Updating Intel ME on a Lenovo Carbon X1 3rd gen #commandline #computers #hardware #security
No doubt to Andrew S. Tanenbaum's great joy, recent news has revealed that many Intel processors run a version of Minix on some kind of extra "security" core (the Intel Management Engine, a separate microcontroller that sits in the chipset and runs its own firmware).
Unfortunately it seems to be full of holes.
After downloading and running a tool from Intel to check whether my system was vulnerable, the Intel-SA-00086 Detection Tool, I got the unfortunate message:
Based on the analysis performed by this tool: This system is vulnerable. Explanation: The detected version of the Intel(R) Management Engine firmware is considered vulnerable for INTEL-SA-00086. Contact your system manufacturer for support and remediation of this system.
I started looking for how to update the faulty Management Engine firmware.
I found a description of how somebody updated their Lenovo X1 Carbon 5th gen, Solved: Re: X1 Carbon 5th gen on Linux: How to update Intel Management Engine 11.8 Firmware??, which was basically a couple of amendments to another guide: Updating Intel Management Engine firmware on a Lenovo without a Windows Install, which was written for a 4th gen.
Here is what I did to upgrade my Lenovo X1 Carbon 3rd gen running Debian unstable:
- Start downloading a Windows 10 32-bit English ISO from Microsoft: Download Windows 10 Disc Image (ISO File). It takes a while (3.3GB).
- Download the two updates from Lenovo: Intel Management Engine Firmware 10.0 for Windows 10 (64-bit), 8.1 (64-bit) - ThinkPad - n10rg48w.exe (4.5MB) and Intel Management Engine 11.0 Software for Windows 10 (64-bit), 8.1 (64-bit) - ThinkPad - n10rc02w.exe (89MB).
- To extract the content of the two .exe files from Lenovo, install the Debian packages innoextract and cabextract, and then run `innoextract n10rg48w.exe` and `innoextract n10rc02w.exe`. This creates a new folder, app.
- In the new app folder, run `cabextract SetupME.exe`, which, among other folders, creates one called HECI_REL, which you will be using later. Put the app folder into a new folder: `mkdir winpe_overlay; mv app winpe_overlay/`
- Now, to make a bootable USB stick with a Windows recovery environment (WinPE) on it, you need to install the Debian package wimtools. Wait until the Windows 10 ISO has finished downloading, and then mount it: `sudo mount -o loop,ro Win10_1709_English_x32.iso /mnt`
- You can now create the image for the USB stick by running `mkwinpeimg -W /mnt/ -O winpe_overlay disk.img`
- Write disk.img to your USB stick using `dd if=disk.img bs=128K of=/dev/sdX` (where X is the letter of your USB stick, b in my case; double-check it first, since dd will just as happily overwrite your system disk), and boot the computer from it. If you haven't already, turn Secure Boot off and Legacy BIOS on.
- Once booted into the Windows command line recovery environment, you need to run these commands:

    cd \
    cd app\HECI_REL\win10
    drvload heci.inf
    cd \
    cd app
    MEUpdate.cmd

  Wait for the command to finish. For me it complained about Shutdown.exe not being available at the end, so I just typed `exit`, and that was enough to reboot the machine.
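The Linux-side steps above (extracting the two Lenovo packages, building the WinPE image and writing the stick) collected into one script, as an added example; it is not the author's script nor anything shipped by Lenovo or Intel. It assumes the file names from the page (n10rg48w.exe, n10rc02w.exe, Win10_1709_English_x32.iso), the /mnt mount point and the winpe_overlay/disk.img names, and that innoextract, cabextract, mkwinpeimg and dd are installed. The script name me-update-usb.sh and the two sanity checks (that the overlay really contains heci.inf and MEUpdate.cmd before an image is built, and that the dd target is a whole-disk /dev/sdX with nothing mounted from it) are my own additions. The commands at the WinPE prompt still have to be typed by hand as described above.

```shell
#!/bin/sh
# Added example: automates the Linux side of the ME update procedure.
# Not the page author's script. File names below are the ones from the
# page; the USB device is whatever is passed on the command line.
set -eu

ISO="${ISO:-Win10_1709_English_x32.iso}"   # Windows 10 32-bit ISO
FW_EXE="${FW_EXE:-n10rg48w.exe}"           # ME 10.0 firmware package
SW_EXE="${SW_EXE:-n10rc02w.exe}"           # ME 11.0 software (HECI driver)
OVERLAY="${OVERLAY:-winpe_overlay}"        # copied into the WinPE root
IMG="${IMG:-disk.img}"                     # image written to the stick
MNT="${MNT:-/mnt}"                         # where the ISO gets mounted

# Refuse to start unless every tool the procedure needs is installed.
require_tools() {
    for t in innoextract cabextract mkwinpeimg dd; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# Unpack both Lenovo installers into ./app, then unpack SetupME.exe inside
# it so that HECI_REL/ (driver) and MEUpdate.cmd (updater) are present,
# and move app/ into the overlay directory.
extract_packages() {
    innoextract "$FW_EXE"
    innoextract "$SW_EXE"
    (cd app && cabextract SetupME.exe)
    mkdir -p "$OVERLAY"
    mv app "$OVERLAY/"
}

# Check that the overlay holds what the WinPE commands will look for:
# app\HECI_REL\win10\heci.inf (for drvload) and app\MEUpdate.cmd.
check_overlay() {
    dir="$1"
    for f in app/HECI_REL/win10/heci.inf app/MEUpdate.cmd; do
        [ -f "$dir/$f" ] || { echo "overlay is missing $f" >&2; return 1; }
    done
}

# Accept only a whole-disk /dev/sdX device with nothing mounted from it,
# so a typo cannot send the image over the running system's disk.
check_target_device() {
    dev="$1"
    case "$dev" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]) ;;
        *) echo "$dev is not a whole-disk /dev/sdX device" >&2; return 1 ;;
    esac
    if grep -q "^$dev[0-9]* " /proc/mounts 2>/dev/null; then
        echo "$dev has mounted filesystems, refusing" >&2
        return 1
    fi
}

# Mount the ISO read-only and let mkwinpeimg build the bootable image
# with the overlay (and therefore \app) in its root.
build_image() {
    sudo mount -o loop,ro "$ISO" "$MNT"
    mkwinpeimg -W "$MNT/" -O "$OVERLAY" "$IMG"
    sudo umount "$MNT"
}

write_usb() {
    dev="$1"
    check_target_device "$dev"
    sudo dd if="$IMG" bs=128K of="$dev"
    sudo sync
}

# Usage: sh me-update-usb.sh /dev/sdb   (script name is hypothetical)
main() {
    [ $# -eq 1 ] || { echo "usage: $0 /dev/sdX" >&2; return 2; }
    require_tools
    extract_packages
    check_overlay "$OVERLAY"
    build_image
    write_usb "$1"
}

# Only run the procedure when a device argument is given, so the file can
# be sourced and its checks exercised without touching any disk.
[ $# -eq 0 ] || main "$@"
```

Run it from the directory holding the ISO and the two .exe files; it stops before any write if a tool is missing, if the extracted tree lacks heci.inf or MEUpdate.cmd, or if the target is a partition or a disk with something mounted from it.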
Running the detection tool now says:
    INTEL-SA-00086 Detection Tool
    Copyright(C) 2017, Intel Corporation, All rights reserved
    Application Version: 1.0.0.146
    Scan date: 2017-12-09 16:59:33 GMT

    *** Host Computer Information ***
    Name: tullinup
    Manufacturer: LENOVO
    Model: 20BSCTO1WW
    Processor Name: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz
    OS Version: debian buster/sid (4.14.0-1-amd64)

    *** Intel(R) ME Information ***
    Engine: Intel(R) Management Engine
    Version: 10.0.56.3002
    SVN: 0

    *** Risk Assessment ***
    Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.

    For more information refer to the INTEL-SA-00086 Detection Tool Guide or the Intel Security Advisory Intel-SA-00086 at the following link:
    https://www.intel.com/sa-00086-support
Yay.