Watchguard XTM 5 Series
-
For a short time Lanner had a forum up that was frequented by staff with access to all manner of useful stuff. You could ask them and, mostly, they would put it up for you. I got a few manuals and bios updates that way. It's gone now. :'(
I thought I had the proper FW-7580 manual but I can't find it now. The problem with working at several computers! ::)
I'll put it up somewhere an send you a link.Steve
That would be handy. Now you can't even find anything about the FW-7580 at all other than it's a discontinued product. I wonder if contacting them directly might get you a copy of the FW-7580 manual.
In other news, I had a major find today. Decided to check an old storage room that used to be for the computer club, which was disbanded years before I started working here, but we used it for storage of old junk for a long while until we were asked to clean it out so they could store some tables and desks and books in there. I was certain we cleaned it all out, but on the shelf was a couple of boxes, mostly random junk like some ISA video cards, some PCI ethernet cards, a bunch of ribbon cables, some hard drive mounting brackets for who knows what model of PC and other odds and ends. And the big score of the bunch, a serial port on a ribbon cable to a proper 10 pin header. I'm tempted to cut out a hole in the back of the XTM and permanently mount it there, but I see no real need to do that as this will probably be the only time I'll need to use it. I also found a slot cover with a DB9 and a DB25 connectors on ribbon cables which I'm stashing in my desk drawer for a rainy day. (Which today is, but I'll stash it for a different rainy day. lol) And I also grabbed a slot cover with a LPT and PS2 port with cables and headers, though I'll probably never use that one.
And while setting up a laptop on our backup internet connection, I came across a null modem cable coiled up in the bottom of the cabinet, so I don't even need to mess around with the Cat5 to serial adapters to figure out how to make a Cat5 cable to get it to act as a null modem cable.
So I'm now in FreeDOS on COM2.
C:\BIOS>biosid ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ BIOSID v1.1 - BIOS Identification Utility ³ ³ Copyright (c) 1998 Unicore Software, Inc. ³ ³ Tel : 1-800-800-BIOS ³ ³ http: //www.unicore.com/ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ BIOS DATE : 02/03/10BIOS TYPE : American Megatrends, IncBIOS ID : 64-0100-0 09999-00101111-020310CHIPSET ID : Eaglelake Press Any key to exit!Unfortunately, I didn't add the AMI utilities to the hard drive yet, so that's as far as I've gotten, but now I know I'm good to get into this. Just need to pull a copy of the old BIOS off and verify it matches your original so I know I can flash your modified one without having to tinker around with my image myself, though I do love some good tinkering and I probably will get around to it at some point just because. I think you posted earlier in this thread which version of the utilities to use to modify without corrupting the BIOS.
Anyway, I've got some work to do. :)
EDIT>>
C:\BIOS>afudos og-bios.rom /o +---------------------------------------------------------------------------+ | AMI Firmware Update Utility v4.40 | | Copyright (C)2011 American Megatrends Inc. All Rights Reserved. | +---------------------------------------------------------------------------+ - Saving current BIOS into file: og-bios.rom - Reading flash ......... done - Program ended normally. C:\BIOS>dir Volume in drive C has no label Volume Serial Number is 294C-120C Directory of C:\BIOS . <dir> 05-20-14 10:47a .. <dir> 05-20-14 10:47a AFUDOS EXE 154,432 07-17-12 10:44a BIOSID COM 1,080 04-29-98 11:14a BIOSID TXT 661 05-04-98 4:30p BIOSID2 TXT 645 12-08-10 3:10p BIOSID3 TXT 637 12-08-10 7:49a OG-BIOS ROM 1,048,576 05-21-14 11:26a XTM5_83 ROM 1,048,576 05-14-14 4:11p C:\BIOS>afudos og-bios.rom /d +---------------------------------------------------------------------------+ | AMI Firmware Update Utility v4.40 | | Copyright (C)2011 American Megatrends Inc. All Rights Reserved. | +---------------------------------------------------------------------------+ - Bootblock checksum .... ok - Module checksums ...... ok - ROM File Size checking ........ ok - ROM ID checking ............... ok - ROM File verification status .. ok - Program ended normally. EDIT2>> Here's the [OG-BIOS.ROM](http://www.gorgarath.com/random/OG-BIOS.ROM) file. Can you verify that it matches your original BIOS so I know if I can just flash the modified BIOS you've provided? EDIT3>> I didn't find version 3.5.1, but did find 3.4.6 of the program who's name is escaping me at the moment as I'm on my phone now, and opened up your modified BIOS image and the image I pulled off the XTM and looked through the generated reports for each. While I don't know what to look for specifically, everything seemed pretty much the same, so I went ahead and flashed your modified BIOS and am able to access everything in the BIOS now. I haven't had a chance to see if flashrom will access the BIOS now or not as I haven't had a chance to turn it on after putting it all back together. I'll probably get to that later tonight.</dir> </dir> -
Ah, that's cool. :) Sorry for the delay replying.
You must use 3.51.
3.46 might corrupt the bios and there is no way to tell until the box doesn't boot.The bios you backed up up is not the same as my original backup:
steve@steve-Satellite-Pro-A300:~/Desktop$ md5sum OG-BIOS.ROM 6ce4e0811a16a61f98e051caee7d3bbb OG-BIOS.ROM steve@steve-Satellite-Pro-A300:~/Desktop$ md5sum xtm5.rom 6fd0df1ef90335d5a4af2e9bea1a6958 xtm5.romHowever I don't think that's necessarily a problem. When I have backed up the BIOS rom before and compared it they have always been different. I believe that the downloaded ROM file must contain some dynamic data which changes every time making comparison like that impossible.
Steve
Edit: typos
-
Ah, that's cool. :) Sorry for the delay replying.
No worries. :)
You must use 3.51.
3.46 might corrupt the bios and there is no way to tell until the box doesn't boot.I used backup copies of the files and only read the files and didn't do any modifications or re-save. Would you happen to know where a copy of 3.51 could be acquired from? I've had no luck finding anything newer than 3.46 and older than something like 7 or something.
The bios you backup up is not the same as my original backup:
steve@steve-Satellite-Pro-A300:~/Desktop$ md5sum OG-BIOS.ROM 6ce4e0811a16a61f98e051caee7d3bbb OG-BIOS.ROM steve@steve-Satellite-Pro-A300:~/Desktop$ md5sum xtm5.rom 6fd0df1ef90335d5a4af2e9bea1a6958 xtm5.romHowever I don't think that's necessarily a problem. When I have backuo the BIOS rom before and compared it they have always been different. I believe that the downloaded ROM file must contain some dynamic data which changes every time making comparison like that impossible.
I believe you're right in the dynamic data. IIRC, when I was comparing the reports, there was some stuff in there like date and time. In any case, your modified BIOS installed with no issues (and since I was using the DOS utility, I didn't have any issues with having to remove the battery or anything since I just used the clear CMOS option when flashing) and was able to get back into the BIOS and boot the FreeDOS image on the hard drive. I've been slacking and haven't yet tried the pfSense install on the CF card yet, but I don't see any problems with that.
I'd like to do a few extra modifications to the BIOS from what I could see in the 3.46 available settings, plus re-order that menu system so save and exit is on the end… I'm a bit OCD like that I suppose. (Actually, I know I have a lot of issues, but that's a whole other 30 volume encyclopedia set, maybe more by now... lol)
On a side note, have you had any luck with recompiling WGXepc on 64bit yet? Not demanding or anything, just idly curious. I'll try and remember which board I saw you posting questions about doing so and check that thread for an update, but just thought I'd inquire here while I'm here.
Thanks for all your help so far. And all your time spent with your seemingly 8 million different watchguard devices. :)
-
I found it here. First hit on Google. ;)
Steve
-
I found it here. First hit on Google. ;)
Steve
I think I found that one too, but when I went to the link it gave, it wanted me to download a downloader program, which I am not going to try to actually use because who knows what that actually does. However, this time, I cancelled the downloader and started typing this up with the other page still opened and it popped up with the AMIBCP download after a minute. So apparently, I was just too impatient before.
Thanks again!
-
Yes, the world of bios modification is somewhat like wading through a cess pool at times. ;)
Obviously anything you've downloaded from some anonymous upload site (after you've closed the pop-ups) linked to from a forum by some guy in Beijing must be treated with some suspicion!Steve
-
Right, after Ermal's helpful nudge in the right direction (and mostly because it was just a cut and paste job from lcdproc!) here is a WGXepc compiled for 64bit. Works fine on my XTM5. I still have to compile it for 32bit to make sure it's good there too.
https://sites.google.com/site/pfsensefirebox/home/WGXepc64
When I tried to fetch it directly to my XTM5 box I got a certificate error, which was slightly alarming, so you may have to sftp it across. Don't forget to set the permissions.Give it a try anyone running amd64.
Steve
-
Right, after Ermal's helpful nudge in the right direction (and mostly because it was just a cut and paste job from lcdproc!) here is a WGXepc compiled for 64bit. Works fine on my XTM5. I still have to compile it for 32bit to make sure it's good there too.
https://sites.google.com/site/pfsensefirebox/home/WGXepc64
When I tried to fetch it directly to my XTM5 box I got a certificate error, which was slightly alarming, so you may have to sftp it across. Don't forget to set the permissions.Give it a try anyone running amd64.
Steve
I got the certificate error as well. I moved a copy to my webserver and fetched it from there.
Just added the shell command package and doing a re-boot now. Finally a green light on this thing. ;D
Thank You Sir!
-
Right, after Ermal's helpful nudge in the right direction (and mostly because it was just a cut and paste job from lcdproc!) here is a WGXepc compiled for 64bit. Works fine on my XTM5. I still have to compile it for 32bit to make sure it's good there too.
https://sites.google.com/site/pfsensefirebox/home/WGXepc64
When I tried to fetch it directly to my XTM5 box I got a certificate error, which was slightly alarming, so you may have to sftp it across. Don't forget to set the permissions.Give it a try anyone running amd64.
Steve
I was getting that error before when trying to pull the BIOS to my watchguard.
-
Interesting… I was able to edit my original BIOS to enable the extra menus, but everything was still read only, not sure what I missed. So I figured I'd just take a shortcut and edit your modified ROM and started by re-ordering the menus so they matched the original BIOS and had the Exit menu on the end. However, now when trying to access the BIOS, it just gives me a blank screen with 'WAIT' in the middle of it.
The box will still boot up and everything seems to be working correctly with the exception of not being able to get into the BIOS. Kinda scratching my head on this one. Think I'll try going back to my original BIOS and try enabling the menus and getting them to not be read only.
At least this is kinda fun and I've got some time to kill before we move to the new house where I'll be putting this into operation.
-
Interesting… I was able to edit my original BIOS to enable the extra menus, but everything was still read only, not sure what I missed.
You have to change the 'user access level' from 2 to 3. See:
https://forum.pfsense.org/index.php?topic=43574.msg262490#msg262490Steve
-
Interesting… I was able to edit my original BIOS to enable the extra menus, but everything was still read only, not sure what I missed.
You have to change the 'user access level' from 2 to 3. See:
https://forum.pfsense.org/index.php?topic=43574.msg262490#msg262490Steve
I can't thank the post, so I gave some karma instead. I had read that post before (and the entire thread) but had missed that setting. I got lazy and read one of the books we picked up from the library instead of working on this. Luckily, I'm a rather fast reader and already finished the book, so I'll probably get to this after a trip to Walmart for some fireworks and food.
Any idea why when I modified your BIOS image it would just pause at that WAIT screen?
-
Not sure why it failed to open the setup screens. To be honest my experience with BIOS editors has me thinking that they are far from fool proof. ;) The later version seems significantly better at not producing corrupt images but the fact that it can at all, and without any indication, tells you what sort of program you're dealing with. These editors were never intended for making complex changes, as soon as you want to do anything fancy like adding new menus you're basically into writing machine code.
It's not helped by the fact that the Watchguard BIOS has a load of additional code not in a standard AMI bios. There's code for controlling the LCD and a complete copy of Redboot to allow serial firmware uploading. Who knows what else there is. ;)Steve
-
Right, after Ermal's helpful nudge in the right direction (and mostly because it was just a cut and paste job from lcdproc!) here is a WGXepc compiled for 64bit. Works fine on my XTM5. I still have to compile it for 32bit to make sure it's good there too.
https://sites.google.com/site/pfsensefirebox/home/WGXepc64
When I tried to fetch it directly to my XTM5 box I got a certificate error, which was slightly alarming, so you may have to sftp it across. Don't forget to set the permissions.Give it a try anyone running amd64.
Steve
Thanks Steve,
I was waiting for this. I'm moving this week but will reload my 510 with X64 soon, try it and report back.
Cheers
Marian -
Not sure why it failed to open the setup screens. To be honest my experience with BIOS editors has me thinking that they are far from fool proof. ;) The later version seems significantly better at not producing corrupt images but the fact that it can at all, and without any indication, tells you what sort of program you're dealing with. These editors were never intended for making complex changes, as soon as you want to do anything fancy like adding new menus you're basically into writing machine code.
It's not helped by the fact that the Watchguard BIOS has a load of additional code not in a standard AMI bios. There's code for controlling the LCD and a complete copy of Redboot to allow serial firmware uploading. Who knows what else there is. ;)Steve
Well, I went and modified my original BIOS and got it all working how I wanted it. I also found where you enabled the red arm light as well. Only thing I haven't found yet is where you changed it from WG BIOS to pfSense on the LCD screen.
Would you recommend running on mirrored hard drives or the CF card or a combination of the two?
-
The BIOS is modular and all but one module is compressed. The code that writes to the LCD at boot is in the main module. You need to extract the module with mmtool then open it in a hex-editor and search for the string 'Watchguard'. It will probably appear in a few places but it was fairly obvious which one it was as I recall. Change it then re-insert the module.
I am running from the CF card and have not had any issues (with any box). There are some things you can't do running from CF. I was just wondering how you planned to setup mirrored drives but remembered you have two SATA power connectors. I'm sure you can get a 'Y' connector of some sort anyway. What are you planning to run?
Steve
-
The BIOS is modular and all but one module is compressed. The code that writes to the LCD at boot is in the main module. You need to extract the module with mmtool then open it in a hex-editor and search for the string 'Watchguard'. It will probably appear in a few places but it was fairly obvious which one it was as I recall. Change it then re-insert the module.
I found it in module 1B and changed it, but when trying to replace it, I'm getting an error saying "1Bh This is non-editable module!!" and won't let me replace it. I also tried deleting it and inserting it with the same error. Using mmtool v3.26.
I am running from the CF card and have not had any issues (with any box). There are some things you can't do running from CF. I was just wondering how you planned to setup mirrored drives but remembered you have two SATA power connectors. I'm sure you can get a 'Y' connector of some sort anyway.
Yeah, my box has dual SATA power connectors, so that part is easy. I've found a couple of dual 2.5" hard drive brackets that I think will fit the chassis, may need the sides trimmed off, but haven't looked too far into it. Not sure I've ever seen a Y adapter for SATA, but I wouldn't be surprised to find they exist, though a 4 pin Molex to dual SATA are much more common.
What are you planning to run?
I'm not entirely certain yet. I may put a squid/dansg setup directly on the firewall for simplicity instead of having it on a separate server, and also because the re-purposed Barracuda SPAM firewall that's currently running it only has a 10/100 NIC and not 10/100/1000, though it's still faster than fetching from the internet. While I don't know much about snort, I would like to learn, so I'll probably be installing that as well. Those are the two packages I can think of offhand that would most likely benefit the most from a hard drive install. IIRC, when running from the CF, /var is a md device correct? Which means logs are gone if the power goes out. So that's also a consideration for installing to a hard drive.
I could always work out a hybrid setup where I install to CF but put /var, squid, and snort on a physical drive with fallback to md if the hard drive goes out. And I'd need some sort of alternate non-caching squid/dansg config for when the drive goes dark. Not sure what I'd have to do with snort in that instance.
It would certainly be a lot easier to either do a full hard drive install or run completely from CF than an unsupported hybrid install.
In any case, any thoughts on why I can't replace module 1B (Single Link Arch BIOS) with mmtool?
-
Hmm, I think you need a special modified version of the tool that allows it. I think that s the only version I ever tried so I probably didn't hit that particular barrier. I can't find and reference to it now though. Could be I'm thinking of Award bios tools. I'll check what I used.
Steve
-
Hmm, I think you need a special modified version of the tool that allows it. I think that s the only version I ever tried so I probably didn't hit that particular barrier. I can't find and reference to it now though. Could be I'm thinking of Award bios tools. I'll check what I used.
I found a version that works and updated that bit. Think I got just about everything set now in regards to BIOS modding. :)
-
Right, after Ermal's helpful nudge in the right direction (and mostly because it was just a cut and paste job from lcdproc!) here is a WGXepc compiled for 64bit. Works fine on my XTM5. I still have to compile it for 32bit to make sure it's good there too.
https://sites.google.com/site/pfsensefirebox/home/WGXepc64
When I tried to fetch it directly to my XTM5 box I got a certificate error, which was slightly alarming, so you may have to sftp it across. Don't forget to set the permissions.Give it a try anyone running amd64.
Steve
Hi Steve,
I have finally got around to install X64 on my xtm 510 and try your WGXepc64 on it. It works perfectly fine, thanks.
Cheers
Marian
