Intel Management Engine

S

stadtaffe

Orthodox
Heirloom
As everyone in the privacy lounge thread can't stop talking about the IME I couldn't help but do a quick exploration with this repo -
which also has a detailed wiki -
The other reason is that it is more likely to work for my older machine. It 'cleans' away most of the binary and just leaves the bit that needs to run during boot. In some cases users find that the machine automatically powers down 30 minutes after boot once you have tampered with the IME. Given that this machine is ready for the rubbish anyway and the data is backed up I thought it wouldn't hurt to have a small attempt, kill the monster living inside. There is a risk of 'bricking' it and flashing back to original firmware once it has been 'bricked' is probably too complex for those of us who don't work with this kind of thing.

I've flashed a lot of android ROMS in the past as well as patched and modified them but never before tried to mess with with my PC's firmware. Have 'bricked' some Android devices as well.. Still, my smartphone has had either Cyanogenmod or LineageOS for many years now and I once successfully flashed GrapheneOS for someone else. So has given me some confidence to 'flash' this evil management engine, although it does not sound like as much of a tried and tested process.

You can either do it with the device off whereby you open the cover, find the relevant chip and somehow reflash its firmware with something else. I've got no experience with that sort of thing so would go for the flashing while the machine is running. It's a bit like surgery with full anesthesia or with the patient awake..

Anyway, it's not as simple as just running
$ python me_cleaner.py -S -O modified_image.bin original_dump.bin
..so I learned.

You need to create original_dump.bin and probably then run some software on it to create modified_image.bin.
It is probably best to either live with the IME or buy from one of these :

Bird said:
To sum it up, these vendors sell their hardware with IME disabled or deactivatable:

puri.sm - USA
nitrokey.com - Germany
system76.com - USA
tuxedocomputers.com - Germany
Click to expand...

I thought I'd nevertheless create a thread in case anyone actually is inclined to pursue this cleaning process of the 'IME' binary and can report back on their experience, what they did, whether it bricked the machine or caused it to shut itself down after thirty minutes.

Also any discussion about whether the IME really is spyware or if that is just a conspiracy theory without basis.
 
Last edited:
Based on my reading, I decided not to flash the firmware. My notebook is only five years old and not ready for the trash bin.
If any of you are brave enough to try it anyway, please record your session with a tool like simplescreenrecorder and post the video here in this thread.

But when I buy new hardware, it will definitely be from one of the vendors mentioned here.
 
Several days ago I did some more reading, took notes.

I can't go through it all now but there was one quite interesting mitigating measure you can take :


- don't use your wireless use the (traditionally blue) LAN cable.

I already felt the cables are a better idea anyway and now there is an even better reason.

It would be okay in one of the 2 spots I use the PC here but I would have to run one into another room in a messy way to do that. It would be cool to have your place wired with LAN cables in the walls so you can just plug in in various places.

My latest part replacement on the ten year old notebook worked very well, so am probably a bit less likely to risk bricking it now for an IME disabling attempt.

Actually, given the 2 methods, HAP bit and me_cleaner, I still think the latter looks easier.

Found another potential supplier from the Netherlands :
They offer
All European keyboard layouts
Click to expand...
!
 
For inspiration, here are some success stories :
Were a few misadventures in there, someone who needed to reflash to make it boot again but no permanent bricks, at least not from a quick read.

From here,
https://pythonrepo.com/repo/corna-me_cleaner
commands to run before and after to see if it's worked :
$ ls /dev | grep mei[nothing] $ lspci | grep -i communi[nothing] $ cat /proc/bus/pci/devices | grep a13a[nothing]

It may have to wait till Winter, some rainy day when I am stuck somewhere and will try to take it further.

Actually, interesting that the 'Bios' is an 8 pin chip in that one user's case that they simply unplugged. I had no idea it was one specific chip, I thought it just lived on one of the other chips. Doubt on a laptop that it is something you can just unplug like that however.

I get the impression that me_cleaner software is quite carefully made to check numerous things and reduce the chances of a bricking. Have not listened to it yet but this is its author :
Nicola Corna, an Italian academic
 
The only way around the IME from my understanding is to either run 14 year old hardware or partially neuter it using Coreboot/Libreboot. I believe that there are still some blobs on more recent machines using Coreboot, but I run an x230 with Skulls/Coreboot that effectively has the management engine fairly harmless. I think there are big things coming for RISC-V and this would be the way forward away from the big Intel/AMD duopoly.
 
You must log in or register to reply here.
Back
Top