Removing the Intel Management Engine from a Thinkpad T400

Abstract

Most Intel CPU's can be monitored remotely from a separate processor running firmware called the Intel Management Engine. This proprietary firmware can be replaced with the free and open source Libreboot firmware on some Thinkpads, including the T400. On the T400, the boot firmware is stored on a SOIC16 flash chip that can be accessed after disassembling most of the laptop. In this guide I share some pictures and notes from disassembling and flashing libreboot on my T400.

Details

In Intel CPU's introduced after 2006, the Intel Management Engine (IME) runs on a seperate processor with full access to the computer's memory and network card. The IME implements DRM and remote monitoring, and it has vulnerabilities which can be exploited to install even more malware. The IME was redesigned in 2009 to be impossible to remove completely. AMD introduced a system similar to the IME called the Platform Security Processor (PSP) around 2016. Thinkpad models released between 2006 and 2009, including the T400, have decent performance and can run without malicious firmware. They are also much cheaper than other freedom-respecting laptops, costing about $60 on ebay. For more information about the issues with modern computer firmware, see Leah Rowe's detailed articles about the IME and PSP.

The T400's SOIC16 chip is tantalizingly close after removing the keyboard, hidden behind part of the metal chassis. However, most of the laptop must be disassembled to gain access to it.

imgs/compress/30.jpg imgs/compress/31.jpg

You can find disassembly instructions in this guide, libreboot's guide, and Lenovo's Hardware Maintenance Manual (HMM). I have an incomplete set of high-resolution pictures, libreboot's guide has a larger set of blurry pictures, and the HMM has a large set of diagrams. You will need or want the following equipment:

  • Phillips-head screwdriver
  • Flat-head screwdriver, needle-nose pliers for prying out components
  • SOIC16 test clip (the Pomona 5252 is recommended)
  • Computer that can communicate over SPI (Raspberry Pi recommended)
  • Six jumper wires to connect the test clip to the computer with SPI
  • A camera to take reference images for reassembly
  • A large area of cloth to place screws so they don't roll around
  • CPU paste because you will separate the heat sink from the processors
  • Tape to fasten wires during reassembly, preferably Kapton tape

Disassembly

Most wires and components will end up detached so you can lift the chassis out of the case. Then you will unscrew the motherboard from the chassis and detach it.

Screws

Remove all screws on the back of the laptop, except for the ones shown in red boxes which secure the docking station. Organize them spatially on a cloth.

imgs/compress/27.jpg imgs/compress/02.jpg

Palm Rest

Disconnect the data cable highlighted in a red box on the over-exposed image below.

imgs/compress/29.jpg imgs/compress/13.jpg

Keyboard

The keyboard's data cable can be difficult to detatch.

imgs/compress/15.jpg imgs/compress/18.jpg

Keyboard Bezel

The bezel is very delicate and hooked into the main laptop chassis, so be careful taking it off.

imgs/compress/14.jpg

Speaker Assembly

Unscrew the speakers, then pull the wires out from underneath hooks and tape.

imgs/compress/19.jpg

Wireless Card

I had to unscrew the large metal cover in the top left section of the T400, but you may not have one. Detach the white, gray, and black cables attached to the wireless card, then remove it and its daughter card left of it. Then detach the network cable outlined in red and the two antenna cables outlined in green.

imgs/compress/33.jpg

LCD Cables and Optical Disc

Detach the cables outlined in red and pass them to the right of where they come out of the display. Remove the optical disc.

imgs/compress/34.jpg

LCD Assembly

Detach the clip outlined in red, then remove the data cable underneath it. The LCD data cable is attached to the chassis with some adhesive, so it will be hard to detach. Then pull out the display from the rest of the laptop.

imgs/compress/35.jpg

NVRAM Battery

imgs/compress/36.jpg

Fan Assembly & Heat Sink

The fan clip is hard to disconnect. I mangled the plastic part and accidentally unplugged the orange wire, but I plugged it back in and the fans now seem to work for the most part.

imgs/compress/37.jpg imgs/compress/05.jpg

Power Cable

Disconnect this.

imgs/compress/38.jpg

Battery Chip

Disconnect this and and remove the chip it's attached to.

imgs/compress/39.jpg

imgs/compress/12.jpg

Miscellaneous Screws

Remove the screws over the firewire port, near the LCD display, below the CPU, and on the right of the front face of the laptop.

imgs/compress/41.jpg imgs/compress/40.jpg imgs/compress/43.jpg imgs/compress/42.jpg

Case

imgs/compress/24.jpg

Chassis

Flip over the motherboard and chassis. The screws circled in red should be removed, and the screws circled in green may or may not have to be removed.

imgs/compress/11.jpg imgs/compress/44.jpg

Flashing

Attach the SOIC16 test clip to the chip with the red dot. Then follow libreboot's SPI flashing guide.

imgs/compress/10.jpg imgs/compress/04.jpg

Reassembly

For the most part, follow the instructions for disassembly, but in reverse.

CPU Paste

With an alcohol wipe, clean off the old paste from the components that were attached to the heat sink. Apply a pea-sized amount of new CPU paste to each component. Press the heatsink back down. This will spread the paste out without creating any bubbles.

Organizing wires

Refer to the pictures to find how the wires are grouped and passed under each other. Kapton tape is well-suited for keeping the wires down because it's strong and resistant to heat.

Libreboot Customization

At the time of writing the libreboot build system was failing, so I used cbfstool to modify the released binary. I removed the original GRUB bootsplash and replaced it with the "Levitating, Meditating, Flute-playing Gnu". The original image is available here: https://www.gnu.org/graphics/meditate.html. I modified the image on 2022-07-10 to fit better on the GRUB menu.

imgs/gnu.png
Copyright © 2001 Free Software Foundation, Inc. This image is available under the GNU General Public License, version 3 or any later version.