DELL OptiPlex 755 - fixing management engine

We have a couple of hundreds DELL OptiPlex 755 machines and ME died on some of them. The symptoms are:
1. BIOS hangs with diagnostic LEDs 1,2,3 before boot or continues to boot after a minute (latest BIOS A22). Can be worked-around by closing SERVICE MODE jumper. (Light ME corruption)
2. System turns off instead of reboot, makes upgrading BIOS impossible.
3. DIMM_1 and DIMM_3 slots not working (stops with diagnostic LEDs 3,4 when a DIMM is inserted in these slots). Closing SERVICE mode jumper allows the slots to work but system turns off instead of reboot and hangs instead of shutting down. (Heavy ME corruption).

This great forum allowed me to develop a fix:
1. Close SERVICE MODE jumper.
2. Boot Linux, dump BIOS (fprog in DOS did not work for me):

1
 
flashrom -p internal:laptop=this_is_not_a_laptop -r bios.bin
 

3. Replace the ME region in BIOS - either using Flash Image Tool (ftoolc) from Intel ME System Tools v3 (can be run in Wine) or simply using a script:
1
2
3
4
 
#!/bin/sh
dd if="$1" of="$1".part1 bs=45056 count=1 || exit 1
dd if="$1" of="$1".part3 bs=3145728 skip=1 || exit 1
cat "$1".part1 3.2.20.1049_AMT_PRD_RGN.bin padding.bin "$1".part3 >"$1".fixed || exit 1
 

where 3.2.20.1049_AMT_PRD_RGN.bin comes from Intel ME 3 Firmware Repository Pack r5 and padding.bin is 1302528B file filled with 0xFF bytes.
4. Flash the modified BIOS:
1
 
flashrom -p internal:laptop=this_is_not_a_laptop -w bios.bin.fixed
 

5. Turn off, remove SERVICE MODE jumper, remove CMOS battery, turn on, press F1 to reset ME
6. Turn off, close SERVICE MODE jumper, reboot in DOS, run:
1
2
3
4
5
6
 
faupd -u -n:MngMode -v:0x01
faupd -u -n:DefPowerPackage -v:0x05
faupd -u -n:FWUpdOverrideCounter -v:0xff
REM (MngMacAdd = HostMacAdd+1)
faupd -u -n:MngMacAdd -v:0x001122334456
faupd -u -n:QSTState -v:0x00
 

To make faupd work, it needs fprog.exe in the same directory. fprog.exe needs fparts.txt. fparts.txt in Intel ME System Tools v3 r1 contains few flash chips and did not work for me. I replaced it with newer version found it Intel ME System Tools v10.0 r7.
7. Turn off, remove SERVICE MODE jumper, turn on, update BIOS to latest A22

This is a solution to all 3 failure modes described above.

One weird thing remains: meinfo shows SKU: ASF IAMT IQST after this fix. Systems that didn't fail show: SKU: ASF IAMT. Is there a method to remove IQST?

Great work doing proper research and figuring out how to use legacy ME 3 tools. Your effort is much appreciated.

Did you use the RGN firmware as it is? If yes, that’s the issue. First, replace it as it is at the new/repaired SPI image (spi_rgn.bin). The region starts at 0xB000 and has a size of 0x23F000 so you’ll need to add 0x88000 to the RGN firmware before the replacement. Then you need to configure it via iAMTNVM. To do that, extract the current configuration from the old SPI image (spi_old.bin) via “-parse spi_old.bin -out config.txt” and then re-configure the new/repaired SPI image via “-edit spi_rgn.bin config.txt -out spi_final.bin”.

Yes, I used unmodified RGN file. I was trying to find some tools but haven’t found iAMTNVM. Tried “faupd -e -o:file.ini” on a working system but the resulting file did not contain any values from ME - only HostMacAdd from Gbe.

Didn’t you use the ME System Tools v3 from Secton C of Intel Management Engine: Drivers, Firmware & System Tools ?

Oops, I used that but somehow missed AMTNVM completely.
The ME region in original BIOS (case #3 - heavy damage) is really corrupt:

1
2
3
4
5
 
wine AMTNVM.exe -parse bios.bin -out amt.txt
Copyright(c) 2006, Intel Corporation. All rights reserved. 2004-2007
Allenville API Error: \ccViews\autobuild1_BR-0706-1365_3.0_Snapshot\AMT_Development\Sw\Src\Apps\iAMT\Amtnvm\Common\Image.cpp <600> status=14
 
An unknown error has occurred.
 


It works with BIOS from a working system:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
Manageability Mode = 1
Manageability Mode Lock = 0
Local Firmware Update Enabled = 1
Local FWU Override Counter = -1
Local FWU Override Qualifier = 0
Flash Descriptor Override Pin-Strap Ignore = 0
iQST Enabled = 0
iQST Lock = 1
Configuration Server Port = 0
Configuration Server Name =
Configuration Server IP = 0.0.0.0
AMT Host Name =
AMT Domain Name =
DHCP Enabled = 1
AMT Ping Response Enabled = 1
AMT Static IP Address = 0.0.0.0
AMT Static IP Subnet Mask = 0.0.0.0
AMT Static IP Default Gateway Address = 0.0.0.0
AMT Static IP Primary DNS Address = 0.0.0.0
AMT Static IP Secondary DNS Address = 0.0.0.0
AMT Dedicated MAC Address = 11-22-33-44-55-67
VLAN = 0
PET Language Code = 0xff
PET OEM Custom Fields 00-15 = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PET OEM Custom Fields 16-31 = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PET OEM Custom Fields 32-47 = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PET OEM Custom Fields 48-63 = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PET OEM Custom Fields Length = 0
PET Community String = public
MEManuf Test Counter = 0
IDER Boot Capable = 1
SOL Boot Capable = 1
BIOS Reflash Capable = 0
Boot into BIOS Setup Capable = 1
Pause during BIOS Boot Capable = 0
HostIf SOL Enabled = 1
HostIf IDER Enabled = 1
Idle timeout - Manageability Engine = 1
ME Visual LED Indicator Enabled = 0
LAN Power Well = 2
Power Package 1 Supported (Desktop: ON in S0) = 1
Power Package 2 Supported (Desktop: ON in S0, S3) = 1
Power Package 3 Supported (Desktop: ON in S0, S3, S4-5) = 1
Power Package 4 Supported (Desktop: ON in S0, ME WoL in S3) = 1
Power Package 5 Supported (Desktop: ON in S0, ME WoL in S3, S4-5) = 1
Power Package 6 Supported (Desktop: ON in S0, S3, S4-5, OFF After Power Loss) = 1
Power Package 7 Supported (Desktop: ON in S0, ME WoL in S3, S4-5, OFF After Power Loss) = 1
Default Power Package = 5
AMT Legacy Provisioning Mode Supported = 0
AMT VLAN Local Configuration Blocked = 0
iQST Supported = 0
ASF Supported = 1
AMT Supported = 1
 
Provisioning Time Period = 0
 

Yes you can use the configuration from another system of the same model because it does look like the current firmware is too corrupt. You’ll only need to adjust the MAC address or anything else that might be system specific. You can check the AMTNVM_editable_fields document which explains everything in detail.

Thanks. Used AMTNVM to edit the fixed BIOS using the parsed parameters above but it didn’t work:

1
2
 
Invalid Parameter File Error:
The given parameter file is missing parameters.
 

So parsed parameters from the fixed BIOS and appended the missing ones (everything after Provisioning Time Period = 0) to the original parameters file. Also changed AMT Dedicated MAC Address to ff-ff-ff-ff-ff-ff. Then AMTNVM worked. Opened the BIOS again in fitc to extract ME Region, truncated to original length (1798144B) and saved as 3.2.20.1049_AMT_PRD_RGN_o755.bin. This file can now be used in the script from step 3.

Step 6 is now reduced to:
1
 
faupd -u -n:MngMacAdd -v:0x001122334456
 

And it seems that this could be done without resetting ME before. So after flashing the fixed BIOS, just reboot into DOS, run the above command to set the MAC address. Then turn off, remove SERVICE MODE jumper and battery, turn on, press F1 to reset ME and it's done.

Mmm. Yesterday I spent some time to figure out what’s needed for ME 2 - 3 which require the use of iAMTNVM for the settings to be transferred outside of FTOOLC. Based on my findings and understanding, I wrote a guide for these generations at section D1 of [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization. I tested two SPI images for ME 2 and ME 3 respectively, followed the steps I told you and didn’t encounter any issue. Can you try these steps and let me know if you encounter the problem again? Maybe it happened because you used the configuration from another system which happened to have more settings altered and iAMTNVM was not smart enough at the time to merge them automatically or something.

I guess that it was caused by different ME versions or because of some DELL-specific customization. This was missing from the parsed parameter file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
 
AMT Compatibility Mode = 0
AMT Configuration Mode = 0
Remote Configuration Enabled = 0
PKI DNS Suffix =
Config Server FQDN =
 
Hash 0 Active = 1
Hash 0 Friendly Name = VeriSign Class 3 Primary CA-G1
Hash 0 Stream = 74 2C 31 92 E6 07 E4 24 EB 45 49 54 2B E1 BB C5 3E 61 74 E2
 
Hash 1 Active = 1
Hash 1 Friendly Name = VeriSign Class 3 Primary CA-G3
Hash 1 Stream = 13 2D 0D 45 53 4B 69 97 CD B2 D5 C3 39 E2 55 76 60 9B 5C C6
 
Hash 2 Active = 1
Hash 2 Friendly Name = Go Daddy Class 2 CA
Hash 2 Stream = 27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4
 
Hash 3 Active = 1
Hash 3 Friendly Name = Comodo AAA CA
Hash 3 Stream = D1 EB 23 A4 6D 17 D6 8F D9 25 64 C2 F1 F1 60 17 64 D8 E3 49
 
Hash 4 Active = 1
Hash 4 Friendly Name = Starfield Class 2 CA
Hash 4 Stream = AD 7E 1C 28 B0 64 EF 8F 60 03 40 20 14 C3 D0 E3 37 0E B5 8A
 
Hash 5 Active = 1
Hash 5 Friendly Name = VeriSign Class 3 Primary CA-G2
Hash 5 Stream = 85 37 1C A6 E5 50 14 3D CE 28 03 47 1B DE 3A 09 E8 F8 77 0F
 
Hash 6 Active = 0
Hash 6 Friendly Name =
Hash 6 Stream =
 
Hash 7 Active = 0
Hash 7 Friendly Name =
Hash 7 Stream =
 
Hash 8 Active = 0
Hash 8 Friendly Name =
Hash 8 Stream =
 
Hash 9 Active = 0
Hash 9 Friendly Name =
Hash 9 Stream =
 
Hash 10 Active = 0
Hash 10 Friendly Name =
Hash 10 Stream =
 
Hash 11 Active = 0
Hash 11 Friendly Name =
Hash 11 Stream =
 
Hash 12 Active = 0
Hash 12 Friendly Name =
Hash 12 Stream =
 
Hash 13 Active = 0
Hash 13 Friendly Name =
Hash 13 Stream =
 
Hash 14 Active = 0
Hash 14 Friendly Name =
Hash 14 Stream =
 
Hash 15 Active = 0
Hash 15 Friendly Name =
Hash 15 Stream =
 
Hash 16 Active = 0
Hash 16 Friendly Name =
Hash 16 Stream =
 
Hash 17 Active = 0
Hash 17 Friendly Name =
Hash 17 Stream =
 
Hash 18 Active = 0
Hash 18 Friendly Name =
Hash 18 Stream =
 
Hash 19 Active = 0
Hash 19 Friendly Name =
Hash 19 Stream =
 
Hash 20 Active = 0
Hash 20 Friendly Name =
Hash 20 Stream =
 
Hash 21 Active = 0
Hash 21 Friendly Name =
Hash 21 Stream =
 
Hash 22 Active = 0
Hash 22 Friendly Name =
Hash 22 Stream =
 

I see, these were never missing during my tests. They are standard settings and should be there. I merged settings from an SPI with ME 3.0.1 using 3.2.20 as the destination firmware and everything worked out fine. Anyway, I think the instructions are proper so I’ll consider this “missing parameters” issue an exception. No matter what, thank you for opening this thread as we now have a better understanding and instructions for ME 2 & 3 platforms.