Intel Management Engine Interface - What is it?

Discussion in 'alt.windows7.general' started by John Aldred, Nov 20, 2010.

  1. John Aldred

    John Aldred Guest

    Some time ago I did a fresh install of Windows 7 Home Premium 32 bit on a
    new machine.

    In Device Manager there was a yellow bang against an unknown PCI
    communications device.

    I eventually tracked this down to a motherboard chip associated with the
    item in the subject line, but could find no 32 bit Win7 driver for it.

    Having looked at the Intel documentation and the Wiki entry, I found myself
    little wiser as to its function.

    I concluded that as a home user I probably had no need of it.

    However, today, Windows Update has offered me a driver for it. Curiously it
    is classified as Important (rather than Optional as most driver updates seem
    to be).

    I would be grateful if someone could explain (in non-specialist language)
    what this device does, and as a home user if I need to have it enabled.

    Does it, for instance, provide any function to assist Windows Update.

    --
    John
     
    John Aldred, Nov 20, 2010
    #1
  2. John Aldred

    Joe Morris Guest

    "John Aldred" <> wrote:

    > Some time ago I did a fresh install of Windows 7 Home Premium 32 bit on a
    > new machine.
    >
    > In Device Manager there was a yellow bang against an unknown PCI
    > communications device.

    [...]
    > I would be grateful if someone could explain (in non-specialist language)
    > what this device does, and as a home user if I need to have it enabled.


    IMEI is one component of Intel's VPRO remote access technology. I'm a bit
    surprised that it's unexpectedly showing up in what I presume is a consumer
    computer; it's an extra-cost item (last time I talked to our account team we
    were told that they paid Intel $25 for each system shipped with the
    feature). Unless you plan to put the box in a remote location where it can't
    be accessed if (when) it gets hung it's probably not that much use to you.

    You don't say what make and model of computer is involved. Look at the BIOS
    setup options; assuming that you don't want it you might be able to disable
    the feature there (and thus get rid of the yellow bang in Device Manager).

    Joe Morris
     
    Joe Morris, Nov 20, 2010
    #2
  3. John Aldred

    John Aldred Guest

    Joe Morris wrote:

    > "John Aldred" <> wrote:
    >
    >> Some time ago I did a fresh install of Windows 7 Home Premium 32 bit on a
    >> new machine.
    >>
    >> In Device Manager there was a yellow bang against an unknown PCI
    >> communications device.

    > [...]
    >> I would be grateful if someone could explain (in non-specialist
    >> language) what this device does, and as a home user if I need to have it
    >> enabled.

    >
    > IMEI is one component of Intel's VPRO remote access technology. I'm a bit
    > surprised that it's unexpectedly showing up in what I presume is a
    > consumer computer; it's an extra-cost item (last time I talked to our
    > account team we were told that they paid Intel $25 for each system shipped
    > with the feature). Unless you plan to put the box in a remote location
    > where it can't be accessed if (when) it gets hung it's probably not that
    > much use to you.
    >
    > You don't say what make and model of computer is involved. Look at the
    > BIOS setup options; assuming that you don't want it you might be able to
    > disable the feature there (and thus get rid of the yellow bang in Device
    > Manager).
    >


    The computer is a Dell Inspiron Desktop 580.
    It has the Intel Core i3 processor 540 and a H57 chipset.
    Sold in Europe as a mid-range consumer machine.

    There are no BIOS settings relating to IMEI or AMT.

    I have disabled the item in Device Manager.

    From what I can understand of the technical literature it is to allow remote
    access over a LAN for IT admin / repair purposes even when the system is
    powered down.

    I understand very little about it, but could it be used over the internet to
    allow an OEM to fix a customer's machine?

    --
    John
     
    John Aldred, Nov 20, 2010
    #3
  4. John Aldred

    Paul Guest

    John Aldred wrote:
    > Joe Morris wrote:
    >
    >> "John Aldred" <> wrote:
    >>
    >>> Some time ago I did a fresh install of Windows 7 Home Premium 32 bit on a
    >>> new machine.
    >>>
    >>> In Device Manager there was a yellow bang against an unknown PCI
    >>> communications device.

    >> [...]
    >>> I would be grateful if someone could explain (in non-specialist
    >>> language) what this device does, and as a home user if I need to have it
    >>> enabled.

    >> IMEI is one component of Intel's VPRO remote access technology. I'm a bit
    >> surprised that it's unexpectedly showing up in what I presume is a
    >> consumer computer; it's an extra-cost item (last time I talked to our
    >> account team we were told that they paid Intel $25 for each system shipped
    >> with the feature). Unless you plan to put the box in a remote location
    >> where it can't be accessed if (when) it gets hung it's probably not that
    >> much use to you.
    >>
    >> You don't say what make and model of computer is involved. Look at the
    >> BIOS setup options; assuming that you don't want it you might be able to
    >> disable the feature there (and thus get rid of the yellow bang in Device
    >> Manager).
    >>

    >
    > The computer is a Dell Inspiron Desktop 580.
    > It has the Intel Core i3 processor 540 and a H57 chipset.
    > Sold in Europe as a mid-range consumer machine.
    >
    > There are no BIOS settings relating to IMEI or AMT.
    >
    > I have disabled the item in Device Manager.
    >
    > From what I can understand of the technical literature it is to allow remote
    > access over a LAN for IT admin / repair purposes even when the system is
    > powered down.
    >
    > I understand very little about it, but could it be used over the internet to
    > allow an OEM to fix a customer's machine?
    >


    According to the chipset datasheet (322169), only the Q57 has AMT 6.0.
    The H57, H55, P55 don't.

    But yet, the data sheet, doesn't distinguish SKUs when it comes to
    the registers and the like. So unlike previous chips with AMT, it's unclear
    whether this one, places a firm boundary on having AMT or not.

    The 322170 document, shows the VID and PID of the two IME engine blocks.
    Again, there is no documentation to state why there are two. Previous
    chipsets might have had one (with only the Q series chip having that
    one enabled). In a quick comparison of the registers for them, they
    look identical. So I can't figure out from the register description,
    why there are two.

    IMEI #1 8086:3B64
    IMEI #2 8086:3B65

    It's not even clear to me, why you'd make them visible in the host space,
    because they're supposed to have control over the host. In other words,
    if your host had a virus, you had AMT, the Management Engine should be
    able to reset the machine. You wouldn't want a virus to interact with a
    driver pointed at 3B64 and 3B65, if it could prevent AMT from working.
    So I don't see the purpose of having a driver. Maybe it's just for
    observability or something ?

    I only have one slide set, from an IDF presentation, that does a decent
    job of describing the capabilities. And that slide set is a few years
    old now (and no longer available from the Intel site).

    An OEM would not need it to fix a consumer machine. There are other
    ways to do that (as long as the OS is running).

    So even if the IMEIs were disabled in Device Manager, or no driver was loaded,
    that doesn't convince me the hardware isn't still "armed". The solution
    is dependent on the firmware (stored in BIOS chip), and if the AMT
    firmware block is missing or neutered, that would certainly prevent
    a lot of stuff from happening. Perhaps reusing a BIOS intended for
    Q57, is why this is happening ? But if that was the case, you'd also
    expect to see some kind of BIOS control to disable it. Or a jumper
    or something... I checked the strap list in the datasheet, and I don't
    see something intended to disable IMEI. I did see a reference to
    cryptography, so it may not be possible to attack the computer,
    without knowing the key needed to facilitate communications.

    When I first read of AMT, I knew there'd be a day like this, where
    the user would lose control...

    While there are some details here, this info isn't up to date. With
    your hardware, there is no evidence that pulling memory DIMMs out
    of channel 0, makes any difference at all to the Management Engine.
    (I checked the Core i3 datasheet.)

    http://software.intel.com/en-us/articles/architecture-guide-intel-active-management-technology/

    Paul
     
    Paul, Nov 21, 2010
    #4
  5. John Aldred

    John Aldred Guest

    Paul wrote:

    [Snip]
    >
    > According to the chipset datasheet (322169), only the Q57 has AMT 6.0.
    > The H57, H55, P55 don't.
    >
    > But yet, the data sheet, doesn't distinguish SKUs when it comes to
    > the registers and the like. So unlike previous chips with AMT, it's
    > unclear whether this one, places a firm boundary on having AMT or not.
    >
    > The 322170 document, shows the VID and PID of the two IME engine blocks.
    > Again, there is no documentation to state why there are two. Previous
    > chipsets might have had one (with only the Q series chip having that
    > one enabled). In a quick comparison of the registers for them, they
    > look identical. So I can't figure out from the register description,
    > why there are two.
    >
    > IMEI #1 8086:3B64
    > IMEI #2 8086:3B65
    >
    > It's not even clear to me, why you'd make them visible in the host space,
    > because they're supposed to have control over the host. In other words,
    > if your host had a virus, you had AMT, the Management Engine should be
    > able to reset the machine. You wouldn't want a virus to interact with a
    > driver pointed at 3B64 and 3B65, if it could prevent AMT from working.
    > So I don't see the purpose of having a driver. Maybe it's just for
    > observability or something ?
    >
    > I only have one slide set, from an IDF presentation, that does a decent
    > job of describing the capabilities. And that slide set is a few years
    > old now (and no longer available from the Intel site).
    >
    > An OEM would not need it to fix a consumer machine. There are other
    > ways to do that (as long as the OS is running).
    >
    > So even if the IMEIs were disabled in Device Manager, or no driver was
    > loaded, that doesn't convince me the hardware isn't still "armed". The
    > solution is dependent on the firmware (stored in BIOS chip), and if the
    > AMT firmware block is missing or neutered, that would certainly prevent
    > a lot of stuff from happening. Perhaps reusing a BIOS intended for
    > Q57, is why this is happening ? But if that was the case, you'd also
    > expect to see some kind of BIOS control to disable it. Or a jumper
    > or something... I checked the strap list in the datasheet, and I don't
    > see something intended to disable IMEI. I did see a reference to
    > cryptography, so it may not be possible to attack the computer,
    > without knowing the key needed to facilitate communications.


    From what you say (if I understand your comments correctly), this device
    could be more of a liability than an asset to home users, in respect of
    malicious attack. Unless access to it was blocked by default.

    >
    > When I first read of AMT, I knew there'd be a day like this, where
    > the user would lose control...
    >
    > While there are some details here, this info isn't up to date. With
    > your hardware, there is no evidence that pulling memory DIMMs out
    > of channel 0, makes any difference at all to the Management Engine.
    > (I checked the Core i3 datasheet.)
    >


    Someone in another forum pointed me at this:

    http://www.intel.com/en_US/Assets/PDF/general/ug_Intel_MEBX.pdf

    and suggested that I looked at pages 95 - 105.

    I guess it could explain why the device is on a home user desktop.

    --
    John
     
    John Aldred, Nov 21, 2010
    #5
  6. John Aldred

    Paul Guest

    John Aldred wrote:

    >
    > From what you say (if I understand your comments correctly), this device
    > could be more of a liability than an asset to home users, in respect of
    > malicious attack. Unless access to it was blocked by default.
    >
    > Someone in another forum pointed me at this:
    >
    > http://www.intel.com/en_US/Assets/PDF/general/ug_Intel_MEBX.pdf
    >
    > and suggested that I looked at pages 95 - 105.
    >
    > I guess it could explain why the device is on a home user desktop.
    >


    Yes, I see only liability here. The document you provided mentions
    "PKI" or Public Key Infrastructure, so there is some notion of
    protecting communications with it. And the thing is, the hardware
    assets the microcontroller needs, have to be connected to make
    it work, so if some off-brand networking chip was used, perhaps
    it wouldn't work.

    It would really help, if we could tell exactly what firmware was
    loaded for the IMEI. If the only thing loaded, is some fan control
    firmware, that might not be so bad. But if the whole standard Intel
    package was loaded, I think we deserve to know that.

    Even if we knew what IP port it used, we could say "well, if
    you're using a firewall, block port X", that would be worth some
    small peace of mind. Of course, the firewall would have to be
    at your home router, because on the computer itself, the IMEI has
    access to the Intel Pro/1000 network chip directly.

    I prefer to see the results of a Black Hat conference on the topic.
    To see if that interface has ever been abused. With VT-X from
    Intel, it was "Blue Pill".

    "The Blue Pill rootkit for x86-based computers was based on this
    concept: it presents the illusion of a computer that has not been
    tampered with but uses virtualization to monitor and control the
    system in a nearly undetectable fashion."

    I'm just concerned, that buying a non Qxx series chipset, has now resulted
    in a new set of exposures. Intel does try hard, to not open new holes,
    but every time you add features like this, it extends the reach of
    malware authors. Even SMM, a relatively old feature, offers a
    virtually invisible way for malware to control a computer. SMM
    is invisible, except if you use a stopwatch and notice chunks of
    time disappearing in the OS.

    http://en.wikipedia.org/wiki/System_Management_Mode

    Stuff like this generally doesn't happen, because of the number
    of variables presented to malware authors. It might be of more interest
    in a focused attack, where someone knows you have a Dell 580 and they
    cook up something specially for it.

    Paul
     
    Paul, Nov 21, 2010
    #6
  7. John Aldred

    John Aldred Guest

    Paul wrote:

    > John Aldred wrote:
    >
    >>
    >> From what you say (if I understand your comments correctly), this device
    >> could be more of a liability than an asset to home users, in respect of
    >> malicious attack. Unless access to it was blocked by default.
    >>
    >> Someone in another forum pointed me at this:
    >>
    >> http://www.intel.com/en_US/Assets/PDF/general/ug_Intel_MEBX.pdf
    >>
    >> and suggested that I looked at pages 95 - 105.
    >>
    >> I guess it could explain why the device is on a home user desktop.
    >>

    >
    > Yes, I see only liability here. The document you provided mentions
    > "PKI" or Public Key Infrastructure, so there is some notion of
    > protecting communications with it. And the thing is, the hardware
    > assets the microcontroller needs, have to be connected to make
    > it work, so if some off-brand networking chip was used, perhaps
    > it wouldn't work.
    >
    > It would really help, if we could tell exactly what firmware was
    > loaded for the IMEI. If the only thing loaded, is some fan control
    > firmware, that might not be so bad. But if the whole standard Intel
    > package was loaded, I think we deserve to know that.
    >
    > Even if we knew what IP port it used, we could say "well, if
    > you're using a firewall, block port X", that would be worth some
    > small peace of mind. Of course, the firewall would have to be
    > at your home router, because on the computer itself, the IMEI has
    > access to the Intel Pro/1000 network chip directly.
    >
    > I prefer to see the results of a Black Hat conference on the topic.
    > To see if that interface has ever been abused. With VT-X from
    > Intel, it was "Blue Pill".
    >
    > "The Blue Pill rootkit for x86-based computers was based on this
    > concept: it presents the illusion of a computer that has not been
    > tampered with but uses virtualization to monitor and control the
    > system in a nearly undetectable fashion."
    >
    > I'm just concerned, that buying a non Qxx series chipset, has now resulted
    > in a new set of exposures. Intel does try hard, to not open new holes,
    > but every time you add features like this, it extends the reach of
    > malware authors. Even SMM, a relatively old feature, offers a
    > virtually invisible way for malware to control a computer. SMM
    > is invisible, except if you use a stopwatch and notice chunks of
    > time disappearing in the OS.
    >
    > http://en.wikipedia.org/wiki/System_Management_Mode
    >
    > Stuff like this generally doesn't happen, because of the number
    > of variables presented to malware authors. It might be of more interest
    > in a focused attack, where someone knows you have a Dell 580 and they
    > cook up something specially for it.
    >


    Yes, I find this whole concept very disquieting.

    --
    John
     
    John Aldred, Nov 21, 2010
    #7
  8. John Aldred

    slinkyDog

    Joined: Oct 9, 2012; Messages: 2; Likes Received: 0

    found driver for Intel Management Engine Interface

    My situation is the following:

    1) Loaded Windows 7 32 bit on an Acer Aspire 5349 for a customer today.

    2) Found an unknown device with a yellow exclamation point in device manager
    with the following information in the details page: vendorID = 8086 and deviceID = 1c3a and the description of "PCI communications".

    3) I looked in www.pcidatabase.com and found out the description of:
    Intel Management Engine Interface

    4) I google'd this description which led me to this webpage.

    5) Under the Acer website I found a driver that worked under the name "TurboBoost":

    link= http://global-download.acer.com/GDF...tep3=Aspire 5349&OS=702&LC=en&BC=Acer&SC=PA_6

    filename= Turbo Boost_Intel_7.0.0.1144_W7x86W7x64_A.zip

    6) I downloaded and extracted the above zip file.
    7) I ran the setup file from the extracted content and it installed the driver. Now shows up as being installed correctly.

    =============================

    Still don't know what exactly this function does but at least we have a driver that works and another description of "turbo boost". Hope that helps others out. Have a good day.
     
    slinkyDog, Oct 9, 2012
    #8
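
Posts #4 and #8 both identify the device by its PCI vendor and device ID. As an added example (not code from any poster), this Python sketch reads those IDs from Windows hardware-ID strings or `lspci -nn` style lines and reports the host-side driver state. The sample records are constructed, and the meanings of problem codes 22 and 28 are the standard Device Manager ones, not something stated in the thread.

```python
import re

# (vendor, device) IDs the posts above give for the Management Engine Interface.
# Only the thread's own three IDs are listed; other chipsets use other IDs.
THREAD_MEI_IDS = {
    (0x8086, 0x3B64): "IMEI #1 (post #4)",
    (0x8086, 0x3B65): "IMEI #2 (post #4)",
    (0x8086, 0x1C3A): "Intel Management Engine Interface (post #8)",
}

# Device Manager problem codes (Win32_PnPEntity.ConfigManagerErrorCode).
# They describe the host-side driver only, not what the ME firmware is doing.
DRIVER_STATE = {
    0: "driver loaded",
    22: "disabled in Device Manager",
    28: "no driver installed (yellow bang)",
}

# Windows hardware ID form: PCI\VEN_8086&DEV_1C3A&...
WIN_ID = re.compile(r"PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})", re.I)
# lspci -nn form "[8086:1c3a]" or a bare "8086:3B64"; bus addresses such as
# "00:16.0" or "0000:00:16.0" do not match because both halves need 4 hex digits.
PAIR_ID = re.compile(r"\b([0-9A-F]{4}):([0-9A-F]{4})\b", re.I)


def parse_pci_id(text):
    """Return (vendor, device) as ints, or None when the text carries no PCI ID."""
    m = WIN_ID.search(text) or PAIR_ID.search(text)
    if m is None:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def triage(records):
    """records: iterable of (id_text, problem_code or None).

    Returns (id, label, driver_state) for each device whose ID the thread
    attributes to the MEI; everything else is skipped.
    """
    findings = []
    for id_text, code in records:
        ids = parse_pci_id(id_text)
        label = THREAD_MEI_IDS.get(ids)
        if label is None:
            continue
        if code is None:
            state = "driver state unknown"
        else:
            state = DRIVER_STATE.get(code, "problem code %d" % code)
        findings.append(("%04X:%04X" % ids, label, state))
    return findings


# Constructed sample inventory (subsystem/revision values are placeholders).
SAMPLE = [
    (r"PCI\VEN_8086&DEV_3B64&SUBSYS_00000000&REV_00", 28),  # fresh install
    (r"PCI\VEN_8086&DEV_3B64&SUBSYS_00000000&REV_00", 22),  # after disabling
    ("00:16.0 Communication controller [0780]: Intel Corporation Device [8086:1c3a]", None),
    (r"PCI\VEN_1234&DEV_5678&SUBSYS_00000000&REV_00", 0),   # unrelated device
    ("line with no PCI ID", None),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%s  %s  -> %s" % row)
```
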
  9. John Aldred

    slinkyDog

    Joined: Oct 9, 2012; Messages: 2; Likes Received: 0

    turbo boost

    http://en.wikipedia.org/wiki/Intel_Turbo_Boost

    First sentence from Wikipedia says:

    "Intel Turbo Boost is a technology implemented by Intel in certain versions of their Nehalem-, Sandy-Bridge- and Ivy-Bridge-based CPUs, including Core i5 and Core i7 that enables the processor to run above its base operating frequency via dynamic control of the CPU's 'clock rate'."
     
    slinkyDog, Oct 9, 2012
    #9
  10. John Aldred

    Dan84

    Joined: Oct 20, 2012; Messages: 6; Likes Received: 0; Location: Ohio, USA

    Reply to OP

    I am using a Z77X based motherboard, Intel i5 3750 CPU, and Windows 7 Home Premium. For the first time I received IMEI as a download option [as an automatic update from MS].

    I am not going to install it, as my computer is a home computer, not laptop or portable of any kind [a Cooler Master computer case chock-full of large hardware, including a heavy CPU cooler does not lend itself to portability].

    I have everything in hardware and software related to IMEI turned off, and, I still received this option.

    This is one reason I do not allow automatic updates from MS, I only permit the OS to tell me when something new is available, so, I can make my own mind up as to what software I install on this computer.

    And, as regards to Intel Turbo Boost, I have it shut off in BIOS, as I manually overclock.
     
    Dan84, Oct 20, 2012
    #10
  11. John Aldred

    John Diggerö

    Joined: Dec 21, 2015; Messages: 1; Likes Received: 0

    I had the same thing. This is probably one of the NSA force-fed features that Windows has been pushing and forcing on people, that are needed to conspicuously spy on our computers.
     
    John Diggerö, Dec 21, 2015
    #11