Broken(?) Intel ME on Lenovo ThinkPad T440p

Special Topics Intel Management Engine
1

Hi guys,

Yesterday I acquired a former business-unit ThinkPad T440p. I’ve been experiencing the 30-minute abrupt shutdown, indicating of borked ME. I confirmed this by:
- Intel Management Engine Interface is not listed under Device Manager > System Devices
- attempts to install Intel Management Engine Software 11 fails with the message platform not supported
- attempts to enter MEBx by pressing Ctrl+P does nothing; the system proceeds to boot to Windows as normal
- MEInfoWin keeps erroring out and not displaying any information whatsoever

A few hours ago I got myself a CH314A programmer, hooked it up to what I’d presumed is the BIOS chip on the T440p (Winbond 25Q32FV adjacent to the RAM slots). I then read and saved them 2 (two) times, then compared them on HxD to confirm they’re identical.
I tried opening them on ME Analyzer but it said File does not contain Intel Engine firmware.
I then opened them on UEFI Tool out of curiosity, in which I saw that the root of the structure says UEFI Image rather than Intel Image.
flashrom --layout (filename) gave me Error parsing layout file. Offending string: “”.

This got me wondering:
- did I dump from the right chip?
- if I didn’t, perhaps are there any clues as where to look for the actual BIOS chip? Google didn’t seem to help at all.
- how do I proceed from here?

Additional info:
- BIOS and EC is already on their latest respective version (2.52/GLET98WW and 1.12/GLHT29WW respectively)
- didn’t work: fptw -d bios.bin
- didn’t work: fptw -me -d me.bin
- works: fptw -desc -d fd.bin
- fptw -greset affects nothing
- output of ifdtool -d (my image dump.bin): https://pastebin.com/7ypW00Yy

Many thanks in advance!

Capture-me-analyzer-1stdump.PNG

Capture-me-analyzer-2nddump.PNG

Winbond 25Q32FV.JPG

Capture-uefi-tool.PNG

2

You haven’t uploaded the dumped SPI image for us to take a look. It could be that the laptop has 2 SPI chips which work together and you only dumped the 2nd one.

3



I peeked around more carefully, and turns out there is indeed a 2nd SPI chip that cannot be directly accessed without disassembly of the bottom chassis/rollcage. I will get back to you as soon as I’ve got it disassembled and dumped the 2nd chip!

4

Yeap that makes sense. The other SPI chip must be the 1st one which holds the Flash Descriptor & Engine region. That’s why MEA could not find anything and why UEFITool didn’t detect a Flash Descriptor (Intel image).

5



Confirmed that the Intel image is indeed in the other chip (Winbond 25Q64). Attached is the ME Analyzer results.

I’m a bit bamboozled by the results though – the chip says ME version is 9.0.31.1487 and SKU is 5MB, while on the firmware download page, said version is the 1.5MB SKU.

Capture-me-mea.PNG

6


Your system runs ME 9.0 5MB firmware so you need to pick the latest from Section B of Intel Management Engine: Drivers, Firmware & System Tools. Note that, in order to follow the [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization, you need to first merge the 1st SPI dump with the 2nd to create a full SPI image. At the end of the guide, you’ll end up with outimage.bin (full SPI image), outimage_1.bin (1st SPI image) and outimage_2.bin (2nd SPI image) which can be used to re-flash the two chips afterwards.

7


Understood. This means I can run ME 9.0 5MB v9.0.1.3488, correct?


How do I go about combining these two images? I’m sorry since I’m not familiar which tool(s) I should use to accomplish this.



EDIT: out of curiosity, I ran me_cleaner -S on the SPI dump (t440p_redump_fde.bin in the attached dumps.zip), reflashed it, but the 30 minute shutdown remains. intelmetool -m output on both pre- and post-me_cleaner remains the same, as shown in the attached image.

unhuffme output of the SPI dump before me_cleaner:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
 
number of flash regions: 4
	region: 0 in range: 00000fff-00000000
	region: 1 in range: 00bfffff-00500000
	region: 2 in range: 004fffff-00003000
	region: 3 in range: 00002fff-00001000
 
Flash partition table (27 entries):
	partition:  PSVN(type:3) at 00000bc0, size:40
	partition:  FOVD(type:3) at 00000c00, size:400
	partition:  MDES(type:3) at 00001000, size:1000
	partition:  FCRS(type:3) at 00002000, size:1000
	partition:  EFFS(type:4) at 00003000, size:dc000
	partition:  BIAL(type:2) at ffffffff, size:add3
	partition:  BIEL(type:2) at ffffffff, size:3522
	partition:  BIIS(type:2) at ffffffff, size:36000
	partition:  NVCL(type:2) at ffffffff, size:69c9
	partition:  NVCM(type:2) at ffffffff, size:439b
	partition:  NVCP(type:2) at ffffffff, size:a3c0
	partition:  NVHM(type:2) at ffffffff, size:58
	partition:  NVJC(type:2) at ffffffff, size:3da0
	partition:  NVKR(type:2) at ffffffff, size:5c30
	partition:  NVNF(type:2) at ffffffff, size:175f
	partition:  NVOS(type:2) at ffffffff, size:3a34b
	partition:  NVSH(type:2) at ffffffff, size:22c0
	partition:  NVSM(type:2) at ffffffff, size:1de8
	partition:  NVTD(type:2) at ffffffff, size:1feb
	partition:  NVUK(type:2) at ffffffff, size:8940
	partition:  PLDM(type:2) at ffffffff, size:43c5
	partition:  GLUT(type:3) at 000df000, size:9000
	partition:  LOCL(type:0) at 000e8000, size:4000
	partition:  WCOD(type:0) at 000ec000, size:74000
	partition:  FTPR(type:0) at 00160000, size:b0000
	partition:  NFTP(type:0) at 00210000, size:27a000
	partition:  MDMV(type:0) at 0048a000, size:40000
 
Code partition: LOCL(1 modules, v9.0.31.1487)
		 0          LOCL_EN     lzma at:     394 va:20040000+2000
 
Code partition: WCOD(1 modules, v9.0.31.1487)
		 0     WCOD_WILKINS  huffman at:     3c0 va:200db000+a9000
 
Code partition: FTPR(7 modules, v9.0.31.1487)
		 0           UPDATE     lzma at:   5af41 va:2003e000+1000
		 1             ROMP  huffman at:     8c0 va:20185000+1000
		 2              BUP  huffman at:     8c0 va:20187000+13000
		 3           KERNEL  huffman at:     8c0 va:2019f000+4a000
		 4           POLICY  huffman at:     8c0 va:203ea000+1d000
		 5         HOSTCOMM     lzma at:   5b076 va:206a5000+e000
		 6              TDT     lzma at:   63399 va:2098d000+b000
 
Code partition: NFTP(23 modules, v9.0.31.1487)
		 0          ClsPriv     lzma at:  1ea96e va:20c23000+2000
		 1          SESSMGR     lzma at:  1ead47 va:20c26000+20000
		 2     SESSMGR_PRIV     lzma at:  1f7009 va:201f5000+f000
		 3              CLS     lzma at:  1fdc2b va:209c1000+5000
		 4        utilities  huffman at:     c00 va:20409000+a000
		 5             MCTP  huffman at:     c00 va:20414000+8000
		 6             PLDM  huffman at:     c00 va:2041e000+b000
		 7        NET_STACK  huffman at:     c00 va:2042a000+65000
		 8     NET_SERVICES  huffman at:     c00 va:20499000+12000
		 9              krb  huffman at:     c00 va:204ae000+b000
		10              sal  huffman at:     c00 va:204ba000+7000
		11              tls  huffman at:     c00 va:204c2000+29000
		12     TLS_ISOLATED     lzma at:  20045a va:209f7000+22000
		13              eac  huffman at:     c00 va:204ed000+25000
		14             wlan  huffman at:     c00 va:20515000+2d000
		15      wlan_legacy  huffman at:     c00 va:20547000+46000
		16       CONF_STACK  huffman at:     c00 va:20597000+74000
		17         admin_cm  huffman at:     c00 va:20610000+7b000
		18            secio  huffman at:     c00 va:2068f000+e000
		19              ICC     lzma at:  2128cd va:206bc000+5000
		20              BOP  huffman at:     c00 va:2069e000+6000
		21           HOTHAM  huffman at:     c00 va:203c8000+7000
		22              NFC     lzma at:  214cbf va:20c94000+c000
 
Code partition: MDMV(2 modules, v9.0.31.1487)
		 0             Pavp     lzma at:     3f4 va:20048000+29000
		 1              JOM     lzma at:   15b55 va:20098000+42000
 
       LOCL_EN	f230ea82b2a5324177af2a20f1939e3049b4970d389aa6eaf17a4094b43089a2 lzma
  WCOD_WILKINS	cb8a45c146eb42344c81fb530f9b8e4c21f75369418e435934550a9203ad3464 [MATCH]
        UPDATE	4e3e49132c9d84441a06b93b2210ec872addebd020e02b4f9bf91e78cddf0a4a lzma
          ROMP	58dc7c35281069a19341a7aa0d72e5051a115681dcbbfb600653258ba6b2f8f5 [MATCH]
           BUP	98278e91a78b674ff939c9add4a9613c517814def970ba6e971f21f10d557568 incomplete
        KERNEL	f432deda338a28cb43c3c21efc11e3609458809538f69d36faa6edc0e268c9c2 [MATCH]
        POLICY	45641370e18752f7bd9f4c21075186a745a033f790882b882c03a5b8c14ca70e [MATCH]
      HOSTCOMM	867a12ddd1c635be865f55dc23e509161fa4744c4f2d517878559c41a0cf4f28 lzma
           TDT	a32df9511a891c0b8aec6895f9fc5c7373b96dcf351e23167ea4720fedbdb56a lzma
       ClsPriv	c9954a1a9d72155267ba3ec07c26cea5f4b1e0556b5557ffd641bc78e4a80826 lzma
       SESSMGR	c867bd53a9859e111c52188425a219d25cd2b9c36c0e0dbf56cb6dffa0174d11 lzma
  SESSMGR_PRIV	cf08d0434d0c6d0b816fa14c78c18a437fb45ef18af7fc9d9fd3a793872b0171 lzma
           CLS	5287b5deb46612be459f424091c7e83047a3392ac6bbcf88bdd3717f818222bb lzma
     utilities	90bbed7b19f0946cd5621b8d478e0e12f4d8f7e2aa8eaf8c923fbba50ab52b5b [MATCH]
          MCTP	555d0b9aac923f16cddf63d533b530fe0bc738c96bea0c38b4497d719bda93bd [MATCH]
          PLDM	cfe8a331d2f8ce23837c8631bef08be8c4cbd292fe8dde70a0400b4a87aa2a02 [MATCH]
     NET_STACK	9265a7deef13e0340b16b36112ae7a74b19ba0b1ba6573f75a473bccccd6bde6 [MATCH]
  NET_SERVICES	f1498688f75f41f1fcb66771bf4b08c83adb7ab43f3b33c4ac71f2b7d1ab87b4 [MATCH]
           krb	d1ec51e7bc37f8ecf9a1c7f897c03a8eed17cf3b120ce742b83964b28e0c5412 [MATCH]
           sal	4a997ff38d4c3942bbeb587160308fe438d322a5a0474e75b6123585a3fac48d [MATCH]
           tls	20a4abc5bd426bd43868fe1c472f5b6e8b3dfb8f3f0033911d989de01053879b [MATCH]
  TLS_ISOLATED	b667ef8b61947f29b2120315ee9ecce8a5a4b002bacf2c2d78c64a3736c40f23 lzma
           eac	2fd9702137caada42e8ef9335633d9b9389be62b30595d9b1e3b483b5c2bdfa0 [MATCH]
          wlan	92ca66957babc009f82e7dc60738c9c6487233fda23adf57adc7e3ab2686711c [MATCH]
   wlan_legacy	ebe928def6ab4d986bca535a1ad1da7f5b38a8f1ca9804292719bd425aa52837 [MATCH]
    CONF_STACK	a318e4e2445a004a23c643b1cc90ec21fea3d45946e57667e06b7cf9ed7de00c [MATCH]
      admin_cm	3792acb80cfcdaffd270f29a03228d83109fa42da8096f314bf6e38dda228ab1 [MATCH]
         secio	120aa0871f5598cfdbd5882383dbbf22bd8f534300d18fc8b4440af83dcb8611 [MATCH]
           ICC	4ff27a5d581bb68c00d9ecb337869c73dbbbf7dbc181bafc2396dc9267c01a90 lzma
           BOP	464fd4273baab110b280372e40cddb8171b9aecabcf0327297b53c4e6566c2cd [MATCH]
        HOTHAM	5bbdfdf4dcb4d8719eed83345775129cf3dad14a2195f23eb5014507a7c6b370 [MATCH]
           NFC	14e69cf8781fc2dc76206584ace58039bda4222cac881294a2a6c30c9161581d lzma
          Pavp	186c65c345d7634f1092f8a74e7020f3b7f8270f63de38044f500fd2315bb8f7 lzma
           JOM	23b3062aaa94549d25e2ee69681e4e608af3e730aa968a4480337ca482afea59 lzma
 


unhuffme output of the SPI dump after me_cleaner:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 
number of flash regions: 4
	region: 0 in range: 00000fff-00000000
	region: 1 in range: 00bfffff-00500000
	region: 2 in range: 004fffff-00003000
	region: 3 in range: 00002fff-00001000
 
Flash partition table (1 entries):
	partition:  FTPR(type:0) at 00160000, size:b0000
 
Code partition: FTPR(7 modules, v9.0.31.1487)
		 0           UPDATE     lzma at:   5af41 va:2003e000+1000
		 1             ROMP  huffman at:     8c0 va:20185000+1000
		 2              BUP  huffman at:     8c0 va:20187000+13000
		 3           KERNEL  huffman at:     8c0 va:2019f000+4a000
		 4           POLICY  huffman at:     8c0 va:203ea000+1d000
		 5         HOSTCOMM     lzma at:   5b076 va:206a5000+e000
		 6              TDT     lzma at:   63399 va:2098d000+b000
 
        UPDATE	4e3e49132c9d84441a06b93b2210ec872addebd020e02b4f9bf91e78cddf0a4a lzma
          ROMP	58dc7c35281069a19341a7aa0d72e5051a115681dcbbfb600653258ba6b2f8f5 [MATCH]
           BUP	98278e91a78b674ff939c9add4a9613c517814def970ba6e971f21f10d557568 incomplete
        KERNEL	f432deda338a28cb43c3c21efc11e3609458809538f69d36faa6edc0e268c9c2 incomplete
        POLICY	45641370e18752f7bd9f4c21075186a745a033f790882b882c03a5b8c14ca70e incomplete
      HOSTCOMM	867a12ddd1c635be865f55dc23e509161fa4744c4f2d517878559c41a0cf4f28 lzma
           TDT	a32df9511a891c0b8aec6895f9fc5c7373b96dcf351e23167ea4720fedbdb56a lzma
 


---

EDIT 3:
Trying to make progress, so I tried opening the (fresh aka pre-me_cleaner) SPI dump in FITC and noticed that it has no ME region in it.


Is this normal? Could this be what's causing the "Image Failure" message in intelmetool and/or incomplete BUP in the unhoffme output above?

dumps.zip (5.83 MB)

intelmetool output.JPG
intelmetool output.JPG2016×1512 710 KB

8

Still trying to make progress, so in another attempt out of curiosity, I booted up the machine and tried running these commands with the following results:

memanufwin64 -verbose

1
2
3
 
Error 9278: Unknown or unsupported hardware platform
 
Error 9321: MEManuf Operation Failed
 


fptw64 -d spi.bin -bios (result attached as spi.zip)
1
2
3
4
5
6
7
8
9
10
11
12
13
 
Platform: Intel(R) QM87 Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid
 
    --- Flash Devices Found ---
    W25Q64BV    ID:0xEF4017    Size: 8192KB (65536Kb)
    W25Q32BV    ID:0xEF4016    Size: 4096KB (32768Kb)
 

- Reading Flash [0xC00000] 7168KB of 7168KB - 100% complete.
Writing flash contents to file "spi.bin"...
 
Memory Dump Complete
FPT Operation Passed
 


Attempting to execute fptw64 -rewrite -me -f somefile.bin did not error out. Does this mean that I can forego cleaning up the dumped SPI image and reflash the just ME region using fptw64 instead?

I have an official ME firmware update (attached here) for my machine off of Lenovo's site -- is it possible to extract the ME Region from said file and flash it with fptw64? As an aside, I tried flashing this particular file but fptw64 said that the file is too long (file is ~9MB, write length is ~5MB), so I guess I wasn't doing the right thing and aborted immediately.

ME9.1_5M_Production.zip (5.22 MB)

spi.zip (2.84 MB)

9

You can merge the two original SPI dumps with any hex editor, first the 8MB and then the 4MB one. Then follow [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization using the latest ME 9.0 5MB firmware. Do not use me_cleaner, it’s a research tool, not a repair one.

10

Duly noted on the merging; I’ll try on HxD.

Still curious though — since fptw64 -rewrite -me happens to work, can I just use that to rewrite the ME Region on my machine instead of cleaning & reflashing the SPI dump?

11

Follow directions if you want it fixed What you asked maybe possible to do, once you merge the BIOS, then clean/UPD the ME FW, but not before, otherwise you will end up with same situation or unconfigured ME.

12



Just finished – everything now works!! Overjoyed to know that my Thinkpad won’t end up being an expensive paperweight or doorstop

Also shoutout to plutomaniac for the guidance!

13

Glad you got it sorted out, Plutomaniac knows his ME Stuff so always follow what he mentions and only that and all will get fixed quickly

14

Once the two original SPI dumps (8MB) and (4MB) are combined into one (12MB) , how does one flash the firmware if you now have one combined SPI dump and two separate chips?