Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Set the HAP bit (ME >= 11) or the AltMeDisable bit (ME < 11)
Positive Technologies discovered the presence of an undocumented HAP bit
in the PCHSTRP0 field of the descriptor which, when set to 1, disables
completely Intel ME just after the initialization. This is confirmed both
by an analysis of the status of Intel ME after the setting of the bit and
by reverse engineering the BUP module.

More information in their blog post:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

Moreover Igor Skochinsky discovered a bit in the PCHSTRP10, which achieves
more or less the same result as the HAP bit for ME < 11.

With this commit one of these bits is set to 1: instead of halting due to
corrupted modules, Intel ME now halts before trying to load them, possibly
leading to a cleaner shutoff of the ME subsystem.
  • Loading branch information
corna committed Aug 30, 2017
1 parent 5ffeaff commit ced3b46
Showing 1 changed file with 17 additions and 1 deletion.
18 changes: 17 additions & 1 deletion me_cleaner.py
Expand Up @@ -501,6 +501,7 @@ def start_end_to_flreg(start, end):
flmap0, flmap1 = unpack("<II", f.read(8))
frba = flmap0 >> 12 & 0xff0
fmba = (flmap1 & 0xff) << 4
fpsba = flmap1 >> 12 & 0xff0

f.seek(frba)
flreg = unpack("<III", f.read(12))
Expand Down Expand Up @@ -590,7 +591,7 @@ def start_end_to_flreg(start, end):

mef = RegionFile(f, me_start, me_end)

if args.descriptor or args.extract_descriptor:
if me_start > 0:
fdf = RegionFile(f, fd_start, fd_end)

print("Removing extra partitions...")
Expand Down Expand Up @@ -651,6 +652,21 @@ def start_end_to_flreg(start, end):
print("Truncating file at {:#x}...".format(end_addr))
f.truncate(end_addr)

if me_start > 0:
if me11:
print("Setting the HAP bit in PCHSTRP0 to disable Intel ME...")
fdf.seek(fpsba)
pchstrp0 = unpack("<I", fdf.read(4))[0]
pchstrp0 |= (1 << 16)
fdf.write_to(fpsba, pack("<I", pchstrp0))
else:
print("Setting the AltMeDisable bit in PCHSTRP10 to disable "
"Intel ME...")
fdf.seek(fpsba + 0x28)
pchstrp10 = unpack("<I", fdf.read(4))[0]
pchstrp10 |= (1 << 7)
fdf.write_to(fpsba + 0x28, pack("<I", pchstrp10))

if args.descriptor:
print("Removing ME/TXE R/W access to the other flash regions...")
fdf.write_to(fmba + 0x4, pack("<I", 0x04040000))
Expand Down

3 comments on commit ced3b46

@rminnich
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just can't stop smiling. I can't. I can't.

@archfan
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stop smiling. The world is a horrendous place. We must frown at our achievements. This will remind us that the past wasn't really that much worse in the first place.

@sellerie98
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@archfan Or just dont stop smiling, as the world is a horrendous place, loaded with a level of irony that is hilarious again.

Please sign in to comment.