Intel (Converged Security) Management Engine: Drivers, Firmware and Tools (2-15)


    Once again thank you fernando and plutomaniac for your fantastic work here, makes my job a lot easier. Whenever there’s something going on with ME or AHCI / RAID I know where to look first.

ninjaed

Hello. Before I continue, a hearty thanks to everybody who has been helping out. I really appreciate it. :slight_smile:



Ahhh, I made the mistake of not explicitly stating that things like PAVP came up as fine under Cyberlink’s advisor. My apologies. Everything’s good to go except for HDCP 2.2. Basically, the shot @davidm71 posted a few posts ago matches mine, other than my system also supporting HDR (i.e., it’s green).



Okay. I have a few thoughts.

- In the pic you posted, I believe I saw an entry regarding LSPCON Display Port 1. ("The setting determines which port for LSPCON will be connected to the HDCP 2.2 bridge adapter Display 1.") I seem to recall posting in my last MEInfo dump that no port was listed. ("Retrieving Variable ‘LSPCON Port Configuration’ -> LSPCON Ports None") I’m a bit unsure of how exactly this works, seeing as how my rough understanding is that the MDCP2800 chip operates as the LSPCON and the bridge adapter. I know the ASRock Z270 Gaming-ITX/ac board (basically the same as mine, only mine has the Z370 chipset) activated HDCP 2.2 after-the-fact by using a slight variation of the flashing tool for the MDCP2800 that I used to update my chip’s firmware to 1.72. The HDCP flasher was the same but it also included an entry for a key file. (Mine worked right out of the box.) Anyway, if this value is supposed to be set, then yes, something went wrong somewhere.
- I can’t flash 11.7 firmware. I tried. The SVN restriction blocks it. I don’t think flashing the original 1.10 BIOS will help but I’ll keep it in mind.
- I’ll give @jockyw2001 's idea a shot. I don’t think it’ll help but I don’t think it can hurt.
- Shorting pins is a bit above my pay grade. As much as I love tinkering, I’ve put too much money into the system to risk doing something silly to it. Maybe when a long-lost uncle dies and leaves me his fortune… :slight_smile:

The fact that you know what SVN is means that you’ve done your homework; most people don’t even read the thread or try to do basic research before asking for help. Kudos to you. Now, the VCN & SVN matter for the FWUpdate tool only; direct flashing via Flash Programming Tool or external programmers is not restricted by such things. I do agree that the problem is CSME firmware related due to “LSPCON Ports None” but, unless something is not properly connected (I’m not familiar with HDCP, what it needs, etc.), then only a reflash will solve it. Your board definitely advertises HDCP (“Supports HDCP with HDMI, DisplayPort 1.2 and Intel® Thunderbolt™ 3”, “Supports 4K Ultra HD (UHD) playback with HDMI, DisplayPort 1.2 and Intel® Thunderbolt™ 3”) so clearly something went wrong. Avoiding anything invasive, I would personally try my luck with ASRock. Maybe they can provide some software solution they use to temporarily unlock the Flash Descriptor in the field to allow full SPI reflashing or similar.



Thanks for the info. I am a bit confused. You mention Flash Programming Tool (which I believe I found) and how it doesn’t care about SVN and such. If that’s the case, wouldn’t I be able to load the original version of ME firmware (11.7.4.3314), cross my fingers, and hope that the flash resolves my problem? My apologies if there’s something I’m missing. It sounds like I am since you mentioned unlocking the Flash Descriptor and such. I’ve done some homework, like reading the initial post, but I suspect there’s some stuff that I’ve missed. :frowning:

EDIT: Derp. fptw64 still requires permission or workarounds to flash.

EDIT 2: I did a bit more research. I’m halfway tempted to try to extract the SPI chip. (I’m not confident in my ability to pull off pinmod, although I’ll consider if somebody’s willing to help me walk through the steps.) A quick search didn’t reveal any immediately useful info. Would someone be able to point out how I can find the chip on my board so that I can tell if it’s soldered or socketed?

If resetting Playready didn’t help then probably ME 11.8.50.3425 revoked the HDCP 2.2 device key. Perhaps ASRock didn’t pay for it… You can check that with Intel or ASRock. If not, then it might be yet another ME bug.

I can have a look at your BIOS and see if there is a hidden switch to unlock the entire ME partition so that you can dump and flash it.

@ crown_nick:

The SPI chip consists of regions such as Flash Descriptor (offsets, sizes, read/write permissions between regions), GbE, Engine & BIOS. All software flashers rely on the read/write permissions set at the Flash Descriptor; that includes Flash Programming Tool. FWUpdate is a special tool which updates the Engine firmware by communicating with the CSE itself, so the FD read/write permissions don’t matter. It does, however, abide by Engine firmware upgrade/downgrade checks such as SVN and VCN.

In your case, the FD is locked as per Intel’s recommendations so there is no read/write access to the Engine region of the SPI chip. To unlock the FD at your motherboard, one could find a jumper (none), set a BIOS option (none?), use a cheap hardware programmer (too invasive for your liking, SPI chip soldered not socketed) or do the “pinmod”. The latter is done by shutting down the system and then shorting DVDD & SDATA_OUT pins at the Audio chip (should be pins 1 & 5 for Realtek, starting from the marked dot) while the system boots (stop once the OS starts to load). Note that the Realtek pins are very small nowadays and may take some tries. You can check if you have read/write access to the CSME/Engine region either by running MEInfo tool and checking “Host Read/Write Access to ME Enabled” or by testing via Flash Programming Tool “fptw -d spi.bin”.

Because your SPI chip is soldered, the viable options for you are the BIOS option (hidden usually - what jockyw2001 suggested) and the “pinmod”. Both are safe and not hardware-invasive. Personally I would first ask @jockyw2001 to look into the BIOS in case there is a hidden option. If that is a no go, I would give the “pinmod” a try.
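As an added example (not code from this thread or from Intel's tools), here is a small Python checker that applies the rules laid out above to a MEInfo dump: it parses the relevant fields, reports whether the Flash Descriptor lets the host reach the ME region (the FPT path), lists which tool could write a given firmware version, and pulls out the two HDCP 2.2 indicators discussed in the thread. The MEInfo excerpt inside is constructed, modelled on the dumps posted in this thread; using version order as a stand-in for the SVN/VCN downgrade check is an assumption, since MEInfo does not print the SVN.

```python
# Constructed MEInfo excerpt (not a live capture), modelled on the Z170 dump posted in this thread.
SAMPLE_MEINFO = """\
ManufacturingMode: Disabled
FW Version 11.7.4.3314 H
Protect Audio Video Path - PRESENT/ENABLED
Local FWUpdate Enabled
Host Read Access to ME Disabled
Host Write Access to ME Disabled
Retrieving Variable "LSPCON Port Configuration"
LSPCON Ports None
"""

# Fields MEInfo prints as "Key value" with no separator between them.
SPACE_KEYS = ("Host Read Access to ME", "Host Write Access to ME",
              "Local FWUpdate", "LSPCON Ports")

def parse_meinfo(text):
    """Pull the fields the thread reasons about into a dict."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Retrieving Variable"):
            continue
        if ":" in line:                          # "Key: value"
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
        elif " - " in line:                      # "Feature - PRESENT/ENABLED"
            key, _, value = line.partition(" - ")
            info[key.strip()] = value.strip()
        elif line.startswith("FW Version "):     # "FW Version 11.7.4.3314 H"
            info["FW Version"] = line.split()[2]
        else:
            for key in SPACE_KEYS:
                if line.startswith(key + " "):
                    info[key] = line[len(key):].strip()
    return info

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def fd_unlocked(info):
    """True when the Flash Descriptor grants the host read AND write access to the ME region."""
    return (info.get("Host Read Access to ME") == "Enabled"
            and info.get("Host Write Access to ME") == "Enabled")

def flash_options(info, target_version):
    """Tools able to write target_version, per the thread's rules: FPT obeys the FD
    permissions and ignores SVN/VCN; FWUpdate goes through the CSE, so FD locks do not
    matter, but its SVN/VCN checks refuse a downgrade (approximated by version order)."""
    options = []
    if fd_unlocked(info):
        options.append("FPT")
    if (info.get("Local FWUpdate") == "Enabled"
            and version_tuple(target_version) >= version_tuple(info["FW Version"])):
        options.append("FWUpdate")
    return options or ["unlock FD first (hidden BIOS option, pinmod or external programmer)"]

def hdcp22_prerequisites(info):
    return {"pavp": info.get("Protect Audio Video Path") == "PRESENT/ENABLED",
            "lspcon_port_assigned": info.get("LSPCON Ports", "None") != "None"}
```

Feed it the text of a real MEInfo.txt instead of SAMPLE_MEINFO to get the same verdicts for your own board.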



I went back and tried to follow the PlayReady directions. I don’t think they’re applicable in my case. The stuff I was told to rename didn’t exist (I do have all the proper files & directories exposed), the CleanDRM binary log made it look like nothing particularly interesting happened, and Windows Media Center is discontinued and requires some trickery in order to get it on Win10 in the first place. I’ll try again if I’m truly stuck but I suspect this is a dead end. :frowning:

Revoked HDCP key - I don’t think so. In one of my posts, I think I mentioned that the Z270 version of my board activated HDCP 2.2 via an upgrade of the MegaChips MDCP2800 chip (DisplayPort 1.2 -> HDMI 2.0 converter). A special key was flashed into the chip alongside upgraded firmware. I suppose there could be something in the ME firmware too but my gut suspicion is that there isn’t.

Regarding the BIOS, I won’t turn down a peek if you’re offering. Thank you!



Thanks for all the help and patience! I’ll look into pinmod. I don’t see any BIOS options that imply workarounds for the flashing issues but I’ll look one last time. Some BIOS options are rather obscure…

Ok I think I found the hidden BIOS option (Me FW Image Re-Flash) at variable 0x70D so let’s try this first:

1. Download the attachment and place the “efi” folder at the root of a USB drive
2. Boot from it while the system starts
3. Run “setup_var 0x70D” and you should see 0x00 (zero) as in Disabled
4. Run “setup_var 0x70D 0x01” and that should set the hidden option to Enabled
5. Reboot and run Flash Programming Tool with the command "fptw -d -me me.bin"
6. Do you see a CPU access error or does it complete successfully?

efi.zip (765 KB)

Hello again.


MEInfo and MEManuf are ready.

MEInfo.txt (5.99 KB)

MEManuf.txt (6.03 KB)



Well, I have good news and bad news. The good news is that this worked! Well, I had to change the FPT command ("fptw -me -f me.bin") but it worked. When I bounced back to the BIOS, it showed the downgraded ME firmware (11.7.4.3314). Amazing work. :slight_smile: The bad news is that HDCP 2.2 is still broken. I also downgraded the LSPCON firmware to 1.66 (the original version on the board), thankfully with no trickery involved. Same result. I suppose it’s possible the LSPCON downgrade somehow screwed up but nothing in the logs seems to indicate as such to me. "LSPCON Ports" is still "None" under MEInfo, for example.

I’ve done some more research and think I’ve narrowed down the results. Intel has a white paper on High Dynamic Range (HDR) support. I read it, and it’s probably the most cohesive document regarding what exactly goes where. It looks like, as expected, the CSME firmware is required in order to achieve A/V link protection via HDCP 2.2. The LSPCON chip also must support HDCP 2.2, and does so by having a key loaded onto the chip as needed. I’m guessing that the CSME FW opens a port and talks to the LSPCON chip over the port. The LSPCON chip then talks to the 4K display. (The LSPCON is unnecessary with DisplayPort 1.3 but I don’t have that option.) Here are the ideas I have in mind.

- The most likely problem (IMO) is that there was an LSPCON port that was assigned, and it somehow got nuked when I performed the 11.8 FW upgrade. If the LSPCON Port variable needs to be set, and there’s a way to write the correct value (fingers crossed that I’ll know what it is later today), I’m assuming it’ll be possible to reopen the full HDCP link. This should make Cyberlink happy.
- It’s possible the 11.8 FW upgrade somehow nuked the LSPCON HDCP key. I don’t believe this is likely, especially since Intel tells users to talk to the vendor (chip and/or motherboard), but stranger things have happened. I seriously doubt that my LSPCON FW up/downgrade path (1.66 -> 1.72 -> 1.66) broke anything. I’ve heard from other people who upgraded their LSPCON FW and had no playback issues.
- For unknown reasons, there’s a bug in the latest ME drivers that prevents the system from knowing how to access a proper value. Extremely unlikely. I reinstalled the drivers recommended by ASRock. That didn’t help.
- I’m completely wrong about all of this! :slight_smile:

Any more steps to follow? The only one I can think of is reprogramming the port, but if that turns out to not be the problem, I’m stumped.

Thanks again!

EDIT: Looking at Flash Image Tool, it looks like I have only four options for the LSPCON Ports value: None (obviously not working), PortB, PortC, and PortD. For some reason, I’m not allowed to choose PortA, even if I turn off the 5K display stuff (which is where PortA is currently assigned). Maybe there’s some way to flash this value into the firmware? I figure it can’t hurt to cycle through the values until things either work or I hit a wall. Alas, FIT won’t let me build anything. So, I need to figure that out.

EDIT 2: Damn. Looks like my LSPCON Ports theory was wrong. Somebody running on the Z170 version of my board, and who is able to get HDCP 2.2 to work and play UHD discs (albeit without HDR but that’s apparently a motherboard issue), sent me the following MEInfo breakdown. Anything interesting in here? It’s not quite apples-to-apples but I’d like to think it’s close enough.

Intel(R) MEInfo Version: 11.6.27.3264
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.




Windows OS Version : 10.0

FW Status Register1: 0x90000245
FW Status Register2: 0x00F60506
FW Status Register3: 0x00000420
FW Status Register4: 0x00084004
FW Status Register5: 0x00000000
FW Status Register6: 0x40000000

CurrentState: Normal
ManufacturingMode: Disabled
FlashPartition: Valid
OperationalState: CM0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
SPI Flash Log: Present
Phase: ROM/Preboot
ICC: Valid OEM data, ICC programmed
ME File System Corrupted: No
PhaseStatus: AFTER_SRAM_INIT
FPF and ME Config Status: Match
FW Capabilities value is 0x31101140
Feature enablement is 0x11101140
Platform type is 0x71240322
No Intel Wireless device was found
Intel(R) ME code versions:

Table Type 133 ( 0x 85 ) found, size of 0 (0x 00 ) bytes
BIOS Version P7.10
Table Type 133 ( 0x 85 ) found, size of 0 (0x 00 ) bytes
Table Type 0 ( 0x 00 ) found, size of 67 (0x 43 ) bytes
Table Type 1 ( 0x 01 ) found, size of 166 (0x A6 ) bytes
Table Type 2 ( 0x 02 ) found, size of 127 (0x 7F ) bytes
Table Type 3 ( 0x 03 ) found, size of 141 (0x 8D ) bytes
Table Type 9 ( 0x 09 ) found, size of 24 (0x 18 ) bytes
Table Type 11 ( 0x 0B ) found, size of 29 (0x 1D ) bytes
Table Type 32 ( 0x 20 ) found, size of 22 (0x 16 ) bytes
Table Type 40 ( 0x 28 ) found, size of 22 (0x 16 ) bytes
Table Type 7 ( 0x 07 ) found, size of 29 (0x 1D ) bytes
Table Type 4 ( 0x 04 ) found, size of 190 (0x BE ) bytes
Table Type 16 ( 0x 10 ) found, size of 25 (0x 19 ) bytes
Table Type 17 ( 0x 11 ) found, size of 109 (0x 6D ) bytes
Table Type 19 ( 0x 13 ) found, size of 33 (0x 21 ) bytes
Table Type 20 ( 0x 14 ) found, size of 37 (0x 25 ) bytes
Table Type 130 ( 0x 82 ) found, size of 22 (0x 16 ) bytes
MEBx Version 10.0.0.0001
GbE Version 0.8
Vendor ID 8086
PCH Version 31
FW Version 11.7.4.3314 H
LMS Version 11.7.0.1035
MEI Driver Version 11.7.0.1032
Wireless Hardware Version Not Available
Wireless Driver Version Not Available

FW Capabilities 0x31101140

Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Service Advertisement & Discovery - NOT PRESENT
Intel(R) NFC Capabilities - NOT PRESENT
Intel(R) Platform Trust Technology - PRESENT/DISABLED

Intel(R) AMT State Disabled
TLS Disabled
Last ME reset reason Power up
Local FWUpdate Enabled
BIOS Config Lock Enabled
GbE Config Lock Enabled
Get flash master region access status…done
Host Read Access to ME Disabled
Host Write Access to ME Disabled
Get EC region access status…done
Host Read Access to EC Enabled
Host Write Access to EC Enabled
Protected Range Register Base #0 0x0
Protected Range Register Limit #0 0x0
Protected Range Register Base #1 0x0
Protected Range Register Limit #1 0x0
Protected Range Register Base #2 0x0
Protected Range Register Limit #2 0x0
Protected Range Register Base #3 0x0
Protected Range Register Limit #3 0x0
Protected Range Register Base #4 0x0
Protected Range Register Limit #4 0x0
SPI Flash ID 1 C22018
SPI Flash ID 2 Unknown
BIOS boot State Post Boot
OEM ID 00000000-0000-0000-0000-000000000000
Capability Licensing Service Enabled
OEM Tag 0x00000001
Slot 1 Board Manufacturer 0x00000000
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
M3 Autotest Disabled
C-link Status Disabled
Independent Firmware Recovery Disabled
EPID Group ID 0xF85

Retrieving Variable "LSPCON Port Configuration"
LSPCON Ports None

Retrieving Variable "eDP Port Configuration"
5K Ports None
OEM Public Key Hash FPF 0000000000000000000000000000000000000000000000000000000000000000

Retrieving Variable "OEM Public Key Hash"
OEM Public Key Hash ME 0000000000000000000000000000000000000000000000000000000000000000
ACM SVN FPF 0x0
KM SVN FPF 0x0
BSMM SVN FPF 0x0
GuC Encryption Key FPF 0000000000000000000000000000000000000000000000000000000000000000

Retrieving Variable "GuC Encryption Key"
GuC Encryption Key ME 0000000000000000000000000000000000000000000000000000000000000000

FPF ME
— –
Force Boot Guard ACM Disabled
Retrieving Variable "Force Boot Guard ACM Enabled"
Disabled
Protect BIOS Environment Disabled
Retrieving Variable "Protect BIOS Environment Enabled"
Disabled
CPU Debugging Enabled
Retrieving Variable "CPU Debugging"
Enabled
BSP Initialization Enabled
Retrieving Variable "BSP Initialization"
Enabled
Measured Boot Disabled
Retrieving Variable "Measured Boot Enabled"
Disabled
Verified Boot Disabled
Retrieving Variable "Verified Boot Enabled"
Disabled
Key Manifest ID 0x0
Retrieving Variable "Key Manifest ID"
0x0
Enforcement Policy 0x0
Retrieving Variable "Error Enforcement Policy"
0x0
PTT Enabled
Retrieving Variable "Intel(R) PTT Supported"
Enabled
PTT Lockout Override Counter 0x0
EK Revoke State Not Revoked
PTT RTC Clear Detection FPF 0x0


EDIT 3: Please hold. I finally got somebody on the phone at ASRock. The tech claimed he had software that’ll fix the problem, and he’ll be sending it to me momentarily. If it works, I’ll post a description of what I did and bow out from further discussion. No matter what, this has been a very enlightening few days. :slight_smile: My last real time spent hardware hacking was 15 years ago. I’ve always missed it. I’ve just never quite gotten around to trying it again.

Intel CSME 11.11 Consumer PCH-H Firmware v11.11.50.1422

Capture.PNG



Thanks to SD/Fdrsoft/Pacman for the new firmware!

@ crown_nick:

Very interesting White Paper. I will look into it myself as well, for informational purposes, even if I don’t have a system capable of these new technologies. Very interesting edits as well, let’s see what ASRock has to say about this. What is the problem with FIT building? There shouldn’t be any. What I would try is reflashing the entire older/11.7 SPI image from ASRock via “fptw -f spi.bin” followed by “fptw -greset”. If that doesn’t solve the issue then it’s not BIOS/CSME related (since it worked before), so maybe OS, Cyberlink, LSPCON firmware? But let’s wait for ASRock’s reply first. Things are looking good now though, especially since you can reflash the CSME firmware and thus the entire SPI chip via software.

@ Gleb:

Please compress the two text files into a zip/rar archive and attach that. The forum is buggy when it comes to txt attachments (try it yourself).

Done.

Desktop.rar (1.83 KB)

Intel CSME System Tools v11 r6 (Updated)

@ crown_nick:

There is a new BIOS for your board which updates CSME to 11.8.50.3425 and “Enables Intel SGX” apparently. Maybe there was a bug before? Check it out.

@ Gleb:

As can be seen from the reports, you need to “CHECK_BUP_OVERRIDE_STRAP”. You must have set some sort of motherboard jumper or BIOS option which temporarily disables the CSE.

@ plutomaniac


I did not do anything with my mobo (jumpers) and BIOS. I didn’t find CSE in my BIOS. The only thing I did with my PC was install “MEUpdateTool” from ASUS.

As I understand it, this updated the ME FW, and now in the BIOS I have 11.8.50.3399 and a lot of problems.

MEUpdateTool_UI_20171103_TP.zip (3.71 MB)

1. Download the attachment and place the “efi” folder at the root of a USB drive
2. Boot from the USB drive while the system starts (UEFI boot mode)
3. At the EFI shell, run “setup_var 0x6A9 0x01” command
4. Reboot manually/forcefully via Ctrl+Alt+Del or similar
5. Run Flash Programming Tool with the command "fptw -me -d me.bin"
6. If it completes successfully, compress & upload me.bin file

efi.zip (765 KB)

@ plutomaniac

Error 365: Invalid parameter value specified by user. Use -? option to see help.

Did I do something wrong?

FPT.rar (1.62 KB)

You didn’t type any command, how is it supposed to work? Equivalently, since you use FPT Windows x64, the command would be “fptw64 -d spi.bin”. Follow the steps again from the beginning and type a proper command this time.

Ready.

https://1drv.ms/u/s!AtOeP3QiQa3Vg5wyKkfFLpRiYcfDXg

Alright, download the fixed SPI image and flash via “fptw64 -f spi_fix.bin” followed by “fptw64 -greset”. The problem should be solved after the reboot.

http://www.mediafire.com/file/5l12gll0mobr1ob/spi_fix.rar