MrChromebox commented on May 2, 2019
the firmware I build is designed to be flashed on the system itself, and so assumes that the ME firmware region cannot be written to. If you want to disable the ME, you'll need an external programmer and to simply use ME Cleaner to disable the ME, then flash the "cleaned" image back to the device
Mhowser commented on May 2, 2019
MrChromebox commented on May 2, 2019
nearly identical:
Mhowser commented on May 2, 2019
MrChromebox commented on May 2, 2019
yep, works fine on all of them I've tested on
Mhowser commented on May 2, 2019
moriel5 commented on Sep 16, 2019
I have a question: after using ME Cleaner and having flashed via external flashing, I understand that I will still need to use ME Cleaner on subsequent firmware updates; however, will I be able to flash them internally now, or will I need to flash via external means each time?
My SOIC-8 clips have gotten detached from the wiring, and I am having a hard time pulling the wires out of the sleeves so I could solder them, so I am hoping that I won't need them for my sister's laptop now (I had already flashed the cleaned image with them before this had happened).
MrChromebox commented on Sep 16, 2019
there is no need to use ME Cleaner on subsequent updates, simply keep the flash descriptor locked and the IFD/ME will remain unable to be written via internal flashing, same as they are now. Then internal updates will only apply to the BIOS region.
moriel5 commented on Sep 16, 2019
Thanks, though as a rookie (I am learning, though), I fail to understand what you mean by "keeping the flash descriptor locked".
Essentially, I had removed the write-protect screw from the laptop the day it arrived in our home, though from what I had read over on the Win-Raid forum, this should be part of the firmware itself.
Does this mean that as long as I do not modify the firmware, I can flash it without worrying about the TXT firmware being flashed?
Update: In the end I modified the `firmware.sh` script to point directly at the cleaned firmware, since I won't be home for the next few weeks.
However, I'd still like to understand what you had meant.
MrChromebox commented on Sep 17, 2019
the flash descriptor (IFD) is a 4KB section at the start of the flash chip; it defines the layout of the flash chip and sets permissions for the various regions.

> Essentially, I had removed the write-protect screw from the laptop the day it arrived in our home, though from what I had read over on the Win-Raid forum, this should be part of the firmware itself.

completely separate from the flash descriptor

> Does this mean that as long as I do not modify the firmware, I can flash it without worrying about the TXT firmware being flashed?

coreboot has a config option to either unlock the IFD or leave it locked. As long as it is locked when you flash externally, then subsequent internal flashes won't be able to modify the IFD or ME regions
moriel5 commented on Sep 17, 2019
Then I believe that I had left it locked, as other than using ME Cleaner, and specifying the default FlashROM arguments (with my CH341a), I did not do anything else.
artemislena commented on Oct 17, 2019
@MrChromebox Wouldn't it be possible to somehow set the HAP bit from the UEFI settings / shell? Just asking because, while certainly doable, it's not exactly trivial to use an SPI programmer on internal mainboard ROM and so on - and some other devices (some Linux laptops) also allow disabling the ME from the internal UEFI, which is indeed installed on the system. Another idea would be to ship two versions, one with and one without ME, or just have it always disabled (I don't think anyone here would like to use the ME anyway).
MrChromebox commented on Oct 17, 2019

> Wouldn't it be possible to somehow set the HAP bit from the UEFI settings / shell?

no. The HAP bit is contained in the flash descriptor (IFD) region of the firmware, which is RO on a live/booted system. The only way to change any bits in the IFD is via external programmer.

> some other devices (some Linux laptops) also allow disabling the ME from the internal UEFI, which is indeed installed on the system

that's using a different technique. I could likely disable the ME on SKL/KBL devices this way, but it wouldn't be user configurable.

> Another idea would be to ship two versions, one with and one without ME, or just have it always disabled (I don't think anyone here would like to use the ME anyway).

there's not much point in me doing so, since it requires flashing with an external programmer on the vast majority of devices I support. Plus, if I shipped ME-disabled images, then the IFD wouldn't match the stock firmware and it would fail validation after flashing (even if I don't write that area, it still gets checked). And there's no way I'm going to double the number of images I build/support. 60+ is unbearable as it is
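To make the two points above concrete (the IFD as the 4KB block that sets region permissions, and the HAP/ME-disable bit living in that same descriptor), here is an added read-only inspector for a flash dump. It is example code written for this page, not MrChromebox's firmware, coreboot's ifdtool or me_cleaner; the offsets and bit positions are the publicly documented descriptor layout as those tools decode it (old layout: read/write bits at 16/24, AltMeDisable in PCHSTRP10 bit 7; Skylake-era layout: read/write bits at 8/20, HAP in PCHSTRP0 bit 16). The `build_sample_image` function is a constructed descriptor for an imaginary 8 MiB chip, there only so the script runs offline; `descriptor_is_locked` encodes the thread's meaning of "locked": the host/BIOS master has no write access to the Descriptor or ME regions.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A
# The five classic regions shared by old and new descriptor layouts
# (newer PCHs define up to twelve; the bit-per-region scheme extends the same way).
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
MASTER_NAMES = ["Host CPU/BIOS", "ME", "GbE"]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_descriptor(img, new_layout):
    """Decode regions, master access rights and the ME-disable strap from a flash dump.

    new_layout=True selects the Skylake/Kaby Lake-era bit positions (ifdtool's
    'version 2'); False selects the older ones used by the Chromebooks ME Cleaner supports.
    """
    if _u32(img, 0x10) != IFD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = _u32(img, 0x14), _u32(img, 0x18)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # region section base
    fmba = (flmap1 & 0xFF) << 4           # master section base
    fpsba = ((flmap1 >> 16) & 0xFF) << 4  # PCH strap section base

    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = _u32(img, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        regions[name] = (base, limit) if base <= limit else None  # base > limit: unused

    rd_shift, wr_shift = (8, 20) if new_layout else (16, 24)
    masters = {}
    for i, name in enumerate(MASTER_NAMES):
        flmstr = _u32(img, fmba + 4 * i)
        masters[name] = {
            "read": [r for j, r in enumerate(REGION_NAMES) if (flmstr >> (rd_shift + j)) & 1],
            "write": [r for j, r in enumerate(REGION_NAMES) if (flmstr >> (wr_shift + j)) & 1],
        }

    if new_layout:
        me_disabled = bool((_u32(img, fpsba) >> 16) & 1)        # HAP bit: PCHSTRP0 bit 16
    else:
        me_disabled = bool((_u32(img, fpsba + 0x28) >> 7) & 1)  # AltMeDisable: PCHSTRP10 bit 7
    return {"regions": regions, "masters": masters, "me_disabled": me_disabled}


def descriptor_is_locked(info):
    """'Locked' as used in the thread: the host/BIOS master cannot write the Descriptor
    or ME regions, so an internal flash can only change the BIOS region."""
    host_write = info["masters"]["Host CPU/BIOS"]["write"]
    return "Descriptor" not in host_write and "ME" not in host_write


def build_sample_image(new_layout, locked, me_disabled):
    """Constructed 4 KiB descriptor for an imaginary 8 MiB chip; not a dump of any real device."""
    img = bytearray(b"\xff" * 0x1000)
    frba, fmba, fpsba = 0x40, 0x80, 0x100
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    # FLMAP0: NR=4 (five regions) in bits 26:24, FRBA>>4 in bits 23:16, FCBA>>4 in bits 7:0
    struct.pack_into("<I", img, 0x14, (4 << 24) | ((frba >> 4) << 16) | 0x03)
    # FLMAP1: FPSBA>>4 in bits 23:16, NM=2 (three masters) in bits 9:8, FMBA>>4 in bits 7:0
    struct.pack_into("<I", img, 0x18, ((fpsba >> 4) << 16) | (2 << 8) | (fmba >> 4))
    layout = [  # (base, limit) in 4 KiB units; base > limit marks an unused region
        (0x0000, 0x000),  # Descriptor: first 4 KiB
        (0x0500, 0x7FF),  # BIOS: 0x500000-0x7FFFFF
        (0x0003, 0x4FF),  # ME: 0x003000-0x4FFFFF
        (0x0001, 0x002),  # GbE: 0x001000-0x002FFF
        (0x7FFF, 0x000),  # Platform Data: unused
    ]
    for i, (base, limit) in enumerate(layout):
        struct.pack_into("<I", img, frba + 4 * i, (limit << 16) | base)
    rd_shift, wr_shift = (8, 20) if new_layout else (16, 24)
    all_regions = 0b11111                              # one bit per region, bit 0 = Descriptor
    host_write = 0b01010 if locked else all_regions    # locked: host may write BIOS and GbE only
    struct.pack_into("<I", img, fmba + 0, (host_write << wr_shift) | (all_regions << rd_shift))
    struct.pack_into("<I", img, fmba + 4, (0b01100 << wr_shift) | (0b01100 << rd_shift))  # ME master
    struct.pack_into("<I", img, fmba + 8, (0b01000 << wr_shift) | (0b01000 << rd_shift))  # GbE master
    struct.pack_into("<I", img, fpsba, (1 << 16) if (new_layout and me_disabled) else 0)
    struct.pack_into("<I", img, fpsba + 0x28, (1 << 7) if (not new_layout and me_disabled) else 0)
    return bytes(img)


if __name__ == "__main__":
    for new_layout in (False, True):
        info = parse_descriptor(build_sample_image(new_layout, locked=True, me_disabled=True), new_layout)
        print("layout:", "new" if new_layout else "old",
              "| locked:", descriptor_is_locked(info),
              "| ME disabled via strap:", info["me_disabled"])
        print("  host can write:", info["masters"]["Host CPU/BIOS"]["write"])
```

Because the host master keeps read access to the whole chip even when the descriptor is locked, the same check works on a dump taken internally (for example with `flashrom -p internal -r dump.bin`, then `parse_descriptor(open("dump.bin", "rb").read(), new_layout=...)`), which is how you would confirm before an internal update that only the BIOS region is writable and that the ME-disable strap survived the earlier external flash.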
ghost commented on May 29, 2022
@MrChromebox
Could you write a guide/wiki on this for flashing ME Cleaner on Chromebooks?
MrChromebox commented on May 29, 2022
ME cleaner only works for a very small number of older Chromebooks. The process for using ME cleaner is well documented on the ME cleaner github, there's nothing I can add to it (other than I don't recommend it)