BI商业智能>> ThinkPad-T560-HAP-Bit>> 返回
项目作者: patbec

项目描述 :
Ein Tutorial wie auf einem ThinkPad mit Skylake CPU die Intel Management Engine (ME) vollständig deaktiviert werden kann.
高级语言:
项目地址: git://github.com/patbec/ThinkPad-T560-HAP-Bit.git
创建时间: 2017-10-20T14:35:30Z
项目社区:https://github.com/patbec/ThinkPad-T560-HAP-Bit
开源协议:MIT License
下载


Set ThinkPad T560 HAP-Bit

Banner


Read this page in German

Description

Here a small tutorial how to completely deactivate the Intel Management Engine (ME) on a ThinkPad with Skylake CPU. The whole thing is made possible by setting the HAP bit and requires flashing the EEPROM with a modified firmware.
This tutorial explains how to use a ThinkPad T560 (20FH0023GE) with the ME 11.6 firmware.

Preparation

We need an external device to read the EEPROM and rewrite it with a different
firmware. The laptop CPU itself has no write access to the required flash areas.

Hardware

  • WINGONEER EEPROM Routing USB Programmer CH341A Writer LCD Flash for 25 SPI Serie 24 I2C
  • WINGONEER SOIC8 SOP8 Test Clip For EEPROM 93CXX / 25CXX / 24Cxx

To use the software you need a Linux based operating system like Ubuntu. It is recommended to do this on a 2nd laptop, if you have Windows installed on your
device there are the following alternatives:

  • Create a Ubuntu VM with VirtualBox and pass the CH341A Writer through
  • Using a Live Linux
  • Buy a RaspberryPi

Guide

The guide is divided into 3 steps:

  1. Updating the Laptop firmware
  2. Install the required software
  3. Create the modified firmware and describe the EEPROM

Step 1

First the laptop must be brought up to date:

Download ME firmware files, available at the official Lenovo website:
https://pcsupport.lenovo.com/de/de/downloads/ds112240

This package also contains the MEInfoWin Tool to display the current status of the Management Engine.
After downloading, start the application on your laptop and perform the update.

This command can be used to display the current status of the Management Engine:

  1. cmd /k "C:\DRIVERS\WIN\ME\MEInfoWin.exe -verbose"

Example output:

  1. Intel(R) MEInfo Version: 11.6.29.3287
  2. Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.
  7. Windows OS Version : 7.0
  9. ...
  11.   CurrentState:                               Normal
  12.   ManufacturingMode:                          Disabled
  13.   FlashPartition:                             Valid
  14.   OperationalState:                           CM0 with UMA
  15.   InitComplete:                               Complete
  16.   BUPLoadState:                               Success
  17.   ErrorCode:                                  No Error
  18.   ModeOfOperation:                            Normal
  19.   SPI Flash Log:                              Not Present
  20.   Phase:                                      ROM/Preboot
  21.   ICC:                                        Valid OEM data, ICC programmed
  22.   ME File System Corrupted:                   No
  23.   PhaseStatus:                                AFTER_SRAM_INIT
  24.   FPF and ME Config Status:                   Match

As expected, the state Normal is output under CurrentState.

Now boot into the BIOS and activate the service mode, which temporarily deactivates the internal battery. It will be deactivated the next time it is started up.

  1. F1 -> Config -> Power -> Disable Built-in Battery

Unscrew the laptop and search for the EEPROM.

ThinkPad BIOS
At https://www.lenovoservicetraining.com find instructions and videos for the respective model.

Step 2

Once the EEPROM has been found, you are ready to go: Connect the CH341A Writer
to your laptop / desktop PC and install flashrom:

  1. sudo apt-get install flashrom

Create a folder we will work with

  1. # Create working directory and change to it
  2. mkdir ThinkPad-T560 && cd ThinkPad-T560

Download the me_cleaner repository

  1. git clone https://github.com/corna/me_cleaner

Python is already included, in a standard Ubuntu installation, if not it can be installed with the following command:

  1. sudo apt-get install python
  2. sudo apt-get install python-pip

Step 3

Connect the SOIC8 clip to the EEPROM.

SOIC8 clip
ThinkPad overview

The command flashrom -p ch341a_spi can be used to check whether the clip is correctly seated and the EEPROM is recognized.

  1. sudo flashrom -p ch341a_spi
  2. flashrom v0.9.9-rc1-r1942 on Linux 4.10.0-37-generic (x86_64)
  3. flashrom is free software, get the source code at https://flashrom.org
  5. Calibrating delay loop... OK.
  6. Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on ch341a_spi.
  7. No operations were specified.

Read out the EEPROM and export the original firmware into the working directory:

  1. sudo flashrom -p ch341a_spi -r factory_ME_11.6_Consumer_T560.bin
  2. flashrom v0.9.9-rc1-r1942 on Linux 4.10.0-37-generic (x86_64)
  3. flashrom is free software, get the source code at https://flashrom.org
  5. Calibrating delay loop... OK.
  6. Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on ch341a_spi.
  7. Reading flash... done.

Set the HAP bit, here there are 2 different possibilities:

me_cleaner sets this HAP/AltMeDisable bit when the -s (enable only the kill-switch, but don’t remove the extra code from the firmware) or the -S (enable the kill-switch and remove the extra code from the firmware) are passed.

We will only activate the kill-switch and save the edited firmware after patched_ME_11.6_Consumer_T560.bin.

  1. sudo me_cleaner/me_cleaner.py -s factory_ME_11.6_Consumer_T560.bin -O patched_ME_11.6_Consumer_T560.bin
  2. Full image detected
  3. The ME/TXE region goes from 0x3000 to 0x700000
  4. Found FPT header at 0x3010
  5. Found 13 partition(s)
  6. Found FTPR header: FTPR partition spans from 0x4000 to 0x133000
  7. Found FTPR manifest at 0x4448
  8. ME/TXE firmware version 11.6.29.3287
  9. Setting the HAP bit in PCHSTRP0 to disable Intel ME...
  10. Checking the FTPR RSA signature... VALID
  11. Done! Good luck!

Install the modified firmware:

  1. sudo flashrom -p ch341a_spi -w patched_ME_11.6_Consumer_T560.bin
  2. flashrom v0.9.9-rc1-r1942 on Linux 4.10.0-37-generic (x86_64)
  3. flashrom is free software, get the source code at https://flashrom.org
  5. Calibrating delay loop... OK.
  6. Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on ch341a_spi.
  7. Reading old flash chip contents... done.
  8. Erasing and writing flash chip... Erase/write done.
  9. Verifying flash... VERIFIED.

Finally, adjust the permissions of the two firmware files using chown:

  1. # Example
  2. chown -R USERNAME:GROUPNAME /PATH/TO/FILE
  4. # The users group should be present on most Linux distributions.
  5. chown -R $USER:users factory_ME_11.6_Consumer_T560.bin
  6. chown -R $USER:users patched_ME_11.6_Consumer_T560.bin

At the first start an error message can occur that the BIOS settings cannot be loaded.

To check if ME is disabled boot into BIOS:

  1. F1 -> Config -> Intel(R) AMT

The menu item Intel (R) AMT Control l should now be displayed with [Permanently Disabled] and should no longer be selectable.

MEInfoWin can also be used to check whether the Management Engine is deactivated:

  1. cmd /k "C:\DRIVERS\WIN\ME\MEInfoWin.exe -verbose"

The output should now look like this:

  1.   CurrentState:                               Disabled
  2.   ManufacturingMode:                          Disabled
  3.   FlashPartition:                             Valid
  4.   OperationalState:                           Transitioning
  5.   InitComplete:                               Initializing
  6.   BUPLoadState:                               Success
  7.   ErrorCode:                                  Disabled
  8.   ModeOfOperation:                            Alt Disable Mode
  9.   SPI Flash Log:                              Not Present
  10.   Phase:                                      BringUp
  11.   ICC:                                        Valid OEM data, ICC programmed
  12.   ME File System Corrupted:                   No
  13.   PhaseStatus:                                UNKNOWN
  14.   FPF and ME Config Status:                   Match

Congratulations!

Sources

tl;dr

  1. # Install flashrom
  2. sudo apt-get install flashrom
  4. # Create working directory
  5. mkdir ThinkPad-T560 && cd ThinkPad-T560
  7. # Download me_cleaner
  8. git clone https://github.com/corna/me_cleaner
  10. # Connect SOIC8 clip to the EEPROM and check if flashrom recognizes the EEPROM
  11. flashrom -p ch341a_spi
  13. # Read out EEPROM and save the firmware
  14. sudo flashrom -p ch341a_spi -r factory_ME_11.6_Consumer_T560.bin
  16. # Set HAP bit
  17. sudo me_cleaner/me_cleaner.py -s factory_ME_11.6_Consumer_T560.bin -O patched_ME_11.6_Consumer_T560.bin
  19. # Install the modified firmware
  20. sudo flashrom -p ch341a_spi -w patched_ME_11.6_Consumer_T560.bin
  22. # Adapt rights
  23. chown -R $USER:users factory_ME_11.6_Consumer_T560.bin
  24. chown -R $USER:users patched_ME_11.6_Consumer_T560.bin

Check if ME is deactivated, boot into BIOS:

  1. F1 -> Config -> Intel(R) AMT

AMT Control should now be displayed with [Permanently Disabled] and should no longer be selectable.

Congratulations!