Intel (Converged Security) Management Engine: Drivers, Firmware and Tools (2-15)

Yeah, weird stuff, it worked just fine previously. New BIOS today, maybe that sorts out something.

What about the new MEI version 2041.15.0.1893 on Station Driver?
Including new MEI driver with the strange number 2036.100.0.1024

I installed the drivers from that package, INF variant. They appear newer, by date, than the previous ones I had.

Intel CSME 15.0 Consumer PCH-LP B Firmware v15.0.10.1414



Intel CSME 15.0 Corporate PCH-LP B Firmware v15.0.10.1414



Intel PMC TGP PCH-LP C (B) Firmware v150.1.20.1026




Intel seems to be changing their mind on MEI drivers every month at this point. I donā€™t know what that is. I know that "CSE" (GSC) 100 is for Dedicated Xe Graphics. Why is Intel using 100 for CSE is a good question. I see references to CSME 16 (Alderlake), CSME 17.30 (???) and CSME 18.30 (???) in those drivers. Maybe early test drivers for upcoming platforms. Maybe a change in driver versioning. Who knows outside of Intel & OEMs. For now, I will keep the current drivers and will revise if more of these 100 appear in the future.

@ plutomaniac: Remember that one?

We got a ME region from a working identical machine, i simply exchanged the complete ME- region, not yet tested if this unbricks the machine.

Funny thing:
Bios with good ME gives exact same errors when trying to open in FIT 4.0.36.1158 as the bios with corrupt MFS
Bios with good ME opened in FIT 4.0.11.1205 gives same configuration as the bios with corrupt MFS. Compared the saved xml- files and itā€™s just the paths for the file locations that are different. (I know there was a slight chance, but one should anyway not trust this configuration read from a corrupt region)

MEA reads now of course region as configured, no error.

I wonder why the Intel tools donā€™t complain about the corrupt MFS partition? MEA seems to be a quite sensible tool, I wasnā€™t aware of that MEA reads/ checks the subpartitions of the ME region so thoroughly!

If a dump was used, MEA should report ā€œInitializedā€, not ā€œConfiguredā€. The image was built with 4.0.11 so it should be opened with the old tools. The FW is newer due to FWUpdate tool usage, as I said above. I would need to see those two SPI ā€œdumpsā€ together to check how & why FIT behaves like that. MEA is a beast, Iā€™m proud of it. And yes, it goes into crazy amount of detail without the user noticing. You can see some of that detail by trying to unpack the firmware using ā€œ-unp86ā€ parameter.

Hi! Iā€™m getting this error: Error 639: Loader failed to verify manifest signature of PPHY. Thanks in advance!

My bad, I used ā€œConfiguredā€ in the meaning of ā€œInitializedā€, sorry for having been imprecise.

And yes, the output of MEA with this option is quite amazing Not less impressing the unpacked content! Thanks a lot for all this work!!

Iā€™ll attach the complete images and the ME regions, not sure if just ME region was enough. Tried to open xml- configuration file generated with 4.0.11 with newer FIT version, but gives same error as opening the bios file? Wouldā€™ve expected that a later version at least could read an existing configā€¦

(System isnā€™t booting/ still completely dead with copied good ME-region, so I assume it was not corrupted MFS/ is not at all the UEFI firmware)

FD_EC_MEbad_and_good.zip (4.49 MB)

BIOSrgn.zip (5.39 MB)

ME_rgn_bad_good.zip (2.03 MB)

mea -unp86 good me.txt (136 KB)


Please give me more info. What exact system do you have? What firmware are you trying to update? What tool did you use? What did you choose from the OP? I cannot guess these things.

@lfb6

Ohā€¦ Upon comparing the two images (good & bad), this is clearly a MEA oversight. It turns out that the MFS is not corrupted at all. Removing the check for "unrecognized MFS" completes the analysis properly and shows Initialized at the state. I know how to fix it, very simple. TLDR, the MFS has 3 types of Pages: System, Data & Scratch. Only 1 Scratch/Temporary page exists and itā€™s normally filled with padding and placed at the end. But in this case, the Scratch page was being in use when the dump was made and it had data (what looked like "corruption" to me before) and was also placed at the top of the MFS. Since MEA checks the top of the MFS for "unrecognized" structure, it would skip it incorrectly. Nice find! Iā€™ll consider this an indirect MEA bug report. Thank you very much lfb6 for bringing this to my attention. Iā€™ll push an update to MEA later today which addresses that oversight.



Sorry. Iā€™m new with these and i followed your instructions. I have an i5-10600K on an Asus Z490 Tuf Gaming Plus, 2x8gb 2933MHz Predator, H100i RGB Pro XT, m.2 Kingston A2000 250GB, Samsung EVO 860 1TB, Zotac RTX 2060 Super Mini. Iā€™m trying to update the ME Firmware (i have version 14.0.45.1389). The driver version is dated on May 19th (version 2021.14.0.1615). I used the tools you provided in this post. I got to the end but iā€™m having another error. It started reading the file but it says is corrupted or something like that.
From ASUS i updated the ME firmware, but you have a later one. How do i know i have the latest ME driver installed? How to install it?
I tried to update the CPU microcode, but i canā€™t make it work, the new python method is giving me a headache. Iā€™m concerned about the new platypus vulnerability and the others vulnerabilities too. Thanks!



EDIT:

C:\Intel CSME System Tools v14.0.20+ r10\FWUpdate\WIN64>FWUpdLcl64.exe -f FWUpdate.bin
Intel (R) Firmware Update Utility Version: 14.0.45.1389
Copyright (C) 2005 - 2020, Intel Corporation. All rights reserved.

Checking firmware parametersā€¦

Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification: [ COMPLETE ]

FW Update: [ 0% (/)] Do not Interrupt

Error 639: Loader failed to verify manifest signature of PPHY.



Same thing if i do it with WIN32 and FWUpdLcl.exe

What should i put on BIOS binary file? If i donā€™t put anything i canā€™t build the image.
Iā€™m also getting this: "Warning: OEM Signing is Disabled".

Alright, follow the discussion between Ataemonus and me from a few days ago. This is either an ASUS issue or something specific to FWUpdate v14.0.45 tool and/or CSME firmware 14.0.46. I donā€™t have a solution for that. Weā€™ll have to wait for a newer FWUpdate or firmware version or reports from other systems as well.

ASUS launched this the day before yesterday:

Version 14.0.45.1389V2.1
2020/11/12 5.34 MBytes
MEUpdateTool
Intel has identified security issue that could potentially place impacted platform at risk.
Use ME Update tool to update your ME.
*We suggest you update ME Driver to the latest Version 14.0.45.1389V2.1 simultaneously.
Please download the file and check the MD5 code first.
MD5: 010ebfd94977a4aea551fc79a9b892e2

I updated it, but it says: 14.0.45.1389 (but the v2.1 doesnā€™t appear on the description). And they say that i should update the driver to the same version, but my driver version is: 2021.14.0.1615 (dated May). Where can i find the latest ME driver? Am i ok with this firmware posted by ASUS? Should i wait for a BIOS update with a new microcode? Because in my laptop i updated the cpu microcode via Windows Update and all done. Thanks again.

What should i put on BIOS binary file? If i donā€™t put anything i canā€™t build the image.

I wonder actually who might be able to give you direct MEA bug rapports, thatā€™s probably not a really large number of peopleā€¦

Thanks a lot for the explanation, and for looking into these files!


Thatā€™s true unfortunately. I donā€™t think Iā€™ve ever received an actual report for a logical code bug report. I can probably count the amount of people, who I know and could do that, in one hand.

Anyway, thank you a lot for your help lfb6, especially at the various Engine-related topics which I canā€™t keep up with anymore.



ASUS launched this the day before yesterday:

Version 14.0.45.1389V2.1
2020/11/12 5.34 MBytes
MEUpdateTool
Intel has identified security issue that could potentially place impacted platform at risk.
Use ME Update tool to update your ME.
*We suggest you update ME Driver to the latest Version 14.0.45.1389V2.1 simultaneously.
Please download the file and check the MD5 code first.
MD5: 010ebfd94977a4aea551fc79a9b892e2

I updated it, but it says: 14.0.45.1389 (but the v2.1 doesnā€™t appear on the description). And they say that i should update the driver to the same version, but my driver version is: 2021.14.0.1615 (dated May). Where can i find the latest ME driver? Am i ok with this firmware posted by ASUS?
I updated the CPU microcode too via CMD, but HWInfo shows version B0 and BIOS and Windows registry shows C8.
I updated the me firmware on my laptop with your steps. I think is an ASUS problem/issue.

Could you help me? Thanks?


Uhhmmm, in this thread youā€™re posting?


Yes, leave is at it is.


Off-Topic.

Youā€™re very welcome. I think ME is a quite interesting area, but I have only very basic knowledge, and even less for newer versions, since Iā€™m personaly still work with SNB/ IVB/ HSW systems. Thank a lot for these very detailed and understandable guides- they make it possible to get some people going again

Intel CSME 12.0 Corporate PCH-LP C Firmware v12.0.71.1681



Note: Update ME Analyzer to v1.174.1 or newer due to a hotfix at the main Engine firmware detection.


Ahh, I know that pain as a "proud" owner of a SNB i7-2760QM and an IVB i5-3570K.


[quote="plutomaniac, post:5199, topic:30719"]
@ ibsajc:
Choose the latest. No problem with FWUpdate. [/quote]

I can confirm that the Intel CSME Firmware update to version v11.8.81.3781 works properly in Linux.

Intel MEI Drivers & Software v2041.15.0.1893 DCH (Windows 10 >= 1709)
Intel MEI Drivers & Software v2044.15.0.1951 MSI (Windows 7, 8, 10 <= 1703)
Intel MEI Driver v2036.100.0.1024 (Windows 10 >= 1709)
Intel MEI Driver v2040.100.0.1029 (Windows 8, 10 <= 1703)
Intel MEI Driver v2040.100.0.1029 (Windows 7)


It seems those "100" drivers have merged LKF into the main branch so there is no need for a separate 13.30 driver anymore. My guess is that these "100" drivers aim to unify the various MEI platforms or something like that. Since I found 2044.15.0.1951 MSI from HP (official, OEM) and I like that LKF has been finally merged, Iā€™ve switched to these newer drivers. Instructions on supported platforms and OS versions have been updated: