me_cleaner on a MSI H110M ECO
As a reference, I'll explain here the full process to apply me_cleaner on my MSI H110M ECO.
This board has a Sunrise Point PCH and comes with Intel ME version 11.6.1.1142 CON (2 MB). It is sold without a CPU, therefore we are sure that Intel Boot Guard is not set in Verified Mode, and there are good chances that it will work with a disabled Intel ME.
As usual, you can flash the modified firmware in two ways:
- External flashing, heavily recommended (and used in this example)
- Internal flashing, on this board using the UEFI flash tool
Even if you want to use the internal flashing method, you should locate the flash chip and check whether it is supported by flashrom, to unbrick the board in case something goes wrong.
Recent motherboards (especially the desktop ones) uses SOIC-8 SPI flash chips, which are quite easy to locate and deal with. On this board it is here:
Searching on Google the code written on it confirms that it is a SPI flash chip. On page 4 of its datasheet we can see that it accepts 3.3 V as power supply, we can therefore use a common Raspberry Pi as a programmer. On page 7 there is the pinout, however I discovered that the manufacturer of the motherboard has routed the programming pins to the pin header next to the chip, which easies the flashing.
This chip is fully supported by flashrom (Probe, Read, Erase and Write):
$ flashrom -L | grep -C 4 25L6473E
MX25L6408E
Macronix MX25L6436E/ PREW 8192 SPI
MX25L6445E/
MX25L6465E/
MX25L6473E
Macronix MX25L12805D PREW 16384 SPI
Macronix MX25L12835F/ PREW 16384 SPI
MX25L12845E/
MX25L12865E
Power on the Raspberry Pi, open a shell and install the required tools:
$ sudo apt-get update
$ sudo apt-get install git flashrom
$ git clone --depth=1 https://review.coreboot.org/coreboot
$ make -C coreboot/util/ifdtool
$ git clone https://github.com/corna/me_cleaner.git
Open the file /boot/config.txt and uncomment the line dtparam=spi=on, to make the SPI interface available in userspace; reboot and you should see a file /dev/spidev0.0.
Turn off the Raspberry Pi, connect these pins of the Raspberry Pi
- +3.3 V
- GND
- MOSI
- MISO
- SCK
- CE0
to the corresponding pins on the header and turn the Raspberry Pi on. You can also use a SOIC clip if you prefer
Open a shell and run:
$ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=8000 -c MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E -r original.rom
Twice:
$ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=8000 -c MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E -r original2.rom
Now check if they are identical:
$ diff original.rom original2.rom
It should print nothing (which means that they're identical); if not try to reduce the spispeed parameter, the length of the cables and check if they're connected firmly. Check also if they a valid flash descriptor
$ coreboot/util/ifdtool/ifdtool -d original.rom
and if they contain a valid Intel ME firmware
$ python me_cleaner/me_cleaner.py -c original.rom
If they succeeds all the tests, copy one of them to a safe place.
Just run
$ python me_cleaner/me_cleaner.py -S -d original.rom -O modified.rom
modified.rom now contains:
- A descriptor with the HAP bit set and a restricted set of permissions for the flash access of Intel ME
- An unmodified BIOS
- An Intel ME image with the minimal required modules
With the same connections as before, run
$ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=8000 -c MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E -w modified.rom
Disconnect the Raspberry Pi, connect the power supply to the PC and turn it on. It will turn ON correctly, however:
- the boot takes longer, and the debug LEDs are stuck on "RAM" for some seconds
- the PC displays a warning message "The ME FW of system was found abnormal" at the boot
Success!