Monday 25 January 2021

Latest Windows update KB4535680 blocks agFM Secure Boot!

You can Secure UEFI64-boot to agFM on the E2B USB drive because it uses the Kaspersky bootx64.efi signed grub2 shim file. This boot file originated from Kaspersky and was signed by Microsoft as being 'Secure'. However, it contained a loophole which allowed us (via some clever programming) to load unsigned modules and hence an unsigned version of grub2 (e.g. grubfm or agFM or Ventoy, etc.).

A year or so ago, Microsoft released a KB Update which added a 'blacklist' entry into the UEFI BIOS non-volatile RAM of the Windows system UEFI firmware. This is called the DBx (or dbx) list and it can usually be found in your UEFI BIOS settings.

The DBx list was specifically intended for this purpose - to blacklist boot files which Microsoft had signed as 'Secure' but later turn out to be not as 'secure' as they thought!

The update provided by Microsoft immediately caused a lot of issues on certain Secure Boot OEM systems which also used this same EFI boot file (Lenovo?, HP?) and thus the update prevented them from booting after it was installed! Microsoft quickly withdrew the Windows Update and left their victims to try to rescue their secure but unbootable systems.

Now it seems Microsoft have tried again (KB4535680 2021-01-12) but the new Windows update is only applied to certain systems (and probably only those that boot via UEFI and have GPT partitions on the boot disk):

Friday 22 January 2021

Add rEFInd to agFM

Clover identifies EFI files on all partitions.
You can also add your own menu entries if you wish.

If you want to add rEFInd to your Easy2Boot USB drive, then you can download the current rEFInd files to the \EFI\refind folder, rename the bootx64 and bootia32 .efi files and then simply add all the files to the 2nd FAT32 partition (agFM partition) of your E2B USB drive.

You can configure the rEFInd menu by editing the \EFI\refind\refind.conf text file.


Monday 18 January 2021

agFM 1.70b Beta and E2B v2.08a Beta available (BUGFIX for Blank screen on UEFI booting)

It has been reported that some notebooks such as the Lenovo IdeaPad S145 and ZYREX SKY 232 do not like the UEFI64 Kaspersky .EFI boot shim which agFM uses by default.

The Kasperksy .EFI boot file is signed by Microsoft and allows us to boot to agFM which then temporarily disables Secure Boot, thus allowing us to run agFM grub2 and boot from both signed and unsigned (insecure) ISOs and other boot files.

However, some systems will not UEFI64 boot to the Kaspersky+agFM boot files (even if Secure Boot is disabled in the BIOS). The reason for this is unknown.

Another problem with the Kaspersky shim is that it may be blacklisted by a Linux or Windows update which can add an entry into the BIOS's DBx blacklist EEPROM firmware list. This means that if Secure Boot is enabled in your BIOS on your system, it will not allow the Kaspersky EFI boot file to load and you may see some sort of 'Security Violation' error from the BIOS on boot. You can check your BIOS DBx list to see if has any entries (and clear the list).

The solution to both these issues is to remove the Kaspersky shim and this process is documented on this page in the Troubleshooting sections and in the FAQ page.

In these latest Beta versions, I have modified the E2B and agFM menu system so that you can enable or disable the Kaspersky shim by using a menu entry. If you remove the Kaspersky Secure Boot EFI file, you will not have the ability to secure boot to the agFM menu.

Update Instructions

Wednesday 13 January 2021

agFM v1.70aBeta available

The latest agFM v1.70aBeta version now understands files with the new .binacpi file extension.

If you have a binary acpi file which you want to patch your BIOS with (for instance to try to get ACPI support working under XP using a DSDT.bin file), you can change the extension of your file from .bin to .binacpi.

It will then by listed in the agFM menu system and agFM will present you with this menu when the .binacpi file is selected:

Monday 11 January 2021

E2B v2.07 is now released

 The latest version 2.07 is now live.

1. \E2B Launcher.exe application added

2. Add .ventoyignore dummy files to \_ISO\docs and \_ISO\e2b folders for faster Ventoy startup

Sunday 10 January 2021

Why not treat yourself?

Having problems booting UEFI payloads with E2B, Rufus, Ventoy, etc.?

Maybe you didn't get the present you really wanted at Xmas or you are just feeling depressed at having to stay indoors during Covid Lockdown? Then why not treat yourself to an IODD Mini SSD  CD\DVD emulator (#ad).

This small device fits easily into any pocket and being SSD-based it is robust, light and fast.

In case you didn't get the memo - the Mini can not only load any ISO as a virtual DVD drive, but it can load up to FOUR different VHDs at the same time! That means you can have any four USB disks you like. Each disk can contain multiple partitions, so you can have four different complete OS's on those disks and boot to any of them (not counting the SSD disk itself). You can also set each Virtual disk to be a Removable USB device and thus emulate a USB Flash drive instead of a USB HDD (or up to four USB flash drives).

If you copy on an empty file with a .VHD extension (or any file) and select it - you now have a blank 'disk' which you can install anything you like onto (after partitioning it and formatting it like any other blank disk).

Do you have many small bootable USB drives, each with a different payload? Then why not just convert each one to a .VHD file (e.g. using RMPrepUSB - Disk to File) and store them on the IODD?

Note: VHD files are  just disk images. The file needs to be contiguous.

Of course, it can't do fancy stuff like auto-install Windows, apps, drivers and updates using user XML files like E2B can with SDI_CHOCO, it can't attach a persistence file to an ISO and boot the live ISO with persistence, it can't Secure-boot boot non-secure ISOs, it can't run ISOs that were actually designed to be extracted onto a flash drive rather than boot as a liveCD, it doesn't contain PassPass or UtilMan XML files to bypass Windows account logins and all the other good stuff that E2B+agFM+Ventoy can do - BUT the good news is you can simply add E2B+agFM+Ventoy onto it!

Prices are around $130 for the 256GB version. You know you deserve it :-)

agFM v1.69 and 'Ventoy for Easy2Boot' v1.0.32 released

 agFM v1.69 and 'Ventoy for Easy2Boot' v1.0.32 are now released and will be automatically downloaded when you make a new E2B USB drive or run the appropriate \e2b\Update agFM cmd files to update agFM and Ventoy.

eBook #4 for agFM has been revised and updated for the new F1 and F5 menu structure in agFM. Updates are free - just use the link in the original email receipt from Payhip.

E2B v2.07 will be released soon - the only changes to E2B are the new E2B Launcher utility and the addition of some .ignoreVentoy dummy files to speed up booting to the Ventoy menu.

Please donate!

If you use E2B+agFM+Ventoy, please donate something to a1ive and LongPanda who are the developers of grubfm and Ventoy. They deserve at least a cup of coffee for all their excellent hard work which they provide for free! Think where we would be if we didn't have these utilities to use on modern UEFI systems!

Friday 8 January 2021

'Ventoy for Easy2Boot' v1.0.32 with UEFI32 support now available

 Ventoy now supports UEFI32 (experimental) as well as UEFI64.

I have compiled a version for Easy2Boot from the v1.0.32 Ventoy sources.

To update your E2B USB drive...

Monday 4 January 2021

'Ventoy for Easy2Boot' v1.0.31 is now available

 Download ZIP file and drag-and-drop onto \e2b\Update agFM\Add_Ventoy.cmd to update.

The download is in the latest Betas folder on Alternate Downloads site.!AqlrQcdsFA-K7S2G6_UPKR7HCecH?e=dhknNv

I will release in a few days unless someone reports a problem.

This is NOT the official version of Ventoy - it is modified - so do not report any problems to the Ventoy author!

Ventoy UEFI32 is not supported.

Don't forget to subscribe for the latest news and tips!

Friday 1 January 2021

a1ive grub2 code to check for an expiry date

 If you have added your own \boot\grubfm\startup_menu.txt file, you can check for an expiry date. This would force the user to update their USB drive. Here is an example of how to test dates.

Check expiry date

You can add the lines below to check that an expiry date has not been met or exceeded. Change the value of LOWERDATE  and UPPERDATE as required to set a valid range.

The code gets the current date in YYYYMMDD format into sdate. The regexp command is used to get the first 8 characters only.

It then compares that dates and reboots the system if the expiry date has been met or if the date is before or equal to the LOWERDATE. The LOWERDATE test helps to prevent the user from cheating by setting the RTC (Real Time Clock) to an earlier date.

This may be of use if you want to force the user to update the USB boot drive after a specific date (.e.g. example = expires Feb 01 - valid for any day in January).

# check date - reset if UPPERDATE (YYYYMMDD) is equal to or smaller than current date
set LOWERDATE=20201231
set UPPERDATE=20210201
unset now;date -s now;regexp -s sdate '(........)' "$now"
# display RTC date and time in human form (optional)
date -m
if [ "${sdate}" -le "${LOWERDATE}" ]; then echo "ERROR: INCORRECT RTC DATE - rebooting..."; sleep 5; reset -w; fi
if [ "${sdate}" -ge "${UPPERDATE}" ]; then echo "ERROR: THIS SOFTWARE HAS EXPIRED ($sdate >= $UPPERDATE) - rebooting..."; sleep 5; reset -w; fi 
unset now;unset UPPERDATE;unset sdate;unset LOWERDATE

Taken from E2B eBook #4 - UEFI-multiboot using the a1ive grub2 File Manager