[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:19.15,Default,,0000,0000,0000,,{\i1}36C3 preroll music{\i0}
Dialogue: 0,0:00:19.15,0:00:22.52,Default,,0000,0000,0000,,Herald: The next talk is an intel\Nmanagement engine, deep dive.
Dialogue: 0,0:00:22.52,0:00:27.23,Default,,0000,0000,0000,,Understanding the ME at the OS and\Nhardware level and it is by Peter Bos,
Dialogue: 0,0:00:27.23,0:00:31.09,Default,,0000,0000,0000,,Please welcome him with a great round of\Napplause!
Dialogue: 0,0:00:31.09,0:00:38.78,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:00:38.78,0:00:49.41,Default,,0000,0000,0000,,Peter Bosch: Right. So everybody. Harry.\NNice. OK. So welcome. Well, this is me.
Dialogue: 0,0:00:49.41,0:00:59.51,Default,,0000,0000,0000,,I'm a student at Leiden University. Yeah,\NI've always been really interested in how
Dialogue: 0,0:00:59.51,0:01:04.61,Default,,0000,0000,0000,,stuff works. And when I got a new laptop,\NI was like, you know, how does this thing
Dialogue: 0,0:01:04.61,0:01:08.41,Default,,0000,0000,0000,,really boot? I knew everything from reset\Nvector onwards. I wanted to know what
Dialogue: 0,0:01:08.41,0:01:15.22,Default,,0000,0000,0000,,happened before it. So first I started\Nlooking at the boot guard ACM. While
Dialogue: 0,0:01:15.22,0:01:21.42,Default,,0000,0000,0000,,looking through it, I realized that not\Neverything was as it was supposed to be.
Dialogue: 0,0:01:21.42,0:01:26.28,Default,,0000,0000,0000,,That led to a later part in the boot\Nprocess being vulnerable, which ended up
Dialogue: 0,0:01:26.28,0:01:34.25,Default,,0000,0000,0000,,being discovered by me. And I found out\Nhere last year that I wasn't the only one
Dialogue: 0,0:01:34.25,0:01:38.31,Default,,0000,0000,0000,,to find it. Trammell Hudson also found it,\Nand we reported it together, presented it
Dialogue: 0,0:01:38.31,0:01:43.40,Default,,0000,0000,0000,,at Hack in the Box. And then at the same\Ntime, I was already also looking at the
Dialogue: 0,0:01:43.40,0:01:49.35,Default,,0000,0000,0000,,management engine. Well, there had been a\Nlot of research done on that before. The
Dialogue: 0,0:01:49.35,0:01:58.14,Default,,0000,0000,0000,,public info was mostly on the file system\Nand on specific vulnerabilities, which
Dialogue: 0,0:01:58.14,0:02:04.40,Default,,0000,0000,0000,,still made it pretty hard to get started\Non reverse-engineering it. So that's why I
Dialogue: 0,0:02:04.40,0:02:10.34,Default,,0000,0000,0000,,thought it might be useful for me to\Npresent this work here. It's basically
Dialogue: 0,0:02:10.34,0:02:16.91,Default,,0000,0000,0000,,broken up into three parts. The first bit\Nis just a quick introduction into the
Dialogue: 0,0:02:16.91,0:02:22.25,Default,,0000,0000,0000,,operating system it runs. So if you want\Nto work on this yourself, you're more
Dialogue: 0,0:02:22.25,0:02:28.69,Default,,0000,0000,0000,,easily able to understand whats in your\Nface in your Disassembler. So and then
Dialogue: 0,0:02:28.69,0:02:37.95,Default,,0000,0000,0000,,after that, I'll go over its role in the\Nboot process and then also how this
Dialogue: 0,0:02:37.95,0:02:45.78,Default,,0000,0000,0000,,information can be used to to start\Ndeveloping a new firmware for it or do
Dialogue: 0,0:02:45.78,0:02:49.73,Default,,0000,0000,0000,,more security research on it. So first of\Nall, what exactly is the management
Dialogue: 0,0:02:49.73,0:02:57.28,Default,,0000,0000,0000,,engine? There's been a lot of fuss about\Nit being a backdoor and everything, in
Dialogue: 0,0:02:57.28,0:03:05.00,Default,,0000,0000,0000,,reality, if it is or not depends on the\Nsoftware that it runs. It's basically a
Dialogue: 0,0:03:05.00,0:03:09.11,Default,,0000,0000,0000,,processor with his own RAM and his own IO\Nand MMUs and everything's sitting inside
Dialogue: 0,0:03:09.11,0:03:16.05,Default,,0000,0000,0000,,your south ridge. It's not in the CPU,\NIt's in its outreach. So when I say this
Dialogue: 0,0:03:16.05,0:03:24.01,Default,,0000,0000,0000,,is gonna be about the sixth and seventh\Ngeneration of Intel chips, I mean, mostly
Dialogue: 0,0:03:24.01,0:03:28.49,Default,,0000,0000,0000,,motherboards from those generations. If\Nyou run a newer CPU on it, it will also
Dialogue: 0,0:03:28.49,0:03:39.58,Default,,0000,0000,0000,,work for that. So yeah. Bit more detail.\NCPU it runs is based on the 80486, which,
Dialogue: 0,0:03:39.58,0:03:43.51,Default,,0000,0000,0000,,you know, is funny. It's quite an old CPU\Nyou and it's still being used in almost
Dialogue: 0,0:03:43.51,0:03:51.08,Default,,0000,0000,0000,,every computer nowadays. So it has a\Nlittle bit of its own RAM. It has quite a
Dialogue: 0,0:03:51.08,0:03:58.15,Default,,0000,0000,0000,,bit of built in ROM, has a hardware\Naccelerated cryptographic unit and it has
Dialogue: 0,0:03:58.15,0:04:05.45,Default,,0000,0000,0000,,fuses which are right once memory is used\Nto store security settings and keys and
Dialogue: 0,0:04:05.45,0:04:11.08,Default,,0000,0000,0000,,everything. Some of the more scary\Nfeatures it has: Bus bridges to all of the
Dialogue: 0,0:04:11.08,0:04:16.42,Default,,0000,0000,0000,,buses inside the south ridge, it can\Naccess the RAM on the CPU and it can
Dialogue: 0,0:04:16.42,0:04:21.36,Default,,0000,0000,0000,,access the network, which makes it really\Nquite dangerous. If there is a
Dialogue: 0,0:04:21.36,0:04:28.41,Default,,0000,0000,0000,,vulnerability or if it runs anything\Nnefarious and it's tasks nowadays include
Dialogue: 0,0:04:28.41,0:04:35.86,Default,,0000,0000,0000,,starting the computer as well as adding\Nmanagement features. This is mostly used
Dialogue: 0,0:04:35.86,0:04:41.19,Default,,0000,0000,0000,,in servers where it can serve as a board\Nmanagement controller, do like a remote
Dialogue: 0,0:04:41.19,0:04:49.00,Default,,0000,0000,0000,,keyboard and video and it does security\Nboot guard, which is the signing of a
Dialogue: 0,0:04:49.00,0:04:54.83,Default,,0000,0000,0000,,firmware and verification of signatures.\NIt implements a firmware TPM and there is
Dialogue: 0,0:04:54.83,0:05:02.59,Default,,0000,0000,0000,,also a SDK to use it as a general purpose\Nsecure enclave. So on the software side of
Dialogue: 0,0:05:02.63,0:05:12.65,Default,,0000,0000,0000,,it, it runs a custom operating system,\Nparts of which are taken from MINIX, the
Dialogue: 0,0:05:12.65,0:05:17.25,Default,,0000,0000,0000,,teaching operating system by Andrew\NTanenbaum. It's a micro kernel operating
Dialogue: 0,0:05:17.25,0:05:32.93,Default,,0000,0000,0000,,system. It runs binaries that are in a\Ncompletely custom format. It's really
Dialogue: 0,0:05:32.93,0:05:36.03,Default,,0000,0000,0000,,quite high level system actually. If you\Nlook at it in terms of the operating
Dialogue: 0,0:05:36.03,0:05:40.68,Default,,0000,0000,0000,,system, it runs, it's mostly like Unix,\Nwhich makes it kind of familiar, but it
Dialogue: 0,0:05:40.68,0:05:46.82,Default,,0000,0000,0000,,also has large custom parts. Like I said\Nbefore in this talk, I'm going to be
Dialogue: 0,0:05:46.82,0:05:52.74,Default,,0000,0000,0000,,speaking about sixth and seventh\Ngeneration Intel core chipsets, so that's
Dialogue: 0,0:05:52.74,0:05:58.95,Default,,0000,0000,0000,,Sunrise Point. Lewisburg, which is the\Nserver version of this and also the laptop
Dialogue: 0,0:05:58.95,0:06:04.41,Default,,0000,0000,0000,,system on a chip they're just called Intel\Ncore low power. They also include the
Dialogue: 0,0:06:04.41,0:06:08.36,Default,,0000,0000,0000,,chipset as a separate die. So it also\Napplies to them. In fact, I've been
Dialogue: 0,0:06:08.36,0:06:11.98,Default,,0000,0000,0000,,testing most of this stuff. I'm going to\Ntell you about on the laptop that's
Dialogue: 0,0:06:11.98,0:06:19.43,Default,,0000,0000,0000,,sitting right here, which is a Lenovo T\N460. The version of the firmware I've been
Dialogue: 0,0:06:19.43,0:06:30.82,Default,,0000,0000,0000,,looking at is 11001205. Right. So I do\Nneed to put this up there. I'm not a part
Dialogue: 0,0:06:30.82,0:06:38.52,Default,,0000,0000,0000,,of Intel, nor have I signed any contracts\Nto them. I've found everything in ways
Dialogue: 0,0:06:38.52,0:06:43.50,Default,,0000,0000,0000,,that you could also do. I didn't have any\Nleaked NDA stuff or anything that you
Dialogue: 0,0:06:43.50,0:06:53.10,Default,,0000,0000,0000,,couldn't get your hands on. It's also a\Nvery wide subject area, so there might be
Dialogue: 0,0:06:53.10,0:07:00.58,Default,,0000,0000,0000,,some mistakes here or there, but generally\Nit should be right. Well, if you want to
Dialogue: 0,0:07:00.58,0:07:04.22,Default,,0000,0000,0000,,get started working on an ME firmware,\Nwant to reverse-engineer it or modify it
Dialogue: 0,0:07:04.22,0:07:08.58,Default,,0000,0000,0000,,in some way first, you've got to deal with\Nthe image file. You've got your SPI flash.
Dialogue: 0,0:07:08.58,0:07:12.01,Default,,0000,0000,0000,,It's where most of its firmware lives in\Nthe same flash chip as your BIOS. So
Dialogue: 0,0:07:12.01,0:07:17.41,Default,,0000,0000,0000,,you've got that image. And then how do you\Nget the code out? Well, there's tools for
Dialogue: 0,0:07:17.41,0:07:22.95,Default,,0000,0000,0000,,that. It's already been extensively\Ndocumented, documented by other people.
Dialogue: 0,0:07:22.95,0:07:28.68,Default,,0000,0000,0000,,And you can basically just download a tool\Nand run it against it. Which makes this
Dialogue: 0,0:07:28.68,0:07:31.69,Default,,0000,0000,0000,,really easy. This is also the reason why\Nthere hasn't been a lot of research done
Dialogue: 0,0:07:31.69,0:07:35.94,Default,,0000,0000,0000,,yet before these tools were around. You\Ncouldn't get to all of the code. The
Dialogue: 0,0:07:35.94,0:07:41.35,Default,,0000,0000,0000,,kernel was compressed using Huffman\Ntables, which were stored in ROM. You
Dialogue: 0,0:07:41.35,0:07:45.36,Default,,0000,0000,0000,,couldn't get to the ROM without getting\Ncode execution on the thing. So there was
Dialogue: 0,0:07:45.36,0:07:52.64,Default,,0000,0000,0000,,basically no way of getting access to the\Nkernel code. And I think also to see some
Dialogue: 0,0:07:52.64,0:07:55.80,Default,,0000,0000,0000,,library. But that's not a problem anymore.\NYou can just download a tool and unpack
Dialogue: 0,0:07:55.80,0:08:02.52,Default,,0000,0000,0000,,it. Also, the intel tool to generate\Nfirmware images, which you can find in
Dialogue: 0,0:08:02.52,0:08:11.98,Default,,0000,0000,0000,,some open directories on the internet, has\NQt resources, XML-files which basically have the
Dialogue: 0,0:08:11.98,0:08:18.33,Default,,0000,0000,0000,,description for all of the file formats\Nused by these ME versions, including names
Dialogue: 0,0:08:18.33,0:08:26.05,Default,,0000,0000,0000,,and comments to go with those structured\Ndefinitions. So that's really useful. So
Dialogue: 0,0:08:26.05,0:08:30.43,Default,,0000,0000,0000,,we look at one of these images. It has a\Ncouple of partitions, some of them overlap
Dialogue: 0,0:08:30.43,0:08:38.15,Default,,0000,0000,0000,,and some of them are storage, some are\Ncode. So there is the main partitions,
Dialogue: 0,0:08:38.15,0:08:45.71,Default,,0000,0000,0000,,FTPR and NFTP, which contain the programs\Nit runs. There's MFS, which is the read-write
Dialogue: 0,0:08:45.71,0:08:51.98,Default,,0000,0000,0000,,file system it uses for persistent\Nstorage. And then there is a log to flash
Dialogue: 0,0:08:51.98,0:08:57.32,Default,,0000,0000,0000,,option, the possibility to embed a token\Nthat will tell the system to unlock all
Dialogue: 0,0:08:57.32,0:09:02.85,Default,,0000,0000,0000,,debug access which has to be signed by\NIntel so it's not really of any use to us.
Dialogue: 0,0:09:02.85,0:09:07.44,Default,,0000,0000,0000,,And then there is something interesting,\NROM bypass. Like I said, you can't get
Dialogue: 0,0:09:07.44,0:09:13.16,Default,,0000,0000,0000,,access to the ROM without running code on\Nit. And ROM is mask ROM. So it's internal
Dialogue: 0,0:09:13.16,0:09:17.54,Default,,0000,0000,0000,,to the chip, but Intel has to develop new\NROM code and have to test it without
Dialogue: 0,0:09:17.54,0:09:23.27,Default,,0000,0000,0000,,respinning the die every time. So they\Nhave a possibility on a unlocked
Dialogue: 0,0:09:23.27,0:09:28.17,Default,,0000,0000,0000,,preproduction chipset to completely bypass\Nthe internal ROM and load even the early
Dialogue: 0,0:09:28.17,0:09:33.67,Default,,0000,0000,0000,,boot code from the flash chip. Some of\Nthese images have leaked and you can use
Dialogue: 0,0:09:33.67,0:09:39.25,Default,,0000,0000,0000,,them to get a look at the ROM code, even\Nwithout being able to dump it. That's
Dialogue: 0,0:09:39.25,0:09:45.61,Default,,0000,0000,0000,,going to be really useful later on. So\Nthen you've got these code partitions and
Dialogue: 0,0:09:45.61,0:09:51.23,Default,,0000,0000,0000,,they contain a whole lot of files. So\Nthere is the binaries themselves which
Dialogue: 0,0:09:51.23,0:09:57.57,Default,,0000,0000,0000,,don't have any extension. There is the\Nmetadata files. So the binary format they
Dialogue: 0,0:09:57.57,0:10:05.35,Default,,0000,0000,0000,,use has no headers, nothing included. And\Nall of that data is in the metadata file.
Dialogue: 0,0:10:05.35,0:10:12.00,Default,,0000,0000,0000,,And when you use the unME11 tool, you can\Nactually, it'll convert those to text
Dialogue: 0,0:10:12.00,0:10:16.07,Default,,0000,0000,0000,,files for you so you can just get started\Nwithout really understanding how they
Dialogue: 0,0:10:16.07,0:10:26.64,Default,,0000,0000,0000,,work. Yes. So the metadata. It's type-\Nlength-value structure, which contains a
Dialogue: 0,0:10:26.64,0:10:31.18,Default,,0000,0000,0000,,whole lot of information the operating\Nsystem needs. It has the info on the
Dialogue: 0,0:10:31.18,0:10:35.82,Default,,0000,0000,0000,,module, whether it's data or code, where\Nit should be loaded, what the privileges
Dialogue: 0,0:10:35.82,0:10:43.39,Default,,0000,0000,0000,,of the process should be, a SHA\Nchecksum for validating it and also some
Dialogue: 0,0:10:43.39,0:10:49.00,Default,,0000,0000,0000,,higher level stuff such as device file\Ndefinitions if it's a device driver or any
Dialogue: 0,0:10:49.00,0:10:55.43,Default,,0000,0000,0000,,other kind of server. I've actually\Nwritten some code that uses this, that's
Dialogue: 0,0:10:55.43,0:11:01.46,Default,,0000,0000,0000,,on GitHub, so if you want a closer look at\Nit, some of the slides have a link to to
Dialogue: 0,0:11:01.46,0:11:09.78,Default,,0000,0000,0000,,get a file in there which contains the\Nfull definitions. Right. So all the code
Dialogue: 0,0:11:09.78,0:11:16.80,Default,,0000,0000,0000,,on the ME is signed and verified by Intel.\NSo you can't just go and put in a new
Dialogue: 0,0:11:16.80,0:11:24.69,Default,,0000,0000,0000,,binary and say, hey, let's run this. The\Nway they do this is in Intel's
Dialogue: 0,0:11:24.69,0:11:30.30,Default,,0000,0000,0000,,manufacture-time fuses, they have a hash\Nof the public key that they use to sign
Dialogue: 0,0:11:30.30,0:11:36.07,Default,,0000,0000,0000,,it. And then on each flash partition,\Nthere is a manifest which is signed by the
Dialogue: 0,0:11:36.07,0:11:40.82,Default,,0000,0000,0000,,key and it contains the SHA hashes for all\Nthe metadata files, which then contain a
Dialogue: 0,0:11:40.82,0:11:47.15,Default,,0000,0000,0000,,SHA hash for the code files. It doesn't\Nseem to be any major problems in verifying
Dialogue: 0,0:11:47.15,0:11:52.53,Default,,0000,0000,0000,,this, so it's useful to know, but it's\Nyou're not really gonna use this. And then
Dialogue: 0,0:11:52.53,0:12:00.30,Default,,0000,0000,0000,,the modules themself, as I've said,\Nthey're flat binaries. Mostly. The
Dialogue: 0,0:12:00.30,0:12:05.56,Default,,0000,0000,0000,,metadata contains all the info the kernel\Nuses to reconstruct the actual program
Dialogue: 0,0:12:05.56,0:12:13.53,Default,,0000,0000,0000,,image in memory. And a curious thing here\Nis that the actual base address for all
Dialogue: 0,0:12:13.53,0:12:17.46,Default,,0000,0000,0000,,the modules for old programs is the same\Nacross an image. So if you have a
Dialogue: 0,0:12:17.46,0:12:19.93,Default,,0000,0000,0000,,different version, it's going to be\Ndifferent. But if you have two programs
Dialogue: 0,0:12:19.93,0:12:25.95,Default,,0000,0000,0000,,from the same firmware it's gonna be\Nloaded at the same virtual address. Right.
Dialogue: 0,0:12:25.95,0:12:32.82,Default,,0000,0000,0000,,So when you want to look at it, you're\Ngonna load it in some disassembler, like
Dialogue: 0,0:12:32.82,0:12:39.54,Default,,0000,0000,0000,,for example IDA, and you'll see this, it\Ndisassembles fine, but it's gonna
Dialogue: 0,0:12:39.54,0:12:44.27,Default,,0000,0000,0000,,reference all kinds of memory that you\Ndon't have access to. So usually you'd
Dialogue: 0,0:12:44.27,0:12:49.46,Default,,0000,0000,0000,,think maybe I've loaded up a wrong address\Nor or am I missing some library? Well,
Dialogue: 0,0:12:49.46,0:12:55.15,Default,,0000,0000,0000,,here you've loaded it correctly if you use\Nthat, the address from the metadata file.
Dialogue: 0,0:12:55.15,0:13:02.31,Default,,0000,0000,0000,,But you are in fact missing a lot of\Nmemory segments. And let's just take a
Dialogue: 0,0:13:02.31,0:13:09.83,Default,,0000,0000,0000,,look at each of these. It's calling and\Nswitching code. It's pushing a pointer
Dialogue: 0,0:13:09.83,0:13:15.89,Default,,0000,0000,0000,,there, which is data. And what's that? So\Nit has shared libraries, even though it's
Dialogue: 0,0:13:15.89,0:13:19.92,Default,,0000,0000,0000,,flat binaries. It actually does use shared\Nlibraries because you only have 1.5
Dialogue: 0,0:13:19.92,0:13:24.32,Default,,0000,0000,0000,,megabyte of RAM. You don't want to\Nlink your C library into everything and
Dialogue: 0,0:13:24.32,0:13:32.80,Default,,0000,0000,0000,,waste what little memory you have. So\Nthere is the main system library which is
Dialogue: 0,0:13:32.80,0:13:39.27,Default,,0000,0000,0000,,like libc on a Linux system. It's in a\Nflash partition, so you can actually just
Dialogue: 0,0:13:39.27,0:13:45.69,Default,,0000,0000,0000,,load it and take a look at it easily and\Nit starts out with a jump table. So
Dialogue: 0,0:13:45.69,0:13:48.77,Default,,0000,0000,0000,,there's no symbols in the metadata file or\Nanything. It doesn't do dynamic linking.
Dialogue: 0,0:13:48.77,0:13:56.55,Default,,0000,0000,0000,,It loads the pages for the shared library\Nat a fixed address, which is also in the
Dialogue: 0,0:13:56.55,0:14:01.62,Default,,0000,0000,0000,,shared library's metadata. And then it's\Njust there in the processor's memory and
Dialogue: 0,0:14:01.62,0:14:06.13,Default,,0000,0000,0000,,it's gonna jump there if it needs a\Nfunction. And the functions themself are
Dialogue: 0,0:14:06.13,0:14:12.89,Default,,0000,0000,0000,,just using the normal System V, x86\Ncalling conventions. So it's pretty easy
Dialogue: 0,0:14:12.89,0:14:17.98,Default,,0000,0000,0000,,to look at that using your normal tools.\NThere's no weird register argument passing
Dialogue: 0,0:14:17.98,0:14:24.56,Default,,0000,0000,0000,,going on here. So, right. Now, shared\Nlibraries. There's two of them. And this
Dialogue: 0,0:14:24.56,0:14:28.16,Default,,0000,0000,0000,,is where it gets annoying. The system\Nlibrary, you've got access to that so you
Dialogue: 0,0:14:28.16,0:14:32.85,Default,,0000,0000,0000,,can just take your time and go through it\Nand try to figure out, you know, oh, hey,
Dialogue: 0,0:14:32.85,0:14:39.88,Default,,0000,0000,0000,,is this open or is this read or what's\Nthis function doing? But then there's also
Dialogue: 0,0:14:39.88,0:14:49.15,Default,,0000,0000,0000,,another second really large library, which\Nis in ROM. They have all the C library
Dialogue: 0,0:14:49.15,0:14:54.30,Default,,0000,0000,0000,,functions and some of their custom helper\Nroutines that don't interact with the
Dialogue: 0,0:14:54.30,0:15:00.92,Default,,0000,0000,0000,,kernel directly, such as strings\Nfunctions. They live in ROM. So when
Dialogue: 0,0:15:00.92,0:15:04.70,Default,,0000,0000,0000,,you've got your code and this is basically\Nwhere I was when I was here last year,
Dialogue: 0,0:15:04.70,0:15:07.04,Default,,0000,0000,0000,,you're looking through it and you're\Nseeing calls to a function you don't have
Dialogue: 0,0:15:07.04,0:15:11.01,Default,,0000,0000,0000,,the code for all over the place. And you\Nhave to figure out by its signature what
Dialogue: 0,0:15:11.01,0:15:14.87,Default,,0000,0000,0000,,is it doing. And that works for some of\Nthe functions and it's really difficult
Dialogue: 0,0:15:14.87,0:15:20.61,Default,,0000,0000,0000,,for other ones. That really had me stopped\Nfor a while. Then I managed to find one of
Dialogue: 0,0:15:20.61,0:15:25.07,Default,,0000,0000,0000,,these ROM bypass images and I had the code\Nfor a very early development build of the
Dialogue: 0,0:15:25.07,0:15:29.37,Default,,0000,0000,0000,,ROM. This is where I got lucky. So the\Nactual entry point addresses are fixed
Dialogue: 0,0:15:29.37,0:15:33.94,Default,,0000,0000,0000,,across a entire chipset family. So if you\Nhave an image for the server version of
Dialogue: 0,0:15:33.94,0:15:39.31,Default,,0000,0000,0000,,like 100 series chipset or for client\Nversion or for a desktop or laptop
Dialogue: 0,0:15:39.31,0:15:47.54,Default,,0000,0000,0000,,version, it's all gonna be the same ROM\Naddresses. So even though the code might
Dialogue: 0,0:15:47.54,0:15:51.93,Default,,0000,0000,0000,,be different, you'll have the jump table,\Nwhich means the addresses can say fixed.
Dialogue: 0,0:15:51.93,0:15:56.76,Default,,0000,0000,0000,,So this only needs to be done once. And in\Nfact when I upload my slides later, there
Dialogue: 0,0:15:56.76,0:16:02.92,Default,,0000,0000,0000,,is a slide in there at the end that has\Nthe addresses for the most used functions.
Dialogue: 0,0:16:02.92,0:16:07.35,Default,,0000,0000,0000,,So you're not going to have to repeat that\Nwork, at least not for this chipset. So if
Dialogue: 0,0:16:07.35,0:16:15.16,Default,,0000,0000,0000,,you want to look at a simple module,\Nyou've loaded it, now you've applied the
Dialogue: 0,0:16:15.16,0:16:21.86,Default,,0000,0000,0000,,things I just said, and you still don't\Nhave the data sections. If I don't know
Dialogue: 0,0:16:21.86,0:16:26.67,Default,,0000,0000,0000,,what that function there is doing, but\Nit's not very important. It actually
Dialogue: 0,0:16:26.67,0:16:33.23,Default,,0000,0000,0000,,returns a value, I think, that's not used\Nanywhere, but it must have a purpose
Dialogue: 0,0:16:33.23,0:16:40.22,Default,,0000,0000,0000,,because it's there. Right. So then you\Nlook at the entry point and this is a lot
Dialogue: 0,0:16:40.22,0:16:44.66,Default,,0000,0000,0000,,of stuff. And the main thing that matters\Nhere is on the right half of the screen,
Dialogue: 0,0:16:44.66,0:16:50.19,Default,,0000,0000,0000,,there is a listing from a MINIX repository\Nand on the left half there is a
Dialogue: 0,0:16:50.19,0:16:54.81,Default,,0000,0000,0000,,disassembly from an ME module. So it's\Nmostly the same. There is one key
Dialogue: 0,0:16:54.81,0:16:58.42,Default,,0000,0000,0000,,difference, though. The ME module actually\Nhas a little bit of code that runs before
Dialogue: 0,0:16:58.42,0:17:06.23,Default,,0000,0000,0000,,its C library startup function. And that\Nfunction actually does all the ME specific
Dialogue: 0,0:17:06.23,0:17:13.98,Default,,0000,0000,0000,,initialization, does a lot of stuff\Nrelated to how C library data is kept
Dialogue: 0,0:17:13.98,0:17:21.52,Default,,0000,0000,0000,,because there is also no data segments for\Nthe C library being allocated by the
Dialogue: 0,0:17:21.52,0:17:25.82,Default,,0000,0000,0000,,kernel. So each process actually reserves\Na part of its own memory and tells the C
Dialogue: 0,0:17:25.82,0:17:31.29,Default,,0000,0000,0000,,library, like, any global variables you\Ncan store in there. But when you look at
Dialogue: 0,0:17:31.29,0:17:37.61,Default,,0000,0000,0000,,that function, one of the most important\Nthings that it calls is this function.
Dialogue: 0,0:17:37.61,0:17:41.51,Default,,0000,0000,0000,,It's very simple, it just copies a bunch\Nof RAM. So they don't have support for
Dialogue: 0,0:17:41.51,0:17:46.65,Default,,0000,0000,0000,,initialized data sections. It's a flat\Nbinary. What they do is they they actually
Dialogue: 0,0:17:46.65,0:17:51.52,Default,,0000,0000,0000,,use the .bss segment, the zeroed segment\Nat the end of the address space, and copy
Dialogue: 0,0:17:51.52,0:17:57.07,Default,,0000,0000,0000,,over a bunch of data in the program. The\Nprogram itself is not aware of this. It's
Dialogue: 0,0:17:57.07,0:18:04.18,Default,,0000,0000,0000,,really in the initialization code and in\Nlinker script. So this is also something
Dialogue: 0,0:18:04.18,0:18:09.17,Default,,0000,0000,0000,,that's very important because you're going\Nto need to also at that address in the
Dialogue: 0,0:18:09.17,0:18:13.31,Default,,0000,0000,0000,,data section, you're going to need to load\Nthe last bit of the of the binary.
Dialogue: 0,0:18:13.31,0:18:20.52,Default,,0000,0000,0000,,Otherwise you're missing constants or at\Nleast initialization values. Right. Then
Dialogue: 0,0:18:20.52,0:18:26.15,Default,,0000,0000,0000,,there is the full memory map to the\Nprocesses themselves. It's a flat 32 bit
Dialogue: 0,0:18:26.15,0:18:31.97,Default,,0000,0000,0000,,address space. It's got everything you\Nexpect in there. It's got a stack and a
Dialogue: 0,0:18:31.97,0:18:39.50,Default,,0000,0000,0000,,heap and everything. There's a little bit\Nof heap allocated right on initialization.
Dialogue: 0,0:18:39.50,0:18:44.69,Default,,0000,0000,0000,,This is this is basically how you derive\Nthe address space layout from the
Dialogue: 0,0:18:44.69,0:18:51.10,Default,,0000,0000,0000,,metadata, especially like the data\Nsegment, then, and the stack itself is
Dialogue: 0,0:18:51.10,0:18:56.18,Default,,0000,0000,0000,,like the address location varies a lot\Nbecause of the number of threads that are
Dialogue: 0,0:18:56.18,0:19:03.38,Default,,0000,0000,0000,,in use or the size of data sections. And\Nalso those stack guards, they're not
Dialogue: 0,0:19:03.38,0:19:07.96,Default,,0000,0000,0000,,really stack guards. There is also\Nmetadata for each thread in there. But
Dialogue: 0,0:19:07.96,0:19:13.64,Default,,0000,0000,0000,,that's nothing that's relevant to the\Nprocess itself, only to the kernel. And
Dialogue: 0,0:19:13.64,0:19:21.89,Default,,0000,0000,0000,,well, if you then skip forward a bit and\Nyou've done all these - you look at your
Dialogue: 0,0:19:21.89,0:19:28.79,Default,,0000,0000,0000,,simple driver like this. This is taken\Nfrom a driver used to talk to the CPU,
Dialogue: 0,0:19:28.79,0:19:34.63,Default,,0000,0000,0000,,like, OK. So when I say CPU or host, by\Nthe way, I mean the CPU, like your big
Dialogue: 0,0:19:34.63,0:19:39.37,Default,,0000,0000,0000,,SkyLake, or KabyLake, or CoffeeLake,\Nwhatever your big CPU that runs your own
Dialogue: 0,0:19:39.37,0:19:46.07,Default,,0000,0000,0000,,operating system. Right. So this is used\Nto to send messages there. But if you look
Dialogue: 0,0:19:46.07,0:19:51.68,Default,,0000,0000,0000,,at what's going on here, OK - think I had\Na problem with the animation here - it
Dialogue: 0,0:19:51.68,0:19:57.00,Default,,0000,0000,0000,,sets up some stuff and then it calls a\Nlibrary function that's in the main syslib
Dialogue: 0,0:19:57.00,0:20:01.27,Default,,0000,0000,0000,,library, which actually has a main loop\Nfor the program. That's because Intel was
Dialogue: 0,0:20:01.27,0:20:06.44,Default,,0000,0000,0000,,smart and they added a nice framework for\Ndevice driver implementing programs,
Dialogue: 0,0:20:06.44,0:20:10.13,Default,,0000,0000,0000,,because it's a micro kernel, so device\Ndrivers are just usual programs, calling
Dialogue: 0,0:20:10.13,0:20:20.06,Default,,0000,0000,0000,,specific APIs. Then there's normal POSIX\Nfile I/O. No standard I/O, but it has all
Dialogue: 0,0:20:20.06,0:20:26.53,Default,,0000,0000,0000,,the normal open, and read, and ioctl and\Neverything functions. And then there's
Dialogue: 0,0:20:26.53,0:20:30.17,Default,,0000,0000,0000,,more initialization for the srv library.\NAnd this is basically what all the simple
Dialogue: 0,0:20:30.17,0:20:38.89,Default,,0000,0000,0000,,drivers look like in it. And then there's\Nthis. Because they're so low a memory,
Dialogue: 0,0:20:38.89,0:20:50.04,Default,,0000,0000,0000,,they don't actually use standard I/O, or\Neven printf itself to do most of the
Dialogue: 0,0:20:50.04,0:20:54.82,Default,,0000,0000,0000,,debugging. It uses a thing that's called\N"sven", I'll touch on that later. So there
Dialogue: 0,0:20:54.82,0:20:59.15,Default,,0000,0000,0000,,is the familiar APIs that I talked about.\NIt even has POSIX threads, or at least a
Dialogue: 0,0:20:59.15,0:21:04.51,Default,,0000,0000,0000,,subset of it, and there is all the\Nfunctions that you'd expect to find on
Dialogue: 0,0:21:04.51,0:21:08.70,Default,,0000,0000,0000,,some generic Unix machine. So that\Nshouldn't be too much of a problem to do
Dialogue: 0,0:21:08.70,0:21:14.57,Default,,0000,0000,0000,,with, but then there's also their own\Ntracing solution, sven. That's what Intel
Dialogue: 0,0:21:14.57,0:21:17.35,Default,,0000,0000,0000,,calls it. The name is in all the development\Ntools that you can download
Dialogue: 0,0:21:17.35,0:21:23.37,Default,,0000,0000,0000,,from their site, and basically, they don't\Ninclude format strings for a lot of the
Dialogue: 0,0:21:23.37,0:21:28.39,Default,,0000,0000,0000,,stuff. They just have a 32-bit identifier\Nthat is sent over debug port, and it
Dialogue: 0,0:21:28.39,0:21:34.27,Default,,0000,0000,0000,,refers to a format string in a dictionary\Nthat you don't have. There is one of the
Dialogue: 0,0:21:34.27,0:21:38.82,Default,,0000,0000,0000,,dictionaries for a server chip that's\Nfloating around the internet, but even
Dialogue: 0,0:21:38.82,0:21:45.94,Default,,0000,0000,0000,,that is incomplete. And the normal non-NDA\Nversion of the Intel developer tools has
Dialogue: 0,0:21:45.94,0:21:53.81,Default,,0000,0000,0000,,some 50 format strings for really common\Nstatus messages it might output, but yeah,
Dialogue: 0,0:21:53.81,0:21:57.39,Default,,0000,0000,0000,,like, if you see these functions, just\Nrealize it's doing some debug print. There
Dialogue: 0,0:21:57.39,0:22:00.55,Default,,0000,0000,0000,,might be dumping some states or just\Ntelling it it's gonna do something else.
Dialogue: 0,0:22:00.55,0:22:12.02,Default,,0000,0000,0000,,It's no important logic actually happens\Nin here. Right. So then for device files.
Dialogue: 0,0:22:12.02,0:22:16.19,Default,,0000,0000,0000,,They're actually defined in a manifest.\NWhen the kernel loads a program, and that
Dialogue: 0,0:22:16.19,0:22:20.83,Default,,0000,0000,0000,,program wants to expose some kind of\Ninterface to other programs its manifest
Dialogue: 0,0:22:20.83,0:22:27.78,Default,,0000,0000,0000,,will contai,n or it's metadata file will\Ncontain a special file producer entry, and
Dialogue: 0,0:22:27.78,0:22:33.12,Default,,0000,0000,0000,,that says, you know, you have these device\Nfiles, with a name, and an access mode and
Dialogue: 0,0:22:33.12,0:22:39.21,Default,,0000,0000,0000,,the user, and group ID, and everything,\Nand the minor numbers, and the kernel
Dialogue: 0,0:22:39.21,0:22:42.83,Default,,0000,0000,0000,,sends this to the- or not kernel- the\Nprogram loader sends this to the virtual
Dialogue: 0,0:22:42.83,0:22:47.72,Default,,0000,0000,0000,,file system server and it automatically\Ngets a device file, pointing to the right
Dialogue: 0,0:22:47.72,0:22:51.80,Default,,0000,0000,0000,,major or minor number. And then there's\Nalso a library, as I said, to provide a
Dialogue: 0,0:22:51.80,0:23:03.68,Default,,0000,0000,0000,,framework for a driver. And that looks\Nlike this. It's really easy to use. If you
Dialogue: 0,0:23:03.68,0:23:08.07,Default,,0000,0000,0000,,were a ME developer you just write some\Ncallbacks for open, and close, and
Dialogue: 0,0:23:08.07,0:23:11.00,Default,,0000,0000,0000,,everything, and it automatically calls\Nthem for you, when a message comes in,
Dialogue: 0,0:23:11.00,0:23:15.40,Default,,0000,0000,0000,,telling you that that happened, which also\Nmakes it really easy to reverse engineer,
Dialogue: 0,0:23:15.40,0:23:21.10,Default,,0000,0000,0000,,'cause if you look at a driver, it just\Nloads some callbacks, and you can know, by
Dialogue: 0,0:23:21.10,0:23:27.51,Default,,0000,0000,0000,,their offset in a structure, what actual\Ncall they're implementing. Right, so then
Dialogue: 0,0:23:27.51,0:23:31.95,Default,,0000,0000,0000,,there is one of the more weird things\Nthat's going on here: How the actual
Dialogue: 0,0:23:31.95,0:23:37.47,Default,,0000,0000,0000,,userland programs get access to memory map\Nregisters. There's a lot of this going on.
Dialogue: 0,0:23:37.47,0:23:42.83,Default,,0000,0000,0000,,Calls to a couple of functions that have\Nsome magic arguments. The second one you
Dialogue: 0,0:23:42.83,0:23:50.64,Default,,0000,0000,0000,,can easily tell is the offset, because it\Nhas- it increases in very nice power-of-
Dialogue: 0,0:23:50.64,0:23:54.67,Default,,0000,0000,0000,,two steps, so it's probably the register\Noffsets, and then what comes after it
Dialogue: 0,0:23:54.67,0:24:00.16,Default,,0000,0000,0000,,looks like a value. And then the first bit\Nseems to be a magic number. Well, it's
Dialogue: 0,0:24:00.16,0:24:05.48,Default,,0000,0000,0000,,not. There is also an extension in the\Nmetadata, saying these are the memory
Dialogue: 0,0:24:05.48,0:24:12.17,Default,,0000,0000,0000,,mapped I/O ranges, and those ranges,\Nthey'd each list a physical base address,
Dialogue: 0,0:24:12.17,0:24:19.36,Default,,0000,0000,0000,,and a size, and permissions for them. Then\Nthe index in that list does not directly
Dialogue: 0,0:24:19.36,0:24:23.15,Default,,0000,0000,0000,,correspond to the magic value. The magic\Nvalue actually you need to do a little
Dialogue: 0,0:24:23.15,0:24:27.68,Default,,0000,0000,0000,,computation on the offset, and you can\Naccess it through those functions. The
Dialogue: 0,0:24:27.68,0:24:38.60,Default,,0000,0000,0000,,computation itself might be familiar.\NYeah, so these are the functions. The
Dialogue: 0,0:24:38.60,0:24:44.61,Default,,0000,0000,0000,,value is a segment selector. So they use\Nthem. Actually, don't use paging for inter
Dialogue: 0,0:24:44.61,0:24:51.82,Default,,0000,0000,0000,,process isolation, they use segments like\Nx86 Protected Mode segments. And for each
Dialogue: 0,0:24:51.82,0:24:56.61,Default,,0000,0000,0000,,memory mapped I/O range there is a\Nseparate segments, and you manually specify
Dialogue: 0,0:24:56.61,0:25:04.28,Default,,0000,0000,0000,,that, which is just weird to me, like, why\Nwould you use x86 segmenting on a modern
Dialogue: 0,0:25:04.28,0:25:10.61,Default,,0000,0000,0000,,system? Minix does it, but, yeah, to\Nextent that even to this? Luckily, normal
Dialogue: 0,0:25:10.61,0:25:16.13,Default,,0000,0000,0000,,address space is flat, like, to the\Nprocess, not to the kernel. Right, so now
Dialogue: 0,0:25:16.13,0:25:24.87,Default,,0000,0000,0000,,we can access memory mapped I/O. That's\Nall the, like the really high level stuff.
Dialogue: 0,0:25:24.87,0:25:28.70,Default,,0000,0000,0000,,So what's going on under there? It's got\Nall the basic microkernel stuff, so
Dialogue: 0,0:25:28.70,0:25:33.02,Default,,0000,0000,0000,,message passing, and then some\Noptimizations to actually make it perform
Dialogue: 0,0:25:33.02,0:25:40.14,Default,,0000,0000,0000,,well on a really slow CPU. The basics are,\Nyou can send a message, you can receive a
Dialogue: 0,0:25:40.14,0:25:46.16,Default,,0000,0000,0000,,message, and you can send and receive a\Nmessage, where you basically say "Send a
Dialogue: 0,0:25:46.16,0:25:50.93,Default,,0000,0000,0000,,message, wait till a response comes in,\Nthen continue", which is used to wrap
Dialogue: 0,0:25:50.93,0:25:58.40,Default,,0000,0000,0000,,function calls. This is mostly the same as\Nin Minix. There's some subtle changes,
Dialogue: 0,0:25:58.40,0:26:08.23,Default,,0000,0000,0000,,which I'll get to later. And then memory\Ngrants are something that only appeared in
Dialogue: 0,0:26:08.23,0:26:13.08,Default,,0000,0000,0000,,Minix really recently. It's a way for a\Nprocess to basically create a new name for
Dialogue: 0,0:26:13.08,0:26:16.69,Default,,0000,0000,0000,,a piece of memory it has, and give a\Ndifferent process access to it, just by
Dialogue: 0,0:26:16.69,0:26:21.63,Default,,0000,0000,0000,,sharing the number. These are referred to\Nby the process ID and a number of that
Dialogue: 0,0:26:21.63,0:26:28.47,Default,,0000,0000,0000,,range. So the process IDs are actually\Nlocal per process, so to uniquely identify
Dialogue: 0,0:26:28.47,0:26:35.46,Default,,0000,0000,0000,,one you need to say process ID plus that\Nnumber, and they're only granted to a
Dialogue: 0,0:26:35.46,0:26:38.30,Default,,0000,0000,0000,,single process. So when a process creates\None of these, it can't even access it
Dialogue: 0,0:26:38.30,0:26:42.49,Default,,0000,0000,0000,,itself, unless it creates a grant for\Nitself, which is not really that useful,
Dialogue: 0,0:26:42.49,0:26:51.88,Default,,0000,0000,0000,,usually. These grants are used to prevent\Nhaving to copy over all the data inside
Dialogue: 0,0:26:51.88,0:26:57.50,Default,,0000,0000,0000,,the IPC message used to implement a system\Ncall. Yeah, these are the basic operations
Dialogue: 0,0:26:57.50,0:27:03.19,Default,,0000,0000,0000,,on it. You can create one, you can copy\Ninto and from it. So, you can't actually
Dialogue: 0,0:27:03.19,0:27:07.01,Default,,0000,0000,0000,,map it. A process that receives one of\Nthese has to say to the kernel, using a
Dialogue: 0,0:27:07.01,0:27:12.72,Default,,0000,0000,0000,,system call, "please write this data into\Nthat area of memory that belongs to a
Dialogue: 0,0:27:12.72,0:27:17.93,Default,,0000,0000,0000,,different process." And then there's also\Nindirect grants, because, you know, in
Dialogue: 0,0:27:17.93,0:27:25.31,Default,,0000,0000,0000,,Minix they do have this, but also only\Nrecently, and usually if you have a
Dialogue: 0,0:27:25.31,0:27:30.36,Default,,0000,0000,0000,,microkernel system, you would have to copy\Nyour buffer for a read call first to the
Dialogue: 0,0:27:30.36,0:27:36.54,Default,,0000,0000,0000,,file system server and then back to, like,\Neither the hard disk driver, or the device
Dialogue: 0,0:27:36.54,0:27:40.62,Default,,0000,0000,0000,,driver that's implementing a device file.\NSo the ME actually allows you to create a
Dialogue: 0,0:27:40.62,0:27:45.86,Default,,0000,0000,0000,,grant, pointing to a grant, that was given\Nto you by someone else. And then that
Dialogue: 0,0:27:45.86,0:27:52.82,Default,,0000,0000,0000,,grant will inherit the privileges of the\Nprocess that creates it, combined with
Dialogue: 0,0:27:52.82,0:27:57.53,Default,,0000,0000,0000,,those that it assignes to it. So if the\Nprocess has a read/write grant it can
Dialogue: 0,0:27:57.53,0:28:01.34,Default,,0000,0000,0000,,create a read-only or write-only grant,\Nbut it cannot, if it only has a read
Dialogue: 0,0:28:01.34,0:28:08.86,Default,,0000,0000,0000,,grant, it cannot add write rights to it\Nfor a different process, obviously. So
Dialogue: 0,0:28:08.86,0:28:12.88,Default,,0000,0000,0000,,then there is also some big differences\Nfrom MINIX. In MINIX you address a process
Dialogue: 0,0:28:12.88,0:28:18.08,Default,,0000,0000,0000,,by its process ID or thread ID with a\Ngeneration number attached to it. In the
Dialogue: 0,0:28:18.08,0:28:25.44,Default,,0000,0000,0000,,ME you can actually address IPC to a file\Ndescriptor. Kernel doesn't actually know a
Dialogue: 0,0:28:25.44,0:28:28.61,Default,,0000,0000,0000,,lot about file descriptors, it just\Nimplements the basic thing where you have
Dialogue: 0,0:28:28.61,0:28:32.35,Default,,0000,0000,0000,,a list of files and each process has a\Nlist of file descriptors assigning integer
Dialogue: 0,0:28:32.35,0:28:39.32,Default,,0000,0000,0000,,numbers to those files to refer to them\Nby. And this is used so you can as a
Dialogue: 0,0:28:39.32,0:28:43.04,Default,,0000,0000,0000,,process, you can actually directly talk to\Na device driver without knowing what is
Dialogue: 0,0:28:43.04,0:28:47.11,Default,,0000,0000,0000,,process ID is. So you don't send it to the\Nfile system server, you send it to the
Dialogue: 0,0:28:47.11,0:28:51.74,Default,,0000,0000,0000,,file descriptor or the Kernel just\Nmagically corrects it for you. And they
Dialogue: 0,0:28:51.74,0:28:55.55,Default,,0000,0000,0000,,moved select into the kernel so you can\Ntell the kernel: "Hey, I want to wait till
Dialogue: 0,0:28:55.55,0:28:59.72,Default,,0000,0000,0000,,the file system server tells me that it\Nhas not available or till a message comes
Dialogue: 0,0:28:59.72,0:29:05.44,Default,,0000,0000,0000,,in." This is one of the most complicated\Nsystem calls the ME offers that's used in
Dialogue: 0,0:29:05.44,0:29:12.01,Default,,0000,0000,0000,,a normal program. You can mostly ignore it\Nand just look like: "Hey, those arguments
Dialogue: 0,0:29:12.01,0:29:16.76,Default,,0000,0000,0000,,sort of define a file descriptor set as a\Nbit field." And then there's the message
Dialogue: 0,0:29:16.76,0:29:21.04,Default,,0000,0000,0000,,that might have been received and there's\NDMA locks because you don't just want to
Dialogue: 0,0:29:21.04,0:29:24.79,Default,,0000,0000,0000,,write to registers. You actually might\Nwant to do the direct memory access from
Dialogue: 0,0:29:24.79,0:29:30.72,Default,,0000,0000,0000,,hardware so you you can actually tell the\Nkernel to lock one of these memory grounds
Dialogue: 0,0:29:30.72,0:29:38.26,Default,,0000,0000,0000,,in RAM for you, it won't be swapped out\Nanymore. And yeah, it will even tell you
Dialogue: 0,0:29:38.26,0:29:42.02,Default,,0000,0000,0000,,the physical address so you can just load\Nthat into a register and it's not really
Dialogue: 0,0:29:42.02,0:29:46.76,Default,,0000,0000,0000,,that complicated. Just lock it, get a\Nphysical access, write into the register
Dialogue: 0,0:29:46.76,0:29:53.58,Default,,0000,0000,0000,,and continue. Well, that's the most\Nimportant stuff about the operating
Dialogue: 0,0:29:53.58,0:29:58.93,Default,,0000,0000,0000,,system. The hardware itself is a lot more\Ncomplicated because the operating system,
Dialogue: 0,0:29:58.93,0:30:03.30,Default,,0000,0000,0000,,once you have the code, you can just\Nreverse engineer it and get to know it.
Dialogue: 0,0:30:03.30,0:30:11.01,Default,,0000,0000,0000,,The hardware. Well, let's just say it's a\Nreal pain to have to reverse engineer a
Dialogue: 0,0:30:11.01,0:30:16.18,Default,,0000,0000,0000,,piece of hardware together with its\Ndriver. Like if you've got the driver
Dialogue: 0,0:30:16.18,0:30:18.45,Default,,0000,0000,0000,,code, but you don't know what the\Nregisters do. So you don't know what a lot
Dialogue: 0,0:30:18.45,0:30:24.44,Default,,0000,0000,0000,,of logic does. And you're trying to both\Nfigure out what the logic is and what the
Dialogue: 0,0:30:24.44,0:30:30.05,Default,,0000,0000,0000,,actual registers do. Right. So first you\Nwant to know which physical address goes
Dialogue: 0,0:30:30.05,0:30:39.88,Default,,0000,0000,0000,,where? The metadata listings I showed you\Nactually have names in there. Those are
Dialogue: 0,0:30:39.88,0:30:47.94,Default,,0000,0000,0000,,not in the metadata files themself, I\Nannotated those. So you just see the
Dialogue: 0,0:30:47.94,0:30:56.68,Default,,0000,0000,0000,,physical address and size. But there is\None module, the bus driver module and the
Dialogue: 0,0:30:56.68,0:31:04.23,Default,,0000,0000,0000,,bus driver is normal user process, but it\Nimplements stuff like PCI configuration
Dialogue: 0,0:31:04.23,0:31:09.55,Default,,0000,0000,0000,,space accesses and those things. And it\Nhas a nice table in it with names for
Dialogue: 0,0:31:09.55,0:31:17.05,Default,,0000,0000,0000,,devices. So if you just run strings on it,\Nyou'll see these things. When I saw this,
Dialogue: 0,0:31:17.05,0:31:20.96,Default,,0000,0000,0000,,I was was pretty glad because at least I\Ncould make sense what device was being
Dialogue: 0,0:31:20.96,0:31:26.68,Default,,0000,0000,0000,,talked to in a in a certain program. So\Nthe bus driver does all these things. It
Dialogue: 0,0:31:26.68,0:31:30.99,Default,,0000,0000,0000,,manages power getting to devices, it\Nmanages configuration space access, it
Dialogue: 0,0:31:30.99,0:31:35.96,Default,,0000,0000,0000,,manages the different kinds of buses and\NIOMU that are on the system. And it makes
Dialogue: 0,0:31:35.96,0:31:39.50,Default,,0000,0000,0000,,sure that the normal driver never has to\Nknow any of these details. It just asked
Dialogue: 0,0:31:39.50,0:31:45.52,Default,,0000,0000,0000,,it for a device by a number assigned to it\Na build time. And then the bus driver
Dialogue: 0,0:31:45.52,0:31:50.36,Default,,0000,0000,0000,,says, OK, here's a range of physical\Naddress space you can now write to. So
Dialogue: 0,0:31:50.36,0:31:56.64,Default,,0000,0000,0000,,that's a really nice abstraction and also\Ngives us a lot of information because the
Dialogue: 0,0:31:56.64,0:32:01.64,Default,,0000,0000,0000,,really old builds for sunrise point\Nactually have a hell of a lot of debug
Dialogue: 0,0:32:01.64,0:32:07.02,Default,,0000,0000,0000,,strings in there as printf format strings,\Nnot as catalogue ID. It's
Dialogue: 0,0:32:07.02,0:32:11.91,Default,,0000,0000,0000,,one of the only pieces of code for the ME\Nthat does this, so that already tells you
Dialogue: 0,0:32:11.91,0:32:15.48,Default,,0000,0000,0000,,a lot. And then there's also the table\Nthat I just talked about that has the
Dialogue: 0,0:32:15.48,0:32:23.76,Default,,0000,0000,0000,,actual info on the devices and names. So I\Ngenerated some DocuWiki content from this
Dialogue: 0,0:32:23.76,0:32:28.57,Default,,0000,0000,0000,,that I use myself and this is what's in\Nthe table, part of it. So it tells you
Dialogue: 0,0:32:28.57,0:32:33.07,Default,,0000,0000,0000,,what address PCI configuration space lives\Nat. That tells you to do the bus device
Dialogue: 0,0:32:33.07,0:32:38.13,Default,,0000,0000,0000,,function for it through that. It tells you\Non what chipset SKU they're present using
Dialogue: 0,0:32:38.13,0:32:44.64,Default,,0000,0000,0000,,a bitfield. And it tells you their names\Nin different fields. It also contains the
Dialogue: 0,0:32:44.64,0:32:48.54,Default,,0000,0000,0000,,values that are used to write the base\Naddress registers for PCI. So also their
Dialogue: 0,0:32:48.54,0:32:54.19,Default,,0000,0000,0000,,normal memory ranges. And there's even\Nmore devices. So the ME has access to a
Dialogue: 0,0:32:54.19,0:32:58.86,Default,,0000,0000,0000,,lot of stuff. A lot of it is private to\Nit. A lot of it is components that also
Dialogue: 0,0:32:58.86,0:33:06.11,Default,,0000,0000,0000,,exist in the rest of the computer. And\Nthere's not a lot of information. A lot of
Dialogue: 0,0:33:06.11,0:33:11.41,Default,,0000,0000,0000,,these are basically all the things that\Nare out there together with conference
Dialogue: 0,0:33:11.41,0:33:15.14,Default,,0000,0000,0000,,slides published by other people who have\Ndone research on the ME. I didn't have
Dialogue: 0,0:33:15.14,0:33:21.98,Default,,0000,0000,0000,,time to add links to those, but they're\Neasy to find on Google. I'll get later to
Dialogue: 0,0:33:21.98,0:33:28.23,Default,,0000,0000,0000,,this, I actually wrote a emulator for the\NME, a partial emulator to be able to run
Dialogue: 0,0:33:28.23,0:33:34.23,Default,,0000,0000,0000,,ME code and analyze it, which obviously\Nneeds to know a bit about the hardware so
Dialogue: 0,0:33:34.23,0:33:41.03,Default,,0000,0000,0000,,you can look at the app. There is some\Nfiles in Intel's debugger package,
Dialogue: 0,0:33:41.03,0:33:46.15,Default,,0000,0000,0000,,specific versions of that that have really\Ndetailed info on some of the devices, also
Dialogue: 0,0:33:46.15,0:33:51.46,Default,,0000,0000,0000,,not all of it. And I wrote some tool to\Nparse some of the files. It's really rough
Dialogue: 0,0:33:51.46,0:33:57.04,Default,,0000,0000,0000,,code. I published it because people wanted\Nto see what I was doing. It doesn't work
Dialogue: 0,0:33:57.04,0:34:04.08,Default,,0000,0000,0000,,out of the box. And there is a nice talk\Non this by Mark Ermolov and Maxim
Dialogue: 0,0:34:04.08,0:34:06.87,Default,,0000,0000,0000,,Goryachy.. Actually I don't know if I'm\Npronouncing that correctly, but they've
Dialogue: 0,0:34:06.87,0:34:12.05,Default,,0000,0000,0000,,done a lot of work on the ME and this\Nparticular talk by them is really useful.
Dialogue: 0,0:34:12.05,0:34:16.34,Default,,0000,0000,0000,,And then there's also something else.\NThere is a second ME on server chipsets,
Dialogue: 0,0:34:16.34,0:34:21.30,Default,,0000,0000,0000,,the innovation engine. It's basically a\Ncopy paste of the ME to provide a ME that
Dialogue: 0,0:34:21.30,0:34:24.76,Default,,0000,0000,0000,,the vendor can write code for. Don't think\Nit's used a lot. I've only been able to
Dialogue: 0,0:34:24.76,0:34:31.64,Default,,0000,0000,0000,,find HP software that actually targets it\Nand that has some more debug strings, but
Dialogue: 0,0:34:31.64,0:34:36.64,Default,,0000,0000,0000,,also not a lot, it mostly has a table\Ncontaining register names, but they're
Dialogue: 0,0:34:36.64,0:34:41.87,Default,,0000,0000,0000,,really abbreviated and for a really small\Nsubset of the devices, there is
Dialogue: 0,0:34:41.87,0:34:48.28,Default,,0000,0000,0000,,documentation out there in a Pentium N and\NJ series datasheet. It's seems like they
Dialogue: 0,0:34:48.28,0:34:52.41,Default,,0000,0000,0000,,compile their a lot of code or whatever\Nwith the wrong defines because it doesn't
Dialogue: 0,0:34:52.41,0:35:00.35,Default,,0000,0000,0000,,actually fit into the manual that well,\Nit's just a section that has like some 20
Dialogue: 0,0:35:00.35,0:35:08.64,Default,,0000,0000,0000,,tables that shouldn't be in there. So this\Nis from that talk I just referenced and
Dialogue: 0,0:35:08.64,0:35:12.61,Default,,0000,0000,0000,,it's a overview of the innovation engine\Nand the bus bridges and everything in
Dialogue: 0,0:35:12.61,0:35:20.07,Default,,0000,0000,0000,,there. This isn't very precise. So based\Non some of those files from System Studio,
Dialogue: 0,0:35:20.07,0:35:24.50,Default,,0000,0000,0000,,I try to get a better understanding of\Nthis, which is this. This is the entire
Dialogue: 0,0:35:24.50,0:35:29.76,Default,,0000,0000,0000,,chipset. The little DMA block in the top\Nleft corner is what connects to your CPU.
Dialogue: 0,0:35:29.76,0:35:36.57,Default,,0000,0000,0000,,And all of the big blocks with a lot of\Nports are our bus bridges or switches for
Dialogue: 0,0:35:36.57,0:35:45.47,Default,,0000,0000,0000,,PCIexpress-like fabric. So there's a lot\Ngoing on. The highlighted area is the
Dialogue: 0,0:35:45.47,0:35:59.08,Default,,0000,0000,0000,,management engine memory space and the\Nrest of it is like the global chipset. The
Dialogue: 0,0:35:59.08,0:36:02.84,Default,,0000,0000,0000,,things I've highlighted in green hair are\Non the primary PCI bus. So there's this
Dialogue: 0,0:36:02.84,0:36:08.21,Default,,0000,0000,0000,,weird thing going on where there seems to\Nbe two PCI hierarchies, at least
Dialogue: 0,0:36:08.21,0:36:13.74,Default,,0000,0000,0000,,logically. So in reality it's not even\NPCI, but on intel systems, there's a lot
Dialogue: 0,0:36:13.74,0:36:19.60,Default,,0000,0000,0000,,of stuff that behaves as if it is PCI. So\Nit has like a bus device function and
Dialogue: 0,0:36:19.60,0:36:28.65,Default,,0000,0000,0000,,numbers, PCI configuration space registers\Nand they have two different roots for the
Dialogue: 0,0:36:28.65,0:36:32.31,Default,,0000,0000,0000,,configuration space. So even though the\Nconfiguration space address includes a bus
Dialogue: 0,0:36:32.31,0:36:36.48,Default,,0000,0000,0000,,number, they have two completely different\Nthings with each. Each of which has its
Dialogue: 0,0:36:36.48,0:36:41.29,Default,,0000,0000,0000,,own bus zero. So that's that's weird also\Nbecause they don't make sense when you
Dialogue: 0,0:36:41.29,0:36:45.68,Default,,0000,0000,0000,,look at how the hardware is laid out. So\Nthis is stuff that's on the primary PCI
Dialogue: 0,0:36:45.68,0:36:50.78,Default,,0000,0000,0000,,configuration space that's directly\Naccessed by the EM, by the north bridge on
Dialogue: 0,0:36:50.78,0:36:55.26,Default,,0000,0000,0000,,the ME CPU. So that's the minute I A\Nsystem agent. System agent is what Intel
Dialogue: 0,0:36:55.26,0:37:00.62,Default,,0000,0000,0000,,calls a Northbridge nowadays, now that\Nit's not a separate chip anymore. It's
Dialogue: 0,0:37:00.62,0:37:07.53,Default,,0000,0000,0000,,basically just a Northbridge and a crypto\Nunit that's on there and the stuff that's
Dialogue: 0,0:37:07.53,0:37:12.53,Default,,0000,0000,0000,,directly attached to Northbridge being the\NROM and the RAM. So the processor itself
Dialogue: 0,0:37:12.53,0:37:16.96,Default,,0000,0000,0000,,is, as I said, derived from a 486, but it\Ndoes actually have some more modern
Dialogue: 0,0:37:16.96,0:37:21.83,Default,,0000,0000,0000,,features that it does CPU ID, at least on\Nmy systems. Some other researchers said
Dialogue: 0,0:37:21.83,0:37:29.37,Default,,0000,0000,0000,,theirs didn't. It's basically the core\Nthat's in the quark MCU, which is really
Dialogue: 0,0:37:29.37,0:37:33.26,Default,,0000,0000,0000,,great because it's one of the only cores\Nmade by Intel that has public
Dialogue: 0,0:37:33.26,0:37:39.80,Default,,0000,0000,0000,,documentation on how to do run control. So\Nbreakpoints and accessing registers and
Dialogue: 0,0:37:39.80,0:37:44.42,Default,,0000,0000,0000,,everything over JTAG. Intel doesn't\Npublish this stuff except for the quark
Dialogue: 0,0:37:44.42,0:37:50.92,Default,,0000,0000,0000,,MCU, because they were targeted makers.\NBut they reused that in here, which is
Dialogue: 0,0:37:50.92,0:37:58.20,Default,,0000,0000,0000,,really useful. It even has an official\Nport to the OpenOCD debugger, which I have
Dialogue: 0,0:37:58.20,0:38:03.10,Default,,0000,0000,0000,,not gotten to test because I don't have a\NJTAG probe, which is compatible with Intel
Dialogue: 0,0:38:03.10,0:38:11.00,Default,,0000,0000,0000,,voltage levels and supported by OpenOCD\Nand also has like a set CPU ID and MSRs.
Dialogue: 0,0:38:11.00,0:38:21.17,Default,,0000,0000,0000,,It has some really fancy features like\Nbranch tracing and some more strict paging
Dialogue: 0,0:38:21.17,0:38:30.48,Default,,0000,0000,0000,,permission enforcement stuff. They don't\Nuse the interrupt pins on this. So it's an
Dialogue: 0,0:38:30.48,0:38:34.71,Default,,0000,0000,0000,,IP block but if there are some files out\Nthere, that's where it is this screenshot
Dialogue: 0,0:38:34.71,0:38:40.60,Default,,0000,0000,0000,,is from, that actually are used by a\Nbuilt in logic analyzer Intel has on the
Dialogue: 0,0:38:40.60,0:38:46.68,Default,,0000,0000,0000,,chipset and you can select different\Nsignals on the chip to to watch, which is
Dialogue: 0,0:38:46.68,0:38:50.90,Default,,0000,0000,0000,,a really great source of information on\Nhow the IP blocks are laid out and what
Dialogue: 0,0:38:50.90,0:38:54.20,Default,,0000,0000,0000,,signals are in there, because you\Nbasically get a tree view of the IP blocks
Dialogue: 0,0:38:54.20,0:39:00.80,Default,,0000,0000,0000,,and chip and some of their signals. They\Ndon't use the legacy interrupt system,
Dialogue: 0,0:39:00.80,0:39:07.92,Default,,0000,0000,0000,,they only use message based interrupts by\Nwhat a device writes a value into a
Dialogue: 0,0:39:07.92,0:39:13.05,Default,,0000,0000,0000,,register on the interrupt controller\Ninstead of asserting a pin. And then there
Dialogue: 0,0:39:13.05,0:39:21.70,Default,,0000,0000,0000,,is the Northbridge. It's partially\Ndocumented in that data sheet I mentioned,
Dialogue: 0,0:39:21.70,0:39:29.02,Default,,0000,0000,0000,,it does support x86 IO address space, but\Nit's never used. Everything in the ME is
Dialogue: 0,0:39:29.02,0:39:36.60,Default,,0000,0000,0000,,in memory space or expose as memory space\Nthrough bridges, in the Northbridge
Dialogue: 0,0:39:36.60,0:39:43.07,Default,,0000,0000,0000,,implements access to the ROM,RAM, it has a\NIOMMU which is only used for transactions
Dialogue: 0,0:39:43.07,0:39:48.75,Default,,0000,0000,0000,,coming from the rest of the system and\Nit's always initialized to, at least in
Dialogue: 0,0:39:48.75,0:39:51.66,Default,,0000,0000,0000,,the firmware I looked up, it's always\Ninitialized to the inverse of the page
Dialogue: 0,0:39:51.66,0:40:00.20,Default,,0000,0000,0000,,table, so linear addresses can be used for\Nmemory maps, sorry, for DMA. It also does
Dialogue: 0,0:40:00.20,0:40:06.27,Default,,0000,0000,0000,,PCI configuration space access to the\Nprimary PCI bus. And it has a firewall
Dialogue: 0,0:40:06.27,0:40:15.08,Default,,0000,0000,0000,,that allows the operating system to deny\Nany IP block in the chipset from sending a
Dialogue: 0,0:40:15.08,0:40:18.89,Default,,0000,0000,0000,,completion on the bus request. So it can\Nactually say: "Hey, I want to read some
Dialogue: 0,0:40:18.89,0:40:25.04,Default,,0000,0000,0000,,register and only these devices are\Nallowed to send me value for it." So
Dialogue: 0,0:40:25.04,0:40:29.57,Default,,0000,0000,0000,,they've actually thought about security\Nhere, which is great. Then there is one of
Dialogue: 0,0:40:29.57,0:40:38.19,Default,,0000,0000,0000,,the most important blocks in the ME, which\Nis the crypto engine. It does some sort of
Dialogue: 0,0:40:38.19,0:40:47.10,Default,,0000,0000,0000,,more well-known crypto algorithms. AES,\NSHA hashes, RSA and it has a secure key
Dialogue: 0,0:40:47.10,0:40:56.33,Default,,0000,0000,0000,,store, which I'm not gonna [audio dropped]\N... all about it in their ME talk at
Dialogue: 0,0:40:56.33,0:41:04.25,Default,,0000,0000,0000,,Blackhat. And a lot of these things have\NDMA engines, which all seem to be the
Dialogue: 0,0:41:04.25,0:41:09.50,Default,,0000,0000,0000,,same. And there is no other DM agents ...\Nengines in ME, so this is also used from
Dialogue: 0,0:41:09.50,0:41:23.17,Default,,0000,0000,0000,,memory to memory copy or DMA into other\Ndevices. So that's used in a lot of
Dialogue: 0,0:41:23.17,0:41:27.40,Default,,0000,0000,0000,,things. This is actually a diagram which I\Ndon't have the vector for anymore. So
Dialogue: 0,0:41:27.40,0:41:35.26,Default,,0000,0000,0000,,that's why the libre office background is\Nin there. I'm sorry. So this is basically
Dialogue: 0,0:41:35.26,0:41:39.02,Default,,0000,0000,0000,,what that crypto engine looks like when\Nyou look at that signal tree that I was
Dialogue: 0,0:41:39.02,0:41:44.91,Default,,0000,0000,0000,,talking about earlier. The DMA engines are\Nboth able to do memory to memory copies
Dialogue: 0,0:41:44.91,0:41:52.57,Default,,0000,0000,0000,,until directly targets the crypto unit\Nthey're part of. Basically, when you, I
Dialogue: 0,0:41:52.57,0:41:57.49,Default,,0000,0000,0000,,don't know about the control bits that go\Nwith this, but when you set the target
Dialogue: 0,0:41:57.49,0:42:02.15,Default,,0000,0000,0000,,address to zero and the right control\Nbits, it will copy into the buffer that's
Dialogue: 0,0:42:02.15,0:42:11.96,Default,,0000,0000,0000,,used for the encryption. So that is how it\Naccelerates memory access for crypto. And
Dialogue: 0,0:42:11.96,0:42:15.59,Default,,0000,0000,0000,,these are the actual register offsets.\NThey're the same for all of the DMA
Dialogue: 0,0:42:15.59,0:42:21.58,Default,,0000,0000,0000,,engines in there relative to the base\Naddress of the subunit they're in. And
Dialogue: 0,0:42:21.58,0:42:27.29,Default,,0000,0000,0000,,then there's the second PCI bus or bus\Nhierarchy, which is like in some places
Dialogue: 0,0:42:27.29,0:42:33.54,Default,,0000,0000,0000,,called the PCI fixed bus. I'm actually not\Nentirely sure whether this is actually
Dialogue: 0,0:42:33.54,0:42:38.84,Default,,0000,0000,0000,,implemented as a PCI bus as I've drawn it\Nhere, but this is what it behaves like. So
Dialogue: 0,0:42:38.84,0:42:43.92,Default,,0000,0000,0000,,it has all the ME private stuff, that's\Nnot a part of the normal chipset. So it's
Dialogue: 0,0:42:43.92,0:42:51.31,Default,,0000,0000,0000,,timers for the ME, it has the\Nimplementation of the secure enclave
Dialogue: 0,0:42:51.31,0:42:58.01,Default,,0000,0000,0000,,stuff, that the firmware TPM registers.\NAnd it has the gen device which I've
Dialogue: 0,0:42:58.01,0:43:01.78,Default,,0000,0000,0000,,mostly ignored because it's only used the\Nboot time. It's only used by the actual
Dialogue: 0,0:43:01.78,0:43:10.87,Default,,0000,0000,0000,,boot ROM for the ME mostly. It is what the\NME uses to get the fuses Intel burns. So
Dialogue: 0,0:43:10.87,0:43:15.42,Default,,0000,0000,0000,,that's the intel public key, whether it's\Na production or pre-production part, but
Dialogue: 0,0:43:15.42,0:43:20.26,Default,,0000,0000,0000,,it's pretty much a black box. It's not\Nused that much, fortunately. There is the
Dialogue: 0,0:43:20.26,0:43:24.34,Default,,0000,0000,0000,,IPC block which allows the ME to talk to\Nthe sensor hub, which is a different CPU
Dialogue: 0,0:43:24.34,0:43:28.19,Default,,0000,0000,0000,,in the chipset. It allows it to talk to\Npower management controller and all kinds
Dialogue: 0,0:43:28.19,0:43:34.18,Default,,0000,0000,0000,,of other embedded CPUs. So it's inter\Nprocessor communication not interprocess.
Dialogue: 0,0:43:34.18,0:43:39.09,Default,,0000,0000,0000,,Confused me for a bit. And here's the host\Nembedded controller interface, which is
Dialogue: 0,0:43:39.09,0:43:44.32,Default,,0000,0000,0000,,how the ME talks to the rest of the\Ncomputer when it wants the computer to
Dialogue: 0,0:43:44.32,0:43:47.96,Default,,0000,0000,0000,,know that it's talking so it can directly\Naccess a lot of stuff. But when it wants
Dialogue: 0,0:43:47.96,0:43:54.25,Default,,0000,0000,0000,,to send a message to the EFI or to Windows\Nor Linux, it'll use this. And it also has
Dialogue: 0,0:43:54.25,0:43:59.08,Default,,0000,0000,0000,,status registers, which are really simple\Nthings where the ME writes in a value. And
Dialogue: 0,0:43:59.08,0:44:05.29,Default,,0000,0000,0000,,even if the ME crashes, the host can still\Nread the value, which is how you can see
Dialogue: 0,0:44:05.29,0:44:11.16,Default,,0000,0000,0000,,whether the ME is running, whether it's\Ndisabled, whether it fully booted, or
Dialogue: 0,0:44:11.16,0:44:15.40,Default,,0000,0000,0000,,whether it crashed halfway through. But at\Na point where it could still get the rest
Dialogue: 0,0:44:15.40,0:44:21.23,Default,,0000,0000,0000,,of the computer running and there is some\Ncorporate code to to read it. I've also
Dialogue: 0,0:44:21.23,0:44:27.08,Default,,0000,0000,0000,,implemented some decoding for it on the\Nemulator because it's useful to see what
Dialogue: 0,0:44:27.08,0:44:33.21,Default,,0000,0000,0000,,those values mean. So then there's\Nsomething really interesting, the primary
Dialogue: 0,0:44:33.21,0:44:37.24,Default,,0000,0000,0000,,adverse translation table, which is the\Nbus bridge that allows the ME to actually
Dialogue: 0,0:44:37.24,0:44:44.20,Default,,0000,0000,0000,,access the PCIexpress fabric of the\Ncomputer. For a lot of the, what in this
Dialogue: 0,0:44:44.20,0:44:50.01,Default,,0000,0000,0000,,table call ME peripherals, that are\Nactually outside the ME domain and the
Dialogue: 0,0:44:50.01,0:45:00.32,Default,,0000,0000,0000,,chipset, it uses this to access it. It\Nalso uses it to access the UMA, which is
Dialogue: 0,0:45:00.32,0:45:04.96,Default,,0000,0000,0000,,an area of host RAM that's used as a swap\Ndevice for the ME and to Trace Hub, which is
Dialogue: 0,0:45:04.96,0:45:11.19,Default,,0000,0000,0000,,the debug port, but also has a couple of\Nwindows which allow the ME to access any
Dialogue: 0,0:45:11.19,0:45:19.06,Default,,0000,0000,0000,,random area of host RAM, which is the most\Nscary bit because UMA is specified by
Dialogue: 0,0:45:19.06,0:45:24.65,Default,,0000,0000,0000,,host, but the host DRAM area is where you\Ncan just point it anywhere. You can read
Dialogue: 0,0:45:24.65,0:45:28.75,Default,,0000,0000,0000,,or write any value that that Windows or\NLinux or whatever you're running has
Dialogue: 0,0:45:28.75,0:45:37.46,Default,,0000,0000,0000,,sitting there. So that's scary to me. So\Nand then there's the rest of it, the rest
Dialogue: 0,0:45:37.46,0:45:46.49,Default,,0000,0000,0000,,of the devices which are behind the\Nprimary ATT. And that's a lot of stuff,
Dialogue: 0,0:45:46.49,0:45:53.45,Default,,0000,0000,0000,,that's debug, that's also the older normal\Nperipherals that your P.C. has, but it
Dialogue: 0,0:45:53.45,0:45:56.20,Default,,0000,0000,0000,,also includes things like the power\Nmanagement controller, which actually
Dialogue: 0,0:45:56.20,0:45:59.79,Default,,0000,0000,0000,,turns on and off all the different parts\Nof your computer. It controls clocks and
Dialogue: 0,0:45:59.79,0:46:07.68,Default,,0000,0000,0000,,resets. So this is really important. There\Nis a concept that you'll come across where
Dialogue: 0,0:46:07.68,0:46:14.26,Default,,0000,0000,0000,,you're reading Intel manuals or ME related\Nstuff that's root spaces besides your
Dialogue: 0,0:46:14.26,0:46:20.32,Default,,0000,0000,0000,,normal addressing information for a PCI\Ndevice, it also has a root space number,
Dialogue: 0,0:46:20.32,0:46:24.98,Default,,0000,0000,0000,,which is basically how you have a single\NPCI device exposing two completely
Dialogue: 0,0:46:24.98,0:46:31.15,Default,,0000,0000,0000,,different address spaces. And it's 0 for\Nthe host, it's one for the ME. Some
Dialogue: 0,0:46:31.15,0:46:34.94,Default,,0000,0000,0000,,devices expose the same information on\Nthere. Other ones behave completely
Dialogue: 0,0:46:34.94,0:46:43.37,Default,,0000,0000,0000,,different. That's something you don't\Nusually see. And then there's the side
Dialogue: 0,0:46:43.37,0:46:48.56,Default,,0000,0000,0000,,band fabric. So besides all this stuff\Nthey just covered, which is PCI like at
Dialogue: 0,0:46:48.56,0:46:52.88,Default,,0000,0000,0000,,least. There is also something completely\Ndifferent, side band fabric, which is a
Dialogue: 0,0:46:52.88,0:47:00.99,Default,,0000,0000,0000,,completely packet switched network, where\Nyou don't use any memory mapping by
Dialogue: 0,0:47:00.99,0:47:06.37,Default,,0000,0000,0000,,default. You just have a one byte address\Nfor a device and some other addressing
Dialogue: 0,0:47:06.37,0:47:09.59,Default,,0000,0000,0000,,fields and you're just sending a message\Nsaying: "Hey, I want to read configuration
Dialogue: 0,0:47:09.59,0:47:14.32,Default,,0000,0000,0000,,or data or memory." And there is actually\Na lot of information out there on this,
Dialogue: 0,0:47:14.32,0:47:18.48,Default,,0000,0000,0000,,because Intel, it seems like I just copy\Npasted their internal specification into a
Dialogue: 0,0:47:18.48,0:47:26.86,Default,,0000,0000,0000,,patent. This is how you address it. This\Nis all devices on there, which is quite a
Dialogue: 0,0:47:26.86,0:47:32.59,Default,,0000,0000,0000,,lot. It's also what you, if any of you are\Nkernel developers, and you've had to deal
Dialogue: 0,0:47:32.59,0:47:40.11,Default,,0000,0000,0000,,with GPIO on Intel SoCs. There's this P2SB\Ndevice that you have to use. That's what
Dialogue: 0,0:47:40.11,0:47:48.24,Default,,0000,0000,0000,,the host uses to access this. Their\Ndocumentation on it is really, really bad.
Dialogue: 0,0:47:48.24,0:47:52.42,Default,,0000,0000,0000,,This was all done using static analysis.\NBut then I wanted to figure out how some
Dialogue: 0,0:47:52.42,0:47:57.41,Default,,0000,0000,0000,,of the logic actually works and it was\Nreally complicated to play around with the
Dialogue: 0,0:47:57.41,0:48:07.31,Default,,0000,0000,0000,,ME. There was this nice talk by Ermolov\Nand Goryachy, where they said: "You know,
Dialogue: 0,0:48:07.31,0:48:11.79,Default,,0000,0000,0000,,we found a an exploit that gives you code\Nexecution and you can you can get JTAG
Dialogue: 0,0:48:11.79,0:48:18.81,Default,,0000,0000,0000,,access to." It sounds really nice. It's\Nactually not that easy. So arbitrary code
Dialogue: 0,0:48:18.81,0:48:23.36,Default,,0000,0000,0000,,execution in the BUP module, they actually\Ndescribe their exploit and how you should
Dialogue: 0,0:48:23.36,0:48:30.27,Default,,0000,0000,0000,,use it. But they didn't describe anything\Nthat's needed to actually implement that.
Dialogue: 0,0:48:30.27,0:48:35.69,Default,,0000,0000,0000,,So if you want to do that, what you need\Nto do to figure out where to stack lives,
Dialogue: 0,0:48:35.69,0:48:40.23,Default,,0000,0000,0000,,you need to know where you need to write a\Npayload that will actually get it from a
Dialogue: 0,0:48:40.23,0:48:44.64,Default,,0000,0000,0000,,buffer overflow on a stack that, by the\Nway, uses stack cookies. So you can't just
Dialogue: 0,0:48:44.64,0:48:51.37,Default,,0000,0000,0000,,overwrite the return address to turn that\Ninto an arbitrary write. And you need to
Dialogue: 0,0:48:51.37,0:48:56.37,Default,,0000,0000,0000,,find out what the return pointer address\Nis so you can overwrite it and find ROP
Dialogue: 0,0:48:56.37,0:49:03.32,Default,,0000,0000,0000,,gadgets because the stack is not\Nexecutable. And then when you've done
Dialogue: 0,0:49:03.32,0:49:09.92,Default,,0000,0000,0000,,that, you can just turn on debug access or\Nchange to custom firmware or whatever. So
Dialogue: 0,0:49:09.92,0:49:13.66,Default,,0000,0000,0000,,what I did is I had a bit of trouble\Ngetting that running and in order to test
Dialogue: 0,0:49:13.66,0:49:17.72,Default,,0000,0000,0000,,your payload, you have to flash it into\Nthe system and it takes a while and then
Dialogue: 0,0:49:17.72,0:49:20.88,Default,,0000,0000,0000,,the system just doesn't power on if the\NME's not working, if you're crashing it
Dialogue: 0,0:49:20.88,0:49:24.58,Default,,0000,0000,0000,,instead of getting code execution. So it's\Nnot really valuable to to develop it that
Dialogue: 0,0:49:24.58,0:49:32.91,Default,,0000,0000,0000,,way, I think. Some people did. I respect\Nthat because it's really, really hard. And
Dialogue: 0,0:49:32.91,0:49:38.79,Default,,0000,0000,0000,,then I wrote this ME Loader, it's called\NLoader because at first I started out like
Dialogue: 0,0:49:38.79,0:49:42.85,Default,,0000,0000,0000,,writing it as a sort of a wine thing where\Nyou where you would just mmap the right
Dialogue: 0,0:49:42.85,0:49:47.38,Default,,0000,0000,0000,,ranges at the right place and jump into\Nit, execute it, patch some system calls.
Dialogue: 0,0:49:47.38,0:49:51.85,Default,,0000,0000,0000,,But because the ME is a micro kernel\Nsystem in almost every user space program
Dialogue: 0,0:49:51.85,0:49:57.48,Default,,0000,0000,0000,,accesses hardware directly, it ended up\Nimplementing like a good part of the
Dialogue: 0,0:49:57.48,0:50:08.08,Default,,0000,0000,0000,,chipset, at least as stubs or enough logic\Nto get the code running. And I later on
Dialogue: 0,0:50:08.08,0:50:14.51,Default,,0000,0000,0000,,added some features that actually allowed\Nto talk to the hardware. I can use it as a
Dialogue: 0,0:50:14.51,0:50:18.53,Default,,0000,0000,0000,,debugger, but just because it's actually\Nrunning the ME firmware or parts of it
Dialogue: 0,0:50:18.53,0:50:26.20,Default,,0000,0000,0000,,inside a normal Linux process, I can just\Nuse gdb to debug it. And back in April
Dialogue: 0,0:50:26.20,0:50:30.32,Default,,0000,0000,0000,,last year, I got that working to the point\Nwhere I could run the bootstrap process,
Dialogue: 0,0:50:30.32,0:50:38.58,Default,,0000,0000,0000,,which is where the vulnerability is. And\Nthen you just develop the exploit against
Dialogue: 0,0:50:38.58,0:50:43.96,Default,,0000,0000,0000,,it, which I did. And then I made a mistake\Ncleaning up some old change root
Dialogue: 0,0:50:43.96,0:50:52.01,Default,,0000,0000,0000,,environments for close source software.\NAnd I nuked my home dir. Yeah. I hadn't
Dialogue: 0,0:50:52.01,0:50:56.60,Default,,0000,0000,0000,,yet pushed everything to GitHub. So I\Nstuck with an old version and I decided,
Dialogue: 0,0:50:56.60,0:51:00.16,Default,,0000,0000,0000,,you know, let's refactor this and turn it\Ninto something that might actually at some
Dialogue: 0,0:51:00.16,0:51:03.93,Default,,0000,0000,0000,,point be published, which by the way I \Ndid last summer. This is all public code. The
Dialogue: 0,0:51:03.93,0:51:09.79,Default,,0000,0000,0000,,ME Loader thing. It's on GitHub. And\Nsomeone else beat me to it and replicated
Dialogue: 0,0:51:09.79,0:51:15.25,Default,,0000,0000,0000,,that exploit by the Russian guys. Which up to\Nthen they have produced a proof of concept
Dialogue: 0,0:51:15.25,0:51:22.76,Default,,0000,0000,0000,,thing for Apollo like chipsets, which were\Ncompletely different for from what you had
Dialogue: 0,0:51:22.76,0:51:33.69,Default,,0000,0000,0000,,to do for normal ME. I was a bit\Ndisappointed by that one, not being the
Dialogue: 0,0:51:33.69,0:51:38.58,Default,,0000,0000,0000,,first one to actually replicate this. But\Nthen I did about a week later, I got it
Dialogue: 0,0:51:38.58,0:51:44.27,Default,,0000,0000,0000,,got my loader back to the point where I\Ncould actually get to the vulnerable code
Dialogue: 0,0:51:44.27,0:51:51.12,Default,,0000,0000,0000,,and develop that exploit and got it\Nworking not too long after. And here's the
Dialogue: 0,0:51:51.12,0:51:54.72,Default,,0000,0000,0000,,great thing. Then I went to the hacker\Nspace. I flash it into my laptop. The
Dialogue: 0,0:51:54.72,0:51:59.04,Default,,0000,0000,0000,,image that I had just been using only on\Nthe emulator. I didn't change it. I flash.
Dialogue: 0,0:51:59.04,0:52:05.28,Default,,0000,0000,0000,,I was like, this is never gonna work on\Nit. It works. {\i1}some laughter{\i0} And I've still got an image
Dialogue: 0,0:52:05.28,0:52:08.48,Default,,0000,0000,0000,,on a flash ship with me because that's\Nwhat I used to actually turn on the
Dialogue: 0,0:52:08.48,0:52:14.49,Default,,0000,0000,0000,,debugger. And then you need a debug probe\Nbecause that USB based debugging stuff
Dialogue: 0,0:52:14.49,0:52:18.81,Default,,0000,0000,0000,,that's mentioned here only works pretty\Nlate in boot. Which is also why I only
Dialogue: 0,0:52:18.81,0:52:21.88,Default,,0000,0000,0000,,really see Apollo Lake stuff because on\Nthose chipsets you can actually use this
Dialogue: 0,0:52:21.88,0:52:33.01,Default,,0000,0000,0000,,for the ME. And then you need this thing\Nbecause there's a second channel, that is
Dialogue: 0,0:52:33.01,0:52:36.36,Default,,0000,0000,0000,,using the USB plug, but it's a completely\Ndifferent physical layer and you need an
Dialogue: 0,0:52:36.36,0:52:40.91,Default,,0000,0000,0000,,adapter for it, which I don't think was\Nintended to be publicly available. Because
Dialogue: 0,0:52:40.91,0:52:44.86,Default,,0000,0000,0000,,if you go to Intel site to say, I want to\Nbuy this, they say, here's the C-NDA,
Dialogue: 0,0:52:44.86,0:52:54.46,Default,,0000,0000,0000,,please sign it. But it appeared on mouser.\NAnd luckily I knew some people, who had
Dialogue: 0,0:52:54.46,0:52:59.12,Default,,0000,0000,0000,,done some other stuff, got a nice bounty\Nfor it and bought it and I let me use it.
Dialogue: 0,0:52:59.12,0:53:05.43,Default,,0000,0000,0000,,Thanks to them. It's expensive, but you\Ncan buy it if it's still up there. Haven't
Dialogue: 0,0:53:05.43,0:53:11.52,Default,,0000,0000,0000,,checked. That's the Link. So I'm a bit\Nlate, so I'm gonna use the time for
Dialogue: 0,0:53:11.52,0:53:15.76,Default,,0000,0000,0000,,questions as well. So the main thing the\NME does that you cannot replace is the
Dialogue: 0,0:53:15.76,0:53:21.25,Default,,0000,0000,0000,,boot process. It's not just breaking the\Nsystem. If you don't turn it on, it
Dialogue: 0,0:53:21.25,0:53:25.24,Default,,0000,0000,0000,,actually does stuff that has to be done.\NSo you gonna have to use the ME anyway if
Dialogue: 0,0:53:25.24,0:53:30.73,Default,,0000,0000,0000,,you want to boot a computer. I don't\Nnecessarily have to use Intel's firmware.
Dialogue: 0,0:53:30.73,0:53:35.81,Default,,0000,0000,0000,,The ME itself boots is like a micro kernel\Nsystem, so it has a process which
Dialogue: 0,0:53:35.81,0:53:39.86,Default,,0000,0000,0000,,implements a lot of the servers that will\Nallow it to get to a point where it can
Dialogue: 0,0:53:39.86,0:53:44.71,Default,,0000,0000,0000,,start those servers. This process has very\Nhigh privileges in older versions, which
Dialogue: 0,0:53:44.71,0:53:49.16,Default,,0000,0000,0000,,is what is being used on these chipsets.\NAnd if you exploit that, you're still ring
Dialogue: 0,0:53:49.16,0:53:55.68,Default,,0000,0000,0000,,3, but you can turn on debugger and you\Ncan use the debugger to become ring 0. So
Dialogue: 0,0:53:55.68,0:53:59.17,Default,,0000,0000,0000,,this is what normal boot process for a\Ncomputer looks like. And this is what
Dialogue: 0,0:53:59.17,0:54:02.05,Default,,0000,0000,0000,,happens when you use Boot Guard. There's a\Nbit of code that runs even before the
Dialogue: 0,0:54:02.05,0:54:07.17,Default,,0000,0000,0000,,reset vector, and that's started by micro\Ncode initialization, of course. And this
Dialogue: 0,0:54:07.17,0:54:12.12,Default,,0000,0000,0000,,is what actually happens. The ME loads a\Nnew firmware into a power management
Dialogue: 0,0:54:12.12,0:54:16.39,Default,,0000,0000,0000,,controller, it then ready some stuff in a\Nchipset and it tells the power mentioning
Dialogue: 0,0:54:16.39,0:54:23.66,Default,,0000,0000,0000,,controller like please stop pulling that\NCPU reset pin low and the CPU will start.
Dialogue: 0,0:54:23.66,0:54:28.16,Default,,0000,0000,0000,,Power managment controller is a completely\Nindependent thing I say 8051 derived
Dialogue: 0,0:54:28.16,0:54:32.69,Default,,0000,0000,0000,,microcontroller that runs a real time\Noperating system from the 90s. This is the
Dialogue: 0,0:54:32.69,0:54:38.69,Default,,0000,0000,0000,,only string in the firmware by the way,\Nthat's quoted there. And depending on the
Dialogue: 0,0:54:38.69,0:54:42.41,Default,,0000,0000,0000,,chipsset that you have, it's either loaded\Nwith a patch or with a complete binary
Dialogue: 0,0:54:42.41,0:54:46.69,Default,,0000,0000,0000,,from the ME, and it does a lot of\Nimportant stuff. No documentation on it
Dialogue: 0,0:54:46.69,0:54:52.12,Default,,0000,0000,0000,,besides ACPI interface, which is not\Nreally any useful. The ME has to do these
Dialogue: 0,0:54:52.12,0:54:58.71,Default,,0000,0000,0000,,things. It needs to load the keys for the\NBoot Guard process needs to set up clock
Dialogue: 0,0:54:58.71,0:55:06.55,Default,,0000,0000,0000,,controllers and then tell the PMC to turn\Non the power to to the CPU. It needs to
Dialogue: 0,0:55:06.55,0:55:15.24,Default,,0000,0000,0000,,configure PCI express fabric and reset -\Nlike get the CPU to come out of reset.
Dialogue: 0,0:55:15.24,0:55:18.29,Default,,0000,0000,0000,,There's a lot of code involved in this, so\NI really didn't want to do this all
Dialogue: 0,0:55:18.29,0:55:22.15,Default,,0000,0000,0000,,statically. What I did is I added hardware\Nsupport, hardware passthrough support to
Dialogue: 0,0:55:22.15,0:55:28.50,Default,,0000,0000,0000,,the emulator and booted my laptop that\Nway. Actually had a video of this, but I
Dialogue: 0,0:55:28.50,0:55:33.97,Default,,0000,0000,0000,,don't have the time to show it, which is a\Npity. But this is what I - the bring up
Dialogue: 0,0:55:33.97,0:55:38.03,Default,,0000,0000,0000,,process from the ME running in a Linux\Nprocess, sending whatever hardware access
Dialogue: 0,0:55:38.03,0:55:43.34,Default,,0000,0000,0000,,as it was trying to do that are important\Nfor boot to the debugger. And then that
Dialogue: 0,0:55:43.34,0:55:49.88,Default,,0000,0000,0000,,was using a ME in real hardware that was\Nhalted to actually do to register accesses
Dialogue: 0,0:55:49.88,0:55:56.52,Default,,0000,0000,0000,,and it works. It's not going to show this.\NIt actually booted the computer reliably.
Dialogue: 0,0:55:56.52,0:56:02.41,Default,,0000,0000,0000,,Then Boot Guard configuration is fun\Nbecause you know where they say they fuse
Dialogue: 0,0:56:02.41,0:56:10.99,Default,,0000,0000,0000,,in the keys. Well yeah. But the ME loads\Nthem from fuses and then manually loads
Dialogue: 0,0:56:10.99,0:56:14.53,Default,,0000,0000,0000,,them into registers. So if you have code\Nexecution on the ME before it does this,
Dialogue: 0,0:56:14.53,0:56:18.00,Default,,0000,0000,0000,,you can just load your own values and you\Ncan run core boot even on a machine that
Dialogue: 0,0:56:18.00,0:56:24.19,Default,,0000,0000,0000,,has Boot Guard. Yeah. So I'm gonna go\Nthrough this really quickly. This is, by
Dialogue: 0,0:56:24.19,0:56:29.57,Default,,0000,0000,0000,,the way, these are the registers that\Nconfigure what security model the CPU is
Dialogue: 0,0:56:29.57,0:56:34.58,Default,,0000,0000,0000,,gonna enforce for the firmware. I'm going\Nto release this code after my talk. It's
Dialogue: 0,0:56:34.58,0:56:39.81,Default,,0000,0000,0000,,part of a Python script that I wrote that\Nuses the debugger to start the CPU without
Dialogue: 0,0:56:39.81,0:56:45.67,Default,,0000,0000,0000,,ME firmware. I traced all the of the ME\Nfirmware did. And I now have a Python
Dialogue: 0,0:56:45.67,0:56:51.47,Default,,0000,0000,0000,,script that can just start a computer\Nwithout Intel's code. If you translate
Dialogue: 0,0:56:51.47,0:56:55.92,Default,,0000,0000,0000,,this into a rough sequence or even into\Nbinary for the ME, you can start a
Dialogue: 0,0:56:55.92,0:57:02.85,Default,,0000,0000,0000,,computer without the ME itself or at least\Nwithout it running the operating system.
Dialogue: 0,0:57:02.85,0:57:12.71,Default,,0000,0000,0000,,{\i1}applause{\i0}\NSo, yeah, future goals. I really do want
Dialogue: 0,0:57:12.71,0:57:20.42,Default,,0000,0000,0000,,to share this because if there is a way to\Nescalate, to ring 0 fruit, a rope chain,
Dialogue: 0,0:57:20.42,0:57:24.36,Default,,0000,0000,0000,,then you could just start your own kernel\Nin the ME and have custom firmware, at
Dialogue: 0,0:57:24.36,0:57:29.60,Default,,0000,0000,0000,,least from the vulnerability on. But you\Ncould also build a mod chip that uses the
Dialogue: 0,0:57:29.60,0:57:34.83,Default,,0000,0000,0000,,debugger interface to load a new firmware.\NThere's lots of stuff still needs to be
Dialogue: 0,0:57:34.83,0:57:41.21,Default,,0000,0000,0000,,discovered, but I'm gonna hang out at the\Nopen source firmware village later, at
Dialogue: 0,0:57:41.21,0:57:46.69,Default,,0000,0000,0000,,least part of the week here. So because I\Nreally want to get started on open source
Dialogue: 0,0:57:46.69,0:57:55.25,Default,,0000,0000,0000,,ME firmware using this. Right. And there's\Na lot of people that's played a role in
Dialogue: 0,0:57:55.25,0:58:00.70,Default,,0000,0000,0000,,getting me to this point. Also would like\Nto thank the guy from Hague hacker space,
Dialogue: 0,0:58:00.70,0:58:07.68,Default,,0000,0000,0000,,BinoAlpha, who basically allowed me to use\Nhis laptop to prepare the demo, which I
Dialogue: 0,0:58:07.68,0:58:14.66,Default,,0000,0000,0000,,ended up not being able to show, but.\NRight. I was gonna ask what are the
Dialogue: 0,0:58:14.66,0:58:17.38,Default,,0000,0000,0000,,worrying questions? But I don't think\Nthere's really any time for any more.
Dialogue: 0,0:58:17.38,0:58:22.57,Default,,0000,0000,0000,,Herald: Peter, thank you so much. {\i1}Applause{\i0}\NUnfortunately, we don't have any more time
Dialogue: 0,0:58:22.57,0:58:30.72,Default,,0000,0000,0000,,left.\NPeter: I'll be around. I'll be around.
Dialogue: 0,0:58:30.72,0:58:35.66,Default,,0000,0000,0000,,Herald: I think it's very, very\Ninteresting because I hope that your talk
Dialogue: 0,0:58:35.66,0:58:41.12,Default,,0000,0000,0000,,will inspire many people to keep looking\Ninto how the management engine works and
Dialogue: 0,0:58:41.12,0:58:46.93,Default,,0000,0000,0000,,hopefully uncover even more stuff. I think\Nwe have time for just one single question.
Dialogue: 0,0:58:46.93,0:58:51.04,Default,,0000,0000,0000,,I don't know, do we? How one from the\NInternet. Thank you so much.
Dialogue: 0,0:58:51.04,0:58:56.79,Default,,0000,0000,0000,,Signal Angel: OK. First off, I have to\Ntell you. Your shirt is nice. Chat wanted
Dialogue: 0,0:58:56.79,0:59:05.00,Default,,0000,0000,0000,,me to say this. And they asked how\Nreliable this exploit is and does it work
Dialogue: 0,0:59:05.00,0:59:09.16,Default,,0000,0000,0000,,on every boot?\NPeter: Right, Yeah. That's actually
Dialogue: 0,0:59:09.16,0:59:14.96,Default,,0000,0000,0000,,something really important that I forgot\Nto mention. So they patch a vulnerability,
Dialogue: 0,0:59:14.96,0:59:17.34,Default,,0000,0000,0000,,but they didn't provide downgrade\Nprotection. If you could flash a
Dialogue: 0,0:59:17.34,0:59:24.17,Default,,0000,0000,0000,,vulnerable image with an exploit in it,\Nit'll just boot every time on these chips
Dialogue: 0,0:59:24.17,0:59:27.85,Default,,0000,0000,0000,,that's so six or seven generation chips\Nthat's put in that image and it will
Dialogue: 0,0:59:27.85,0:59:31.23,Default,,0000,0000,0000,,reliably turn on the debugger every time\Nyou turn on the computer. {\i1}applause{\i0}
Dialogue: 0,0:59:31.23,0:59:36.65,Default,,0000,0000,0000,,Herald: Thank you so much for the\Nquestion. And Peter Bosch thank you so
Dialogue: 0,0:59:36.65,0:59:39.16,Default,,0000,0000,0000,,much. Please give him a great round of\Napplause.
Dialogue: 0,0:59:39.16,0:59:43.62,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:59:43.62,1:00:08.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 20??. Join, and help us!