IMPORTANT SECURITY UPDATES!

ME is good now.

Your TPM is also good if the revision ends on .2.

Can't see that on your picture from the tapatalk image quality.

 

Yeah my TPM revision does end in .2. Thanks for helping me clear this up

 

Hi @Prema, thanks for the patches. I was living under a rock and wasn't aware that I had to patch anything until Windows 10 Version 1803 brought Windows Defender back to life and alerted me about TPM problems. I'm glad that I found this post and patched the Intel ME and CPU Microcodes as well.



A quick gotcha: After patching my P650HS-G both microphone and camera stopped working. I've used Obsidian Tools and forced update of the following drivers to fix it (rebooting between installations)

Audio: Nothing happened
Intel ME: Nothing happened
Intel Chipset: Fixed sound (don't ask me) and broke Touchpad
Touchpad: Fixed touchpad
Control Center: Fixed Camera

Now everything works.

Before updating the drivers I've tried the Privacy Settings for Microphone and Camera. When I tried to toggle "Allow apps to access your microphone" and "Allow apps to access your camera" the Settings App froze. Closing the Settings window and opening it again successfully toggled the option, but nothing happened.

 

Alright, I'm good on the TPM and the Specter stuff.

I grabbed the IME package off Prema's site and installed that. No problems.

Profiler says I'm not vulnerable, but something is obsolete?

"Installed Intel Capability Licensing Service Client is obsolete. Minimum version required is 1.47.715.0" Please get update from manufacturer etc... etc... etc...

Here's the profiler results:



Not sure how to update that?

Thanks.

 

It usually installs as part of the ME driver package (link should be in the OP as well) unless you only use the .inf method.
If that isn't enough, you will have to update the Intel chipset driver as well.

 

Where would I find the latest version of the Intel Chipset Drivers for this laptop? Or are they universal?

EDIT - nvm I found it.

I updated IME, the Chipset, RST and XTU - pretty much every Intel thing I could find - everything is up to date except for whatever that Intel Capability Licensing Service Client is. I ran Intel's in-house system scanner too, but nothing came up.

I guess I won't worry about it. Everything else looks good now.

 

Are you sure you installed the ME Software package from the driver link of the OP?
There are 3 folder for user to decide between inf, driver and full package installers...

 

I installed the one from Premamod site.

I'll try that one zip file in the OP when I get a chance. Should I use the full package installer?

 

On the website is only the firmware, the driver is only in the OP!

 

Well, I grabbed that and I'm not sure which EXE to run.

Both of the exes have a menu showing an option to remove and an option to repair.

Not sure what exe to run in which folder? And do I just select the repair option?

ME_11.8.50.3470
|
--ME_SW_MSI
---- SetupME??
|
--MEI-Only Installer MSI
---- MEISetup??
|
--WindowsDriverPackages
----iCLS (looks like mostly just Driver dlls)
----MEI (looks like mostly just Driver dlls)


Sorry if this sounds noobish. lol I'm honestly not sure.


Thanks.

 

Run the Soft Ware setup...

 

Ok, I ran that.

Everything looks good now. The "obsolete" warning is gone and no more red flags.

Looks like I'm secure!

Thanks for your help!

 

@Prema Thanks for the TPM update. I kept getting the message it was out of date and I didn't even know you COULD update the TPM. The instructions were clear and easy to follow.

I'm sure I speak for many when I say we appreciate all you do!

 

Hi @Prema

Thank's for this usefull thread. In the main post you wrote
"DON’T UPDATE THE TPM AS LONG AS YOUR DRIVES ARE STILL ENCRYPTED VIA BITLOCKER OR YOUR DATA WILL BE LOST!!!"


I've a P775TM1 (i7-8700) with Win10 running on a bitlocker device. How i could update TPM?

Thanks

 

Turn off bitlocker and click on decrypt the drive before making the update.
Turn it back on and encrypt it after clearing the TPM from its old and vulnerable keys and after making the update.

 

The link for the driver is not working on the OP.

 

Works for me...maybe their server was down before.

 

Got it working.

Thanks!

 

Hey @Prema

I updated the TPM by following the instructions in the readme and now none of the settings show up in the BIOS when I go to TPM Configuration. Is there any way to fix that? I can't enable it now.

When I tried to flash the firmware again, it just outputs this:
Code: 0xE0295504
Message: The provided firmware image is not valid for the TPM. (0xE0295504)

 

Unplug the AC Adapter and boot once on battery.

 

I did it, and it still doesn't show up in the BIOS. Here's a picture of what it looks like when I go into the TPM settings now.

EDIT: I got it to show again; What I did was do a CMOS reset and then went back to the BIOS and loaded the optimized defaults, which brought it back

EDIT 2: There seems to be a bug with the BIOS, because if you disable the TPM completely, save and reset, and then go back into the BIOS, there's nothing there, and then you have to load the optimized defaults.

 

Very handy info in here! I'll have to show this to my brother who's currently using a Clevo from 2013 (can't remember the model though...)

 

Updated my p775tm1 without any issue. Thanks @Prema

 

@Prema There is new MEI FW at station-drivers v 11.8.50.3474. Any crucial bugfixes from Intel? Should everyone update?

 

It's a minor update, so it won't be security related. It's also not available in our development branch and I won't upload files from unknown sources like the one above as they caused some trouble in the past and user won't be able to downgrade...

Edit: Have added ME 12 updates for new 6 core PA7 & P9 models.

 

Trying to update a Clevo W550SU TPM but when I follow steps it fails telling me TPM is not enabled.

Yet when I enable TPM in bios and clear ownership it tells me that TPM has an owner even when it doesn't.

Has anyone come across this?

 

hey bro.. im new to this and have the same exact machine as you.
I downloaded the discovery tool and it showed I am vulnerable.
I next followed @Prema 's advice and downloaded from his website the 2 files needed. management engine 11.x and Infineon file.
the .7z files.
extracted files and when I run the intel update tool I get a black screen and a error message that reads:
can not open file.... the system cannot find the path specified.

what am I doing wrong? any help would be much appreciated.

 

Copy the path where you downloaded Prema's tool. Open cmd in admin mode.

• Type cd followed the path you have copied
• If you've downloaded the tool in different drive(say for example, D) then type D:
• type the filename of bat file to get the tool running.

 

SUCCESS!! very happy as I was having the same issues.

@Perma is a god!

[/URL][/IMG]

 

@Prema Is the new MEI FW update 11.8.3510 good or bad? Release notes says security issues are fixed. Any important/critical update that must be applied?

 

All ME firmware updates available on premamod.team are tested by us internally with stock and PremaMod firmware.
Version 11.8.3510 was a very important security update and fixed the following security vulnerabilities:

• CVE-2018-3655
• CVE-2018-3657
• CVE-2018-3658
• CVE-2018-3659
• CVE-2018-3616
• CVE-2018-3643
• CVE-2018-3644

 

Any more updates coming on the ZM series?

 

It appears as if Intel didn't bother to update the EOL consumer version beyond 8.1.70.1590...

 

11.8.55.3510 installed on W650KK/KJ1

 

Figures Intel wouldn't, but I thought haswell and the P7x0ZM was the 9 series?

Either way...

Sent from my SM-G900P using Tapatalk

 

Righ, the thing with ME 9 on many Clevo models is that if we update to version 9.1 the BCLK overclock will stop working due to the missing BIOS interface.

If we upload the latest ME9.1 version user will likely not read the readme and won't be able to downgrade as easy...

 

I suppose they are important security fixes. Already applied them right away!

Yep I was one of them and luckily ME flashing got stuck and never flashed saving the PCs. So, I always read the ReadME files.

 

@Prema Okay...so I'm not really sure what I'm supposed to download and install. I have a Powerspec 1510 (Clevo P650HS-G) I downloaded the Intel tool and ran it. I downloaded 11.x I downloaded an App to open the .7z file...but it says I need a password to open it? Found it. I'm blue and pink blind. Sorry! Do I need to repatch everytime I do a Clevo update?

 

The passworld is posted in post #1

 

@Papusan Yeah, I found it after reading to page 14. I must be blue and pink blind like the others. Do I need to follow the steps to do the TPM (what does that mean?) after running the ME 11 tool? Should I actually be running the ME 12 tool? I'm out of my depth with this.

So, I went ahead and ran the ME 11 tool. I'm pretty sure I had ME 11 and not ME 12? (Does it matter?) After my computer restarted, I ran the detection tool again and got "This system is not vulnerable. It has already been patched." Do I still need to do TPM?

 

i think ME12 it's for 6core notebook, or newer chipset ....

 

@Prema @Papusan @Thedoktor84 Just wanted to say again, thanks for this post. I updated my ME tool. I checked for the Spectre/Meltdown risk and appear to be safe. As for TPM, it appears Microsoft had a Patch Day on October 10th, 2017...otherwise, I should've received a Windows Security message. I purchased my laptop about a month and a half after that, so I think the patch was already installed (or installed when it ran Windows Updates after my first boot.)

 

It would be nice to include the ME firmware version in the ME tool readme

 

No need to even download to know the version. Simply hover over the download link.

 

Nice! thanks
Updated successfully to 11.8.65.3590 on my W650KK/KJ1

 

it does give me an error for some reason even tho IME 11.X is installed on my system

 

I've been using this on my desktop to update my microcode: https://www.win-raid.com/t154f16-Tool-Guide-News-quot-UEFI-BIOS-Updater-quot-UBU.html
Not sure how safe it is to use it for laptops. On my desktop I had no issues.

 

It doesn't work correctly on laptop BIOS.

 

That's unfortunate.