Enable Intel vPro\AMT Xeon E-2276ML and CM246

smosia · September 21, 2024, 1:29pm

Hello.
Looks like I’ve stuck in enabling vPro technology on my motherboard.

I have motherboard with Xeon E-2276ML CPU, CM246 chipset and i219LM ethernet controller.
All of them has vPro support.

I’ve tried to modify the bios with clean ME region with guide - nothing changed.

Motherboard boots, but Ctrl+P keys do nothing.
Intel AMT support is enabled in Flash Image Tool.
What am I doing wrong?

Some notes:

Strange behavior of FIT - it detects that my bios is for QM370 chipset, not CM246.
I have not touched this setting and everything works.
Looks like my motherboard platform type is Mobile (check MEInfo), while there is a note in FIT that AMT support applies to Desktom and Workstation platforms.

fit1888×347 34.4 KB

What can I do to enable intel AMT on my board?

MEInfo output of modded bios:

Intel (R) MEInfo Version: 12.0.90.2077
Copyright (C) 2005 - 2022, Intel Corporation. All rights reserved.

General FW Information
                                               
    Platform Type                              Mobile
    FW Type                                    Production
    Last ME Reset Reason                       Unknown
    BIOS boot State                            Post Boot
    Slot 1 Board Manufacturer                  0x00000000
    Slot 2 System Assembler                    0x00000000
    Slot 3 Reserved                            0x00000000
    Capability Licensing Service               Enabled
    Local FWUpdate                             Enabled
    OEM ID                                     00000000-0000-0000-0000-000000000000
    Integrated Sensor Hub Initial Power State  Disabled
    Intel(R) PTT Supported                     Yes
    Intel(R) PTT initial power-up state        Disabled
    OEM Tag                                    0x00
    TLS                                        Disabled
                                               
Intel(R) ME code versions:                     
    BIOS Version                               R112
    Vendor ID                                  8086
    FW Version                                 12.0.47.1524 H Consumer
                                               
IUPs Information                               
    PMC FW Version                             300.2.11.1021
    OEM FW Version                             0.0.0.0000
                                               
PCH Information                                
    PCH Version                                0
    PCH Device ID                              A30E
    PCH Step Data                              A0
    PCH SKU Type                               Production PRQ Revenue
    PCH Replacement State                      Disabled
    PCH Replacement Counter                    0
    PCH Unlocked State                         Disabled
                                               
Flash Information                              
    SPI Flash ID 1                             Not Available
    SPI Flash ID 2                             Not Available
    Host Read Access to ME                     Not Available
    Host Write Access to ME                    Not Available
    Host Read Access to EC                     Not Available
    Host Write Access to EC                    Not Available
                                               
FW Capabilities                                0x31101140
    Protect Audio Video Path - PRESENT/ENABLED
    Intel(R) Dynamic Application Loader - PRESENT/ENABLED
    Intel(R) Platform Trust Technology - PRESENT/DISABLED
                                               
End Of Manufacturing                           
    Post Manufacturing NVAR Config Enabled     Yes
    HW Binding                                 Enabled
    End of Manufacturing Enable                No
                                               
Intel(R) Protected Audio Video Path            
    Keybox                                     Not Provisioned
    Attestation KeyBox                         Not Available
    EPID Group ID                              0x28F9
    Re-key needed                              False
    PAVP Supported                             Yes
                                               
Security Version Numbers                       
    Minimum Allowed Anti Rollback SVN          1
    Image Anti Rollback SVN                    6
    Trusted Computing Base SVN                 1
                                               
FW Supported FPFs                              
                                               FPF         UEP         ME FW
                                                         *In Use
                                               ---         ---         -----
Enforcement Policy                             Not set     0x00        0x00        
EK Revoke State                                Not set     Not Revoked Not Revoked 
PTT                                            Not set     Enabled     Enabled     
OEM ID                                         Not set     0x00        0x00        
OEM Key Manifest Present                       Not set     Present     Present     
OEM Platform ID                                Not set     0x00        0x00        
OEM Secure Boot Policy                         Not set     0x40        0x40        
CPU Debugging                                  Not set     Enabled     Enabled     
BSP Initialization                             Not set     Enabled     Enabled     
Protect BIOS Environment                       Not set     Disabled    Disabled    
Measured Boot                                  Not set     Disabled    Disabled    
Verified Boot                                  Not set     Disabled    Disabled    
Key Manifest ID                                Not set     0x01        0x01        
Persistent PRTC Backup Power                   Not set     Disabled    Disabled    
RPMB Migration Done                            Not set     Disabled    Disabled    
SOC Config Lock                                Not set     Not Done    Not Done    
SPI Boot Source                                Not set     Enabled     Enabled     
TXT Supported                                  Not set     Disabled    Disabled    

ACM SVN FPF                                    Not set
BSMM SVN FPF                                   Not set
KM SVN FPF                                     Not set
OEM Public Key Hash FPF                        Not set
OEM Public Key Hash UEP                      4906357EEEB04DCB0825D3F266EC5AEE49B1D36016CA84AFCEAB95BAXXXXXXXX
OEM Public Key Hash ME FW                    4906357EEEB04DCB0825D3F266EC5AEE49B1D36016CA84AFCEAB95BAXXXXXXXX
PTT Lockout Override Counter FPF               Not set

lfb6 · September 21, 2024, 4:54pm

Post a link to or attach the modded bios.

smosia · September 23, 2024, 12:48pm

Thank you for an answer.

Here is my modded bios with clean ME Region:
R112_ME.zip (7.5 MB)

Also checked it in UEFI-Editor.
Looks like I need to Enable AMT in Bios first. Only then will it be possible to enter MEBx setup.

I tried changing the Access Level for Mabageability Features State and AMT BIOS Features to 05. But that didn’t work either.
These settings appears in Bios, but are reset back to Disable after reboot.

It seems that some conditions in the “Suppress If” field are required.
But I cannot find which ones…

Updated.
Here is my setup sector converted with ifrextractor.
Section_PE32_image_Setup_Setup.sct.0.0.en-US.ifr.zip (288.4 KB)

It looks like I need to understand what these variables means:
EqIdVal QuestionId: 0x1BC, Value: 0x0
EqIdVal QuestionId: 0xEAA, Value: 0x4

Only after executing them AMT in bios will be available.

0x3304B: 		SuppressIf  { 0A 82 }
0x3304D: 			EqIdVal QuestionId: 0x1BC, Value: 0x0 { 12 06 BC 01 00 00 }
0x33053: 			SuppressIf  { 0A 82 }
0x33055: 				EqIdVal QuestionId: 0xEAA, Value: 0x4 { 12 86 AA 0E 04 00 }
0x3305B: 					Not  { 17 02 }
0x3305D: 					EqIdVal QuestionId: 0xEB0, Value: 0x0 { 12 06 B0 0E 00 00 }
0x33063: 					Not  { 17 02 }
0x33065: 					Or  { 16 02 }
0x33067: 				End  { 29 02 }
0x33069: 				GrayOutIf  { 19 82 }
0x3306B: 					EqIdVal QuestionId: 0xEAF, Value: 0x1 { 12 86 AF 0E 01 00 }
0x33071: 						EqIdVal QuestionId: 0xEAE, Value: 0x0 { 12 06 AE 0E 00 00 }
0x33077: 						Or  { 16 02 }
0x33079: 					End  { 29 02 }
0x3307B: 					GrayOutIf  { 19 82 }
0x3307D: 						EqIdVal QuestionId: 0xE9A, Value: 0x1 { 12 06 9A 0E 01 00 }
0x33083: 						OneOf Prompt: "Manageability Features State", Help: "Enable/Disable Intel(R) Manageability features.
NOTE: This option disables/enables Manageability Features support in FW. To disable support platform must be in an unprovisioned state first.", QuestionFlags: 0x14, QuestionId: 0x276E, VarStoreId: 0x14, VarOffset: 0x0, Flags: 0x10, Size: 8, Min: 0x0, Max: 0x1, Step: 0x0 { 05 91 30 11 31 11 6E 27 14 00 00 00 14 10 00 01 00 }
0x33094: 							OneOfOption Option: "Disabled" Value: 0 { 09 07 04 00 00 00 00 }
0x3309B: 							OneOfOption Option: "Enabled" Value: 1, Default { 09 07 03 00 10 00 01 }
0x330A2: 						End  { 29 02 }
0x330A4: 					End  { 29 02 }
0x330A6: 					SuppressIf  { 0A 82 }
0x330A8: 						EqIdVal QuestionId: 0x276E, Value: 0x0 { 12 06 6E 27 00 00 }
0x330AE: 						GrayOutIf  { 19 82 }
0x330B0: 							EqIdVal QuestionId: 0xE9A, Value: 0x1 { 12 06 9A 0E 01 00 }
0x330B6: 							OneOf Prompt: "AMT BIOS Features", Help: "When disabled AMT BIOS Features are no longer supported and user is no longer able to access MEBx Setup.
NOTE: This option does not disable Manageability Features in FW.", QuestionFlags: 0x10, QuestionId: 0x1BD, VarStoreId: 0x1, VarOffset: 0x90D, Flags: 0x10, Size: 8, Min: 0x0, Max: 0x1, Step: 0x0 { 05 91 32 11 33 11 BD 01 01 00 0D 09 10 10 00 01 00 }
0x330C7: 								OneOfOption Option: "Disabled" Value: 0 { 09 07 04 00 00 00 00 }
0x330CE: 								OneOfOption Option: "Enabled" Value: 1, Default { 09 07 03 00 10 00 01 }
0x330D5: 							End  { 29 02 }
0x330D7: 						End  { 29 02 }
0x330D9: 					End  { 29 02 }
0x330DB: 				End  { 29 02 }
0x330DD: 			End  { 29 02 }

lfb6 · September 23, 2024, 2:01pm

OK, dump would be correctly configured.

Then there’s the question if the image is properly flashed - how did you do that?

MEInfo should read something like this for a fully AMT capable system (PTT depending on hardware):

FW Capabilities 0x7DF6D147
Intel(R) Active Management Technology - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
(Intel(R) Platform Trust Technology - PRESENT/DISABLED)
Service Advertisement & Discovery - PRESENT/ENABLED
Persistent RTC and Memory - PRESENT/ENABLED

So even if AMT was diabled it should be mentioned here as PRESENT/DISABLED. In addition TLS in MEInfo is disabled, but your attached fw has it enabled.

=> I assume you didn’t flash the ME region properly. Try to dump it with FPT (for Windows fptw64 -d spi.bin) and open the dump in FIT again, save the config to an XML file and compare to the config of the file you configured and attached.

In addition ths ME firmware is still in manufacturing mode, a little unclear to me if AMT would work in this state.