Re: GK3 Secure boot bios update
Posted: Wed Nov 03, 2021 1:37 pm
Sorry to read this; now we know why the BIOS hasn't been given out. Hope you get it fixed.
Technology Lights Up Your Life. You can find everything about your mini PC here.
https://minipcunion.net/
Because version 03/2020 contains "secure boot" and can upgrade to Win11; my version is 03/2021, does not contain Secure Boot and cannot upgrade to Win11.
simonelombardo wrote: ↑Thu Nov 04, 2021 8:53 pm
By the way, for the sake of transparency, I'll write out the steps I followed to make that unchecksummed BIOS mod from my previous post (viewtopic.php?p=5252#p5252), in case someone wants to try it. Personally, the recovery screen is annoying, but if the unit is kept on, it's a minor issue.
Firstly: it's not a Secure Boot compliant mode (no Secure Boot signing check is performed because no OEM keys are enrolled); it just passes the Windows 11 check. I don't have compiled Setup and AmiTse modules for the ACEPC builds (for the same reason, I asked for a copy of the BIOS, because they can be extracted to get control over the Secure Boot policy).
The GigaDevice flash device has several memory areas:
- the main BIOS program (the one that runs your system),
- the shadow BIOS program (the last checksummed copy of your BIOS),
- the EC program (the one that governs fan and power management),
- the bootblock area (the very piece of code that checks whether the main BIOS program is damaged / checksummed correctly and initializes crisis mode for BIOS recovery... though it seems to actually check for an ATAPI CD-ROM...),
- the NVRAM area (which stores the EFI variables and keys),
- the FTL + ME microcode area (which uploads the microcode updates to the CPU and the fTPM module).
It's a pretty standard structure for a UEFI BIOS.
For now it's textual, because it's the best I could do while I'm away from home.
1. First, download the AMI Tool V AMI Firmware Update utility, available here: https://www.ami.com/products/firmware-t ... utilities/
2. Run it, press Save and back up your BIOS to a file. The dump should be 8 MB, the size of the main BIOS program area on the GigaDevice flash chip. This is very important for reverting the procedure.
3. Then make a second copy of the BIOS dump to use as a base for the mod.
4. Download MMTool 5.02.0025 (https://www.mediafire.com/file/x6hxxemx ... 5.rar/file). This program extracts, replaces and inserts UEFI modules in the BIOS dump. It also generates incorrect checksums on the BIOS image, which is the cause of the recovery screen at each boot (because the bootblock detects it), but it is also what keeps the shadow BIOS area untouched. Reflashing the original BIOS clears the recovery screen.
5. Take a reference BIOS. It's better if it comes from the same line-up as your original BIOS, but a BIOS from a similar architecture could work (like the ASRock J4125-ITX one I took as an example: https://www.asrock.com/MB/Intel/J4125-I ... t.asp#BIOS).
6. Open the reference BIOS with MMTool. A list of modules will appear; use "Extract As Is" to extract the following UEFI modules from your reference BIOS (e.g. the BIOS from point 5):
- SecureBootDXE (the core of the Secure Boot functionality)
- NVRamDxe (it kicks off the SecureBootDXE initialization and creates the NVRAM variable that Windows checks)
These are the bare minimum for initialization. There are other components involved in Secure Boot (NvramSmm, AmiRedFishApiDXE, Setup, AMITSE), but these are highly vendor-specific, so don't use them or the system will hang.
7. Open the copy of your BIOS dump with MMTool, select the NvRAMDxe module from the list and use the Replace tab to replace it with the NvramDXE module from the reference BIOS.
8. With NvramDXE still selected (very important, to keep the same volume), choose "Insert As Is" for the SecureBootDXE module. It will be put at the bottom of the volume.
9. Then choose Save Image, and the modules are replaced in your BIOS copy.
If flashed in this state, rebooting the system kicks off the recovery process with the message "ROM image not loaded". Actually it's the bootblock finding the incorrect checksum, but the flashed BIOS is loaded and the CMOS variables are set to fail-safe mode. If Windows is booted at this stage, the Windows 11 health check finds Secure Boot but the fTPM disabled, because the fail-safe settings from the freshly modded main BIOS image prevent it from being enabled.
So we need to set the fTPM fail-safe default to enabled. To do this:
10. Use AMIBCP 5.02.0031 (https://www.mediafire.com/file/ckao23pe ... 1.rar/file) and open your freshly modded BIOS dump.
11. Expand the menu, search the Setup entries for the fTPM entries and change the setting from Disabled to Enabled.
12. Save the image.
Now you can flash it:
13. Open the AMI Tool V firmware utility and open the modded flash image.
14. Very important: keep only "Main BIOS Program" selected in the program (the NVRAM, microcode and other checkboxes NEED to be disabled, so as not to overwrite data we don't have a backup of) and flash it.
On the next reboot you are welcomed by the recovery screen; choose Save User Default Settings and boot. You should have the Windows Health Check test passing.
To revert and clear the recovery screen, just flash your main BIOS program backup and it returns to how it was.
I think keeping the shadow BIOS untouched by feeding it the incorrect checksum is a safety measure for now, but caveat emptor: I'm just a random guy on the internet; I can't, and won't, force anyone to trust me.
Let's hope someone will give you the info needed to sort out Windows 11. From spending time here, it's not coming from ACEPC; their after-sales has been pathetic.
simonelombardo wrote: ↑Fri Nov 05, 2021 5:42 am
Thanks a lot for the test. Added a point: together with the fTPM, check with AMIBCP whether the AHCI entries are enabled as fail-safe and CSM (Legacy and Dual mode) is disabled. Windows 11 and a Secure Boot compliant system implicitly require it, but Secure Boot initialization also happens in CSM mode. Windows Health Check probably does not check for it.
If it fails, could you share the Windows Update log so I can check what it's checking? Thanks. I'll try to run it as well when I get back. If it signals that key management is missing, it could be enrolled manually, as I have done on a GNU/Linux distribution.
Also, Secure Boot is starting in Setup Mode (not User Mode), since the OEM keys are missing: the AmiTSE and Setup modules from the newly released build
(or from the GK1 / AK3 with Secure Boot entries) would be a big help here.
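Added example for the "unchecksummed mod" discussion above (not from either poster, and not AMI or MMTool code): the integrity fields a module-editing tool has to recompute after an extract/replace/insert are the PI-spec firmware volume header checksum (the 16-bit words of the header sum to zero) and the per-file FFS header and data checksums (8-bit sums). The script builds a constructed volume from made-up GUIDs and bodies, shows that changing one byte of a module body without recomputing trips the data checksum, and then recomputes all of them. Whether the ACEPC bootblock tests exactly these fields is an assumption; the thread only says a tool-modified image fails its checksum. The 8c8ce578-... GUID is the real FFS2 filesystem GUID; every other GUID, body and offset in the sample is invented.

```python
"""Verify and recompute the PI-spec integrity fields of a UEFI firmware volume (FV):
the 16-bit FV header checksum and the 8-bit FFS file header/data checksums.
Added example for this thread, not the poster's tooling and not AMI/MMTool code."""
import struct, uuid

FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FV_FIXED = struct.Struct("<16s16sQ4sIHHHBB")  # 56-byte fixed part, then BlockMap[] entries
FV_CHECKSUM_OFFSET = 50                       # UINT16 Checksum field inside the fixed part
FFS_HDR = struct.Struct("<16sBBBB3sB")        # Name, HdrCk, FileCk, Type, Attr, Size[3], State
FFS_ATTRIB_CHECKSUM = 0x40
FFS_FIXED_CHECKSUM = 0xAA                     # FileCk value when the attribute is clear
FV_ERASE_POLARITY = 0x0800                    # erased flash reads as 0xFF
FFS_STATE_VALID = 0xF8                        # construction|header|data valid under polarity 1

def sum8(data):
    return sum(data) & 0xFF
def sum16le(data):
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def build_ffs_file(name, ftype, body, checksum_body=True):
    """One FFS file with correct header and data checksums (constructed data)."""
    size = (FFS_HDR.size + len(body)).to_bytes(3, "little")
    attrs = FFS_ATTRIB_CHECKSUM if checksum_body else 0
    file_ck = (-sum(body)) & 0xFF if checksum_body else FFS_FIXED_CHECKSUM
    # The header checksum is taken with the FileCk and State bytes forced to zero.
    hdr_ck = (-sum8(FFS_HDR.pack(name.bytes_le, 0, 0, ftype, attrs, size, 0))) & 0xFF
    return FFS_HDR.pack(name.bytes_le, hdr_ck, file_ck, ftype, attrs, size, FFS_STATE_VALID) + body

def build_fv(files, fv_length=0x1000):
    """Single-block FV whose header 16-bit words sum to zero."""
    block_map = struct.pack("<IIII", 1, fv_length, 0, 0)  # one block entry, then terminator
    hlen = FV_FIXED.size + len(block_map)
    def header(ck):
        return FV_FIXED.pack(b"\0" * 16, FFS2_GUID.bytes_le, fv_length, FV_SIGNATURE,
                             FV_ERASE_POLARITY, hlen, ck, 0, 0, 2) + block_map
    image = header((-sum16le(header(0))) & 0xFFFF)
    for f in files:
        image += f + b"\xFF" * (-len(f) % 8)  # files start on 8-byte boundaries
    assert len(image) <= fv_length
    return image + b"\xFF" * (fv_length - len(image))

def walk_files(image):
    """Yield (offset, size, unpacked header) per FFS file until erased space is reached."""
    _, _, fv_len, _, _, hlen, *_ = FV_FIXED.unpack_from(image)
    off = hlen
    while off + FFS_HDR.size <= fv_len:
        fields = FFS_HDR.unpack_from(image, off)
        if fields[0] == b"\xFF" * 16:  # erased Name GUID: no more files
            break
        size = int.from_bytes(fields[5], "little")
        if size < FFS_HDR.size or off + size > fv_len:
            raise ValueError("FFS size out of range at 0x%x" % off)
        yield off, size, fields
        off = (off + size + 7) & ~7

def verify_fv(image):
    """Return a list of integrity problems; empty means every checksum is consistent."""
    _, _, fv_len, sig, _, hlen, *_ = FV_FIXED.unpack_from(image)
    if sig != FV_SIGNATURE:
        return ["missing _FVH signature"]
    problems = []
    if sum16le(image[:hlen]) != 0:
        problems.append("FV header checksum mismatch")
    for off, size, (name, hck, fck, ftype, attrs, size3, _) in walk_files(image):
        guid = uuid.UUID(bytes_le=name)
        if sum8(FFS_HDR.pack(name, hck, 0, ftype, attrs, size3, 0)) != 0:
            problems.append("%s: FFS header checksum mismatch" % guid)
        body = image[off + FFS_HDR.size:off + size]
        if attrs & FFS_ATTRIB_CHECKSUM:
            if (sum(body) + fck) & 0xFF:
                problems.append("%s: FFS data checksum mismatch" % guid)
        elif fck != FFS_FIXED_CHECKSUM:
            problems.append("%s: FileCk must be 0xAA for an unchecksummed file" % guid)
    return problems

def refresh_checksums(image):
    """Recompute every FFS and FV checksum, as a module-editing tool must after a replace."""
    out = bytearray(image)
    for off, size, (name, _, _, ftype, attrs, size3, state) in walk_files(image):
        body = out[off + FFS_HDR.size:off + size]
        fck = (-sum(body)) & 0xFF if attrs & FFS_ATTRIB_CHECKSUM else FFS_FIXED_CHECKSUM
        hck = (-sum8(FFS_HDR.pack(name, 0, 0, ftype, attrs, size3, 0))) & 0xFF
        out[off:off + FFS_HDR.size] = FFS_HDR.pack(name, hck, fck, ftype, attrs, size3, state)
    hlen = FV_FIXED.unpack_from(image)[5]
    struct.pack_into("<H", out, FV_CHECKSUM_OFFSET, 0)
    struct.pack_into("<H", out, FV_CHECKSUM_OFFSET, (-sum16le(bytes(out[:hlen]))) & 0xFFFF)
    return bytes(out)

def sample_volume():
    """Constructed two-file volume; the GUIDs and bodies are made up, not real modules."""
    dxe = build_ffs_file(uuid.UUID("11111111-2222-4333-8444-555555555555"), 0x07,
                         b"hypothetical DXE driver body " * 4)
    pad = build_ffs_file(uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"), 0xF0,
                         b"\xFF" * 16, checksum_body=False)
    return build_fv([dxe, pad])

def tampered_volume():
    img = bytearray(sample_volume())
    img[72 + FFS_HDR.size] ^= 0x01  # first body byte of the first file; 72 = header length
    return bytes(img)
```

verify_fv(sample_volume()) returns an empty list, verify_fv(tampered_volume()) reports the data checksum mismatch for the driver GUID, and refresh_checksums() clears it again. A dumped 8 MB image holds several volumes back to back, each starting at its own _FVH signature, so run verify_fv over one volume at a time; extended FV headers and FFS_ATTRIB_LARGE_FILE files are not handled here.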
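A second added example for the Setup Mode remark above (again not the posters' code): from a GNU/Linux live system the two variables that show which state the firmware is in are SecureBoot and SetupMode under EFI_GLOBAL_VARIABLE, exposed by efivarfs as files whose first 4 bytes are the attribute word and the rest the data. The functions run on constructed byte strings; only live_state() touches /sys/firmware/efi/efivars, and it returns None when those files are absent. Reading SetupMode=1 as "no Platform Key enrolled" follows the UEFI specification's definition of Setup Mode.

```python
"""Decode the SecureBoot / SetupMode UEFI variables from the efivarfs file format.
Added example for this thread, not the posters' code."""
import os
import struct

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARFS = "/sys/firmware/efi/efivars"
ATTR_NAMES = {0x1: "NV", 0x2: "BS", 0x4: "RT", 0x20: "TIME_BASED_AUTH_WRITE"}

# Constructed samples (SecureBoot blob, SetupMode blob); both variables are
# volatile BS|RT, so the attribute word is 0x00000006, followed by one UINT8.
SAMPLE_SETUP_MODE = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")  # no PK enrolled
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")   # PK enrolled, enabled
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")    # PK enrolled, switched off

def decode_efivar(raw):
    """Split an efivarfs blob into (attribute names, data bytes)."""
    if len(raw) < 4:
        raise ValueError("efivarfs blob shorter than the 4-byte attribute header")
    attrs = struct.unpack_from("<I", raw)[0]
    names = [n for bit, n in ATTR_NAMES.items() if attrs & bit]
    return names, raw[4:]

def secure_boot_state(secureboot_raw, setupmode_raw):
    """Classify the platform from the two UINT8 variables."""
    _, sb = decode_efivar(secureboot_raw)
    _, sm = decode_efivar(setupmode_raw)
    if not sb or not sm:
        raise ValueError("variable has no data byte")
    if sm[0] == 1:
        return "setup mode: no Platform Key enrolled, signatures are not enforced"
    if sb[0] == 1:
        return "user mode: Secure Boot enforcing"
    return "user mode: Secure Boot disabled in firmware setup"

def read_efivar(name, guid=EFI_GLOBAL_VARIABLE):
    """Read one variable from efivarfs; None when the file is absent (non-EFI boot)."""
    path = os.path.join(EFIVARFS, "%s-%s" % (name, guid))
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return f.read()

def live_state():
    """State of the machine this runs on, or None without efivarfs."""
    sb, sm = read_efivar("SecureBoot"), read_efivar("SetupMode")
    if sb is None or sm is None:
        return None
    return secure_boot_state(sb, sm)
```

On a box in the state the post describes (modules inserted, no OEM keys enrolled) the expected answer is the setup-mode line; once a PK is enrolled (which is what leaves Setup Mode) the same call reports user mode, and whether signatures are then enforced is decided by the SecureBoot byte.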