
Reverse-Engineering the Intel Management Engine - laamalif
https://puri.sm/posts/reverse-engineering-the-intel-management-engine-romp-module/
======
prodmerc
Meanwhile I'm trying to find a way to remove the hard lock on CPU and RAM
frequencies (extreme CPUs can't be overclocked, RAM is locked at 1333 MHz) :)

Looks like it can be done through Management Engine, which has access to
everything apparently.

Only success so far is unlocking BCLK, but the overclock is small and unstable
that way.

Another roadblock was the read only lock, which can fortunately be bypassed on
POST on xx67/77 chipsets.

~~~
floatboth
> extreme CPUs can't be overclocked

You mean non-extreme?

> unlocking BCLK, but the overclock is small and unstable that way

On desktop Skylake, BCLK can get you to anywhere you want (I run an i5-6400 at
4.5GHz daily, over 4.7 for benchmarks). You're talking about laptops, right?

~~~
prodmerc
Laptop, and extreme CPU. HP and Dell block TPL/TRL adjustment even for XM
processors, and HP took it even further with their 1333 MHz limit on RAM. I
have 1600 MHz sticks that can run fine at 1866 and probably more (tried with
Thaiphoon Burner), so that's really annoying. I don't want an Alienware to get
that.

And BCLK allows for a 5MHz overclock, which is not much, anything more and the
system crashes. Which is really strange, may have something to do with PCIE as
Dogma said.

I just want to get everything out of my extreme processor and RAM.

~~~
tomxor
Isn't that a bad idea... laptops have significant thermal limitations, things
start going wrong quickly when you push beyond those. I've not done any
serious overclocking but most seem to stick to desktop and buy more capable
cooling systems to make it sustainable.

~~~
prodmerc
Aside from heatsink limitations (which can be modded to achieve better
cooling), people are pushing their gaming laptops to 80W and beyond, with
overclocked GPUs as well.

Some are resorting to dual PSU's to handle the power requirements, so the
system boards are capable of handling some insane load.

I myself squeezed another year out of a Core 2 Quad laptop by overclocking
everything as much as possible. Temperatures were averaging 90-95 under load,
but I didn't care at that point, as I was going to upgrade. It still works :D

------
Animats
This is nice, but it just allows you to replace some of the the Management
Engine code. What we need to know in detail is what it's doing. There's
probably a backdoor in there that hasn't been discovered yet.

~~~
wolfgke
On the other hand, if we get "our" code into the IME, we can really do
interesting stuff. For example reading out data that one should not be read
out? ;-)

------
ReverseCold
Hopefully we can get a fully libre boot on purism laptops soon.

I feel like there would be legal problems though...

~~~
d33
What kind of legal problems would you anticipate?

~~~
cryptarch
Perhaps by ways the DMCA, for "p0wning" DRM('d) modules?

~~~
Buge
Only the people actually subverting the DRM would have legal problems. The
people manufacturing the laptop would be fine.

~~~
cryptarch
What sections of the law and precedents make you so sure about that?

~~~
Buge
I tend to take the view that if the law doesn't prevent it, it's ok to do. I
don't need legal permission to do something, I just need to avoid things that
the law specifically bans.

~~~
marssaxman
If someone with a lot of money has a problem with what you're doing, they'll
hire lawyers to discover some way that the law prevents you from doing it. If
the ensuing lawsuit, which will bankrupt you regardless of its outcome,
doesn't serve as a sufficient warning for anyone else who wants to do whatever
it was you did, they'll proceed to _buy_ a law that prevents you from doing
it.

------
turbohedgehog
Did the author notify Intel about the bug they found?

~~~
mmastrac
Respectfully, why would they? The goal here is to find exploits in ME and use
them to make Intel chips more end-user friendly.

When we were rooting Android devices we sat on a _lot_ of exploits that we
believed we could use to give end-users freedom. There were a handful that
were bad enough to warrant disclosure [1], but we still offered them as ways
for users to control their own devices with a few layers of obfuscation on
top.

[1]
[http://www.unrevoked.com/rootwiki/doku.php/public/unrevoked1...](http://www.unrevoked.com/rootwiki/doku.php/public/unrevoked1_disclosure)

~~~
qb45
Publishing a blog post isn't exactly sitting on a vuln. I would understand if
they kept it to themselves and I would understand if they reported to Intel,
but this?

~~~
bigiain
I'm not entirely sure the same "responsible disclosure" arguments for software
apply to hardware.

With software, a patch release is a common enough thing that it's a solid
argument that letting companies like Microsoft or Apple or Google or others
who've demonstrated they'll actually fix security bugs (so, maybe not Oracle,
for example), or any of the hundreds or thousands of widely-used OSS projects
- I'm _much_ less convinced that any company like Intel will ever manage to
get even a single digit percentage of their users to reflash CPU firmware - if
that's even possible - and I've never heard of a hardware company freely
replacing all user's CPUs where remote exploits are known.

Where the option of "give them 90 days to get a patch out - possibly give them
an extension if they ask and explain why, but otherwise sit on the bug with
the vendor until it's fixed or being actively exploited in the wild" à la
Google Zero & Tavis seems to work reasonably well enough of the time for
software bugs - it seems to me unlikely to be as beneficial for hardware bugs
which are much much harder to get fixes to end users - and early disclosure
giving the opportunity to mitigate with firewalls or unplugging the device
seems more likely to be the better choice.

~~~
pkaye
Isn't the whole purpose of this IME to facilitate remote updates and
management of systems? As for patching hardware, Intel does have the ability
to apply microcode patches. At the least they are able to disable features
that are buggy.

~~~
bigiain
Sure - it's _possible_ to patch the microcode - but can your dentist's
receptionist do it? Or your mom? Unless there's a tool that automatically
applies security microcode updates as easily and as widespread as automatic
Windows updates - it's really only of use to enterprise/corporate networks...
I've never bumped into a small or medium sized business that runs remote
management for all the machines on their office networks...

~~~
pkaye
I know the Linux kernel on my Ubuntu system applies microcode patches early on
bootup. I also know that Microsoft has microcode patches as updates. For
example [https://support.microsoft.com/en-
us/help/3064209/june-2015-i...](https://support.microsoft.com/en-
us/help/3064209/june-2015-intel-cpu-microcode-update-for-windows)

