ptresearch / IntelTXE-PoC

Intel Management Engine JTAG Proof of Concept

debug after poc success run #14

Closed prince156 closed 4 years ago

prince156 commented 5 years ago
In your talk you used the Python library to demonstrate the debugging effects on the ME. I have no clue about how to stop at 0xf000:fff0 after reset.
And I want to figure out the details of the vulnerability by re-jumping into the entry point in TXE, but after a few steps the program keeps running and I cannot keep stepping.
h0t commented 5 years ago

Hi @prince156. On some platforms we have problems with reset-break too, and we haven't researched it; you can try another version of Intel System Studio. You can also try the hack from our video: https://youtu.be/H9jt2CZwwZA?t=3234

prince156 commented 5 years ago

Thank you for your quick answer.

1. I ran the reset breakpoint on a Gigabyte GB-BPCE-3350C. After running the `resettarget` command, there is a warning: "error occurred while handling reset break: an argument is NULL when it should not be". Do I need to set an additional hardware break at f000:fff0, or if the reset break runs successfully will it auto-halt at 0xf000:0xfff0? I see the command output in your talk is "ExecutionControlUnableToHaltException: unable to halt process thread: LMT2_C0_T0", then "[LMT2_C0_T0] multithreaded break at 0xF000:0000FFF0". How do I set a multithreaded break at 0xF000:0xfff0?
2. Has anyone tried to change eip in the TXE bup module? For example, I change eip to the entry point with the right stack, but after a few steps the program keeps running and I cannot keep it in the stepping state.

markel777 commented 5 years ago

Hi @prince156,

Unfortunately, we don't know a simple method to do Reset Break for CSE MIA on Apollo Lake (Broxton P) platforms. To do Reset Break you must not set a hw bp at 0xf000:0xfff0, because the DRx registers are cleared at CPU reset. The Reset Break for all Intel CPUs involves external logic raising the PREQ# (Probe Mode Request) signal at Reset. We don't know how to accomplish this for CSE MIA on BXTP. However, we found a very robust method to break CSE in ROM at a very early stage: you can see this method in our VISA demo video (extracting root key): https://github.com/ptresearch/IntelVISA-BH2019/blob/master/fuses.mp4 Briefly, CSE hangs in ROM if the FUSE controller is in use by another device when CSE accesses it. So, all we need is to acquire FUSE controller ownership before doing the CSE Reset. After Reset we can halt CSE in ROM. To access the FUSE controller you need at least Orange Unlock of the BXTP platform. However, if the PoC succeeded you already have Red Unlock. So, you can use the IOSF Side Band interface via the OpenIPC stateport to acquire the FUSE controller (port id = 0x42, bar = 4, you need to write 0x20000 at zero offset).