Disabling ME on Lenovo T470
I'm having difficulty disabling ME on a Lenovo T470 updated to the latest UEFI firmware 1.78. I can see from the status reports that a couple of people have accomplished this but I haven't been able to find a guide yet.
The chip I'm reading is the W25Q128.V identified as U49 on the motherboard. I can produce consistent dumps using a SOIC8 clip, but any changes I make to the dumps break the boot process and the device won't pass POST. So far I've tried using the -S option and using no option. I haven't tested with -s yet because I'd prefer to neuter ME completely rather than trust the HAP setting indefinitely.
Here's the output of ifdtool on the dumps before I make any changes:
region sizes in the FLREGn section:
descriptor 4095 Bytes (4KiB)
BIOS, 7340032 Bytes (7.00MiB)
ME, 7327743 Bytes (6.99MiB)
GbE, 4096 Bytes (4KiB)
This looks appropriate so far, I think.
However, according to the me_cleaner wiki, each region in the FLMSTRn section should have RW access at least to itself. In my case, each item in each of the regions is marked disabled. This doesn't seem right but I don't know how to resolve it.
Here's the output of me_cleaner -c on the dumps:
Full image detected
Found FPT header at 0x3010
Found 11 partition(s)
Found FTPR header: FTPR partition spans from 0x1000 to 0xa8000 (684032 Bytes)
ME/TXE firmware version 11.8.86.3909 (generation 3)
Public key match: Intel ME, firmware versions 11.x.x.x
The HAP bit is NOT SET
Checking the FTPR RSA signature... VALID
This all looks good to my eyes.
Here's the output when I mod the dumps with me_cleaner -S. The output without the -S switch is identical except for the "Setting the HAP bit" message at the end, as you'd expect:
Full image detected
Found FPT header at 0x3010
Found 11 partition(s)
Found FTPR header: FTPR partition spans from 0x1000 to 0xa8000
Found FTPR manifest at 0x1478
ME/TXE firmware version 11.8.86.3909 (generation 3)
Public key match: Intel ME, firmware versions 11.x.x.x
The HAP bit is NOT SET
Reading partitions list...
FTPR (0x00001000 - 0x0000a8000, 0x000a7000 total bytes): NOT removed
FTUP (0x00110000 - 0x0001bc000, 0x000ac000 total bytes): removed
DLMP (0x000a6000 - 0x0000a9000, 0x00003000 total bytes): removed
PSVN (0x00000e00 - 0x000001000, 0x00000200 total bytes): removed
IVBP (0x0010c000 - 0x000110000, 0x00004000 total bytes): removed
MFS (0x000a8000 - 0x00010c000, 0x00064000 total bytes): removed
NFTP (0x00110000 - 0x0001bc000, 0x000ac000 total bytes): removed
ROMB ( no data here , 0x00000000 total bytes): nothing to remove
FLOG (0x001bc000 - 0x0001bd000, 0x00001000 total bytes): removed
UTOK (0x001bd000 - 0x0001bf000, 0x00002000 total bytes): removed
ISHC ( no data here , 0x00000000 total bytes): nothing to remove
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0xf2)...
Reading FTPR modules list...
FTPR.man (uncompressed, 0x001478 - 0x002064): NOT removed, partition manif.
rbe.met (uncompressed, 0x002064 - 0x0020fa): NOT removed, module metadata
fptemp.met (uncompressed, 0x0020fa - 0x002132): NOT removed, module metadata
kernel.met (uncompressed, 0x002132 - 0x0021c0): NOT removed, module metadata
syslib.met (uncompressed, 0x0021c0 - 0x002224): NOT removed, module metadata
bup.met (uncompressed, 0x002224 - 0x0027e6): NOT removed, module metadata
pm.met (uncompressed, 0x0027e6 - 0x002894): NOT removed, module metadata
vfs.met (uncompressed, 0x002894 - 0x0031c0): NOT removed, module metadata
evtdisp.met (uncompressed, 0x0031c0 - 0x00334e): NOT removed, module metadata
loadmgr.met (uncompressed, 0x00334e - 0x003476): NOT removed, module metadata
busdrv.met (uncompressed, 0x003476 - 0x0037fa): NOT removed, module metadata
gpio.met (uncompressed, 0x0037fa - 0x003944): NOT removed, module metadata
prtc.met (uncompressed, 0x003944 - 0x003af4): NOT removed, module metadata
policy.met (uncompressed, 0x003af4 - 0x003cb4): NOT removed, module metadata
crypto.met (uncompressed, 0x003cb4 - 0x003e3e): NOT removed, module metadata
heci.met (uncompressed, 0x003e3e - 0x00400a): NOT removed, module metadata
storage.met (uncompressed, 0x00400a - 0x004306): NOT removed, module metadata
pmdrv.met (uncompressed, 0x004306 - 0x00442a): NOT removed, module metadata
maestro.met (uncompressed, 0x00442a - 0x004514): NOT removed, module metadata
fpf.met (uncompressed, 0x004514 - 0x00462c): NOT removed, module metadata
hci.met (uncompressed, 0x00462c - 0x00472e): NOT removed, module metadata
fwupdate.met (uncompressed, 0x00472e - 0x004836): NOT removed, module metadata
ptt.met (uncompressed, 0x004836 - 0x004942): NOT removed, module metadata
touch_fw.met (uncompressed, 0x004942 - 0x004a80): NOT removed, module metadata
rbe (Huffman , 0x004a80 - 0x007940): NOT removed, essential
fptemp (LZMA/uncomp., 0x007940 - 0x009940): removed
kernel (Huffman , 0x009940 - 0x019980): NOT removed, essential
syslib (Huffman , 0x019980 - 0x02abc0): NOT removed, essential
bup (Huffman , 0x02abc0 - 0x054640): NOT removed, essential
pm (LZMA/uncomp., 0x054640 - 0x056900): removed
vfs (LZMA/uncomp., 0x056900 - 0x05ec00): removed
evtdisp (LZMA/uncomp., 0x05ec00 - 0x0605c0): removed
loadmgr (LZMA/uncomp., 0x0605c0 - 0x063440): removed
busdrv (LZMA/uncomp., 0x063440 - 0x064cc0): removed
gpio (LZMA/uncomp., 0x064cc0 - 0x065dc0): removed
prtc (LZMA/uncomp., 0x065dc0 - 0x066940): removed
policy (LZMA/uncomp., 0x066940 - 0x06b680): removed
crypto (LZMA/uncomp., 0x06b680 - 0x079340): removed
heci (LZMA/uncomp., 0x079340 - 0x07d200): removed
storage (LZMA/uncomp., 0x07d200 - 0x081640): removed
pmdrv (LZMA/uncomp., 0x081640 - 0x0827c0): removed
maestro (LZMA/uncomp., 0x0827c0 - 0x084540): removed
fpf (LZMA/uncomp., 0x084540 - 0x085f00): removed
hci (LZMA/uncomp., 0x085f00 - 0x086780): removed
fwupdate (LZMA/uncomp., 0x086780 - 0x08b4c0): removed
ptt (LZMA/uncomp., 0x08b4c0 - 0x0a0e00): removed
touch_fw (LZMA/uncomp., 0x0a0e00 - 0x0a8000): removed
The ME minimum size should be 364544 bytes (0x59000 bytes)
The ME region can be reduced up to:
00003000:0005bfff me
Setting the HAP bit in PCHSTRP0 to disable Intel ME...
Checking the FTPR RSA signature... VALID
Done! Good luck!
The behaviour on the T470 after I flash the modded dumps back is a black screen on boot along with a diagnostic tone sequence. There is no splash screen and the device refuses to boot at all. When I flash back the unmodified dump everything reverts to normal.
I can see the activity on the repo is low but if anyone who's successfully flashed a T470 could offer their ten cents I'd appreciate it.
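As an added example, not code from this thread, me_cleaner or ifdtool, here is the check I would run before flashing in the situation above: parse the FLREGn region table out of the dump the way ifdtool does, then report which regions the modified dump actually differs in, at 4 KiB block granularity. A me_cleaner -S run should only touch the descriptor (the HAP strap) and the ME region; differences anywhere else point at a bad read or an unintended write. The sample dump pair is constructed: the ME base 0x3000 and the region sizes follow the ifdtool and me_cleaner output above, while BIOS at the top of flash, GbE at 0x1000, FRBA 0x40 and the descriptor byte changed at 0x200 are assumptions.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A                  # IFD signature, stored at offset 0x10
REGION_NAMES = ["descriptor", "BIOS", "ME", "GbE", "Platform Data"]
BLOCK = 0x1000                             # SPI erase-block size, also FLREG granularity

def parse_flregs(image):
    """Read FLREG0..4 from the descriptor (IFD v2 field widths, as ifdtool does)."""
    sig, flmap0 = struct.unpack_from("<II", image, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    frba = ((flmap0 >> 16) & 0xff) << 4    # Flash Region Base Address from FLMAP0
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7fff) << 12
        limit = (((flreg >> 16) & 0x7fff) << 12) | 0xfff
        if base <= limit:                  # an unused region is encoded with base > limit
            regions[name] = (base, limit)
    return regions

def changed_blocks_by_region(original, modified, regions):
    """Count 4 KiB blocks that differ between two dumps, keyed by the region they fall in."""
    if len(original) != len(modified):
        raise ValueError("dump sizes differ; the dumps are not comparable")
    counts = {}
    for off in range(0, len(original), BLOCK):
        if original[off:off + BLOCK] == modified[off:off + BLOCK]:
            continue
        hit = next((n for n, (b, l) in regions.items() if b <= off <= l), "outside any region")
        counts[hit] = counts.get(hit, 0) + 1
    return counts

def build_sample():
    """Constructed 16 MiB dump pair: ME base 0x3000 and region sizes from the outputs above;
    BIOS at top of flash, GbE at 0x1000 and the byte at 0x200 are assumptions, region 4 unused."""
    orig = bytearray(bytes(range(256)) * (0x1000000 // 256))
    struct.pack_into("<II", orig, 0x10, FD_SIGNATURE, (0x40 >> 4) << 16)   # FRBA = 0x40
    struct.pack_into("<5I", orig, 0x40, 0x00000000, 0x0fff0900, 0x06ff0003, 0x00010001, 0x00007fff)
    mod = bytearray(orig)
    mod[0x200] ^= 0x01                      # constructed: one strap-style bit flip in the descriptor
    mod[0x113000:0x1bf000] = b"\xff" * 0xac000   # constructed: an erased span inside the ME region
    return bytes(orig), bytes(mod)

if __name__ == "__main__":
    orig, mod = build_sample()
    regs = parse_flregs(orig)
    print(regs)
    print(changed_blocks_by_region(orig, mod, regs))   # {'descriptor': 1, 'ME': 172}
```

Run against a real pair of dumps, anything reported outside the descriptor and ME regions after a me_cleaner -S run did not come from me_cleaner and is worth explaining before the image goes back on the chip.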
Have you tried with the -S flag? Try booting with iomem=relaxed.
FLMSTRn Section RW Access: The issue with all regions being marked as disabled in the FLMSTRn section might indicate a problem with the dump or the way it's being interpreted. Double-check the integrity of your dump files and ensure that your tools are up to date.
POST Failure After Flashing: The black screen and diagnostic tones suggest that the modified firmware isn't being accepted by the system. This could be due to:
Do you have firmware updates turned on in the BIOS? You need to have flash by end user enabled (all three), and secure rollback turned off.
Disable Secure Boot: Ensure Secure Boot is turned off in the BIOS.
Enable Legacy Boot: If available, enable Legacy Boot instead of UEFI.
Wake-on-LAN: Enable Wake-on-LAN to ensure the flash chip is powered during operations.
Disable Intel AMT: If there's an option for Intel Active Management Technology (AMT), disable it.
Disable VT-d: Turn off Intel Virtualization Technology for Directed I/O.
Disable TPM: If Trusted Platform Module (TPM) is enabled, consider disabling it temporarily.
Kernel Parameters

To add iomem=relaxed, follow these steps:

Open the GRUB configuration file:

```bash
sudo nano /etc/default/grub
```

Locate the line starting with GRUB_CMDLINE_LINUX_DEFAULT and add iomem=relaxed. For example:

```bash
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash iomem=relaxed"
```

Save the file and update GRUB:

```bash
sudo update-grub
```

Reboot your system:

```bash
sudo reboot
```

Terminal Commands

Check Flash Descriptor:

```bash
# -d dumps the descriptor (regions and master permissions);
# -f would instead write a flashrom layout file
ifdtool -d dump.bin
```

This will show the flash layout and permissions.

Run me_cleaner:

```bash
# -S removes the non-essential ME modules and sets the HAP bit;
# -O names the output file, the original dump is left untouched
python3 me_cleaner.py -S -O modified.bin dump.bin
```

This sets the HAP bit and removes unnecessary ME modules.

Flash the Modified Firmware:

```bash
flashrom -p internal -w modified.bin
```

Ensure you have a backup of the original firmware before proceeding.

Verify Changes:

```bash
lspci | grep MEI
```

If the ME interface disappears, it indicates success.
Also blacklist the module using rmmod first.
Run lsmod, find mei_me, mei etc., and blacklist them in /etc/modprobe.d/blacklist.conf. Then reboot, confirm they are blacklisted, and try again. Also create a udev rule to disable the lspci output of the management controller itself before you even dump the firmware and flash. Don't ask me why, just do it.
I already tried it with -S flag. When I originally posted the only thing I hadn't tried was -s because I'd rather not trust the HAP Bit. Since then I decided it was either that or nothing so I tried it, and it works.
I'd still prefer to remove the Intel ME modules and set HAP together with -S, though, which is what worked for the other users in the status thread. Any thoughts on why it doesn't work in this case?
@ginto37
Are you running Linux or Windows on this machine? If on Windows, it would be great to see the output of:

```powershell
Get-CimInstance -ClassName Win32_ComputerSystemProduct | select *
# WARNING:
# Remember to remove your IdentifyingNumber before posting output here.
Get-ItemProperty -Path HKLM:\HARDWARE\DESCRIPTION\System\BIOS
Get-ComputerInfo | select OsName, CsSystemFamily, CsSystemSKUNumber, CsProcessors, BiosBIOSVersion
```