Upgrade CSME of 3965U ipc

I have a 3965U based industrial PC and the Intel ME utility says the ME firmware has a vulnerability. The vendor hasn’t posted any updates, so I used fwupdate to save the firmware to a file (4968448 bytes) and then passed it through MEAnalyzer. I got this:

╔═══════════════════════════════════════════╗
║         ME Analyzer v1.307.0 r349         ║
╚═══════════════════════════════════════════╝

╔════════════════════════════════════════════╗
║               ebox.fw (1/1)                ║
╟─────────────────────────────┬──────────────╢
║            Family           │    CSE ME    ║
╟─────────────────────────────┼──────────────╢
║           Version           │ 11.6.1.1142  ║
╟─────────────────────────────┼──────────────╢
║           Release           │  Production  ║
╟─────────────────────────────┼──────────────╢
║             Type            │    Update    ║
╟─────────────────────────────┼──────────────╢
║             SKU             │ Corporate LP ║
╟─────────────────────────────┼──────────────╢
║       Chipset Stepping      │      C       ║
╟─────────────────────────────┼──────────────╢
║ TCB Security Version Number │      1       ║
╟─────────────────────────────┼──────────────╢
║    Version Control Number   │     121      ║
╟─────────────────────────────┼──────────────╢
║       Production Ready      │     Yes      ║
╟─────────────────────────────┼──────────────╢
║    Power Down Mitigation    │      No      ║
╟─────────────────────────────┼──────────────╢
║     Workstation Support     │      No      ║
╟─────────────────────────────┼──────────────╢
║      OEM Configuration      │      No      ║
╟─────────────────────────────┼──────────────╢
║             Date            │  2016-11-03  ║
╟─────────────────────────────┼──────────────╢
║      File System State      │ Unconfigured ║
╟─────────────────────────────┼──────────────╢
║       Chipset Support       │   SPT/KBP    ║
╚═════════════════════════════╧══════════════╝

It’s unclear to me whether that is enough information to get a new firmware file to flash. I’m comfortable using either Windows or Linux.

Thanks

It should be possible to update to the latest v11.8 SKU (Cor LP C) NPDM.

EDIT: The closest one you can find should work, as should the one in the MEv11 r46 tools package (11.8.92.4249); that one should be enough.

EDIT: If you couldn’t before, then the feature was not enabled; usually the FW update doesn’t affect the MEBx as it was configured.
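The advice above boils down to "pick the update whose identity fields match your dump and whose version is newer". As an added example (not code from this thread, from MEAnalyzer, or from any Intel tool), the following Python script parses the two-column MEAnalyzer box table shown earlier and refuses a candidate whose Family, SKU, Chipset Stepping, Chipset Support or major version differs, or whose version is not newer. The dump rows are copied from the report above; the candidate report is constructed for the example, with only its version string taken from the thread and every other row assumed.

```python
import re

# Constructed sample: rows from the MEAnalyzer report of the dumped firmware
# (copied from the thread above; only the rows this check needs are included).
DUMP_REPORT = """\
║            Family           │    CSE ME    ║
║           Version           │ 11.6.1.1142  ║
║           Release           │  Production  ║
║             Type            │    Update    ║
║             SKU             │ Corporate LP ║
║       Chipset Stepping      │      C       ║
║       Chipset Support       │   SPT/KBP    ║
"""

# Constructed sample: a hypothetical MEAnalyzer report for the candidate update.
# The version string is the one mentioned later in the thread; all other rows are assumed.
CANDIDATE_REPORT = """\
║            Family           │    CSE ME    ║
║           Version           │ 11.8.95.4551 ║
║           Release           │  Production  ║
║             Type            │    Update    ║
║             SKU             │ Corporate LP ║
║       Chipset Stepping      │      C       ║
║       Chipset Support       │   SPT/KBP    ║
"""

# One table row: "║ <field> │ <value> ║" with arbitrary padding on either side.
ROW = re.compile(r"^║\s*(.+?)\s*│\s*(.+?)\s*║$")

# Fields that identify the firmware line; a mismatch here means "wrong image".
MUST_MATCH = ("Family", "Release", "SKU", "Chipset Stepping", "Chipset Support")


def parse_report(text):
    """Turn the box-drawing table into a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_version(version):
    """'11.8.95.4551' -> (11, 8, 95, 4551) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check_candidate(dump, candidate):
    """Return (ok, reasons).

    ok is True only when every identity field matches, the major version is the
    same (11.x -> 11.y) and the candidate's version is strictly newer than the
    dump's. reasons lists every failed check so the user sees all of them at once.
    """
    reasons = []
    for field in MUST_MATCH:
        if dump.get(field) != candidate.get(field):
            reasons.append(f"{field}: dump={dump.get(field)!r} candidate={candidate.get(field)!r}")

    dump_ver = parse_version(dump["Version"])
    cand_ver = parse_version(candidate["Version"])
    if dump_ver[0] != cand_ver[0]:
        reasons.append(f"major version differs: {dump['Version']} vs {candidate['Version']}")
    elif cand_ver <= dump_ver:
        reasons.append(f"candidate {candidate['Version']} is not newer than {dump['Version']}")

    return (not reasons, reasons)


if __name__ == "__main__":
    dump = parse_report(DUMP_REPORT)
    cand = parse_report(CANDIDATE_REPORT)
    ok, reasons = check_candidate(dump, cand)
    print("OK to try" if ok else "DO NOT FLASH")
    for reason in reasons:
        print(" -", reason)
```

The check is deliberately conservative: it compares the strings MEAnalyzer prints rather than trying to interpret them, so a "Consumer LP" or "Slim" candidate, a different stepping, or an older build is rejected with a reason, and the decision to proceed stays with the person holding the backup of the original dump.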

I found CSME 11.8 COR LP C NPDM v11.8.95.4551

Is there a specific version of fwupdate that should be used?

Thanks

Added: Reflash was successful, at least insofar as MEInfo reports the newer version. On the other hand, I can’t Ctrl-P into MEBx though I don’t know if I could before the update.

The BIOS splash screen says to type Ctrl-P for MEBx :frowning:

But you never had access to it, right? Some BIOS settings should have some controls for this, or it’s disabled by default by the OEM. Anyway, I can’t recall a user that has lost this feature, Intel® Active Management Technology (Intel® AMT), due to a FW image update in the same SKU family, unless the ME FW region was already corrupted and needed to be cleaned/re-initialized; if this was the case, no update will solve this, the ME stays always corrupted.
This wasn’t the issue that you initially asked for info about… if you omitted any relevant information, too bad… you shouldn’t.
FPT.exe -greset will reboot the ME Engine, over_n_out.

EDIT: You’re welcome; inquire with the OEM regarding the models with this feature enabled and expose your discovery.

The sequence of events is as follows.

I bought this on Ebay to use as a firewall, ran the Intel vulnerability check, learned of the ME vulnerability and needed to fix it before exposing it to the Internet, did some research on firmware updates and, with your help, was able to do the update. I then thought I might as well turn on AMT for administrative access when I discovered this problem.

I can still use the PC for its intended purpose and would like to express my gratitude for your help.

It wouldn’t be wise to expose AMT to the internet on a firewall. Opening it to the inside makes it a little useless if you’re on the outside; a VPN would still use the firewall…

In addition, this is a Celeron CPU, which doesn’t have any management capabilities (even if the chipset and NIC would be compatible with AMT).

Good point about the Catch-22 with only exposing AMT to the LAN.

Would the Celeron explain why it isn’t going to the MEBx UI even though the splash screen shows the Ctrl-P message?

P.S.: All of this may be moot because pfSense won’t install, nor will OPNsense :frowning:

Maybe. Possibly this BIOS is used for other hardware, too? What chipset and NIC does this system have?

The box also comes in i3 and i5 variants, and the NIC is an i219-LM.

Chipset?

I thought it is an SoC with an integrated PCH, but I could be wrong. Let me see if I can find out more.

You might be right and the PCH is on the same die. It’s anyway soldered, so no chance to change something here, at least for people not used to soldering BGAs…

Tried to find out if there were same-generation, same-socket i5s with vPro / AMT, but this isn’t too easy to find out. i219LM looks a little like manageability, but I don’t think Corporate LP ME is able to do more than standard manageability??

Standard manageability would be fine.

Here’s the screenshot from HWinfo.

Not with a Celeron.

HWinfo gives more detailed information:

Unfortunately, Intel no longer lists all the capabilities of a processor family for a CPU, but lists a capability only if the processor does have it.

If you are very interested, you may open your dump in FIT or run MEInfo on your machine.
Both from the tools linked here:

Probably need to update to 11.6.1.1196. But the manufacturer should suggest this for compatibility. You can try, but keep a copy of the old one just in case.