The Intel Management Engine See also: http://www.eevblog.com/forum/chat/windows-is-getting-disgusting/ 20160602 http://www.eevblog.com/forum/chat/is-microsoft-into-trojans-or-spyware/msg953469/#msg953469 lilos iot-dev.net team member Re: Is Microsoft into trojans or spyware? « Reply #108 on: June 02, 2016, 08:37:20 AM » Withdraw Thanks Quote https://libreboot.org/faq/#intelme Not only windows 10 is spying intel use ME ARC processor core ! Introduced in June 2006 in Intel's 965 Express Chipset Family of (Graphics and) Memory Controller Hubs, or (G)MCHs, and the ICH8 I/O Controller Family, the Intel Management Engine (ME) is a separate computing environment physically located in the (G)MCH chip. In Q3 2009, the first generation of Intel Core i3/i5/i7 (Nehalem) CPUs and the 5 Series Chipset family of Platform Controller Hubs, or PCHs, brought a more tightly integrated ME (now at version 6.0) inside the PCH chip, which itself replaced the ICH. Thus, the ME is present on all Intel desktop, mobile (laptop), and server systems since mid 2006. The ME consists of an ARC processor core (replaced with other processor cores in later generations of the ME), code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through an Intel Gigabit Ethernet Controller. Its boot program, stored on the internal ROM, loads a firmware "manifest" from the PC's SPI flash chip. This manifest is signed with a strong cryptographic key, which differs between versions of the ME firmware. If the manifest isn't signed by a specific Intel key, the boot ROM won't load and execute the firmware and the ME processor core will be halted. The ME firmware is compressed and consists of modules that are listed in the manifest along with secure cryptographic hashes of their contents. One module is the operating system kernel, which is based on a proprietary real-time operating system (RTOS) kernel called "ThreadX". The developer, Express Logic, sells licenses and source code for ThreadX. Customers such as Intel are forbidden from disclosing or sublicensing the ThreadX source code. Another module is the Dynamic Application Loader (DAL), which consists of a Java virtual machine and set of preinstalled Java classes for cryptography, secure storage, etc. The DAL module can load and execute additional ME modules from the PC's HDD or SSD. The ME firmware also includes a number of native application modules within its flash memory space, including Intel Active Management Technology (AMT), an implementation of a Trusted Platform Module (TPM), Intel Boot Guard, and audio and video DRM systems. The Active Management Technology (AMT) application, part of the Intel "vPro" brand, is a Web server and application code that enables remote users to power on, power off, view information about, and otherwise manage the PC. It can be used remotely even while the PC is powered off (via Wake-on-Lan). Traffic is encrypted using SSL/TLS libraries, but recall that all of the major SSL/TLS implementations have had highly publicized vulnerabilities. The AMT application itself has known vulnerabilities, which have been exploited to develop rootkits and keyloggers and covertly gain encrypted access to the management features of a PC. Remember that the ME has full access to the PC's RAM. This means that an attacker exploiting any of these vulnerabilities may gain access to everything on the PC as it runs: all open files, all running applications, all keys pressed, and more. Intel Boot Guard is an ME application introduced in Q2 2013 with ME firmware version 9.0 on 4th Generation Intel Core i3/i5/i7 (Haswell) CPUs. It allows a PC OEM to generate an asymmetric cryptographic keypair, install the public key in the CPU, and prevent the CPU from executing boot firmware that isn't signed with their private key. This means that coreboot and libreboot are impossible to port to such PCs, without the OEM's private signing key. Note that systems assembled from separately purchased mainboard and CPU parts are unaffected, since the vendor of the mainboard (on which the boot firmware is stored) can't possibly affect the public key stored on the CPU. ME firmware versions 4.0 and later (Intel 4 Series and later chipsets) include an ME application for audio and video DRM called "Protected Audio Video Path" (PAVP). The ME receives from the host operating system an encrypted media stream and encrypted key, decrypts the key, and sends the encrypted media decrypted key to the GPU, which then decrypts the media. PAVP is also used by another ME application to draw an authentication PIN pad directly onto the screen. In this usage, the PAVP application directly controls the graphics that appear on the PC's screen in a way that the host OS cannot detect. ME firmware version 7.0 on PCHs with 2nd Generation Intel Core i3/i5/i7 (Sandy Bridge) CPUs replaces PAVP with a similar DRM application called "Intel Insider". Like the AMT application, these DRM applications, which in themselves are defective by design, demonstrate the omnipotent capabilities of the ME: this hardware and its proprietary firmware can access and control everything that is in RAM and even everything that is shown on the screen. The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored. Before version 6.0 (that is, on systems from 2008/2009 and earlier), the ME can be disabled by setting a couple of values in the SPI flash memory. The ME firmware can then be removed entirely from the flash memory space. libreboot does this on the Intel 4 Series systems that it supports, such as the Libreboot X200 and Libreboot T400. ME firmware versions 6.0 and later, which are found on all systems with an Intel Core i3/i5/i7 CPU and a PCH, include "ME Ingition" firmware that performs some hardware initialization and power management. If the ME's boot ROM does not find in the SPI flash memory an ME firmware manifest with a valid Intel signature, the whole PC will shut down after 30 minutes. Due to the signature verification, developing free replacement firmware for the ME is basically impossible. The only entity capable of replacing the ME firmware is Intel. As previously stated, the ME firmware includes proprietary code licensed from third parties, so Intel couldn't release the source code even if they wanted to. And even if they developed completely new ME firmware without third-party proprietary code and released its source code, the ME's boot ROM would reject any modified firmware that isn't signed by Intel. Thus, the ME firmware is both hopelessly proprietary and "tivoized". In summary, the Intel Management Engine and its applications are a backdoor with total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the libreboot project strongly recommends avoiding it entirely. Since recent versions of it can't be removed, this means avoiding all recent generations of Intel hardware. More information about the Management Engine can be found on various Web sites, including me.bios.io, unhuffme, coreboot wiki, and Wikipedia. The book Platform Embedded Security Technology Revealed describes in great detail the ME's hardware architecture and firmware application modules. « Last Edit: June 02, 2016, 03:54:08 PM by lilos » Report to moderator Logged www.iot-dev.net team member ------------------------------------------- TerraHertz Re: Is Microsoft into trojans or spyware? « Reply #115 on: June 02, 2016, 09:04:07 PM » lilos it's sad isn't it? You post a reveal of irremovable spyware and DRM enforcement crap being built into the fundamental architecture of modern PCs, in ways that should be absolutely and unequivocally unacceptable to everyone who learns of them. What should be 'enraged mob with pitchforks and firebrands' stuff, resulting in Intel/Microsoft execs being hunted down and killed. Yet all most readers have to say is complaints about the text formatting. This civilization is hopelessly doomed. -------------------------------------------- lilos Re: Is Microsoft into trojans or spyware? « Reply #116 on: June 02, 2016, 10:31:06 PM » Quote from: TerraHertz on June 02, 2016, 09:04:07 PM lilos it's sad isn't it? You post a reveal of irremovable spyware and DRM enforcement crap being built into the fundamental architecture of modern PCs, in ways that should be absolutely and unequivocally unacceptable to everyone who learns of them. What should be 'enraged mob with pitchforks and firebrands' stuff, resulting in Intel/Microsoft execs being hunted down and killed. Yet all most readers have to say is complaints about the text formatting. This civilization is hopelessly doomed. --- I completely agree with you TerraHertz! --------------------------------------------- lilos Contributor Posts: 13 Country: iot-dev.net team member Re: Is Microsoft into trojans or spyware? « Reply #121 on: June 04, 2016, 10:41:56 AM » Say Thanks Quote https://github.com/zamaudio/intelmetool This tool by Damien Zammit can query the status of the ME on your system. It uses the MEI (ME interface, previously called HECI) a bidirectional PCI interface between the host cpu and the ME cpu. You need linux to compile it and tun it it is very simple information tool so you can know is ME is active on your pc! I have one laptop that is intel core i5 and here is my output: ./intelmetool Bad news, you have a `HM55 Chipset LPC Interface Controller` so you have ME hardware on board and it is very difficult to remove, continuing... RCBA at 0xfed1c000 MEI not hidden on PCI, checking if visible MEI found: [8086:3b64] 5 Series/3400 Series Chipset HECI Controller ME Status : 0x245 ME Status 2 : 0x60000000 ME: FW Partition Table : OK ME: Bringup Loader Failure : NO ME: Firmware Init Complete : YES ME: Manufacturing Mode : NO ME: Boot Options Present : NO ME: Update In Progress : NO ME: Current Working State : Normal ME: Current Operation State : M0 with UMA ME: Current Operation Mode : Normal ME: Error Code : No Error ME: Progress Phase : Host Communication ME: Power Management Event : Clean Moff->Mx wake ME: Progress Phase State : Host communication established PCI READ [bc] : 0x000000bc ME: Extend SHA-256: 7aa32b527fe97b0374f01427d2fd18b93da7e88bddbc586038f67210c377d411 ME seems okay on this board WRITE [00] : CB: 0x80040007 WRITE [00] : CB: 0x000002ff ME: timeout waiting for data: expected 8, available 0 ME: GET FW VERSION message failed WRITE [00] : CB: 0x80080007 WRITE [00] : CB: 0x00000203 WRITE [00] : CB: 0x00000000 ME: timeout waiting for data: expected 5, available 0 ME: GET FWCAPS message failed exiting For people that want method to be on safe side use usb to Ethernet adapters it is know that they don`t have DMA access so ME can`t access it. This is in case we are on Linux computer for windows no one knows what happens in windows kernel « Last Edit: June 04, 2016, 10:55:31 AM by lilos » -------------------------------------------------------- lilos Re: Is Microsoft into trojans or spyware? « Reply #131 on: Today at 11:04:31 AM » Say Thanks Quote Intel & ME, and why we should get rid of ME - FSF official statement! http://www.fsf.org/blogs/licensing/intel-me-and-why-we-should-get-rid-of-me --------------------------------------------------------- 20160618 https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html Intel x86s hide another CPU that can take over your machine (you can't audit it) Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I posted a mention: http://www.eevblog.com/forum/chat/is-microsoft-into-trojans-or-spyware/msg964363/#msg964363 Also, a scraped copy here: http://investmentwatchblog.com/revealed-intels-secret-microchip-that-can-take-over-your-pc/ --------------------------------------------------------- 20160706 https://www.superstation95.com/index.php/world/1593 ALL Intel x86 Computer Chips COMPROMISED! Intel included Backdoor . . . for CLANDESTINE use by Government??? References this, which is very interesting: http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub Secret of Intel Management Engine by Igor Skochinsky (mod on reddit.com/r/ReverseEngineering/ ) Posted: -------- http://www.eevblog.com/forum/chat/is-microsoft-into-trojans-or-spyware/msg977386/#msg977386 Here's an entertaining slideshow of investigation of the Intel Management Engine internals: http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub Secret of Intel Management Engine by Igor Skochinsky (mod on reddit.com/r/ReverseEngineering/ ) But it can only be downloaded as a file if logged into linkedin... urrgh. Nevermind, here it is as a pdf: http://documents.tips/download/link/secret-of-intel-management-engine-by-igor-skochinsky I came upon that via https://www.superstation95.com/index.php/world/1593 (Hal Turner's new site.) Very hyperbolic prose there. But I completely agree with his views on this. Except that while the ME insanity _should_ mean the end of Intel, it likely won't. Because most people are just too numb to care. Until someone cracks those keys, and suddenly all PCs with recent Intel CPUs get permanently bricked. --------- http://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/