[Help please] Dell Optiplex 7090 - Enabling Intel ME

Hello all,

I have two Dell Optiplex 7090s. One has Intel AMT Enabled, one has it disabled. I would like to enable Intel AMT on the second PC.

Posts on this forum suggest that a good way to start investigating is to get an image of the I2C ROM, use the Flash Image Tool to enable AMT in that image then flash back. (I have a programmer to bypass the locks of updating from software.) I believe the programmer is reading the ROM consistently (checksum is the same until I power on the PC), and MEA reports plausible information from the dump.

https://mega.nz/file/FhcxjAJB#mAPCZ6YWbZrzWdZAjLi3qWko4Y6djtABvYC4mQJVhiU

I’m failing at the stage of opening the image in FIT: “Error 179: [Fit Actions] Failed to parse CSE region”.

Output of MEA (system with ME disabled):
╔═══════════════════════════════════════════╗
║ ME Analyzer v1.274.0 r277 ║
╚═══════════════════════════════════════════╝

╔════════════════════════════════════════════╗
║ no-AMT-1.bin (1/1) ║
╟─────────────────────────────┬──────────────╢
║ Family │ CSE ME ║
╟─────────────────────────────┼──────────────╢
║ Version │ 15.0.23.1777 ║
╟─────────────────────────────┼──────────────╢
║ Release │ Production ║
╟─────────────────────────────┼──────────────╢
║ Type │ Extracted ║
╟─────────────────────────────┼──────────────╢
║ SKU │ Corporate H ║
╟─────────────────────────────┼──────────────╢
║ Chipset │ TGP/EBG-H A ║
╟─────────────────────────────┼──────────────╢
║ TCB Security Version Number │ 1 ║
╟─────────────────────────────┼──────────────╢
║ ARB Security Version Number │ 2 ║
╟─────────────────────────────┼──────────────╢
║ Version Control Number │ 6 ║
╟─────────────────────────────┼──────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼──────────────╢
║ OEM Configuration │ Yes ║
╟─────────────────────────────┼──────────────╢
║ FWUpdate Support │ Impossible ║
╟─────────────────────────────┼──────────────╢
║ Date │ 2021-04-28 ║
╟─────────────────────────────┼──────────────╢
║ File System State │ Initialized ║
╟─────────────────────────────┼──────────────╢
║ Size │ 0x90D000 ║
╟─────────────────────────────┼──────────────╢
║ Flash Image Tool │ 15.0.22.1622 ║
╟─────────────────────────────┼──────────────╢
║ Latest │ No ║
╚═════════════════════════════╧══════════════╝
╔═════════════════════════════════════════════╗
║ Power Management Controller ║
╟─────────────────────────────┬───────────────╢
║ Family │ PMC ║
╟─────────────────────────────┼───────────────╢
║ Version │ 150.2.10.1014 ║
╟─────────────────────────────┼───────────────╢
║ Release │ Production ║
╟─────────────────────────────┼───────────────╢
║ Type │ Independent ║
╟─────────────────────────────┼───────────────╢
║ Chipset SKU │ H ║
╟─────────────────────────────┼───────────────╢
║ Chipset Stepping │ B ║
╟─────────────────────────────┼───────────────╢
║ TCB Security Version Number │ 0 ║
╟─────────────────────────────┼───────────────╢
║ ARB Security Version Number │ 0 ║
╟─────────────────────────────┼───────────────╢
║ Version Control Number │ 0 ║
╟─────────────────────────────┼───────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼───────────────╢
║ Date │ 2021-02-23 ║
╟─────────────────────────────┼───────────────╢
║ Size │ 0x40000 ║
╟─────────────────────────────┼───────────────╢
║ Manifest Extension Utility │ 15.0.10.1302 ║
╟─────────────────────────────┼───────────────╢
║ Chipset Support │ TGP ║
╟─────────────────────────────┼───────────────╢
║ Latest │ No ║
╚═════════════════════════════╧═══════════════╝
╔═════════════════════════════════════════════╗
║ Power Management Controller ║
╟─────────────────────────────┬───────────────╢
║ Family │ PMC ║
╟─────────────────────────────┼───────────────╢
║ Version │ 150.2.10.1014 ║
╟─────────────────────────────┼───────────────╢
║ Release │ Production ║
╟─────────────────────────────┼───────────────╢
║ Type │ Independent ║
╟─────────────────────────────┼───────────────╢
║ Chipset SKU │ H ║
╟─────────────────────────────┼───────────────╢
║ Chipset Stepping │ B ║
╟─────────────────────────────┼───────────────╢
║ TCB Security Version Number │ 0 ║
╟─────────────────────────────┼───────────────╢
║ ARB Security Version Number │ 0 ║
╟─────────────────────────────┼───────────────╢
║ Version Control Number │ 0 ║
╟─────────────────────────────┼───────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼───────────────╢
║ Date │ 2021-02-23 ║
╟─────────────────────────────┼───────────────╢
║ Size │ 0x40000 ║
╟─────────────────────────────┼───────────────╢
║ Manifest Extension Utility │ 15.0.10.1302 ║
╟─────────────────────────────┼───────────────╢
║ Chipset Support │ TGP ║
╟─────────────────────────────┼───────────────╢
║ Latest │ No ║
╚═════════════════════════════╧═══════════════╝
╔═══════════════════════════════════════════╗
║ Platform Controller Hub Configuration ║
╟─────────────────────────────┬─────────────╢
║ Family │ PCHC ║
╟─────────────────────────────┼─────────────╢
║ Version │ 15.0.0.1013 ║
╟─────────────────────────────┼─────────────╢
║ Release │ Production ║
╟─────────────────────────────┼─────────────╢
║ Type │ Independent ║
╟─────────────────────────────┼─────────────╢
║ TCB Security Version Number │ 0 ║
╟─────────────────────────────┼─────────────╢
║ ARB Security Version Number │ 0 ║
╟─────────────────────────────┼─────────────╢
║ Version Control Number │ 0 ║
╟─────────────────────────────┼─────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼─────────────╢
║ Date │ 2020-06-29 ║
╟─────────────────────────────┼─────────────╢
║ Size │ 0x1000 ║
╟─────────────────────────────┼─────────────╢
║ Manifest Extension Utility │ 15.0.0.9000 ║
╟─────────────────────────────┼─────────────╢
║ Chipset Support │ TGP ║
╟─────────────────────────────┼─────────────╢
║ Latest │ No ║
╚═════════════════════════════╧═════════════╝
╔═══════════════════════════════════════════╗
║ Platform Controller Hub Configuration ║
╟─────────────────────────────┬─────────────╢
║ Family │ PCHC ║
╟─────────────────────────────┼─────────────╢
║ Version │ 15.0.0.1013 ║
╟─────────────────────────────┼─────────────╢
║ Release │ Production ║
╟─────────────────────────────┼─────────────╢
║ Type │ Independent ║
╟─────────────────────────────┼─────────────╢
║ TCB Security Version Number │ 0 ║
╟─────────────────────────────┼─────────────╢
║ ARB Security Version Number │ 0 ║
╟─────────────────────────────┼─────────────╢
║ Version Control Number │ 0 ║
╟─────────────────────────────┼─────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼─────────────╢
║ Date │ 2020-06-29 ║
╟─────────────────────────────┼─────────────╢
║ Size │ 0x1000 ║
╟─────────────────────────────┼─────────────╢
║ Manifest Extension Utility │ 15.0.0.9000 ║
╟─────────────────────────────┼─────────────╢
║ Chipset Support │ TGP ║
╟─────────────────────────────┼─────────────╢
║ Latest │ No ║
╚═════════════════════════════╧═════════════╝
╔══════════════════════════════════════════════╗
║ USB Type C Physical ║
╟─────────────────────────────┬────────────────╢
║ Family │ PHY ║
╟─────────────────────────────┼────────────────╢
║ Version │ 12.14.214.2014 ║
╟─────────────────────────────┼────────────────╢
║ Release │ Production ║
╟─────────────────────────────┼────────────────╢
║ Type │ Independent ║
╟─────────────────────────────┼────────────────╢
║ SKU │ P ║
╟─────────────────────────────┼────────────────╢
║ TCB Security Version Number │ 0 ║
╟─────────────────────────────┼────────────────╢
║ ARB Security Version Number │ 0 ║
╟─────────────────────────────┼────────────────╢
║ Version Control Number │ 0 ║
╟─────────────────────────────┼────────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼────────────────╢
║ Date │ 2021-04-01 ║
╟─────────────────────────────┼────────────────╢
║ Size │ 0x7000 ║
╟─────────────────────────────┼────────────────╢
║ Manifest Extension Utility │ 15.0.0.7069 ║
╟─────────────────────────────┼────────────────╢
║ Chipset Support │ TGP ║
╟─────────────────────────────┼────────────────╢
║ Latest │ Yes ║
╚═════════════════════════════╧════════════════╝
╔══════════════════════════════════════════════╗
║ USB Type C Physical ║
╟─────────────────────────────┬────────────────╢
║ Family │ PHY ║
╟─────────────────────────────┼────────────────╢
║ Version │ 12.14.214.2014 ║
╟─────────────────────────────┼────────────────╢
║ Release │ Production ║
╟─────────────────────────────┼────────────────╢
║ Type │ Independent ║
╟─────────────────────────────┼────────────────╢
║ SKU │ P ║
╟─────────────────────────────┼────────────────╢
║ TCB Security Version Number │ 0 ║
╟─────────────────────────────┼────────────────╢
║ ARB Security Version Number │ 0 ║
╟─────────────────────────────┼────────────────╢
║ Version Control Number │ 0 ║
╟─────────────────────────────┼────────────────╢
║ Production Ready │ Yes ║
╟─────────────────────────────┼────────────────╢
║ Date │ 2021-04-01 ║
╟─────────────────────────────┼────────────────╢
║ Size │ 0x7000 ║
╟─────────────────────────────┼────────────────╢
║ Manifest Extension Utility │ 15.0.0.7069 ║
╟─────────────────────────────┼────────────────╢
║ Chipset Support │ TGP ║
╟─────────────────────────────┼────────────────╢
║ Latest │ Yes ║
╚═════════════════════════════╧════════════════╝


Log file from FIT:
===============================================================================
Intel (R) Flash Image Tool. Version: 15.0.35.1951
Copyright (c) 2013 - 2021, Intel Corporation. All rights reserved.
4/01/2022 - 9:12:38 pm
===============================================================================

Using vsccommn.bin with timestamp 15:10:12 08/11/2021 GMT

Command Line: C:\7090\CSME System Tools v15.0 r13\Flash Image Tool\WIN32\fit.exe

Log file written to fit.log

Loading C:\7090\ch341a\Ch341a Programmer V2.2.0.10\Dump\no-AMT-1.bin.bin

Decomposed SKU Value: “Intel(R) TigerLake H Chipset with CML and RKL - TGP-H w/CML-RKL No Emulation”.

Missing XML attribute:$BuildResults/DefaultDataPartitionEnabled
FIT version used to build the image: 15.0.22.1622

Error 179: [Fit Actions] Failed to parse CSE region.
Error 10: [Ifwi Actions] Failed to decompose Region. Failed to decompose CSE data.
Error 18: [Ifwi Actions] Failed to generate decomposed files. CSE Region
Error 18: [Ifwi Actions] Failed to generate decomposed files.
Error 9: Failed to decompose Image.
Unable to open file: C:\7090\ch341a\Ch341a Programmer V2.2.0.10\Dump\no-AMT-1.bin. Reverting to default configuration.
Loading defaults.


(I get similar errors when attempting to open the dump from the PC with AMT enabled, which makes me wonder whether my programmer is incorrectly - but consistently - dumping the ROM data.)

Could anybody suggest how I should proceed, please?

hx57w

Maybe could you dump you bios (full bios image) using intelfpt or programmer?

What CPU and PCH does the "non-AMT" system have?



10th Generation Intel Core i7- 10700 (8-Core, 16MB Cache, 2.9 GHz to 4.8GHz, 65W) - both systems have the same.

PCH Information
PCH Name TGL
PCH Device ID 4384
PCH Revision ID A1
PCH SKU Type Production PRQ Revenue
PCH Replacement State Disabled
PCH Replaceable Counter 0
PCH Unlocked State Disabled

PCH info taken from MEInfo output:

Non-AMT system

Intel (R) ME Info Version: 15.0.35.1951
Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.

General FW Information

Platform Type Desktop
FW Image Type Production
Last ME Reset Reason Other
BIOS Boot State Post Boot
Boot Critical Code Redundancy Enabled
Current Boot Partition 1
Factory Defaults Restoration Status Disabled
Factory Defaults Recovery Status Enabled
Firmware Update OEM ID 68853622-EED3-4E83-8A86-6CDE315F6B78
TCSS FW partial update Disabled
Crypto HW Support Enabled
Intel(R) ISH Power State Disabled
OEM Tag 0x00
FW Update State Enabled
TLS State Enabled
CSME Measured Boot to TPM Enabled
BIOS Recovery State Enabled

Intel(R) ME Code Versions
BIOS Version 1.2.1
MEBx Version 15.0.0.0003
GbE Version 0.4
MEI Driver Version 2204.2.62.0
FW Version 15.0.23.1777 H Consumer
LMS Version Not Installed

IUPs Information
PMC FW Version 150.2.10.1014
OEM FW Version 0.0.0.0000
LOCL FW Version 15.0.23.1777
WCOD FW Version 15.0.23.1777
SAMF FW Version 1.17.0.0000
PPHY FW Version 12.14.214.2014
PCHC FW Version 15.0.0.1013

PCH Information
PCH Name TGL
PCH Device ID 4384
PCH Revision ID A1
PCH SKU Type Production PRQ Revenue
PCH Replacement State Disabled
PCH Replaceable Counter 0
PCH Unlocked State Disabled

Transactional FW Information
Original image type Corporate
Current sku type Consumer

Flash Information
Storage Device Type SPI
SPI Flash ID 1 C84019
RPMC Supported
RPMC Bind Counter 1
RPMC Bind Status Post-bind
RPMC Rebind Supported
RPMC Replay Protection Max Rebind 15
BIOS Read Access 0x000F
BIOS Write Access 0x000A
GBE Read Access 0x0009
GBE Write Access 0x0008
ME Read Access 0x000D
ME Write Access 0x0004
EC Read Access 0x0101
EC Write Access 0x0100

FW Capabilities 0x31319100
Intel(R) Protected Audio Video Path Present/Enabled
Intel(R) Dynamic Application Loader Present/Enabled
Intel(R) Platform Trust Technology Present/Disabled
Persistent RTC and Memory Present/Enabled

End Of Manufacturing
NVAR Configuration State Locked
EOM Settings Lock(Flash,Config)
HW Binding State Enabled
Flash Protection Mode Protected
FPF Committed Yes

Intel(R) Active Management Technology
Intel(R) AMT State in FW Present/Disabled
Auto-BIST State Enabled
Localized Language English
Wireless C-Link Status Enabled
Intel(R) SMLink0 MCTP Address Unknown
Intel(R) Manageability HW Status Disabled
Discrete vPro NIC on-board State Disabled
On Board Discrete vPro NIC SMBus address 0x00
vPRO TBT Dock State Disabled
On dock vPro NIC SMBus address 0x00
Thunderbolt Port1 SMBus Address 0x20
Thunderbolt Port2 SMBus Address 0x21
Thunderbolt Port3 SMBus Address 0x22
Thunderbolt Port4 SMBus Address 0x23
AMT Global State Enabled
Redirection Privacy / Security Level Default

Trusted Device Setup
Signing Policy Seal Signing Required
Reseal Timeout 0x06
Seal State Disabled
Trusted Device Setup Supported Disabled

Intel(R) Protected Audio Video Path
Widevine provisioning state Not Provisioned
Attestation KeyBox Not Provisioned
PAVP State Yes

Security Version Numbers
Trusted Computing Base SVN 1

Anti Rollback SVNs
PMC 0 [minimum allowed: 0]
CSE 2 [minimum allowed: 0]
ROT KM 0 [minimum allowed: 0]
IDLM 0 [minimum allowed: 0]
SECURE BOOT BSMM 0 [minimum allowed: 0]
OEM KM 0 [minimum allowed: 0]
SECURE BOOT KM 0 [minimum allowed: 0]
UCODE 0 [minimum allowed: 0]
SECURE BOOT ACM 2 [minimum allowed: 0]

HW Glitch Detection 0x08
TRC Polarity Rising Trans
TRC Mode Full-cycle polarity trans
TRC State Disabled

Intel(R) Unique Platform ID
UPID supported Disabled

Intel(R) Platform Trust Technology
Intel(R) PTT initial power-up state Disabled
Intel(R) PTT State Disabled
SMx State Disabled
RSA1K Support Disabled

FW Supported FPFs FPF UEP
*In Use
— —
1st OEM Key Hash Revoked Disabled Disabled
1st OEM Key Hash size Enabled Enabled
1st OEM RSA Key size Enabled Enabled
2nd OEM Key Hash Revoked Disabled Disabled
2nd OEM Key Hash size Enabled Enabled
2nd OEM RSA Key size Disabled Disabled
BSMM Anti Rollback Enabled Enabled
DAL OEM Signing Disabled Disabled
DNX Anti Rollback Enabled Enabled
EOM Flow Full Full
Error Enforcement Policy 0 Enabled Enabled
Error Enforcement Policy 1 Enabled Enabled
Flash Descriptor Verification Disabled Disabled
Glitch Detection Disabled Enabled Enabled
Glitch Detection Enabled Disabled Disabled
IDLM Anti Rollback Enabled Enabled
Intel PTT Encryption Key Not Revoked Not Revoked
Intel(R) Manageability HW Fuse Status Enabled Enabled
Intel(R) PTT Enabled Enabled
OEM ID 0x00 0x00
OEM KM Anti Rollback Enabled Enabled
OEM Key Manifest Enabled Enabled
OEM Key Revocation State Disabled Disabled
OEM Platform ID 0x00 0x00
OEM Secure Boot Policy 0x3F9 0x3F9
CPU Debugging Enabled Enabled
BSP Initialization Enabled Enabled
Protect BIOS Environment Enabled Enabled
Measured Boot Enabled Enabled
Verified Boot Enabled Enabled
Key Manifest ID 0x0F 0x0F
Force Boot Guard ACM Enabled Enabled
OEM key Hash RSA key size Enabled Enabled
PID Refurbish Counter 0x00 0x00
PMC Anti Rollback Enabled Enabled
PTT Lockout Override Counter 0x00 0x00
Persistent PRTC Backup Power Enabled Enabled
RBE Anti Rollback Enabled Enabled
ROT Anti Rollback Enabled Enabled
RPMB Monotonic Counters 0x00 0x00
RPMC Rebinding Enabled Enabled
RPMC Support Enabled Enabled
SOC Config Lock State Enabled Disabled
SPI Boot Source Enabled Enabled
SPIRAL CPU Disabled Disabled
Secure boot KM Anti Rollback Enabled Enabled
TXT Supported Enabled Enabled
UFS Boot Source Disabled Disabled
USB Port ID 0x00 0x00
uCode Anti Rollback Disabled Disabled

DNX SVN 0x00 0x00
IDLM SVN 0x00 0x00
OEM KM SVN 0x00 0x00
PMC SVN 0x00 0x00
ROT KM SVN 0x00 0x00
Secure boot ACM SVN 0x00 0x00
Secure boot BSMM SVN 0x00 0x00
Secure boot KM SVN 0x00 0x00
Ucode SVN 0x00 0x00


1st OEM Public Key Hash FPF CEC5BBA33899D87B16D38581F3DB0DBF5920F6094074437A94DD6756CEC56923D3747EE0ACE7F56E0577B97592C84096
1st OEM Public Key Hash UEP CEC5BBA33899D87B16D38581F3DB0DBF5920F6094074437A94DD6756CEC56923D3747EE0ACE7F56E0577B97592C84096
2nd OEM Public Key Hash FPF 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2nd OEM Public Key Hash UEP 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000


AMT system:
Intel (R) ME Info Version: 15.0.35.1951
Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.

General FW Information

Platform Type Desktop
FW Image Type Production
Last ME Reset Reason Other
BIOS Boot State Post Boot
Boot Critical Code Redundancy Enabled
Current Boot Partition 1
Factory Defaults Restoration Status Disabled
Factory Defaults Recovery Status Enabled
Firmware Update OEM ID 68853622-EED3-4E83-8A86-6CDE315F6B78
TCSS FW partial update Disabled
Crypto HW Support Enabled
Intel(R) ISH Power State Disabled
OEM Tag 0x00
FW Update State Enabled
TLS State Enabled
CSME Measured Boot to TPM Enabled
BIOS Recovery State Enabled

Intel(R) ME Code Versions
BIOS Version 1.4.3
MEBx Version 15.0.0.0004
GbE Version 0.4
MEI Driver Version 2204.2.62.0
FW Version 15.0.35.2028 H Corporate
LMS Version Not Installed

IUPs Information
PMC FW Version 150.2.10.1019
OEM FW Version 0.0.0.0000
LOCL FW Version 15.0.35.2028
WCOD FW Version 15.0.35.2028
SAMF FW Version 1.17.0.0000
PPHY FW Version 12.14.214.2014
PCHC FW Version 15.0.0.1013

PCH Information
PCH Name TGL
PCH Device ID 4384
PCH Revision ID A1
PCH SKU Type Production PRQ Revenue
PCH Replacement State Disabled
PCH Replaceable Counter 0
PCH Unlocked State Disabled

Transactional FW Information
Original image type Corporate
Current sku type Corporate

Flash Information
Storage Device Type SPI
SPI Flash ID 1 C27519
RPMC Supported
RPMC Bind Counter 1
RPMC Bind Status Post-bind
RPMC Rebind Supported
RPMC Replay Protection Max Rebind 15
BIOS Read Access 0x000F
BIOS Write Access 0x000A
GBE Read Access 0x0009
GBE Write Access 0x0008
ME Read Access 0x000D
ME Write Access 0x0004
EC Read Access 0x0101
EC Write Access 0x0100

FW Capabilities 0x3DF6D107
Intel(R) Active Management Technology Present/Enabled
Intel(R) Protected Audio Video Path Present/Enabled
Intel(R) Dynamic Application Loader Present/Enabled
Intel(R) Platform Trust Technology Present/Disabled
Persistent RTC and Memory Present/Enabled

End Of Manufacturing
NVAR Configuration State Locked
EOM Settings Lock(Flash,Config)
HW Binding State Enabled
Flash Protection Mode Protected
FPF Committed Yes

Intel(R) Active Management Technology
Intel(R) AMT State in FW Present/Enabled
MAC Address 74-86-e2-19-a3-a3
IPv4 Address 0.0.0.0
IPv6 Enablement Disabled
Configuration State Not Started
Provisioning Mode PKI
Auto-BIST State Enabled
Wired AMT Link Status Link Down
Localized Language English
Wireless C-Link Status Enabled
Intel(R) SMLink0 MCTP Address 0xFF
System UUID 4c4c4544-0030-3710-8042-b4c04f444e33
Intel(R) Manageability HW Status Enabled
Discrete vPro NIC on-board State Disabled
On Board Discrete vPro NIC SMBus address 0x00
vPRO TBT Dock State Disabled
On dock vPro NIC SMBus address 0x00
Thunderbolt Port1 SMBus Address 0x20
Thunderbolt Port2 SMBus Address 0x21
Thunderbolt Port3 SMBus Address 0x22
Thunderbolt Port4 SMBus Address 0x23
AMT Global State Enabled
Redirection Privacy / Security Level Default

Trusted Device Setup
Signing Policy Seal Signing Required
Reseal Timeout 0x06
Seal State Disabled
Trusted Device Setup Supported Disabled

Intel(R) Protected Audio Video Path
Widevine provisioning state Not Provisioned
Attestation KeyBox Not Provisioned
PAVP State Yes

Security Version Numbers
Trusted Computing Base SVN 1

Anti Rollback SVNs
PMC 0 [minimum allowed: 0]
CSE 4 [minimum allowed: 0]
ROT KM 0 [minimum allowed: 0]
IDLM 0 [minimum allowed: 0]
SECURE BOOT BSMM 0 [minimum allowed: 0]
OEM KM 0 [minimum allowed: 0]
SECURE BOOT KM 0 [minimum allowed: 0]
UCODE 0 [minimum allowed: 0]
SECURE BOOT ACM 2 [minimum allowed: 0]

HW Glitch Detection 0x08
TRC Polarity Rising Trans
TRC Mode Full-cycle polarity trans
TRC State Disabled

Intel(R) Unique Platform ID
UPID supported Disabled

Intel(R) Platform Trust Technology
Intel(R) PTT initial power-up state Disabled
Intel(R) PTT State Disabled
SMx State Disabled
RSA1K Support Disabled

FW Supported FPFs FPF UEP
*In Use
— —
1st OEM Key Hash Revoked Disabled Disabled
1st OEM Key Hash size Enabled Enabled
1st OEM RSA Key size Enabled Enabled
2nd OEM Key Hash Revoked Disabled Disabled
2nd OEM Key Hash size Enabled Enabled
2nd OEM RSA Key size Disabled Disabled
BSMM Anti Rollback Enabled Enabled
DAL OEM Signing Disabled Disabled
DNX Anti Rollback Enabled Enabled
EOM Flow Full Full
Error Enforcement Policy 0 Enabled Enabled
Error Enforcement Policy 1 Enabled Enabled
Flash Descriptor Verification Disabled Disabled
Glitch Detection Disabled Enabled Enabled
Glitch Detection Enabled Disabled Disabled
IDLM Anti Rollback Enabled Enabled
Intel PTT Encryption Key Not Revoked Not Revoked
Intel(R) Manageability HW Fuse Status Enabled Enabled
Intel(R) PTT Enabled Enabled
OEM ID 0x00 0x00
OEM KM Anti Rollback Enabled Enabled
OEM Key Manifest Enabled Enabled
OEM Key Revocation State Disabled Disabled
OEM Platform ID 0x00 0x00
OEM Secure Boot Policy 0x3F9 0x3F9
CPU Debugging Enabled Enabled
BSP Initialization Enabled Enabled
Protect BIOS Environment Enabled Enabled
Measured Boot Enabled Enabled
Verified Boot Enabled Enabled
Key Manifest ID 0x0F 0x0F
Force Boot Guard ACM Enabled Enabled
OEM key Hash RSA key size Enabled Enabled
PID Refurbish Counter 0x00 0x00
PMC Anti Rollback Enabled Enabled
PTT Lockout Override Counter 0x00 0x00
Persistent PRTC Backup Power Enabled Enabled
RBE Anti Rollback Enabled Enabled
ROT Anti Rollback Enabled Enabled
RPMB Monotonic Counters 0x00 0x00
RPMC Rebinding Enabled Enabled
RPMC Support Enabled Enabled
SOC Config Lock State Enabled Disabled
SPI Boot Source Enabled Enabled
SPIRAL CPU Disabled Disabled
Secure boot KM Anti Rollback Enabled Enabled
TXT Supported Enabled Enabled
UFS Boot Source Disabled Disabled
USB Port ID 0x00 0x00
uCode Anti Rollback Disabled Disabled

DNX SVN 0x03 0x03
IDLM SVN 0x00 0x00
OEM KM SVN 0x00 0x00
PMC SVN 0x00 0x00
ROT KM SVN 0x00 0x00
Secure boot ACM SVN 0x00 0x00
Secure boot BSMM SVN 0x00 0x00
Secure boot KM SVN 0x00 0x00
Ucode SVN 0x00 0x00


1st OEM Public Key Hash FPF CEC5BBA33899D87B16D38581F3DB0DBF5920F6094074437A94DD6756CEC56923D3747EE0ACE7F56E0577B97592C84096
1st OEM Public Key Hash UEP CEC5BBA33899D87B16D38581F3DB0DBF5920F6094074437A94DD6756CEC56923D3747EE0ACE7F56E0577B97592C84096
2nd OEM Public Key Hash FPF 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2nd OEM Public Key Hash UEP 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000




Full dump of the I2C ROM in the mega.nz link in first post; will investigate extracting using FPTW and compare.

I think the ROM is locked: "Error 185: FCERR is set":

C:\7090\CSME System Tools v15.0 r13\Flash Programming Tool\WIN64>.\FPTW64.exe -d all.bin
Intel (R) Flash Programming Tool Version: 15.0.35.1951
Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.

Reading HSFSTS register… Flash Descriptor: Valid

— Flash Devices Found —
ID:0xC27519 Size: 32768KB (262144Kb)


- Reading Flash [0x0000040] 0KB of 32768KB - 0 percent complete.
Error 185: FCERR is set. Hardware sequencing failed. Make sure that you have access to target flash area.

FPT Operation Failed.


I see no jumper on the motherboard to unlock it.

Both systems have a Q570 chipset and a vPro compatible CPU. Are you sure you have provisioned the non-AMT system to have AMT enabled via MEBx? The MEInfo status indicates that the capability is enabled in FW but soft-disabled (MEBx, BIOS maybe?).



Going into the BIOS settings ("BIOS Settings at a Glance") on the with-AMT system, I see "Intel AMT Capability" and "MEBx Hotkey" as options under "SYSTEM MANAGEMENT". Neither of these are present on the non-AMT system.

Do you have an equivalent programmer dump from the AMT-working system as well?

On the non- AMT system the firmware is Consumer H- does the ME 15 firmware change from Corporate to Consumer when AMT is disabled in Bios?

"Intel(R) ME Code Versions

FW Version 15.0.23.1777 H Consumer

Transactional FW Information
Original image type Corporate
Current sku type Consumer"


Yes, since CSME 12. It’s possible to flash COR on CON systems, and it will work with CON features only. Similarly, COR firmware on COR systems will work with CON features when AMT is not provisioned/enabled.



Dump from the AMT-working system is at

https://mega.nz/file/ookkXDTL#FADZ8uJYoy_mMtfDUgdT4OWCmM4XPCH33m-nVH_iYuY


Yes, since CSME 12. It’s possible to flash COR on CON systems, and it will work with CON features only. Similarly, COR firmware on COR systems will work with CON features when AMT is not provisioned/enabled.




It sounds to me as if re-flashing the non-AMT system with a COR version of the firmware might be successful then. To do that, I guess I could use the dump from the AMT-enabled system - if I could open it in FIT!

Alright, for some reason, FIT refuses to work with the initialized/dumped SPI images, even though they seem healthy when checked/unpacked via ME Analyzer (MEA).

The only way to get them to work with FIT is to manually clean their initialized File Systems (MFS, EFS) by replacing those regions with the same stock ones. I used 15.0.22.1595_COR_H_A_PRD_RGN for “no-AMT-1” and 15.0.35.1951_COR_H_B_PRD_RGN for “with-AMT-1” because they include the same initial/stock MFS and EFS partition hashes.

Now, at CSME 15, we don’t need MFS and EFS to get the firmware settings before cleaning them using [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization as FITC partition exists and contains the initial OEM configuration. So, replacing MFS and EFS with the stock ones is perfectly valid for getting the images ready to be cleaned via FIT.

Still, when comparing FITC settings between “no-AMT-1” and “with-AMT-1”, it appears they both use the exact same settings (AMT enabled). So both firmware are correctly configured. Which means that something else is disabling AMT. A quick look at the unpacked EFS file system using MEA shows that EFS 0000 [0x410000] > “DISABLE_MANAGEABILITY_HW (0010)” file has value 1 at “no-AMT-1” but 0 at “with-AMT-1”.

Now that you can load “no-AMT-1__fix-15.0.22.1595” in FIT, I suggest you follow [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization on it and flash the result back using the programmer. Remove all power for a few minutes afterwards (leave RTC) and check if you can now enable AMT. If it is still not enabled or even possible to enable, something else is the reason. Either HW (jumper, HW fuse) or BIOS (setting).

I have uploaded the aforementioned results in this temporary link:

1
 
https://mega.nz/file/XVkwwTbR#ygQwG3M7B6VYgXaRK_ujhYpcLsVLrY1lbQHvUwV0_TI
 

Is it correct, that a partition for the settings was first added in ME15 (I can’t find a FITC partition in ME 14 and ME 12)?

Otherwise one of those (many) odd threads that seem to peter out: Thread owner got good help three days ago, was online at least yesterday and today, but no reaction any longer…


Yes, first with CSME 15. Before, FIT Configuration was included within the MFS > File 7. A lot of times, File 7 would get deleted after initial power up (or FWUpdate operation) because it was no longer needed, so the only way to get settings was from the initialized MFS. However, with FITC now being in a separate partition, we no longer strictly need healthy MFS/EFS to get OEM configuration back during cleaning. In this case, MFS/EFS seem healthy, but FIT refuses to work with them for some weird reason (bug?) so FITC can be used.


Let’s see, I’m willing to give the benefit of the doubt, for a few days at least.



Sorry for being unresponsive - back in the office today after a week of unexpected child-minding at home. I’ll respond properly once I’ve had my second coffee, but I appreciate all the effort which has gone in while I’ve been offline.



Thank you for taking the trouble to check those images; it’s reassuring to know that a second instance of FIT rejects them too.



That really is extremely kind of you; I’ve downloaded that image and it opens in FIT. Furthermore, if I flash it to the machine which previously had AMT disabled, the option to enable it appears in the BIOS and I’m able to provision, which was the goal.

I have another fifty machines to do, so I need to investigate how to repeat your work of overwriting the EFS partition.

Thank you for showing me the way forward!


It’s great that it started working. Makes sense, as there was no configuration in place to disable AMT in the CSME firmware. It had been soft-disabled after the initial provisioning somehow.


Oh, that will become extremely tedious fast, haha. If the machines are all identical (exact same SKU, HW etc), then it will be easier because you can copy-paste the cleaned CSME firmware region from the first "fixed/cleaned" dump to the rest. But you must always work on the actual system’s dump and replace the CSE region only (i.e. BIOS is unique for each motherboard). Anyway, if you plan to do this, I can tell you what steps to take to make each dump work with FIT before following the cleanup guide and flashing back. It is not easy to understand on your own without prior CSE knowledge.


Oh, that will become extremely tedious fast, haha. If the machines are all identical (exact same SKU, HW etc), then it will be easier because you can copy-paste the cleaned CSME firmware region from the first "fixed/cleaned" dump to the rest. But you must always work on the actual system’s dump and replace the CSE region only (i.e. BIOS is unique for each motherboard). Anyway, if you plan to do this, I can tell you what steps to take to make each dump work with FIT before following the cleanup guide and flashing back. It is not easy to understand on your own without prior CSE knowledge.




I’ve done a few systems now and have come up with a script (below) to ease the pain a little. It uses MEA to unpack an SPI dump, checks that EFS is in the expected place (0x410000) then overwrites that with the empty EFS partition into a new image. (I should check the size of the EFS is 64k too, now I think about it…)

In an ideal world I’d have been able to automate the reading and writing of the image, too - but sorting that out might take much longer than just doing it by hand.

Many thanks for all your help.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
 
@echo off
echo A tool to replace the EFS partition in a dump
echo.
set /P SVCTAG="Enter service tag: "
set BLANKEFS="MEA\Unpacked_no-AMT-1-with-clean-EFS.bin\EFS 0000 [0x410000].bin"
IF NOT EXIST Raw/%SVCTAG%.bin goto filemissing
echo %SVCTAG% entered
 
(echo -unp86 & echo: ) | MEA\MEA Raw\%SVCTAG%.bin
IF NOT EXIST "MEA\Unpacked_%SVCTAG%.bin\EFS 0000 [0x410000].bin" goto badefs
 
dd if=Raw\%SVCTAG%.bin of=Process\%SVCTAG%-head.bin bs=4096 count=1040
dd if=Raw\%SVCTAG%.bin of=Process\%SVCTAG%-tail.bin bs=4096 skip=1056
type Process\%SVCTAG%-head.bin %BLANKEFS% Process\%SVCTAG%-tail.bin >New\%SVCTAG%.bin 2>NUL
echo Flash New\%SVCTAG%.bin, then reboot machine into BIOS (F2) and check AMT settings are present
 
goto:eof
:filemissing
echo File Raw\%SVCTAG%.bin is a prerequisite
goto:eof
 
:badefs
echo "MEA\Unpacked_%SVCTAG%.bin\EFS 0000 [0x410000].bin" does not exist
echo which means that the EFS is not where we expect it to be.
goto:eof
 

 

Oh, does it load in FIT only by resetting EFS? I was doing both MFS and EFS, but it’s possible only the latter is needed for that weird FIT bug, don’t remember.

You can get the start & end of the EFS from the Flash Partition Table (FPT). Use MEA with -unp86 -json to also generate json files. Read the .json starting with “FPT [0x” to get the EFS info.

Note that EFS is not static, it can change/update alongside new CSME releases. From a quick check I performed at CSME 15.0 COR H PRD firmware, there is one EFS from 15.0.22.1595-15.0.23.1777 (SHA1 1E50D85DD7CDA7B9477430F26292F06F6EBA23BA) and another for 15.0.30.1692-15.0.35.2028 (SHA1 092F351AC14359EFA466039CAC626682CBB271F0).



Just checked and, yep, the images where the EFS only has been replaced open in FIT without a problem.



That’s good to know, thanks. (The re-flashing process could be smoother - but it’s only 50 45 machines to fix )



I’m making the assumption that all my machines have the same version of the firmware (and making backup copies of each as I go, just in case). (So far, I’ve found one or two with SPI chips from a different vendor, but the firmware version has been the same.)


You could check the CSME firmware version as well by reading the json file FTPR partition > "FTPR.man.json". I mentioned this because the "no-AMT-1" and "with-AMT-1" have different CSME firmware versions (15.0.23.1777, 15.0.35.2028) which do use the two different EFS I mentioned.