
Exploiting Intel’s Management Engine - DyslexicAtheist
https://kakaroto.homelinux.net/2019/11/exploiting-intels-management-engine-part-1-understanding-pts-txe-poc/
======
derefr
> The ME does have a legitimate function, but it does so much more now, as it
> takes care of the hardware initialization, the main CPU boot up, control of
> the clock registers, DRM management for Audio/Video, software based TPM and
> more.

In other words, the ME is to Intel boards as Apple’s T2 chip is to their
recent notebooks: an SoC that takes on the real role of being the “system
processor”, turning the [rest of the] socketed CPU into effectively an
“application processor.”

In fact, given that it’s so self-sufficient, it’s interesting that Intel
chose to ship the ME as an “IP core” of the CPU itself, rather than making it
part of the off-die Intel PCH chipset that they supply to mobo vendors. Is it
just to provide the ME with low-latency access to CPU components like ALUs
(for TPM encryption circuits) and d-cache (for packet sniffing)? Because it
seems like it isn’t really built this way, and an “external ME” would be just
fine running without a CPU socketed in at all. (Which would be neat, honestly;
if you could exploit an external ME, you could run software on your Intel-
chipset motherboard without a “real” CPU!)

Given that industry players seem to be all trending toward this design in one
way or another (even game consoles did the “system SoC” / “application CPU”
split with the last two generations), I wonder if this design pattern will
ever be standardized, in the way that interrupt controllers or MMUs were
standardized. Will we ever see an open-hardware board with its own open-
hardware system-management SoC running FOSS firmware?

~~~
elagost
This has been the case in server systems for a while - IPMI[1] has been used
for remote KVM, power management, remote mounting of ISOs, etc. on many
servers for years. HP's iLO, Dell's iDRAC, and even SuperMicro boards have an
implementation. This pattern is pretty standard, but none of it's FOSS.

[1] [https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface](https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface)

~~~
plausibilities
Wasn't NordVPN recently pwned via an IPMI security hole?

iLO is kind of a piece of crap, but I do love my Xen and resource pools

~~~
tyingq
Pretty sure the IPMI software is crap no matter the brand. I know the
SuperMicro one requires a very old Java version fat client to interact with
it, and is very flaky.

~~~
petschge
The newer versions finally support a HTML5 console instead of the old java
webstart horror they used to ship with.

~~~
kelleyk
Also, if you need to interact with a Supermicro BMC that doesn't support the
HTML5 console (for example, because it's running older firmware), I reverse-
engineered the proprietary "iKVM" protocol (along with a lot of other parts of
the BMC) and implemented support for it on a branch of noVNC, which you can
find here:
[https://github.com/kelleyk/noVNC](https://github.com/kelleyk/noVNC)

~~~
dboreham
Waaaat! Praise be. Now I can justify the last 45min reading HN...

------
Jonnax
So I keep hearing that the IME can do remote KVM.

I've got an old laptop lying around, could I hook it up to my router and
access it without remote desktop software from another PC on my network?

Or does this require some expensive intel software with a subscription?

~~~
vbezhenar
Key words: AMT, vPro. You should have compatible CPU and board. Remote KVM is
provided via VNC protocol, so any VNC viewer should work. You need to open web
interface and proceed from there.

Basically it's a business feature and usually not available on consumer
laptops.

~~~
rwmj
And very annoyingly not available on the Intel NUC, even though remote-
managing those would be very useful. I guess something about not wanting to
cannibalise their server market.

If IME could be reprogrammed then maybe there would be a way to add these
features.

~~~
vetinari
You are looking for NUC7i7DN(HE,KE). These SKUs do have AMT. They also have
iSCSI support in UEFI. Yes, nice little machines.

~~~
usr1106
Well, AMT looks very tempting because of the functionality.

On the other side because of security, I'm not sure whether I should be glad
to use NUC models that don't have it at all.

So assuming I take the risk, what networking link does AMT require? Do I guess
correctly that it works only over Ethernet? Thinking of mobile devices that
have only a cellular modem link.

~~~
vetinari
It works with Ethernet and newer versions with Wi-Fi. The Ethernet and Wi-Fi chips
also must be the Intel ones.

------
elagost
It is possible to use an Intel machine without the ME. Since there are
constant vulnerabilities and exploits around the ME, many enthusiasts do not
like the idea of a vulnerable and secret super-admin computer on their
computer. There is the option to disable the ME on supported devices (usually
old Thinkpads) using me_cleaner[1].

I personally run Coreboot on my Thinkpad with the ME "disabled" (essentially
just broken and stuck in a constant bring-up state), and System76[2],
Purism[3], and Dell sell machines with the option of disabling the ME
entirely, if one is super-paranoid.

[1] [https://github.com/corna/me_cleaner](https://github.com/corna/me_cleaner)

[2] [https://system76.com/laptops](https://system76.com/laptops)

[3] [https://puri.sm/learn/intel-me/](https://puri.sm/learn/intel-me/)

~~~
red_phone
I’m confused... other comments reference ME as the root-of-trust for the
system, the chip that brings the CPU out of reset. How can a system be
operational without that functionality?

~~~
criddell
Why wouldn't it work? Intel-based motherboards didn't always have a ME.

~~~
wolf550e
Current Intel chipsets and CPUs cannot initialize the system without the ME.
You can disable all the applications running on the ME, but it is required to
bring up the system.

------
mynameiskyleok
Just wanted to say that this was written really well. As someone who doesn’t
know anything about the subject, I was easily able to follow along and
understand. That’s kind of rare around here for me.

------
nes350
Seems to be hugged to death.

[https://archive.is/ty7Yu](https://archive.is/ty7Yu)

~~~
msla
[https://web.archive.org/web/20191115161514/https://kakaroto.homelinux.net/2019/11/exploiting-intels-management-engine-part-1-understanding-pts-txe-poc/](https://web.archive.org/web/20191115161514/https://kakaroto.homelinux.net/2019/11/exploiting-intels-management-engine-part-1-understanding-pts-txe-poc/)

archive.is is nice, but the Wayback Machine makes URLs which are a lot more
transparent.

~~~
egdod
archive.is also breaks if you use Cloudflare DNS.