Optiplex 5040 AMT

Trying to enable full Intel AMT on the motherboard has proved quite tricky. I have read all the other posts but I’m getting nowhere fast. I wanted to use the ME from the Optiplex 7040 thread but the files are no longer available. I will post my files in a few minutes. I also followed the information from this post, "RE: HP EliteOne 800 G2 CPU Gen6 to Gen7", which provided a lot of insight. This one was also very good: "Optiplex 5050 - Intel FIT Build Error". Actually, he was having the same problems I am having currently. This is my ME region dump. My other SPI dump is too large to post. As far as my research is concerned, I need a BIOS or ME from another OEM machine with AMT enabled.

Any help will be welcomed.


Here is more info:

MEInfo

Intel(R) MEInfo Version: 11.8.60.3561
Copyright(C) 2005 - 2018, Intel Corporation. All rights reserved.



Intel(R) Manageability and Security Application code versions:

BIOS Version 1.10.1
MEBx Version 11.0.0.0010
GbE Version 0.8
Vendor ID 8086
PCH Version 31
FW Version 11.8.55.3510 H
Security Version (SVN) 3
LMS Version Not Available
MEI Driver Version 11.5.0.1019
Wireless Hardware Version Not Available
Wireless Driver Version Not Available

FW Capabilities 0x791A1146

Intel(R) Standard Manageability - PRESENT/ENABLED
Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Service Advertisement & Discovery - PRESENT/ENABLED
Intel(R) Platform Trust Technology - PRESENT/DISABLED

Re-key needed False
Platform is re-key capable True
Intel(R) AMT State Disabled
AMT Global State Enabled
Intel(R) Standard Manageability State Enabled
TLS Disabled
Last ME reset reason Power up
Local FWUpdate Enabled
BIOS Config Lock Enabled
GbE Config Lock Enabled
Host Read Access to ME Disabled
Host Write Access to ME Disabled
Host Read Access to EC Disabled
Host Write Access to EC Disabled
SPI Flash ID 1 20BA18
SPI Flash ID 2 Unknown
BIOS boot State Post Boot
OEM ID 68853622-eed3-4e83-8a86-6cde315f6b78
Link Status Link Up
System UUID 4c4c4544-0039-5710-8038-c7c04f374a32
MAC Address 48-4d-7e-f9-24-04
IPv4 Address 0.0.0.0
IPv6 Enablement Disabled
IPv6 Address Unknown
Privacy/Security Level Default
Configuration State Not Started
Provisioning Mode PKI
Capability Licensing Service Enabled
OEM Tag 0x00000000
Slot 1 Board Manufacturer 0x00001028
Slot 2 System Assembler 0x00000000
Slot 3 Reserved 0x00000000
M3 Autotest Enabled
C-link Status Enabled
Wireless Micro-code Mismatch No
Wireless Micro-code ID in Firmware 0x24F3
Wireless LAN in Firmware Intel(R) Dual Band Wireless-AC 8260
Wireless Hardware ID No Intel WLAN card installed
Wireless LAN Hardware No Intel WLAN card installed
Localized Language English
Independent Firmware Recovery Disabled
EPID Group ID 0x1FD7
LSPCON Ports None
5K Ports None
OEM Public Key Hash FPF A53EF0C178D288B02E61FD71FC31874E89F041FE9332BA2A787A97F7146FB06C
OEM Public Key Hash ME A53EF0C178D288B02E61FD71FC31874E89F041FE9332BA2A787A97F7146FB06C
ACM SVN FPF 0x2
KM SVN FPF 0x0
BSMM SVN FPF 0x0
GuC Encryption Key FPF 0000000000000000000000000000000000000000000000000000000000000000
GuC Encryption Key ME 0000000000000000000000000000000000000000000000000000000000000000

FPF ME
--- --
Force Boot Guard ACM Enabled Enabled
Protect BIOS Environment Enabled Enabled
CPU Debugging Enabled Enabled
BSP Initialization Enabled Enabled
Measured Boot Enabled Enabled
Verified Boot Enabled Enabled
Key Manifest ID 0xF 0xF
Enforcement Policy 0x3 0x3
PTT Enabled Enabled
PTT Lockout Override Counter 0x0
EK Revoke State Not Revoked
PTT RTC Clear Detection FPF 0x0



snakeman

5040.zip (3.54 MB)

More info if needed.

C:\WIN64>meinfowin64 -fwsts

Intel(R) MEInfo Version: 11.8.60.3561
Copyright(C) 2005 - 2018, Intel Corporation. All rights reserved.



FW Status Register1: 0x94000245
FW Status Register2: 0x80100106
FW Status Register3: 0x00000030
FW Status Register4: 0x00684004
FW Status Register5: 0x00001F01
FW Status Register6: 0x47C00BC9

CurrentState: Normal
ManufacturingMode: Disabled
FlashPartition: Valid
OperationalState: CM0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
SPI Flash Log: Present
FPF HW Source value: Original FPF HW Fuse Bank
ME FPF Fusing Patch Status: ME FPF Fusing patch NOT required
Phase: Maestro
ICC: Valid OEM data, ICC programmed
ME File System Corrupted: No
FPF and ME Config Status: Match


First log from FIT

03/14/2019 04:28:52
Using vsccommn.bin with timestamp 20:58:37 05/01/2018 GMT

Command Line: C:\Users\owner\Downloads\downloaded\CoffeeTime\Intel CSME System Tools v11 r20\Flash Image Tool\WIN32\fit.exe

Log file written to fit.log

Loading C:\more\5040.bin

Decomposed SKU Value: "Intel (R) H Series Chipset - Intel (R) Q170 - Desktop".

Warning: The ME FW image loaded has been pulled from a previously booted system. Some FW settings will not be allowed to be changed.
Warning: Could not set "Redirection Privacy / Security Level" to: 0x0000000000000000000000000000000000000098133288941C8F6C2FE02F4BE060E3720EEC0ED65B635B61941F207DFAE8F4A49C01, reverting to previous/default value: Default
Writing map file C:\Users\owner\Downloads\downloaded\CoffeeTime\Intel CSME System Tools v11 r20\Flash Image Tool\WIN32\5040\5040.map


Which led to this after trying to build:

Executing pre-build actions
Warning: Did not update "IshSigningPolicy" because the ME FW is from a previously booted system.
Warning: Did not update "OdmIDIntelServices" because the ME FW is from a previously booted system.
Warning: Did not update "SysIntIdIntelServices" because the ME FW is from a previously booted system.
Warning: Did not update "ReservedIdIntelServices" because the ME FW is from a previously booted system.
Warning: Did not update "NvarPostManUnLckd" because the ME FW is from a previously booted system.
Warning: Did not update "PkiDomainSuffix" because the ME FW is from a previously booted system.
Warning: Did not update "PkiDomainSuffix" because the ME FW is from a previously booted system.
Warning: Did not update "EhbcEnable" because the ME FW is from a previously booted system.
Error 21: [NvarActions] Data Conversion error.
Error converting data type of length: 53
NVAR name: RedirectionPrivSecLevel
value: 1
Error 37: [NvarActions] Could not write NVAR value. RedirectionPrivSecLevel
Error 14: [NvarActions] Failed to write NVAR. RedirectionPrivSecLevel
Error 5: [CsmeBinaryGen] Error executing pre-build actions.
Error 15: Failed to build.
Failed to build!

Please take a look at these files to see if they are OK.

5040.zip is the original dumped ME

outimage is the new "ME" file to flash



snakeman

5040.zip (3.54 MB)

outimage.zip (3.41 MB)
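An added example, not part of the thread or of Intel's tools: a Python sketch that decodes FW Status Register1 from the `-fwsts` output in the post above into the fields MEInfo prints beneath it, and flags the states worth checking before trusting or reusing a dump (manufacturing mode, bad flash partition table, error code). The bit layout follows coreboot's public ME headers and is assumed to apply to this CSME 11 firmware; the function names are hypothetical.

```python
import re

# HFSTS1 fields as (bit offset, width). Assumption: layout from coreboot's ME headers.
FIELDS = {
    "working_state": (0, 4), "mfg_mode": (4, 1), "fpt_bad": (5, 1),
    "operation_state": (6, 3), "init_complete": (9, 1),
    "bup_load_failed": (10, 1), "error_code": (12, 4), "operation_mode": (16, 4),
}
WORKING_STATE = {0: "Reset", 1: "Initializing", 2: "Recovery", 5: "Normal"}
OPERATION_STATE = {0: "Preboot", 1: "CM0 with UMA", 4: "M3 without UMA",
                   5: "CM0 without UMA", 6: "Bring up", 7: "CM0 error"}

# Register lines copied from the MEInfo -fwsts output in the post above.
SAMPLE = """FW Status Register1: 0x94000245
FW Status Register2: 0x80100106
FW Status Register3: 0x00000030"""

def parse_fwsts(text):
    """Return {register number: value} for every 'FW Status RegisterN' line."""
    pattern = r"FW Status Register(\d+):\s*0x([0-9A-Fa-f]{8})"
    return {int(n): int(v, 16) for n, v in re.findall(pattern, text)}

def decode_hfsts1(value):
    """Split the 32-bit register into its named bit fields."""
    return {name: (value >> off) & ((1 << width) - 1)
            for name, (off, width) in FIELDS.items()}

def findings(f):
    """List deviations from a healthy, end-user (non-manufacturing) ME state."""
    out = []
    if f["mfg_mode"]:
        out.append("manufacturing mode enabled")
    if f["fpt_bad"]:
        out.append("flash partition table invalid")
    if f["working_state"] != 5:
        name = WORKING_STATE.get(f["working_state"], "unknown")
        out.append(f"working state is {name}, not Normal")
    if not f["init_complete"]:
        out.append("firmware init not complete")
    if f["bup_load_failed"]:
        out.append("BUP load failed")
    if f["error_code"]:
        out.append(f"error code {f['error_code']}")
    return out

if __name__ == "__main__":
    fields = decode_hfsts1(parse_fwsts(SAMPLE)[1])
    print(fields, OPERATION_STATE.get(fields["operation_state"]), findings(fields))
```

For the register value in the post, the decoded fields agree with MEInfo's own summary: Normal, manufacturing mode disabled, CM0 with UMA, init complete, no error.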

I tried to check if you followed the CleanUp Guide properly & also adjusted the AMT settings to be enabled but then noticed via ME Analyzer that your dump has multiple File System (MFS) corruptions so it might not be possible or a good idea to use that as your basis. Have you found by any chance another 5040 dump in order to clean?

I can’t find one anywhere! I was wondering how close the 7050 dump in the other thread will be to, say, a 7040 dump, trying to follow the same theory as using a 7040 ME on a 5040 machine. His dump is as close as I can find, with a slightly different chipset. Can I brick the whole box with a bad ME flash?

This is the post I am referring to: Optiplex 5050 - Intel FIT Build Error

The system you are referencing is different as it has a newer PCH and various other FIT options changed. We should be able to use your own dump based on the fact that only checksums are broken and not data. FIT does not seem to crash upon loading it so that’s another good sign. I have thus followed the Engine CleanUp Guide based on your own 5040 dump using the latest COR H firmware and enabled AMT at the same time.

Capture.PNG

5040_AMT_fix.rar (3.32 MB)

Wow, thanks! Just got home and saw this post. I will report back as soon as possible.

snakeman


I have AMT enabled,

Many Thanks,

Cheers,

snakeman

I know that this thread is not active anymore, but I am trying my luck… Can you give me more details about what you activated on 5040 model, full Intel AMT (with KVM support) or just the Intel Standard Management stack (AMT limited)?
Thank you in advance,

Full AMT + KVM + TLS (at the bottom). Standard Manageability is the absence of AMT so I assume that’s not what you want.