Dear people,
My main (desktop) computer is an Acer Veriton X4610G (Intel Q65/Courgarpoint chip-set, see my signature below for specs). I’ve upgraded it to Win10x64pro (2004 build). My OEM and Intel have both dropped support for my hardware (HW) and chip-set, but I find that the HW is still quite viable/usable. I’m in the process of updating firmware (FW) and necessary drivers and stumbled upon various ME vulnerabilities (INTEL-SA-00075 and Intel-SA-00086 at least). @Fernando was kind enough to point me to the SOL driver . Later on I read (and reread) the opening post of this topic and was taken back by the immense complexity of it all and the deep integration of ME into the platform. My OEM and Intel refuse to assist me and just send me to their forums due to indifference and/or system age. I found no solution there. I’m really happy to see the expertise in this forum and would like to ask the following questions regarding ME/AMT.
My goal is to get my system stable and secure and not break nor brick it in the process.
Here’s what I currently have: ME CPT 5M v7.0.4.1197
Intel(R) MEInfo Version: 7.0.4.1197
Copyright(C) 2005 - 2010, Intel Corporation. All rights reserved.
Intel(R) Manageability and Security Application code versions:
BIOS Version: P01-B3
MEBx Version: 7.0.0.53
Gbe Version: 1.3
VendorID: 8086
PCH Version: 600005
FW Version: 7.0.4.1197
UNS Version: Not Available
LMS Version: Not Available
MEI Driver Version: 11.0.0.1157
Wireless Hardware Version: Not Available
Wireless Driver Version: Not Available
FW Capabilities: 19536998
Intel(R) Standard Manageability - PRESENT/ENABLED
Intel(R) Anti-Theft Technology - PRESENT/ENABLED
Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Standard Manageability State: Enabled
CPU Upgrade State: Upgrade Capable
Cryptography Support: Enabled
Last ME reset reason: Power up
Local FWUpdate: Enabled
BIOS and GbE Config Lock: Disabled
Host Read Access to ME: Disabled
Host Write Access to ME: Disabled
SPI Flash ID #1: EF4017
SPI Flash ID VSCC #1: 20052005
SPI Flash BIOS VSCC: 20052005
BIOS boot State: Post Boot
OEM Id: 00000000-0000-0000-0000-000000000000
Link Status: Link down
System UUID: <censored>
MAC Address: <censored>
IPv4 Address: 0.0.0.0
IPv6 Enablement: Disabled
Privacy Level: Default
Configuration state: Not started
Provisioning Mode: Unknown
Capability Licensing Service: Enabled
Capability Licensing Service Status: Permit info not available
OEM Tag: 0x00000000
C:\Apps\Intel-ME_CPT_5M_7.0.4.1197\MEManuf\Windows>MEManufWin.exe -verbose
Intel(R) MEManuf Version: 7.0.4.1197
Copyright(C) 2005 - 2010, Intel Corporation. All rights reserved.
Platform stepping value is 5
FW Status Register1: 0x1E000245
FW Status Register2: 0x68000006
CurrentState: Normal
ManufacturingMode: Disabled
FlashPartition: Valid
OperationalState: M0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
ICC: Valid OEM data, ICC programmed
Get FWU info command…done
Get FWU version command…done
Get FWU feature state command…done
Get ME FWU platform type command…done
Get ME FWU feature capability command…done
Feature enablement is 0x12A1C66
gFeatureAvailability value is 0x1
OEM ICC data valid and programmed correctly
Request Intel(R) ME test result command…done
vsccommn.bin was created on 02:10:39 09/22/2010 GMT
SPI Flash ID #1 ME VSCC value is 0x2005
SPI Flash ID #1 (ID: 0xEF4017) ME VSCC value checked
SPI Flash ID #1 BIOS VSCC value is 0x2005
SPI Flash ID #1 (ID: 0xEF4017) BIOS VSCC value checked
FPBA value is 0x0
No Intel Wireless device was found
Get Intel(R) ME test data command…done
Total of 21 Intel(R) ME test result retrieved
Micro Kernel - Blob Manager: Set - Passed
Micro Kernel - Blob Manager: Get - Passed
Micro Kernel - Blob Manager: Remove - Passed
Policy Kernel - SMBus: Read byte - Passed
Policy Kernel - ME Password: Valid MEBx password - Passed
Policy Kernel - Power Package: Package 1 supported - Passed
Policy Kernel - Power Package: Default package supported - Passed
Policy Kernel - ME Configuration: Wlan Power Well - Passed
Policy Kernel - ME Configuration: CPU Missing Logic - Passed
Policy Kernel - ME Configuration: M3 Power Rails Available - Passed
Policy Kernel - Embedded Controller: Get power source - Passed
Common Services - General: Low power idle timeout - Passed
Common Services - Provisioning: Valid MEBX password change policy - Passed
Common Services - Provisioning: Client Config mode is valid - Passed
Common Services - General: Vlan not enabled on mobile - Passed
Common Services - Provisioning: Both PID and PPS are set - Passed
Common Services - Provisioning: MEBX password set when PID and PPS set - Passed
AMT - Privacy Level: Valid Privacy Level settings - Passed
AMT - Power: Power-package 2 supported - Passed
AMT - Hardware Inventory: BIOS tables - Passed
Policy Kernel - Power Package: Live Heap Test - Passed
Clear Intel(R) ME test data command…done
MEManuf Test Passed
╔═══════════════════════════════════════════╗
║ ME Analyzer v1.160.0 r212 ║
╚═══════════════════════════════════════════╝
╔════════════════════════════════════════════════════╗
║ CPT_5M_UPD_Production.BIN (1/1) ║
╟────────────────────────────────┬───────────────────╢
║ Family │ ME ║
╟────────────────────────────────┼───────────────────╢
║ Version │ 7.0.4.1197 ║
╟────────────────────────────────┼───────────────────╢
║ Release │ Production ║
╟────────────────────────────────┼───────────────────╢
║ Type │ Update ║
╟────────────────────────────────┼───────────────────╢
║ SKU │ 5MB ║
╟────────────────────────────────┼───────────────────╢
║ Patsburg PCH Support │ No ║
╟────────────────────────────────┼───────────────────╢
║ Date │ 2011-02-01 ║
╟────────────────────────────────┼───────────────────╢
║ Downgrade Blacklist 7.0 │ <= 7.0.3.1194 ║
╟────────────────────────────────┼───────────────────╢
║ Downgrade Blacklist 7.1 │ <= 7.1.2.1049 ║
╟────────────────────────────────┼───────────────────╢
║ Chipset Support │ CPT ║
╟────────────────────────────────┼───────────────────╢
║ Latest │ No ║
╚════════════════════════════════╧═══════════════════╝
These are my questions:
1. Can I upgrade ME to a secure version that supports my hardware and Win10 OS?
2. Is the ME Firmware part of the normal BIOS/EUFI firmware? Is it physically inside the same BIOS EEPROM? Is it contained in the BIOS image.
3. Is there a risk of bricking my computer by upgrading the ME Firmware?
4. Can ME be upgraded beyond version 7.x on my computer (Acer Support offers a Win8 download for: AMT_Intel_8.1.30.1350_W8x64 it contains "ME8_1.5M_Production.BIN", which ME Analyzer says the following about:
╔═══════════════════════════════════════════╗
║ ME Analyzer v1.160.0 r212 ║
╚═══════════════════════════════════════════╝
╔══════════════════════════════════════════════════╗
║ ME8_1.5M_Production.BIN (1/1) ║
╟──────────────────────────────────┬───────────────╢
║ Family │ ME ║
╟──────────────────────────────────┼───────────────╢
║ Version │ 8.1.30.1350 ║
╟──────────────────────────────────┼───────────────╢
║ Release │ Production ║
╟──────────────────────────────────┼───────────────╢
║ Type │ Stock ║
╟──────────────────────────────────┼───────────────╢
║ SKU │ 1.5MB ║
╟──────────────────────────────────┼───────────────╢
║ TCB Security Version Number │ 1 ║
╟──────────────────────────────────┼───────────────╢
║ Version Control Number │ 2 ║
╟──────────────────────────────────┼───────────────╢
║ Production Ready │ Yes ║
╟──────────────────────────────────┼───────────────╢
║ Date │ 2013-01-17 ║
╟──────────────────────────────────┼───────────────╢
║ Size │ 0x17D000 ║
╟──────────────────────────────────┼───────────────╢
║ Chipset Support │ CPT/PBG/PPT ║
╟──────────────────────────────────┼───────────────╢
║ Latest │ No ║
╚══════════════════════════════════╧═══════════════╝
5. What does it mean when ME Analyzer reports: "Latest: No"? And can it report to me what the Latest would be?
6. To what version can/should I ultimately update?
7. Would I need to add Vendor Specific Component Capabilities (VCSS) myself?
8. The D1. "Intel MEI Drivers & Software Corporate v11.0.6.1194 (ME 7-8)" corp link points to Lenovo. Is that correct?
9. Does my computer support Intel Anti-Theft Technology? MEInfo reports: "Intel(R) Anti-Theft Technology - PRESENT/ENABLED", but the Q65 chip-set specs state: " Anti-Theft Technology: No".
10. There is a Jumper on my Mother Board (MB) that says: "ME_disable". I can’t find any documentation about it. What does it do? Will disabling it secure me against ME vulnerabilities? Will I loose functionality when I disable it? Or will ME still be silently running and keep on being a vulnerability / security problem?
11. Can ME communicate over a discrete PCIe-WiFi card?
12. My OEM did provide an ME FW update to protect against: INTEL-SA-00075. ME Analyzer reports some discrepancies about that FW image in comparison to the currently active FW (discrepancies: Patsburg PCH Support No -> Yes, Chipset Support CPT -> CPT/PBG).
╔═══════════════════════════════════════════╗
║ ME Analyzer v1.160.0 r212 ║
╚═══════════════════════════════════════════╝
╔════════════════════════════════════════════════════╗
║ ME7_5M_UPD_Production.bin (1/1) ║
╟───────────────────────────────┬────────────────────╢
║ Family │ ME ║
╟───────────────────────────────┼────────────────────╢
║ Version │ 7.1.91.3272 ║
╟───────────────────────────────┼────────────────────╢
║ Release │ Production ║
╟───────────────────────────────┼────────────────────╢
║ Type │ Update ║
╟───────────────────────────────┼────────────────────╢
║ SKU │ 5MB ║
╟───────────────────────────────┼────────────────────╢
║ Patsburg PCH Support │ Yes ║
╟───────────────────────────────┼────────────────────╢
║ Date │ 2017-04-07 ║
╟───────────────────────────────┼────────────────────╢
║ Downgrade Blacklist 7.0 │ <= 7.0.10.1203 ║
╟───────────────────────────────┼────────────────────╢
║ Downgrade Blacklist 7.1 │ <= 7.1.13.1088 ║
╟───────────────────────────────┼────────────────────╢
║ Chipset Support │ CPT/PBG ║
╟───────────────────────────────┼────────────────────╢
║ Latest │ No ║
╚═══════════════════════════════╧════════════════════╝
13. Can I dump/backup the current ME firmware somehow? And will I ever be able to revert to it after an upgrade?
Do you have any other advice for me?
I’m looking forward to your answers.
Kind regards,
Marty