Skip to content

Internal flashing with coreboot

Jump to bottom
Nicola Corna edited this page Aug 8, 2017 · 13 revisions

Internal flashing with coreboot

Since you're using coreboot this procedure is much easier than the non-coreboot case. First get a copy of your current firmware (and save it somewhere safe, in case something goes wrong) and check the ME region protections with ifdtool; if you have a laptop run

 $ flashrom -p internal:laptop=force_I_want_a_brick -c <CHIP MODEL> -r dump.bin

otherwise run

 $ flashrom -p internal -c <CHIP MODEL> -r dump.bin

Now run ifdtool -d dump.bin and check the section

 FLMSTR1:   0x........ (Host CPU/BIOS)

If the lines Intel ME Region Write Access and Intel ME Region Read Access are disabled you're out of luck, you have to use an external programmer to apply me_cleaner (or you can directly unlock the read/write access to the ME region with ifdtool -u dump.bin, but you still need an external programmer to flash the new permissions). Otherwise, if you have read/write access to the ME regions, you can proceed with this guide.

Neutralize Intel ME

If you don't need to recover the space freed by me_cleaner just change the coreboot build option Strip down the Intel ME/TXE firmware (CONFIG_USE_ME_CLEANER) to y, rebuild coreboot and flash it with the usual methods.

Neutralize and shrink Intel ME

If you instead want to recover the extra ROM space (which is a considerable amount of space, ~1 MB or ~5 MB, depending on the firmware type):

 $ python me_cleaner.py -r -t -d -O out.bin -D ifd_shrinked.bin -M me_shrinked.bin original_dump.bin

me_cleaner should print some output; note the lines

Modifying the regions of the extracted descriptor...
 00003000:004fffff me   --> 00003000:00017fff me
 00500000:007fffff bios --> 00018000:007fffff bios

This means that me_cleaner has modified the original descriptor with this layout

before

to this new one, where the BIOS region is 4.9 MB bigger than before.

after

Three files should have been generated:

  • out.bin, a flashable full image with the original layout (which we don't need)
  • ifd_shrinked.bin, an Intel Flash Descriptor with the new layout
  • me_shrinked.bin, a modified Intel ME image, truncated to fit in the ME region of the new layout

Rebuild coreboot selecting descriptor_shrinked.bin as IFD_BIN_PATH, me_shrinked.bin as ME_BIN_PATH and increasing CBFS_SIZE accordingly and flash the resulting image.

It works!!

Great! If you want to check the status of Intel ME you can use intelmetool in coreboot/util/intelmetool:

 $ cd coreboot/util/intelmetool
 $ make
 # ./intelmetool -s

The relevant lines are

 ME: Error Code              : Image Failure

and (on pre-Skylake platforms)

 ME: Progress Phase State    : M0 kernel load

If it shows an error like

 Error mapping physical memory 0x..... [0x4000] ERRNO=1 Operation not permitted
 Could not map MEI PCI device memory

you just have to run your kernel with the iomem=relaxed option.

It doesn't work...

Don't panic! Just use an external programmer to flash back a working firmware:

 $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=10000 -c <CHIP MODEL> -w dump.bin

Everything should be now exactly as before, and the system should boot again. If you really want to have a deblobbed Intel ME firmware you can open an issue on GitHub and look for possible solutions.

Clone this wiki locally