How To?:
Clean the Initialized DATA section within ME/TXE Regions
Management Engine 7 - 10 and TXE 1 - 2
Note: Flash image tools download links available at the end of this article.
Management Engine 7 - 10 and TXE 1 - 2 :
In this section we have taken as an example a SPI/BIOS image dump of a model which comes with ME firmware version 9.1.x.xxxx and SKU 1.5MB. However, the same applies to all ME 7 - 10 and TXE 1 - 2 firmware.
1. From Intel Management Engine: Drivers, Firmware & System Tools 4.1k or Intel Trusted Execution Engine: Drivers, Firmware & System Tools 721 threads, make sure you have downloaded the correct System Tools package and extract it.
2. From Intel (CS)ME, CS(TXE), CS(SPS), PMC, PHY & PCHC Firmware Repositories 3.5k thread, make sure you have downloaded the correct Repository pack based on major/minor version and extract it.
3. Open the dumped SPI/BIOS image with ME Analyzer to see what major/minor version we need as well as SKU. In this case we have:
So our SPI/BIOS image dump has a ME 9.1 firmware with 1.5MB SKU.
4. Browse the Repository pack, copy the same (or as similar as possible) ME/TXE RGN firmware of the same SKU and major/minor version (as instructed above) somewhere and then rename it to "ME Region.bin" or "TXE Region.bin" depending on what you're working with. In this case:
So we pick the firmware file 9.1.25.1005_1.5MB_PRD_RGN which matches perfectly what we saw at ME Analyzer. If for example the dumped SPI/BIOS image had ME 9.1.37.1002, we would have picked ME 9.1.32.1002 instead because the one we wanted is EXTR and not RGN. Thus, we rename the "9.1.25.1005_1.5MB_PRD_RGN.bin" copy to "ME Region.bin".
5. From the System Tools folder, go to Flash Image Tool subfolder and run fitc.exe. Drag & drop the dumped SPI/BIOS image you want to clean. After it is done loading:
- Go to Build > Build Settings... , untick the option to "Generate intermediate build files", leave all other settings intact and click OK.
- If you are working on FITC v8.1.40.1456 with ME 8 firmware which is configured as any "Intel (R) C600 Series Chipset" (Patsburg SKU), then you must use a ME region only for the cleanup process and not a SPI/BIOS image. So if you have a SPI/BIOS image, first extract the ME region and then load it to FITC. That is due to a FITC bug in which Patsburg settings are not properly shown/transferred when using anything but a bare Engine region image (extracted via Flash Programming Tool with "-me" parameter or via UEFITool > ME region > Extract as is...). More info can be found here 51. When you load the bare ME region at FITC, if the SKU at the top bars does not match what you see when loading the full SPI/BIOS image, make sure to first adjust that accordingly and don't leave it empty or different.
- If you are working on ME 9, go to "Flash Image > ME Region > Configuration > Boot Guard" and make sure that "Boot Guard Profile Configuration" is not set to "Unknown". If it is set to "Unknown", change it to the default value of "Boot Guard Profile 0 - No_FVME". Also, go to "Flash Image > ME Region > Configuration > Integrated Clock Controller" and make sure that "Default Lock Enables Mask" is not set to "Unknown". If it is set to "Unknown", change it to the default value of "0:Default".
- If you are working on an Engine region only (extracted via Flash Programming Tool with "-me" parameter or via UEFITool > ME region > Extract as is...) and not a full SPI/BIOS image (Flash Descriptor + Engine + BIOS), go to "Flash Image > Descriptor Region > Descriptor Map" and set "Number of Flash Components" to "0".
- If you are working on ME 7 - 9 or TXE 1, go to Flash Image > ME/TXE Region > Configuration > Features Supported and set "Intel (R) Anti-Theft Technology Permanently Disabled? " to "Yes". Intel Anti-Theft Technology has been EOL since January 2015 and can cause issues if left activated nowadays.
- If you are working on a SPI/BIOS image with ME 7 - 9, go to Flash Image > Descriptor Region > PCH Straps > PCH Strap 2 and set "Intel (R) ME SMBus MCTP Address Enable" to "false". Also, set "Intel (R) ME SMBus MCTP Address" to "0x00". These are Intel Anti-Theft Technology settings and these changes will stop the "MCTP 3G" error seen at Intel MEManuf tool when the former is disabled.
Note: These two settings are set at the Flash Descriptor (first 4KB of a full SPI/BIOS image) and not at the Engine Region (extracted via Flash Programming Tool with "-me" parameter or via UEFITool > ME region > Extract as is...). So for these to apply, you need to reflash the FD as well either by preparing a full SPI/BIOS image (Flash Descriptor + Engine + BIOS) or by flashing it manually via a tool such as Flash Programming Tool with -desc command.
6. Go to "File > Save As" and save the configuration xml file, in this case it's named "config.xml". Afterwards, close the FITC window.
7. At the FITC folder there should now be a folder named after the inputted file, in this case it's named "Z97OCF1.80". Enter "Decomp" subfolder. There should be a number of files there (BIOS Region, Flash Descriptor, OEM Region etc) including a "ME Region.bin" or "TXE Region.bin" file. Take the previous "ME Region.bin" or "TXE Region.bin" file you saved at step 4 and copy it where the current "ME Region.bin" or "TXE Region.bin" file is, effectively replacing it.
8. Run FITC again. From "File > Open" select the saved configuration xml file from step 6 and open it.
9. Click the "Build Image" icon (or "Build > Build Image") and it should complete successfully.
10. At the FITC folder you should now see a file named "outimage.bin" which is the dumped SPI/BIOS (or ME/TXE) image with an Engine region which has a Configured DATA section without any unneeded "Initialization" information stored.
11. Now, you need to verify that the resulting image has the same configured DATA settings as the imported one.
- Remove any leftover temporary files from FITC's directory (folders, fitc.ini, fitc.log). Run FITC and drag & drop the output file. Go to "File > Save As" and save the configuration xml file with a descriptive name such as "after.xml". Afterwards, close the FITC window. Repeat this step for the original image and you should end up with two configuration xml files, in this case they are named "before.xml" and "after.xml". Open these two files in any comparison tool that supports XML and check for any differences. All settings should be identical apart from "InputFile" fields and possibly Intel Anti-Theft related ones such as "SmBusMctpAddrEn", "SmBusMctpAddr" & "ATPerm", if those required changes at step 5.
- Import the output file to ME Analyzer and check if the Major/Minor versions & SKU are the same as before. Also, make sure the Type is reported as "Extracted" which means that the inputted image is OEM/FITC configured. Whether the DATA section is now Configured and not Initialized cannot be checked/verified by ME Analyzer but if you followed the above steps properly you should not be having any issues.
- As an extra verification step, you can open your original SPI/BIOS image dump in one FITC window and the output image in another and manually check quickly if the Engine Region settings are identical at both. This method is not needed if you have already checked via the configuration xml files, it is not recommended because some settings are not visible at the FITC window but only at the configuration file and it requires a lot of time for manual comparisons.
12. Last but not least, once your new cleaned+configured full SPI/BIOS dump or Engine region is flashed on the target system, run Flash Programming Tool with command fpt -greset and wait for the system to reset (no settings are lost). This step is very important because it forces the Engine co-processor to re-initialize and properly accept any changes to its SPI/BIOS image region counterpart.
- If you are working on an Engine region only (extracted via Flash Programming Tool with "-me" parameter or via UEFITool > ME region > Extract as is...) and not a full SPI/BIOS image (Flash Descriptor + Engine + BIOS), make sure that the output region has the same size at the input/dumped one. To do that, subtract the output region size from the input/dumped one to get the difference, which is the amount of 0xFF padding that needs to be appended at the end of the output region using a hex editor. For example, in a hypothetical case in which the size difference is 0xA000, the output region would need to be adjusted in HxD Hex Editor 66 like so: