Starting around 2006, Intel’s chipsets began incorporating an autonomous subsystem called the Intel Management Engine (ME). This component runs continuously, even when the computer is powered off, and operates independently of the operating system. The ME’s code is entirely proprietary, signed, and tightly controlled by Intel, meaning it’s impossible to inspect, audit, or modify it.
This lack of transparency raises significant concerns. The ME's access to critical system functions like network interfaces, storage, and hardware controls makes it a potential target for vulnerabilities, backdoors, or hidden surveillance. For example, CVE-2017-5689 was previously discovered in the ME, highlighting the risks of relying on proprietary firmware.
The solution? Replace the firmware entirely with open-source alternatives like Coreboot, Libreboot, Canoeboot, or in this case, Heads. These projects aim to remove or replace the Intel ME, eliminating its risks and reclaiming control over your hardware.
Your ThinkPad must be based on the Intel Haswell architecture, such as the T440p, T430, X230, or other models listed in the compatibility list. You'll also need a Heads-compatible USB security dongle and a USB storage drive to store your public GPG key.
To flash the firmware you will need an SPI programmer such as the CH341A. Make sure you purchase the 3.3V-compatible version. If you accidentally purchase the 5V version (like I did), you can still use the CH341A programmer clip. Just connect it to a Raspberry Pi Pico (if you’ve got one lying around) running pico-serprog and it'll work just fine. Check out this page for more info on flashing the serprog firmware on the Pi Pico and how to wire it up. This image should give you an idea of what it should look like.

After downloading the correct Heads firmware package for your specific machine, you can begin disassembling the laptop. I followed this video made for the T440p model. In my case, there are two BIOS chips: one that's 4MB in size and referred to as the top chip, while the other is 8MB and called the bottom chip.

Start with the top chip. Before proceeding, ensure the Raspberry Pi Pico is disconnected from your computer. Align the red wire of the programmer clip with the tiny dot on the chip, then securely connect the clip. Once the clip is properly positioned and attached, you can safely connect the Raspberry Pi Pico to your PC.

Proceed by reading and backing up the current data on the chip using these commands. It’s a good idea to do this first so you don’t lose anything if things go sideways.
sudo flashprog -p serprog:dev=/dev/ttyACM0,spispeed=16M -c W25Q32FV -r top_4mb_1.img
sudo flashprog -p serprog:dev=/dev/ttyACM0,spispeed=16M -c W25Q32FV -r top_4mb_2.img
diff top_4mb_1.img top_4mb_2.img
If the diff command returns anything, that means the files aren’t identical. In this case disconnect the Pi Pico and the programming clip, then reconnect them just like before and try again. Now, move on to the bottom chip. It’s upside down compared to the top one, so you’ll need to be extra careful with the alignment. Make sure the red wire of the programmer clip is lined up with the tiny dot on the chip.

Proceed with the same commands as before. Read the contents of the bottom chip twice, just like you did with the top one. Once you’ve got both files, run the diff command to compare them. If there’s any difference, that means something went wrong, so you’ll need to start over.
sudo flashprog -p serprog:dev=/dev/ttyACM0,spispeed=16M -c W25Q64BV/W25Q64CV/W25Q64FV -r bottom_8mb_1.img
sudo flashprog -p serprog:dev=/dev/ttyACM0,spispeed=16M -c W25Q64BV/W25Q64CV/W25Q64FV -r bottom_8mb_2.img
diff bottom_8mb_1.img bottom_8mb_2.img
Once you’ve got both chips read, combine the files you obtained into a single file and store it somewhere safe.
cat top_4mb_1.img bottom_8mb_1.img > t440p.rom
Now, it’s time to write the Heads firmware. Since we're already connected to the bottom chip, start with that one.
sudo flashprog -p serprog:dev=/dev/ttyACM0,spispeed=16M -c W25Q64BV/W25Q64CV/W25Q64FV -w heads-EOL_UNTESTED_t440p-maximized--bottom.rom
This will take a bit longer than reading; expect a few extra seconds for the write process. If everything goes smoothly, the command’s output should end with VERIFIED. That’s your sign that the firmware was written correctly. Now, move back to the top chip.
sudo flashprog -p serprog:dev=/dev/ttyACM0,spispeed=16M -c W25Q32FV -w heads-EOL_UNTESTED_t440p-maximized--top.rom
After putting everything back together, you can boot up the laptop and, assuming all steps were successful, you should be greeted with the Heads boot screen.
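
The read-twice-and-compare backup step above can be scripted so that a bad clip contact is caught before anything is written. This is an added example, not part of the original post; `check_dump` and `count_not` are hypothetical helper names, and the expected sizes assume the 4 MiB and 8 MiB chips described above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for two reads of
# one SPI flash chip. check_dump and count_not are hypothetical helper names.

# count_not OCTAL_ESCAPE FILE -> number of bytes in FILE that differ from it
count_not() { LC_ALL=C tr -d "$1" < "$2" | wc -c | tr -d ' '; }

# check_dump FIRST SECOND EXPECTED_BYTES
#   0 = reads are usable   2 = file missing      3 = unexpected size
#   4 = reads differ       5 = constant 0xFF/0x00 fill (clip not making contact)
check_dump() {
    first=$1; second=$2; expected=$3
    if [ ! -f "$first" ] || [ ! -f "$second" ]; then
        echo "missing dump file" >&2; return 2
    fi
    size=$(wc -c < "$first" | tr -d ' ')
    if [ "$size" -ne "$expected" ]; then
        echo "$first is $size bytes, expected $expected" >&2; return 3
    fi
    if ! cmp -s "$first" "$second"; then
        echo "$first and $second differ: reseat the clip and read again" >&2
        return 4
    fi
    if [ "$(count_not '\377' "$first")" -eq 0 ] ||
       [ "$(count_not '\000' "$first")" -eq 0 ]; then
        echo "$first is a constant fill, not firmware" >&2; return 5
    fi
    return 0
}

# Script use, with the page's file names (4 MiB = 4194304, 8 MiB = 8388608):
#   sh check_dump.sh top_4mb_1.img top_4mb_2.img 4194304
#   sh check_dump.sh bottom_8mb_1.img bottom_8mb_2.img 8388608
# On success the SHA-256 is printed so it can be stored next to the backup.
if [ "$#" -eq 3 ]; then
    check_dump "$1" "$2" "$3" && sha256sum "$1"
fi
```

Two identical reads of an unconnected chip pass a plain diff, which is why the size and constant-fill checks are worth running as well.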

We’ve successfully removed the Intel ME, reclaiming full control of our hardware. I won't go into how to configure the keys since that's pretty much straightforward. If you're having trouble setting up the keys, I recommend checking out this video. Just be sure not to accidentally erase your GPG key from the dongle if you've already created one.
Here’s one last tip: when setting the time, use the recovery shell and always use UTC format.
date -s 'yyyy-mm-dd hh:mm:ss' && hwclock -w
This ensures your TOTP token syncs with the one on your phone. If you keep running into time shifts after rebooting, it might be time to replace the CMOS battery.