-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 009fff4
Showing
3 changed files
with
83 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| @echo off | ||
|
|
||
| :: BatchGotAdmin | ||
| :------------------------------------- | ||
| REM --> Check for permissions | ||
| IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" ( | ||
| >nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system" | ||
| ) ELSE ( | ||
| >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system" | ||
| ) | ||
|
|
||
| REM --> If error flag set, we do not have admin. | ||
| if '%errorlevel%' NEQ '0' ( | ||
| echo Requesting administrative privileges... | ||
| goto UACPrompt | ||
| ) else ( goto gotAdmin ) | ||
|
|
||
| :UACPrompt | ||
| echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs" | ||
| set params = %*:"="" | ||
| echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" | ||
|
|
||
| "%temp%\getadmin.vbs" | ||
| del "%temp%\getadmin.vbs" | ||
| exit /B | ||
|
|
||
| :gotAdmin | ||
| pushd "%CD%" | ||
| CD /D "%~dp0" | ||
| :-------------------------------------- | ||
| set fwupdate=FWUpdLcl | ||
| if %PROCESSOR_ARCHITECTURE%==AMD64 set fwupdate=%fwupdate%64 | ||
| set fwupdate=%fwupdate%.exe | ||
|
|
||
| echo Easy launcher for Intel ME Firmware update tool (FWUpdate) | ||
| echo ---------------------------------------------------------- | ||
| set /p firmwarefilename=Enter firmware filename: | ||
| set firmwarefilename="%firmwarefilename%" | ||
| echo. | ||
| if NOT EXIST %fwupdate% set fwupdate=%fwupdate:64=% | ||
| if NOT EXIST %fwupdate% echo FWUpdate tool is missing. | ||
| if NOT EXIST %fwupdate% GOTO exit | ||
| %fwupdate% -f %firmwarefilename% | ||
| :exit | ||
| pause | ||
| exit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| MIT License | ||
|
|
||
| Copyright (c) 2017 pal1000 | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| ### Easy launcher for Intel ME Firmware update tool | ||
| This script slightly reduces the complexity of the task of updating Intel Management Engine firmware or related AMT/TXE/SPS when the manufacturer of the system fails to update it with security patches like [NTEL-SA-00086](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr). | ||
| ### Step by step patching of Intel ME vulnerabilities (standard) | ||
| - Check if you are vulnerable by running NTEL-SA-00086 assessment tool available for download on the link above. If you are, take note of your Intel ME/AMT/TXE/SPS firmware version reported by the tool and continue with next step. This is needed in case you get to the advanced phase. | ||
| - Check if your motherboard manufacturer provides firmware/BIOS update if your system is custom-build or the manufacturer of your system (OEM) otherwise (ex: Dell, Lenovo, Acer, Asus, LG, etc). If no firmware / BIOS update is available, mostly on aging systems, the next steps in the advanced section will help you patch it without OEM or motherboard manufacturer assistance. | ||
| ### Step by step patching of Intel ME vulnerabilities (advanced) | ||
| To patch the Intel ME firmware we need 4 pieces of software: | ||
| - Up-to-date Intel MEI or SOL driver. Depends on your system. Look in Device Manager - System devices. Corporate users that actively use ME features need to install/update both driver and software. MEI/SOL drivers and software are available at [win-raid forums](https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html) | ||
| - This script. It makes the firmware update easy, requiring a simple double-click. No Run As Admin is required, elevation request via UAC is done automatically. On execution this script only asks for the firmware filename. Usually a .bin filename. Note that if you copy-paste the firmware filename you need to manually add the extension too. | ||
| - The updated firmware. Here the ME firmware version reported by Intel vulnerability assessment tool comes into play. From that version we must extract its branch. It is usually the first 2 numbers from the version string. Some ME firmware branches have multiple variants. You have to identify the correct one for your system. Again Intel vulnerability scanner can help with that as well. A detailed step-by step process along with the firmware catalog is available at win-raid forums. | ||
| - The firmware update tool for your ME firmware branch is also available at win-raid forums. | ||
|
|
||
| This script and firmware update tool must be on the same folder. To ease things up the firmware filename should be placed there too. | ||
|
|
||
|
|
||
| On corporate environment the ME keys should also be renewed see the win-raid forum thread from above. |