pfSense on Watchguard M370

soupman

@hangmansnoose001380

I have an m370 and tried to unlock it.

I booted from a windows 10 disk that I moved to the m370 and used rdp to log in.
Flashrom for windows can't read the chip. However ami AFUWIN tool can read the flash and I tried to remove the password with Uefitool ( not sure anymore). The password is located at 2 locations and I blanked both. Reflashed with AFUWIN.
After a reboot the system is strangely slow and will reset, after that the password is back. I checked and reflashed multiple times and always ended up back to the password on boot.

I gave up...too much time wasted on this. I still have the bios bin somewhere. Anybody ?

HangmansNoose001380

@soupman I'm going to admit I've been lazy about doing my write up on this. From what I've read the Aptio V Bios can store the setup password in the TPM and regen it if it's cleared out of the bios file. I tried the same method and was not able to get it cleared out. I did manage to modify a Lanner original bios (no password) and flash it/overwrite the stock bios on 2 M370's successfully using a CH341A Black. I've been running the modified bios for the last few months now. If you're interested I can write up the steps and post them on here and DM you a link for the bios file?

soupman

@hangmansnoose001380

sure I will try it. DM me the link. I will flash it with afuwin and see what happens...

The lanner bios is unlocked ? Can boot from usb ?

thx

HangmansNoose001380

@soupman Nope can't boot from usb, you have to use one of the CH341 SPI programmers and attach it to the SPI pin outs on the motherboard or at least that has been my experience so far. After flashing you can boot from usb.

soupman

@hangmansnoose001380

dead now. Flashed ok, but does no longer boot.

Did you connect to the spi pin connector or a soic clip ? Any guide ?

Thx

HangmansNoose001380

@soupman I'm working on the documentation, but it won't be until tomorrow or this weekend. I had to wire from the pins on the SPI programmer directly to the SPI pins on the mobo. I flashed it without power to the device and I had some issues until I used a USB 3.0 outlet. I did not use a SOIC clip because the chip is not labeled on the board and won't fit on what I suspect is the chip because it butts up against a heatsink. It is a Winbond chip (Bios_Chip: Winbond W25Q128). I had to use ASProgrammer (or whatever SPI programmer software you prefer) to wipe the chip, then verify it was wiped, then write the new bios. I should have documentation posted in the next few days.

HangmansNoose001380

I assume no responsibility for damage to the device. Follow the instructions below at your own risk. Instructions below should only be used for M370 model and may not work for other models in the Mx70 series.

Part 1: Connecting SPI programmer to SPI header

Picture of SPI Header on board:

Image of SPI Programmer pins:

Note: 5v is not used.

1. Unplug power from the M370
2. Remove the CMOS battery
3. Using the chart above connect the cable from the SPI programmer pins to the corresponding pins on the mobo listed in the chart above (Note: Pins 1,2,6, & 7 are not used, Pin3 is CS (CS0), and Pin4 is your 3.3v power).
4. Plug the programmer into a USB 3.1 port or plug into a USB extension cable plugged into a USB 3.1 port. This may work on USB 3.0 port as I believe a 3.0 port should provide the necessary power but I used a 3.1 port.

HangmansNoose001380

Image of CH341A Black SPI programmer plugged into the header on the board:

Part 2 coming soon

stephenw10

As far as I know the boards are identical across the series so I would expect it to work on any. But that remains untested.

HangmansNoose001380

@stephenw10 The documentation from Watchguard indicates that the M670 will take a Xeon processor which I believe requires the Intel C236 series chipset and the M370 has a B150 series chipset. The microcode is there on the M370 but I was unable to get it to run the Xeon processor which makes me suspect that at least the M670 has a different chipset, hence the warning. This part is all speculation and should not be referred to as fact. I defer to @stephenw10 here as he has more experience with the Watchguard devices than I do.

stephenw10

Well not really with this. If you've tried the same Xeon as fitted in the 670 and it doesn't work in the 370 that seems pretty conclusive evidence it must be different to me.

Steve

HangmansNoose001380

Same Xeon but the device wouldn't even boot. I don't have any solid evidence on what chipset is in the M470 and M570 but I suspect they may have the C236 chipset as well. I'm currently flashing one of my M370's back to the stock bios so I can document the flash process of the unlocked/modified Lanner bios. Should have Part 2 of this documented by the end of this weekend.

soupman

@hangmansnoose001380

Ok i need to get some stuff and then reflash it.

As I remember the xeon microcode was not in the bios.

Update you when I have some progress.

THX

stephenw10

The m470 does appear to have a C230 series chipset but I've found that can be misleading:

[2.6.0-RELEASE][admin@m470-2.stevew.lan]/root: pciconf -lv
hostb0@pci0:0:0:0:	class=0x060000 card=0x20158086 chip=0x190f8086 rev=0x07 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers'
    class      = bridge
    subclass   = HOST-PCI
pcib1@pci0:0:1:0:	class=0x060400 card=0x20158086 chip=0x19018086 rev=0x07 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '6th-10th Gen Core Processor PCIe Controller (x16)'
    class      = bridge
    subclass   = PCI-PCI
pcib2@pci0:0:1:1:	class=0x060400 card=0x20158086 chip=0x19058086 rev=0x07 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = 'Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe Controller (x8)'
    class      = bridge
    subclass   = PCI-PCI
pcib3@pci0:0:1:2:	class=0x060400 card=0x20158086 chip=0x19098086 rev=0x07 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = 'Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe Controller (x4)'
    class      = bridge
    subclass   = PCI-PCI
xhci0@pci0:0:20:0:	class=0x0c0330 card=0x72708086 chip=0xa12f8086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family USB 3.0 xHCI Controller'
    class      = serial bus
    subclass   = USB
none0@pci0:0:20:2:	class=0x118000 card=0x72708086 chip=0xa1318086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family Thermal Subsystem'
    class      = dasp
ig4iic0@pci0:0:21:0:	class=0x118000 card=0x72708086 chip=0xa1608086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family Serial IO I2C Controller'
    class      = dasp
ig4iic1@pci0:0:21:1:	class=0x118000 card=0x72708086 chip=0xa1618086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family Serial IO I2C Controller'
    class      = dasp
ahci0@pci0:0:23:0:	class=0x010601 card=0x72708086 chip=0xa1028086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Q170/Q150/B150/H170/H110/Z170/CM236 Chipset SATA Controller [AHCI Mode]'
    class      = mass storage
    subclass   = SATA
pcib4@pci0:0:28:0:	class=0x060400 card=0x72708086 chip=0xa1108086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family PCI Express Root Port'
    class      = bridge
    subclass   = PCI-PCI
pcib5@pci0:0:28:4:	class=0x060400 card=0x72708086 chip=0xa1148086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family PCI Express Root Port'
    class      = bridge
    subclass   = PCI-PCI
pcib6@pci0:0:28:5:	class=0x060400 card=0x72708086 chip=0xa1158086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family PCI Express Root Port'
    class      = bridge
    subclass   = PCI-PCI
pcib7@pci0:0:28:6:	class=0x060400 card=0x72708086 chip=0xa1168086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family PCI Express Root Port'
    class      = bridge
    subclass   = PCI-PCI
pcib8@pci0:0:28:7:	class=0x060400 card=0x72708086 chip=0xa1178086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family PCI Express Root Port'
    class      = bridge
    subclass   = PCI-PCI
pcib9@pci0:0:29:0:	class=0x060400 card=0x72708086 chip=0xa1188086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family PCI Express Root Port'
    class      = bridge
    subclass   = PCI-PCI
pcib10@pci0:0:29:1:	class=0x060400 card=0x72708086 chip=0xa1198086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family PCI Express Root Port'
    class      = bridge
    subclass   = PCI-PCI
pcib11@pci0:0:29:2:	class=0x060400 card=0x72708086 chip=0xa11a8086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family PCI Express Root Port'
    class      = bridge
    subclass   = PCI-PCI
pcib12@pci0:0:29:3:	class=0x060400 card=0x72708086 chip=0xa11b8086 rev=0xf1 hdr=0x01
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family PCI Express Root Port'
    class      = bridge
    subclass   = PCI-PCI
isab0@pci0:0:31:0:	class=0x060100 card=0x72708086 chip=0xa1498086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'C236 Chipset LPC/eSPI Controller'
    class      = bridge
    subclass   = PCI-ISA
none1@pci0:0:31:2:	class=0x058000 card=0x72708086 chip=0xa1218086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family Power Management Controller'
    class      = memory
none2@pci0:0:31:4:	class=0x0c0500 card=0x72708086 chip=0xa1238086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '100 Series/C230 Series Chipset Family SMBus'
    class      = serial bus
    subclass   = SMBus
none3@pci0:1:0:0:	class=0x0b4000 card=0x00008086 chip=0x04348086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'DH89XXCC Series QAT'
    class      = processor
none4@pci0:1:0:1:	class=0x020000 card=0x0dc18297 chip=0x04368086 rev=0x21 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'DH8900CC Null Device'
    class      = network
    subclass   = ethernet
igb0@pci0:2:0:0:	class=0x020000 card=0x0000ffff chip=0x15218086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I350 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb1@pci0:2:0:1:	class=0x020000 card=0x0000ffff chip=0x15218086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I350 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb2@pci0:2:0:2:	class=0x020000 card=0x0000ffff chip=0x15218086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I350 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb3@pci0:2:0:3:	class=0x020000 card=0x0000ffff chip=0x15218086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I350 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb4@pci0:3:0:0:	class=0x020000 card=0x0000ffff chip=0x15218086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I350 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb5@pci0:3:0:1:	class=0x020000 card=0x0000ffff chip=0x15218086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I350 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb6@pci0:3:0:2:	class=0x020000 card=0x0000ffff chip=0x15218086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I350 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb7@pci0:3:0:3:	class=0x020000 card=0x0000ffff chip=0x15218086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I350 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb8@pci0:5:0:0:	class=0x020000 card=0x0000ffff chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb9@pci0:6:0:0:	class=0x020000 card=0x0000ffff chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb10@pci0:7:0:0:	class=0x020000 card=0x0000ffff chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb11@pci0:8:0:0:	class=0x020000 card=0x0000ffff chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb12@pci0:9:0:0:	class=0x020000 card=0x0000ffff chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb13@pci0:10:0:0:	class=0x020000 card=0x0000ffff chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb14@pci0:11:0:0:	class=0x020000 card=0x0000ffff chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb15@pci0:12:0:0:	class=0x020000 card=0x0000ffff chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet

Steve

HangmansNoose001380

Part 2: Detecting and backing up chip

1. You’ll need SPI programmer software that can read the chip from the CH341A/Mobo SPI. Listed below are the 2 pieces of software that I have found that will read the chip:
   a. AsProgrammer v2.0.3a -
   b. NeoProgrammer V2.2.0.8
2. Note the following steps are for the AsProgrammer software. The steps are mostly same for both programmer software. Do not attempt the steps below unless the CMOS battery has been removed and the power cable has been disconnected from the M370.
   a. Launch AsProgrammer
   b. Click “Read ID” button and you should get a list of 3 chips (2 WINBOND W25Q128 chips and 1 Spansion. I believe you can select either of the WINBOND options but I used the W25Q128FV.
   
   

c. Next you’ll need to unprotect the chip by clicking the “Unprotect” button to the right of “Read ID”.

d. After Detecting/Selecting/Unprotecting the chip click the “Read IC” button. This reads the original bios from the chip.

e. Once the read completes run a verification check by clicking the “Verify IC” button to make sure the image read into memory is clean.

f. At this point, if the verification succeeded without errors, I would strongly suggest saving the original bios as a backup copy. If you receive an error either the chip is still protected, cables are not connected correctly, or USB port is not supplying enough power to the mobo. Do not proceed with Step 3 if you do not have a clean backup.

HangmansNoose001380

Part 3: Erasing Chip

1. After saving the original bios the next step is the click the “Erase IC” button. This will completely erase the contents of the chip and can take a few minutes.
   
   
   
2. After the Erase has completed, you’ll need to verify the chip was erased successfully by clicking the drop-down button next to the “Verify IC” button and selecting “Blank check”. Note whether the verification was successful or not before proceeding with the next step. Sometimes the chip must be erased twice before verification succeeds.
   
   

HangmansNoose001380

Part 4: Reprogramming chip with modded bios

1. Open the modified bios file in AsProgrammer that you would like to flash to the chip.
   

2. Click the “Program IC” button to start the flash of the modified bios to the chip.
   

3. Click “Yes” in the pop-up window asking for confirmation to start the programming.
   

4. Programming can take several minutes to complete. There is a progress bar to show completion status.
   bolded text
   

5. Once complete click the “Verify IC” button to verify the modified bios was flashed successfully.
   
   
   

6. If all steps completed successfully you should be able to disconnect your SPI programmer from the mobo SPI header, insert your CMOS battery back in, plug the power cable back in and power it on. The machine takes about a minute or so to boot up and post, then it will reboot, power on and immediately power off and reboot again, and after that you should be able to access the bios menu at this point.

HangmansNoose001380

WatchGuard original post:

WatchGuard original prompt to access bios:

Mod_Bios post:

Mod_Bios Menu:

HangmansNoose001380

Side note: I would not enable Turbo Mode option in the modified bios if you are running a 6th gen processor. pfSense will hang on boot if it's enabled with a 6th gen processor. Works fine with a 7th gen processor.

Example of my configuration with 6th gen processor:

HangmansNoose001380

This post is deleted!