Experiments with disabling the ME on Sandybridge x230


Trammell Hudson

Sep 15, 2016, 4:58:49 PM9/15/16
to qubes...@googlegroups.com
Reposting from my note to the coreboot list -- I have determined a
significantly reduced chunk of code required to have the Intel Management
Engine bring up the hardware and then stay in the "ROM Phase" on my
Thinkpad x230. This also allowed me to remove some of the problematic
ME applications. Qubes runs just fine on the machine with these mods.

The only piece that must be present for my x230 to function is the 512 KB
FTPR partition at offset 0x183000, which contains these compressed
modules (some Huffman, some LZMA):

'UPDATE' 000001BE
'ROMP' 0000070A
'BUP' 0000E064
'KERNEL' 00021B62
'POLICY' 00016AE2
'HOSTCOMM' 00006DDB
'RSA' 00005255
'CLS' 00005791
'TDT' 000066E5
'FTCS' 00004680
'ClsPriv' 000003E1
'SESSMGR' 0000E909

This means that the ME no longer has any network stack (stored in the
NFTP partition that has been removed), nor the protected video path
or JCOM modules from the MDMV partition. I do not know if the various
anti-theft and timeout measures are also now neutralized.

If I leave the firmware partition table at offset 0x3000 in place,
the ME faults after bringup (but the system continues to function).
Without the partition table it stays in the ROM phase. I'm not sure if
one outcome is preferable to the other.

Using the Huffman decompression code from http://io.netgarage.org/me/
it is possible to decompress and disassemble the small number of modules
that are still present. There is some code in (on CPU die) ROM that we
can't see, but my guess is that the major parts are here. With the
WP# pin on the SPI flash grounded, the ME can't update itself so we
could at least know that no new code is added after the fact.

--
Trammell
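One way to verify what the post describes on your own SPI dump, as an added example that is not part of the original post or Trammell's tooling: locate the ME firmware partition table (FPT), list the partitions it still references, and flag whether the NFTP (network stack) and MDMV partitions are still present, or whether the table itself is gone (the "stays in the ROM phase" case). It assumes the publicly documented FPT layout (a `$FPT` header holding a 32-bit entry count, followed by 32-byte entries that begin with a 4-byte name, 4-byte owner, 32-bit offset and 32-bit length); the sample images are constructed inline, and the offsets are the raw entry values, not adjusted for the ME region base.

```python
import struct

# Assumed FPT layout (from public ME reverse-engineering notes, not from this post):
#   header: b'$FPT' magic, uint32 entry count, then padding to 32 bytes
#   entry:  4-byte name, 4-byte owner, uint32 offset, uint32 length, 16 bytes of other fields
FPT_MAGIC = b"$FPT"
HEADER_LEN = 32
ENTRY_LEN = 32

# Partitions the post removed; if they are still listed, the strip was incomplete.
UNWANTED = ("NFTP", "MDMV")


def find_fpt(image: bytes):
    """Offset of the '$FPT' header, or None when the table has been removed."""
    idx = image.find(FPT_MAGIC)
    return None if idx < 0 else idx


def parse_fpt(image: bytes) -> dict:
    """Map partition name -> (offset, length) for every entry in the FPT."""
    base = find_fpt(image)
    if base is None:
        return {}
    n_entries = struct.unpack_from("<I", image, base + 4)[0]
    parts = {}
    for i in range(n_entries):
        entry = base + HEADER_LEN + i * ENTRY_LEN
        name, _owner, off, length = struct.unpack_from("<4s4sII", image, entry)
        parts[name.rstrip(b"\x00").decode("ascii", "replace")] = (off, length)
    return parts


def check_image(image: bytes) -> dict:
    """Summarise what the ME region still carries, from a defender's point of view."""
    parts = parse_fpt(image)
    return {
        "fpt_present": bool(parts),              # False means no partition table at all
        "ftpr": parts.get("FTPR"),               # the one partition the post says must stay
        "leftover": [p for p in UNWANTED if p in parts],
    }


def build_sample(entries) -> bytes:
    """Constructed test image: 0x3010 bytes of padding, then an FPT with the given entries."""
    hdr = FPT_MAGIC + struct.pack("<I", len(entries)) + b"\x00" * (HEADER_LEN - 8)
    body = b"".join(struct.pack("<4s4sII", n.encode().ljust(4, b"\x00"), b"\x00" * 4, o, l)
                    + b"\x00" * 16 for n, o, l in entries)
    return b"\xff" * 0x3010 + hdr + body


# Constructed images: an untouched layout (FTPR plus network and MDMV partitions) and a
# stripped one that keeps only the 512 KB FTPR at 0x183000, as in the post.
FULL = build_sample([("FTPR", 0x183000, 0x80000), ("NFTP", 0x203000, 0x100000), ("MDMV", 0x303000, 0x40000)])
STRIPPED = build_sample([("FTPR", 0x183000, 0x80000)])
```

Run `check_image()` over a real flash dump read with an external programmer; an image with `fpt_present` False corresponds to the post's "no partition table, stays in ROM phase" configuration.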