
Re: GK3 Secure boot bios update

Posted: Wed Nov 03, 2021 1:37 pm
by Servo128
rroger wrote: Wed Nov 03, 2021 7:11 am The original BIOS on my device was dated 03/16/2021.
After the "update" there is no USB-Power (the light of a USB thumb is not on).
Switching off with the power button does not work either, I must plug out power-cable.

Sorry to read this, now we know why the bios hasn't been given out. Hope you get it fixed.

Re: GK3 Secure boot bios update

Posted: Wed Nov 03, 2021 5:20 pm
by j11544
galaxys5 wrote: Wed Nov 03, 2021 3:20 am Does anyone have the old version for me to downgrade 03/2020
Did you encounter any problems with the new BIOS? Just wondering why you would want to go back to the old version.

Re: GK3 Secure boot bios update

Posted: Wed Nov 03, 2021 5:47 pm
by galaxys5
j11544 wrote: Wed Nov 03, 2021 5:20 pm
galaxys5 wrote: Wed Nov 03, 2021 3:20 am Does anyone have the old version for me to downgrade 03/2020
Did you encounter any problems with the new BIOS? Just wondering why you would want to go back to the old version.
Because version 03/2020 contains "secure boot" and upgrade to win11, my version is 03/2021 and does not contain secure boot and cannot upgrade to win11.

Re: GK3 Secure boot bios update

Posted: Wed Nov 03, 2021 8:48 pm
by Speed_zgz
So, that long awaited new BIOS fails and bricks machines... :(
Better if you do a faithful test before release, please, admin

Re: GK3 Secure boot bios update

Posted: Thu Nov 04, 2021 6:33 pm
by gadge51
hi..i got the same bios update........then it states it could brick your minipc........Great.....so won't be tempted...i will stay with WIN10...until it's out of warranty [12mths]....after warranty runs out then i'll dump bios and then try their new bios.......UNLESS THINGS CHANGE

Re: GK3 Secure boot bios update

Posted: Thu Nov 04, 2021 7:32 pm
by simonelombardo
-

Re: GK3 Secure boot bios update

Posted: Thu Nov 04, 2021 8:53 pm
by simonelombardo
-

Re: GK3 Secure boot bios update

Posted: Thu Nov 04, 2021 11:38 pm
by VFLOW
simonelombardo wrote: Thu Nov 04, 2021 8:53 pm By the way, for the sake of transparency, I write the steps how I have done for making that unchecksummed bios mod from my previous post (viewtopic.php?p=5252#p5252), if someone wants to try it. Personally, recovery screen is annoying but if the unit is kept on, it's a minor issue.

Firstly: it's not a Secure boot compliant mode (no SecureBoot signing check is performed because no OEM keys are enrolled), it's just passing the Windows 11 check. I don't have compiled setup and AmiTse for the ACEPC builds (for the same reason, I asked for a copy of the bios because it can be extracted for having a control on Secure Boot policy).

The Gigadevice flash device has several memory areas: the main bios program (the one that runs your system), the shadow bios program (the last checksummed copy of your bios), the EC program (the one which governs the fan and power management), the bootblock area (the very piece of code that checks whether the main bios program is damaged / checksummed correctly and initializes the crisis mode for bios recovery...though it seems to check for an ATAPI CDROM actually...), NVRAM area (that stores the EFI variables and keys), the FTL+ME microcode area (that uploads the microcode updates to the CPU and the fTPM module). It's a pretty standard structure of a UEFI bios.

For now it's textual, because it's the best I could do while I'm away from home.

1. First download the AMITool V AMI Firmware update utility, available here: https://www.ami.com/products/firmware-t ... utilities/
2. Execute it and press Save and backup your BIOS saving it to a file. The dump should be 8MB as the size of the main bios program area on the Gigadevice flash unit. Very important to revert the procedure.
3. After that make a second copy of the BIOS dump to use it as a base for the mod
4. Download the MMTool 5.02.0025 (https://www.mediafire.com/file/x6hxxemx ... 5.rar/file) - this program would extract, replace and insert the UEFI modules from the BIOS dump. It also generates incorrect checksums on the bios image - that is the cause for having the recovery screen at each boot (because the bootblock would detect it), but it is also the cause that keeps the shadow bios area untouched. Reflashing the original bios would clear the recovery screen
5. Take a reference BIOS... Better if it comes from the same line up of your original BIOS but taking a similar architecture BIOS could work (like that ASROCK J4125-ITX I took as example: https://www.asrock.com/MB/Intel/J4125-I ... t.asp#BIOS)
6. Open the reference BIOS with MMTools. A list with modules will appear; use "Extract As Is" for extracting the following UEFI modules from your reference BIOS (e.g. the bios coming from the 5° point):
- SecureBootDXE (the core of SecureBoot functionality)
- NVRamDxe (it kicks off the SecureBootDXE initialization and creates the Nvram variable that Windows checks upon)
These are the bare minimum for the initialization. There are other components involved on SecureBoot (NvramSmm, AmiRedFishApiDXE, Setup, AMITSE) but this is highly specific to the vendor so don't use them or the system would hang.
7. Open the copy of your bios dump with MMTools, select the NvRAMDxe module from the list and use the Replace tab to replace it with the NvramDXE one coming from the reference bios.
8. Always selecting the NvramDXE (very important to keep the same Volume), choose "Insert As is" the SecureBootDXE module. It would be put on the bottom of the volume
9. After that, choose Save Image and so the module is being replaced on your bios copy

If flashed in this state, the reboot of the system would kick the recovery process with the message of "ROM image not loaded". Actually it's the bootblock finding the incorrect checksum but the flashed BIOS is loaded and the CMOS variables are set in fail-safe mode. If Windows is booted in this stage, the Windows 11 Health check would find the Secureboot but the fTPM disabled because the fail safe settings from the freshly modded main bios image prevent it from being enabled.

So we need to set the "fail safe" of the fTPM as enabled. And for doing this:

10. Use AMIBCP 5.02.0031 (https://www.mediafire.com/file/ckao23pe ... 1.rar/file) and open your freshly modded bios dump
11. Expand the menu and search for the Setup entries for fTPM entries and change the settings from Disabled to Enabled
12. Save the image

Now you can flash it

13. Open the AMI Tool V Firmware utility and open the modded flash image
14. Very important - keep only "Main BIOS Program" selected in the program (so the NVRAM, microcode and so on checkboxes NEED to be disabled in order not to overwrite data we don't have a backup of) and flash it.

In the next reboot, you are welcomed by the recovery screen, choose Save User default settings and boot. You should have the Windows Health check test passing.

For reverting back and clearing the recovery screen, just flash your main program bios backup and it returns as before.

I think keeping the shadow bios untouched by feeding the incorrect checksum is a safety measure for now but caveat emptor: I'm just a random guy on internet, I can't make myself and I won't make myself forcefully trusted by people.


It worked like a charm. Thanks so much for sharing your knowledge. Everything happened exactly how you described.

My device is a "generic" GK3V. I tried to contact the original manufacturer (Cyxtech) to get the BIOS update but I haven't received any answers until now.

After modding my device's BIOS as you shared, I was able to activate the Secure Boot, it passed on Windows Health Check but Windows Update still says that my PC does not meet the requirements to run Windows 11. Maybe it is just a Windows 10 bug... who knows.

Re: GK3 Secure boot bios update

Posted: Fri Nov 05, 2021 5:42 am
by simonelombardo
-

Re: GK3 Secure boot bios update

Posted: Fri Nov 05, 2021 11:54 am
by Servo128
simonelombardo wrote: Fri Nov 05, 2021 5:42 am
VFLOW wrote: Thu Nov 04, 2021 11:38 pm After modding my device's BIOS as you shared, I was able to activate the Secure Boot, it passed on Windows Health Check but Windows Update still says that my PC does not meet the requirements to run Windows 11. Maybe it is just a Windows 10 bug... who knows.
Thanks a lot for the test. Added a point: Together with fTPM, check with AMIBCP whether AHCI entries are enabled as fail safe and CSM (Legacy and Dual mode) is disabled. Windows 11 and secureboot-compliant system implicitly requires it but SecureBoot initialization happens also in CSM mode. Windows Health Check does not check for it, probably.

If it fails, could you share the windows update log in order to check what’s checking? Thanks. I’ll try to run it also when I get back. If it signals the key management is missing, it could be enrolled manually as I have done on a GNU/Linux distribution.

Also SecureBoot is starting in Setup Mode (not user mode) since the oem keys are missing: the AmiTSe and Setup from the new released build
(or from the GK1 / AK3 with secure boot entries) would be a big help here.
Let's hope someone will give you the info needed to sort out windows 11. From spending time here it's not coming from Acepc, their aftersales has been pathetic.

It's about time @admin gave us a true reflection of what stage the bios upgrade is at!!
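
An added example, not written by any poster in this thread: the posts above point out that the modded firmware has no OEM keys enrolled and starts Secure Boot in Setup Mode, so a passing Windows check does not mean boot images are being verified. On a GNU/Linux system this Python script reads the standard UEFI global variables from efivarfs and reports the real state; the function names and state labels are assumptions of this example.

```python
"""Classify the UEFI Secure Boot state from Linux efivarfs (added example)."""
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def payload(raw):
    """Strip the 4-byte attribute word efivarfs puts before the variable data."""
    return raw[4:] if raw is not None and len(raw) >= 4 else None


def flag(raw):
    """Return a one-byte boolean variable as an int, or None if absent/malformed."""
    data = payload(raw)
    return data[0] if data is not None and len(data) == 1 else None


def classify(secure_boot_raw, setup_mode_raw, pk_raw):
    secure_boot, setup_mode = flag(secure_boot_raw), flag(setup_mode_raw)
    pk = payload(pk_raw)
    if secure_boot is None and setup_mode is None:
        return "unsupported"            # firmware exposes no Secure Boot variables
    if setup_mode is None:
        setup_mode = 0 if pk else 1     # fall back to Platform Key presence
    if setup_mode == 1:
        return "setup-mode"             # no Platform Key: boot images are not verified
    if secure_boot == 1:
        return "enforcing"              # user mode and signature verification active
    return "disabled"                   # keys enrolled, Secure Boot switched off


def read_var(name, root=EFIVARS):
    try:
        return (Path(root) / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None


def secure_boot_state(root=EFIVARS):
    return classify(read_var("SecureBoot", root),
                    read_var("SetupMode", root),
                    read_var("PK", root))


if __name__ == "__main__":
    # Constructed sample: attribute word 0x06 followed by the data byte, no PK.
    attrs = (0x06).to_bytes(4, "little")
    print("constructed sample:", classify(attrs + b"\x00", attrs + b"\x01", None))
    print("this machine:", secure_boot_state())
```

Anything other than `enforcing` means the firmware is not rejecting unsigned boot loaders, whatever an OS-side compatibility check reports.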