Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    MBT-2220/MBT-4220 aka. SG-2320/SG-2340 Disabling (potential) IME Backdor in UEFI

    Scheduled Pinned Locked Moved Hardware
    6 Posts 3 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      NineX
      last edited by

      Preambule:
      Flashing custom bios image is RISKY and i am not taking responsibility for your actions.
      Threat this post as educational only!
      You have been warned!

      BTW if you brick your device, don't panic , it can be fixed with external flash programer (links below)

      Background:

      As you know there Netgate almost released SG-2320/SG-2340 based on Minnowboard Turbot Dual-Ethernet system.
      In day before official release they canceled those routers as HDMI Bug in hardware present (if device boot without hdmi Display connected, you will not get console until reboot) https://www.netgate.com/blog/introducing-sg-2320-and-sg-2340-appliances.html
      IMHO, it can be mitigated by hooking FTDI->USB adapter, and use Serial console instead. (at last i am using that as option)
      I am happy owner of MBT-4220 (pfSense identifies it as SG-2340 btw.)
      Some tests of unofficial SG-2340 https://forum.pfsense.org/index.php?topic=135128.msg740048

      After recent news about vulnerabilities in Intel Management Engine and because i don't like to have potential backdoors in my system, also don't like idea that something other than pfSense have full access to my hardware, memory, network traffic (yes IME can silently sniff all your traffic and as it have direct access to RAM it can recover IPSec Keys from it - greetings from #NSA)
      more info about IME and why it should be treated as hardware backdoor:
      https://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/
      https://www.reddit.com/r/conspiracy/comments/610d38/anonimous_intel_employee_leaks_intels/
      Google presentation about replacing UEFI with linux: https://www.youtube.com/watch?v=iffTJ1vPCSo
      Me_cleaner utility documentation: https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F

      Note this tutorial is about how to completely and safe disable Intel ME in minnowboard. UEFI (Tianocore) Stays as is.

      What do you need:
      linux vm / windows with installed python.

      me_cleaner: https://github.com/corna/me_cleaner
      Latest Bios for minnowboard turbot: https://firmware.intel.com/projects/minnowboard-max
      Flashdrive (FAT32 Formated)
      instructions step by step:
      go to your linux vm
      $ git clone https://github.com/corna/me_cleaner.git
      $ wget https://firmware.intel.com/sites/default/files/MinnowBoard_MAX-Rel_0_97-Firmware.Images.zip
      $ unzip MinnowBoard_MAX-Rel_0_97-Firmware.Images.zip
      $ cd MinnowBoard_MAX-Rel_0_97-Firmware.Images
      $ python ../me_cleaner/me_cleaner.py -S -r -d ./MNW2MAX1.X64.0097.R01.1709211052.bin -O MNW2MAX1.X64.0097.R01.1709211052-NoIME.bin

      now copy MNW2MAX1.X64.0097.R01.1709211052-NoIME.bin and MinnowBoard.MAX.FirmwareUpdateX64.efi to your flashdrive.

      reboot to EfiShell
      follow normal bios upgrade instructions: https://minnowboard.org/tutorials/updating-the-firmware

      NOTE: if you bricked your device , you need to follow: https://minnowboard.org/tutorials/updating-firmware-via-spi-flash-programmer ( i bricked my device many times ;) )

      What next?: i am working on replacement of Tianocore with Coreboot + SAGEBios

      Feel Free To ask questions.
      23698603_1728923823819558_68814917_o.jpg
      23698603_1728923823819558_68814917_o.jpg_thumb

      1 Reply Last reply Reply Quote 0
      • ?
        Guest
        last edited by

        This is great. I have been reading up on Coreboot for Intel mobile CPUs/SoCs for a bit to see if I can make a coreboot image for the Qotom boxes. I have zero need for UEFI, and if possible at all, having far more open firmware would be great on any platform. As far as I know, the coreboot project basically is screwed since the Core 2 Duo days because of Intel's secret sauce required to boot their CPUs. Google uses some mobile Intel chips in the chromeOS-based devices and uses coreboot as firmware for those. They open sourced much if not all of their work, so in theory, as long as a close relative or exact match of Intel CPU/PCH or SoC is used you can port coreboot to any board.

        For the embedded boards where coreboot is already available or made public (some ADI tech has that), this also provides enough code for some Atom chips.

        Since you mentioned working on Coreboot for the MBT, do you have a repo or some spot where you can share notes? I'm looking to buy a separate Qotom barebone just to do some hardware hacking, and since it's SPI flash is a nice 8 pin SOIC (not a BGA or QFN) it's relatively easy to read/write it externally.

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Ooo fun.  :)

          I too looked into Coreboot but the requirements were just outside my comfort zone at the time IIRC. I'd definitely be interested in your results though.

          I also experimented with the Winzent legacy BIOS which works great on the original Minnowboard models but not on the dual Ethernet boards.

          Steve

          1 Reply Last reply Reply Quote 0
          • N
            NineX
            last edited by

            i will share when i will get first success.
            for now no luck :(

            1 Reply Last reply Reply Quote 0
            • ?
              Guest
              last edited by

              Maybe NERF/heads is easier as you leave UEFI in to init the RAM timings and setup the CPU, but remove all the Dxe and post-boot stuff.

              https://www.youtube.com/watch?v=iffTJ1vPCSo

              1 Reply Last reply Reply Quote 0
              • ?
                Guest
                last edited by

                We did a basic ME_Cleaner on the Qotom firmware in the Qotom hardware topic, works fine (both IME firmware strip as well as HAP bit). So there's one way to get a low-risk reduction of attack surface.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.