Intel Converged Security Management Engine
Drivers, Firmware and Tools
CSME 16+
Last Updated: 2022-09-10
Intel Management Engine Introduction:
Built into many Intel-based platforms is a small, low power computer subsystem called the Intel Management Engine (Intel ME). This can perform various tasks while the system is booting, running or sleeping. It operates independently from the main CPU, BIOS and OS but can interact with them if needed. The ME is responsible for many parts of an Intel-based system. Such functionality extends, but itβs not limited, to Platform Clocks Control (ICC), Thermal Monitoring, Fan Control, Power Management, Overclocking, Silicon Workaround (resolves silicon bugs which would have otherwise required a new cpu stepping), Identity Protection Technology, Boot Guard, Rapid Start Technology, Smart Connect Technology, Sensor Hub Controller (ISHC), Active Management Technology (AMT), Small Business Advantage (SBA), Wireless Display, PlayReady, Protected Video/Audio Path etc. For certain advanced/corporate features (i.e. AMT, SBA) the ME uses an out-of-band (OOB) network interface to perform functions even when the system is powered down, the OS and/or hard drivers are non-functional etc. Thus it is essential for it to be operational in order for the platform to be working properly, no matter if the advanced/corporate features are available or not.
Intel Converged Security Engine Introduction:
The evolution of Intel Management Engine into a unified security co-processor, running x86 code under a Minix-based Operating System. It was first introduced in 2015 with the release of Skylake CPUs working alongside 100-series Sunrise Point Platform Controller Hub (PCH). The CSE hardware can run Management Engine (ME) 11+, Trusted Execution Engine (TXE) 3+ or Server Platform Services (SPS) 4+ firmware. So there are a total of three families of CSE-based firmware: CSME (CSE ME), CSTXE (CSE TXE) and CSSPS (CSE SPS). The CSE hardware is also capable of running other types of firmware such as Power Management Controller (PMC), Integrated Sensor Hub (ISH), Imaging Unit (iUnit), Clear Audio Voice Speech (cAVS), Wireless Microcode (WCOD) etc.
Intel Power Management Controller Introduction:
Handles all Platform Controller Hub (PCH) power management related activities, running ARC code on top of the CSE hardware. PMC administers power management functions of the PCH including interfacing with other logic and controllers on the platform to perform power state transitions, configure, manage and respond to wake events, aggregate and report latency tolerance information for devices and peripherals connected to and integrated into the PCH etc. It was first introduced in 2018 with the release of Coffee/Cannon Lake CPUs working alongside 300-series Cannon Point PCH.
Disclaimer:
All the software and firmware below comes only from official updates which were provided and made public by various manufacturers! The System Tools are gathered and provided with the sole purpose of helping people who are out of other viable solutions. Thus, they can be extremely helpful to those who have major problems with their systems for which their manufacturer refuses to assist due to indifference and/or system age.
Note: This wiki thread does not appear to be maintained anymore! You may be able to find newer resources at the threadβs replies. User discretion is strongly advised!
Getting Started:
Intel CSME is a Hardware platform which runs Firmware, is monitored/configured by Tools and interfaces with the user via Drivers. To get started, you need at the very least to know what CSME firmware major and minor version your system is running. Such info can be retrieved in various ways but you can use the free system information and diagnostics tool HWiNFO > Motherboard > Intel ME > Intel ME Version. The format is Major.Minor, Build, Hotfix. Once you determine the systemβs CSME firmware major and minor version, you can install the latest Drivers from section A and update the CSME Firmware by following sequentially the relevant steps at Section B using the required Tools from Section C.
A. Intel MEI Drivers
The latest v16 drivers are usable with CSME 10, 11, 12, 13, 14, 15 and 16 systems running under Windows 10 >= 1709. In order to check your current installed version, use Intel MEInfo tool as instructed below.
These packages contain the Intel MEI drivers with their respective software and system services. It is advised to install these to enable all the Engine-related functionality. Since the Intel MEI Drivers and Software are OS version dependent, search and run "winver.exe" to determine your own.
B. Intel CSME, PMC, PCHC and PHY Firmware
SPI/BIOS Regions (FD/Engine/BIOS):
The SPI/BIOS chip firmware is divided into regions which control different aspects of an Intel-based system. The mandatory regions are the Flash Descriptor (FD), the (Converged Security) Management Engine (CSME or Engine) and the BIOS. The FD controls read/write access between the SPI/BIOS chip regions and holds certain system hardware settings. The CSME holds the systemβs Engine firmware. For security reasons, the FD and Engine regions of the SPI/BIOS chip are usually locked so that no read/write access is allowed via software means. Since the FD controls that read/write access, it must be locked/protected so that it is not manually overwritten to allow unauthorized access to the firmware regions of the systemβs SPI/BIOS chip. The Engine region at the systemβs SPI/BIOS chip is also locked/protected due to the nature of the CSE/ME co-processor, as explained at the Introductions above.
Engine Firmware Attributes (Family/Platform/SKU/Version):
Intel CSME or Engine firmware is mainly categorized based on its target Chipset Family (e.g. Alder Point), Chipset Platform (H = Halo, LP = Low Power, N = Nano), Type/SKU (e.g. Consumer, Corporate, Slim) and Version (e.g. 16.1.25.1932 = Major.Minor.Hotfix.Build). Be careful of what firmware your download relevant to your system. To understand your exact Chipset Family, Chipset Platform, CSME Type/SKU and CSME Version, you can usually run MEInfo or MEManuf tools with "-verbose" parameter. Otherwise, ME Analyzer can show you all the relevant information, after loading your SPI/BIOS image (Flash Descriptor + Engine + BIOS), when the latter is available. If a SPI/BIOS image is not available, run FWUpdate tool with parameter "-save fw.bin" and load the resulting "fw.bin" image into ME Analyzer instead. All the firmware below correspond to a specific Platform which runs a specific CSME firmware version (example: For systems running CSME Corporate H A v16.0 - v16.1).
Engine Firmware Regions (RGN/EXTR):
The Type of each Engine/CSME firmware Region can be either Stock (RGN) or Extracted (EXTR). Stock are clean/stock/unconfigured images provided by Intel to OEMs. Extracted are dirty/extracted/configured images from various SPI/BIOS. The Engine firmware at the systemβs SPI/BIOS chip is always EXTR, generated by the OEM after configuring the equivalent RGN with the appropriate system settings.
Engine Firmware Configuration (CODE/DATA):
The Engine Firmware Regions (RGN/EXTR) consist of two sections: CODE and DATA. CODE is the actual Engine firmware whereas DATA is where all the system-specific settings are stored, as configured by the OEM at the factory via Intel Flash Image Tool. The Engine firmware is not static as it holds system-specific configuration and can additionally be configured by the Engine co-processor itself while the system is running in order to provide the proper support and functionality. Any such changes are written into the DATA section of the Engine Region and the firmware is considered Initialized. That means that the DATA section can be in one of three states: Unconfigured, Configured or Initialized. Unconfigured means that the Engine firmware image is the stock one Intel provides and not configured by the OEM at all (RGN). Configured means that the OEM has applied model specific settings and the Engine region is ready for deployment (EXTR). Initialized means that the Engine region comes from a system which was already running and thus the Engine co-processor has further configured the DATA section to suit that particular system better (system specific or dirty EXTR).
Independent Update Partitions (IUP):
The Engine firmware consists of multiple Partitions (sections) and each one is responsible for different features/capabilities. For example, the Fault Tolerant Partition (FTPR) contains CODE which is essential for the CSME operation whereas the File System Partition (MFS, EFFS) contains the Configured and/or Initialized DATA. Some CSME firmware Partitions target auxiliary CSE/ME co-processor devices or capabilities and can also be updated independently of the main CSME firmware. These are called Independent Update Partitions (IUP) with the most notable/important ones being Power Management Controller (PMC), Platform Controller Hub Configuration (PCHC) and USB Type C Physical (PHY).
At CSME 16+, the main CSME firmware must first be combined/stitched with one or more obligatory IUPs, before initiating an update procedure via FWUpdate tool. Whenever CSME + IUP merging is required, equivalent instructions and firmware are provided below. The following CSME/IUP Table lists the CSME 16+ firmware Major.Minor versions which require the presence of IUP(s) and their respective versions or SKUs. Youβll need to consult this table while following the update instructions below to choose the correct CSME + IUP combination for your system.
Engine Security Version Number (SVN):
All CSME and IUP firmware are defined by a Security Version Number (SVN) like 1,2,3 etc which is used to control the possible upgrade/downgrade paths provided by Intelβs FWUpdate tool. The SVN gets incremented if there is a high or critical security fix that requires a Trusted Computing Base (TCB) recovery operation, a significant event in the life cycle of the firmware which requires renewal of the security signing keys in use. A downgrade to a lower SVN value via FWUpdate tool is prohibited whereas an upgrade to the same or higher SVN is allowed. For example if your current firmware has a SVN of 2, you can update to another firmware with SVN >= 2 (for example 3) but you cannot downgrade to another firmware with SVN < 2 (for example 1). Trying to flash a firmware with lower SVN will result in the error "The image provided is not supported by the platform" or similar. To view the SVN value of any CSME or PMC firmware, you can use ME Analyzer tool.
Engine Version Control Number (VCN):
All CSME and IUP firmware are defined by a Version Control Number (VCN) like 1,2,45,193 etc which is used to control the possible upgrade/downgrade paths provided by Intelβs FWUpdate tool. The VCN gets incremented if there is a security fix, a significant firmware change or a new feature addition. A downgrade to a lower VCN value via FWUpdate tool is prohibited whereas an upgrade to the same or higher VCN is allowed. For example if your current firmware has a VCN of 176, you can update to another firmware with VCN >= 176 (for example 193) but you cannot downgrade to another firmware with VCN < 176 (for example 174). Trying to flash a firmware with lower VCN will result in the error "The image provided is not supported by the platform" or similar. To view the VCN value of any CSME firmware, you can use ME Analyzer tool.
Engine Production Ready Status (PV):
All CSME and IUP firmware are defined by a Production Version/Ready Status (PV) which can be either Yes or No and is used to control the possible upgrade/downgrade paths provided by Intelβs FWUpdate tool. The PV status is set to Yes when a firmware is validated/ready for use at Production platforms, thus when its status is Stable and not Beta, Alpha etc. An upgrade/downgrade from PV to non-PV firmware via FWUpdate tool is prohibited whereas upgrades/downgrades to the same PV or from non-PV to PV are allowed. For example if your current firmware has PV set to Yes, you can upgrade/downgrade to another firmware with PV set to Yes but you cannot upgrade/downgrade to another firmware with PV set to No. Trying to flash a firmware with incompatible PV will result in the error "The image provided is not supported by the platform" or similar. To view the PV status of any CSME firmware, you can use ME Analyzer tool.
Power Management Controller (PMC) IUP:
PMC firmware always targets a specific Chipset Family/Codename (e.g. ADP), Chipset Platform (e.g. H, LP, N) and Chipset Stepping/Revision (e.g. A, B, C, D). For example, a CSME 16.0 Corporate H A system must use PMC ADP H A 160.2 firmware etc. The PMC firmware can only be updated after being merged with a compatible CSME firmware via Modular Flash Image Tool.
Platform Controller Hub Configuration (PCHC) IUP:
PCHC firmware always targets a specific Chipset Family/Codename (e.g. ADP). For example, a CSME 16.0 Consumer LP A system must use PCHC ADP 16.0 firmware etc. The PCHC firmware can only be updated after being merged with a compatible CSME firmware via Modular Flash Image Tool.
USB Type C Physical (PHY) IUP:
PHY firmware always targets a specific Chipset Family/Codename (e.g. ADP) and PHY Type/SKU (e.g. S, N, P). For example, a CSME 16.0 Consumer H A system must use PHY N ADP firmware etc. The PHY firmware can only be updated after being merged with a compatible CSME firmware via Modular Flash Image Tool.
How to update Engine firmware:
The Intel FWUpdate tool is an official command line utility provided by Intel which uses the Engine co-processor itself to upgrade/downgrade the CSME firmware quickly and easily. FWUpdate tool requires that the Engine co-processor is operational and that its current Engine firmware region is healthy at the systemβs SPI/BIOS chip. To check if the Engine itself as well as its current firmware are healthy, you can use Intel MEInfo and MEManuf tools, as instructed below. FWUpdate tool also requires that the SVN, VCN and PV are not violated. FWUpdate tool does not require the user to have read/write access to the Engine firmware region of the systemβs SPI/BIOS chip, as dictated by the Flash Descriptor region permissions. Moreover, FWUpdate tool deals only with Engine CODE and does not require any prior Configuration (DATA). It can thus work with either RGN or EXTR Engine Regions. The basic usage is FWUpdLcl -allowsv -f update_file_name.bin for CSME. At CSME 16+, the main CSME firmware needs to be combined/stitched together with one or more IUPs first before initiating an update/downgrade procedure, as described below. You can see the entire supported parameters by displaying the utilityβs help screen via FWUpdLcl -?. You can also see a few basic usage examples via FWUpdLcl -exp. Note that the name of the file to be flashed via FWUpdate does not matter.
How to use FWUpdate Tool at CSME v16+:
At CSME 16 or newer, FWUpdate tool requires CSME firmware which has been combined/stitched with its equivalent IUP firmware (i.e. PMC, PCHC, PHY) via Modular Flash Image Tool (FIT). To proceed, you must first learn your systemβs Chipset Family/Codename (i.e. ADP), Chipset Platform (i.e. H, LP, N), Chipset Type (i.e. Consumer, Corporate, Slim, Lite, Server) and Chipset Stepping/Revision (i.e. A, B, C, D).
- Download the latest Intel CSME System Tools from Section C2 as well as ME Analyzer tool.
- From Intel CSME System Tools, run MEInfo command line tool and under "Intel(R) ME Code Versions" > "FW Version" you will find your systemβs Chipset Platform as well as Chipset Type (e.g. H Consumer). Under "PCH Information" > "PCH Revision ID" you will find your systemβs Chipset Stepping/Revision which starts with a letter (i.e. Ax, Bx, Cx). Alternatively, drag and drop your systemβs SPI/BIOS image (Flash Descriptor + Engine + BIOS) at ME Analyzer tool and find "SKU" field which shows your systemβs Chipset Type and Chipset Platform (e.g. Consumer LP). Next, find "Chipset Stepping" field which lists one or more supported Chipset Steppings in the form of letters (i.e. A, B, C).
- Based on your systemβs Chipset Family/Codename, Chipset Platform, Chipset Type and Chipset Stepping/Revision, consult the CSME/IUP Table above and choose the correct CSME, PMC, PCHC and/or PHY firmware from Sections B1-B4.
- Input the chosen CSME firmware into ME Analyzer tool and make sure that "FWUpdate Support" is not reported as "Impossible".
- From Intel CSME System Tools, go to Modular Flash Image Tool folder and make sure that only one (1) file exists: mfit.exe. Otherwise, delete the rest.
- Run Modular Flash Image Tool (FIT) and click "Create and build a new image". Select the "FWUpdate" layout that matches your systemβs equivalent CPU specifications. Each Chipset works with certain CPUs. Usually the Chipset codenames end in "Point" whereas CPU codenames end in "Lake". Also, the Chipset Types (i.e. H, LP, N) match to equivalent CPU Families (i.e. S, P, N). For example, "Alder Point (ADP)" Chipset Platform works with "Alder Lake (ADL)" CPU Family and "ADP-H" Chipset Type works with "ADL-S" CPU Family.
- Go to "Flash Layout > Ifwi: Intel(R) Me and Pmc Region" and load the chosen CSME firmware at "Intel(R) ME Binary File". The CSME firmware version should be shown below.
- If your chosen CSME firmware requires PMC IUP, input its firmware at "Flash Layout > Ifwi: Intel(R) Me and Pmc Region > PMC Binary File". The PMC firmware version should be shown below.
- If your chosen CSME firmware requires PCHC IUP, input its firmware at "Flash Layout > Sub Partitions > PCH Configuration Sub-Partition > PCH Configuration File". The PCHC firmware version should be shown below.
- If your chosen CSME firmware requires PHY IUP, input its firmware at "Flex IO > *PHY Configuration > *PHY Binary File". The PHY firmware version should be shown below.
- Click the green "Build" button at the left and a "FWUpdate.bin" file will be generated.
- Input "FWUpdate.bin" file into ME Analyzer tool and make sure that "FWUpdate Support" is reported as "Yes".
- Use FWUpdate tool to flash the "FWUpdate.bin" image.
Note: To extract the files below you need to use programs which support RAR5 compression!
Note: This wiki thread does not appear to be maintained anymore! You may be able to find newer resources at the threadβs replies. User discretion is strongly advised!
B1. Converged Security Management Engine - CSME
-
CSME 16.x CON H A v16.x.yy.zzzz
For CSME Consumer H A v16.x -
CSME 16.x COR H A v16.x.yy.zzzz
For CSME Corporate H A v16.x -
CSME 16.x CON LP A v16.x.yy.zzzz
For CSME Consumer LP A v16.x -
CSME 16.x COR LP A v16.x.yy.zzzz
For CSME Corporate LP A v16.x
B2. Power Management Controller - PMC
-
PMC ADP H A v16x.2.0y.zzzz
For PMC ADP H A v16x.2.0y -
PMC ADP LP A v16x.1.0y.zzzz
For PMC ADP LP A v16x.1.0y -
PMC ADP SoC A v16x.0.0y.zzzz
For PMC ADP SoC A v16x.0.0y
B3. Platform Controller Hub Configuration - PCHC
- PCHC ADP v16.x.y.zzzz
For PCHC ADP v16.x
B4. USB Type C Physical - PHY
-
PHY N ADP v14.xxx.yyy.zzzz
For PHY N ADP v14 -
PHY N ADP v13.xxx.yyy.zzzz
For PHY N ADP v13 -
PHY S ADP v13.xxx.yyy.zzzz
For PHY S ADP v13
C. Intel CSME System Tools
The Intel CSME System Tools are used for creating, modifying, and writing binary image files, manufacturing testing, Intel CSME setting information gathering and Intel CSME firmware configuration and updating. These tools are not released to end-users but only to OEMs. The software below comes only from official updates which were provided and made public by various OEMs.
Flash Image Tool: Creates and configures a complete SPI image file which includes regions such as Flash Descriptor (FD), BIOS/UEFI, Intel Integrated LAN (GbE), Intel CSME etc. The user can manipulate the completed SPI image via a GUI and change the various chipset parameters to match the target hardware.
Flash Programming Tool: Used to program a complete SPI image into the SPI flash device(s). FPT can program each region individually or it can program all of the regions with a single command. The user can also use FPT to perform various functions such as view the contents of the flash on the screen, write the contents of the flash to a log file, perform a binary file to flash comparison, write to a specific address block, program fixed offset variables etc.
Manifest Extension Utility: Used to generate a 3rd party Independent Update Partitions (IUP) which are compressed and signed by an external signing tool, such as OpenSSL. The signed contents may then be stitched into a SPI/BIOS image using the Intel Flash Image Tool (FIT).
Notice: Avoid running the System Tools from paths which include non-English characters (i.e. Cyrillic, Chinese, Arabic, Greek) as it may cause them to crash or behave unpredictably.
C1. Identifying, Updating and Diagnosing Intel CSME Firmware
Those who are looking to update/downgrade their firmware should use MEInfo, FWUpdate and MEManuf tools for status information, updating and functionality checking accordingly. The information and instructions below apply to these three tools only and can be found inside the full Intel CSME System Tools Packages.
MEInfo: Shows CSME and IUP info and checks that the Engine co-processor is operating properly on the software/firmware level. Make sure it doesnβt report any errors. You can use "-verbose" parameter to get status info in more detail. The "GBE Region does not exist" warning is normal for systems that donβt have an Intel GbE Controller, you can safely ignore it.
MEManuf: Diagnostic tool which runs various manufacturing-line tests to ensure that the Engine co-processor is operating properly on the hardware level. It should report a "MEManuf Operation Passed" or similar success message. You can use "-verbose" parameter to get diagnostic info in more detail.
FWUpdate: Used to effortlessly upgrade or downgrade the CSME and IUP (i.e PMC, PCHC, PHY) Engine firmware. Read more about FWUpdate tool at Section B.
C2. CSME System Tools
Note: To extract the files below you need to use programs which support RAR5 compression!
Note: This wiki thread does not appear to be maintained anymore! You may be able to find newer resources at the threadβs replies. User discretion is strongly advised!
- CSME System Tools v16.x
For CSME v16.x