Flash your Lenovo Ideapad laptop’s BIOS from Linux using UEFI capsule updates
Flash your Lenovo Ideapad laptop's BIOS from Linux using UEFI capsule updates
I recently purchased a Lenovo Ideapad laptop (model 710S-13IKB). It’s equivalent to the Dell XPS 13 and performs admirably under Linux, but one feature has always irritated me: Lenovo exclusively delivers BIOS upgrades for its Ideapad notebooks in the form of Windows 10 executable files. System firmware upgrades are critical, especially for mitigating newly discovered vulnerabilities like Meltdown and Specter. I was wondering if there was an alternate (and secure) way to flash firmware updates on my system since I wiped Windows off a long time ago.
And, as it happens, there is! After months of research, I discovered an elegant and consistent updating technique that does not require Windows at all. It doesn’t even require the manufacture of a bootable USB key; everything is accomplished using the current Linux installation. How is this even possible? Let me introduce you to an intriguing new UEFI standard feature.
Various devices, various firmware upgrades
Many laptop manufacturers, such as Dell and Asus, give firmware files that you may store on a USB key and flash using an update program found in the BIOS menu. Lenovo, however, does not. Instead, they provide you with two options:
- They supply bootable CD images that may be converted into bootable USB keys for the higher-end ThinkPad series inherited from IBM. That’s another nice OS-independent option.
- You’re stuck with a Windows executable file for the Ideapad and Yoga series. The contents of this file, as well as the actual flashing operation, differ based on the manufacturer of BIOS/Firmware.
If you have a contemporary system with Phoenix firmware, the update is most likely included in the Windows executable as a UEFI Capsule Update.
What is a capsule?
When the firmware is delivered in this format, the update software will not immediately flash it under Windows. Instead, it will transfer the operation to Capsule Update, a common UEFI update mechanism. In practice, it will request that the operating system copy an updated file to the system partition, and then instruct the UEFI to check and install the update after the next reboot of the computer before the operating system begins.
This standard update system is part of the UEFI 2.5 specification, which was released in 2015, and it is also accessible for Linux owing to Intel and Red Hat’s work. To utilize it, your Linux distribution must already be able to boot in UEFI mode from a disc containing an EFI system partition.
Models that are compatible
I’ve prepared a list of Lenovo laptops that have a firmware upgrade in the form of a Capsule Update installer. Please leave a comment if you locate any more (even from other manufacturers).
700–15ISK, 700–17ISK
710S-13ISK, 710S-13IKB
720S-15IKB, 720S Touch-15IKB
E42–80, E52–80, E53–80
300S-14ISK, 500S-14ISK, Edge 2–1580, Flex 3–1480, Flex 3–1580, Yoga 500–14ISK, Yoga 500–15ISK
720–15IKB (Type 81AG)
K21–80, K22–80, K32–80
K41–80/M41–80
XiaoXin Rui7000
Rescuer E520–15IKB
V110–14IAP, V110–15IAP
V110–15IKB, V110–15ISK
V310–14IKB, V310–15IKB, V510–14IKB, V510–15IKB
V310–14ISK, V310–15ISK
V330–15IKB, V330–15ISK
V730–13IKB, V730–13ISK
V730–15IKB
The first step is to find and extract the firmware upgrade file.
Download the most recent BIOS executable file for your computer from the Lenovo support page. This is a Windows self-extracting archive created with Inno Setup. The files in these archives can be extracted using the command line utility innoextract, which is available for many Linux variants. Because I’m running Arch Linux, I install it with Pacman:
Pacman -S innoextract
Let us now extract the files:
Warning: Use the most recent version of innoextract, which is compatible with BIOS update executable files created by Inno Setup version 6.0.0, which Lenovo is presently utilizing.
If your model is compatible, you’ll discover the .cap file, which is the file format for UEFI Capsule Updates. Keep that file and discard the others.
Step 2: Download and install the UEFI Linux firmware upgrade tools
There is a high-level utility called found that can detect, download, and install updates from the Linux Vendor Firmware Service automatically. This program also connects with the Gnome Software graphical user interface, allowing firmware updates to be shown alongside standard software updates.
Unfortunately, at the time of writing, just a few computers, largely from Dell, are supported on that site. Other suppliers do not (yet) go to the trouble of distributing software updates for Linux customers.
Instead of the fwupd daemon and its companion program fwupdmgr, we’ll utilize fwupdate, a lower-level utility. It is often installed with fwupd, however, on some Linux distributions, it may be necessary to install it independently.
Pacman -S fwupd
fwupdate is found at /usr/lib/fwupd/fwupdate on Arch Linux.
We may utilize this tool to see if our computer has firmware that is compatible with Capsule Updates:
If nothing appears for you, your firmware or Linux kernel is incompatible, and you cannot proceed. Otherwise, copy your system firmware’s GUID number for the following step.
Step 3: Install the firmware
Now, using our extracted.cap file and the above-mentioned GUID, we can prepare and schedule the update for the next system reboot:
sudo fwupdate -a {e20bafd3-9914-4f4f-9537-3129e090eb3c} ./3HCN24WW.cap —esp-path=/boot
It’s worth noting that I override the ESP path, which is set to /boot/efi by default. Choose the correct path for your Linux installation.
If you don’t observe any error messages, everything went smoothly. You may use the following command to see if an update is pending:
If you don’t connect your laptop to a power source before restarting, the update will be canceled and you’ll have to repeat the previous step.
Reboot. Now, go to your machine’s BIOS settings menu (for Lenovo laptops, press F2 or Fn + F2 at boot time) and make that the “Linux-Firmware-Updater” entry is pushed to the top of the “Boot Priority Order.”
Save your work and depart. The updater will now take over, loading the Capsule Update file into RAM, verifying it, and restarting the computer.
During the flashing operation, hold your breath.
Success! Your system has just received an update to the most recent firmware.
Step 4: Reconfigure the BIOS so that Linux can boot again.
The system will no longer boot. Don’t be alarmed; this is just because the BIOS settings have been reset to factory defaults. A few settings must be changed to restore Linux’s control. At boot, press Fn + F2 to access the BIOS menu.
Because Linux cannot boot in RAID mode, change the “SATA Controller Mode” back to AHCI in the “Configuration” tab. If you’re using KVM, you may also enable “Intel Virtual Technology” (which is utilized by virtualization and emulation applications).
Then, in the “Security” tab, uncheck “Secure Boot.” Only Windows and a few Linux variants include a boot loader that is properly signed.
The Linux boot loader item has also been removed from the “Boot” tab, although this should not be a problem because most systems would attempt to detect previously installed UEFI boot loaders automatically from drives. After you save and quit, your system should boot into your Linux installation. If it doesn’t, you may always proceed with the following step by using a bootable Linux USB stick.
Step 5: reenable the UEFI boot entry
The quickest approach to restore the Linux option in your UEFI boot menu is to replace your boot loader. Check your Linux distribution’s documentation for the right approach, which generally consists of a single command line. Many distributions include GRUB2 by default; however, for convenience, I prefer system-boot.
