Intel (CS) Management Engine: Drivers, Firmware and Tools for (CS)ME 16+

True, there won’t be MEA support for these and also not included in the DB. However, I believe that it’s good to be posted/attached/kept somewhere in case someone wants to look/use at these firmware. Personally, I try to keep most of these new binaries in bulk (w/o any processing), just in case.

New on ST, Intel Management Engine (ME) Firmware Version 16.1.30.2264 (S&H) 1.5Mo

16.1.25.2091_COR_LP_A_PRD_EXTR.zip (5.2 MB)

Good afternoon everyone!
Please help me find CSME System Tools 16.0.15.1735.
I will be very grateful.

hi .
my old bios backup gives an error on me analyzer.
“Error: Detected CSE Extension 0x16 with wrong Partition Hash at FTPR > FTPR.man!”
cs me version is 16.0.15.1662 anyone have you got , can you share?

Hello,

I am using a CLEVO NP70PNJ (NP5x_NP6x_NP7xPNK_PNH_PNJ).

The latest BIOS I found is version 12 with the following details:

BIOS Version: 1.07.12
KBC/EC Version: 1.07.07
ME FW Version: 16.1.25.1865

The problem is that even this latest ME firmware is vulnerable (CSME-Version-Detection-Tool).

CLEVO, of course, does not respond to any messages and is not very responsive.

Thanks to a user’s sharing on this forum, I found a more recent ME/FW update on Station-drivers.

I’m just very concerned about bricking a brand new PC, and I would like confirmation that upgrading from:

ME version 16.1.25.1865 to ME version 16.1.27.2192 as shown in the image below won’t cause any issues? (the difference between in yellow)

28-09-2023 à 17°15’59”1103×2011 187 KB

I’m asking because, based on the message at the beginning of this thread, it’s dangerous to change the ‘Version Control Number’ or, worse, to switch the PCHC from 16.0.x to 16.1.x , differente total bits size …

And, most importantly, even if I make a backup with ‘fptw64.exe -ME -D actualFWME.bin’ , if I brick it with a bad flash, I won’t be able to flash back the backup since the PC won’t boot anymore.

In summary, I need a specialist to confirm if it’s safe to flash the image above.

Thanks !

_{Edit: I see that if I perform a backup, I have “Initialized” in the File System State, which would be normal because it comes from an initialized system. Therefore, it is logical that the file to be flashed should be in File System State = “Configured” I suppose because DATA has been cleaned up. Note that all this speculations are based on what I understood from the second paragraph “A. About Engine Regions & Configuration” from the first post in this thread.}

Vulnerable to what? Millions of people use computers with outdated ME firmware and who cares.

It’s unlikely that you’ll brick it with an update, but there’s always a chance that something won’t work correctly. It is only safe to use updates provided by your laptop manufacturer itself. If you are so concerned about ME vulnerabilities, maybe you should use a laptop with disabled ME.

Hello Anton35,

Thank you for your response.

It’s not really a concern about ME vulnerabilities that drives me to update the firmware; it’s more of a thorough, perfectionist approach. I completely agree with you that outdated ME firmware is probably widespread and not a significant issue for standard regular users like me.

However, the problem will be quickly resolved: I’m getting error 369: failed to verify the signature of OEM or RoT key manifest. For example: Error on update from Production to Pre-Production, which confirms that the easiest solution is indeed to use the updates provided by your laptop manufacturer itself as you suggest. It’s just that Clevo is not as reactive as Asus or Lenovo…

_{Edit: Currently testing this}

Well, edit above can’t seem to resolve the error, so I’m going to use the explanations from the first post at the beginning of this thread to create my own firmware.
^{This will be a change from those who ask without trying anything. I’m sharing.}

What I’m doing here in case it can help someone.

1/ I Mfit.exe decompose an Original BIOS provided by my manufacturer and compare it to my own saved BIOS, which theoretically should be the same.

30-09-2023 à 14°59’41”1899×480 20.1 KB

2/ I notice that ME Sub Partition.bin and CSE Region.bin are different between the BIOS I’m given and after it’s flashed.

2831×508 13.3 KB

3/ Thanks to the explanations by system at the beginning of this thread, I understand that the difference is normal because ME Sub Partition.bin is “Initialized” by the system after flashing its virgin “Configured” version.

4/ Still, thanks to the explanations by system at the beginning of this thread, I understand that I will need to create a Clean Firmware in “Configured” mode.

5/ CSE Region.bin is, therefore, different between the BIOS I download and its version that I flash on the system because the PC has “Initialized” this Region.

6/ By comparing the manufacturer’s BIOS with the available update^★ for my configuration (LP Consumer (ADL) A1), I notice that I need to update:

(★) I would have preferred to build from scratch using each available piece from an MEA db from Anton35 , but the link is dead.

31877×304 19.6 KB

01) ME 16.1.27.2192
02) PMCP 160.1.0.1029
03) IOMP 36.6.0.0
04) NPHY 14.530.509.8258
05) TBTP 16.0.0.1901
06) PCHC 16.1.0.1014

7/ I launch Mfit.exe and follow the instructions from system at the beginning of this thread:

Select Intel(R) AlderLake P Chipset - FWUpdate

Flash Layout ➜ Ifwi: Intel(R) Me and Pmc Region Intel(R) ME Binary File
[ME Sub Partition.bin] = the new 01) from ME_16.1.27.2192_A0_Origin.bin

Flash Layout ➜ Ifwi: Intel(R) Me and Pmc Region PMC Binary File
[CsePlugin#PMC.bin] = the new 02) from ME_16.1.27.2192_A0_Origin.bin

Flash Layout ➜ Sub Partitions ➜ PCH Configuration Sub-Partition PCH Configuration File
[CsePlugin#PCHC.bin] = the new 06) from ME_16.1.27.2192_A0_Origin.bin

Flex IO ➜ TCSS Configuration NPHY Binary File
[CsePlugin#NPHY.bin] = the new 04) from ME_16.1.27.2192_A0_Origin.bin

Flex IO ➜ TCSS Configuration IO Manageability Engine Binary File
[CsePlugin#IOM.bin] = the new 03) from ME_16.1.27.2192_A0_Origin.bin

Flex IO ➜ TCSS Configuration Thunderbolt™/USB4™ Binary File
[CsePlugin#TBT.bin] = the new 05) from ME_16.1.27.2192_A0_Origin.bin

ISH (it’s not in the original BIOS, so I’m not putting it)

UTOK (they are identical, so I’m not touching them)

BONUS to try to counter the error 369 above:

Platform Protection ➜ Hash Key Configuration for Bootguard / ISH OEM Key Manifest Binary
[CsePlugin#OEM_KM.bin] = That of the original manufacturer’s BIOS

8/ I’m a bit afraid to flash this Frankenstein I’ve created, even though it’s actually just an ME_16.1.27.2192_A0 from here with an OEM_KM.bin from my original BIOS as a replacement.

4681×1529 20.4 KB

51899×480 36 KB

.

EDIT ▶ 🎉 Did it! 👍

I created something with Mfit.exe by simply removing the OEM and ISH bin files to avoid signature issues like above.

But I’m not going to spam a another lengthy explanation that annoys everyone here about update Intel ME on Clevo that probably only affects a few people.

02-10-2023 à 21°15’06”1594×455 18.6 KB

In fact, everything is in the first post.

For Clevo NP70PNJ Only and to update to:

FW      Version : 16.1.27.2192 LP Consumer
PMC FW  Version : 160.1.0.1029
IOM FW  Version : 36.6.0.0000
NPHY FW Version : 14.530.509.8258
TBT FW  Version : 16.0.0.1901
PCHC FW Version : 16.1.0.1014

Flash this :

FWUpdLcl64.exe -allowsv -f FWUpdate.bin

FWUpdate.bin ➯ WeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free

Newest FW should be, according to ASUS 16.1.30
But I haven’t found anything useful yet to apply - specially the LP versions are getting scarcer to get hands on.
It’s way to hard to get to these new FWs without pluto and fernando…

The 16.1.30 from Asus for CON H is very new, you should wait because usually not all platforms are getting the same update, it just came out a week ago…
Also a lot of users keep tracking the FW releases whenever they can or come across.

Intel_CSME_ADL-N_16.50.0.1120_A0_Consumer :
[…]

Staff Note: The link has been removed to adhere with forum rule 14, regarding “posts or links to documents and/or tools which are marked as Confidential, Restricted, Private, are part of a commercial license etc”. The rule was originally put in place to avoid legal action against the forum and/or the 3rd-party source of the files/info. In this case, the 3rd-party source was evident from the filename as well.

@KLRCTMG

Update!

If still errors:

CSME V16.5.0 con system tool:

Hi!

Looking for CSME 16.0 CON LP A v16.0.15.1735 to clear ME

@hunmike000

EDIT: “Any idea how to solve this?” No sry, not my field…

Thanks @MeatWar , but when i rename and replace the decomposed ME Sub Partition.bin with the file from the repo for which you provided the link (intel_me_16.0.15.1735-lp(station-drivers.com)/Non_Capsule\ME_16.0_Cons.bin) I get the following error during building via Intel (R) Modular Flash Image Tool. Version: 16.0.15.1735:
“Exception: Data bucket: ‘OEM_KM’. Error: ‘The public key in the OEM Key Manifest provided does not match the hash provided in CsePlugin:UEP:OemPublicKeyHash’.
Source: ‘CsePlugin:OEM_KM’”

Any idea how to solve this?

In my case, all I had to do was open this intel ME firmware with MFIT.exe (version 16.0 to be in compliance) and remove the OEM-KM and ISH parts as believe as well (no choice if I removed OEM), and then save and flash this modified firmware (= the same one but without OEM and ISH).

Because ME_16.0_Cons.bin is not ME Sub Partition itself, it’s a prestitched FWUpdate for some Lenovo platform. You have to decompose it first using MFIT, to get unconfigured ME Sub Partition.bin, as you can see on screenshot.

Then you can try to use it for cleaning your initialized bios dump, although it is not recommended to use Extracted type.