Updated for v3.0.3
texhex committed May 15, 2017
1 parent 7850d42 commit 0809be8
Showing 1 changed file with 12 additions and 11 deletions.
23 changes: 12 additions & 11 deletions README.md
Expand Up @@ -36,11 +36,12 @@ ASCII banner from: http://chris.com/ascii/index.php?art=objects/tools

Suppose you get a workitem like this:

> For the Windows 10 rollout, we need you to support ten different hardware models and all of them need to be updated to the newest BIOS version. Some devices require a TPM firmware update to use the security features that depend on TPM 2.0. You also need to update the BIOS settings for all devices (Secure Boot, Fast Boot etc.) to meet Microsoft recommendations. Oh, and a new BIOS password would be a big plus because we currently have twenty different passwords in use.
> For the Windows 10 rollout, we need you to support ten different hardware models and all of them need to be updated to the newest BIOS version. Some devices require a TPM firmware update to use the security features that depend on TPM 2.0. You also need to update the BIOS settings for all devices (Secure Boot, Fast Boot etc.) to meet Microsoft recommendations. And while you are at it, please also make sure to patch the Management Engine firmware security issue. Oh, and a new BIOS password would be a big plus because we currently have twenty different passwords in use.
You can now waste precious life time to try to script this, or you can just use BIOS Sledgehammer:
* You can support several BIOS passwords for your devices, it will simply try all passwords you specify until the correct one is found
* You define which BIOS version the devices should have. Devices with newer versions will not trigger a downgrade. The BIOS version parsing works from older devices like 6300 Pro up to a 1040 G3.
* Define which Management Engine (ME) firmware a device should have and if the current firmware is older, an update if applied.
* Define which TPM firmware and/or specification version (1.2 or 2.0) the device should have. Firmware checks are in place so BIOS Sledgehammer won’t try to flash “Update 6.40 to 7.41” on a device that has firmware 6.41
* The BIOS password can be set individual per model or you just set all devices to the same password. All passwords are stored encrypted (using *HPQPswd64.exe*).
* The log files from the HP BIOS or TPM update tools are automatically appended to the BIOS Sledgehammer log, so if something goes wrong you only have one log to check.
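Review bot: the new ME feature bullet reads "if the current firmware is older, an update if applied"; that should be "an update is applied". Since the ME Update section later in this README warns that HP's ME flash tool does not check that the firmware file matches the model and that a mismatch requires a mainboard replacement, this summary bullet would also benefit from a short pointer to that warning, so nobody enables ME updates from the feature list alone.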
Expand Down Expand Up @@ -78,13 +79,14 @@ When starting BiosSledgehammer.ps1, the following will happen:
* A search is performed below the [Models folder](#modelsfolder) to locate the matching folder for the current model. First an exact match for the model (e.g. if the current model is a *HP EliteBook Folio 1040 G1*, a folder named ``HP EliteBook Folio 1040 G1`` is expected). If this yields no result, a partially search is performed - a sub folder named ``1040 G1`` will match. All configuration is then read from this folder only.
* It tries to figure out the password the device is using by going through all files in the [PwdFiles folder](#pwdfilesfolder) and trying to change the value of *Asset Tracking Number* to a random value (it will be reverted to the original value at the end). An empty password is always tried first.
* If the file **BIOS-Update.txt** is found, it is read and checked if a BIOS update is required. If so, the BIOS update files are locally copied and the update is performed. Any **.log* file generated by the update tool is attached to the BIOS Sledgehammer log file. Finally, a restart is requested because the actual update is performed during POST. See [BIOS Update](#biosupdate) for more details.
* If the file **ME-Update.txt** is found, it is read and checked if a Management Engine (ME) firmware update is required. If so, the ME firmware files are locally copied and an update is performed. Any **.log* file generated by the update tool is attached to the BIOS Sledgehammer log file. Finally, a restart is requested because the actual update is performed during POST. See [ME Update](#meupdate) for more details.
* If the file **TPM-Update.txt** exists, it is read and checked if a TPM update is required. This happens by checking if the TPM specification version (1.2 or 2.0) or the TPM firmware are below the configured versions. If so, the TPM updates files are locally copied and executed. Any **.log* file generated by the update tool is attached to the BIOS Sledgehammer log file. Finally, a restart is requested because the actual update is performed during POST. See [TPM Update](#tpmupdate) for more details.
* If the file **BIOS-Password.txt** is found, it is checked if the device is already set to use this password. The password is not specified directly (clear), but by using a *.bin file name that stores the password encrypted. If the passwords differ, the configured *.bin file is read from the [PwdFiles folder](#pwdfilesfolder) and the password is changed. See [BIOS Password](#biospassword) for more details.
* If the file **BIOS-Settings.txt** exists, it is read and each entry is the name of a BIOS setting that needs to be changed. Each entry will be performed as single change (not all in a batch) to detect faulty settings more easily. See [BIOS Settings](#biossettings) for more details.

Starting with Windows 10 1703, you can in-place switch from BIOS legacy to UEFI boot mode; this is supported by BIOS Sledgehammer using the parameter ``-ActivateUEFIBoot``. This switch will result in BIOS Sledgehammer perform the same process as above, but ignoring any configured BIOS, TPM or Password updates.
Starting with Windows 10 1703, you can in-place convert coinvert from BIOS legacy (MBR) to UEFI boot mode (GPT); this is supported by BIOS Sledgehammer using the parameter ``-ActivateUEFIBoot``. This switch will result in BIOS Sledgehammer only apply the BIOS settings defined in **Activate-UEFIBoot.txt**.

Instead, it will only apply the BIOS settings defined in **Activate-UEFIBoot.txt** which are normally two settings to change the boot mode to UEFI. Please see [In-place BIOS to UEFI boot mode conversion](#activateuefimode) for more details.
These are normally just two settings to change the boot mode to UEFI. Please see [In-place BIOS to UEFI boot mode conversion](#activateuefimode) for more details.

## <a name="returncodes">Return Code (exit code)</a>

Expand All @@ -98,7 +100,7 @@ BIOS Sledgehammer is "installed" by copying it to a folder where the device, tha

You still need to customize some files so it works in your environment. The first thing should be to create the password files so BIOS Sledgehammer is able to access the BIOS (see [PwdFiles folder](pwdfilesfolder)).

The configuration for your different models is up to you, but the archive comes with several example in the [Models folder](#modelsfolder). Those examples lack the required BIOS or TPM update files from HP. To acquire them, just start ``StartExampleDownloads.bat`` which will download and store them automatically.
The configuration for your different models is up to you, but the archive comes with several example in the [Models folder](#modelsfolder). Those examples lack the required BIOS, ME or TPM update files from HP. To acquire them, just start ``StartExampleDownloads.bat`` which will download and store them automatically.

:exclamation: **IMPORTANT!** The setting and downloaded files in ``\Models`` are just examples; there might be newer BIOS or TPM files available from HP, the settings provided might not match you environment etc. Please do not use these examples "as is" in production.

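Review bot: the rewritten UEFI sentence now contains "in-place convert coinvert from BIOS legacy (MBR)"; drop the stray "coinvert". Two smaller points in the same hunk: the IMPORTANT note still says "there might be newer BIOS or TPM files available from HP" although the line above it was just updated to "BIOS, ME or TPM update files", so the ME case should be added there too; and the link "[PwdFiles folder](pwdfilesfolder)" is missing the "#" that every other anchor link in this hunk uses (e.g. "[Models folder](#modelsfolder)"), so it will not resolve on the rendered page.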
Expand Down Expand Up @@ -214,11 +216,11 @@ The source folder is then copied to %TEMP% (to avoid any network issues) and the
If anything goes wrong during the process, an error is generated.


## <a name="meupdate">((PREVIEW for v3)) Management Engine (ME) Update</a>
## <a name="meupdate">Management Engine (ME) Update</a>

Depending on the model, a device might be equipped with [Intel Active Management Technology](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) (Intel vPro) which allows for remote out-of-band management, so the device can be managed even if it's off or no operating system at all is installed. This function is provided by the Intel Management Engine (ME) which is also updatable. This can be done with BIOS Sledgehammer.

:warning: **WARNING!** The updates tool for the ME firmware from HP **DOES NOT** check if the provided ME firmware file matches the current model. This means, it allows to flash the ME firmware from a ZBook G1 on an EliteBook 840 G4 without an error message. If this happens, the machine will be toast/FUBAR on next start (CAPS LOCK will blink 5 times) and the mainboard needs to be replaced. Therefore, please pay extra caution when using ME firmware updates and always do a test run on a spare machine.
:warning: **WARNING!** The updates tool for the ME firmware from HP **DOES NOT** check if the provided ME firmware file matches the current model. This means, it allows to flash the ME firmware from a ZBook G1 on an EliteBook 840 G4 without an error message. If this happens, the machine will be FUBAR on next start (CAPS LOCK will blink 5 times and a mainboard replacement is required). Therefore, please pay extra caution when using ME firmware updates and always do a test run on a spare machine.

If possible, check if an BIOS update is available that also updates the ME firmware as this method is much safer than direct ME firmware updates. On the other hand, some BIOS versions require a ME firmware after a BIOS update (see [ProDesk 600 G2 BIOS v2.17](https://ftp.hp.com/pub/softpaq/sp78001-78500/sp78294.html)), so you might be forced to do direct updates.

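Review bot: two grammar slips in the context paragraph following the rewritten warning: "check if an BIOS update is available" should be "a BIOS update", and "some BIOS versions require a ME firmware after a BIOS update" is missing its noun and should read "require a ME firmware update after a BIOS update". The rewritten warning itself reads fine; given that it describes an unrecoverable brick, consider stating the mitigation explicitly (keep each model's ME firmware only in that model's own ME-<VERSION> sub folder, which the note below this section already enforces) rather than only "always do a test run on a spare machine".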
Expand All @@ -232,20 +234,19 @@ Version == 9.5.61.3012
# Command to be executed for the ME update
Command==CallInst.exe
# CallInst.exe requires a whitespace for the first parameter, so we need to enclose it in double-quotes
Arg1 == "/app Update.bat"
Arg1 == /app Update.bat
Arg2 == /hide
```

*Version* defines which ME version the device should have. If the current firmware is older, the update is started using the settings *Command* and *ArgX*. A restart is requested after that because the new firmware will only be activated during POST, after an restart.
*Version* defines which ME version the device should have. If the current firmware is older, the update files are copied locally and then started using the settings *Command* and *ArgX*. A restart is requested after that because the new firmware will only be activated during POST, after an restart.

**Note**: BIOS Sledgehammer enforces that the source files are stored in a sub folder of the [model folder](#modelsfolder) called ``ME-<VERSION>``. If the desired ME firmware version is ``9.5.61.3012``, the folder needs to be named ``\ME-9.5.61.3012\``.

If anything goes wrong during the process, an error is generated.


## <a name="meissuecheck">((PREVIEW for v3)) Management Engine (ME) Vulnerability Check</a>
## <a name="meissuecheck">Management Engine (ME) Vulnerability Check</a>

In 2017-05 a severe security vulnerability was found in the Management Engine (ME): [INTEL-SA-00075](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr) / [CVE-2017-5689](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689) which could allow an unprivileged attacker to gain full control of the ME, which in turn allows full control of the device.

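Review bot: the change to Arg1 removes the double quotes (Arg1 == /app Update.bat) but keeps the comment directly above it that says "we need to enclose it in double-quotes", so the example now contradicts its own explanation. Either restore the quotes or rewrite the comment to say how the setting parser handles the embedded whitespace; as committed, a reader cannot tell which form BIOS Sledgehammer expects for a first parameter that contains a space. Minor: "after an restart" should be "after a restart" in the rewritten *Version* paragraph.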