On Fri, 8 Dec 2017 21:34:57 +0100 (CET) echelon@free.fr wrote:
For those who are interested in the Intel ME, the slides and white papers from the Black Hat Europe are public.
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-T...
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-T...
https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-...
https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-...
I read the documents above and in:
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-T...
we have:
The file /home/bup/ct was unsigned, enabling us to slip a modified version into the ME firmware with the help of Flash Image Tool. Now we were able to cause a buffer overflow inside the BUP process with the help of a large BUP initialization file.
[...]
By exploiting the vulnerability that we found in the bup module, we were able to turn on a mechanism, PCH red unlock, that opens full access to all PCH devices for their use via the DFx chain—in other words, using JTAG. One such device is the x86 ME processor itself, and so we obtained access to its internal JTAG interface. With such access, we could debug code executed on ME, read memory of all processes and the kernel, and manage all devices inside the PCH. We found a total of about 50 internal devices to which only ME has full access, while the main processor has access only to a very limited subset of them.
As I understand, this by itself isn't sufficient yet to boot a post-GM45 Intel with free software, however it gives a lot of insight on how things work and enables all researchers to understand better the Management Engine and recent Intel systems to, maybe one day, make free software booting possible on such platforms.
I hope that one day someone will find and publish a way to do that, for instance by finding a bit in the flash descriptor that would enable "PCH red unlock".
As I understand, enabling DCI is already possible through some flash descriptor bits.
Thanks a lot for all the research that was done!
Denis.