1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
.TH me_cleaner 1 "MARCH 2018"
.SH me_cleaner
.PP
me_cleaner \- Tool for partial deblobbing of Intel ME/TXE firmware images
.SH SYNOPSIS
.PP
\fB\fCme_cleaner.py\fR [\-h] [\-v] [\-O output_file] [\-S | \-s] [\-r] [\-k]
[\-w whitelist | \-b blacklist] [\-d] [\-t] [\-c] [\-D output_descriptor]
[\-M output_me_image] \fIfile\fP
.SH DESCRIPTION
.PP
\fB\fCme_cleaner\fR is a tool able to disable parts of Intel ME/TXE by:
.RS
.IP \(bu 2
removing most of the code from its firmware
.IP \(bu 2
setting a special bit to force it to disable itself after the hardware
initialization
.RE
.PP
Using both the modes seems to be the most reliable way on many platforms.
.PP
The resulting modified firmware needs to be flashed (in most of the cases) with
an external programmer, often a dedicated SPI programmer or a Linux board with
a SPI master interface.
.PP
\fB\fCme_cleaner\fR works at least from Nehalem to Coffee Lake (for Intel ME) and on
Braswell/Cherry Trail (for Intel TXE), but may work as well on newer or
different architectures.
.PP
While \fB\fCme_cleaner\fR have been tested on a great number of platforms, fiddling
with the Intel ME/TXE firmware is \fIvery dangerous\fP and can easily lead to a
dead PC.
.PP
\fIYOU HAVE BEEN WARNED.\fP
.SH POSITIONAL ARGUMENTS
.TP
\fB\fCfile\fR
ME/TXE image or full dump.
.SH OPTIONAL ARGUMENTS
.TP
\fB\fC\-h\fR, \fB\fC\-\-help\fR
Show the help message and exit.
.TP
\fB\fC\-v\fR, \fB\fC\-\-version\fR
Show program's version number and exit.
.TP
\fB\fC\-O\fR, \fB\fC\-\-output\fR
Save the modified image in a separate file, instead of modifying the
original file.
.TP
\fB\fC\-S\fR, \fB\fC\-\-soft\-disable\fR
In addition to the usual operations on the ME/TXE firmware, set the
MeAltDisable bit or the HAP bit to ask Intel ME/TXE to disable itself after
the hardware initialization (requires a full dump).
.TP
\fB\fC\-s\fR, \fB\fC\-\-soft\-disable\-only\fR
Instead of the usual operations on the ME/TXE firmware, just set the
MeAltDisable bit or the HAP bit to ask Intel ME/TXE to disable itself after
the hardware initialization (requires a full dump).
.TP
\fB\fC\-r\fR, \fB\fC\-\-relocate\fR
Relocate the FTPR partition to the top of the ME region to save even more
space.
.TP
\fB\fC\-t\fR, \fB\fC\-\-truncate\fR
Truncate the empty part of the firmware (requires a separated ME/TXE image or
\fB\fC\-\-extract\-me\fR).
.TP
\fB\fC\-k\fR, \fB\fC\-\-keep\-modules\fR
Don't remove the FTPR modules, even when possible.
.TP
\fB\fC\-w\fR, \fB\fC\-\-whitelist\fR
Comma separated list of additional partitions to keep in the final image.
This can be used to specify the MFS partition for example, which stores PCIe
and clock settings.
.TP
\fB\fC\-b\fR, \fB\fC\-\-blacklist\fR
Comma separated list of partitions to remove from the image. This option
overrides the default removal list.
.TP
\fB\fC\-d\fR, \fB\fC\-\-descriptor\fR
Remove the ME/TXE Read/Write permissions to the other regions on the flash
from the Intel Flash Descriptor (requires a full dump).
.TP
\fB\fC\-D\fR, \fB\fC\-\-extract\-descriptor\fR
Extract the flash descriptor from a full dump; when used with \fB\fC\-\-truncate\fR
save a descriptor with adjusted regions start and end.
.TP
\fB\fC\-M\fR, \fB\fC\-\-extract\-me\fR
Extract the ME firmware from a full dump; when used with \fB\fC\-\-truncate\fR save a
truncated ME/TXE image.
.TP
\fB\fC\-c\fR, \fB\fC\-\-check\fR
Verify the integrity of the fundamental parts of the firmware and exit.
.SH SUPPORTED PLATFORMS
.PP
Currently \fB\fCme_cleaner\fR has been tested on the following platforms:
.TS
allbox;
cb cb cb cb
c c c c
c c c c
c c c c
c c c c
c c c c
c c c c
c c c c
c c c c
.
PCH CPU ME SKU
Ibex Peak * Nehalem/Westmere 6.0 Ignition
Ibex Peak * Nehalem/Westmere 6.x 1.5/5 MB
Cougar Point Sandy Bridge 7.x 1.5/5 MB
Panther Point Ivy Bridge 8.x 1.5/5 MB
Lynx/Wildcat Point Haswell/Broadwell 9.x 1.5/5 MB
Wildcat Point LP Broadwell Mobile 10.0 1.5/5 MB
Sunrise Point Skylake/Kabylake 11.x CON/COR
Union Point Kabylake 11.x CON/COR
.TE
.TS
allbox;
cb cb cb
c c c
.
SoC TXE SKU
Braswell/Cherry Trail 2.x 1.375 MB
.TE
.PP
* Not working on coreboot
.PP
All the reports are available on the project's GitHub page \[la]https://github.com/corna/me_cleaner/issues/3\[ra]\&.
.SH EXAMPLES
.PP
Check whether the provided image has a valid structure and signature:
.IP
\fB\fCme_cleaner.py \-c dumped_firmware.bin\fR
.PP
Remove most of the Intel ME firmware modules but don't set the HAP/AltMeDisable
bit:
.IP
\fB\fCme_cleaner.py \-S \-O modified_me_firmware.bin dumped_firmware.bin\fR
.PP
Remove most of the Intel ME firmware modules and set the HAP/AltMeDisable bit,
disable the Read/Write access of Intel ME to the other flash region, then
relocate the code to the top of the image and truncate it, extracting a modified
descriptor and ME image:
.IP
\fB\fCme_cleaner.py \-S \-r \-t \-d \-D ifd_shrinked.bin \-M me_shrinked.bin \-O modified_firmware.bin full_dumped_firmware.bin\fR
.SH BUGS
.PP
Bugs should be reported on the project's GitHub page \[la]https://github.com/corna/me_cleaner\[ra]\&.
.SH AUTHOR
.PP
Nicola Corna \[la]nicola@corna.info\[ra]
.SH SEE ALSO
.PP
.BR flashrom (8),
me_cleaner's Wiki \[la]https://github.com/corna/me_cleaner/wiki\[ra]
|
