summaryrefslogtreecommitdiff
path: root/util/intelmetool/intelmetool.c
diff options
context:
space:
mode:
Diffstat (limited to 'util/intelmetool/intelmetool.c')
-rw-r--r--util/intelmetool/intelmetool.c369
1 files changed, 369 insertions, 0 deletions
diff --git a/util/intelmetool/intelmetool.c b/util/intelmetool/intelmetool.c
new file mode 100644
index 0000000000..bde32041ff
--- /dev/null
+++ b/util/intelmetool/intelmetool.c
@@ -0,0 +1,369 @@
+/* intelmetool Dump interesting things about Management Engine even if hidden
+ * Copyright (C) 2014 Damien Zammit <damien@zamaudio.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <stdio.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <unistd.h>
+
+#ifdef __NetBSD__
+#include <machine/sysarch.h>
+#endif
+
+#include "me.h"
+#include "mmap.h"
+#include "intelmetool.h"
+
+#define FD2 0x3428
+#define ME_COMMAND_DELAY 10000
+
+extern int fd_mem;
+int debug = 0;
+
+static uint32_t fd2 = 0;
+static const int size = 0x4000;
+static volatile uint8_t *rcba;
+
+static void dumpmem(uint8_t *phys, uint32_t size)
+{
+ uint32_t i;
+ printf("Dumping cloned ME memory:\n");
+ for (i = 0; i < size; i++) {
+ printf("%02X",*((uint8_t *) (phys + i)));
+ }
+ printf("\n");
+}
+
+static void zeroit(uint8_t *phys, uint32_t size)
+{
+ uint32_t i;
+ for (i = 0; i < size; i++) {
+ *((uint8_t *) (phys + i)) = 0x00;
+ }
+}
+
+static void dumpmemfile(uint8_t *phys, uint32_t size)
+{
+ FILE *fp = fopen("medump.bin", "w");
+ uint32_t i;
+ for (i = 0; i < size; i++) {
+ fprintf(fp, "%c", *((uint8_t *) (phys + i)));
+ }
+ fclose(fp);
+}
+
+static void rehide_me() {
+ if (fd2 & 0x2) {
+ printf("Re-hiding MEI device...");
+ fd2 = *(uint32_t *)(rcba + FD2);
+ *(uint32_t *)(rcba + FD2) = fd2 | 0x2;
+ printf("done, ");
+ }
+}
+
+/* You need >4GB total ram, in kernel cmdline, use 'mem=1000m'
+ * then this code will clone to absolute memory address 0xe0000000
+ * which can be read using a mmap tool at that offset.
+ * Real ME memory is located around top of memory minus 64MB. (I think)
+ * so we avoid cloning to this part.
+ */
+static void dump_me_memory() {
+ uint32_t me_clone = 0x60000000;
+ uint8_t *dump;
+
+ dump = map_physical_exact(me_clone, me_clone, 0x2000000);
+ zeroit(dump, 0x2000000);
+ printf("Send magic command for memory clone\n");
+
+ mei_reset();
+ usleep(ME_COMMAND_DELAY);
+ void* ptr = &me_clone;
+ int err = mkhi_debug_me_memory(ptr);
+
+ if (!err) {
+ printf("Wait a second...");
+ usleep(ME_COMMAND_DELAY);
+ printf("done\n\nHere are the first bytes:\n");
+ dumpmemfile(dump, 0x2000000);
+ //printf("Try reading 0x%zx with other mmap tool...\n"
+ // "Press enter to quit, you only get one chance to run this tool before reboot required for some reason\n", me_clone);
+ while (getc(stdin) != '\n') {};
+ unmap_physical(dump, 0x2000000);
+ }
+}
+
+static int pci_platform_scan() {
+ struct pci_access *pacc;
+ struct pci_dev *dev;
+ char namebuf[1024], *name;
+
+ pacc = pci_alloc();
+ pacc->method = PCI_ACCESS_I386_TYPE1;
+
+ pci_init(pacc);
+ pci_scan_bus(pacc);
+
+ for (dev=pacc->devices; dev; dev=dev->next) {
+ pci_fill_info(dev, PCI_FILL_IDENT | PCI_FILL_BASES | PCI_FILL_SIZES | PCI_FILL_CLASS);
+ name = pci_lookup_name(pacc, namebuf, sizeof(namebuf),
+ PCI_LOOKUP_DEVICE, dev->vendor_id, dev->device_id);
+ if (dev->vendor_id == 0x8086) {
+ if (PCI_DEV_HAS_ME_DISABLE(dev->device_id)) {
+ printf(CGRN "Good news, you have a `%s` so ME is present but can be disabled, continuing...\n\n" RESET, name);
+ break;
+ } else if (PCI_DEV_HAS_ME_DIFFICULT(dev->device_id)) {
+ printf(CRED "Bad news, you have a `%s` so you have ME hardware on board and you can't control or disable it, continuing...\n\n" RESET, name);
+ break;
+ } else if (PCI_DEV_CAN_DISABLE_ME_IF_PRESENT(dev->device_id)) {
+ printf(CYEL "Not sure if ME hardware is present because you have a `%s`, but it is possible to disable it if you do, continuing...\n\n" RESET, name);
+ break;
+ } else if (PCI_DEV_ME_NOT_SURE(dev->device_id)) {
+ printf(CYEL "Found `%s`. Not sure whether you have ME hardware, exiting\n\n" RESET, name);
+ pci_cleanup(pacc);
+ return 1;
+ break;
+ }
+ }
+ }
+
+ if (!PCI_DEV_HAS_ME_DISABLE(dev->device_id) &&
+ !PCI_DEV_HAS_ME_DIFFICULT(dev->device_id) &&
+ !PCI_DEV_CAN_DISABLE_ME_IF_PRESENT(dev->device_id) &&
+ !PCI_DEV_ME_NOT_SURE(dev->device_id)) {
+ printf(CCYN "ME is not present on your board or unkown\n\n" RESET);
+ pci_cleanup(pacc);
+ return 1;
+ }
+
+ pci_cleanup(pacc);
+
+ return 0;
+}
+
+static struct pci_dev *pci_me_interface_scan(char **name) {
+ struct pci_access *pacc;
+ struct pci_dev *dev;
+ char namebuf[1024];
+
+ pacc = pci_alloc();
+ pacc->method = PCI_ACCESS_I386_TYPE1;
+
+ pci_init(pacc);
+ pci_scan_bus(pacc);
+
+ for (dev=pacc->devices; dev; dev=dev->next) {
+ pci_fill_info(dev, PCI_FILL_IDENT | PCI_FILL_BASES | PCI_FILL_SIZES | PCI_FILL_CLASS);
+ *name = pci_lookup_name(pacc, namebuf, sizeof(namebuf),
+ PCI_LOOKUP_DEVICE, dev->vendor_id, dev->device_id);
+ if (dev->vendor_id == 0x8086) {
+ if (PCI_DEV_HAS_SUPPORTED_ME(dev->device_id)) {
+ break;
+ }
+ }
+ }
+
+ if (!PCI_DEV_HAS_SUPPORTED_ME(dev->device_id)) {
+ rehide_me();
+
+ printf("MEI device not found\n");
+ pci_cleanup(pacc);
+ return NULL;
+ }
+
+ return dev;
+}
+
+static int activate_me() {
+ struct pci_access *pacc;
+ struct pci_dev *sb;
+ uint32_t rcba_phys;
+
+ pacc = pci_alloc();
+ pacc->method = PCI_ACCESS_I386_TYPE1;
+
+ pci_init(pacc);
+ pci_scan_bus(pacc);
+
+ sb = pci_get_dev(pacc, 0, 0, 0x1f, 0);
+ if (!sb) {
+ printf("Uh oh, southbridge not on BDF(0:31:0), please report this error, exiting.\n");
+ pci_cleanup(pacc);
+ return 1;
+ }
+ pci_fill_info(sb, PCI_FILL_IDENT | PCI_FILL_BASES | PCI_FILL_SIZES | PCI_FILL_CLASS);
+
+ rcba_phys = pci_read_long(sb, 0xf0) & 0xfffffffe;
+ rcba = map_physical(rcba_phys, size);
+
+ //printf("RCBA at 0x%08" PRIx32 "\n", (uint32_t)rcba_phys);
+ fd2 = *(uint32_t *)(rcba + FD2);
+ *(uint32_t *)(rcba + FD2) = fd2 & ~0x2;
+ if (fd2 & 0x2) {
+ printf("MEI was hidden on PCI, now unlocked\n");
+ } else {
+ printf("MEI not hidden on PCI, checking if visible\n");
+ }
+
+ pci_cleanup(pacc);
+
+ return 0;
+}
+
+static void dump_me_info() {
+ struct pci_dev *dev;
+ uint32_t stat, stat2;
+ char *name;
+
+ if (pci_platform_scan()) {
+ exit(1);
+ }
+
+ dev = pci_me_interface_scan(&name);
+ if (!dev) {
+ exit(1);
+ }
+
+ if (activate_me()) {
+ exit(1);
+ }
+
+ printf("MEI found: [%x:%x] %s\n\n", dev->vendor_id, dev->device_id, name);
+ stat = pci_read_long(dev, 0x40);
+ printf("ME Status : 0x%x\n", stat);
+ stat2 = pci_read_long(dev, 0x48);
+ printf("ME Status 2 : 0x%x\n\n", stat2);
+
+ intel_me_status(stat, stat2);
+ printf("\n");
+ intel_me_extend_valid(dev);
+ printf("\n");
+
+ if ((stat & 0xf000) >> 12 != 0) {
+ printf("ME: has a broken implementation on your board with this BIOS\n");
+ }
+
+ intel_mei_setup(dev);
+ usleep(ME_COMMAND_DELAY);
+ mei_reset();
+ usleep(ME_COMMAND_DELAY);
+ mkhi_get_fw_version();
+ usleep(ME_COMMAND_DELAY);
+ mei_reset();
+ usleep(ME_COMMAND_DELAY);
+ mkhi_get_fwcaps();
+ usleep(ME_COMMAND_DELAY);
+
+ rehide_me();
+
+ munmap((void*)rcba, size);
+}
+
+static void print_version(void)
+{
+ printf("intelmetool v%s -- ", INTELMETOOL_VERSION);
+ printf("Copyright (C) 2015 Damien Zammit\n\n");
+ printf(
+ "This program is free software: you can redistribute it and/or modify\n"
+ "it under the terms of the GNU General Public License as published by\n"
+ "the Free Software Foundation, version 2 of the License.\n\n"
+ "This program is distributed in the hope that it will be useful,\n"
+ "but WITHOUT ANY WARRANTY; without even the implied warranty of\n"
+ "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n"
+ "GNU General Public License for more details.\n\n");
+}
+
+static void print_usage(const char *name)
+{
+ printf("usage: %s [-vh?sd]\n", name);
+ printf("\n"
+ " -v | --version: print the version\n"
+ " -h | --help: print this help\n\n"
+ " -s | --show: dump all me information on console\n"
+ " -d | --debug: enable debug output\n"
+ "\n");
+ exit(1);
+}
+
+int main(int argc, char *argv[])
+{
+ int opt, option_index = 0;
+ unsigned cmd_exec = 0;
+
+ static struct option long_options[] = {
+ {"version", 0, 0, 'v'},
+ {"help", 0, 0, 'h'},
+ {"show", 0, 0, 's'},
+ {"debug", 0, 0, 'd'},
+ {0, 0, 0, 0}
+ };
+
+ while ((opt = getopt_long(argc, argv, "vh?sd",
+ long_options, &option_index)) != EOF) {
+ switch (opt) {
+ case 'v':
+ print_version();
+ exit(0);
+ break;
+ case 's':
+ cmd_exec = 1;
+ break;
+ case 'd':
+ debug = 1;
+ break;
+ case 'h':
+ case '?':
+ default:
+ print_usage(argv[0]);
+ exit(0);
+ break;
+ }
+ }
+
+ #if defined(__FreeBSD__)
+ if (open("/dev/io", O_RDWR) < 0) {
+ perror("/dev/io");
+ #elif defined(__NetBSD__)
+ # ifdef __i386__
+ if (i386_iopl(3)) {
+ perror("iopl");
+ # else
+ if (x86_64_iopl(3)) {
+ perror("iopl");
+ # endif
+ #else
+ if (iopl(3)) {
+ perror("iopl");
+ #endif
+ printf("You need to be root.\n");
+ exit(1);
+ }
+
+ #ifndef __DARWIN__
+ if ((fd_mem = open("/dev/mem", O_RDWR)) < 0) {
+ perror("Can not open /dev/mem");
+ exit(1);
+ }
+ #endif
+
+ switch(cmd_exec) {
+ case 1:
+ dump_me_info();
+ break;
+ default:
+ print_usage(argv[0]);
+ break;
+ }
+
+ return 0;
+}