THIS PROJECT IS PRESENTLY ON HOLD.
This is simply 1.80 "Instant Flash" firmware for the Z370 Taichi (and now with help from @Mork_vom_Ork, the Z270 SuperCarrier v2.40) straight from ASRock stock unmodified (minus some sig checks disabled) other than the Intel Management Engine firmware being scrubbed/disabled/neutered with the available me_cleaner tools from GitHub.
There are also experimental images for other boards.
It should be noted that me_cleaner does not completely remove the Intel ME anymore (that's impossible); however, it does rather install "neutered" firmware that removes as much as it can and instructs the coprocessor to shut down the management engine completely following POST.
The effect is the management engine and all its features no longer function. Don't install this if you depend on something the management engine provides (Intel's software TPM functionality or similar come to mind, SGX extensions maybe, not much else if anything really).
Everything else on the board works as far as I can tell, including overclocking (though I did not test BCLK OCing) and fan control.
You can revert to the old firmware at any time.
INSTRUCTIONS:
File is a zip. Unzip single contained file to FAT32 USB. Do not rename the file. Instant Flash tool in their stock UEFI will now find it and allow you to flash it (unless you turned USB support off at boot time, of course).
If you get a sig check warning, try flashing from an older stock bios.
Also, you are downloading this from a PC that is actively crypto mining. It shouldn't affect anything, and is being done to save energy over a separate server, but needless to say if your download breaks, it probably rebooted. Try again.
Questions/comments go in this thread. Technical discussion / bug reports only please. I want to keep this thread clean of any politics besides my own.
Stable Board Downloads here:
Experimental Board Firmware here: (be sure and read the readme/warning for these images)
The two sections are optional reading, and apply (mostly) to when this thread only supported the Z370 Taichi.
Some tech notes: This was a bit more than just running "me_cleaner.py" on the bios image. ASRock won't flash the ME region of the bios unless it thinks it's newer than the existing one. So I had to splice in newer than ASRock's latest ME firmware (it exists) and then disable that particular ME image with me_cleaner. ASRock Firmware then accepts it as newer and will flash it to the ME region, disabling the Intel ME entirely. From there, you can revert back to ME-enabled firmware freely, because this special image identifies as "Intel ME version 0.0.0.0" so ASRock thinks literally ANY other image on earth is newer than this one. It's harmless to try, though obviously you do so at your own risk, like any BIOS flash. I will say I have had absolutely zero issues.
Note that I can support other boards but I'm familiar most with GIGABYTE and ASRock sig checks (with maybe a side of ASUS), and I won't be able to test preflash, so you would have to flash at your own risk with no testing done.
Some political notes: I do not subscribe to the idea that the Intel Management Engine is a "NSA backdoor" or any of that tinfoil-hat garbage. People who don't understand technology need to get a grip and listen to those who at least somewhat do: There's really no way it can be, as its web traffic and stack is wiresharkable so if that were the case we'd know by today. Yes they could encrypt it but we'd still see an encrypted data stream at random times that'd be suspicious, and we don't. To Intel's limited credit, it actually seems to try to do exactly what it says on the tin. But what I object to (and what I hate equally about AMD's PSP) is that this is effectively a closed binary which has been found to have many holes, many times. From a security perspective, you are much better off disabling it, regardless of what Intel intends. As far as AMD vs Intel, there is no "psp_cleaner" and little research has been done into AMD's PSP, so for the security minded, I'd say an Intel platform is still far better given we understand far more about this ghost in our machine (and thus how to defeat it) than the other teams. I am unaware of any way to defeat the PSP, and if AMD's claims are to be believed, it's actually not possible as it sets up essential boot time memory. Seriously bad practice if true, IMO.
EDIT:
The z390 Taichi is now supported. It was a very difficult board but all z390 boards will likely be the same if not harder.
Why? Intel changed the format of the management engine region of the bios in ME 12, which is used in z390 on up. This means we can't mod it using open source tools like me_cleaner anymore.
Not content to just give up with that, I used an undocumented mode intended for government targets to instruct the ME to turn itself off (credit to people much more skilled than me for finding this). Since the government trusts Intel with this mode and it is pretty much certainly Intel's mode for computers they sell to government clients with data sensitive needs, I think we can assume that even though the management engine firmware is still present, it turns itself off just like it tells you. The government would be all over them if they were lying about that.
How long that mode will remain now that the public has discovered it is anyone's guess... For now, here is bios 1.80 for the Z390 Taichi with ME disabled. Find it in the usual spot.
Be aware, the procedure to activate this mod is slightly different. You MUST first flash official 1.80. This is not negotiable, it must happen.
After that, unzip the archive, open an admin command prompt, and cd to the directory you unzipped the archive to.
Type "flashme" and wait for it to finish.
Reboot and go straight to bios.
You should be presented for a few moments with a menu similar to the following, the full unlocked bios. You don't want to horse around with 90% of this stuff, it's dangerous. The only thing you want is under "PCH-FW Configuration." Go there.
View attachment 113943
Under that menu you have a nice menu option that lets you turn the ME on and off at whim. NOTE: Despite the wording "ME Temporarily Disabled," it is permanent short of anything that resets your CMOS. Not often that happens and if it does, you can just turn it off again.
View attachment 113944
So, test, enjoy, and let me know if any bugs appear. Seems to work for me!