Intel (CS) Management Engine: Drivers, Firmware and Tools for (CS)ME 16+

Good afternoon everyone!
Please help me find CSME System Tools 16.0.15.1735.
I will be very grateful.

Hi.
My old BIOS backup gives an error in ME Analyzer.
"Error: Detected CSE Extension 0x16 with wrong Partition Hash at FTPR > FTPR.man!"
The CSME version is 16.0.15.1662. Does anyone have it? Can you share?

Hello,

I am using a CLEVO NP70PNJ (NP5x_NP6x_NP7xPNK_PNH_PNJ).

The latest BIOS I found is version 12 with the following details:

BIOS Version: 1.07.12
KBC/EC Version: 1.07.07
ME FW Version: 16.1.25.1865

The problem is that even this latest ME firmware is vulnerable (CSME-Version-Detection-Tool). :neutral_face:

CLEVO, of course, does not respond to any messages and is not very responsive. :nail_care:

Thanks to a user's sharing on this forum, I found a more recent ME/FW update on Station-drivers.

I'm just very concerned about bricking a brand new PC, and I would like confirmation that upgrading from:

ME version 16.1.25.1865 to ME version 16.1.27.2192 as shown in the image below won't cause any issues? (the differences are in yellow)

I'm asking because, based on the message at the beginning of this thread, it's dangerous to change the 'Version Control Number' or, worse, to switch the PCHC from 16.0.x to 16.1.x, different total bit size… :thinking:

And, most importantly, even if I make a backup with 'fptw64.exe -ME -D actualFWME.bin', if I brick it with a bad flash, I won't be able to flash back the backup since the PC won't boot anymore. :scream:

In summary, I need a specialist :robot: to confirm if it's safe to flash the image above.

Thanks!

Edit: I see that if I perform a backup, I have "Initialized" in the File System State, which would be normal because it comes from an initialized system. Therefore, it is logical that the file to be flashed should be in File System State = "Configured", I suppose, because DATA has been cleaned up. Note that all these speculations are based on what I understood from the second paragraph "A. About Engine Regions & Configuration" from the first post in this thread.

Vulnerable to what? Millions of people use computers with outdated ME firmware and who cares.

It's unlikely that you'll brick it with an update, but there's always a chance that something won't work correctly. It is only safe to use updates provided by your laptop manufacturer itself. If you are so concerned about ME vulnerabilities, maybe you should use a laptop with disabled ME.

Hello Anton35,

Thank you for your response.

It's not really a concern about ME vulnerabilities that drives me to update the firmware; it's more of a thorough, perfectionist approach. I completely agree with you that outdated ME firmware is probably widespread and not a significant issue for standard regular users like me.

However, the problem will be quickly resolved: I'm getting error 369: failed to verify the signature of OEM or RoT key manifest. For example: Error on update from Production to Pre-Production, which confirms that the easiest solution is indeed to use the updates provided by your laptop manufacturer itself as you suggest. It's just that Clevo is not as reactive as Asus or Lenovo…

Edit: Currently testing this

Final try: a Frankenstein :zombie: !

Don't worry, if this attempt fails, I promise to continue my experiments on my own and stop spamming this thread with my tests.

Well, the edit above can't seem to resolve the error, so I'm going to use the explanations from the first post at the beginning of this thread to create my own firmware.
This will be a change from those who ask without trying anything. I'm sharing.

What I'm doing here, in case it can help someone.

1/ I use Mfit.exe to decompose an original BIOS provided by my manufacturer and compare it to my own saved BIOS, which theoretically should be the same.

2/ I notice that ME Sub Partition.bin and CSE Region.bin are different between the BIOS I'm given and after it's flashed.

3/ Thanks to the explanations by system at the beginning of this thread, I understand that the difference is normal because ME Sub Partition.bin is "Initialized" by the system after flashing its virgin "Configured" version.

4/ Still, thanks to the explanations by system at the beginning of this thread, I understand that I will need to create a Clean Firmware in "Configured" mode.

5/ CSE Region.bin is, therefore, different between the BIOS I download and its version that I flash on the system because the PC has "Initialized" this Region.

6/ By comparing the manufacturer's BIOS with the available update★ for my configuration (LP Consumer (ADL) A1), I notice that I need to update:

(★) I would have preferred to build from scratch using each available piece from an MEA db from Anton35, but the link is dead.

01) ME 16.1.27.2192
02) PMCP 160.1.0.1029
03) IOMP 36.6.0.0
04) NPHY 14.530.509.8258
05) TBTP 16.0.0.1901
06) PCHC 16.1.0.1014

7/ I launch Mfit.exe and follow the instructions from system at the beginning of this thread:

Select Intel(R) AlderLake P Chipset - FWUpdate

Flash Layout ➜ Ifwi: Intel(R) Me and Pmc Region :arrow_forward: Intel(R) ME Binary File
:heavy_check_mark: [ME Sub Partition.bin] = the new 01) from ME_16.1.27.2192_A0_Origin.bin

Flash Layout ➜ Ifwi: Intel(R) Me and Pmc Region :arrow_forward: PMC Binary File
:heavy_check_mark: [CsePlugin#PMC.bin] = the new 02) from ME_16.1.27.2192_A0_Origin.bin

Flash Layout ➜ Sub Partitions ➜ PCH Configuration Sub-Partition :arrow_forward: PCH Configuration File
:heavy_check_mark: [CsePlugin#PCHC.bin] = the new 06) from ME_16.1.27.2192_A0_Origin.bin

Flex IO ➜ TCSS Configuration :arrow_forward: NPHY Binary File
:heavy_check_mark: [CsePlugin#NPHY.bin] = the new 04) from ME_16.1.27.2192_A0_Origin.bin

Flex IO ➜ TCSS Configuration :arrow_forward: IO Manageability Engine Binary File
:heavy_check_mark: [CsePlugin#IOM.bin] = the new 03) from ME_16.1.27.2192_A0_Origin.bin

Flex IO ➜ TCSS Configuration :arrow_forward: Thunderbolt™/USB4™ Binary File
:heavy_check_mark: [CsePlugin#TBT.bin] = the new 05) from ME_16.1.27.2192_A0_Origin.bin

:x: ISH (it's not in the original BIOS, so I'm not putting it)

:white_check_mark: UTOK (they are identical, so I'm not touching them)

BONUS to try to counter the error 369 above:

Platform Protection ➜ Hash Key Configuration for Bootguard / ISH :arrow_forward: OEM Key Manifest Binary
:question: [CsePlugin#OEM_KM.bin] = That of the original manufacturer's BIOS

8/ I'm a bit afraid to flash this Frankenstein I've created, even though it's actually just an ME_16.1.27.2192_A0 from here with an OEM_KM.bin from my original BIOS as a replacement.

.

EDIT ▶ 🎉 Did it!

I created something with Mfit.exe by simply removing the OEM and ISH bin files to avoid signature issues like above.

But I'm not going to spam another lengthy explanation that annoys everyone here about updating Intel ME on Clevo that probably only affects a few people.

In fact, everything is in the first post.

For Clevo NP70PNJ Only and to update to:

FW      Version : 16.1.27.2192 LP Consumer
PMC FW  Version : 160.1.0.1029
IOM FW  Version : 36.6.0.0000
NPHY FW Version : 14.530.509.8258
TBT FW  Version : 16.0.0.1901
PCHC FW Version : 16.1.0.1014

Flash this :

FWUpdLcl64.exe -allowsv -f FWUpdate.bin

FWUpdate.bin ➯ WeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free

1 Like

Newest FW should be, according to ASUS, 16.1.30.
But I haven't found anything useful yet to apply - especially the LP versions are getting scarcer to get hands on.
It's way too hard to get to these new FWs without pluto and fernando… :pensive:

The 16.1.30 from Asus for CON H is very new, you should wait because usually not all platforms are getting the same update, it just came out a week ago…
Also a lot of users keep tracking the FW releases whenever they can or come across.

Intel_CSME_ADL-N_16.50.0.1120_A0_Consumer :
[…]

Staff Note: The link has been removed to adhere with forum rule 14, regarding "posts or links to documents and/or tools which are marked as Confidential, Restricted, Private, are part of a commercial license etc". The rule was originally put in place to avoid legal action against the forum and/or the 3rd-party source of the files/info. In this case, the 3rd-party source was evident from the filename as well.

5 Likes


required this file

@KLRCTMG

Update!

image

If still errors:

CSME V16.5.0 con system tool:

Hi!

Looking for CSME 16.0 CON LP A v16.0.15.1735 to clear ME :slight_smile:

@hunmike000

EDIT: "Any idea how to solve this?" No sry, not my field…

Thanks @MeatWar, but when I rename and replace the decomposed ME Sub Partition.bin with the file from the repo for which you provided the link (intel_me_16.0.15.1735-lp(station-drivers.com)/Non_Capsule\ME_16.0_Cons.bin) I get the following error during building via Intel (R) Modular Flash Image Tool. Version: 16.0.15.1735:
"Exception: Data bucket: 'OEM_KM'. Error: 'The public key in the OEM Key Manifest provided does not match the hash provided in CsePlugin:UEP:OemPublicKeyHash'.
Source: 'CsePlugin:OEM_KM'"

Any idea how to solve this?

In my case, all I had to do was open this Intel ME firmware with MFIT.exe (version 16.0 to be in compliance) and remove the OEM-KM and ISH parts as well, I believe (no choice if I removed OEM), and then save and flash this modified firmware (= the same one but without OEM and ISH).

Because ME_16.0_Cons.bin is not ME Sub Partition itself, it's a prestitched FWUpdate for some Lenovo platform. You have to decompose it first using MFIT, to get unconfigured ME Sub Partition.bin, as you can see in the screenshot.
Screenshot_1
Then you can try to use it for cleaning your initialized bios dump, although it is not recommended to use Extracted type.

1 Like

@Anton35 Sir, you are well deserving of my thanks! Spot on with your description. I had no idea that I would need to further decompose the station-drivers provided ME. Thank you very much for your help, I can now see with ME Analyzer that "File System State │ Configured", which I assume is the correct one.

Hello, how to solve this error?

CSE ME 16.50.0.1232 Production Atom LP Unknown A
PMC 160.50.00.1008 Production Independent Unknown ADP
PCHC 16.50.0.1013 Production Independent ADP
PHY 14.14.508.4007 Production Independent N ADP

v16.50.0.1232.bin.zip (2.1 MB)

1 Like