Removing the Intel Management Engine from a Thinkpad T400
Most Intel CPU's can be monitored remotely from a separate processor running firmware called the Intel Management Engine. This proprietary firmware can be replaced with the free and open source Libreboot firmware on some Thinkpads, including the T400. On the T400, the boot firmware is stored on a SOIC16 flash chip that can be accessed after disassembling most of the laptop. In this guide I share some pictures and notes from disassembling and flashing libreboot on my T400.
In Intel CPU's introduced after 2006, the Intel Management Engine (IME) runs on a seperate processor with full access to the computer's memory and network card. The IME implements DRM and remote monitoring, and it has vulnerabilities which can be exploited to install even more malware. The IME was redesigned in 2009 to be impossible to remove completely. AMD introduced a system similar to the IME called the Platform Security Processor (PSP) around 2016. Thinkpad models released between 2006 and 2009, including the T400, have decent performance and can run without malicious firmware. They are also much cheaper than other freedom-respecting laptops, costing about $60 on ebay. For more information about the issues with modern computer firmware, see Leah Rowe's detailed articles about the IME and PSP.
The T400's SOIC16 chip is tantalizingly close after removing the keyboard, hidden behind part of the metal chassis. However, most of the laptop must be disassembled to gain access to it.
You can find disassembly instructions in this guide, libreboot's guide, and Lenovo's Hardware Maintenance Manual (HMM). I have an incomplete set of high-resolution pictures, libreboot's guide has a larger set of blurry pictures, and the HMM has a large set of diagrams. You will need or want the following equipment:
Most wires and components will end up detached so you can lift the chassis out of the case. Then you will unscrew the motherboard from the chassis and detach it.
Remove all screws on the back of the laptop, except for the ones shown in red boxes which secure the docking station. Organize them spatially on a cloth.
Disconnect the data cable highlighted in a red box on the over-exposed image below.
The keyboard's data cable can be difficult to detatch.
The bezel is very delicate and hooked into the main laptop chassis, so be careful taking it off.
Unscrew the speakers, then pull the wires out from underneath hooks and tape.
I had to unscrew the large metal cover in the top left section of the T400, but you may not have one. Detach the white, gray, and black cables attached to the wireless card, then remove it and its daughter card left of it. Then detach the network cable outlined in red and the two antenna cables outlined in green.
Detach the cables outlined in red and pass them to the right of where they come out of the display. Remove the optical disc.
Detach the clip outlined in red, then remove the data cable underneath it. The LCD data cable is attached to the chassis with some adhesive, so it will be hard to detach. Then pull out the display from the rest of the laptop.
The fan clip is hard to disconnect. I mangled the plastic part and accidentally unplugged the orange wire, but I plugged it back in and the fans now seem to work for the most part.
Disconnect this and and remove the chip it's attached to.
Remove the screws over the firewire port, near the LCD display, below the CPU, and on the right of the front face of the laptop.
Flip over the motherboard and chassis. The screws circled in red should be removed, and the screws circled in green may or may not have to be removed.
Attach the SOIC16 test clip to the chip with the red dot. Then follow libreboot's SPI flashing guide.
For the most part, follow the instructions for disassembly, but in reverse.
With an alcohol wipe, clean off the old paste from the components that were attached to the heat sink. Apply a pea-sized amount of new CPU paste to each component. Press the heatsink back down. This will spread the paste out without creating any bubbles.
Refer to the pictures to find how the wires are grouped and passed under each other. Kapton tape is well-suited for keeping the wires down because it's strong and resistant to heat.
At the time of writing the libreboot build system was failing, so I used cbfstool
to modify the released binary.
I removed the original GRUB bootsplash and replaced it with the "Levitating, Meditating, Flute-playing Gnu".
The original image is available here: https://www.gnu.org/graphics/meditate.html.
I modified the image on 2022-07-10 to fit better on the GRUB menu.