Flash your Lenovo Ideapad laptop BIOS from Linux using UEFI capsule updates

Christophe Beyls
7 min readJul 14, 2018

--

I’m the happy owner of a Lenovo Ideapad laptop (model 710S-13IKB). It’s comparable to the Dell XPS 13 and runs beautifully under Linux, but one detail has always been bugging me: Lenovo only provides BIOS updates for its Ideapad laptops in the form of Windows 10 executable files. System firmware updates are important, especially to mitigate newly found vulnerabilities like Meltdown and Spectre. Since I wiped Windows off my machine a long time ago, I was wondering if there was an alternative (and secure) way to flash firmware updates on it.

And it turns out there is! After months of investigation, I found an elegant and stable update procedure which doesn’t require Windows at all. It doesn’t even need the creation of a bootable USB key: everything is done from the existing Linux installation. How is that possible? Let me introduce you to an interesting new feature of the UEFI specification.

Different machines, different firmware updates

Many latop brands like Dell or Asus provide firmware files that you can put on a USB key and flash from an update application located in the BIOS menu itself. Lenovo does not. Instead, they give you two options:

  • For the higher-end ThinkPad series inherited from IBM, they provide bootable CD images that can be turned into bootable USB keys. That’s another good OS-agnostic solution.
  • For the Ideapad and Yoga series, you’re stuck with a Windows executable file. The contents of this file and the actual flashing procedure varies depending on the BIOS/Firmware brand.

If you have a modern machine with a Phoenix firmware, chances are that the Windows executable contains the update in the form of an UEFI Capsule Update.

Capsule what?

When a firmware is distributed in that form, the update program won’t flash it directly under Windows. Instead, it will delegate the task to the standard UEFI update mechanism called Capsule Update. In practice, it will ask the operating system to copy an update file to the system partition then program the UEFI to verify this update and install it after the next reboot of the machine, before the operating system starts.

This standard update system is part of the UEFI 2.5 specification released in 2015 and is also available for Linux thanks to efforts from Intel and Red Hat. To be able to use it, your Linux distribution must already boot in UEFI mode from a disk including an EFI system partition.

Compatible models

I compiled the following list of Lenovo laptops which come with a firmware update in the form of a Capsule Update installer. If you find more (including from other brands), please mention them in the comments.

700–15ISK, 700–17ISK
710S-13ISK, 710S-13IKB
720S-15IKB, 720S Touch-15IKB
E42–80, E52–80, E53–80
300S-14ISK, 500S-14ISK, Edge 2–1580, Flex 3–1480, Flex 3–1580, Yoga 500–14ISK, Yoga 500–15ISK
720–15IKB (Type 81AG)
K21–80, K22–80, K32–80
K41–80/M41–80
XiaoXin Rui7000
Rescuer E520–15IKB
V110–14IAP, V110–15IAP
V110–15IKB, V110–15ISK
V310–14IKB, V310–15IKB, V510–14IKB, V510–15IKB
V310–14ISK, V310–15ISK
V330–15IKB, V330–15ISK
V730–13IKB, V730–13ISK
V730–15IKB

Step 1: locate and extract the firmware update file

Go to the Lenovo support website and download the latest BIOS executable file for your machine. This is actually a Windows self-extracting archive built using Inno Setup. You can extract the files in these archives using the command line tool innoextract which is available for many Linux distributions. I’m using Arch Linux so I install it using pacman:

pacman -S innoextract

Now let’s extract the files:

Warning: Make sure you use the latest version of innoextract which is compatible with BIOS update executable files generated by Inno Setup version 6.0.0, the version that Lenovo is currently using.

If you have a compatible model you will find a .cap file, which is the file format for UEFI Capsule Updates. Keep that file and delete the rest.

Step 2: install the UEFI Linux firmware update tools

There is a high-level tool called fwupd which allows to automatically detect, download and install updates from the Linux Vendor Firmware Service. This tool also integrates with the Gnome Software graphical user interface in order to display firmware updates next to regular software updates.

Unfortunately, there are only a handful of machines supported on that site at the time of this writing, mostly from Dell. Other vendors don’t (yet) make the effort of publishing their software updates for Linux users.

Instead of the fwupd daemon and its companion tool fwupdmgr, we’re going to use a lower-level tool called fwupdate. It’s normally installed along with fwupd, but on some Linux distributions you may have to install it separately.

pacman -S fwupd

On Arch Linux, fwupdate is located in: /usr/lib/fwupd/fwupdate.

We can use this tool to check if our machine provides a firmware compatible with Capsule Updates:

If nothing shows up for you, your firmware or your Linux kernel is not compatible and you can’t go any further. Otherwise, copy the GUID number of your system firmware for the next step.

Step 3: flash the firmware!

Now it’s time to prepare and schedule the update for the next system reboot, using our extracted .cap file and the GUID noted above:

sudo fwupdate -a {e20bafd3-9914-4f4f-9537-3129e090eb3c} ./3HCN24WW.cap --esp-path=/boot

Note that I manually specify the ESP path which defaults to /boot/efi. Use the appropriate path for your Linux installation.

If you see no error message, all went well. You can check that the update is pending using the following command:

Plug your laptop to a power source before rebooting or the update will be cancelled and you’ll have to repeat the last step.

Reboot. Now go to the BIOS setup menu of your machine (for Lenovo laptops, press F2 or Fn + F2 at boot time) and make sure the “Linux-Firmware-Updater” entry is moved first in the “Boot Priority Order”.

Save and exit. Now the updater will kick in, load the Capsule Update file into RAM, verify it and restart the machine again.

Wait for it…

Hold your breath during the actual flashing procedure.

Pardon the blurry image, I was shaking with excitement and fear.

Success! Your machine has just been updated to its latest firmware.

Step 4: reconfigure the BIOS to boot Linux again

Now the system won’t boot. Don’t panic, it’s just because the BIOS settings have been reset to the factory defaults. You need to configure a few things to put Linux back in charge. At boot, enter the BIOS menu by pressing Fn + F2.

In the “Configuration” tab, put the “SATA Controller Mode” back to AHCI because Linux can’t boot in RAID mode. You can also enable “Intel Virtual Technology” if you’re using KVM (it’s used by virtualization and emulation software).

Next, in the “Security” tab disable “Secure Boot”. Only Windows and a few Linux distributions provide a suitably signed boot loader.

In the “Boot” tab, you’ll notice that the Linux boot loader entry is gone as well, but that shouldn’t be a problem because most systems will attempt to detect previously installed UEFI boot loaders automatically from the disks. Save and exit and your machine should boot back into your Linux installation. If it doesn’t, you can always use a bootable Linux USB stick for the next step.

Step 5: restore the UEFI boot entry

If you want to add back the Linux option in your UEFI boot menu, the simplest way is to reinstall your boot loader. Check the documentation of your Linux distribution to find the correct procedure, which usually consists of a single command line. Many distributions install GRUB2 by default; I prefer using systemd-boot for simplicity.

Everything is back to normal.

I’m excited to see that there are now better options to safely and quickly update our machine firmwares from Linux. I’m waiting for more manufacturers to publish their updates on the Linux Vendor Firmware Service or for a community effort to appear. In the meantime, you can always use this procedure to download, extract and install the update files yourself, if you own a compatible system. Happy flashing!

--

--

Christophe Beyls

Android developer from Belgium, blogging about advanced programming topics.