Intel ME Manufacturing Mode Detection Tools

This repository contains Python 2.7 scripts for checking the state of the Intel ME Manufacturing Mode.

Manufacturing Mode

Intel ME has a Manufacturing Mode designed to be used exclusively by motherboard manufacturers. This mode provides some additional opportunities that an attacker can take advantage of. When Manufacturing Mode is enabled, Intel ME allows execution of the command which makes the ME region writable via the SPI controller built into the motherboard. The ability to run code and send commands to Intel ME on the attacked system allows the attacker to rewrite the Intel ME firmware onto another version. So the attacker is able to deploy the firmware (full disclosure) which is vulnerable to INTEL-SA-00086 and execute arbitrary code on Intel ME even if the system is patched.

Usage

mmdetect.py [-h] [--path PATH]

Manufacturing mode detection tool.

optional arguments:
	-h, --help   show this help message and exit
	--path PATH  path to lspci binary

Limitations

1. Tools work only if HECI device isn't hidden.
2. 'pciutils' library (WIN, LIN) is required.
3. 'requests' library is needed for installing 'pciutils' on Windows.

pip install requests

Related URLs:

How to Hack a Turned-Off Computer or Running Unsigned Code in Intel Management Engine

CVE-2018-4251 (MacOS High Sierra 10.13.5, Security Update)

Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251

Author

Maxim Goryachy (@h0t_max)

Research Team

Mark Ermolov (@_markel___)

Maxim Goryachy (@h0t_max)

Dmitry Sklyarov (@_Dmit)

License

This software is provided under a custom License. See the accompanying LICENSE file for more information.