How do I upgrade Management Engine/AMT firmware for Lenovo T440s given a Linux installation?

I have a T440s. CVE-2017-5689 / INTEL-SA-00075 is looming. Lenovo released updates:

https://support.lenovo.com/us/en/product_security/LEN-14963

Their motherboard BIOS updates usually have both a Windows-required option, and a live USB update option. However this one only has the Windows-required option, as I’m checking now. They haven’t even released updates for all hardware models so maybe things are just in the works, but they haven’t indicated so in anything I’ve seen.

In the meantime, I found these instructions on some wiki:

http://www.thinkwiki.org/wiki/Intel_Active_Management_Technology_(AMT)#Firmware_update

But they seem involved and somewhat confusing, and I’m wondering if it’s outdated besides. Being a wiki it could change, but it currently seems to say I need to:

  • Install Windows PE on a USB stick
  • Extract 2 files from some other firmware file from IBM’s website using Wine:
    • A CMD I’ll run to do the update
    • A driver I need to figure out how to load.

This seems sketchy to me. Can anybody corroborate this? Is there another way to go about it?

On a side note, isn’t Lenovo a little more responsible than this to take care of flaws in its product? Or did I agree somewhere in a contract that I only run Windows? The lack of support, transparency, and preparedness seems completely unacceptable to me for such a serious defect in their product.

Answer

I’ve found a way using native Linux (or even DOS/EFI: just use the respective tools in the System Tools download, instead of the Linux ones).

Lenovo provides us with two things: Management Engine Interface (MEI) or Management Engine Software and the Management Engine Firmware (ME).
The former is needed to provide a driver (HECI) to access and flash the ME, the latter is the flash utility plus the flash image.
As we use Linux, we only need the flash tools and firmware.
In my case it was called “r0dmu01w.exe”; I will use “FWPkg.exe” from now on.

  1. Extract the firmware using innoextract:

    $ innoextract FWPkg.exe

    or wine:

    $ wine FWPkg.exe

  2. This will create a folder “app” in your current directory (innoextract) or the folder “ME” in wine root’s “C:\DRIVERS\” directory, which will be created if needed (wine). We will only be interested in the “ME_<version>_[Consumer/Corporate]_*_Production.bin” file(s) (the firmware image) and the “MEUpdate.CMD” flash script, which calls a “FWUpdLcl(64).exe”.

Intel does provide a Linux version of this tool to distributors, however; we can download it here (unofficial!).
These are the Intel ME System Tools. I have ME v11, so I downloaded “Intel CSME System Tools v11”; I’ll call it “METools.rar” from now on.

  1. Extract the files:

    $ unrar x METools.rar

  2. Inside the extracted directory, there will be a “FWUpdate/LINUX(64)/Portable/FWUpdLcl” file.
  3. Go to the path of said file and add execute permissions:

    $ chmod +x FWUpdLcl

  4. Have a look at the “MEUpdate.CMD” script; it has a line that should look a bit like this:

    %~dp0FWUpdLcl64.exe -F %~dp0ME_<version>_[Consumer/Corporate]_*_Production.BIN -OEMID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -generic -allowsv
    

    We are only interested in the OEMID flag; I’ll refer to it as $OEMID.
    Alternatively, you can use the “MEInfo” utility; this, however, requires iomem=relaxed to be set on the kernel command line.

  5. Now use the Linux tool as admin and update your firmware. Use the consumer variant if your device does not support Intel AMT (AMT-enabled CPUs have the “vPro” logo on them):

    # FWUpdLcl -F <path/to/binfile> -OEMID $OEMID -allowsv
    

    The generic flag isn’t available on Linux; the only documentation I could find was “Perform the update through MEI without credentials”, but we don’t seem to need it.
    AllowSV allows Same-Version updates.

That’s it, you should now have an updated ME firmware.


Edit:
I just found that someone has already found the same solution (in German), linked for completeness.

Attribution
Source : Link , Question Author : orblivion , Answer Author : ljrk
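
The OEMID lookup and command assembly from steps 4 and 5 of the answer, as an added example that is not part of the original answer or of any Lenovo or Intel tooling. The function names, the sample MEUpdate.CMD and its OEMID are constructed for illustration; the script only prints the FWUpdLcl command and never flashes anything.

```shell
#!/bin/sh
# Added example: pull the OEMID out of MEUpdate.CMD and assemble the
# FWUpdLcl call described in the answer. Prints the command, never runs it.

# extract_oemid FILE -> prints the value following -OEMID, or returns 1.
extract_oemid() {
    # CMD files use CRLF line endings, so strip \r before matching.
    # The flag is matched in any letter case.
    id=$(tr -d '\r' < "$1" |
         sed -n 's/.*-[Oo][Ee][Mm][Ii][Dd][[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' |
         head -n 1)
    # Accept only a well-formed 8-4-4-4-12 hex UUID; this also rejects an
    # unfilled XXXXXXXX-... placeholder or a truncated value.
    printf '%s\n' "$id" | grep -Eq \
        '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' || return 1
    printf '%s\n' "$id"
}

# build_fwupd_cmd CMDFILE BINFILE -> prints the command line to run as root.
# Assumes the current directory is the one holding FWUpdLcl.
build_fwupd_cmd() {
    oemid=$(extract_oemid "$1") || { echo "no valid OEMID in $1" >&2; return 1; }
    [ -f "$2" ] || { echo "firmware image not found: $2" >&2; return 1; }
    printf './FWUpdLcl -F %s -OEMID %s -allowsv\n' "$2" "$oemid"
}

# Constructed sample input (not a real Lenovo script or OEMID).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '@echo off\r\n%%~dp0FWUpdLcl64.exe -F %%~dp0ME_sample_Production.BIN -OEMID 01234567-89AB-CDEF-0123-456789ABCDEF -generic -allowsv\r\n' \
    > "$demo_dir/MEUpdate.CMD"
: > "$demo_dir/ME_sample_Production.bin"

build_fwupd_cmd "$demo_dir/MEUpdate.CMD" "$demo_dir/ME_sample_Production.bin"
```

Review the printed line against the vendor's MEUpdate.CMD before running it as root.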
