Extract Cisco UCS BIOS and CIMC Firmware with getfw

Cisco Mar 06, 2019

Turns out its a royal PITA to get Cisco BIOS and CIMC firmware out of their upgrade ISO just to upgrade a Cisco UCS (in my case a UCS C22 M3) server's management and BIOS via the web UI.

According to the Cisco docs:

(Optional)  If you plan to upgrade the Cisco IMC and BIOS firmware manually, do the following:Beginning with Release 3.0, the BIOS and Cisco IMC firmware files are no longer embedded inside the HUU as a standalone .zip file. BIOS and Cisco IMC firmware must now be extracted using the getfw utility, which is available in the GETFW folder of the HUU. Perform the following steps to extract the BIOS or Cisco IMC firmware files:
Note   To perform this:
Openssl must be installed in the target system.
Squashfs kernel module must be loaded in the target system.

Openssl is already installed on my system so that should be easy (if it's not installed on yours, don't bother Googling, keep reading). Famous last words.

Install squashfs

There's no squashfs-modules package in Ubuntu 16.04, 18.04 or Debian Stretch so sadly the instructions here for Debian won't work: https://www.tldp.org/HOWTO/html_single/SquashFS-HOWTO/#debian

Therefore we need to build from source to get the modules we need. Download the latest release from https://sourceforge.net/projects/squashfs/

Compile and install:

tar -zxvf squashfs4.3.tar.gz
cd squashfs4.3
sudo make install
sudo modprobe squashfs

Note: this will require zlib, I didn't have it installed so make initially failed. Install it with sudo apt install libz-dev.

Now lsmod | grep sqash should show it's all loaded okay.

At this point, theoretically it should be as simple as running this as root:

./getfw -s /root/Desktop/HUU/ucs-c2xxx-huu-3.0.1c.iso -d /tmp/HUU

I'd be so lucky.

# ./getfw -s ucs-c2x-huu-3.0.4j.iso -d out

Decryption failed

After some Googling about it's something about versions. Luckily though, some chap on the Cisco forums says:

I was able the run the getfw cli on a Rhel7.3 with openssl ver 1:1.0.1e

Right then, let's grab that version and try again.

wget https://ftp.openssl.org/source/old/1.0.1/openssl-1.0.1e.tar.gz
tar -zxvf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e

Now there's a version of OpenSSL 1.0.1e in apps/openssl

$ ./apps/openssl version
OpenSSL 1.0.1e 11 Feb 2013

This need to be first on the PATH so that getfw picks it up:

sudo su
export PATH="/path/to/openssl-1.0.1e/apps:$PATH"
./getfw -s ucs-c2x-huu-3.0.4j.iso -d out

Nothing was selected hence getting only CIMC and BIOS 

FW/s available at 'out/ucs-c2x-huu-3.0.4j'

And hey presto, we have firmware! With any luck this will save someone the hours it took me.


Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.