This is how I updated my Intel ME firmware on my Lenovo X1 Carbon Gen 4. These instructions are pretty strongly inspired by https://news.ycombinator.com/item?id=15744152
Why? The Intel security advisory and CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, and CVE-2017-5712 should be reason enough.
You will need:
- To download about 3.5GB of stuff
- A USB key
- Linux installed
- WINE or a Windows box to run two executables (because self extracting archives are a thing on Windows apparently)
- A bit of technical know-how. A shell prompt shouldn’t scare you too hard.
- Go to https://www.microsoft.com/en-au/software-download/windows10ISO and download the 32-bit ISO.
- Mount the ISO as a loopback device (e.g. by right clicking and choosing to mount, or by doing ‘sudo mount -o loop,ro file.iso /mnt’).
- Go to the Lenovo web site for Drivers & Software for your laptop. Under Chipset, there are ME Firmware and Software downloads. You will need both.
- Run both exe files with WINE or on a Windows box to extract the archives. You do not need to run the installers at the end.
- You now need to extract the management engine drivers. You can do this in ~/.wine/drive_c/DRIVERS/WIN/AMT, with “cabextract SetupME.exe”
- Save off the HECI_REL folder, it’s the only extracted thing you’ll need.
- Go and install https://wimlib.net/ – we’re going to use it to create the boot disk. (it may be packaged for your distro)
- Copy ~/.wine/drive_c/DRIVERS to a new folder, e.g. “winpe_overlay” (or copy from the Windows box you extracted things on)
- Use mkwinpeimg to create the boot disk, pointing it to the mounted Windows 10 installer and the “winpe_overlay”:
mkwinpeimg -W /path/to/mounted/windows10-32bit-installer/ -O winpe_overlay disk.img
- Use ‘dd’ to write it to your USB key
- Reboot, go into BIOS and turn Secure Boot OFF, Legacy BIOS ON, and AMT ON.
- Boot off the USB disk you created.
- In the command prompt of the booted WinPE environment, run the following to start the update:
- Reboot, go back into BIOS and change your settings back to how you started.
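The Linux-side steps above (mount the ISO, build the image with mkwinpeimg, write it with dd) can be scripted as follows. This is an added example, not part of the original post; the function names, the SYSFS_ROOT and MOUNTS_FILE overrides, and the assumption that the saved HECI_REL folder sits inside the overlay are mine. It refuses to run dd unless the target is a whole, removable, unmounted disk.

```shell
#!/bin/sh
# Added example, not from the original post. The ISO path, overlay directory
# and USB device are supplied by the caller; nothing here is specific to one machine.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}              # overridable (assumption) for testing
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# Succeed only if $1 (e.g. /dev/sdX) is a whole disk that the kernel flags as
# removable and neither it nor one of its partitions is currently mounted.
usb_target_ok() {
    name=${1#/dev/}
    # Partitions and non-existent devices have no /sys/block/<name> entry.
    [ -r "$SYSFS_ROOT/block/$name/removable" ] || return 1
    [ "$(cat "$SYSFS_ROOT/block/$name/removable")" = "1" ] || return 1
    # First field of each mounts line is the device: match sdX, sdX1, sdX2 ...
    if grep -q "^/dev/$name[0-9]* " "$MOUNTS_FILE"; then return 1; fi
    return 0
}

# $1 = Windows 10 32-bit ISO, $2 = overlay directory, $3 = USB key device
build_and_write() {
    iso=$1; overlay=$2; dev=$3
    # Assumption: the saved HECI_REL folder lives somewhere inside the overlay.
    find "$overlay" -type d -name HECI_REL 2>/dev/null | grep -q . ||
        { echo "no HECI_REL folder under $overlay" >&2; return 1; }
    usb_target_ok "$dev" ||
        { echo "refusing to write to $dev (not removable, or mounted)" >&2; return 1; }
    mnt=$(mktemp -d) || return 1
    sudo mount -o loop,ro "$iso" "$mnt" || { rmdir "$mnt"; return 1; }
    mkwinpeimg -W "$mnt" -O "$overlay" disk.img; rc=$?
    sudo umount "$mnt"; rmdir "$mnt"
    [ "$rc" -eq 0 ] || return "$rc"
    # conv=fsync makes dd flush to the key before it reports success.
    sudo dd if=disk.img of="$dev" bs=4M conv=fsync status=progress
}

# Run only when called with all three arguments.
if [ "$#" -eq 3 ]; then build_and_write "$@"; fi
```

The removable flag is a conservative check: USB hard-disk enclosures often report 0 and will be rejected, which is the safe failure for a script that overwrites a whole device.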