Last year he presented how to get JTAG over USB at 33C3, and today he will tell us how to interrogate the Intel Management Engine in a similarly ingenious and devious way. Please join me in welcoming Maxim Goryachy to 34C3.

Hello guys. I'm speaking about Intel debug capabilities at CCC for the second year in a row. Last time I talked about how new Intel CPUs have a lot of debug technology called Direct Connect Interface, or DCI, and now I'm going to talk about how to activate DCI for the Intel Management Engine. DCI is Intel's private implementation of widely known industry standards for debugging hardware and low-level software. In addition, I will talk about how it can be used for research and how to use it in practice. Unfortunately, my colleague Mark couldn't come, so I will present our research alone. I think that you are somewhat hungry, so I will be quick.

Our Management Engine research team at Positive Technologies includes the following researchers: my colleagues Dmitry Sklyarov and Mark Ermolov, and myself. Mark Ermolov is the colleague with whom I found the vulnerability in the Intel Management Engine. He's a system programmer and reverse engineer. Dmitry Sklyarov is a well-known reverse engineer who did the research on the ME file system. He recovered the Huffman codes for the 11th version of ME, and you can find his tools for unpacking ME images and for parsing the ME file system on our GitHub page. Here you can see our previous talks related to ME and our contacts, so feel free to contact us with any question you have about our research.

As I've just said, I will talk about what Intel ME is, how it's implemented, and how we activated JTAG for the ME core with the vulnerability which Mark and I found. Then I will disclose in detail how our technique works and show proof of our statements. How many people in this hall know what ME is?
Oh, cool. But a short overview anyway. The topic of the Management Engine is very popular now. First, it's almost fully undocumented and very powerful at the same time. For example, it has full access to your platform's hardware, including the CPU complex. It has capabilities to intercept everything you are doing on your PC: for example, it has access to the keyboard, to USB and, of course, to the system buses. It is also a root of trust for many Intel security features, like TPM, DRM and PTT. Intel has chosen the following design for ME version 11: an independent microcontroller, an operating system based on MINIX, a built-in Java machine; it starts before the main CPU; its firmware has parts in ROM burned into the PCH and in SPI flash. Many Intel technologies are implemented with the help of the Management Engine, for example Active Management Technology, PAVP, and it also relates to SGX.

Another question: how many people in this hall know what JTAG is? Cool, but a short overview of JTAG. JTAG stands for Joint Test Action Group, and you can find its description in the IEEE standards; the details are available in the standard itself.
There is also a paper available on our blog where the design is described in close detail. Often manufacturers extend standard JTAG by adding their own functions. JTAG in Intel processors is described rather poorly, and some information can be found in documents and patents; you can see our paper on the slide. Starting with Skylake, Intel introduced the Direct Connect Interface technology, and you can find a rather short description of it in the documents. In our work, the diagram shows two types of connection using a specific device: the so-called Intel SVT Closed Chassis Adapter, or a common USB 3 debug cable. I would like to note that the target system in this case doesn't require any software or hardware agent. The drawback of this technology is that it works out of the box on Intel silicon. The Closed Chassis technology itself provides access to DFx features like JTAG and run control through the USB 3 ports on the platform. It works through USB links but implements a private protocol, and it makes it possible to manipulate the target system in deep sleep mode. It means that in this mode you have independent links between the JTAG adapter and the PCH USB 3 host. DCI with a common USB 3 debug cable works as an OTG device. That means that a special device appears on the host system; activation and commands are sent to the device through the common USB interface. The device itself is integrated into the PCH, and it transforms the commands into JTAG. If you have JTAG for ME devices, it means you have almost full control of ME.

Two main questions: does Intel provide any technique for debugging ME on public platforms? And second: what software and hardware do you need for ME debugging? Okay, thanks. To the first question:
Yes. We found a special partition called UTOK, which is located on the SPI flash where ME is stored. This partition has the same structure as FPT and the other partitions of ME. The partition includes entries of the available debug capabilities; all these records mean types of unlock: red or orange. Please pay attention, it will be important later.

What does DFx mean? DFx is a collective term for the following abbreviations: DFT, design for testability, and DFD, design for debugging. DFT is a set of techniques used in manufacturing for finding defects of integrated chips. Standard DFT is generally based on ordinary boundary-scan JTAG commands, but Intel extends its DFT in its branded Silicon View Technology. DFD joins all the internal chip-level logic used to organize hardware-level debugging of code sequences executed by the chip. DFx is connected to the outside world by a special thing called the Embedded DFx Interface. This bridge connects DFx with external industry interfaces like USB. There is a special device in the Intel Platform Controller Hub called the DFx Aggregator; its function is to control access to DFx and the two unlock types. The orange type means that vendors may use JTAG debugging for ISH, for example, and the UTOK partition for an orange unlock must be signed by the vendor's key. This key is stored in FPF fuses. More interesting is the red unlock, because this unlock provides full access to the PCH internal devices, unlocks JTAG for the ME core, and provides unlimited access to ME memory.

The Intel Management Engine uses two devices to support hardware debugging: the DFx Aggregator, which manages the DFx functionality, and a CSR register in another device (only BUP and ROM use this device). We know only about one bit of this CSR register; we called it the "Intel unlock request". This register means that you ask the platform to do a red unlock. More interesting are the DFx Aggregator registers: the personality register and the consent register. The personality
register specifies the type of unlock, red or orange, and the consent register is used to allow writes to the personality register; it means that this bit allows writing data into the DFx personality register.

The red unlock works in two steps. In the first one, BUP finds the UTOK partition. If the partition is found, BUP checks the partition signature and the platform ID. BUP also checks the time, because UTOK has a time limitation. After that, if all is okay, BUP parses the entries in the UTOK partition called knobs. If the Intel unlock knob is found and the platform is not already unlocked, BUP sets the CSR register and does a reset of ME. After that, ROM checks the CSR register, and if it's set, it cleans this register and switches on consent and personality; it means red unlock. After that ROM cleans the ME keys and continues working. But if DFx is active, ME doesn't latch the DFx consent register; it means that if you want to switch on JTAG, you don't need to reboot ME if you have the second action.

How to get a red unlock without Intel keys? At Black Hat Europe we disclosed a bug in the BUP module. This function, as you can see, has a vulnerability: when it calls another function reading a BUP file, it gives an incorrect size of data to read. Instead of the local buffer size, the first read_file function gets the size of the whole file. How we exploited this vulnerability you can find in our presentation from Black Hat. Using the vulnerability, we also activated JTAG for the Management Engine to research the internals of ME. All right, activation without Intel keys may be done in four simple steps. First, activate manufacturing mode for the target; it is needed for DCI. Set the DCI strap in the flash descriptor. Use the vulnerability to load the value 3 into the DFx personality register. After that you will have the ME core and you can research the internals of ME, but
unfortunately you will have one problem, because you don't have software for debugging ME. But it is a small problem.

Next, let's talk about the software part of the technology. It is presented by DAL, the Intel DFx Abstraction Layer package. It's a large library that exposes all the power of the DFx software model. As we found, DAL has a long history, supports various platforms and CPU architectures, and is designed to work with different debug ports and hardware. We know that DAL is the core of all the instruments that Intel uses for testing and debugging its hardware and firmware components, so it's provided with Intel System Studio, for example, and can be downloaded without any NDA. DAL is almost entirely written in C# and has the following structure: on the top DAL has the interfaces, a console interface and a GUI interface; then the library layer, the driver transport, and DFx on the target. We found a patent from Intel with a public description of the relation between DFx, EDI and the internal interfaces. You can see our previous talk for details about how the internal structure of DAL works. DAL's architecture is based on the notion of nodes. There are two types of nodes, physical and logical. Physical nodes represent a tree of hardware components, organized from the top unit and including the following levels: debug port, TAP, I2C bus and others. Logical nodes represent certain functionality that can be used to perform debugging stuff.

The main problem is that the public version of DAL doesn't include a configuration for the ME core. However, that didn't stop us, and we found the solution. As I said, DAL has some configuration, and as we investigated during reverse engineering of the DAL library, its configuration is included in encrypted XML files. DAL uses the AES cipher and the key derivation function PBKDF2 with a fixed key and salt: the first lines of a poem are the salt, and another fixed string is the key. A simple program allows decrypting the device configuration of DAL. Maybe other poems decrypt, for example, the microcode of the CPU.
I don't know. Although there is no configuration for ME devices, we found that the ME core is an LMT2 device, and the configuration for this device can be found in the decrypted XML files. Therefore anybody can write a configuration for ME. For example, on the slide you can see the internal structure of the LP series of PCH: it is the U series of CPU, and the CLTAP is divided into four parts, and on top, connected, the system part and the ME core. How to do a custom configuration in four steps: first, decrypt the XML files; second, add the following lines to the SPT XML; then use the DAL environment for ME debugging. It will make your computer personal again.

Some demo, one moment. Okay, it is a trial version of System Studio, and we decrypted the files with the configuration of DAL and edited them to add some lines. The TAP is for each series of PCH, and at the bottom, for the LP series, it is the ME core and the link between the ME core and the CLTAP. We halt their execution. We are loading some library, our library; we set up a reset break, which is needed to stop on the reset vector in ME. As you can see: the GDT table, the current instruction and register values, the LDT value. And we're doing a reset of ME, stepping instructions in ME: the initialization of segments and a new GDT value. Okay.

And the demo from Black Hat: it is our stand. It is a host platform, and we initialize the settings for the ME core. Oh, sorry, it is not the ME reset vector. As you can see, the HECI interface is a special device which the manufacturer uses for links between the host CPU and ME. Now we read some register for the CPU from HECI and set the value of this register from ME. The magic. My demo is more interesting than my English, sorry. And I have a live demo if the internet will be good. One moment. It's my machine at work, and the internet is not good.
Sorry, maybe later. Okay, and our achievements: JTAG activation, which we did with respect to the vulnerability. In addition, we activated JTAG for ME. Also, we dumped the ME startup code and found the way to extract the platform key used by the flash file system. It means that you can decrypt and integrate your files into ME, and ME doesn't detect it. And our links: on our GitHub page you can find our tools for researching the 11th version of ME, and our blog with our articles and our references. Thank you for your attention. Questions, please.

So anyone that has a question for Maxim, please line up by one of the microphones. They are one, two, three, four on this side of the room and five, six, seven, eight on that side of the room. If you are watching online, we have a signal angel who is monitoring the internet for all of your interesting questions, and they will be asked. So, already here at microphone number one.

Okay, so you mentioned that you dumped the ROM, and previously there were some firmwares with ROM bypass available. Did you compare those with the dump?

Yeah, it's ROM bypass.

And is it the same?

No, no. We found there are some differences, but they relate to the fact that the ME bypass code starts in protected mode, but the real ROM starts in real mode. Otherwise, it's actually almost the same. We found some difference in the cryptography, but I think it is not important.

So if you are leaving, please be quiet. The talk is still going on; we're still having questions and answers, so please be considerate of the people asking questions. Thank you. The next one from microphone number five.

Yeah, so you said you write the personality register and then you reset the ME and it will break at the reset. Is that register persistent over reboots, or do you have to do the exploit and set it every time?

Yeah, you need to do it every time. Only the CSR register persists between...

Signal angel, is there a question from the internet?
Yes, they'd like to know where to find the internal USB port on the mainboard.

Sorry, please repeat the question.

The question is where to find the internal USB port on the mainboard for the JTAG access.

As I know, all USB ports now have access to the DFx functionality; you don't need to find a particular port on your system. If you have a platform with Skylake, it always has this functionality on your USB ports. Of course, only if these ports are linked directly to the PCH. If the port is connected via some other controller, you probably don't have DCI on this port.

Microphone number two.

Does your work mean you can extract any key from ME, for example the key for SGX remote attestation?

I don't know. We are starting this research on how ME relates with SGX, and I don't know how the key in ME is extracted, derived and loaded, and how it relates to this. I don't know, sorry.

Microphone number one.

Did you receive any messages, any recognition about this from Intel?

You mean, did we share this information with Intel?

Did they react in any way to that?

After our vulnerability they said "okay".

Okay, no, so nothing much except for patches. Okay, thank you. Signal angel, is there another question from the internet?

Yeah, how can you disable the JTAG access? Is just disabling the ME enough, or what do you have to do?

Sorry, you mean how Intel disabled the DCI functionality for ME, and how you can fix it now?

How could Intel fix it, or how can you secure your own system?

It is not... it is a switch; it is not a bug. Sorry, you don't have any chance to switch on JTAG for ME if you don't have UTOK or you don't have a vulnerability, and JTAG for ME is switched on only in the BUP module. If we have a vulnerability in another module, for example in AMT, we can't do it. And if you have UTOK, it's a feature.
It is not a bug. You can switch off DCI in the flash descriptor and fix the same problem which we found last year, and it will be okay.

Microphone number four in the back.

I believe one of your previous slides mentioned that they incorporated a Java virtual machine. Why on God's earth did they do that?

As I know, this is DAL, and it has some relation with SGX. As far as I know; I don't know the details.

So, microphone number five.

On the last slide you mentioned the extraction of platform keys. Simple question: are they enough to sign a firmware update which you would modify, so that the ME would accept it?

No, sorry, please repeat.

Okay, so let me rephrase.

I understand you. Okay. The firmware is signed with Intel's public key. I don't have the private key of Intel, and this key is not built into ME. It is a platform key, only a platform key; this key is for the symmetric encryption of files and the signing of files on the file system. If you have this key, you can only modify the file system, but unfortunately the executable modules are stored in other places.

Okay, I get it. So no easy path for castrating the system from ME yet. Thank you.

Thank you. Signal angel.

Can you have only free software running on the ME?

Sorry, please repeat the question slowly.

Can you have only free software running on the ME by modifying the flash content?

I don't understand, sorry. You mean whether we can modify the file system or not?

Yeah, and replace the ME firmware by free code.
No, no, unfortunately, because we can't change the chain between ROM and the BUP module, and we can't change the kernel of ME and the BUP module. I don't know how to use this functionality for changing ME to an open-source solution. But, yeah, of course you can do a special device with JTAG functionality which replaces, after reboot, all of ME from the reset vector and executes it, but it is somewhat... impossible, I think.

Microphone number two.

Is there anywhere where the MINIX image has been leaked, somewhere where perhaps it could be downloaded and analyzed?

Unfortunately, the kernel of ME is only based on MINIX, and the Intel guys rewrote almost all of the kernel. And on reverse engineering... maybe under NDA you can get information from Intel, after signing an NDA. I don't know.

Microphone number eight.

Do you think it will ever be possible to add your own public keys, or are the Intel public keys for signing the firmware stored in a ROM only?

Sorry, you mean...

Could you add your own public keys for signing firmware, or is that not possible because the ME checks the public key?

ME checks only the hash of the public key, and we know that Intel made a lot of versions of ME which are signed with two keys; we saw only one of them. ROM checks that the SHA of the public key exists in a whitelist. ROM has eight hard-coded hashes of keys, some whitelist of these hashes, and if your key is in this list you can run any firmware.

Okay, but that list of hashes is in ROM.

Yeah, yeah.

Okay, thank you.

Signal angel.

What is your general impression of the security of ME? How vulnerable is it to attacks?

Sorry, you mean how vulnerable? You mean how vulnerable to what we did?

Sorry, no: how vulnerable is it to other attacks?

In other modules? Yeah. Sorry, in other modules...

So I think the question is, in general, how good is the security of the Intel ME?
So sorry, echo. How good is the security of the Intel ME? Oh, I think that, of course, yes, because an independent researcher can use it for dynamic analysis of ME code. It's cool, I think.

Microphone number seven.

Do you have plans to research some specific parts of the Intel ME in the future?

Yeah, of course. Intel will publish the new version, and I know that they changed the Huffman tables, for example, and the next round of this game will start.

Is there another question at microphone seven?

So if I understood you correctly, just to make sure: this means that if you have a CPU of this Skylake architecture and USB 3 ports, you can always get low-level access to the ME.

Exactly.

So if I were to own such a chip, I would want that patched. What's the usual path? Does that come in a Windows patch or a BIOS update, or what is it?

You have some ways to use it. If you have an SPI programmer, you can rewrite the flash. You mean how you can exploit it here?

No, how would... how will Intel distribute a patch for this vulnerability?

Oh, unfortunately, because of downgrading... Intel patched only the error in the BUP function, but a researcher or attacker can always downgrade the version to an earlier ME and exploit it without any problem, with an SPI controller or SPI programmer, and maybe another way.

Okay, thank you. Microphone number one.

In the demo with the video, we saw the connection between the two machines with this blue box, but I think there's another way to connect them with just a USB cable. Is there anything you can do with the blue box that you can't do without it?
Yeah, we checked it. We used only a USB 3 debug cable, but it is not possible for us, because we need to recover the state of BUP for loading ME. I did it, but I don't like that, because I need to stop execution for my research; it's easier for me because we are using the blue box.

Signal angel.

Do you plan to publish a mask ROM dump in the future?

Yeah, we plan to do it.

Signal angel again.

Just give me a moment.

I don't know, maybe when I come back to Moscow.

Any other burning questions? Please come up to one of the numbered microphones. Then, with that, let's give Maxim a great warm welcome. Thank you.