[Fixed] HP Prodesk 600 G4 mini upgrade to full Intel vPro ME/AMT/KVM

Special Topics Intel Management Engine
4

Yes, NIC is i219LM so should be fine there.

Good info in that Reddit thread - I’ll look into this - thanks.

5

I finally managed to upgrade to full AMT support.

First a few notes from what I observed:
For HP Prodesk 600 G4 it does not seem to be possible to change Flash/SPI Descriptor region Master permissions, since they are restored to original values after each boot.
Also I have not found a way to boot with FDO (Flash Descriptor Override) so the only remaining option was to use flash programmer.

I have used:

CH341A programmer software I tried had issues with failing verification after reading 25% of flash’s content and also was not able to consistently read full flash dump. I assume it was not able to support W25Q256JV correctly, but NeoProgrammer had no problems.

To be on the safe side, I used powered USB hub and connected CH341A programmer to USB hub directly, since most of the motherboard will get power directly from CH341A programmer.
Also when you connect CH341A to the flash chip - power LED which is usually white will start flashing red, so do not be alarmed by it - I didn’t see any ill effect from this.

Once flashing is completed and Intel AMT is active, remote video will only be shown when there is a monitor connected to display port, otherwise the image from remote computer will be blank.
To fully support remote management without connected monitor you need to use dummy Display Port plug which emulates connected monitor.

And final warning - do not share or reuse full SPI/flash .bin files created with these instructions, since they are specific to the system in question and contain system IDs and MAC addresses.

Now for the steps:

  1. download CSME System Tools v12 r38 and read instructions from thread
    [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization
    [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization - #2 by plutomaniac

  2. Download CSME 12.0 Repository r33 (linked from the thread)
    Intel (CS)ME, (CS)TXE, (CS)SPS, GSC, PMC, PCHC, PHY & OROM Firmware Repositories - Intel Management Engine - Win-Raid Forum

  3. Identifiy needed “Unconfigured” Management Engine .bin file.
    In my case I used:
    12.0.81.1753_COR_H_BA_PRD_EXTR-Y.bin

  4. Open ME .bin file with ME Analyzer and check that “File System State” is Unconfigured.

  5. From Prodesk computer, use FPT Flash Programming Tool to dump full SPI/flash image and save it somewhere safe in case you need to restore it.
    CSME System Tools v12 r38\Flash Programming Tool\WIN64>FPTW64.exe -d fulldump.bin

  6. Start Flash Image Tool (fit.exe) and open dumped fulldump.bin file
    Change these settings for AMT support:
    Intel(R) AMT → Intel(R) AMT Parameter Configuration → Intel(R) AMT Supported = YES
    Intel(R) AMT → KVM Configuration → Firmware KVM Screen Blanking = YES
    Intel(R) AMT → KVM Configuration → KVM Redirection supported = YES

    image
    image1207×568 46.9 KB

  7. Save this new configuration as .xml file and close Intel Flash Tool

  8. In the directory where fit.exe is locate there should now be a sub-directory “Decomp” containing “ME Sub Partition.bin” file.
    CSME System Tools v12 r38\Flash Image Tool\WIN32\fulldump\Decomp\ME Sub Partition.bin

This file needs to be replaced/overwritten with the appropriate Unconfigured ME .bin file which is renamed to “ME Sub Partition.bin”

  1. Open FIT tool again and loaded previously saved .xml file

  2. Build new .bin image: Build → Build Image

You will be prompted for:

"Boot Guard Profile Configuration " is set to “Boot Guard Profile 0 - No_FVME”.
The Boot Guard feature will be disabled on the platform.

Select Yes to continue

Are you sure you want to set “Intel(R) PTT Supported [FPF]” to “No”?
This will cause Intel (R) PTT to be disabled permanently in HW.

Select Yes to continue

You will get “outimage.bin” file created - this is the .bin image that needs to be flashed on the chip using programmer.

  1. open “outimage.bin” with MEAnalyzer and check that “File System State” is shown as Configured now.

  2. Power down and disconnect all cables from Prodesk computer. Press and hold power button for 5 seconds to clear all resident electrical charge.
    Open the computer and connect flash programmer onto Winbond flash chip (it is located below SATA hard disk cage so remove it first).
    Make sure to connect pins correctly to avoid damaging the system board.

image
image1244×919 137 KB

image

  1. If not done before install CH341A drivers on Windows

  2. Start NeoProgrammer and connect programmer to computer USB port. Prodesk power button should now flash red from time to time.
    Press Detect in NeoProgrammer - and from the selected list of possible flash chips select W25Q256JV [3.3V]
    Open “outimage.bin” file.

Select operations in NeoProgrammer in the following order:

  • Erase IC
  • Write IC
  • Verify IC
    (this takes around 15 minutes)

image
image872×814 51.3 KB

Once Verification completes with Success programming is done.
Disconnect programmer from the flash chip

  1. Before booting Prodesk clear CMOS. If you do not do this it might not boot properly.
    Hold for 5 seconds CMOS reset button (it’s a small white button between C-type USB and USB A-type connectors on the front of the system board)

  2. Boot computer, enter BIOS and change settings as required (e.g. increase boot time wait to 5 or 10 seconds)

  3. In Windows go to “Flash Programming Tool” directory and issue ME reset command
    fptw64.exe -greset

Computer will reboot now

  1. Select in the boot menu (press ESC key during boot) option to enter ME Setup.
    Here you should finally see that Intel AMT is now enabled.
    Configure Intel AMT as needed and enable AMT networking and you’re done.

Feel free to update HP BIOS to the latest available version after this and AMT should continue to work as expected.

2 Likes
6

Hi,

Your guide is quite detailed :+1:

I am thinking about enabling AMT (advanced) on HP ProDesk 600 G5 tower.

I have all the required hardware aforementioned by you.

Could you provide a schematic of which pins on the programmer to be connected to which pins on the flash chip?
I could check the model of the flash chip

7

It depends on the exact chip that you have.

In my case the chip was a SOIC 16 pin, and the programmer has 8 slot socket for SPI (the other 8 slots are for I2C EEPROM).

So try to find datasheet instructions for the exact SPI chip you have and in it there should be pinouts for different pin configurations.
In case your chip is 16 pin and you need to connect it to an 8 pin/slot programmer, compare pin descriptions in the datasheet of the 8-pin chip part with the 16-pin chip part that you have, then identify the same chip pins by name between 8-pin and 16-pin version to figure out what to connect. (16-pin version usually has a bunch od NC marked pins - meaning No Connection - ignore those).

CH341A USB programmer should have chip orientation drawings on it (bottom side) so you should be able to figure out which pin needs to connect to which programmer socket.

1 Like
8

Thank you for the comprehensive answer.

Please find the photo of the bios chip attached.

Is the highlighted part of micro clamp conductive on the photo attached?

bios
bios1779×2325 346 KB

micro_clamp

9

It should not be, otherwise it would short-circuit when it grips nearby pins.
Only the protruding part (which retracts and grabs chip pins) is.
If you have a multi-meter handy you can test them for conductivity.

1 Like
10

Which SPI pins need to be linked?

11

Imagine your chip is an 8-pin variant and not 16-pin.
Find relevant chip datasheet on the internet and compare PIN descriptions between 8-pin and 16-pin versions. Since 16-pin version does not fit into 8pin SPI part of the programmer you need to use the clamps to connect identically named pins on the 16-pin chip and the 8-pin programmer slots. Small dot on the chip and on the programmer marks pin number 1.
For example look at this schematic, pins that need to be connected are marked in yellow:

image
image660×758 34.8 KB

1 Like
12

@dpcwr

Thank you for this write up! :slight_smile:

I’m attempting to do this on a ProDesk 600 G5 SFF. I have the latest ME version 12.0.95 Build 2489 on the machine. The repository doesn’t have anything this current.

Do I try to downgrade my ME firmware? Can I use something older like the file you used? What do you suggest?

13

I have not tried to downgrade ME since I didn’t have newer ME on the computer, but I think you might be ok if you use closest version available.
As long as you make full SPI backup before starting you should be able to program it back and go back to beginning state.
Last step I did was to use official HP BIOS upgrade with the latest available BIOS from HP and it upgraded ME to the latest version.
If you are already at the latest available BIOS you could try to run HP BIOS upgrade again to upgrade ME once full AMT is working.

14

First post here links to a repo with only latest versions:

15

Ok, I guess its worth a shot trying to flash the latest version in the repo as long as I have a good back up of what is currently on the chip…

One other question I’m not clear on. In the repo, there are 4 files for each version. Why did you pick xxx_COR_H_BA_PRD_EXTR-Y.bin as opposed to the other three?

Edit: I see the extension is correlated to chipset… Still reading to see if I can figure it out…

16

@dpcwr

I ran into some issues after flashing my chip… Luckily, I made a backup with the programmer…

I used the latest unconfigured .bin file from the repository… My ProDesk 600 G5 is on ME 12.0.95 Build 2489 as mentioned above. I used 12.0.90.2072_COR_H_BA_PRD_EXTR-Y.bin and followed the instructions.

Everything seemed to go perfectly until I booted up for the first time. The machine detected bios corruption and completed an automatic repair, bringing me back up to 12.0.95.

Although it reset ME, it did not add full AMT as I suspect it wrote over it with the recovery.

I went into the bios and found a section on bios protection… I changed it to manual and tried the process again.

IMG_2316
IMG_23161920×1440 160 KB

This time, after completing the flash and putting everything back together, when I powered on the machine, I got error beeps and no post. Two long ones and three short ones…

I went back and tried the process with the file you used… Same thing… no post and the same beeps…

I finally flashed the original .bin back to the chip and was able to recover…

So, I’m guessing I either need to find a newer unconfigured file or find some way to roll back my ME firmware, although I’ve read that doesn’t seem to be a possibility…

Any idea on bios settings you might have used? Should I try to roll back my bios?

@sencha , you have the same machine and bios chip as me. Did you get it to work?

17

@superdupe Not yet, do you have a schematic such as which pins on ch340a to which pins on the eeprom chip to connect to? @dpcwr provided a schematic for SPI pins on the eeprom chip, but I am not sure to which ones on ch340a these correspond.
Should be easy enough to find out, I just didn’t look into it yet.

18

Which part of my earlier post didn’t you understand?

Look into the first post of this thread, there’s a link to repository with the latest ME versions, including 5 ME 12.0.95…

But that won’t help you, these are most probably HPs anti tampering measures. There’s (probably) another chip on the board which has copies of the firmware for automatic recovery. In addition they might have stored some checksums and hashes in the TPM. You might check for measured boot and verified boot with MEInfo.
If this is a fTPM you can reset this information by re-initializing the ME, but those machines usually have a dTPM.

So you’d have to know how these systems get initialized, where the reduntant parts are stored, how to modify them and how to sell this information to the TPM…

19

I used the image dpcwr attached above, but also looked it up online to make sure it was the same…

Just pretend your programmer is the 8 pin version at the bottom and the top is the 16 pin chip on your board. Connect the leads to the same corresponding connection type. For example, VCC is pin 8 on the programmer. Connect it to VCC pin 2 on the board.

The next problem I ran into was NeoProgrammer doesn’t have our chip in it. So I had to add it via instructions I found here…

I’m attaching the xml I used to do the import.

When you hit the “detect” button, if its connected correctly, it will find the chip based on the import function you just did above. Ours is GD25B256D.

At first I couldn’t get it to read the chip, but found I had the numbers reversed on my programmer… Make sure you know where pin 1-8 are and then connect accordingly.
Import GD25B256D Chip.zip (6.5 KB)

20

Thank you. Sorry, I will look again. I must have missed it because I couldn’t find the 12.0.95.

But that won’t help you, these are most probably HPs anti tampering measures. There’s (probably) another chip on the board which has copies of the firmware for automatic recovery.

That’s why I was hoping @dpcwr could tell me the bios settings he had on his machine. They re basically the same except his is the micro version and mine is the SFF. He was able to get it done just a few months ago, so I’m guessing there is a way.

If I can find the current ME firmware, I’ll give that a shot next. :slight_smile:

Again, I appreciate your help…

21

I believe I picked COR_H version due to having Firmware SKU = Corporate H displayed when running my dumped firmware through ME Analyzer as explained in this post:

Also note that my machine was Prodesk 600 G4 mini, not G5 so there are probably some additional differences to be considered in your case.
I also think that my BIOS had settings for Data Recovery set to something other than Automatic, but I’m not 100% sure on that.
In any case it does appear you managed to load a new firmware but failed to boot due to some other issue. Search online for HP Prodesk 600 G5 SFF Service Manual - see if beeps are explained there.
Or perhaps @lfb6 is onto something here and HP changed BIOS anti tampering protections in G5+ variants in which case I’m not sure how to proceed at this time.

22

Thanks for the info! I’m going to try a few more things later today. First, I was able to find the newest firmware… Not sure why I couldn’t before… But I totally overlooked it.

I’ll also mess with the data recovery settings… I have a few of these including a G4, although they are all SFF not mini’s… I may play with the G4 also, as that one is not in service and it won’t matter if I brick it.

In any event, this has been a fun project and I’m not giving up! I have other HP machines that have full AMT natively running so I was hoping to get these SFF’s doing it also. :slight_smile:

23

Ok, to further add to this project, I found the following. Upon opening up my other Prodesk 600’s, a mixture of both G4 and G5’s, I found three different BIOS chips. One of my G5’s has the same BIOS chip at the OP of this thread @dpcwr. Its a Winbond 25Q256JVFQ.

Yesterday as I was exploring how to add my particular chip to NeoProgrammer, I opened my programmer dumped full bios file with UEFITool. In that report, I found something that indicates they use three different chips for these computers. That is now consistent with my findings in the different computers I have.

Here is what the BIOS dump said:

Flash chips in VSCC table:

C22019 (Macronix MX25L256)

EF4019 (Winbond W25Q256)

C84019 (GigaDevice GD25x256C)

I’m continuing to try to make it work on my machines… :slight_smile: