Comments (22)
Hi guys. I am a logic board (Apple's motherboard) technician, and I have experience with Apple EFI BIOS flashing using an external programmer (RT809F). For now, I still haven't tried to remove the ME from the BIOS; I just cleared the ME with RGN ME. I'll let you guys know if I get any results.
from me_cleaner.
IMO, it is worth the risk, but I'm the author of me_cleaner so my opinion is a bit biased ;)
Consider that, once you have the external programmer and a valid dump (that you can do the first time you connect the programmer), you're safe (unless you break the hardware obviously).
from me_cleaner.
It seems to work guys! #76
from me_cleaner.
According to #3 and the issues, no one has tried me_cleaner on a Macbook so far. You can be the first one though ;)
from me_cleaner.
Also got it out using flashrom-0.9.9 (I'm running Linux not OS X):
$ sudo ./flashrom -p internal -V -c "MX25L6406E/MX25L6408E" -r ../original_dump.bin
ifdtool reports:
...
Found Master Section
FLMSTR1: 0x0aff0000 (Host CPU/BIOS)
Platform Data Region Write Access: disabled
GbE Region Write Access: enabled
Intel ME Region Write Access: disabled
Host CPU/BIOS Region Write Access: enabled
Flash Descriptor Write Access: disabled
Platform Data Region Read Access: enabled
GbE Region Read Access: enabled
Intel ME Region Read Access: enabled
Host CPU/BIOS Region Read Access: enabled
Flash Descriptor Read Access: enabled
Requester ID: 0x0000
FLMSTR2: 0x0c0d0000 (Intel ME)
Platform Data Region Write Access: disabled
GbE Region Write Access: enabled
Intel ME Region Write Access: enabled
Host CPU/BIOS Region Write Access: disabled
Flash Descriptor Write Access: disabled
Platform Data Region Read Access: disabled
GbE Region Read Access: enabled
Intel ME Region Read Access: enabled
Host CPU/BIOS Region Read Access: disabled
Flash Descriptor Read Access: enabled
Requester ID: 0x0000
FLMSTR3: 0xffff0118 (GbE)
Platform Data Region Write Access: enabled
GbE Region Write Access: enabled
Intel ME Region Write Access: enabled
Host CPU/BIOS Region Write Access: enabled
Flash Descriptor Write Access: enabled
Platform Data Region Read Access: enabled
GbE Region Read Access: enabled
Intel ME Region Read Access: enabled
Host CPU/BIOS Region Read Access: enabled
Flash Descriptor Read Access: enabled
Requester ID: 0x0118
...
from me_cleaner.
The Intel ME region is read-only, you need an external programmer. Unfortunately the MX25L6406E/MX25L6408E are also available in non-SOIC8 packages, let's hope Apple didn't use some weird small footprint package.
from me_cleaner.
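The access bits behind the ifdtool listing and the reply above, decoded in an added example (not code from the thread, me_cleaner or ifdtool). It assumes the 8-bit read/write mask layout, which reproduces every line of the quoted output; `flash_plan` and the other function names are illustrative.

```python
# Bit order shared by the read and write masks (assumed 8-bit descriptor layout).
REGIONS = ("Flash Descriptor", "Host CPU/BIOS", "Intel ME", "GbE", "Platform Data")

# Register values copied from the ifdtool output quoted in the thread.
FLMSTR = {"Host CPU/BIOS": 0x0AFF0000, "Intel ME": 0x0C0D0000, "GbE": 0xFFFF0118}


def decode_flmstr(value):
    """Split one FLMSTR register into requester ID and readable/writable regions."""
    read_mask = (value >> 16) & 0xFF    # bits 16-23: read access per region
    write_mask = (value >> 24) & 0xFF   # bits 24-31: write access per region
    return {
        "requester_id": value & 0xFFFF,
        "read": [r for i, r in enumerate(REGIONS) if read_mask >> i & 1],
        "write": [r for i, r in enumerate(REGIONS) if write_mask >> i & 1],
    }


def host_access(flmstr, region):
    """What the host CPU (the master used by `flashrom -p internal`) may do."""
    host = decode_flmstr(flmstr["Host CPU/BIOS"])
    return {"read": region in host["read"], "write": region in host["write"]}


def flash_plan(flmstr, regions_to_modify=("Intel ME",)):
    """Decide whether an internal dump is complete and whether a write needs
    an external programmer, based only on the host master's permissions."""
    unreadable = [r for r in REGIONS if not host_access(flmstr, r)["read"]]
    blocked = [r for r in regions_to_modify if not host_access(flmstr, r)["write"]]
    return {
        "internal_dump_complete": not unreadable,
        "write_blocked": blocked,
        "external_programmer_needed": bool(blocked),
    }


if __name__ == "__main__":
    for master, value in FLMSTR.items():
        print(master, decode_flmstr(value))
    print(flash_plan(FLMSTR))
```

With the values from this dump the host can read every region, which is why the internal read succeeded, but cannot write the Intel ME region.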
Looking at https://www.terapeak.com/worth/820-3787-a-apple-macbook-pro-retina-15in-late-2013-a1398-16gb-i7-logic-board/291664089801/ (2nd pic) my late 2013 A1398 model should be packing Micron 25Q064A SO8W powered by 1.8V.
from me_cleaner.
Big enough and it is supported by flashrom (N25Q064..3E), the only issue is the 1.8 V, which is not very common. You'll need either a 1.8 V programmer or a level shifter.
from me_cleaner.
Just chiming in... I'm planning on attempting this on my rather old MacbookPro5,1 which has an SST25VF032B flash chip, here on the right:
https://d3nevzfk7ii3be.cloudfront.net/igi/plv2D1eTcMZFmIQY.huge
http://ww1.microchip.com/downloads/en/DeviceDoc/20005071B.pdf
Likely going down the £5 pi as SPI programmer route 😜
from me_cleaner.
FYI, I tried your tool on EFI update image that I extracted manually on Linux, from https://support.apple.com/kb/DL1848 dmg and it says:
$ python me_cleaner.py -c Mac2015002EFIUpdate.pkg/Tools/EFIPayloads/MBP112_0138_B16_LOCKED.scap
Unknown image
Also:
$ ./ifdtool -d Mac2015002EFIUpdate.pkg/Tools/EFIPayloads/MBP112_0138_B16_LOCKED.scap
File Mac2015002EFIUpdate.pkg/Tools/EFIPayloads/MBP112_0138_B16_LOCKED.scap is 8520304 bytes
No Flash Descriptor found in this image
from me_cleaner.
@hinxx
It should not be a firmware image, but an efi capsule, which contains no Flash Descriptor.
from me_cleaner.
Is there a way to extract scap files?
Edit: Found something here:
"It is also possible to use the scap files available on EFI firmware updates published by Apple. UEFITool is able to process and extract the files. You can find firmware updates for newer machines on Yosemite updates."
Source: https://www.sentinelone.com/blog/reverse-engineering-mac-os-x/
from me_cleaner.
@archfan you should read the full SPI image from flash; the capsule contains the ME firmware but not in a form usable for flashing; besides the capsule is signed and replacing ME image inside it won't work; you likely need an external flasher (unless you installed Linux in which case flashrom might work).
from me_cleaner.
Yes, that makes perfect sense. I just wanted to take a look at the files in the capsule.
from me_cleaner.
You can use UEFITool to look at the stuff inside. The ME region image seems to be in the file with GUID FC1BCDB0-7D31-49AA-936A-A4600D9DD083 (search for $FPT).
from me_cleaner.
Thanks @skochinsky! Got it:
$ python me_cleaner.py -c me.bin
ME/TXE image detected
Found FPT header at 0x10
Found 19 partition(s)
Found FTPR header: FTPR partition spans from 0x47000 to 0xcf000
ME/TXE firmware version 9.0.5.1367
Checking the FTPR RSA signature... VALID
from me_cleaner.
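Why the .scap file was reported as "Unknown image" while the extracted me.bin was accepted, shown in an added example (not me_cleaner's or UEFITool's code) that runs on a constructed blob. It assumes the flash descriptor signature 0x0FF0A55A and the `$FPT` marker both sit at offset 0x10, consistent with "Found FPT header at 0x10" above; the entry count at 0x14 and 0x20-byte entries from 0x30 are likewise assumptions about the layout.

```python
import struct

FD_SIGNATURE = bytes.fromhex("5aa5f00f")  # flash descriptor magic 0x0FF0A55A, little-endian
FPT_MARKER = b"$FPT"                      # start of the ME partition table
ENTRY_SIZE = 0x20                         # assumed size of one partition entry


def classify(blob):
    """Classify a file by the 4 bytes at offset 0x10."""
    magic = blob[0x10:0x14]
    if magic == FD_SIGNATURE:
        return "full SPI image"
    if magic == FPT_MARKER:
        return "ME region"
    return "unknown"


def carve_me_region(blob):
    """Find the first $FPT marker and return the data starting 0x10 bytes before it."""
    pos = blob.find(FPT_MARKER)
    if pos < 0x10:
        return None  # no marker, or no room for the 0x10 bytes that precede it
    return blob[pos - 0x10:]


def partitions(me):
    """List (name, offset, length) from the partition table of a carved ME region."""
    (count,) = struct.unpack_from("<I", me, 0x14)
    if count > 64 or 0x30 + count * ENTRY_SIZE > len(me):
        raise ValueError("implausible partition count %d" % count)
    out = []
    for i in range(count):
        name, offset, length = struct.unpack_from("<4s4xII", me, 0x30 + i * ENTRY_SIZE)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), offset, length))
    return out


def build_sample():
    """Constructed stand-in for a capsule payload: wrapper bytes, then a tiny ME region."""
    entries = [(b"FTPR", 0x47000, 0x88000), (b"NFTP", 0xCF000, 0x100000)]
    me = bytearray(0x30 + len(entries) * ENTRY_SIZE)
    me[0x10:0x14] = FPT_MARKER
    struct.pack_into("<I", me, 0x14, len(entries))
    for i, (name, off, length) in enumerate(entries):
        struct.pack_into("<4s4xII", me, 0x30 + i * ENTRY_SIZE, name, off, length)
    return b"CAPSULE-HEADER".ljust(0x40, b"\xff") + bytes(me)
```

The wrapped sample classifies as unknown, and the carved region classifies as an ME region with a readable partition table. The carved data is only for inspection; as noted above, a full SPI dump is what gets modified and flashed.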
Good to know it would be possible. I will need to think this through if it is worth the risk, though. Thanks for the help all!
from me_cleaner.
@caingraywood Keep us updated, I'm really interested in this.
from me_cleaner.
Has anyone had success with just setting the HAP bit on a macbook?
from me_cleaner.
@p1g30n You could probably do that, and you might remove potential attack vectors (or you might not)... point being that setting the HAP bit alone means that you must still trust the ME to do what it says, and the base problem with ME is that it relies solely on trust to be secure.
If you trust IME anyway... then you might as well not bother setting the HAP bit. I dunno if that's an extreme view, but it seems pretty clear to me.
from me_cleaner.
@ThomasBrierley Good point. I assume there's no way to determine whether setting the bit actually consistently disables ME (and is unable to be reset)?
from me_cleaner.
I guess you could periodically probe it with ifdtool? Other people here will be able to answer this better than me, but (again from the more extreme point of view) you are still trusting ME that way (remember that as long as it's potentially running you can't even trust your OS). That's why using an external SPI programmer is the sure way to disable it, because it's independent of ME.
from me_cleaner.