25.03-BETA won't install in SG-2100 (SG-1100 ok)

stephenw10

Indeed, I'm not aware of anything in beta that should present like that so it might well apply to any upgrade on that specific device. Somehow.

robotox

Hi @stephenw10

After many attempts on the SG-2100 MAX I found this in the logs:
WARNING: DTB version is 6.4 while kernel expects 6.8, please update the DTB in the ESP

In the forum I found these:
https://forum.netgate.com/topic/195988/2100-max-upgrade-24-03-to-24-11-failed
https://redmine.pfsense.org/issues/15993
https://forum.netgate.com/topic/197530/sg-2100-max-warning-dtb-version-is-6-4-while-kernel-expects/6

But camcontrol devlist shows:
<ATP SATA III M.2 2242 SBFMB1.1> at scbus0 target 0 lun 0 (pass0,ada0)

So,
I don't think I have the unsupported NVMe but the normal SATA as I purchased from an official Netgate partner and made no modifications.

Can this warning be the reason why boot verification keeps failing and falling back?

Thank you once more.
(SG-1100 is now on 25.07-RC and no issues to report.)

stephenw10

No unlikely to be related. The dtb error would probably prevent boot entirely or have no effect. And since there are reports of it in 24.11 it's probably the latter.

I would just reinstall clean to 24.11 or 25.07-RC at this point to be honest.

robotox

@stephenw10 said in 25.03-BETA won't install in SG-2100 (SG-1100 ok):

ean to 24.11 or 25.07-RC at this point to be

Got to the console to check the upgrade at least once before going to the install option for which I got the image ready as well.

As seen in the first pictures it hangs a few minutes in Updating configuration......2025-07-20T17:53:26 but then immediately says Shutdown NOW!

I can't even tell where it fails and goes back to version 24.

Should I just move on and install on top?
Or do you want me to check anything of interest?

Thanks again.

Screenshot from 2025-07-20 18-08-39.png

stephenw10

Hmm well that looks like it successfully upgrades but then fails the boot environmen check at the first boot after that. Hence it reverts to the old 24.11 BE.

It should show an alert in 24.11 confirming that it reverted to a previous BE.

If you check the list of BEs you should see some created for the upgrades that are marked as failed.

It's odd it doesn't show that in the console output though. It could be simply timing out at the first boot if something there is taking a very long time? How large is the config? Or does it have anything unusual that is ripping up the config update script perhaps?

robotox

@stephenw10

I am in the same line of thoughts.
/conf/config.xml in SG-2100 is 377kB with 9360 lines.
/conf/config.xml in SG-1100 is 187kB with 4453 lines.

The weirdest thing I have in the SG-2100 is maybe pfBlockerNG and some big Aliases entries (in Firewall Aliases IP, not related with pfBlockerNG). Also a couple of OpenVPN clients.

The thing is that I tried removing all packages and rebooting before an upgrade but didn't do the trick.
Would the config file be instantly shorter once pfBlockerNG is removed and after a reboot?

I can check and try by removing the big Aliases.
I can always restore them after from a backup.

Thanks again.

stephenw10

Disabling pfBlocker leaves most of the config present so you can re-enable it later.

It shouldn't fail on that config. It's big but not that big. So I would look for something unexpected there. It might have some left over cruft in there that is tripping up the new config backend.

Are you able to upload that to us for testing?

robotox

@stephenw10
Thanks again.
Well it is full of passwords and pre-shared keys and very detailed stuff but I guess we should find the culprit of it somehow.

I did find leftovers of lcdproc before, which I cleaned at some point.
That means that part of the config I am using was migrated from a modified WatchGuard I have used in the past.

Let me have a look tomorrow.
It's kind of late now in my timezone.
Thanks!

robotox

Got the image from support.
Tried with several usb devices, tried with dd and etcher, tried usb reset a dozen of times and nothing gets me to the upgrade.
EFI size is not the problem.

I just opened another ticket with this message now.

Wish me luck.

Marvell>> usb reset
resetting USB...
USB0: Register 2000104 NbrPorts 2
Starting the controller
USB XHCI 1.00
USB1: USB EHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
scanning bus 1 for devices... 2 USB Device(s) found
scanning usb for storage devices... 1 Storage Device(s) found
Marvell>> run usbboot
resetting USB...
USB0: Register 2000104 NbrPorts 2
Starting the controller
USB XHCI 1.00
USB1: USB EHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
scanning bus 1 for devices... 2 USB Device(s) found
scanning usb for storage devices... 1 Storage Device(s) found
17302 armada-3720-gti-doorkeeper.dtb
18022 armada-3720-netgate-1100.dtb
18022 armada-3720-sg1100.dtb
13733 armada-3720-netgate-2100.dtb
13733 armada-3720-sg2100.dtb
14063956 config-name.local-20250928173915.xml

6 file(s), 0 dir(s)

13733 bytes read in 17 ms (788.1 KiB/s)
EHCI timed out on TD - token=0x20008d80
EHCI timed out on TD - token=0x20008d80
EHCI timed out on TD - token=0x20008d80
Error reading cluster
** Unable to read file efi/boot/bootaa64.efi **

Starting EFI application at 01000000 ...

efi_load_pe: Invalid DOS Signature

Application terminated, r = 9223372036854775806

Marvell>>

stephenw10

Have you tried dircetly doing: run usbrecovery there?

That will erase the eMMC to be sure it's not trying to load the efi file from there.

You can also check to make sure that file exists on the USB:

Marvell>> fatls usb 0:1 efi/boot
            ./
            ../
   848316   bootaa64.efi
       13   startup.nsh

2 file(s), 2 dir(s)

robotox

@stephenw10
Finally found the availability to go through this one again and for good.

Old Kingston was no good, bought a new Sandisk and no joy.
Eventually got it working with a very old usb flash drive.
"efi_load_pe: Invalid DOS Signature" was gone.

Reinstalled it but got into a new problem where ada0 was not recognized.
Boot loop where only usb would work.

Support was GREAT!
They helped me and did a remote session and they nailed it with a "setenv pfsenseboot" command.
At some point I believe we were even tricked by " being different from ' not sure to be honest, we did it a lot of times.
But we got it!

Reinstall to 25.07.1 worked well at the end.
Did a new environment and tested my restore. All good and no surprises!
Restored and rebooted and halted a couple of times to test if ada0 would kick in every time, which did ever since.

People in the forum say the support is great, I can confirm!
Thank you to those in forum.netgate and those at portal.netgate.

Thanks!

P.S. I will now try to fight again with unbound that insists to be delayed by either openvpn or pfblockerng :)