From ced3b46ba2ccd74602b892f9594763ef34671652 Mon Sep 17 00:00:00 2001 From: Nicola Corna Date: Mon, 28 Aug 2017 18:41:49 +0200 Subject: [PATCH] Set the HAP bit (ME >= 11) or the AltMeDisable bit (ME < 11) Positive Technologies discovered the presence of an undocumented HAP bit in the PCHSTRP0 field of the descriptor which, when set to 1, disables completely Intel ME just after the initialization. This is confirmed both by an analysis of the status of Intel ME after the setting of the bit and by reverse engineering the BUP module. More information in their blog post: http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Moreover Igor Skochinsky discovered a bit in the PCHSTRP10, which achieves more or less the same result as the HAP bit for ME < 11. With this commit one of these bits is set to 1: instead of halting due to corrupted modules, Intel ME now halts before trying to load them, possibly leading to a cleaner shutoff of the ME subsystem. --- me_cleaner.py | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/me_cleaner.py b/me_cleaner.py index 7245fea..95d3b25 100755 --- a/me_cleaner.py +++ b/me_cleaner.py @@ -501,6 +501,7 @@ def start_end_to_flreg(start, end): flmap0, flmap1 = unpack("> 12 & 0xff0 fmba = (flmap1 & 0xff) << 4 + fpsba = flmap1 >> 12 & 0xff0 f.seek(frba) flreg = unpack(" 0: fdf = RegionFile(f, fd_start, fd_end) print("Removing extra partitions...") @@ -651,6 +652,21 @@ def start_end_to_flreg(start, end): print("Truncating file at {:#x}...".format(end_addr)) f.truncate(end_addr) + if me_start > 0: + if me11: + print("Setting the HAP bit in PCHSTRP0 to disable Intel ME...") + fdf.seek(fpsba) + pchstrp0 = unpack("
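Review bot: The new `fpsba` in the first hunk is taken straight from FLMAP1 of the image being edited, and the second hunk passes it to `fdf.seek(fpsba)` ahead of the PCHSTRP0 access with no visible check that it points at a strap area inside the descriptor. On a malformed or unusual descriptor the bit would be set at an unintended descriptor offset, so the output image could fail to boot, or keep ME running even though the tool reports setting the bit. I would also read the strap length from the same register (FLMAP1 bits 31:24, if I read the layout correctly), `fpsl = flmap1 >> 24 & 0xff`, and refuse to touch the straps when `fpsba` is zero or the target strap index is not below `fpsl`. A short comment next to the assignment, such as `# FPSBA: PCH strap base, FLMAP1 bits 23:16, in 16-byte units`, would make the shift and mask easier to audit. The second hunk is cut off in this view, so whether `RegionFile` already bounds the seek and the write cannot be confirmed from here.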