Recently I decided to upgrade the Intel Management Engine (ME) firmware on my Lenovo T450 laptop as Lenovo had released a new version of the firmware (10.0.55.3000) in May 2017.
The ME firmware upgrade went smoothly and no problems were encountered.
After the upgrade was completed, I decided to review my knowledge of ME firmware internals using the ME firmware binary that I had just installed as I had last looked at ME firmware in early 2015.
For readers who are not familiar with the Intel Management Engine, I suggest you first read this Wikipedia article on Intel Active Management Technology. For an introduction to ME internals, I recommend Rootkit in your laptop: Hidden code in your chipset and how to discover what exactly it does by Igor Skochinsky and all his other excellent presentations on this topic. They can all be downloaded from his GitHub papers repository. Another useful presentation to read is INTEL AMT. STEALTH BREAKTHROUGH by Dmitriy Evdokimov, CTO Embedi et al., which was presented at Blackhat USA 2017. Finally, I recommend you look at the ME Blob Format webpage.
Here is an 010 editor template which I used to examine the binary to ensure that the binary was laid out as expected:

    typedef struct {
        uint32 Romb[4];              // 00 04 08 0C
    } PRE_HDR;

    typedef struct {
        char   Tag[4];
        uint32 NumberPartitions;
        byte   Version;              // used because 010 editor does
        byte   EntryType;            // not have int8 or uint8 types
        byte   Length;
        byte   Checksum;
        uint16 FlashCycleLifetime;
        uint16 FlashCycleLimit;
        uint32 UMASize;
        uint32 Flags;
        uint16 MajorVersion;
        uint16 MinorVersion;
        uint16 HotfixVersion;
        uint16 BuildVersion;
    } FPT_HDR;

    typedef struct {
        uint16 ModuleType;
        uint16 ModuleSubType;
        uint32 HeaderLength;
        uint32 HeaderVersion;
        uint32 Flags;
        uint32 ModuleVendor;
        uint32 Date;
        uint32 Size;
        char   Tag[4];
        uint32 NumModules;
        uint16 MajorVersion;
        uint16 MinorVersion;
        uint16 HotfixVersion;
        uint16 BuildVersion;
        uint32 Unknown1;
        uint32 KeySize;
        uint32 ScratchSize;
        uint32 RSAPublicKey[64];
        uint32 RSAExponent;
        uint32 RSASignature[64];
        char   PartitionName[12];
    } MODULE_HDR;

    // entry point
    LittleEndian();
    struct PRE_HDR PreHeader <bgcolor=cLtGreen>;
    struct FPT_HDR FptHeader <bgcolor=cLtBlue>;
    FSeek(0);
    FSkip(0xE8000);                  // FSkip(0x160000) and so on;
    struct MODULE_HDR ModuleHeader <bgcolor=cLtRed>;

And here are two screenshots of that template being used on the ME10.0_5M_Production.bin binary. Refer to the ME Blob Format webpage for an explanation of these structures if you are unfamiliar with them.
I now turn to the information that is available from the Intel-supplied utilities MEInfoWin.exe and meinfo.efi. Note that there are different versions of MEInfoWin.exe and meinfo.efi for each major release of ME firmware, and you need to use the appropriate version.
Here is the output from MEInfoWin.exe:

    C:> MEInfoWin.exe /?
    Intel(R) MEInfo Version: 10.0.30.1054
    Copyright(C) 2005 - 2014, Intel Corporation. All rights reserved.

    MEInfoWin.exe [-EXP] [-H|?] [-VER] [-FITCVER] [-FEAT] [-VALUE] [-FWSTS] [-VERBOSE] [-PAGE] [-PID] [-DUMPIDLM]

    -EXP Display example usage of this tool
    -H|? Display help screen
    -VER Display version information
    -FITCVER Display FITC version
    -FEAT<name> Retrieve a related platform setting
    -VALUE<value> An expected platform setting value
    -FWSTS Retrieve/decode ME Firmware status register
    -VERBOSE[filename] Display the debug information of the tool
    -PAGE Pause after each screenful of information
    -PID<filename> Append/Export Platform ID to the binary file
    -DUMPIDLM<filename> Display Platform ID list in an IDLM binary

    Note: Name/value more than one word has to be between quotations.

    C:> meinfowin
    Intel(R) MEInfo Version: 10.0.30.1054
    Copyright(C) 2005 - 2014, Intel Corporation. All rights reserved.

    Intel(R) Manageability and Security Application code versions:

    BIOS Version: JBET65WW (1.29 )
    MEBx Version: 10.0.0.0007
    Gbe Version: 0.2
    VendorID: 8086
    PCH Version: 3
    FW Version: 10.0.55.3000 LP
    LMS Version: 11.0.0.1153
    MEI Driver Version: 11.0.0.1146
    Wireless Hardware Version: 2.1.77
    Wireless Driver Version: 19.70.0.100

    FW Capabilities: 0x7DF65A45
    Intel(R) Active Management Technology - PRESENT/ENABLED
    Intel(R) Capability Licensing Service - PRESENT/ENABLED
    Protect Audio Video Path - PRESENT/ENABLED
    Intel(R) Dynamic Application Loader - PRESENT/ENABLED
    Intel(R) Platform Trust Technology - PRESENT/ENABLED

    Intel(R) AMT State: Enabled
    TLS: Enabled
    Last ME reset reason: Power up
    Local FWUpdate: Enabled
    BIOS Config Lock: Enabled
    GbE Config Lock: Enabled
    Host Read Access to ME: Disabled
    Host Write Access to ME: Disabled
    SPI Flash ID #1: EF4018
    SPI Flash ID VSCC #1: 20252025
    SPI Flash BIOS VSCC: 20252025
    BIOS boot State: Post Boot
    OEM Id: 4c656e6f-766f-0000-0000-000000000000
    Link Status: Link down
    System UUID: 7f053681-53c2-11cb-8c69-bb0db8ed8dcf
    MAC Address: 68-f7-28-63-46-fb
    IPv4 Address: 0.0.0.0
    Wireless MAC Address: Not Available
    Wireless IPv4 Address: 0.0.0.0
    IPv6 Enablement: Disabled
    Privacy/Security Level: Default
    Configuration state: Not started
    Provisioning Mode: PKI
    Capability Licensing Service: Enabled
    OEM Tag: 0x00000000
    Slot 1 Board Manufacturer: 0x000017AA
    Slot 2 System Assembler: Unused
    Slot 3 Reserved: Unused
    M3 Autotest: Enabled
    C-link Status: Enabled
    Wireless Micro-code Mismatch: No
    Wireless Micro-code ID in Firmware: 0x095A
    Wireless LAN in Firmware: Intel(R) Dual Band Wireless-AC 7265
    Wireless Hardware ID: 0x095B
    Wireless LAN Hardware: Intel(R) Dual Band Wireless-AC 7265
    Localized Language: English
    Independent Firmware Recovery: Disabled
    Keybox: Not Provisioned
    OEM Public Key Hash (FPF): 9B406E27DD0E4B0CBD8F79725B902B994F93125E7EB5AEB032E7259D0655DEFD
    OEM Public Key Hash (ME):
    ACM SVN FPF: 0x3
    KM SVN FPF: 0x0
    BSMM SVN FPF: 0x0

    FPF ME
    --- --
    Force Boot Guard ACM: Enabled
    Protect BIOS Environment: Enabled
    CPU Debug Disabled: Disabled
    BSP Initialization Disabled: Disabled
    Measured Boot: Disabled
    Verified Boot: Enabled
    Key Manifest ID: 0x1
    Enforcement Policy: 0x3
    PTT: Enabled
    PTT Lockout Override Counter: 0x0
    EK Revoke State: Not Revoked

And here is the output from meinfo.efi when run from a UEFI shell in verbose mode:

    FS1> meinfo -h
    Intel(R) MEInfo Version: 10.0.30.1054
    Copyright(C) 2005 - 2014, Intel Corporation. All rights reserved.

    MEInfo.efi [-EXP] [-H|?] [-VER] [-FITCVER] [-FEAT] [-VALUE] [-FWSTS] [-VERBOSE] [-PAGE] [-PID] [-DUMPIDLM]

    -EXP Display example usage of this tool
    -H|? Display help screen
    -VER Display version information
    -FITCVER Display FITC version
    -FEAT<name> Retrieve a related platform setting
    -VALUE<value> An expected platform setting value
    -FWSTS Retrieve/decode ME Firmware status register
    -VERBOSE[filename] Display the debug information of the tool
    -PAGE Pause after each screenful of information
    -PID<filename> Append/Export Platform ID to the binary file
    -DUMPIDLM<filename> Display Platform ID list in an IDLM binary

    Note: Name/value more than one word has to be between "^".

    FS1> meinfo -verbose
    Intel(R) MEInfo Version: 10.0.30.1054
    Copyright(C) 2005 - 2014, Intel Corporation. All rights reserved.

    FW Status Register1: 0x1E000245
    FW Status Register2: 0x6900A106
    FW Status Register3: 0x00000300
    FW Status Register4: 0x00004004
    FW Status Register5: 0x00001F01
    FW Status Register6: 0x44400EC9

    CurrentState: Normal
    ManufacturingMode: Disabled
    FlashPartition: Valid
    OperationalState: M0 with UMA
    InitComplete: Complete
    BUPLoadState: Success
    ErrorCode: No Error
    ModeOfOperation: Normal
    Phase: HOSTCOMM Module
    ICC: Valid OEM data, ICC programmed
    SPI Flash Log: Not Present
    ME File System Corrupted: No
    FPF and ME Config Status: Match

    Get ME FWU version command...done
    Get ME FWU info command...done
    Get ME FWU version command...done
    Get ME FWU feature state command...done
    Get ME FWU platform type command...done
    Get ME FWU feature capability command...done
    Get ME FWU OEM Id command...done
    FW Capabilities value is 0x7DF65A45
    Feature enablement is 0x7DF65A45
    Platform type is 0x42351401

    Intel(R) Manageability and Security Application code versions:

    BIOS Version: JBET65WW (1.29 )
    MEBx Version: 10.0.0.0007
    Gbe Version: 0.2
    VendorID: 8086
    PCH Version: 3
    FW Version: 10.0.55.3000 LP

    FW Capabilities: 0x7DF65A45
    Intel(R) Active Management Technology - PRESENT/ENABLED
    Intel(R) Standard Manageability - NOT PRESENT
    Intel(R) Capability Licensing Service - PRESENT/ENABLED
    Protect Audio Video Path - PRESENT/ENABLED
    Intel(R) Dynamic Application Loader - PRESENT/ENABLED
    Intel(R) NFC Capabilities - NOT PRESENT
    Intel(R) Platform Trust Technology - PRESENT/ENABLED

    Intel(R) AMT State: Enabled
    TLS: Enabled
    Last ME reset reason: Power up
    Local FWUpdate: Enabled
    Get BIOS flash lockdown status...done
    BIOS Config Lock: Enabled
    Get GbE flash lockdown status...done
    GbE Config Lock: Enabled
    Get flash master region access status...done
    Host Read Access to ME: Disabled
    Host Write Access to ME: Disabled
    SPI Flash ID #1: EF4018
    SPI Flash ID VSCC #1: 20252025
    SPI Flash BIOS VSCC: 20252025
    Protected Range Register Base #0 0x0
    Protected Range Register Limit #0 0x0
    Protected Range Register Base #1 0xEB0
    Protected Range Register Limit #1 0xFFF
    Protected Range Register Base #2 0xDF1
    Protected Range Register Limit #2 0xE2F
    Protected Range Register Base #3 0xDF0
    Protected Range Register Limit #3 0xDF0
    Protected Range Register Base #4 0xA00
    Protected Range Register Limit #4 0xDEF
    BIOS boot State: Post Boot
    OEM Id: 4c656e6f-766f-0000-0000-000000000000
    Get Intel(R) AMT state command...done
    Link Status: Link down
    Get system UUID command...done
    System UUID: 7f053681-53c2-11cb-8c69-bb0db8ed8dcf
    Get LanInterfaceSettings command for wired interface...done
    MAC Address:
    Get Provisioning Tls Mode command...done
    Get provisioning state command...done
    68-f7-28-63-46-fb
    IPv4 Address: 0.0.0.0
    Get LanInterfaceSettings command for wireless interface...done
    Wireless MAC Address:
    Get Provisioning Tls Mode command...done
    Get provisioning state command...done
    00-00-00-00-00-00
    Wireless IPv4 Address: 0.0.0.0
    Get IPv6InterfaceStatus command for wired interface...done
    Command response reports interface was disabled
    IPv6 Enablement: Disabled
    Get privacy/security level info command...done
    Privacy/Security Level: Default
    Get provisioning state command...done
    Configuration state: Completed
    Get Provisioning Tls Mode command...done
    Provisioning Mode: PKI
    Capability Licensing Service: Enabled
    Get ME FWU OEM Tag command...done
    OEM Tag: 0x00000000
    Get System Integrator ID command...done
    Slot 1 Board Manufacturer: 0x000017AA
    Get System Integrator ID command...This slot is unused.
    Slot 2 System Assembler: Unused
    Get System Integrator ID command...This slot is unused.
    Slot 3 Reserved: Unused
    Get M3 Autotest command...done
    M3 Autotest: Enabled
    Get CLink Status command...done
    C-link Status: Enabled
    Get ME FWU Platform Attribute (WLAN ucode) command...done
    Wireless Micro-code Mismatch: No
    Wireless Micro-code ID in Firmware: 0x095A
    Wireless LAN in Firmware: Intel(R) Dual Band Wireless-AC 7265
    Wireless Hardware ID: 0x095B
    Wireless LAN Hardware: Intel(R) Dual Band Wireless-AC 7265
    Get ME FWU Platform Attribute (WLAN ucode) command...done
    Localized Language: English
    Get ME FWU Info command...done
    Independent Firmware Recovery: Disabled
    Keybox: Not Provisioned
    Get Oem Public Key Hash command...done
    OEM Public Key Hash (FPF): 9B406E27DD0E4B0CBD8F79725B902B994F93125E7EB5AEB032E7259D0655DEFD
    OEM Public Key Hash (ME):
    Get ACM SVN command...done
    ACM SVN FPF: 0x3
    Get KM SVN command...done
    KM SVN FPF: 0x0
    Get BSMM SVN command...done
    BSMM SVN FPF: 0x0
    Get Oem Boot Guard Policy command...done

    FPF ME
    --- --
    Force Boot Guard ACM: Enabled
    Protect BIOS Environment: Enabled
    CPU Debug Disabled: Disabled
    BSP Initialization Disabled: Disabled
    Measured Boot: Disabled
    Verified Boot: Enabled
    Key Manifest ID: 0x1
    Enforcement Policy: 0x3
    Get PTT command...done
    PTT: Enabled
    PTT Lockout Override Counter:
    Get Anti-Hammering command...done
    0x0
    EK Revoke State:
    Get EK Revoke State command...done
    Not Revoked

The first utility I used to check the contents of ME10.0_5M_Production.bin was me_unpack which is part of Igor Skochinsky’s me-tools tool suite.
According to the README, this Python script allows you to dump and extract ME firmware images. Supported formats are:
- Full SPI flash image with descriptor (signature 5A A5 F0 0F)
- Full ME region image (signature ‘$FPT’)
- individual ME code partitions and update images (signature $MN2/$MAN)
These tools have not been updated in a while. For example, me_unpack only supports ME versions 2.x – 9.x. Currently, Intel is at ME version 11.x – so these tools are quite out of date.
Here is the output I got when I used me_unpack on ME10.0_5M_Production.bin:

    $ ./me_unpack.py ME10.0_5M_Production.bin -m
    Intel ME dumper/extractor v0.3
    ===ME Flash Partition Table===
    NumEntries: 28
    Version: 2.0
    EntryType: 10
    HeaderLen: 30
    Checksum: BD
    FlashCycleLifetime: 7
    FlashCycleLimit: 100
    UMASize: 32
    Flags: FFFFFC01
      EFFS present: 1
      ME Layout Type: 0
    Extra ver: 0.0.0.0
    ROM Bypass instruction: 20 20 80 0F 40 00 00 24 00 00 00 00 00 00 00 00
    ---Partitions---
    Partition: 'PSVN'
    Owner: 'KRID'
    Offset/size: 00000BC0/00000040
    TokensOnStart: 00000001
    MaxTokens: 00000001
    ScratchSectors: 00000000
    Flags: 18783
      Type: 3 (Generic)
      DirectAccess: 1
      Read: 1
      Write: 1
      Execute: 1
      Logical: 0
      WOPDisable: 0
      ExclBlockUse: 0
    Partition: 'FOVD'
    Owner: 'KRID'
    Offset/size: 00000C00/00000400
    TokensOnStart: 00000001
    MaxTokens: 00000001
    ScratchSectors: 00000000
    Flags: 0783
      Type: 3 (Generic)
      DirectAccess: 1
      Read: 1
      Write: 1
      Execute: 1
      Logical: 0
      WOPDisable: 0
      ExclBlockUse: 0
    Partition: 'MDES'
    Owner: 'MDID'
    Offset/size: 00001000/00001000
    TokensOnStart: 00000001
    MaxTokens: 00000001
    ScratchSectors: 00000000
    Flags: 2383
      Type: 3 (Generic)
      DirectAccess: 1
      Read: 1
      Write: 1
      Execute: 0
      Logical: 0
      WOPDisable: 0
      ExclBlockUse: 1
    Partition: 'FCRS' ..... // extra output removed
    Partition: 'EFFS' .....
    Partition: 'BIAL' .....
    Partition: 'BIEL' .....
    Partition: 'BIIS' .....
    Partition: 'FTPM' .....
    Partition: 'NVCL' .....
    Partition: 'NVCM' .....
    Partition: 'NVCP' .....
    Partition: 'NVHM' .....
    Partition: 'NVJC' .....
    Partition: 'NVKR' .....
    Partition: 'NVNF' .....
    Partition: 'NVOS' .....
    Partition: 'NVSH' .....
    Partition: 'NVSM' .....
    Partition: 'NVUK' .....
    Partition: 'PLDM' .....
    Partition: 'TMNN' .....
    Partition: 'GLUT' .....
    Partition: 'LOCL' .....
    Partition: 'WCOD' .....
    Partition: 'FTPR' .....
    Partition: 'NFTP' .....
    Partition: 'MDMV'
    Owner: (none)
    Offset/size: 0048A000/00040000
    TokensOnStart: 00000001
    MaxTokens: 00000001
    ScratchSectors: 00000000
    Flags: A780
      Type: 0 (Code)
      DirectAccess: 1
      Read: 1
      Write: 1
      Execute: 1
      Logical: 0
      WOPDisable: 0
      ExclBlockUse: 1
    ------End-------
    Traceback (most recent call last):
      File "./me_unpack.py", line 1502, in <module>
        dump_glut(f, offset, extract_huff)
      File "./me_unpack.py", line 1255, in dump_glut
        ftpr_range = get_huff_range(f, me_offset + ftpr_part.Offset)
      File "./me_unpack.py", line 1126, in get_huff_range
        manif = get_struct(f, offset, MeManifestHeader)
      File "./me_unpack.py", line 60, in get_struct
        raise Exception("can't read struct: %d bytes available but %d required" % (fit, slen))
    Exception: can't read struct: 0 bytes available but 656 required
    $

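The traceback above ends in a read of the FTPR manifest at an offset where no bytes are available. The following added example (not part of the original post or of me-tools) parses the `PRE_HDR` and `FPT_HDR` layouts from the 010 Editor template and flags every partition whose offset/size range falls outside the file before anything tries to read it. The 32-byte entry layout follows the field order me_unpack prints and is an assumption, as are the helper names and the constructed sample image.

```python
import struct

ROMB_LEN = 16                              # PRE_HDR: uint32 Romb[4]
FPT_HDR = struct.Struct("<4sI4B2H2I4H")    # FPT_HDR from the template, 32 bytes
FPT_ENTRY = struct.Struct("<4s4s6I")       # assumed: Name, Owner, Offset, Size,
                                           # TokensOnStart, MaxTokens,
                                           # ScratchSectors, Flags

def _text(raw):
    return raw.rstrip(b"\0").decode("ascii", "replace")

def parse_fpt(image):
    """Parse the $FPT header and its entries, bounds-checking every read."""
    if len(image) < ROMB_LEN + FPT_HDR.size:
        raise ValueError("image too small for a $FPT header")
    (tag, count, version, entry_type, length, checksum, _lifetime, _limit,
     uma, flags, *fw_version) = FPT_HDR.unpack_from(image, ROMB_LEN)
    if tag != b"$FPT":
        raise ValueError("$FPT signature not found after the ROM bypass area")
    table = ROMB_LEN + FPT_HDR.size
    if count > (len(image) - table) // FPT_ENTRY.size:
        raise ValueError("NumberPartitions does not fit in the image")
    header = {"num_partitions": count, "header_len": length,
              # assumed nibble split, matching the "Version: 2.0" line above
              "version": "%d.%d" % (version >> 4, version & 0xF),
              "entry_type": entry_type, "checksum": checksum,
              "uma_size": uma, "flags": flags, "fw_version": tuple(fw_version)}
    parts = []
    for i in range(count):
        name, owner, offset, size, _tok, _max, _scratch, pflags = \
            FPT_ENTRY.unpack_from(image, table + i * FPT_ENTRY.size)
        parts.append({"name": _text(name), "owner": _text(owner),
                      "offset": offset, "size": size, "flags": pflags,
                      # True only if the whole partition lies inside the file
                      "in_bounds": offset + size <= len(image)})
    return header, parts

def unreadable_partitions(image):
    """Names of partitions whose data cannot be read from this image."""
    return [p["name"] for p in parse_fpt(image)[1] if not p["in_bounds"]]

def build_sample():
    """Constructed 4 KiB image: PSVN fits, the FTPR entry points past the end."""
    hdr = FPT_HDR.pack(b"$FPT", 2, 0x20, 0x10, 0x30, 0, 7, 100, 32,
                       0xFFFFFC01, 0, 0, 0, 0)
    psvn = FPT_ENTRY.pack(b"PSVN", b"KRID", 0xBC0, 0x40, 1, 1, 0, 0x18783)
    ftpr = FPT_ENTRY.pack(b"FTPR", bytes(4), 0x10000, 0x1000, 1, 1, 0, 0)
    img = bytes(ROMB_LEN) + hdr + psvn + ftpr
    return img + bytes(0x1000 - len(img))
```

Running `unreadable_partitions()` on a real dump before extraction shows which table entries a tool will fail on, which separates a truncated or partial image from a format the tool does not understand.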
And here is the output when I used the me_sigcheck tool which is intended to check the validity of an ME partition’s manifest using the embedded RSA public key and signature:

    $ /me_sigcheck.py FOVD_part.bin
    Intel ME partition manifest signature checker v0.1
    ME manifest not found! (bad file format?)
    $

Another popular tool is ME Analyzer. According to the tool developer, ME Analyzer is a tool which can show various details about Intel Engine Firmware (Management Engine, Trusted Execution Engine, Service Platform Services) images. It can be used to identify whether the firmware is updated, healthy, what Release, Type, SKU, etc., and supports all ME firmware from versions 1 to 11. The Achilles heel of this tool is its ME firmware version database, which requires constant updating. Fortunately, the tool developer provides excellent support.
Unfortunately for me, ME Analyzer failed to work with ME10.0_5M_Production.bin as shown below:
Recently an Embedi developer produced an IDA Python plugin called meloader to assist in analyzing ME firmware images. Unfortunately, it is currently specific to ME firmware version 9.0.30.1482. By modifying kapi.py (Kernel API) and rapi.py (ROM API), the plugin can easily be made to work with any 9.0.X.X ME firmware but unfortunately not with 9.5.X.X nor 10.X.X.X or 11.X.X.X ME firmware.
Here is what I got when I tried to use this plugin to load ME10.0_5M_Production.bin into IDA:
It seems to me there is little ongoing work to enhance existing ME analysis tools such as me_unpack or the meloader IDA plugin to support ME firmware versions 9.5.X.X or later. Possible reasons for this state of affairs include the lack of available documentation for ME versions above 9, no ROMB-enabled ME firmware later than version 9 in the wild, or simply that the ME tool developers have moved on to other projects.
How long should this update take? Mine started 2 hours ago and has been cranking at 96% (“Sending the update image to FW for verification”) for about 1:58 of that time.
There’s the “Warning: Do not exit the process..”
Only took about 10 minutes for me
Finnbarr, A complete guide! It would be very helpful for the beginners. Great article thanks and keep it up!