HP EliteDesk 800 G4 DM Intel ME in Recovery Mode

Hello!
I recently bought a used HP EliteDesk 800 G4 DM (65w), and HP Sure Start reports in every startup that the Intel ME firmware is corrupted and no recovery image can be found. The machine works after I hit enter to continue, boots up into win10 normally. I would like to fix it possible. I’m new to this kind of ME problems, updating / downgrading the BIOS changes nothing, the problem persists. There is no separate ME FW update for the machine, only bios that includes it.
After installing a BIOS update i get an error before windows loads
(A7) Me Downgrade - Request MeSpiLock Failed
What i found odd is that the newest BIOS update description mentions:
Intel Management Engine Corporate v12.0.94.2380 (Production)
But the current one is: 12.0.24.1314
And the oldest BIOS available mentions:
Intel Management Engine Corporate v12.0.85.1869 (Production)

Am I reading it wrong, or the current FW not supposed to be on this motherboard?
And Is there something i can do to fix this?
(I’ve read some guides here so I’m including some info in the end of the post)

Thanks for reading my post!
(And sorry for my english :sweat_smile:)

Some system infos:
CPU: Intel Pentium Gold G5400
Chipset: Intel Q370 (Cannon Lake-H)
RAM: 8 gig ddr4

HWINFO64 Reports the following for ME

ME Host Status                                                                  
ME Current Working State:                                                       Recovery
Manufacturing Mode:                                                             Not Active
ME Error Status:                                                                Image Failure
ME Current Operation Mode:                                                      Normal

Boot Guard Status:                                                              Enabled
Boot Guard Verified Boot Policy:                                                Disabled
Boot Guard Measured Boot Policy:                                                Disabled

Intel Manageability Engine Features                                             
Intel ME Version:                                                               12.0, Build 1314, Hot Fix 24
Intel ME Recovery Image Version:                                                12.0, Build 1314, Hot Fix 24
Intel ME FITC Version:                                                          12.0, Build 1314, Hot Fix 24

ME Firmware Platform Type                                                       
Platform Target Usage Type:                                                     Desktop
SKU:                                                                            Regular SKU
ME Firmware Image Type:                                                         Corporate SKU Firmware
Platform Brand:                                                                 Intel AMT

Host ME Region Flash Protection Override (HMRFPO) Status:                       Disabled

MEInfo

Intel (R) MEInfo Version: 12.0.90.2077
Copyright (C) 2005 - 2022, Intel Corporation. All rights reserved.

General FW Information

Error 280: Detected ME in recovery mode.

MEInfo -fwsts

Intel (R) MEInfo Version: 12.0.90.2077
Copyright (C) 2005 - 2022, Intel Corporation. All rights reserved.

General FW Information
FW Status Register1: 0x90003642
FW Status Register2: 0x8011010F
FW Status Register3: 0x00000030
FW Status Register4: 0x00004800
FW Status Register5: 0x00000000
FW Status Register6: 0x40000004

    CurrentState:                              Recovery
    ManufacturingMode:                         Disabled
    FlashPartition:                            Valid
    OperationalState:                          CM0 with UMA
    InitComplete:                              Complete
    BUPLoadState:                              Failure
    ErrorCode:                                 Image Failure
    ModeOfOperation:                           Normal
    SPI Flash Log:                             Not Present
    Phase:                                     Maestro
    PhaseStatus:                               UNKNOWN
    ME File System Corrupted:                  No
    FPF and ME Config Status:                  Committed

ME Analyzer of the dumped .bin from FPTW64.exe -me

╔═══════════════════════════════════════════╗
║         ME Analyzer v1.307.0 r346         ║
╚═══════════════════════════════════════════╝

╔═════════════════════════════════════════════╗
║                 me.bin (1/1)                ║
╟─────────────────────────────┬───────────────╢
║            Family           │     CSE ME    ║
╟─────────────────────────────┼───────────────╢
║           Version           │  12.0.24.1314 ║
╟─────────────────────────────┼───────────────╢
║           Release           │   Production  ║
╟─────────────────────────────┼───────────────╢
║             Type            │   Extracted   ║
╟─────────────────────────────┼───────────────╢
║             SKU             │  Corporate H  ║
╟─────────────────────────────┼───────────────╢
║           Chipset           │ CNP/CMP-H B,A ║
╟─────────────────────────────┼───────────────╢
║ TCB Security Version Number │       1       ║
╟─────────────────────────────┼───────────────╢
║ ARB Security Version Number │       4       ║
╟─────────────────────────────┼───────────────╢
║    Version Control Number   │       14      ║
╟─────────────────────────────┼───────────────╢
║       Production Ready      │      Yes      ║
╟─────────────────────────────┼───────────────╢
║      OEM Configuration      │       No      ║
╟─────────────────────────────┼───────────────╢
║       FWUpdate Support      │   Impossible  ║
╟─────────────────────────────┼───────────────╢
║             Date            │   2019-02-13  ║
╟─────────────────────────────┼───────────────╢
║      File System State      │  Initialized  ║
╟─────────────────────────────┼───────────────╢
║             Size            │    0x77B000   ║
╟─────────────────────────────┼───────────────╢
║       Flash Image Tool      │  12.0.24.1314 ║
╚═════════════════════════════╧═══════════════╝
╔═════════════════════════════════════════════╗
║         Power Management Controller         ║
╟─────────────────────────────┬───────────────╢
║            Family           │      PMC      ║
╟─────────────────────────────┼───────────────╢
║           Version           │ 300.2.11.1020 ║
╟─────────────────────────────┼───────────────╢
║           Release           │   Production  ║
╟─────────────────────────────┼───────────────╢
║             Type            │  Independent  ║
╟─────────────────────────────┼───────────────╢
║         Chipset SKU         │       H       ║
╟─────────────────────────────┼───────────────╢
║       Chipset Stepping      │       B       ║
╟─────────────────────────────┼───────────────╢
║ TCB Security Version Number │       3       ║
╟─────────────────────────────┼───────────────╢
║ ARB Security Version Number │       3       ║
╟─────────────────────────────┼───────────────╢
║    Version Control Number   │       0       ║
╟─────────────────────────────┼───────────────╢
║       Production Ready      │       No      ║
╟─────────────────────────────┼───────────────╢
║             Date            │   2018-11-29  ║
╟─────────────────────────────┼───────────────╢
║             Size            │    0x14000    ║
╟─────────────────────────────┼───────────────╢
║       Chipset Support       │      CNP      ║
╚═════════════════════════════╧═══════════════╝

Warning: Wrong CSE Layout Table CRC 0x00148000, expected 0x45038AF9!

Warning: File size exceeds Firmware, data in padding!

Press enter to exit

Follow this guide. Corrupted ME won’t update and won’t help since update works on code partitions and corruption is in data partitions

Thank you for your reply!

Sorry for reacting late! Is it possible to repair the ME without an other machine of this type that are in working condition? If i try to open a FPT64 -d dump in FIT i get an error pop-up:

Error 9: Failed to decompose Image. 
Error 42: Failed to open with processed commands. 
Unable to open file: C:\CSME\HPG4SPI.bin. Reverting to default configuration.

Use another dump and copy ME region into your dump (Hex- editor or UEFITool 0.25/0.28-‘replace as is’), then follow the guide. Don’t use any initialized ME region in your machine without ‘cleaning’.

UEFIToolNE a68 for structure:

For example (registration needed) this dump.
Compared 4 dumps from this site, they all have identical configuraton compared to the attached XML file.

XML configuration for comparing (only file paths should be different!)
dump from badcaps.zip (19.8 KB)

You’ll possibly need a programmer to flash this back- or maybe this HP machine has a service / ME disable / FDE / … jumper, then it could work with FPT.

Thank you, you are awesome!

After a replacing the ME region it loads into FIT! It’s rather late here so i don’t continue today with the cleaning process.

I researched this problem before posting here, and found this among the suggestions (for allowing the ME FW to downgrade itself or something similar):

Two pads(? I’m not sure with the correct terminology) with the FDO label. That could be flash descriptor override. My first instinct is to use a piece of cable to short it, but it sounds wrong. I will do a little bit more googling, maybe there is some misplaced documentation for this motherboard, for clarification.

I will also look into programmers also, a saw a few suggestions around the forum. (just in case of catastrophic success)

Thank you once more for your help!

Update 1:

Progress Report (for the one guy who will have this kind of problem 5 years from now)

My programmer arrived (CH341A-PRO)!

BIOS

Off course the 8 pin chip (W25Q128JV in green) is not the one.
I performed 2 identical reads on the 8 pin and it contains this in UEFITool:

I’m not sure what it is suppose to be, but there is no ME in it (I don’t see it nor does MEAnalyzer).

Currently waiting for an 16 pin clip to try the other one (W25Q256JV in blue). I’ve read around the forum for compatibility, and it should work with some pin wizardry like this:

16PIN		8PIN	16PIN CFG	8PIN CFG
-------------------------------------------------
01	 -		7 		- HOLD(IO3) - HOLD/RESET(IO3)
02 	 - 		8		- VCC 		- VCC
07 	 - 		1		- /CS 		- /CS
08 	 - 		2		- DO(IO1) 	- DO(IO1)
09 	 - 		3		- /WP(IO2)  - /WP(IO2)
10 	 - 		4		- GND 		- GND
15 	 - 		5		- DI(IO0) 	- DI(IO0)
16 	 - 		6		- CLK		- CLK

AsProgramer probably can read it, the chip type is in its database, both are 3v chips according to the documentation. (confirmation pending)

Seems to be kinda redundant bios region, but just in parts, some parts of bios region are just once in the 16 MB SPI? Would be interesting to compare these dumps tp a stock bios update!

I don’t really know what to compare, but if you are interested I can upload the read and a stock bios bin and/or a sw dump of the other/main bios region. If I remember correctly the bios updates looks similar in structure, but I’m not sure. I will check when I’m finished the night shift.

Yes, uploading both dumps would be fine, thanks! And if you happen to have the firmware version that would be nice, too.

BIOS version is Q21 Ver. 02.27.00 if you meant that by firmware version (it is suppose to be the one running on the machine right now, but with the corrupted ME I’m not sure, there could be other anomalies in the firmware).

The files are too big to attach here, even compressed.
This should work anonymously: Google Drive

HPG4SPI_rebuild - me swapped FIT compatible.rar
-FPT64 dumped ME region swapped (not cleaned) for FIT compatibility
HPG4SPI -FPT full.rar
-FPT64 dumped with the corrupted ME region
HP BIOS Update Q21_022700.rar
-Extracted .bin from the bios updater .exe (UEFITool reads it)
AUX BIOS Programmer read.rar
-Extra flash chip Dumped with the programmer.

If you need other information I will be up in ~6 hrs.

Edit

I was thinking, maybe the duplicate data could be somehow linked to HPs sure start, or maybe I’m wrong and it is just a branding of the BIOS used by them. I’ve read a lot of threads on HPs support site before I found this forum, so maybe the information is blurred in my head already, but it was implied that sure start should be able to recover from a lot of things (except of course, Me corruption :laughing:).

Thanks for sharing the files!

Seems to be a little of both. The last volumes are identical, then there are some volumes with identical GUIDs, but they’re different (2 subtype versions, maybe?), but seems that pretty much of the PEI part is redundant. DXE volume is part of the update, but it’s hidden or in its form not recognizable for UEFIToolNE, but sits unpacked as first volume in the second chip. Unclear if these volumes with different content but identical GUID are all needed or just one set?

Well, i would not expected that buying a cheap mini pc would lead me to read UEFI tech specs but here we are. :smiley:, because I had no idea what PEI and DXE were 5 minutes ago. I finished an IT High school/Technical school (whichever is the correct term in English), but the first UEFI implementation came out after i finished it, so my surface level understanding of low level processes on firmware level are next to useless here unfortunately.

Maybe the duplicated GUID ones are for recovery? Like a rollback/compatibility version or something like that if it makes sense.

But the oldest bios on HPs site looks identical in structure.

Or maybe because it has 35 65 90w versions of this pcs. That could be a reason why are duplicate entries with different data in it. Looking at an volume *5D0 in hex there is a date like data at F0 (cross referencing with the older one it seems right)


The dates seems identical the differences are here and there or in patterns (comparing the two GUIDs in hex).

Also when Sure Start throws an error for the corrupted ME FW on boot it interrupts the post. For example: pressing ESC shows the notification for entering the system menu, then the ME warning and it complains that there are no recovery image found for the ME, continues after acknowledging the risk and continue booting, then the posting proceeds as nothing happened, in this case enters the system menu. This could be nothing, just feels weird, like it is posting in parallel. Maybe its me, and it is just my preference for text based post screens makes it fell off somehow :smile:.

Sorry if its nonsense, i just try to add something.

To find about that one would have to look into firmwares of these different types to check if they really use the second set of volumes with identical GUIDs in the 32 MB file.

I’m missomg a lot of time and some of these machines to examine this further- maybe I should open a bios repair shop when getting a retiree?!

Anyway, I hope you get your ME working again without bricking the bios region :slight_smile: Good luck for your repair! :+1:

Unfortunately i don’t have a different of this type, only a G3 (6-7th gen. T, low power variant) mini, and i need this to work to be a mini media server/transcoder, so i don’t want to go too much CSI on it :smiley:.

Well maybe not a shop, but a “mail in” service, you would probably have customers.

Thanks again for you help, i try not to fail, and post progress updates, it maybe helps someone in the future. Oh and also thanks for the little rabbit chase in UEFI land! :smiley: