The Bios File Is Not Allow To Flash


Giordano Thibault

Jul 24, 2024, 11:08:35 PM
to rantiwilse

The way the BIOS upgrade works has changed with ThinPro 6 (hptc-bios-flash now just moves the *.bin to the boot partition; then, after a reboot, the BIOS checks this location for updates). Old BIOS versions cannot be upgraded this way (hence the warning).




What I did was extract /usr/sbin/hptc-bios-flash from an old ThinPro 5 installation (which is just a really simple bash script). I used this script to successfully upgrade BIOS 2.08 to 2.13 on a ThinPro 6.2 installation (t620). This saved me downgrading all my ThinPro 6 installations to upgrade the BIOS.

The built-in hptc-bios-flash on ThinPro 6 ran without error and copied L40_0214.bin to /boot/EFI/EFI/HP/BIOS/New but the BIOS did not upgrade on reboots. Bashed my head against a brick wall for several days until I came across your post and script.

I can also run the hptc-bios-flash L40_0214 command and it shows the same warning mentioned above regarding "may not support tool-less BIOS update". It informs me to reboot the thin client, and when I do, nothing happens.

Hi there, I was running through some forums for an answer to my problem and I saw this post. Hope people are still looking at it. I have quite the same problem: I have around 20 T520 and their BIOS is from L41 v01.04 to 08.

I have an unsolvable problem: I am unable to log in to AMT through the WEB interface and the OpenMDTK tools (commander and director). Instead, I am able to log in to MEBx.

All this is a result of some experiments made in the past through the configuration tool for Linux (ACUConfig) with an unsupported OS (Ubuntu 12.04), an unprovisioning made by the OpenMDTK tools, and after changing some parameters of AMT in the BIOS and in the MEBx interface.
All this happened a long time ago and I cannot remember exactly what I did.
Following this, I fear that my AMT is rather messy, so I am thinking of re-flashing the BIOS of the motherboard to "reset" AMT completely and then clearing CMOS.
However, I don't know if this will help, therefore I'm here to ask you.

What I recently did:

- Disabled AMT in BIOS (then re-enabled) and reset CMOS (otherwise I was unable to enter the MEBx menu with CTRL-P)

- To be sure unprovisioning succeeded, I've also unprovisioned AMT through the "AMT Configuration ---> Un-Configure ME" item in the BIOS menu (this option allows Un-Configure ME without a password).

- Tried to log in to AMT through the Web Interface ( _address:16992) with user "admin" and the password entered during MEBx configuration, with no success. DHCP is enabled in the AMT configuration, therefore ip_address is shared with the host ip_address.

- Tried to log in also through the OpenMDTK tools (commander and director) with the same credentials, but no success.

I've also tried setting a static address in the MEBx interface (and I've also set my host address as static, as explained in the AMT reference guide); however, I was unable to access the "logon" web page with this new address, while I was still able to access the "logon" web page with my host IP address.
To be precise, my AMT static address as set in MEBx was "192.168.1.5 - 255.255.255.0" and my host address was "192.168.1.2 - 255.255.255.0". I was able to enter the "logon" web page with the 192.168.1.2 address but not with the 192.168.1.5 address. I think this is abnormal behavior.

Therefore I am thinking of resetting AMT completely, but I don't know how to do it. I hope this is possible by reflashing the BIOS, but I'm not sure this will reset/clear everything.

My AMT version is 8.0.10. My motherboard is a SUPERMICRO X9SAE and no AMT firmware updates have been released by Supermicro, nor BIOS updates, in the last 18 months.

I know AMT minor releases upgrades are possible only through OEM. Is there any unofficial way to update AMT bypassing OEM (Supermicro)?

Excuse me for my poor English (I hope you understood what I tried to say). Thanks in advance.

Sorry I'm confused. Are .2 and .5 the same computer, just the OS vs the AMT interface? Or 2 separate machines? If they are the same computer, what is it that you expect to see on web login that you are not seeing?

Typing the .5 IP address in my browser address bar, I was expecting to see the AMT logon page appear; instead I can't see anything. Abnormally, I think, I can see the AMT logon page appear only if I type the .2 address in the browser address bar (namely, typing the same IP address as the host (.2) but not the one I set in the AMT MEBx UI (.5)). I think this would be normal if I had chosen DHCP in "MEBx UI Network settings", but I think it's not normal since I've chosen and inserted a static address different from the host computer's one.

However, this is not important for me now!!!! The important thing is to know how to completely reset my AMT/MEBx configuration data (I didn't understand where they are stored ... I've read somewhere that it is in the BIOS flash chip, is this true?).

In the past, I've experienced that unconfiguring ME from BIOS (in my BIOS UI there is an item to do that, named "ME Un-configure") also deleted the WEB UI password. Now I'm not able to do this operation in any way.

Thank you but I already read this guide and in my case it is not useful.
Unfortunately my problem was more complicated however I managed to solve it anyway by myself.
I do not know exactly what was helpful to solve my problem however here is what I did:

- Re-flashed BIOS and ME firmware (if ME firmware and BIOS are separate files I think it should not be necessary to re-flash BIOS too)
- Removed MB battery
- Reinserted battery then reset CMOS
- Entered BIOS interface and loaded default settings
- In my motherboard (Supermicro X9SAE) there is a jumper (JPME1) named "ME Recovery" to reset AMT ME data (this jumper is probably also on other AMT/IPMI capable motherboards). The jumper is supposed to cause ME to enter recovery boot loader code and reset ME firmware configuration to factory defaults. Here following how to use it (instructions accidentally found with google in a Server Platform Services "SPS" ME firmware release notes file):

- Reconfigured AMT through MEBx user interface.
- Entered AMT WEB interface (with user: "admin" and password set during previous configuration).
- At this point I was able to access again WEB UI without authentication problems.

As a reminder:

In normal conditions AMT could be UNPROVISIONED in this way:

We made a very old computer into a server via SCS AMT configuration. This server is no longer used. We have established a new SCS server. We are unable to take the unprovision action, because we do not know the AMT password from the old server.

When it comes to the AMT Firmware password if that password is lost or forgotten your only choice is to remove the CMOS battery from the board. The exact procedure to do this is different for each model, my recommendation is to locate a tear down guide.

When SCS is used for configuration of Intel AMT devices, this automatically puts them in "Admin Control Mode". During this process the MEBx (AMT Firmware) has a password assigned that is equal to the password in the configuration profile. As you have lost this password, the only option I know of is pulling the CMOS battery.


I found two hidden options, "ME FW Image Re-Flash" and "Disable ME", in my Dell Venue 7130 BIOS. If I enable "ME FW Image Re-Flash" in Linux via the efivars sysfs, does this overrule the flash descriptor access control, and can I read/write the ME region with fpt? Would you recommend disabling the ME as well?

Thanks for your advice. I found similar options in the BIOS of my Lenovo ThinkPad 8 tablet. This is a BayTrail device with a TXE instead of an ME. My tablet has a 32-bit BIOS and I want to flash a 64-bit BIOS. Is the TXE region of a 32-bit BIOS identical to that of a 64-bit BIOS?

Nice find! If that works, there is no need for disassembly to unlock the FD anymore.

How did you manage to edit those from Linux? The Setup var is hidden in Linux for me on kernel 4.13, so I am still sticking to the patched grub for now.

Here is some pretty cool news for Dell Venue 7130 and Dell E7440 laptop users, and very likely it will work with many other Dell models. It is possible to unlock the Flash Descriptor by disabling the ME and setting ME firmware reflash. Both are hidden BIOS options at offset 0x2d4 and 0x2bc respectively of the Setup EFI NVAR.
Just set both of them to 0x01 using the attached bootx64.efi and reboot into Windows. You can then dump and flash the entire SPI. There is also a BIOS overwrite protection EFI NVAR at offset 0x75 which should be set to 0x00.

Detailed instructions:
- format a USB pen drive with FAT32 and create the subfolders \EFI\BOOT, copy bootx64.efi to \EFI\BOOT
- connect a USB hub to your tablet (no need for that with Dell laptops) and plug the pen drive and a keyboard into the hub
- reboot and press F12 to enter the extended Dell boot menu
- select the pen drive UEFI device
- at the grub> prompt enter these four commands:
setup_var 0x2bc 0x01
setup_var 0x2d4 0x01
setup_var 0x75 0x00
reboot

- boot into Windows and do your thing with fptw

Note: after fixing any BIOS issues, it makes sense to boot again into grub and switch on the ME again and disable the ME firmware reflash:
setup_var 0x2d4 0x00
setup_var 0x2bc 0x00

@sahafdeen - Odd error #, but yes, I expected error since FD is locked from write.

Re-pack latest ME FW? Were stock and what you put in the RGN (region stock) and the package updates ME FW with ME FW update tool (FWUpdLcl.exe/FWUpdLcl64.exe)? If yes, OK
*Edit - I checked your post you linked, good, this is what you did

No, FD permissions in regard to the ME region only apply to using the Intel FPT program to flash the ME region, so when using the ME FW update tool instead of FPT, this does not matter.
For the ME FW update tool it does not matter what the FD permissions/restrictions are; you can use the ME FW update tool anytime as long as your ME FW is not corrupted (shows as 0.0.0.0 or N/A).
