It feels reassuring that you can actually get access and read the assembly of the IME now, thanks to https://github.com/ptresearch/unME11. For instance, using the Gigabrix-BSi5ha-6200 IME firmware update archive:

1. Download and unzip the Gigabrix-BSi5ha-6200 IME update archive (http://download.gigabyte.us/FileList/BIOS/brix_bios_bsi5-h-a...). Use F5_BIOS/image.bin from that archive.
2. Start "python unME11.py image.bin"
3. The uncompressed modules are located in image/00004000.FTPR/* after that
4. You can e.g. load image/00004000.FTPR/kernel.mod in IDA using 80486 in 32-bit real mode, or use "objdump -m i386 -b binary -D kernel.mod --adjust-vma=0x80000" with entry point being 0x80000, or "objdump -m i386 -b binary -D bup.mod --adjust-vma=0x2d000" with entry point being 0x2D04C

You can see that there is an extra function call added that tests for response.length.
Given the easy availability of the assembler dump you can expect progress towards demystifying IME.
I'm not a professional in the security field, but I sense that there are lots of possibilities by just doing a "strings image/00275000.NFTP/amt.mod". Gigabyte might be special, but they have left their assert prints in the code and you can get a sense of what the thing is doing...
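The objdump commands in the steps above only give correct absolute addresses if --adjust-vma matches the address the module is actually linked for. The following is an added example (not code from the comment above or from the unME11 project) showing one way to sanity-check a candidate base, and to tie the assert-print strings back to the code that pushes their addresses: it scans a raw module for `push imm32` (0x68) instructions and counts how many immediates land inside [base, base+len). The module bytes are constructed synthetically for the demo, the specific heuristic (pointer-density per candidate base) and the function names are this example's own assumptions, and the numbers 0x2d000 and 0x80000 are just the two bases quoted above used as candidates.

```python
import struct

def build_sample_module(base):
    """Constructed toy 'module' (synthetic test data, not bytes from any real ME
    module): three `push imm32; call printf; add esp,4` sequences whose immediates
    point at NUL-terminated strings later in the same blob, laid out for `base`."""
    strings = [b"assert(ptr != NULL)\0", b"amt: response too short\0", b"bup: init\0"]
    code_size = 0x40
    str_offsets, off = [], code_size
    for s in strings:
        str_offsets.append(off)
        off += len(s)
    blob = bytearray()
    for so in str_offsets:
        blob += b"\x68" + struct.pack("<I", base + so)          # push imm32 (string VA)
        call_at = len(blob)
        blob += b"\xe8" + struct.pack("<i", 0x30 - (call_at + 5))  # call rel32 -> offset 0x30
        blob += b"\x83\xc4\x04"                                 # add esp, 4
    blob += b"\xc3"
    blob += b"\x90" * (0x30 - len(blob))
    blob += b"\x55\x89\xe5\x5d\xc3"        # fake printf: push ebp; mov ebp,esp; pop ebp; ret
    blob += b"\x90" * (code_size - len(blob))
    for s in strings:
        blob += s
    return bytes(blob)

def push_imm32_sites(blob):
    """Yield (code_offset, imm32) for every byte that decodes as `push imm32`.
    Raw-byte scanning has false positives (0x68 is also 'h' in text), so callers
    must filter by range; that is exactly what the base heuristic does."""
    for i in range(len(blob) - 4):
        if blob[i] == 0x68:
            yield i, struct.unpack_from("<I", blob, i + 1)[0]

def score_base(blob, base):
    """Heuristic (assumption of this example): the correct load address is the
    one under which the most pushed immediates fall inside the module itself."""
    lo, hi = base, base + len(blob)
    return sum(1 for _, imm in push_imm32_sites(blob) if lo <= imm < hi)

def guess_base(blob, candidates):
    """Pick the candidate base with the highest in-range pointer count."""
    return max(candidates, key=lambda b: score_base(blob, b))

def pointed_strings(blob, base):
    """Resolve in-range `push imm32` targets to the NUL-terminated ASCII string
    they reference: (code_offset, target_va, text). Non-text targets are skipped."""
    out = []
    lo, hi = base, base + len(blob)
    for site, imm in push_imm32_sites(blob):
        if not (lo <= imm < hi):
            continue
        off = imm - base
        end = blob.find(b"\0", off)
        if end <= off:
            continue
        try:
            text = blob[off:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            out.append((site, imm, text))
    return out

if __name__ == "__main__":
    mod = build_sample_module(0x2d000)
    for b in (0x0, 0x2d000, 0x80000):
        print(f"base {b:#x}: {score_base(mod, b)} in-range push targets")
    best = guess_base(mod, [0x0, 0x2d000, 0x80000])
    for site, va, text in pointed_strings(mod, best):
        print(f"  +{site:#06x}: push {va:#x} -> {text!r}")
```

On a real module you would sweep page-aligned candidate bases rather than three guesses, and also count plain 4-byte-aligned data words that fall in range (vtables, jump tables and function pointers), since `push imm32` alone under-counts; the principle is the same, and once the base checks out, the string each `push` references is what the "strings amt.mod" output was hinting at.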