[Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization

Intel CSME System Tools v11 r12 does not have a "SMIP Signing Key" field! Same problem with HM170, Dell Inspiron 15-5577


I did everything as instructed up to step 7, but when I need to substitute the SMIP signature, this item is simply not in FIT. It is all the same as for @virginlulu in the attachment. In the Platform Protection menu there is a sub-item "Configuration for Bootguard/ISH" and there is no "Platform Integrity" sub-item. I assume this is where the "Manifest Extension Utility" from the kit is used.
In my case "platform integrity" is missing, but "OEM public Key Hash" is not empty

Well, I seem to understand. I will try this.

I am using CSME System Tools v11 r12

Thanks to plutomaniac’s excellent guide (initial post of this thread), his “ME: Drivers, Firmware & System Tools” repository and SoniX’s awesome UBU tool I’ve been able to keep my aging PC (i7 3770k + Z77) secure - so far. (I would like to use it until Windows 7 support deadline in 2020.)
Unfortunately there are new ME vulnerabilities:
https://www.intel.com/content/www/us/en/…l-sa-00112.html
https://www.intel.com/content/www/us/en/…l-sa-00118.html
And Intel will only fix ME 9 to current.
The guide lists features (Intel Anti-Theft Technology) that can be deactivated. So, is it possible to deactivate other vulnerable features, too?
I can perfectly do without all that remote maintenance stuff (especially if the “service” is provided by criminals or security agencies).
Unfortunately it isn’t transparent which features can be safely deactivated. So, this task would require expert input.

No you cannot disable vulnerabilities. ME 8 and lower are EOL so there won’t be any new updates. Besides, issue 112 relates to AMT (5MB firmware, not 1.5MB) and 118 is only at CSME 11 firmware.

Good news at last: currently (still) safe

With this method can I change the ‘11.8.50.3399_CON_H_D0_PRD_RGN.bin’ firmware to an ‘11.8.50.3399_CON_H_D0_PRD_EXTR.bin’ firmware?

Please re-read what I wrote in the other thread, I made an edit that maybe you missed. You don’t want EXTR, that only means it’s dirty (Settings and data from some running motherboard, not yours unless you extracted ME) and it means it has been extracted from some previously used BIOS already.

I tried doing all these steps on the 11.8.50.3399_CON_H_D0_PRD_RGN.bin firmware but when I get to:

"SMIP Signing Key" field, input the placeholder RSA Private Key (dummy.pem) that was created by the OpenSSL tool. Then go to "Build > Build Settings", input the Manifest Extension Utility (MEU) executable location at "Intel(R) Manifest Extension Utility Path" field, input Win32 OpenSSL Lite executable location at "Signing Tool Path" field, make sure that "OpenSSL" is selected at "Signing Tool" field, make sure that "Verify manifest signing keys against the OEM Key Manifest" is set to "No", leave all other settings intact and click Close."

there is no Platform Integrity Field or "SMIP Signing Key" :frowning:

That step is not needed for the board/BIOS we just discussed (Maximus X Formula), unless your dump is different than the stock BIOS? OEM Key hash field is all zeros (Empty), so skip all that and move onto step #8
Or, if you are referring to another board/BIOS, ignore this

I have updated section D2. CSE (CSME 11 - 12 & CSTXE 3 - 4) > Step 7 and Step 13 to make it more clear when someone must follow their instructions. Also, section A. About Engine Regions & Configuration has been updated to explain RGN/EXTR. Other smaller text improvements can be found all around the guide.

I have updated section D2. CSE (CSME 11 - 12 & CSTXE 3 - 4) > Step 5 and Step 14 > 3rd Bullet with instructions on how to check whether the DATA section is Unconfigured, Configured or Initialized via ME Analyzer and not Flash Image Tool. ME Analyzer v1.70.0 or newer is required for CSE File System (DATA) parsing.

Hi all, how do you fix D1 Step 9 when the original dumped ME Region.bin is smaller than the new 1.5MB ME file, and FITC runs into an error:



-Edit-

Actually I have no idea how it comes down to FITC being the faulty one; I am using the correct version to service my BIOS.

For an 8MB BIOS ROM, after being decomp’d by FITC, all 4 Region files sum up to 9.36MB and it thinks it is oversized and won’t even rebuild with everything untouched.


-Edit 2-

Made a super sketchy ROM; I don’t know if it can be trusted. The reason why FITC couldn’t build is that BIOS Region.bin is the exact full-size 8MB BIOS with ME and stuff in it, so I used UEFITool to extract the BIOS Region, which is 6MB, to replace it. Set the reduced BIOS Size in FITC to 600000 and replaced the new ME Region that has been decomp’d so the size matches. Loaded preset ME settings and FITC built it. But is that proper?

@vuze4u - a link to stock BIOS or dump you are modifying would help, without that we can only guess. Also, note what version ME you are trying to put back in, so we can test the process and see if it’s a bug, or something is wrong etc.


You need to fix the Flash Descriptor BIOS starting offset (0x44 - 0x46) first from 0x0000 to whatever the correct one is. In the past, some OEMs thought it was a good idea to not explicitly mention where the BIOS region starts, noticeably Gigabyte but others too. UEFITool automatically parses such images properly by adjusting the offset on the fly so you can use that to view the correct one. The value is in Little Endian and silently multiplied by 0x1000. For example, if UEFITool shows that the BIOS starts at 0x600000 then you need to change 0x0000 to 0x0006 which means 0x0600 * 0x1000 = 0x0600000.
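
The region registers described in the post above, decoded and checked as an added example (not part of the original post or the guide). It assumes the registers start at 0x40; `parse_flreg`, `check_layout` and `set_bios_base` are hypothetical helper names, the first sample is the 16 bytes quoted further down this thread for the FIT-built image, and the second is a constructed 8MB layout with the BIOS base left at 0x0000.

```python
import struct

FRBA = 0x40  # assumption: region registers start at 0x40, as in the dump quoted in the thread
NAMES = ["Descriptor", "BIOS", "ME", "GbE"]

def parse_flreg(desc: bytes, frba: int = FRBA) -> dict:
    """Decode the four region registers into {name: (start, end) or None}.

    Each register is a little-endian 32-bit value: low half = base, high half =
    limit, both in 0x1000-byte units. base > limit marks an unused region.
    """
    regions = {}
    for i, name in enumerate(NAMES):
        (reg,) = struct.unpack_from("<I", desc, frba + 4 * i)
        base, limit = reg & 0x7FFF, (reg >> 16) & 0x7FFF
        regions[name] = None if base > limit else (base * 0x1000, limit * 0x1000 + 0xFFF)
    return regions

def check_layout(regions: dict) -> list:
    """Report a BIOS base left at 0x0000 and any overlapping regions."""
    problems = []
    if regions["BIOS"] and regions["BIOS"][0] == 0:
        problems.append("BIOS base is 0x0000 (start not stated in descriptor)")
    used = sorted((r, n) for n, r in regions.items() if r)
    for (a, an), (b, bn) in zip(used, used[1:]):
        if b[0] <= a[1]:
            problems.append(f"{an} overlaps {bn}")
    return problems

def set_bios_base(desc: bytes, start: int, frba: int = FRBA) -> bytes:
    """Return a copy with the BIOS base (2 bytes at frba + 4) set to start / 0x1000."""
    if start % 0x1000:
        raise ValueError("region start must be a multiple of 0x1000")
    out = bytearray(desc)
    struct.pack_into("<H", out, frba + 4, start // 0x1000)
    return bytes(out)

# Register bytes at 0x40 as quoted in the thread for the FIT-built image
MODDED = bytes(0x40) + bytes.fromhex("00 00 00 00 01 00 00 06 01 06 ff 07 ff 1f 00 00")
# Constructed sample: 8MB image whose BIOS base was left at 0x0000
STOCK_LIKE = bytes(0x40) + bytes.fromhex("00 00 00 00 00 00 ff 07 01 00 ff 01 ff 1f 00 00")

if __name__ == "__main__":
    for label, img in (("modded", MODDED), ("stock-like", STOCK_LIKE)):
        regions = parse_flreg(img)
        print(label, regions, check_layout(regions))
    fixed = set_bios_base(STOCK_LIKE, 0x200000)
    print("fixed", fixed[0x44:0x46].hex(), check_layout(parse_flreg(fixed)))
```

Run it against a copy of the first 0x1000 bytes of a dump, never against the only copy of the image.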

@Lost_N_BIOS - Hi, I have included the Stock OEM BIOS (target BIOS for modding), the SPI dump from my board for reference and the modded BIOS (also serviced with UBU Tool) in the attachment.

My mainboard is GA-Z77-D3H revision 1.0, the ME version on the stock BIOS is very old and I’m replacing it with 8.1.70.1590_1.5MB_PRD_RGN.bin, along with the OEM ICC Profile etc. migrated.

The modded BIOS with OEM settings verified fine with UBUTool, UEFITool, ME Analyzer. But one difference shown in UEFITool is the Flash Descriptor with the ME and BIOS region offsets swapped, and it’s done by FIT:

-Modded-
ME region offset: 601000h
BIOS region offset: 1000h

-Stock OEM/SPI Dump/Other Modded BIOS from someone else-
ME region offset: 1000h
BIOS region offset: 200000h

Only the BIOS built with FIT can decompress properly (6MB BIOS Region and 1.4MB ME Region). All the stock/SPI/other 3rd party modded BIOS can’t decomp right and I suspect it has something to do with that BIOS Region offset being at 200000. But I think it shouldn’t be a problem for the system BIOS, right?

–

@plutomaniac - Many thanks for the info, glad to hear UEFITool can extract the region correctly because I have zero knowledge on how to edit that offset, let alone the method to do it.

OEMFactory_Z77D3HF23.zip (3.67 MB)

SPI-Dump.zip (3.8 MB)

Modded_Z77D3HF23.zip (3.72 MB)

Even with plutomaniac’s advice I can’t figure out how to fix that offset!? Maybe because it does not need fixed?!
line 40 = 00 00 00 00 01 00 00 06 01 06 ff 07 ff 1f 00 00 >> 0x44-46 = 01 00 00 = correct BIOS region offset per UEFITool and hex-view, due to however the file was modified incorrectly?

I tried 10 things, and stared at it and the stock BIOS for about 20 minutes, seems simple and it probably is, but I’m missing seeing something.
However, looking at the actual BIOS in hex, I think it’s compiled wrong and you should start over, no matter what FD shows / how UEFITool parses things, the actual BIOS region code starts at 1000h in your mod BIOS.
Meaning, BIOS is actually above ME in UEFITool and that is correctly shown in UEFITool due to how it’s laid out in the BIOS you modified. I would start all over, making sure this doesn’t happen, stock BIOS is not like that so this happened during something you did when modifying.
Probably whatever you did when you extracted region and replaced maybe, you put above ME. And reducing BIOS size (?) probably didn’t help either.

@vuze4u - So, anyway, after all that, the simple way comes to mind. I took stock BIOS, extracted your modified BIOS region and modified ME region and replaced in stock BIOS, problem solved.
https://www.sendspace.com/file/6wudhy

@Lost_N_BIOS - Yeah, the region offset thing is done by FIT and I couldn’t figure out a way to force build ME on top of BIOS. I thought it may cause a problem but couldn’t be sure of myself. I tried editing the .map file in the decompressed folder, but after restarting FIT the .map file was regenerated, not reused.

So many thanks for the assist LOST_N_BIOS and this awesome detailed guide plutomaniac, going to test the ROM this weekend! :smiley: