Disabling intel ME: recent dell laptops

i have been running hw with intel ME neutered or disabled for the past several years, and i am interested to know if anyone has any useful information to share on recent dell laptops.

the reason i am asking about dell here is that i have had a variety of issues with other laptop manufacturers. i have run purism machines for several years, and they have serious issues with batteries, lid hinges, and replacement parts. i have run thinkpads for many years, and the newer models have non-trivial countermeasures to prevent bios modification.

when i inquired about disabling intel ME on /r/dell, someone who claimed to be dell staff said that intel ME is disabled by default on recent laptops. i will be manually verifying this once a test machine arrives, where i can read the bios and use csme system tools to confirm the HAP enable bit is set.

https://old.reddit.com/r/Dell/comments/1fnivok/disabling_intel_me_on_dell_laptops_seeking/

i am interested to know if anyone running dell hw here can confirm or deny the claim that recent dell laptops have intel ME disabled, i.e. HAP enable bit set, by default.

1 Like
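For the verification step described above (reading the flash and checking whether the HAP enable bit is set), the following script is an added example, not code from the thread or from any of the tools mentioned. It parses an Intel Flash Descriptor from a raw SPI dump and reports both the ME 11+ HAP bit (PCHSTRP0 bit 16) and the older ME 6-10 AltMeDisable bit (PCHSTRP10 bit 0), using the public descriptor layout (signature at 0x10, FLMAP0/FLMAP1 at 0x14/0x18, FPSBA in 16-byte units) as me_cleaner reads it. Which of the two straps actually applies depends on the ME generation reported by ME Analyzer or the CSME tools, so the script prints both rather than guessing. The sample image built by `build_sample_image` is constructed for offline testing and is not a real dump.

```python
"""Report the ME-disable strap bits found in a SPI flash dump.

Added example. Layout assumptions (Intel Flash Descriptor, public spec):
  - descriptor signature 0x0FF0A55A at flash offset 0x10
  - FLMAP0 at 0x14 (FRBA in bits 16..23), FLMAP1 at 0x18 (FPSBA in bits 16..23),
    both in 16-byte units, relative to the start of the descriptor region
  - ME region = FLREG1 at FRBA + 4 (base/limit in 4 KiB units)
  - ME 11+ (Skylake and later): HAP bit = PCHSTRP0 bit 16
  - ME 6..10: AltMeDisable bit = PCHSTRP10 bit 0 (FPSBA + 0x28)
If the descriptor region is read-locked by the platform, the dump usually
shows 0xFF bytes there and the signature check below fails.
"""
import struct
import sys

DESC_SIG = 0x0FF0A55A


def parse_descriptor(img: bytes) -> dict:
    """Return the descriptor fields relevant to ME disablement."""
    if len(img) < 0x20:
        raise ValueError("image too small to hold a flash descriptor")
    sig, = struct.unpack_from("<I", img, 0x10)
    if sig != DESC_SIG:
        raise ValueError("no flash descriptor signature at 0x10 "
                         "(descriptor locked, wrong chip, or not a full dump)")
    flmap0, flmap1 = struct.unpack_from("<II", img, 0x14)
    frba = (flmap0 >> 12) & 0xFF0    # region base address, 16-byte granular
    fpsba = (flmap1 >> 12) & 0xFF0   # PCH strap base address, 16-byte granular
    flreg1, = struct.unpack_from("<I", img, frba + 4)
    me_base = (flreg1 & 0x1FFF) << 12
    me_limit = (((flreg1 >> 16) & 0x1FFF) << 12) | 0xFFF
    pchstrp0, = struct.unpack_from("<I", img, fpsba)
    pchstrp10, = struct.unpack_from("<I", img, fpsba + 0x28)
    return {
        "frba": frba,
        "fpsba": fpsba,
        "me_present": me_base < me_limit,   # unused regions have base > limit
        "me_base": me_base,
        "me_limit": me_limit,
        "hap_me11": bool(pchstrp0 & (1 << 16)),
        "altmedisable_me6_10": bool(pchstrp10 & 1),
    }


def build_sample_image(hap: bool, altmedisable: bool) -> bytes:
    """Constructed descriptor-only image for offline testing (not a real dump)."""
    img = bytearray(0x1000)
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<I", img, 0x10, DESC_SIG)
    # FLMAP0: NR=4 in bits 24..26, FRBA in bits 16..23, FCBA=0x03 in bits 0..7
    struct.pack_into("<I", img, 0x14, (4 << 24) | ((frba >> 4) << 16) | 0x03)
    # FLMAP1: FPSBA in bits 16..23, FMBA=0x06 in bits 0..7
    struct.pack_into("<I", img, 0x18, ((fpsba >> 4) << 16) | 0x06)
    # FLREG1 (ME region): base 0x003000, limit 0x5FFFFF
    struct.pack_into("<I", img, frba + 4, (0x5FF << 16) | 0x003)
    struct.pack_into("<I", img, fpsba, (1 << 16) if hap else 0)
    struct.pack_into("<I", img, fpsba + 0x28, 1 if altmedisable else 0)
    return bytes(img)


def report(d: dict) -> str:
    """Human-readable summary of parse_descriptor() output."""
    lines = [
        f"ME region: {'present' if d['me_present'] else 'absent'} "
        f"(0x{d['me_base']:06X}-0x{d['me_limit']:06X})",
        f"PCHSTRP0 bit 16 (HAP, ME 11+):          {'SET' if d['hap_me11'] else 'clear'}",
        f"PCHSTRP10 bit 0 (AltMeDisable, ME 6-10): "
        f"{'SET' if d['altmedisable_me6_10'] else 'clear'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python me_strap_check.py <flash_dump.bin>
    if len(sys.argv) != 2:
        sys.exit("usage: me_strap_check.py <spi_dump.bin>")
    with open(sys.argv[1], "rb") as fh:
        print(report(parse_descriptor(fh.read())))
```

A set bit only tells you the strap the descriptor asks for; whether the firmware honours it still has to be confirmed with the vendor tools named in the thread, and a dump that fails the signature check is the first sign that the descriptor (or the whole chip) is read-protected on that board.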

Intel® Converged Security and Management Engine Version Detection Tool (Intel® CSMEVDT)

https://www.intel.com/content/www/us/en/download/19392/28632/intel-converged-security-and-management-engine-version-detection-tool-intel-csmevdt.html

2 Likes

does vdt show the HAP enable bit / “reserved” bit setting, or just the versions of the various components of the firmware?

i have been using ME analyzer historically.

1 Like

The website says the option disables out-of-band management, which probably means they disable AMT.

If you use HAP to disable ME, on modern laptops you also break S0ix suspend, and there doesn’t seem to be any warnings that the option will break suspend.

They could be using HECI to disable ME, but it doesn’t truly disable ME, it’s only blocks access to the ME interface.

4 Likes

I have used Dell enterprise desktops that have a sticker inside with 3 ME disabled. Like renehoj said, it isn’t a thorough ME disable.

Speedstep post has the chart

https://www.dell.com/community/en/conversations/precision-fixed-workstations/service-tag-says-disable-3/647f9d56f4ccf8a8de1a08d0

2 Likes

Dell’s definition of “ME disabled” may be very different than your own.

They want you to pay extra for enterprise management capability, in which case ME will be activated. You need to pay more to get some crypto license key needed to unlock that feature, so yes they consider it disabled by default until you pony up that extra cash.

The problem is you have no idea if anyone else also knows how to enable that same feature set. Can it be done remotely by Dell? A three letter agency? There is no way to know that. We know there is a special UDP port that silently absorbs messages that the processor never sees. Since the code for ME is always present one must assume that someone knows how to use it. Pinging that port with the proper crypto payload may be enough to bring ME to life.

My thought is if you use a non-native network controller you might be bypassing this silent port integration with the internal bios. One could test to see if that same udp port can receive messages properly rather than silently absorbing them. Wish I could remember the specifics on this port number, but if you Google you may find that info.

3 Likes

The fact that they won’t either confirm or deny is pretty telling. If I was a big company and my customers were accusing me of installing backdoors on the hardware I sell them, and the accusations were unfounded, I’d do my best to prove them wrong to clear my company’s name and avoid losing future customers. Intel is obviously cucked by the gxvernment, along with everybody else who does anything important in tech.

I don’t mean to derail the thread, but do you think this trick would also work for AMD PSP? :thinking:

2 Likes

it does seem to be the case that intel ME network access depends directly on tight integration with the network card(s), so your hypothesis is decent.

i have recently acquired a dell laptop for testing, and at first pass, the results are not encouraging:

i have not yet disconnected main battery and cmos/backup battery, and i cannot even read the soic8 ec chip or the wson8 main bios chip. in comparison, i was able to read both these chips without issue with a recent thinkpad, despite not being able to write to the wson8 chip without triggering a countermeasure that blocked or overwrote the image i flashed.

if necessary, i will desolder the bios chip to read its contents.

given how countermeasures against external reading and writing of bios chips on laptops have been deployed in the past several years, it only adds to the metadata suggesting intel ME is indeed the backdoor people have suspected it is.

on a positive note, it’s still possible to toggle the HAP bit to disable ME on whitebox motherboards.

1 Like

it appears unlikely that it is possible to disable ME using the HAP enable bit on recent (post 8th gen intel) thinkpads, but i still need to do more testing to confirm this.

i’ve done some further reading and it would appear that thinkpads with intel cpus after 8th gen make use of boot guard profile 5 “LVME”, which is a verified and measured boot process. i would be unsurprised to learn dell laptops are configured similarly, with boot guard set to verified and measured boot.

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/key-usage-in-integrated-firmware-images.html

1 Like