Flash your Lenovo Ideapad laptop BIOS from Linux using UEFI capsule updates

I’m the happy owner of a Lenovo Ideapad laptop (model 710S-13IKB). It’s comparable to the Dell XPS 13 and runs beautifully under Linux, but one detail has always been bugging me: Lenovo only provides BIOS updates for its Ideapad laptops in the form of Windows 10 executable files. System firmware updates are important, especially to mitigate newly found vulnerabilities like Meltdown and Spectre. Since I wiped Windows off my machine a long time ago, I was wondering if there was an alternative (and secure) way to flash firmware updates on it.

And it turns out there is! After months of investigation, I found an elegant and stable update procedure which doesn’t require Windows at all. It doesn’t even need the creation of a bootable USB key: everything is done from the existing Linux installation. How is that possible? Let me introduce you to an interesting new feature of the UEFI specification.

Different machines, different firmware updates

  • For the higher-end ThinkPad series inherited from IBM, Lenovo provides bootable CD images that can be turned into bootable USB keys. That’s another good OS-agnostic solution.
  • For the Ideapad and Yoga series, you’re stuck with a Windows executable file. The contents of this file and the actual flashing procedure vary depending on the BIOS/Firmware brand.

If you have a modern machine with a Phoenix firmware, chances are that the Windows executable contains the update in the form of a UEFI Capsule Update.

Capsule what?

This standard update system is part of the UEFI 2.5 specification released in 2015 and is also available for Linux thanks to efforts from Intel and Red Hat. To be able to use it, your Linux distribution must already boot in UEFI mode from a disk including an EFI system partition.

Compatible models

700-15ISK, 700-17ISK
710S-13ISK, 710S-13IKB
720S-15IKB, 720S Touch-15IKB
E42-80, E52-80, E53-80
300S-14ISK, 500S-14ISK, Edge 2-1580, Flex 3-1480, Flex 3-1580, Yoga 500-14ISK, Yoga 500-15ISK
720-15IKB (Type 81AG)
K21-80, K22-80, K32-80
XiaoXin Rui7000
Rescuer E520-15IKB
V110-14IAP, V110-15IAP
V110-15IKB, V110-15ISK
V310-14IKB, V310-15IKB, V510-14IKB, V510-15IKB
V310-14ISK, V310-15ISK
V330-15IKB, V330-15ISK
V730-13IKB, V730-13ISK

Step 1: locate and extract the firmware update file

pacman -S innoextract

Now let’s extract the files:

Warning: Make sure you use the latest version of innoextract which is compatible with BIOS update executable files generated by Inno Setup version 6.0.0, the version that Lenovo is currently using.

If you have a compatible model you will find a .cap file, which is the file format for UEFI Capsule Updates. Keep that file and delete the rest.
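
Before flashing, it is worth confirming that the extracted file is complete and seeing which firmware GUID it targets. The script below is an added example, not part of the original article or of any Lenovo or fwupd tooling; it assumes the .cap file begins with the standard EFI_CAPSULE_HEADER from the UEFI specification, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): decode the 28-byte EFI_CAPSULE_HEADER.
# Layout per the UEFI spec:
#   EFI_GUID CapsuleGuid; UINT32 HeaderSize; UINT32 Flags; UINT32 CapsuleImageSize;
# Assumption: the .cap file starts with this header; a vendor file may not.

# le32 b0 b1 b2 b3 -> decimal value of a little-endian 32-bit field
le32() { echo $((0x$4$3$2$1)); }

# capsule_header FILE -> "guid header_size flags image_size"
capsule_header() {
    # Word splitting of the od output into one hex byte per argument is intended.
    set -- $(od -An -v -tx1 -N28 "$1")
    [ $# -eq 28 ] || return 1            # shorter than a capsule header
    # The first three GUID fields are little-endian; the last 8 bytes are as stored.
    guid="$4$3$2$1-$6$5-$8$7-$9${10}-${11}${12}${13}${14}${15}${16}"
    printf '%s %s 0x%08x %s\n' "$guid" \
        "$(le32 "${17}" "${18}" "${19}" "${20}")" \
        "$(le32 "${21}" "${22}" "${23}" "${24}")" \
        "$(le32 "${25}" "${26}" "${27}" "${28}")"
}

# capsule_check FILE -> 0 if HeaderSize is sane and CapsuleImageSize == file size
# (a truncated or padded download fails this check)
capsule_check() {
    hdr=$(capsule_header "$1") || return 1
    set -- $hdr $(wc -c < "$1")          # $2=HeaderSize $4=CapsuleImageSize $5=file size
    [ "$2" -ge 28 ] && [ "$4" -eq "$5" ]
}

# Stand-alone use: sh capsule.sh ./update.cap
if [ -f "${1:-}" ]; then
    capsule_header "$1" || echo "no capsule header found" >&2
    capsule_check "$1" && echo "size matches header" || echo "size mismatch" >&2
fi
```

The printed GUID can be compared with the system firmware GUID obtained in Step 2. Flag bits 0x00010000, 0x00020000 and 0x00040000 mean persist across reset, populate system table and initiate reset.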

Step 2: install the UEFI Linux firmware update tools

Unfortunately, there are only a handful of machines supported on the Linux Vendor Firmware Service at the time of this writing, mostly from Dell. Other vendors don’t (yet) make the effort of publishing their software updates for Linux users.

Instead of the fwupd daemon and its companion tool fwupdmgr, we’re going to use a lower-level tool called fwupdate. It’s normally installed along with fwupd, but on some Linux distributions you may have to install it separately.

pacman -S fwupd

On Arch Linux, fwupdate is located in: /usr/lib/fwupd/fwupdate.

We can use this tool to check if our machine provides a firmware compatible with Capsule Updates:

If nothing shows up for you, your firmware or your Linux kernel is not compatible and you can’t go any further. Otherwise, copy the GUID number of your system firmware for the next step.
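
The kernel exposes the firmware's updatable components (the EFI System Resource Table) under sysfs, so the requirements mentioned so far can also be checked directly: UEFI boot mode, a system firmware GUID, and AC power. The script below is an added example, not part of the original article or of fwupd; its function names are hypothetical and the directory arguments exist only so the logic can be run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks before a capsule update.
# Function names are hypothetical. Reading the real ESRT files requires root.

# esrt_system_guids [entries_dir]
# Prints "{guid} version=N lowest=N last_status=N" per system-firmware entry.
esrt_system_guids() {
    dir="${1:-/sys/firmware/efi/esrt/entries}"
    [ -d "$dir" ] || return 1
    found=1
    for e in "$dir"/entry*; do
        [ -r "$e/fw_class" ] || continue
        # fw_type: 0 unknown, 1 system firmware, 2 device firmware, 3 UEFI driver
        [ "$(cat "$e/fw_type")" = "1" ] || continue
        printf '{%s} version=%s lowest=%s last_status=%s\n' \
            "$(cat "$e/fw_class")" "$(cat "$e/fw_version")" \
            "$(cat "$e/lowest_supported_fw_version")" \
            "$(cat "$e/last_attempt_status")"
        found=0
    done
    return "$found"
}

# ac_online [power_supply_dir] -> 0 if a mains adapter reports online=1
ac_online() {
    for p in "${1:-/sys/class/power_supply}"/*; do
        [ "$(cat "$p/type" 2>/dev/null)" = "Mains" ] || continue
        [ "$(cat "$p/online" 2>/dev/null)" = "1" ] && return 0
    done
    return 1
}

preflight() {
    [ -d /sys/firmware/efi ] || { echo "not booted in UEFI mode" >&2; return 1; }
    esrt_system_guids || { echo "no system firmware in ESRT (are you root?)" >&2; return 1; }
    ac_online || { echo "AC adapter not connected" >&2; return 1; }
}

# Stand-alone use: sudo sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```

The GUID is printed in braces, the same form used on the fwupdate command line in the next step.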

Step 3: flash the firmware!

sudo fwupdate -a {e20bafd3-9914-4f4f-9537-3129e090eb3c} ./3HCN24WW.cap --esp-path=/boot

Note that I manually specify the ESP path which defaults to /boot/efi. Use the appropriate path for your Linux installation.

If you see no error message, all went well. You can check that the update is pending using the following command:

Plug your laptop into a power source before rebooting or the update will be cancelled and you’ll have to repeat the last step.

Reboot. Now go to the BIOS setup menu of your machine (for Lenovo laptops, press F2 or Fn + F2 at boot time) and make sure the “Linux-Firmware-Updater” entry is moved first in the “Boot Priority Order”.

Save and exit. Now the updater will kick in, load the Capsule Update file into RAM, verify it and restart the machine again.

Wait for it…

Hold your breath during the actual flashing procedure.

Pardon the blurry image, I was shaking with excitement and fear.

Success! Your machine has just been updated to its latest firmware.

Step 4: reconfigure the BIOS to boot Linux again

In the “Configuration” tab, put the “SATA Controller Mode” back to AHCI because Linux can’t boot in RAID mode. You can also enable “Intel Virtual Technology” if you’re using KVM (it’s used by virtualization and emulation software).

Next, in the “Security” tab disable “Secure Boot”. Only Windows and a few Linux distributions provide a suitably signed boot loader.

In the “Boot” tab, you’ll notice that the Linux boot loader entry is gone as well, but that shouldn’t be a problem because most systems will attempt to detect previously installed UEFI boot loaders automatically from the disks. Save and exit and your machine should boot back into your Linux installation. If it doesn’t, you can always use a bootable Linux USB stick for the next step.

Step 5: restore the UEFI boot entry

Everything is back to normal.

I’m excited to see that there are now better options to safely and quickly update our machine firmwares from Linux. I’m waiting for more manufacturers to publish their updates on the Linux Vendor Firmware Service or for a community effort to appear. In the meantime, you can always use this procedure to download, extract and install the update files yourself, if you own a compatible system. Happy flashing!

Android developer from Belgium, blogging about advanced programming topics.