Firmware

Update Firmware via EFI Shell

Updating your firmware using the EFI Shell is straightforward and safe when done carefully. Follow this step-by-step guide to prepare your USB drive, enter the EFI Shell, and complete the update. ⚠️ Note: You’ll need a USB Flash Drive with at least 8 MB of free space to perform this update. Make sure your laptop is plugged into its charger before starting. 1) Download the Firmware Download the firmware file for your specific model from here. Firmware files are stored in folders named according to the model. For example, for the StarBook Mk IV, the files are in StarBook/MkVI-Intel/, ITE updates in /ite, and the file you need is efi-B6-I.zip. Download 2) Extract the Firmware Files After downloading the file, right-click it and select Extract Here. Extract Open the extracted folder, select all files and folders using the mouse or by pressing Ctrl and A. Right-click and select Copy. 3) Prepare the USB Flash Drive Your USB drive must be formatted in FAT32 format. Open your distribution's disk manager. You can typically find it by searching for disks. The process is similar across most distributions. In Ubuntu, select your USB drive and click the - sign to remove the current partition. This action will delete all data on the drive. After removing the original partition, the - sign will disappear and a + sign will appear. Click the + and set the Type to FAT. You can choose any name for the Volume Name. Once complete, locate your USB drive. Open it, right-click, and select Paste. The contents should resemble the image below. Files 4) Boot into the EFI Shell 1. Keep the USB drive connected. 2. Connect your laptop charger. 3. Shut down your laptop completely. 4. Power it back on and enter the EFI Shell: - For AMI firmware: Press F2 (or Fn + F2 if Function Lock is enabled) repeatedly until you see a blue boot menu. Use the arrow keys to select EFI Shell and press Enter. - For coreboot firmware: Press the key shown on-screen to open Boot Manager, then select EFI Shell. 5) Run the Update Once you’re in the EFI Shell, the update will start automatically. The process usually takes 10 seconds to 5 minutes. ⚠️ Do not turn off or restart your laptop during this process. Interrupting the update could make your device inoperable and require physical repair. When the update finishes, your laptop will either reboot automatically or shut down - this is normal. 💡 Tip: Some BIOS updates may require multiple reboots. If prompted, repeat the steps above to boot into the EFI Shell again.

Updating your firmware

Keeping your firmware up to date helps your system stay secure, stable, and compatible with new hardware and software. This guide shows how to update firmware safely using LVFS (Linux Vendor Firmware Service). Important notes - Please use LVFS for firmware updates. - Using other methods (like flashrom or mtd) is not recommended and is done at your own risk. - If you are using Qubes OS, follow their documentation: https://www.qubes-os.org/doc/how-to-update/ Before you start - Plug your laptop into AC power and keep it connected during the update. - Avoid suspend/hibernation during flashing (keep the lid open if your system sleeps when closed). - Make sure you have a stable internet connection. - Don’t force power-off while an update is in progress. 1) Check your current firmware versions Open a terminal (for example, Ctrl + Alt + T), then run: BIOS version cat /sys/class/dmi/id/bios_version EC version cat /sys/class/dmi/id/ec_firmware_release (Optional) Confirm fwupd can see your devices: fwupdmgr get-devices 2) Install the required tools To update via LVFS, you need fwupd. Ubuntu / Linux Mint / elementary OS / Zorin OS (and other Ubuntu derivatives) sudo add-apt-repository ppa:starlabs/main sudo add-apt-repository universe sudo apt update sudo apt install fwupd libflashrom1 Fedora (GNOME/KDE) sudo dnf install fwupd Arch / Manjaro sudo pacman -S fwupd openSUSE sudo zypper install fwupd If you hit errors, jump to Troubleshooting. 3) Install firmware updates Option A: Terminal Refresh metadata fwupdmgr refresh Check what updates are available fwupdmgr get-updates Install updates fwupdmgr update If fwupdmgr asks to reboot (or schedules an offline update), reboot when prompted. Confirm versions (after updating) Re-run the version checks from Step 1, or use: fwupdmgr get-history Option B: Desktop apps Below are the most common desktop update paths. Pick the one that matches your distro. elementary OS Distro(s): elementary OS (v6+) From version 6 onward, firmware updates appear in System Settings → System → Firmware. elementarySystem You can view the current firmware information and install updates by clicking on each component. elementaryDetails GNOME Software Distro(s): Ubuntu (GNOME), Fedora Workstation (GNOME), Zorin OS, openSUSE (GNOME), Arch (GNOME), Manjaro GNOME, Debian (GNOME) Firmware updates appear alongside your normal software updates in the GNOME Software app. KDE Discover Distro(s): Kubuntu, KDE Neon, Fedora KDE, Manjaro KDE Firmware updates appear in Discover, just like normal app updates. KDEDiscover GNOME Firmware Distro(s): most distros (useful when firmware updates aren’t integrated into your software center) If your distro doesn’t integrate firmware updates into a software center, you can use the standalone GNOME Firmware app (available via most package managers, even on non-GNOME systems). You can check for updates via the menu → Check for Updates. If none of the above options are available, you can still manage firmware updates from the terminal. 4) Testing branch (optional) If you want to help test firmware updates before their official release, you can enable the LVFS testing remote: Enable fwupdmgr enable-remote lvfs-testing Disable fwupdmgr disable-remote lvfs-testing Downgrade back to stable fwupdmgr downgrade Please note: ensure you have a recovery option before enabling the testing remote. Troubleshooting No updates showing Try forcing a refresh and listing updates again: fwupdmgr refresh --force fwupdmgr get-updates You can also check enabled remotes: fwupdmgr get-remotes IO access errors Do I need iomem=relaxed? You only need this if fwupdmgr fails with an IO/memory access error. Common messages include: - /dev/mem mmap failed: Operation not permitted - Message recipient disconnected from message bus without replying (sometimes paired with the error above) If your firmware update works, you don’t need to change anything. How to confirm it’s enabled iomem=relaxed is a kernel boot parameter (set via your bootloader/GRUB), not something you change inside fwupd. After you’ve applied the change and rebooted, you can confirm the running kernel received it by checking the active boot parameters: cat /proc/cmdline If you see iomem=relaxed in the output, it’s enabled. If it’s needed If you see the errors above, add the iomem=relaxed kernel parameter: Debian-based distros sudo sed -i 's/quiet/quiet iomem=relaxed/g' /etc/default/grub sudo update-grub Fedora sudo sed -i 's/quiet/quiet iomem=relaxed/g' /etc/default/grub sudo grub2-mkconfig -o /boot/grub2/grub.cfg Arch (GRUB) sudo sed -i 's/quiet/quiet iomem=relaxed/g' /etc/default/grub sudo grub-mkconfig -o /boot/grub/grub.cfg Reboot after making the change. Version number mismatch If you see a message that version numbers don’t match: fwupdmgr update --force Failed to connect to daemon If you see a timeout activating org.freedesktop.fwupd, delete the pending DB: sudo rm /var/lib/fwupd/pending.db Other errors Run the updater script: bash <(curl -s https://raw.githubusercontent.com/StarLabsLtd/firmware/main/updater.sh) If this doesn’t work on your distribution, you can use a Live USB with Ubuntu to update.

AMI Aptio V vs coreboot

What's the difference? AMI (American Megatrends Inc.) Aptio V and coreboot are both firmware. These exist to provide an interface between your Operating System and hardware so the OS know's what devices there are and how to control them. There are two main parts of that firmware, the bootloader and the payload. The bootloader initialises the hardware, and the payload provides a UEFI platform. UEFI was a direct replacement for BIOS, and whilst UEFI has been standard for over a decade, it's commonly referred to as BIOS. Both coreboot and AMI use edk II as a payload; AMIs version is about 10 years old and highly modified. coreboot uses a standard but bleeding-edge version. Since day one, we've used AMI Aptio V firmware for our laptops, and now, we're making a second option available - coreboot. We're making both available because there isn't a definite answer to which one is "better". Which one is better for you depends on your priorities and how you use your laptop. AMI is an industry-standard firmware, alongside Insyde and Pheonix. It offers many features, including a graphical interface that allows various settings to be changed. coreboot, on the other hand, is an open-source project that has only been made available for a finite number of devices (the majority of these being Chromebooks). The version of edk II it uses has no dedicated interface apart from a simple boot menu. Configurable options can be changed using our coreboot configurator program, which is available for Linux. You can find all the details of this here. So which is better? AMI is more capable, but one of the significant coreboot appeals is that it's open-source, so all of the source code is public - you can find it here. It means you can see everything inside it; if you know how you can change anything you like. It suits Linux, as it uses the same licensing (GPLv2) as the Linux kernel. Due to how lightweight coreboot is, it will offer better performance and lower power consumption. For example, the LabTop Mk IV combined with coreboot will deliver approximately 8% more performance and around 20% longer battery life (with a record of 13 hours and 42 minutes for general use). Is coreboot more secure? The jury is out on this one; it depends on who you speak to and how it's configured. From now on, we'll be talking about the version of coreboot that we build, as, for example, Google's configuration is very different. The main difference in security is the way that they update, as this is the primary method used in an attempt to compromise firmware. Both receive updates via the LVFS but differ in the plugin they use. AMI uses EFI capsules, you can send any EFI capsule to the firmware as an update, but before it is installed, the firmware will check the signature to ensure that the vendor writes it. If it's not, it will be rejected. This is widely considered one of the most reliable and secure ways of delivering updates. coreboot uses flashrom, which runs from the userspace (outside the kernel) and writes directly to the SPI (a small chip where the firmware is stored). Instead of verifying the update, it will allow anything using user id 0 (aka "sudo", "root" or "admin") to write to it. Whilst this may sound less secure, and arguably it is, if user id 0 is compromised, then the vast majority of security measures are null and void. One advantage of seeing the source code is that as the contents are public - there's no chance of anything being there that shouldn't, such as spyware or keyloggers. Whilst our development team have full access to the AMI source code, we aren't allowed to share this due to the licensing - so you have to take our word for it that there is nothing terrible inside! Advantages of AMI: * Graphical interface that allows all settings to be changed * Uses EFI capsules to update Advantages of coreboot: * Incredibly lightweight, which results in better performance and battery life * Open-source * coreboot-configurator allows all settings to be changed What do Star Labs recommend? If security isn't your number one concern, we recommend coreboot as the laptop will perform better. If security is imperative, as there is no definite answer, then you are the only person who can decide which is best for you.

Switching Branch (Installing coreboot)

Available on: - Star Labtop Mk III - Star Labtop Mk IV - StarBook Mk V - StarLite Mk IV - StarLite Mk III (Beta) Requirements: - fwupd version 1.5.6 or later - The battery must be charged to at least 30% - The charger must be connected (either USB-C or DC Jack) - BIOS Lock must be disabled - Supported Linux distribution (Ubuntu 20.04 +, Linux Mint 20.1 + elementaryOS 6 +, Manjaro 21+) Notes: On the StarLite Mk II and Mk III, to switch back to AMI, this must be done with a hardware programmer. Setup Follow the steps in this guide for how to install the pre-requisites. If you are not using one of the distributions listed above, it is possible to install coreboot using a Live USB. Disable BIOS Lock BIOS Lock must be disabled when switching from the standard AMI (American Megatrends Inc.) firmware to Coreboot. BIOS Lock is only available in later versions of the firmware, so if you don't see it, please update the AMI firmware first. To disable BIOS Lock: 1. Start with your LabTop turned off. Turn it on whilst holding the F2 key to access the BIOS settings. 2. When the BIOS settings load, use the arrow keys to navigate to the advanced tab. Here you will see BIOS Lock. 3. Press Enter to change this setting from Enabled to Disabled Disable BIOS Lock 4. Next, press the F10 key to Save & Exit and then Enter to confirm. Switching Branch Switching branch refers to changing from AMI firmware to Coreboot, or vice versa. First, check for new firmware files with the below terminal command: fwupdmgr refresh --force Then, to change branch, enter the below terminal command: fwupdmgr switch-branch You can then select which branch you would like to use, by typing in the corresponding number: Switch Branch You will be prompted to confirm, press y to continue or n to cancel. If you see a message Message recipient disconnected from message bus without replying, you'll need to add the iomem=relaxed kernel parameter. The two below commands will do this for you: sudo sed -i 's/quiet/quiet iomem=relaxed/g' /etc/default/grub sudo update-grub Once the switch has been completed, you will be prompted to restart. Installed Coreboot The next reboot can take up to 10 minutes, do not disconnect the charger. This reboot can occasionally stall, so if it's been longer than 5 minutes and the screen is blank, press and hold Ctrl + Alt + Delete and Power for 30 seconds. Once the reboot is complete, that's it - you'll continue to receive updates for whichever branch you are using. You can switch branch at any time.