Last time we talked about Intel Management Engine (ME) - a subsystem that is built into all modern computer platforms (desktops, laptops, servers, tablets) with Intel chipsets. This technology is perceived by many as a hardware “bookmark”, and there are reasons for this. Suffice it to say that Intel ME is the only runtime that:

• It works even when the computer is turned off (but power is supplied);
• has access to all the contents of the computer's RAM;
• has out-of-band access to the network interface.

Stunned by the presence of such a component in the computer, the user (it turns out that it is the “user” and not the “owner”) probably wondered: is it possible to turn off Intel ME?

This article is entirely devoted to this issue.

Introduction

Recall that the main component of Intel ME is a microcontroller built into the chipset with a custom architecture. Only the basic model is known, it is 32-bit ARCtangent-A4 (ME 1.x - 5.x), ARCtangent-A5 (ME 6.x - 10.x), SPARC (TXE) or x86 (ME 11.x - ...).

Starting with version 6, ME-controllers are integrated into all Intel chipsets.


[drawing taken from here ]

The bootloader of its firmware is stored in the internal ROM and is not available for analysis. The firmware itself is located in the ME region in the external SPI flash memory (i.e. in the same memory where the BIOS is stored). The structure of this firmware is such that the entire executable code is divided into modules that are stored in a compressed form (either a custom implementation of the Huffman algorithm or LZMA). These code modules are cryptographically protected from modifications.

If you want to upgrade the firmware, we recommend using these two tools to study its structure and unpack the code modules.

So, the subsystem under consideration is the hardware and software basis for various system functions (some were previously implemented in the BIOS) and Intel technologies. Their implementation is included in the Intel ME firmware. One such technology that uses several of the special privileges of Intel ME is Active Management Technology (AMT).

AMT monitoring

AMT is a technology for remote administration of computer systems for which official support for Intel vPro has been announced (it is a brand that combines several technologies, including AMT). We are talking about systems with Q-series chipsets (for example, Q57 or Q170).

Given the high cost of such platforms, it is unlikely that anyone will accidentally purchase a computer with AMT in order not to use this technology in principle. Nevertheless, if such a product is at hand and you need to make sure that AMT is currently turned off, you should use the ACUwizard utility :


[Figure taken from here ]

or the Intel Management and Security Status tool (included with Intel ME software for vPro- platforms can be found in the tray):






Finally, in order to protect computers on your network from unauthorized control from the outside, you need to configure an external firewall to filter AMT requests by attributes. A clear sign of an AMT request may be the port that is being accessed:

• 5900 - AMT VNC server without encryption;
• 16992 - AMT web server via HTTP;
• 16993 - AMT web server via HTTPS;
• 16994 - AMT redirection for SOL, IDE-R, KVM without encryption;
• 16995 - AMT redirection for SOL, IDE-R, KVM with TLS.

In products that are not classified as vPro-platforms, AMT cannot be included, but Intel ME firmware includes network drivers:



This means that the ME controller (let's not forget that it is always on) has the technical ability to use a network interface.

Therefore, the problem should be solved thoroughly - try to turn off the Intel ME subsystem.

Shutting down Intel ME using utilities from the Intel System Tool Kit

Motherboard vendors Intel provides:

1. Intel ME firmware in binary form;
2. MEBx modules for BIOS;
3. Intel ME OS software;
4. Intel System Tool Kit (STK) is a set of software tools and documentation for assembling SPI flash memory images, applying these images and obtaining information about the current state of Intel ME.

Despite the fact that this kit is distributed according to the NDA (judging by the Intel Confidential tags in the attached documents), many vendors forget to cut it out of the archive with Intel ME software, which is transmitted to users. And still do not close their ftp-servers from external access. As a result, there are a lot of leaked STK versions. Here you can merge the kit for any version of Intel ME.

It is important that the major and minor versions (first and second digits) of the STK used coincide with the Intel ME version of the target system, information about which can be obtained, for example, using the ME analyzer : You can



check the current status of Intel ME using MEinfo utility, which through the Management Engine Interface (MEI) receives information about the operation of this subsystem:



Recall that MEI is an interface for connecting the main CPU with the Intel ME subsystem and is a set of registers in the PCI configuration space and in MMIO. The commands of this interface are not documented, like the protocol itself.

Flash image tool

On older platforms (Intel ME version 5.x and lower), you can turn off this subsystem using the Flash Image Tool (a utility from STK designed to build SPI images of flash memory from individual BIOS, ME, GbE regions). During assembly, parameters are set that are specified in these regions and in the Flash Descriptors region. In the latter there is one very interesting flag, “ME disable”:



Thus, to turn off Intel ME on the target computer system, a new image with the “ME disable” flag set (programmer) should be written in its SPI flash memory.

Whether this method works is unknown to us. But it sounds plausible, given that the ME controller in those versions was integrated only into the Q-series chipsets, i.e. was an optional component for all platforms.

Flash programming tool

Starting with Intel ME version 9, the Flash Programming Tool for programming SPI flash memory for computer platforms has been added with the ability to temporarily turn off Intel ME:



Shutdown is done by sending a command to MEI. After working out, Intel ME does not show “signs of life”, even MEI does not respond:



According to the documentation, the Intel ME subsystem is in this state until the next computer startup or reboot.

On vPro platforms, the ability to send this command is also available in earlier versions. To do this, use the ME / AMT configuration section in the BIOS, where the option “Intel ME disable” should be:


[figure taken from here ]

We can’t say that this method allows you to completely disable Intel ME, if only because before the command to turn off the ME-controller has time to boot, which means that it will execute some part of the firmware code.
Despite the fact that Intel ME does not show “signs of life” after this operation, it is not known whether any signal from the outside can re-enable this subsystem. It is also unclear how Intel ME is off.

Forced shutdown Intel ME

In the interest of eliminating the possibility of execution of the firmware code by the ME controller, it is logical to try to restrict access to it to it. And what? No code - no problem.

After analyzing the documentation that came with the STK, and with a little thought, we suggested that this could be done in the following ways.


1. Cut (zero) the ME region from the SPI flash memory.

Those who have tried to do so report that their platform either did not boot without genuine ME firmware, or turned off exactly after 30 minutes of operation.

The failure of the computer system to boot without Intel ME firmware can be explained by the importance of the ME-controller during the initialization of the hardware component. A 30-minute timeout suggests WDT (Watch Dog Timer).


2. Enable non descriptor mode of SPI flash memory, ie "The old fashioned way" when it contained only the BIOS. This requires one of two things:

• delete the first 0x20 bytes in it (thus damaging the signature 0x0FF0A55A, which determines the operating mode of the flash memory);
• set the jumper HDA_SDO (if any).

Thus, the ME controller will not gain access to its region, and therefore will not execute firmware.

On the one hand, the ME controller, as in the previous case, can interfere with the normal operation of a computer system. On the other hand, non-descriptor mode includes the so-called manufacturing mode, which is used by vendors for debugging purposes, and there is a chance that the system will start.


3. It is known that Intel ME firmware is unpacked into the allocated and hidden from the main CPU area of ​​RAM - ME UMA. The BIOS selects and locks this area during configuration of the memory card. Then why not cut out these pieces of code from the BIOS so that this area does not stand out. Then the ME firmware will not be unpacked and executed.

The experiments showed that this method is also not suitable, and the system does not start. In addition, the ME controller has an internal SRAM that is used when ME UMA is unavailable. Therefore, part of the firmware will still be executed.

Conclusion

We talked about proposed and developmental ways to turn off Intel ME:

• disabling at each start by the team in MEI or disabling the flag in the flash descriptors region (depending on version);
• restricting access to the ME controller to its firmware or transferring the computer platform to manufacturing mode.
• interfering with the normal operation of the ME controller without providing its runtime memory.

Obviously, some of the proposed solutions entail the inoperability of the computer system, others do not give any guarantee that the Intel ME subsystem is really turned off. In this regard, we came to the conclusion that it is extremely difficult to completely turn off Intel ME.

This is probably due to the fact that by disabling Intel ME, we neutralize an important component in the architecture of a computer system. For example, without ME there will be nobody to solve important system tasks like ACPI or ICC (which were once implemented in the BIOS). To make the platform work stably without ME, at a minimum, you need to return the implementation of these technologies to the BIOS.

One way or another, the question of how to disable Intel ME without losing the performance of a computer system remains open.