Clean EFI ME Region

Problem, Symptoms, and Background:

There are many issues that can be addressed by cleaning the Intel Management Engine (ME) region of your Mac's firmware. When clean, the ME region performs an initial handshake with your board's PCH on first boot and stores values related to that specific PCH in its EEPROM memory. When the ME region gets damaged or when swapping an SPI ROM chip from one logic board to another, there will more than likely be a mismatch between what the firmware expects to see and what it actually registers. This can lead to a number of issues, including:

• A long POST delay (prior to Apple chime and boot menu)
• The system hanging indefinitely on its loading screen with the Apple icon and a partially or even fully filled bar
• The system being able to boot into Windows/Linux/etc. but never successfully into MacOS or any MacOS installers
• The system being able to boot into EFI ASDs but not OS ASDs
• Freezing or kernel panics while booting macOS
• Error messages during verbose boot mode resembling "busy timeout[0], (60s): 'IGPU'"
• The fan always running at full speed
• Hard, spontaneous shutdown after 30 minutes
• No POST situations
• More obscure, fringe symptoms like the webcam not working on some Mac boards

To resolve these issues, the ME region has to be cleaned with a specific procedure. Using copy/paste hex editing or tools like MEInject will write in a raw ME region without Apple's Mac-specific manufacturer settings for the ME region, which can result in similar symptoms as a "dirty" ME region. Many replacement chips purchased off of the internet may not have a properly cleaned ME region - either they'll be dirty or raw, and neither will function properly.

The proper and reliable way is to use the Intel Flash Image Tool (FITC) from the Intel Management Engine Tools set that matches your firmware's ME version.

The following instructions have been derived directly from the "How to clean ME Region on Apple machines" video posted by the legendary Piernov here: https://www.youtube.com/watch?v=exfG5Iywmjk

Quick Notes:

In short, the process involves these steps:

1. Desolder and attach the board's SPI ROM chip to your programmer.
2. Save a full image of the firmware exactly as it was found.
3. Analyze the image to know what ME version you're working with.
4. Extract and save the settings stored in the original firmware.
5. Extract a clean ME region file from a firmware in a repository.
6. Create a clean ME region binary from the extracted region file.
7. Replace the ME region binary from your original image with the clean ME region binary you've just created.
8. Rebuild the firmware image with your original settings and a clean ME region.
9. Verify your rebuilt firmware image.
10. Reflash the rebuilt image to your SPI ROM chip.
11. Reattach the chip to the logic board, NVRAM reset, and enjoy a clean ME region!

Some helpful context:

• Firmwares are identical amongst all logic boards with the same model number - e.g. 820-00165. Different board specs do NOT require different firmwares - e.g. An 820-00165 i7 / 8GB board will use the same firmware as an 820-00165 i5 / 4GB board.
• ME regions are generally intercompatible within the same primary model line of Macs - e.g. MacBook Air 7,1 and MacBook Air 7,2 use the same ME region. This process depends on access to a repository of firmwares uploaded by gdbinit on GitHub, and within that repository for any given Mac___ X,Y, as long as there's an image that matches your generation's primary model number (X), you can use that even if there may not be a ME region for your specific submodel (Y).
• Always use the most recent firmware that matches your model.
• Always use the Intel Management Engine Tools package that matches the ME version found with ME Analyzer.
• If it becomes necessary to replace the original BIOS chip on your logic board, BE SURE TO ONLY USE A BIOS CHIP FROM THE SAME BOARD MODEL (or, if necessary, at least the same model year). Different years may have different voltage or SPI mode settings that could be fully incompatible.
• This is the manual, guaranteed-to-work, straight-from-Piernov means of getting a clean ME region in your board's firmware. Other folks have found success using the Apple-EFI-Patchers created by sadponyguerillaboy and uploaded on GitHub, found here: https://github.com/sadponyguerillaboy

For this method, you will need:

• A EEPROM programmer and appropriate adapters to fit your SPI ROM chip. A common recommendation is the TL866II Plus.
• A WSON8 8x6 and 6x5 combo adapter board for MacBook Pro and MacBook Air SPI ROM chips (or 6mm / 0.25in width kapton tape and a SOP8 ZIF riser)
• Reading/programming software for your EEPROM programmer. For the TL866II Plus, that software is called Xgpro.
• ME Analyzer: https://github.com/platomav/MEAnalyzer
• UEFITool: https://github.com/LongSoft/UEFITool
• Intel Flash Image Tools: https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html
• Firmware with a clean ME region, pulled from a repository hosted by gdbinit on GitHub: https://github.com/gdbinit/firmware_vault

A FINAL NOTE BEFORE YOU BEGIN:

• The symptoms exhibited by a dirty, mismatched, or raw ME Region can also be induced by a faulty PCH [ME Disable Strap] circuit. Therefore, before going through all of this work, be sure you've checked to see that your PCH ME Disable Strap circuit is intact, undamaged, and functional. No matter how clean your ME Region is, your system will not function properly with the PCH ME Disable Strap engaged. See ME Disable Strap for more info.

Step-By-Step Guide:

1) Desolder and attach the board's SPI ROM chip to your programmer.

• Before beginning work, take a reference photo of the SPI ROM chip on your logic board, making sure the SPI ROM chip's text is clear and legible.
• Desolder original or donor SPI ROM chip from the source logic board.
• Solder the new chip to the appropriate side of your WSON8 ZIF riser. Be sure that pin 1 of the chip - indicated by a dot etched/silkscreened in one of the corners - is aligned with where pin 1 should be on your riser.
  • If you don't happen to have a WSON8 ZIF riser on hand you can use the SOP8 riser that most likely came with your programmer, but you'll need to insulate the WSON8's central ground plane from the pins on the SOP8 riser, as there will be overlap. A small strip of 6mm kapton tape placed on the edge of one side of the SOP8's pads should overlap over the other side's pads enough so that the chip's ground plane is prevented from shorting on any of the SOP8 riser's pads.
    • IF YOU DO THIS, USE A MULTIMETER TO CHECK ALL POINTS AGAINST GROUND TO ENSURE NOTHING IS SHORTED TO GROUND! ONLY PIN 4 OF WSON8 PACKAGE CHIPS SHOULD CONNECT TO GROUND.
• Install the ZIF riser in your programmer so that pin 1 of the riser is aligned with slot 1 of the ZIF connector. Typically pin 1 of the ZIF connector is closest to the ZIF lever.
• Connect your programmer to your computer.

2) Save a full image of the firmware exactly as it was found. Create EXTRACTED.BIN

• Open your programmer software on the connected computer.
• Detect and select the SPI ROM chip model from the software's list.
  • Within Xgpro (the software that comes with a TL866II Plus), and go the "Select" menu --> "25 Flash Detect". Press the "Detect" button to have the software approximate the connected model of chip, but then be sure to select the specific chip from the software's menu BASED ON THE ACTUAL PRINTING ON THE CHIP ITSELF, not just what's detected. The photo you took in step 1 will be a great reference!
• Read the firmware into the software, then save the entirety of what's read off the chip as a BIN file. (You can name it whatever you like but for the purposes of this guide, I'd suggest naming it EXTRACTED.BIN and placing it in a temporary folder for use with this project that we'll refer to as your "working folder" throughout this guide.) --> EXTRACTED.BIN
  • Within Xgpro, you read the chip with the green-circled READ button, and once it's completely read, you can use the Back button to close the read window.
  • Once the chip data has been read, just use File --> Save to create your EXTRACTED.BIN file. All of default settings for reading and saving should be just fine.
  • It wouldn't be a bad idea to create a duplicate of the file as a backup and call it something like EXTRACTED.BIN.BACKUP
• You can either close or leave Xgpro open after this, but if you close it, be sure that you have the correct SPI ROM chip model selected when you reopen it!

3) Analyze the extracted image to know what ME version you're working with. Create EXTRACTED.TXT

• Duplicate your saved BIN file to the folder with the ME Analyzer tool (MEA.exe).
• Run the MEA.exe
• Load the BIOS you've just saved by typing in its filename or dragging the file into the command prompt window where MEA.exe is running, then press enter.
• Copy/paste the output displayed in the command prompt window into a text file and save it as a text file. --> EXTRACTED.TXT

4) Extract and save the settings stored in the original firmware. Create EXTRACTED.XML

• Download and unpack the Intel ME System Tools for the ME Version listed from the ME Analyzer output.
• Open the extracted folder, then the Flash Image Tool subfolder, then launch fitc.exe.
• Open EXTRACTED.BIN by dragging it into the Flash Image Tool window.
• Verify that "ME Region\Configuration\Boot Guard" has the "Boot Guard Profile Configuration" item value set to "Boot Guard Profile 0 - No_FVME"
• Verify that "ME Region\Configuration\Integrated Clock Controller" has the "Default Lock Enables Mask" item value set to "0:Default"
• Save the settings into an XML file in your working folder. --> EXTRACTED.XML

5) Extract a clean ME region from a firmware in a repository. Create REPOSITORY.RGN

• Access gdbinit's firmware repository at https://github.com/gdbinit/firmware_vault
• Find the most recent (highest numbered) firmware in the firmware repository that matches your device and duplicate it into your working folder.
  • If there isn't a perfect match to your Mac model - e.g. MacBookAir7,2 - then use the most recent file matching the first number of your model instead. (e.g. Both MacBookAir7,1 -AND- MacBookAir7,2 would use MBA71_0178_B00.fd)
• Open UEFITool and load the firmware file you pulled from the repository.
• In firmwares for systems from 2015 and later, you'll see "ME Region" at the top level of the hierarchy displayed upon loading the file. Right click on "ME Region", select "Extract As Is", and save that file with a .rgn extension --> REPOSITORY.RGN
• In pre-2015 EFI files you will probably have to dig deep to find the "Raw section" of the EfiCrc32GuidedSectionExtract folder, then right click on the "Raw section" select "Extract Body", and safe that file with a .rgn extension --> REPOSITORY.RGN
  • In Piernov's video, the firmware from an 820-3437 board for a 2013/2014 13in MacBook Air has its ME region stored in the following path:
    • UEFI Capsule / UEFI image / EfiFirmwareFileSystemGuid / EfiUpdateDataFileGuid / EfiFirmwareFileSystemGuid/MeRegionUpdateVolume/Compressed section / EfiCrc32GuidedSEctionExtract/Raw Section

6) Create a clean ME region binary from the extracted region file. Create ./REPOSITORY/ME Region.bin

• Open the Intel Flash Image Tool you used earlier (FITC.exe), drag the REPOSITORY.RGN file into the window, and then close the Flash Image Tool without saving anything. (This seemed counterintuitive at first, but this actually does something - when FITC.exe opens the region file, it creates a file we'll pull out and use now.)
• Now browse into the folder where FITC.exe is stored and you'll see a folder named after your RGN file - "REPOSITORY" in our case - and within the "REPOSITORY" folder there will be a "Decomp" folder that's storing a "ME Region.bin" file in it.
• View the "ME Region.bin" file's properties and note its file size (specifically "Size", NOT "Size on disk").
  • You can save that file size info into your EXTRACTED.TXT file if you want, but it's not necessary.

7) Replace the ME region binary from your original image with the clean ME region binary you've just extracted. Overwrite ./EXTRACTED/ME Region.bin with ./REPOSITORY/ME Region.bin

• Navigate back to the Intel Flash Image Tool folder with FITC.exe in it, and alongside the REPOSITORY subfolder you'll see another folder named after your original BIN file - "EXTRACTED" - and just like in the previous step, within the "Decomp" folder contained therein, you'll see several binary files that were decompiled out of your original chip's firmware, including one called "ME Region.bin".
• View THAT file's properties and ensure that its file size (again, just "Size", NOT "Size on disk") are identical.
• Assuming they are, you want duplicate the ./REPOSITORY/ME Region.bin over to the ./EXTRACTED/ folder, thereby overwriting the original "ME Region.bin" file (which you don't need anymore) with the one you exported from firmware pulled from the repository.

8) Rebuild the firmware image with your original settings and a clean ME region. Create ./Build/outimage.bin

• Finally, open the Intel Flash Image Tool - FITC.exe - again.
• Go to File --> Open and select the EXTRACTED.XML file you saved earlier. (It will point to all of the assets you need - no need to load any BIN files manually.)
• From the menu, choose Build --> Build Image.
  • You may have a BootGuard warning pop up, as well as a warning about setting PTT HW to Disabled. Say yes to continue, ignoring both warnings - they are expected, okay, and those settings are REQUIRED for Macs, despite the scary text about irreversible changes being locked in.
• Congratulations! With that, you have created your complete firmware image with a properly cleaned ME Region in the "Build" subfolder of the Flash Image Tool. --> outimage.bin

9) Verify your rebuilt firmware image.

• Duplicate the outimage.bin to your working folder.
• Double check that everything went as it should by running outimage.bin through the ME Analyzer again as described in step 3.
  • If it doesn't pop any errors you should be good, but you can also compare it to the output from your original run of MEA.exe that you copy/pasted into EXTRACTED.TXT.

10) Reflash the rebuilt image to your SPI ROM chip.

• Open your programmer software, load the outimage.bin file that you copied to your working folder, and write it back to the chip!
  • If you closed your software after step 2, be sure that the correct SPI ROM chip is selected before attempting to program it!
  • Before writing back to the chip, it would be a good idea to be sure that the programmer, software, and SPI ROM chip are all talking to each other properly by reading the chip again by following the instructions in step 2. If you do this, you'll need to reopen the outimage.bin file again before attempting to reprogram the chip!
  • With Xgpro, you use the PROG button to rewrite the SPI ROM chip! All of its default settings work just fine.

11) Reattach the chip to the logic board, NVRAM reset, and enjoy a clean ME region!

• Desolder the SPI ROM chip from your ZIF riser and resolder it to the logic board, ensuring that you have the chip in the proper orientation by using the photo you took before you began work and/or the dot on the SPI ROM chip (which indicates pin 1) to match where pin 1 is on the schematic.
• Rebuild and power on the computer, but for good measure perform a series of 3x NVRAM resets on first boot by holding Cmd + Opt + P + R until the system has chimed a total of FOUR times before releasing the key combination.
• After this if your issues were caused by a damaged or dirty Intel ME Region, they should now be fully resolved!

ENJOY! :D