cancel
Showing results for 
Search instead for 
Did you mean: 

Asus / Infineon TPM firmware update?

lightknightrr
Level 8
So, is Asus going to issue a firmware update for the Infineon TPM modules produced under its name, in light of the recently released security bulletin from our friends at Microsoft, or is this a case where we will have to so without, or buy entirely new modules?

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012


Infineon doesn't seem to be issuing the update to the masses, when it is available. It wants to do it through OEM channels, and Asus does qualify as an OEM (Original Equipment Manufacturer).

https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160
1,304 Views
119 REPLIES 119

rasmorthil wrote:
In case it is helpful to someone, I found a way to update my Asus TPM-M R2.0 14-1 Pin TPM Module to the latest 5.62.3126.0 firmware (previously the TPM had the 5.61.2785.0 firmware with the vulnerability).

Supermicro (a great server company) sells Infineon-based TPMs - e.g., see http://supermicro.com/products/accessories/addon/AOM-TPM-9665V.cfm. Unlike Asus (:mad:) Supermicro has issued the latest firmware security updates for their Infineon TPM modules. Their update packages appear to be general Infineon updates, so I figured it'd be worth a try to update my Asus module using one.

Note that you should only attempt this sort of update if you know what you are doing!! If you aren't adept at the command line or if this is all new to you, then DO NOT ATTEMPT THIS. YOU CAN LOSE DATA IF YOU ARE USING BITLOCKER, etc.!!!

I'll explain what I did and if you want to try with your system/TPM module you will need to adapt as appropriate for your system.

1. You can find TPM update packages by browsing to ftp://ftp.supermicro.com/driver/TPM/. In my case I looked at the various firmwares included, and the "9665FW update package_1.1.zip" bundle contained firmware that matched my Asus TPM. So be sure to pick the right update bundle for your TPM (?).

2. I completely turned OFF and disable Bitlocker and Windows Hello. You must decrypt your drive so that the TPM is NOT in use!

3. I ran "tpm.msc" and executed the "Clear TPM..." option in Action. This rebooted the machine and the Asus BIOS had me press F12 to clear the TPM.

4. After rebooting again, I then booted into the BIOS and turned the TPM completely OFF in the BIOS settings. You must completely disable Windows' use of the TPM in order to update the firmware.

5. I booted back into Windows, and extracted the firmware update package bundle. For ease of operation I then copied the Windows update executable from the "...\Tools\WinPE\Bin\x64\" directory into the "...\Firmware\" directory.

6. I then ran an Administrator command prompt, and changed to the "...\Firmware\" directory. Then I ran "TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg". The updater detected my TPM, and flash updated to the latest firmware in the bundle. Again, if you try this your command line may need to be different (use "TPMFactoryUpd.exe -?" for command line help with the tool).

70491

7. Then I rebooted back to the BIOS, turned the TPM back on, and re-enabled everything, and "tpm.msc" shows that my Asus TPM has been updated and no longer has the vulnerability.

70492

Note that the update bundle also includes a UEFI updater that you can run from the BIOS, but I didn't bother doing that because I didn't have time to figure it out.

Anyway I hope this is helpful to others!


I don't actually use the darn TPM and have no real clue what its for, I think only Windows Pro can make use of it correct? Anyways I followed your instructions here and it worked! Congrats!

I just did this to update to 5.63 thanks guys!

lightknightrr
Level 8
We are going to need a volunteer.

lightknightrr
Level 8
Asus, you guys feel like just copying their updater or something for your customers?

Infineon Technologies AG TPMFactoryUpd Version 01.01.2212.00
[2018-01-21 14:36:17.089]

Error detected:
Final code: 0xE0295002
Final message: Invalid command line parameter(s).
Module: CommandLineParser.c; Function: CommandLineParser_FinalizeParsing; Line: 464
Code: 0xE0295002
Message: No mandatory command line option found.

FW:5.50xx

no1yak
Level 8
Thanks for the heads up on the firmware update. No problems flashing the chip , now back in business.

lightknightrr
Level 8
@liuhongxin1993, what were your commandline arguments?

lightknightrr wrote:
@liuhongxin1993, what were your commandline arguments?


我的5.50.2022.0的无法更新,我英语不是很好,所以我就用中文吧。官方还没有这个版本的更新包,最低版本也只有5.51以上的。而且我打开升级程序就闪退。

lightknightrr
Level 8
@xrs01 - When you run Get-TPM inside PowerShell (Administrator Mode), what is the output?

lightknightrr
Level 8
Lol. My attempts to leave a review on Amazon referencing this discussion so people could update their own TPM chips apparently can't happen because of the following:

"We encourage you to revise your review and submit it again. A few common issues to keep in mind:

Your review should focus on specific features of the product and your experience with it. Feedback on the seller or your shipment experience should be provided at www.amazon.com/feedback.
We do not allow profane or obscene content. This applies to adult products too.
Advertisements, promotional material or repeated posts that make the same point excessively are considered spam.
Please do not include URLs external to Amazon or personally identifiable content in your review."

Please do not include URLs external to Amazon

Zinzan8
Level 7
I don’t have a TPM module yet—just typing in a BL password on computer boot for now. Sounds like I should just wait until Asus updates their firmware before buying one?

BTW, I called Asus motherboard support for another question yesterday and asked about this issue. Mentioned this thread in the ROG forums, and the SuperMicro fix. Their motherboard guy said they were aware of this and were testing things, but he wasn’t willing to give any ETA or any indication that they would have a firmware update soon.