[coreboot] Experiments with disabling the ME on Sandybridge x230

Trammell Hudson hudson at trmm.net
Thu Sep 15 21:23:39 CEST 2016

On Mon, Sep 12, 2016 at 09:27:18PM +0000, Peter Stuge wrote:
> Trammell Hudson wrote:
> > I've experimented with clearing additional bits, from 0x3000 to 0x10000
> > with the same results.  If I were really motivated I might binary search
> > how much of the firmware it needs...
> That would be interesting.

After a fairly brief binary search, I have determined a significantly
reduced chunk of code required to have the Intel Management Engine bring
up the hardware and then stay in the "ROM Phase".  This also allowed
me to adjust the flash descriptor to give an extra 3 MB of storage to
coreboot for my payload, as well as removed some of the problematic
ME applications.

The only piece that must be present for my x230 to function is the 512 KB
FTPR partition at offset 0x183000, which contains these compressed
modules (some Huffman, some LZMA):

      'UPDATE' 000001BE
      'ROMP' 0000070A
      'BUP' 0000E064
      'KERNEL' 00021B62
      'POLICY' 00016AE2
      'HOSTCOMM' 00006DDB
      'RSA' 00005255
      'CLS' 00005791
      'TDT' 000066E5
      'FTCS' 00004680
      'ClsPriv' 000003E1
      'SESSMGR' 0000E909

This means that the ME no longer has any network stack (stored in the
NFTP partition that has been removed), nor the protected video path
or JCOM modules from the MDMV parition.  I do not know if the various
anti-theft and timeout measures are also now neutralized.

If I leave the firmware partition table at offset 0x3000 in place,
the ME faults after bringup (but the system continues to function).
Without the partition table it stays in the ROM phase.  I'm not sure if
one outcome is preferable to the other.

Relocating the FTPR partition did not work unfortunately, so there is
some wasted space.


More information about the coreboot mailing list