Intel (Converged Security) Management Engine: Drivers, Firmware and Tools (2-15)

Special Topics Intel Management Engine
4378

Hi KaoDome, that’s a pretty deep dive you’ve made there. Even checked the File System out, very impressive.


Indeed they have. That’s why I was asking for those logs back then. They are no longer needed as I have sorted out how to distinguish the chipset steppings for each firmware now but it’s always good to have them here for future reference.


Exactly, OEM FIT configuration (MFS File 7) is useless for FWUpdate use. Only the stock/static Intel configuration (MFS File 6) is needed. The rest of the MFS Files (1-5, 8+) are present at Initialized/dumped firmware so that’s why you saw them. These can be removed by following [Guide] Clean Dumped Intel Engine (CS)ME/(CS)TXE Regions with Data Initialization.


Ha, interesting thought but it is not actually that sensitive. Each Chipset has its own key but HMAC is used for integrity and combines the hash of said key with a secret Intel private key which is known only to them. Since you cannot reverse a hash (MD5 in this case) to get the original content and the Intel private key is safeguarded, there is nothing to fear from those HMACs.


Yes I have noticed that as well. It is Intel being weird as far as I can tell. I have seen CNP-LP systems which report at MEInfo C, others D and even some A (probably a MEInfo bug at older versions). Both CNP-LP C and CNP-LP D are the same firmware-wise. MEA detects them as CNP-LP C because that’s what the firmware reports so go figure… Basically, for all released/Production CNP-LP systems, users need PCH-LP C firmware. One small exception is that one (literally one) Lenovo 330-15ICN laptop (stepping B) which was released very early so that Intel could say/reassure that “hey, we managed to release 1 Cannon Lake CPU in 2018”. Cannon Lake is dead now so we know how that turned out.


Yes it does. The Dell Updater basically uses a lite FWUpdate EFI variant called “FWUpdate Reduced Size (RS)” so it fully respects the FD locks and the SVN/VCN/PV-bit restrictions of CSME and PMC firmware upgrades/downgrades.


Technically yes. I think the Dell Updater automatically skips updating the Engine firmware when it detects that it is newer so it should continue to update the BIOS, EC or whatever else it wants to. I agree with you though, you can wait for Dell to release newer firmware and avoid any potential issues, even if nothing like that has been reported here, if I remember properly. Dell is generally decent to good when it comes to Engine firwmware updates so yeah you can wait for them.


Thank you for your kind words, much appreciated. All this wouldn’t be possible without members such as you.

4379

Intel CSME 12.0 Consumer PCH-LP C Firmware v12.0.32.1420

Capture.PNG

4380

Intel CSME 11.8 Corporate PCH-H D,A Firmware v11.8.65.3572

Capture.PNG

4381

Greetings! I know this is a stupid question but I can’t seem to find the answer anywhere, so please be patient with me :slight_smile:
I’m thinking about updating the ME firmware on my laptop I fount out that it need Consumer PCH-LP 11.8 (it has 11.5 currently), but I can’t seem to figure out if I need the PDM or NOPDM version.
Thanks in advance!

4382

What laptop is that exactly? We cannot guess it. From Intel CSME System Tools v11, run FWUpdate tool with parameter “-save upd.bin”. Once it’s done, drop “upd.bin” file into ME Analyzer and check the “Power Down Mitigation” status.

4383

It is an Acer laptop running H2O bios if I remember correctly. Here is the screenshot of the current Intel ME firmware, and the two other I found might be the correct version. The middle one is the NOPDM one (if I’m right).

Capture.PNG

4384

ME-FW_12.0.31.1416+PMC_300.2.11.1020

info.jpg



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
 
Intel (R) MEInfo Version: 12.0.22.1310
Copyright (C) 2005 - 2018, Intel Corporation. All rights reserved.
 
Intel(R) ME code versions:
 
BIOS Version                                 1.41
MEBx Version                                 0.0.0.0000
GbE Version                                  Unknown
Descriptor Version                           1.0
Vendor ID                                    8086
FW Version                                   12.0.31.1416 H Consumer
LMS Version                                  Not Available
MEI Driver Version                           1904.12.0.1208
 
PMC FW Version                               300.2.11.1020
 
PCH Information
    PCH Version                              11
    PCH Device ID                            A305
    PCH Step Data                            B1
    PCH SKU Type                             Production Pre-QS Revenue
    PCH Replacement Counter                  0
    PCH Replacement State                    Disabled
    PCH Unlocked State                       Disabled
 
FW Capabilities                              0x31119140
 
    Protect Audio Video Path - PRESENT/ENABLED
    Intel(R) Dynamic Application Loader - PRESENT/ENABLED
    Intel(R) Platform Trust Technology - PRESENT/DISABLED
    Persistent RTC and Memory - PRESENT/ENABLED
 

Capability Licensing Service                 Enabled
End of Manufacturing Enable                  No
Local FWUpdate                               Enabled
OEM ID                                       00000000-0000-0000-0000-000000000000
Integrated Sensor Hub Initial Power State    Disabled
Intel(R) PTT Supported                       Yes
Intel(R) PTT initial power-up state          Disabled
OEM Tag                                      0x00
PAVP Supported                               Yes
Post Manufacturing NVAR Config Enabled       Yes
TLS                                          Disabled
 
FW Type                                      Production
Last ME reset reason                         Global system reset
BIOS Config Lock                             Enabled
GbE Config Lock                              Enabled
Host Read Access to ME                       Enabled
Host Write Access to ME                      Enabled
Host Read Access to EC                       Enabled
Host Write Access to EC                      Enabled
SPI Flash ID 1                               EF4018
SPI Flash ID 2                               Not Available
BIOS boot State                              Post Boot
Slot 1 Board Manufacturer                    0x00000000
Slot 2 System Assembler                      0x00000000
Slot 3 Reserved                              0x00000000
M3 Autotest                                  Disabled
Minimum Allowed Anti Rollback SVN            1
Image Anti Rollback SVN                      5
Trusted Computing Base SVN                   1
Re-key needed                                False
HW Binding                                   Enabled
 

                                             FPF         UEP         ME FW
                                                       *In Use
                                             ---         ---         -----
Enforcement Policy                           Not set     0x00        0x00
EK Revoke State                              Not set     Not Revoke  Not Revoke
PTT                                          Not set     Enabled     Enabled
OEM ID                                       Not set     0x00        0x00
OEM Key Manifest Present                     Not set     Not Present Not Present
OEM Platform ID                              Not set     0x00        0x00
OEM Secure Boot Policy                       Not set     0x406       0x406
CPU Debugging                                Not set     Disabled    Disabled
BSP Initialization                           Not set     Disabled    Disabled
Protect BIOS Environment                     Not set     Disabled    Disabled
Measured Boot                                Not set     Disabled    Disabled
Verified Boot                                Not set     Disabled    Disabled
Key Manifest ID                              Not set     0x00        0x00
Persistent PRTC Backup Power                 Not set     Enabled     Enabled
RPMB Migration Done                          Not set     Disabled    Disabled
SOC Config Lock                              Not set     Not Done    Not Done
SPI Boot Source                              Not set     Enabled     Enabled
TXT Supported                                Not set     Disabled    Disabled
 
ACM SVN FPF                                  Not set
BSMM SVN FPF                                 Not set
KM SVN FPF                                   Not set
OEM Public Key Hash FPF                      Not set
OEM Public Key Hash UEP                      0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash ME FW                    0000000000000000000000000000000000000000000000000000000000000000
PTT Lockout Override Counter FPF             Not set
 

ME-FW_12.0.31.1416+PMC_300.2.11.1020.rar (1.62 MB)

ME_Region_12.0.31.1416.rar (1.62 MB)

4385

Intel CSME 12.0 Consumer PCH-H B,A Firmware v12.0.31.1416

Capture1.PNG

4386

If someone with more knowledge than me could check the screenshot i made, i would thank him very much.
I have never updated the me firmware on these never devices, and i don’t know if I can do it. Is it safe to do something like this on a laptop? I remember that it was not possible couple of years ago.

4387


Oups sorry, I completely missed your reply. Your system is running NPDM firmware so you need to choose the latest 11.8 Consumer LP NDPM for it.

4388
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
 
D:\Intel CSME System Tools v12 r14\MEInfo>MEInfoWin64
Intel (R) MEInfo Version: 12.0.22.1310
Copyright (C) 2005 - 2018, Intel Corporation. All rights reserved.
 
Intel(R) ME code versions:
 
BIOS Version                                 GL703GS.308
MEBx Version                                 0.0.0.0000
GbE Version                                  Unknown
Descriptor Version                           1.0
Vendor ID                                    8086
FW Version                                   12.0.31.1416 H Consumer
LMS Version                                  Not Available
MEI Driver Version                           1904.12.0.1208
 
PMC FW Version                               300.2.11.1020
 
PCH Information
    PCH Version                              11
    PCH Device ID                            A30D
    PCH Step Data                            B1
    PCH SKU Type                             Production Pre-QS Revenue
    PCH Replacement Counter                  0
    PCH Replacement State                    Disabled
    PCH Unlocked State                       Disabled
 
FW Capabilities                              0x31119140
 
    Protect Audio Video Path - PRESENT/ENABLED
    Intel(R) Dynamic Application Loader - PRESENT/ENABLED
    Intel(R) Platform Trust Technology - PRESENT/ENABLED
    Persistent RTC and Memory - PRESENT/ENABLED
 

Capability Licensing Service                 Enabled
End of Manufacturing Enable                  Yes
Local FWUpdate                               Enabled
OEM ID                                       00000000-0000-0000-0000-000000000000
Integrated Sensor Hub Initial Power State    Disabled
Intel(R) PTT Supported                       Yes
Intel(R) PTT initial power-up state          Enabled
OEM Tag                                      0x1043
PAVP Supported                               Yes
Post Manufacturing NVAR Config Enabled       Yes
TLS                                          Disabled
 
FW Type                                      Production
Last ME reset reason                         Global system reset
BIOS Config Lock                             Enabled
GbE Config Lock                              Enabled
Host Read Access to ME                       Enabled
Host Write Access to ME                      Disabled
Host Read Access to EC                       Disabled
Host Write Access to EC                      Disabled
SPI Flash ID 1                               C22018
SPI Flash ID 2                               Not Available
BIOS boot State                              Post Boot
Slot 1 Board Manufacturer                    0x00001043
Slot 2 System Assembler                      0x00000000
Slot 3 Reserved                              0x00000000
M3 Autotest                                  Disabled
Minimum Allowed Anti Rollback SVN            1
Image Anti Rollback SVN                      5
Trusted Computing Base SVN                   1
Re-key needed                                False
HW Binding                                   Enabled
 

                                             FPF         UEP         ME FW
                                             *In Use
                                             ---         ---         -----
Enforcement Policy                           0x00        0x00        0x00
EK Revoke State                              Not Revoke  Not Revoke  Not Revoke
PTT                                          Enabled     Enabled     Enabled
OEM ID                                       0x00        0x00        0x00
OEM Key Manifest Present                     Not Present Not Present Not Present
OEM Platform ID                              0x00        0x00        0x00
OEM Secure Boot Policy                       0x00        0x00        0x00
CPU Debugging                                Enabled     Enabled     Enabled
BSP Initialization                           Enabled     Enabled     Enabled
Protect BIOS Environment                     Disabled    Disabled    Disabled
Measured Boot                                Disabled    Disabled    Disabled
Verified Boot                                Disabled    Disabled    Disabled
Key Manifest ID                              0x00        0x00        0x00
Persistent PRTC Backup Power                 Enabled     Enabled     Enabled
RPMB Migration Done                          Disabled    Disabled    Disabled
SOC Config Lock                              Done        Not Done    Done
SPI Boot Source                              Enabled     Enabled     Enabled
TXT Supported                                Disabled    Disabled    Disabled
 
ACM SVN FPF                                  0x00
BSMM SVN FPF                                 0x00
KM SVN FPF                                   0x00
OEM Public Key Hash FPF                      0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash UEP                      0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash ME FW                    0000000000000000000000000000000000000000000000000000000000000000
PTT Lockout Override Counter FPF             0x00
 
D:\Intel CSME System Tools v12 r14\MEManuf>MEManufWin64 -verbose
Intel (R) MEManuf Version: 12.0.22.1310
Copyright (C) 2005 - 2018, Intel Corporation. All rights reserved.
 
LPC Device Id: A30D.
Platform: Cannonlake Platform
 
Windows OS Version : 10.0
 
FW Status Register1: 0x94000245
FW Status Register2: 0x02F10506
FW Status Register3: 0x00000020
FW Status Register4: 0x00004000
FW Status Register5: 0x00000000
FW Status Register6: 0x40000000
    CurrentState:                            Normal
    ManufacturingMode:                       Disabled
    FlashPartition:                          Valid
    OperationalState:                        CM0 with UMA
    InitComplete:                            Complete
    BUPLoadState:                            Success
    ErrorCode:                               No Error
    ModeOfOperation:                         Normal
    SPI Flash Log:                           Not Present
    Phase:                                   ROM/Preboot
    ME File System Corrupted:                No
    PhaseStatus:                             UNKNOWN
    FPF and ME Config Status:                Committed
FW Capabilities value is 0x31119140
Feature enablement is 0x31119140
Platform type is 0x71000391
Feature enablement is 0x31119140
ME initialization state valid
ME operation mode valid
Current operation state valid
ME error state valid
MFS is not corrupted
PCH SKU Emulation is correct
 
MEManuf NextReboot option can only run when M3 Autotest is Enabled.
 done
 
Get Intel(R) ME test data command... done
 
Get Intel(R) ME test data command... done
Total of 4 Intel(R) ME test result retrieved
 

 
Policy Kernel - Boot Guard : Self Test - Passed
 
VDM - General : VDM engine - Passed
 
PAVP - General : Set Edp Port - Passed
 
Policy Kernel - ME Configuration : PROC_MISSING - Passed
 
Clear Intel(R) ME test data command... done
 

MEManuf Operation Passed
 
D:\Intel CSME System Tools v12 r14\Clock Commander Tool>cctwin gcc
 
Intel (R) Clock Commander Tool Version: 12.0.22.1310
Copyright (C) 2009 - 2018 Intel Corporation. All rights reserved.
 
HW Product Family:CNP-H
FW Version Major: 12
FW Version Minor: 0
FW Version Hotfix: 31
FW Version Build: 1416
ICC HW SKU = EXTREME
 

HECI CMD Status = 0x00000000 (SUCCESS)
 


Just updated. @plutomaniac can you please see if it's ok?
4389


Everything looks proper, you’re good to go. :wink:

4390

There is the newest version of MEI & Drivers & Software “all-inclusive” package for Intel ME at Station Drivers in 1908.12.0.1231 version that is 300 MB big. However, it requires the previous 1847.12.0.1183 version to install properly.

Quick things I noticed with this version:

- it contains specific ME information for each particular OEM (it installed Gigabyte version for my motherboard)
- it tidily organizes all INF repository packages for Windows 10 (looked up by Driver Store Explorer from GitHub)
- it converts DAL, iCSL and a few other services that were loaded as regular software modules into legit Software Components (looked up with Device Manager)
- it updates system/DLL Intel ME files into the newest versions if applicable (it updated quite a lot of 18XX.XX.XX.XXXX to 19XX.XX.XX.XXXX versions in all of the places)

I tested only the Consumer version, but it seems the Corporate follows the same path judging by their sizes. In my case it didn’t install all 300 MB, but all Intel-related folders grew approx. 52 MB in size.

4391

A question: Do you guys think firmware updates improve performance or similar? I can only think of it getting worse because of security fixes, but not sure.

4392

Probably have this already, but FwUpdLcl.exe and FwUpdLcl64.exe 11.8.65.3572: https://support.lenovo.com/us/en/downloads/DS121676

4393

Intel CSME 12.0 Consumer PCH-LP C Firmware v12.0.32.1421

Capture.PNG



Intel MEI Driver v1909.12.0.1237 MEI-Only Installer
Intel MEI v1909.12.0.1237 for Consumer systems Drivers & Software
Intel MEI v1910.12.0.1239 for Corporate systems Drivers & Software

4394

Weird. By default MEI driver should be prioritized by Windows, enabling the “Message Signaled-Based Interrupt (MSI)” option for it, correct?

However, only today I noticed my MEI driver had a pretty high IRQ of 2 in the Device Manager, while my graphic card and system clock had -5 and -6 respectively. Following this guide, I modified Windows registry and voila, my MEI’s IRQ dropped to -7, while my Windows 10 boot time was reduced from 17 secs to 11 (I used BootRacer to measure that, and enabled it for 10 consecutive boots to have a good sample). Just a notion someone might find it useful.

Also, @plutomaniac is LMS a vital part of MEI software? I didn’t have it enabled with the OEM-designed MEI drivers (I mentioned it in the previous post), but it’s now back on with the newest version you posted links to today.

4395

Hi,

I updated to 11.8.60.3561 H and wondering whats the best driver version to pair with this firmware? Seems counter intuitive to go with 11.7 drivers?

Thank you

4396

Intel CSME 12.0 Consumer PCH-H B,A Firmware v12.0.32.1421

Capture.PNG

4397

@davidm71 If you have windows 8 i would recommend the 11.7 driver, because it works better in my experience.