JHans10
Beginner
2,902 Views

NUC5i5MYBE TPM version 5.0 Update

The release notes say that customers with TPM version 5.0 should contact Intel support to get help...

https://downloadcenter.intel.com/download/27513/Trusted-Platform-Module-TPM-Firmware-Update-for-Inte... Download Trusted Platform Module (TPM) Firmware Update for Intel® NUC Kits NUC5i5MYHE

We have many SA# H47796-207

Kind Regards

Jesper Hanno

17 Replies
idata
Community Manager
588 Views

Hello Hanno

Thank you for contacting us.

I understand that you are having issues with our Trusted Platform Module (TPM) and your Intel® NUC Board NUC5i5MYBE.

Can you provide us with a longer/more detailed description of your issue?

We are here to serve.

I hope to hear from you soon.

Best regards.

Diego S.

idata
Community Manager
588 Views

Hello Hanno

We just wanted to double check if you still need further assistance.

Please do not hesitate to contact us again.

Best Regards,

Diego S.

GHopf
Beginner
588 Views

I think I have the same problem. While I cannot see the release notes (where are they?), I also do have FW version 5.0 of the TPM chip.

According to the installation guide of the TPM update, anyone with TPM 5.4 or earlier needs to update.

According to tpm.msc in Windows, I have an IFX TPM, Version 5.0.1089.2

However, when I try to flash it using F7 and NUC5i5MY-TPM-Firmware-Update.bio I get the following error:

"Current TPM FW version is 5.00, skip FW update. System will reboot in 20 seconds."

How do I update my NUC5i5MYHE NUCs (I have three of them) to TPM Firmware 5.62?

On one of the NUCs Windows 10 security center even complains about the TPM firmware and tells me to update it!

idata
Community Manager
588 Views

Hello AnybodyM2,

Thank you for joining this community; it will be more than a pleasure to assist you.

In this case, please let me ask, where did you download the TPM Firmware?

Can you provide us the link?

The reason that I am asking is because the actual firmware is a .ZIP file that can be found here:

https://downloadcenter.intel.com/download/27513/NUCs-Trusted-Platform-Module-TPM-Firmware-Update-for...

Based on your post, you mentioned that you downloaded a NUC5i5MY-TPM-Firmware-Update.bio, so we want to gather more information about that.

I hope to hear from you soon.

Regards,

Diego S.

GHopf
Beginner
588 Views

I got the download link from the official download page for the NUC5i5MYHE NUC on downloadcenter.intel.com

The download item is "Trusted Platform Module (TPM) Firmware Update for Intel® NUC Kit NUC5i5MYHE Instructions, BIOS and Firmware necessary to update the TPM on Intel® NUC Kits NUC5i5MYHE and Intel® NUC Boards NUC5i5MYBE." and is dated 4/3/2018 and it links to the 11.96MB ZIP file which Hanno linked to in the first post here.

This ZIP file contains a .bio file and a .pdf file, which tells me to flash the .bio file using F7.

It also tells me that I need to upgrade if I have TPM Firmware 5.4 or lower and according to the tpm.msc utility by Microsoft (which the PDF tells me to use) I have 5.0.x firmware.

Yet the firmware flashing using a USB stick and the "F7" method aborts with: "Current TPM FW version is 5.00, skip FW update. System will reboot in 20 seconds"

idata
Community Manager
588 Views

Hello AnybodyM2

Thank you for your response.

In this case, we are currently trying to replicate your situation in order to find a suitable answer.

This may delay our answers; however, I will get back to you as soon as possible.

I hope this helps.

Regards,

Diego S.

idata
Community Manager
588 Views

Hello Hanno and AnybodyM2,

Thank you for your response.

To Hanno: The link to the article on the download page is missing, we just added it.

Please go ahead and take a look at it:

https://www.intel.com/content/www/us/en/support/articles/000026516/mini-pcs.html

In this case you can update the Firmware on your NUCs based on the link.

If you have the version 5.0, however you should have the version 5.4.

Please perform the update and let us know the outcome.

To AnybodyM2: I have sent a private message to your inbox, please go ahead and check it, I am awaiting your response.

I hope this helps.

Regards,

Diego S.

idata
Community Manager
588 Views

Hello Hanno,

We just wanted to double check if you still need further assistance.

Please do not hesitate to contact us again.

Best Regards,

Diego S.

GHopf
Beginner
588 Views

Just to summarize this for anyone who also has the TPM version 5.0 update problem and who will stumble upon this thread:

If you have this version, there is no software update. You need to exchange the NUC via Intel Support which they might even do for free outside the warranty period (?).

I opted not to do so, since it would have been a major hassle to not have the unit for some time and the likelihood that somebody will attack my TPM is pretty minimal (the NUC is not used in an industry which is especially prone to attacks).

SChau10
New Contributor II
588 Views

It is possible to update Infineon TPM 2.0 firmware for NUC5i5MYBE from 5.0.1089.2 to 5.62.3126.2 to address the security vulnerability.

The procedure is more involved than flashing a special BIOS for NUC5i5MYBE. It requires clearing the TPM, booting system to UEFI shell, then launching a TPM FW update utility (called TPMFactoryUpd.efi) to execute the TPM FW update. The required FW binary file is TPM20_5.0.1089.2_to_TPM20_5.62.3126.2.BIN.

I was able to use this process to update all three of my NUC5i5MYBE with H47796-202 revision that came with 5.0.1089.2 FW for the TPM, which saved the need to exchange the NUCs via Intel Support.

GHopf
Beginner
588 Views

SChau10, could you please elaborate how you managed to do this? I was able to find the required files on the Supermicro server (9665FW update package_1.5), copied them to a USB stick and entered the stick on the UEFI shell. I try to update using the command line: TPMFactoryUpd.efi -update tpm20-emptyplatformauth -firmware TPM20_5.0.1089.2_to_TPM20_5.62.3126.2.BIN

However:

When the TPM is enabled in BIOS (Advanced => TPM 2.0 Presence)

=> TPM2.0: PlatformAuth is not the Empty Buffer. The firmware cannot be updated.

I also tried clearing the TPM using BIOS => Boot => Secure Boot => Clear Secure Boot Data which did not help.

When I google this error, it is generally recommended to disable the TPM so I disable TPM 2.0 Presence in BIOS but then I get

=> TPM2.0: The platform hierarchy is disabled. The firmware cannot be updated.

I'm at my wits' end. If you had not explicitly stated that you were able to do this, I would say it is impossible on this NUC? Please help :-)

SChau10
New Contributor II
588 Views

@GHopf, you don't want to disable the TPM, but clear it. The "Clear Secure Boot Data" option in BIOS is NOT the correct way to clear the TPM. While the NUC is running Windows, launch tpm.msc (Trusted Platform Module Management) and select "Clear TPM..." option. Windows will prompt you to restart the system since Windows cannot perform the TPM clearing and instead sends a request to the motherboard BIOS to do it. When the system restarts, the BIOS may prompt you to confirm the TPM clear request (as a security measure), so proceed with that, but instead of system booting back into Windows again you need to boot to UEFI shell from your USB stick, via F10. The TPMFactoryUpd.efi command should then be able to proceed with updating the TPM firmware.

Please also ensure that BitLocker is not in use with any of your disk partitions. Clearing the TPM will break BitLocker and cause it to prompt for recovery key at OS bootup (or worse), so any BitLocker encrypted disk partitions need to be decrypted before clearing the TPM. Once the TPM firmware is updated and Windows takes ownership of it again, BitLocker can be re-enabled.

GHopf
Beginner
588 Views

Thank you so much. I will try this tomorrow and report back if it worked.

GHopf
Beginner
588 Views

Update, I tried again, now clearing the firmware using tpm.msc, but it doesn't make a difference.

I filmed what I did and uploaded it (unlisted video) on YouTube: https://www.youtube.com/watch?v=k0M_tCE6Y6w

(sorry, the Windows is installed in German, could not change it for the video. Should be pretty self explanatory what is done in tpm.msc - doesn't have a lot of options)

I also tried (afterwards) clearing the TPM with Windows, then clearing it in the BIOS, then entering the UEFI Shell - also did not help.

Perhaps it really can't be done and Intel's claim that you need to mail the unit to them is actually true?

SChau10
New Contributor II
588 Views

It's been over a year since I successfully updated my NUC5i5MYHE units TPM firmware from 5.0 to 5.62, so I may have remembered the steps incorrectly, and I apologize for that. I also thought there was no choice but to send my NUC5i5MYHE units to Intel, but then I stumbled into a way to get the TPM firmware updated.

Intel had an earlier TPM firmware update package "NUC5i5MY_TPM_Firmware_Version_5.4.zip" that is no longer available for download on their website. I may have used this package. The included instructions talk about flashing the NUC5i5MY BIOS to 0043, then turning off "Trusted Platform Module 2.0 Presence" under Onboard Devices within Visual BIOS, before booting system to UEFI shell to execute the TPM firmware update.

This update package supports TPM firmware update from 5.40.1971.2 to 5.62.3126.2. Since you want to update from 5.0.1089.2 to 5.62.3126.2 you will need to copy in the TPM20_5.0.1089.2_to_TPM20_5.62.3126.2.BIN file that you acquired separately. I seem to recall having done the same.

I'd also recommend this:

  • Flash NUC5i5MY BIOS to 0043
  • Clear the TPM using tpm.msc
  • Enter Visual BIOS and disable "Trusted Platform Module 2.0 Presence"
  • Boot to UEFI shell
  • Execute TPMFactoryUpd.efi -update tpm20-emptyplatformauth -firmware TPM20_5.0.1089.2_to_TPM20_5.62.3126.2.BIN

Good luck!
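
Added example (not part of any post in this thread, and not Intel or Infineon tooling): a PowerShell pre-flight check to run before the "Clear the TPM using tpm.msc" step, reflecting the BitLocker warning given earlier in the thread. It assumes an elevated session with the built-in Get-Tpm and Get-BitLockerVolume cmdlets available; the function names are hypothetical, and the target version is the one named in the thread.

```powershell
# Added example (hypothetical function names). Run in an elevated PowerShell
# on the NUC before using "Clear TPM..." in tpm.msc.

function Test-TpmFirmwareOutdated {
    # Pure version comparison; the default target is the version named in the thread.
    param(
        [Parameter(Mandatory)][string]$Current,   # e.g. '5.0.1089.2'
        [string]$Fixed = '5.62.3126.2'
    )
    $cur = $Current -as [version]
    if (-not $cur) { throw "Unparseable TPM firmware version: '$Current'" }
    return $cur -lt [version]$Fixed
}

function Get-TpmClearReadiness {
    $tpm = Get-Tpm                       # TrustedPlatformModule module
    if (-not $tpm.TpmPresent) { throw 'Get-Tpm reports no TPM (is it disabled in BIOS?).' }

    # Any volume that is not fully decrypted will ask for its recovery key
    # (or worse) at boot once the TPM has been cleared.
    $atRisk = @(Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })

    [pscustomobject]@{
        Manufacturer    = $tpm.ManufacturerIdTxt     # tpm.msc in the thread shows an IFX TPM
        FirmwareVersion = $tpm.ManufacturerVersion
        NeedsUpdate     = Test-TpmFirmwareOutdated -Current $tpm.ManufacturerVersion
        VolumesAtRisk   = $atRisk.MountPoint
        SafeToClear     = ($atRisk.Count -eq 0)
    }
}

$r = Get-TpmClearReadiness
$r | Format-List
if (-not $r.SafeToClear) {
    Write-Warning "Decrypt these volumes before clearing the TPM: $($r.VolumesAtRisk -join ', ')"
}
```

Keep a copy of each volume's BitLocker recovery key regardless of the result, and re-run the check after the update to confirm the reported firmware version changed.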

GHopf
Beginner
588 Views

Thank you again. I got hold of these files, but I was unable to downgrade to BIOS 0043. I even tried various recovery modes (long press Power Button + F4), also tried the Jumper on the board. I was unable to downgrade.

BIOS file just gets ignored and is never flashed.

I tried updating with the tpmfactoryupd.efi from this Intel package but it didn't make a difference. Either "PlatformAuth is not the Empty Buffer" if the TPM is enabled in the BIOS, no matter how I cleared it, or "The platform hierarchy is disabled" if the TPM is disabled in BIOS.

SChau10
New Contributor II
588 Views

I just checked one of my NUC5i5MYHE and playing around with TPMFactoryUpd.efi I got the same error messages as you reported: "Not Empty Buffer" if TPM is enabled, and "Platform hierarchy is disabled" if TPM is disabled.

When I updated TPM firmware for my NUC5i5MYHE units last year, I may have used an older version of TPMFactoryUpd.efi, specifically Ver 01.00.1619.00, which was not acquired from Intel. You may have better luck with this version than the one included with the TPM firmware update package from Intel.

Send me a PM if you are interested in trying this older version of TPMFactoryUpd.efi.
