1 /* intelmetool Dump interesting things about Management Engine even if hidden
2 * Copyright (C) 2014 Damien Zammit <damien@zamaudio.com>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; version 2 of the License.
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
24 #include <machine/sysarch.h>
27 #include "intelmetool.h"
36 static uint32_t fd2
= 0;
37 static int ME_major_ver
= 0;
38 static int ME_minor_ver
= 0;
40 static void dumpmem(uint8_t *phys
, uint32_t size
)
43 printf("Dumping cloned ME memory:\n");
44 for (i
= 0; i
< size
; i
++) {
45 printf("%02X",*((uint8_t *) (phys
+ i
)));
50 static void zeroit(uint8_t *phys
, uint32_t size
)
53 for (i
= 0; i
< size
; i
++) {
54 *((uint8_t *) (phys
+ i
)) = 0x00;
58 static void dumpmemfile(uint8_t *phys
, uint32_t size
)
60 FILE *fp
= fopen("medump.bin", "w");
62 for (i
= 0; i
< size
; i
++) {
63 fprintf(fp
, "%c", *((uint8_t *) (phys
+ i
)));
68 static int isCPUGenuineIntel(void)
71 unsigned int level
= 0;
74 __get_cpuid(level
, &eax
, ®s
.ebx
, ®s
.ecx
, ®s
.edx
);
76 return !strncmp((char *)®s
, "GenuineIntel", CPU_ID_SIZE
-1);
79 /* You need >4GB total ram, in kernel cmdline, use 'mem=1000m'
80 * then this code will clone to absolute memory address 0xe0000000
81 * which can be read using a mmap tool at that offset.
82 * Real ME memory is located around top of memory minus 64MB. (I think)
83 * so we avoid cloning to this part.
85 static void dump_me_memory(void)
87 uintptr_t me_clone
= 0x60000000;
90 dump
= map_physical_exact((off_t
)me_clone
, (void *)me_clone
, 0x2000000);
92 printf("Could not map ME memory\n");
95 zeroit(dump
, 0x2000000);
96 printf("Send magic command for memory clone\n");
99 usleep(ME_COMMAND_DELAY
);
100 void* ptr
= &me_clone
;
101 int err
= mkhi_debug_me_memory(ptr
);
104 printf("Wait a second...");
105 usleep(ME_COMMAND_DELAY
);
106 printf("done\n\nHere are the first bytes:\n");
107 dumpmemfile(dump
, 0x2000000);
108 //printf("Try reading 0x%zx with other mmap tool...\n"
109 // "Press enter to quit, you only get one chance to run"
110 // "this tool before reboot required for some reason\n",
112 while (getc(stdin
) != '\n') {};
113 unmap_physical(dump
, 0x2000000);
117 static int pci_platform_scan(void)
119 struct pci_access
*pacc
;
125 pacc
->method
= PCI_ACCESS_I386_TYPE1
;
130 for (dev
=pacc
->devices
; dev
; dev
=dev
->next
) {
131 pci_fill_info(dev
, PCI_FILL_IDENT
| PCI_FILL_BASES
|
132 PCI_FILL_SIZES
| PCI_FILL_CLASS
);
133 name
= pci_lookup_name(pacc
, namebuf
, sizeof(namebuf
),
134 PCI_LOOKUP_DEVICE
, dev
->vendor_id
, dev
->device_id
);
137 if (dev
->vendor_id
!= PCI_VENDOR_ID_INTEL
)
140 if (PCI_DEV_HAS_ME_DISABLE(dev
->device_id
)) {
141 printf(CGRN
"Good news, you have a `%s` so ME is "
142 "present but can be disabled, continuing...\n\n"
145 } else if (PCI_DEV_HAS_ME_DIFFICULT(dev
->device_id
)) {
146 printf(CRED
"Bad news, you have a `%s` so you have ME "
147 "hardware on board and you can't control or "
148 "disable it, continuing...\n\n" RESET
, name
);
150 } else if (PCI_DEV_CAN_DISABLE_ME_IF_PRESENT(dev
->device_id
)) {
151 printf(CYEL
"Not sure if ME hardware is present "
152 "because you have a `%s`, but it is possible to "
153 "disable it if you do, continuing...\n\n" RESET
,
156 } else if (PCI_DEV_ME_NOT_SURE(dev
->device_id
)) {
157 printf(CYEL
"Found `%s`. Not sure whether you have ME "
158 "hardware, exiting\n\n" RESET
, name
);
165 !PCI_DEV_HAS_ME_DISABLE(dev
->device_id
) &&
166 !PCI_DEV_HAS_ME_DIFFICULT(dev
->device_id
) &&
167 !PCI_DEV_CAN_DISABLE_ME_IF_PRESENT(dev
->device_id
) &&
168 !PCI_DEV_ME_NOT_SURE(dev
->device_id
)) {
169 printf(CCYN
"ME is not present on your board or unknown\n\n"
180 static int activate_me(void)
182 if (read_rcba32(FD2
, &fd2
)) {
183 printf("Error reading RCBA\n");
186 if (write_rcba32(FD2
, fd2
& ~0x2)) {
187 printf("Error writing RCBA\n");
192 printf("MEI was hidden on PCI, now unlocked\n");
194 printf("MEI not hidden on PCI, checking if visible\n");
199 static void rehide_me(void)
203 printf("Re-hiding MEI device...");
204 if (read_rcba32(FD2
, &fd2
)) {
205 printf("Error reading RCBA\n");
208 if (write_rcba32(FD2
, fd2
| 0x2)) {
209 printf("Error writing RCBA\n");
217 static struct pci_dev
*pci_me_interface_scan(const char **name
, char *namebuf
,
220 struct pci_access
*pacc
;
225 pacc
->method
= PCI_ACCESS_I386_TYPE1
;
230 for (dev
=pacc
->devices
; dev
; dev
=dev
->next
) {
231 pci_fill_info(dev
, PCI_FILL_IDENT
| PCI_FILL_BASES
|
232 PCI_FILL_SIZES
| PCI_FILL_CLASS
);
233 *name
= pci_lookup_name(pacc
, namebuf
, namebuf_size
,
234 PCI_LOOKUP_DEVICE
, dev
->vendor_id
, dev
->device_id
);
235 if (dev
->vendor_id
!= PCI_VENDOR_ID_INTEL
)
238 if (PCI_DEV_HAS_SUPPORTED_ME(dev
->device_id
)) {
247 printf("MEI device not found\n");
255 static void dump_me_info(void)
258 uint32_t stat
, stat2
;
260 const char *name
= NULL
;
262 if (pci_platform_scan())
268 dev
= pci_me_interface_scan(&name
, namebuf
, sizeof(namebuf
));
275 printf("MEI found: [%x:%x] %s\n\n",
276 dev
->vendor_id
, dev
->device_id
, name
);
277 stat
= pci_read_long(dev
, 0x40);
278 printf("ME Status : 0x%x\n", stat
);
279 stat2
= pci_read_long(dev
, 0x48);
280 printf("ME Status 2 : 0x%x\n\n", stat2
);
282 intel_me_status(stat
, stat2
);
284 intel_me_extend_valid(dev
);
288 printf("ME: has a broken implementation on your board with"
291 if (intel_mei_setup(dev
))
293 usleep(ME_COMMAND_DELAY
);
295 usleep(ME_COMMAND_DELAY
);
296 if (mkhi_get_fw_version(&ME_major_ver
, &ME_minor_ver
))
298 usleep(ME_COMMAND_DELAY
);
300 usleep(ME_COMMAND_DELAY
);
301 if (mkhi_get_fwcaps())
303 usleep(ME_COMMAND_DELAY
);
309 static void dump_bootguard_info(void)
314 uint64_t bootguard
= 0;
316 if (pci_platform_scan())
322 dev
= pci_me_interface_scan(&name
, namebuf
, sizeof(namebuf
));
324 printf("Can't access ME PCI device\n");
329 printf("BootGuard MSR Output: 0x%" PRIx64
"\n", bootguard
);
333 /* ME_major_ver is zero on some platforms (Mac) */
336 (ME_major_ver
== 9 && ME_minor_ver
< 5) ||
337 !BOOTGUARD_CAPABILITY(bootguard
))) {
338 print_cap("BootGuard ", 0);
339 printf(CGRN
"\nYour system isn't bootguard ready. You can "
340 "flash other firmware!\n" RESET
);
345 if (msr_bootguard(&bootguard
, debug
) < 0) {
346 printf("ME Capability: %-43s: " CCYN
"%s\n" RESET
,
347 "BootGuard Mode", "Unknown");
351 print_cap("BootGuard ", 1);
352 if (pci_read_long(dev
, 0x40) & 0x10)
353 printf(CYEL
"Your southbridge configuration is insecure!! "
354 "BootGuard keys can be overwritten or wiped, or you are "
355 "in developer mode.\n"
359 case BOOTGUARD_DISABLED
:
360 printf("ME Capability: %-43s: " CGRN
"%s\n" RESET
,
361 "BootGuard Mode", "Disabled");
362 printf(CGRN
"\nYour system is bootguard ready but your vendor "
363 "disabled it. You can flash other firmware!\n" RESET
);
365 case BOOTGUARD_ENABLED_COMBI_MODE
:
366 printf("ME Capability: %-43s: " CGRN
"%s\n" RESET
,
367 "BootGuard Mode", "Verified & Measured Boot");
368 printf(CRED
"\nVerified boot is enabled. You can't flash other "
369 "firmware. !\n" RESET
);
371 case BOOTGUARD_ENABLED_MEASUREMENT_MODE
:
372 printf("ME Capability: %-43s: " CGRN
"%s\n" RESET
,
373 "BootGuard Mode", "Measured Boot");
374 printf(CGRN
"\nYour system is bootguard ready but only running "
375 "the measured boot mode. You can flash other firmware!\n"
378 case BOOTGUARD_ENABLED_VERIFIED_MODE
:
379 printf("ME Capability: %-43s: " CGRN
"%s\n" RESET
,
380 "BootGuard Mode", "Verified Boot");
381 printf(CRED
"\nVerified boot is enabled! You can't flash other "
382 "firmware.\n" RESET
);
388 static void print_version(void)
390 printf("intelmetool v%s -- ", INTELMETOOL_VERSION
);
391 printf("Copyright (C) 2015 Damien Zammit\n");
392 printf("Copyright (C) 2017 Philipp Deppenwiese\n");
393 printf("Copyright (C) 2017 Patrick Rudolph\n\n");
394 printf(GPLV2COPYRIGHT
);
397 static void print_usage(const char *name
)
399 printf("usage: %s [-vh?smdb]\n", name
);
401 " -v | --version: print the version\n"
402 " -h | --help: print this help\n\n"
403 " -d | --debug: enable debug output\n"
404 " -m | --me dump all me information on console\n"
405 " -b | --bootguard dump bootguard state of the platform\n"
410 int main(int argc
, char *argv
[])
412 int opt
, option_index
= 0;
413 unsigned cmd_exec
= 0;
415 static struct option long_options
[] = {
416 {"version", 0, 0, 'v'},
419 {"bootguard", 0, 0, 'b'},
420 {"debug", 0, 0, 'd'},
424 while ((opt
= getopt_long(argc
, argv
, "vh?smdb",
425 long_options
, &option_index
)) != EOF
) {
431 case 's': /* Legacy fallthrough */
445 print_usage(argv
[0]);
452 print_usage(argv
[0]);
454 #if defined(__FreeBSD__)
455 if (open("/dev/io", O_RDWR
) < 0) {
457 #elif defined(__NetBSD__)
462 if (x86_64_iopl(3)) {
469 printf("You need to be root.\n");
474 fd_mem
= open("/dev/mem", O_RDWR
);
476 perror("Can not open /dev/mem");
480 if (!isCPUGenuineIntel()) {
481 perror("Error CPU is not from Intel.");
489 dump_bootguard_info();