Intel vPro - What it can do, what it *can't* do, and what it means for your future hardware choices

I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

It seems like sections of the dump get zeroed out when you permanently disable AMT.

When I saved the change and exited the BIOS, the system rebooted 4 times before starting normally; could be a POST to make sure the system actually is able to boot.

Would be curious to see what happens if one used a programmer to restore the missing zones of firmware.

B

I think you are right that something in the CPU gets locked.

I can try and restore the original dump, but I’m pretty sure it doesn’t work. From what I know, the only way to restore AMT is to replace the CPU/motherboard.

1 Like

I tried restoring the rom, and it seems to also restore AMT.

The T430 is a naked motherboard, so I can’t boot an OS to confirm AMT is working, but the BIOS options are restored.

$ sudo flashrom -p ch341a_spi -c MX25L6405 -w dump1A-on.rom 
flashrom v1.2 on Linux 5.15.0-25-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6405" (8192 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... FAILED at 0x00001000! Expected=0xff, Found=0x28, failed byte count from 0x00000000-0x0000ffff: 0xa422
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
Erase/write done.
Verifying flash... VERIFIED.

I kept getting that write error on address 0xa422; maybe all they do is somehow write-protect a byte in the ROM, but flashrom somehow knows how to erase the byte.

I tried 3 times, it failed at the same address every time.

Right… the important bit is: does it work after firmware restore or not? E.g. can you set up remote VNC or whatever on a DHCP Ethernet and watch the BIOS/boot via VNC remotely?

I don’t have a working NIC on that motherboard, so I can’t be 100% sure.

Ctrl+P at the boot screen allows me to access the IME menu and configure AMT, I’m as sure as I can be that it’s fully functional.

I tried to permanently disable it again, and I can no longer use Ctrl+P to access the IME menu.

So interesting. I wonder what would happen if one flashed the same firmware image onto the model with the non-vPro version of that CPU.

B

1 Like

[quote=“renehoj, post:21, topic:12645”]
I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

It seems like sections of the dump get zeroed out when you permanently disable AMT.
[/quote]

:partying_face::tada:

@renehoj Well, that’s surprised me in both good and bad ways…

I honestly never would have thought that a hardware vendor would give the end user the option to “brick” parts of their hardware…

I guess I stand corrected :slightly_smiling_face:

….but still concerned that vPro could potentially be exploited without the user’s knowledge or awareness…

But at least there’s one model that has been moved from the “untrusted hardware” list to the “somewhat trusted” list :grin:

Ah, ThinkPads, you never seem to let us down!

I guess that goes for anyone making a public statement :grimacing:

This is why this has surprised me. Let’s say you have a work laptop, and you permanently disable vPro on the board. Your laptop reaches end of life, and you then sell the laptop.

1. What’s stopping you from lying about it having vPro functionality, and charging more money for it?

(Obviously a ROM dump would clearly show that you were lying, but the buyer wouldn’t know until they inspected the laptop)

Also:

2. Is a ROM flash with an external programmer the only way to “restore” vPro functionality, or is there user space software?

(If there is user space software, then that means there’s potential for it to be remotely executed by an attacker…)

@brendanhoar There’s only one way to find out :sunglasses:

I’d happily buy a laptop for testing, but have you seen the price of used hardware these days?!?!! :sob:

That is normal. Intel Firmware Descriptor (IFD) locks itself and the ME region. An external backup with a programmer would be able to dump that firmware.

Interesting that setting ME to be permanently deactivated is bypassing IFD to be able to modify ME region here. I would love to know what happens in those multiple reboots.

1 Like
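The two observations above (the dump having zeroed sections after the permanent disable, and the IFD normally locking the descriptor and ME regions) can be checked mechanically by comparing two external dumps region by region. The script below is an added example written for this thread, not code from any poster; it parses the standard Intel Flash Descriptor layout (signature 0x0FF0A55A at offset 0x10, FLMAP0 at 0x14, region entries at the Flash Region Base Address) and reports, per region, how many bytes changed and where long runs of 0x00 appear in the second dump. The `build_sample_image` function constructs a small synthetic image with a made-up region layout so the script runs offline; on real hardware you would pass the two flashrom dumps instead.

```python
"""Compare two SPI flash dumps by Intel Flash Descriptor (IFD) region.

Added example, not from the thread. Assumes the classic IFD layout with
five regions (Descriptor, BIOS, ME, GbE, Platform Data); the sample image
below is constructed and its region layout is made up for illustration.
"""
import struct

IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]


def parse_ifd_regions(image: bytes) -> dict:
    """Return {name: (base, limit)} for the five classic flash regions."""
    sig, = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at 0x10")
    flmap0, = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4      # Flash Region Base Address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        val, = struct.unpack_from("<I", image, frba + 4 * i)
        base = (val & 0x1FFF) << 12
        limit = (((val >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:                     # unused-region encoding
            continue
        regions[name] = (base, limit)
    return regions


def zero_runs(data: bytes, start: int, min_len: int = 0x1000):
    """Yield (absolute_offset, length) for 0x00 runs of at least min_len bytes."""
    i, n = 0, len(data)
    while i < n:
        if data[i] == 0:
            j = i
            while j < n and data[j] == 0:
                j += 1
            if j - i >= min_len:
                yield start + i, j - i
            i = j
        else:
            i += 1


def compare_dumps(before: bytes, after: bytes) -> dict:
    """Per-region report: bytes changed and zeroed runs present in 'after'."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size")
    report = {}
    for name, (base, limit) in parse_ifd_regions(before).items():
        a, b = before[base:limit + 1], after[base:limit + 1]
        report[name] = {
            "range": (base, limit),
            "changed_bytes": sum(1 for x, y in zip(a, b) if x != y),
            "zero_runs_after": list(zero_runs(b, base)),
        }
    return report


def build_sample_image(size: int = 0x40000) -> bytes:
    """Constructed 256 KiB image: Descriptor 0-0xFFF, ME 0x1000-0x1FFFF, BIOS 0x20000-end."""
    img = bytearray([0xA5]) * size           # filler standing in for firmware
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x04 << 16)   # FRBA = 0x40
    entries = [0x00000000,                   # Descriptor: base 0, limit 0xFFF
               0x003F0020,                   # BIOS: 0x20000-0x3FFFF
               0x001F0001,                   # ME: 0x1000-0x1FFFF
               0x00001FFF,                   # GbE: unused
               0x00001FFF]                   # Platform Data: unused
    for i, e in enumerate(entries):
        struct.pack_into("<I", img, 0x40 + 4 * i, e)
    return bytes(img)


def zero_region(image: bytes, start: int, end: int) -> bytes:
    """Return a copy of image with [start, end) zeroed, mimicking a wiped section."""
    out = bytearray(image)
    out[start:end] = bytes(end - start)
    return bytes(out)


if __name__ == "__main__":
    before = build_sample_image()
    after = zero_region(before, 0x8000, 0x20000)   # constructed 'after' dump
    for name, r in compare_dumps(before, after).items():
        lo, hi = r["range"]
        print(f"{name:14s} 0x{lo:06x}-0x{hi:06x} changed={r['changed_bytes']:#x} "
              f"zero_runs={[(hex(o), hex(l)) for o, l in r['zero_runs_after']]}")
```

On real dumps, replace the constructed images with `open("dump-on.rom", "rb").read()` and the disabled-state dump; a region whose bytes changed even though the IFD marks it locked is exactly the case worth investigating, and the reported zero runs tell you which addresses to look at in a hex editor.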

I just tried dumping the firmware from a T430 with AMT enabled and with AMT permanently disabled.

Thanks for your very helpful experiment!
Still, we don’t really have choices here, but at least we may trust those BIOS settings more… and all the laptops that offer such an option.

Hard to say, but the Wikipedia article says that AMT doesn’t make the CPU vPro; VT-d/x, TXT, and AMT are all vPro technologies, including all the security features. I don’t think it’s impossible that none of the CPU features are needed for AMT, and that it can run on any version of IME as long as you have a chipset that supports AMT.

My guess would be that the chipset and not the CPU decides if you can use AMT, but I also wouldn’t be surprised if they used the CPU ID as a “license key” to make sure you couldn’t use it without paying.

Reread this and wanted to clarify that this is not factual in all cases. You can have ME neutered/CSME disabled while still having VT-x and VT-d. TXT as well on some models. What can be disabled though is the fTPM if provided by ME. And I think, unsure, that Boot Guard requires CSME (new name for ME), but I would love to read more on what happens on newer systems there.

I know as well that newer suspend mechanisms require CSME as well to keep idle on low power consumption (Alder Lake).

Nitpicking, but important distinctions. Haven’t read the Wikipedia page on that for a while, but that was not my reading and I thought it was pretty factual. Quotes?

2 Likes