CODEBLUE2004-I-Skochinsky-Intel-ME-Secrets.pdf

8/10/2019 CODEBLUE2004-I-Skochinsky-Intel-ME-Secrets.pdf

http://slidepdf.com/reader/full/codeblue2004-i-skochinsky-intel-me-secretspdf 1/50

Intel ME SecretsHidden code in your chipset and how to discover what exactly it does

Igor SkochinskyHex-Rays

CODE BLUE 2014Tokyo



2c! 2014 Igor Skochinsky

OutlineOutline

High-"e#e" o#er#ie$ o% &he 'ELo$-"e#e" (e&ai"s

'E sec)ri&y an( a&&acks

Dyna*ic +,,"ica&ion Loa(er

Res)"&s)&)re $ork



.c! 2014 Igor Skochinsky

About myself

/as in&eres&e( in so%&$are re#erse engineering %or aro)n(1 years

Long&i*e ID+ )ser

/orking %or Hex-Rays since 200

He",ing (e#e"o, ID+ an( &he (eco*,i"er a"so (oing&echnica" s),,or& &rainings e&c3!

Ha#e an in&eres& in e*e((e( hacking e3g3 5in("e SonyRea(er!

Recen&"y %oc)sing on "o$-"e#e" 6C research BIOS UEI'E!

'o(era&or o% re((i&3co*7r7Re#erseEngineering7

http://www.reddit.com/r/ReverseEngineering/

http://www.reddit.com/r/ReverseEngineering/


http://slidepdf.com/reader/full/codeblue2004-i-skochinsky-intel-me-secretspdf 4/504c! 2014 Igor Skochinsky

ME: Highlevel overview

'anage*en& Engine or 'anageai"i&y Engine! is a(e(ica&e( *icrocon&ro""er on a"" recen& In&e" ,"a&%or*s

In %irs& #ersions i& $as inc")(e( in &he ne&$ork car( "a&er*o#e( in&o &he chi,se& 8'CH &hen 6CH &hen 'CH!

Shares %"ash $i&h &he BIOS )& is co*,"e&e"y in(e,en(en&%ro* &he *ain C6U

Can e ac&i#e e#en $hen &he sys&e* is hierna&ing or&)rne( o%% )& connec&e( &o *ains!

Has a (e(ica&e( connec&ion &o &he ne&$ork in&er%ace9 canin&erce,& or sen( any (a&a $i&ho)& *ain C6U:s kno$"e(ge




Cre(i&; In&e" 200<


http://slidepdf.com/reader/full/codeblue2004-i-skochinsky-intel-me-secretspdf 6/50=c! 2014 Igor Skochinsky


Co**)nica&ing $i&h &he Hos& OS an( ne&$ork

HECI 'EI!; Hos& E*e((e( Con&ro""er In&er%ace9co**)nica&ion )sing a 6CI *e*ory-*a,,e( area

>e&$ork ,ro&oco" is SO+6 ase(9 can e ,"ain HTT6 orHTT6S


http://slidepdf.com/reader/full/codeblue2004-i-skochinsky-intel-me-secretspdf 7/50?c! 2014 Igor Skochinsky


So*e o% &he 'E co*,onen&s

+c&i#e 'anage*en& Techno"ogy +'T!; re*o&econ%ig)ra&ion a(*inis&ra&ion ,ro#isioning re,air 5@'

Sys&e* De%ense; "o$es&-"e#e" %ire$a""7,acke& %i"&er $i&h

c)s&o*iAa"e r)"esIDE Re(irec&ion IDE-R! an( Seria"-O#er-L+> SOL!; oo&%ro* a re*o&e CD7HDD i*age &o %ix non-oo&a"e orin%ec&e( OS an( con&ro" &he 6C conso"e

I(en&i&y 6ro&ec&ion; e*e((e( one-&i*e ,ass$or( OT6!&oken %or &$o-%ac&or a)&hen&ica&ion

6ro&ec&e( Transac&ion Dis,"ay; sec)re 6I> en&ry no&#isi"e &o &he hos& so%&$are




In&e" +n&i-The%&

6C can e "ocke( or (isa"e( i% i& %ai"s &o check-in $i&h &here*o&e ser#er a& so*e ,re(e%ine( in&er#a"9 i% &he ser#ersigna"s &ha& &he 6C is *arke( as s&o"en9 or on (e"i#ery o% a

,oison ,i""6oison ,i"" can e sen& as an S'S i% a .8 connec&ion isa#ai"a"e

Can no&i%y (isk encry,&ion so%&$are &o erase HDDencry,&ion keys

Reac&i#a&ion is ,ossi"e )sing ,re#io)s"y se& ), reco#ery,ass$or( or y )sing one-&i*e ,ass$or(






ME: !owlevel details

So)rces o% in%or*a&ion

In&e":s $hi&e,a,ers an( o&her ,)"ica&ions e3g3 ,a&en&s!

In&e":s o%%icia" (ri#ers an( so%&$are

HECI (ri#er *anage*en& ser#ices )&i"i&ies

+'T SD5 co(e sa*,"esLin)x (ri#ers an( s),,or&ing so%&$are9 coreoo&

BIOS ),(a&es %or oar(s on In&e" chi,se&s

E#en &ho)gh 'E %ir*$are is )s)a""y no& ),(a&ea"e

)sing nor*a" *eans i&:s co**on"y s&i"" inc")(e( in&he BIOS i*age

So*e&i*es se,ara&e 'E %ir*$are ),(a&es area#ai"a"e &oo




ME firmware "its

So)rces o% in%or*a&ion

In&e":s 'E ir*$are ki&s are no& s),,ose( &o e (is&ri)&e(&o en( )sers

Ho$e#er *any #en(ors s&i"" ,)& ), &he $ho"e ,ackageins&ea( o% )s& &he (ri#ers

or %orge& &o (isa"e &he T6 "is&ing

/i&h a %e$ ,icke( key$or(syo) can %in( &he goo( s&)%% ;!




Intel #S$

In&e" ir*$are S),,or& 6ackage $as re"ease( in 201.Lo$-"e#e" ini&ia"iAa&ion co(e %ro* In&e" %or %ir*$are $ri&ers

ree"y (o$n"oa(a"e %ro* In&e":s si&e

The ,ackage %or H'?=7'?? inc")(es 'E %ir*$are &oo"s

an( (oc)*en&a&ion

h&&,;77$$$3in&e"3co*7con&en&7$$$7)s7en7in&e""igen&-sys&e*s7in&e"-%ir*$are-s),,or&-,ackage7in&e"-%s,-o#er#ie$

Doc)*en&a&ion s&i"" con&ainscon%i(en&ia" *arkings ;!

http://www.intel.com/content/www/us/en/intelligent-systems/intel-firmware-support-package/intel-fsp-overview

http://www.intel.com/content/www/us/en/intelligent-systems/intel-firmware-support-package/intel-fsp-overview



1.c! 2014 Igor Skochinsky

S$I flash layout

The S6I %"ash is share( e&$een BIOS'E an( 8E

or sec)ri&y BIOS an( OS! sho)"( no&ha#e access &o 'E region

The chi,se& en%orces &his )singin%or*a&ion in &he Descri,&or region

The Descri,&or region *)s& e a& &he"o$es& a((ress o% &he %"ash an( con&aina((resses an( siAes o% o&her regions

as $e"" as &heir *)&)a" access,er*issions3




ME region layout

'E region i&se"% is no& *ono"i&hic

I& consis&s o% se#era" ,ar&i&ions an( &he &a"e a& &he s&ar&(escries &he*




ME code partition

Co(e ,ar&i&ions ha#e a hea(er ca""e( *ani%es&

I& con&ains #ersioning in%o n)*er o% co(e *o()"es*o()"e hea(er an( an RS+ signa&)re



1=c! 2014 Igor Skochinsky

ME core evolution

I& see*s &here ha#e een &$o genera&ions o% &he*icrocon&ro""er core an( corres,on(ing changes in%ir*$are "ayo)&

o""o$ing (isc)ssion co#ers *os&"y 8en 2; In&e" Seriesaka Iex 6eak! an( "a&er chi,se&s

8en 1 8en 2

'E #ersions 13x-3x =3x-<3xCore +RCTangen&-+4 +RC =00!

Ins&r)c&ion se& +RC .2-i&! +RCo*,ac& .271=!

'ani%es& &ag F'+> F'>2

'o()"e hea(er &ag F'OD F''E

Co(e co*,ression >one LG'+ >one LG'+ H)%%*an







1<c! 2014 Igor Skochinsky

ME: %OM &ypass

+,,aren&"y &he ,re-re"ease har($are a""o$s &o o#erri(e

&he on-chi, RO' an( oo& )sing co(e in %"ash ins&ea(This is )se( &o $ork aro)n( )gs in ear"y si"icon






ME: %OM &ypass

By "ooking a& &he co(e in &he RO'B region &he inner$orkings o% &he oo& RO' $ere (isco#ere(

The oo& RO' ex,oses %or o&her *o()"es;

co**on C %)nc&ions *e*c,y *e*se& s&rc,y e&c3!

Threa(K RTOS ro)&inesLo$-"e#e" har($are access +6Is

I& (oes asic har($are ini&

I& #eri%ies signa&)re o% &he T6R ,ar&i&ion "oa(s &he BU6*o()"e an( )*,s &o i&

Un%or&)na&e"y BU6 an( 5ER>EL e*,"oy H)%%*anco*,ression $i&h )nkno$n (ic&ionary so &heir co(e is no&a#ai"a"e %or ana"ysis ;




ME: Security and attac"s




ME: Security

'E inc")(es n)*ero)s sec)ri&y %ea&)res

Co(e signing; a"" co(e &ha& is s),,ose( &o e r)nning on &he'E is signe( $i&h RS+ an( is checke( y &he oo& RO'

'D)ring &he (esign ,hase a ir*$are Signing 5ey /S5! ,)"ic7,ri#a&e ,air isgenera&e( a& a sec)re In&e" Loca&ion )sing &he In&e" Co(e Signing Sys&e*3 The6ri#a&e /S5 is s&ore( sec)re"y an( con%i(en&ia""y y In&e"3 In&e" +'T RO'

inc")(es a SH+-1 Hash o% &he ,)"ic key ase( on RS+ 204 i& *o()")s%ixe(3 Each a,,ro#e( ,ro()c&ion %ir*$are i*age is (igi&a""y signe( y In&e" $i&h&he ,ri#a&e /S53 The ,)"ic /S5 an( &he (igi&a" signa&)re are a,,en(e( &o&he %ir*$are i*age *ani%es&3

+& r)n&i*e a sec)re oo& se)ence is acco*,"ishe( y *eans o% &he oo& RO'#eri%ying &ha& &he ,)"ic /S5 on "ash is #a"i( ase( on &he hash #a")e inRO'3 The RO' #a"i(a&es &he %ir*$are i*age &ha& corres,on(s &o &he *ani%es&Ms

(igi&a" signa&)re &hro)gh &he )se o% &he ,)"ic /S5 an( i% s)ccess%)" &hesys&e* con&in)es &o oo& %ro* "ash co(e3(

ro* +rchi&ec&)re 8)i(e; In&e"N +c&i#e 'anage*en& Techno"ogy 200<




ME: )nified Memory Architecture *)MA+ region

'E re)ires so*e R+' U'+! &o ,)& )n,acke( co(e an(

r)n&i*e #aria"es 'CU:s o$n *e*ory is &oo "i*i&e( an(s"o$!

This *e*ory is reser#e( y BIOS on 'E:s re)es& an(canno& e accesse( y &he hos& C6U once "ocke(3

+ *e*ory re*a,,ing a&&ack $as (e*ons&ra&e( y

In#isi"e Things La in 200< )& i& (oesn:& $ork on ne$erchi,se&s

Co"( oo& a&&ack *igh& e ,ossi"e &ho)gh333




ME: attac"ing )MA

I (eci(e( &o &ry an( ()*, &he U'+ region since i&con&ains )n,acke( H)%%*an co(e an( r)n&i*e (a&a

I(ea 1; si*,"y (isa"e &he co(e $hich se&s &he 'ESE8"ock i& in &he BIOS

Pso*e &i*e s,en& re#ersing *e*ory ini& ro)&ines333Q

6a&che( o)& &he co(e $hich se&s &he "ock i&

U,(a&e( necessary checks)*s in &he UEI #o")*e

Re%"ashe( &he %ir*$are an( reoo&e(

Res)"&; (ea( oar(

8oo( &hing I ha( ano&her oar( an( co)"( res&ore &he o"(%ir*$are )sing ho&s$a, %"ashing333




ME: attac"ing )MA

I(ea 2; co"( oo& a&&ack)ick"y s$a, &he DR+' s&icks so &ha& U'+ con&en&re*ains in *e*ory

Un%or&)na&e"y ()*,e( *e*ory con&ains on"y garage333

irs& Boo&; Le& 'E

)n,ack co(e in&o U'+

Secon( oo&; a%&er s$a,,ingO"( U'+ sho)"( e accessi"e



2?c! 2014 Igor Skochinsky

ME: attac"ing )MA

Trie( "o$er-s,ee( *e*ory (i( no& he",Bo)gh& ,ro%essiona" gra(e %reeAing s,ray (i( no& he",

E#en&)a""y (isco#ere( &ha& DDR. )se( in *y oar( cane*,"oy *e*ory scra*"ing

'The *e*ory con&ro""er incor,ora&es a DDR. Da&aScra*"ing %ea&)re &o *ini*iAe &he i*,ac& o% excessi#e (i7(&on &he ,"a&%or* DDR. @Rs ()e &o s)ccessi#e 1s an( 0s on&he (a&a )s3 P333Q +s a res)"& &he *e*ory con&ro""er )ses a(a&a scra*"ing %ea&)re &o crea&e ,se)(o-ran(o* ,a&&erns on&he DDR. (a&a )s &o re()ce &he i*,ac& o% any excessi#e

(i7(&3(

%ro* In&e" Cor,ora&ion Desk&o, .r( 8enera&ion In&e"N Core 6rocessora*i"y Desk&o, In&e"N 6en&i)*N 6rocessor a*i"y an( Desk&o, In&e"NCe"eronN 6rocessor a*i"y Da&ashee&!




ME: attac"ing )MA

I(ea .; )se (i%%eren& U'+ siAes across oo&sThe re)ire( U'+ siAe is a %ie"( in &he 6T

The 6T is ,ro&ec&e( on"y y checks)* no& signa&)re so i&:s easy &o change

I(ea;1! "ash 6T &ha& re)es&s .2'B reoo&3 BIOS $i"" reser#e &o,.2'B )& 'E $i"" )se on"y 1='B2! "ash 6T &ha& re)es&s 1='B reoo&3 BIOS $i"" reser#e &o,1='B so ,re#io)s"y )se( 1='B $i"" e accessi"e again

Un%or&)na&e"y go& garage again3 I& see*s &ha& *e*ory isreini&ia"iAe( $i&h (i%%eren& scra*"ing see( e&$een oo&s3





.0c! 2014 Igor Skochinsky

ME: attac"ing )MA

I(ea ; I s&i"" ha( so*e i(eas &o &ry )& &hey re)ire *ore &i*e an(e%%or&

So I s&ar&e( in#es&iga&ing co(e )sing o&her a,,roaches

or exa*,"e333




Server $latform Services

On In&e":s ser#er oar(s 'E is ,resen& &ooHo$e#er i& r)ns a (i%%eren& kin( o% %ir*$are

I&:s ca""e( Ser#er 6"a&%or* Ser#ices S6S!

I& has a re()ce( se& o% *o()"es ho$e#er i& (oes inc")(e

BU6 an( 5ER>EL8oo( ne$s 1; BU6 *o()"e is no& co*,resse(

5ER>EL is H)%%*an co*,resse( )&333

8oo( ne$s 2; a"" "ocks )se &ri#ia" co*,ression i3e3 noco*,ression!

So I no$ can in#es&iga&e ho$ &hese &$o *o()"es $ork

There are ,roa"y (i%%erences %ro* (esk&o, )& i&:s a s&ar&

,OM " -A




,OM a"a -A!

JO' is a *o()"e $hich a,,eare( in 'E ?31I& i*,"e*en&s $ha& In&e" ca""s Dyna*ic +,,"ica&ion Loa(erD+L!

I& a""o$s &o ),"oa( an( r)n a,,"ica&ions a,,"e&s! insi(e 'E(yna*ica""y

This %ea&)re is )se( &o i*,"e*en& In&e" I(en&i&y 6ro&ec&ionTechno"ogy In&e" I6T!

In &heory i& a""o$s a *)ch easier $ay %or r)nning c)s&o*co(e on &he 'E

Le&:s ha#e a "ook a& ho$ i&:s i*,"e*en&e(333

,OM " -A!



..c! 2014 Igor Skochinsky

,OM a"a -A!

So*e in&eres&ing s&rings %ro* &he inary;

Looks "ike Ja#a

Could not allocate an instance ofjava.lang.OutOfMemoryErrorlinkerInternalCheckFile: JEFF format version notsupportedcom.intel.cryptocom.trustedlogic.isditarting !M erver...

,OM " -A!




,OM a"a -A!

+,,aren&"y i&:s a Ja#a @' i*,"e*en&a&ion

In In&e" 'E (ri#ers &here is a %i"e oa&h3(a", $i&h a Base=4"o

+%&er (eco(ing a %a*i"iar *ani%es& hea(er a,,ears

I& has a s"igh&"y (i%%eren& *o()"e hea(er %or*a& an( a sing"e

*o()"e na*e( 'e(a" +,,The *o()"e con&ains a ch)nk $i&h signa&)re JE $hichis *en&ione( in &he s&rings o% JO'

S&rings in &his JE ch)nk a"so ,oin& &o i& eing Ja#a co(e

Ho$e#er &he o,co(e #a")es "ook (i%%eren& %ro* nor*a" Ja#aI $as so s)re i&:s a c)s&o* %or*a& I s,en& )i&e a "o& o% &i*ere#ersing i& %ro* scra&ch

,OM " -A!




,OM a"a -A!

There $as one s&ring in &he *o()"e333

There is no s)ch ins&r)c&ion in s&an(ar( Ja#a3 Le&:s &ry8oog"e333

.ascii "Invalid constant offset in the #$C instruction"

,E## #ile #ormat



.=c! 2014 Igor Skochinsky

,E## #ile #ormat

T)rns o)& &he JE %or*a& is a s&an(ar(

/as ,ro,ose( in 2001 y &he no$-(e%)nc& J Consor&i)*

Has een a(o,&e( as an ISO s&an(ar( ISO7IEC 20<?0!

Dra%& s,eci%ica&ion is s&i"" a#ai"a"e in a %e$ ,"aces

O,&i*iAe( %or e*e((e( a,,"ica&ions

Co*ines se#era" c"asses in one %i"e in a %or* $hich isrea(y %or exec)&ion

Share( cons&an& ,oo" a"so re()ces siAe

In&ro()ces se#era" ne$ o,co(es

S),,or&s na&i#e *e&ho(s (e%ine( y &he i*,"e*en&a&ion

,E## #ile #ormat



.?c! 2014 Igor Skochinsky

,E## #ile #ormat

I *a(e a ()*,er7(isasse*"er in 6y&hon ase( on &he s,ec

D)*,e( co(e in oa&h3(a", an( &he in&erna" JE in &he%ir*$are

>o o%)sca&ion $as )se( y In&e" $hich is nice

'os& asic Ja#a c"asses are i*,"e*en&e( in y&eco(e $i&h

a %e$ na&i#e he",ersThere are c"asses %or;

Cry,&ogra,hy

UI e"e*en&s (ia"ogs )&&ons "ae"s e&c3!

"ash s&orage accessI*,"e*en&ing "oa(a"e a,,"e&s

,E## #ile #ormat




,E## #ile #ormat

rag*en& o% a c"ass i*,"e*en&a&ion $i&ho)& y&eco(e!Class com.intel.util.Intel%pplet

private: &' ()(C '& *oolean m+invokeCommandIn,rocess- &' ()(( '& Outputuffer!ie/ m+outputuffer- &' ()($ '& *oolean m+outputuffer0oomall- &' ()(1 '& Output!alue!ie/ m+output!alue- &' ()(2 '& *yte34 m+sessionId-pu*lic:

void 5init678- final int get9esponseufferie78- final int getessionId7*yte34; int8- final int getessionId#ength78- final tring get<<I$78- final a*stract int invokeCommand7int; *yte348- int onClose78- final void onCloseession78-

final int onCommand7int; Command,arameters8- int onInit7*yte348- final int onOpenession7Command,arameters8- final void send%synchMessage7*yte34; int; int8- final void set9esponse7*yte34; int; int8- final void set9esponseCode7int8-



I$. applets




I$. applets

Un%or&)na&e"y e#en i% I crea&e *y o$n a,,"e&s I can:& r)n&he* insi(e 'E

+,,"e& inaries ha#e a signe( *ani%es& hea(er an( are#eri%ie( e%ore r)nning

S&i"" &here *ay e #)"nerai"i&ies in &he ,ro&oco" $hich is

,re&&y co*,"ica&e(Le&:s ha#e a "ook a& ho$ i& $orks333

I$. communication




I$. communication

In&e" ,ro#i(es se#era" DLLs $i&h high-"e#e" +6Is $hich are)sa"e %ro* C7C Ja#a or 3>ET a,,"ica&ions

These DLLs sen( re)es&s &o &he JHI ser#ice )sing CO' orTC67I6 (e,en(ing on &he (ri#er #ersion!

The ser#ice seria"iAes re)es&s an( sen(s &he* o#er

HECI7'EI &o &he 'E'E (is,a&ches &he re)es&s &o JO'

JO' ,arses &he re)es&s an( ,asses &he* &o &he a,,"e&

Re,"y )n(ergoes &he o,,osi&e con#ersion an( is e#en&)a""y

sen& ack &o &he a,,"ica&ionBeca)se ari&rary )%%ers can e sen& an( recei#e( &here isa ,o&en&ia" %or o)&-o%-o)n(s *e*ory rea( or $ri&e

.rusted Execution Environment





ro* &he s&rings insi(e JO' i&:s a,,aren& &ha& In&e" is )singa Tr)s&e( Exec)&ion En#iron*en& TEE! ,ro#i(e( y Tr)s&e(Logic 'oi"i&y no$ Tr)s&onic! ca""e( Tr)s&e( o)n(a&ions

So)rce;Tr)s&e( o)n(a&ions %"yer






Tr)s&e( o)n(a&ions is a"so )se( in se#era" s*ar&,hones

I*,"e*en&e( &here )sing +R':s Tr)s&Gone

D)e &o 86L so)rce co(e o% (ri#ers $hich co**)nica&e $i&hTr)s&e( o)n(a&ions is *a(e a#ai"a"e

The ,ro&oco" is no& &he sa*e as $ha& In&e" )ses

or exa*,"e Tr)s&Gone co**)nica&ions e*,"oy share(*e*ory $hi"e 'E7JO' on"y &a"ks o#er HECI7'EI

S&i"" &here are so*e co**on ,ar&s so i& he",s in re#erseengineering






There is a TEE s,eci%ica&ion re"ease( y &he 8"oa"6"a&%or*associa&ion Tr)s&e( Logic 'oi"i"&y7Tr)s&onic is a *e*er!

Descries o#era"" archi&ec&)re c"ien& +6I an( in&erna" +6I%or ser#ices r)nning insi(e TEE!

+gain i& (oes no& exac&"y *a&ch $ha& r)ns in &he 'E )& is

s&i"" a )se%)" re%erence

h&&,;77$$$3g"oa","a&%or*3org7s,eci%ica&ions(e#ice3as,

http://www.globalplatform.org/specificationsdevice.asp

http://www.globalplatform.org/specificationsdevice.asp



#uture wor"




Dyna*ic +,,"ica&ion Loa(er

'ake a JE &o 3c"ass con#er&er or *aye a (irec& JE(eco*,i"er

Re#erse an( (oc)*en& &he hos& co**)nica&ion ,ro&oco"

Lin)x I6T c"ien&

ES ,arsing an( *o(i%ying'os& o% &he 'E s&a&e is s&ore( &here

I% $e can *o(i%y %"ash $e can *o(i%y ES

Cri&ica" #aria"es are ,ro&ec&e( %ro* &a*,ering )& &he

*aori&y isn:&Co*,"ica&e( %or*a& eca)se o% %"ash $ear "e#e"ing

#uture wor"



4?c! 2014 Igor Skochinsky

H)%%*an co*,ression

Use( in ne$er %ir*$ares %or co*,ressing &he kerne" an(so*e o&her *o()"es

+,,aren&"y &he (ic&ionary is har(co(e( in si"icon

D)*,ing &he U'+ sho)"( he", reco#er i&

There is s&i"" so*e ho,e in &ha& area

'E Hos& ,ro&oco"s'os& *o()"es )se (i%%eren& *essage %or*a&

+ "o& o% )n(oc)*en&e( *essages9 so*e *o()"es see* &oe no& *en&ione( any$here

So*e c"ien& so%&$are has #ery #erose (e)gging*essages in &heir inaries333

+n&i-The%& is a goo( &arge&

#uture wor"




BIOS RE

In ear"y oo& s&ages 'E acce,&s so*e &hings $hich areno& ,ossi"e "a&er

Re#ersing BIOS *o()"es &ha& &a"k &o 'E is a goo( so)rceo% in%o

So*e *essages can e sen& on"y ()ring BIOS oo&

UEIToo" y >iko"a Sch"e he",s in e(i&ing UEI i*agesh&&,s;77gi&h)3co*7>iko"aSch"e7UEIToo"

Coreoo& has s),,or& %or 'E on so*e oar(s

Si*)"a&ion an( %)AAing

O,en @ir&)a" 6"a&%or* $$$3o#,$or"(3org! has *o()"es%or +RC=00 an( +RC?00 +RCo*,ac&-ase(!

S),,ose("y easy &o ex&en( &o e*)"a&e c)s&o* har($are

De)gging an( %)AAing sho)"( e ,ossi"e

%eferences and lin"s

https://github.com/NikolajSchlej/UEFITool

http://www.ovpworld.org/

http://www.ovpworld.org/

https://github.com/NikolajSchlej/UEFITool



4<c! 2014 Igor Skochinsky

h&&,;77so%&$are3in&e"3co*7en-)s7ar&ic"es7archi&ec&)re-g)i(e-in&e"-ac&i#e-*anage*en&-&echno"ogy7h&&,;77so%&$are3in&e"3co*7si&es7*anageai"i&y7+'TVI*,"e*en&a&ionVan(VRe%erenceV8)i(e7

h&&,;77&hein#isi"e&hings3"ogs,o&3co*7200<707#egas-&oys-,ar&-i-ring-.-&oo"s3h&*"

h&&,;77(o$n"oa(3in&e"3co*7&echno"ogy7i&72007#12i47,a,erP1-10Q3,(%

h&&,;77$e3i&3k&h3se7W*ag)ire7DE8REE-6ROJECT-RE6ORTS7100402-@assi"iosV@er#eris-$i&h-co#er3,(%

h&&,;77$$$3s&e$in3org7,a,ers7(i*#a,1-s&e$in3,(%

h&&,;77$$$3s&e$in3org7&echre,or&s7,s&e$inVs,ring20113,(%

h&&,;77$$$3s&e$in3org7s"i(es7,s&e$in-S6RI>8=-E#a")a&ingRing-.Roo&ki&s3,(%

h&&,;77%"ashro*3org7&rac7%"ashro*7ro$ser7&r)nk7Doc)*en&a&ion7*ys&eriesVin&e"3&x&

h&&,;77re#ie$3coreoo&3org7gi&$e,Xcoreoo&3gi&9aX"o9%Xsrc7so)&hri(ge7in&e"7(2x=x7*e3c

h&&,;77(o$n"oa(3in&e"3co*7&echno"ogy7,ro()c&7DC'I7DC'I-HIV1V03,(%

h&&,;77*e3ios3io7h&&,;77$$$3)er$a""3org7in7(o$n"oa(7(o$n"oa(71027"acon12Vin&e"Va*&3,(%

.han" you/

http://software.intel.com/en-us/articles/architecture-guide-intel-active-management-technology/

http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/

http://theinvisiblethings.blogspot.com/2009/08/vegas-toys-part-i-ring-3-tools.html

http://download.intel.com/technology/itj/2008/v12i4/paper%5B1-10%5D.pdf

http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf

http://www.stewin.org/papers/dimvap15-stewin.pdf

http://www.stewin.org/techreports/pstewin_spring2011.pdf

http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf

http://flashrom.org/trac/flashrom/browser/trunk/Documentation/mysteries_intel.txt

http://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=src/southbridge/intel/bd82x6x/me.c

http://download.intel.com/technology/product/DCMI/DCMI-HI_1_0.pdf

http://me.bios.io/

http://www.uberwall.org/bin/download/download/102/lacon12_intel_amt.pdf

http://www.uberwall.org/bin/download/download/102/lacon12_intel_amt.pdf

http://me.bios.io/

http://download.intel.com/technology/product/DCMI/DCMI-HI_1_0.pdf

http://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=src/southbridge/intel/bd82x6x/me.c

http://flashrom.org/trac/flashrom/browser/trunk/Documentation/mysteries_intel.txt

http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf

http://www.stewin.org/techreports/pstewin_spring2011.pdf

http://www.stewin.org/papers/dimvap15-stewin.pdf

http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf

http://download.intel.com/technology/itj/2008/v12i4/paper%5B1-10%5D.pdf

http://theinvisiblethings.blogspot.com/2009/08/vegas-toys-part-i-ring-3-tools.html

http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/

http://software.intel.com/en-us/articles/architecture-guide-intel-active-management-technology/




0uestions1

igor2hexrays3coms"ochins"y2gmail3com

mailto:[email protected]




Documents

CODEBLUE2004-I-Skochinsky-Intel-ME-Secrets.pdf