followed and where I found the information. It could be applied to other laptops but each case is different. Here for example the status of attempts of other people: https://github.com/corna/me_cleaner/issues/3
Citing the author of the me_cleaner: For pre-Skylake firmware (ME version < 11) this tool removes almost everything, leaving only the two fundamental modules needed for the correct boot, ROMP and BUP. The code size is reduced from 1.5 MB (non-AMT firmware) or 5 MB (AMT firmware) to ~90 kB of compressed code.
Starting from Skylake (ME version >= 11) the ME subsystem and the firmware structure have changed, requiring substantial changes in me_cleaner. The fundamental modules required for the correct boot are now four (rbe, kernel, syslib and bup) and the minimum code size is ~300 kB of compressed code (from the 2 MB of the non-AMT firmware and the 7 MB of the AMT one).
In fact in my case the ME stops at the BUP phase (bring up).
In the slide 17 everything is explained very well here: https://recon.cx/2014/slides/Recon%202014%20Skochinsky.pdf
I did finished the howto, but I decided to not share it. To me the legal implications are a nightmare. Even the removal of the whitelist can be considered illegal since the wifi card not approved by Lenovo could exceed the legal limitations. This is only an example.
I think that who has the technical skills to do this can easily find all the information needed. In the Troll Lounge there are many links.
In the me_cleaner github wiki there is a lot of documentation. I applied the latest version of the tool that uses this finding:
https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
and in the latest iteration the intel me was disabled as documented by Positive Technologies and the partitions of the ME were almost all erased (left BUP and ROMP).
I think that this is the way to go for the latest hardware.
I hope libreboot will support this.
Here the message from the intelmetool after disabling the ME:
MEI was hidden on PCI, now unlocked
MEI found: [8086:8c3a] 8 Series/C220 Series Chipset Family MEI Controller #1
ME Status : 0x1e020191
ME Status 2 : 0x104d2142
ME: FW Partition Table : OK
ME: Bringup Loader Failure : NO
ME: Firmware Init Complete : NO
ME: Manufacturing Mode : YES
ME: Boot Options Present : NO
ME: Update In Progress : NO
ME: Current Working State : Initializing
ME: Current Operation State : Bring up
ME: Current Operation Mode : Debug
ME: Error Code : No Error
ME: Progress Phase : BUP Phase
ME: Power Management Event : Clean Moff->Mx wake
ME: Progress Phase State : 0x4d
ME: Extend SHA-256: ######
ME: failed to become ready
ME: failed to become ready
ME: GET FW VERSION message failed
ME: failed to become ready
ME: failed to become ready
ME: GET FWCAPS message failed
Re-hiding MEI device...done
There is no more error messages and the intel ME is gracefully disabled after the BUP phase.
Thank you, anyway for all these links ;)
Anyone interested in this world will find useful information.
I'll learn about it.
libre greetings !
Thanks :) Yes if you read also the post in the Troll Lounge: "Hope for new hardware" you can find even more detailed information. And in internet is all at grasp. No need of another wiki :)
Here a good wiki about the topic: https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Disabling_the_Intel_Management_Engine
Thanks for the information. If you ever change your mind about sharing the howto, I think having the information consolidated in a clear guide would be very valuable as well. I have wanted to deactivate the ME on my x230 for a while but haven't had the courage yet.
I think that the wiki of Sakaki is very good.
If you have an external way to flash the firmware then you are quite safe, unless you make mistake on the connection. But it is quite difficult.
I reflashed the firmware many many times with incremental changes and I had always a backup ready. One of the flash end up also in a brick but flashing back the prior version solved the problem.
For the x230 you can even flash coreboot (lucky you) https://www.coreboot.org/Board:lenovo/x230
It is written that the only way to flash the ME is externally.
You can use this guide as well: https://github.com/corna/me_cleaner/wiki/External-flashing
I think you could get a pretty close to freedom laptop even more than I achieved.
- Inicie sesión ou rexístrese para enviar comentarios