Hello!
To properly finish FW update I wanted to close Manufacturing Mode as Intel recommended.
But in my case (Gigabyte H61M-DS2) I had a problem with that.
First I tried standard “FPT - closemnf” command but had an error
"Error 7: Hardware sequencing failed. Make sure that you have access to target flash area!"
I’ve checked FD region bits and all permissions (read/write) are set.
Second I paid attention that Gigabyte do not point start address of BIOS region in Flash Descriptor: ME and BIOS have the same start address formally (in fact it is not of course, UEFI Tool points real addresses which are not the same). So I assumed that FPT can not work correctly for this reason. I decided to edit FD and clean up ME region and than reflash to SPI, FD first and ME second. I prepared image as in manual, tested and it was OK.
But when I tried flash FD I had the same error
"Error 7: Hardware sequencing failed. Make sure that you have access to target flash area!"
So I suppose that Gigabyte has BIOS settings which prohibiting writing to SPI inspite of the bits in FD beginning from 0x60 are set to permit writing: “00 00 FF FF 00 00 FF FF”.
I have no idea how I can get access to writing in SPI at the moment.
First I think that may be some bits in BIOS area which could be edited in original Gigabyte BIOS image (v. F9 in my case) to permit Manufacturing Mode closing.
Second variant is to try “FPT -LOCK” but I don’t know Manufacturing Mode Done Bit real value. In case of this bit isn’t set command above won’t set Manufacturing Mode to “Disable”. And I’m not sure that it will be done without the same error in general.
Can you advice me how to close Manuf Mode in this case? Or is it a well-known feature of Gigabytes motherboards and nothing can be done about it?
You don’t need to lock the FD to perform an update and it doesn’t matter (security wise) for a 10 year old platform either way. Intel tools that deal with SPI images (FIT, FPT) won’t work properly at those stupid Gigabyte BIOS unless you fix the absent BIOS offset. UEFITool has a workaround in place just for that so that’s why it works. You can download the latest SPI/BIOS image from Gigabyte, fix the FD via a Hex Editor, extract it manually (first 0x1000) or via UEFITool and flash just that using “fptw -desc -f desc.bin”. Once the FD is proper, you should be able to use FPT for the other regions just fine.
Yes, I understand that there is no security reason in this case but I want to solve this for better understanding and for interest mainly. Maybe I was not clear enough in my previous post but I’m already did all that steps: corrected BIOS offset in FD via HxD to properly value (80 01 LE in my case as for 0x180000 BIOS start address) and tried to flash FD via FPT (DOS) but got the error (above).
I tried it again via FPT (Windows Tool) but result the same (in pic.)
I have another idea. As far as I understand Gigabyte BIOS image is the full SPI image. It is clear from UEFI Tool analysis. And when I flash BIOS via Q-Flash it change ME region too for example (for different BIOS versions ME version is also different). So I suppose that it rewrites whole SPI (maybe I mistaken).
So now I have outimage.bin from my manipulations (with edited FD to proper BIOS offset and cleared ME region) and in theory I can try to flash it (instead of original Gigabyte) via Q-Flash.
But there are two questions. Checksum of manually prepared image may be not correct. The second (and the main) that it’s my work computer and I have no programmer. So if somebody had this experience (for the same motherboard and the same problem I mean) I would try.
FWUpdate works fine. But when it goes to close Manuf Mode that is the moment where problem comes.
Are you sure the FD is not already locked? You can see the permissions via “fptw -dumplock” if I remember properly. You can try the DOS version of FPT as well just in case the Windows one is old/problematic nowadays. Back then Gigabyte’s and MSI’s in-BIOS flashers did unlock the FD for re-flashing (or relied on the fact that is was unlocked from the factory - don’t remember which) so I think you can just use these instead. Your mobo does have Dual BIOS but honestly if you want to play around with it, it shouldn’t be a work machine and you should have a programmer at hand to fix any soft bricks.
Yes, it unlocked (formally) - in pic.
I checked it with DOS Tool also earlier. That is the bit of paradox - you have permissions but you can’t write anything to SPI. I reflashed BIOS two or three times (from F7 to F9 and to F7 and to F9 again) and in result the FD status is the same - I have all permissions but have no possibility to write SPI. BIOS works fine, ME works fine (as I can see from MEInfo and MEManuf results), the only thing is I can’t close Manuf Mode and lock regions as Intel recommends.
OK, let it be so at the moment. I will update to 8.1.70.1590 (latest version) via FWUpdLcl again (from 8.1.30.1350) and quit the "Close Manuf Mode" game. 
Thank you for answers and thanks a lot for manuals you’ve done for Intel ME.
I suggest you leave it as it is since it’s a work machine but you can always lock read/write access manually. The “-closemnf” parameter is not the only way. You can adjust those settings in FIT, build an image, extract its FD and flash it directly. And you don’t have to use FPT (in case that’s the problem).
Do you mean using programmer or another software (not FPT)?
In you mean for flashing, then yes. Flashrom under Linux and AMI AFU come to mind right now but FPT is indeed the easiest and best suited for Intel systems. Try FPT v7 as well just in case.
First I decided to try FPT 8.1.0.1248 DOS version (instead of 8.1.60.1561 which I used earlier). The same error again (Error 7) when trying to flash DESC and ME regions.
Then I tried FPT 7.1.50.1166 DOS version. The same error (Error 8, with the same message as in v.8 - failed to access and erased target flash).
Then I tried "fpt -closemnf" from 8.1.0.1248 and it showed me that "Manufacturing Mode Done bit is set already" the first time of all my previous attempts to run this command. But after confirmation for locking regions it frozen for a while and then showed that ME in Init Mode with Manufacturing Mode disabled and debug error.
After "fpt -greset" it came to Normal Mode again.
After that I just updated ME to latest version (as planned before) via FWUpdLcl and it seems like it’s OK at the moment:
I decided to leave it in this state as we discussed yesterday.
For further experiments. Not sure what flasher is more suitable. I found flash entire regions (including FD region) options only in AMI Aptio AFU (AFUDOS 3.07.01). Don’t know whether it is suitable.
If I’ll decide to try it later my plan is to flash cleared ME region first as it has Manufacturing Mode Done bit is set (I didn’t tick "Do not set…" flag in FITC). And flash FD region after that. At first flashing I plan to set lock to ME region only, then check that Manuf Mode is disabled, and lock FD after that.
There could be even more vulnerabilities.
For example I found the Bootscriptable vuln on my Lenovo H61.
So it could exploit and rewrite Smram which mean game over for state of platform.
My bootscript includes settings of SMRAMC register, the same goes for TSEG register which are both writable by the exploit.
I don’t want take nothing from plutomaniac but probably only safe way is apply Me cleaner on the machine.
It’s seems like problem is solved.
Since I knew that Gigabyte original BIOS image contains the whole SPI image (as I mentioned above) I decided to edit Flash Descriptor right in original image from Gigabyte website via HEX-editor.
In my case it was needed to write 80h on 0x44 and 01h on 0x45. Then I flashed this edited image via Q-Flash as usual.
In result I’ve closed Manufacturing Mode succesfully from the first attempt.
[[File:fptw_spi_info ? ???.png|none|auto]]
[[File:meinfo_manuf_mode_disabled ? ???.png|none|auto]]
[[File:fptw_dumplock_locked ? ???.png|none|auto]]
And after that I updated ME Firmware to the latest version via FWUpdLcl. When updating process was completed I tried to reset via "fpt -greset" (as recommended) but got an Error 217: Setting Global Reset Failed. I’ve turned off power manually and then it was ok.
For those who may be have the same problem I attached the edited Gigabyte image below (in ZIP-archive). It has start address of BIOS region (180000h) in FD already (as a I described above).
IMPORTANT Notes (as usual).
If you’ll decide to flash it,
1) Rememeber that flashing BIOS is always risky process
2) Please check your motherboard model. It made for Gigabyte H61M-DS2 Rev.2.2
3) Original BIOS version is F9
4) Image was flashed via Q-Flash
h61mds22.zip (2.74 MB)
Can you make limited overclock on H61 (in the Bios) as for example run i7 3770 at all core/3900 Mhz which is supposed to be max ratio for one core?