The Intel Management Engine (ME) is proprietary hardware that is independent of the CPU and runs its own operating system. It has its own CPU, DRAM, and ROM, and it has access to the main CPU, DRAM, and even the entire network. It is designed to run many of the CPU's additional functions, such as the firmware-based TPM and remote management functions. Since Intel ME runs at ring −3[1], this separate piece of hardware can fully control the entire computer, in both hardware and software.
There are very few public details on Intel ME, but there are some analysis articles worth reading[2][3]. We're disabling it because it's a huge attack vector; if you don't need the functionality it provides, please disable it.
This guide relies on the me_cleaner project, @dt-zero's modified version of me_cleaner, and this guide written by @mostav02. Of course, special thanks to Positive Technologies for finding a way to disable Intel ME by setting the HAP bit.
Since this involves flashing the IME firmware, if you do it wrong, or if you flash a corrupted image, your computer may not boot and will need to be repaired using a flash programmer. I don't take any responsibility for this, so make sure you really want to do this before you start and make sure you haven't done anything wrong. If you get a brick, please don't complain to me, because there's nothing I can do about it.
- 8th Gen Intel NUC NUC8i3BE(H/HS/K/...) / NUC8i5BE(H/HS/K/...) / NUC8i7BE(H/HS/K/...) (Other models may be similar, but we don't guarantee it; you have to test it yourself, and please let everyone know about your successes through pull requests)
- a Phillips screwdriver
- a USB drive
- Windows operating system (why?)
- me_cleaner by dt-zero
- Windows with Python 3 already installed
After flashing the IME partition, you will need to revert the changes every time you update the BIOS, otherwise you may not be able to update the BIOS, so it is best to bring the BIOS up to date before starting. If you already have the latest BIOS firmware installed, please ignore this step.
- Find your NUC BIOS from the Intel Download Center
- Update your NUC BIOS by following the Intel NUC BIOS update guide (the F7 update is recommended)
- First, install Python for Windows; you will need version 3.x, which you can download from the Python website
- Download dt-zero's modified me_cleaner
- Download the Intel ME System Tools v12, which we will use to back up and flash the IME in Windows. Unzip it to the root directory of the C drive. There should be no spaces or special symbols in the path
- Download the head.exe program provided by GNU utilities, which we will use to split files later
You should have unzipped the Intel ME System Tools to the root of the C drive. Now open the Command Prompt (not PowerShell) with administrator privileges[4] and type the following command:
cd "C:\Flash Programming Tool\WIN64"
Note: Here we use a 64-bit system; if you use a 32-bit system, change WIN64 to WIN32.
fptw64.exe -DESC -D ifd.bin
This is the region we will be modifying and flashing. Always keep the original Intel Flash Descriptor (IFD) image; if you are interested in what it does, please read the references[5]. After disabling the IME, flash back the original IFD before each BIOS upgrade to avoid a BIOS update failure. After each BIOS update, you must back up all images again and then recreate the modified IFD image according to this guide. Never flash a different version of the image.
fptw64.exe -ME -D ime.bin
The first 4KB of the IME is the IFD that was just backed up, but since the me_cleaner script does not support directly modifying the IFD, we need to modify the IME and extract the first 4KB of the modified IME.
fptw64.exe -BIOS -D bios.bin
Although we don't touch the BIOS partition, it's good to make a backup; in case you get a brick, you can flash this backup with a flash programmer.
fptw64.exe -D full.bin
This one contains the BIOS, IFD and IME; it is a full dump of the flash. We won't be using it, but keep it just in case. I hope you'll never need it.
Back up every image a second time and check that the file hashes of the two backups are exactly the same, because if you back up a broken image and flash it, you're bound to get a brick.
fptw64.exe -DESC -D ifd2.bin
fptw64.exe -ME -D ime2.bin
fptw64.exe -BIOS -D bios2.bin
fptw64.exe -D full2.bin
Use the following commands to check whether the SHA-1 hashes of the two backups are exactly the same:
certutil -hashfile .\ifd.bin SHA1
certutil -hashfile .\ifd2.bin SHA1
certutil -hashfile .\ime.bin SHA1
certutil -hashfile .\ime2.bin SHA1
certutil -hashfile .\bios.bin SHA1
certutil -hashfile .\bios2.bin SHA1
certutil -hashfile .\full.bin SHA1
certutil -hashfile .\full2.bin SHA1
Now copy these files to your USB flash drive. Why? Because after a failed flash, you still have a chance to save your computer with these files. A USB flash drive is a safe place for them, since you may lose access to your computer's drive.
Because the Intel NUC has Intel Boot Guard enabled, and it cannot be disabled, the IME region cannot be flashed. The IFD region, however, can be flashed, and the HAP/AltMeDisable bit we need to modify is in the IFD region.
You may ask what HAP is: it is the High Assurance Platform (HAP) Program of the US government. HAP is designed to provide trusted computers for US government agencies including the NSA[6]. After HAP mode is enabled, most of the functions of the IME will be disabled, but the power management functions that the IME is responsible for will be retained. There is very little disclosure about HAP on the Internet, but it is certain that the US government does not trust the IME on their computers, and Intel has provided disabling measures for this.
On Intel computers, reacting to the power button and turning the computer on is the job of the IME, so HAP mode is designed to keep the computer's basic functionality while disabling all other IME functions. So it does not really disable the IME; it only disables many of its features. Of course, if the IME were really disabled, the computer wouldn't boot[7].
We can enable HAP mode by simply adjusting the HAP/AltMeDisable bit located in the IFD area, and we use @dt-zero's modified me_cleaner to make this change. Since me_cleaner is not used to modify the IFD on its own, but the entire IME (the IFD is the first 4KB of the IME), we also need to extract the IFD from the modified IME after modification.
ii. Open a command prompt and run the command below to generate the modified IME image[8]:
python me_cleaner.py --soft-disable-only --output hap-ime.bin ./full.bin
Specify your actual path to me_cleaner.py and the original full.bin in the command above. It's the IME (through full.bin) that needs to be modified here, not the IFD!
Use the following command in the command prompt
head.exe -c 4096 hap-ime.bin > hap-ifd.bin
Now we have an IFD image that we can use to flash
python me_cleaner.py --soft-disable-only --output hap-ime2.bin ./full.bin
head.exe -c 4096 hap-ime2.bin > hap-ifd2.bin
certutil -hashfile .\hap-ime.bin
certutil -hashfile .\hap-ime2.bin
certutil -hashfile .\hap-ifd.bin
certutil -hashfile .\hap-ifd2.bin
If everything is done, now you have the image ready for flashing.
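A pre-flash sanity check for the extracted descriptor, added here as an example (it is not part of the original guide or of me_cleaner). It assumes the signature tag from reference [5] sits at offset 0x10 and that --soft-disable-only should change a single bit; the function names and the 0x200 offset in the constructed sample are hypothetical.

```python
import sys
from pathlib import Path

IFD_SIZE = 4096                           # descriptor size, per reference [5]
FD_SIGNATURE = bytes.fromhex("5aa5f00f")  # signature tag, per reference [5]
SIG_OFFSET = 0x10                         # assumption: tag follows a 16-byte reset vector

def changed_bits(original, modified):
    """Return (byte_offset, bit, old, new) for every bit that differs."""
    if len(original) != len(modified):
        raise ValueError("images differ in length")
    out = []
    for off, (o, m) in enumerate(zip(original, modified)):
        for bit in range(8):
            if (o ^ m) >> bit & 1:
                out.append((off, bit, o >> bit & 1, m >> bit & 1))
    return out

def check_hap_ifd(orig_ifd, hap_image, hap_ifd, max_bits=1):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for name, blob in (("ifd", orig_ifd), ("hap-ifd", hap_ifd)):
        if len(blob) != IFD_SIZE:
            problems.append(f"{name}: {len(blob)} bytes, expected {IFD_SIZE}")
        elif blob[SIG_OFFSET:SIG_OFFSET + 4] != FD_SIGNATURE:
            problems.append(f"{name}: flash descriptor signature not found")
    if hap_ifd != hap_image[:IFD_SIZE]:
        problems.append("hap-ifd is not the first 4 KB of the modified image")
    if not problems:
        n = len(changed_bits(orig_ifd, hap_ifd))
        if not 1 <= n <= max_bits:   # assumption: only the disable bit should change
            problems.append(f"{n} bits changed, expected 1 to {max_bits}")
    return problems

def constructed_sample():
    """Synthetic images for a dry run; offset 0x200 is arbitrary, not the real strap."""
    ifd = bytearray(b"\xff" * IFD_SIZE)
    ifd[SIG_OFFSET:SIG_OFFSET + 4] = FD_SIGNATURE
    ifd[0x200] = 0x00
    hap = bytearray(ifd)
    hap[0x200] = 0x01
    return bytes(ifd), bytes(hap) + b"\xff" * 64, bytes(hap)

if __name__ == "__main__":
    paths = sys.argv[1:4]
    imgs = [Path(p).read_bytes() for p in paths] if len(paths) == 3 else constructed_sample()
    if len(imgs[0]) == len(imgs[2]):
        print("changed bits:", changed_bits(imgs[0], imgs[2]))
    print("problems:", check_hap_ifd(*imgs) or "none")
```

Run it as python check_ifd.py ifd.bin hap-ime.bin hap-ifd.bin (check_ifd.py is a hypothetical file name); with no arguments it runs on the constructed sample. Any reported problem, including zero changed bits, means the image should not be flashed.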
If you have BitLocker Disk Encryption enabled, please suspend the protection before going to the next step. Otherwise, please ignore this step.
Intel ME includes a feature called Intel Platform Trust Technology (Intel PTT)[9], which gives devices without TPM hardware a firmware-based TPM provided by the IME, making features such as BitLocker disk encryption usable. The TPM feature will not work when the IME is disabled, which means that the disk will not be decrypted automatically. However, you can use a USB flash drive to supply the key each time you power on, and in the last step I will show you how to do it.
Suspend BitLocker protection [10]:
- Open Control Panel.
- Select System and Security > BitLocker Drive Encryption > Suspend protection.
- Select Yes.
To be on the safe side, I also recommend backing up your BitLocker Recovery Keys to USB.
Short two pins on the motherboard's audio chip (HDA) to unlock the flash so that it can be written to[5][11]. If you use BitLocker, protection is enabled again after each failed attempt to short the pins, so you have to suspend BitLocker again; otherwise you will be locked out of the system after a successful short.
Hold down the Shift key and click Shutdown in the Start menu; this will shut down the power completely.
iFixit has a very detailed guide on how to take apart the 8th Gen NUC.
Next, remove the fan without removing the CPU cooling copper pipe.
Install the computer's drives and DRAM, and plug in the power and video-out cables. There will be a solid green light on the motherboard, which is normal, but do not turn on the power yet.
v. Now keep the pins shorted and press the power button; once the power light has been on for 3-5 seconds, remove the short.
You can now try the next step. If the short was unsuccessful, you will not be able to flash, and you will need to redo the steps of suspending BitLocker, completely shutting down the computer, shorting the pins and turning it on.
Be patient; you may need to try many times until you succeed with the short circuit. A magnifying glass may help.
Enter the following command in the command prompt to rewrite the modified IFD
fptw64.exe -DESC -F hap-ifd.bin
Do not flash hap-ime.bin (the IME): because of the Intel Boot Guard protection, we cannot determine whether it is safe to change the IME. Always flash only the 4KB IFD, not the IME.
If the flash is successful, you're almost done! If it fails, repeat the above steps (5. Suspend BitLocker Protection in Windows, 6. Make the Flash Chip Writable and 7. Flash the hap-ifd.bin).
Shut down the NUC now, put the motherboard back and reassemble your NUC. Now turn on the NUC. The first boot after disabling the IME may be slow; this is normal.
- You can go into the BIOS to check the IME version; if it shows 0.0.0.0, it means disabled.
- Or use MEInfo in the command prompt to query it:
MEInfoWin64.exe -verbose
If you plan to continue using Windows and BitLocker, follow this How-To Geek guide to set up BitLocker without a TPM. You will need a USB drive with the BitLocker key plugged into your computer every time you turn it on.
Leave the computer on for now to see whether your NUC is exempt from the automatic shutdown that happens more than 30 minutes after modifying the BIOS/IME. If it has still not shut down automatically after 30 minutes, everything is normal; congratulations, you have completed all the settings.
Please remember: before updating the BIOS firmware in the future, flash back the original ifd.bin you backed up and then update. Yes, every flash requires disassembling the NUC and shorting the pins. After an update you still need to disable the IME again; just keep following this guide, and don't forget to always regenerate all images after an update, because flashing an older version of the image will give you a brick.
If you are successful, please share your experience and process in the discussion. Help improve this guide with Issues and PRs. If you want to translate this guide, just translate it and submit a PR.
Enjoy your NUC with IME disabled.
[1] Intel Management Engine - Wikipedia
Privilege rings for the x86 architecture. The ME is colloquially categorized as ring −3, below System Management Mode (ring −2) and the hypervisor (ring −1), all running at a higher privilege level than the kernel (ring 0)...
[2] What is the Intel ME? - Bitkeks Blog
The Intel Management Engine (ME) is a hardware chip embedded on Intel motherboards in addition to the main CPU. The chip is integrated in most modern Intel chipsets. The ME is most commonly mistaken as vPro or AMT, but is in fact the hardware chip for out-of-band (OOB) control which other Intel vPro software products use for their purpose. One of these implementations using the Intel ME is the Advanced Management Technology (AMT). The ME also exists for Intels server boards, named the Server Platform Services (SPS), and for Atom System on a Chip (SoC) chips, called the Security Engine (SEC)...
[3] Neutralize ME firmware on SandyBridge and IvyBridge platforms - Hardened GNU/Linux
First introduced in Intel’s 965 Express Chipset Family, the Intel Management Engine (ME) is a separate computing environment physically located in the (G)MCH chip (for Core 2 family CPUs which is separate from the northbridge), or PCH chip replacing ICH(for Core i3/i5/i7 which is integrated with northbridge).
The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system’s memory as well as to reserve a region of protected external memory to supplement the ME’s limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or PCH)...
[4] Start a Command Prompt as an Administrator - Microsoft Docs
- Click the Start charm.
- Type cmd, right-click the Command Prompt tile, and then click Run as administrator.
[5] Guide-How To: Unlock Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing - Win-Raid Forum
The Intel Flash Descriptor (FD) is a data structure that is programmed on the SPI flash chip on all Intel based platforms. It contains information such as space allocated for each region of the flash image, read-write permissions for each region, reserved space for vendor-specific data, chipset configuration parameters and more. The fixed size of the Flash Descriptor is 4 KB (0x1000) and, depending on platform generation, roughly consists of these sections:
- Header: Consists of a 0x16 sized Reset Vector and a 0x4 sized Signature tag 0x5AA5F00F.
- Map: Pointers to all the descriptor sections as well as the size of each.
- Component: Information about the number & density of all components, read, write and erase frequencies as well as invalid instructions.
- Region: Defines the offsets & sizes of all available regions which are Flash Descriptor (FD), BIOS, Management Engine (Engine), Gigabit Ethernet (GbE), Platform Data (PDR), Device Expansion 1, Secondary BIOS, CPU Microcode, Embedded Controller (EC), Device Expansion 2, Innovation Engine, 10 Gigabit Ethernet 1, 10 Gigabit Ethernet 2, Reserved 1, Reserved 2 and Platform Trust Technology (PTT).
- Master: Contains the hardware security settings for the flash, granting read/write permissions for each region and identifying each master.
- Chipset Soft Strap: Contains PCH/SoC configurable parameters.
- CPU Complex Soft Strap: Contains Processor configurable parameters.
- ROM-Bypass Size: Stores the Engine firmware regions’ debug partition size.
- Reserved: For future use or FD revisions.
- VSCC Table: Holds the JEDEC ID and the Engine VSCC information for all the SPI Flash chip(s) supported by the SPI image.
- Upper Map: Determines the length and base address of the Engine VSCC Table.
- OEM Section: Reserved for use by the OEM/ODM and 0x100 in size.
Older platforms used the (community-named) Flash Descriptor v1 which, among others differences, could support up to 8 SPI regions. More modern platforms (>= 100-series or APL) utilize Flash Descriptor v2-3 which can support up to 16 SPI regions.
[6] Public mention of the High Assurance Platform Program by the National Security Agency - NSA
[7] Disabling Intel ME 11 via undocumented mode - Positive Technologies
The first process that the kernel creates is BUP, which runs in its own address space in ring-3. The kernel does not launch any other processes itself; this is done by BUP itself, as well as a separate LOADMGR module, which we will discuss later. The purpose of BUP (BringUP platform) is to initialize the entire hardware environment of the platform (including the processor), perform primary power management functions (for example, starting the platform when the power button is pressed), and start all other ME processes. Therefore, it is certain that the PCH 100 Series or later is physically unable to start without valid ME firmware...
[8] Disabling IME command on 8th generation NUC using me_cleaner by @Yannik - GitHub
Needs to use #282 with LP-Variant (LP = low power = U suffix).
python me_cleaner.py --soft-disable-only --output nuc8-soft-disable-only.rom ../me_cleaner/nuc8.rom
successfully removes
[9] Trusted Platform Module (TPM) Information for Intel NUC - Intel Support
Intel® Platform Trust Technology (Intel® PTT) - Intel® Platform Trust Technology (Intel® PTT) offers the capabilities of discrete TPM 2.0. Intel PTT is a platform functionality for credential storage and key management used by Windows 8 , Windows® 10 and Windows* 11. Intel PTT supports BitLocker* for hard drive encryption and supports all Microsoft requirements for firmware Trusted Platform Module (fTPM) 2.0.
[10] How to Suspend BitLocker Protection - Microsoft Docs
[11] Setting HDA_SDO pin HIGH on Intel High Definition Audio chips - GitHub
Originally written by @oood in 2022, this guide is licensed under the CC0 license.