Intel (Converged Security) Management Engine: Drivers, Firmware and Tools (2-15)

I was using the link posted by atomota - I get a prompt that says illegal download. I am looking for MEI 11.7.0.1002 and can't get it.
Can someone please post a link if you have it? Thanks,


What about looking into the start post of this thread? Your desired "pure" Intel ME driver v11.7.0.1002 and the complete Intel ME Installer Set v11.7.0.1010 are available there.

I’m Consumer LP (i5-6200U). I have tried to flash from 11.6.25.1229 to 11.7.0.1229 (YPDM) provided at the first page. No error or malfunctioning at all by now.
Indeed, my notebook (HP 15q aj109TX) was shipped with version 11.0.0.1160. I first tried to upgrade it to 11.0.16.1000, then 11.0.18.1002, then 11.6.25.1229, and then 11.7.0.1229. All without any error and went as smooth as it should be. BTW, these are all done with fwlcl64.
Sorry for my poor English.

thx, I updated my GA-Z270M-D3H (rev. 1.0) (Z270 Chipset) from 11.6.25.1229 to 11.7.0.1229, and it works perfectly.

FYI, as it seems Intel provided new MEI firmware to OEMs to fix a major security hole, for more see the article at Semiaccurate


Here is the official Advisory from Intel:

https://security-center.intel.com/adviso…anguageid=en-fr

Here are the mitigation steps until the OEMs update their BIOS (oh boy…):

https://downloadcenter.intel.com/download/26754

The firmware versions that fix this vulnerability are the following:

6.2.61.3535
7.1.91.3272
8.1.71.3608
9.1.41.3024
9.5.61.3012
10.0.55.3000
11.0.25.3001
11.6.27.3264


Intel should have released those firmware at their own site in my own opinion instead of waiting for the OEMs to update their BIOS (which won’t happen easily for older systems with ME6,7 etc). When any of these firmware are found I will update the thread as usual. This is one of the main reasons why this thread exists.

Regarding ME 11.7:

Intel hasn’t acknowledged ME 11.7 at their advisory because KBL Refresh is not out yet but you can assume that the version we have currently found (11.7.0.1229 - based on 11.6.25.1229) is also affected. At least, maybe, since this vulnerability targets AMT and thus Corporate firmware which we don’t have any at 11.7 yet. Nevertheless, I advise people to roll back to 11.6.25.1229 while they still can (VCN is the same between 11.6.25.1229 and 11.7.0.1229 so hopefully it’s possible) and wait for Intel’s 11.6.27.3264.

Edit: Lenovo didn’t get the memo apparently:

Read that SemiAccurate (what a name ^^) article just a few hours ago via HN and it basically says nothing. Also Intel says "This vulnerability does not exist on Intel-based consumer PCs"… I really dunno what to expect from all of this and I am curious about the whole situation.


This vulnerability targets all systems not only AMT enabled?

That article was annoyingly vague and also had some mistakes (ME6 is from 2009, ME 11.x is x86 and not ARC based, AMT is only at 5MB/Corporate systems so it doesn’t affect “everyone” etc). It’s great that the vulnerability was found and finally solved but it seems like they are trying to scare a lot more people than they actually need to.

Generally, from what Intel says, this vulnerability is Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (Intel® SBT) related. That means 5MB/Corporate systems only, thus not 1.5MB/Consumer.

Intel just updated their advisory (r1.1) and added detection steps for non tech/ME savvy users:

https://security-center.intel.com/adviso…anguageid=en-fr
https://downloadcenter.intel.com/download/26755

According to a table they have, 11.7 (Corporate) “seems” to not be affected. This is the first time I’ve seen 11.7 being officially mentioned. Thing is, since KBL-R/11.7 is not out yet, they may mean that recent 11.7 firmware is not vulnerable, not old ones. Currently, for the 11.7 firmware offered in this thread, we know that ours is from February but also Consumer not Corporate. So according to Intel, these are ok.


Wonder if updating ME firmware on Kaby Lake will help lower CPU core temps on these processors? Been getting some crazy insanely high Prime95 temps.


Thanks

No, what’s most probable is that you’ve done something wrong (bad cpu cooler application, no/too little/too much thermal paste, non working fan, very aggressive overclock, wrong fan profiles etc). The only thing that could be ME related is a corrupted ME firmware causing power management and fan control issues but it’s not common. Even if the latter is the case, updating won’t help, a full repair would be needed. Usually though these are caused by user errors.

I read that Intel used poor quality TIM in the Kaby Lake line of CPUs and that's why a lot of them run hot. Also there are two versions of Prime95 out there. One that gives abnormally high temps. FWIW I checked my mounting like three times over. Even bought a better quality heatsink. They just run hot. So I’ve read. Think my main board is overvolting it as well. Guess that's up to the BIOS engineers to fix.

Thanks.

Typing from an i5 7500, and with the stock Intel cooler it cannot reach 70C even after one hour on Prime95.
You have a different issue.

They use not-so-great TIM because that one lasts for many years whereas the ones we apply between the heat spreader and the cooler last for a significantly shorter period before reapplication is necessary. But that’s neither here nor there. Even with that “poor” quality TIM (it’s ok really, not worth delidding for 4-5 degrees) you shouldn’t be facing overheating issues. Your problem is elsewhere, not with the CPU and probably not with the ME (verify by MEInfo & MEManuf if you like but it won’t help). Also, to point out the obvious, Prime95 is designed to burn-in the CPU so it never represents real world use. Generally, as elisw and I said, you should look elsewhere for the cause of that issue.

Long story short, it's an HTPC case with not the best thermal dynamics, with an HTPC Thermalright cooler. Sorry if I went off topic. Will try updating ME though won’t expect miracles. Thanks.

Guys read the second post on this Intel support thread! Was posted on behalf of Intel Corp. Contradicts what you guys just said!

https://communities.intel.com/thread/111954

I mean Intel seems to think one should update ME drivers for sake of cpu temps right or wrong…

Here is what I measured today during Prime95 (small FFT).
MEI Driver is 11.6.0.1032
Sorry for the OT.



Try that on version 28.1 of Prime95 and your temps will be at least 10 degrees higher!



To be fair, you save around 20-25°C by delidding a Kaby Lake processor. It isn’t about the TIM but the gap between the IHS and the die itself because of the glue being used.

In the news today.
All Intel Management Engine firmware has a remote execution bug which allows for easy remote hacking without the user or OS ever being aware of it.

New firmwares announced:

- First-gen Core family: 6.2.61.3535
- Second-gen Core family: 7.1.91.3272
- Third-gen Core family: 8.1.71.3608
- Fourth-gen Core family: 9.1.41.3024 and 9.5.61.3012
- Fifth-gen Core family: 10.0.55.3000
- Sixth-gen Core family: 11.0.25.3001
- Seventh-gen Core family: 11.6.27.3264


I disabled the IME network functionality months ago when updating to the latest IME, just to prevent this kind of thing.



Interesting, I just read both articles. I agree that the article by SemiAccurate is semi-accurate or misleading a bit :)
Intel clearly states that the systems affected by the bug are corporate ME FW (5MB) with full AMT. So desktop MB users should be safe. Also because AFAIK AMT can work with Intel NIC only and most of the common desktop MBs use Realtek/Marvell/Broadcom, etc., so I hope it cannot be hacked remotely via AMT even if there’s some TCP/IP stack inside consumer systems. More often the full AMT can be seen on notebooks…
I also think that Intel should release ME FW updates for everybody like they do microcode updates for the (not only) Linux community to be able to fix older systems. Not many OEMs would release BIOS updates for 8-year-old MBs, hehe. It’s commonly ~2-3 years of support… BTW a paranoid thought arises about the new "fixed" ME FW that can contain another bug or an intentional, better hidden backdoor that would spread more easily because of the panic around this old bug :)
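
Added example (not part of any post in this thread, and not Intel's tooling): a small Python triage of ME firmware versions against the fixed builds listed above, using the thread's point that only 5MB/Corporate firmware carries AMT. The `sku` argument, the result labels and the sample inventory are constructed for illustration; matching a firmware to a fixed build by its major.minor branch and comparing the four version fields numerically are assumptions.

```python
# Added example: compare ME firmware versions with the fixed builds quoted in this thread.
FIXED_BUILDS = [
    "6.2.61.3535", "7.1.91.3272", "8.1.71.3608", "9.1.41.3024",
    "9.5.61.3012", "10.0.55.3000", "11.0.25.3001", "11.6.27.3264",
]

def parse(version):
    """Turn 'major.minor.hotfix.build' into a tuple of four ints."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-field ME version: {version!r}")
    return tuple(int(p) for p in parts)

# Assumption: a firmware belongs to the branch with the same major.minor.
FIXED_BY_BRANCH = {parse(v)[:2]: parse(v) for v in FIXED_BUILDS}

def triage(version, sku):
    """sku is 'corporate' (5MB) or 'consumer' (1.5MB); labels are hypothetical."""
    v = parse(version)
    if sku not in ("corporate", "consumer"):
        raise ValueError(f"unknown sku: {sku!r}")
    if sku == "consumer":
        # Per the thread: AMT/ISM/SBT are only on 5MB/Corporate firmware.
        return "consumer-no-amt"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # e.g. 11.7, which has no fixed build in the list
        return "branch-not-listed"
    return "fixed" if v >= fixed else "needs-update"

def report(inventory):
    """Group host names by triage result."""
    out = {}
    for host, version, sku in inventory:
        out.setdefault(triage(version, sku), []).append(host)
    return out

# Constructed sample inventory (host names are made up).
SAMPLE = [
    ("laptop-a", "11.6.25.1229", "corporate"),
    ("laptop-b", "11.6.27.3264", "corporate"),
    ("desktop-c", "11.7.0.1229", "consumer"),
    ("desktop-d", "11.7.0.1229", "corporate"),
    ("server-e", "9.5.61.3012", "corporate"),
]

if __name__ == "__main__":
    for status, hosts in sorted(report(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

A "branch-not-listed" result means the thread gives no fixed build for that branch, so the machine needs a manual check against Intel's advisory.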