I have two Dell Optiplex 7090s. One has Intel AMT Enabled, one has it disabled. I would like to enable Intel AMT on the second PC.
Posts on this forum suggest that a good way to start investigating is to get an image of the I2C ROM, use the Flash Image Tool to enable AMT in that image then flash back. (I have a programmer to bypass the locks of updating from software.) I believe the programmer is reading the ROM consistently (checksum is the same until I power on the PC), and MEA reports plausible information from the dump.
Decomposed SKU Value: “Intel(R) TigerLake H Chipset with CML and RKL - TGP-H w/CML-RKL No Emulation”.
Missing XML attribute:$BuildResults/DefaultDataPartitionEnabled FIT version used to build the image: 15.0.22.1622
Error 179: [Fit Actions] Failed to parse CSE region. Error 10: [Ifwi Actions] Failed to decompose Region. Failed to decompose CSE data. Error 18: [Ifwi Actions] Failed to generate decomposed files. CSE Region Error 18: [Ifwi Actions] Failed to generate decomposed files. Error 9: Failed to decompose Image. Unable to open file: C:\7090\ch341a\Ch341a Programmer V2.2.0.10\Dump\no-AMT-1.bin. Reverting to default configuration. Loading defaults.
(I get similar errors when attempting to open the dump from the PC with AMT enabled, which makes me wonder whether my programmer is incorrectly - but consistently - dumping the ROM data.)
Could anybody suggest how I should proceed, please?
10th Generation Intel Core i7- 10700 (8-Core, 16MB Cache, 2.9 GHz to 4.8GHz, 65W) - both systems have the same.
PCH Information PCH Name TGL PCH Device ID 4384 PCH Revision ID A1 PCH SKU Type Production PRQ Revenue PCH Replacement State Disabled PCH Replaceable Counter 0 PCH Unlocked State Disabled
PCH info taken from MEInfo output:
Non-AMT system
Intel (R) ME Info Version: 15.0.35.1951 Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.
General FW Information
Platform Type Desktop FW Image Type Production Last ME Reset Reason Other BIOS Boot State Post Boot Boot Critical Code Redundancy Enabled Current Boot Partition 1 Factory Defaults Restoration Status Disabled Factory Defaults Recovery Status Enabled Firmware Update OEM ID 68853622-EED3-4E83-8A86-6CDE315F6B78 TCSS FW partial update Disabled Crypto HW Support Enabled Intel(R) ISH Power State Disabled OEM Tag 0x00 FW Update State Enabled TLS State Enabled CSME Measured Boot to TPM Enabled BIOS Recovery State Enabled
Intel(R) ME Code Versions BIOS Version 1.2.1 MEBx Version 15.0.0.0003 GbE Version 0.4 MEI Driver Version 2204.2.62.0 FW Version 15.0.23.1777 H Consumer LMS Version Not Installed
IUPs Information PMC FW Version 150.2.10.1014 OEM FW Version 0.0.0.0000 LOCL FW Version 15.0.23.1777 WCOD FW Version 15.0.23.1777 SAMF FW Version 1.17.0.0000 PPHY FW Version 12.14.214.2014 PCHC FW Version 15.0.0.1013
PCH Information PCH Name TGL PCH Device ID 4384 PCH Revision ID A1 PCH SKU Type Production PRQ Revenue PCH Replacement State Disabled PCH Replaceable Counter 0 PCH Unlocked State Disabled
Transactional FW Information Original image type Corporate Current sku type Consumer
Flash Information Storage Device Type SPI SPI Flash ID 1 C84019 RPMC Supported RPMC Bind Counter 1 RPMC Bind Status Post-bind RPMC Rebind Supported RPMC Replay Protection Max Rebind 15 BIOS Read Access 0x000F BIOS Write Access 0x000A GBE Read Access 0x0009 GBE Write Access 0x0008 ME Read Access 0x000D ME Write Access 0x0004 EC Read Access 0x0101 EC Write Access 0x0100
End Of Manufacturing NVAR Configuration State Locked EOM Settings Lock(Flash,Config) HW Binding State Enabled Flash Protection Mode Protected FPF Committed Yes
Intel(R) Active Management Technology Intel(R) AMT State in FW Present/Disabled Auto-BIST State Enabled Localized Language English Wireless C-Link Status Enabled Intel(R) SMLink0 MCTP Address Unknown Intel(R) Manageability HW Status Disabled Discrete vPro NIC on-board State Disabled On Board Discrete vPro NIC SMBus address 0x00 vPRO TBT Dock State Disabled On dock vPro NIC SMBus address 0x00 Thunderbolt Port1 SMBus Address 0x20 Thunderbolt Port2 SMBus Address 0x21 Thunderbolt Port3 SMBus Address 0x22 Thunderbolt Port4 SMBus Address 0x23 AMT Global State Enabled Redirection Privacy / Security Level Default
Trusted Device Setup Signing Policy Seal Signing Required Reseal Timeout 0x06 Seal State Disabled Trusted Device Setup Supported Disabled
Intel(R) Protected Audio Video Path Widevine provisioning state Not Provisioned Attestation KeyBox Not Provisioned PAVP State Yes
Security Version Numbers Trusted Computing Base SVN 1
1st OEM Public Key Hash FPF CEC5BBA33899D87B16D38581F3DB0DBF5920F6094074437A94DD6756CEC56923D3747EE0ACE7F56E0577B97592C84096 1st OEM Public Key Hash UEP CEC5BBA33899D87B16D38581F3DB0DBF5920F6094074437A94DD6756CEC56923D3747EE0ACE7F56E0577B97592C84096 2nd OEM Public Key Hash FPF 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2nd OEM Public Key Hash UEP 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
AMT system:
Intel (R) ME Info Version: 15.0.35.1951 Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.
General FW Information
Platform Type Desktop FW Image Type Production Last ME Reset Reason Other BIOS Boot State Post Boot Boot Critical Code Redundancy Enabled Current Boot Partition 1 Factory Defaults Restoration Status Disabled Factory Defaults Recovery Status Enabled Firmware Update OEM ID 68853622-EED3-4E83-8A86-6CDE315F6B78 TCSS FW partial update Disabled Crypto HW Support Enabled Intel(R) ISH Power State Disabled OEM Tag 0x00 FW Update State Enabled TLS State Enabled CSME Measured Boot to TPM Enabled BIOS Recovery State Enabled
Intel(R) ME Code Versions BIOS Version 1.4.3 MEBx Version 15.0.0.0004 GbE Version 0.4 MEI Driver Version 2204.2.62.0 FW Version 15.0.35.2028 H Corporate LMS Version Not Installed
IUPs Information PMC FW Version 150.2.10.1019 OEM FW Version 0.0.0.0000 LOCL FW Version 15.0.35.2028 WCOD FW Version 15.0.35.2028 SAMF FW Version 1.17.0.0000 PPHY FW Version 12.14.214.2014 PCHC FW Version 15.0.0.1013
PCH Information PCH Name TGL PCH Device ID 4384 PCH Revision ID A1 PCH SKU Type Production PRQ Revenue PCH Replacement State Disabled PCH Replaceable Counter 0 PCH Unlocked State Disabled
Transactional FW Information Original image type Corporate Current sku type Corporate
Flash Information Storage Device Type SPI SPI Flash ID 1 C27519 RPMC Supported RPMC Bind Counter 1 RPMC Bind Status Post-bind RPMC Rebind Supported RPMC Replay Protection Max Rebind 15 BIOS Read Access 0x000F BIOS Write Access 0x000A GBE Read Access 0x0009 GBE Write Access 0x0008 ME Read Access 0x000D ME Write Access 0x0004 EC Read Access 0x0101 EC Write Access 0x0100
FW Capabilities 0x3DF6D107 Intel(R) Active Management Technology Present/Enabled Intel(R) Protected Audio Video Path Present/Enabled Intel(R) Dynamic Application Loader Present/Enabled Intel(R) Platform Trust Technology Present/Disabled Persistent RTC and Memory Present/Enabled
End Of Manufacturing NVAR Configuration State Locked EOM Settings Lock(Flash,Config) HW Binding State Enabled Flash Protection Mode Protected FPF Committed Yes
Intel(R) Active Management Technology Intel(R) AMT State in FW Present/Enabled MAC Address 74-86-e2-19-a3-a3 IPv4 Address 0.0.0.0 IPv6 Enablement Disabled Configuration State Not Started Provisioning Mode PKI Auto-BIST State Enabled Wired AMT Link Status Link Down Localized Language English Wireless C-Link Status Enabled Intel(R) SMLink0 MCTP Address 0xFF System UUID 4c4c4544-0030-3710-8042-b4c04f444e33 Intel(R) Manageability HW Status Enabled Discrete vPro NIC on-board State Disabled On Board Discrete vPro NIC SMBus address 0x00 vPRO TBT Dock State Disabled On dock vPro NIC SMBus address 0x00 Thunderbolt Port1 SMBus Address 0x20 Thunderbolt Port2 SMBus Address 0x21 Thunderbolt Port3 SMBus Address 0x22 Thunderbolt Port4 SMBus Address 0x23 AMT Global State Enabled Redirection Privacy / Security Level Default
Trusted Device Setup Signing Policy Seal Signing Required Reseal Timeout 0x06 Seal State Disabled Trusted Device Setup Supported Disabled
Intel(R) Protected Audio Video Path Widevine provisioning state Not Provisioned Attestation KeyBox Not Provisioned PAVP State Yes
Security Version Numbers Trusted Computing Base SVN 1
1st OEM Public Key Hash FPF CEC5BBA33899D87B16D38581F3DB0DBF5920F6094074437A94DD6756CEC56923D3747EE0ACE7F56E0577B97592C84096 1st OEM Public Key Hash UEP CEC5BBA33899D87B16D38581F3DB0DBF5920F6094074437A94DD6756CEC56923D3747EE0ACE7F56E0577B97592C84096 2nd OEM Public Key Hash FPF 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2nd OEM Public Key Hash UEP 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Full dump of the I2C ROM in the mega.nz link in first post; will investigate extracting using FPTW and compare.
I think the ROM is locked: "Error 185: FCERR is set":
C:\7090\CSME System Tools v15.0 r13\Flash Programming Tool\WIN64>.\FPTW64.exe -d all.bin Intel (R) Flash Programming Tool Version: 15.0.35.1951 Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.
Reading HSFSTS register… Flash Descriptor: Valid
— Flash Devices Found — ID:0xC27519 Size: 32768KB (262144Kb)
- Reading Flash [0x0000040] 0KB of 32768KB - 0 percent complete. Error 185: FCERR is set. Hardware sequencing failed. Make sure that you have access to target flash area.
Both systems have a Q570 chipset and a vPro compatible CPU. Are you sure you have provisioned the non-AMT system to have AMT enabled via MEBx? The MEInfo status indicates that the capability is enabled in FW but soft-disabled (MEBx, BIOS maybe?).
Going into the BIOS settings ("BIOS Settings at a Glance") on the with-AMT system, I see "Intel AMT Capability" and "MEBx Hotkey" as options under "SYSTEM MANAGEMENT". Neither of these are present on the non-AMT system.
On the non- AMT system the firmware is Consumer H- does the ME 15 firmware change from Corporate to Consumer when AMT is disabled in Bios?
"Intel(R) ME Code Versions … FW Version 15.0.23.1777 H Consumer … Transactional FW Information Original image type Corporate Current sku type Consumer"
Yes, since CSME 12. It’s possible to flash COR on CON systems, and it will work with CON features only. Similarly, COR firmware on COR systems will work with CON features when AMT is not provisioned/enabled.
Yes, since CSME 12. It’s possible to flash COR on CON systems, and it will work with CON features only. Similarly, COR firmware on COR systems will work with CON features when AMT is not provisioned/enabled.
It sounds to me as if re-flashing the non-AMT system with a COR version of the firmware might be successful then. To do that, I guess I could use the dump from the AMT-enabled system - if I could open it in FIT!
Alright, for some reason, FIT refuses to work with the initialized/dumped SPI images, even though they seem healthy when checked/unpacked via ME Analyzer (MEA).
The only way to get them to work with FIT is to manually clean their initialized File Systems (MFS, EFS) by replacing those regions with the same stock ones. I used 15.0.22.1595_COR_H_A_PRD_RGN for “no-AMT-1” and 15.0.35.1951_COR_H_B_PRD_RGN for “with-AMT-1” because they include the same initial/stock MFS and EFS partition hashes.
Now, at CSME 15, we don’t need MFS and EFS to get the firmware settings before cleaning them using [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization as FITC partition exists and contains the initial OEM configuration. So, replacing MFS and EFS with the stock ones is perfectly valid for getting the images ready to be cleaned via FIT.
Still, when comparing FITC settings between “no-AMT-1” and “with-AMT-1”, it appears they both use the exact same settings (AMT enabled). So both firmware are correctly configured. Which means that something else is disabling AMT. A quick look at the unpacked EFS file system using MEA shows that EFS 0000 [0x410000] > “DISABLE_MANAGEABILITY_HW (0010)” file has value 1 at “no-AMT-1” but 0 at “with-AMT-1”.
Now that you can load “no-AMT-1__fix-15.0.22.1595” in FIT, I suggest you follow [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization on it and flash the result back using the programmer. Remove all power for a few minutes afterwards (leave RTC) and check if you can now enable AMT. If it is still not enabled or even possible to enable, something else is the reason. Either HW (jumper, HW fuse) or BIOS (setting).
I have uploaded the aforementioned results in this temporary link:
Is it correct, that a partition for the settings was first added in ME15 (I can’t find a FITC partition in ME 14 and ME 12)?
Otherwise one of those (many) odd threads that seem to peter out: Thread owner got good help three days ago, was online at least yesterday and today, but no reaction any longer…
Yes, first with CSME 15. Before, FIT Configuration was included within the MFS > File 7. A lot of times, File 7 would get deleted after initial power up (or FWUpdate operation) because it was no longer needed, so the only way to get settings was from the initialized MFS. However, with FITC now being in a separate partition, we no longer strictly need healthy MFS/EFS to get OEM configuration back during cleaning. In this case, MFS/EFS seem healthy, but FIT refuses to work with them for some weird reason (bug?) so FITC can be used.
Let’s see, I’m willing to give the benefit of the doubt, for a few days at least.
Sorry for being unresponsive - back in the office today after a week of unexpected child-minding at home. I’ll respond properly once I’ve had my second coffee, but I appreciate all the effort which has gone in while I’ve been offline.
Thank you for taking the trouble to check those images; it’s reassuring to know that a second instance of FIT rejects them too.
That really is extremely kind of you; I’ve downloaded that image and it opens in FIT. Furthermore, if I flash it to the machine which previously had AMT disabled, the option to enable it appears in the BIOS and I’m able to provision, which was the goal.
I have another fifty machines to do, so I need to investigate how to repeat your work of overwriting the EFS partition.
It’s great that it started working. Makes sense, as there was no configuration in place to disable AMT in the CSME firmware. It had been soft-disabled after the initial provisioning somehow.
Oh, that will become extremely tedious fast, haha. If the machines are all identical (exact same SKU, HW etc), then it will be easier because you can copy-paste the cleaned CSME firmware region from the first "fixed/cleaned" dump to the rest. But you must always work on the actual system’s dump and replace the CSE region only (i.e. BIOS is unique for each motherboard). Anyway, if you plan to do this, I can tell you what steps to take to make each dump work with FIT before following the cleanup guide and flashing back. It is not easy to understand on your own without prior CSE knowledge.
Oh, that will become extremely tedious fast, haha. If the machines are all identical (exact same SKU, HW etc), then it will be easier because you can copy-paste the cleaned CSME firmware region from the first "fixed/cleaned" dump to the rest. But you must always work on the actual system’s dump and replace the CSE region only (i.e. BIOS is unique for each motherboard). Anyway, if you plan to do this, I can tell you what steps to take to make each dump work with FIT before following the cleanup guide and flashing back. It is not easy to understand on your own without prior CSE knowledge.
I’ve done a few systems now and have come up with a script (below) to ease the pain a little. It uses MEA to unpack an SPI dump, checks that EFS is in the expected place (0x410000) then overwrites that with the empty EFS partition into a new image. (I should check the size of the EFS is 64k too, now I think about it…)
In an ideal world I’d have been able to automate the reading and writing of the image, too - but sorting that out might take much longer than just doing it by hand.
@echo off echo A tool to replace the EFS partition in a dump echo. set /P SVCTAG="Enter service tag: " set BLANKEFS="MEA\Unpacked_no-AMT-1-with-clean-EFS.bin\EFS 0000 [0x410000].bin" IF NOT EXIST Raw/%SVCTAG%.bin goto filemissing echo %SVCTAG% entered
(echo -unp86 & echo: ) | MEA\MEA Raw\%SVCTAG%.bin IF NOT EXIST "MEA\Unpacked_%SVCTAG%.bin\EFS 0000 [0x410000].bin" goto badefs
dd if=Raw\%SVCTAG%.bin of=Process\%SVCTAG%-head.bin bs=4096 count=1040 dd if=Raw\%SVCTAG%.bin of=Process\%SVCTAG%-tail.bin bs=4096 skip=1056 type Process\%SVCTAG%-head.bin %BLANKEFS% Process\%SVCTAG%-tail.bin >New\%SVCTAG%.bin 2>NUL echo Flash New\%SVCTAG%.bin, then reboot machine into BIOS (F2) and check AMT settings are present
goto:eof :filemissing echo File Raw\%SVCTAG%.bin is a prerequisite goto:eof
:badefs echo "MEA\Unpacked_%SVCTAG%.bin\EFS 0000 [0x410000].bin" does not exist echo which means that the EFS is not where we expect it to be. goto:eof
Oh, does it load in FIT only by resetting EFS? I was doing both MFS and EFS, but it’s possible only the latter is needed for that weird FIT bug, don’t remember.
You can get the start & end of the EFS from the Flash Partition Table (FPT). Use MEA with -unp86 -json to also generate json files. Read the .json starting with “FPT [0x” to get the EFS info.
Note that EFS is not static, it can change/update alongside new CSME releases. From a quick check I performed at CSME 15.0 COR H PRD firmware, there is one EFS from 15.0.22.1595-15.0.23.1777 (SHA1 1E50D85DD7CDA7B9477430F26292F06F6EBA23BA) and another for 15.0.30.1692-15.0.35.2028 (SHA1 092F351AC14359EFA466039CAC626682CBB271F0).
Just checked and, yep, the images where the EFS only has been replaced open in FIT without a problem.
That’s good to know, thanks. (The re-flashing process could be smoother - but it’s only 50 45 machines to fix )
I’m making the assumption that all my machines have the same version of the firmware (and making backup copies of each as I go, just in case). (So far, I’ve found one or two with SPI chips from a different vendor, but the firmware version has been the same.)
You could check the CSME firmware version as well by reading the json file FTPR partition > "FTPR.man.json". I mentioned this because the "no-AMT-1" and "with-AMT-1" have different CSME firmware versions (15.0.23.1777, 15.0.35.2028) which do use the two different EFS I mentioned.
)