This is how I updated my Intel ME firmware on my Lenovo X1 Carbon Gen 4 (reports say this also has worked for Gen5 machines). These instructions are pretty strongly inspired by https://news.ycombinator.com/item?id=15744152
Why? Intel security advisory and CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, and CVE-2017-5712 should be reason enough.
You will need:
- To download about 3.5GB of stuff
- A USB key
- Linux installed
- WINE or a Windows box to run two executables (because self extracting archives are a thing on Windows apparently)
- A bit of technical know-how. A shell prompt shouldn’t scare you too hard.
Steps:
- Go to https://www.microsoft.com/en-au/software-download/windows10ISO and download the 32-bit ISO.
- Mount the ISO as a loopback device (e.g. by right clicking and choosing to mount, or by doing ‘sudo mount -o loop,ro file.iso /mnt’
- Go to Lenovo web site for Drivers & Software for your laptop, under Chipset, there’s ME Firmware and Software downloads You will need both. It looks like this:
- Run both exe files with WINE or on a windows box to extract the archives, you do not need to run the installers at the end.
- you now need to extract the management engine drivers. You can do this in ~/.wine/drive_c/DRIVERS/WIN/AMT, with “cabextract SetupME.exe” or (as suggested in the comments) you can use the innoextract utility (from linux) to extract them (a quick check shows this to work)
- Save off HECI_REL folder, it’s the only extracted thing you’ll need.
- Go and install https://wimlib.net/ – we’re going to use it to create the boot disk. (it may be packaged for your distro).
If you don’t have the path /usr/lib/syslinux/modules/bios on your system but you do have /usr/share/syslinux/modules/bios – you will need to change a bit of the file programs/mkwinpeimg.in to point to the /usr/share locations rather than /usr/lib before you install wimlib. This probably isn’t needed if you’re installing from packages, but may be requried if you’re on, say, Fedora. - Copy ~/.wine/drive_c/DRIVERS to a new folder, e.g. “winpe_overlay” (or copy from the Windows box you extracted things on)
- Use mkwinpeimg to create the boot disk, pointing it to the mounted Windows 10 installer and the “winpe_overlay”:
mkwinpeimg -W /path/to/mounted/windows10-32bit-installer/ -O winpe_overlay disk.img
- Use ‘dd’ to write it to your USB key
- Reboot, go into BIOS and turn Secure Boot OFF, Legacy BIOS ON, and AMT ON.
- Boot off the USB disk you created.
- In the command prompt of the booted WinPE environment, run the following to start the update:
It should look something like this:
- Reboot, go back into BIOS and change your settings back to how you started.
This worked perfectly with my X1 Carbon 5th generation. Thanks for sharing!
I had to make slight modifications to the instructions (see https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/X1-Carbon-5th-gen-on-Linux-How-to-update-Intel-Management-Engine/td-p/3885194), but it generally worked well. Thanks a lot!
Ahh yep, I may have hit that too, or have made a local modification. I’ll add something to the instructions, thanks!
I got stuck at step 6: “Save off HECI_REL folder”, When I extract the contents of “SetupME.exe” I don’t get any “HECI_REL” folder. I don’t have such folder in the “ME” or “AMT” folders I extracted in step 4 either.
You can extract the files from the self-extracting executables with innoextract, so you don’t need wine or a Windows instance after all.
You’ll find the HECI_REL folder if you execute “innoextract n1cra28w.exe” and then “cabextract app/SetupME.exe”.
Thanks for the innoextract tip! I’ve updated the post to mention it.
Thanks a lot for compiling this manual.
But some things are unclear. First, what do you mean with “Save off HECI_REL folder” (Step 6)? Save off – to where? And what does “Save off” mean anyway?
Then, I don’t understand why I should download both drivers from Lenovo and extract them etc. if only HECI_REL is needed (which is in DRIVERS/AMT). Is Directory DRIVERS/ME needed? If not, why do I have to download the second driver (which generates ME)?
As others pointed out, I, too, had to copy all files from /usr/lib/syslinux/modules/bios to /usr/lib/syslinux in order to not to run into that “missing chain.c32” error. My operation system is Ubuntu 16.04 and I think you should take more extensive note about this issue. Especially, I findt it important to state that the files from the BIOS directory are required (not the efi* ones).
The overlay parameter you are using with mkwinpeimg does not generate a HECI_REL directory in the root of the booted windows. Instead, it creates a directory WIN in which somewhere deeper HECI_REL is available. This question is connected to the question if I need the directory DRIVERS with it’s two entries at all. As I see it, you seem to be just tossing everything away from the two downloads and only use the extracted HECI_REL. Is anything else from the directory DRIVERS needed?
Sorry for all these questions. But I don’t dare applying your fix because there are so many unclear points. And since applying a bad “fix” to AMT might very, very well result in a completely unusable system… I hope you could clarify & detail a bit more.
Thanks a lot, best regards, Mike
I tried now. But it is not working. Not at all. First, the MEUpdate.cmd references a 64 Bit Executable. Why is that so?? Because, if I execute this Executable it will only result in an error “Operating system not suitable” – sure, since that is 32 Bit.
There is another file in that directory FwUpdate.exe. I figured this might be the 32-bit Variant and replaced it in the MEUpdate.cmd. And yes, that starts, brings about several warning windows and then… goes into an endless loop, gets up another CMD-Shell, restarts from the beginning and all the questions, gets another CMD-Shell, …
I don’t understand what is the problem. Your recipe is not working, at least not with my computer (Lenovo Thinkpad P70).
I’d appreciate very much if you could give some further help on the issue.
Also, I extracted the drivers with a Windows 64-Bit System (Virtualbox). Since I thought that this might be the problem, I tried to use innoextract. That ain’t working at all, just extracts 4 files but no subdirectories etc. innoextract extracts maybe 10% of the file (as opposed to cabextract). Especially, I don’t receive any HECI_REL directory with innoextract.
Best regards, Mike
Well… since I just couldn’t find a 32-Bit executable for command line firmware patching, I downloaded the 64-bit ISO from Microsoft, as opposed to your advice for the first step, and followed the rest of the steps you outlined as before with the 32-bit ISO.
All worked fine, just as with the 32-bit ISO, and also the now 64-Bit ISO usb stick did then boot without any problem.
Then I drvloaded heci.inf, switched to the ME dir for the 64 bit firmware patcher, started MEUpdate.cmd… and…. drumroll… firmware patching started and successfully completed without any error. And now these Intel tests for the vulnerabilities SA-00075 and SA-00086 both show my system isn’t vulnerable anymore. Yay.
So, thanks again for your work which has helped me a lot. Whether you publish my comments or not, I don’t bother at all, but you should really take a note that the Windows 64 Bit ISO may also be used, or, in specific cases where the manufacturer only publishes 64 Bit Tools (as is the case with Lenovo Thinkpad P70 / P50), that 64 Bit Windows ISO even is required to get things going.
Best regards, Mike
PS: I did finally also succeed with innoextract. What I oversaw is, first innoexctract, then cabextract for SetupME.exe, and then HECI_REL directory will show up. Or, in other words: I oversaw that the cabextract step also is necessary with innoextract. Maybe you could take a note about that, too. I didn’t find that too clear from the comments.
Oh my, I’m blind. You already had the cabextract note with the innoextract tip. Sorry.
Thanks for the guide, it worked fine on my Lenovo X1 Carbon 3rd gen running Debian (skipping WINE and using innoextract, cabextract and wimtools).
Thank you very much, it’s work for me and my computer is thinkpad x270.
I’ve used your post to dig a bit further and found that you can use the intel ME System Tools for Linux to achieve the same with less hops:
https://superuser.com/a/1318241/369027
This was very helpful and because of your guide I was able to update my TS140 and TS440. If the user has access to a Windows 10 machine you can build a Windows PE USB stick rather easily:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-intro
Then I used a separate fat32 formatted USB stick for the Intel ME driver and firmware update tools. I loaded the driver as directed here and was then able to update the firmware.
Thanks again for posting this!
Pingback: Firmware Security Realizations - Part 2 - Start Your Management Engine - Eclypsium