FS Esprimo 5730 AMT upgrade - SOLVED !

Special Topics Intel Management Engine
1

Hello,

I have 2 old PCs Fujitsu Siemens Esprimo E5730 both with the same latest BIOS version but with different AMT version; I did not found on Fujitsu Siemens drivers/support site anything that can help me to upgrade AMT.

I try to upgrade the oldest AMT to latest version without success until now:
- AMT unprovisioned/provisioned
- TPM cleared - disable/enabled
- from DOS
- from win 8.1 x64


If anybody can provide some help.
thank you

MEInfo from win 8.1 x64
Latest AMT 5.2.70.1046:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
 

Intel(R) MEInfo Version:         5.0.0.1167
PMXUtil: Error during PMX Call: sseidrvdll32e.dll!IDRVInstallDriver(): Failed to start loaded service err: 1275 
 
Reading Fw Status Register....
PMXUtil: Error during PMX Call: sseidrvdll32e.dll!IDRVInstallDriver(): Failed to start loaded service err: 1275 
...
PMXUtil: Error during PMX Call: sseidrvdll32e.dll!IDRVInit(): Failed VerAddVersion() call 
FW Status Register: 0X00000000
 
BIOS Version:		     6.00 R1.19.2824.A1              
Intel(R) Standard Manageability code versions:
  Flash:               5.2.70  Netstack:            5.2.70
  Apps:                5.2.70  Intel(R) Standard Manageability: 5.2.70
  FW Capabilities:     62
                       ASF2
                       Intel(R) AMT
                       Intel(R) Standard Manageability
                       Intel(R) QST
                       Intel(R) TPM
                       
  VendorID:            8086
  Build Number:        1046  
 
Manageability Mode: 			 Intel(R) Standard Manageability
UNS Version:				 5.0.5.1018
LMS Version:				 5.2.0.1018
MEI Driver version:			 5.2.0.1008
Link status:				 Link down
Cryptography fuse:			 Enabled
Flash protection:			 Enabled
Last ME reset reason:			 Global system reset
Configuration state:			 Completed
BIOS boot State:		 	 Post Boot
MAC Address:				 00-19-39-4d-0d-a1
FWU Override Counter:			 Always
FWU Override Qualifier:			 Always
IP Address:				 0.0.0.0
MEBx Version:				 5.0.5.8
FT Version:				 5.2
FT Build Number:			 1046
Local FWUpdate:				 Enabled
Secure FWUpdate:			 Disabled
Remote Connectivity Service Capability:	 False
Configuration Mode:	 Small Business
 
TPM Vendor ID:			 INTC
TPM SPEC Version:		 1.2.5.2
TPM FW Version:			 5.2
TPM Firmware Build Number:	 1046
TPM State:			 Operational
TPM Operational Mode:		 Enabled Owned Active 
iTPM - FIPS 140-2:		 False
iTPM - Failed Attempts Threshold:61440
iTPM - Initial lockout period:   526
iTPM - Lockout multiplier:       4096
iTPM - Fade-out period:          0
iTPM - Physical presence life time lock flag:	    False
iTPM - Physical presence command enabled flag:	    True
iTPM - Physical presence HW enabled flag:	    False
TPM fuses (MCH/ICH/soft strap MCH/ soft strap ICH): Enabled
FW behavior on Flash Descriptor Override Pin-Strap: Halt
 

Oldest AMT 5.0.1.1111 the one I try to upgrade:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
 

Intel(R) MEInfo Version:         5.0.0.1167
PMXUtil: Error during PMX Call: sseidrvdll32e.dll!IDRVInstallDriver(): Failed to start loaded service err: 1275 
 
Reading Fw Status Register....
PMXUtil: Error during PMX Call: sseidrvdll32e.dll!IDRVInstallDriver(): Failed to start loaded service err: 1275 
...
PMXUtil: Error during PMX Call: sseidrvdll32e.dll!IDRVInit(): Failed VerAddVersion() call 
FW Status Register: 0X00000000
 
BIOS Version:		     6.00 R1.19.2824.A1              
Intel(R) Standard Manageability code versions:
  Flash:               5.0.1  Netstack:            5.0.1
  Apps:                5.0.1  Intel(R) Standard Manageability: 5.0.1
  FW Capabilities:     62
                       ASF2
                       Intel(R) AMT
                       Intel(R) Standard Manageability
                       Intel(R) QST
                       Intel(R) TPM
                       
  VendorID:            8086
  Build Number:        1111  
 
Manageability Mode: 			 Intel(R) Standard Manageability
UNS Version:				 5.0.5.1018
LMS Version:				 5.2.0.1018
MEI Driver version:			 5.2.0.1008
Link status:				 Link down
Cryptography fuse:			 Enabled
Flash protection:			 Enabled
Last ME reset reason:			 Power up
Configuration state:			 Completed
BIOS boot State:		 	 Post Boot
MAC Address:				 00-19-39-47-bb-dd
FWU Override Counter:			 Always
FWU Override Qualifier:			 Always
IP Address:				 0.0.0.0
MEBx Version:				 5.0.5.8
FT Version:				 5.0
FT Build Number:			 1111
Local FWUpdate:				 Enabled
Secure FWUpdate:			 Disabled
Remote Connectivity Service Capability:	 False
Configuration Mode:	 Small Business
 
TPM Vendor ID:			 INTC
TPM SPEC Version:		 1.2.5.0
TPM FW Version:			 5.0
TPM Firmware Build Number:	 1111
TPM State:			 Operational
TPM Operational Mode:		 Enabled Owned Active 
iTPM - FIPS 140-2:		 False
iTPM - Failed Attempts Threshold:61440
iTPM - Initial lockout period:   526
iTPM - Lockout multiplier:       4096
iTPM - Fade-out period:          0
iTPM - Physical presence life time lock flag:	    False
iTPM - Physical presence command enabled flag:	    True
iTPM - Physical presence HW enabled flag:	    False
TPM fuses (MCH/ICH/soft strap MCH/ soft strap ICH): Enabled
FW behavior on Flash Descriptor Override Pin-Strap: Halt
 

Try to Flash AMT from win8.1 without success:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
 
FWUpdLcl.exe 5.2.70.1046.bin -generic -verbose
Firmware Update Utility Version 5.2.50.1042
Copyright (C) 2007-2011 , Intel Corporation.  All Rights Reserved
 

Trying to connect to MEI driver.Connected to HECI driver, version: 5.2.0.1008
 

*****   Flash Info      ******
Version                 : 5.0.1.1111
Last Update Staus       : 1
SKU                     : (2110)
                        : Intel (R) QST
                        : ASF2
                        : Intel (R) AMT
                        : Intel Standard Manageability
                        : Intel (R) TPM
EnabledUpdateInterfaces : 5
 
*****   Image Info      ******
Version                 : 5.2.70.1046
SKU                     : (2110)
                        : Intel (R) QST
                        : ASF2
                        : Intel (R) AMT
                        : Intel Standard Manageability
                        : Intel (R) TPM
Error (8721): Firmware update through TPM is enabled. Use -tpm switch
 


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
 
FWUpdLcl.exe 5.2.70.1046.bin -tpm -verbose
Firmware Update Utility Version 5.2.50.1042
Copyright (C) 2007-2011 , Intel Corporation.  All Rights Reserved
 

Trying to connect to MEI driver.Connected to HECI driver, version: 5.2.0.1008
 

*****   Flash Info      ******
Version                 : 5.0.1.1111
Last Update Staus       : 1
SKU                     : (2110)
                        : Intel (R) QST
                        : ASF2
                        : Intel (R) AMT
                        : Intel Standard Manageability
                        : Intel (R) TPM
EnabledUpdateInterfaces : 5
 
*****   Image Info      ******
Version                 : 5.2.70.1046
SKU                     : (2110)
                        : Intel (R) QST
                        : ASF2
                        : Intel (R) AMT
                        : Intel Standard Manageability
                        : Intel (R) TPM
Communication Mode: TPM
 


MEinfo from DOS:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
 

Copyright(C) 2005-08 Intel(R) Corporation. All Rights Reserved.
Intel(R) MEInfo Version:         5.0.0.1167
 
Reading Fw Status Register....
FW Status Register: 0X3009065A
 
BIOS Version:		     6.00 R1.19.2824.A1              
Intel(R) Standard Manageability code versions:
  Flash:               5.0.1  Netstack:            5.0.1
  Apps:                5.0.1  Intel(R) Standard Manageability: 5.0.1
  FW Capabilities:     62
                       ASF2
                       Intel(R) AMT
                       Intel(R) Standard Manageability
                       Intel(R) QST
                       Intel(R) TPM
                       
  VendorID:            8086
  Build Number:        1111  
 
Manageability Mode: 			 Intel(R) Standard Manageability
Link status:				 Link down
Cryptography fuse:			 Enabled
Flash protection:			 Enabled
Last ME reset reason:			 Global system reset
Configuration state:			 Completed
BIOS boot State:		 	 Post Boot
MAC Address:				 00-19-39-47-bb-dd
FWU Override Counter:			 Always
FWU Override Qualifier:			 Always
IP Address:				 0.0.0.0
MEBx Version:				 5.0.5.8
FT Version:				 5.0
FT Build Number:			 1111
Local FWUpdate:				 Enabled
Secure FWUpdate:			 Disabled
Remote Connectivity Service Capability:	 False
Configuration Mode:	 Small Business
 
TPM Vendor ID:			 INTC
TPM SPEC Version:		 1.2.5.0
TPM FW Version:			 5.0
TPM Firmware Build Number:	 1111
TPM State:			 Operational
TPM Operational Mode:		 Enabled Owned Inactive 
iTPM - FIPS 140-2:		 False
iTPM - Failed Attempts Threshold:10
iTPM - Initial lockout period:   240
iTPM - Lockout multiplier:       2
iTPM - Fade-out period:          3600
iTPM - Physical presence life time lock flag:	    False
iTPM - Physical presence command enabled flag:	    True
iTPM - Physical presence HW enabled flag:	    False
TPM fuses (MCH/ICH/soft strap MCH/ soft strap ICH): Enabled
FW behavior on Flash Descriptor Override Pin-Strap: Halt
 


Try to Flash AMT from DOS without success:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
 
Firmware Update Utility Version 5.2.50.1042
Copyright (C) 2007-2011 , Intel Corporation.  All Rights Reserved
 

Trying to connect to MEI driver.
 
*****	Flash Info	******
Version  		: 5.0.1.1111 
Last Update Staus	: 1
SKU   			: (2110)
      			: Intel (R) QST
      			: ASF2
      			: Intel (R) AMT
      			: Intel Standard Manageability
      			: Intel (R) TPM
EnabledUpdateInterfaces	: 5
 
*****	Image Info	******
Version  		: 5.2.70.1046 
SKU   			: (2110)
      			: Intel (R) QST
      			: ASF2
      			: Intel (R) AMT
      			: Intel Standard Manageability
      			: Intel (R) TPM
Communication Mode: TPM
 
FW image is uploading through TPM.
 


EDIT by Fernando: To save space I have put the codes into "spoilers" (can be opened by clicking onto them).
2

I made another try from DOS and this time I wrote on the paper error message:



any idea ?
thank you.

3

I solved the problem !

Found a jumper labeled TPM and I removed and I was able to upgrade AMT.

First I try to upgrade to v5.2.70.1046 but failed due to integrity failure or invalid FW image ?!?!

Then I try another image and upgraded without problem to:
v5.0.2.1121 then to v5.0.3.1126
and finally the latest available: v5.2.71.1048

After a quick test I decided to upgrade also the one that had v5.2.70.1046 to v5.2.71.1048; no problems.

info with TPM jumper on:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
BIOS Version:		     6.00 R1.19.2824.A1              
Intel(R) Standard Manageability code versions:
  Flash:               5.2.71  Netstack:            5.2.71
  Apps:                5.2.71  Intel(R) Standard Manageability: 5.2.71
  FW Capabilities:     62
                       ASF2
                       Intel(R) AMT
                       Intel(R) Standard Manageability
                       Intel(R) QST
                       Intel(R) TPM
                       
  VendorID:            8086
  Build Number:        1048  
 
Manageability Mode: 			 Intel(R) Standard Manageability
UNS Version:				 5.0.5.1018
LMS Version:				 5.2.0.1018
MEI Driver version:			 5.2.0.1008
Link status:				 Link down
Cryptography fuse:			 Enabled
Flash protection:			 Enabled
Last ME reset reason:			 Global system reset
Configuration state:			 Completed
BIOS boot State:		 	 Post Boot
MAC Address:				 00-19-39-47-bb-dd
FWU Override Counter:			 Always
FWU Override Qualifier:			 Restricted
IP Address:				 0.0.0.0
MEBx Version:				 5.0.5.8
FT Version:				 5.2
FT Build Number:			 1048
Local FWUpdate:				 Enabled
Secure FWUpdate:			 Disabled
Remote Connectivity Service Capability:	 False
Configuration Mode:	 Small Business
 
TPM Vendor ID:			 INTC
TPM SPEC Version:		 1.2.5.2
TPM FW Version:			 5.2
TPM Firmware Build Number:	 1048
TPM State:			 Operational
TPM Operational Mode:		 Enabled Owned Active 
iTPM - FIPS 140-2:		 False
iTPM - Failed Attempts Threshold:61440
iTPM - Initial lockout period:   526
iTPM - Lockout multiplier:       4096
iTPM - Fade-out period:          0
iTPM - Physical presence life time lock flag:	    False
iTPM - Physical presence command enabled flag:	    True
iTPM - Physical presence HW enabled flag:	    False
TPM fuses (MCH/ICH/soft strap MCH/ soft strap ICH): Enabled
FW behavior on Flash Descriptor Override Pin-Strap: Halt
 

info with TPM jumper off:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
 
Copyright(C) 2005-08 Intel(R) Corporation. All Rights Reserved.
Intel(R) MEInfo Version:         5.0.0.1167
 
Reading Fw Status Register....
FW Status Register: 0X301C065A
 
BIOS Version:		     6.00 R1.19.2824.A1              
Intel(R) Standard Manageability code versions:
  Flash:               5.2.71  Netstack:            5.2.71
  Apps:                5.2.71  Intel(R) Standard Manageability: 5.2.71
  FW Capabilities:     62
                       ASF2
                       Intel(R) AMT
                       Intel(R) Standard Manageability
                       Intel(R) QST
                       Intel(R) TPM
                       
  VendorID:            8086
  Build Number:        1048  
 
Manageability Mode: 			 Intel(R) Standard Manageability
Link status:				 Link up
Cryptography fuse:			 Enabled
Flash protection:			 Enabled
Last ME reset reason:			 Firmware reset
Configuration state:			 Completed
BIOS boot State:		 	 Post Boot
MAC Address:				 00-19-39-4d-0d-a1
FWU Override Counter:			 Always
FWU Override Qualifier:			 Always
IP Address:				 0.0.0.0
MEBx Version:				 5.0.5.8
FT Version:				 5.2
FT Build Number:			 1048
Local FWUpdate:				 Enabled
Secure FWUpdate:			 Enabled
Remote Connectivity Service Capability:	 False
Configuration Mode:	 Small Business
 
TPM fuses (MCH/ICH/soft strap MCH/ soft strap ICH): Disabled
FW behavior on Flash Descriptor Override Pin-Strap: Halt
 




4

From what I tested until now both computer works ok; but as before the AMT upgrade I am unable to set-up CIRA.

From MEinfo I see: Remote Connectivity Service Capability: False ?!?

Anybody know if this can be fixed ?

thank you

5

I don’t even know what that is but, as said at the support forum, it should be a configuration problem at Lenovo’s side of things. Good work on managing to perform the AMT update though.

6

With CIRA you can set-up the AMT computer to detect the domain where he is ( normally home LAN ) and if it is not there then he can establish a connection with a server, MPS.
It is useful because:
- it lock AMT ports - connection to AMT can be establish only via MPS server, no chance of AMT hacking.
- it let you know where it is, and you can manage it.

With neuter FS Esprimo 5730 I’m not sure if it is possible to change AMT default Initialization data to enable CIRA, maybe this is the key ?:
Guide-How To: Clean dumped or extracted Intel Engine region images of Initialization data

something like in here:
Optiplex 7010 and VPro AMT ME

Intel Standard Manageability on Dell 7010. Is full vPro possible through Bios mod ?

Dell Optiplex 790 unlock AMT

7

I try to read flash / AMT data but it looks like fpt don’t have data for this chip and I am stuck.
Any idea ?
Thank you

1
2
3
4
5
6
7
8
9
10
11
 

Flash Programming Tool. Version 5.1.0.1167
Copyright (c) Intel Corporation. 2007-2008
 
Southbridge: ICH10
Reading file "fparts.txt" into memory...
Initializing SPI utilities
Reading HSFSTS register... Flash Descriptor: Valid
 
	--- Flash Devices Found ---
Error 405: There are no supported SPI flash devices installed. Please check connectivity and orientation of SPI flash device.
 

1
2
3
4
5
6
7
 
09/12/17-07:13:11. ***********************************************************
09/12/17-07:13:11. Flash Programming Tool. Version 09/12/17-07:13:11. 5.1.0.1167
09/12/17-07:13:11. Copyright (c) Intel Corporation. 2007-2008
09/12/17-07:13:11. ***********************************************************
09/12/17-07:13:11. Number of ICH devices supported: 29
09/12/17-07:13:11. Southbridge: 3a1a.
09/12/17-07:13:11. Error 405. Initialization of Spi utilities failed.
 


MEManuf:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
 

Copyright(C) 2005-08 Intel Corporation. All Rights Reserved.
Intel (R) MEManuf Version: 5.0.0.1167
 
Connected to FW Update client
Sent data to FWUpdate Client. Size of data sent = 4
Data recieved from FWUpdate Client. 52 bytes read
Sent data to FWUpdate Client. Size of data sent = 4
Data recieved from FWUpdate Client. 52 bytes read
Status in response is success
Connection with FWUpdate Client ended.
SKU is 2110
Manageability Mode is 1
Intel(R) Remote PC Assist Technology is disabled
 
Trying to initialize heci...Calling HeciInitAndConnect for Intel(R) AMT
PutSomeCheckForASF_NONEHere is 0
 
Reading Fw Status Register....
FW Status Register: 0X300A065A
 

Full or Graceful BIST requested...
Full BIST in FW requested by tool...
Error 8203: Status in response is not as expected
Error 9267: Intel(R) AMT Full BIST could not be performed
 
 


this is original fparts.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
 

;Description of fields:
;  1) Display name
;  2) Device ID (2 or 3 bytes)
;  3) Device Size (in bits)
;  4) Block Erase Size (in bytes - 256, 4K, 64K)
;  5) Block Erase Command
;  6) Write Granularity (1 or 64)
;  7) Enable Write Status Register Command (1- True, 0- False)
;  8) Chip Erase Command
;  9) Chip Erase Timeout (in milliseconds)
;
SST25VF020,  0xBF43,   0x200000,  0x1000,  0x20, 1,  1, 0x60, 80000
SST25VF040,  0xBF44,   0x400000,  0x1000,  0x20, 1,  0, 0x60, 80000
SST25VF080B, 0xBF8E,   0x800000,  0x1000,  0x20, 1,  0, 0x60, 80000
SST25VF080B, 0xBF258E, 0x800000,  0x1000,  0x20, 1,  0, 0x60, 80000
SST25VF080A, 0xBF80,   0x800000,  0x1000,  0x20, 1,  0, 0x60, 80000
SST25VF016B, 0xBF2541, 0x1000000, 0x1000,  0x20, 1,  0, 0x60, 80000
MX25L1605A,  0xC22015, 0x1000000, 0x1000,  0x20, 64, 0, 0x60, 80000
MX25L80005,  0xC22014, 0x800000,  0x1000,  0x20, 64, 0, 0x60, 80000
ST-M25PE80,  0x208014, 0x800000,  0x100,   0xDB, 64, 0, -1, 80000
M25PE80,     0x2080,   0x800000,  0x10000, 0xD8, 1,  0, 0xc7, 80000
AT26DF081,   0x1F4500, 0x800000,  0x1000,  0x20, 1,  0, 0x60, 80000
AT26DF081A,  0x1F4501, 0x800000,  0x1000,  0x20, 64, 0, 0x60, 80000
AT26DF161,   0x1F4600, 0x1000000, 0x1000,  0x20, 64, 0, 0x60, 80000
AT26DF321,   0x1F4700, 0x2000000, 0x1000,  0x20, 64, 0, 0x60, 80000
W25X80,	     0xEF3014, 0x800000,  0x10000, 0xD8, 64, 0, 0xc7, 80000
QB25F016S33B8, 0x898911, 0x1000000, 0x10000, 0xD8, 64, 0, 0xC7, 80000
QB25F032S33B8, 0x898912, 0x2000000, 0x10000, 0xD8, 64, 0, 0xC7, 80000
 
 
8

I made some progress:
I replaced fparts.txt with updated data and now FPT know the flash ID and can read.
I am able to dump: desc, bios, gbe, pdr but not me; for that it report that host CPU does not have read access to the target flash area and I need to modify the descriptor settings to give host access to that region. I have no idea yet how to do it.

I attached dumps I read if somebody will need it.

Do you think it is safe to try to update with fpt directly variable:
0x0006 FWUpdEnable to 1
0x2012 RCSCapability to 1

fpt -u -id 0x0006 -v 1
fpt -u -id 0x2012 -v 1

thank you

fparts.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
 
;
; These settings are not part recommendations, nor are they an 
; indication these parts are supported on Intel platforms. 
; All parts on this list have NOT been validated, and it is the 
; responsibility of the customer to validate the flash parts used
; on their platform.
;
; Flash parts may change opcodes and architectures so please refer
; to the respective flash datasheet and errata/application note and
; flash vendor to confirm.
;
;Description of fields:
;  1) Display name
;  2) Device ID (2 or 3 bytes)
;  3) Device Size (in bits)
;  4) Block Erase Size (in bytes - 256, 4K, 64K)
;  5) Block Erase Command
;  6) Write Granularity (1 or 64)
;  7) Enable Write Status Register Command (1- True, 0- False)
;  8) Chip Erase Command
;  9) Chip Erase Timeout (in milliseconds)
;
W25X80V,     0xEF3014, 0x800000,   0x1000, 0x20, 64, 0, 0xc7, 80000
W25X16BV,    0xEF3015, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25X32BV,    0xEF3016, 0x2000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25X64BV,    0xEF3017, 0x4000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q80BV,    0xEF4014, 0x800000,   0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q40BV,    0xEF4013, 0x400000,   0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q16BV,    0xEF4015, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q32BV,    0xEF4016, 0x2000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q64BV,    0xEF4017, 0x4000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q128BV,   0xEF4018, 0x8000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q16CV,    0xEF4015, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q64CV,    0xEF4017, 0x4000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
MX25L8005,   0xC22014, 0x800000,   0x1000, 0x20, 64, 0, 0x60, 80000
MX25L8006E,  0xC22014, 0x800000,   0x1000, 0x20, 64, 0, 0x60, 80000
MX25L8036E,  0xC22014, 0x800000,   0x1000, 0x20, 64, 0, 0x60, 80000
MX25L1605A,  0xC22015, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L1605D,  0xC22015, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L1606E,  0xC22015, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L1636E,  0xC22015, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L3205D,  0xC22016, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L3206E,  0xC22016, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L3225D,  0xC25E16, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L3235D,  0xC25E16, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L3236D,  0xC25E16, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L6405D,  0xC22017, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L6445E,  0xC22017, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L6436E,  0xC22017, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L6406E,  0xC22017, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L12805D, 0xC22018, 0x8000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L12845E, 0xC22018, 0x8000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L12836E, 0xC22018, 0x8000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L12835E, 0xC22018, 0x8000000,  0x1000, 0x20, 64, 0, 0x60, 80000
MX25L25635E, 0xC22019, 0x10000000, 0x1000, 0x20, 64, 0, 0x60, 80000
MX25L25735E, 0xC22019, 0x10000000, 0x1000, 0x20, 64, 0, 0x60, 80000
M25PE10,     0x208011, 0x100000,   0x1000, 0x20, 64, 0, 0xc7, 80000
M25PE20,     0x208012, 0x200000,   0x1000, 0x20, 64, 0, 0xc7, 80000
M25PE40,     0x208013, 0x400000,   0x1000, 0x20, 64, 0, 0xc7, 80000
M25PE80,     0x208014, 0x800000,   0x1000, 0x20, 64, 0, 0xc7, 80000
M25PE16,     0x208015, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
M25PX80,     0x207114, 0x800000,   0x1000, 0x20, 64, 0, 0xc7, 80000
M25PX16,     0x207115, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
M25PX32,     0x207116, 0x2000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
M25PX64,     0x207117, 0x4000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
N25Q016,     0x20BA15, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
N25Q032,     0x20BA16, 0x2000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
N25Q064,     0x20BA17, 0x4000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
N25Q128,     0x20BA18, 0x8000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
AT26DF081,   0x1F4500, 0x800000,   0x1000, 0x20, 1, 0, 0x60,  20000
AT26DF081A,  0x1F4501, 0x800000,   0x1000, 0x20, 64, 0, 0x60, 20000
AT25DF081,   0x1F4502, 0x800000,   0x1000, 0x20, 64, 0, 0X60, 20000
AT26DF161,   0x1F4600, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 35000
AT26DF161A,  0x1F4601, 0x1000000,  0x1000, 0X20, 64, 0, 0x60, 35000
AT25DF161,   0x1F4602, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 35000
AT25DQ161,   0x1F8600, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 35000
AT25DF321,   0x1F4700, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 60000
AT26DF321,   0x1F4700, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 60000
AT25DF321A,  0x1F4701, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 60000
AT25DF641,   0x1F4800, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 120000
AT25DF641A,  0x1F4800, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 120000
AT25DQ641,   0x1F8800, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 120000
SST25VF016B, 0xBF2541, 0x1000000,  0x1000, 0x20, 1, 0, 0x60, 50
SST25VF032B, 0XBF254A, 0x2000000,  0x1000, 0x20, 1, 0, 0x60, 50
SST25VF040B, 0xBF258D, 0x400000,   0x1000, 0x20, 1, 0, 0x60, 50
SST25VF080B, 0xBF258E, 0x800000,   0x1000, 0x20, 1, 0, 0x60, 50
SST25VF064C, 0xBF254B, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 50
EN25Q40,     0x1C3013, 0x400000,   0x1000, 0x20, 64, 0, 0x60, 80000
EN25F80,     0x1C3114, 0x800000,   0x1000, 0x20, 64, 0, 0x60, 80000
EN25Q80A,    0x1C3014, 0x800000,   0x1000, 0x20, 64, 0, 0x60, 80000
EN25F16,     0x1C3115, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25F32,     0x1C3116, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25Q32B,    0x1C3016, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25Q64,     0x1C3017, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25Q128,    0x1C3018, 0x8000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25Q16(A),  0x1C3015, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25QH16,    0x1C7015, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25QH32,    0x1C7016, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25QH256,   0x1C7019, 0x10000000, 0x1000, 0x20, 64, 0, 0x60, 80000
EN25QH128,   0x1C7018, 0x8000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25QH64,    0x1C7017, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 80000
EN25QH80,    0x1C7014, 0x800000,   0x1000, 0x20, 64, 0, 0x60, 80000
EN25F64,     0x1C3117, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 80000
GD25Q80,     0xC84014, 0x800000,   0x1000, 0x20, 64, 0, 0xc7, 80000
GD25Q16,     0xC84015, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
GD25Q32,     0xC84016, 0x2000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
GD25Q64,     0xC84017, 0x4000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
FM25Q16,     0xF83215, 0x1000000,  0x1000, 0x20, 64, 0, 0x60, 50000
FM25Q32,     0xF83216, 0x2000000,  0x1000, 0x20, 64, 0, 0x60, 80000
FM25Q64,     0xF83217, 0x4000000,  0x1000, 0x20, 64, 0, 0x60, 100000
FM25Q128,    0xF83218, 0x8000000,  0x1000, 0x20, 64, 0, 0x60, 150000
A25L016,     0x373015, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
A25L032,     0x373016, 0x2000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
A25LQ32A,    0x374016, 0x2000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
S25FL016K,   0xEF4015, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
S25FL032K,   0xEF4016, 0x2000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
S25FL064K,   0xEF4017, 0x4000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
Pm25LQ080C,  0x7F9D44, 0x800000,   0x1000, 0x20, 64, 0, 0xc7, 80000
Pm25LQ016C,  0x7F9D45, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
Pm25LQ032C,  0x7F9D46, 0x2000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
Pm25LV080B,  0x7F9D13, 0x800000,   0x1000, 0x20, 64, 0, 0xc7, 80000
Pm25LV016B,  0x7F9D13, 0x1000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q64FV,    0xEF6017, 0x4000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
W25Q128FV,   0xEF6018, 0x8000000,  0x1000, 0x20, 64, 0, 0xc7, 80000
 


this is the info for Esprimo 5730:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
 

--------------------------------------------
Flash Programming Tool. Version 5.1.0.1167
Copyright (c) Intel Corporation. 2007-2008
 
Southbridge: ICH10
Reading file "fparts.txt" into memory...
Initializing SPI utilities
Reading HSFSTS register... Flash Descriptor: Valid
 
	--- Flash Devices Found ---
	W25X32BV	ID:0xEF3016	Size: 4096KB (32768Kb)
 
Using software sequencing.
Reading region information from flash descriptor.
 
	--- Flash Image Information --
	Signature: VALID
	Number of Flash Components: 1
		Component 1 - 4096KB (32768Kb)
	Regions:
		Descriptor - Base: 0x000000, Limit: 0x000FFF
		BIOS       - Base: 0x300000, Limit: 0x3FFFFF
		ME         - Base: 0x003000, Limit: 0x2F7FFF
		GbE        - Base: 0x001000, Limit: 0x002FFF
		PDR        - Base: 0x2F8000, Limit: 0x2FFFFF
	Master Region Access:
		CPU/BIOS - ID: 0x0000, Read: 0x1B, Write: 0x1A
		ME       - ID: 0x0000, Read: 0x0D, Write: 0x0C
		GbE      - ID: 0x0218, Read: 0x08, Write: 0x08
 
Used Space: 4096KB, Actual Space: 4096KB
 


FOv info:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
 
--------------------------------------------
Flash Programming Tool. Version 5.1.0.1167
Copyright (c) Intel Corporation. 2007-2008
 
Southbridge: ICH10
Reading file "fparts.txt" into memory...
Initializing SPI utilities
Reading HSFSTS register... Flash Descriptor: Valid
 
	--- Flash Devices Found ---
	W25X32BV	ID:0xEF3016	Size: 4096KB (32768Kb)
 
Using software sequencing.
Reading region information from flash descriptor.
Reading FOV configuration file "fptcfg.ini"
 

Id	FOVId	Name
---------------------------------------
1	0x0001	MEStateLock
2	0x0002	MEStateControl
3	0x0003	Password
4	0x0004	MEPwrFeature
5	0x0005	DefPowerPackage
6	0x0006	FWUpdEnable
7	0x0007	FWUpdOverrideQualifier
8	0x0008	FWUpdOverrideCounter
9	0x0009	PasswordFlag
10	0x000a	OEMSkuRule
11	0x1001	QSTLock
12	0x1002	QSTState
13	0x2001	PID
14	0x2002	PPS
15	0x2003	MngFeatureLock
16	0x2004	MngMode
17	0x2005	EncryptionEnable
18	0x2006	FullTestCounter
19	0x2007	AMTConfigMode
20	0x2008	MEIdleTimeout
21	0x2009	ZTCEnable
22	0x200a	CfgSrvFQDN
23	0x200b	Hash1
24	0x200c	Hash2
25	0x200d	Hash3
26	0x200e	PasswordPolicy
27	0x200f	EnablerID
28	0x2010	EnablerDescription
29	0x2012	RCSCapability
30	0x3001	DanburyStateControl
31	0x3002	DanburyStateLock
32	0x3003	DanburySecQuest1
33	0x3004	DanburySecQuest2
34	0x3005	DanburySecQuest3
35	0x3010	DanburyCfgPolicy1
36	0x3011	DanburyCfgPolicy2
37	0x3012	DanburyCfgPolicy3
38	0x3013	DanburyCfgPolicy4
39	0x3014	DanburyCfgPolicy5
40	0x3015	DanburyCfgPolicy6
41	0x3016	DanburyCfgPolicy7
42	0x3017	DanburyCfgPolicy8
43	0x3018	DanburyCfgPolicy9
44	0x3019	DanburyCfgPolicy10
45	0x301a	DanburyCfgPolicy11
46	0x301b	DanburyCfgPolicy12
47	0x301c	DanburyCfgPolicy13
48	0x301d	DanburyCfgPolicy14
49	0x301e	DanburyCfgPolicy15
50	0x301f	DanburyCfgPolicy16
51	0x3020	DanburyCfgPolicy17
52	0x3021	DanburyCfgPolicy18
53	0x3022	DanburyCfgPolicy19
54	0x3023	DanburyCfgPolicy20
55	0x3024	DanburyCfgPolicy21
56	0x3025	DanburyCfgPolicy22
57	0x4001	ReadyAccessSupport
58	0x5001	UnlockMTP
59	0x5002	UnlockSMTP
101	Null	HostMacAdd
Null	Null	GlobalLocked
 
---------------------------------------
Total: 61 FOVs are supported.
 

esprimo5730-dump.zip (637 KB)

9

Your only bet, outside Lenovo’s own ME region settings, is to perform the Engine region firmware cleanup as my guide linked above explains. Your Flash Descriptor is currently locked so you cannot dump/reflash the Engine region. Try to see if there are any motherboard jumpers to disable ME/TPM or BIOS options such as “Enable ME-Reflash”, “Disable ME” etc. As for FOV, you cannot change these when the system is out of Manufacturing Mode. Maybe only unlocking FD access will allow you to do that at such an older platform but if you manage to do that, you can just follow the Cleanup Guide anyhow.

10

I had no success until now to find a solution to unlock/ignore Flash Descriptor and read the flash.
I even tested to solder a jumper between PIN 1-5 at realtek alc663 - it is not working for this board.
I don’t have any ideas.

11

I think I found something important for AMT 5 - the hw pin that will disable Flash Descriptor !
Flash Descriptor Security Override/ ME Debug Mode for 5 chipset.
Intel ® I/O Controller Hub 10 (ICH10) Family

HDA_DOCK_EN-GPIO33.png



Now I have to find the chip with pin HDA_DOCK_EN / GPIO [33] and ground it !

If I am not mistaken it is the 82801 with GPIO 33 ?! … without board documentation this will be almost impossible to find without removing the chip and find the pcb…

170913-IMG_20170913_113931.jpg




If anybody have an idea what chip it is I am thank you in advance.

12

HDA is the audio chip. You need to find a motherboard schematic from the OEM (service manual etc) which shows where GPIO33 is.

13

I found the GPIO 33 pin to disable Flash Descriptor Lock and I read the flash !!!

82801JD.jpg



@plutomaniac
If you can provide some recommendation how to proceed because I am at latest AMT 5.2.71.1048 and closest RGN is 5.2.0.1009 it is safe to use that ME Region ?
It will downgrade ME but will not brick the board ?

I found that I am missing lot of data in Setup and Configuration, and I think that is what I need to add.
If I update Configuration.txt it will show the changes and will rebuild with the original ME Region but when I import the build to check I am still missing the same data in Setup and Configuration.
as you can see in the picture.

2017-09-14 15.50.44.jpg

2017-09-14 15.52.37.jpg



Thank you

14

You need to follow the cleanup guide on the dump you just made. Use the latest RGN, it is ok if it’s older. You can then update to the latest via FWUpdate. The settings will transfer via the cleanup guide process.

15

Here it is how I found the GPIO33 pin:

I used a wire / a probe from multimeter connected to computer GND / case and I tested few test pad turning ON computer remove power cord / insert power cord. My comp it is set in BIOS to turn ON when it have power.
With some of the test point connected to GND comp did not start. Lucky did not burn.

My comp have a LED for AMT on pcb that light / flash when AMT it is ON / working.
When I connected the correct test point GPIO 33 the LED was off when I turned ON the computer and I knew it is correct.
Also at boot it displayed on top line some dots … … … and on right top B9


But unfortunately the work it is not finished for me:

I generate a new flash image from latest RGN, flashed the computer without problem and after that I updated to latest one with FWUpdate… and the problem it is the same:
"Remote Connectivity Service Capability: False"

Again like before I have no settings in Setup and Configuration when I load the new flash I dumped after upgrade.

How can I change the descriptor so flash / ME area will not be locked so I don’t have to use Test Point for next time ?

It is ok to use ME from 5.2.40.1037_DO_PRD_EXTR as I see it have a key at Remote Connectivity Service or I can brick the computer ?

Any idea ?
thank you

p.s.
Forgot to add that right after I flash the generated image with test point I try to ftp -greset and if failed with “Error Could not set the GlobalReset bit”

16


With hexeditor patch the FD at offsets 062, 0x66 and 0x6a of full spi dump, see here and then flash the patched spi image

17

I think to change it with FIT I need to replace values at Master Access Section for:

CPU/BIOS now read 0x1B / write 0x1A with FF
ME now read 0x0D / write 0x0C with FF
GBE LAN now read 0x08 / write 0x08 with FF

and generate the new flash image

18

Yes, you can set everything at Master Access Section to FF to enable read/write access and not have to pull GPIO33 on every boot.

FITC 4-5 worked differently than anything post ME6. The AMT settings were kept at separate configuration files. I’m not sure if the cleanup guide is properly written to accommodate that. Can you compress & upload/attach the dumped SPI image?

19

I did another try with the same unsuccessful result as first.

Attached archive with flash file I used and after flash, reboot, test… dump.

By any chance anybody have a flash dump or ME dump from Lenovo M58p ?
That one it have for sure remote capability enabled.

flash-E5730-v2.zip (3.72 MB)

20

Can you upload the original dump from your system? These are based on a random EXTR image, something which should not be done.