me_cleaner.1 5.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162
  1. .TH me_cleaner 1 "OCTOBER 2018"
  2. .SH me_cleaner
  3. .PP
  4. me_cleaner \- Tool for partial deblobbing of Intel ME/TXE firmware images
  5. .SH SYNOPSIS
  6. .PP
  7. \fB\fCme_cleaner.py\fR [\-h] [\-v] [\-O output_file] [\-S | \-s] [\-r] [\-k]
  8. [\-w whitelist | \-b blacklist] [\-d] [\-t] [\-c] [\-D output_descriptor]
  9. [\-M output_me_image] \fIfile\fP
  10. .SH DESCRIPTION
  11. .PP
  12. \fB\fCme_cleaner\fR is a tool able to disable parts of Intel ME/TXE by:
  13. .RS
  14. .IP \(bu 2
  15. removing most of the code from its firmware
  16. .IP \(bu 2
  17. setting a special bit to force it to disable itself after the hardware
  18. initialization
  19. .RE
  20. .PP
  21. Using both the modes seems to be the most reliable way on many platforms.
  22. .PP
  23. When used on ME firmware older than Nehalem (versions 1.x\-5.x), Intel ME is
  24. fully disabled and its firmware is removed completely.
  25. .PP
  26. The resulting modified firmware needs to be flashed (in most of the cases) with
  27. an external programmer, often a dedicated SPI programmer or a Linux board with
  28. a SPI master interface.
  29. .PP
  30. \fB\fCme_cleaner\fR works at least up to Coffee Lake (for Intel ME) and on
  31. Braswell/Cherry Trail (for Intel TXE), but may work as well on newer or
  32. different architectures.
  33. .PP
  34. While \fB\fCme_cleaner\fR have been tested on a great number of platforms, fiddling
  35. with the Intel ME/TXE firmware is \fIvery dangerous\fP and can easily lead to a
  36. dead PC.
  37. .PP
  38. \fIYOU HAVE BEEN WARNED.\fP
  39. .SH POSITIONAL ARGUMENTS
  40. .TP
  41. \fB\fCfile\fR
  42. ME/TXE image or full dump.
  43. .SH OPTIONAL ARGUMENTS
  44. .TP
  45. \fB\fC\-h\fR, \fB\fC\-\-help\fR
  46. Show the help message and exit.
  47. .TP
  48. \fB\fC\-v\fR, \fB\fC\-\-version\fR
  49. Show program's version number and exit.
  50. .TP
  51. \fB\fC\-O\fR, \fB\fC\-\-output\fR
  52. Save the modified image in a separate file, instead of modifying the
  53. original file.
  54. .TP
  55. \fB\fC\-S\fR, \fB\fC\-\-soft\-disable\fR
  56. In addition to the usual operations on the ME/TXE firmware, set the
  57. MeAltDisable bit or the HAP bit to ask Intel ME/TXE to disable itself after
  58. the hardware initialization (requires a full dump).
  59. .TP
  60. \fB\fC\-s\fR, \fB\fC\-\-soft\-disable\-only\fR
  61. Instead of the usual operations on the ME/TXE firmware, just set the
  62. MeAltDisable bit or the HAP bit to ask Intel ME/TXE to disable itself after
  63. the hardware initialization (requires a full dump).
  64. .TP
  65. \fB\fC\-r\fR, \fB\fC\-\-relocate\fR
  66. Relocate the FTPR partition to the top of the ME region to save even more
  67. space.
  68. .TP
  69. \fB\fC\-t\fR, \fB\fC\-\-truncate\fR
  70. Truncate the empty part of the firmware (requires a separated ME/TXE image or
  71. \fB\fC\-\-extract\-me\fR).
  72. .TP
  73. \fB\fC\-k\fR, \fB\fC\-\-keep\-modules\fR
  74. Don't remove the FTPR modules, even when possible.
  75. .TP
  76. \fB\fC\-w\fR, \fB\fC\-\-whitelist\fR
  77. Comma separated list of additional partitions to keep in the final image.
  78. This can be used to specify the MFS partition for example, which stores PCIe
  79. and clock settings.
  80. .TP
  81. \fB\fC\-b\fR, \fB\fC\-\-blacklist\fR
  82. Comma separated list of partitions to remove from the image. This option
  83. overrides the default removal list.
  84. .TP
  85. \fB\fC\-d\fR, \fB\fC\-\-descriptor\fR
  86. Remove the ME/TXE Read/Write permissions to the other regions on the flash
  87. from the Intel Flash Descriptor (requires a full dump).
  88. .TP
  89. \fB\fC\-D\fR, \fB\fC\-\-extract\-descriptor\fR
  90. Extract the flash descriptor from a full dump; when used with \fB\fC\-\-truncate\fR
  91. save a descriptor with adjusted regions start and end.
  92. .TP
  93. \fB\fC\-M\fR, \fB\fC\-\-extract\-me\fR
  94. Extract the ME firmware from a full dump; when used with \fB\fC\-\-truncate\fR save a
  95. truncated ME/TXE image.
  96. .TP
  97. \fB\fC\-c\fR, \fB\fC\-\-check\fR
  98. Verify the integrity of the fundamental parts of the firmware and exit.
  99. .SH SUPPORTED PLATFORMS
  100. .PP
  101. Currently \fB\fCme_cleaner\fR has been tested on the following platforms:
  102. .TS
  103. allbox;
  104. cb cb cb cb
  105. c c c c
  106. c c c c
  107. c c c c
  108. c c c c
  109. c c c c
  110. c c c c
  111. c c c c
  112. c c c c
  113. c c c c
  114. .
  115. PCH CPU ME SKU
  116. 1.x\-5.x
  117. Ibex Peak Nehalem/Westmere 6.0 Ignition
  118. Ibex Peak Nehalem/Westmere 6.x 1.5/5 MB
  119. Cougar Point Sandy Bridge 7.x 1.5/5 MB
  120. Panther Point Ivy Bridge 8.x 1.5/5 MB
  121. Lynx/Wildcat Point Haswell/Broadwell 9.x 1.5/5 MB
  122. Wildcat Point LP Broadwell Mobile 10.0 1.5/5 MB
  123. Sunrise Point Skylake/Kabylake 11.x CON/COR
  124. Union Point Kabylake 11.x CON/COR
  125. .TE
  126. .TS
  127. allbox;
  128. cb cb cb
  129. c c c
  130. .
  131. SoC TXE SKU
  132. Braswell/Cherry Trail 2.x 1.375 MB
  133. .TE
  134. .PP
  135. All the reports are available on the project's GitHub page \[la]https://github.com/corna/me_cleaner/issues/3\[ra]\&.
  136. .SH EXAMPLES
  137. .PP
  138. Check whether the provided image has a valid structure and signature:
  139. .IP
  140. \fB\fCme_cleaner.py \-c dumped_firmware.bin\fR
  141. .PP
  142. Remove most of the Intel ME firmware modules but don't set the HAP/AltMeDisable
  143. bit:
  144. .IP
  145. \fB\fCme_cleaner.py \-S \-O modified_me_firmware.bin dumped_firmware.bin\fR
  146. .PP
  147. Remove most of the Intel ME firmware modules and set the HAP/AltMeDisable bit,
  148. disable the Read/Write access of Intel ME to the other flash region, then
  149. relocate the code to the top of the image and truncate it, extracting a modified
  150. descriptor and ME image:
  151. .IP
  152. \fB\fCme_cleaner.py \-S \-r \-t \-d \-D ifd_shrinked.bin \-M me_shrinked.bin \-O modified_firmware.bin full_dumped_firmware.bin\fR
  153. .SH BUGS
  154. .PP
  155. Bugs should be reported on the project's GitHub page \[la]https://github.com/corna/me_cleaner\[ra]\&.
  156. .SH AUTHOR
  157. .PP
  158. Nicola Corna \[la]nicola@corna.info\[ra]
  159. .SH SEE ALSO
  160. .PP
  161. .BR flashrom (8),
  162. me_cleaner's Wiki \[la]https://github.com/corna/me_cleaner/wiki\[ra]