Tool for partial deblobbing of Intel ME/TXE firmware images - How does it work?

The official HECI method for disabling Intel ME

The HAP disabling method: a more secure option

Published: 02 Jun 2022

Leaked data reveals Conti ransomware operators were exploring attacks on Intel Management Engine -- or Intel ME -- and CSME, according to new research from Eclypsium.

me_cleaner supports two ways to disable Intel ME:

by removing the non-fundamental partitions and modules from the Intel ME firmware
by setting the HAP (Intel ME >= 11) or the AltMeDisable (Intel ME < 11) bit in the flash descriptor

Nice diagram with ring [ME = (-4) & (-3) ring] p.5

Heavily patent document with drawings, charts and tech Info about ME (referred as CSME)

The purpose of this white paper is to describe the security design and implementation of Intel ® CSME 14.0 (Comet Lake), Intel ® CSME 15.0 (Tiger Lake) and Intel ® CSME 16.0 (Alder Lake) and its role in the platform.

Bookmars/Chapter

Chapter 2: Basics

• definition
• diagram
• 3 main fuctions of ME
  • Silicon Initialization
  • Manageability
  • Security

Chapter 4: ME firmware

• nice diagram of ME rings (ME CPU rings and not the Main CPU rings)
• Description of Firmware Components

The white paper content is based on: “BlackHat 2019 - Behind the Scenes of Intel Security and Manageability Engine”

Presentation Black Hat 2019

Covers ME 12 on Intel 8th and 9th Gen

CSME=ME

• ME system diagram p.5

• ME boot flow + diagram p.9

• isolation from the rest

• Roles (what ME is for)

• ME hardware parts

• OEM decides if boot guard on/off

• ME firmware update

  • Downgrade allowed by Intel only for certain versions
  • Upgrade over the internet

Presentation Material
Video

This document contains information on how to get started with Intel® Active Management Technology (Intel® AMT). It provides an overview of the features, as well as information on minimum system requirements, configuration of an Intel AMT client, tools to use Intel AMT features on a PC, and the developer tools available to help create applications for Intel AMT.

Has Intel AMT Definition

Some of the claims we plan to cover:

• It's a backdoor made for NSA and serves no useful purpose
• It is always on even if the PC is turned off
• It can read all data on PC/spy on the user
• It can't be disabled
• It can lock the PC with a command sent over the air
• It a black box which can't be audited because it's closed source
• End users can't do anything about it.

You can audit it even without source code (and maybe even without reverse engineering).

The firmware size is greatly reduced:
Original Modified
Generation 2 1.5 MiB / 5 MiB 84 KiB
Generation 3 2 MiB / 6.6 MiB 330 KiB

What stuff of ME things are working and what not