Intel (Converged Security) Management Engine: Drivers, Firmware and Tools (2-15)

Hi, I’m sorry to reply … Since the last time I’ve tried several methods to avoid locking FD with no success: 1) pinmod 2) meset. Could you tell me, the pinmod is actually works with hm55 chipsets or not? And if it’s not, is there any method to unlock the fd programmically? May be fwupdate from the similar fw package (it’s boils down I have the ME 6 ignition fw, so there is not such tool in my version package)

Thanks in advance!

MESet if for Clevo systems but maybe you tried that modded version for MSI systems which I think exists. Otherwise, the pinmod does work at 5-series or later systems, you just need to find the correct pins to short at the audio chip (DVDD & SDATA_OUT). I doubt that the problem is ME related because Ignition was not mandatory for the platform to operate. Ignition wasn’t FWUpdate-compatible and besides, that tool cannot do what you seek. As for the SPI size, I see only a 4MB image at MSI’s website so I don’t see how you could have flashed a hypothetical 8MB one. The FPT error about address 0x00000000 probably has to do with some sort of Flash Descriptor offset mess-up. Run “fptw -i” and show a picture of the result.

Thanks for the reply! fptw -i gives the same error. Here is a screenshot:

fpti_res.jpg



Also the audio chip is alc888s, so I’ve shortened 1 and 5 pins. As far as I know we must shorten the pins before laptop is actually on until to the “post” message will have appeared. It’s correct?

Yes, FPT behaves in weird ways when it cannot properly parse the FD. In your case, the Error 26 does not necessarily mean that your FD is locked. Use flashrom under linux or similar to get a dump of the SPI chip. We need to see what is wrong with the FD offsets. For the pinmod, you short the two pins while the system is shut-down and stop once POST is done. But as I said, you should use another flasher (flashrom) instead of FPT until we see what’s wrong with the FD.

flashrom -V - p internal

Initializing internal programmer
no coreboot table found
Using internal DMI decoder


W836xx enter config mode worked or we were already in config mode. W386xx leave config mode had no effect,
Active config mode, uncnown reg 0x20 ID: 85


Found ITE EC, ID 0x8511, Rev 0x00 on port 0x4e

Aborted
Error: Programmer initialization failed

So flashrom has done nothing, but Backup ToolKit has done something. I’ve attached the file to the post (it was possible to select the size of backup and I’ve selected 8M, don’t know actually what is the real image size).

What’s interesting, Image Tool(FITC) cannot read this but AMIBCP can.

Any ideas?

AmericanMegatrendsInc.-E1727IMS.10F.rar (1.86 MB)

Backup ToolKit is an ancient tool which doesn’t support modern SPI structures, never use it. Under Linux (Ubuntu), flashrom should detect & dump the chip if you type:

1
 
sudo flashrom -p internal -c MX25L3205D -r spi.bin
 

If it complains that it is a laptop and not recommended, you can try:
1
 
sudo flashrom -p internal:laptop=force_I_want_a_brick -c MX25L3205D -r spi.bin
 

Hi. I’ve managed to read the flash, but the command was slightly changed (don’t know exactly if it’s correct):

1
 
sudo flashrom -p internal:laptop=force_I_want_a_brick -c MX25L3205D/MX25L3208E -r spi.bin
 



Here is a probe made to find out what exactly the chip(s) flashrom supports.

Screenshot from 2017-09-23 09-21-03.png



Attached the read file to the post.

spi.rar (957 KB)

The command is correct. Your FD is locked though so the FD itself and ME were not dumped. You need to first perform the pinmod and then dump via flashrom. Does your BIOS menu have any BIOS flash option like M_FLash by any chance? If yes, try to reflash the BIOS via that option.

Actually my bios is unlocked (AMI 2.00.1201). And the most interesting options in my opinion are End of POST Message (gives nothing) and “Reset System with ME disable Mode” - the menu stalls each time I’am trying to enable this, so will try pinmod one more time.

Hello,

sorry if my question seems to be silly, but I can’t find your guides how to analyze the type of intel Management Engine and how to perform a firmware update with the tools your providing. I’m a newbie and don’t know how to use this all, but I’ve done it succesfully already a long time ago with with an older MEI firmware and your tools (and your help :).

I’m sure there had been a “HOWTO” for Mei Analyzer, Mei Info, Flash Programming Tool etc. Could you please help me with a link to find it? Thanx in advance !!! :wink:

@ mr. Lurky:

The FD locks have nothing to do with ones based in BIOS. Actually those two options, especially the latter, are all you need. But if the second freezes the menu then try the pinmod, it should work but I know from experience it is not easy to perform it with those tiny Realtek pins.

@ bananenmann:

MEInfo, MEManuf & FPT are command line utilities. Open a command prompt and enter -? to see the available options, no need for detailed instructions. ME Analyzer is basically drag & drop, check the description at Github.

Is there a way to unlock the local ME firmware update ability of the Alienware 17 R3 notebook? Whenever I try to update from 11.0.0.1194 to 11.0.25.3001 fwupdate says that local update is disabled.

It’s quite unusual to notice the laptop shuts down immediatly after shortening the pins (before reaching the post message), “quiet boot” option is also resetting. Definitely it’s some kind of protection or my trembling hands.

There’s something strange or wrong…

I had to downgrade the Intel ME 8 1 Firmware v8.1.70.1590 [1.5Mb] to the previous Intel ME 8 1 Firmware v8.1.65.1586 [1.5Mb] using Rufus Usb Bootable key (FreeDos) and using the command “FWUpdLcl -f ME.BIN”, because i couldn’t overclock my old IVB i5 3570K further the @4.1GHz.

I had some little probs time to time after upgrading to Intel ME 8 1 Firmware v8.1.70.1590 [1.5Mb], but i was thinking it’s the operating system (Windows 7 SP1) or some weird drivers.
I have disable the IRST acceleration on my RAID0 configuration in order to make a repair boot using my O.S DVD, but i saw that was not the issue either.

BTW…I’m still using the MEI driver: Intel(R) Management Engine Interface v11.0.0.1157 dated 07/07/2015 and i do not think this is the issue too.


My processor is running @4.4GHz/@4.5GHz since four years without a single prob. You can see my CPUz validation went up to @4.89GHz
It would not boot over @4.1GHz with latest 8.1 firmware v8.1.70.1590 and was experiencing power shutdown at logon.

Any feedback?
Appreciated, thanks.

hello,
If i have a ME version(for example 9.0.30.1482) and I reflash BIOS with manufacturer bios file, containing the same ME version, ME region results reflashed or stays untouched because of the same ME version?
If untouched, is there are way to force to reflash ME region with the same version using manufacturer bios file(preferable built in flashing utility)?
Thanks.

@ MorLipf:

This is set at a ME NVAR (FWUpdLcl is called I think, 0 for Disabled and 1 for Enabled) and can be changed via Flash Programming Tool but probably when the system is in manufacturing mode (Flash Descriptor unlocked and ME Manufacturing Done Bit not set). Check out the options at FPT for NVAR, CVAR etc to see if you can achieve anything.

@ mr. Lurky:

You mentioned you have a modded BIOS, I assume to unlock hidden menus etc. Are you sure the problem is not caused by that? Have you tried the stock BIOS? For the pinmod, maybe the pins are not shorted accurately and close ones are touched as well? I don’t know. If that doesn’t work though, the only way to proceed is with the help of a hardware programmer.

@ N6O7:

The ME is indeed related to overclocking as it assigns system clocks etc but I doubt that the new version limits your overclocking. Personally I would try to flash a cleaned/configured/updated 8.1.70.1590 via the CleanUp Guide first to rule out bad settings.

@ andr84:

It highly depends on the OEM and how their BIOS flashers work. Such a general question cannot be answered properly.



I also would like to flash the Consumer 8.1.70.1590 Mei Firmware but the problem indeed seems to be, that the provided version is not clean, it’s extracted and therefore "dirty". And because its not a "RGN" firmware, it can’t be cleaned like described in the guide. So what can we do now? Does anybody know where to get a "RGN"-Firm Version 8.1.70.1590?

@plutomaniac ,

I will see the cleanup guide if it’s help.

Otherwise since it is not an issue to stay to previous firmware v8.1.65.1586, i can wait another newer version like the one for 5Mb firmware (v8.1.71.3608).

Thanks for your quick response.

@ bananenmann:

You haven’t read the cleanup guide properly obviously. Besides, you don’t follow it for simple updating. Just use FWUpdate tool for the latter.

@ N6O7:

Firmware 8.1.71.3608 is only for 5MB as it fixed the recent AMT vulnerability, there is no 1.5MB equivalent. The latest (possibly last) for the latter is 8.1.70.1590.



Sorry, my english isn’t quite good - but doesn’t this sentence mean, that I have to use a stock firmware and not a extracted one for cleaning the Data?