How I bought a locked laptop on eBay and tried to make my AntiTheft based on IntelAMT

TL;DR

Absolute Computrace is a technology that lets you lock a machine (and do more besides), even if the operating system has been reinstalled or the hard drive replaced, for $15 a year. I bought a laptop on eBay that was locked with this thing. This article describes my experience: how I struggled with it and then tried to build the same thing on top of Intel AMT, but for free.

Let's agree right away: I am not breaking down open doors or writing a lecture on these remote-management things. I only give a little background and show how to quickly stand up remote access to your own machine, cobbled together on the spot, in any situation if it is connected to the network via RJ-45 or, if it is connected via Wi-Fi, only under Windows. It is also possible to store the SSID, login and password of a specific access point in Intel AMT itself, after which Wi-Fi access can be had without booting into the OS. And if you install the Intel ME drivers on GNU/Linux, all of this should work there too. In the end, it will not be possible to lock the laptop remotely and display a message (I could not figure out whether this technology allows that at all), but you will have remote desktop access and Secure Erase, and that is the main thing.

The taxi driver drove off with my laptop, and I decided to buy a new one on eBay. What could go wrong?

From buyer to thief in one go

Having brought the laptop home from the post office, I set about finishing the Windows 10 out-of-box setup, and had even managed to install Firefox, when all of a sudden:

[screenshot]

I understood perfectly well that no one would have modified the Windows distribution, and if they had, it would not look so clumsy and the lock would have kicked in sooner. And in the end there would be no point in locking anything that way, since a reinstall would cure it all. Okay, let's reboot.

Reboot into the BIOS, and now everything becomes a little clearer:

[screenshot]

And finally, it's clear:

[screenshot]

How did it come about that my own laptop is hurting me? What is Computrace?

Strictly speaking, Computrace is a set of modules in your EFI BIOS which, once Windows boots, drop their Trojans into it; these call home to a remote Absolute Software server and allow the system to be locked over the Internet if necessary. More details can be read here. On operating systems other than Windows, Computrace does not work. Moreover, if we connect a drive with Windows encrypted by BitLocker or any other software, Computrace will again not work: the modules simply cannot place their files into the system.

From a distance such technology may seem cosmic, but only until we find out that it all runs on the stock UEFI using a module and a half of dubious quality.

This thing seems cold and all-powerful until we try, for example, to boot into GNU/Linux:

[screenshot]
The Computrace lock is active on this laptop at this very moment

As the saying goes,

[image]

What to do?

There are four obvious approaches to the problem:

  1. Write to the seller on eBay
  2. Write to Absolute Software, the creator and owner of Computrace
  3. Dump the BIOS chip and send the dump to some shady characters so that they send back a dump with a patch that deactivates all the locks and changes the device ID
  4. Call Lazard

Let's go through them in order:

  1. Like all sensible people, we first write to the seller who sold us such a product and discuss the problem with the one responsible for it in the first place.

    Done:

    [screenshot]

  2. According to advice found in the depths of the Internet,

    You need to contact Absolute Software. They will want the machine serial number and the motherboard serial number. You will also need to supply "proof of purchase", like a receipt. They will contact the owner they have on file and get the OK to remove it. Assuming it is not stolen, they will then "flag it for delete". After that, the next time you connect to the internet or have an open internet connection, a miracle will occur and it will be gone. Send the stuff I mentioned to [email protected].

    we can write to Absolute directly and negotiate the unlock with them. I took my time and decided to resort to this solution only towards the end.

  3. A brute-force solution to the problem, fortunately, also already existed. These guys, and many other computer repair masters on the same eBay, and even Indians on Facebook, promise to unlock our BIOS if we send them a dump and wait a couple of minutes.

    The unlock process is described as follows:

    The unlocking solution is finally available and requires a SPEG programmer to be able to flash the BIOS.

    The process is:

    1. Reading the BIOS and creating a valid dump. In a Thinkpad, the BIOS is married to the internal TPM chip and contains a unique signature of it, so it is important that the original BIOS be a correct read-out for the success of the whole operation and to restore the BIOS afterwards.
    2. Patching the BIOS binaries and injecting a small allservice.ro UEFI program. This program will read the secure eeprom, reset TPM certificate and password, write secure eeprom and reconstruct all data.
    3. Write the patched BIOS dump (this will only function in that TP btw), start the laptop and generate a Hardware ID. We will send you a unique key that will activate the Allservice BIOS, while the BIOS is loading it will execute the unlock routine and unlock the SVP and TPM.
    4. Finally, write the original BIOS dump back for normal operations and enjoy the laptop.

    We can also disable Computrace or change the SN/UUID and reset the RFID checksum error by using our UEFI program in the same manner, if necessary.

    The unlock service price is per machine (like we do for the Macbook/iMac, HP, Acer, etc.). For service price and availability please read the next post below. You may contact [email protected] for any inquiries.

    Seems legit! But for obvious reasons this is also an option for the most desperate situation, and besides, all this pleasure costs $80. We leave it for later.

  4. If Lazard broke everything and asked me to call back, then I should not refuse! Down to business.

We call Lazard, aka "the world's leading financial advisory and asset management firm, which advises on mergers, acquisitions, restructuring, capital structure and strategy".

While the eBay seller is taking his time to answer, I top up a few bucks on Zadarma and look forward to talking with perhaps the most soulless interlocutor on the planet: the support line of a huge financial corporation from New York. A girl quickly picks up the phone, listens to my timid explanations in broken English of how I bought this laptop, writes down its serial number and promises to pass it on to the admins, who will call me back. This process repeats exactly twice, a day apart. The third time I deliberately waited until the evening, when it was 10 am in New York, and called, quickly reading out the spiel about my purchase that I already knew by heart. Two hours later the same woman called me back and began to read out instructions:
- Press Escape.
I press, but nothing happens.
- Something isn't working, nothing changes.
- Press it.
- I'm waiting.
- Now enter: 72406917
I enter it. Nothing happens.
- You know, I'm afraid that won't help... Wait a minute...
The laptop suddenly reboots, the system boots, and the annoying white screen has disappeared somewhere. To be sure, I go into the BIOS: Computrace is not activated. That seems to be it. Thank you for your support; I write to the seller that I have solved everything myself, and relax.

A makeshift open Computrace based on Intel AMT

What happened discouraged me, but I liked the idea. My phantom pain over the stupidly lost laptop was looking for an outlet; I wanted to protect my new laptop as if that would bring back my old one. If someone can use Computrace, then so can I, right? After all, there was once Intel Anti-Theft, by all descriptions a great technology that worked as it should but was killed by market inertia; there must be an alternative. It turned out that the search for an alternative ended where it began: only Absolute Software has managed to gain a foothold in this field.

First, let's recall what Intel AMT is: a set of libraries that is part of Intel ME, embedded in the EFI BIOS, so that an administrator in some office can operate the machines on the network without getting up from his chair, even if they do not boot: remotely mounting ISOs, controlling them via remote desktop, and so on.

All this runs on Minix, and at roughly this level:

Invisible Things Lab has suggested calling the functionality of Intel vPro/Intel AMT technology protection ring -3. As part of this technology, chipsets supporting vPro contain an independent microprocessor (ARC4 architecture), have a separate interface to the network card, exclusive access to a dedicated RAM area (16 MB), and DMA access to the main RAM. Programs on it execute independently of the central processor; the firmware is stored together with the BIOS code or on a similar SPI flash memory (the code is cryptographically signed). Part of the firmware is an embedded web server. AMT is disabled by default, but some of the code still runs even in this disabled mode. Ring -3 code is active even in the S3 sleep power mode.

It sounds tempting, because it seems that if we can set up a reverse connection to some admin panel via Intel AMT, we can get access no worse than Computrace (in fact, not quite).

Activating Intel AMT on our machine

Now some of you would probably like to touch this AMT with your own hands, and this is where the nuances begin. First: you need a processor that supports it. Fortunately there is no problem with that (unless you have AMD), because vPro has been added to almost all Intel i5, i7 and i9 processors (you can check here) since 2006, and proper VNC has been in there since 2010. Secondly, if you have a desktop, you need a motherboard that supports this functionality, namely one with a Q-series chipset. On laptops we only need to know the processor model. If you find that you have Intel AMT support, that is a good sign and you can apply the settings obtained here. If not, then either you were unlucky / deliberately chose a processor or chipset without support for this technology, or you successfully saved money by going with AMD, which is also a reason for joy.

According to the documentation:

In non-secure mode, Intel AMT devices listen on port 16992.
In TLS mode, Intel AMT devices listen on port 16993.

So Intel AMT accepts connections on ports 16992 and 16993. Let's head there.

You need to check that Intel AMT is enabled in the BIOS:

[screenshot]

Next, we need to reboot and press Ctrl+P during boot:

[screenshot]

The default password, as usual, is admin.

Immediately change the password in Intel ME General Settings. Next, in Intel AMT Configuration, enable Activate Network Access. Done. You are now officially backdoored. We boot into the system.

Now an important nuance: logically, we should be able to reach Intel AMT both from localhost and remotely, but no. Intel says you can connect locally and change settings using the Intel AMT Configuration Utility, but it flatly refused to connect for me, so my connection only worked remotely.

We take some other device and connect to your-IP:16992.

It looks like this:

[screenshot]

[screenshot]

Welcome to the standard Intel AMT interface! Why "standard"? Because it is stripped down and completely useless for our purposes, and we will use something more serious.
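A defender-side counterpart to the "officially backdoored" step above, as an added example that is not from the original article: a small Python inventory check that reports which hosts on your own network expose the Intel AMT ports 16992 (plain HTTP) and 16993 (TLS) named above. It assumes the AMT web UI identifies itself in the HTTP Server header as "Intel(R) Active Management Technology"; that banner text is my assumption, not something the article states, so a bare open port is reported only as "suspected".

```python
# Added example (not from the article): inventory check for hosts exposing
# Intel AMT on TCP 16992 (plain HTTP) and 16993 (TLS), the ports named above.
# The Server-header text is an assumption about how the AMT web UI identifies itself.
import socket
from dataclasses import dataclass, field
from typing import List, Optional

AMT_HTTP_PORT = 16992
AMT_TLS_PORT = 16993
AMT_BANNER = "Intel(R) Active Management Technology"  # assumed banner text


@dataclass
class AmtFinding:
    host: str
    open_ports: List[int] = field(default_factory=list)
    server_header: Optional[str] = None

    @property
    def verdict(self) -> str:
        # confirmed = banner seen; suspected = port open only; none = nothing open
        if self.server_header and AMT_BANNER in self.server_header:
            return "confirmed"
        return "suspected" if self.open_ports else "none"


def _tcp_open(host: str, port: int, timeout: float) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _server_header(host: str, port: int, timeout: float) -> Optional[str]:
    """Send a plain GET / and return the HTTP Server header, if any."""
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:  # includes socket.timeout; keep whatever arrived
        pass
    for line in data.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return None


def check_host(host: str, http_port: int = AMT_HTTP_PORT,
               tls_port: int = AMT_TLS_PORT, timeout: float = 1.0) -> AmtFinding:
    # Probe both AMT ports; fetch the banner only if the plain port answers.
    finding = AmtFinding(host)
    for port in (http_port, tls_port):
        if _tcp_open(host, port, timeout):
            finding.open_ports.append(port)
    if http_port in finding.open_ports:
        finding.server_header = _server_header(host, http_port, timeout)
    return finding
```

Run `check_host()` over the addresses of your own machines (for example after enabling Activate Network Access as above) to see which of them answer on the AMT ports; anything "confirmed" or "suspected" that you did not provision yourself deserves a look in its BIOS.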

Getting to know MeshCommander

As usual, big companies make something, and end users adapt it for themselves. That happened here as well.

[photo]

This modest man (no exaggeration: his name is not even on his own website, I had to google it), Ylian Saint-Hilaire, has developed wonderful tools for working with Intel AMT.

I would like to draw your attention to his YouTube channel, where in his videos he shows simply and clearly, in real time, how to perform various tasks related to Intel AMT and its software.

Let's start with MeshCommander. Download it, install it and try to connect to our machine:

[screenshot]

The process is not instantaneous, but in the end we get this screen:

[screenshot]
Not that I'm paranoid, but the sensitive data has been blurred out; forgive me such coquetry

The difference, as they say, is obvious. I don't know why Intel's own control panel lacks this feature set, but the fact is that Ylian Saint-Hilaire gets a lot more out of life. Moreover, you can install his web interface directly into the firmware, which lets you use all the functions without a separate utility.

This is done like this:

[screenshot]

I should note that I did not use this functionality (Custom web interface) and cannot say anything about how well it works, since my needs do not require it.

You can play around with the functionality; you are unlikely to break anything, because the starting and ending point of this whole festival is the BIOS, where you can always reset everything by disabling Intel AMT.

Deploying MeshCentral and implementing back-connect

And this is where my mind was completely blown. This guy made not only a client but a whole admin panel for our Trojan! And not only made it, but launched it for everyone on his own server.

Get started by installing a MeshCentral server of your own or if you are not familiar with MeshCentral, you can try the public server at your own risk at MeshCentral.com.

This speaks well of the reliability of his code, since I could not find any news about hacks or leaks in the entire lifetime of the service.

Personally, I run MeshCentral on my own server because I believe, without much reason, that it is more reliable, but there is nothing in this but fuss and tedium. If you want to as well, here are the docs and here is a container with MeshCentral. The docs describe how to wire it all up behind NGINX, so the setup integrates easily into your home servers.

Register on meshcentral.com, log in and create a Device Group, selecting the "no agent" option:

[screenshot]

Why "no agent"? Because why would we need it to install something extra; it is unclear how it behaves and how it will work.

Click "Add CIRA":

[screenshot]

Download cira_setup_test.mescript and use it in our MeshCommander like this:

[screenshot]

Voila! After a while our machine will connect to MeshCentral and we can do something with it.

First: you should know that our software will not call home to a remote server just like that. This is because Intel AMT has two connection options: through a remote server, and directly, locally. They do not work at the same time. Our script has already configured the system for remote operation, but you may need to connect locally. To be able to connect locally, you need to go here

[screenshot]

and enter a string that is your local domain (note that our script has ALREADY entered some random string there so that the connection is made remotely), or clear all the strings entirely (but then the remote connection will not be available). For example, on my OpenWrt the local domain is lan:

[screenshot]

Accordingly, if we enter lan there and our machine is connected to a network with this local domain, the connection will not be available remotely, and the local ports 16992 and 16993 will open and accept connections. In short, if there is some rubbish there unrelated to your local domain, the software calls home; if not, you have to connect to it yourself over the wire, and that's all.

Second:

[screenshot]

Everything is ready!

You ask: where is the AntiTheft? As I said at the start, Intel AMT is not very suitable for fighting thieves. Administering an office network, fine; fighting over the Internet against individuals who have unlawfully taken possession of property, not really. Consider the set of tools that could, in theory, help us in the struggle for private property:

  1. In itself, guaranteed access to the machine if it is connected by cable, or via Wi-Fi if Windows is installed on it. Yes, it's childish, but it is already very hard for an ordinary person to use such a laptop if someone suddenly takes control of it. Moreover, even though I could not get to grips with the scripts, there is probably a way to carve out some locking / notification functionality with them.
  2. Remote Secure Erase with Intel Active Management Technology

    [screenshot]

    With this option you can wipe all the information from the machine in seconds. It is unclear whether it works on non-Intel SSDs. You can read more about this feature here. You can see it in action here. The quality is terrible, but it is only 10 megabytes and the gist is clear.

The problem of delayed execution remains unsolved; in other words, you need to watch for when the machine comes onto the network in order to connect to it. I believe there is a solution for this too.

Ideally, you would lock the laptop and display some kind of message, but in our case we simply have unavoidable access, and what to do with it is a matter of imagination.

Perhaps you can somehow manage to lock the machine or at least display a message; write if you know how. Thank you!

Don't forget to set the BIOS password.

Thanks to user beret for proofreading!

Source: habr.com