How to upgrade my CIMC Firmware?

dal · ‎03-29-2023

Hi

I have a C220 M4 server that needs upgrade.
So I downloaded the lates HUU Iso.
But it does not boot because of UEFI Secure Boot
So I tried to turn off Secure boot only to find out it is not possible do turn off
So I mounted the ISO on my Windows 10 computer hoping that maybe the firmware files were in the ISO file somewhere, but no; only a readme file and a file called getfw (that has to be run in Linux of course) was present.

You can't make this **bleep** up.

How am I supposed to upgrade the firmware if the bootable ISO is not allowed to boot?

This guide says to to exactly what I've done:
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/lomug/4-2/b_cisco-host-upgrade-utility-user-guide-4-2/m_upgrading-the-firmware.html

gg Cisco

KyoCode · ‎03-29-2023

hey Dal,

can you confirm current C220 M4 version? and target upgrade version?

cheers,

AIV

dal · ‎03-29-2023

Hi
This is the running version:

The goal is to upgrade to latest version, currently Release 4.1(2k)

Leo Laohoo · ‎03-29-2023

Try this: CIMC Upgrade – 8540/5520 WLC

KyoCode · ‎03-29-2023

another pov similar to what Leo described is,

It looks like CIMC version is 3.0(4j) or anything below 4.0 (correct me if I'm wrong), hence is not just a basic upgrade, you should consider upgrading to 4.1(2a) first, as described here: https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/b_release-notes-for-cisco-ucs-rack-server-software-release-4_1_2.html#reference_ikd_w5t_zjb

after that, if it happens, you can upgrade to latest 4.1.2k,

please, let us know the outcome,

AIV

dal · ‎03-30-2023

Yeah, but how to upgrade? That is the question, not the upgrade path.

I discovered that it can be done by using a python script, but unsurprisingly, it does not work.

I tried with this line:
python update_firmware-4.2.3b.py -a <CIMC IP> -u cimcusername -p cimcpassword -m ucs-c220m4-huu-4.1.2a.iso -i <CIFS_IP> -d <CIFS_SHARE> -t cifs -r <CIFS_USER> -w <CIFS_PASSWORD> -y all -S no

But that produces an error like this:

[Information] Needed packages "Crypto.PublicKey.RSA" not available. Cannot support password encryption feature.
[Information] Needed packages "Crypto.Random" not available. Cannot support password encryption feature.

Total of 1 servers firmware to be updated.

Updating firmware.....

[Information] Needed packages "Crypto.PublicKey.RSA" not available. Cannot support password encryption feature.
[Information] Needed packages "Crypto.Random" not available. Cannot support password encryption feature.
Process Process-1:
Traceback (most recent call last):
File "C:\Users\Dal\AppData\Local\Programs\Python\Python310\lib\multiprocessing\process.py", line 315, in _bootstrap
self.run()
File "C:\Users\Dal\AppData\Local\Programs\Python\Python310\lib\multiprocessing\process.py", line 108, in run
self._target(*self._args, **self._kwargs)
File "C:\Users\Dal\Desktop\huu\update_firmware-4.2.3b.py", line 3782, in HuuHandleFirmwareUpdate
responseData = HuuProcessPendingWork(logger, work)
File "C:\Users\Dal\Desktop\huu\update_firmware-4.2.3b.py", line 3747, in HuuProcessPendingWork
work.HuuUpdateSendFirmwareUpdate(logger)
File "C:\Users\Dal\Desktop\huu\update_firmware-4.2.3b.py", line 898, in HuuUpdateSendFirmwareUpdate
responseData = self.ConfigConfMo(logger)
File "C:\Users\Dal\Desktop\huu\update_firmware-4.2.3b.py", line 2101, in ConfigConfMo
configMoRequest = configMoRequest.replace('remoteIpValue', self.remoteShareIp)
TypeError: replace() argument 2 must be str, not None

RobertBetts2294 · ‎03-30-2023

@dal wrote:
Hi
I have a C220 M4 server that needs upgrade.
So I downloaded the lates HUU Iso.
But it does not boot because of UEFI Secure Boot
So I tried to turn off Secure boot only to find out it is not possible do turn off
So I mounted the ISO on my Windows 10 computer hoping that maybe the firmware files were in the ISO file somewhere, but no; only a readme file and a file called getfw (that has to be run in Linux of course) was present.

You can't make this **bleep** up.
How am I supposed to upgrade the firmware if the bootable ISO is not allowed to boot?
This guide says to to exactly what I've done:
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/lomug/4-2/b_cisco-host-upgrade-utility-user-guide-4-2/m_upgrading-the-firmware.html MyTHDHR
gg Cisco

Here are some potential solutions:

Check if your server has a BIOS Compatibility Support Module (CSM) option. Enabling this option may allow the server to boot the HUU ISO.
Contact the server manufacturer's support team for assistance. They may be able to provide a solution or workaround for your specific server model.
Try creating a bootable USB drive with the HUU ISO using a tool like Rufus. This may allow you to bypass the UEFI Secure Boot issue and boot from the USB drive instead.
If none of the above solutions work, you may need to physically access the server and use a firmware update utility that can be run from within the operating system, rather than using a bootable ISO.

dal · ‎03-30-2023

Thanks for offering solutions, but:

1. Can't find such thing.
2. Contacting the support team just to upgrade a firmware is.. just ridiculous
3 and 4: Both those options requires a physical presence which is not an option.

Why has Cisco made this simple thing so hard? Why lock users out of their own hardware? Why not use the same methods like Dell does for example?
I've already wasted enough time on this piece of garbage. Just have to remind myself to never purchase anything like this again.

Steven Tardy · ‎03-31-2023

The issue with the python scripts seems to be deprecated SSL/TLS libraries/cyphers/versions or could be a python2 vs python3 issue as that is very common with python.

A little googling indicates a workaround to the python issues might be:

pip install pycryptodome

Previously used `getfw` to extract BIOS/CIMC files from file: ucs-c220m4-huu-4.1.2b.iso

Attached those resulting files to this post. These files can be uploaded/upgraded through CIMC.

This may not be your destination version, but may help with the python encryption issue once you upgrade off 5-year-old firmware.

For what it is worth Dell DRAC uses many of the same sub-components so your claims that Dell never have these issues is simply untrue as I have personally run into similar headaches/roadblocks upgrading old Dell/HP/Supermicro firmware.

Hope the provided files helps.

dal · ‎04-11-2023

Thanks for this.
Firmware applied.

But unfortunately; along the way this instance boots only into UEFI shell now.
What could be the reason for this?
And it is fixable?

Thanks

Steven Tardy · ‎04-11-2023

Sounds like the UEFI BIOS boot option entry got removed/wiped (during the BIOS update or clear CMOS or some other action).

Can re-add the UEFI boot option from the [F6] BIOS menu.
(Don't see a good walkthrough on cisco.com, but found https://pei.com/cisco-c220-m5-boot-uefi-shell/)

dal · ‎04-11-2023

Thanks for answering, but I don't see where I can do this:

And the F6 options shows:

I tried to add the boot option via the Web GUI, but it does not work:

Steven Tardy · ‎04-11-2023

Right above that screen what is set for "Actual Boot Mode" and selected for "Configured Boot Mode" (Legacy or UEFI)?

Earlier you said this server booted UEFI secure boot which requires changing from Legacy to UEFI mode.

From my M4 lab server with UEFI mode configured:

Then select "slot-1-os" [Configure Boot Order] / [Advanced] / "slot-1-os" / [Modify] you can expand section:

UEFI Boot Loader Parameters (Optional)

To include options:

Name (filename of the EFI file, ex: BOOTX64.EFI)
Path (directory structure to the above EFI file, ex: \EFI\BOOT)
Description (text description of the option seen in the [F6] menu: ex: Windows Boot Manager)

Hope that helps.

dal · ‎04-13-2023

It looks like this for me:

No such thing as slot-1-os for me.
Is it because it is an ISE server?
When I try to remove UEFI Secure boot it says this:

Maybe now you understand why I hate CIMC so much; I'm using hours upon hours fixing something that should take minutes. It shouldn't even need fixing in the first place

alisha_rascon01 · ‎04-12-2023

Upgrading the CIMC firmware on a C220 M4 server can be a bit tricky if you're running into issues with UEFI Secure Boot. Here are some steps you can take to try and resolve the issue:

Check for firmware updates: Verify that you have the latest firmware for your server. You can find the latest firmware on the Cisco website.

Disable Secure Boot: If your server has UEFI Secure Boot enabled, try disabling it temporarily to see if you can boot from the HUU ISO. However, as you mentioned, it may not be possible to disable Secure Boot on some systems.

Use a different boot method: If you can't disable Secure Boot, you may need to use a different boot method. You can try using a bootable USB drive instead of the ISO, or you can try using a PXE boot server.

Use a Linux system: As you mentioned, the getfw file in the HUU ISO is designed to be run in Linux. If you have access to a Linux system, you can use that to create a bootable USB drive with the HUU ISO and run the getfw script from there.

Contact Cisco support: If you're still having issues upgrading the firmware, you can contact Cisco support for assistance. They should be able to help you troubleshoot the issue and provide guidance on how to proceed.

I hope these steps help you upgrade your CIMC firmware successfully.