Intel (Converged Security) Management Engine: Drivers, Firmware and Tools (2-15)

plutomaniac:
Do you know how to install the Intel MEI v11.0.6.1194 (AMT 6 & 7 Corporate) Drivers & Software from your first post on an AMT 7 Corporate board with ME firmware v7.1.91.3272?

Setup only installs the MEI driver; according to the log, there is a problem detecting the FW version:

Getting FW version.
Message sent.
Waiting for FW version response.
Message received
E Wrong device answer length
Disconnecting driver interface.
E Error detecting SKU, Defaulting to MEI only.


Any idea how to skip this check or force installation of everything?

The last version which installs everything is Intel MEI 10.0.39.1003 Corporate.

Thanks.

Intel CSME 11.8 Slim PCH-H Firmware v11.8.50.3425 (INTEL-SA-00086)




Intel CSME 11.8 Slim PCH-LP Firmware v11.8.50.3425 (INTEL-SA-00086)




Notice for INTEL-SA-00086 vulnerability: (screenshot attached)



Tip: You can wait for Apple to release their new UEFI updates with CSME v11.8.50.3425 Slim H/LP when macOS 10.13.3 is out of beta.

There is a new Intel Management Engine driver, ver. 11.7.0.1057, dated 11/19/2017, here: https://necacom.net/index.php/intel/mei/…1-7-0-1065-whql

Intel MEI v11.7.0.1065 for Consumer systems Drivers & Software
Intel MEI Driver v11.7.0.1057 (Windows 8 & Windows 10) INF for manual installation
Intel MEI Driver v11.7.0.1057 (Windows XP & Windows 7) INF for manual installation

Intel CSME 11.21 Corporate PCH-H Firmware v11.21.50.1429




Intel CSME 11.11 Consumer PCH-H Firmware v11.11.50.1436




Intel CSME System Tools v11 r6 (ReUp)

Be careful with that archive; the files inside are from 2012 and 2016, and I did not even scan them for malware - deleted.

I managed to update my ASRock B85M Pro4's ME firmware from 9.0 to 9.1 using an update provided by Lenovo for their ThinkStations. I was originally trying to extract FWUpdate.exe, but the Lenovo utility ended up automatically flashing the firmware without any error.
Now the SA-00086 detection tool says my vulnerability has been patched and I am on the latest version, 9.1.42.3002.

I can't run MEInfo to verify, but everything seems to be working ATM.



I think I have a similar issue with updating the ME firmware to fix the Intel-SA-00086 vulnerability on an ASUS Z170-A motherboard with an i7-6700K on the latest BIOS 3504. FWUpdLcl64.exe gives "Error 8719: Firmware update cannot be initiated because Local Firmware update is disabled". Details are on the ASUS forums if anyone is interested. ASUS support suggests that it is "obviously" a hardware fault or damaged firmware and that I should send my motherboard to the service center of the shop where I purchased it. From what I have found on the net regarding Error 8719, it is a BIOS bug. The BIOS is working fine, no crashes; I even tried running MEManuf from Intel CSME System Tools v11 r6, which checks whether the ME is operating correctly if I understood it right, and it gives no errors.

Intel MEInfo 11.8.50.3425 also reports Local FWUpdate as Disabled. Does anyone know if there is any way to enable it so that I can update my ME firmware? Or is the only solution to wait for ASUS to release a new BIOS for my motherboard and hope that they fix it?

Seems like Intel is going to implode. Another security flaw affecting AMT was just discovered:

https://www.techspot.com/news/72736-inte…-corporate.html

That's no flaw (or you could say an unknown or undocumented feature). If you don't change any default passwords, it's just your own fault. I can't believe some security experts consider this a security flaw. You could then say that any computer with remote management (IMM, iLO, DRAC) is flawed by default, or that any device which uses login credentials (pretty much everything) is flawed.



I think I have a similar issue with updating the ME firmware to fix the Intel-SA-00086 vulnerability on an ASUS Z170-A motherboard with an i7-6700K on the latest BIOS 3504. FWUpdLcl64.exe gives "Error 8719: Firmware update cannot be initiated because Local Firmware update is disabled". Details are on the ASUS forums if anyone is interested…




So today ASUS released a new BIOS 3703 for the Z170-A, and I still get Error 8719 and can't update the vulnerable ME firmware. Is there any way to enable Local Firmware update?

If not, what can I do to reduce the security impact of outdated and vulnerable ME firmware? Please note that I am not a security specialist; I'm just wondering what I can do to prevent remote exploits from the network. For example, I assume that using the Intel NIC on the motherboard is not recommended?


That option is controlled by a BIOS setting. It might be hidden in your BIOS menu, but it's definitely there. ASUS should have it set to Enabled by default, not Disabled.

You said that you downloaded the BIOS image from ASUS, flashed it, and then updated the CSME firmware via the FWUpdate tool. Then you checked that same downloaded ASUS BIOS with MEA and expected it to have its CSME firmware updated as well. Do you see the error in your logic?

Alright. The bottom line is this: MEA checks the Engine firmware of a given input file, not the one already operating in the system's SPI/BIOS chip. So if you don't manually update the downloaded ASUS SPI/BIOS image, you won't see any change in MEA. Anyway, thank you for using ME Analyzer, Gus.Ghanem.
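To make the file-versus-chip distinction concrete, here is an added example (not ME Analyzer's code and not from any post in this thread) that reads the Engine firmware version straight out of a SPI/BIOS image file. It scans for "$MN2" partition manifests and decodes the header fields a practitioner cares about. The layout it relies on (ModuleVendor 0x8086 at header offset 0x10, BCD build date at 0x14, the tag at 0x1C, four little-endian 16-bit version fields at 0x24) is the publicly documented one for ME 6 through CSME 11 and is taken here as an assumption; the sample image, its build date and the `RUNNING_AFTER_FWUPDATE` value are constructed for the demonstration. Unlike MEA it does not walk the partition table, so it reports every manifest it finds, not only FTPR.

```python
"""Read the Engine firmware version(s) embedded in a SPI/BIOS image file.

Added example: a minimal stand-in for what ME Analyzer does on an input
file. Whatever FWUpdate wrote to the chip, the bytes in the downloaded
capsule do not change, so this function will keep reporting the version
that was built into the file.
"""
import struct
from typing import List, Tuple

MN2_TAG = b"$MN2"
VENDOR_OFFSET = 0x10     # ModuleVendor, 0x8086 for Intel-signed manifests (assumed layout)
DATE_OFFSET = 0x14       # build date as BCD YYYYMMDD (assumed layout)
TAG_OFFSET = 0x1C        # "$MN2" sits here inside the manifest header (assumed layout)
VERSION_OFFSET = 0x24    # Major, Minor, Hotfix, Build as uint16 LE (assumed layout)

Version = Tuple[int, int, int, int]


def find_mn2_versions(image: bytes) -> List[Tuple[int, Version, str]]:
    """Return (manifest offset, version tuple, BCD date) for every Intel $MN2 manifest."""
    found = []
    pos = image.find(MN2_TAG)
    while pos != -1:
        hdr = pos - TAG_OFFSET
        if hdr >= 0 and hdr + VERSION_OFFSET + 8 <= len(image):
            (vendor,) = struct.unpack_from("<I", image, hdr + VENDOR_OFFSET)
            if vendor == 0x8086:  # filter out random "$MN2" byte sequences
                (date,) = struct.unpack_from("<I", image, hdr + DATE_OFFSET)
                ver = struct.unpack_from("<HHHH", image, hdr + VERSION_OFFSET)
                found.append((hdr, ver, f"{date:08x}"))
        pos = image.find(MN2_TAG, pos + len(MN2_TAG))
    return found


def version_str(v: Version) -> str:
    return ".".join(str(x) for x in v)


def image_needs_update(image: bytes, running: Version) -> bool:
    """True when the newest firmware inside the file is older than what the system runs."""
    versions = [v for _, v, _ in find_mn2_versions(image)]
    if not versions:
        raise ValueError("no Intel $MN2 manifest found in image")
    return max(versions) < running


def build_fake_manifest(ver: Version, date_bcd: int) -> bytes:
    """Constructed header with only the fields this script reads populated."""
    hdr = bytearray(VERSION_OFFSET + 8)
    struct.pack_into("<I", hdr, VENDOR_OFFSET, 0x8086)
    struct.pack_into("<I", hdr, DATE_OFFSET, date_bcd)
    hdr[TAG_OFFSET:TAG_OFFSET + 4] = MN2_TAG
    struct.pack_into("<HHHH", hdr, VERSION_OFFSET, *ver)
    return bytes(hdr)


# Constructed sample image: erased-flash padding around one manifest carrying
# the version the posted MEInfo output reports as running (11.6.10.1196).
SAMPLE_IMAGE = (b"\xff" * 0x1000
                + build_fake_manifest((11, 6, 10, 1196), 0x20161121)
                + b"\xff" * 0x1000)
# Assumed: the system was afterwards updated with FWUpdate to the SA-00086 fix.
RUNNING_AFTER_FWUPDATE: Version = (11, 8, 50, 3425)

if __name__ == "__main__":
    for off, ver, date in find_mn2_versions(SAMPLE_IMAGE):
        print(f"manifest at 0x{off:X}: {version_str(ver)} built {date}")
    print("file is older than the running firmware:",
          image_needs_update(SAMPLE_IMAGE, RUNNING_AFTER_FWUPDATE))
```

Run against a real capsule this will list the FTPR manifest (and, on ME 11, the other code partitions); compare the result with the "FW Version" line from MEInfo on the live system, which is the only thing FWUpdate changes.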


Thank you for your reply, Gus.Ghanem. From your previous post, I assume you were using BIOS 3504 when you updated your ME firmware?

You have Local FWUpdate set to Enabled in both of your MEInfo outputs. I don't understand how I can then have it disabled on the same motherboard and with the same BIOS versions. I already tried clearing CMOS using the jumper and by removing the battery with the plug disconnected; that didn't help reset the Local FWUpdate setting. I also tried resetting to default settings in the BIOS; it doesn't make a difference.

I certainly didn't mess with my BIOS or ME before that. I think I only updated it a couple of times with official firmware from the ASUS site using EZ Flash from the BIOS UI; it always went without a problem and worked fine.


That option is controlled by a BIOS setting. It might be hidden in your BIOS menu, but it's definitely there. ASUS should have it set to Enabled by default, not Disabled.




@plutomaniac , do you by any chance know what can cause this difference? Below is my output from MEInfo and MEManuf.

Intel(R) MEInfo Version: 11.8.50.3425
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.



Intel(R) ME code versions:

BIOS Version 3703
MEBx Version 0.0.0.0000
GbE Version 0.7
Vendor ID 8086
PCH Version 31
FW Version 11.6.10.1196 H
Security Version (SVN) 1
LMS Version 11.7.0.1043
MEI Driver Version 11.7.0.1040
Wireless Hardware Version Not Available
Wireless Driver Version Not Available

FW Capabilities 0x11111540

Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED

Re-key needed False
Platform is re-key capable True
TLS Disabled
Last ME reset reason Global system reset
Local FWUpdate Disabled
BIOS Config Lock Enabled
GbE Config Lock Enabled
Host Read Access to ME Enabled
Host Write Access to ME Disabled
Host Read Access to EC Disabled
Host Write Access to EC Disabled
SPI Flash ID 1 EF4018
SPI Flash ID 2 Unknown
BIOS boot State Post Boot
OEM ID 00000000-0000-0000-0000-000000000000
Capability Licensing Service Enabled
OEM Tag 0x00000000
Slot 1 Board Manufacturer 0x00000000
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
M3 Autotest Disabled
C-link Status Disabled
Independent Firmware Recovery Disabled
EPID Group ID 0xF81
LSPCON Ports None
5K Ports None
OEM Public Key Hash FPF 0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash ME 0000000000000000000000000000000000000000000000000000000000000000
ACM SVN FPF 0x0
KM SVN FPF 0x0
BSMM SVN FPF 0x0
GuC Encryption Key FPF 0000000000000000000000000000000000000000000000000000000000000000
GuC Encryption Key ME 0000000000000000000000000000000000000000000000000000000000000000

FPF ME
— –
Force Boot Guard ACM Disabled Disabled
Protect BIOS Environment Disabled Disabled
CPU Debugging Enabled Enabled
BSP Initialization Enabled Enabled
Measured Boot Disabled Disabled
Verified Boot Disabled Disabled
Key Manifest ID 0x0 0x0
Enforcement Policy 0x0 0x0


Intel(R) MEManuf Version: 11.8.50.3425
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.


Windows OS Version : 10.0

FW Status Register1: 0x94000245
FW Status Register2: 0x00F60506
FW Status Register3: 0x00000420
FW Status Register4: 0x00084000
FW Status Register5: 0x00000000
FW Status Register6: 0x40000000

CurrentState: Normal
ManufacturingMode: Disabled
FlashPartition: Valid
OperationalState: CM0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
SPI Flash Log: Not Present
Phase: ROM/Preboot
ICC: Valid OEM data, ICC programmed
ME File System Corrupted: No
PhaseStatus: AFTER_SRAM_INIT
FPF and ME Config Status: Match

FW Capabilities value is 0x11111540
Feature enablement is 0x11111140
Platform type is 0x71220322
No Intel Wireless device was found
Feature enablement is 0x11111140
ME initialization state valid
ME operation mode valid
Current operation state valid
ME error state valid
OEM ICC data valid and programmed correctly
MFS is not corrupted
PCH SKU Emulation is correct
FPF and ME Config values matched

Request Intel(R) ME BIST status command… done

Get Intel(R) ME test data command… done

Get Intel(R) ME test data command… done
Total of 11 Intel(R) ME test result retrieved


Policy Kernel - Boot Guard : Self Test - Passed
MCA - MCA Tests : Blob - Passed
MCA - MCA Tests : MCA Manuf - Passed
SMBus - SMBus : Read byte - Passed
VDM - General : VDM engine - Passed
PAVP - General : Verify Edp and Lspcon Configurations - Passed
PAVP - General : Set Lspcon Port - Passed
PAVP - General : Set Edp Port - Passed

Clear Intel(R) ME test data command… done




MEManuf Operation Passed


EDIT: link to diff of our MEInfo and MEManuf results
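Most of the human-readable lines MEManuf prints after "FW Status Register1" (CurrentState, ManufacturingMode, FlashPartition, OperationalState, InitComplete, BUPLoadState, ErrorCode, ModeOfOperation) are just bit fields of that one register, HFSTS1 on the HECI/MEI PCI device. The following added example (written for this thread, not Intel's or the poster's code) decodes the posted value 0x94000245 so the two halves of the output can be cross-checked. The bit layout is the publicly documented HFS structure as used in coreboot; assuming it holds unchanged from ME 7 through CSME 11 is an assumption, and the "Recovery / Image Failure" value in the test is constructed. Note that MEManuf spells the operation state "CM0 with UMA" where the decoder below says "M0 with UMA", and that the Local FWUpdate flag discussed above is not in this register at all.

```python
"""Decode the Intel ME/CSME Host Firmware Status register 1 (HFSTS1).

Added example. HFSTS1 lives at PCI config offset 0x40 of the MEI device and
is what MEManuf prints as "FW Status Register1". Layout (assumed valid for
ME 7 through CSME 11, as in coreboot's me.h):
  bits 0-3  working state     bit 9      fw init complete
  bit 4     manufacturing mode bit 10    BUP load failure
  bit 5     flash partition bad bit 11   update in progress
  bits 6-8  operation state   bits 12-15 error code
  bits 16-19 operation mode   bit 24     boot options present
"""
from dataclasses import dataclass

WORKING_STATE = {0: "Reset", 1: "Initializing", 2: "Recovery", 5: "Normal",
                 6: "Platform Disable Wait", 7: "OP State Transition",
                 8: "Invalid CPU Plugged In"}
OPERATION_STATE = {0: "Preboot", 1: "M0 with UMA", 4: "M3 without UMA",
                   5: "M0 without UMA", 6: "Bring up",
                   7: "M0 without UMA but with error"}
OPERATION_MODE = {0: "Normal", 2: "Debug", 3: "Soft Temporary Disable",
                  4: "Security Override via Jumper",
                  5: "Security Override via MEI Message"}
ERROR_CODE = {0: "No Error", 1: "Uncategorized Failure", 3: "Image Failure",
              4: "Debug Failure"}


def bits(value: int, lo: int, width: int) -> int:
    """Extract `width` bits starting at bit position `lo`."""
    return (value >> lo) & ((1 << width) - 1)


def name(table: dict, code: int) -> str:
    return table.get(code, f"Unknown ({code})")


@dataclass
class Hfsts1:
    working_state: str          # MEManuf "CurrentState"
    manufacturing_mode: bool    # "ManufacturingMode"
    flash_partition_bad: bool   # inverse of "FlashPartition: Valid"
    operation_state: str        # "OperationalState"
    init_complete: bool         # "InitComplete"
    bup_load_failure: bool      # inverse of "BUPLoadState: Success"
    update_in_progress: bool
    error_code: str             # "ErrorCode"
    operation_mode: str         # "ModeOfOperation"
    boot_options_present: bool


def decode_hfsts1(reg: int) -> Hfsts1:
    return Hfsts1(
        working_state=name(WORKING_STATE, bits(reg, 0, 4)),
        manufacturing_mode=bool(bits(reg, 4, 1)),
        flash_partition_bad=bool(bits(reg, 5, 1)),
        operation_state=name(OPERATION_STATE, bits(reg, 6, 3)),
        init_complete=bool(bits(reg, 9, 1)),
        bup_load_failure=bool(bits(reg, 10, 1)),
        update_in_progress=bool(bits(reg, 11, 1)),
        error_code=name(ERROR_CODE, bits(reg, 12, 4)),
        operation_mode=name(OPERATION_MODE, bits(reg, 16, 4)),
        boot_options_present=bool(bits(reg, 24, 1)),
    )


def is_healthy(reg: int) -> bool:
    """Sanity check before/after a FWUpdate attempt: firmware fully up, Normal
    mode, no error, no half-finished update."""
    s = decode_hfsts1(reg)
    return (s.working_state == "Normal" and s.operation_mode == "Normal"
            and s.init_complete and not s.flash_partition_bad
            and not s.bup_load_failure and not s.update_in_progress
            and s.error_code == "No Error")


# Value from the MEManuf output posted above (ASUS Z170-A, CSME 11.6.10.1196).
POSTED_HFSTS1 = 0x94000245

if __name__ == "__main__":
    st = decode_hfsts1(POSTED_HFSTS1)
    for field, value in vars(st).items():
        print(f"{field:22} {value}")
    print("healthy:", is_healthy(POSTED_HFSTS1))
```

On Linux the same dword can be read without Intel's tools with `setpci -s 00:16.0 0x40.L` (the MEI device is normally at 00:16.0) and fed to `decode_hfsts1`; a value that decodes to "Recovery" or a non-zero error code explains a failed update far better than the generic FWUpdate error text.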

I have a question and am looking for an answer. On my Z97 board I was reading the Intel website, specifically the page about the Intel ME issue. Here is the link:

https://security-center.intel.com/adviso…anguageid=en-fr

Scrolling down to the chart that lists the generations, mine is 4th gen. It states that the recommended ME firmware is 9.1.42.3002 and 9.5.61.3012. Digging around (and I may be wrong), I think the 3012 is for laptops and the 3002 is for desktops. I came here looking for the firmware and all I see is 9.1.37.1002. Am I wrong that I (or we) should stay at 9.1.37.1002 for us 9-series folks, or is 9.1.42.3002 the newest? Just wondering.


I have the same CPU. Maybe in my case the setting got changed in one of the older BIOS updates and not reset in the new ones? I can only guess, so an expert opinion or participation from ASUS representatives would be needed to figure this out; however, their support was not helpful, and there has been no response from them in my thread on the ASUS forums.

I have tried everything and can't upgrade my MB. Either I get a message that there is another upgrade in progress, or SKU wrong, etc. Can anyone help? Thanks.

My info:

Intel(R) MEInfo Version: 9.1.42.3002
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.

Intel(R) ME code versions:

BIOS Version: 3003
MEBx Version: 0.0.0.0000
Gbe Version: 0.1
VendorID: 8086
PCH Version: 0
FW Version: 9.1.25.1005 H
LMS Version: Not Available
MEI Driver Version: 11.0.0.1157
Wireless Hardware Version: Not Available
Wireless Driver Version: Not Available

FW Capabilities: 0x51101940

Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Service Advertisement & Discovery - PRESENT/ENABLED

TLS: Disabled
Last ME reset reason: Power up
Local FWUpdate: Enabled
BIOS Config Lock: Enabled
GbE Config Lock: Enabled
Host Read Access to ME: Disabled
Host Write Access to ME: Disabled
SPI Flash ID #1: EF4017
SPI Flash ID VSCC #1: 20252025
SPI Flash BIOS VSCC: 20252025
BIOS boot State: Post Boot
OEM Id: 00000000-0000-0000-0000-000000000000
Capability Licensing Service: Enabled
OEM Tag: 0x00000000
Localized Language: Unknown
Independent Firmware Recovery: Disabled
OEM Public Key Hash (FPF): 0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash (ME):
ACM SVN FPF: 0x0
KM SVN FPF: 0x0
BSMM SVN FPF: 0x0

FPF ME
— –
Force Boot Guard ACM: Disabled
Protect BIOS Environment: Disabled
CPU Debug Disabled: Disabled
BSP Initialization Disabled: Disabled
Measured Boot: Disabled
Verified Boot: Disabled
Key Manifest ID: 0x0
Enforcement Policy: 0x0

-------[ ME Analyzer v1.42.0 r110 ]-------

File: MAXIMUS-VII-FORMULA-ASUS-3003.CAP (1/1)

Family: ME
Version: 9.1.25.1005
Release: Production
Type: Region, Extracted
SKU: 1.5MB
SVN: 1
VCN: 11
PV: Yes
Date: 2014-12-01
FITC Ver: 9.1.10.1000
Size: 0x17D000
Platform: LPT/WPT
Latest: No

Update:

Never mind. It worked after updating the drivers…

^
9.1.42.3002 is the Corporate (5MB) ME... you need 9.1.37.1002 (1.5MB) to be flashed...

Intel(R) MEInfo Version 9.1.42.3002 is the latest program from the r4 version of the tools. I was trying to flash 9.1.37.1002 (1.5MB). Anyway, it worked after first updating the Windows drivers...

Hi,

I have updated the ME on some systems in the past, but on a Lenovo U330p MEInfo says that the currently installed version is 9.5.13.1706 LP, which leaves me a little puzzled.

Since 9.5 doesn't seem to have different versions for H and LP, is it safe to assume that it is okay to flash 9.5.60.1952?

Thank you!