Resolving BIOS and Intel ME conflicts in ASUS Z170 motherboard

2020-11-05

(last time edited: 2021-02-14)

tags: intel, asus, bios

This is the error shown on screen when booting:

(A7) Me FW Downgrade - Request MeSpiLock Failed

Problem: The ME Firmware Version displays 0.0.0.0 in the BIOS (3805). The BIOS started conflicting with Intel ME every time I wanted to change a whole lot of BIOS settings, and it didn't respond at certain moments, such as reboots, power on, sleep commands, etc. Freezes and black screens were constant at boot. And since every single piece of software is proprietary, all I can do is guess blindly about what is happening here. My ASUS Z170 BIOS was updated to the latest version (3805), dated 2018/05/25, using the UEFI online utility ASUS EZ Flash, and I have no possibility to upgrade or downgrade the Intel ME firmware using Linux or Windows.

Solution: The only solution I've come across so far is to change and save one setting at a time. That way the BIOS is able to save settings and run properly, and it doesn't corrupt the Intel ME firmware. Eventually, if you check the BIOS again, it should show ME Firmware Version 11.0.0.1149. If you are able to connect your motherboard to the Internet, please do it.

First of all, let's understand all the different terms. We have tons of different software running on our hardware and things can get very confusing.

  1. ASUS EZ Flash (Easy Flash)

    • A simple UEFI software that allows you to update/flash your BIOS.
  2. Intel ME (Management Engine)

    • This is the binary blob client that resides inside the Z170 chipset and communicates with the CPU and BIOS. It's your surveillance buddy and you can't get rid of it. Some guys (Coreboot, Libreboot) were able to disable it but not remove it completely.
  3. Intel MEI (Management Engine Interface)

    • This is the driver. The latest version compatible with the Z170 chipset released to this date on the Intel website is 1909.12.0.1236. The ASUS website provides a different distribution of this software.
  4. Intel CSMEVDT (Converged Security and Management Engine Version Detection Tool)

    • A Windows-based program made by Intel to check if the Intel Management Engine Interface and the Trusted Execution Engine are installed. It will also tell you the current Intel ME firmware version.
  5. Intel ME Update Tool (Management Engine Update Tool)

    • This is a program made by Intel and offered by ASUS in their support web page in order to fix some security vulnerabilities.
  6. Intel TXE (Trusted Execution Engine)

    • Just another driver, not important to solve our problem. But its name will pop up when you use CSMEVDT. Useless.
  7. Intel DSA (Driver & Support Assistant)

    • Program made by Intel with a web graphical interface. Steals hardware information of your system and shows it to you in a web page so you can read it. Useless.
  8. Chipset INF Utility

    • Windows-based drivers for the Z170 chipset. Not really useful.
  9. ASUS EZ Installer (Easy Installer)

    • Windows-based program that allows you to burn a Windows 7 .iso to a USB drive. Useless.
  10. ASUS AI Suite 3 (Artificial Intelligent Suite 3) 😂

    • Bloat Windows-based software that allows you to control peripherals. Useless.
  11. BRename (BIOS Renamer)

    • Stupid Windows-based program. You can use it to rename your BIOS Z170-PRO-GAMING-AURA-3850.cap file to Z17PG.CAP if you put the program and the BIOS file in the same directory. Useless.

I installed Windows 10 64-bit on a separate hard drive, booted into it, and installed Intel MEI v1909.12.0.1236. Then I installed Intel CSMEVDT 3.1.0.0 to check the current Intel ME firmware version.

Intel ME firmware version shows 11.0.0.1149. That's a really old version! CSMEVDT also tells us that we were supposed to have a newer Intel ME version to fix security vulnerabilities. Very strange.

And I'm not able to update the Intel ME firmware because the BIOS 3805 locked all our possibilities with a nasty variable. How do I know that?

Well, I downloaded Intel MEInfo, which is software that Intel released, and I can't find a public current release on the official website.

I executed it with administrator permissions in PowerShell:

cd C:\Users\myusername\Downloads\intel_me_fw_11.8.55.3510_con_h(www.station-drivers.com)\MeInfo\

.\MEInfoWin64.exe

The information shown on screen is the following:

...

Re-key needed               False
Platform is re-key capable  True
TLS                         Disabled
Last ME reset reason        Firmware reset
Local FWUpdate              Disabled

...

Yes, Local FWUpdate is disabled, our BIOS did that. Fuck. Another piece of software blocking us from doing things. We cannot update it.

I've downloaded Intel ME Update Tool 11.8.55.3510 despite the sad message. Extracted the files with the graphical right click utilities and went to execute it.

Started PowerShell with administrator permissions and changed to the directory where the new firmware files are located.

cd C:\Users\myusername\Downloads\MEUpdateTool_11.8.55.3510_S\MEUpdateTool_11.8.55.3510_S\FW

And we run the program with the file argument pointing to the firmware binary.

.\FWUpdLcl64.exe -f ME.bin

That's it. We are getting the error we were supposed to get.

Error 8719: Firmware update cannot be initiated because Local Firmware update is disabled.
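A pre-check that would have predicted this error before running FWUpdLcl64.exe, as an added example that is not part of the original post or of any Intel tool. It parses MEInfo output saved as text (the excerpt shown above is embedded as the sample) and compares the two version numbers from this post; the function names `ConvertFrom-MeInfoText` and `Test-MeLocalUpdate` are hypothetical.

```powershell
# Sample input: the MEInfo excerpt shown earlier in this post.
$meInfoText = @'
Re-key needed               False
Platform is re-key capable  True
TLS                         Disabled
Last ME reset reason        Firmware reset
Local FWUpdate              Disabled
'@

function ConvertFrom-MeInfoText {
    # Turn "Name   Value" lines into an ordered dictionary.
    param([Parameter(Mandatory)][string]$Text)
    $fields = [ordered]@{}
    foreach ($line in $Text -split "`r?`n") {
        # Names may contain single spaces; name and value are separated
        # by a run of two or more spaces. Lines like "..." are skipped.
        if ($line -match '^\s*(?<name>\S(?:.*?\S)?)\s{2,}(?<value>\S.*?)\s*$') {
            $fields[$Matches['name']] = $Matches['value']
        }
    }
    return $fields
}

function Test-MeLocalUpdate {
    # Report whether an update is needed and whether the platform blocks it.
    param(
        [Parameter(Mandatory)]$Fields,
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][version]$Package
    )
    $state = $Fields['Local FWUpdate']
    [pscustomobject]@{
        Installed     = $Installed
        Package       = $Package
        UpdateNeeded  = $Installed -lt $Package
        LocalFWUpdate = if ($state) { $state } else { 'not reported' }
        # 'Disabled' is the state that leads to Error 8719 in this post.
        UpdateBlocked = $state -eq 'Disabled'
    }
}

$fields = ConvertFrom-MeInfoText -Text $meInfoText
# Versions from this post: installed ME firmware and the ME Update Tool package.
Test-MeLocalUpdate -Fields $fields -Installed '11.0.0.1149' -Package '11.8.55.3510' |
    Format-List
```

With the values from this post it reports `UpdateNeeded : True` and `UpdateBlocked : True`, which is the combination that ends in Error 8719.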

I've tried to downgrade the BIOS version to enable Local FWUpdate but it's impossible. It's also locked.

My workaround right now is setting all BIOS options to default. Specifically the CSM (Compatibility Support Module) options, very important!

I have no idea if an old firmware version is truly conflicting, who knows. We can just guess. Proprietary systems are fucking garbage.


It's very simple to understand what was going on here. The BIOS tries to communicate with the Intel ME and vice versa. Intel wants to know everything, every single state of your computer, and maybe even specific CPU instructions or RAM data, access to the cryptographic engine, access to the networking, etc. ME has a special space for itself in your computer and won't go away soon.

In simple words, vaccinate your backdoors if you are able. The big corporations and the state want you to have the latest binary blob. And if you don't update, you will tinker around so much you'd wish you bought another piece of hardware, reject modernity and return to monke.
