We've covered before that it was possible, and in theory how to do so, but I think having a proper How-To written up will save even us nerd types some hair pulling. Here's what you'll need to start:
- an Intel-CPU-based target PC — that does not have Boot Guard enabled — on which you wish to disable the IME;
- the target PC may be running an OEM BIOS (such as AMI, Dell etc.), or coreboot;
- a Raspberry Pi 3 Model B single board computer ('RPi3'), for use as an external flash programmer;
- a spare >= 8GB microSD card (to hold the 64-bit Gentoo O/S image we will use for the RPi3);
- an appropriate IC clip for your target PC's flash chip, e.g.:
  - a Pomona 5250 for SOIC-8 chips;
  - a Pomona 5208 for unsocketed DIP-8 chips; or
  - a Pomona 5252 for SOIC-16 chips;
- 8 female-female connector wires (to attach the appropriate clip to the RPi3's GPIO header);
- a maintenance manual for your target PC, where available, to assist in safe disassembly / reassembly; and
- whatever tools are stipulated in the above.
Given the above list, you'll obviously need to be comfortable identifying and connecting an IC clip to your flash chip. So, it's not a procedure for most grandmothers, but neither is it especially complex or difficult for the vast majority of desktop machines (laptop/other difficulty will vary widely). Also, the guide explicitly does not cover PLCC or WSON flash chips, so you're out of luck here if your board has one of those.
Happy hacking, folks.
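Before writing anything back, you want proof that the RPi3-and-clip setup is reading the chip reliably. The script below is an added example, not code from the how-to; it assumes flashrom with its linux_spi programmer on /dev/spidev0.0 (the programmer string and speed are our assumptions), reads the chip twice, and refuses to proceed unless the two dumps match and are not blank.

```shell
#!/bin/sh
# Added example, not part of the linked how-to. Read the SPI flash twice
# through the RPi3's SPI header and only accept the result as a backup
# when both images agree and are not blank.
# Assumes flashrom is installed and the clip is wired to /dev/spidev0.0;
# the programmer string and spispeed value are assumptions, not from the page.

# Read the flash into the file named by $1 (flashrom's linux_spi programmer).
read_dump() {
    flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r "$1"
}

# Return 0 only when both dumps are non-empty, byte-identical, and contain
# both non-0xFF and non-0x00 bytes. An all-0xFF or all-0x00 image is the usual
# symptom of a clip that is not making contact or a chip that is not powered.
verify_dumps() {
    dump_a=$1
    dump_b=$2
    [ -s "$dump_a" ] && [ -s "$dump_b" ] || { echo "empty dump" >&2; return 1; }
    cmp -s "$dump_a" "$dump_b" || { echo "dumps differ; reseat the clip" >&2; return 1; }
    # Count the bytes left after deleting every 0xFF, then after deleting every 0x00.
    non_ff=$(LC_ALL=C tr -d '\377' < "$dump_a" | wc -c | tr -d ' ')
    non_00=$(LC_ALL=C tr -d '\000' < "$dump_a" | wc -c | tr -d ' ')
    if [ "$non_ff" -eq 0 ] || [ "$non_00" -eq 0 ]; then
        echo "dump is blank (all 0xFF or all 0x00)" >&2
        return 1
    fi
    return 0
}

# Typical use: take two reads into $1.a and $1.b, then check them against
# each other before anything is written to the chip.
backup_flash() {
    read_dump "$1.a" && read_dump "$1.b" && verify_dumps "$1.a" "$1.b"
}
```

Run `backup_flash backup.bin` with the clip attached; keep the verified dump off the target machine before flashing anything.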
Related Stories
It looks like it's nearly game over for the Intel Management Engine:
Positive Technologies, which in September said it has a way to attack the Intel Management Engine, has dropped more details on how its exploit works.
The firm has already promised to demonstrate [a] God-mode hack in December 2017, saying the bug "allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard".
For some details, we'll have to wait, but what's known is bad enough: Intel Management Engine (IME) talks to standard Joint Test Action Group (JTAG) debugging ports. As [does] USB, so Positive Technologies researchers put the two together and crafted a way to access IME from the USB port.
[...] The latest attack came to Vulture South's attention via a couple of Tweets:
Game over! We (I and @_markel___ ) have obtained fully functional JTAG for Intel CSME via USB DCI. #intelme #jtag #inteldci pic.twitter.com/cRPuO8J0oG
— Maxim Goryachy (@h0t_max) November 8, 2017
Full access to the Intel ME (>=Skylake) by JTAG debugging via USB DCI https://t.co/TMvOirXOVI @ptsecurity @h0t_max @_markel___
— Hardened-GNU/Linux (@hardenedlinux) November 8, 2017
The linked blog post [in Russian] explains that since Skylake, the PCH – Intel's Platform Controller Hub, which manages chip-level communications – has offered USB access to JTAG interfaces that used to need specialised equipment. The new capability is DCI, Direct Connect Interface.
Reddit discussion linked by LoRdTAW in a journal.
Previously: Intel Management Engine Partially Defeated
Disabling Intel ME 11 Via Undocumented Mode
How-To: Disabling the Intel Management Engine
Andrew Tanenbaum's Open Letter to Intel About MINIX 3
Professor Andrew S. Tanenbaum from the Department of Computer Science at Vrije Universiteit Amsterdam wrote "An Open Letter to Intel" regarding Intel's use of MINIX 3 to run the Intel Management Engine (video) built into their processors:
Thanks for putting a version of MINIX 3 inside the ME-11 management engine chip used on almost all recent desktop and laptop computers in the world. I guess that makes MINIX the most widely used computer operating system in the world, even more than Windows, Linux, or MacOS. And I didn't even know until I read a press report about it. Also here and here and here and here and here (in Dutch), and a bunch of other places.
[...] Note added later: Some people have pointed out online that if MINIX had a GPL license, Intel might not have used it since then it would have had to publish the modifications to the code. Maybe yes, maybe no, but the modifications were no doubt technical issues involving which mode processes run in, etc. My understanding, however, is that the small size and modular microkernel structure were the primary attractions. Many people (including me) don't like the idea of an all-powerful management engine in there at all (since it is a possible security hole and a dangerous idea in the first place), but that is Intel's business decision and a separate issue from the code it runs. A company as big as Intel could obviously write its own OS if it had to. My point is that big companies with lots of resources and expertise sometimes use microkernels, especially in embedded systems. The L4 microkernel has been running inside smartphone chips for years.
Professor Tanenbaum did the initial design and development of MINIX, a microkernel used primarily for teaching. He has helped guide it through the years as a small community around it has grown. Lately it has adopted much of the NetBSD userspace. The IME is a full operating system running inside x86 computers. It gets run before whatever system is on the actual hard disk even starts booting.
Purism Disables Intel ME On Its Privacy-Focused Librem Laptops
Purism, a startup that aims to develop privacy-focused devices, announced that it has now disabled Intel's Management Engine (ME). The company, and many privacy activists, believe that because Intel's ME is a black box to the user, it could hide backdoors from certain intelligence agencies. Alternatively, it may contain vulnerabilities that could even be unknown to Intel, but which might still be exploited by sophisticated attackers to bypass the operating system's security.
[...] The Librem laptops use Coreboot firmware, which is an open source alternative to BIOS and UEFI for Linux. The company said that using Coreboot is one of the primary reasons why they were able to disable Intel ME in the first place. Coreboot allowed them to dig down on how the processor interacts with this firmware and with the operating system.
Purism had already "neutralized" the Intel ME system on its Librem laptops, which essentially meant that the mission-critical components of Intel ME were removed. However, this could still cause some errors, because the Intel ME would still be "fighting" Coreboot's attempt to neutralize it. With the new method that disables it, the Intel ME can be shut down gracefully. Purism's laptops will continue to support both methods for extra security, just in case the Intel ME is able to "wake up" somehow after it's disabled.
[...] Both Librem 13 and Librem 15 laptop models will now ship with Intel ME disabled by default. Customers who have purchased the older Librem laptops will also receive an update that will disable Intel ME on their systems.
Related: Purism Exceeds $1 Million in Funding for Librem 5 Linux-Based Smartphone
How-To: Disabling the Intel Management Engine
(Score: 5, Insightful) by takyon on Monday October 16 2017, @01:59AM (21 children)
Will you buy superior price/performance x86 chips, or pin your hopes on SoylentNews favorite RISC-V to break the monopoly?
Does this mean Intel is a better buy than AMD?
Is this just a ruse to get you to disable the management engine you know about?
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Informative) by Anonymous Coward on Monday October 16 2017, @02:19AM
Using a turquoise case is the only way to shut down the one the lizard people put in there.
(Score: 5, Informative) by The Mighty Buzzard on Monday October 16 2017, @02:22AM (13 children)
Well, RISC-V is years away from giving the world a chip comparable with even the low-end x86_64 chips, so that's out. ARM would be a better bet but while finding a respectable ARM chip isn't too hard, finding a board that gives you options comparable to a modern desktop is exceedingly difficult, so that's out as well for a bit longer. If you need a desktop this year, you have no realistic choice but x86_64 unless you're willing to pay thousands of dollars extra for an underperforming Talos II.
My rights don't end where your fear begins.
(Score: 1) by Ethanol-fueled on Monday October 16 2017, @02:28AM (8 children)
YES!
https://www.youtube.com/watch?v=LdH1hSWGFGU [youtube.com]
(Score: 1) by Ethanol-fueled on Monday October 16 2017, @02:36AM (2 children)
https://youtu.be/LdH1hSWGFGU?t=97 [youtu.be]
HAHHAHAHA
YEAH!
(Score: 2) by takyon on Monday October 16 2017, @02:41AM
ni🅱️️🅱️️a wot m9
(Score: 2) by RS3 on Monday October 16 2017, @04:23AM
OK, I'm missing something: why are you posting those links?
Obviously off topic, but certainly awesome.
I was not at this concert but I saw this woman do this piece 2 years ago: https://www.youtube.com/watch?v=YKGPe31nWZs/ [youtube.com]
(Score: 2) by The Mighty Buzzard on Monday October 16 2017, @02:46AM (3 children)
If you're going to go all Offtopic and link that song at least link the Bugs Bunny version.
(Score: 2) by c0lo on Monday October 16 2017, @03:10AM
Those bugs were closed as "fixed" a long time ago.
Wanna reopen them? Fair warning: bugs is trademarked [justia.com] to them.
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 1) by Ethanol-fueled on Monday October 16 2017, @04:34AM
They are all Bugs Bunny versions.
From Hungarian Rhapsody to The Marriage of Figaro, [youtube.com] we were taught well.
Hahahhaahheeheehooooo!
(Score: 1) by Ethanol-fueled on Monday October 16 2017, @05:10AM
Gotdammit, why the hell does all the good shit have to be posted when I'm drunk off my ass and unable to use it at the moment?!
(Score: 2) by curunir_wolf on Monday October 16 2017, @05:06PM
I am a crackpot
(Score: 0) by Anonymous Coward on Monday October 16 2017, @02:48AM (1 child)
It seems all three major manufacturers love to piss off final users. ARM can come with TrustZone, so you are under the board maker's will about chip selection and what is loaded in it. https://en.wikipedia.org/wiki/ARM_architecture#TrustZone_.28for_Cortex-A_profile.29 [wikipedia.org]
(Score: 1) by Ethanol-fueled on Monday October 16 2017, @05:16AM
Yeah, really. Qualcomm loves to hand out their Snapdragon (ARM based) dev boards but those sonsabitches are known for being difficult, just as the cell processors were.
(Score: 1, Interesting) by Anonymous Coward on Monday October 16 2017, @04:08AM (1 child)
Any real stats about that Talos II? It's not a crappy embedded CPU abused to be a PC. It seems to come with 2 CPUs, each with 4 cores, and each with 4 threads (called SMT4 by IBM, instead of x86's 2 so far, and Power9 also has an SMT8 option). 2 sockets, 8 cores, 32 threads, with 180W TDP. The board has 16 ECC DDR4 slots, can fit up to 2TB. Also three 16x PCIe 4.0 and two 4x. That is going to cost money on x86 too, if available at all.
So how does it really compare to AMD/Intel offerings? Anyone with Power8 experience (Power 9 is 1.5-2.2x times better by IBM paper)?
For reference (sparse on final GHz or even bogomips to get an idea):
https://en.wikipedia.org/wiki/POWER9 [wikipedia.org]
https://www.raptorcs.com/content/TL2WK2/intro.html [raptorcs.com]
https://www.ibm.com/developerworks/community/wikis/form/anonymous/api/wiki/61ad9cf2-c6a3-4d2c-b779-61ff0266d32a/page/1cb956e8-4160-4bea-a956-e51490c2b920/attachment/56cea2a9-a574-4fbb-8b2c-675432367250/media/POWER9-VUG.pdf [ibm.com]
(Score: 2) by driverless on Monday October 16 2017, @10:36AM
A system can be underperforming in two senses, you pay PC prices for something with the performance of a cellphone, or you pay high-end server prices for something that performs like a PC. The Talos II is the latter, the price makes it a top-of-the-line PowerEdge, the specs make it an eBayed Inspiron.
(Score: 2) by isostatic on Monday October 16 2017, @10:35AM (3 children)
Is this just a ruse to get you to disable the management engine you know about?
Unless they have some real spy stuff infecting every chip like Uraei or similar, somebody would be able to see traffic passing through their router
(Score: 3, Funny) by takyon on Monday October 16 2017, @10:47AM (2 children)
The chips use an internal neutrino router to communicate directly with the NSA.
(Score: 1, Funny) by Anonymous Coward on Monday October 16 2017, @11:25PM (1 child)
Great, now I have to build a million gallon tank directly below my house just so I can see what the NSA is siphoning off!?! I have stuff to do this weekend!
(Score: 2) by Wootery on Tuesday October 17 2017, @09:55AM
Try siphoning the stream of bile from YouTube comments. You'll have it full in no time.
(Score: 2) by crafoo on Tuesday October 17 2017, @02:04AM (1 child)
Days like this I really miss my Amiga. Assembly was more fun on it too.
(Score: 1) by anubi on Tuesday October 17 2017, @04:08AM
That's the reason I stay with my simple stuff.
I do not need to refresh a HD screen 60 FPS, but I *must* be able to trust the thing.
If I can't trust it, I am really afraid to connect anything really important to it.
I'd be more comfortable knowing my systems are running Arduinos than running something someone else can pwn me anytime he wants.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 5, Interesting) by jmorris on Monday October 16 2017, @04:22AM
It is possible to disable this by the vendor, Intel apparently will allow it.
Dell Latitude 14 Rugged Laptop [dell.com]
Note they ship the default of "No Out-of-Band management" but sell two options, "vPro Enabled" and "vPro ME Disabled, Custom Order" for the same $20.92 upcharge.
Haven't seen the option on other Dell offerings yet but somebody yelled at their sales rep loudly enough to get that option added. We need to yell until we make that universal, then a zero charge option, finally get it to be the default. PC sales are flat right now, customers have the whip hand. USE. IT.
(Score: 2) by bradley13 on Monday October 16 2017, @05:39AM (4 children)
It's great that someone has produced this how-to, but it remains a scary process with a non-zero chance of bricking your machine. What I want to know is why. Why does Intel make this necessary? Why not just make the management engine a cleanly switchable option? Is this laziness, or is it more nefarious?
Everyone is somebody else's weirdo.
(Score: 4, Interesting) by Geezer on Monday October 16 2017, @09:40AM (1 child)
Making sure things like DRM and "customer experience research" always work could certainly be described as nefarious. Intel has long been Microsoft's hardware bitch.
(Score: 0) by Anonymous Coward on Tuesday October 17 2017, @04:22AM
ref provided https://en.wikipedia.org/wiki/Wintel [wikipedia.org]
(Score: 5, Informative) by pkrasimirov on Monday October 16 2017, @11:15AM
> Is this laziness, or is it more nefarious?
It is more nefarious.
(Score: 3, Insightful) by sjames on Monday October 16 2017, @03:34PM
Better yet, remote management alone is a good thing. Why couldn't they stick to BMCs that have control over power, reset, and the serial port, can present a virtual DVD drive on USB, and NOTHING else?
(Score: 5, Informative) by RamiK on Monday October 16 2017, @10:23AM
Get yourself a CH341A instead. Cheaper and safer since you want a real-time clock doing the R/W which the Pi can't guarantee.
As an additional side note, some EEPROMs are 1.8V Vcc and high logic, so pushing 3.3V down their lanes is dangerous even for the first probing operation. For those you'll need a relatively expensive TL866CS and its respective 1.8V adapter module (~$40).
I guess the only caveat with the CH341A is the incomplete Linux software compared to the Windows software. But I doubt the Pi is doing any better.