path: root/Documentation/mysteries_intel.txt
diff options
authorStefan Tauner <>2012-04-27 20:41:23 +0000
committerStefan Tauner <>2012-04-27 20:41:23 +0000
commit2abab94c18721181c8d517b8e31ffada22145ea9 (patch)
tree5942453208bdb73ff2bfeadc94fbacf79d5bf023 /Documentation/mysteries_intel.txt
parent23bb6d579f0e8d76905ee108b85db10b0cf11f90 (diff)
Add a bunch of new/tested stuff and various small changes 12
Tested Mainboards: OK: - ASUS M4A785T-M - ASUS P5VD2-MX - ASUS P8Z68-V PRO/GEN3 - Bachmann electronic OT200 - Biostar N61PB-M2S - GIGABYTE GA-H61M-D2-B3 - MSI MS-7740 (H61MA-E35(B3)) - Tyan S2875 (Tiger K8W) - ZOTAC nForce 630i Supreme (N73U-Supreme) - ZOTAC ZBOX AD02 (PLUS) NOT OK: - ASRock H67M - ASUS P8P67 LE - ASUS Maximus IV Extreme - Biostar H61MU3 - Biostar M7VIQ - Dell Inspiron 580 - Dell Vostro 460 - Fujitsu-Siemens CELSIUS W410 (D3062-A1) - EPoX EP-3PTA - HP XW6400 - HP XW9300 - Intel DG965OT - Intel DN2800MT (Marshalltown) - Lenovo T420 - Lenovo X1 - MSI GF615M-P33 Tested flash chips: - mark EN25Q32(A/B) as TEST_OK_PROBE (+P) - mark S25FL032A as TEST_OK_PR (+PR) - mark AT25DF161 as TEST_OK_PROBE (+P) - mark SST as TEST_OK_PREW (+EW) Tested chipset enables: - H61 (various reports) - SiS 755 - Fix compilation of ich_descriptor_tool which was broken since r1492. - Add Documentation regarding unlocking the ME region on Intel chipsets. - Fix reading the flash descriptor via FDOC/FDOD and prettyprinting of the descriptor on boards with 5 active regions. - Reorder some boards in print.c. - Add Intel 7 Series (Panther Point) PCI IDs. - Add preliminary PCI IDs for future Intel chipsets (DH89xxCC and Lynx Point) see - Change the message for untested chipsets to send only after an attempt to update the firmware with flashrom. - Fix warnings in ich_descriptor_tool's build. Corresponding to flashrom svn r1524. Signed-off-by: Stefan Tauner <> Acked-by: Stefan Tauner <>
Diffstat (limited to 'Documentation/mysteries_intel.txt')
1 files changed, 80 insertions, 1 deletions
diff --git a/Documentation/mysteries_intel.txt b/Documentation/mysteries_intel.txt
index d6d3dfb..55921cf 100644
--- a/Documentation/mysteries_intel.txt
+++ b/Documentation/mysteries_intel.txt
@@ -15,4 +15,83 @@
See also
= Unlocking the ME region =
+ If the ME region is locked by the FRAP register in descriptor mode, the host
+ software is not allowed to read or write any address inside that region. There
+ are different ways to unlock access:
+ - A pin strap: Flash Descriptor Security Override Strap (as indicated by the
+ Flash Descriptor Override Pin Strap Status (FDOPSS) in HSFS. That pin is
+ probably not accessible to end users on consumer boards (every Intel doc i
+ have seen stresses that this is for debugging in manufacturing only and
+ should not be available for end users).
+ The ME indicates this in bits [19:16] (Operation Mode) in the HFS register of
+ the HECI/MEI PCI device by setting them to 4 (SECOVR_JMPR) [MODE_CTRL].
+ - Intel Management Engine BIOS Extension (MEBx) Disable
+ This option may be available to end users on some boards usually accessible
+ by hitting ctrl+p after BIOS POST. Quote: "'Disabling' the Intel ME does not
+ really disable it: it causes the Intel ME code to be halted at an early stage
+ of the Intel ME's booting so that the system has no traffic originating from
+ the Intel ME on any of the buses." [MEBX] The ME indicates this in
+ bits [19:16] (Operation Mode) in the HFS register of the HECI/MEI PCI device
+ by setting them to 3 (Soft Temporary Disable) [MODE_CTRL].
+ - Previous to Ibex Peak/5 Series chipsets removing the DIMM from slot (or
+ channel?) #0 disables the ME completely, which may give the host access to
+ the ME region.
+ - HMRFPO (Host ME Region Flash Protection Override) Enable MEI command
+ This is the most interesting one because it allows to temporarily disable
+ the ME region protection by software. The ME indicates this in bits [19:16]
+ (Operation Mode) in the HFS register of the HECI/MEI PCI device by setting
+ them to 5 (SECOVER_MEI_MSG) [MODE_CTRL].
+== MEI/HECI ==
+ Communication between the host software and the different services provided by
+ the ME is done via a packet-based protocol that uses MMIO transfers to one or
+ more virtual PCI devices. Upon this layer there exist various services that can
+ be used to read out hardware management values (e.g. temperatures, fan speeds
+ etc.). The lower levels of that protocol are well documented:
+ The locations/offsets of the PCI MMIO registers are noted in the chipset
+ datasheets. The actually communication is documented in a whitepaper [DCMI] and
+ an outdated as well as a current Linux kernel implementation (currently in
+ staging/ exist [KERNEL]. There exists a patch that re-implements this in user
+ space (as part of flashrom).
+== Problems ==
+ The problem is that only very few higher level protocols are documented publicly,
+ especially the bunch of messages that contain the HMRFPO commands is probably
+ well protected and only documented in ME-specific docs and the BIOS writer's
+ guides. We are aware of a few leaked documents though that give us a few hints
+ about it, but nothing substantial regarding its implementation.
+ The documents are somewhat contradicting each other in various points which
+ might be due to factual changes in process of time or due to the different
+ capabilities of the ME firmwares, example:
+ Intel's Flash Programming Tool (FPT) "automatically stops ME writing to SPI
+ ME Region, to prevent both writing at the same time, causing data corruption." [ME8]
+ "FPT is not HMRFPO-capable, so needs [the help of the FDOPS pin] HDA_SDO if
+ used to update the ME Region." [SPS]
+ When looking at the various ME firmware editions (and different chipsets), things
+ get very unclear. Some docs say that HMRFPO needs to be sent before End-of-POST
+ (EOP), others say that the ME region can be updated in the field or that some
+ vendor tools use it for updates. This needs to be investigated further before
+ drawing any conclusion.
+[MODE_CTRL] Client Platform Enabling Tour: Platform Software
+ Document Number: 439167, Revision 1.2, page 52
+[MEBX] Intel Management Engine BIOS Extension (MEBX) User's Guide
+ Revision 1.2, Section 3.1 and 3.5
+[DCMI] DCMI Host Interface Specification
+ Revision 1.0
+[SPI_PROG] Ibex Peak SPI Programming Guide
+ Document Number: 403598, Revision 1.3, page 79
+[ME8] Manufacturing with Intel Management Engine (ME) Firmware 8.X on Intel 7 Series
+ Revision 2.0, page 59
+[SPS] Manufacturing with Intel Management Engine (ME) on Intel C600 Series Chipset 1
+ for Romley Server 2 Platforms using Server Platform Services (SPS) Firmware
+ Revision 2.2, page 51
OpenPOWER on IntegriCloud