MBT-2220/MBT-4220 aka. SG-2320/SG-2340 Disabling (potential) IME Backdor in UEFI

  • Preambule:
    Flashing custom bios image is RISKY and i am not taking responsibility for your actions.
    Threat this post as educational only!
    You have been warned!

    BTW if you brick your device, don't panic , it can be fixed with external flash programer (links below)


    As you know there Netgate almost released SG-2320/SG-2340 based on Minnowboard Turbot Dual-Ethernet system.
    In day before official release they canceled those routers as HDMI Bug in hardware present (if device boot without hdmi Display connected, you will not get console until reboot) https://www.netgate.com/blog/introducing-sg-2320-and-sg-2340-appliances.html
    IMHO, it can be mitigated by hooking FTDI->USB adapter, and use Serial console instead. (at last i am using that as option)
    I am happy owner of MBT-4220 (pfSense identifies it as SG-2340 btw.)
    Some tests of unofficial SG-2340 https://forum.pfsense.org/index.php?topic=135128.msg740048

    After recent news about vulnerabilities in Intel Management Engine and because i don't like to have potential backdoors in my system, also don't like idea that something other than pfSense have full access to my hardware, memory, network traffic (yes IME can silently sniff all your traffic and as it have direct access to RAM it can recover IPSec Keys from it - greetings from #NSA)
    more info about IME and why it should be treated as hardware backdoor:
    Google presentation about replacing UEFI with linux: https://www.youtube.com/watch?v=iffTJ1vPCSo
    Me_cleaner utility documentation: https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F

    Note this tutorial is about how to completely and safe disable Intel ME in minnowboard. UEFI (Tianocore) Stays as is.

    What do you need:
    linux vm / windows with installed python.

    me_cleaner: https://github.com/corna/me_cleaner
    Latest Bios for minnowboard turbot: https://firmware.intel.com/projects/minnowboard-max
    Flashdrive (FAT32 Formated)
    instructions step by step:
    go to your linux vm
    $ git clone https://github.com/corna/me_cleaner.git
    $ wget https://firmware.intel.com/sites/default/files/MinnowBoard_MAX-Rel_0_97-Firmware.Images.zip
    $ unzip MinnowBoard_MAX-Rel_0_97-Firmware.Images.zip
    $ cd MinnowBoard_MAX-Rel_0_97-Firmware.Images
    $ python ../me_cleaner/me_cleaner.py -S -r -d ./MNW2MAX1.X64.0097.R01.1709211052.bin -O MNW2MAX1.X64.0097.R01.1709211052-NoIME.bin

    now copy MNW2MAX1.X64.0097.R01.1709211052-NoIME.bin and MinnowBoard.MAX.FirmwareUpdateX64.efi to your flashdrive.

    reboot to EfiShell
    follow normal bios upgrade instructions: https://minnowboard.org/tutorials/updating-the-firmware

    NOTE: if you bricked your device , you need to follow: https://minnowboard.org/tutorials/updating-firmware-via-spi-flash-programmer ( i bricked my device many times ;) )

    What next?: i am working on replacement of Tianocore with Coreboot + SAGEBios

    Feel Free To ask questions.

  • This is great. I have been reading up on Coreboot for Intel mobile CPUs/SoCs for a bit to see if I can make a coreboot image for the Qotom boxes. I have zero need for UEFI, and if possible at all, having far more open firmware would be great on any platform. As far as I know, the coreboot project basically is screwed since the Core 2 Duo days because of Intel's secret sauce required to boot their CPUs. Google uses some mobile Intel chips in the chromeOS-based devices and uses coreboot as firmware for those. They open sourced much if not all of their work, so in theory, as long as a close relative or exact match of Intel CPU/PCH or SoC is used you can port coreboot to any board.

    For the embedded boards where coreboot is already available or made public (some ADI tech has that), this also provides enough code for some Atom chips.

    Since you mentioned working on Coreboot for the MBT, do you have a repo or some spot where you can share notes? I'm looking to buy a separate Qotom barebone just to do some hardware hacking, and since it's SPI flash is a nice 8 pin SOIC (not a BGA or QFN) it's relatively easy to read/write it externally.

  • Netgate Administrator

    Ooo fun.  :)

    I too looked into Coreboot but the requirements were just outside my comfort zone at the time IIRC. I'd definitely be interested in your results though.

    I also experimented with the Winzent legacy BIOS which works great on the original Minnowboard models but not on the dual Ethernet boards.


  • i will share when i will get first success.
    for now no luck :(

  • Maybe NERF/heads is easier as you leave UEFI in to init the RAM timings and setup the CPU, but remove all the Dxe and post-boot stuff.

    Youtube Video

  • We did a basic ME_Cleaner on the Qotom firmware in the Qotom hardware topic, works fine (both IME firmware strip as well as HAP bit). So there's one way to get a low-risk reduction of attack surface.

Log in to reply