Intel ME, AMT, SMT, V-Pro… All of these acronyms are kind of intimidating; all we know about them is that they are tied to remote control technologies rooted deep in Intel CPUs, way deeper than even operating systems go. Sometimes, though, you want remote control for your own purposes, and that’s what [ABy] achieved. He’s got an HP ProDesk 600 G3 Mini and decided to put it into a hard-to-reach spot in his flat, somewhere you couldn’t easily fetch a monitor and a keyboard for any debugging needs. So, he started looking into some sort of remote access option in case he’d need to access the BIOS remotely, and went as far as it took to make it work. (Google Translate)
The features he needed are covered by Intel AMT — specifically, BIOS access over a WiFi connection. However, his mini PC only had SMT enabled from the factory, the cut-down version of AMT without features like wireless support. He figured out that BIOS dumping was the way, promptly did just that, found a suitable set of tools for his ME region version, and enabled AMT using Intel’s FIT (Flash Image Tool) software.
Now, dumping the image could be done from a running system fully through software, but apparently, flashing back requires an external programmer. He went with the classic CH341, did the 3.3 V voltmod that’s required to make it safe for flash chip use, and proceeded to spend a good amount of time making it work. Something about the process was screwy, likely the proprietary CH341 software. Comments under the article highlight that you should use flashrom for these tasks, and indeed, you should.
This article goes into a ton of detail when it comes to working with Intel BIOS images — whichever kind of setting you want to change, be it AMT support or some entirely different but just as tasty setting, you will be well served by this write-up. Comments do point out that you might want to upgrade the Intel ME version while at it, and for what it’s worth, you can look into disabling it too; we’ve shown you a multitude of reasons why you should, and a good few ways you could.
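Before editing a dump in FIT or writing anything back with an external programmer, it is worth confirming that the file is a complete SPI image whose flash descriptor accounts for the BIOS, ME and GbE regions. The following is an added example, not code from [ABy]'s write-up: `parse_regions` and `build_sample` are hypothetical names, the sample image is constructed, and the field layout follows the publicly documented Intel flash descriptor format with 15-bit base/limit fields.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A   # Intel flash descriptor magic value
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]

def parse_regions(image: bytes) -> dict:
    """Map region name -> (first byte, last byte) for each used region."""
    # Signature is at 0x10 on current platforms and at 0x00 on older ones.
    for sig_off in (0x10, 0x00):
        if len(image) >= sig_off + 8 and \
           struct.unpack_from("<I", image, sig_off)[0] == FD_SIGNATURE:
            break
    else:
        raise ValueError("no flash descriptor: not a full SPI flash image")
    flmap0 = struct.unpack_from("<I", image, sig_off + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4          # Flash Region Base Address
    if frba + 4 * len(REGION_NAMES) > len(image):
        raise ValueError("region table lies outside the image")
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        # 15-bit base/limit fields in 4 KiB units (assumption: recent layout).
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base > limit:
            continue                             # region not present
        if limit >= len(image):
            raise ValueError(f"{name} region extends past end of dump")
        regions[name] = (base, limit)
    return regions

def build_sample() -> bytes:
    """Constructed 64 KiB image, for illustration only (not a real dump)."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<II", img, 0x10, FD_SIGNATURE, 0x04 << 16)  # FRBA=0x40
    # (base, limit) in 4 KiB blocks; base > limit marks an unused region.
    layout = [(0x0, 0x0), (0x8, 0xF), (0x3, 0x7), (0x1, 0x2), (0x7FFF, 0x0)]
    for i, (base, limit) in enumerate(layout):
        struct.pack_into("<I", img, 0x40 + 4 * i, (limit << 16) | base)
    return bytes(img)

if __name__ == "__main__":
    for name, (base, limit) in parse_regions(build_sample()).items():
        print(f"{name:14s} {base:#08x}-{limit:#08x}")
```

A file that raises `ValueError` here is a partial image (for example a BIOS-region-only update file) or a truncated read, and is not a usable backup of the whole chip.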
Um, is the BIOS/CSM still a thing? I thought it’s all UEFI now. 🤷♂️
Or is “BIOS” used as a synonym for firmware here?
I remember that people talked about “entering BIOS” when they really just meant running CMOS Setup Utility.
yeah I’m defo using it as a synonym, so that people can easily understand the headline. It’s UEFI alright, but “BIOS menu” is burned into peoples’ brains (and mine!) to the point it’s the best shorthand if I want the largest amount of people to actually understand me.
Thank you very much for your reply, that makes sense to me.
I just wasn’t sure. I believe I haven’t seen an up-to-date PC since the mid 2010s or so.
Um, is the CMOS Setup still a thing? I thought all settings are stored in flash now. 🤷♂️
In the BIOS days the information was stored in the CMOS RAM of the RTC (Real-Time Clock).
Not sure how it’s now.
hmmm the clock certainly isn’t? and I’ve had very new laptops reset all their settings when I unplugged the RTC battery (and all other power sources), which leads me to believe that NVRAM is alive and well. efivars are in the flash, I’d guess, but hey maybe even that isn’t a given.
Yup, CMOS is still a thing, had a board replaced on an 18 month old ZBook earlier this week and there it was, a CMOS battery, some settings are in flash, some (usually security, I’m led to believe the BIOS password too) are in a ‘secure’ chip (not the TPM) and some, which will reset when you remove the battery, are in a chunk of battery backed memory, i.e. the CMOS.
I’ve got a chromebook that doesn’t have a CMOS battery, instead it has two little supercapacitors all shrinkwrapped up and soldered to tiny wires which run off to the CMOS battery connector. I guess you’re not expected to ever lose battery power for too long with it. Wonder what it does with the CMOS cleared? Well, it’s dechromed now, so I know what it’ll do now, but I wonder what it originally would have done when it was a chromebook still.
Mind you, some boards (i.e. damn Asus) don’t have an RTC battery anymore, that pin is now supplied from the main system battery. So, when your laptop’s battery gets to “0%” and it shuts down, you have to re-set the RTC date&time =(
it’s not, you should look into what’s happening with that CH341 mod (btw everyone should mod their CH341 board like this, for safety reasons!), and also how “voltmod” has been used as a word for a whiiiile now
It’s not because it is used that it is CORRECT.
voltmod means nothing. period.
? please remember that not everyone is a language prescriptivist
“When I use a word,’ Humpty Dumpty said in rather a scornful tone, ‘it means just what I choose it to mean — neither more nor less.’
’The question is,’ said Alice, ‘whether you can make words mean so many different things.’
’The question is,’ said Humpty Dumpty, ‘which is to be master — that’s all.”
― Lewis Carroll, Through the Looking Glass
Voltage wasn’t a word until someone made it up. It came from Alessandro Volta’s last name.
Languages evolve constantly
You don’t need to spell out your punctuation: “period”
I mean… “voltmod” is obviously a portmanteau of “voltage” and “modification” which absolutely means something.
You do realize that ALL words are made up, right? Language is a social construct. Words are imbued with meaning by people. They don’t have any inherent or immutable meaning.
You’re on a site called “hackaday”. The word “hack” has many different meanings in many different contexts. At some point, someone decided to use it to describe amateur tinkering. That usage caught on and now people generally agree on the additional meaning.
I’m curious what you imagine you’re contributing to the conversation. Do you think anyone finds such pedantry insightful or helpful or impressive or charming?
Looks like they are just cutting a trace and manually routing another from a voltage regulator to “voltmod” this thing. Basically hooking the chip’s VCC to 3.3V rather than 5V is enough for a “voltmod”
yeah messing with a chip’s supply voltage to achieve some sort of goal, ‘voltmod’ is a good enough shorthand for the action.
KVM with raspberry pi wouldn’t suffice?
could, but that’s its own can of worms. Besides, you can even do things like add boot images with AMT iirc!
is there any proven exploit/use of this “backdoor”?
Well, this literally is a proven exploit of this, and many low maintenance systems exist that no one will likely check for modifications so it’s completely viable in cases where this is true.
I’ve done BIOS modifications like this quite often, the issue with flashing a custom file is that during an update certain regions are omitted.
You can however boot the system with these protections disabled to allow full reading and writing… but you likely need to make modifications to show the menu option for it.
Some laptops also come with a key combination you can press to initiate flashing from USB stick, you can usually find the correct filename by a simple string search. This method worked for me on older Intel platforms.
Watch out flashing without making a backup, it holds more information than just the BIOS! It also holds the MAC address of Intel NICs and if you overwrite it with garbage data… Your MAC will turn into 00’s with 86 (Intel devid) and on systems past third generation I was never able to correct this.
If I remember correctly, you can write some value to a register (MSR) before rebooting the system to unlock full read and write.
I saw [ABy] used a SOIC-8 clip, so why did he desolder the SPI flash from the motherboard?
apparently, he destroyed a router while doing programming with the clip? so he decided to take no risks. that’s how the original reads to me, at least.
This is one of the few cases where Intel ME is actually useful for a normal user.
yeah that’s why I highlight it! with a healthy sprinkle of links showing the opposite, to balance it out =D