cancel
Showing results for 
Search instead for 
Did you mean: 

Asus / Infineon TPM firmware update?

lightknightrr
Level 8
So, is Asus going to issue a firmware update for the Infineon TPM modules produced under its name, in light of the recently released security bulletin from our friends at Microsoft, or is this a case where we will have to so without, or buy entirely new modules?

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012


Infineon doesn't seem to be issuing the update to the masses, when it is available. It wants to do it through OEM channels, and Asus does qualify as an OEM (Original Equipment Manufacturer).

https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160
2,300 Views
119 REPLIES 119

xrs01 wrote:
I have ASUS H170 PRO GAMING motherboard with Asus TPM-M R2.0 14-1 Pin TPM Module installed. When I try to upgrade the firmware, I get:

Infineon Technologies AG TPMFactoryUpd Version 01.01.2212.00
[2018-01-21 18:28:29.840]
Error: open "TVicPort"-Driver failed !!!
Error initializing LowLevelIO: 0xE0295200
Error detected:
Final code: 0xE0295200
Final message: No connection to the TPM or TPM not found.
Module: ..\Common\DeviceManagement.c; Function: DeviceManagement_Connect; Line: 340
Code: 0xE0295200
Message: TPMConnect failed: 0xE0295200

I have copied all files from "...\Tools\WinPE\Bin\x64\" to the "...\Firmware\" directory. And used "TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg" command in CMD (executed as administrator).

Anyone else is having this problem?


I had the same problem. To solve start windows in PE mode.
Press shift key and restart windows -> problem handling -> advanced options -> cmd shell
( or similar, I am using German windows ) . Then the driver is working and you can update the firmware.

xrs01 wrote:
I have ASUS H170 PRO GAMING motherboard with Asus TPM-M R2.0 14-1 Pin TPM Module installed. When I try to upgrade the firmware, I get:

Infineon Technologies AG TPMFactoryUpd Version 01.01.2212.00
[2018-01-21 18:28:29.840]
Error: open "TVicPort"-Driver failed !!!
Error initializing LowLevelIO: 0xE0295200
Error detected:
Final code: 0xE0295200
Final message: No connection to the TPM or TPM not found.
Module: ..\Common\DeviceManagement.c; Function: DeviceManagement_Connect; Line: 340
Code: 0xE0295200
Message: TPMConnect failed: 0xE0295200

I have copied all files from "...\Tools\WinPE\Bin\x64\" to the "...\Firmware\" directory. And used "TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg" command in CMD (executed as administrator).

Anyone else is having this problem?


I am having this exact same problem, have the 14-1 pin asus tpm and disabled tpm in bios in the motherboard (asus hero x ac). I think I will try switching from discreet tpm to intel ptt in the bios and keep you updated if that helps.

If anyone has suggestions please let me know.

I made a profile here a few days ago but couldn't post. Here is how you can update the TPM firmware, using Asus's files.

The Asus firmware files do update the TPM to 5.63. Be aware that there are two different firmware files. One to update from 5.61 to 5.63, and another to update from 5.51 to 5.63. Be sure you grab the correct file from Asus's website or you won't be able to update the firmware. I updated from 5.51 to 5.63.

Be sure to disable Bitlocker in windows, and allow for the drives to decrypt before flashing the TPM firmware. In order to do this, you will be booting from a USB stick, which is why you have to turn off certain features in the BIOS. Just follow the instructions provided by Asus. I put the EFI and Tools folder in the root directory of my thumb drive, and I made sure my thumb drive was formatted FAT32. I put the EFI folder in the root directory, not the TPM.... folder because this is what I am used to in getting something to boot from a stick, but you may be able to put the TPM... folder in the root directory as well. It took a few boots, but then I booted into the provided EFI Shell. Once it boots into the shell, you only have a few seconds to press any key so that it stays in the shell.

Now this is where the Asus instructions are severely lacking.

The instructions tell you to go to fs0 and work from there, but the USB stick may not be assigned to fs0, I think mine was assigned to fs4 or fs5. So here is what you do. Key in fs0: then hit enter. Then Key in DIR and hit enter. This will list the folders and files in fs0. If this looks like your thumb drive, great, otherwise Key in fs1: and hit enter. Repeat the DIR, etc. and continue until you find which fs number is your thumb drive.

Now that you are on your thumb drive you need to navigate to the x64 directory. To do that you look at the folders in your directory. So for me I had to do cd Tools then hit enter. This puts you in the Tools folder. Then continue with cd UEFI etc. I like to do this one folder at a time, but you can do more if you are comfortable with it. Once you are in the x64 folder, you will need to type the long command TPMFactoryUpd -update tpm20-emptyplatformauth -firmware
TPM20_5.61.2785.0_to_TPM20_5.63.3144.0.BIN and press enter. (The instructions are missing a T, but I added it here. Be aware that if you are updating from TPM5.51 then instead of copying that command directly, do a DIR and you will see a file called TPM20_5.51... You will need to type this in place of the listed BIN file in that command. After hitting enter you will see a message showing you the status, and hopefully it will say successfully updated. I did get some kind of error message after the firmware update messages, but when I got back into the BIOS I could see that the firmware has successfully updated to 5.63, so I don't know what that was all about.

Proceed at your own risk.

PhoenixFlame9 wrote:
I made a profile here a few days ago but couldn't post. Here is how you can update the TPM firmware, using Asus's files.

The Asus firmware files do update the TPM to 5.63. Be aware that there are two different firmware files. One to update from 5.61 to 5.63, and another to update from 5.51 to 5.63. Be sure you grab the correct file from Asus's website or you won't be able to update the firmware. I updated from 5.51 to 5.63.

Be sure to disable Bitlocker in windows, and allow for the drives to decrypt before flashing the TPM firmware. In order to do this, you will be booting from a USB stick, which is why you have to turn off certain features in the BIOS. Just follow the instructions provided by Asus. I put the EFI and Tools folder in the root directory of my thumb drive, and I made sure my thumb drive was formatted FAT32. I put the EFI folder in the root directory, not the TPM.... folder because this is what I am used to in getting something to boot from a stick, but you may be able to put the TPM... folder in the root directory as well. It took a few boots, but then I booted into the provided EFI Shell. Once it boots into the shell, you only have a few seconds to press any key so that it stays in the shell.

Now this is where the Asus instructions are severely lacking.

The instructions tell you to go to fs0 and work from there, but the USB stick may not be assigned to fs0, I think mine was assigned to fs4 or fs5. So here is what you do. Key in fs0: then hit enter. Then Key in DIR and hit enter. This will list the folders and files in fs0. If this looks like your thumb drive, great, otherwise Key in fs1: and hit enter. Repeat the DIR, etc. and continue until you find which fs number is your thumb drive.

Now that you are on your thumb drive you need to navigate to the x64 directory. To do that you look at the folders in your directory. So for me I had to do cd Tools then hit enter. This puts you in the Tools folder. Then continue with cd UEFI etc. I like to do this one folder at a time, but you can do more if you are comfortable with it. Once you are in the x64 folder, you will need to type the long command TPMFactoryUpd -update tpm20-emptyplatformauth -firmware
TPM20_5.61.2785.0_to_TPM20_5.63.3144.0.BIN and press enter. (The instructions are missing a T, but I added it here. Be aware that if you are updating from TPM5.51 then instead of copying that command directly, do a DIR and you will see a file called TPM20_5.51... You will need to type this in place of the listed BIN file in that command. After hitting enter you will see a message showing you the status, and hopefully it will say successfully updated. I did get some kind of error message after the firmware update messages, but when I got back into the BIOS I could see that the firmware has successfully updated to 5.63, so I don't know what that was all about.

Proceed at your own risk.


Okay so I decided to give it another go this evening after your instructions gave me hope..

I had to obviously turn off all drives using bitlocker in windows, restart and in my bios disable my tpm chip completely (Asus Hero X (AC)) and then turn off secure boot so I could then boot directly via uefi to the usb drive which was pretty easy for me to find the right directory as you explained can be tricky (not always fs0:). I had previously moved the files in windows to the root directory of the flash as suggested to make this step easier having to browse down the directory path, then I finally was able to run the command which gave me the following results..

https://drive.google.com/open?id=12SH_g4MVtWZm33QvuV-rrKPgnpcLhUFG

https://drive.google.com/open?id=1qeZsQT7zOtaK4wByEVr-BnmgnGB6QcKB

https://drive.google.com/open?id=1gQK39rqyJv-ARZWs-bbDvmBI60ypRvH9

I think I got the same weird error at the end of the flash like you experienced, but after going into bios and turning everything on again and booting into windows it showed it had updated.

HUGE THANKS!! I have no idea how you worked all this out by yourself, thanks for such clear instructions. Hopefully this all can help other people as well. 🙂

PhoenixFlame9 wrote:
I made a profile here a few days ago but couldn't post. Here is how you can update the TPM firmware, using Asus's files.

The Asus firmware files do update the TPM to 5.63. Be aware that there are two different firmware files. One to update from 5.61 to 5.63, and another to update from 5.51 to 5.63. Be sure you grab the correct file from Asus's website or you won't be able to update the firmware. I updated from 5.51 to 5.63.

Be sure to disable Bitlocker in windows, and allow for the drives to decrypt before flashing the TPM firmware. In order to do this, you will be booting from a USB stick, which is why you have to turn off certain features in the BIOS. Just follow the instructions provided by Asus. I put the EFI and Tools folder in the root directory of my thumb drive, and I made sure my thumb drive was formatted FAT32. I put the EFI folder in the root directory, not the TPM.... folder because this is what I am used to in getting something to boot from a stick, but you may be able to put the TPM... folder in the root directory as well. It took a few boots, but then I booted into the provided EFI Shell. Once it boots into the shell, you only have a few seconds to press any key so that it stays in the shell.

Now this is where the Asus instructions are severely lacking.

The instructions tell you to go to fs0 and work from there, but the USB stick may not be assigned to fs0, I think mine was assigned to fs4 or fs5. So here is what you do. Key in fs0: then hit enter. Then Key in DIR and hit enter. This will list the folders and files in fs0. If this looks like your thumb drive, great, otherwise Key in fs1: and hit enter. Repeat the DIR, etc. and continue until you find which fs number is your thumb drive.

Now that you are on your thumb drive you need to navigate to the x64 directory. To do that you look at the folders in your directory. So for me I had to do cd Tools then hit enter. This puts you in the Tools folder. Then continue with cd UEFI etc. I like to do this one folder at a time, but you can do more if you are comfortable with it. Once you are in the x64 folder, you will need to type the long command TPMFactoryUpd -update tpm20-emptyplatformauth -firmware
TPM20_5.61.2785.0_to_TPM20_5.63.3144.0.BIN and press enter. (The instructions are missing a T, but I added it here. Be aware that if you are updating from TPM5.51 then instead of copying that command directly, do a DIR and you will see a file called TPM20_5.51... You will need to type this in place of the listed BIN file in that command. After hitting enter you will see a message showing you the status, and hopefully it will say successfully updated. I did get some kind of error message after the firmware update messages, but when I got back into the BIOS I could see that the firmware has successfully updated to 5.63, so I don't know what that was all about.

Proceed at your own risk.


Problem of updating TPM solved -- Booting sequence. I was one of the first people to start writing about problems I was having back in October of 2017 with updating an Asus TPM2.0 from version 5.51 to 5.63 and today I was finally successful some of the problems I encountered were with Booting the UEIF. How the BOOTX64.EFI is started was the final step to get the ASUS TPM update to load.

Post # 102 provides good directions regarding the sequence to follow to load the update. I have been using a Asus Rampage V Edition 10 (R5E10). Following the instructions given by Asus and post #102; and putting all the directories and files into the USB root drive (see file layout below) the last step is to reboot the computer and run the update. On the R5E10 the boot drive selection can be achieved by using the dashboard of the Bios (Key F2 or DEL key) or getting a list of drives available to boot from via the F8 key. The BOOTX64.EFI would run from the dashboard under the heading BOOT, but the update would report a problem. With everything the same except for starting the Boot sequence with F8 the update would then run.

The following is an overview of how the R5E10 was updated:Get the files from Asus and note if you are updating from 5.51 or 5.61 to 5.63

https://www.asus.com/us/SupportOnly/TPM-M%20R2-0/HelpDesk_BIOS/

My update was from 5.51; I put all the files and subdirectories into the Root of the USB, each subdirectory contained all the files and any other directories that came in the original unzipping. This step most likely is unnecessary, but was used to eliminate any possible request by the shell EFI setup program or the install program (TPMFactoryUpd.efi) for a file in one of the original directories.
As noted by post #102 regarding step 6 of the Asus instructions the USB drive you are using may not be located in the indicated fs0: designation. My USB was located in fs5: and when the DIR command was typed in the file structure looked like this:

As mentioned above, in my case, it was critical to boot the shell program (EFI) via the F8 key, not from inside the Bios dashboard.
When it comes to step 7 and typing in the long string the spaces before the dashes are not a format error, so the spaces are correct with the one exception of: ,,,update tpm20-emptyplatformauth...¦. The complete command reads:
TPMFactoryUpd -update tpm20-emptyplatformauth -firmware TPM20_5.51.2098.0_to_TPM20_5.63.3144.0.BIN
Only one space between firmware and TPM20; as in "... -firmware TPM20_5.51.2098.0..." Forgive me for being pedantic here but during my attempts to do the update and not getting it to work I kept thinking it was in the spacing of the command line. Also note that in the directions (#7) from Asus they left out the "T" in "TPM20" it is correctly represented in the last line of the graphic.

I do hope that this will help anyone trying to update a TPM. Everything worked as the three frame captures of posting #103 show. I too received an error message at the end. But, after rebooting everything worked properly.

As I mentioned this all started for me about five years ago (see post #21). The success here is with a generic TPM20 module sold on Ebay in the past two weeks. When I started all those years ago, I purchased two genuine Asus modules. I worked with Asus support for months they had not, as of then. produced an update. I ended up sending one of the modules to them to update twice the first time in didn't work and the second time it didn't even show up in the Bios. I pretty much gave up and misplaced or disposed of them. And then Windows 11 arrived.

The CPU in my R5E10 is an intel i7 6900K and that CPU is in the list that Microsoft has deemed to be unworthy of service in Windows 11 even though it has 8 cores and 128GB of RAM and now an UpToDate TPM20 module. I had been hoping to find a workaround and wanted all of the parts required for Windows 11, the only thing missing is the right age. Right after I built the R5E10, AMD came out with the Ryzen 1800 CPU also with 8 cores and since I was in need for another computer, I built the Ryzen 1800 with 64GB of RAM on an Asus Hero board. Now I have two computers that are fully equipped except for the age requirement.

So I need to build another computer to support Windows 11. I was about to buy an Asus Pro WS WRX80E -- Sage SE and then Threadripper PRO 2 is released and only available in a prebuilt -- something I do not want.
But, the real problem is something else and that is the development of a new security device by Microsoft called PLUTON and it is something like a TPM built directly into the CPU and the new Threadripper Pro's do not have that, the only chips that will have that at the moment are AMD 6000 chips.

PLUTON is a potential nightmare for me. Since Windows 11 requires a TPM to run will Microsoft turn around and pull the same thing over again with PLUTON? Will the next version of Windows a few years down the line require a PLUTON device built into the CPU and create a new class of obsolete computers?

I suspect that I should prepare by starting a new thread about PLUTON on this Forum and dig in for a new security problem and obsolescence.

UPDATE: March 12, 2022
TPM Version 5.63.3353.0

Today I updated to version 5.63.3353.0. I used the link from post #117 and got the files from PremaMod. I went through the list of files downloaded from Premod, found the file TPM20_5.63.3144.0_to_TPM20_5.63.3353.0.BIN and added it to the Root of the USB drive I used for the earlier update. I ran the update exactly the same as I did for the first update except used the TPM20_5.63.3144.0_to_TPM20_5.63.3353.0.BIN line in the string to activate the update.

The update ran the same. When I got back into Windows everything looked OK except for the line: Attestation, that was not ready. I used Windows TPM.msc to clear the TPM and when it booted up again everything was fine running version 5.63.3353.0

Charlie Woken wrote:
Problem of updating TPM solved -- Booting sequence.

Post # 102 provides good directions regarding the sequence to follow to load the update.

TPM Version 5.63.3353.0

Today I updated to version 5.63.3353.0. I used the link from post #117 and got the files from PremaMod.


Anyone who needs the 5.63.3353.0 BIN files I have updated the rar from Post #102 with them here:

9665FW update package_to_3353.rar

Tested on my Windows 11 install (PRIME Z390-A) and no "firmware update needed" errors now.

rasmorthil wrote:
In case it is helpful to someone, I found a way to update my Asus TPM-M R2.0 14-1 Pin TPM Module to the latest 5.62.3126.0 firmware (previously the TPM had the 5.61.2785.0 firmware with the vulnerability).

Supermicro (a great server company) sells Infineon-based TPMs - e.g., see http://supermicro.com/products/accessories/addon/AOM-TPM-9665V.cfm. Unlike Asus (:mad:) Supermicro has issued the latest firmware security updates for their Infineon TPM modules. Their update packages appear to be general Infineon updates, so I figured it'd be worth a try to update my Asus module using one.

Note that you should only attempt this sort of update if you know what you are doing!! If you aren't adept at the command line or if this is all new to you, then DO NOT ATTEMPT THIS. YOU CAN LOSE DATA IF YOU ARE USING BITLOCKER, etc.!!!

I'll explain what I did and if you want to try with your system/TPM module you will need to adapt as appropriate for your system.

1. You can find TPM update packages by browsing to ftp://ftp.supermicro.com/driver/TPM/. In my case I looked at the various firmwares included, and the "9665FW update package_1.1.zip" bundle contained firmware that matched my Asus TPM. So be sure to pick the right update bundle for your TPM (?).

2. I completely turned OFF and disable Bitlocker and Windows Hello. You must decrypt your drive so that the TPM is NOT in use!

3. I ran "tpm.msc" and executed the "Clear TPM..." option in Action. This rebooted the machine and the Asus BIOS had me press F12 to clear the TPM.

4. After rebooting again, I then booted into the BIOS and turned the TPM completely OFF in the BIOS settings. You must completely disable Windows' use of the TPM in order to update the firmware.

5. I booted back into Windows, and extracted the firmware update package bundle. For ease of operation I then copied the Windows update executable from the "...\Tools\WinPE\Bin\x64\" directory into the "...\Firmware\" directory.

6. I then ran an Administrator command prompt, and changed to the "...\Firmware\" directory. Then I ran "TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg". The updater detected my TPM, and flash updated to the latest firmware in the bundle. Again, if you try this your command line may need to be different (use "TPMFactoryUpd.exe -?" for command line help with the tool).

70491

7. Then I rebooted back to the BIOS, turned the TPM back on, and re-enabled everything, and "tpm.msc" shows that my Asus TPM has been updated and no longer has the vulnerability.

70492

Note that the update bundle also includes a UEFI updater that you can run from the BIOS, but I didn't bother doing that because I didn't have time to figure it out.

Anyway I hope this is helpful to others!



I just ran the update on my 14-pin ASUS TPM-M R2.0 module and it worked perfectly the first time using your instructions.

This is excellent. rasmorthil you deserve a medal.

mrbillishere wrote:
I just ran the update on my 14-pin ASUS TPM-M R2.0 module and it worked perfectly the first time using your instructions.

This is excellent. rasmorthil you deserve a medal.


Thanks! 😄

rasmorthil wrote:
In case it is helpful to someone, I found a way to update my Asus TPM-M R2.0 14-1 Pin TPM Module to the latest 5.62.3126.0 firmware (previously the TPM had the 5.61.2785.0 firmware with the vulnerability).

Supermicro (a great server company) sells Infineon-based TPMs - e.g., see http://supermicro.com/products/accessories/addon/AOM-TPM-9665V.cfm. Unlike Asus (:mad:) Supermicro has issued the latest firmware security updates for their Infineon TPM modules. Their update packages appear to be general Infineon updates, so I figured it'd be worth a try to update my Asus module using one.

Note that you should only attempt this sort of update if you know what you are doing!! If you aren't adept at the command line or if this is all new to you, then DO NOT ATTEMPT THIS. YOU CAN LOSE DATA IF YOU ARE USING BITLOCKER, etc.!!!

I'll explain what I did and if you want to try with your system/TPM module you will need to adapt as appropriate for your system.

1. You can find TPM update packages by browsing to ftp://ftp.supermicro.com/driver/TPM/. In my case I looked at the various firmwares included, and the "9665FW update package_1.1.zip" bundle contained firmware that matched my Asus TPM. So be sure to pick the right update bundle for your TPM (?).

2. I completely turned OFF and disable Bitlocker and Windows Hello. You must decrypt your drive so that the TPM is NOT in use!

3. I ran "tpm.msc" and executed the "Clear TPM..." option in Action. This rebooted the machine and the Asus BIOS had me press F12 to clear the TPM.

4. After rebooting again, I then booted into the BIOS and turned the TPM completely OFF in the BIOS settings. You must completely disable Windows' use of the TPM in order to update the firmware.

5. I booted back into Windows, and extracted the firmware update package bundle. For ease of operation I then copied the Windows update executable from the "...\Tools\WinPE\Bin\x64\" directory into the "...\Firmware\" directory.

6. I then ran an Administrator command prompt, and changed to the "...\Firmware\" directory. Then I ran "TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg". The updater detected my TPM, and flash updated to the latest firmware in the bundle. Again, if you try this your command line may need to be different (use "TPMFactoryUpd.exe -?" for command line help with the tool).

70491

7. Then I rebooted back to the BIOS, turned the TPM back on, and re-enabled everything, and "tpm.msc" shows that my Asus TPM has been updated and no longer has the vulnerability.

70492

Note that the update bundle also includes a UEFI updater that you can run from the BIOS, but I didn't bother doing that because I didn't have time to figure it out.

Anyway I hope this is helpful to others!


Thanks! This worked a treat! For reference, for anyone who wants to know, I am on a ROG Maximus X APEX with a Asus TPM-M R2.0. The BIOS was a bit confusing to clear my TPM, but that's more me than ASUS. Also, it turned out that I didn't have to clear the TPM through the BIOS. I got the firmware updated before I figured out how to clear it in the BIOS.

Just a note for anyone who is getting an error like "TPM not found", you need to copy the other file in the folder with the "exe" to the firmware folder with the "exe". I felt very stupid when I read the install log and realised what was going wrong for me.

My TPM -> https://www.amazon.co.uk/gp/product/B01CK5VY3Y/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1
Alice -> i7 8700K @ 5.2Ghz (-1AVX, 5Ghz Cache), ASUS Maximus X Apex, 32GB Gskill Trident Z RGB (@3600Mhz C16), 2x MSI 1080Ti Gaming X (SLI), Sound Blaster ZxR (DTS encoder to home cinema), Corsair AX1200i PSU, Corsair K95 RGB Keyboard, Logitech G502 Mouse, Dell Ultrasharp U2413 and HP LP2475w Monitors.

Dinah -> Microsoft Surface Pro (2017, i5 Passive cooling)

Dormouse -> iPhone 7 Pus 256GB

The guide in post #45 worked perfectly, my ASUS TPM on a Maximus VIII Hero updated from 5.51.2098.0 to 5.62.3126.0.

I found firmware version 5.63.3144.0 for the same Infineon chip elsewhere (http://forum.notebookreview.com/threads/important-security-updates.811312/), so I downloaded it, copied the firmware files to the firmware folder from the guide in this thread, edited TPM20_latest.cfg to update the target firmware (version_SLB966x=5.63.3144.0) and re-ran the guide. Everything seems to be working out.