Feasibility of DIY Intel ME neutralisation

Is anyone able to comment on the feasibility of carrying out this procedure to neutralise Intel ME on a Framework laptop?

The immediate concern is whether it can work on Intel 125H at all. It is in the Meteor Lake family, while the tutorial only mentions it works on Sandy Bridge and Ivy Bridge.

On the upside, the procedure leaves the vendor BIOS intact; therefore, cooperation from Framework might not be needed. Still, it would be interesting to know whether Framework themselves are locking the SPI flash; if they don’t, the procedure is slightly simplified, because step 6 would be unnecessary.

One might also ask if this can succeed, considering the fact that Framework are shipping the devices with the Intel Boot Guard functionality turned on; originally, its function was to verify the integrity of the ME backdoor. But despite Boot Guard, it now works to remove ME.

As per this other tutorial, neutralising ME on its own (without BIOS change) does mean “no memory, disk, or network access can take place after the system boots, and no access to the end user’s private data [by ME] can occur”. Like the first tutorial, it mentions that using me_cleaner on standard (i.e vendor) BIOS is possible.

But the security implications of this approach (ME neutralisation, without free BIOS) are not entirely clear to me, so others are encouraged to comment. On one hand, the remote access ME backdoor is removed; however, proprietary BIOS firmware will continue to run. Perhaps without the ME standalone network stack, this could still represent an improvement to some users?

For more context, Framework is licensing their BIOS from InsydeH2O. Note that this implies a collaboration with Intel.

Different ME version, removing the ME is nigh impossible without bricking the board. The only potential method of disablement is using the HAP bit.

Thanks. I suppose you’ve already looked into the available options? Have you attempted to disable it on your machine by just changing the HAP bit? Sure, it’s not the same as nuking the firmware, however it demonstrably switches ME off. So, I would say it’s a small victory.

Do you know if there is any reason in particular why the HAP bit method could fail on the Core Ultra Series 1?

On the issue of actual neutralisation, you said:

Do you perhaps have a source for this? Do you know if there is any specific reason in particular why it’s intractable?

The me_cleaner wiki mentions that internal flashing (the HAP bit method falls under this category) can potentially be harder to recover from a brick; but it doesn’t give details. On the other hand, the actual page for the procedure has apparently straight forward instructions for restoring the original firmware in case of a brick, although it requires an external programmer and I have no idea at the moment how difficult this is to obtain, how difficult it is to connect it to the correct location on the motherboard and then operate. An external programmer is also required for the external flashing procedure in the original post, so it’s a relevant concern either way.

I also couldn’t find specific details on the me_cleaner github about a higher likelihood of failure for external flashing in the case of modern CPUs like the Core Ultra Series 1. However, I also couldn’t find any reports of it being actually attempted; if they exist, it would be interesting to see how it went. What is clear is that it has not yet been reported to work on those modern Intel releases, either: github .com/corna/me_cleaner/wiki/me_cleaner-status

I have not.

Removal is different from neutralization. HAP bit should work on any platform utilizing it. Actual deletion of ME code results in shutdown of the laptop,iirc, 30 or 60 mins after boot. So it’s not exactly bricked but it’s not usable either.

They aren’t difficult to obtain at all, a Raspberry Pi would work, the difficult part is knowing what you are doing with it. Kinda like a mechanic. You don’t pay for the tools, you pay for the experience on how to use them.

I do know that turning off the ME eliminates SO sleep as an option so there must be S3 as a fallback or you don’t have any kind of functioning suspend.