[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.10,0:00:15.75,Default,,0000,0000,0000,,{\i1}34c3 preroll music{\i0}
Dialogue: 0,0:00:15.75,0:00:22.45,Default,,0000,0000,0000,,Herald: Last year he presented how to get\NJTAG over USB at the 33C3. Today he will
Dialogue: 0,0:00:22.45,0:00:28.12,Default,,0000,0000,0000,,tell us how to interrogate the Intel\NManagement Engine in a similarly ingenious
Dialogue: 0,0:00:28.12,0:00:36.08,Default,,0000,0000,0000,,and devious way. Please join me in\Nwelcoming Maxim Goryachy to 34C3.
Dialogue: 0,0:00:36.08,0:00:44.13,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:00:44.59,0:00:54.80,Default,,0000,0000,0000,,Maxim Goryachy: Hello guys. I'm speaking\Nabout Intel debug capabilities at the CC
Dialogue: 0,0:00:54.80,0:01:02.58,Default,,0000,0000,0000,,Conference for the second year in a row.\NLast time I talked about how new Intel
Dialogue: 0,0:01:02.58,0:01:11.92,Default,,0000,0000,0000,,CPUs allow debug technology called Intel\NDirect Connect Interface or DCI and now
Dialogue: 0,0:01:11.92,0:01:24.67,Default,,0000,0000,0000,,I'm going to talk how activates DCI for\NIntel Management Engine. (Sorry) DCI is a
Dialogue: 0,0:01:24.67,0:01:31.75,Default,,0000,0000,0000,,private implementation of widely known\Nindustry standards for debugging hardware
Dialogue: 0,0:01:31.75,0:01:40.73,Default,,0000,0000,0000,,and low level software from Intel. And\Naddition I will talk about how it can be
Dialogue: 0,0:01:40.73,0:01:51.55,Default,,0000,0000,0000,,used for research and how to use it in\Npractice. Unfortunately my colleague Mark
Dialogue: 0,0:01:51.55,0:02:00.94,Default,,0000,0000,0000,,couldn't come and I will introduce our\Nresearch alone. And I think that you some
Dialogue: 0,0:02:00.94,0:02:09.64,Default,,0000,0000,0000,,hungry and I will be quickly. 
Out our\NManagement Engine research team at
Dialogue: 0,0:02:09.64,0:02:15.53,Default,,0000,0000,0000,,Positive Technologies includes following\Nresearchers: my colleague Dmitry Sklyarov
Dialogue: 0,0:02:15.53,0:02:27.47,Default,,0000,0000,0000,,and Mark Ermolov and myself. Mark Ermolov\Nis my colleague. With him, with whom we
Dialogue: 0,0:02:27.47,0:02:32.79,Default,,0000,0000,0000,,found Intel vulnerability in Intel\NManagement Engine. He is a system
Dialogue: 0,0:02:32.79,0:02:38.62,Default,,0000,0000,0000,,programmer and a reverse engineer and\NDmitry Sklyarov a well known reverse
Dialogue: 0,0:02:38.62,0:02:45.83,Default,,0000,0000,0000,,engineer who did 5 #research of the ME\Nfilesystem. He recovered Huffman codes for
Dialogue: 0,0:02:45.83,0:02:59.20,Default,,0000,0000,0000,,version 11 of ME and you can find his tool\Nfor unpacking ME image and for parsing ME
Dialogue: 0,0:02:59.20,0:03:09.73,Default,,0000,0000,0000,,file system on our Github pages. How you\Ncan see our previous talk related to ME
Dialogue: 0,0:03:09.73,0:03:16.98,Default,,0000,0000,0000,,and our contacts so you can feel free to\Ncommunicate with us for any question
Dialogue: 0,0:03:16.98,0:03:25.37,Default,,0000,0000,0000,,you're interested about our research. How\NI have just said I will talk about what is
Dialogue: 0,0:03:25.37,0:03:32.40,Default,,0000,0000,0000,,Intel ME, how it's implemented and how we\Nactivated JTAG for ME Core vulnerability
Dialogue: 0,0:03:32.40,0:03:40.65,Default,,0000,0000,0000,,which Mark and I found. Then I disclose in\Ndetails how our technique works and show
Dialogue: 0,0:03:40.65,0:03:55.40,Default,,0000,0000,0000,,proven our achievements. How many people\Nin this hall know what is ME? Oh cool! But
Dialogue: 0,0:03:55.40,0:04:05.04,Default,,0000,0000,0000,,in here, a review. As a topic, the\NManagement Engine is very popular now. 
Dialogue: 0,0:04:05.04,0:04:08.94,Default,,0000,0000,0000,,First it's almost fully undocumented and\Nvery powerful at the same time. For
Dialogue: 0,0:04:08.94,0:04:15.26,Default,,0000,0000,0000,,example it has full access to your\Nplatform's hardware including CPU complex,
Dialogue: 0,0:04:15.26,0:04:23.46,Default,,0000,0000,0000,,it has capabilities to intercept all that\Nyou are doing on your PC. For example
Dialogue: 0,0:04:23.46,0:04:34.00,Default,,0000,0000,0000,,keyboard, he has access to keyboard to\NUSB and of course PCI buses. It is also a
Dialogue: 0,0:04:34.00,0:04:46.60,Default,,0000,0000,0000,,root of trust for many Intel security\Nfeatures like TPM, like DRM and APT. Intel
Dialogue: 0,0:04:46.60,0:04:52.38,Default,,0000,0000,0000,,has chosen the following design for ME\Nversion 11: independent microcontroller,
Dialogue: 0,0:04:52.38,0:05:03.71,Default,,0000,0000,0000,,own operating system based on Minix, built\Nin Java Machine. It gets started before
Dialogue: 0,0:05:03.71,0:05:13.37,Default,,0000,0000,0000,,main CPU. Its firmware has parts in PCH,\Nbeyond in memory and in SPI flash. Many
Dialogue: 0,0:05:13.37,0:05:19.29,Default,,0000,0000,0000,,Intel technologies are implemented with\Nhelp of Management Engine for example
Dialogue: 0,0:05:19.29,0:05:34.01,Default,,0000,0000,0000,,Active Management Technology or PVT and we\Nthink that SGX, too. Another question how
Dialogue: 0,0:05:34.01,0:05:51.69,Default,,0000,0000,0000,,many people in this hall know what is\NJTAG? Cool! But some review of JTAG. JTAG
Dialogue: 0,0:05:51.69,0:05:58.30,Default,,0000,0000,0000,,stands for Joint Test Action Group and you\Ncan find its description in IEEE standards
Dialogue: 0,0:05:58.30,0:06:05.91,Default,,0000,0000,0000,,which the details available in the\Nstandard itself. As the results of the
Dialogue: 0,0:06:05.91,0:06:16.35,Default,,0000,0000,0000,,paper available on our blog where the\Ndesign is described in close details. 
Out
Dialogue: 0,0:06:16.35,0:06:23.38,Default,,0000,0000,0000,,often manufacture extend standard JTAG by\Nadding their own functions. JTAG in Intel
Dialogue: 0,0:06:23.38,0:06:31.53,Default,,0000,0000,0000,,processor is described rather poorly and\Nsome information can be found in documents
Dialogue: 0,0:06:31.53,0:06:46.37,Default,,0000,0000,0000,,and patent. You can see our paper on the\Nslide and starting with Skylake, Intel
Dialogue: 0,0:06:46.37,0:06:50.58,Default,,0000,0000,0000,,introduced\NDirect Connect Interface technology
Dialogue: 0,0:06:50.58,0:06:55.89,Default,,0000,0000,0000,,and you can find the description
Dialogue: 0,0:06:55.89,0:07:06.54,Default,,0000,0000,0000,,of it in the documents and in our works.\NThe diagrams show two types of connection:
Dialogue: 0,0:07:06.54,0:07:14.67,Default,,0000,0000,0000,,using a specific device, a so-called Intel\NSVT Closed Chassis Adapter or a common
Dialogue: 0,0:07:14.67,0:07:23.08,Default,,0000,0000,0000,,used USB3 debug cable. I would like to\Nnote that the target system in this case
Dialogue: 0,0:07:23.08,0:07:30.79,Default,,0000,0000,0000,,doesn't require the use of a hardware\Nagent. The drawback of this technology is
Dialogue: 0,0:07:30.79,0:07:37.98,Default,,0000,0000,0000,,that it works out of box. Intel or Silicon\NValley technology closed {\i1}unintelligible{\i0}
Dialogue: 0,0:07:37.98,0:07:51.18,Default,,0000,0000,0000,,provides access to DFx features like\NJTAG and RAM control through USB3 ports on
Dialogue: 0,0:07:51.18,0:08:02.16,Default,,0000,0000,0000,,platforms. It works through USB3 links but\Nimplements a private protocol and makes it
Dialogue: 0,0:08:02.16,0:08:07.96,Default,,0000,0000,0000,,possible to manipulate the target system\Nin deep sleep mode. It means that in this
Dialogue: 0,0:08:07.96,0:08:26.27,Default,,0000,0000,0000,,mode you have independent links between\NJTAG adapter and PCH. 
USB3 host on DCI is
Dialogue: 0,0:08:26.27,0:08:32.84,Default,,0000,0000,0000,,common USB3 debug cable which works as OTG\Ndevice that means that a special device
Dialogue: 0,0:08:32.84,0:08:38.64,Default,,0000,0000,0000,,appears on the host system and activation\Nand commands are sent to device through
Dialogue: 0,0:08:38.64,0:08:46.84,Default,,0000,0000,0000,,the common USB interface. As the device\Nitself is integrated into PCH and it
Dialogue: 0,0:08:46.84,0:08:58.45,Default,,0000,0000,0000,,transforms the command into JTAG. If you\Nhave JTAG for ME devices it means you have
Dialogue: 0,0:08:58.45,0:09:04.87,Default,,0000,0000,0000,,almost full control of ME. Two main\Nquestions: Doesn't who provides of any
Dialogue: 0,0:09:04.87,0:09:09.80,Default,,0000,0000,0000,,technique for debugging ME on public\Nplatforms? And the second: What does
Dialogue: 0,0:09:09.80,0:09:20.89,Default,,0000,0000,0000,,software and hardware need for any\Ndebugging? Ok. The answer to the first
Dialogue: 0,0:09:20.89,0:09:28.42,Default,,0000,0000,0000,,question: Yes they found a special\Npartition called UTOK which allocated on
Dialogue: 0,0:09:28.42,0:09:40.75,Default,,0000,0000,0000,,the special, on the SPI flash where\Nstorage ME. This partition has same
Dialogue: 0,0:09:40.75,0:09:47.61,Default,,0000,0000,0000,,structures FPT and another partition of\NME. Partition builts entry of available
Dialogue: 0,0:09:47.61,0:09:55.60,Default,,0000,0000,0000,,debug capabilities. One of this records\Nmeans types of unlock: Red or orange.
Dialogue: 0,0:09:55.60,0:10:04.90,Default,,0000,0000,0000,,Please pay attention, it will be important\Nlater. And what is, what means DFx? DFx is
Dialogue: 0,0:10:04.90,0:10:13.06,Default,,0000,0000,0000,,collective term for next to privation DFT\Ndesigned for testability and DFD designed
Dialogue: 0,0:10:13.06,0:10:27.18,Default,,0000,0000,0000,,for debugging. 
DFT is set of technique\Nused for manufacturing defects finding of
Dialogue: 0,0:10:27.18,0:10:38.26,Default,,0000,0000,0000,,integrated chips and standard DFT it\Ngenerally buys it on ordinary boundaries
Dialogue: 0,0:10:38.26,0:10:48.88,Default,,0000,0000,0000,,can detect comments but Intel extends its\NDFT in its branded Silicon View
Dialogue: 0,0:10:48.88,0:10:55.49,Default,,0000,0000,0000,,technology. DFD joins all internal chip\Nlevel logic used to organize Hardware
Dialogue: 0,0:10:55.49,0:11:02.40,Default,,0000,0000,0000,,level debugging of course sequences\Nexecuted by chips. DFx is connected to
Dialogue: 0,0:11:02.40,0:11:13.94,Default,,0000,0000,0000,,internal world by a special thing called\Nembedded DFx interface. This bridge
Dialogue: 0,0:11:13.94,0:11:20.20,Default,,0000,0000,0000,,connects DFx with external industry\Ninterface like USB there is a special
Dialogue: 0,0:11:20.20,0:11:26.75,Default,,0000,0000,0000,,device in interpret from controller hub\Ncalled DFx aggregator its function is
Dialogue: 0,0:11:26.75,0:11:44.97,Default,,0000,0000,0000,,to control access to DFx. 2 types : orange\Ntypes it means that vendors may use the
Dialogue: 0,0:11:44.97,0:11:54.79,Default,,0000,0000,0000,,JTAG debugging for ICH for example and\Nauto partition for orange unlock must be
Dialogue: 0,0:11:54.79,0:12:06.74,Default,,0000,0000,0000,,signed by vendor scheme. This key stored\Nin FPF fuses and more interesting is red
Dialogue: 0,0:12:06.74,0:12:17.67,Default,,0000,0000,0000,,unlock because this unlock provides full\Naccess to besiege. The internal devices
Dialogue: 0,0:12:17.67,0:12:31.89,Default,,0000,0000,0000,,unlocks JTAG for ME core and provides\Nunlimited access to ME memory. 
Intel
Dialogue: 0,0:12:31.89,0:12:37.36,Default,,0000,0000,0000,,management engine uses two devices for\Nsupport Hardware debugging the fixed
Dialogue: 0,0:12:37.36,0:12:44.28,Default,,0000,0000,0000,,aggregator management's defects\Nfunctionality and the CSE zeroing register
Dialogue: 0,0:12:44.28,0:12:55.84,Default,,0000,0000,0000,,from device called GEN and only\NBUP and ROM uses this device.
Dialogue: 0,0:12:55.84,0:13:02.99,Default,,0000,0000,0000,,It is CSE zeroing register\Nwhen we know only
Dialogue: 0,0:13:02.99,0:13:09.40,Default,,0000,0000,0000,,about 1 bit.\NWe called it Intel unlock
Dialogue: 0,0:13:09.40,0:13:26.37,Default,,0000,0000,0000,,request and this register means that you\Nasked the platform to do red unlock. More
Dialogue: 0,0:13:26.37,0:13:36.34,Default,,0000,0000,0000,,interesting is DFx aggregator register and\Npersonality register. Personality register
Dialogue: 0,0:13:36.34,0:13:45.15,Default,,0000,0000,0000,,specifies type of unlock red or orange and\Nconsent used for allowed right to personality
Dialogue: 0,0:13:45.15,0:13:58.88,Default,,0000,0000,0000,,register. It means that consent\Nregister or it means that this bit to
Dialogue: 0,0:13:58.88,0:14:16.85,Default,,0000,0000,0000,,allow write data in DFx personality\Nregister and red unlock works in 2
Dialogue: 0,0:14:16.85,0:14:28.98,Default,,0000,0000,0000,,steps. On the first, the BUP fun is\Nfinding UTOK partition. If partition
Dialogue: 0,0:14:28.98,0:14:43.17,Default,,0000,0000,0000,,found, the BUP checked is checking\Npartition signatory and platform ID. 
Also
Dialogue: 0,0:14:43.17,0:15:02.59,Default,,0000,0000,0000,,BUP checks time because the talk has time\Nlimitation and after that if all is okay,
Dialogue: 0,0:15:02.59,0:15:11.53,Default,,0000,0000,0000,,BUP parses an entry in UTOK\Npartition called knobs if intel knob
Dialogue: 0,0:15:11.53,0:15:27.03,Default,,0000,0000,0000,,unlock founded and platform is not already\Nunlocked BOB set these aren't register and
Dialogue: 0,0:15:27.03,0:15:38.19,Default,,0000,0000,0000,,do not reset in it. After set in ROM,\Ncheck is checking TCS errant register and
Dialogue: 0,0:15:38.19,0:15:53.70,Default,,0000,0000,0000,,if it's set, it to clean this register and\Nswitch on consent and personality it means
Dialogue: 0,0:15:53.70,0:16:11.85,Default,,0000,0000,0000,,red unlock after that ROM is cleaning\NME keys and working but if you have active
Dialogue: 0,0:16:11.85,0:16:18.45,Default,,0000,0000,0000,,but if dci is active immediate doesn't\Nlatch the fix consent register. It means
Dialogue: 0,0:16:18.45,0:16:31.60,Default,,0000,0000,0000,,that if you want to switch on JTAG you\Ndon't need to reboot ME. if you have the
Dialogue: 0,0:16:31.60,0:16:43.78,Default,,0000,0000,0000,,second action {\i1}inhales deeply{\i0} and how active\Nhow to wait red unlock without intel
Dialogue: 0,0:16:43.78,0:16:50.94,Default,,0000,0000,0000,,keys on Black Hat Europe we disclosed bug\Nin BUP model. 
This function as you can see
Dialogue: 0,0:16:50.94,0:16:56.92,Default,,0000,0000,0000,,has a vulnerability when it called other\Nfunction reading in BUP CT file it gives
Dialogue: 0,0:16:56.92,0:17:05.17,Default,,0000,0000,0000,,incorrect size of data to read instead of\Nlocal buffer size the buffer DFS file read
Dialogue: 0,0:17:05.17,0:17:14.01,Default,,0000,0000,0000,,function gets the size of the role file\Nhow we exploited this vulnerability you
Dialogue: 0,0:17:14.01,0:17:22.64,Default,,0000,0000,0000,,can found in our presentation from\NBlack Hat and using the vulnerability we
Dialogue: 0,0:17:22.64,0:17:34.96,Default,,0000,0000,0000,,also have activated attack for management\Nengine and to research ME in internal of
Dialogue: 0,0:17:34.96,0:17:48.31,Default,,0000,0000,0000,,in ME right activation without intel keys\Nmay be doing after 4 simple steps on the
Dialogue: 0,0:17:48.31,0:17:56.70,Default,,0000,0000,0000,,first activate manufacture mode for target\Nit means for DCI and set the size drop in
Dialogue: 0,0:17:56.70,0:18:02.82,Default,,0000,0000,0000,,a flash descriptor and using the\Nvulnerability to a lot well with 3 to
Dialogue: 0,0:18:02.82,0:18:19.72,Default,,0000,0000,0000,,DFx personality register and after that\Nyou you will have MEquerem? and you can do
Dialogue: 0,0:18:19.72,0:18:32.79,Default,,0000,0000,0000,,research in internal semi but\Nunfortunately you will have one problem
Dialogue: 0,0:18:32.79,0:18:44.06,Default,,0000,0000,0000,,because you don't have software for\Ndebugging Keeney but it is small problem
Dialogue: 0,0:18:44.06,0:18:52.73,Default,,0000,0000,0000,,and next let's talk about software part of\Ntechnologists tech it's presented by DAL.. 
Dialogue: 0,0:18:52.73,0:19:00.15,Default,,0000,0000,0000,,Intel DFX abstraction layer package\Nit's alleged library exposes all power of
Dialogue: 0,0:19:00.15,0:19:09.61,Default,,0000,0000,0000,,DFx software model as we found DAL\Nheslage history supports various platform
Dialogue: 0,0:19:09.61,0:19:23.47,Default,,0000,0000,0000,,and CPU architecture designed to work with\Ndifferent debug ports and hardware were we
Dialogue: 0,0:19:23.47,0:19:28.82,Default,,0000,0000,0000,,know that DAL is a core of all\Ninstruments that Intel uses for testing
Dialogue: 0,0:19:28.82,0:19:38.10,Default,,0000,0000,0000,,and debugging of its hardware and firmware\Ncomponents so it's provided with Intel
Dialogue: 0,0:19:38.10,0:19:47.66,Default,,0000,0000,0000,,systems studio for example and can be\Ndownload without an ID and DAL is almost
Dialogue: 0,0:19:47.66,0:20:02.33,Default,,0000,0000,0000,,written in C# and has same structure on the\Ntop DAL has console interface
Dialogue: 0,0:20:02.33,0:20:14.02,Default,,0000,0000,0000,,and GUI interface and library\Nlayer and Driver transport and DFX on
Dialogue: 0,0:20:14.02,0:20:24.35,Default,,0000,0000,0000,,target we found a patent from Intel in\Npublic description corelation of DFX exci
Dialogue: 0,0:20:24.35,0:20:34.26,Default,,0000,0000,0000,,internal interfaces you can see our\Nprevious work to details about how
Dialogue: 0,0:20:34.26,0:20:49.25,Default,,0000,0000,0000,,internal structure of dialogues DAL's\Narchitecture is based on notion there
Dialogue: 0,0:20:49.25,0:20:57.85,Default,,0000,0000,0000,,are two type of nodes physical and logical\Nphysical nodes represents 3 of hardware
Dialogue: 0,0:20:57.85,0:21:08.54,Default,,0000,0000,0000,,components organized from probe unit and\Nincluding the following levels gdect e to
Dialogue: 0,0:21:08.54,0:21:15.63,Default,,0000,0000,0000,,c bus and an other logical nodes\Nrepresents certain functionalities that
Dialogue: 0,0:21:15.63,0:21:22.15,Default,,0000,0000,0000,,can be used to 
perform debugging stuff and\Nmany problems at public version of DAL
Dialogue: 0,0:21:22.15,0:21:28.21,Default,,0000,0000,0000,,doesn't include configuration for\NME core however that didn't stop us
Dialogue: 0,0:21:28.21,0:21:47.49,Default,,0000,0000,0000,,and we found the solution how I said DAL\Nhas some configuration and as
Dialogue: 0,0:21:47.49,0:21:52.57,Default,,0000,0000,0000,,we investigated during reverse engineering\Nof the DAL library each configuration is
Dialogue: 0,0:21:52.57,0:22:01.20,Default,,0000,0000,0000,,included in encrypted XML files DAL uses\Naes cipher and key derivation function
Dialogue: 0,0:22:01.20,0:22:13.21,Default,,0000,0000,0000,,pbkdf2 with fixed key and salt the first\Nof lines of poem it is salt and ATP is
Dialogue: 0,0:22:13.21,0:22:22.96,Default,,0000,0000,0000,,easy key the simple program on is a simple\Nprogram allows the crypto device
Dialogue: 0,0:22:22.96,0:22:26.88,Default,,0000,0000,0000,,configuration of DAL \N{\i1}applause{\i0}
Dialogue: 0,0:22:26.88,0:22:34.18,Default,,0000,0000,0000,,Thank you.\N{\i1}applause continues{\i0}
Dialogue: 0,0:22:34.18,0:22:42.46,Default,,0000,0000,0000,,Maybe another poems to decrypt,\Nfor example
Dialogue: 0,0:22:42.46,0:22:50.71,Default,,0000,0000,0000,,microcode of CPU, I don't know.\NHow there is no configuration of any
Dialogue: 0,0:22:50.71,0:22:56.93,Default,,0000,0000,0000,,devices, we found that ME core is an LMT2\Ndevices and the configuration of this
Dialogue: 0,0:22:56.93,0:23:02.25,Default,,0000,0000,0000,,device can be found in decrypted XML\Nfiles, before anybody can write
Dialogue: 0,0:23:02.25,0:23:12.00,Default,,0000,0000,0000,,configuration for ME. I don't know, for\Nexample on the slide you can see internal
Dialogue: 0,0:23:12.00,0:23:25.67,Default,,0000,0000,0000,,structure of LP series of PCH. It is U\Nseries of cpu and at the top divided
Dialogue: 0,0:23:25.67,0:23:42.77,Default,,0000,0000,0000,,on four part and on top connected parts\Nin the end ME core. 
and how to do
Dialogue: 0,0:23:42.77,0:23:51.88,Default,,0000,0000,0000,,custom configuration, four first\Nsteps: on the first decrypt XML files, the
Dialogue: 0,0:23:51.88,0:24:01.79,Default,,0000,0000,0000,,second adds the following clients to top\NSPT XML and use DAL environment for any
Dialogue: 0,0:24:01.79,0:24:40.64,Default,,0000,0000,0000,,debugging and it will make your computer\Npersonal again. Some demo. One moment.
Dialogue: 0,0:24:40.64,0:24:55.66,Default,,0000,0000,0000,,Okay. It is version of systems studio\Nand we decrypt files, with configuration
Dialogue: 0,0:24:55.66,0:25:18.50,Default,,0000,0000,0000,,of DAL, and to edit to add some lines.\NThe top is for each series of PCH and the
Dialogue: 0,0:25:18.50,0:25:35.35,Default,,0000,0000,0000,,bottom for LP series. It is ME core, it is\Nlinked between ME core and {\i1}unintelligible{\i0}
Dialogue: 0,0:25:46.59,0:26:01.13,Default,,0000,0000,0000,,We halt the execution, we load some,\Nreloading some library, our library, we
Dialogue: 0,0:26:01.13,0:26:31.01,Default,,0000,0000,0000,,set up reset breaks, it needs for to stop\Non the reset vector in ME. How you can see
Dialogue: 0,0:26:31.01,0:26:50.73,Default,,0000,0000,0000,,GDT table and current instruction and the\Nregister value, LDT value and we are doing
Dialogue: 0,0:26:50.73,0:27:32.47,Default,,0000,0000,0000,,a reset on ME and step in\Ninstruction in to ME. Then initialize
Dialogue: 0,0:27:32.47,0:28:17.17,Default,,0000,0000,0000,,of segments and new GDT value, ok and okay\Nand demo from black hat. it is our stand,
Dialogue: 0,0:28:17.17,0:28:54.22,Default,,0000,0000,0000,,it is host platform, already halted, init\Nsettings for any core. Oh sorry. It is not
Dialogue: 0,0:28:54.22,0:29:12.08,Default,,0000,0000,0000,,ME. 
The reset vector, how you can see in\Ncatcher interface it is
Dialogue: 0,0:29:12.08,0:29:26.12,Default,,0000,0000,0000,,special device between which manufacture\Nfor for links between host CPU and ME and
Dialogue: 0,0:29:26.12,0:29:39.83,Default,,0000,0000,0000,,now we read some read only register for\NCPU from (???????) and set the value of
Dialogue: 0,0:29:39.83,0:30:01.40,Default,,0000,0000,0000,,this register from ME. The magic. \N{\i1}applause{\i0}
Dialogue: 0,0:30:01.40,0:30:07.21,Default,,0000,0000,0000,,And then my demo\Nis more interesting than my English
Dialogue: 0,0:30:07.21,0:30:53.78,Default,,0000,0000,0000,,sorry and I have a live demo if internet\Nwill be good. One moment. It's my machine
Dialogue: 0,0:30:53.78,0:31:31.62,Default,,0000,0000,0000,,at work and the internet is not good\Nsorry. maybe maybe later. Okay. And our
Dialogue: 0,0:31:31.62,0:31:38.83,Default,,0000,0000,0000,,achievement: JTAG activation, we we do\NJTAG - well achievement in respect to the
Dialogue: 0,0:31:38.83,0:31:49.23,Default,,0000,0000,0000,,vulnerability, in addition we activate\NJTAG for ME. Also we dumped the ME startup
Dialogue: 0,0:31:49.23,0:32:01.59,Default,,0000,0000,0000,,code and found the way to extract\Nplatform's key used by the flash file
Dialogue: 0,0:32:01.59,0:32:17.26,Default,,0000,0000,0000,,system. It means that you can decrypt and\Nintegrate your files into ME and ME
Dialogue: 0,0:32:17.26,0:32:28.93,Default,,0000,0000,0000,,doesn't detect it. And our links: on our\NGitHub page you can find our tools for ME
Dialogue: 0,0:32:28.93,0:32:37.38,Default,,0000,0000,0000,,reversing researching and our blogs, where\Nis our article, our reference and thank
Dialogue: 0,0:32:37.38,0:32:40.18,Default,,0000,0000,0000,,you for your attention. Questions please. 
Dialogue: 0,0:32:40.18,0:32:49.57,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:32:49.57,0:32:54.20,Default,,0000,0000,0000,,Herald: So anyone that has a question for\NMaxim please line up by one of the
Dialogue: 0,0:32:54.20,0:32:59.13,Default,,0000,0000,0000,,microphones. They are 1, 2, 3, 4 on this\Nside of the room and 5, 6, 7, 8 on that
Dialogue: 0,0:32:59.13,0:33:03.26,Default,,0000,0000,0000,,side of the room. If you are watching\Nonline we have a signal angel, who is
Dialogue: 0,0:33:03.26,0:33:08.47,Default,,0000,0000,0000,,monitoring the internet for all of your\Ninteresting questions and they will be
Dialogue: 0,0:33:08.47,0:33:12.37,Default,,0000,0000,0000,,asked. So already here\Nat microphone number one.
Dialogue: 0,0:33:12.37,0:33:17.91,Default,,0000,0000,0000,,Mic 1: Okay so it mentions, you mention\Nthat you dumped the ROM. And previously,
Dialogue: 0,0:33:17.91,0:33:22.16,Default,,0000,0000,0000,,as there were some rumors with ROM bypass\Navailable, did you compare the dumped
Dialogue: 0,0:33:22.16,0:33:23.55,Default,,0000,0000,0000,,Maxim: Yeah.\NMic 1: ROM against ROM bypass
Dialogue: 0,0:33:23.55,0:33:25.03,Default,,0000,0000,0000,,Maxim: Yeah.\NMic 1: and is it the same?
Dialogue: 0,0:33:25.03,0:33:26.04,Default,,0000,0000,0000,,Maxim: No.\NMic 1: No?
Dialogue: 0,0:33:26.04,0:33:37.84,Default,,0000,0000,0000,,Maxim: We found there's some difference\Nbut it relates with that ME bypass code
Dialogue: 0,0:33:37.84,0:33:46.89,Default,,0000,0000,0000,,starts into protected mode but a\Nreal ROM starts into real mode.
Dialogue: 0,0:33:46.89,0:33:51.85,Default,,0000,0000,0000,,Mic 1: Okay, so otherwise it's\Nfunctioning almost the same. 
Dialogue: 0,0:33:51.85,0:33:59.38,Default,,0000,0000,0000,,Maxim: Hmm, we found some difference in\Ncryptography but I think it is not
Dialogue: 0,0:33:59.38,0:34:02.55,Default,,0000,0000,0000,,important.\NHerald: So, if you if you are leaving
Dialogue: 0,0:34:02.55,0:34:06.35,Default,,0000,0000,0000,,please be quiet, so the talk is still\Ngoing on, we're still having questions and
Dialogue: 0,0:34:06.35,0:34:13.08,Default,,0000,0000,0000,,answers and please be considerate of the\Npeople asking questions. Thank you. The
Dialogue: 0,0:34:13.08,0:34:20.39,Default,,0000,0000,0000,,next one, from microphone number five.\NMic 5: Yeah, so you set the personality
Dialogue: 0,0:34:20.39,0:34:27.39,Default,,0000,0000,0000,,register to red and then you reset the ME\Nand it will break at the reset. Is that
Dialogue: 0,0:34:27.39,0:34:32.91,Default,,0000,0000,0000,,register persistence over reboots or you\Nhave to do the exploit and set it every
Dialogue: 0,0:34:32.91,0:34:36.70,Default,,0000,0000,0000,,time?\NMaxim: Yeah, you need to do it every time.
Dialogue: 0,0:34:36.70,0:34:47.13,Default,,0000,0000,0000,,This only persist between resets.\NHerald: Signal angel, is there's a
Dialogue: 0,0:34:47.13,0:34:50.84,Default,,0000,0000,0000,,question from the internet.\NSignal Angel: Yes, they'd like to know
Dialogue: 0,0:34:50.84,0:34:54.38,Default,,0000,0000,0000,,where to find the internal USB port on the
Dialogue: 0,0:34:54.38,0:34:59.09,Default,,0000,0000,0000,,main board.\NMaxim: Sorry please repetition.
Dialogue: 0,0:34:59.09,0:35:05.54,Default,,0000,0000,0000,,Sig Ang: The question is where to find the\Ninternal USB port on the main board for
Dialogue: 0,0:35:05.54,0:35:14.32,Default,,0000,0000,0000,,the JTAG access.\NMaxim: How I know all USB ports now has
Dialogue: 0,0:35:14.32,0:35:23.17,Default,,0000,0000,0000,,access to this functionality. You don't\Nneed to find its ports on your system. 
If
Dialogue: 0,0:35:23.17,0:35:34.79,Default,,0000,0000,0000,,you have platform with Skylake you always\Nhas this functionality on your USB ports.
Dialogue: 0,0:35:34.79,0:35:48.77,Default,,0000,0000,0000,,Oh, of course if this ports link directly\Nto PCH, if if it is port- link- connected
Dialogue: 0,0:35:48.77,0:36:01.41,Default,,0000,0000,0000,,where some another controller you probably\Ndon't have to stay on these ports.
Dialogue: 0,0:36:01.41,0:36:09.02,Default,,0000,0000,0000,,Herald: Microphone, microphone number two.\NMic 2: Does it work, means you can extract
Dialogue: 0,0:36:09.02,0:36:14.89,Default,,0000,0000,0000,,any key from ME, for example key for SGX\Nremote attestation?
Dialogue: 0,0:36:14.89,0:36:26.15,Default,,0000,0000,0000,,Maxim: I didn't know. We are starting this\Nresearch how ME relates with SGX and we -
Dialogue: 0,0:36:26.15,0:36:41.72,Default,,0000,0000,0000,,I don't know how key in ME extract, derive\Nand loaded and relate with SGX. I don't
Dialogue: 0,0:36:41.72,0:36:45.04,Default,,0000,0000,0000,,know, sorry.\NHerald: Microphone number one.
Dialogue: 0,0:36:45.04,0:36:52.17,Default,,0000,0000,0000,,Mic 1: Did you receive any any messages,\Nany recognition about this from Intel?
Dialogue: 0,0:36:52.17,0:36:59.84,Default,,0000,0000,0000,,Maxim: You mean that - did we share this\Ninformation with Intel?
Dialogue: 0,0:36:59.84,0:37:05.60,Default,,0000,0000,0000,,Mic 1: No, did they react to, did they\Nreact in any way to that?
Dialogue: 0,0:37:05.60,0:37:10.11,Default,,0000,0000,0000,,Maxim: After our vulnerabilities they said\N"okay"
Dialogue: 0,0:37:10.11,0:37:12.54,Default,,0000,0000,0000,,{\i1}audience laughs{\i0}
Dialogue: 0,0:37:12.54,0:37:15.05,Default,,0000,0000,0000,,Mic 1: Okay, so nothing much\Nexcept for patches?
Dialogue: 0,0:37:15.05,0:37:17.01,Default,,0000,0000,0000,,Maxim: Yeah.\NMic 1: Okay, thank you. 
Dialogue: 0,0:37:17.01,0:37:20.34,Default,,0000,0000,0000,,Herald: Signal angel, is there another\Nquestion from the internet?
Dialogue: 0,0:37:20.34,0:37:27.82,Default,,0000,0000,0000,,Sig Ang: Yeah - how can you disable the\NJTAG access? is just disabling the ME
Dialogue: 0,0:37:27.82,0:37:36.91,Default,,0000,0000,0000,,enough or what do you have to do?\NMaxim: Sorry, you mean how Intel disabled
Dialogue: 0,0:37:36.91,0:37:44.81,Default,,0000,0000,0000,,decide functionality for ME and\NSig Ang: How can you fix it now, how could
Dialogue: 0,0:37:44.81,0:37:48.77,Default,,0000,0000,0000,,the Intel fix it or how can you secure\Nyour own system?
Dialogue: 0,0:37:48.77,0:37:59.01,Default,,0000,0000,0000,,Maxim: It is not, it is just feature it is\Nnot bug, sorry. You don't have any chance
Dialogue: 0,0:37:59.01,0:38:06.64,Default,,0000,0000,0000,,a chance to switch on JTAG for in ME if\Nyou don't have UTAG or you don't have
Dialogue: 0,0:38:06.64,0:38:23.48,Default,,0000,0000,0000,,vulnerability. And JTAG for ME switch on\Nonly inter BUP mode module - in inter-in
Dialogue: 0,0:38:23.48,0:38:31.13,Default,,0000,0000,0000,,BUP module. If we have vulnerability in\Nother module, for example in AMT, we
Dialogue: 0,0:38:31.13,0:38:46.26,Default,,0000,0000,0000,,mustn't do it. And if you have to try -\Nit's its feature, it is not bug. You can
Dialogue: 0,0:38:46.26,0:38:54.43,Default,,0000,0000,0000,,switch off the HECI flash descriptor and\Nto fix this side problem which we found in
Dialogue: 0,0:38:54.43,0:39:01.11,Default,,0000,0000,0000,,last year, and it will be ok.
Dialogue: 0,0:39:01.11,0:39:03.65,Default,,0000,0000,0000,,Herald: Microphone number four \Nin the back.
Dialogue: 0,0:39:03.65,0:39:07.50,Default,,0000,0000,0000,,Mic 4: I believe one of your previous\Nslides mentioned that they incorporated a
Dialogue: 0,0:39:07.50,0:39:12.12,Default,,0000,0000,0000,,Java Virtual Machine - why in god's earth\Ndid they do that? 
Dialogue: 0,0:39:12.12,0:39:30.19,Default,,0000,0000,0000,,Maxim: How I know; this it is DAL and it\Nhas some relative with jeeks when I know.
Dialogue: 0,0:39:30.19,0:39:36.49,Default,,0000,0000,0000,,I didn't have details.\NHerald: So microphone number five.
Dialogue: 0,0:39:36.49,0:39:44.85,Default,,0000,0000,0000,,Mic 5: The last slide mentioned the\Nextraction of platform keys. So a simple
Dialogue: 0,0:39:44.85,0:39:54.42,Default,,0000,0000,0000,,question - are they enough to sign a\Nfirmware update which you would modify so
Dialogue: 0,0:39:54.42,0:40:04.82,Default,,0000,0000,0000,,that ME would accept it--\NMaxim: No, sorry. Please repeat.
Dialogue: 0,0:40:04.82,0:40:16.37,Default,,0000,0000,0000,,Mic 5: Okay so let me rephrase\NMaxim: I understand. You, okay, the
Dialogue: 0,0:40:16.37,0:40:27.12,Default,,0000,0000,0000,,firmware sign it by Intel public key. I\Ndon't have private key of Intel and this
Dialogue: 0,0:40:27.12,0:40:36.12,Default,,0000,0000,0000,,key is not built-in into ME. It is\Nplatform it is only platform key - this
Dialogue: 0,0:40:36.12,0:40:47.29,Default,,0000,0000,0000,,key for symmetric encryption files and\Nsign it files on the file system. If you
Dialogue: 0,0:40:47.29,0:40:56.48,Default,,0000,0000,0000,,have this key, you can only modify any\Nfile system. But unfortunately the
Dialogue: 0,0:40:56.48,0:41:08.76,Default,,0000,0000,0000,,execution module start in in other places.\NMic 5: Okay, I get it so now is the path
Dialogue: 0,0:41:08.76,0:41:13.58,Default,,0000,0000,0000,,for castrating system from ME yet,\Nthank you.
Dialogue: 0,0:41:13.58,0:41:19.20,Default,,0000,0000,0000,,Herald: Signal angel?\NSignal Angel: Can you have only free
Dialogue: 0,0:41:19.20,0:41:23.26,Default,,0000,0000,0000,,software running on the ME?
Dialogue: 0,0:41:23.26,0:41:26.98,Default,,0000,0000,0000,,Maxim: Sorry,\Nplease repeat question, slowly. 
Dialogue: 0,0:41:26.98,0:41:34.05,Default,,0000,0000,0000,,Signal Angel: Can you have only free\Nsoftware running on the ME by modifying
Dialogue: 0,0:41:34.05,0:41:42.03,Default,,0000,0000,0000,,the flash contents?\NMaxim: I don't understand, sorry. You mean
Dialogue: 0,0:41:42.03,0:41:51.33,Default,,0000,0000,0000,,that how how how we can modify the file\Nsystems or not?
Dialogue: 0,0:41:51.33,0:41:56.28,Default,,0000,0000,0000,,Signal Angel: Yeah replace the ME firmware\Nwith free code
Dialogue: 0,0:41:56.28,0:42:10.57,Default,,0000,0000,0000,,Maxim: No no, unfortunately because we we\Nmustn't to change the the chain between
Dialogue: 0,0:42:10.57,0:42:21.43,Default,,0000,0000,0000,,ROM and BUP module. And we mustn't to\Nchange kernel of ME and BUP module. I
Dialogue: 0,0:42:21.43,0:42:32.89,Default,,0000,0000,0000,,don't know how use it functionality for\Nchange in need to open source solution.
Dialogue: 0,0:42:32.89,0:42:41.98,Default,,0000,0000,0000,,But of course you can to do you can do\Nspecial device with detection finality
Dialogue: 0,0:42:41.98,0:42:50.44,Default,,0000,0000,0000,,which to replace after reboot all ME from\Nreset vector and executed. But it is some
Dialogue: 0,0:42:50.44,0:43:05.95,Default,,0000,0000,0000,,quirks, somehow some - impossible, I think\NHerald: Microphone number two.
Dialogue: 0,0:43:05.95,0:43:11.94,Default,,0000,0000,0000,,Mic 2: Are you aware anywhere the MINIX\Nimage has been leaked somewhere where
Dialogue: 0,0:43:11.94,0:43:14.87,Default,,0000,0000,0000,,perhaps it could be\Ndownloaded and analyzed?
Dialogue: 0,0:43:14.87,0:43:23.12,Default,,0000,0000,0000,,Maxim: Unfortunately the kernel of ME only
Dialogue: 0,0:43:23.12,0:43:36.43,Default,,0000,0000,0000,,based on MINIX. And the Intel guys almost\Nall to rewrite all, almost all kernel. And
Dialogue: 0,0:43:36.43,0:43:44.20,Default,,0000,0000,0000,,on the reverse engineering. And maybe\Nindeed you can get information from Intel
Dialogue: 0,0:43:44.20,0:43:52.27,Default,,0000,0000,0000,,after signs NDA, I don't know.\NHerald: Microphone number eight.
Dialogue: 0,0:43:52.27,0:43:58.19,Default,,0000,0000,0000,,Mic 8: Do you think it do you think it\Nwould ever be possible to add your own
Dialogue: 0,0:43:58.19,0:44:02.33,Default,,0000,0000,0000,,public keys or are the Intel public keys\Nfor signing the firmware
Dialogue: 0,0:44:02.33,0:44:04.93,Default,,0000,0000,0000,,stored in a ROM only?
Dialogue: 0,0:44:04.93,0:44:12.42,Default,,0000,0000,0000,,Maxim: I'm sorry, you mean..\NMic 8: Could you add your own public keys
Dialogue: 0,0:44:12.42,0:44:19.78,Default,,0000,0000,0000,,for signing firmware with, or is not\Npossible because the ME checks the public
Dialogue: 0,0:44:19.78,0:44:30.50,Default,,0000,0000,0000,,key.\NMaxim: ME checks only hash of public key
Dialogue: 0,0:44:30.50,0:44:45.19,Default,,0000,0000,0000,,and we know that ROM has that in ME major\Na lot version of any which signs on two
Dialogue: 0,0:44:45.19,0:45:07.71,Default,,0000,0000,0000,,keys. We saw only one keys front from bus.\NAnd a ROM checked that check SHA from
Dialogue: 0,0:45:07.71,0:45:26.33,Default,,0000,0000,0000,,public key exist in whitelist. ROM has\Nhard-coded 8 hashes of keys and some lists
Dialogue: 0,0:45:26.33,0:45:39.54,Default,,0000,0000,0000,,for some white list of all these hashes.\NAnd if you keys in this list you can run
Dialogue: 0,0:45:39.54,0:45:43.58,Default,,0000,0000,0000,,your ME firmware
Dialogue: 0,0:45:43.58,0:45:46.56,Default,,0000,0000,0000,,Mic 8: Okay but that\Nlist of hashes is in ROM?
Dialogue: 0,0:45:46.56,0:45:49.23,Default,,0000,0000,0000,,Maxim: Yeah yeah.\NMic 8: Okay, thank you.
Dialogue: 0,0:45:49.23,0:45:53.57,Default,,0000,0000,0000,,Herald: Signal angel.\NSignal Angel: What is your general
Dialogue: 0,0:45:53.57,0:46:01.07,Default,,0000,0000,0000,,impression of this security of ME - how\Nvulnerable is it to attacks?
Dialogue: 0,0:46:01.07,0:46:12.82,Default,,0000,0000,0000,,Maxim: Sorry, you mean how vulnerable you\Nmean have an ability to help us do it?
Dialogue: 0,0:46:12.82,0:46:15.38,Default,,0000,0000,0000,,Sorry.\NSignal Angel: You know, how vulnerable is
Dialogue: 0,0:46:15.38,0:46:20.42,Default,,0000,0000,0000,,it to other attacks?\NMaxim: On other module, yeah?
Dialogue: 0,0:46:20.42,0:46:26.50,Default,,0000,0000,0000,,Signal Angel: Sorry, on what?\NMaxim: In other module.
Dialogue: 0,0:46:26.50,0:46:31.67,Default,,0000,0000,0000,,Herald: So I think the question is in\Ngeneral how good is the security of the
Dialogue: 0,0:46:31.67,0:46:35.29,Default,,0000,0000,0000,,Intel ME?\NMaxim: So sorry..
Dialogue: 0,0:46:35.29,0:46:42.57,Default,,0000,0000,0000,,Herald: In general, how good is the\Nsecurity of the Intel ME, altogether?
Dialogue: 0,0:46:42.57,0:46:50.21,Default,,0000,0000,0000,,Maxim: I think it is because is\Nindependent researcher can use it for
Dialogue: 0,0:46:50.21,0:46:57.57,Default,,0000,0000,0000,,dynamic analysis of any codes - it's it's\Ncool I I think.
Dialogue: 0,0:46:57.57,0:47:04.71,Default,,0000,0000,0000,,Herald: Microphone number seven.\NMic 7: Do you have plans to research some
Dialogue: 0,0:47:04.71,0:47:10.00,Default,,0000,0000,0000,,specific parts of the\NIntel ME in the future?
Dialogue: 0,0:47:10.00,0:47:19.47,Default,,0000,0000,0000,,Maxim: Yeah of course. Intel will publish
Dialogue: 0,0:47:19.47,0:47:28.31,Default,,0000,0000,0000,,an ME 11 version and I know that they\Nchanged Huffman tables for example. And
Dialogue: 0,0:47:28.31,0:47:38.15,Default,,0000,0000,0000,,the next the next round of this game will\Nstart it.
Dialogue: 0,0:47:38.15,0:47:42.12,Default,,0000,0000,0000,,Herald: Is there another\Nquestion at microphone 7?
Dialogue: 0,0:47:42.12,0:47:51.73,Default,,0000,0000,0000,,Mic 7: So if I understood you correctly,\Njust to make sure, this means that you -
Dialogue: 0,0:47:51.73,0:48:00.27,Default,,0000,0000,0000,,if you have a CPU of this Skylake\Narchitecture and a USB 3 port, you can
Dialogue: 0,0:48:00.27,0:48:06.56,Default,,0000,0000,0000,,always get low-level access to the ME.\NMaxim: Exactly.
Dialogue: 0,0:48:06.56,0:48:12.44,Default,,0000,0000,0000,,Mic 7: So, if I were to own such a chip,\NI would want that patched. What's the
Dialogue: 0,0:48:12.44,0:48:20.05,Default,,0000,0000,0000,,usual path? Does the patch come in a\NWindows patch or a BIOS update or what is
Dialogue: 0,0:48:20.05,0:48:26.94,Default,,0000,0000,0000,,it?\NMaxim: You have some some ways to use it.
Dialogue: 0,0:48:26.94,0:48:38.50,Default,,0000,0000,0000,,If you have a SPI programmer, you you can\Nrewrite flash. You mean how we can exploit
Dialogue: 0,0:48:38.50,0:48:45.28,Default,,0000,0000,0000,,it?\NMic 7: No, how does, sorry, how will Intel
Dialogue: 0,0:48:45.28,0:48:53.56,Default,,0000,0000,0000,,distribute a patch for this vulnerability?\NMaxim: Oh, unfortunately because downgrade
Dialogue: 0,0:48:53.56,0:49:01.57,Default,,0000,0000,0000,,always possible. Intel punched only error\Nin BUP function.
Dialogue: 0,0:49:01.57,0:49:11.01,Default,,0000,0000,0000,,But researcher or attacker\Ncan always to downgrade version or to
Dialogue: 0,0:49:11.01,0:49:17.39,Default,,0000,0000,0000,,earlier ME and exploit it without any\Nproblem.
Dialogue: 0,0:49:17.39,0:49:27.48,Default,,0000,0000,0000,,We are is SPI controller or a SPI\Nprogrammer and maybe another way.
Dialogue: 0,0:49:27.48,0:49:32.09,Default,,0000,0000,0000,,Mic 7: Okay, thank you.\NHerald: Microphone number one.
Dialogue: 0,0:49:32.09,0:49:37.33,Default,,0000,0000,0000,,Mic 1: In the demo with video, we saw the\Nconnection between the two machines with
Dialogue: 0,0:49:37.33,0:49:43.96,Default,,0000,0000,0000,,this blue box, but I think there's another\None way to connect them with just a USB
Dialogue: 0,0:49:43.96,0:49:51.08,Default,,0000,0000,0000,,cable. Is there anything you can do with\Nthe blue box that you can't do without it?
Dialogue: 0,0:49:51.08,0:49:59.69,Default,,0000,0000,0000,,Maxim: Yeah we checked it - we use only\NUSB3 debug cable. But it is not possible
Dialogue: 0,0:49:59.69,0:50:12.99,Default,,0000,0000,0000,,for us because we need to to recover the\Nstate of work for loading in ME. I do it
Dialogue: 0,0:50:12.99,0:50:26.16,Default,,0000,0000,0000,,but I don't like that because I need to\Nstop execution for my research. It easy
Dialogue: 0,0:50:26.16,0:50:31.19,Default,,0000,0000,0000,,for me and because\Nwe were using a blue box.
Dialogue: 0,0:50:31.19,0:50:32.58,Default,,0000,0000,0000,,Mic 1: Thank you.
Dialogue: 0,0:50:32.58,0:50:37.11,Default,,0000,0000,0000,,Herald: Signal angel.\NSignal Angel: Do you plan to publish
Dialogue: 0,0:50:37.11,0:50:44.65,Default,,0000,0000,0000,,mask ROM dump in the future?\NMaxim: Yeah, we will plan to do it, yeah.
Dialogue: 0,0:50:44.65,0:50:51.64,Default,,0000,0000,0000,,Herald: Signal angel again.\NSignal Angel: Just give me a moment.
Dialogue: 0,0:50:51.64,0:51:01.80,Default,,0000,0000,0000,,Maxim: I didn't know, maybe when I\Ncome back to Moscow.
Dialogue: 0,0:51:01.80,0:51:09.99,Default,,0000,0000,0000,,Herald: Any other burning questions?\NPlease come up to one of the numbered
Dialogue: 0,0:51:09.99,0:51:18.57,Default,,0000,0000,0000,,microphones. Then with that let's give\NMaxim of great warm well applause-
Dialogue: 0,0:51:18.57,0:51:22.05,Default,,0000,0000,0000,,Maxim: Thank you much for your attention.\NHerald: Thank you so much Maxim.
Dialogue: 0,0:51:22.05,0:51:25.03,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:51:25.03,0:51:41.06,Default,,0000,0000,0000,,{\i1}34c3 outro{\i0}
Dialogue: 0,0:51:41.06,0:51:47.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!