Intel ME firmware version in MSI laptop

Hello,

I would like to know what is the firmware version installed in my laptop. In BIOS it says 11.0.0.1180, consumer SKU. HWinfo in windows shows the following information:
Intel ME Version: 11.0, Build 1180
Intel ME Recovery Image Version: 11.0, Build 1180
Intel ME FITC Version: 11.0, Build 1002, Hot Fix 10

And running MEInfoWin I get this:
Intel(R) MEInfo Version: 11.8.65.3590
Copyright(C) 2005 - 2018, Intel Corporation. All rights reserved.



Intel(R) ME code versions:

BIOS Version E16J4IMS.117
MEBx Version 11.0.0.0005
GbE Version Unknown
Vendor ID 8086
PCH Version 31
FW Version 11.0.0.1180 H
Security Version (SVN) 1
LMS Version Not Available
MEI Driver Version 11.7.0.1045
Wireless Hardware Version 2.1.77
Wireless Driver Version 19.51.17.1

FW Capabilities 0x31111940

Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Intel(R) Platform Trust Technology - PRESENT/ENABLED

Re-key needed False
Platform is re-key capable True
TLS Disabled
Last ME reset reason Firmware reset
Local FWUpdate Enabled
BIOS Config Lock Enabled
GbE Config Lock Enabled
Host Read Access to ME Disabled
Host Write Access to ME Disabled
Host Read Access to EC Disabled
Host Write Access to EC Disabled
SPI Flash ID 1 C84017
SPI Flash ID 2 Unknown
BIOS boot State Post Boot
OEM ID 00000000-0000-0000-0000-000000000000
Capability Licensing Service Enabled
OEM Tag 0x00000000
Slot 1 Board Manufacturer 0x00000000
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
M3 Autotest Disabled
C-link Status Disabled
Independent Firmware Recovery Disabled
EPID Group ID 0xF85
LSPCON Ports None
5K Ports None
OEM Public Key Hash FPF 0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash ME 0000000000000000000000000000000000000000000000000000000000000000
ACM SVN FPF 0x0
KM SVN FPF 0x0
BSMM SVN FPF 0x0
GuC Encryption Key FPF 0000000000000000000000000000000000000000000000000000000000000000
GuC Encryption Key ME 0000000000000000000000000000000000000000000000000000000000000000

FPF ME
— –
Force Boot Guard ACM Disabled Disabled
Protect BIOS Environment Disabled Disabled
CPU Debugging Enabled Enabled
BSP Initialization Enabled Enabled
Measured Boot Disabled Disabled
Verified Boot Disabled Disabled
Key Manifest ID 0x0 0x0
Enforcement Policy 0x0 0x0
PTT Enabled Enabled
PTT Lockout Override Counter 0x0
EK Revoke State Revoked
PTT RTC Clear Detection FPF Not set

It seems pretty obvious that it is 11.0.0.1180. However, some time ago I updated the ME firmware using MSI’s official update for my specific laptop (http://download.msi.com/bos_exe/nb/Intel ME Update Tool_ME118H.zip) and when I analyze the file inside with ME Analyzer: MEA.exe ME_11.8_Consumer_D0_H_Production.bin I get the following:
╔══════════════════════════════════════════╗
║ ME Analyzer v1.88.0 r167 ║
╚══════════════════════════════════════════╝

╔═════════════════════════════════════════════════════════════╗
║ ME_11.8_Consumer_D0_H_Production.bin (1/1) ║
╟──────────────────────────────────────┬──────────────────────╢
║ Family │ CSE ME ║
╟──────────────────────────────────────┼──────────────────────╢
║ Version │ 11.8.50.3425 ║
╟──────────────────────────────────────┼──────────────────────╢
║ Release │ Production ║
╟──────────────────────────────────────┼──────────────────────╢
║ Type │ Region, Stock ║
╟──────────────────────────────────────┼──────────────────────╢
║ SKU │ Consumer H ║
╟──────────────────────────────────────┼──────────────────────╢
║ Chipset │ KBP/BSF-H A ║
║ │ SPT-H D ║
╟──────────────────────────────────────┼──────────────────────╢
║ Security Version Number │ 3 ║
╟──────────────────────────────────────┼──────────────────────╢
║ Version Control Number │ 275 ║
╟──────────────────────────────────────┼──────────────────────╢
║ Production Version │ Yes ║
╟──────────────────────────────────────┼──────────────────────╢
║ Lewisburg PCH Support │ No ║
╟──────────────────────────────────────┼──────────────────────╢
║ OEM RSA Signature │ No ║
╟──────────────────────────────────────┼──────────────────────╢
║ OEM Unlock Token │ No ║
╟──────────────────────────────────────┼──────────────────────╢
║ Date │ 2017-10-25 ║
╟──────────────────────────────────────┼──────────────────────╢
║ File System State │ Unconfigured ║
╟──────────────────────────────────────┼──────────────────────╢
║ Size │ 0x1F0000 ║
╟──────────────────────────────────────┼──────────────────────╢
║ Latest │ No ║
╚══════════════════════════════════════╧══════════════════════╝

The firmware update seems to be version 11.8.50, but that version is not anywhere in my hardware info. Does this make any sense?

Many thanks.

I’m sorry. I retract my question. I just found out that one year ago the firmware was not updated although I used MSI’s tool to do it. I tried again and this time it updated it correctly to 11.8.50.3425 H. On the other hand, do you know if the generic firmware that can be downloaded in this forum (Intel CSME Firmware v11.8.65.3590 (CON H DA).rar) is compatible with a notebook and can be updated in the same ways as with MSI’s tool?

Here is the new information from MEInfo:

Intel(R) MEInfo Version: 11.8.65.3590
Copyright(C) 2005 - 2018, Intel Corporation. All rights reserved.



Intel(R) ME code versions:

BIOS Version E16J4IMS.117
MEBx Version 11.0.0.0005
GbE Version Unknown
Vendor ID 8086
PCH Version 31
FW Version 11.8.50.3425 H
Security Version (SVN) 3
LMS Version Not Available
MEI Driver Version 11.7.0.1045
Wireless Hardware Version 2.1.77
Wireless Driver Version 19.51.17.1

FW Capabilities 0x31111140

Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Intel(R) Platform Trust Technology - PRESENT/ENABLED

Re-key needed False
Platform is re-key capable True
TLS Disabled
Last ME reset reason Global system reset
Local FWUpdate Enabled
BIOS Config Lock Enabled
GbE Config Lock Enabled
Host Read Access to ME Disabled
Host Write Access to ME Disabled
Host Read Access to EC Disabled
Host Write Access to EC Disabled
SPI Flash ID 1 C84017
SPI Flash ID 2 Unknown
BIOS boot State Post Boot
OEM ID 00000000-0000-0000-0000-000000000000
Capability Licensing Service Enabled
OEM Tag 0x00000000
Slot 1 Board Manufacturer 0x00000000
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
M3 Autotest Disabled
C-link Status Disabled
Independent Firmware Recovery Disabled
EPID Group ID 0x1F86
LSPCON Ports None
5K Ports None
OEM Public Key Hash FPF 0000000000000000000000000000000000000000000000000000000000000000
OEM Public Key Hash ME 0000000000000000000000000000000000000000000000000000000000000000
ACM SVN FPF 0x0
KM SVN FPF 0x0
BSMM SVN FPF 0x0
GuC Encryption Key FPF 0000000000000000000000000000000000000000000000000000000000000000
GuC Encryption Key ME 0000000000000000000000000000000000000000000000000000000000000000

FPF ME
— –
Force Boot Guard ACM Disabled Disabled
Protect BIOS Environment Disabled Disabled
CPU Debugging Enabled Enabled
BSP Initialization Enabled Enabled
Measured Boot Disabled Disabled
Verified Boot Disabled Disabled
Key Manifest ID 0x0 0x0
Enforcement Policy 0x0 0x0
PTT Enabled Enabled
PTT Lockout Override Counter 0x0
EK Revoke State Revoked
PTT RTC Clear Detection FPF Not set

You can use FWUpdate tool to update the CSME firmware, as explained at the (CS)ME thread. It’s no different from what the OEM does.

Thanks plutomaniac. I thought that laptops had a specific requirements when updating the IntelME. I have read several posts where people have had problems after updating their laptops when using the generic firmware images from Intel liked in this forum (SATA drives not showing, etc…). On the other hand, when I open the official ME update from my OEM (MSI) it looks totally generic, but I cannot be 100% sure unless I had access to the previous generic IntelME firmware (11.8.50.3425 H) and compare the official Intel firmware download to the official MSI update inside this link: http://download.msi.com/bos_exe/nb/Intel ME Update Tool_ME118H.zip . Do you still store the release 11.8.50.3425 H so I can compare the two binary files?

Thanks.

You can read Intel Management Engine: Drivers, Firmware & System Tools > Section B to understand how Engine firmware is configured and how updating works.

According to that section, my firmware should be the “Intel CSME 11.8 Consumer PCH-H D,A Firmware v11.8.65.3590 For 100/200/H310C/B365/Z370-series systems which run CSME Consumer H D,A v11.0 - v11.8”. And because the File System State is “Unconfigured” (see ME Analyzer result in my previous posts), no additional OEM modifications have been implemented. However, if it is so straightforward, I do not understand why other MSI laptop users have flashed the wrong firmware version. There must be something I am missing. There is a sentence in section B that concerns me: “The Engine firmware at the system’s SPI/BIOS chip is always EXTR, generated by the OEM after configuring the equivalent RGN with the appropriate system settings.”

Can I find the old 11.8.50.3425 version for the Consumer PCH-H D anywhere?

The CSME firmware is given to OEMs by Intel in stock/unconfigured (RGN) form. The goal is to configure it (EXTR), insert it into the SPI/BIOS image and flash that at the system’s SPI/BIOS chip. This is done via flash programmers or generic SPI read/write tools such as Flash Programming Tool. Once the firmware is up and running, it can be easily updated via FWUpdate tool which does not require any configuration of the firmware to flash because it only updates the CODE and not any DATA/Configuration. The configuration stays the same. Because FWUpdate tool deals only with CODE and not DATA, you can use whatever you want with it (RGN/EXTR which are either Uncofigured/Configured/Initialized), it’s all the same to it. So unless you want to repair the CSME firmware or re-flash it completely (CODE + DATA), you do not need to Configure it again, like the OEM did.

OK, now I got it! Thanks for the detailed explanation. In fact, I found the old 11.8.50.3425 firmware version in stationdrivers, and the .bin file was identical to the one that MSI provided to update my laptop from 11.0 to 11.8. I think this confirms that the firmware can be easily updated. However, being so easy, I still do not understand the problems of some users if the FWUpdate tool is used properly, i.e.:

First generate a key if needed: SetupME.exe -tcs -nodrv -s
Second update the firmware: FWUpdLcl64 -f "firmware.bin" -forcereset -allowsv


This doesn’t prove anything. The firmware could have been slightly different for various reasons and all of these would be acceptable to SD because they use FWUpdate tool.

As explained at Intel Management Engine: Drivers, Firmware & System Tools > Engine Firmware Updating, a simple “FWUpdLcl -f update_file_name.bin” command is enough to update the firmware. The “-tcs -nodrv” driver parameters are irrelevant to firmware updating but have to do with a vulnerability mitigation, as explained at the equivalent section of the aforementioned (CS)ME thread.

Hello again,

I have recently activated the Intel PTT’s TPM 2.0 in the BIOS, but after running the MEInfo, the Endorsement Key (EK) appears as Revoked. The Re-key needed option is False. I tried re-keying again with “SetupME.exe -tcs -nodrv -s”, but nothing changes. Any idea? TPM seems to be detected and working in the device manager, but Windows 10 seems to be complaining with this error:
“Device health attestation isn’t supported on this device.” I think both problems are related, as a EK is required for the attestation to work. Am I right? Why my key is revoked and can I change that?

Many thanks.

I’m not very knowledgeable on these things but I don’t think there is a problem. Once you Re-Keyed the first time, the old EK was Revoked and that’s why you see that. Install the latest Drivers & Software normally and if the fTPM works, you’re good. If you’re still skeptical, I suggest you ask Intel support. They should know for sure.

Thanks,

It seems that Bitlocker does not complain, only Windows shows the error message I posted above. I wonder if I can test the TMP with additional software to see if it is fully working.

I might ask Intel just in case, but I suppose they will redirect me to my computer manufacturer…



I think you’re spot on, plutomaniac! After powering on the system today, Windows 10 does not complain anymore about the attestation thing! The Endorsement Key (EK) still appears as revoked in MEInfo, but Windows 10 seems to fully accept the TPM no with no error messages in the Security Processor window (https://support.microsoft.com/en-us/help…curityprocessor ). The revoked EK probably means exactly what you said, and in that case, anybody that had re-keyed their system should see the same revoked status in MEInfo.

Thanks.