User:Sakaki/Sakaki's EFI Install Guide/Disabling the Intel Management Engine

The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -2,  independently of the BIOS, main CPU and platform operating system &mdash; a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported  ).

In this mini-guide, I'll run through the process of disabling the IME on your target PC. To do so, we will use Nicola Corna's. This software operates on the firmware stored in your PC's BIOS chip (where the bulk of the ME's code resides), and does two things:
 * sets the 'High Assurance Program' bit, an ME 'kill switch' that the US government reportedly had incorporated for PCs used in sensitive applications ;
 * removes the vast majority of the ME's software modules (including network stack, RTOS and Java VM), leaving only the essential 'bring up' components (the latter being necessary because, on modern systems, if the IME fails to initialize, a 30 minute watchdog timer resets the whole PC ).

This combined 'belt-and-braces' approach means that the ME ought to cleanly enter a self-induced null state (after resetting the 30-minute watchdog timer) but, should that not work, it will nevertheless enter a failed state shortly thereafter (as its real-time kernel, network stack etc. have been purged).

The process we will be following is as follows:
 * ensuring you have the necessary components available;
 * locating (and identifying) the BIOS flash chip on your target PC;
 * setting up a Raspberry Pi 3 Model B ('RPi3') as an in-system flash programmer;
 * reading the original firmware from the BIOS flash chip (and validating this), using the RPi3;
 * creating a modified copy of this firmware using ;
 * writing the modified copy of the firmware back to your PC's BIOS flash chip, again using the RPi3;
 * restarting your PC, and verifying that the IME has been disabled.

Although some systems do allow the full contents of the BIOS flash chip to be reprogrammed using software tools only (so called 'internal flashing'), on most PCs this facility is either completely unavailable, or can only write to the unprotected areas of the flash filesystem (excluding the ME area), or will only write vendor-signed images. Accordingly, we will describe the approach of using 'external' flashing in this guide, as that is the most reliable.

If you are ready, let's go!

Prerequisites
To proceed, you will require the following:


 * an Intel-CPU-based target PC &mdash; that does not have Boot Guard enabled &mdash; on which you wish to disable the IME;
 * (the target PC may be running an OEM BIOS (such as AMI, Dell etc.), or coreboot);
 * a Raspberry Pi 3 Model B single board computer ('RPi3'), for use as an external flash programmer;
 * a spare >= 8GB microSD card (to hold the 64-bit Gentoo O/S image we will use for the RPi3);
 * an appropriate IC clip for your target PC's flash chip, e.g.:
 * a Pomona 5250 for SOIC-8 chips;
 * a Pomona 5208 for unsocketed DIP-8 chips, or
 * a Pomona 5252 for SOIC-16 chips;
 * 8 female-female connector wires (to attach the appropriate clip to the RPi3's GPIO header);
 * a maintenance manual for your target PC, where available, to assist in safe disassembly / reassembly; and
 * whatever tools are stipulated in the above.

In the text, I will run through the process of reflashing the BIOS-chip firmware on a specific machine, namely the long-suffering Panasonic CF-AX3 Ultrabook used in the main body of this guide. This has a SOIC-8 BIOS flash chip, so we will be using a Pomona 5250 clip. Of course, you should adapt the following instructions to match your specific setup, flash chip type etc.

Locating (and Identifying) the Target PC's BIOS Flash Chip
To begin &mdash; always observing good ESD practices, and following the instructions given in your target system's maintenance manual &mdash; disconnect any external power sources and removable batteries, and then expose your target PC's motherboard.

For desktop machines, gaining access to the motherboard is generally easy, but for laptops the disassembly process is often quite fiddly. However, the Panasonic CF-AX3 is refreshingly straightforward in this regard &mdash; after removing the main battery and removing 19 small screws on the bottom-side, the rear panel of the laptop lifts off easily. With this done, a second (internal) li-ion battery must be disconnected, after which the mainboard is ready for inspection. Obviously, the approach required for your system will be different.

Once you have your target PC's motherboard exposed, locate its BIOS flash chip. On many machines, the BIOS chip will be marked with a sticker or paint dot. Laptops will generally have 8-pin or 16-pin SOIC packages;on desktop machines, 8-pin socketed (and unsocketed) DIP packages are also common.

The CF-AX3 has a SOIC-8 flash IC, as shown:



Once you have located the BIOS flash chip, with the help of a magnifying glass (good apps for this are available for IOS and Android phones) or digital camera, read off the maker's name and model number from the device. Then, use a search engine to locate the device's datasheet.

For example, as the above photo shows, the CF-AX3 has a Winbond W25Q64FV IC; its datasheet may be found here. This part uses a very commonly seen pinout, as follows (note how the pins are numbered counter-clockwise):



Note that on DIP packages, the top of the chip will generally be marked by a semicircular indent; on SOIC packages, a small circle or indent will mark pin 1 (NB, do not confuse this with any paint blobs the manufacturer may have used to highlight the flash chip, as for example with the blue paint blob used on the CF-AX3.)

Write down the pinout for your device, if it differs from that shown in the above diagram.

Setting up the RPi3 as an External Flash Programmer
Next, we will set up a Raspberry Pi 3 Model B ('RPi3') single board computer as an external flash programmer, running 64-bit Gentoo Linux as its operating system. For convenience we will use a pre-built image.

Software Configuration
Download, write and boot the Gentoo image provided here on your RPi3 (following the instructions given on that page).

The image starts up directly into an Xfce4 desktop, pre-logged in as the account. When the boot has completed, open a terminal window on (or in to) the RPi3 and become root:

If you have not modified the default image settings, no password will be required for this step.

Then, modify the file so that the SPI interface (used to communicate with the flash chip) is available via the RPi3's GPIO pins. As root, issue:

and modify that file, uncommenting the following line (if not already done):

Leave the rest of the file as-is. Save, and exit.

Next, fetch up-to-date copies of the and  ebuild repositories ('overlays') on the RPi3. Ensure your RPi3 has a valid network connection (you can easily setup a WiFi or Ethernet connection via the bundled applet, just click on the network icon in the status bar), then issue:

Next, we need to install the software, which will allow us to read and write the flash chip over the SPI interface. Issue:

Because it will fetch and then check the binhost packages metadata file, this command may take 3-4 minutes before prompting you whether to proceed, so please be patient. The actual package itself is available as a binary and will install quickly (with no local compilation required), once confirmed.

Then, we need to emerge the package, which provides  (a utility to parse and modify the structure of Intel firmware flash dumps). The package has an ebuild in the repository (aka 'overlay') used on the image, so issue:

The next step is to install Nicola Corna's software itself. This also has an ebuild in the repo, so issue:

is a reasonably straightforward Python script. Nevertheless, it is good hygiene to review scripts prior to running them (particularly when they impact such security-critical areas as the IME and BIOS), so do so now. Issue:

Use and  to navigate within the file, and press  to quit, when done.

Lastly, we'll pull in the library (and accompanying  utility, which will be used to set the GPIO pins on the header not directly controlled by ). This has an ebuild in the repo used on the image, so issue:

Hardware Configuration
With the necessary software prepared, we can proceed to attach the appropriate IC clip to the RPi3's GPIO (general purpose input-output) header.

Cleanly shutdown your RPi3:

Physically remove the RPi3's power connector once the shutdown sequence has completed.

With your RPi3 powered off, locate its 40-pin GPIO header, and connect one end of each of the 8 female-female cables to the appropriate RPi3 GPIO pin as shown in (the inner, light green section of) the diagram below :



Here is a photo showing these connections in place on an actual RPi3 (in an official 7" touchscreen enclosure; this is of course not necessary in order to use the board). Disregard the wires on the left-hand side, they are for the touchscreen. With the RPi3 oriented as it is in this picture, pin 1 is at the extreme left position on the nearer row, and pin 40 at the extreme right position on the farther row. The colours of the jumper wires used match those in the above pin mapping and flash chip pinout.



The other end of the 8 wires you should connect to an appropriate IC test clip, per the outer (lilac) section of the above pin mapping diagram. The photo above shows a 5250 clip attached (as is appropriate for the SOIC-8 flash chip in the Panasonic CF-AX3); obviously, adapt as required. The important thing is to look at your flash IC's pin names / functions (as given by its datasheet), and ensure that these are connected to the appropriate header wire from the RPi3. For example, with the Winbond W25Q64FV chip in a SOIC-8 package, as here, we have:

With the test clip connected, hardware setup of your RPi3 as a in-circuit flash programmer is complete.

Reading and Verifying the Original Contents of your BIOS Flash Chip
Power the RPi3 back up, wait for Gentoo to boot, and then and open a terminal window (or, at your option, log in over ). As before, become root:

Then, as root, ensure that and  are both pulled high. Issue:

This command (using the utility from ) activates the RPi3's internal pull-up resistors on  (RPi3 pin 16 &rarr; ) and  (RPi3 pin 18 &rarr; ) respectively.

Next, observing proper proper ESD precautions (and after double-checking that you have all external power supplies and batteries removed), attach the IC clip to your target PC's BIOS flash chip.

For example, the photo below shows the same RPi3 as shown earlier attached to the BIOS chip of the CF-AX3 laptop, using a Pomona 5250 test clip:



With the clip attached, request that 'probe' to see if it can identify your BIOS flash chip:

Obviously the output will reflect your particular version of flashrom, kernel and flash chip, but if you see something like the above, you are good to proceed.

However, if instead you got an output containing, then you have a problem. Double-check the wiring to your RPi3 and the IC clip, and make sure your RPi3's power supply is sufficient. If that all looks good, re-seat the IC clip on your flash chip, and try again. The clips are tricky to get seated properly, so it is not unusual for a few tries to be required before can successfully connect.

Once you have a successful probe, leaving the clip in place, dump a copy of your existing firmware :

Make another copy of the original firmware:

And check that both copies are identical (this is a useful check to ensure that neither image has been corrupted):

This should produce no output, indicating that the dumped images are identical.

Next, assuming the check passes, run  on one of the images, to ensure that it has a valid structure:

Your output will obviously be system-specific, but should resemble something like that shown here (at least in broad outline).

Finally, check that the dumped image has a structure that the tool understands, and can work with. To do so, issue:

As before, your output will be system-specific, but should pass all checks as for example shown here.

Modifying Firmware using, to Disable the IME
With all tests passed, you can now run on your firmware image. Issue:

Your output will obviously differ (and in particular, if you are using a more modern PC than the CF-AX3 you may see a larger number of modules listed (and on a server-class machine, many fewer); see the success reports, for examples of the sort of output that may be produced).

The resulting image is saved to the file ; the original firmware files are left untouched.

Writing Back the Modified Firmware
We can now write back ('reflash') the system firmware we have just modified. With the IC clip still in place, issue:

As before, your output will most likely differ somewhat, depending on the specifics of your setup.

Once the flash has been successfully programmed, disconnect the IC-clip (or, if you are using a socketed chip and have it e.g. mounted on a solderless breadboard, remove the flash chip and place it back carefully in its socket on your PC).

Restarting your PC and Verifying the IME is Disabled
Reassemble your target PC, following instructions given in your vendor's maintenance manual where available (and as always taking care to observe proper proper ESD protective measures). Ensure any batteries or power supplies are reconnected, and then try booting it up (into Gentoo) using your regular procedure.

If you experience serious problems upon restart &mdash; for example, the machine will not POST, or you are unable to enter the BIOS setup GUI after boot &mdash; then jump here for instructions on how to recover (by reflashing your original firmware again).

However, in the more likely case that your machine appears to start up correctly into Linux (after you enter your passphrase etc.), you can run the  to check the status of the ME. This is available as part of the package on the  ebuild repository (aka 'overlay') which we already set up earlier in the guide, so, to install it, open a terminal (on your target PC), become root, and issue:

Then issue:

Again, the output on your system will probably differ from this. You can safely ignore the ominous sounding Bad news... message, as that actually only indicates that the very low-level status registers of the ME are visible over PCI. The real indications that the ME is disabled are that you see (depending on your ME version) one or more of the below:
 * (as in the above);
 * (as in the above);
 * (as in the above);
 * (as in the above);
 * (as in the above);
 * (as in the above); or
 * (as in the above).
 * (as in the above);
 * (as in the above); or
 * (as in the above).
 * (as in the above); or
 * (as in the above).
 * (as in the above).

You can also browse through the `me_cleaner` success reports, to see the sort of output that may be produced on different platforms.

Next, wait for 30 minutes of wall time to elapse, and ensure that your target PC does not reset itself (thereby proving that the watchdog timer has been properly cleared).

If all that worked, congratulations! You have disabled the ME on your PC &mdash; click here to skip to the next step.

If however you experience a problem booting (and cannot e.g. start Windows either, assuming you are dual-booting), then continue reading immediately below, to restore the original firmware image again.

Recovery in Case of Error
The process just described does not work on all machines. Fortunately, since you saved a copy of your original firmware earlier, and have a functional flash reprogrammer (the RPi3) to hand, it is straightforward to roll things back.

To restore the original firmware image, simply follow the previous instructions to power down your PC, expose the system motherboard, and (re)connect the RPi3 flash programmer's IC clip. Then on the RPi3, working as root, issue:

to write the original firmware image back again. When done (make sure you see the  output), follow the earlier procedure to disconnect the IC clip, reassemble your target PC, and boot it up.

In this case, unfortunately it appears that the IME cannot be disabled on your system at this time.

Next Steps
If you were successful restarting your system after running (and it passed the  test), please consider posting details of your system here, to assist others.

However, if you experienced a problem during the process, please take the time to post an new issue here.

Finally, to rejoin the main guide, please click here or here.