Can't update Intel ME region of my modded bios

Sorry for the bad English and grammar!
Hello guys,
Background:
Recently I have been doing research on computer vulnerabilities. As I know, there are some vulnerabilities in the Intel Management Engine firmware (SA-00075, SA-00086, SA-00125, SA-00213). Therefore, I want to update the ME region of my computer to prevent the vulnerabilities. However, the latest version of my computer's BIOS is 2202, which was uploaded to the Asus website on 07/23/2018. The ME version is still 11.0.0.1202, which is affected by most of the vulnerabilities (Picture 1). Hence, I have tried to learn how to mod the BIOS over these two days, but I still can't successfully update the ME region. Therefore, I hope someone can help me find out the problem.

Spec:
G20CB(OEM)
I7-6700
H170-P
Other specs are not important XD

My modification steps:
1. I downloaded the official latest BIOS. ( https://dlcdnets.asus.com/pub/ASUS/Gamin…-G20CB-2202.zip )
2. According to the page ( [Tool Guide+News] “UEFI BIOS Updater” (UBU) ), I downloaded UBU v1.74.0.3 and updated the Disk Controller, Video OnBoard (including VBIOS), Network and Microcode to the latest compatible versions (Picture 2).
PS: I followed the page to update the VBIOS ( [Guide] Transfer of specific Intel VBIOS settings by using Intel's BMP tool ).
3. I followed the video to change my BIOS boot logo ( https://www.youtube.com/watch?v=m_gfPlZ9dHM ).
*4. I followed the page to update the ME region ( [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization ). The size of the ME region is the same as the original. The only thing I didn't follow is the version I chose. The page tells us to choose an ME version similar to the one currently in use, but I used the latest ME version, 11.8 (11.8.60.3561). I hope this is not the reason the ME region update fails. (See Problem.)
*5. I followed step 5 of the page to unlock some features of the BIOS ( https://www.bios-mods.com/forum/Thread-G…res-UEFI-Aptio4 ). I used AMIBCP to change ‘Access/Use’ from Default to User and ‘Show’ from No to Yes (Picture 3)(Picture 4).

My modded BIOS: https://drive.google.com/file/d/1bt20fHT…iew?usp=sharing

Problem:
Because I don't know how to use the Intel Flash Programming Tool and my computer does not support Asus Flashback, I used afudos to flash my modded BIOS. As I know there are many versions of AFU, I downloaded the latest version (I think), which is v5.07.01, and an older version, v3.04.03. Since AFU v5.07.01 does not support the /gan command, I used /b /p /n /x /k /me to flash it. But it did not succeed, as it gave error 22, ‘Problem allocating memory’. Then I used AFU v3.04.03 with the /gan command, and it flashed successfully (Picture 5). After restarting the computer and loading the default settings, I went into Windows and downloaded HWiNFO; the versions of the BIOS and microcode are the same as in the modded BIOS. Also, I backed up/extracted the currently flashed BIOS using the ‘fptw64 -bios -d bkbios.bin’ command and opened it with UBU to see the driver versions. They are correct, and the boot logo was also changed successfully. So my first 3 modification steps were flashed successfully. But my hidden BIOS settings still do not show in the BIOS, and, most importantly, the ME firmware is still not updated. I tried AFU v3.04.03 with the /me command and it gives error a1, ‘BIOS does not support ME Entire Firmware update’ (Picture 6). Can anyone teach me how to update it? Thank you for helping.

Attachments (Pictures 1-6): 1.png, 2.png, 3.png, 4.png, 5.jpg, 6.jpg

A BIOS mod is not required to update ME FW, and flashing in a modified BIOS requires its own methods too. An ME FW flash is not involved in those methods, unless you have a flash programmer or an already unlocked FD to allow ME region re-write.

For the ME FW cleanup guide, you must follow it exactly as it says, don't do “whatever you want”. But as mentioned, you don't need to do any of that anyway; you can update ME FW without modifying or flashing the BIOS.

You've got too much going on there in your problem section! Two things to mention right away: you can use FPT, so stop using AFU (ever). Be careful with FPT, you can brick your board very quickly.

To update ME FW, download the V11 ME System Tools; inside that you will find the FWUpdate folder, and inside that a Windows or Win/Win32 folder. Select that Win folder, hold Shift and right-click, and choose “Open command window here” (not PowerShell).
Then put the ME FW UPD file in the same folder and run this command >> FWUpdLcl -f update_file_name.bin

This is the ME FW File you need to use and it’s the latest version for your platform >> 11.8.65.3590_CON_H_DA_PRD_RGN
Find this link for the above file >> Intel CSME 11.8 Consumer PCH-H D,A Firmware v11.8.65.3590 >> Intel Management Engine: Drivers, Firmware & System Tools

Once you get ME FW sorted I can help you unlock BIOS. Please send me a FPT Dump of your BIOS region >> FPTw.exe -bios -d biosreg.bin
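
The reply above hinges on one fact a modder should verify before touching the ME region with a software flasher: the flash descriptor's master permissions decide whether the host CPU (and therefore FPT or AFU) may write the ME region at all, while FWUpdLcl goes through the ME itself and does not need that permission. The script below is an added example for this thread, not code posted by anyone in it. It reads the descriptor from a full SPI dump (the `fptw64 -bios -d` dump used earlier holds only the BIOS region, so a full `fptw64 -d spi.bin` dump, or the descriptor region via FPT's `-desc` switch, is assumed here), lists the region boundaries, and reports whether the Host/BIOS master has ME write access. The bit layout follows the 100-series (Skylake, ME 11) descriptor as I understand it, with region read bits at [19:8] and write bits at [31:20] of each FLMSTR word; `v2=False` selects the older (ME 10 and earlier) layout. The two sample descriptors are constructed in memory for illustration and are not dumps from any real board.

```python
"""Inspect an Intel Flash Descriptor from a full SPI dump and report which
regions the host (CPU/BIOS) master may read or write.

Added example for this thread, not code posted in it.  Field layout assumed:
100-series (Skylake, ME 11) descriptor, FLMSTRn read bits [19:8], write bits
[31:20]; pass v2=False for the older layout (read [23:16], write [31:24]).
"""
import struct

FLVALSIG = 0x0FF0A55A                     # descriptor signature at offset 0x10
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]
MASTERS = ["Host/BIOS", "ME", "GbE"]


def parse_descriptor(img: bytes, v2: bool = True) -> dict:
    """Return {'regions': {name: (start, end) | None}, 'masters': {name: {region: (rd, wr)}}}."""
    (sig,) = struct.unpack_from("<I", img, 0x10)
    if sig != FLVALSIG:
        raise ValueError("no flash descriptor signature at 0x10; is this a full SPI dump?")
    flmap0, flmap1 = struct.unpack_from("<II", img, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # Flash Region Base Address, 16-byte units
    fmba = (flmap1 & 0xFF) << 4           # Flash Master Base Address, 16-byte units

    # FLREGn: base in the low word, limit in the high word, both in 4 KiB units.
    mask = 0x7FFF if v2 else 0x1FFF
    regions = {}
    for i, name in enumerate(REGIONS):
        (flreg,) = struct.unpack_from("<I", img, frba + 4 * i)
        base = (flreg & mask) << 12
        limit = (((flreg >> 16) & mask) << 12) | 0xFFF
        regions[name] = (base, limit) if limit >= base else None   # limit < base = unused

    masters = {}
    for i, name in enumerate(MASTERS):
        (flmstr,) = struct.unpack_from("<I", img, fmba + 4 * i)
        if v2:
            rd, wr = (flmstr >> 8) & 0xFFF, (flmstr >> 20) & 0xFFF
        else:
            rd, wr = (flmstr >> 16) & 0xFF, (flmstr >> 24) & 0xFF
        # bit n of each field grants that master access to region n
        masters[name] = {r: (bool(rd >> n & 1), bool(wr >> n & 1)) for n, r in enumerate(REGIONS)}
    return {"regions": regions, "masters": masters}


def host_can_write_me(img: bytes, v2: bool = True) -> bool:
    """True only if software running on the CPU (FPT, AFU) may rewrite the ME region."""
    return parse_descriptor(img, v2)["masters"]["Host/BIOS"]["ME"][1]


def build_descriptor(locked: bool) -> bytes:
    """Constructed 4 KiB descriptor (v2 layout) for a 16 MiB part; NOT a real dump.

    locked=True mirrors a typical OEM production descriptor: host may read
    Descriptor/BIOS/GbE and write BIOS/GbE, with no access to ME at all.
    locked=False mirrors the 'FD unlock' modders apply: every bit set.
    """
    img = bytearray(b"\xff" * 0x1000)
    frba, fmba = 0x40, 0x80
    struct.pack_into("<I", img, 0x10, FLVALSIG)
    struct.pack_into("<II", img, 0x14, (frba >> 4) << 16, fmba >> 4)  # only FRBA/FMBA filled

    def flreg(base: int, limit: int) -> int:
        return ((limit >> 12) << 16) | (base >> 12)

    unused = 0x7FFF                          # base=0x7FFF, limit=0
    layout = [flreg(0x000000, 0x000FFF),     # Descriptor
              flreg(0x800000, 0xFFFFFF),     # BIOS
              flreg(0x001000, 0x7FFFFF),     # ME
              unused, unused]                # GbE, PDR absent on this sample
    for i, r in enumerate(layout):
        struct.pack_into("<I", img, frba + 4 * i, r)

    if locked:
        host_rd, host_wr = 0b01011, 0b01010   # read desc+bios+gbe, write bios+gbe
    else:
        host_rd, host_wr = 0b11111, 0b11111
    flmstrs = [(host_wr << 20) | (host_rd << 8),
               (0b00100 << 20) | (0b00100 << 8),    # ME master: its own region
               (0b01000 << 20) | (0b01000 << 8)]    # GbE master: its own region
    for i, m in enumerate(flmstrs):
        struct.pack_into("<I", img, fmba + 4 * i, m)
    return bytes(img)


def report(img: bytes, v2: bool = True) -> str:
    d = parse_descriptor(img, v2)
    lines = []
    for name, span in d["regions"].items():
        lines.append(f"{name:10s} " + ("unused" if span is None else f"0x{span[0]:07X}-0x{span[1]:07X}"))
    for master, perms in d["masters"].items():
        flags = " ".join(f"{r}:{'r' if rd else '-'}{'w' if wr else '-'}" for r, (rd, wr) in perms.items())
        lines.append(f"{master:10s} {flags}")
    ok = host_can_write_me(img, v2)
    lines.append("host may write ME region: " + ("yes" if ok else "NO (a CPU-side ME region flash will be refused)"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. python ifd_check.py spi.bin
        print(report(open(sys.argv[1], "rb").read()))
    else:
        for locked in (True, False):
            print(f"--- constructed descriptor, locked={locked} ---")
            print(report(build_descriptor(locked)))
```

Run it against the full dump before trying any `-me -f` style flash: a "NO" verdict means the ME region can only be rewritten with an external programmer or after the descriptor itself has been changed (which, on a board whose descriptor is also write-protected, again needs a programmer). It also explains why the reply steers towards FWUpdLcl, which updates through the ME's own interface rather than through the host master's SPI permissions.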

Thank you for the reply.
When I type ‘FWUpdLcl64 -f Me.bin’, it says 'Error 8719: Firmware update cannot be initiated because Local Firmware update is disabled’.
I went into the BIOS to look, but I don't see any setting about Local Firmware Update. It seems the setting is hidden by the OEM.
This is the FPT dump of my BIOS region: https://drive.google.com/file/d/1DZovU_3…iew?usp=sharing

OK, sorry, I forgot to mention this, but please reflash the stock BIOS with EZ Flash before you take the FPT dump to send to me, so that your failed BIOS edits are not in there.
You can do this after you're done updating ME if you want; I won't be back online for 6-8 hours anyway.

To enable ME FW Update, use this guide to learn how to use Grub and setup_var, if you're not already familiar:
[GUIDE] Grub Fix Intel FPT Error 280 or 368 - BIOS Lock Asus/Other Mod BIOS Flash
Alt boot to grub when no boot to EFI on exit page - [Help needed] Hidden Advanced menu Bios HP Z1 J52_0274.BIN (2)

Variable you need to change >> Local FW Update, VarStoreInfo (VarOffset/VarName): 0x20C
Rename your .efi file to >> Shell.efi

So at grub prompt, you’ll type the following, reboot and then run FW update again >> setup_var 0x20C 0x0

I tried to use Grub and setup_var to disable Local Firmware Update by typing setup_var 0x20C 0x1, but it did not succeed. I have put the error images and the original BIOS in the link below because I don't know how to put images here XD
https://drive.google.com/drive/folders/1…90TGSwQA8BEZc9v

@SamLam140330 - You disabled it, then enabled it??? Sorry, I wrote that wrong above (disabling); I'm so used to disabling the BIOS lock. You need to set 0x1 to enable, as you did at the very end. Did you try the FW update after that?
If yes, and if it failed the same way, reboot and run setup_var 0x20C only and see what it says; if it shows 0x0 again, set 0x1 only, then reboot and flash ME FW. This may be failing, if it is, due to a secondary debug setting where it's also set to disabled by default.
If you can't get it, just wait, I'll unlock the BIOS fully and then you can set it directly in the BIOS. Or, here, for now, FPT flash this mod BIOS real quick (FPTw.exe -bios -f biosregM@.bin); I enabled Local ME FW update in both places, AMITSE/SetupData and within the Setup module.
http://www.filedropper.com/biosregm2

I went into grub and first used ‘setup_var 0x20C 0x0’, but it said it is already 0x0, so I typed it again, changing 0x0 to 0x1, and pressed Ctrl+Alt+Delete to restart the computer. However, it still says local firmware update is disabled. It seems this method does not work for my computer.
On the other hand, I flashed the BIOS you unlocked for me by typing ‘FPTW64.exe -bios -f Mod.bin’. However, I don't see the Local ME Firmware Update setting in the BIOS.

Attachment: P_20190608_155633.jpg

@SamLam140330 - Yes, sorry, as I mentioned, I told you that wrong at first (being used to needing to disable BIOS lock); you need to set 0x1 on Local FW Update to enable it.
That should have worked, but it's possible the debug value from AMITSE/SetupData was being applied too, which you can't change this way; that's why I sent you a mod BIOS with it changed in both places, AMITSE/SetupData and the Setup module.

Good you got the BIOS I sent you flashed in. Yes, sorry for any confusion, I have not unlocked it so the setting is visible to you yet, I only changed the default values for this setting. You may now update ME FW using the FW update tool. Then, once done, I will work on a fully unlocked BIOS for you.
Please check the BIOS main page: do you see “Access Level” at the bottom? If yes, what does it say, User or Admin? Then I can make this one setting visible for you if you want, before I unlock the whole BIOS.

@Lost_N_BIOS
Got it. Thank you for helping me unlock the local ME firmware update in the BIOS. It successfully updated the ME to 11.8.65.3590 to prevent the vulnerability.
According to the BIOS main page, the Access Level is Admin.

Great you were able to update the ME FW now!! No need for Access Level now, but it may help with the BIOS unlock later, so thanks.
So, let's unlock your BIOS now! Please send me a package of images of your BIOS, showing at least one of each main page (Main, Advanced, Boot, Save & Exit, etc.)

OK, here are the images and the backup of the BIOS currently in use.
https://drive.google.com/drive/folders/1…cbY?usp=sharing

@SamLam140330 - please put all that into a 7-Zip archive with max compression, especially if you do not want to resave all those BMPs as JPGs. Sorry I didn't notice that earlier and ask you then.

OK, this has been zipped with max compression and changed to JPG.
https://drive.google.com/file/d/1ybLJfm1…iew?usp=sharing

@SamLam140330 - here you go, if any new menus are empty let me know. FPTw.exe -bios -f bkbios2M.bin
http://www.filedropper.com/bkbios2m

Thank you so much. It is amazing. Could you please teach me how to do it, if you have time, so that I can unlock the BIOS by myself for future updates?

You’re welcome! This one is an easy BIOS to unhide things in: only use AMIBCP 5.02.0023 or 5.02.0031, then set “Access Level” to Supervisor for this system for anything hidden that you want to make visible, at the root level first; then check in the BIOS and see if all the inside contents are visible, and if not, do the same for any missing contents inside.
I noticed I made one mistake: in your Advanced section, can you see the ACPI Settings submenu? I accidentally set it to User instead of Supervisor; often we set User and it's OK, but sometimes it must be Supervisor or nothing shows up.

Never flash a stock BIOS via FPT; always flash the stock update via the normal method, then dump the BIOS region with FPT, modify that, and reflash it.

OK, got it, thank you for helping and teaching me. It is toilsome. As for the ACPI setting, yes, I can see the setting in the BIOS.

You’re welcome! And good you can see the ACPI submenu in the Advanced section; that means you can set either User or Supervisor to make things visible in your BIOS, then.