Watchguard Firebox XTM 8 Series
-
When I bricked my xtm5 the 4 resistors/parallel port connection was the only thing that worked. Though I only tried one other thing! I know when you first had trouble you tried various versions of flashrom, any of them show anything different?
Did you try anything other than flashrom via the SPI connector?Steve
-
Eams thanks for this topic , it's really help me .
-
No Probs Jimkisa, - stephenw10 helped too :)
Ste,
Flashrom is what got it bricked, so since then I tried a couple of SPI programmers (BlackCat and some other one off ebay - has no name on it but it had good reviews on the net).
The software for both were pretty much garbage and I couldn't get anywhere with them.
Whats needed for the parallel port hack? I might as well give that a try!
Eamon
-
It's on the website I linked to:
http://rayer.ic.cz/elektro/spipgm.htm
Might have to use the way back machine. The site now seems to be behind some security. (Edit: looks legit. I forgot it's in Czech though!)You need: a parallel port plug, 4 resistors, a cable/connector to connect to the SPI header and something to solder it together. Perhaps harder to find these days is anything with a parallel port on it to run flashrom. I happened to have an old laptop running FreeBSD 8.1 I was using for pfSense development that fitted the bill.
Steve
-
Thanks for the link Ste.
The security is just a Captcha form. Get past and the info is all there in Czech!
I did find this thou which looks to be the same http://write-code.blogspot.co.uk/2012/08/parallel-port-spi-flash-programmer-and-unbrick-wm8650.html?m=1
I'll try and give that a go at the weekend.
I think my old laptop has a parallel port on it. If not I've deffo got one on a old Abit VP6 computer I have :)
Eamon
-
That's a good link. I didn't have to use the battery or capacitors since the XTM5 provides that in standby. I believe the XTM8 does too.
You can also try the SPIPGM program under Windows if flashrom doesn't work. :)Steve
-
For information to help others, I've
attachedlinked two handy pdf's from Lanner.Motherboard Spec and Motherboard Layout with Pinouts in the user manual - these are for the Lanner FW-8750 which the XTM 8 is based on (doesn't include the SPI header).
Bear in mind WatchGuard changed/didn't include a few things e.g. COM1, Power Switch Header, Northbridge Fan Header, USB 2 Header, etc..
https://drive.google.com/folderview?id=0B0TOx6iNE-K4Rml0bmduRURuUDg&usp=sharing
Eamon
-
Ste,
I was experimenting with the BlackCat USB programmer I have and one combination of settings detected it was connected to a chip, however it didn't pull up the chip name/number as it is supposed to.
It did however suggest the exact addresses the chip requires for it's functions to read/write etc.. Writing the rom didn't work though :o
Having looked everywhere for the pdf I had of the SPI header pinouts, resulted in no joy. So I've ordered a SOIC Clip I can attach directly to the chip and to the BlackCat programmer, with a bit of luck I should be able to flash it that way.
The parallel port is still an option once I get the SOIC clip, if the BlackCat programmer is fruitless :)
Eamon
-
Ste,
I've built the 4 resistor parallel port SPI programmer.
SPIPGM gives back FF's when reading and no chip is identified. However it does ay that WH# (I think) needs to be pulled high.
Looking at the SST chip datasheet this looks like pin 3(WH#) needs to be connected to pin 8 (VDD) would that be right?
I'm using 100ohm resistors, but I see the same design but with 145ohm and 150ohm resistors do these need changing you think?
Eamon
-
I remember reading the datasheet for the chip in the XTM5 and thinking that I would need to pull some pins one way or the other but in the end I didn't need to. The circuitry provided on the board did enough. Reading back the write protect pin is not conneceted at all on the XTM5 but that didn't seem to be a problem. If you try to pull up the WP pin use a resistor to be safe.
The original developer uses 150Ohm resistors. The value is not critical, they must be sufficiently large that the parallel port doesn't try to sink or supply too much current and the voltages on the pins are able to be distinguished as logic high or low. I used two 150Ohm and two 160Ohm resistors because that's what I had. Going higher is less likely to cause problems as long as you're still orders of magnitude lower than the input/output impedance of the parallel port (which I don't know but is probably ~10KOhms ;)).
Steve
-
Forgot to mention it's important to keep the cable length as short as possible. Long cables can pickup interference and cause problems. My cable was as short as I could make it, ~15cm.
Steve
-
Thanks for the info Ste.
My lead is about 15cm long too!
Eamon
-
Ok, so I've been trying this out the parallel port hack over the last couple of weekends.
What I've discovered so far - the XTM8 doesn't seem to power the chip when it's in standby - SPIPGM reports chip as unknown.
When the PSU is fully off and the board it's in standby, SPIPGM reports the SST25VF016B chips as being detected but WH# needs to be set to high.
Having connected WP# (Pin3) to VCC (Pin8) and HLD# (Pin7) - still no joy in being able to erase/write to the chip - (in standby or off).
Looks like I have to go the full way and connect a battery and capacitor to complete the circuit as per http://4.bp.blogspot.com/-EN9HFZFkT5Y/UCXczDe11mI/AAAAAAAAARY/64Wap6-FXBM/s1600/simple_diagram.jpg.
More fun and games!
Eamon
-
I pulled out my cable and looked at it again and I do indeed have pins 3, 7 and 8 (VCC, HLD and #WP) on the SPI connector joined. Another, perhaps important difference, is that I have the GND pin connected to pins 18-25 on the parallel port connector, they are strapped together. I have no idea why I did that though I'm sure I was following a diagram from somewhere. 18-25 are all ground anyway but I seem to remember other programmers requiring them externally joined.
The XTM5 and XTM8 are the same generation of hardware from the same manufacturer probably from the same factory. It seems unlikely they would have designed it to use different programming hardware. Not impossible though. :-\Steve
-
Ste,
I've connected up the GND 18-25 as per your lead.. and it seems to be working!
Chip unlocked.
Chip erased.
Wrote the rom xtm8v1.bin (1024kb) but it errored out at 50% saying 'unexpected end of file'. This is the rom you had posted for a fellow XTM8 owner.
I still have the original 1meg and 2meg roms sent to me by Lanner support so I think I'll try flashing the 2meg one.Things are looking up!
Eamon
-
Managed to write the original 2meg rom file, no writing errors - didn't verify.
Added a 1000uf capacitor between GND and VCC/HLD/WH# - wrote ok, verified ok!!
Cleared bios via jumper, booted up - XTM8 does a boot cycle, reboots then sits there and the fans go into a low power mode - thats it, nothing on screen at all :(
Added the battery to between GND and VCC etc - result same as above >:(
Not sure what else to do apart from unsolder the chip and program it off the motherboard or replace it.
Eamon
-
Hmm, interesting about the capacitor.
If the fans are changing speed then that implies at least some bios code is running to reprogram the superio chip.
Where did the 2Mb file come from? Perhaps you're not seeing any output for some reason other than it didn't write to the flash?
What program are you using to write the chip?Steve
-
The 2meg rom file came form Lanner direct, they sent me two, one that was 1meg and one that was 2meg.
Currently using SPIPGM.
You're gonna suggest FLASHROM aren't you? Considering this is part of how I got into this mess I suppose it's worth a try!
Tried Flashrom, didn't seem to detect the chip, where as SPIPGM does.
Re-did it with SPIPGM… And it's only come back from the dead!!!
The rom I used was one you had edited back when I first saved the BIOS to disk prior to flashing to try and open up the menus.
I haven't tried going into the BIOS yet - but it did request boot media - stuck in a 4gb flash drive from last year and pfsense booted up!!
Of course it only got to the menu then defaulted to COM1, but after a few mins it did its beeps to confirm it was loaded :)
Eamon
 -
Persistence for the win! ;D
Nice one.JimP suggested a method for switching the com port even in Nano a while ago you might try that if you can edit the files on the CF card:
https://forum.pfsense.org/index.php?topic=76382.msg418066#msg418066Steve
-
Thanks, I'm chuffed I managed to get it back from the dead ;D
Do I try and update the BIOS to an unlocked one?… haha, might do. Getting COM2 reassigned as COM1 would be handy!
Thanks for your help Ste :)
Eamon
