It is actually a scandal that the world depends on chips and operating systems – that are designed to do mass-surveillance – it seems – in order to build up a world-wide-dictatorship that no-one can escape… by information and money.
„The Intel Management Engine (Intel ME) refers to the hardware features that operate at the baseboard level, below the operating system. By enabling interaction with low-level hardware, Intel gives administrators the ability to perform tasks that previously required someone to be physically present at the desktop.“ (src: http://www.tomshardware.com/reviews/vpro-amt-management-kvm,3003-6.html)
But why do they not give you the documentation and the manual – to use and utilize this supreme cool feature they build into your computer?
Because you are not meant to use it. I have NEVER seen an Administrator using it.
Intel’s ME is deeply integrated in the chipset, or SoC.
In computers with Intel processors, the so-called Management Engine (ME) is using undocumented functions;
to remove the encrypted Firmware, there are now Tools for brave hobbyists.
The Italian programmer Nicola Corna has the Tool me_cleaner developed a proprietary and encrypted (see Update 2) Firmware of the Intel Management Engine (ME) BIOS Images removed.
It is, ultimately, a Python script, which some of the so-called Firmware-partitions of the modular (UEFI)BIOS clears simply or overrides. Then fit me_cleaner the Firmware Partition Table (FPT) of the BIOS Images to the System BIOS Code at all to load and to re-boot.
The aim of the campaign is to prevent the execution of the ME, or to block at least their communication and interfaces, for example, by the network Stack is removed from the BIOS Code.
Indeed, there are significant concerns about the undocumented functionality of the ME, which is, in principle, be able to all of the data of an ongoing computer access.
Nicola Corna expressly points out that the me_cleaner can lead to total failure of a treated computer and many unknown effects on the PC-operation possible.
So, for example, on the Hand, the ME Firmware without a network Stack can provide remote maintenance via Ethernet.
[Update 2:] it was here that the Removal of the ME-network Firmware via Ethernet via PXE blocked, but this Boot Code has nothing to do with the ME Firmware to do.
me_cleaner away, but probably also the Basis of the Protected Audio/Video Path (PAVP), which is likely to undermine on Windows computers DRM-systems, the commercial Streaming services such as Netflix or Amazon Prime Video.
Finally, Trusted Platform Modules according to the fTPM 2.0 should not work – Microsoft BitLocker may be in turn.
However, for people running Windows systems with proprietary Code, the shutdown of the ME is in any case little sense. (in terms of privacy and security)
Since the full functionality of the ME undocumented, but also has an impact on power consumption and stability of the computer possible – and also on how feedback brave hobbyists on the GITHub page of the project me_cleaner documents.
Use of the me_cleaner is some prior knowledge and special Hardware required: With an external programming adapter for SPI(NOR)Flash Chips, you have to at first, the BIOS Code or the BIOS Image from the memory chip (Notebook)motherboard extract. Then, to edit a copy of the BIOS Image on another System with the me_cleaner to write it again with the programming adapter in the Chip.
[Update:] Of course, you can edit the BIOS-Image is also of a suitable BIOS Update file to extract for each Computer, with me_cleaner and then with a Flash Tool under DOS, Linux, or Windows in the Chip to write or in many BIOS Setups the built-in Flash Tools. However, many manufacturer-specific Flash-Tool checks the BIOS Image before Writing, universal Tools work on every System.And if the computer with the me_cleaner edited the BIOS-no more boot Image, you need a device with an external programmer.
Quite frankly, Nicola Corna explained that there is of course no proof of this, that can give me_cleaner binds the function to the ME. He developed me_cleaner on the Basis of new findings of inventors such as Trammell Hudson and Igor Skochinsky more and also hopes for feedback from volunteer testers. On systems with Intel Boot Guard works me_cleaner not, because the execution of unsigned Firmware to prevent.
The ME consists of a micro controller, which is part of the chipset or CPU SoCs, as well as the compressed and encrypted ME Firmware that’s in the BIOS Code Image.
Image: Intel Ultimately, it is up to Intel, finally, the function and the Code of ME to disclose, in order to strengthen the cracked confidence in their own processors and platforms.
[Update 3:] The ME Firmware is signed and compressed, but not in the real sense in an encrypted form, For parts of the code uses Intel conventional LZMA compression, a proprietary (Huffman)coding, in the corresponding dictionary, but in the chip-set is stored. In April 2015 there is a decompressor for ME Firmware up to the Haswell Generation (ME versions 6 to 10). With Skylake (ME Version 11) has Intel switched for ME to a different micro controller than the previously used ARC-core.
- Speculation about secret backdoors in Intel chipsets
- Free Software Foundation criticized for AMD and Intel
- BSI warns of risk in the case of Intel’s remote maintenance technology AMT
Non-free service access
- Although iAMT may be included for free in devices sold to the public and to small businesses, the full capabilities of iAMT, including encrypted remote access via a public key certificate and automatic remote device provisioning of unconfigured iAMT clients, are not accessible for free to the general public or to the direct owners of iAMT equipped devices. iAMT cannot be fully utilized to its maximum potential without purchasing additional software or management services from Intel or another 3rd party independent software vendor (ISV) or value added reseller (VAR).
Intel itself provides a developer’s toolkit software package which allows basic access to iAMT, but is not intended to be normally used to access the technology. Only basic modes of access are supported, without full access to the encrypted communications of the complete purchased management system.
- The „Management Engine“ in Intel chipsets
- German authorities it gets out of control over critical IT systems
- Innovation Engine complements the Management Engine (ME)
- Libiquity Taurinus X200: Linux Notebook without Intel’s Management Engine
- POWER8 Workstation with open Firmware and Linux
- AMD Platform Security Processor (PSP)
- Core boot developers recommend TPM for secure booting
auto-translated by: https://translate.yandex.com/translate