Last time, we talked about the Intel Management Engine (ME) - a subsystem that is built into all modern computer platforms (desktops, laptops, servers, tablets) with Intel chipsets. This technology is perceived by many as a hardware “bookmark”, and for good reason. Suffice it to say that Intel ME is the only execution environment that:

• it works even when the computer is turned off (but the power is on);
• has access to all the contents of the computer's RAM;
• has out-of-band access to the network interface.

Stunned by the presence of such a component in the computer, the user (it turns out that it is the “user” rather than the “owner”) probably wondered: can Intel ME be turned off?
')
This article is entirely devoted to this issue.

Introduction

Recall that the main component of Intel ME is a microcontroller built into the chipset with a custom architecture. Only the basic model is known; it is 32-bit ARCtangent-A4 (ME 1.x - 5.x), ARCtangent-A5 (ME 6.x - 10.x), SPARC (TXE) or x86 (ME 11.x - ...).

Starting with version 6, the ME controller is built into all Intel chipsets.


[drawing taken from here ]

The loader of its firmware is stored in the internal ROM and is not available for analysis. The firmware itself is located in the ME region in the external SPI flash memory (that is, in the same memory where the BIOS is stored). The structure of this firmware is such that the entire executable code is divided into modules that are stored in a compressed form (either by the custom implementation of the Huffman algorithm, or LZMA). These code modules are cryptographically protected from modifications.

If there is a desire to reverse the firmware, we recommend using these two tools to study its structure and unpack the code modules.

So, the considered subsystem is a hardware and software basis for various system functions (some were previously implemented in the BIOS) and Intel technologies. Their implementation is included in the Intel ME firmware. One such technology that uses Intel ME's several special privileges is Active Management Technology (AMT).

AMT State Monitoring

AMT is a technology for remote administration of computer systems for which official support for Intel vPro is claimed (this is a brand that combines several technologies, including AMT). We are talking about systems with Q line chipsets (for example, Q57 or Q170).

Given the high cost of such platforms, it is unlikely that anyone will accidentally acquire a computer with AMT in order not to use this technology in principle. However, if you have such a product at hand, and there is a need to make sure that AMT is currently turned off, you should use the ACUwizard utility:


[drawing taken from here ]

or by means of Intel Management and Security Status (included in Intel ME software for vPro platforms, can be detected in the tray):






Finally, in order to protect computers on your network from unauthorized control from the outside, you need to configure an external firewall to filter AMT requests by attributes. A clear sign of an AMT request may be the port that is being accessed:

• 5900 - AMT VNC server without encryption;
• 16992 - AMT web server via HTTP;
• 16993 - AMT Web Server over HTTPS;
• 16994 - AMT redirection for SOL, IDE-R, KVM without encryption;
• 16995 - AMT redirection for SOL, IDE-R, KVM with TLS.

Products that are not part of the AMT vPro-platform AMT cannot be included, however, the Intel ME firmware includes network drivers:



This means that the ME controller (let's not forget that it is always on) has the technical ability to use the network interface.

Therefore, the problem should be solved thoroughly - try to turn off the Intel ME subsystem.

Turn off Intel ME using utilities from the Intel System Tool Kit

Intel provides motherboard vendors with:

1. Intel ME firmware in binary form;
2. MEBx modules for BIOS;
3. Intel ME software for OS;
4. The Intel System Tool Kit (STK) is a set of software and documentation for assembling SPI flash memory images, applying these images, and getting information about the current state of Intel ME.

Despite the fact that this kit is distributed by NDA (judging by the labels "Intel Confidential" in the attached documents), many vendors forget to cut it from the archive with Intel ME software, which is transmitted to users. And still do not close their ftp-servers from external access. As a result, there are a lot of leaked STK versions. Here you can merge the kit for any version of Intel ME.

It is important that the major and minor version (first and second digits) of the STK used coincide with the Intel ME version of the target system, information about which can be obtained, for example, using the ME analyzer :



You can check the current status of Intel ME using the MEinfo utility, which, through the Management Engine Interface (MEI), obtains information about the operation of this subsystem:



Recall that the MEI is the interface for connecting the main CPU with the Intel ME subsystem and is a set of registers in the PCI configuration space and in the MMIO. The commands of this interface are not documented, as is the protocol itself.

Flash image tool

On older platforms (Intel ME version 5.x and below), this subsystem can be turned off using the Flash Image Tool (an STK utility designed to build SPI flash images from individual BIOS, ME, GbE regions). During assembly, parameters are set that are written in these regions and in the Flash Descriptors region. In the latter there is one very interesting flag, "ME disable":



Thus, to turn off Intel ME on the target computer system, in its SPI flash memory you should write (programmer) a new image with the “ME disable” flag set.

Whether this method works, is unknown to us. But it sounds plausible, considering that the ME controller in those versions was integrated only into the Q chipsets, i.e. was not a required component for all platforms.

Flash programming tool

Starting with Intel ME 9 version, the ability to temporarily turn off Intel ME was added to the Flash Programming Tool for programming SPI flash memory of computer platforms:



Shutdown is done by sending a command to MEI. After testing, Intel ME does not show "signs of life", even MEI does not respond:



According to the documentation, the Intel ME subsystem is in this state until the next computer startup or reboot.

On vPro platforms, the ability to send this command is also available in earlier versions. To do this, you must use the ME / AMT configuration section in the BIOS, where the “Intel ME disable” option should be:


[drawing taken from here ]

You cannot say that this method allows you to completely disable Intel ME, if only because before accepting the shutdown command, the ME controller will have time to boot, which means it will execute some part of the firmware code.
Despite the fact that Intel ME does not give "signs of life" after this operation, it is not known whether this subsystem can re-enable any signal from the outside. It is also unclear how much Intel ME is turned off.

Forced shutdown of Intel ME

In the interest of excluding the possibility of the ME controller executing the firmware code, it is logical to try to limit its access to it. Why? No code - no problem.

After analyzing the documentation that is attached to the STK, and after some thought, we assumed that this could be done in the following ways.


1. Cut (reset) the ME region from the SPI flash memory.

Those who tried to do so reported that their platform either did not boot without the presence of genuine ME firmware, or turned off exactly after 30 minutes of work.

The failure of a computer system to boot without Intel ME firmware can be explained by the importance of the ME controller in the process of initializing the hardware component. A 30-minute timeout suggests a WDT (Watch Dog Timer).


2. Enable non descriptor SPI flash memory mode, i.e. "The old way" when it contained only the BIOS. This requires one of two things:

• erase the first 0x20 bytes in it (thus damaging the signature 0x0FF0A55A, which determines the mode of operation of the flash memory);
• set the HDA_SDO jumper (if any).

Thus, the ME controller will not get access to its region, and, therefore, will not execute the firmware.

On the one hand, the ME controller, just as in the previous case, can interfere with the normal operation of the computer system. On the other hand, not descriptor mode includes so-called. manufacturing mode, which is used by vendors for debugging purposes, and there is a chance that the system will start.


3. It is known that the firmware Intel ME is unpacked into a dedicated memory area that is hidden and hidden from the main CPU - ME UMA. Selecting and locking this area is done by the BIOS during the configuration of the memory card. Then why not cut these code snippets from the BIOS so that this area does not stand out. Then the ME firmware will not be unpacked and executed.

Experiments have shown that this method is also not suitable, and the system does not start. In addition, the ME controller has an internal SRAM, which is used when ME UMA is unavailable. Therefore, part of the firmware will still be executed.

Conclusion

We talked about ways to shut down Intel ME and requiring development:

• shutdown at each start with a command in MEI or disabling a flag in the region flash descriptors (depending on the version);
• restriction of access to the ME controller for its firmware or transfer of the computer platform in manufacturing mode.
• obstructing the normal operation of the ME controller without providing it with runtime memory.

Obviously, some of the proposed solutions entail the inoperability of the computer system, the rest do not give any guarantee that the Intel ME subsystem is really turned off. In this regard, we concluded that completely shut down Intel ME is extremely difficult.

This is probably due to the fact that by disabling Intel ME, we neutralize an important component in the architecture of a computer system. For example, without ME, there will be no one to solve important system tasks like ACPI or ICC (which were once implemented in the BIOS). To make the platform work stably without ME, at a minimum, it is necessary to return the implementation of these technologies in the BIOS.

Anyway, the question of how to disable Intel ME without losing the performance of a computer system remains open.