pfSense on Watchguard M370
-
The BIOS on the XTM800/1500 is not locked it just doesn't have console redirect to allow using the serial console.
There are other threads better suited for questions regarding that. This one maybe.Steve
-
Hi @stephenw10 ,
I recently replaced my firewall with a WG M370 that was donated to me and I was succesfully able to flash it with pfsense 2.5.1 CE. I'd like to thank you for the work and documentation for getting pfsense working on this box. I'm still a beginner and learning.
The only issue I have right now is when trying to get your WGXepc script working. It errors out on me whenever I try to run it via ssh, and using shellcmd to schedule it doesn't seem to work either. (I also couldnt get "." to execute the script either so I had to install bash not sure if this is part of my problem either).
Does the script still work for the latest version of pfsense 2.5.1 CE? I've attached a screenshot of the error I am getting. Thanks for any insight!
-
It's not a script. That's the C code you would use to compile it. Download the compiled 64bit version (or compile it yourself) then run that:
[21.05-RELEASE][admin@m470.stevew.lan]/root: ./WGXepc64 Found Firebox M370/470/570/670. WGXepc Version 1.5 5/6/2020 stephenw10 WGXepc can accept two arguments: -f (CPU fan) will return the current and minimum fan speed or if followed by a number in hex, 00-FF, will set it. -f2 (System fan) will return the current and minimum fan speed or if followed by a number in hex, 00-FF, will set it. -l (led) will set the arm/disarm led state to the second argument: red, green, red_flash, green_flash, red_flash_fast, green_flash_fast, off -b (backlight) will set the lcd backlight to the second argument: on or off. Do not use with LCD driver. -t (temperature) shows the current CPU temperature reported by the SuperIO chip. X-e box only. Not all functions are supported by all modelsSteve
-
@stephenw10 Thanks very much! That worked for me and thanks again!
-
B bingo600 referenced this topic on
-
In case anyone is interested or would like to work with me on unlocking I believe I've managed to get a .bin backup of the bios from an M370. SPI header layout is the same as the M400 & XTM5 series but a programmer won't read the chip until the CMOS jumper is set to reset (pins 2+3). Please let me know if anyone is interested. Current screenshots of bios in BCP5:
-
Ah, that's fun! I assume it won't boot in that state?
-
Not sure yet, still working up the courage to try and change it and re-flash it. Those images are from the extracted bios. I've been going through the settings in BCP and the UBU tool and it looks like it should boot in that state. Console redirection appears to be turned off so I can't Freedos for flashing and it looks like it'll have to be via SPI. I've never flashed one via SPI before so I'm being thorough before making the attempt. If you would like I can post a link to the .bin file?
Here's some of the output from the UBU Tool in case anyone finds it helpful:
-
Sure I'll poke at it if you have a link. Maybe PM it.
It's been a while but IIRC flashrom could not read it at all.
I would have though FreeDOS would work but I'm not sure any version of AFUDOS will read that. It might require the uefi version which I've never tried via serial console... -
@stephenw10 So far I haven't been able to get FreeDOS to redirect anything but garbage over serial. I'll PM you the file, from what I'm seeing the bios doesn't appear to be heavily locked down (ME is disabled) but it looks like the only way to flash over a new rom is with SPI or a PCIE video card and/or soldering on a VGA header.
-
I have an m370 and tried to unlock it.
I booted from a windows 10 disk that I moved to the m370 and used rdp to log in.
Flashrom for windows can't read the chip. However ami AFUWIN tool can read the flash and I tried to remove the password with Uefitool ( not sure anymore). The password is located at 2 locations and I blanked both. Reflashed with AFUWIN.
After a reboot the system is strangely slow and will reset, after that the password is back. I checked and reflashed multiple times and always ended up back to the password on boot.I gave up...too much time wasted on this. I still have the bios bin somewhere. Anybody ?
-
@soupman I'm going to admit I've been lazy about doing my write up on this. From what I've read the Aptio V Bios can store the setup password in the TPM and regen it if it's cleared out of the bios file. I tried the same method and was not able to get it cleared out. I did manage to modify a Lanner original bios (no password) and flash it/overwrite the stock bios on 2 M370's successfully using a CH341A Black. I've been running the modified bios for the last few months now. If you're interested I can write up the steps and post them on here and DM you a link for the bios file?
-
sure I will try it. DM me the link. I will flash it with afuwin and see what happens...
The lanner bios is unlocked ? Can boot from usb ?
thx
-
@soupman Nope can't boot from usb, you have to use one of the CH341 SPI programmers and attach it to the SPI pin outs on the motherboard or at least that has been my experience so far. After flashing you can boot from usb.
-
dead now. Flashed ok, but does no longer boot.
Did you connect to the spi pin connector or a soic clip ? Any guide ?
Thx
-
@soupman I'm working on the documentation, but it won't be until tomorrow or this weekend. I had to wire from the pins on the SPI programmer directly to the SPI pins on the mobo. I flashed it without power to the device and I had some issues until I used a USB 3.0 outlet. I did not use a SOIC clip because the chip is not labeled on the board and won't fit on what I suspect is the chip because it butts up against a heatsink. It is a Winbond chip (Bios_Chip: Winbond W25Q128). I had to use ASProgrammer (or whatever SPI programmer software you prefer) to wipe the chip, then verify it was wiped, then write the new bios. I should have documentation posted in the next few days.
-
I assume no responsibility for damage to the device. Follow the instructions below at your own risk. Instructions below should only be used for M370 model and may not work for other models in the Mx70 series.
Part 1: Connecting SPI programmer to SPI header
Picture of SPI Header on board:
Image of SPI Programmer pins:
Note: 5v is not used.
- Unplug power from the M370
- Remove the CMOS battery
- Using the chart above connect the cable from the SPI programmer pins to the corresponding pins on the mobo listed in the chart above (Note: Pins 1,2,6, & 7 are not used, Pin3 is CS (CS0), and Pin4 is your 3.3v power).
- Plug the programmer into a USB 3.1 port or plug into a USB extension cable plugged into a USB 3.1 port. This may work on USB 3.0 port as I believe a 3.0 port should provide the necessary power but I used a 3.1 port.
-
Image of CH341A Black SPI programmer plugged into the header on the board:
Part 2 coming soon
-
As far as I know the boards are identical across the series so I would expect it to work on any. But that remains untested.
-
@stephenw10 The documentation from Watchguard indicates that the M670 will take a Xeon processor which I believe requires the Intel C236 series chipset and the M370 has a B150 series chipset. The microcode is there on the M370 but I was unable to get it to run the Xeon processor which makes me suspect that at least the M670 has a different chipset, hence the warning. This part is all speculation and should not be referred to as fact. I defer to @stephenw10 here as he has more experience with the Watchguard devices than I do.
-
Well not really with this.
If you've tried the same Xeon as fitted in the 670 and it doesn't work in the 370 that seems pretty conclusive evidence it must be different to me.Steve
