Intel (Converged Security) Management Engine: Drivers, Firmware and Tools (2-15)


@Fernando

I see that the 2120.100.0.1085 is quoted but the 2124.100.0.1096 driver is actually within the recent SD release. I am not including that because it is an early release for Alder Lake and as a rule, I try to stick to the drivers, firmware & tools which are relevant to already released platforms, not upcoming. Thank you for attaching it though as someone might want to install/test it sooner for some reason.

Hi there,
I hope, someone can help me.
I have a Gigabyte H370 motherboard with an Intel ME version 12.
ManufacturingMode is enabled / active and FPFs are not committed and not set / UEP in use.
I want to update the Intel ME.
My question:
If I update the Intel ME with FwUpdLcl64, will the OEM public key (and the hash) be deleted?
Do I have to disable / close the ManufacturingMode beforehand (with fptw64 -closemnf) in order to save the OEM public key (hash) in the hardware (FPF)?
Thanks very much.


D:\Intel ME\CSME System Tools v12 r34\MEInfo\WIN64>MEInfoWin64 -verbose
Intel (R) MEInfo Version: 12.0.81.1760
Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.


Windows OS Version : 10.0

LPC Device Id: A304.
Platform: Cannonlake Platform
General FW Information
FW Status Register1: 0x90000255
FW Status Register2: 0x60000506
FW Status Register3: 0x00000020
FW Status Register4: 0x00004000
FW Status Register5: 0x00000000
FW Status Register6: 0x00400000

CurrentState: Normal
ManufacturingMode: Enabled
FlashPartition: Valid
OperationalState: CM0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
SPI Flash Log: Not Present
Phase: HOSTCOMM Module
PhaseStatus: UNKNOWN
ME File System Corrupted: No
FPF and ME Config Status: Not committed
FW Capabilities value is 0x31109140
Feature enablement is 0x31109140
Platform type is 0x71000392

Platform Type Desktop
FW Type Production
Last ME Reset Reason Unknown
BIOS boot State Post Boot
Slot 1 Board Manufacturer 0x00000000
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
Capability Licensing Service Enabled
Local FWUpdate Enabled
OEM ID 00000000-0000-0000-0000-000000000000
Integrated Sensor Hub Initial Power State Disabled
Intel(R) PTT Supported Yes
Intel(R) PTT initial power-up state Enabled
OEM Tag 0x00
TLS Disabled

Intel(R) ME code versions:
BIOS Version F15e
GbE Version 0.5
Vendor ID 8086
FW Version 12.0.70.1652 H Consumer
LMS Version Not Available
MEI Driver Version 2124.100.0.1096

IUPs Information
PMC FW Version 300.2.11.1025
OEM FW Version 0.0.0.0000

PCH Information
PCH Version 10
PCH Device ID A304
PCH Step Data B0
PCH SKU Type Production PRQ Revenue
PCH Replacement State Disabled
PCH Replacement Counter 0
PCH Unlocked State Disabled

Flash Information
SPI Flash ID 1 C22018
SPI Flash ID 2 Not Available
Host Read Access to ME Enabled
Host Write Access to ME Enabled
Host Read Access to EC Enabled
Host Write Access to EC Enabled

FW Capabilities 0x31109140
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Intel(R) Platform Trust Technology - PRESENT/ENABLED
Service Advertisement & Discovery - NOT PRESENT
Persistent RTC and Memory - PRESENT/ENABLED

End Of Manufacturing
Post Manufacturing NVAR Config Enabled Yes
HW Binding Enabled
End of Manufacturing Enable No

Intel(R) Protected Audio Video Path
Keybox Not Provisioned
Attestation KeyBox Not Provisioned
EPID Group ID 0x28B0
Re-key needed False
PAVP Supported Yes

Security Version Numbers
Minimum Allowed Anti Rollback SVN 1
Image Anti Rollback SVN 10
Trusted Computing Base SVN 1

FW Supported FPFs
FPF UEP ME FW
*In Use
--- --- -----
Enforcement Policy Not set 0x00 0x00
EK Revoke State Not set Not Revoked Not Revoked # Not Revoked=0, Revoked=1
PTT Not set Enabled Enabled # Disabled=0, Enabled=1
OEM ID Not set 0x00 0x00
OEM Key Manifest Present Not set Present Present # Not Present=0, Present=1
OEM Platform ID Not set 0x00 0x00
OEM Secure Boot Policy Not set 0x40 0x40
CPU Debugging Not set Enabled Enabled # Enabled=0, Disabled=1
BSP Initialization Not set Enabled Enabled # Enabled=0, Disabled=1
Protect BIOS Environment Not set Disabled Disabled # Disabled=0, Enabled=1
Measured Boot Not set Disabled Disabled # Disabled=0, Enabled=1
Verified Boot Not set Disabled Disabled # Disabled=0, Enabled=1
Key Manifest ID Not set 0x01 0x01
Persistent PRTC Backup Power Not set Enabled Enabled # Enabled=0, Disabled=1
RPMB Migration Done Not set Disabled Disabled # Disabled=0, Enabled=1
SOC Config Lock Not set Not Done Not Done # Not Done=0, Done=1
SPI Boot Source Not set Enabled Enabled # Enabled=0, Disabled=1
TXT Supported Not set Disabled Disabled # Disabled=0, Enabled=1

ACM SVN FPF Not set
BSMM SVN FPF Not set
KM SVN FPF Not set
OEM Public Key Hash FPF Not set
OEM Public Key Hash UEP E02EFA655BEBB704883EEE4476ADC62C
OEM Public Key Hash ME FW E02EFA655BEBB704883EEE4476ADC62C
PTT Lockout Override Counter FPF Not set

D:\Intel ME\CSME System Tools v12 r34\MEInfo\WIN64>



Nothing will get deleted. You don't need to do anything else. Just use FWUpdate tool as explained in the first post.
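An added example (not part of the thread and not from Intel's tools): a small scanner that reads saved `MEInfoWin64 -verbose` output and flags the provisioning fields the question above is about. The field labels are taken from the dump quoted in the post; the rule keys, the reason strings and the `SAMPLE` text are constructed for illustration.

```python
import re

# (finding key, MEInfo label, regex for a value worth flagging, reason)
RULES = [
    ("manufacturing_mode", "ManufacturingMode", r"Enabled",
     "ME is still in manufacturing mode"),
    ("fpf_commit", "FPF and ME Config Status", r"Not committed",
     "Field Programmable Fuses have not been committed"),
    ("end_of_manufacturing", "End of Manufacturing Enable", r"No",
     "End of Manufacturing was never performed"),
    ("host_write_me", "Host Write Access to ME", r"Enabled",
     "host software can write the ME flash region"),
    ("oem_key_hash_fpf", "OEM Public Key Hash FPF", r"Not set",
     "OEM public key hash is not yet burned into fuses"),
    ("verified_boot_fpf", "Verified Boot", r"(Not set|Disabled)",
     "Boot Guard Verified Boot is not enforced by fuses"),
]

# Constructed sample: lines copied from the dump quoted in the post above.
SAMPLE = """\
ManufacturingMode: Enabled
FPF and ME Config Status: Not committed
Host Write Access to ME Enabled
End of Manufacturing Enable No
Verified Boot Not set Disabled Disabled # Disabled=0, Enabled=1
OEM Public Key Hash FPF Not set
OEM Public Key Hash UEP E02EFA655BEBB704883EEE4476ADC62C
"""

def audit(meinfo_text):
    """Return {key: (value, reason)} for every flagged MEInfo field."""
    findings = {}
    for line in meinfo_text.splitlines():
        line = line.split("#", 1)[0]  # drop MEInfo's trailing legend
        for key, label, flag, reason in RULES:
            # Label, optional colon, then the value (columns may be padded).
            m = re.match(rf"\s*{re.escape(label)}\s*:?\s+(.+?)\s*$", line)
            if m and re.match(flag + r"\b", m.group(1), re.IGNORECASE):
                findings[key] = (m.group(1), reason)
    return findings

if __name__ == "__main__":
    for key, (value, reason) in audit(SAMPLE).items():
        print(f"{key:22} {value!r:30} {reason}")
```

For rows of the FPF table the first column (the fuse value) decides the result, so a platform that reports `Enabled` there is not flagged.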

CSME 15.0 Consumer H A (B) v15.0.30.1902




CSME 15.0 Corporate H A (B) v15.0.30.1902


I have two questions about the Intel ME update.
Intel Boot Guard Verified Boot and Measured Boot are enabled on my computer. The system only starts with a signed firmware. Are the CSME and PMC firmware that can be downloaded under Sections B1-B2 digitally signed and are they from Intel? Otherwise my system won't start anymore.

Another question: If I combine the CSME firmware with the PMC firmware with FIT and press the Build Image button, an error message appears: Warning: OEM Signing is Disabled.
What does this error message mean? Is the firmware working?
Many thanks for your help.


Yes, they are. I have Verified Boot and Measured Boot on my system and the firmwares from here have always worked.


It's a normal message that doesn't mean anything. The firmware is fine and will work.



This is SPS firmware, so none of the tools/firmwares on this thread are applicable. As plutomaniac said in post #5562, "That's Server Platform Services (SPS) firmware, not Management Engine (ME). It works and gets updated in different ways. We also lack tools for such platforms. So no, you cannot use anything from this thread. You'll have to leave it as it is."

I am looking for some suggestions as to what could be failing in my rig. (z390-i powered by corsair SF750)
Not sure if this is the right place to post, but it seems to be connected somehow to the INTEL ME, so there I go.

I am experiencing weird POST problems.
If the computer is turned off for an hour or two, it will not turn on when pressing the button for the first two minutes. Afterwards, it turns on but doesn't POST. It keeps turning on and off, when it eventually POSTs in SAFE MODE and throws out Intel ME FW errors (which shows up as version 0.0.0.0 once I go into UEFI BIOS).

After a minute, it turns on normally, goes into UEFI OS no problem and runs as nothing ever happens without a hitch. As long as I keep the system on, it boots/reboots normally. Even if I unplug the cable and drain the power through pressing the button, it immediately boots as if nothing bad ever happened afterwards. I've run the rig yesterday, gamed on it no problem (RTX 3080) for 8 hours straight.

Could it be that some condensator on the mobo is botched and it needs to 'load it up itself with juice' before working correctly? I updated Intel ME firmware, but it didn't help. Once it starts booting correctly, the INTEL ME version shows up correctly in BIOS.

If the ME 0.0.0.0 never happens again, we can say that it's fixed, and that leaves us with a suspicious HW failure from the motherboard, my opinion only.

Apologies if this has been asked in the previous 373 pages, but what do you need to do for ME 11? I can see there are instructions for FWUpdate tool at CSME 12 and for 13+ but I cannot see what you need for 11. I have looked through 12 in case they are similar but thought it better to ask.

The board I have is the ROG MAXIMUS VIII EXTREME
Z170 chipset
i7 6700 CPU

MEInfoWin64.exe information

BIOS Version 3801
MEBx Version 0.0.0.0000
GbE Version 0.7
Vendor ID 8086
PCH Version 31
FW Version 11.8.50.3399 H
Security Version (SVN) 3
LMS Version 2120.0.21.0
MEI Driver Version 2108.100.0.1053

Intel(R) Platform Trust Technology - PRESENT/DISABLED


ME Analyzer v1.241.0 r258
From dumped FW

║ Family           │ CSE ME       ║
╟──────────────────┼──────────────╢
║ Version          │ 11.8.50.3399 ║
╟──────────────────┼──────────────╢
║ Release          │ Production   ║
╟──────────────────┼──────────────╢
║ Type             │ Update       ║
╟──────────────────┼──────────────╢
║ SKU              │ Consumer H   ║
╟──────────────────┼──────────────╢
║ Chipset Stepping │ D, A         ║

From Bios Update file

║ Family  │ CSE ME          ║
╟─────────┼─────────────────╢
║ Version │ 11.8.50.3399    ║
╟─────────┼─────────────────╢
║ Release │ Production      ║
╟─────────┼─────────────────╢
║ Type    │ Extracted       ║
╟─────────┼─────────────────╢
║ SKU     │ Consumer H      ║
╟─────────┼─────────────────╢
║ Chipset │ KBP/BSF/GCF-H A ║
║         │ SPT-H D         ║


Thanks

Chris

Wot u see is special notes/cautions for ME12/13+... the guide is for all.
U need the FW: CSME 11.8 Consumer H D,A v11.8.86.3909 and the ME tools: CSME System Tools v11 r41 - (2021-06-26)

Here a word of warning to all who are thinking of "upgrading" the CSME from a Lenovo from 14.0.45 H CONS (official)
Your system will not honor "power after failure" settings in BIOS.

-Corrected after test-->
also 14.0.48 shows same erratic behaviour, not only 14.1.53, even having same PMC version.
I am not sure what causes this, but 14.0.45 official does not have that "power after failure" bug.

@plutomaniac I found a newer old ME firmware IBX 6.0.30.1203 in some old bios https://www.mediafire.com/file/e340fz6fn...B10240.zip/file

It is not the newest, as I successfully flashed the firmware 6.2.50.1062



I'm not sure I understand. Newer than what? ME 6 1.5MB 6.0.30.1203 is already in the database/repository and very old.

@plutomaniac the one you linked in your OP is 6.0.30.1199, while the one in this bios file is 6.0.30.1203

It is not that important, as there is a newer version 6.2.50.1062 and you already linked it in the OP


No, you are confusing different SKUs with one another:

ME 6 1.5MB
ME 6 5MB DT
ME 6 5MB MB
ME 6 IGN IBX
ME 6 IGN CCK

You are comparing 1.5MB (last v6.2.50.1062) to IGN IBX (last v6.0.30.1199), which are completely different.

@plutomaniac I already flashed successfully the version 6.2.50.1062 using the command -allowsv

AFAIK -allowsv will only flash ME firmware from the same type, anyhow I ran the tests and the version 6.2.50.1062 is working over the version 6.0.30.1203 just fine, and no errors were reported.

Still, the IBX version 6.0.30.1203 has a higher version number and I just checked it even has a newer date


Sure, but it doesn't matter because you cannot compare apples (ME 6 1.5MB) to oranges (ME 6 IGN IBX). The last firmware version released for the Ignition Ibex Peak (IGN IBX) SKU is 6.0.30.1199. If you had a system with that SKU (i.e. P55), you wouldn't be able to go higher than 6.0.30.1199. It is not strange that the Ignition SKU was left at v6.0.30.1199 firmware because apparently it never required an update after that (but 1.5MB and 5MB did, thus > 6.0.30). I cannot explain it in a better way.

@plutomaniac OK, I got it, you were right, I had SKU 1.5 and it is not the same as IBX. I got confused with chip support IBX sorry.

Intel CSME 14.0 Consumer PCH-H A Firmware v14.0.46.1431
Intel PMC CMP PCH-H A Firmware v140.2.01.1011
Intel PCHC CMP PCH-H/LP Firmware v14.0.0.1002

Hi, where can I download these files?
I just find CSME 14.1 and 14.5.
Thanks