[Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization

Well ok, if you have the knowledge and tools then you can replace it with something which accepts Core i-series like HM76 or similar (check Intel ARK). But it’s not relevant to this topic anymore.

@Plutomaniac,

Hi,

I think I figured out how to transfer just the ‘DATA’ info from a configured ME onto a newer version and include it in my ROM File.

Steps I took:

1. You load the matching version factory stock RGN ME file into FIT tool and copy ‘ME Region.bin’ to a safe place.
2. You then load either your dumped ROM file or downloaded BIOS ROM file into FIT.
-> set generate intermediate files to NO
-> blank out paths to any output files with 0 kb
Then save your config.xml file to disk and exit FIT.
3. You then copy over your ‘ME Region.bin’ file overwriting the new ‘ME Region’ file from the dumped Rom.
4. Run FIT again and load your config.xml and hit ‘Build’.
5. Open the new outputfile.bin with FIT and you should have a new ‘ME Region.bin’ file stripped of the INIT info but with the OEM DATA transferred over.
6. Correct the length of the new ‘ME Region.bin’ file to match the last extracted ME Region using UEFITool and use UEFITool to replace the ME Region with your new file.
7. Save file.

Questions I have:

When I press Build I get a warning that Boot Guard will be disabled! Is this important?

Alright to use downloaded bios rom file instead of direct dump? Obviously have to remove capsule?

This statement confuses me a little:

 So we pick the firmware file 11.0.1.1001_CON_H_XX_PRD_RGN which matches perfectly what we saw at ME Analyzer. If for example the dumped SPI image had ME 11.0.0.1196 with LP SKU, we would have picked ME 11.0.0.1197 instead because the one we wanted is EXTR and not RGN.

 


Thanks

These steps don’t matter as long as the guide explains exactly what to do. The warning is ok. You can use OEM download as long as it is a full SPI image. If there is a capsule, it needs to be removed first. The quoted sentence is fine.

Thanks Plutomaniac for the reply,


Much appreciated your response. Thank you.

Edit: How do I know it’s a full OEM SPI download?

If I clean the ME image of a BIOS dump and end up with a clean ME image in "manufacturing mode" but with the descriptor locked which prevents me from using the "fpt -closemnf" command, would that be a problem? Should I change the ME read and write permissions to 0xFF so that I can use the "-closemnf" command or should I just leave it in manufacturing mode?

Manufacturing mode is determined by the FD lock state and the Manufacturing bit being set. You don’t have to use -closemnf if you build the SPI image with FD locked and Manufacturing bit set at Flash Image Tool. If you leave the FD unlocked, you can reflash the ME region via software solutions (FPT, flashrom, AFU etc). If you have other methods of bypassing the lock when needed (jumper, BIOS option, programmer etc) then you can leave it locked for better security.

I updated the ME version for my Asus Maximus Board to the latest ME firmware 11.6.29.3287_CON_H_D0_PRD_RGN.bin

Now see this screenshot and perhaps someone can tell me what is wrong:


http://i.imgur.com/oOqEJHl.png

ME Version in bios listed as 11.6.25.1229
ME Version outimage and on USB listed as 11.6.29.3287
Me Version Source file listed as 11.6.10.1196

Now… meinfo listed it as 11.6.25.1229 H



Anyone got a clue?

@ Toetje583:

I suppose you used USB Flashback or similar. These update the BIOS region only, not the ME. If you used a programmer with outimage.bin then the version would be 11.6.29 indeed. Use FWUpdate tool to update the ME instead. If you want to clean it you need read/write access to its region which is not possible without a programmer, a motherboard jumper, a bios option which enables ME reflash etc.



I remember now what happened, I already updated the ME firmware once, that’s why the ME version is newer than the source BIOS but older than my modded BIOS, but I can’t remember whether I used FWUpdate or a programmer. Perhaps I unlocked ME Reflash but I need to get a look into that.
Anyway, as FWUpdate might allow an upgrade I will do that first, and if that isn’t working I will use my hardware flasher.

Thanks Plutomaniac!


First I tried using the UnlockME_x64.efi tool that came with the BIOS update, but it allows updating the TXE/ME firmware without unlocking the descriptor, so I wasn’t able to get it out of manufacturing mode. But I do have a programmer and I was able to fix it using the programmer, thanks.

But let’s say this happens again, can it be fixed without a programmer? Where is the Manufacturing bit you speak of?

TXEManuf -eol -verbose output:


Intel(R) TXEManuf Version: 1.0.4.1089
Copyright(C) 2005 - 2013, Intel Corporation. All rights reserved.


FW Status Register1: 0x1F0000D5
FW Status Register2: 0x60000000

CurrentState: Normal
ManufacturingMode: Enabled
TXEMemoryInvalid: Valid
OperationalState: Power Gated
InitComplete: Initializing
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
Phase: HOSTCOMM Module

Get FWU info command…done

Get FWU version command…done

Get FWU feature state command…done

Get TXE FWU platform type command…done

Get TXE FWU feature capability command…done
Feature enablement is 0x20001040

TXEManuf.cfg is found with 7 valid test entries

SpiLoadDevicesFile(vsccommn.bin)…
GBE Region does not exist.
Checking FPF Global Valid status…passed

Checking CF9GR locking status…passed


FRAP register value is 0x00000A0B
Flash Master1 (Host/BIOS) value is 0x0A0B0000
Flash Master2 (TXE) value is 0x0C0D0000
Checking Flash Region Access Permissions status…passed

Error 9310: Intel(R) TXE is still in Manufacturing Mode
Checking TXE Manufacturing Mode status…failed

SPI Flash ID #1 BIOS VSCC value is 0x2005
SPI Flash ID #1 (ID: 0xEF6017) BIOS VSCC value checked
Checking BIOS VSCC status…passed

SPI Flash ID #1 TXE VSCC value is 0x2005
SPI Flash ID #1 (ID: 0xEF6017) TXE VSCC value checked
Checking TXE VSCC status…passed

Checking End-Of-Post status…passed


Error 9322: TXEManuf End-Of-Line Test Failed

@ e1D:

Manufacturing Mode is controlled by the Flash Descriptor Region Access Permissions (all of them must be at the Intel recommended values) and by the setting of the Engine (ME/TXE) Manufacturing Done bit. Thus, there are four possible cases: FD Locked + Done bit Set, FD Locked + Done bit Not Set, FD Unlocked + Done bit Set and FD Unlocked + Done bit Not Set. Manufacturing Mode is Disabled only when the FD is Locked and the Done bit is Set (1st case). The other three lead to Manufacturing Mode being Enabled.

Flash Programming Tool’s Close Manufacturing command (-closemnf) automatically Sets the FD locks to Intel recommended values and the Engine Manufacturing Done bit. Usually a Global Reset (-greset) is performed to apply the changes and at the next reboot the system will be out of Manufacturing Mode. There are two exceptions:

1) If the FD is locked and the Engine Done bit is Set, -closemnf does nothing since the system already has Manufacturing Mode Disabled
2) If the FD is locked but the Engine Done bit is Not Set, -closemnf cannot proceed since it cannot change the Engine Done bit at the Engine region while the FD is Locked

In the latter exception, one would need to reprogram the Engine region of the SPI/BIOS chip with the Manufacturing Done bit Set. Generally, Flash Image Tool automatically Sets the Manufacturing Done bit at the Engine Region upon image building, provided that the Flash Descriptor Region Access Permissions are Set to those recommended by Intel. You need to manually change an option at Flash Image Tool to allow leaving the Engine Manufacturing Done bit Not Set even when the FD is Locked.
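As an added example (not part of the original posts and not Intel tooling): a short Python script that reads a TXEManuf -eol report such as the one posted earlier, decodes the two Flash Master values, and maps the result onto the cases and -closemnf outcomes described in this reply. The report excerpt is taken from the output above with ASCII dots in place of the ellipsis character; the bit layout (bits 16-23 read, bits 24-31 write, one bit per region in the order FD, BIOS, Engine, GbE, PDR) is an assumption based on the version 1 flash descriptor format, not something stated in the thread.

```python
import re

# Excerpt of the TXEManuf -eol report posted earlier in this thread.
REPORT = """\
ManufacturingMode: Enabled
Flash Master1 (Host/BIOS) value is 0x0A0B0000
Flash Master2 (TXE) value is 0x0C0D0000
Checking Flash Region Access Permissions status...passed
Error 9310: Intel(R) TXE is still in Manufacturing Mode
"""

# Assumed descriptor v1 region numbering: one permission bit per region.
REGIONS = ["FD", "BIOS", "Engine", "GbE", "PDR"]

def decode_master(value):
    """Assumed layout: bits 16-23 = read access, bits 24-31 = write access."""
    read, write = (value >> 16) & 0xFF, (value >> 24) & 0xFF
    names = lambda mask: [r for i, r in enumerate(REGIONS) if mask >> i & 1]
    return {"read": names(read), "write": names(write)}

def parse_report(text):
    """Extract the fields needed to pick one of the four cases."""
    masters = {
        name: decode_master(int(val, 16))
        for name, val in re.findall(
            r"Flash Master\d \(([^)]+)\) value is (0x[0-9A-Fa-f]+)", text)
    }
    mfg = re.search(r"ManufacturingMode:\s*(\w+)", text)
    frap = re.search(r"Flash Region Access Permissions status\W+(\w+)", text)
    return {
        "masters": masters,
        "mfg_enabled": bool(mfg) and mfg.group(1) == "Enabled",
        # The tool's own permissions check stands in for "FD locked".
        "fd_locked": bool(frap) and frap.group(1) == "passed",
    }

def diagnose(info):
    """Map the report to the cases and -closemnf outcomes described above."""
    if info["fd_locked"] and not info["mfg_enabled"]:
        return "FD locked + Done bit set: -closemnf does nothing"
    if info["fd_locked"]:
        return ("FD locked + Done bit not set: -closemnf cannot proceed, "
                "reprogram the Engine region with the Done bit set")
    return "FD unlocked: -closemnf can set the FD locks and the Done bit"

if __name__ == "__main__":
    print(diagnose(parse_report(REPORT)))
```

For the posted report the host master decodes to write access on BIOS and GbE only, which is consistent with the second exception: the host cannot touch the Engine region while the descriptor is locked.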

I think I have enough information to figure out what I did wrong then. Thanks

Section D2 for CSE (CSME 11 & CSTXE 3) got updated today:

At Step 11 I’ve added proper instructions for what file to replace when working with bare Engine regions only. When not working with SPI images, you need to replace the input Engine region, not the one from “Decomp” folder. That’s because FIT looks for the Engine region at the input file in that case, so we need to replace that for the cleaning to be successful.


Can somebody help me with cleaning DATA in this image?
https://drive.google.com/open?id=1poDFqs…BUaD81AWSbXo2CI
I did try, but the 10 and 11 versions of FIT are not opening this image, or the extracted ME region. Both are just crashing.
It’s Corporate H version of 11.8 ME

You must use FIT v11 for CSME 11 firmware, not 10 or anything else. The CSME firmware (its settings specifically) is corrupted so FIT cannot parse it. You’ll need to find a SPI dump from someone else with the same system and clean that instead. Then extract its CSME region with UEFITool in order to replace the one from your own dump.

@plutomaniac No other way? Like taking the ME part from the BIOS update package? It will be really hard to find a working dump, as this is a laptop with a soldered chip - not so many maniacs like me will use a programmer on the board.

You need an Engine region with that model’s settings, we can neither guess them nor take them from your corrupted dump. The choices are either the OEM SPI/BIOS (not useful in your case as Dell includes RGN/stock Engine regions for FWUpdate flashing during normal BIOS updating) or someone else’s (non-corrupted) dump which can then be cleaned as I said above.

Looks like I found a dump from the same model, but the dump is a little bit old. I currently have the latest 11.8, and the dump has 11.0.
Before I try this, I just want to clarify things:
- I’m taking that old image, extracting the ME region
- Cleaning it using this guide
- Flashing the cleaned ME region with flashrom
- If everything goes well - upgrading ME with the official Dell installer (together with the latest BIOS)
Also, should I be aware of anything, given the fact that my laptop has Boot Guard active?
Also, one more question - can I use the 11.8 RGN image with the extracted 11.0 image? Otherwise - where can I find a clean 11.0 image for cleaning the extracted one?

BootGuard should not be an issue when dealing with Engine firmware. Take the old (but healthy) SPI dump and follow the CleanUp Guide using the latest compatible 11.8 RGN for your system (yes you can jump from 11.0 to 11.8 while using the guide). Then extract its cleaned/configured/updated Engine region via UEFITool. Replace the one at your own dump with the guide’s output (make sure the region sizes are the same in UEFITool, they should probably be the same in this case). Flash your fixed dump (cleaned/configured/updated CSME firmware) back via flashrom or whatever programmer you used in the first place.

Sections D1 for Pre-CSE (ME 2 - 10 & TXE 1 - 2) > Step 15 and D2 for CSE (CSME 11 & CSTXE 3) > Step 16 got updated today. I’ve added instructions on how to make sure that the output region has the same size as the dumped one which is relevant when working with bare Engine regions only.
