Intel (CS) Management Engine: Drivers, Firmware and Tools for (CS)ME 16+

Vulnerable to what? Millions of people use computers with outdated ME firmware and who cares.

It’s unlikely that you’ll brick it with an update, but there’s always a chance that something won’t work correctly. It is only safe to use updates provided by your laptop manufacturer itself. If you are so concerned about ME vulnerabilities, maybe you should use a laptop with disabled ME.

Hello Anton35,

Thank you for your response.

It’s not really a concern about ME vulnerabilities that drives me to update the firmware; it’s more of a thorough, perfectionist approach. I completely agree with you that outdated ME firmware is probably widespread and not a significant issue for standard regular users like me.

However, the problem will be quickly resolved: I’m getting error 369: failed to verify the signature of OEM or RoT key manifest. For example: Error on update from Production to Pre-Production, which confirms that the easiest solution is indeed to use the updates provided by your laptop manufacturer itself as you suggest. It’s just that Clevo is not as reactive as Asus or Lenovo…

Edit: Currently testing this

Final try: a Frankenstein :zombie: !

Don’t worry, if this attempt fails, I promise to continuing my experiments on my own and stop spamming this thread with my tests.

Well, edit above can’t seem to resolve the error, so I’m going to use the explanations from the first post at the beginning of this thread to create my own firmware.
This will be a change from those who ask without trying anything. I’m sharing.

What I’m doing here in case it can help someone.

1/ I Mfit.exe decompose an Original BIOS provided by my manufacturer and compare it to my own saved BIOS, which theoretically should be the same.

2/ I notice that ME Sub Partition.bin and CSE Region.bin are different between the BIOS I’m given and after it’s flashed.

3/ Thanks to the explanations by system at the beginning of this thread, I understand that the difference is normal because ME Sub Partition.bin is “Initialized” by the system after flashing its virgin “Configured” version.

4/ Still, thanks to the explanations by system at the beginning of this thread, I understand that I will need to create a Clean Firmware in “Configured” mode.

5/ CSE Region.bin is, therefore, different between the BIOS I download and its version that I flash on the system because the PC has “Initialized” this Region.

6/ By comparing the manufacturer’s BIOS with the available update for my configuration (LP Consumer (ADL) A1), I notice that I need to update:

(★) I would have preferred to build from scratch using each available piece from an MEA db from Anton35 , but the link is dead.

01) ME 16.1.27.2192
02) PMCP 160.1.0.1029
03) IOMP 36.6.0.0
04) NPHY 14.530.509.8258
05) TBTP 16.0.0.1901
06) PCHC 16.1.0.1014

7/ I launch Mfit.exe and follow the instructions from system at the beginning of this thread:

Select Intel(R) AlderLake P Chipset - FWUpdate

Flash Layout ➜ Ifwi: Intel(R) Me and Pmc Region :arrow_forward: Intel(R) ME Binary File
:heavy_check_mark: [ME Sub Partition.bin] = the new 01) from ME_16.1.27.2192_A0_Origin.bin

Flash Layout ➜ Ifwi: Intel(R) Me and Pmc Region :arrow_forward: PMC Binary File
:heavy_check_mark: [CsePlugin#PMC.bin] = the new 02) from ME_16.1.27.2192_A0_Origin.bin

Flash Layout ➜ Sub Partitions ➜ PCH Configuration Sub-Partition :arrow_forward: PCH Configuration File
:heavy_check_mark: [CsePlugin#PCHC.bin] = the new 06) from ME_16.1.27.2192_A0_Origin.bin

Flex IO ➜ TCSS Configuration :arrow_forward: NPHY Binary File
:heavy_check_mark: [CsePlugin#NPHY.bin] = the new 04) from ME_16.1.27.2192_A0_Origin.bin

Flex IO ➜ TCSS Configuration :arrow_forward: IO Manageability Engine Binary File
:heavy_check_mark: [CsePlugin#IOM.bin] = the new 03) from ME_16.1.27.2192_A0_Origin.bin

Flex IO ➜ TCSS Configuration :arrow_forward: Thunderbolt™/USB4™ Binary File
:heavy_check_mark: [CsePlugin#TBT.bin] = the new 05) from ME_16.1.27.2192_A0_Origin.bin

:x: ISH (it’s not in the original BIOS, so I’m not putting it)

:white_check_mark: UTOK (they are identical, so I’m not touching them)

BONUS to try to counter the error 369 above:

Platform Protection ➜ Hash Key Configuration for Bootguard / ISH :arrow_forward: OEM Key Manifest Binary
:question: [CsePlugin#OEM_KM.bin] = That of the original manufacturer’s BIOS

8/ I’m a bit afraid to flash this Frankenstein I’ve created, even though it’s actually just an ME_16.1.27.2192_A0 from here with an OEM_KM.bin from my original BIOS as a replacement.

.

EDIT ▶ 🎉 Did it! 👍

I created something with Mfit.exe by simply removing the OEM and ISH bin files to avoid signature issues like above.

But I’m not going to spam a another lengthy explanation that annoys everyone here about update Intel ME on Clevo that probably only affects a few people.

In fact, everything is in the first post.

For Clevo NP70PNJ Only and to update to:

FW      Version : 16.1.27.2192 LP Consumer
PMC FW  Version : 160.1.0.1029
IOM FW  Version : 36.6.0.0000
NPHY FW Version : 14.530.509.8258
TBT FW  Version : 16.0.0.1901
PCHC FW Version : 16.1.0.1014

Flash this :

FWUpdLcl64.exe -allowsv -f FWUpdate.bin

FWUpdate.binWeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free

1 Like

Newest FW should be, according to ASUS 16.1.30
But I haven’t found anything useful yet to apply - specially the LP versions are getting scarcer to get hands on.
It’s way to hard to get to these new FWs without pluto and fernando… :pensive:

The 16.1.30 from Asus for CON H is very new, you should wait because usually not all platforms are getting the same update, it just came out a week ago…
Also a lot of users keep tracking the FW releases whenever they can or come across.

Intel_CSME_ADL-N_16.50.0.1120_A0_Consumer :
[…]

Staff Note: The link has been removed to adhere with forum rule 14, regarding “posts or links to documents and/or tools which are marked as Confidential, Restricted, Private, are part of a commercial license etc”. The rule was originally put in place to avoid legal action against the forum and/or the 3rd-party source of the files/info. In this case, the 3rd-party source was evident from the filename as well.

5 Likes


required this file

@KLRCTMG

Update!

image

If still errors:

CSME V16.5.0 con system tool:

Hi!

Looking for CSME 16.0 CON LP A v16.0.15.1735 to clear ME :slight_smile:

@hunmike000

EDIT: “Any idea how to solve this?” No sry, not my field…

Thanks @MeatWar , but when i rename and replace the decomposed ME Sub Partition.bin with the file from the repo for which you provided the link (intel_me_16.0.15.1735-lp(station-drivers.com)/Non_Capsule\ME_16.0_Cons.bin) I get the following error during building via Intel (R) Modular Flash Image Tool. Version: 16.0.15.1735:
“Exception: Data bucket: ‘OEM_KM’. Error: ‘The public key in the OEM Key Manifest provided does not match the hash provided in CsePlugin:UEP:OemPublicKeyHash’.
Source: ‘CsePlugin:OEM_KM’”

Any idea how to solve this?

In my case, all I had to do was open this intel ME firmware with MFIT.exe (version 16.0 to be in compliance) and remove the OEM-KM and ISH parts as believe as well (no choice if I removed OEM), and then save and flash this modified firmware (= the same one but without OEM and ISH).

Because ME_16.0_Cons.bin is not ME Sub Partition itself, it’s a prestitched FWUpdate for some Lenovo platform. You have to decompose it first using MFIT, to get unconfigured ME Sub Partition.bin, as you can see on screenshot.
Screenshot_1
Then you can try to use it for cleaning your initialized bios dump, although it is not recommended to use Extracted type.

1 Like

@Anton35 Sir you are well deserving my thanks! Spot on with your description. I had no idea that I would need to further decompose the station-drivers provided ME. Thank you very much for your help, i can now see with ME Analyser that “File System State │ Configured” which i assume the correct one.

hello, how to slow this error?

CSE ME 16.50.0.1232 Production Atom LP Unknown A
PMC 160.50.00.1008 Production Independent Unknown ADP
PCHC 16.50.0.1013 Production Independent ADP
PHY 14.14.508.4007 Production Independent N ADP

v16.50.0.1232.bin.zip (2.1 MB)

1 Like

hello everyone; i tried to clear a BIOS 64MB of DELL XPS 15 9520 La-l402p, but i got some errors! i don’t know what have to do…
‘’‘ERROR : Decompose ‘C:/Users/Line_teck/Desktop/XPS 15 9520 La-l402p r1.0 Gagarin .BIN’ image failed.
Details: Intel(R) AlderLake P Chipset - Corporate - SPI not found in the available layouts’’

A post was merged into an existing topic: Intel (Converged Security) Management Engine: Drivers, Firmware and Tools (2-15)

How to correct this error? Layout dictionary generated successfully
“ERROR : Failed to initialize MFS.
ERROR : Failed to instantiate container CseRegion:0.1”
when trying to decompress 16.1 image