Clean Dumped Intel Engine (CS) ME - (CS) TXE Regions With Data Initialization

Guide-How To:
Clean Dumped Intel Engine (CS)ME/(CS)TXE

Regions with Data Initialization
Last Updated: 2020-07-22
This guide is relevant to those who need to clean the DATA section of an Engine (CSME, ME, CSTXE, TXE) Region, which is part of a dumped SPI/BIOS image, in order to flash the latter on a
different machine of the same OEM model. It is not meant as a guide on how to completely transform a dumped Engine region into a stock Intel-provided one. Although the guide can be used
for that sometimes, the goal is not to update the firmware but to clean the already existing one inside the dumped SPI/BIOS image from any system-specific data while maintaining any
configuration settings applied by the OEM of the given model. In this guide, the term "system" means an individual user machine whereas "model" refers to all those "systems" released by the
OEM.
A. About Engine Regions & Configuration

The SPI/BIOS chip firmware is divided into regions which control different aspects of an Intel-based system. The mandatory regions are the Flash Descriptor (FD, controls read/write access
between the regions among other things), the (Converged Security) Management or Trusted Execution Engine (CSME/CSTXE/ME/TXE, holds the Engine firmware which has been
configured for a specific system) and the BIOS. The Type of each (CS)ME/(CS)TXE firmware Region can be either Stock (RGN, clean/stock/unconfigured images provided by Intel to OEMs) or
Extracted (EXTR, dirty/extracted/configured images from various SPI/BIOS). The (CS)ME or (CS)TXE firmware at the system's SPI/BIOS chip is always EXTR, generated by the OEM
after configuring the equivalent RGN at the factory via Intel Flash Image Tool (FIT).
The Engine firmware Regions (RGN/EXTR) consist of two sections: CODE and DATA. CODE is the actual Engine firmware whereas DATA is where all the system-specific settings are stored, as
configured by the OEM at the factory via Intel Flash Image Tool. The Engine firmware is not static as it holds system-specific configuration and can additionally be slightly configured by the
Engine co-processor while the system is running in order to provide the proper support and functionality. Any such changes are written into the DATA section of the Engine Region and the
firmware is considered initialized. That means that the DATA section can be in one of three states: Unconfigured, Configured or Initialized. Unconfigured means that the Engine firmware
image is the stock one Intel provides and not configured at all (RGN). Configured means that the OEM has applied model specific settings and the Engine region is ready for deployment
(EXTR). Initialized means that the Engine region comes from a system which was already running and thus the Engine co-processor has further configured the DATA section to suit that
particular system better (system specific or dirty EXTR).
A dumped SPI/BIOS image comes from a system which was already operating so the contained Engine Region should have a Initialized DATA section. In order for that dump to be usable on
another system of the same OEM model we need to clean the "Initialization" extra data and thus end up with an Engine Region which has a Configured-only DATA section. This is important
because on some cases these small dumped "initialization" changes made by the Engine co-processor of a system can lead to a malfunctioning or a corrupted Engine Region when transferred
to another system even one of the same OEM model.
B. Helpful Resources
First you need to identify what Engine firmware the dumped SPI/BIOS image has inside. For that you can use ME Analyzer tool which is capable of telling you the version, sku, release, type etc
of any inputted Engine firmware. You can use it to analyze both the dumped SPI/BIOS image you plan to clean and the firmware with which you plan to achieve that. The latter can be
retrieved from Intel (CS)ME, CS(TXE), CS(SPS), PMC, PHY & PCHC Firmware Repositories thread which includes all Engine (CSME, ME, CSTXE, TXE) firmware that we have gathered for such
cases.
Before proceeding, make sure to also check the dedicated Intel Management Engine: Drivers, Firmware & System Tools and Intel Trusted Execution Engine: Drivers, Firmware & System Tools
threads first. There you can find some more information about each firmware's chipset compatibility as well as the Engine System Tools packages which include the Flash Image Tool
(FIT/FITC/FTOOLC) which we will be using for the cleanup process. You will also understand various terms which are used throughout the guide such as FIT, FITC, FTOOLC, CSE, CSME,
CSTXE, RGN, EXTR, UPD, FD and so on.
C. Method Compatibility
This method has been tested to work on (CS)ME 2 - 15 and (CS)TXE 1 - 4. The process depending on the generation, so the guide differs. It has not been tested on any (CS)SPS firmware.
Since the purpose of the guide is to clean the DATA section, it is important to choose a clean RGN Engine firmware from the Intel Engine Firmware Repositories thread and not EXTR which is
extracted from various SPI/BIOS images/dumps and considered dirty as far as the DATA section is concerned. Moreover, a full RGN Engine Region is required and not an Update (UPD) image.
That means that you should look only for Engine firmware of this structure at the Repositories:
Major.Minor.Hotfix.Build_SKU_PRD_RGN
As previously mentioned, the goal is not necessarily to update the Engine firmware so you can choose any RGN firmware of the same SKU as long as the major and minor versions are the
same. It is usually recommended to take the exact same RGN firmware from the repositories, otherwise the closest you can find in case that one doesn't exist or it's not RGN, same SKU etc.
D. Clean the Initialized DATA section

D0. Index
D1. ME 2 - 3
D2. ME 4 - 6
D3. ME 7 - 10 & TXE 1 - 2
D4. CSME 11 - 15 & CSTXE 3 - 4
D1. ME 2 - 3
In this section we have taken as an example a SPI/BIOS image dump of a model which comes with ME firmware version 9.1.x.xxxx and SKU 1.5MB. However, the same applies to ME 2 - 3
firmware.
1. From Intel Management Engine: Drivers, Firmware & System Tools thread, make sure you have downloaded the correct System Tools package and extract it.
Spoiler
2. From Intel (CS)ME, CS(TXE), CS(SPS), PMC, PHY & PCHC Firmware Repositories thread, make sure you have downloaded the correct Repository pack based on major/minor version and
extract it.
Spoiler
3. Open the dumped SPI/BIOS image with ME Analyzer to see what major/minor version we need as well as SKU. In this case we have:
Spoiler
So our SPI/BIOS image dump has a ME 9.1 firmware with 1.5MB SKU.
4. Browse the Repository pack, copy the same (or as similar as possible) ME RGN firmware of the same SKU and major/minor version (as instructed above) somewhere and then rename it to
"ME Region.bin". In this case:
Spoiler
So we pick the firmware file 9.1.25.1005_1.5MB_PRD_RGN which matches perfectly what we saw at ME Analyzer. If for example the dumped SPI/BIOS image had ME 9.1.37.1002, we would
have picked ME 9.1.32.1002 instead because the one we wanted is EXTR and not RGN. Thus, we rename the "9.1.25.1005_1.5MB_PRD_RGN.bin" copy to "ME Region.bin".
5. From the System Tools folder, go to Flash Image Tool subfolder and run ftoolc.exe. Drag & drop the dumped SPI/BIOS image you want to clean. After it is done loading:
Go to Build > Build Settings... , untick the option to "Generate intermediate build files", leave all other settings intact and click OK.
Spoiler
6. Keep the FTOOLC window open. At the FITC folder there should now be a folder named after the inputted file, in this case it's named "Z97OCF1.80". Enter "Decomp" subfolder. There
should be a number of files there (BIOS Region, Flash Descriptor, OEM Region etc) including a "ME Region.bin" file. Take the previous "ME Region.bin" file you saved at step 4 and copy it
where the current "ME Region.bin" file is, effectively replacing it.
Spoiler
7. Go to the already open FTOOLC window, click the "Build Image" icon (or "Build > Build Image"), save as "intermediate.bin" and it should complete successfully.
Spoiler
8. At the FTOOLC folder you should now see a file named "intermediate.bin" which is the dumped SPI/BIOS image with an Engine region which has an "Unconfigured" DATA section without
any needed "Configuration" or unneeded "Initialization" information stored. Thus, it now needs to be "Configured".
Spoiler
9. From the System Tools folder, go to iAMTNVM subfolder and open a command prompt there. Copy the original input image (for example: "input.bin") as well as the Unconfigured one
("intermediate.bin") at the iAMTNVM subfolder. At the command prompt, enter "AMTNVM.exe -parse input.bin -out config.txt". A "config.txt" file should be created which holds the input
firmware configuration. To transfer it into the Unconfigured image, enter "AMTNVM.exe -edit intermediate.bin config.txt -out outimage.bin" which should build the final "Configured" output
SPI/BIOS image.
10. Now, you need to verify that the resulting image has the same configured DATA settings as the imported one.
Remove any leftover temporary files from FTOOLC's directory (folders, ftool.ini, ftool.log). Run FTOOLC and drag & drop the output file. Go to "File > Save As" and save the configuration
xml file with a descriptive name such as "after.xml". Afterwards, close the FTOOLC window. Repeat this step for the original image and you should end up with two configuration xml files,
in this case they are named "before.xml" and "after.xml". Open these two files in any comparison tool that supports XML and check for any differences. All settings should be identical apart
from "InputFile" fields.
Spoiler
Go to iAMTNVM subfolder and open a command prompt there. At the command prompt, enter "AMTNVM.exe -parse input.bin -out before.txt" followed by "AMTNVM.exe -parse
outimage.bin -out after.txt". You should end up with two configuration txt files, in this case they are named "before.txt" and "after.txt". Open these two files in any comparison tool and
check for any differences. All settings should be identical.
Import the output file to ME Analyzer and check if the Major/Minor versions & SKU are the same as before. Also, make sure the Type is reported as "Extracted" which means that the
inputted image is OEM/FTOOLC configured. Whether the DATA section is now Configured and not Initialized cannot be checked/verified by ME Analyzer but if you followed the above steps
properly you should not be having any issues.
Spoiler
D2. ME 4 - 6
In this section we have taken as an example a SPI/BIOS image dump of a model which comes with ME firmware version 9.1.x.xxxx and SKU 1.5MB. However, the same applies to ME 4 - 6
firmware.
1. From Intel Management Engine: Drivers, Firmware & System Tools thread, make sure you have downloaded the correct System Tools package and extract it.
Spoiler
extract it.
Spoiler
Spoiler
4. Browse the Repository pack, copy the same (or as similar as possible) ME RGN firmware of the same SKU and major/minor version (as instructed above) somewhere and then rename it to
"ME Region.bin". In this case:
Spoiler
5. From the System Tools folder, go to Flash Image Tool subfolder and run fitc.exe. Drag & drop the dumped SPI/BIOS image you want to clean. After it is done loading:
Spoiler
If you are working on an Engine region only (extracted via Flash Programming Tool with "-me" parameter or via UEFITool > ME region > Extract as is...) and not a full SPI/BIOS image
(Flash Descriptor + Engine + BIOS), go to "Flash Image > Descriptor Region > Descriptor Map" and set "Number of Flash Components" to "0".
Spoiler
If you are working on ME 5 - 6, go to Flash Image > Configuration > "Features Supported" or "Intel Anti-Theft Technology" and set "Intel (R) Anti-Theft Technology Permanently Disabled?"
to "Yes" or "Enable Intel Anti-Theft Technology" to "false". Intel Anti-Theft Technology has been EOL since January 2015 and can cause issues if left activated nowadays.
Spoiler
6. Keep the FITC window open. At the FITC folder there should now be a folder named after the inputted file, in this case it's named "Z97OCF1.80". Enter "Decomp" subfolder. There should be
a number of files there (BIOS Region, Flash Descriptor, OEM Region etc) including a "ME Region.bin" file. Take the previous "ME Region.bin" file you saved at step 4 and copy it where the
current "ME Region.bin" file is, effectively replacing it.
Spoiler
7. Go to the already open FITC window, click the "Build Image" icon (or "Build > Build Image") and it should complete successfully.
Spoiler
8. At the FITC folder you should now see a file named "outimage.bin" which is the dumped full SPI/BIOS (or ME) image with an Engine region which has a Configured DATA section without
any unneeded "Initialization" information stored.
Spoiler
Remove any leftover temporary files from FITC's directory (folders, fitc.ini, fitc.log). Run FITC and drag & drop the output file. Go to "File > Save As" and save the configuration xml file with
a descriptive name such as "after.xml". Afterwards, close the FITC window. Repeat this step for the original image and you should end up with two configuration xml files, in this case they
are named "before.xml" and "after.xml". Open these two files in any comparison tool that supports XML and check for any differences. All settings should be identical apart from "InputFile"
fields and possibly Intel Anti-Theft related ones such as "SmBusMctpAddrEn", "SmBusMctpAddr" & "ATPerm", if those required changes at step 5.
Spoiler
If you are working on ME 6, remove any leftover temporary files from FITC's directory (folders, fitc.ini, fitc.log, before.xml, after.xml etc). Run FITC and drag & drop the output file. Rename
the file "ConfigParams.txt" to "before.txt" and close FITC. Run FITC and drag & drop the original file. Rename the file "ConfigParams.txt" to "after.txt" and close FITC. You should end up
with two configuration txt files, in this case they are named "before.txt" and "after.txt". Open these two files in any comparison tool and check for any differences. All settings should be
identical apart from any Intel Anti-Theft related ones, if those required changes at step 5.
If you are working on ME 4 - 5, remove any leftover temporary files from FITC's directory (folders, fitc.ini, fitc.log, before.xml, after.xml etc). Run FITC, drag & drop the output file and close
it. Run FITC, drag & drop the original file and close it. At the FITC folder there should now be two folders named after the inputted files. At each input file folder, enter "Decomp" subfolder,
copy "Configuration.txt" (ME 5) or "NVARs.txt" (ME 4) file and rename them to "before.txt" and "after.txt" respectively. You should end up with two configuration txt files, in this case they
are named "before.txt" and "after.txt". Open these two files in any comparison tool and check for any differences. All settings should be identical apart from any Intel Anti-Theft related
ones, if those required changes at step 5.
inputted image is OEM/FITC configured. Whether the DATA section is now Configured and not Initialized cannot be checked/verified by ME Analyzer but if you followed the above steps
Spoiler
As an extra verification step, you can open your original SPI/BIOS image dump in one FITC window and the output image in another and manually check quickly if the Engine Region
settings are identical at both. This method is not needed if you have already checked via the configuration xml & txt files, it is not recommended because some settings are not visible at the
FITC window but only at the configuration files and it requires a lot of time for manual comparisons.
Spoiler
10. Last but not least, if you are working on ME 5 - 6, once your new cleaned+configured full SPI/BIOS dump or Engine region is flashed on the target system, run Flash Programming Tool
with command fpt -greset and wait for the system to reset (no settings are lost). This step is very important because it forces the Engine co-processor to re-initialize and properly accept any
changes to its SPI/BIOS image region counterpart.
Spoiler
(Flash Descriptor + Engine + BIOS), make sure that the output region has the same size at the input/dumped one. To do that, subtract the output region size from the input/dumped one
to get the difference, which is the amount of 0xFF padding that needs to be appended at the end of the output region using a hex editor. For example, in a hypothetical case in which the
size difference is 0xA000, the output region would need to be adjusted in HxD Hex Editor like so:
Spoiler
D3. ME 7 - 10 & TXE 1 - 2
In this section we have taken as an example a SPI/BIOS image dump of a model which comes with ME firmware version 9.1.x.xxxx and SKU 1.5MB. However, the same applies to all ME 7 - 10
and TXE 1 - 2 firmware.
1. From Intel Management Engine: Drivers, Firmware & System Tools or Intel Trusted Execution Engine: Drivers, Firmware & System Tools threads, make sure you have downloaded the
correct System Tools package and extract it.
Spoiler
extract it.
Spoiler
Spoiler
4. Browse the Repository pack, copy the same (or as similar as possible) ME/TXE RGN firmware of the same SKU and major/minor version (as instructed above) somewhere and then rename it
to "ME Region.bin" or "TXE Region.bin" depending on what you're working with. In this case:
Spoiler
5. From the System Tools folder, go to Flash Image Tool subfolder and run fitc.exe. Drag & drop the dumped SPI/BIOS image you want to clean. After it is done loading:
Spoiler
If you are working on FITC v8.1.40.1456 with ME 8 firmware which is configured as any "Intel (R) C600 Series Chipset" (Patsburg SKU), then you must use a ME region only for the cleanup
process and not a SPI/BIOS image. So if you have a SPI/BIOS image, first extract the ME region and then load it to FITC. That is due to a FITC bug in which Patsburg settings are not
properly shown/transferred when using anything but a bare Engine region image (extracted via Flash Programming Tool with "-me" parameter or via UEFITool > ME region > Extract as
is...). More info can be found here. When you load the bare ME region at FITC, if the SKU at the top bars does not match what you see when loading the full SPI/BIOS image, make sure to
first adjust that accordingly and don't leave it empty or different.
Spoiler
If you are working on ME 9, go to "Flash Image > ME Region > Configuration > Boot Guard" and make sure that "Boot Guard Profile Configuration" is not set to "Unknown". If it is set to
"Unknown", change it to the default value of "Boot Guard Profile 0 - No_FVME". Also, go to "Flash Image > ME Region > Configuration > Integrated Clock Controller" and make sure that
"Default Lock Enables Mask" is not set to "Unknown". If it is set to "Unknown", change it to the default value of "0:Default".
Spoiler
(Flash Descriptor + Engine + BIOS), go to "Flash Image > Descriptor Region > Descriptor Map" and set "Number of Flash Components" to "0".
Spoiler
If you are working on ME 7 - 9 or TXE 1, go to Flash Image > ME/TXE Region > Configuration > Features Supported and set "Intel (R) Anti-Theft Technology Permanently Disabled? " to
"Yes". Intel Anti-Theft Technology has been EOL since January 2015 and can cause issues if left activated nowadays.
Spoiler
If you are working on a SPI/BIOS image with ME 7 - 9, go to Flash Image > Descriptor Region > PCH Straps > PCH Strap 2 and set "Intel (R) ME SMBus MCTP Address Enable" to "false".
Also, set "Intel (R) ME SMBus MCTP Address" to "0x00". These are Intel Anti-Theft Technology settings and these changes will stop the "MCTP 3G" error seen at Intel MEManuf tool when
the former is disabled.
Spoiler
Note: These two settings are set at the Flash Descriptor (first 4KB of a full SPI/BIOS image) and not at the Engine Region (extracted via Flash Programming Tool with "-me" parameter or
via UEFITool > ME region > Extract as is...). So for these to apply, you need to reflash the FD as well either by preparing a full SPI/BIOS image (Flash Descriptor + Engine + BIOS) or by
flashing it manually via a tool such as Flash Programming Tool with -desc command.
6. Go to "File > Save As" and save the configuration xml file, in this case it's named "config.xml". Afterwards, close the FITC window.
Spoiler
7. At the FITC folder there should now be a folder named after the inputted file, in this case it's named "Z97OCF1.80". Enter "Decomp" subfolder. There should be a number of files there
(BIOS Region, Flash Descriptor, OEM Region etc) including a "ME Region.bin" or "TXE Region.bin" file. Take the previous "ME Region.bin" or "TXE Region.bin" file you saved at step 4 and copy
it where the current "ME Region.bin" or "TXE Region.bin" file is, effectively replacing it.
Spoiler
8. Run FITC again. From "File > Open" select the saved configuration xml file from step 6 and open it.
Spoiler
9. Click the "Build Image" icon (or "Build > Build Image") and it should complete successfully.
Spoiler
10. At the FITC folder you should now see a file named "outimage.bin" which is the dumped SPI/BIOS (or ME/TXE) image with an Engine region which has a Configured DATA section without
any unneeded "Initialization" information stored.
Spoiler
Remove any leftover temporary files from FITC's directory (folders, fitc.ini, fitc.log). Run FITC and drag & drop the output file. Go to "File > Save As" and save the configuration xml file with
a descriptive name such as "after.xml". Afterwards, close the FITC window. Repeat this step for the original image and you should end up with two configuration xml files, in this case they
are named "before.xml" and "after.xml". Open these two files in any comparison tool that supports XML and check for any differences. All settings should be identical apart from "InputFile"
fields and possibly Intel Anti-Theft related ones such as "SmBusMctpAddrEn", "SmBusMctpAddr" & "ATPerm", if those required changes at step 5.
Spoiler
inputted image is OEM/FITC configured. Whether the DATA section is now Configured and not Initialized cannot be checked/verified by ME Analyzer but if you followed the above steps
Spoiler
As an extra verification step, you can open your original SPI/BIOS image dump in one FITC window and the output image in another and manually check quickly if the Engine Region
settings are identical at both. This method is not needed if you have already checked via the configuration xml files, it is not recommended because some settings are not visible at the FITC
window but only at the configuration file and it requires a lot of time for manual comparisons.
Spoiler
12. Last but not least, once your new cleaned+configured full SPI/BIOS dump or Engine region is flashed on the target system, run Flash Programming Tool with command fpt -greset and wait
for the system to reset (no settings are lost). This step is very important because it forces the Engine co-processor to re-initialize and properly accept any changes to its SPI/BIOS image region
counterpart.
Spoiler
(Flash Descriptor + Engine + BIOS), make sure that the output region has the same size at the input/dumped one. To do that, subtract the output region size from the input/dumped one
to get the difference, which is the amount of 0xFF padding that needs to be appended at the end of the output region using a hex editor. For example, in a hypothetical case in which the
size difference is 0xA000, the output region would need to be adjusted in HxD Hex Editor like so:
Spoiler
save quote Quote reply

HOT Not interested
Ads by
Ad was Ad covered Seen this ad
HOT
in this ad inappropriate content multiple times
Stop seeing this ad Why this ad?
Personalised Polo T-Shirt

Vistaprint.in
#2 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Sat Mar 19, 2016 12:53 am (Last edited: Sun Jan 10, 2021 10:03 pm)
plutomaniac
D4. CSME 11 - 15 & CSTXE 3 - 4
In this section we have taken as an example a SPI/BIOS image dump of a model which comes with CSME firmware version 11.0.x.xxxx and SKU Consumer H. However, the same applies to all
CSME 11 - 15 and CSTXE 3 - 4 firmware.
1. From Intel Management Engine: Drivers, Firmware & System Tools or Intel Trusted Execution Engine: Drivers, Firmware & System Tools threads, make sure you have downloaded the
correct System Tools package and extract it.
Administrator
Spoiler
Posts: 5203
Registered 09.16.2014
since:
Sex: male
Send click here
message:
extract it.
Spoiler
Spoiler
So our SPI/BIOS image dump has a CSME 11.0 firmware with Consumer SKU.
4. Browse the Repository pack, copy the same (or as similar as possible) CSME/CSTXE RGN firmware of the same SKU and major/minor version (as instructed above) somewhere and then
rename it to "ME Region.bin" for CSME 11, "TXE Region.bin" for CSTXE 3, "ME Sub Partition.bin" for CSME 12 or "TXE Sub Partition.bin" for CSTXE 4, depending on what you're working with.
In this case:
Spoiler
So we pick the firmware file 11.0.1.1001_CON_H_XX_PRD_RGN which matches perfectly what we saw at ME Analyzer. If for example the dumped SPI/BIOS image had CSME 11.0.0.1196
with LP SKU, we would have picked CSME 11.0.0.1197 instead because the one we wanted is EXTR and not RGN. Thus, we rename the "11.0.1.1001_CON_H_XX_PRD_RGN.bin" copy to "ME
Region.bin".
5. Open the dumped SPI/BIOS image with ME Analyzer. In order to verify that the SPI/BIOS dump has Initialization data, make sure that File System State is reported as "Initialized".
Spoiler
6. From the System Tools folder, go to Flash Image Tool > WIN subfolder and run fit.exe. Drag & drop the dumped SPI/BIOS image you want to clean. Go to "Build > Build Settings", select
"No" at the option to "Generate Intermediate Files", leave all other settings intact and click Close.
Spoiler
Note: If you are working on a CSME 11 Engine region only (extracted via Flash Programming Tool with "-me" parameter or via UEFITool > ME region > Extract as is...) and not a full SPI/BIOS
image (Flash Descriptor + Engine + BIOS), you also need to change three additional settings. Set "Flash Settings > Flash Components > Number of Flash Components" to 0 and remove the
path from both "Flash Layout > Intel(R) ME Region > Intel (R) Trace Hub Binary" and "Integrated Sensor Hub > ISH Data > PDT Binary File" only if these are not present at your dumped
CSME 11 Engine region (indicated by the zero-byte size of these modules at the "Decomp" subfolder).
7. Go to "Platform Protection" and check if "Platform Integrity" section is present. If "Platform Integrity" section is present, continue as instructed below. Otherwise, proceed to
the next step of the guide.
Check if "OEM Public Key Hash" field exists and whether it is empty/zeroed or not. If "OEM Public Key Hash" field is either missing or empty/zeroed, proceed to the next step of the guide.
Spoiler
If "OEM Public Key Hash" is populated then it is highly probable that your SPI/BIOS image is signed by the OEM and their OEM Public Key Hash is stored permanently in the Chipset
hardware. In such case, you cannot easily/quickly clean the Engine firmware because the platform will reject it without the OEM's RSA Private Key.
Spoiler
If you happen to have the OEM's Private RSA Key (unlikely unless you're the OEM), you can input it at "SMIP Signing Key" field. Then go to "Build > Build Settings", input the Manifest
Extension Utility (MEU) executable location at "Intel(R) Manifest Extension Utility Path" field, input Win32 OpenSSL Lite executable location at "Signing Tool Path" field, make sure that
"OpenSSL" is selected at "Signing Tool" field, make sure that "Verify manifest signing keys against the OEM Key Manifest" is set to "Yes", leave all other settings intact and click Close. Now
proceed to the next step of the guide.
Spoiler
If you don't have the OEM's Private RSA Key (expected end-user situation), you can still clean the Engine firmware section(s) of the SPI/BIOS image but more steps are needed. That's
because the Engine firmware is signed independently and thus protected on its own so any FIT-configurable RSA Public Key Hashes & Signatures relate only to the rest of the
BIOS/IAFW/IFWI components of the SPI/BIOS chip image. For example, the "SMIP Signing Key" found above "OEM Public Key Hash" field is used to sign/re-sign the SMIP BIOS/IAFW
module which may interact with the Engine firmware but it's not actually a part of it. Thus, the goal is to update the Engine firmware only, without touching the BIOS/IAFW modules, like
SMIP or DnX, which require re-signing upon rebuilding the SPI/BIOS image at FIT.
We need to create a dummy/placeholder RSA Private Key to insert at "SMIP Signing Key" field. The use of OpenSSL is required for that. Under Windows, install Win32 OpenSSL Lite, go to
its directory and execute the command:
1 openssl.exe genrsa --out dummy.pem 2048
Spoiler
At "SMIP Signing Key" field, input the placeholder RSA Private Key (dummy.pem) that was created by the OpenSSL tool. Then go to "Build > Build Settings", input the Manifest Extension
Utility (MEU) executable location at "Intel(R) Manifest Extension Utility Path" field, input Win32 OpenSSL Lite executable location at "Signing Tool Path" field, make sure that "OpenSSL" is
selected at "Signing Tool" field, make sure that "Verify manifest signing keys against the OEM Key Manifest" is set to "No", leave all other settings intact and click Close.
Spoiler
8. Go to "File > Save As" and save the configuration xml file, in this case it's named "config.xml". Afterwards, close the FIT window.
Spoiler
9. If you are working on a full SPI/BIOS image (Flash Descriptor + Engine + BIOS) and not a CSME 11 Engine region only (extracted via Flash Programming Tool with "-me" parameter or via
UEFITool > ME region > Extract as is...), go to the FIT folder and there should now be a folder named after the inputted file, in this case it's named "Z17EX62.00". Enter "Decomp" subfolder.
There should be a number of files there (BIOS Region, Flash Descriptor, OEM Region etc) including a "ME Region.bin" or "TXE Region.bin" or "ME Sub Partition.bin" or "TXE Sub Partition.bin"
file. Take the previous "ME/TXE Region.bin" or "ME/TXE Sub Partition.bin" file you saved at step 4 and copy it where the current "ME/TXE Region.bin" or "ME/TXE Sub Partition.bin" file is,
effectively replacing it.
Spoiler
If you are working on a CSME 11 Engine region only (extracted via Flash Programming Tool with "-me" parameter or via UEFITool > ME region > Extract as is...) and not a full SPI/BIOS image
(Flash Descriptor + Engine + BIOS), take the previous "ME/TXE Region.bin" or "ME/TXE Sub Partition.bin" file you saved at step 4, rename it exactly the same as the input file (Engine region)
and copy it where the current input file is, effectively replacing it.
10. Run FIT again. From "File > Open" select the saved configuration xml file from step 8 and open it.
Spoiler
11. Click the "Build Image" icon (or "Build > Build Image") and it should complete successfully.
Spoiler
12. At the FIT folder you should now see a file named "outimage.bin" which is the dumped SPI/CSME/CSTXE image with an Engine region which has a Configured DATA section without any
unneeded "Initialization" information stored.
Spoiler
13. If you followed the instructions at Step 7 and not skipped it, you determined that your SPI/BIOS image is signed by the OEM and thus inputted a placeholder RSA Private Key
(dummy.pem) at "SMIP Signing Key" field. You must now restore the original OEM-signed SMIP module. For that you need to use a Hex Editor (example: HxD Hex Editor) and ME Analyzer tool.
Drag & drop the dumped SPI/BIOS image you want to clean at ME Analyzer and at Option(s) enter "-dfpt" parameter.
Spoiler
Find the "Boot Partition Descriptor Table" which includes the entry with Name "SMIP". It must not be Empty ("No"). Note down SMIP partition's "Start" offset & "Size" which in this case are
0x2000 and 0x4000 respectively. Do the same for the "outimage.bin" file which got built at step 12. The SMIP "Start" offset & "Size" of both SPI/BIOS images are usually the same.
Spoiler
Open the dumped SPI/BIOS image you want to clean as well as "outimage.bin" at the Hex Editor. From the the dumped SPI/BIOS image you want to clean, go to its SMIP "Start" offset and
select a block equal to the SMIP "Size" which you noted down earlier. A block equal to the SMIP "Size" should now be selected. Do the same for "outimage.bin" file.
Spoiler
Now you need to "Copy" the selected block from the dumped SPI/BIOS image you want to clean and "Paste write" it at the equivalent selected block of "outimage.bin". Then "Save" the
changes at "outimage.bin" file.
Spoiler
14. Now, you need to verify that the resulting image ("outimage.bin") is indeed not Initialized. Import the output file to ME Analyzer and check if the Major/Minor versions, SKU & Stepping are
the same as before. In order to verify that the DATA section is now Configured and not Initialized, make sure that the File System State is reported as "Configured".
Spoiler
15. Last but not least, once your new cleaned+configured SPI/BIOS dump or Engine region is flashed on the target system, run Flash Programming Tool with command fpt -greset and wait for
the system to reset (no settings are lost). This step is very important because it forces the Engine co-processor to re-initialize and properly accept any changes to its SPI/BIOS image region
counterpart.
Spoiler
If you are working on a CSME 11 Engine region only (extracted via Flash Programming Tool with "-me" parameter or via UEFITool > ME region > Extract as is...) and not a full SPI/BIOS
image (Flash Descriptor + Engine + BIOS), make sure that the output region has the same size at the input/dumped one. To do that, subtract the output region size from the input/dumped
one to get the difference, which is the amount of 0xFF padding that needs to be appended at the end of the output region using a hex editor. For example, in a hypothetical case in which
the size difference is 0xA000, the output region would need to be adjusted in HxD Hex Editor like so:
Spoiler
#3 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Sat Mar 19, 2016 11:19 am (Last edited: Sun Mar 20, 2016 1:34 pm)
rootuser123
Show info
Thanks Plutomaniac and Pacman, this tutorial worked for my Gigabyte Z170 Motherboard which enables me to update to the latest ME Firmware since I always get Error 8719
using FWUpdLcl.
Thanks to @Fernando, @SoniX, @lordkag, @CodeRush and @plutomaniac for all the resources and help for modding BIOSes.
Spoiler
Current Desktop Configuration

Intel Core i9 9900KS @5.00GHz, Corsair Vengeance LPX 32GB DDR4-3600MHz Dual Channel, Gigabyte
Z370 Aorus Gaming 5 Rev 1.0 Motherboard, Gigabyte Aorus RTX 2070 Super, Intel Optane M10 32gb
NVMe SSD, Seagate FireCuda SSHD SATA3 2TB HDD @7200RPM, Enermax 850W Revolution 87+ PSU,
Windows 7 Ultimate 64 Bit SP1
Spoiler
Secondary Server
Intel Xeon X5675 @4.60GHz, 16GB DDR3-1600 Triple Channel, Gigabyte GA-X58A-UD3R Rev 2.0
Motherboard, Gigabyte Radeon RX 470 4GB, Toshiba TLC 256GB SSD, WD Blue 3TB HDD, Antec HCG-
900 900W PSU, Windows Server 2019
Spoiler
Current Laptop Configuration

Intel Core i7 4510U @ 2.00GHz, 12GB DDR3-1600 Dual Channel, Asus HM87 Motherboard, Intel HD
Graphics 4400, NVIDIA GeForce 840M 2GB DDR3, Intel 535 SSD 360GB, Windows 10 Education
#4 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Sat Mar 19, 2016 2:47 pm (Last edited: Sat Mar 19, 2016 2:48 pm)
plutomaniac
Zitat von rootuser123 im Beitrag #3
I always get Error 8719 using FWUpdLcl.
That's a BIOS issue, Gigabyte needs to Enable the Local ME Firmware Update capability. If your flash descriptor is unlocked though, you can always use the latest RGN and
adjust settings via FIT manually.
Administrator
Show info

#5 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Wed Jun 15, 2016 7:23 am (Last edited: Wed Jun 15, 2016 7:25 am)
Jaac
That is very good information, thanks. Never heard of it before though, but it makes perfect sense.
I'm going to give it a go on an old P5Q Deluxe (with the EFI beta bios, modded though), which i'm having issue's with. Don't have the spare time yet, but asap. This system has
seen many different bioses, and including a lot from user posts and even a brainfart version(wrong model).
Thanks again, i'll let you know how it.
Show info p.s. While i come to think about it, this probably is my first post, heh! I've been a loooong time lurker, but only recently created an account . Thanks for all the work you guys
are doing, it's clear, works and takes a lot of effort!
#6 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Fri Jul 15, 2016 5:53 pm (Last edited: Fri Jul 15, 2016 5:54 pm)
rootuser123
Show info
This guide also works to update from non-PDM ME Firmware to PDM Firmware on Skylake motherboards. I updated it from 1168 ME Firmware to the latest ME Firmware using
this method and ran FPT -greset after flashing the BIOS in DOS. Also the edit year on the guide says 2015 instead of 2016 ;)
Thanks to @Fernando, @SoniX, @lordkag, @CodeRush and @plutomaniac for all the resources and help for modding BIOSes.
Spoiler
Spoiler
Spoiler
#7 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Fri Jul 15, 2016 6:00 pm (Last edited: Fri Jul 15, 2016 6:03 pm)
plutomaniac
Yes, it works with everything. For the purposes of this guide, the same FW version is used. Although higher/lower FW and/or FITC/FIT version combinations usually work, it
might not always be the case when new settings are added to FW releases or FITC/FIT is altered. So always check for any errors and compare old and new saved .xml
configurations for differences. Also, thank you for the date typo report, fixed.
Administrator
Show info
#8 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Tue Aug 16, 2016 7:01 am
toniu-massa
Show info
Hello!!!
It is necessary to clean a SPI image in all systems that have ME firmware (HM76, for exemple)?
Thanks!!!
#9 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Tue Aug 16, 2016 2:59 pm
plutomaniac
If you want to flash a ME region from a dump then yes, you need to clean it first.
Administrator
Show info
#10 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Tue Aug 30, 2016 2:19 am
toniu-massa
Show info
I followed step by step and got 3 outimage.bin:
outimage(1).bin (2,048 MB)

outimage(2).bin (4,096 MB)
outimage.bin (6,144 MB)
Which one should I flash?

The dumped SPI image I plan to clean take 2,048 MB. It's this one?
Thanks!!!
#11 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Tue Aug 30, 2016 1:15 pm
plutomaniac
The full SPI image is 6MB in size as outimage.bin shows. What model are you talking about? Does it have two SPI chips? Attach the SPI dump(s).
Administrator
Show info
#12 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Tue Aug 30, 2016 11:34 pm (Last edited: Wed Aug 31, 2016 5:12 am)
toniu-massa
Zitat von plutomaniac im Beitrag #11
Posts: 16
Registered since: 08.16.2016 The full SPI image is 6MB in size as outimage.bin shows. What model are you talking about? Does it have two SPI chips? Attach the SPI dump(s).
Send message: click here
Yes, it have 2 spi chips. HM76 chipset.
I attach the SPI image dumps that I plan to clean.
Thanks!!!!! (^_^)
toniu-massa has attached files to this post

Itautec W7730 - W3450.rar
#13 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Wed Aug 31, 2016 12:17 am
plutomaniac
You haven't attached any files.
Administrator
Show info
#14 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Wed Aug 31, 2016 5:49 am (Last edited: Wed Aug 31, 2016 5:50 am)
toniu-massa
Show info Zitat von plutomaniac im Beitrag #13
You haven't attached any files.
Sorry!!!! And now???
#15 | RE: [Guide] Clean the ME/TXE Initialized DATA section of a SPI image dump Wed Aug 31, 2016 6:14 pm (Last edited: Wed Aug 31, 2016 6:14 pm)
plutomaniac
Updates:
Added references to TXE 3.x, SPS 4.x & ME 11.5/6 (D2) and renamed all "ME/TXE" to "Engine" Regions instead
Added D1 > Step 12 and D2 > Step 16 with instructions to perform a FPT -greset after flashing the new Engine region
Rewritten D1 (Pre-Skylake) > Step 8 in sub-steps and added disabling of Intel Anti-Theft (EOL), AT settings at FD and more images
Rewritten D1 (Pre-Skylake) > Step 11 in sub-steps and added xml file comparison, what to expect and recommendations
Rewritten D2 (Post-Skylake) > Step 15 in sub-steps and added xml file comparison, what to expect and recommendations
@ toniu-massa:
Administrator
Yes, you needed the 2MB outimage part. The first 2MB chip includes the FD+ME whereas the second holds the EC/BIOS. Today I added various new instructions, mostly for pre-
Posts: 5203
Skylake, so you may want to follow the guide again if you prefer to do it yourself. Otherwise, here are the cleaned, configured and updated files for your system. Depending on
Registered since: 09.16.2014 how you flash, use either the ME region (FPT -f) or the full 2MB SPI image (programmer or FPT -f). As said at step 12, don't forget FPT -greset command when you are done.
Sex: male
Send message: click here
plutomaniac has attached files to this post
mod_toniu-massa.rar
Quick reply
reply
« SOLUTION for HP Z200 MT Shutting Down after 30 Minutes & Management Platform in manufacturing mode Intel (Converged Security) Trusted Execution Engine: Drivers, Firmware and Tools »
Page 1 of 26 « Page 1 2 3 4 5 ... 26 Page »

Clean Dumped Intel Engine (CS) ME - (CS) TXE Regions With Data Initialization

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Clean Dumped Intel Engine (CS) ME - (CS) TXE Regions With Data Initialization

Uploaded by

Copyright:

Available Formats

Guide-How To:

Clean Dumped Intel Engine (CS)ME/(CS)TXE

A. About Engine Regions & Configuration

D. Clean the Initialized DATA section

save quote Quote reply

Personalised Polo T-Shirt

1 openssl.exe genrsa --out dummy.pem 2048

save quote Quote reply

Current Desktop Configuration

Current Laptop Configuration

save quote Quote reply

I always get Error 8719 using FWUpdLcl.

save quote Quote reply

Thanks again, i'll let you know how it.

save quote Quote reply

save quote Quote reply

save quote Quote reply

save quote Quote reply

save quote Quote reply

outimage(1).bin (2,048 MB)

Which one should I flash?

save quote Quote reply

Yes, it have 2 spi chips. HM76 chipset.

I attach the SPI image dumps that I plan to clean.

toniu-massa has attached files to this post

save quote Quote reply

save quote Quote reply

You haven't attached any files.

Sorry!!!! And now???

save quote Quote reply

save quote Quote reply

Page 1 of 26 « Page 1 2 3 4 5 ... 26 Page »

You might also like