help enabling Dell disabled ME

Hello Wizards,

I’ve got what I guess would be a strange request for help to enable ME that Dell has disabled.

I have a Dell XPS 9550 laptop that I would like to get TPM 2.0 working on. The CPU is Intel i7-6700HQ and ark[1] suggests to me the hardware supports this. The BIOS menus have no visible TPM or PTT settings or anything else that I can click to get this functionality. tpm.msc tells me that a TPM module can not be found on this computer. I looked back at the order sheet Dell gave me when I bought/configured the machine and I see:

340-AFPJ : TPM Not Enabled GVH5N INFO,TOKEN,DTP,NO-TPM,WW

Inside the case of the laptop there’s a sticker[2] “ME Disabled.” I assume Dell has somehow done some soft lock out of the ME/PTT/TPM functionality for the machine.

MEInfo shows the following:


>MEInfoWin64.exe
 
Intel(R) MEInfo Version: 11.8.86.3909
Copyright(C) 2005 - 2020, Intel Corporation. All rights reserved.
 

 
Intel(R) ME code versions:
 
BIOS Version 1.14.0
MEBx Version 11.0.0.0010
GbE Version 0.8
Vendor ID 8086
PCH Version 31
FW Version 11.8.86.3909 H
Security Version (SVN) 3
LMS Version Not Available
MEI Driver Version 2120.100.0.1085
Wireless Hardware Version Not Available
Wireless Driver Version Not Available
 
FW Capabilities 0x31111140
 
Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Intel(R) Platform Trust Technology - PRESENT/DISABLED
 
Re-key needed False
Platform is re-key capable True
TLS Disabled
Last ME reset reason Global system reset
Local FWUpdate Enabled
BIOS Config Lock Enabled
GbE Config Lock Enabled
Host Read Access to ME Disabled
Host Write Access to ME Disabled
Host Read Access to EC Disabled
Host Write Access to EC Disabled
SPI Flash ID 1 EF4018
SPI Flash ID 2 Unknown
BIOS boot State Post Boot
OEM ID 68853622-eed3-4e83-8a86-6cde315f6b78
Capability Licensing Service Enabled
OEM Tag 0x00000000
Slot 1 Board Manufacturer 0x00001028
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
M3 Autotest Enabled
C-link Status Enabled
Independent Firmware Recovery Disabled
EPID Group ID 0x1F83
LSPCON Ports None
5K Ports None
OEM Public Key Hash FPF 234EB9DE1AC240CC1376378CA22D245372D665B40F93D148141A66E9B76293EF
OEM Public Key Hash ME 234EB9DE1AC240CC1376378CA22D245372D665B40F93D148141A66E9B76293EF
ACM SVN FPF 0x2
KM SVN FPF 0x0
BSMM SVN FPF 0x0
GuC Encryption Key FPF 0000000000000000000000000000000000000000000000000000000000000000
GuC Encryption Key ME 0000000000000000000000000000000000000000000000000000000000000000
 
FPF ME
--- --
Force Boot Guard ACM Enabled Enabled
Protect BIOS Environment Enabled Enabled
CPU Debugging Enabled Enabled
BSP Initialization Enabled Enabled
Measured Boot Enabled Enabled
Verified Boot Enabled Enabled
Key Manifest ID 0xF 0xF
Enforcement Policy 0x3 0x3
PTT Enabled Enabled
PTT Lockout Override Counter 0x0
EK Revoke State Not Revoked
PTT RTC Clear Detection FPF 0x0
 
 


You might notice that I'm running a ME firmware that's more recent than what's included in Dell's latest they've released for this in their BIOS package 1.14.0[3]. I updated the ME firmware myself hoping it would get things working, but it didn't.

Before I updated the ME firmware to the latest I could find, I dumped the original with
FWUpdLcl64.exe -save fw.bin
I can run that through ME Analyzer to get:


╔═══════════════════════════════════════════╗
║ ME Analyzer v1.253.0 r262 ║
╚═══════════════════════════════════════════╝

╔════════════════════════════════════════════╗
║ fw.bin (1/1) ║
╟─────────────────────────────┬──────────────╢
║ Family │ CSE ME ║
╟─────────────────────────────┼──────────────╢
║ Version │ 11.8.70.3626 ║
╟─────────────────────────────┼──────────────╢
║ Release │ Production ║
╟─────────────────────────────┼──────────────╢
║ Type │ Update ║
╟─────────────────────────────┼──────────────╢
║ SKU │ Corporate H ║
╟─────────────────────────────┼──────────────╢
║ Chipset Stepping │ D, A ║
╟─────────────────────────────┼──────────────╢
║ TCB Security Version Number │ 3 ║
╟─────────────────────────────┼──────────────╢
║ Version Control Number │ 284 ║
╟─────────────────────────────┼──────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼──────────────╢
║ Workstation Support │ No ║
╟─────────────────────────────┼──────────────╢
║ OEM Configuration │ No ║
╟─────────────────────────────┼──────────────╢
║ Date │ 2019-07-22 ║
╟─────────────────────────────┼──────────────╢
║ File System State │ Unconfigured ║
╟─────────────────────────────┼──────────────╢
║ Chipset Support │ SPT/KBP ║
╟─────────────────────────────┼──────────────╢
║ Latest │ No ║
╚═════════════════════════════╧══════════════╝


I can also dump the ME firmware I'm running now with
FWUpdLcl64.exe -save mefw_new.bin
And run that through ME Analyzer to get:

╔═══════════════════════════════════════════╗
║ ME Analyzer v1.253.0 r262 ║
╚═══════════════════════════════════════════╝

╔════════════════════════════════════════════╗
║ mefw_new.bin (1/1) ║
╟─────────────────────────────┬──────────────╢
║ Family │ CSE ME ║
╟─────────────────────────────┼──────────────╢
║ Version │ 11.8.86.3909 ║
╟─────────────────────────────┼──────────────╢
║ Release │ Production ║
╟─────────────────────────────┼──────────────╢
║ Type │ Update ║
╟─────────────────────────────┼──────────────╢
║ SKU │ Corporate H ║
╟─────────────────────────────┼──────────────╢
║ Chipset Stepping │ D, A ║
╟─────────────────────────────┼──────────────╢
║ TCB Security Version Number │ 3 ║
╟─────────────────────────────┼──────────────╢
║ Version Control Number │ 301 ║
╟─────────────────────────────┼──────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼──────────────╢
║ Workstation Support │ No ║
╟─────────────────────────────┼──────────────╢
║ OEM Configuration │ No ║
╟─────────────────────────────┼──────────────╢
║ Date │ 2021-03-14 ║
╟─────────────────────────────┼──────────────╢
║ File System State │ Unconfigured ║
╟─────────────────────────────┼──────────────╢
║ Chipset Support │ SPT/KBP ║
╟─────────────────────────────┼──────────────╢
║ Latest │ Yes ║
╚═════════════════════════════╧══════════════╝



I've also tried poking through the BIOS .bin that I unpacked from Dell's bios update .exe looking for hidden EFI variables to twiddle with this[4], but there seem to be so many relevant ones, I don't know which to try forcing and I'm a bit worried here that I could brick it by changing those.

So any advice anyone can offer for how I can get TPM working on this laptop would be really great!

[1]: ark.intel.com/content/www/us/en/ark/products/88967/intel-core-i7-6700hq-processor-6m-cache-up-to-3-50-ghz.html
[2]: attached
[3]: www dell.com/support/home/en-uk/drivers/driversdetails?driverid=90khw&oscode=wt64a&productcode=xps-15-9550-laptop
[4]: github.com/datasone/grub-mod-setup_var

me_disabled.jpg

What do you want, and what do you think your processor is capable of?

ME disabled means for Dell normally vpro/AMT disabled, but an i7-6700HQ isn’t vpro capable.

ME software TPM might be possible to enable in ME, at least it’s not fused disabled according to your MEInfo. Would require editing settings of ME region, similar to the cleaning process described here: [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization

fit11.jpg


My goal is to get "The TPM is ready for use." or similar status when I run tpm.msc in Windows.

I think my machine is capable of providing some sort of TPM functionality to the OS via Intel PTT (Platform Trust Technology).


Yeah, I had thought it might be similar to that. Would that cleaning procedure cause PTT to become enabled? Would there also need to be EFI variable changes to go along with that? Can just EFI var edits unlock PTT? Are there any tools for parsing or editing ME DATA?

Intel(R) Platform Trust Technology - PRESENT/DISABLED
from my MEInfo seems to be the critical issue here. Getting that from DISABLED to ENABLED without making a paperweight is what I think I should go for first.

I bought an IC clip to help me dump/reprogram my flash memory chips. Absent any advice from the pros here, I think I’ll just start messing around. Is there anything more I can provide that could help anyone give me any better guidance?

Check for the chip details, maybe you need a 1.8 V adapter. Make at least 2 to 3 good and valid backups of the firmware!

Otherwise as written: While following the procedure for cleaning an ME change the required settings regarding PTT in FIT and flash the ME back. That should change "Intel(R) Platform Trust Technology - PRESENT/DISABLED" to enabled… Either your bios options come up when the bios detects a TPM device or you have to unlock them in the next step, too…

I am joining this, though I am not sure whether I should start a new thread for this.

My mother’s Vostro 3568 has been erroring out on POST for the past few months, not being able to find any TPM (no such issues with my sister’s Vostro 3568, which has an identical hardware configuration), and no matter what I have tried, it just doesn’t change anything (I have even tried the setup_VAR method, to no avail: the settings are either the same or are reset upon reboot, and worse, every single GUID is mismatching between UBU and setup_VAR).

Since there is a chance I am mistaking something, here is my text file extracted with IFRExtract (renamed for convenience in the terminal):
https://www.swisstransfer.com/d/fee550a8…dc-6248f7f70982

Joining too. I have the exact same problem as OP, but with a Dell Optiplex 7050 instead. I can all but assure you that your assumption is correct; Dell ‘soft locked’ the TPM functionality based on the order details. I actually have 4 of these machines at present. Two SFFs with TPM enabled/working (as ordered) and two MTs with TPM not enabled/missing (also as ordered). I can physically see the TPM chip on all four machines so I know the hardware is there. I’ve started trying to compare firmware data between them to find the difference. This is what I’ve found/tried so far:

First, I’ll note that the MEinfo of a working machine also shows ‘Intel(R) Platform Trust Technology - PRESENT/DISABLED’. I think that option is specific to PTT (cpu/software) rather than TPM (separate hardware). Seems to be a red herring in this case.

Second, I did find a relevant Setup variable:


0x30BE9 Suppress If {0A 82}
0x30BEB QuestionId: 0x8C equals value 0x0 {12 86 8C 00 00 00}
0x30BF1 QuestionId: 0xDFF equals value 0x1 {12 06 FF 0D 01 00}
0x30BF7 Or {16 02}
0x30BF9 QuestionId: 0xDD4 equals value 0x1 {12 06 D4 0D 01 00}
0x30BFF Or {16 02}
0x30C01 End {29 02}
0x30C03 Ref: TPM 1.2 Security, VarStoreInfo (VarOffset/VarName): 0xFFFF, VarStore: 0x0, QuestionId: 0x41, FormId: 0x8809 {0F 0F 02 1A 04 1A 41 00 00 00 FF FF 00 09 88}
0x30C12 Guid: [A5D58BCF-EB5C-44FC-9122-CA4369B9ABE6] {5F 27 CF 8B D5 A5 5C EB FC 44 91 22 CA 43 69 B9 AB E6 13 E0 CE 7A 41 A9 6F 82 4A 99 D7 F9 B1 DD 27 1E 48 49 04 00 00}
0x30C39 End If {29 02}
0x30C3B Suppress If {0A 82}
0x30C3D QuestionId: 0x8C equals value 0x0 {12 86 8C 00 00 00}
0x30C43 QuestionId: 0xDFF equals value 0x1 {12 06 FF 0D 01 00}
0x30C49 Or {16 02}
0x30C4B QuestionId: 0xDD4 equals value 0x0 {12 06 D4 0D 00 00}
0x30C51 Or {16 02}
0x30C53 End {29 02}
0x30C55 Ref: TPM 2.0 Security, VarStoreInfo (VarOffset/VarName): 0xFFFF, VarStore: 0x0, QuestionId: 0x42, FormId: 0x8821 {0F 0F 03 1A 05 1A 42 00 00 00 FF FF 00 21 88}
0x30C64 Guid: [A5D58BCF-EB5C-44FC-9122-CA4369B9ABE6] {5F 27 CF 8B D5 A5 5C EB FC 44 91 22 CA 43 69 B9 AB E6 13 E0 CE 7A 41 A9 6F 82 4A 99 D7 F9 B1 DD 27 1E 48 49 04 00 00}
0x30C8B End If {29 02}

0x31932 Checkbox: , VarStoreInfo (VarOffset/VarName): 0x1131, VarStore: 0x1, QuestionId: 0x8C {06 8E AF 03 AF 03 8C 00 01 00 31 11 10 00}
0x31940 Default: DefaultId: 0x0, Value (Other) {5B 85 00 00 08}
0x31945 Value {5A 82}
0x31947 64 Bit Unsigned Int: 0x1 {45 0A 01 00 00 00 00 00 00 00}
0x31951 End {29 02}
0x31953 End {29 02}
0x31955 End {29 02}
0x31957 Guid: [A5D58BCF-EB5C-44FC-9122-CA4369B9ABE6] {5F 27 CF 8B D5 A5 5C EB FC 44 91 22 CA 43 69 B9 AB E6 1D E0 CE 7A 41 A9 6F 82 4A 99 D7 F9 B1 DD 27 1E 48 49 04 00 00}

Using setup_var from the UEFI shell I found that offset 0x1131 is set to 0x1 on the working machine and 0x0 on the non-working. I did try changing that value to 0x1, and it let me. But after rebooting it seems to revert back to 0x0 and still no love in BIOS setup. I guess it needs to be set some other way/place, or its actual value is derived from some other setting/process.

The ‘checkbox’ above seems to be an item in a hidden Debug menu:

0x301AC Suppress If {0A 82}
0x301AE QuestionId: 0xE3F equals value 0x0 {12 06 3F 0E 00 00}
0x301B4 Ref: Debug, VarStoreInfo (VarOffset/VarName): 0xFFFF, VarStore: 0x0, QuestionId: 0x17, FormId: 0x800C {0F 0F B1 17 B2 17 17 00 00 00 FF FF 00 0C 80}
0x301C3 End If {29 02}

0x31223 Form: Debug, FormId: 0x800C {01 86 0C 80 B1 17}
0x31229 Subtitle: Statement.Prompt: Debug, Flags: 0x0 {02 87 B1 17 00 00 00}
0x31230 End {29 02}
0x31232 Subtitle: Statement.Prompt: , Flags: 0x0 {02 87 02 00 00 00 00}
0x31239 End {29 02}
0x3123B Guid: [A5D58BCF-EB5C-44FC-9122-CA4369B9ABE6] {5F 13 CF 8B D5 A5 5C EB FC 44 91 22 CA 43 69 B9 AB E6 11}

0x59D31 Numeric: , VarStoreInfo (VarOffset/VarName): 0xFDB, VarStore: 0x1, QuestionId: 0xE3F, Size: 1, Min: 0x0, Max 0xFF, Step: 0x0 {07 91 00 00 00 00 3F 0E 01 00 DB 0F 00 10 00 FF 00}
0x59D42 End {29 02}

I found 0xFDB set to 0x0. I tried setting it to both 0x1 and 0xFF. The setting did persist across reboots, but neither caused the Debug menu to appear in setup. I’ve seen other methods related to that menu, specifically modifying the bios.bin and flashing it back to the device. I haven’t gone that far yet but might eventually.

I’m VERY new to this next-level firmware hacking stuff so forgive any ignorance. I pulled the BIOS image from the actual machines using FPT, then ran it through UBU to get the IFR file which I’ve attached for reference. I tried extracting the BIOS update EXE using the method from ([the same freeking site but it won’t let me link]/t3479f16-Problem-How-to-extract-a-Dell-exe-BIOS-package.html#msg48552) but the files I got seemed wrong or incomplete. There’s 25 more pages of that thread I haven’t read yet but I’m curious what method you were able to use to extract yours.

mt_setup_extr.zip (231 KB)
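As an added illustration (not code from the thread or any of its posters), the following Python evaluator parses the IFRExtract "Suppress If" blocks quoted in the post above and reports which TPM Security entries setup would show for given values of QuestionIds 0x8C (the checkbox stored at offset 0x1131), 0xDFF and 0xDD4. It assumes the UEFI IFR convention that Or/And are binary operators applied in postfix order, treats a QuestionId with no supplied value as 0, and drops the Guid lines, which carry no condition.

```python
import re

# Abridged copy of the IFRExtract lines quoted in the post above (Guid lines dropped).
# Each "Suppress If ... End" is a postfix boolean expression guarding the "Ref:" after it.
IFR_TEXT = """
0x30BE9 Suppress If {0A 82}
0x30BEB QuestionId: 0x8C equals value 0x0 {12 86 8C 00 00 00}
0x30BF1 QuestionId: 0xDFF equals value 0x1 {12 06 FF 0D 01 00}
0x30BF7 Or {16 02}
0x30BF9 QuestionId: 0xDD4 equals value 0x1 {12 06 D4 0D 01 00}
0x30BFF Or {16 02}
0x30C01 End {29 02}
0x30C03 Ref: TPM 1.2 Security, VarStoreInfo (VarOffset/VarName): 0xFFFF, VarStore: 0x0, QuestionId: 0x41, FormId: 0x8809 {0F 0F 02 1A 04 1A 41 00 00 00 FF FF 00 09 88}
0x30C39 End If {29 02}
0x30C3B Suppress If {0A 82}
0x30C3D QuestionId: 0x8C equals value 0x0 {12 86 8C 00 00 00}
0x30C43 QuestionId: 0xDFF equals value 0x1 {12 06 FF 0D 01 00}
0x30C49 Or {16 02}
0x30C4B QuestionId: 0xDD4 equals value 0x0 {12 06 D4 0D 00 00}
0x30C51 Or {16 02}
0x30C53 End {29 02}
0x30C55 Ref: TPM 2.0 Security, VarStoreInfo (VarOffset/VarName): 0xFFFF, VarStore: 0x0, QuestionId: 0x42, FormId: 0x8821 {0F 0F 03 1A 05 1A 42 00 00 00 FF FF 00 21 88}
0x30C8B End If {29 02}
"""
EQ_RE = re.compile(r"QuestionId: (0x[0-9A-F]+) equals value (0x[0-9A-F]+)", re.I)

def parse_ifr(text):  # -> [(ref_label, postfix_tokens)] per 'Suppress If ... End If' block
    blocks, cond, label = [], [], None
    for raw in filter(None, map(str.strip, text.splitlines())):
        body = re.sub(r"\s*\{[^}]*\}$", "", raw.split(None, 1)[1])  # drop offset + opcode bytes
        if body == "Suppress If":
            cond, label = [], None
        elif EQ_RE.match(body):                       # EFI_IFR_EQ_ID_VAL: question == literal
            cond.append(("eq",) + tuple(int(x, 16) for x in EQ_RE.match(body).groups()))
        elif body in ("Or", "And"):                   # binary operators in postfix order
            cond.append((body.lower(),))
        elif body.startswith("Ref: "):
            label = body[5:].split(",")[0]
        elif body == "End If":                        # the Ref between is the guarded entry
            blocks.append((label, cond))
    return blocks

def suppressed(cond, values):  # values = {QuestionId: current value}; unknown questions read as 0
    stack, ops = [], {"or": lambda a, b: a or b, "and": lambda a, b: a and b}
    for tok in cond:
        if tok[0] == "eq":
            stack.append(values.get(tok[1], 0) == tok[2])
        else:
            b, a = stack.pop(), stack.pop(); stack.append(ops[tok[0]](a, b))
    return stack.pop()

def visible_refs(text, values):  # setup entries NOT suppressed for the given question values
    return [label for label, cond in parse_ifr(text) if not suppressed(cond, values)]
```

With 0x8C at 0 (the non-working machine) both entries are suppressed whatever 0xDFF and 0xDD4 hold; with 0x8C at 1 and 0xDFF at 0, 0xDD4 selects between the TPM 1.2 and TPM 2.0 entries.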