How to use IVPREP and 1VYRAIN and Disable Intel ME on a Lenovo x230

HOW TO USE IVPREP AND 1VYRAIN

TO DISABLE INTEL MANAGEMENT ENGINE

ON A LENOVO X230

STEP BY STEP INSTRUCTIONS

WARNING AND DISCLAIMER: Based on all I read and based on my own experience, this is a fairly safe process. However, I am only a low level nerd, and my skills are limited. I wrote this up for my own records so I could retrace my steps in the future; this was never meant as instructions for others. So while the following could be useful for some people and is to the best of my understanding, it is absolutely possible that I’m wrong in parts of it. Keep your brain switched on, make your own decisions. I’m not responsible if you break anything, or if your laptop suddenly becomes sentient and hails an alien space ship the inhabitants of which end up abducting you to torture you with bad poems, so proceed at your own risk. I recommend having a towel and a copy of the hitchhiker’s guide to the galaxy handy. Happy travels!

PLEASE SHARE THE LOVE: If you find these instructions helpful, and if you can and want to improve them and / or spread them to more people, you are absolutely welcome to do so. The more people level up their skills, the better for all of us. Thank you for helping others to join us!

Sorry for bad formatting, didn’t have the time to fix that. Feel free to copy paste into a text editor and format any way you like

Here goes:

STEP 0

BEFORE DOING ANYTHING: SET, WRITE DOWN, then DISABLE all BIOS, supervisor, hardware, and other passwords. You must know all passwords even if they are disabled!

Ensure that Windows 10 is installed on the X230

STEP 1: IVPREP - FLASH OLDER, EXPLOITABLE BIOS

Download IVprep zip file
Start the X230 with Windows 10
Go to GitHub - n4ru/IVprep: Downgrade any xx30 series ThinkPad to an 1vyrain compatible BIOS version.
Click “Code”, then “Download zip”
Save IVprep-master.zip to the X230 hard drive

Extract zip file
In File Explorer, create a folder called IVprep; e.g. in “Documents” folder
Navigate to where you saved the downloaded zip file
Move the downloaded zip file into the new IVprep folder
Right click the zip file, select “7Zip” and “Extract here”

Boot X230 into BIOS
In Windows 10 menu, search for “BIOS”
This will lead you to “Change advanced startup options”
Click “Restart now”
Select “Turn off your PC”
The X230 will restart
Start into BIOS by hitting F1 repeatedly as it restarts

Set BIOS to allow end user BIOS flashing
In the BIOS, go to “Security” => UEFI BIOS Update Option"
Set “Flash BIOS Updating by End-Users” to “Enabled”
Set “Secure RollBack Prevention” to “Disabled”
X230 must be plugged in and have a full battery
Save and exit the BIOS, reboot into Windows 10

Run IVprep, flash older, hackable BIOS
In the extracted zip file folder called “IVprep-master”, run the file “downgrade.bat” by double clicking it
but NOT as Windows administrator!
The system will reboot and flash the BIOS back to an older version that is compatible / suitable to then do 1vyrain next
Windows warns and asks if you want Winflash64.exe to run - say yes
Windows warns computer will shut down in 5 seconds - let it
Computer shuts down and reboots
Older, hackable BIOS version gets flashed, you can watch the process on a white on black screen
X230 shuts down and reboots into Windows

Verify older BIOS got flashed
Boot X230 into BIOS again
In Windows 10 menu, search for “BIOS”
This will lead you to “Change advanced startup options”
Click “Restart now”
Select “Turn off your PC”
The X230 will restart
Start into BIOS by hitting F1 repeatedly as it restarts
At the “Main” BIOS screen, top row, read entry behind “UEFI BIOS Version”
The number in brackets at the end of the line, in black, is the installed BIOS number; e.g. G2EFA0BZ (2.60)
Compare this number with the list of BIOS versions that are compatible with 1vyrain, here:
GitHub - gch1p/thinkpad-bios-software-flashing-guide: flashing coreboot on thinkpads without external programmer
As of March 2023, those are:
X230 2.60
X230t 2.58
T430 2.64
T430s 2.59
T530 2.60
W530 2.58

STEP 2: 1VYRAIN: FLASH MODIFIED BIOS, WHICH ENABLES DISABLING OF INTEL ME AND MORE

STEP 2.1 - ON A SEPARATE LINUX MACHINE:

Download 1vyrain image
Go here:
https://1vyra.in/
Or here (same target destination):
1vyrain.iso - Google Drive
Top left corner says “1vyrain.iso” - on the right side of the screen, same line, there’s a download arrow icon - click it
“Google drive can’t scan this file for viruses” - download anyway
Downloading the file can take a while, especially via a VPN
Copy or move the 1vyrain.iso file to the “Documents” folder

Write the downloaded 1vyrain.iso file to a flash drive, in DD mode
DD mode writes the image file itself directly to the drive, preserving the image’s filesystem
While ISO mode extracts the image’s files on the drive with a newly formatted filesystem, usually FAT32 for best compatibility
One method do identify the /dev/sd… path for the CORRECT flash drive
Plug in the flash drive
Open USB Image Writer
Select the .iso image
Click the down arrow on the “to” field
See all USB devices in the drop down list
Note their size
Note /dev/sdX path, where X is e.g. a, b, c etc
Unplug the flash drive, observe which one disappears
That’s the one you want to write to - note down its full path
CLOSE USB Image Writer - we are not using this to actually write the image

For the example /dev/sdc:
sudo dd if="./1vyrain.iso" of="/dev/sdc" status="progress" conv="fsync"

Write the image
    INFO: https://itsfoss.com/live-usb-with-dd-command/
    sudo dd if="./Documents/1vyrain.iso" of="/dev/sdX" status="progress" conv="fsync"
    Be sure to replace the X  with the letter that corresponds to the correct flash drive that you want to write the ISO to
    as identified before!
    After that, just let dd do it’s thing, and it’ll print a completion message once it’s done.

STEP 2.2 - ON THE X230, STILL ON WINDOWS 10

Some people have to turn off fast startup (Control Panel > Power Options > Choose what the power buttons do > Uncheck “Fast Startup”. You may have to click on “Change settings that are currenly unavailable” to unclick fast start.

Boot X230 into BIOS
In Windows 10 menu, search for “BIOS”
This will lead you to “Change advanced startup options”
Click “Restart now”
Select “Turn off your PC”
The X230 will restart
Start into BIOS by hitting F1 repeatedly as it restarts

Set BIOS to boot in UEFI mode only, plug in flash drive, restart
Set “Startup” => “UEFI / Legacy Boot” to “UEFI Only”:
Make sure that you are booting “UEFI only” (not “both” or “Legacy”) and the CSM is disabled.
Save and allow restart.
You can shut the machine down at the login screen if you want.
Disable CSM
Disable “Secure boot”
Plug in flash drive
F10 Save and exit
Restart X230:
Insert the thumb drive and boot the machine again, this time using F12 to the boot menu (F12 at the splash screen).
Select the 1vyrain bootable thumb drive you inserted earlier. Hit enter.
Wait til the machine hibernates.
Make sure it’s really hibernated ((can take five minutes or more in some cases).
I think I remember it asks you if you want to load a modified bios (selection1) or a custom one (option 2).
Choose 1.
Hit the power button once to restart the thing and let the process finish. Five, maybe ten minutes?

The white on black 1vyrain menu appears and asks you to press “Enter” to start flashing the modifid BIOS

“Please enter a choice: …” - select option 1 to flash a standard 1vyrain modified BIOS here
1 Flash modified Lenovo BIOS - this is what to use to simply install 1vyrain on an X230, without any payload
0 Flash LVDS Modified Lenovo BIOS for X330 (X230 FHD/QHD)
2 Flash a custom BIOS from URL; this is where a payload such as Skulls can be added to 1vyrain
3 Shutdown / Abort Procedure

Now 1vyrain flashes the modified BIOS onto the chip.

Don’t be alarmed if your ThinkPad/ThinkLight power cycles a few times after a flash, or you get a CRC Security error. That is normal and will go away after another restart.

There is an initial error flagged on the next boot. Ignore it. I think I remember there are some questions asked, too. Ignore them - don’t respond. They time out. Just let the machine boot.

Or, you could hit F1 on boot and check to see if the advanced option is available and can be used to change stuff. This would confirm your jailbreak.

STEP 3: DISABLE INTEL ME

Boot into BIOS
Go into the “advanced” tab
Find the option to disable Intel ME
Disable
Save and exit BIOS
Reboot

STEP 4: CHECK INTEL ME IS ACTUALLY DISABLED

Info on this:

Make a Linux live image flash drive

Start X230 and boot into Linux live image on flash drive

Connect to the internet

Install a TEMPORARY Linux Mint - details:

a) If you want to keep your Windows install until you have positively confirmed that Intel ME is disabled (so you can use the Windows OS again to retry 1vyrain, if that should be needed) then you can choose “Install Linux Mint alongside Windows 10”

b) If you want to install QUBES and then Mint on top of that in a VM, then in any case this is only a temporary Linux install just to do the Intel ME disabled check (the check doesn’t seem to work on a Linux Live Image unfortunately)

c) If parallel install to Windows fails (which it often does), the only remaining option is to try a full disk wipe and install of only Linux Mint, losing your Windows installation.

Use intelmetool to check current status of Intel ME.
If git is not installed, install it now:
sudo apt install git
Or you can also do that via the Linux Mint Software Centre
Clone coreboot repository:
git clone --depth=1 https://review.coreboot.org/coreboot
Run:
cd coreboot/util/intelmetool
make
if Error 1 / “please install libpci-dev and zlib1g-dev”"
sudo apt install libpci-dev
sudo apt install zlib1g-dev
./intelmetool -m
Compare the output of intelmetool with the table on the bottom of this page:
Get the status of Intel ME · corna/me_cleaner Wiki · GitHub
Also, read the output and interpret it with the help of the following information:
If it reads “Bad news, you have a XYZ chipset so your ME can’t be controlled or disabled”, don’t worry
Intelmetool seems to just make that statement at the beginning based on just the type of hardware that you have
What really counts is the status report of Intel ME that follows below that
1. Firmware init complete - NO
means ME was unable to finish initializing
2. Current operation state - Bring up
means ME is stuck in “bring up” mode, which is essentially its booting phase
3. Current operation mode - soft temporary disable
means ME is stuck in “temporary” disable, except it’s actually permanent
4. Progress phase state - ME in temp disable
again means ME is “temporarily” disabled, except it’s actually permanent
5. ME: failed to become ready
means ME was unable to get ready, can’t be used by anyone, and can’t do anything

All this demonstrates nicely that 1vyrain really does what it claims: It can not remove Intel ME, the code is still on the chip - but it can “crash” Intel ME and lock it up permanently, sort of like in a jail cell that it can’t get out of (unless you go into the modified advanced BIOS and enable it again, but why would you)

STEP 5: INSTALLING THE OS OF YOUR CHOICE

CONGRATULATIONS! You now have an X230 with a disabled Intel ME.

It either has a dual install of Linux and Windows 10 right now, or just Linux.

If you want to install a different OS, this is the time to do that now.

STEP 6: UPDATING 1VYRAIN

Keep it updated.

To my understanding, at the time of writing this, March 2023, to be able to do this, Windows 10 needs to be reinstalled first. Correct me if I’m wrong here.

To update from an older version of 1vyrain, to a newer version follow the follwing steps. Updates may include security bug fixes.

1 Write down and remove any BIOS passwords, including supervisor passwords
2 It is suggested to reset BIOS to default settings, and save
3 Take out any non-whitelisted devices because the FL1's are untouched
4 Use IVprep to downgrade to a flashable stock BIOS version (very important, do not skip!)
5 Obtain the latest 1vyrain image compatible with your machine.
6 Follow the original installation steps above.

DO NOT SKIP the IVprep process at step 4. This is needed to safely reset to a stock BIOS version. This is different from using IVprep during installation to ensure you are using the proper image. Do not skip step 4 above, this is a crucial step.

The steps to upgrade are essentially the same for downgrading, or moving to any version. Ensure you obtain a compatible 1vyrain image for your machine, reset all passwords, reset to default, and use IVprep to downgrade. You would then go through the installation steps to install the desired 1vyrain version.

I hope this is helpful. Don’t forget to help others learn more and set themselves up with more private and secure tech and communication options! Keep being awesome!

I’m not sure what the criteria are to place a thread in the Guides category, but I think this is a good candidate (@deeplow)

Thank you!!!

I found how to move it myself, please feel free to move it back or correct me if that wasn’t right @deeplow!

Thanks for the help here. I changed things a bit. I moved guide to its own topic along with replies. This way the guide is the actual first response.

On a X230, I am trying to get 1vyrain, skulls and clean/disable/break the Intel ME.

I would like to avoid making mistakes, troubleshooting, using the jumper cables (I have them), or flashing multiple times/versions.

Any help is welcome. Some questions, please, in order of perceived priority:

1. What is the order so that I get the three objectives?

Is it 1vyrain with the skulls custom BIOS, then run me_cleaner from a Live Linux (GitHub - corna/me_cleaner: Tool for partial deblobbing of Intel ME/TXE firmware images)?
I am not sure me_clener will work in this case.

And from what I read, if I run me_cleaner from a Live Linux before 1vyrain, it won’t work either.

Is it possible to first flash the 1vyrain modified bios with no payload and after cleaning ME with it, install skulls? Will this be a second round of boot-from-usb-and-flash 1vyrain (this second time on option 2 Flash from Custom BIOS)?

2. Does the direct internet URL to the tar.xz release file of skulls (Releases · merge/skulls · GitHub) work (option 2 Flash from Custom BIOS)? Or should I download it, untar it and make it available on the local network?

3. 1vyrain guide has a section on examining protections that uses chipsec_main. (GitHub - gch1p/thinkpad-bios-software-flashing-guide: flashing coreboot on thinkpads without external programmer)

Is it (GitHub - chipsec/chipsec: Platform Security Assessment Framework)?

When should this be run during the process? Is it fine if I boot from Live Linux to run this before flashing the 1vyrain with skulls?

To be able to flash, we need SMM_BWP=0, BIOSWE=1, BLE=0, FLOCKDN=0 or SPI protected ranges (PRx) to have a WP bit set to 0.

Thank you in advance.

This question has been also posted on:

I think I got myself in trouble stuck on 2.75 - I cannot downgrade to 2.60 (X230) via IVprep or the lenovo tool (I get “This app can’t run on your PC”). Is there a way forward, please?

Here is what I did and was planning to do:

1. EC Patching (accept all batteries and keyboards)

It recomends using on the last modifiable version: x230 -BIOS 2.75 (G2ETB5WW) EC 1.14 (G2HT35WW)

Therefore I upgraded from my 2.55 to 2.75, by downloading g2uj31us.exe, saving on a usb stick and running on the target machine’s windows (the bootable iso would not dd well to the usb stick).
https://support.lenovo.com/ec/en/downloads/ds029187

2. Downgrade from 2.75 to 2.60 (X230) (I cannot perform from here onwards):

Downloaded both IVprep and g2uj17us.exe and saved on the usb stick to run on target machine’s windows but then I get I get “This app can’t run on your PC”.

I have tested with both:
BIOS Setup → Security → UEFI BIOS Update Option. Set Flash BIOS Updating by End-Users to Enabled, and Secure RollBack Prevention to Disabled
BIOS Setup → Security → UEFI BIOS Update Option. Set Flash BIOS Updating by End-Users to Enabled, and Secure RollBack Prevention to Enabled

3. Get rid of the ME

I gues for this one, I should boot the target machine with a Live Linux, clone the repo and execute

4. Install Skulls via 1vyrain

This would be burn the usb stick to the 1vyrain, use the ethernet cable and the skulls release URL

Extra question step 4

• Here I have another question, please, which format to give as URL? zip, tar.gz, tar.xz?

You don’t give a .zip / tar.gz / tar.xz to the url. What I did was I got the skulls .rom on a 2nd laptop, hosted the file on my local network (python http server). I gave that URL to my laptop running 1vyrain (had to plug in ethernet cable).

I think the issue with IVPrep might be because because you specifically didn’t use dd (perhaps the USB wasn’t properly re-formatted // re-written).

As for the Intel ME, from what I understand, the X230 has two chips: a 4MB chip (BIOS) and an 8MB chip (Intel ME). When you use 1vyrain, it ONLY modifies the 4MB chip.

If you use the advanced BIOS unlocked by 1vyrain, you can disable Intel ME through the Advanced Menu in the BIOS. This method doesn’t strip Intel ME from the firmware, it just turns it “off” by modifying its configuration.

If you decide to flash Skulls .rom with 1vyrain, you’ll lose access to the Advanced Menu and the ability to disable Intel ME. Skulls itself doesn’t disable Intel ME unless you directly modify the 8MB chip.

So, it might be possible to disable Intel ME by running 1vyrain twice (run 1vyrain, unlock the advanced bios & disable Intel ME, then use IVprep to downgrade again so you can run 1vyrain to flash Skulls). If the BIOS disablement setting directly modified the ME firmware on the 8MB chip (by setting the HAP bit), the disablement might persist.

I tried downgrading the BIOS via a reputable method (GitHub - gch1p/thinkpad-bios-software-flashing-guide: flashing coreboot on thinkpads without external programmer). But I got:

ERROR 081 - Failed to load BIOS image file! Status = 14.

It booted and it tried to run autoexec.bat gave me this error and a DOS prompt. I tried again running:

dosflash.exe /sd /file G2ETB3WW\$01D3000.FL1

And I got the same error…

Therefore in my case: X230 - when EC Pathcing with thinkpad-ec - one must be very cautious not to upgrade to 2.75 as thinkpad-ec recommends…

Any ideas of what I could do to solve it with external (usb) flashing?

Will I need to internal flash with my hardware programmer? - I am enroute to this whilst I read more and more. Thank you for any help or clarification in advance!

Also posted on: Trouble Downgrading (Ivy Bridge Series) · Issue #19 · gch1p/thinkpad-bios-software-flashing-guide · GitHub

I installed IVYRAIN onto an X-230. There is a method to roll back the BIOS/EFI to one of the levels to allow that install.

I gorked an X230 attempting to hardware flash it. I had tried to get rid of IVYRAIN before the flash, as it is supposed to be contrary to the step into using a Nitrokey to verify that the hardwre had not been tampered with. ??

I read two things: One there is a resistor that can easily be physically damaged by clumsy fingers while clamping on the wires to the programmer. That will keep the X230 from booting later. Two, one is supposed to know the exact models of the two chips to hardware flash them to what they were originally. Someone said he never bothered with that, there was one of the choices he always used to restore (hardware flash the BIOS/EFI) back to factory condition. Always worked for him. I could not physically read the tops of the chips to find out what they were is where the problem occurs, if you need to flash back to factory condition. My backup that was created during the attempt to flash would not work.

One of the advantages for doing the IVYRAIN is it allows me to use another Wireless adapter model, and yes it was much faster. and do some things that the original Lenovo White-List would stop boot up for using, those specific bits of hardware. Keyboard, must use IBM battery. Someone experienced, wrote that actually, he had discovered no third party battery worked as well as the original Lenovo Batteries, which no longer worked.

Someone wrote a post that he was in Asia, found a company that built third party batteries, and they allowed him to reinstall new cells into what he had.

My only real experience is that I gorked an X230. I read that one should not do the hardware flash on an X230 with IVYRAIN on it. Perhaps that might include, even if I uninstalled IVYRAIN. All this other stuff is what I read. No experience myself.

To add a bit, on the Librem, forum there was a discussion once where a fellow was saying he felt that the Librem Key, and its security was “Theatre”, His words. I am not knowledgeable enough to comment. Tommy Tran also posts on the website. https://privsec.dev/

I have also read that if one lost control for laptop for a period of time. Like say at a border crossing, or even if just left in a hotel room. One can take the view of never trusting the hardware again, as techniques for modifying hardware have risen to that level of -spying.

but I don’t travel through passport control.

Are you trying to install v2.75 of the Lenovo firmware?

You can download the firmware ISO from Lenovo, and convert it to IMG format using the geteltorito script, which can be booted from USB.

Don’t know if it will give you the same error, but that is how I change the Lenovo firmware on old Thinkpads.

What is the method to “ method to roll back the BIOS/EFI”, please?

Notice I am pre-1vyrain… I did only the EC clean.

No. The opposite. It’s on v2.75 (by mistake I upgraded). Now I need to downgrade.

I did try eltorio - that’s the link I sent… it does not work, unfortunately.

This is where I was attempting something similar.

I think lenovo has a CD of all the BIOS versions.

https://support.lenovo.com/us/en/solutions/ht003029-lenovo-system-update-update-drivers-bios-and-applications

I have no way to test this.