Intel ME Cleaner
Using me_cleaner
Needless to say, there is a certain amount of risk of bricking your system when it comes to this procedure. Proceed with caution!
Make sure that any kind of battery is unplugged from the computer
- This includes your laptop battery as well as your RTC (coin cell) battery!
Clip an SPI reader that is compatible with flashrom onto your motherboard's bios chip
- Supported programmers
- Make sure to consult the datasheet for the specific EEPROM that your motherboard uses when wiring the pins to the programmer. For example, on a
On a separate computer, interface with the SPI programmer and try reading off of the EEPROM
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r original_dump.bin- May need to mess around with SPI speed
- If you are using a Raspberry Pi, make sure to enable SPI using
raspi-config!
- If you are using a Raspberry Pi, make sure to enable SPI using
- Dump the firmware multiple times and store them safely.
Use me_cleaner to modify the original firmware dump
Consult the project's wiki. Essentially, you can do one of two things:
# Set HAP bit as well as attempt to remove portions of the ME firmware
python me_cleaner.py -S -O modified_image.bin original_dump.bin
# Only sets HAP bit. Used if the above command fails
python me_cleaner.py -s -O modified_image.bin original_dump.binWrite to the EEPROM
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -w modified_image.binYou may also want to, after writing to the EEPROM, read the firmware again and use me_cleaner to verify that the firmware has been cleaned properly.
python me_cleaner.py -c firmware_to_check.bin
# You can also use intelmetool
sudo intelmetool -m
# Output:
# Can't find ME PCI deviceYou can also check in your bios. On my T480 and L390, the ME Firmware Version is blanked out.
Cheers!
Other Notes
Updating the BIOS
For whatever reason, my T480 really does not want to update its own bios after using me_cleaner. In contrast, my L390 does not have this issue. Anyways, if you choose to update the bios, make sure that me_cleaner is still active afterwards using the aforementioned methods. My L390 for example keeps its HAP bit set even after a bios upgrade.