# Making sense of Intel IME



## rhsbsd (Jan 17, 2018)

...---+++Sky Net is already here+++---...
CPU: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz (2494.38-MHz K8-class CPU)
The management engine includes as of now unknown outward facing hardware
and an inward facing interface (IME/AMT). Nothing can be done about the hardware
but the inward facing interface must have a switch? Therefore I dusted off the
windows partition to do a little research. Below are the results returned from
Intel's security type scan tool for windows. You can find tool HERE. It is
saying that I dodged this bullet because apparently version 7 of the IME does
not have any AMT i/f, or code, whatsoever. Any versions of IME>7 have AMT
(Active Management Technology) which needs to be updated to the latest version
to mitigate the CVE's shown in the image. The windows driver (HECI) does have a
switch in the registry but, that begs the question, "will I get invaded even if the 
driver is off?" Notice the use of "will" and not "is it possible." Some answers are HERE.





See below graphic for details on HM65 express chip set which can be found HERE.
The page displays general attribute/capabilities of the chip set so when
you view it and see 'NO' beside firmware version that means you have no
control, i.e. no AMT. Please also note that when referring to the management
engine as a whole 'IME' is used but, when referring to the inward facing software
interfaces 'MEI' and/or 'AMT' is used. The platform is intelligent enough to set up
a serial port, hack into your LAN and then you. I wasted my time on this project
because I foolishly thought that I could razor blade the offending trace and the
whole thing would be over with, as opposed to the mind numbing complex solutions
being sought for a problem which should not even exist! Yes back in the day it was
routine to cut and jumper say a Cincinnati Milacron discrete 3 board CPU to move an
interrupt/change hardware address.​




Below represents most of the platform as seen by Windows along with ROM debug
results only for IME. The one undeniable fact glaring you in-the-face is the
integration into 'Cougar Point' of a bunch of other PCI devices on the dye with
the MEI. "I don't need any stinking permissions." It's the equivalent of a potential​hardware rootkit.



```
------[ AIDA64 Extreme v5.20.3400 ]------

------[ Microsoft Windows 7 Home Premium 6.1.????.???? Service Pack 1 (64-bit)]------
------[ Motherboard Info ]------

Motherboard ID : <DMI>
DMI MB Manufacturer : LENOVO
Motherboard Model : Lenovo Ideapad Z570
Motherboard Chip-set : Intel Cougar Point HM65, Intel Sandy Bridge

DMI MB Product : Emerald Lake
DMI MB Version : FAB1
DMI MB Serial :
DMI SYS Manufacturer: LENOVO
DMI SYS Product : 1024AFU
DMI SYS Version : Ideapad Z570
DMI SYS Serial :
DMI BIOS Version : 45CN47WW


------[ PCI Devices ]------


B00-D00-F00 [8086-0104] [17AA-3975] [CC0600]: Intel Sandy Bridge-MB - Host Bridge/DRAM Controller
B00-D01-F00 [8086-0101] [0000-0000] [CC0604]: Intel Sandy Bridge - PCI Express Controller
B00-D02-F00 [8086-0126] [17AA-397D] [CC0300]: Intel Sandy Bridge-MB - Integrated Graphics Controller (MB GT2 1.3GHz+)
B00-D16-F00 [8086-1C3A] [17AA-3975] [CC0780]: Intel Cougar Point PCH - Manageability Engine Interface 1 [B-2]
B00-D1A-F00 [8086-1C2D] [17AA-3975] [CC0C03]: Intel Cougar Point PCH - USB EHCI #2 Controller [B-3]
B00-D1B-F00 [8086-1C20] [17AA-3975] [CC0403]: Intel Cougar Point PCH - High Definition Audio Controller [B-3]
B00-D1C-F00 [8086-1C10] [0000-0000] [CC0604]: Intel Cougar Point PCH - PCI Express Port 1 [B-3]
B00-D1C-F01 [8086-1C12] [0000-0000] [CC0604]: Intel Cougar Point PCH - PCI Express Port 2 [B-3]
B00-D1C-F03 [8086-1C16] [0000-0000] [CC0604]: Intel Cougar Point PCH - PCI Express Port 4 [B-3]
B00-D1D-F00 [8086-1C26] [17AA-3975] [CC0C03]: Intel Cougar Point PCH - USB EHCI #1 Controller [B-3]
B00-D1F-F00 [8086-1C49] [17AA-3975] [CC0601]: Intel HM65 PCH - LPC Interface Controller [B-3]
B00-D1F-F02 [8086-1C03] [17AA-3975] [CC0106]: Intel Cougar Point-M PCH - SATA AHCI 6-Port Controller [B-3]
B00-D1F-F03 [8086-1C22] [17AA-3975] [CC0C05]: Intel Cougar Point PCH - SMBus Controller [B-3]
B00-D1F-F06 [8086-1C24] [17AA-3975] [CC1180]: Intel Cougar Point PCH - Thermal Management Controller [B-3]
B01-D00-F00 [10DE-0DF4] [17AA-397D] [CC0300]: nVIDIA GeForce GT 540M (Lenovo) Video Adapter
B03-D00-F00 [8086-0084] [8086-1315] [CC0280]: Intel WiFi Link 1000 BGN HMC Wireless Network Adapter (Lenovo)
B04-D00-F00 [10EC-8136] [17AA-3975] [CC0200]: Realtek RTL8139/810x Fast Ethernet Adapter

B00 D16 F00: Intel Cougar Point PCH - Manageability Engine Interface 1 [B-2]

Offset 000: 86 80 3A 1C 06 00 10 00 04 00 80 07 00 00 80 00
Offset 010: 04 50 60 F1 00 00 00 00 00 00 00 00 00 00 00 00
Offset 020: 00 00 00 00 00 00 00 00 00 00 00 00 AA 17 75 39
Offset 030: 00 00 00 00 50 00 00 00 00 00 00 00 10 01 00 00
Offset 040: 45 02 00 1E 08 00 01 80 06 00 00 6B F8 1F 00 10
Offset 050: 01 8C 03 C8 08 00 00 00 00 00 00 00 00 00 00 00
Offset 060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 080: 00 00 00 00 00 00 00 00 00 00 00 00 05 00 80 00
Offset 090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0B0: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 C0
Offset 0C0: 53 99 39 CA 7C 15 96 0D AB AC 2C 9F 60 14 14 52
Offset 0D0: D6 7D 5D AA 6E 90 FB 50 9F BB 47 0C 01 9C 3F D5
Offset 0E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Offset 0F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
```
Last but not least is a screen shot of the ME analyzer tool which can be
found HERE.[3] I believe that it is looking for an AMT interface and does not
see my old decrepit out of date IME only interface. What a relief!
	

	
	
		
		

		
		
	


	



See below. FreeBSD either does not detect, or, set up its own driver i/f, for
above mentioned hardware. I am curious to know what others are seeing here? I
guess the C200 series chip set includes the PCH (Programmable Controller Hub)
which does most of the heavy lifting. Not acknowledging the presence of this
hardware is perfect. Thanks again FreeBSD. No really, I mean it.​

```
pciconf -lv

none0@pci0:0:22:0: class=0x078000 card=0x397517aa chip=0x1c3a8086 rev=0x04
hdr=0x00
vendor = 'Intel Corporation'
device = '6 Series/C200 Series Chip-set Family MEI Controller'
class = simple comms
```
Do we as consumers have a right to a plain language disclosure that states
"anyone can wake up your box remotely, so long as the batteries are in it, and
take a look at your LIFE"??? Oh, yeah, also gives an entirely new meaning to
"air-gapped" security. At the minimum a 'jumper' to terminate the entire thing 
permanently. So to patch things up I have decided to block all known ports for the 
out-of-band protocol.
Certainly it was not the creators intention for this to evolve into what it has become
but: DOES ANYONE HAVE A CLUE ABOUT AN AFFORDABLE NON-BORKED PLATFORM 
THAT FreeBSD CAN LIVE ON??? It has come to my attention that in order to completely 
avoid the above and use Intel it is required to go all the way back to Pentium II.​That's not gonna work. Also, "be careful" the evil Russians are everywhere.


----------



## Deleted member 30996 (Jan 17, 2018)

Being the proud owner of a budding Thinkpad farm this has been of particular interest to me, but I hear next to nothing about it in Lenovo forums.

I do have an Intel-SA-00075 Mitigation Guide.pdf dated May 17, 2017 that addresses Intel AMT and how to disable or remove LMS, Intel Security Application Local Management Service, but you're talking 00086.

Edit: In fact, I read something about it just the other day:

Now you, too, can disable Intel ME 'backdoor' thanks to the NSA

With included caveat "Use at your own risk; the methods to disable Intel ME were described as risky and may damage or destroy your computer.”


----------



## rhsbsd (Jan 18, 2018)

*Trihexagonal*.30996/">*Trihexagonal*
After researching your post (in August) my only option ended up something like this:

gather up all necessary components for a home made pie burner or buy one. I'm a hardware idiot so that's not out of the question.
remove key board and any thing else in the way of PCH.
apply controlled electroshock  therapy until the other personality has been tamed, (it's still gonna be there). Impossible to remove completely due to the high level of integration I previously mentioned (it's in the boot path).

reboot.
It's definitely doable. All that time and effort and its STILL there. WHY? So I can do something I already know how to do. PC manufacturers using Intel's technology are already privy to the information required to completely disable this. I have the prints for the Huron River platform and the 500 or so jumpers are there. WHICH ONE? I just brought this quirk back up at this time because it seems to me that:
`pref _SKYNET_ (is.already.here):` is more of a threat to PC's than an buffer overrun?​


----------



## Deleted member 30996 (Jan 18, 2018)

You have one thing going for you: You are aware of the risks and can take what measures you deem necessary to minimize them, as much as is possible.

Everybody has their own ideas about security and maybe the one good thing that comes of this and the other Intel exploits, which make almost every computer vulnerable, is that it raises awareness of Internet security to the masses. Not that there won't always be those who think the world a better place knowing what they had for breakfast.

Windows98, the Swiss Cheese of Operating Systems, brought acute awareness to me of the importance of Internet security and I try to conduct myself accordingly, but there is just so much you can do when it comes down to it and it's up to the individual to decide what risks are and are not acceptable.

BTW, you need to update your sig or computer. It shows you're still at:

# freebsd-version -ku
11.1-RELEASE-p4
11.1-RELEASE-p5


----------

