Reverse-Engineering the Intel Management Engine (opens in new tab)

(puri.sm)

273 pointslaamalif8y ago34 comments

34 comments

Meanwhile I'm trying to find a way to remove the hard lock on CPU and RAM frequencies (extreme CPUs can't be overclocked, RAM is locked at 1333 MHz) :)

Looks like it can be done through Management Engine, which has access to everything apparently.

Only success so far is unlocking BCLK, but the overclock is small and unstable that way.

Another roadblock was the read only lock, which can fortunately be bypassed on POST on xx67/77 chipsets.

floatboth8y ago

> extreme CPUs can't be overclocked

You mean non-extreme?

> unlocking BCLK, but the overclock is small and unstable that way

On desktop Skylake, BCLK can get you to anywhere you want (I run an i5-6400 at 4.5GHz daily, over 4.7 for benchmarks). You're talking about laptops, right?

prodmerc8y ago

Laptop, and extreme CPU. HP and Dell block TPL/TRL adjustment even for XM processors, and HP took it even further with their 1333 MHz limit on RAM. I have 1600 MHz sticks that can run fine at 1866 and probably more (tried with Thaiphoon Burner), so that's really annoying. I don't want an Alienware to get that.

And BCLK allows for a 5MHz overclock, which is not much, anything more and the system crashes. Which is really strange, may have something to do with PCIE as Dogma said.

I just want to get everything out of my extreme processor and RAM.

1 more reply

dogma11388y ago

BCLK overclocking is heavily motherboard dependent, you need a very good external clock reference and in any case once you go over 3-5mhz you drop your PCIE rates from 3.0 to 2.0.

Intel's HEDT platform supports proper CPU strap overclocking withou adverse effects, but even then it's usually not recommended unless you are doing extreme OC and that's liquid nitro :)

Namidairo8y ago

> On desktop Skylake, BCLK can get you to anywhere you want

I thought Intel shut this down with microcode updates.

1 more reply

jlg238y ago

e_context? but good luck anyway.

lightedman8y ago

Try SetFSB.

Animats8y ago

This is nice, but it just allows you to replace some of the the Management Engine code. What we need to know in detail is what it's doing. There's probably a backdoor in there that hasn't been discovered yet.

wolfgke8y ago

On the other hand, if we get "our" code into the IME, we can really do interesting stuff. For example reading out data that one should not be read out? ;-)

ReverseCold8y ago

Hopefully we can get a fully libre boot on purism laptops soon.

I feel like there would be legal problems though...

wolfgke8y ago

Just develop it anonymously and make information on how to flash it yourself either on an .onion page or on a server in a jurisdiction that does not care (so much) about US American intellectual property.

d338y ago

What kind of legal problems would you anticipate?

cryptarch8y ago

Perhaps by ways the DMCA, for "p0wning" DRM('d) modules?

1 more reply

eikenberry8y ago

My guess would be DMCA anti-circumvention issues.

turbohedgehog8y ago

Did the author notify Intel about the bug they found?

mmastrac8y ago

Respectfully, why would they? The goal here is to find exploits in ME and use them to make Intel chips more end-user friendly.

When we were rooting Android devices we sat on a lot of exploits that we believed we could use to give end-users freedom. There were a handful that were bad enough to warrant disclosure [1], but we still offered them as ways for users to control their own devices with a few layers of obfuscation on top.

[1] http://www.unrevoked.com/rootwiki/doku.php/public/unrevoked1...

qb458y ago

Publishing a blog post isn't exactly sitting on a vuln. I would understand if they kept it to themselves and I would understand if they reported to Intel, but this?

1 more reply

wolfgke8y ago

> When we were rooting Android devices we sat on a lot of exploits that we believed we could use to give end-users freedom.

I often think whether one should really help people who decide to buy locked-down Android devices.

1 more reply

phire8y ago

Even if it was exploitable, it's not like Intel can fix it as they have no mechanism to revoke the old version.

Sure, they could release a new version with the bug fixed, but the attacker doesn't have to use the new version, they can deliberately use the old flawed version in their modified version of the bios.

turblety8y ago

Hopefully this is true. Though we really don't know what all the components in the Intel ME can do. They might be able to remotely update all chips so long as they have connected to a network that still exists. But I think (hope) this is unlikely and you are right.

j / k navigate · click thread line to collapse

34 comments

prodmerc8y ago

Meanwhile I'm trying to find a way to remove the hard lock on CPU and RAM frequencies (extreme CPUs can't be overclocked, RAM is locked at 1333 MHz) :)

Looks like it can be done through Management Engine, which has access to everything apparently.

Only success so far is unlocking BCLK, but the overclock is small and unstable that way.

Another roadblock was the read only lock, which can fortunately be bypassed on POST on xx67/77 chipsets.

floatboth8y ago

> extreme CPUs can't be overclocked

You mean non-extreme?

> unlocking BCLK, but the overclock is small and unstable that way

On desktop Skylake, BCLK can get you to anywhere you want (I run an i5-6400 at 4.5GHz daily, over 4.7 for benchmarks). You're talking about laptops, right?

prodmerc8y ago

And BCLK allows for a 5MHz overclock, which is not much, anything more and the system crashes. Which is really strange, may have something to do with PCIE as Dogma said.

I just want to get everything out of my extreme processor and RAM.

1 more reply

dogma11388y ago

BCLK overclocking is heavily motherboard dependent, you need a very good external clock reference and in any case once you go over 3-5mhz you drop your PCIE rates from 3.0 to 2.0.

Intel's HEDT platform supports proper CPU strap overclocking withou adverse effects, but even then it's usually not recommended unless you are doing extreme OC and that's liquid nitro :)

Namidairo8y ago

> On desktop Skylake, BCLK can get you to anywhere you want

I thought Intel shut this down with microcode updates.

1 more reply

jlg238y ago

e_context? but good luck anyway.

lightedman8y ago

Try SetFSB.

Animats8y ago

wolfgke8y ago

On the other hand, if we get "our" code into the IME, we can really do interesting stuff. For example reading out data that one should not be read out? ;-)

ReverseCold8y ago

Hopefully we can get a fully libre boot on purism laptops soon.

I feel like there would be legal problems though...

wolfgke8y ago

d338y ago

What kind of legal problems would you anticipate?

cryptarch8y ago

Perhaps by ways the DMCA, for "p0wning" DRM('d) modules?

1 more reply

eikenberry8y ago

My guess would be DMCA anti-circumvention issues.

turbohedgehog8y ago

Did the author notify Intel about the bug they found?

mmastrac8y ago

Respectfully, why would they? The goal here is to find exploits in ME and use them to make Intel chips more end-user friendly.

[1] http://www.unrevoked.com/rootwiki/doku.php/public/unrevoked1...

qb458y ago

Publishing a blog post isn't exactly sitting on a vuln. I would understand if they kept it to themselves and I would understand if they reported to Intel, but this?

1 more reply

wolfgke8y ago

> When we were rooting Android devices we sat on a lot of exploits that we believed we could use to give end-users freedom.

I often think whether one should really help people who decide to buy locked-down Android devices.

1 more reply

phire8y ago

Even if it was exploitable, it's not like Intel can fix it as they have no mechanism to revoke the old version.

turblety8y ago

j / k navigate · click thread line to collapse