1me_cleaner(1) General Commands Manual me_cleaner(1)
2
6 me_cleaner - Tool for partial deblobbing of Intel ME/TXE firmware
7 images
8
10 me_cleaner.py [-h] [-v] [-O output_file] [-S | -s] [-r] [-k] [-w
11 whitelist | -b blacklist] [-d] [-t] [-c] [-D output_descriptor] [-M
12 output_me_image] file
13
15 me_cleaner is a tool able to disable parts of Intel ME/TXE by:
16 · removing most of the code from its firmware
18 · setting a special bit to force it to disable itself after the
20 hardware initialization
21 Using both the modes seems to be the most reliable way on many plat‐
23 forms.
24 The resulting modified firmware needs to be flashed (in most of the
26 cases) with an external programmer, often a dedicated SPI programmer or
27 a Linux board with a SPI master interface.
28 me_cleaner works at least from Nehalem to Coffee Lake (for Intel ME)
30 and on Braswell/Cherry Trail (for Intel TXE), but may work as well on
31 newer or different architectures.
32 While me_cleaner have been tested on a great number of platforms, fid‐
34 dling with the Intel ME/TXE firmware is very dangerous and can easily
35 lead to a dead PC.
36 YOU HAVE BEEN WARNED.
38
40 file ME/TXE image or full dump.
41
43 -h, --help
44 Show the help message and exit.
45 -v, --version
47 Show program's version number and exit.
48 -O, --output
50 Save the modified image in a separate file, instead of modifying
51 the original file.
52 -S, --soft-disable
54 In addition to the usual operations on the ME/TXE firmware, set
55 the MeAltDisable bit or the HAP bit to ask Intel ME/TXE to dis‐
56 able itself after the hardware initialization (requires a full
57 dump).
58 -s, --soft-disable-only
60 Instead of the usual operations on the ME/TXE firmware, just set
61 the MeAltDisable bit or the HAP bit to ask Intel ME/TXE to dis‐
62 able itself after the hardware initialization (requires a full
63 dump).
64 -r, --relocate
66 Relocate the FTPR partition to the top of the ME region to save
67 even more space.
68 -t, --truncate
70 Truncate the empty part of the firmware (requires a separated
71 ME/TXE image or --extract-me).
72 -k, --keep-modules
74 Don't remove the FTPR modules, even when possible.
75 -w, --whitelist
77 Comma separated list of additional partitions to keep in the
78 final image. This can be used to specify the MFS partition for
79 example, which stores PCIe and clock settings.
80 -b, --blacklist
82 Comma separated list of partitions to remove from the image.
83 This option overrides the default removal list.
84 -d, --descriptor
86 Remove the ME/TXE Read/Write permissions to the other regions on
87 the flash from the Intel Flash Descriptor (requires a full
88 dump).
89 -D, --extract-descriptor
91 Extract the flash descriptor from a full dump; when used with
92 --truncate save a descriptor with adjusted regions start and
93 end.
94 -M, --extract-me
96 Extract the ME firmware from a full dump; when used with --trun‐
97 cate save a truncated ME/TXE image.
98 -c, --check
100 Verify the integrity of the fundamental parts of the firmware
101 and exit.
102
104 Currently me_cleaner has been tested on the following platforms:
105 ┌───────────────────┬───────────────────┬──────┬──────────┐
107 │ PCH │ CPU │ ME │ SKU │
108 ├───────────────────┼───────────────────┼──────┼──────────┤
109 │ Ibex Peak * │ Nehalem/Westmere │ 6.0 │ Ignition │
110 ├───────────────────┼───────────────────┼──────┼──────────┤
111 │ Ibex Peak * │ Nehalem/Westmere │ 6.x │ 1.5/5 MB │
112 ├───────────────────┼───────────────────┼──────┼──────────┤
113 │ Cougar Point │ Sandy Bridge │ 7.x │ 1.5/5 MB │
114 ├───────────────────┼───────────────────┼──────┼──────────┤
115 │ Panther Point │ Ivy Bridge │ 8.x │ 1.5/5 MB │
116 ├───────────────────┼───────────────────┼──────┼──────────┤
117 │Lynx/Wildcat Point │ Haswell/Broadwell │ 9.x │ 1.5/5 MB │
118 ├───────────────────┼───────────────────┼──────┼──────────┤
119 │Wildcat Point LP │ Broadwell Mobile │ 10.0 │ 1.5/5 MB │
120 ├───────────────────┼───────────────────┼──────┼──────────┤
121 │ Sunrise Point │ Skylake/Kabylake │ 11.x │ CON/COR │
122 ├───────────────────┼───────────────────┼──────┼──────────┤
123 │ Union Point │ Kabylake │ 11.x │ CON/COR │
124 └───────────────────┴───────────────────┴──────┴──────────┘
125 ┌──────────────────────┬─────┬──────────┐
126 │ SoC │ TXE │ SKU │
127 ├──────────────────────┼─────┼──────────┤
128 │Braswell/Cherry Trail │ 2.x │ 1.375 MB │
129 └──────────────────────┴─────┴──────────┘
130 * Not working on coreboot
131 All the reports are available on the project's GitHub page
133 ⟨https://github.com/corna/me_cleaner/issues/3⟩.
134
136 Check whether the provided image has a valid structure and signature:
137 me_cleaner.py -c dumped_firmware.bin
139 Remove most of the Intel ME firmware modules but don't set the
141 HAP/AltMeDisable bit:
142 me_cleaner.py -S -O modified_me_firmware.bin dumped_firmware.bin
144 Remove most of the Intel ME firmware modules and set the HAP/AltMeDis‐
146 able bit, disable the Read/Write access of Intel ME to the other flash
147 region, then relocate the code to the top of the image and truncate it,
148 extracting a modified descriptor and ME image:
149 me_cleaner.py -S -r -t -d -D ifd_shrinked.bin -M me_shrinked.bin
151 -O modified_firmware.bin full_dumped_firmware.bin
152
154 Bugs should be reported on the project's GitHub page
155 ⟨https://github.com/corna/me_cleaner⟩.
156
158 Nicola Corna ⟨nicola@corna.info⟩
159
161 flashrom(8), me_cleaner's Wiki
162 ⟨https://github.com/corna/me_cleaner/wiki⟩
163 MARCH 2018 me_cleaner(1)