BIOS updates unavailable

tcsenter · ‎04-30-2023

I have several EliteDesk 800 G1 Business PC in Small Form Factor in use for about five years. I recently needed to replace one so I picked up a used/refurbished unit. The unit arrived with an early BIOS ROM version dated from 2014. The units I had in service were updated to L01 Family ROM V2.78 dated released 4/29/2020, which was the last time I happened to service any hardware/firmware for these units.

I checked HP Software and Drivers for this model to check if newer BIOS had been released, and if not, then download and apply the v2.78 the others have been updated to. But it is no longer offered for any of the OS choices. In fact, multiple previous BIOS releases appear to have been pulled from the HP support site for any model using the L01 Family ROM. Versions 2.77, 2.75, 2.74, 2.73, and 2.72 all previously released for this model/family but appear to have been pulled from the entire HP sphere. Most of them were deemed "critical" updates with "strongly recommend" by HP. This is highly, highly unusual!

I am concerned about why this has occurred. i.e. is there a security issue, critical flaw of some kind in these BIOS versions, that I should know about? I have four units in service with BIOS 2.78 but the same concern would exist for anyone using any of the aforementioned BIOS versions that seem to have been pulled by HP, I would assume for some very good reason?

I'd rather not deal in speculations by those who really do NOT know of the answer here and do not have access to any resource that CAN offer real insight. Thanks in advance!

BeemerBiker · ‎04-30-2023

This has been asked before and no answer given (note the link to 2.78 is shown)

I volunteer on several other OEM sites and a have never seen an official explanation as to why a bios update has been withdrawn . I am sure there are proprietary internal documents in existence as to why.

The latest listed L01 bios is 2.71. Possibly the HP Support Assistant app might find 2.78.

Here is a list of reasons for updates going back to 2.71. An "intel microcode update" sometimes just allows a new CPU to be recognized but more often than not is a critical security update. Note that 2.72 caused a problem that 2.73 reversed.

Version 2.78

- Update to latest Intel microcode 0x28

*** ALERT ***

This release improved Security Updates implementation. HP strongly recommends promptly
transitioning to this BIOS version. Due to security changes, after this BIOS
update has been installed, previous BIOS versions cannot be reinstalled.

Version 2.77

- Update to latest Intel microcode 0x27

*** ALERT ***

This release improved Security Updates implementation. HP strongly recommends promptly
transitioning to this BIOS version. Due to security changes, after this BIOS
update has been installed, previous BIOS versions cannot be reinstalled.

Version 2.75

- Update to latest Intel microcode 0x25

*** ALERT ***

This release improved Security Updates implementation. HP strongly recommends promptly
transitioning to this BIOS version. Due to security changes, after this BIOS
update has been installed, previous BIOS versions cannot be reinstalled.

Version 2.74

- Add new BIOS Setup policy to allow Power On Password prompt when Wake On LAN.
NOTE: By default this new setting will be enable, so it will prompt for Power On Password on a Wake on Lan event.
- Update to latest Intel microcode 0x24
- Update to latest UEFI PXE version 0018

*** ALERT ***

This release improved Security Updates implementation. HP strongly recommends promptly
transitioning to this BIOS version. Due to security changes, after this BIOS
update has been installed, previous BIOS versions cannot be reinstalled.

Version 2.73
- Rolls back the chages added in 02.72
- This BIOS version allows to downgrade to 02.71

Version 2.72
- Add new BIOS Setup policy to allow Power On Password prompt when Wake On LAN.
*** NOTE: By default this new setting will be enable, so it will prompt for Power On Password on a Wake on Lan event.
- Update to latest Intel microcode 0x23.
- Update to latest UEFI PXE version 0018

*** NOTE: Due to security changes, after loading this BIOS, older versions cannot be installed.

Version 2.71
- Fixed issue where a scheduled netork BIOS update would fail if a BIOS admin password existed in the system.

PCR 0: 65A4601320E1752DFD2B0170BFCBF8D7F12DFEC2

Thank you for using HP products and posting to the community.
I am a community volunteer and do not work for HP. If you find
this post useful click the Yes button. If I helped solve your
problem please mark this as a solution so others can find it

SDH · ‎04-30-2023

You're very close...

Take the link you provided (https://ftp.hp.com/pub/softpaq/sp103501-104000/sp103785.html) and just change the end to:

https://ftp.hp.com/pub/softpaq/sp103501-104000/sp103785.exe

That will take you directly to the SoftPaq that includes the 2.78 BIOS download. You can run that SoftPaq on pretty much any MS OS computer, and it will create a folder on the root level of your C drive called SWSetup. In there will be a folder called SP103785. In that will be a folder called DOS Flash. In there will be a file called L01_0278.BIN. I copy that .bin file out and use it for upgrading BIOS from within BIOS, from a thumb drive... there is a HP BIOS feature that lets you do that before BIOS has advanced into launching the OS. I've found that to be a safer way to upgrade BIOS because the included in-OS upgrade application may be interfered with by the currently installed OS (or its security add-ons). The HP-provided in-OS application may have been written for W7, for example, and may not work properly if you try to upgrade BIOS from within W10 instead. I almost bricked a nice Z620 doing exactly that, and thus will not go back from this in-BIOS method. Supposedly HP fixed that issue... but it is a shortcut I'm not willing to try again.

HP changed from upgrading BIOS from within BIOS as a quite simple process of copying the .bin file to the top level of a USB drive... to more recently requiring that the .bin file is nested down inside the third level of 3 specifically named folders. That happened for the HP workstations when they went from the ZX20 family to the ZX40 series. I've also seen that nesting approach in some of the more recent business class HP desktop PCs. I do know HP mucked up their instructions for using the in-BIOS method in some earlier BIOS upgrade SoftPaqs for the ZX20 workstations... some cutter/paster HP guy threw in the 3-nested-folders instructions from the newer ZX40 SoftPaqs into the instructions for ZX20 BIOS upgrading. Did not work. I let them know, and they fixed that pretty quickly.

From your 2.78 SoftPaq's html file regarding this method:

"The HP Business Desktop systems provide a BIOS upgrade option through both the Startup Menu and the F10 Setup utility using the "Flash System ROM" feature. Reboot the PC and press the Escape key to display the Startup Menu. Use the arrow keys to select Utilities, and then select the Flash System ROM option. Alternatively, reboot the PC and press F10 to access the BIOS Setup utility. In the File menu, select Flash System ROM. Either method requires that removable media be present (USB storage or data CD) that contains the BIOS binary image file in the root directory. The binary image file can be found in the DOS Flash folder and is named xxx_MMmm.bin where "xxx" is the BIOS family, "MM" is the major version number, and "mm" is the minor version number. To create a CD for updating the BIOS, use a blank CD-R or CD-RW disk on a system with a CD-RW or DVD+RW drive, and write the binary to the disk using any CD-burning software (Windows 7 and Vista support burning data CDs without additional software). If a BIOS Setup password has been set, the password will be required before being able to access the "Flash System ROM" menu. The user is notified when the process is completed. The new BIOS code will not take effect until the PC is restarted."

So, from that I'd say your HP Business PC will be using the older non-nested approach...

I've traditionally used a smaller sized thumb drive with nothing else on it, freshly formatted using FAT32, and plug that thumb drive in before doing a cold boot, and F10 into BIOS. "Flash System ROM" is up near the top in BIOS, easy to find (you don't boot from the thumb drive for this process).

By the way, that .html vs .exe trick seems to work most of the time from functioning HP ftp servers...

tcsenter · ‎05-01-2023

@BeemerBiker wrote:
Here is a list of reasons for updates going back to 2.71. An "intel microcode update" sometimes just allows a new CPU to be recognized but more often than not is a critical security update. Note that 2.72 caused a problem that 2.73 reversed.

Hello! Yes, all those microcode updates (0x24, 0x25, 0x27, 0x28) are to mitigate security vulnerabilities to exploits such as Meltdown and Spectre, that were reported circa 2017~2018. No new 4th/5th gen Haswell/Broadwell (for consumer space) processors had been released since Q3/2014 so any BIOS released after that would not be (or highly unlikely) to bring newer processor support.

I find it baffling and concerning that HP has pulled EVERY BIOS that addresses this group of security flaws first revealed or reported in 2017, with NO explanation or guidance to HP users. Are we fully exposed to these security risks/exploits if running a BIOS that predates the fixes for them? Are the now-retracted BIOS even more problematic in other ways (i.e. the cure was worse than the disease)?

For users of business segment products, on a matter that may be critical to security, I think this is unacceptable, really. Especially since this page continues to be available (you have to dig for it) urging users to update to the (retracted) BIOS v2.74 for applicable L01 ROM family models: https://support.hp.com/us-en/document/c05869091

Create an account on the HP Community to personalize your profile and ask a question