me_cleaner man page
me_cleaner - Tool for partial deblobbing of Intel ME/TXE firmware images
me_cleaner.py [-h] [-v] [-O output_file] [-S | -s] [-r] [-k] [-w whitelist | -b blacklist] [-d] [-t] [-c] [-D output_descriptor] [-M output_me_image] file
me_cleaner is a tool able to disable parts of Intel ME/TXE by:
- removing most of the code from its firmware
- setting a special bit to force it to disable itself after the hardware initialization
Using both the modes seems to be the most reliable way on many platforms.
The resulting modified firmware needs to be flashed (in most of the cases) with an external programmer, often a dedicated SPI programmer or a Linux board with a SPI master interface.
me_cleaner works at least from Nehalem to Coffee Lake (for Intel ME) and on Braswell/Cherry Trail (for Intel TXE), but may work as well on newer or different architectures.
me_cleaner have been tested on a great number of platforms, fiddling with the Intel ME/TXE firmware is very dangerous and can easily lead to a dead PC.
YOU HAVE BEEN WARNED.
ME/TXE image or full dump.
Show the help message and exit.
Show program's version number and exit.
Save the modified image in a separate file, instead of modifying the original file.
In addition to the usual operations on the ME/TXE firmware, set the MeAltDisable bit or the HAP bit to ask Intel ME/TXE to disable itself after the hardware initialization (requires a full dump).
Instead of the usual operations on the ME/TXE firmware, just set the MeAltDisable bit or the HAP bit to ask Intel ME/TXE to disable itself after the hardware initialization (requires a full dump).
Relocate the FTPR partition to the top of the ME region to save even more space.
Truncate the empty part of the firmware (requires a separated ME/TXE image or
Don't remove the FTPR modules, even when possible.
Comma separated list of additional partitions to keep in the final image. This can be used to specify the MFS partition for example, which stores PCIe and clock settings.
Comma separated list of partitions to remove from the image. This option overrides the default removal list.
Remove the ME/TXE Read/Write permissions to the other regions on the flash from the Intel Flash Descriptor (requires a full dump).
Extract the flash descriptor from a full dump; when used with
--truncatesave a descriptor with adjusted regions start and end.
Extract the ME firmware from a full dump; when used with
--truncatesave a truncated ME/TXE image.
Verify the integrity of the fundamental parts of the firmware and exit.
me_cleaner has been tested on the following platforms:
|Ibex Peak *||Nehalem/Westmere||6.0||Ignition|
|Ibex Peak *||Nehalem/Westmere||6.x||1.5/5 MB|
|Cougar Point||Sandy Bridge||7.x||1.5/5 MB|
|Panther Point||Ivy Bridge||8.x||1.5/5 MB|
|Lynx/Wildcat Point||Haswell/Broadwell||9.x||1.5/5 MB|
|Wildcat Point LP||Broadwell Mobile||10.0||1.5/5 MB|
|Braswell/Cherry Trail||2.x||1.375 MB|
* Not working on coreboot
All the reports are available on the project's GitHub page ⟨https://github.com/corna/me_cleaner/issues/3⟩.
Check whether the provided image has a valid structure and signature:
me_cleaner.py -c dumped_firmware.bin
Remove most of the Intel ME firmware modules but don't set the HAP/AltMeDisable bit:
me_cleaner.py -S -O modified_me_firmware.bin dumped_firmware.bin
Remove most of the Intel ME firmware modules and set the HAP/AltMeDisable bit, disable the Read/Write access of Intel ME to the other flash region, then relocate the code to the top of the image and truncate it, extracting a modified descriptor and ME image:
me_cleaner.py -S -r -t -d -D ifd_shrinked.bin -M me_shrinked.bin -O modified_firmware.bin full_dumped_firmware.bin
Bugs should be reported on the project's GitHub page ⟨https://github.com/corna/me_cleaner⟩.
Nicola Corna ⟨email@example.com⟩
flashrom(8), me_cleaner's Wiki ⟨https://github.com/corna/me_cleaner/wiki⟩