Infineon TPM Firmware Update 4.43.257.0 (01.01.0410.00) Readme


Welcome

Welcome to the Infineon TPM Firmware Update.
With the TPM Firmware Update Wizard you can easily check whether your platform is ready for the firmware update. If all preconditions are met, you can update the TPM in just a few steps.
If you prefer to perform the TPM Firmware Update without any explicit user interactions, you can use the Command Line Mode.
Note that a system restart is needed for the update to take effect. Please save all unsaved work in all user sessions before restarting to prevent data loss.
Before you start TPM Firmware Update, please consider the license terms in License.pdf, close all running applications and deactivate or suspend any drive encryption software that uses the TPM.


Requirements

Hardware

TPM Firmware Update supports Infineon Trusted Platform Module SLB 9660.

TPM Firmware

This version of TPM Firmware Update supports the update from version(s) 4.40.119.0 and 4.42.132.0 to version 4.43.257.0 of the TPM Firmware.

Software

Supported operating systems: Microsoft Windows 10, Microsoft Windows 7 SP1.
Please install all important updates for your operating system before starting TPM Firmware Update.

Preconditions

To run the update, you need to have administrative privileges.
Also, if the Owner Password is not stored by the operating system, you need to know the Owner Password or you need to have a valid Owner Password Backup File. If the Owner Password is not stored by the operating system and you neither have a valid Owner Password Backup File nor know the Owner Password, you may use the commands listed under Important Notes, "Clear the TPM owner", to clear the TPM. You will be able to take ownership again afterwards. WARNING: Clearing the TPM resets it to factory defaults. You will lose all created keys and data protected by those keys.

The following preconditions must be met in addition:

Each precondition is listed below with a comment and the steps to take if it is not met.

Precondition: TPM Firmware Update is not prohibited by group policy settings.
  Comment: TPM Firmware Update can be allowed or prohibited by group policy settings.
  If not met: TPM Firmware Update has been explicitly prohibited for your system. To get permission, contact your group policy administrator.

Precondition: Power cord is plugged in.
  Comment: Only relevant for computers with batteries.
  If not met: Plug in the power cord. Do not unplug it before TPM Firmware Update completes.

Precondition: BitLocker Drive Encryption is off or suspended. This applies if you use BitLocker with any of the following key protectors (stand-alone or in combination with other key protectors):
  • TPM
  • TPM + PIN
  • TPM + Startup Key
  • TPM + PIN + Startup Key
  Comment: Only relevant for operating systems with BitLocker Drive Encryption (e.g. Windows 10 Pro or Windows 7 Ultimate).
  You can display the current BitLocker status and key protectors from an elevated command prompt with the "Display BitLocker Status" command listed under Important Notes, "Helpful scripts".
  "Off" corresponds to the "fully decrypted" BitLocker state. This is the case if BitLocker has never been turned on at all, or has explicitly been turned off.
  "Suspended" (or "disabled") corresponds to the "encrypted, but protection off" BitLocker state.
  If not met: You can use the "BitLocker Drive Encryption" control panel applet provided by the operating system to turn off or suspend BitLocker. For details, please refer to Microsoft resources on BitLocker.
  Alternatively, you can suspend BitLocker Drive Encryption from an elevated command prompt, e.g. for drive C:, with the "Suspend BitLocker" command listed under Important Notes, "Helpful scripts". To re-enable the protection after the update, use the "(Re-)Activate BitLocker" command from the same list.

Precondition: TPM is enabled and TPM Owner is set.
  Comment: The TPM must be enabled. The TPM Owner must be set before the TPM firmware can be updated.
  If not met: Make sure that your TPM is enabled in the system BIOS. Check the system BIOS documentation for details on how to enable the TPM. You can use the Microsoft Trusted Platform Module (TPM) Management application to enable the TPM ("Turn TPM on" action) and set the owner. Refer to Microsoft TechNet for details.

Precondition: Shut Down, Hibernate and Sleep can be blocked.
  Comment: To avoid an unintentional interruption of the update process, a temporary power plan is created and selected. This power plan blocks Shut Down, Hibernate and Sleep.
  If not met: The power plan could not be created and selected. A possible reason is that this is not allowed by policy settings. To get permission, contact your group policy administrator.

To find out whether all preconditions are met on your platform, just start TPM Firmware Update Wizard. The wizard will show you a detailed overview.
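The following PowerShell script is an added example and not part of the Infineon package. It answers the Requirements and Preconditions questions above for one machine without starting the update tool, which is useful for screening a fleet before rolling the update out. It reads the Win32_Tpm WMI class (provided by TPM Base Services on Windows 7 and later), the .NET power-line status and manage-bde. Two assumptions are not stated on this page: Win32_Tpm.ManufacturerVersion reports the firmware as "major.minor" (e.g. "4.40"), and manage-bde prints English status text. Group policy and the power-plan precondition are not checked here because the page does not name the settings involved.

```powershell
# Added example, not part of the Infineon readme: read-only pre-flight check
# for the TPM Firmware Update preconditions. Run from an elevated prompt.
# Assumptions: Win32_Tpm.ManufacturerVersion is "major.minor" (e.g. "4.40");
# manage-bde output is English.

function Get-IfxUpdateReadiness {
    param([string]$Drive = $env:SystemDrive)

    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM found or TPM hidden by BIOS settings (cf. error 0xE02A0008).' }

    $ifx  = 0x49465800                 # Win32_Tpm.ManufacturerId for "IFX" (ASCII, NUL padded)
    $from = @('4.40', '4.42')          # readme: update starts from 4.40.119.0 or 4.42.132.0
    $major = (([string]$tpm.ManufacturerVersion) -split '\.')[0..1] -join '.'

    # Precondition "Power cord is plugged in": PowerLineStatus is Online on AC.
    Add-Type -AssemblyName System.Windows.Forms
    $onAc = [System.Windows.Forms.SystemInformation]::PowerStatus.PowerLineStatus -eq 'Online'

    # Precondition "BitLocker off or suspended": manage-bde prints
    # "Protection Off" for both the fully decrypted and the suspended state.
    # Editions without BitLocker have no manage-bde, and the precondition does not apply.
    if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
        $bde   = & manage-bde.exe -status $Drive | Out-String
        $bdeOk = ($bde -match 'Protection Status:\s+Protection Off')
    } else {
        $bdeOk = $true
    }

    $checks = @(
        @{ Name = 'TPM vendor is Infineon';            Met = ($tpm.ManufacturerId -eq $ifx) },
        @{ Name = 'Firmware 4.40 or 4.42 (updatable)'; Met = ($from -contains $major) },
        @{ Name = 'TPM enabled';                       Met = [bool]$tpm.IsEnabled().IsEnabled },
        @{ Name = 'TPM activated';                     Met = [bool]$tpm.IsActivated().IsActivated },
        @{ Name = 'TPM owner set';                     Met = [bool]$tpm.IsOwned().IsOwned },
        @{ Name = 'Running on AC power';               Met = $onAc },
        @{ Name = 'BitLocker off or suspended';        Met = $bdeOk }
    ) | ForEach-Object { New-Object PSObject -Property $_ }
    return $checks
}

$result = Get-IfxUpdateReadiness
$result | Format-Table Name, Met -AutoSize
if ($result | Where-Object { -not $_.Met }) {
    Write-Warning 'At least one precondition is not met; run IFXTPMUpdate_TPM12_v0443.com /info for the tool''s own view.'
    exit 1
}
```

The script only reads state and never touches the TPM, BitLocker or the power plan, so it is safe to run across many machines; the tool's own /info action remains the authoritative check, because it also evaluates the group policy and power-plan preconditions that this script cannot see.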



How to update the TPM Firmware

Wizard Mode

To run TPM Firmware Update in Wizard Mode (i.e. with graphical user interface), start the executable IFXTPMUpdate_TPM12_v0443.exe without any parameters. In this case the wizard guides you through the following steps:

  1. Accept the license agreement.
  2. Install TPM recovery driver (only if necessary; this may require a restart of your computer).
  3. Check platform details.
  4. Provide the Owner Password or the Owner Password Backup File if the Owner Password is not managed by the operating system.
  5. Perform the update.
  6. Restart your computer (save all unsaved work in all user sessions before restarting to prevent data loss).

Note: Wizard Mode always creates a log file in %TEMP% directory.

Command Line Mode

To run TPM Firmware Update without any user interactions, use the command line tool IFXTPMUpdate_TPM12_v0443.com. By starting IFXTPMUpdate_TPM12_v0443.com you implicitly express that you accept the terms of the license agreement in License.pdf.

The usage is: IFXTPMUpdate_TPM12_v0443.com [action] {[option1] [option2] ...}

Action: /?, /h or /help

Shows the command line help.

Action: /info

Logs platform information and preconditions which are not met.

You can specify the following additional options:

/logfile:<file>

Optional parameter to create a log file. <file> must:

  • either point to an existing file to which you have write access. The tool will append log output to the file.
  • or specify a non-existing file in an existing folder where you are allowed to create a new file. The tool will create the file.

For example the parameter could point to C:\Users\User1\Documents\IFXTPMUpdate.log.
Note that the file path must be put in quotation marks if it contains spaces.

The log file will include platform information and preconditions which are not met.

Action: /update

Updates the firmware on the platform.

You can specify the following additional options:

/pwd:<password>
or
/pwdfile:<file>

Windows 7:
Either /pwd or /pwdfile option is required.

Windows 10:
The option /pwd or /pwdfile can be omitted if the Owner Password can be retrieved from the operating system. Otherwise the option is mandatory to perform the update.

Use the /pwd option to specify the Owner Password to be used for the owner authentication during the firmware update process.
Use the /pwdfile option to specify the Owner Password Backup File to be used for the owner authentication during the firmware update process. <file> must be a valid full path of a valid Owner Password Backup File (e.g. C:\Users\User1\Documents\Platform1.tpm).

Note that the password and the file path must be put in quotation marks if they contain spaces. For passwords containing a quote character, this character must be escaped, i.e. another quote character must be prepended (e.g. /pwd:"Password ""1" if the password is Password "1).

/logfile:<file>

Optional parameter to create a log file. <file> must:

  • either point to an existing file to which you have write access. The tool will append log output to the file.
  • or specify a non-existing file in an existing folder where you are allowed to create a new file. The tool will create the file.

For example the parameter could point to C:\Users\User1\Documents\IFXTPMUpdate.log.
Note that the file path must be put in quotation marks if it contains spaces.

The log file includes platform information and preconditions which are not met, and the result of the performed update steps.

/restart

Optional parameter to enforce the system restart at the end of the update process.
Open applications may prevent the restart. Save all unsaved work in all user sessions before using this parameter to prevent data loss.

Action: /recovery-driver:[on|off]

This action is provided for the rare scenarios when TPM Firmware Update was interrupted (for example if your computer lost power during an update). In these scenarios the Microsoft TPM Driver is not accessible and a TPM recovery driver is needed to resume the TPM Firmware Update.

/recovery-driver:on enables recovery mode and temporarily installs a TPM recovery driver. Once this action has completed, you can run the /update action again. After a successful update, the TPM recovery driver is automatically uninstalled. This action is ignored if the Microsoft TPM Driver is working properly and there is no pending TPM Firmware Update.

/recovery-driver:off disables recovery mode and uninstalls the TPM recovery driver. In case a system restart is required after the TPM recovery driver uninstallation, start TPM Firmware Update again after the restart.

You can specify the following additional options:

/logfile:<file>

Optional parameter to create a log file. <file> must:

  • either point to an existing file to which you have write access. The tool will append log output to the file.
  • or specify a non-existing file in an existing folder where you are allowed to create a new file. The tool will create the file.

For example the parameter could point to C:\Users\User1\Documents\IFXTPMUpdate.log.
Note that the file path must be put in quotation marks if it contains spaces.

/restart

Optional parameter to enforce the system restart at the end of the update process.
Open applications may prevent the restart. Save all unsaved work in all user sessions before using this parameter to prevent data loss.

The following examples show how to use the command line:

Initial situation: You are not sure whether your TPM is ready to be updated.
Actions to be done: Check platform details and preconditions without performing the update.
Command line:
  IFXTPMUpdate_TPM12_v0443.com /info

Initial situation:
  • You already know that your TPM can be updated and all preconditions are met.
  • You have a valid Owner Password Backup File.
  • You want to check the update result.
  • You want to manually restart your system later.
Actions to be done: Perform the update with the Owner Password Backup File. Do not restart automatically (omit /restart). Write a log file.
Command line:
  IFXTPMUpdate_TPM12_v0443.com /update /pwdfile:<file> /logfile:<file>

Initial situation: The firmware update failed due to power loss and you want to resume the update process. You want to check the update result.
Actions to be done: Temporarily install the TPM recovery driver. Resume the update. Write a log file.
Command lines:
  IFXTPMUpdate_TPM12_v0443.com /recovery-driver:on /logfile:<file>
  IFXTPMUpdate_TPM12_v0443.com /update /logfile:<file>
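The PowerShell wrapper below is an added example and not part of the Infineon package. It automates the second and third scenarios above in Command Line Mode: it suspends BitLocker on the OS drive if that is still needed, runs /update with an Owner Password Backup File, falls back once to /recovery-driver:on when the TPM driver is unusable, maps the exit code to the Error Codes table, and re-enables the BitLocker protectors whenever the update did not succeed. Two assumptions are not stated on this page: the tool exits with 0 on success and with the 0xE02A.... error value otherwise (PowerShell exposes that value as a signed Int32 in $LASTEXITCODE, hence the hex formatting), and manage-bde prints English status text. The default file names are illustrative.

```powershell
# Added example, not part of the Infineon readme: wrapper for
# IFXTPMUpdate_TPM12_v0443.com in Command Line Mode. Run from an elevated prompt.
# Assumptions: exit code 0 = success, otherwise the 0xE02A.... error value;
# manage-bde output is English; the file names below are placeholders.
param(
    [string]$Tool    = '.\IFXTPMUpdate_TPM12_v0443.com',
    [string]$PwdFile = "$env:USERPROFILE\Documents\Platform1.tpm",   # Owner Password Backup File
    [string]$LogFile = "$env:USERPROFILE\Documents\IFXTPMUpdate.log",
    [string]$Drive   = $env:SystemDrive
)

function Invoke-IfxTool {
    param([string[]]$Arguments)
    # An argument array keeps a path with spaces as one token, which is what the
    # readme's "put the path in quotation marks" rule achieves in cmd.exe.
    & $Tool @Arguments | Out-Host
    return ('{0:X8}' -f $LASTEXITCODE)     # '00000000' on success, e.g. 'E02A0025' on failure
}

function Test-BitLockerProtectionOff {
    # "Protection Off" is printed for both states the readme accepts:
    # fully decrypted and suspended ("encrypted, but protection off").
    if (-not (Get-Command manage-bde.exe -ErrorAction SilentlyContinue)) { return $true }
    $status = & manage-bde.exe -status $Drive | Out-String
    return ($status -match 'Protection Status:\s+Protection Off')
}

if (-not (Test-Path -LiteralPath $PwdFile)) { throw "Owner Password Backup File not found: $PwdFile" }

$updated       = $false
$suspendedByUs = $false
try {
    if (-not (Test-BitLockerProtectionOff)) {
        & manage-bde.exe -protectors -disable $Drive | Out-Host
        $suspendedByUs = Test-BitLockerProtectionOff
        if (-not $suspendedByUs) { throw "Could not suspend BitLocker on $Drive" }
    }

    $code = Invoke-IfxTool @('/update', "/pwdfile:$PwdFile", "/logfile:$LogFile")

    if ($code -eq 'E02A000A') {
        # TPM driver unusable, typically after an interrupted update: install the
        # recovery driver and resume exactly once (third scenario above).
        $null = Invoke-IfxTool @('/recovery-driver:on', "/logfile:$LogFile")
        $code = Invoke-IfxTool @('/update', "/pwdfile:$PwdFile", "/logfile:$LogFile")
    }

    if     ($code -eq '00000000') { $updated = $true }
    elseif ($code -eq 'E02A001B') { Write-Warning 'TPM firmware is already 4.43.257.0 or newer; nothing to do.' }
    elseif ($code -eq 'E02A0020') { Write-Warning 'A restart is pending. Restart, then run this script again.' }
    elseif ($code -eq 'E02A0019') { throw "BitLocker still blocks the update on $Drive." }
    elseif ($code -eq 'E02A0025') {
        # Dictionary-attack lockout: retrying only extends the lockout. Let it
        # expire (and restart if the TPM was also disabled) before trying again.
        throw 'TPM is in dictionary-attack mode; wait for the lockout to expire.'
    }
    else { throw "TPM Firmware Update failed with 0x$code; see $LogFile" }
}
finally {
    if ($updated) {
        # The new firmware takes effect only after a restart. Keep BitLocker
        # suspended across that restart and re-enable the protectors afterwards.
        Write-Host "Firmware written. Restart now, then run: manage-bde.exe -protectors -enable $Drive"
    }
    elseif ($suspendedByUs) {
        # Never leave the volume unprotected after a failed or skipped update.
        & manage-bde.exe -protectors -enable $Drive | Out-Host
    }
}
```

Prefer /pwdfile over /pwd in any automation: a password passed with /pwd is part of the process command line, which every local user can read (for example through Win32_Process), and it may also end up in shell history or job logs. On Windows 7 one of the two options is mandatory anyway. On Windows 8 and later, manage-bde -protectors -disable C: -RebootCount 1 suspends BitLocker for exactly one restart and resumes it automatically, which removes the risk of leaving the volume suspended after the final restart.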



Firmware Update Steps

The firmware update process consists of the following steps:

Set up update process
  Preparations for the firmware update are made. In particular, precautions are taken to block the Shut Down, Hibernate and Sleep functions (if supported by the operating system and allowed by group policy settings).

Initialize update
  The firmware parameters are loaded onto the TPM. The Owner Password is verified.

Perform update
  The firmware of the TPM is overwritten.

Verify update
  The new firmware on the TPM is verified.

Clean up
  Temporary data and settings are deleted. In particular, the actions taken to block the Shut Down, Hibernate and Sleep functions are reverted.

Uninstall TPM recovery driver
  If the TPM recovery driver has been installed and the update was performed successfully, the driver is uninstalled.

Important Notes

Helpful scripts

Here you can find commands that may help you bring your system into a state in which all preconditions for the firmware update are fulfilled.

Display BitLocker Status
  To display the BitLocker drive encryption status and the key protectors used for drive C:
    manage-bde.exe -status C:

Suspend BitLocker
  To suspend BitLocker drive encryption for drive C:
    manage-bde.exe -protectors -disable C:

(Re-)Activate BitLocker
  To (re-)activate BitLocker drive encryption for drive C: after the firmware update was performed:
    manage-bde.exe -protectors -enable C:

Clear the TPM owner
  WARNING: Clearing the TPM resets it to factory defaults. You will lose all created keys and data protected by those keys.
  • To clear the TPM owner in case you do not know the Owner Password and/or it is not available through the operating system.
  • Please note: the last command will restart your computer, which is necessary to clear the TPM owner. If your platform firmware requires physical presence for this operation, it will ask you to confirm the clear request during the restart.
  1. reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /f /v OSManagedAuthLevel /t REG_DWORD /d 4
  2. WMIC /namespace:\\root\cimv2\Security\MicrosoftTpm Path Win32_Tpm Where __RELPATH="Win32_Tpm=@" Call SetPhysicalPresenceRequest 14
  3. shutdown -r -t 15
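The PowerShell function below is an added example and not part of the Infineon package. It performs the same three "Clear the TPM owner" steps as the commands above, but adds the checks a practitioner wants before a destructive physical-presence request: it asks the platform whether operation 14 is available to the operating system at all, checks the return value of the request, and reads the queued request back before restarting. It carries the same WARNING: all keys in the TPM and all data protected by them are lost. One assumption is not stated on this page: the ConfirmationStatus values follow the Win32_Tpm documentation (0 not implemented, 1 BIOS only, 2 blocked by BIOS configuration, 3 allowed with a physically present user confirming at boot, 4 allowed without confirmation).

```powershell
# Added example, not part of the Infineon readme: the readme's "Clear the TPM
# owner" sequence with pre-checks. Run from an elevated prompt. WARNING: this
# wipes all keys in the TPM and all data protected by them.
# Assumption: ConfirmationStatus values 0/1/2 mean "not available to the OS",
# 3 "allowed, user confirms at boot", 4 "allowed without confirmation".

function Request-TpmOwnerClear {
    param([int]$RestartDelaySeconds = 15, [switch]$NoRestart)

    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM found or TPM hidden by BIOS settings.' }

    $op = 14   # physical-presence operation the readme uses to clear the TPM

    # Ask the platform first: a request that the firmware will refuse only
    # costs a reboot and leaves the TPM owned.
    $status = $tpm.GetPhysicalPresenceConfirmationStatus($op)
    if ($status.ReturnValue -ne 0) {
        throw ('GetPhysicalPresenceConfirmationStatus failed: 0x{0:X8}' -f $status.ReturnValue)
    }
    if (@(0, 1, 2) -contains $status.ConfirmationStatus) {
        throw "Operation $op is not available to the OS on this platform (status $($status.ConfirmationStatus)); clear the TPM from BIOS setup instead."
    }

    # Readme step 1: OSManagedAuthLevel 4 makes Windows keep the full owner
    # authorization once the TPM is re-owned, so a later update can use it.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name OSManagedAuthLevel -Type DWord -Value 4

    # Readme step 2: queue the physical-presence request; the platform firmware
    # executes it during the next boot, before the operating system loads.
    $req = $tpm.SetPhysicalPresenceRequest($op)
    if ($req.ReturnValue -ne 0) {
        throw ('SetPhysicalPresenceRequest failed: 0x{0:X8}' -f $req.ReturnValue)
    }
    $pending = $tpm.GetPhysicalPresenceRequest()
    if ($pending.Request -ne $op) {
        throw "Request was not recorded (pending request: $($pending.Request))."
    }
    if ($status.ConfirmationStatus -eq 3) {
        Write-Warning 'The firmware will ask you to confirm the clear operation during the restart.'
    }

    # Readme step 3: the restart is what actually clears the TPM owner.
    if (-not $NoRestart) { shutdown.exe -r -t $RestartDelaySeconds }
}
```

Call Request-TpmOwnerClear to queue the request and restart after 15 seconds, or Request-TpmOwnerClear -NoRestart to queue it and restart yourself later; as with the raw commands, nothing is cleared until the computer has gone through a restart and, where required, the physically present user has confirmed the request.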



Error Codes

The following table lists errors specific to TPM Firmware Update. In Wizard Mode, errors are displayed by the graphical user interface. In Command Line Mode, errors are logged to the console and in the log file if a log file was configured. The exit code of IFXTPMUpdate_TPM12_v0443.com is set accordingly.
Note that not all possible errors are listed here, e.g. no Windows system error codes. Details on Windows system error codes are available on MSDN.

Error Description
0xE028000A TPM command with a bad ordinal was called. An unknown or blocked TPM command was called. Make sure that the TPM_FieldUpdate command is not blocked on your platform.
Make sure that the default settings in the Command Management of Microsoft Trusted Platform Module (TPM) Management have not been changed.
0xE02A0001 An internal error occurred. Contact your system administrator.
0xE02A0002 A Trusted Platform Module (TPM) error occurred. Contact your system administrator.
0xE02A0003 A Trusted Software Stack (TSS) error occurred. Consider repairing, reinstalling or updating the software which accesses the TPM, e.g. the Infineon TPM Driver or the TPM Base Services provided by Windows 7 or higher.
0xE02A0004 You do not have permission to perform this operation. Make sure that you have administrative rights.
0xE02A0005 Another instance of TPM Firmware Update is already running. Do not start TPM Firmware Update while the same program is already running.
0xE02A0007 A wrong command line was specified. Make sure to specify correct parameters (see Command Line Mode).
0xE02A0008 No Trusted Platform Module was found. Check whether your system has a TPM (see Requirements). Make sure that the system BIOS settings do not hide the TPM.
0xE02A0009 No connection to the Trusted Platform Module can be established. Consider repairing, reinstalling or updating the software which accesses the TPM, e.g. the Infineon TPM Driver or the TPM Base Services provided by Windows 7 or higher.
0xE02A000A TPM device driver or TPM Base Services are missing, not functional, or do not meet TPM Firmware Update requirements. TPM Firmware Update requires either TPM Base Services with a suitable Microsoft TPM Driver or an Infineon TPM Driver. No suitable software could be found on your system.
To install a compatible driver, specify the /recovery-driver:on parameter in Command Line Mode, or start TPM Update Wizard. See Command Line Mode and Important Notes.
0xE02A000B TPM recovery driver could not be installed or installation requires a restart. Install the TPM recovery driver manually if the error is still reported after a restart.
0xE02A000C TPM recovery driver could not be uninstalled. Uninstall the TPM recovery driver manually (see Important Notes).
0xE02A000D Trusted Platform Module vendor is not supported. Check whether your system has a Trusted Platform Module as specified in the Requirements.
0xE02A000E TPM Firmware Update does not include a matching firmware for your Trusted Platform Module. Contact your vendor to find out whether there is a suitable TPM Firmware Update. Include the TPM and firmware detail info in your query, as shown on the "Check platform details" wizard page.
0xE02A000F A wrong Owner Password was specified. Make sure to specify the correct Owner Password. In Wizard Mode, type the correct password on "Provide the Owner Password" page. In Command Line Mode, specify the correct password using the /pwd:<password> parameter.
0xE02A0010 The content of the specified Owner Password Backup File does not match the current Owner Password. The specified file could be found and identified as a valid Owner Password Backup File. But the file content does not match the current Owner Password.
Make sure to specify the correct Owner Password Backup File. In Wizard Mode, specify the correct file on "Provide the Owner Password" page. In Command Line Mode, specify the correct file using the /pwdfile:<file> parameter.
0xE02A0011 The specified Owner Password Backup File does not exist, cannot be opened, or is not a valid Owner Password Backup File. Make sure to specify the correct file path of an existing Owner Password Backup File. In Wizard Mode, specify the correct file on "Provide the Owner Password" page. In Command Line Mode, specify the correct file using the /pwdfile:<file> parameter.
0xE02A0012 An invalid log file path was specified. The specified file path is either invalid, or the file cannot be created or accessed due to missing permissions.
In Command Line Mode, use the /logfile:<file> parameter to specify a valid file path of a file in a folder where you have permission to create or access a file.
0xE02A0013 Multiple TPM Firmware Update preconditions are not met. Start TPM Firmware Update in Wizard Mode. The "Check platform details" wizard page will display all preconditions which are not met (see Preconditions).
0xE02A0014 TPM Owner is not set. See Preconditions, "TPM is enabled and TPM Owner is set".
0xE02A0015 TPM is not enabled. See Preconditions, "TPM is enabled and TPM Owner is set".
0xE02A0016 System is running on battery. See Preconditions, "Power cord is plugged".
0xE02A0017 Update not allowed by policy settings. See Preconditions, "TPM Firmware Update is not prohibited by group policy settings".
0xE02A0018 Shutdown, Hibernate and Sleep cannot be blocked, or blocking of Shutdown, Hibernate and Sleep cannot be reverted. See Preconditions, "Shut Down, Hibernate and Sleep can be blocked".
0xE02A0019 BitLocker Drive Encryption blocks update. See Preconditions, "BitLocker Drive Encryption is off or suspended".
0xE02A001A The Owner Password cannot be retrieved from the operating system. The Owner Password is not stored by the operating system (Windows 10). In Command Line Mode either use parameter /pwdfile:<file> or /pwd:<password> to specify the Owner Password.
0xE02A001B Your TPM already runs the firmware included with this version of TPM Firmware Update or newer. Contact your vendor to find out whether there is a suitable TPM Firmware Update. Include the TPM and firmware detail info in your query, as shown on the "Check platform details" wizard page.
0xE02A001C The maximum allowed number of firmware updates has been reached. No further TPM firmware update possible because the maximum allowed number of firmware updates for your system has been reached. Contact your system administrator.
0xE02A001E Administrative rights weren't given during device driver installation. Start the program as an administrator.
0xE02A001F Administrative rights weren't given during device driver uninstallation. Start the program as an administrator.
0xE02A0020 A system restart is pending. To finalize the firmware update or the TPM recovery driver uninstallation a system restart is required.
0xE02A0021 The TPM recovery driver status cannot be obtained. Contact your system administrator.
0xE02A0023 The TPM does not have an owner. Take ownership of the TPM before updating the TPM firmware.
0xE02A0024 The firmware update is not applicable to the SLB model of this TPM. Contact your vendor to find out whether there is a suitable TPM Firmware Update. Include the TPM and firmware detail info in your query, as shown on the "Check platform details" wizard page.
0xE02A0025 TPM is in Dictionary Attack mode. Due to multiple failed attempts to provide a valid Owner Password, the TPM is locked to prevent a dictionary attack.
The TPM will be unlocked automatically after a certain amount of time. The exact time depends on how many failed attempts have been registered. Do not retry in a loop: every further failed attempt extends the lockout.
Note: Depending on your TPM configuration, the TPM may not only be locked but also temporarily disabled. In that case a restart is required in addition to waiting out the lockout time.
