Firmware version check
To check the firmware version you can use:
dmidecode -s bios-version
If dmidecode is not installed, use the following command:
For Debian-based distributions:
apt-get install dmidecode
For FreeBSD:
pkg install -y dmidecode
APUx firmware flashing
To flash a firmware image to the APUx SPI flash, install flashrom (or use a system with flashrom already installed).
For Debian-based distributions you can install flashrom by simply:
sudo apt-get install flashrom
For FreeBSD you can install flashrom with:
pkg install -y flashrom
You can also use minimal distributions with already installed
flashrom -w coreboot.rom -p internal -c "MX25L1605A/MX25L1606E/MX25L1608E"
flashrom -w coreboot.rom -p internal
To update the firmware and keep the runtime configuration unchanged please use the following command:
flashrom -p internal -w apuX_v22.214.171.124.rom --fmap -i COREBOOT
The persistent runtime configuration works only when migrating from versions v126.96.36.199 and later. The feature is not yet supported on apu1. Flashrom version needs to be v1.1 or newer.
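A pre-flight check for the flashing commands above, as an added example that is not part of the original page or the project's own scripts: it confirms the image digest and prints the --fmap command only when flashrom is v1.1 or newer. The function names, the expected-digest argument and the assumed first-line format of the flashrom --version output are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight checks before running flashrom on an apu board.
# Assumption: `flashrom --version` starts with "flashrom v1.2 ..." or "flashrom 1.3.0 ...".

# Extract MAJOR.MINOR from the first line of `flashrom --version` output ($1).
flashrom_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^flashrom v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when version $1 (MAJOR.MINOR) is at least version $2.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# Return 0 when file $1 has the SHA-256 digest $2 (lowercase hex).
# The expected digest comes from your own build host or the image publisher.
# On FreeBSD use `sha256 -q "$1"` instead of sha256sum.
image_matches() {
    [ -r "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Print the flashrom command for image $1 without running it.
# $2 = `flashrom --version` output, $3 = "keep" to preserve the runtime configuration.
flash_command() {
    ver=$(flashrom_version "$2")
    [ -n "$ver" ] || { echo "cannot parse flashrom version" >&2; return 2; }
    if [ "$3" = keep ]; then
        version_ge "$ver" 1.1 ||
            { echo "flashrom $ver is too old for --fmap -i COREBOOT" >&2; return 3; }
        echo "flashrom -p internal -w $1 --fmap -i COREBOOT"
    else
        echo "flashrom -w $1 -p internal"
    fi
}

# Usage: preflight.sh IMAGE EXPECTED_SHA256 [keep]
if [ "$#" -ge 2 ]; then
    image_matches "$1" "$2" ||
        { echo "image digest mismatch, not flashing" >&2; exit 1; }
    flash_command "$1" "$(flashrom --version 2>&1)" "${3:-full}"
fi
```

The script only prints the command, so the digest check and the version gate can be reviewed before anything is written to the SPI flash.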
A full power cycle is required after flashing. If it is not possible (e.g. remote firmware upgrade), when flashing coreboot v188.8.131.52 or newer a full reset can be forced with the following commands after using flashrom. For older firmware versions please refer to cold_reset.md.
For Linux:
setpci -s 18.0 6c.L=10:10
For FreeBSD:
pciconf -w pci0:24:0 0x6c 0x580ffe10
For NetBSD:
pcictl pci0 read -d 24 -f 0 0x6c # verify that you see 580ffe00
pcictl pci0 write -d 24 -f 0 0x6c 0x580ffe10
After that, reboot as usual. The platform will turn off for 3-5 seconds. Note that there are parts of the platform which cannot be reset with this approach. A full power cycle is strongly suggested when possible.
Motherboard mismatch warning
When you update the firmware and try to flash an image to an apu board, a mismatch warning may appear. It is a known issue related to the SMBIOS table: in v4.6.7 in mainline and v4.0.15 in legacy, the part number entry is in a shorter (correct) form. Therefore, if you update to those versions (or newer), a warning will appear. To flash the BIOS correctly, just add the internal:boardmismatch=force flag. The entire flashing command should look like:
flashrom -w coreboot.rom -p internal:boardmismatch=force
To automate firmware updates while developing, copy your SSH key to the target machine:
cat ~/.ssh/id_rsa.pub | ssh firstname.lastname@example.org 'cat >> .ssh/authorized_keys'
Then you can use the command below to flash recently built changes to the APU2:
APU2_IP=192.168.0.101 && ssh root@$APU2_IP remountrw && \
scp build/coreboot.rom root@$APU2_IP:/root && \
ssh root@$APU2_IP flashrom -w /root/coreboot.rom -p internal \
&& ssh root@$APU2_IP reboot
Flashrom known problems
If flashrom tells you
/dev/mem mmap failed: Operation not permitted:
- Most common at the time of writing is a Linux kernel option, CONFIG_IO_STRICT_DEVMEM, that prevents even the root user from accessing hardware from user-space. Try again after rebooting with iomem=relaxed in your kernel command line.
- Some systems with incorrect memory reservations (e.g. E820 map) may have the same problem even with CONFIG_STRICT_DEVMEM. In that case iomem=relaxed in the kernel command line may help too.
You can set iomem=relaxed via Grub by appending to file
grub-mkconfig -o /boot/grub/grub.cfg
APU firmware updater for OPNsense
You can use a script to update the firmware on an OPNsense firewall.
- Log in via SSH to your OPNsense firewall.
- Copy the script apu_fw_updater_opnsense.sh where you want it.
- Make the script executable using chmod +x apu_fw_updater_opnsense.sh.
- Set the correct type, e.g.
- Set the desired version, e.g.
- Execute the script