TL;DR - Intel and Lenovo release the firmware updates as Windows executables so you'll have to build a USB drive with Windows PE with all the necessary drivers and update utilities. You boot your PC with the USB and execute the updates from WinPE. If you have an spare PC with Windows, you're lucky and can skip all the virtual machine part, if you don't, you can use use a virtualized Windows 10 for the USB preparation.
I spent 2 days fiddling with Windows PE 7 (x86) but didn't managed to get it to work. Using Windows 10 (amd64) worked just fine.
The contents of this document are provided "AS IS" without warranty of any kind. This document could contain technical inaccuracies, typographical errors and out-of-date information. This document may be updated or changed without notice at any time. Use of the information is therefore at your own risk.
For Windows 10 emulation you'll need VirtualBox and because we'll emulate a 64bit Windows 10 machine, you must have Intel VT-X enabled.
Instead of creating a virtual machine from scratch, we can use the work done by Microsoft. Microsoft releases a set of virtual machines with some combination of operating system and browser version. This machines are Enterprise versions of Windows and the license is a valid one for 90 days.
Visit Microsoft Edge VM website and download the file select:
- Virtual machine: MSEdge on Win10(64bit) Stable (16.16299)
- Select platform: VirtualBox
- Click: Download ZIP
Note: The zip file is a ~4.9GB file.
After downloading the MSEdge.Win10.VirtualBox.zip you must unzip it to get a final MSEdge - Win10.ova file.
-
File > Import Appliance
-
Select the file
MSEdge - Win10.ova
-
Modify the CPU count to 2
-
Click Import and wait ...
-
Use 128MB of Video Memory and enabled 3D Acceleration
I didn't manage to make VirtualBox to detect and share
a physical USB to the guest machine -- even with Oracle's
extension pack.
My workaround was to add an extra virtual disk (.vdi) and use it as a USB device
on Windows.
Let's create a 1GB additional disk
-
Select the machine MSEdge - Win10
-
Click Settings button
-
Click Storage option
-
Under the main IDE controller, click the Add hard drive
-
Select Create new disk
-
Select VDI (Virtual Box Image)
-
Select Fixed size
-
Save the
usb.vdiin a known location and use1.00 GBas size
-
Click Create
-
Select the MSEdge - Win 10 machine
-
Click Start
-
Now you have a running Windows 10 VM
To have a more comfortable workspace, modify the default display resolution.
-
Right-click on the Desktop
-
Select Display settings
-
Select 1280 x 960 option
-
Select Keep changes
-
Click Windows key
-
Type
disk partitions -
Select Create and format hard disk partitions
-
Select MBR for Disk 1
-
Select Disk 1
-
Right-click on the disk and select New Simple Volume
-
Accept all defaults and assign drive letter D
-
Format with FAT32 file system
-
Format the drive by clicking Finish
-
You have now 2 drives and we'll use D: as a USB drive
-
Open Microsoft Edge browser
-
Click Download now
-
Select the option: Run
-
Select default location and accept the License
-
From the default selected packages I removed:
- Windows Performance Toolkit
- Microsoft User Experience Virtualization (UE-V) Template
- Microsoft Application Virtualization (App-V) Sequencer
- Microsoft Application Virtualization (App-V) Auto Sequencer
- Click Install -- and wait, you'll download ~ 6.4 GB
The available documentation in Microsoft Docs gives you all you need to customize a Windows PE.
-
Use the Windows key
-
Search for deployment
-
Right-click in the option Deployment and Imaging Tools Environment
-
Run as administrator
-
Using the console:
copype amd64 C:\WinPE_amd64
-
We're now ready to load some additional drivers
In order to use the firmware update you need to have some additional drivers in WinPE environment. You can find the required drivers on Lenovo's support portal under the Chipset section.
In my case I downloaded:
- Intel Management Engine 11.8 Firmware for Windows 10 (64-bit): https://download.lenovo.com/pccbbs/mobiles/r02rg06w.exe
- Intel(R) Management Engine Interface for Windows 10 (64-bit): https://download.lenovo.com/pccbbs/mobiles/r02mk15w.exe
- Intel(R) Chipset Device Software for Windows 10 (64-bit): https://download.lenovo.com/pccbbs/mobiles/r02ia08w.exe
- Save the files and execute them. This are self extractable zip files.
- NOTE: Make sure you don't attempt to install this drivers on the virtual machine.
- Use the default path to extract the content:
C:\DRIVERS\WIN\MEC:\DRIVERS\WIN\MEIC:\DRIVERS\WIN\Chipset
-
The first folder
C:\DRIVERS\WIN\MEcontains the firmware (.binfiles) plus the necessary script to update:MEUpdate.CMD-- We'll add this folder to the WinPE distribution. -
Using the same console...
-
Move to
C:\DRIVERS\WIN\MEI
cd C:\DRIVERS\WIN\MEI
-
Create a new folder name
Driversmkdir Drivers
-
Execute
SetupME.exeusing the flags-Aand-Pto extract the content of the fileSetupME.exe -A -P C:\DRIVERS\WIN\MEI\Drivers
-
You'll find 2 new folders in under the
Drivers,HECI_RELandSOL_REL
-
Move to the
Chipsetfoldercd C:\DRIVERS\WIN\Chipset
-
Create a
Driversfolder insidemkdir Drivers
-
Execute
SetupChipset.exewith-extractflagsSetupChipset.exe -extract C:\DRIVERS\WIN\Chipset\Drivers
-
List the files under
Driversand you'll find a folder per processor architecture. I'll use theskylakein this case
The Microsoft documentation shows how to mount and customize our WinPE.
-
Mount the image file
Dism /Mount-Image /ImageFile:"C:\WinPE_amd64\media\sources\boot.wim" /index:1 /MountDir:"C:\WinPE_amd64\mount"
-
Add the Intel Chipset driver
Dism /Add-Driver /Image:"C:\WinPE_amd64\mount" /Driver:"C:\DRIVERS\WIN\Chipset\Drivers\skylake\SkylakeSystem.inf"
-
Add the Intel ME driver
Dism /Add-Driver /Image:"C:\WinPE_amd64\mount" /Driver:"C:\DRIVERS\WIN\MEI\Drivers\HECI_REL\win10\heci.inf"
Dism /Add-Driver /Image:"C:\WinPE_amd64\mount" /Driver:"C:\DRIVERS\WIN\MEI\Drivers\SOL_REL\mesrl.inf"
-
Add the firmware update and script by copying the
C:\DRIVERS\WIN\*folder to the mount pointxcopy /s C:\DRIVERS\WIN\* C:\WinPE_amd64\mount- NOTE: While is not strictly necessary to copy the drivers binaries I did it for troubleshooting
-
Add more temporary space
Dism /Set-ScratchSpace:512 /Image:"C:\WinPE_amd64\mount"
-
Unmount the file and commit the changes
Dism /Unmount-Image /MountDir:"C:\WinPE_amd64\mount" /commit
-
We'll use the extra drive added to the virtual machine
-
MakeWinPEMedia /UFD C:\WinPE_amd64 D:
-
Make sure to shutdown the Windows 10 virtual machine
-
We have a bootable media under a .vdi format and we need to convert it to be able to burn it
-
Using
VBoxManagewe'll convert the.vdiin raw format. NOTE: Change the command to the correct path tousb.vdiVBoxManage clonehd usb.vdi winpe_amd.img --format RAW 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100% Clone medium created in format 'RAW'. UUID: b4e20b0b-302d-44d4-8b10-40801fb35b88
-
Using
ddyou can copy the resultingwinpe_amd64.imgto your usb.
WARNING: Make sure you choose the correct output otherwise you could delete something from your computer
In my case /dev/sdb is the USB device
sudo dd if=winpe_amd.img of=/dev/sdb bs=4M
256+0 records in
256+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 87.5253 s, 12.3 MB/s
-
Hit
<ENTER>when the Lenovo logo shows up -
Select an alternative boot device - Your USB drive
-
Wait for Windows PE to boot
-
Move to
X:\ME\--cd X:\ME -
Execute
UpdateME.CMD
-
Wait for the update to finish
-
Use
wpeutil shutdownto shutdown
- https://www.thinkwiki.org/wiki/Windows_PE
- https://www.thinkwiki.org/wiki/Intel_Active_Management_Technology_(AMT)#Firmware_update
- https://www.reddit.com/r/thinkpad/comments/7ek838/how_to_patch_intel_sa00086_vulnerability_from/
- https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-intro
- https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive
- https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
- https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#winADK