Intel Management Engine: Drivers, Firmware & System Tools Last Updated: 2017-11-25



Intel Management Engine Introduction: Built into many Intel-based platforms is a small, low power computer subsystem called the Intel Management Engine (Intel ME). This can perform various tasks while the system is booting, running or sleeping. It operates independently from the main CPU, BIOS & OS but can interact with them if needed. The ME is responsible for many parts of an Intel-based system. Such functionality extends to, but is not limited to, Platform Clocks Control (ICC), Thermal Monitoring, Fan Control, Power Management, Overclocking, Silicon Workaround (resolves silicon bugs which would have otherwise required a new CPU stepping), Identity Protection Technology, Boot Guard, Rapid Start Technology, Smart Connect Technology, Sensor Hub Controller (ISHC), Active Management Technology (AMT), Small Business Advantage (SBA), Wireless Display, PlayReady, Protected Video/Audio Path etc. For certain advanced/corporate features (AMT, SBA etc) the ME uses an out-of-band (OOB) network interface to perform functions even when the system is powered down, the OS and/or hard drives are non-functional etc. Thus it is essential for it to be operational in order for the platform to be working properly, no matter if the advanced/corporate features are available or not.

Intel Converged Security Engine Introduction: The Intel Converged Security Engine (CSE) is the evolution of the Intel Management Engine into a unified security co-processor, running x86 code under a Minix-based Operating System. It was first introduced in 2015 with the release of Skylake CPUs working alongside 100-series SunrisePoint PCH. The CSE hardware can run Management Engine (ME) 11+, Trusted Execution Engine (TXE) 3+ or Server Platform Services (SPS) 4+ firmware. So there are a total of three families of CSE-based firmware: CSME (CSE ME), CSTXE (CSE TXE) and CSSPS (CSE SPS).

This is a collection of everything Intel (CS)ME related. To extract most of the files below you need to use programs which support RAR5 compression!

Disclaimer: All the software & firmware below comes only from official updates which were provided and made public by various manufacturers! The System Tools are gathered and provided with the sole purpose of helping people who are out of other viable solutions. Thus, they can be extremely helpful to those who have major problems with their systems for which their manufacturer refuses to assist due to indifference and/or system age.

A. About Intel MEI Drivers

The latest v11.7 drivers are usable with all Intel chipsets from 8-Series & up. Users of 6 & 7-series systems must use the latest v11.0 drivers. Users of 5-series & lower systems must check Section D to find the driver they need. In order to check your current installed version, use MEInfo tool as instructed below.

Notice: For Windows 7 only: Intel MEI Driver uses KMDF (WDF) 1.11, which is built-in on Windows 8 & up but not Windows 7 or earlier. Make sure you install Kernel-Mode Driver Framework (KMDF) version 1.11 before the Intel MEI Driver. Otherwise, a yellow bang will appear on Intel MEI device upon installation. Follow instructions in this link: KB2685811.

Note: To extract some of the files below you need to use programs which support RAR5 compression!

A1. Intel MEI Driver Only

These packages contain only the Intel MEI driver without any additional software or system services. They are compatible with both Consumer/1.5MB and Corporate/5MB systems. Since the software and system services are not really needed for Consumer/1.5MB systems, users of such systems should install the Drivers only (section A1). The MEI-Only Installer is the setup file from Intel which allows easy installation and adds a Control Panel entry for quick driver removal. For those who want to install the actual driver files manually via Device Manager, download the INF packages.



Note: The MEI drivers listed above are part of the complete Drivers & Software packages found at section A3. A newer Drivers & Software package has newer Software but the actual MEI driver may still be an older version. MEI-Only Installer 11.7.0.1043 includes MEI v11.7.0.1040. MEI-Only Installer v11.0.6.1194 includes MEI v11.0.5.1189 driver.

Note: The MEI-Only Installer includes the "INF for manual installation" and allows easy installation of the latter. However, since we cannot always find the latest MEI-Only Installer, it is advised to use the "INF for manual installation" in case its version is newer.

A2. Intel SOL "Driver" Only

This package contains only the Intel SOL "driver" without any additional software or system services. It is compatible only with 5MB/Corporate systems. If the software and system services are required in case of remote management etc, users of such systems should install the equivalent complete Drivers & Software package (section A3).



Note: The SOL "driver" listed above is part of the complete Drivers & Software packages found at section A3. A newer Drivers & Software package has newer Software but the actual SOL "driver" may still be an older version.

Note: The SOL "driver" is not really a driver but rather a placeholder INF file which assigns a correct device name at Device Manager and prevents the latter from showing the yellow exclamation mark of "No driver was found for this device". It's the SOL's equivalent of Intel Chipset INF utility.

A3. Intel MEI Drivers & Software

These packages contain the Intel MEI/SOL drivers with their respective software & system services. It's important to install the correct package depending on your Consumer/1.5MB or Corporate/5MB system.



Note: ME Drivers & Software v11.7.0.1054 includes MEI v11.7.0.1045. ME Drivers & Software v11.0.6.1194 package includes MEI v11.0.5.1189 driver.

B. About Intel (CS)ME Firmware Updates

Intel ME firmware is divided into two main categories: Consumer/Slim/1.5MB SKU for Consumer systems and Corporate/5MB SKU for Corporate systems. To understand your exact SKU, manual research on your hardware may be required first. Usually MEInfo, MEManuf (-verbose) and ME Analyzer (by loading your BIOS file) can help you sort most system specific details out.

General Notice: Be careful about which firmware you download for your system. First, make sure that you know what series it is (examples: Z77 --> 7-series, B150 --> 100-series). Then run MEInfo Tool and check the "FW Version" line to determine your ME firmware version (examples: 8.1.52.1496 --> v8.x, 9.1.10.1005 --> v9.1). All the firmware below corresponds to a specific series which comes with a specific ME firmware version (example: For 7-Series systems which come with ME firmware v8).

Security Version Number (SVN): All ME 8.x or newer firmware are defined by a Security Version Number (SVN) like 1,2,3 etc which is used to control the possible upgrade/downgrade paths provided by Intel's FWUpdate tool. The SVN gets incremented if there is a high or critical security fix that requires a Trusted Computing Base (TCB) recovery operation, a significant event in the life cycle of the firmware which requires renewal of the security signing keys in use. A downgrade to a lower SVN value via FWUpdate tool is prohibited whereas an upgrade to the same or higher SVN is allowed. For example if your current firmware has a SVN of 2, you can update to another firmware with SVN >= 2 (for example 3) but you cannot downgrade to another firmware with SVN < 2 (for example 1). Trying to flash a firmware with lower SVN will result in the error "The image provided is not supported by the platform" or similar. This upgrade/downgrade control method applies to Intel's FWUpdate tool only and not when using a hardware SPI programmer or any general SPI software flasher such as Intel's Flash Programming Tool, Flashrom, AFU etc. To view the SVN value of any ME firmware, you can use ME Analyzer tool.

Version Control Number (VCN): All ME 8.x or newer firmware are defined by a Version Control Number (VCN) like 1,2,45,193 etc which is used to control the possible upgrade/downgrade paths provided by Intel's FWUpdate tool. The VCN gets incremented if there is a security fix, a significant firmware change or a new feature addition. A downgrade to a lower VCN value via FWUpdate tool is prohibited whereas an upgrade to the same or higher VCN is allowed. For example if your current firmware has a VCN of 176, you can update to another firmware with VCN >= 176 (for example 193) but you cannot downgrade to another firmware with VCN < 176 (for example 174). Trying to flash a firmware with lower VCN will result in the error "The image provided is not supported by the platform" or similar. This upgrade/downgrade control method applies to Intel's FWUpdate tool only and not when using a hardware SPI programmer or any general SPI software flasher such as Intel's Flash Programming Tool, Flashrom, AFU etc. To view the VCN value of any ME firmware, you can use ME Analyzer tool.

Firmware Regions (RGN/EXTR): The SPI/BIOS chip firmware is divided into regions which control different aspects of an Intel-based system. The mandatory regions are the Flash Descriptor (FD, controls read/write access between the regions among other things), the Engine (ME, holds the ME firmware which has been configured for a specific system) and the BIOS. The ME firmware is neither static nor identical across different systems. Its code at the Engine region is always Configured by the manufacturer (OEM) as explained at Section A of the CleanUp Guide. The Type of each ME firmware can be either Stock Region (RGN, clean/stock/unconfigured images provided by Intel to OEMs) or Extracted Region (EXTR, dirty/extracted/configured images from various SPI/BIOS). The ME firmware at the system's SPI/BIOS chip is always EXTR, generated by the OEM after configuring the equivalent RGN. Never flash RGN firmware to the Engine region without first configuring them for your specific system (EXTR) via Intel's Flash Image Tool. The use of any software (Intel's Flash Programming Tool, AMI's AFU, Flashrom etc) or hardware (programmer) firmware flasher, which directly deals with the Engine region of the SPI/BIOS chip, requires prior configuration of ME RGN to EXTR firmware.

Firmware Updates (UPD): To allow quick and effortless on-field updating of the ME firmware, Intel provides a tool called FWUpdate. Update images (UPD) are partial Firmware Regions which contain only ME "CODE" without any "DATA" (read Section A of the CleanUp Guide). They are created and used only by Intel's FWUpdate tool. Thus, they can neither be opened nor configured by Intel's Flash Image Tool. Never flash UPD firmware to the Engine region via anything other than FWUpdate tool. UPD images are not needed for 7-series or newer systems as FWUpdate can update the ME firmware with all three possible Types (RGN/EXTR/UPD). However, all 6-series or older systems must use UPD images in combination with FWUpdate in order to initiate a ME firmware update. Thus, at sections B1 and B2 below, only RGN/EXTR images are provided for 7-series or newer systems and only UPD images are provided for 6-series or older systems. For the latter, you can find the equivalent RGN/EXTR for use with non-FWUpdate tools at the Intel Engine Firmware Repositories thread.

Warning for 8-series systems: The 8-series desktop systems initially come with v9.0 firmware. The latter is upgradeable to v9.1 firmware (initially comes with 9-series desktop systems) only if the OEM has updated the BIOS to be compatible as well. If your BIOS is up to date and the firmware is still v9.0 then do NOT update to v9.1 but only to later v9.0 releases. The system won't brick but, if the BIOS is not ready, you will face BCLK, fan control and other issues after which going back to v9.0 firmware is often difficult. However, if your current 8-series system has firmware v9.1 (after a BIOS update) then you can update to the latest v9.1 firmware as provided below.

Warning for all 100/200/300-series systems: Make sure you choose the correct CSME v11 firmware SKU for your system which is based on target Platform and Feature set. There are 2 chipsets: PCH-H (Halo, performance) and PCH-LP (Low Power). There are 4 CPU families: SKL/KBL/CFL-S, SKL/KBL/CFL-H, SKL/KBL(R)/CFL-U and SKL/KBL/CFL-Y. The PCH-H chipset works with SKL/KBL/CFL-S & SKL/KBL/CFL-H processors and requires PCH-H (H) CSME firmware. The PCH-LP chipset works with SKL/KBL(R)/CFL-U & SKL/KBL/CFL-Y processors and requires PCH-LP (LP) CSME firmware. An easy way to detect which Platform you need is to check the CPU socket specification of your motherboard. SKL/KBL/CFL-S uses LGA1151, SKL/KBL/CFL-H uses BGA1440, SKL/KBL(R)/CFL-U uses BGA1356 and SKL/KBL/CFL-Y uses BGA1515. There are 2 CSME firmware SKUs: Consumer (basic features) and Corporate (all features). So in total there are 4 CSME v11 firmware SKUs: Consumer PCH-H, Consumer PCH-LP, Corporate PCH-H and Corporate PCH-LP.

Warning for all CSME 11 systems: It is generally advised to wait for your OEM to release a new BIOS which supports a newer CSME v11 firmware minor release. All systems which initially come with CSME v11.0, v11.6 or v11.7 are upgradable to v11.8 firmware. In a similar way, all systems which initially come with CSME v11.10 or v11.20 are upgradable to v11.11 or v11.21 firmware respectively. In most cases, upgrading the CSME v11 to a higher compatible minor version works just fine, even without an OEM BIOS update. However, there is always the risk that you will face compatibility issues between the older BIOS and newer CSME firmware, after which going back to your previous configuration is often very difficult. If for example your BIOS is up to date but the CSME firmware is still at v11.6, then it is advised to not update to v11.8 but only to later v11.6 releases, unless you can recover your firmware in case of issues or can contact the OEM and ask for a new BIOS. On the other hand, if your current system already has updated BIOS with firmware v11.8, you can update to the latest versions as provided below.

Warning for PCH-LP 100-series systems: Make sure to mind the firmware PDM status which is distinguished between YPDM (Yes) and NPDM (No). PDM stands for "Power Down Mitigation" and is some sort of erratum, which is only relevant to 100-series PCH-LP systems. Thus, it is an attribute of every CSME v11.x firmware which supports 100-series PCH-LP systems. The PDM status of a firmware can be detected by ME Analyzer. It is suggested to update from YPDM to YPDM and from NPDM to NPDM. From what has been observed, flashing from NPDM to YPDM or vice versa completes successfully in most cases. However, sometimes it can cause FWUpdate errors mid-way which can usually be solved by reflashing after a reboot. The CSME v11.x PCH-LP archives below include only the latest firmware regardless of their PDM status. In cases where we have YPDM and NPDM variants of that latest version, both are included.

Notice for INTEL-SA-00086 vulnerabilities:

An attacker can gain unauthorized access to the platform, its features and 3rd party secrets protected by the Intel Management Engine (ME), Intel Server Platform Service (SPS) and Intel Trusted Execution Engine (TXE). This includes scenarios, among others, where a successful attacker could:

  • Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity
  • Load and execute arbitrary code outside the visibility of the user and operating system
  • Cause a system crash or system instability

The INTEL-SA-00086 vulnerabilities are found in all systems with Intel Converged Security Engine (CSE) firmware:

  • CSME 11.0, 11.5, 11.6, 11.7, 11.10 & 11.20
  • CSTXE 3.1 & 3.2
  • CSSPS 04.xx.00.xxx, 04.xx.01.xxx, 04.xx.02.xxx & 04.xx.03.xxx

The following CVE IDs are assigned to INTEL-SA-00086 vulnerabilities:

CVE-2017-5705 (8.2 High)
CVE-2017-5706 (8.2 High)
CVE-2017-5707 (8.2 High)
CVE-2017-5708 (7.5 High)
CVE-2017-5709 (7.5 High)
CVE-2017-5710 (7.5 High)
CVE-2017-5711 (6.7 Moderate)
CVE-2017-5712 (7.2 High)

The official Intel Detection Tool for all INTEL-SA-00086 vulnerabilities can be found here:

Intel-SA-00086 Detection Tool
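
A pre-flight triage for the rules described above (the SVN/VCN downgrade gate, the CSME v11 minor-version upgrade paths and the INTEL-SA-00086 affected families), as an added example that is not part of the original page or of any Intel tool. The MEInfo-style sample text, the build numbers and all function names are constructed for illustration; the SVN/VCN values reuse the page's own examples.

```python
import re
from dataclasses import dataclass

# CSME families the page lists under INTEL-SA-00086 (CSTXE/CSSPS omitted here).
SA00086_CSME = {(11, 0), (11, 5), (11, 6), (11, 7), (11, 10), (11, 20)}
# CSME v11 minor-version upgrade targets stated on the page.
UPGRADE_TARGET = {(11, 0): (11, 8), (11, 6): (11, 8), (11, 7): (11, 8),
                  (11, 10): (11, 11), (11, 20): (11, 21)}

@dataclass(frozen=True)
class Firmware:
    version: tuple  # (major, minor, hotfix, build)
    svn: int
    vcn: int

def parse_fw_version(meinfo_text):
    """Return the 'FW Version' value from MEInfo-style text as a 4-tuple of ints."""
    m = re.search(r"^\s*FW Version\s*:?\s*(\d+)\.(\d+)\.(\d+)\.(\d+)",
                  meinfo_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'FW Version' line found")
    return tuple(int(part) for part in m.groups())

def listed_in_sa00086(version):
    """True if major.minor is a CSME family the page lists as affected.
    False only means 'not on that list', not that the build is fixed."""
    return version[:2] in SA00086_CSME

def fwupdate_refusals(current, candidate):
    """Reasons FWUpdate would refuse the candidate under the SVN/VCN rule."""
    if current.version[0] < 8:      # SVN/VCN apply to ME 8.x or newer
        return []
    reasons = []
    if candidate.svn < current.svn:
        reasons.append(f"SVN downgrade {current.svn} -> {candidate.svn}")
    if candidate.vcn < current.vcn:
        reasons.append(f"VCN downgrade {current.vcn} -> {candidate.vcn}")
    return reasons

def minor_path_documented(current, candidate):
    """True if the candidate stays on the same major.minor or moves to the
    CSME v11 target the page names for it."""
    cur, cand = current.version[:2], candidate.version[:2]
    return cand == cur or UPGRADE_TARGET.get(cur) == cand

# Constructed sample: MEInfo-style output and made-up build numbers.
SAMPLE_MEINFO = """Intel(R) MEInfo
FW Version                                   11.6.10.1000 H
"""
current = Firmware(parse_fw_version(SAMPLE_MEINFO), svn=2, vcn=176)
newer = Firmware((11, 8, 50, 1000), svn=3, vcn=193)
older = Firmware((11, 6, 0, 1000), svn=1, vcn=174)

if __name__ == "__main__":
    for name, cand in (("newer", newer), ("older", older)):
        print(name, fwupdate_refusals(current, cand),
              minor_path_documented(current, cand))
    print("current listed in INTEL-SA-00086:", listed_in_sa00086(current.version))
```

The SVN/VCN gate modelled here applies to FWUpdate only; as the page notes, an SPI programmer or a general SPI flasher is not bound by it.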

Current state of fixed Intel CSE firmware found for INTEL-SA-00086 vulnerabilities:

INTEL-SA-00086.PNG - image removed (no rights)

Notice for INTEL-SA-00101 (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080) vulnerability:


B1. Consumer Systems


B2. Corporate Systems


C. About Intel (CS)ME System Tools

The Intel ME System Tools are used for creating, modifying, and writing binary image files, manufacturing testing, Intel ME setting information gathering and Intel ME FW configuration and updating. These tools are not released to end-users but only to OEMs. The software below comes only from official updates which were provided and made public by various OEMs.

Flash Image Tool: Creates and configures a complete SPI image file which includes regions BIOS, Intel integrated LAN (GbE), Intel ME, Platform Descriptor Region & Flash Descriptor Region. The user can manipulate the completed SPI image via a GUI and change the various chipset parameters to match the target hardware.

Flash Programming Tool: Used to program a complete SPI image into the SPI flash device(s). FPT can program each region individually or it can program all of the regions with a single command. The user can also use FPT to perform various functions such as View the contents of the flash on the screen, Write the contents of the flash to a log file, Perform a binary file to flash comparison, Write to a specific address block, Program fixed offset variables etc.

C1. Identifying, Updating & Diagnosing Intel (CS)ME Firmware

Those who are looking to update/downgrade their firmware should use MEInfo, FWUpdate & MEManuf tools for status information, updating and functionality checking accordingly. The information & instructions below apply to these three tools only and can be found inside the full Intel ME System Tools Packages.

MEInfo: Checks that the ME is operating normally on the software/firmware level by querying the ME device on its status. Make sure it doesn't report any red errors. The yellow "GBE Region does not exist" warning is normal for systems that don't have an Intel GbE Controller; you can safely ignore it.

MEManuf: A diagnostic tool which can be used to run certain manufacturing-line tests to ensure that the ME is working properly on the hardware level. It should report a green message such as "MEManuf Operation Passed".

FWUpdate: Used to upgrade or downgrade the ME firmware. Up until ME v7, it works only with special Update (UPD) images. From ME v8 and onwards, FWUpdate can also work with the full ME Region images (RGN/EXTR). FWUpdate does not change any ME configuration settings (DATA section) which are model or system specific.



(Thanks 4 Win-raid)