all 15 comments

[–][deleted] 10 insightful - 8 fun (0 children)

It smells like freedom in here

[–]LarrySwinger2[S] 6 insightful - 4 fun (0 children)

I actually did this a while ago, but I was only able to verify it now after switching back to GNU/Linux. The third and second to last lines show it: the original BIOS has 11 partitions and the HAP bit not set, while a dump of the patched BIOS has only the essential partition, and the HAP bit is set. It took some effort and I soft-bricked the system while trying this (bootloop), so it feels great to have finally succeeded.
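The check described above (partition count and HAP bit read from a BIOS dump), as an added example that is not part of the original post or of me_cleaner itself: it walks the flash descriptor to the ME region and its $FPT table using the offsets me_cleaner reads (descriptor signature at 0x10, FLMAP0/FLMAP1 at 0x14/0x18, FREG2 for the ME region, PCHSTRP0 bit 16 for HAP), and builds two constructed images, not real dumps, so it runs offline.

```python
import struct

FD_SIGNATURE = b"\x5a\xa5\xf0\x0f"  # Intel flash descriptor signature at offset 0x10
HAP_BIT = 1 << 16                   # HAP bit in PCHSTRP0 (ME 11 and later)


def inspect_image(img):
    """Return (list of ME partition names, hap_set) for a full flash image."""
    if img[0x10:0x14] != FD_SIGNATURE:
        raise ValueError("no flash descriptor at 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", img, 0x14)
    frba = (flmap0 >> 12) & 0xff0          # flash region base address
    fpsba = (flmap1 >> 12) & 0xff0         # PCH strap base address
    freg2 = struct.unpack_from("<I", img, frba + 8)[0]   # region 2 = ME
    me_start = (freg2 & 0x1fff) << 12
    me_end = (((freg2 >> 16) & 0x1fff) << 12) | 0xfff
    if me_start >= me_end:
        raise ValueError("ME region absent")
    if img[me_start + 0x10:me_start + 0x14] != b"$FPT":
        raise ValueError("no $FPT in ME region")
    count = struct.unpack_from("<I", img, me_start + 0x14)[0]
    names = []
    for i in range(count):                 # 0x20-byte entries start at ME+0x30
        e = me_start + 0x30 + i * 0x20
        names.append(img[e:e + 4].rstrip(b"\x00").decode("ascii"))
    pchstrp0 = struct.unpack_from("<I", img, fpsba)[0]
    return names, bool(pchstrp0 & HAP_BIT)


def build_image(partitions, hap_set):
    """Construct a minimal 16 KiB stand-in image (not a real dump) with the given FPT entries."""
    img = bytearray(0x4000)
    img[0x10:0x14] = FD_SIGNATURE
    struct.pack_into("<II", img, 0x14, 0x04 << 16, 0x10 << 16)  # FRBA=0x40, FPSBA=0x100
    struct.pack_into("<I", img, 0x48, 0x1 | (0x3 << 16))        # ME region 0x1000-0x3fff
    struct.pack_into("<I", img, 0x100, HAP_BIT if hap_set else 0)
    me = 0x1000
    img[me + 0x10:me + 0x14] = b"$FPT"
    struct.pack_into("<I", img, me + 0x14, len(partitions))
    for i, name in enumerate(partitions):
        e = me + 0x30 + i * 0x20
        img[e:e + 4] = name.encode("ascii").ljust(4, b"\x00")
    return bytes(img)


# Constructed samples: an untouched image with 11 partitions and HAP clear,
# and a cleaned one keeping only FTPR with HAP set.
ORIGINAL = build_image(["FTPR", "NFTP", "MFS", "IVBP", "ROMB", "WCOD",
                        "LOCL", "FLOG", "UTOK", "DLMP", "ISHC"], False)
CLEANED = build_image(["FTPR"], True)
```

Run inspect_image() on both constants to see the same two facts the post reads off me_cleaner's output: the partition list shrinks to FTPR and the HAP bit flips to set.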

[–]solder0 5 insightful - 3 fun (7 children)

Nice! Too bad I have an AMD machine, but we'll see what can be done in the future. Wireshark isn't turning up any bad news, so that's good. I'm going to ditch x86 in the future and go with a POWER10 CPU with an FPGA alongside instead.

[–]LarrySwinger2[S] 1 insightful - 1 fun (6 children)

ME and PSP run on a separate chip and things like Wireshark won't detect it phoning home. In fact, nothing will, it's a black box. Although running Wireshark still sounds like a good idea to monitor whether or not your OS is compromised. POWER10 sounds exciting. Hopefully it'll be affordable.

[–]solder0 1 insightful - 1 fun (5 children)

Err, gonna need a HARD SOURCE on that one, otherwise it's FUD by default.

[–]LarrySwinger2[S] 2 insightful - 1 fun (4 children)

Nothing's FUD by default; you need to show that the claims are false. Here's a source:

it can directly access the network interface using a dedicated link for out-of-band communication, thus even if you monitor traffic with a tool like Wireshark or tcpdump you might not necessarily see the data packet sent by Intel ME.

[–]solder0 1 insightful - 1 fun (3 children)

I was looking for something on AMD's PSP.

[–]LarrySwinger2[S] 2 insightful - 1 fun (2 children)

It's the same situation: software on your OS won't detect it because it runs on a separate chip. Here's a source.

[–]solder0 1 insightful - 1 fun (1 child)

Mmm...alright, I'll buy it. It is true that what you can't get at the OS level, you can get at the router level, since that's a critical bottleneck in a network. I'll be sure to get a router that functions transparently, and a very good packet sniffer. It's not a sunk cost mindset or anything, all I can do is adopt a mitigation strategy...and they do work.

[–]LarrySwinger2[S] 1 insightful - 1 fun (0 children)

That'd be great. Please share your results when you do this. MikroTik was recommended for this for its advanced sniffing features. You could also use a switch, mirror the port, and run Wireshark on a secondary computer.

You can also disable the fTPM-Trustlet from the BIOS. The setting is called something like "disable PSP", but it only disables runtime services, not the PSP itself.
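The mitigation discussed in the two comments above (sniff at the switch or router, not only on the host) only pays off if the two captures are actually compared. This added example, not from the original thread, does that comparison: it counts flows sourced from the monitored host in a CSV export of the OS-side capture and in one from the mirror-port capture, and reports flows the mirror port attributes to the host that the OS never saw. The CSV samples are constructed, with TEST-NET addresses.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not real captures). Columns: src,dst,proto,dport
HOST_CSV = """src,dst,proto,dport
192.168.1.20,192.168.1.1,udp,53
192.168.1.20,93.184.216.34,tcp,443
192.168.1.20,93.184.216.34,tcp,443
"""
MIRROR_CSV = """src,dst,proto,dport
192.168.1.20,192.168.1.1,udp,53
192.168.1.20,93.184.216.34,tcp,443
192.168.1.20,93.184.216.34,tcp,443
192.168.1.20,203.0.113.7,tcp,443
192.168.1.1,192.168.1.20,udp,53
"""


def load_flows(text, src_ip):
    """Count packets originating from src_ip, keyed by (dst, proto, dport)."""
    rows = csv.DictReader(io.StringIO(text))
    return Counter((r["dst"], r["proto"], int(r["dport"]))
                   for r in rows if r["src"] == src_ip)


def unexplained_flows(host_csv, mirror_csv, host_ip):
    """Flows the mirror port saw leaving host_ip that the OS-side sniffer did not
    (or saw fewer times). Returns {(dst, proto, dport): packets unaccounted for}."""
    host = load_flows(host_csv, host_ip)      # Counter returns 0 for unseen flows
    mirror = load_flows(mirror_csv, host_ip)
    return {flow: n - host[flow] for flow, n in mirror.items() if n > host[flow]}


if __name__ == "__main__":
    for (dst, proto, dport), n in unexplained_flows(HOST_CSV, MIRROR_CSV, "192.168.1.20").items():
        print("not seen by the OS: %s %s/%d (%d packets)" % (dst, proto, dport, n))
```

A non-empty result is a lead to investigate (the host's own capture may simply have started later or dropped packets), not proof of out-of-band traffic on its own.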

[–]outra_pessoa 5 insightful - 2 fun (1 child)

Sorry for being dumb, but what does it mean? Why is it good?

[–]christnmusicreleases 2 insightful - 2 fun (2 children)

You got a link for this tool?

[–]LarrySwinger2[S] 3 insightful - 1 fun (1 child)

https://github.com/corna/me_cleaner

Be prepared to get your hands dirty if you're going to apply it. You have to make a backup of your BIOS (obviously), then patch a copy of your BIOS with the tool, and then flash your BIOS chip with the patched BIOS image. It's recommended that you do external flashing using a USB programmer with a SOIC clip. You have to open up your PC, locate the BIOS chip, and attach the clip to connect it to the programmer. The programmer is plugged into a laptop from which you send the flashing commands. This video provides a good demonstration.

If the above sounds too complex for you, you can try internal flashing. Many motherboards have a flashing tool in the BIOS, and otherwise there should be a tool that runs under DOS, so you should install FreeDOS, boot into it, and run the tool from there. However, you should definitely NOT do this on a machine you're using, because if you brick it, you're still going to have to get the USB programmer and do external flashing to at least unbrick it. That's how I did it: internal flashing first because I was impatient, then I got the tools and did it properly. I'd say that it requires effort, but for me the hardest part was getting over the feeling that you're intimidated by it. Actually applying the patch and troubleshooting was relatively straightforward.

[–]noice 2 insightful - 1 fun (0 children)

This has motivated me to look into flashing libreboot on one of my older computers. I have considered it, but never very seriously.