Intel (Conv.Sec.) Management Engine: Drivers, Firmware and Tools (2-15)

Intel Converged Security and Management Engine Version Detection Tool 12.0.4

04.00.05.901_HA_SVR_B_PRD_EXTR_82D55D10.rar (4.9 MB)

15.20.20.1927_SLM_H_A_PRD_EXTR_F052C198
(Full BIOS)

Hi

Trying to build ME image for a Lenovo IdeaPad 3 14ITL05 Type 81X7 (TGP LP B), in MEAnalyser the PHY is reported as TGP v11 (from the last Lenovo upload gcme38ww.exe - extracted)

image1483×762 25 KB

the repository lists TGP v12 (or does it? Seemingly N/A from the graphic)

When I try to insert the v12 at PHY Binary in FIT, I get an error

image1202×765 53.3 KB

Dumped BIOS using command FPTw.exe -bios -d biosreg.bin

Ran it in MeInfo, MEAnalyser says doesn’t contain a ME

image1920×1020 36.3 KB

image1483×762 9.57 KB

TGP N PHY 11.225.276.2043 is not at the Repository.

Dump attached
biosreg.zip (4.8 MB)

Interesting interpretion of “N/A”. So you think Lenovo got it wrong?

You’re making assumptions. See post #1

If unsure about versions: dump your own firmware and run it through MEA. Looks

Which fptw command used? (biosreg.bin naming convention??)

Screendump of MEA- output?

What’s the objective?

What machine are we talking about?

TGP SKU P - PHY P TGP v12.14.215.2015

Type C IOM Region.bin

Yours TGP SKU N - Type C North PHY Region.bin

I only accidentically recognized that you updated an earlier post with the missing information.

That’s intended. A bios region isn’t supposed to have even the smallest piece of ME in it. That’s the reason why it’s called bios region and not ME region

The output of MEInfo gives you the correct information.

image828×316 7.57 KB

Since your syntax and knowledge about Intel firmware structure still has some potential:

What do you mean by ME image? Do you want to stich a ME firmware update- binary or build an ME region?

Yeah, stitching is something it’s clear I understand the mechanics, but little else once it goes “off piste”. So, I am stitching an update.

I will post my (new) questions here for the benefit of all @MeatWar has communicated via direct message and I’m grateful.

So, the bits I grab for stitching I just download from the links in the post.

My initial question is for Tiger Lake we have P PHY and N PHY SKUs, only the P PHY is linked from the master thread and they are different.

So I understand ‘why’ my error (now), the last download from Lenovo contains the N PHY v11.xxx.xxx.xxxx; the repository contains v16.xxx.xxx.xxxx (which I’ve stitched without error in FIT).

The N PHY in the older Lenovo download is v11, whilst I’m okay using v11.xxx.xxx.xxxx if it’s the same or newer, I’m less comfortable using v15.xxx.xxx.xxxx or v16.xxx.xxx.xxxx as this is a no-no at CSME version (i.e. 11.8.xxx.xxxx is not the same as 11.40.xxx.xxxx). Will this be an issue?

Plus the v11 in the Lenovo download is not in the repository (build ending 2043), 2042 and 2041 ARE present, how can I contribute / is it required?

For further reference, I’d appreciate a signposting for further reading on firmware dumping, specifically to understand why what I provided (by attachment) was insufficient and how to dump what I should provide.

I’m at a crossroads, I either try to understand what I don’t know or simply revert to continuing as I have with a little knowledge (believe me, I know how dangerous that can be ). But I have several of these machines in the field and I like to have closed what vulnerabilities I can, or at least am aware of, a constant game of “whack-a-mole” and the patchy (I’m being diplomatic here) support from vendors and OEMs, depending on the importance of the model and it’s many variants that are seemingly inevitably produced.

An Intel support representative just sent me the latest driver link and I read the Installation instructions (more fool me, it looks a “dog’s breakfast” of issues and caveats), quite honestly I just want to let Windows install whatever CSME driver it deems sufficient and when I run the vulnerability tool the machine gets a clean bill of health (until the next time).

Sorry for the lengthy post, but I am acutely aware that if I get any of these updates wrong I can brick a machine or at least make it near impossible to be restored to full health. So, I proceed with caution.

Fptw64 has - as many other programs - a help switch. In addition the basic regions of an Intel firmware image should be known ideallly before using this tool.

The initial thread isn’t updated in a long time!

I strongly advise against switching main versions of IUPs! In addition all IUPs are stitched in unchanged, if there’s no newer version one can simply reuse the old one! Only CSME has to be ‘new’.

The only newer IUP is PHY N “TGP_N_11.225.284.2044” (old 11.225.276.2043)

Otherwise FIT 15 has it’s own tab for firmware updates:

image1202×765 53.8 KB

I found PHY N 11.225.276.2043 from Station Drivers, so I’ve stitched a FWUpdate.bin that checks through MEAnalyser OK.

Thanks to all for their input.

But you already had PHY N 11.225.276.2043- it’s part of the Lenovo update you mentioned? Unpack it, drag Cons_prod_Base_FWUpdate.bin into a FIT 15 window and FIT will decompose it. All elements you need for an update image except for the CSME part will be in the decomposed folder!

Anyway, thanks for the feedback!

I couldn’t work out a quick way of finding 2044 here, so I set about seeing if I could try elsewhere. Wasn’t quick either, but there was order.

I was a bit unsuccessful with that tab in FIT 15, but I’ll try again next time I need to update.

What do you mean?

Open FIT
Drag the CSE ME 15.0.50.2633 ConsLP binary into the window
Go to the ‘FW Update Image Build’ tab
Fill in / choose PMC, PHY, PCHC
click the right build button

(For other CSME like corporate or H- versions you might have to select the correct chipset)

Done it in the normal tabs. It was already filled I think. Then I think I was expecting a build button but they’re still in the usual place. Typical programmer haha.