Closed mostav02 closed 4 years ago
OK, so far I have found here that FWUpdLcl backups can't be processed by me_cleaner. But still, there is a guy who has successfully killed ME via Local FWUpdate (???), and I would like to have more info on that. Logically, since we can flash some part of ME via FWUpdLcl, there should be some tools to modify those images. I didn't find any.
Anyway, I was able to kill ME on this laptop by unlocking the FD via [Flash Descriptor Security Override "HDA_SDO"] and using Intel Flash Programming Tool (FPT, fptw) to dump the ME region and write it back after passing it through me_cleaner.
The Realtek sound chip is located between the RAM and HDD modules. All you need to do is to short pins 1 and 5 during power on. I made it using an adjustable spanner with 2 needles customly attached on two sides with superglue and electrical tape, using a little wire between the needles in order to short them because superglue reduces conductivity (don't forget to ring them with a multimeter).
Below are the logs from the entire process.
me_cleaner:
$ python ~/me_cleaner/me_cleaner.py ME_N53SV.bin
ME/TXE image detected
Found FPT header at 0x10
Found 11 partition(s)
Found FTPR header: FTPR partition spans from 0x37000 to 0xa1000
ME/TXE firmware version 7.0.4.1197 (generation 2)
Public key match: Intel ME, firmware versions 7.x.x.x, 8.x.x.x
Reading partitions list...
FOVD (0x00000400 - 0x000001000, 0x00000c00 total bytes): removed
MDES (0x00001000 - 0x000002000, 0x00001000 total bytes): removed
FCRS (0x00002000 - 0x000003000, 0x00001000 total bytes): removed
EFFS (0x00003000 - 0x000037000, 0x00034000 total bytes): removed
NVCL (NVRAM partition, no data, 0x000095d9 total bytes): nothing to remove
NVJC (NVRAM partition, no data, 0x00005000 total bytes): nothing to remove
NVKR (NVRAM partition, no data, 0x0000f650 total bytes): nothing to remove
NVQS (NVRAM partition, no data, 0x00000def total bytes): nothing to remove
NVTD (NVRAM partition, no data, 0x00001e44 total bytes): nothing to remove
FTPR (0x00037000 - 0x0000a1000, 0x0006a000 total bytes): NOT removed
NFTP (0x000a1000 - 0x00017d000, 0x000dc000 total bytes): removed
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0x05)...
Reading FTPR modules list...
UPDATE (LZMA , 0x077ed4 - 0x077f66 ): removed
BUP (Huffman, fragmented data, ~43 KiB ): NOT removed, essential
KERNEL (Huffman, fragmented data, ~113 KiB ): removed
POLICY (Huffman, fragmented data, ~84 KiB ): removed
HOSTCOMM (LZMA , 0x077f66 - 0x07d4db ): removed
RSA (LZMA , 0x07d4db - 0x08002e ): removed
CLS (LZMA , 0x08002e - 0x0849e4 ): removed
TDT (LZMA , 0x0849e4 - 0x08aaac ): removed
FTCS (Huffman, fragmented data, ~16 KiB ): removed
The ME minimum size should be 307200 bytes (0x4b000 bytes)
Checking the FTPR RSA signature... VALID
Done! Good luck!
FPT:
C:\Intel ME System Tools v7 r2\Intel ME System Tools v7 r2\Flash Programming Tool\WIN64>fptw64.exe -i -verbose
Intel (R) Flash Programming Tool. Version: 7.1.50.1166
Copyright (c) 2007-2011, Intel Corporation. All rights reserved.
Number of LPC Devices supported: 109
LPC Device Id: 1C49.
Platform: Intel(R) HM65 Express Chipset Revision: Unknown
Revision Id register value is 0x5
Initializing SPI utilities
Reading HSFSTS register... Flash Descriptor: Valid
Region Limits as programmed into the SPI Registers
FREG0 - DESC Region:Base Address: 0x000000 Limit : 0x000FFF
FREG1 - BIOS Region:Base Address: 0x180000 Limit : 0x3FFFFF
FREG2 - ME Region:Base Address: 0x001000 Limit : 0x17FFFF
FREG3 - GbE Region:Base Address: 0xFFF000 Limit : 0x000FFF
FREG4 - PDR Region:Base Address: 0xFFF000 Limit : 0x000FFF
Address Limit 0x400000 Maximum Memory 4096kB
--- Flash Devices Found ---
W25Q32FV ID:0xEF4016 Size: 4096KB (32768Kb)
Flash program registers are locked! HSFSTS[15] (FLOCKDN) <<<< THIS REMAINS EVEN WHEN YOU UNLOCK THE FD, IGNORE!!!
Using software sequencing.
Reading region information from flash descriptor.
Base: 0x000000, Limit: 0x000FFF
Base: 0x180000, Limit: 0x3FFFFF
Base: 0x001000, Limit: 0x17FFFF
FW Status Register1: 0x1E040185
FW Status Register2: 0x10520006
Reading FOV configuration file "fptcfg.ini"
--- Flash Image Information --
Signature: VALID
Number of Flash Components: 1
Component 1 - 4096KB (32768Kb)
Regions:
Descriptor - Base: 0x000000, Limit: 0x000FFF
BIOS - Base: 0x180000, Limit: 0x3FFFFF
ME - Base: 0x001000, Limit: 0x17FFFF
GbE - Not present
PDR - Not present
Master Region Access:
CPU/BIOS - ID: 0x0000, Read: 0x0B, Write: 0x0A
ME - ID: 0x0000, Read: 0x0D, Write: 0x0C
GbE - ID: 0x0118, Read: 0x08, Write: 0x08
Total Accessable SPI Memory: 4096KB, Total Installed SPI Memory : 4096KB
FPT Operation Passed
C:\Intel ME System Tools v7 r2\Intel ME System Tools v7 r2\Flash Programming Tool\WIN64>fptw64.exe -ME -f ME_N53SV.bin
Intel (R) Flash Programming Tool. Version: 7.1.50.1166
Copyright (c) 2007-2011, Intel Corporation. All rights reserved.
Platform: Intel(R) HM65 Express Chipset Revision: Unknown
Reading HSFSTS register... Flash Descriptor: Valid
--- Flash Devices Found ---
W25Q32FV ID:0xEF4016 Size: 4096KB (32768Kb)
PDR Region does not exist.
- Erasing Flash Block [0x180000] - 100% complete.
- Programming Flash [0x180000] 1532KB of 1532KB - 100% complete.
- Verifying Flash [0x180000] 1532KB of 1532KB - 100% complete.
RESULT: The data is identical.
FPT Operation Passed
intelmetool -m after a neutralized ME was flashed:
root@system:/home/user/coreboot/util/intelmetool# ./intelmetool -m
Bad news, you have a `HM65 Express Chipset Family LPC Controller` so you have ME hardware on board and you can't control or disable it, continuing...
MEI found: [8086:1c3a] 6 Series/C200 Series Chipset Family MEI Controller #1
ME Status : 0x1e003052
ME Status 2 : 0x16320002
ME: FW Partition Table : OK
ME: Bringup Loader Failure : NO
ME: Firmware Init Complete : NO
ME: Manufacturing Mode : YES
ME: Boot Options Present : NO
ME: Update In Progress : NO
ME: Current Working State : Recovery
ME: Current Operation State : M0 with UMA
ME: Current Operation Mode : Normal
ME: Error Code : Image Failure
ME: Progress Phase : BUP Phase
ME: Power Management Event : Pseudo-global reset
ME: Progress Phase State : M0 kernel load
ME: Extend SHA-256: 755a2bf605b8bc0233b94609e179e578a9d619571726eba8dbf437ecbf527ad7
ME: has a broken implementation on your board withthis firmware
ME: failed to become ready
ME: failed to become ready
ME: GET FW VERSION message failed
Original and neutralized ME images attached: N53SV_IntelME_dumps.bin.zip
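Added example, not part of the original issue and not intelmetool's own code: a small Python decoder for the two status registers in the `intelmetool -m` log above, which can be used to check that a flashed image leaves the ME halted in bring-up. The bit layout is an assumption taken from the bitfields coreboot's intelmetool uses; the function names and the second sample are constructed for illustration.

```python
import re

# (shift, width) of each field. Assumption: layout as used by coreboot's
# intelmetool; it reproduces the decoded lines in the log above.
HFS = {"working_state": (0, 4), "mfg_mode": (4, 1), "fpt_bad": (5, 1),
       "operation_state": (6, 3), "fw_init_complete": (9, 1),
       "bup_loader_failure": (10, 1), "update_in_progress": (11, 1),
       "error_code": (12, 4), "operation_mode": (16, 4),
       "boot_options_present": (24, 1)}
GMES = {"progress_state": (16, 8), "pm_event": (24, 4), "progress_phase": (28, 4)}

# Only value names that appear in the log above; other values stay numeric.
NAMES = {"working_state": {2: "Recovery"}, "operation_state": {1: "M0 with UMA"},
         "error_code": {3: "Image Failure"}, "operation_mode": {0: "Normal"},
         "progress_phase": {1: "BUP Phase"}, "pm_event": {6: "Pseudo-global reset"}}

def decode(value, layout):
    """Split a 32-bit status register into its named fields."""
    out = {}
    for name, (shift, width) in layout.items():
        raw = (value >> shift) & ((1 << width) - 1)
        out[name] = NAMES.get(name, {}).get(raw, raw)
    return out

def parse_status(log_text):
    """Pull both status registers out of `intelmetool -m` output and decode them."""
    found = []
    for label, layout in (("ME Status", HFS), ("ME Status 2", GMES)):
        m = re.search(rf"^{label}\s*:\s*(0x[0-9a-fA-F]+)", log_text, re.M)
        if m is None:
            raise ValueError(f"{label!r} line not found")
        found.append(decode(int(m.group(1), 16), layout))
    return tuple(found)

def stopped_in_bringup(hfs, gmes):
    """True when the registers match the state shown in the log above: valid
    partition table, BUP loaded, firmware init never completed."""
    return (hfs["fpt_bad"] == 0 and hfs["bup_loader_failure"] == 0
            and hfs["fw_init_complete"] == 0 and hfs["update_in_progress"] == 0
            and hfs["working_state"] == "Recovery"
            and hfs["error_code"] == "Image Failure"
            and gmes["progress_phase"] == "BUP Phase")

# The two register lines from the log above.
PAGE_LOG = "ME Status : 0x1e003052\nME Status 2 : 0x16320002\n"
# Constructed counter-example: working state 5 with firmware init complete.
CONSTRUCTED_LOG = "ME Status : 0x00000205\nME Status 2 : 0x00000000\n"

if __name__ == "__main__":
    for log in (PAGE_LOG, CONSTRUCTED_LOG):
        hfs, gmes = parse_status(log)
        print(hfs, gmes, stopped_in_bringup(hfs, gmes))
```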
I have an Asus N53SV laptop running a HM65 chipset (i7-2670QM) with ME 7.0.4.1197
It seems it's possible to flash the ME firmware using Intel Firmware Update Utility (FWUpdate), because I have dumped the image using
FWUpdLcl.exe -SAVE fwbackupME7.bin
and flashed it back using
FWUpdLcl.exe -F fwbackupME7.bin
successfully.
The problem is that me_cleaner rejects the image:
Why doesn't me_cleaner read fw update images?
Here is the ME FW backup dump, along with the Flash Descriptor and BIOS which I was able to dump via fptw: fwbackupME7.bin.zip
Also, pasting various outputs with info from various tools below, just in case it may help: