7

I have a Lenovo M82 box and it has Intel ME. Which means UDP traffic on port 623 just disappears into a black hole without a trace.

Is there any way to completely switch this effect off? Disabling it in BIOS (or playing with settings in Intel ME BIOS) has so far produced zero effect -- it keeps eating all UDP packets on port 623.

C.M.

2 Answers

8

Here's a concise, plain English guide to disabling Intel AMT

Intel AMT is the OS Layer to Intel ME. In some chipsets you can disable Intel ME by following these instructions (at your own risk). Newer chipsets (Haswell on) have Intel Boot Guard set in Verified Boot, which renders the solution above unusable.

UPDATE 2018: Starting with Intel AMT Release 12.0, it is possible to globally disable Intel AMT.

Gaia
  • 3
    Removing software components does absolutely nothing to chipset logic that filters all network packets and intercepts any UDP sent to port 623. Your second link may work, but since I've already fixed my problem (by using a 3rd-party network card) -- it is unlikely that I will ever check it. – C.M. May 05 '17 at 00:34
  • 1
    @C.M. There is [evidence from disassembly](https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/) that Baseboard Management Controllers (BMCs) like the Intel Management Engine run Linux. If this is the case, the Linux kernel cannot be excluded from featuring all drivers to talk to any NIC through PCIe. On notebooks that would be the case anyway, since WLAN is handled by off-chip plugin modules. – Serge Stroobandt Oct 11 '18 at 06:42
  • 1
    @C.M. That said, the normal pathway for a BMC to talk to a NIC is through the [Network Controller Sideband Interface](https://en.wikipedia.org/wiki/NC-SI). Hence, your suggestion of using a (non-Intel) separate PCIe NIC could still be valuable. – Serge Stroobandt Oct 11 '18 at 08:00
  • @SergeStroobandt It is certainly valuable in the sense that it is the only way I found that allows me to use UDP port 623 from the application layer. I would not be surprised if there is a way to configure the motherboard to stop intercepting traffic on that port by using some hidden API, but uninstalling the software mentioned in Gaia's links produced zero effect. – C.M. Oct 11 '18 at 20:57
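
One way to confirm the symptom from the question, and to check whether a separate NIC restores port 623 as described in the comments (an added example, not part of the original thread): bind listeners on the affected machine, send the same nonce from a second machine to port 623 and to a control port, and compare which ports the OS actually sees. `CONTROL_PORT` and all function names are assumptions made for this sketch.

```python
import select
import socket
import time

AMT_PORT = 623        # port the question reports as swallowed
CONTROL_PORT = 6230   # assumption: a UDP port nothing below the OS claims

def open_listeners(host, ports):
    """Run on the affected machine: bind one UDP socket per port."""
    socks = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((host, port))              # ports below 1024 need root/admin
        socks[s.getsockname()[1]] = s     # key by the port actually bound
    return socks

def send_probes(target, ports, nonce, repeats=3):
    """Run on a second machine: send the same nonce to every port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for _ in range(repeats):
            for port in ports:
                s.sendto(nonce, (target, port))

def collect(socks, nonce, seconds):
    """Return the set of ports on which the nonce reached the OS."""
    by_sock = {s: p for p, s in socks.items()}
    seen, deadline = set(), time.monotonic() + seconds
    while len(seen) < len(socks):
        left = deadline - time.monotonic()
        if left <= 0:
            break
        ready, _, _ = select.select(list(by_sock), [], [], left)
        for s in ready:
            data, _ = s.recvfrom(2048)
            if data == nonce:             # ignore unrelated or stale datagrams
                seen.add(by_sock[s])
    return seen

def verdict(seen, test_port=AMT_PORT, control_port=CONTROL_PORT):
    """Compare the test port against the control port."""
    if control_port not in seen:
        return "inconclusive"             # path or firewall drops everything
    return "delivered" if test_port in seen else "filtered-below-os"
```

A `filtered-below-os` result only points at the chipset once a port-specific host firewall rule has been ruled out. Repeating the run against the address of the add-in NIC shows whether that path delivers port 623 to the application layer.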
0

BIOS is the only way through which we can disable Intel ME.