    Watchguard XTM 5 Series

      dhoffman98

      Oh, and a second question as well….

      Does anyone know if this one (see post above) is bootable from USB and how to get it to do so?

        chpalmer

        @dhoffman98:

        I have gotten my hands on an XTM 5. This is the NC2AE8, which I think is the second generation XTM 5. This one is configured for XTM 535 and still has the original system on the card.

        The bios shown in the boot screen says "WG BIOS 1.3". The OS running now says "Fireware 11.9.3".

        I am getting confused with the various posts on here about whether or not I need to flash the bios. Is this a generation 2 XTM 5? Is there a new BIOS for it?

        This box only has a 1GB CF card, and I want to install 2.3.3, so the first thing I'm doing is going out to find a larger card. (Probably end up having to buy a 16GB. Can't find any 4 or 8 around, and if I order them, they are just as expensive as a 16.) I HOPE I can get it built with the 2.3.3 image.

        So… can anyone answer my question about the BIOS, and any other tips I should watch out for with this box?

        Thanks much!

        Does anyone know if this one (see post above) is bootable from USB and how to get it to do so?

        We had a second generation box come through.  It has-

        Intel(R) Celeron(R) CPU        E3400  @ 2.60GHz  2 CPUs: 1 package(s) x 2 core(s)

        Vendor: American Megatrends Inc.
        Version: 080015
        Release Date: 02/03/2010

        BIOS is identically identified as my earlier box that came with a single core proc.

        You have to flash the BIOS if you want -

        To change any settings in BIOS..
        To see a red Arm/Disarm LED in contrast to a green color when you first boot the box and before your copy of WGXepc64 does its work..
        To disable boot to CF if you want to boot from the USB drive as explained by Steve a few posts up.
        To play with the fan controls in BIOS.

        The box will boot pfSense from a cf card without flashing the BIOS.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          DeLorean

          Until now I haven't updated the BIOS on an XTM5 series,
          but I'm considering doing it.

          If the BIOS chip wasn't soldered on the motherboard, I would have tried this a long time ago.
          On the previous Watchguard models like the X-E Core series, the BIOS chip is easy to remove,
          and I have spare empty chips and a programmer available, so nothing can go wrong.

          But before I go that way on the XTM5 series, I want to know if there is a step by step guide to do this,
          and a step by step guide how to recover from a bad BIOS update?
          I have seen a post by Stephenw10 about a self-made cable, but that wasn't clear to me.

          Thanks in advance for the help.

          Grtz
          DeLorean

            dhoffman98

            @chpalmer:

            You have to flash the BIOS if you want -

            So… does that mean you have flashed a second gen box?
            If so, then what file did you flash from? (Have a link?)

            @DeLorean:

            But before I go that way on the XTM5 series, I want to know if there is a step by step guide to do this,
            and a step by step guide how to recover from a bad BIOS update?
            I have seen a post by Stephenw10 about a self-made cable, but that wasn't clear to me.

            Yes, I agree. Since this is my first Watchguard box, I want to be completely up to date with all the options, so I'm looking to do the LCD mod as well, but the BIOS is my main concern at first.

            StephenW10… any hints or howtos you can offer about flashing the bios in a second gen XTM 5?

            Thanks.

              stephenw10 Netgate Administrator

              I've never seen a second gen XTM5 so I can't tell anything for sure but as far as I'm aware they are identical. Only the CPU changed. I believe the BIOS should work on either though I've never tried it. (Your firewall may catch fire etc!  ;))

              The SPI header is standard from what I can see. You should be able to program it with any SPI compatible device.

              I used the incredibly simple parallel port cable because I had parts available at the moment, it worked fine. I'm not sure I have a machine with a parallel port any longer though.  ::)

              Steve

                DeLorean

                I have a Nano programmer like this picture.
                I guess that I can use an SPI connector and connect the pins that are needed
                to the 8 pin socket?
                If that's the case, then it's a piece of cake  ;D

                Grtz
                DeLorean

                ![Nano programmer.jpg](/public/imported_attachments/1/Nano programmer.jpg)

                  chpalmer

                  @dhoffman98:

                  So… does that mean you have flashed a second gen box?
                  If so, then what file did you flash from? (Have a link?)

                  Yes we have.

                  I used the same BIOS supplied by Steve.

                  I've got another coming soon.

                    dhoffman98

                    @chpalmer:

                    Yes we have.

                    I used the same BIOS supplied by Steve.

                    I've got another coming soon.

                    Ok… so the bios can't be flashed with a utility run from the OS? (Like AWDflash)?
                    It has to be done with special cables?

                    Anyone have a link to a post that shows the instructions for a bios flashing guide?

                    And a link where Steve's version that works is located?

                      chpalmer

                      @dhoffman98:

                      Ok… so the bios can't be flashed with a utility run from the OS? (Like AWDflash)?

                      Not true.  I've used AWDflash every time.

                      Use a command window via com port or SSH.

                      Enter these commands one at a time from the console.  ( selection 8 )

                      pkg

                      pkg install flashrom

                      rehash

                      cd tmp

                      fetch https://sites.google.com/site/pfsensefirebox/home/xtm5_83.rom

                      md5 xtm5_83.rom

                      flashrom -w xtm5_83.rom --programmer internal

                      This of course assumes you have pfSense already up and running on the box which is possible without ever touching the BIOS settings.    :)


                      1 Reply Last reply Reply Quote 0
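The command list above prints an MD5 of the downloaded image but compares it to nothing before writing. As an added example (not part of the original post), this script only reaches `flashrom -w` after the image matches a pinned SHA-256 and the chip size, and after a backup read succeeds. The 1024 kB chip size is taken from the flashrom output quoted later in this thread; the digest value is a placeholder and the backup path is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: gate the BIOS write on integrity checks.
# Assumptions: CHIP_BYTES is the 1024 kB M25P80 reported by flashrom later in
# this thread; EXPECTED_SHA256 is a placeholder to be filled in from a source
# you trust; the backup path in the usage comment is hypothetical.

CHIP_BYTES=1048576
EXPECTED_SHA256='<known-good sha256 of xtm5_83.rom>'

# Size of a file in bytes (works on FreeBSD and Linux).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# SHA-256 of a file as hex, using whichever tool is installed.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                       # FreeBSD / pfSense
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1       # Linux
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# preflight ROM EXPECTED_SHA256 CHIP_BYTES
# Returns 0 only if the image exists, fills the chip exactly and matches
# the pinned digest. A truncated download fails the size check.
preflight() {
    rom=$1; want=$2; chip=$3
    [ -f "$rom" ] || { echo "missing image: $rom" >&2; return 1; }
    size=$(file_size "$rom")
    [ "$size" -eq "$chip" ] || { echo "size $size != chip $chip" >&2; return 1; }
    got=$(sha256_of "$rom")
    [ "$got" = "$want" ] || { echo "sha256 mismatch: got $got" >&2; return 1; }
    echo "preflight ok: $rom"
}

# guarded_flash ROM EXPECTED_SHA256 BACKUP_PATH
# Checks the image, saves the current chip contents, then writes.
guarded_flash() {
    preflight "$1" "$2" "$CHIP_BYTES" || return 1
    flashrom --programmer internal -r "$3" || return 1
    [ "$(file_size "$3")" -eq "$CHIP_BYTES" ] || {
        echo "backup is not a full chip image" >&2; return 1; }
    flashrom --programmer internal -w "$1"
}
# Usage on the box (not run here):
#   guarded_flash /tmp/xtm5_83.rom "$EXPECTED_SHA256" /root/xtm5-backup.rom

# Offline self-check on constructed files; flashrom is never invoked.
selftest() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/zero of="$tmp/full.rom" bs=1024 count=1024 2>/dev/null
    dd if=/dev/zero of="$tmp/short.rom" bs=1024 count=512 2>/dev/null
    good=$(sha256_of "$tmp/full.rom")
    preflight "$tmp/full.rom" "$good" "$CHIP_BYTES"
    preflight "$tmp/short.rom" "$good" "$CHIP_BYTES" ||
        echo "truncated image rejected"
    rm -rf "$tmp"
}
selftest
```

Copy the backup off the box before writing, since it is the only input a clip-on SPI programmer can restore from.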
                        chpalmer

                        https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox

                          DeLorean

                          @chpalmer:

                          @dhoffman98:

                          Ok… so the bios can't be flashed with a utility run from the OS? (Like AWDflash)?

                          Not true.  I've used AWDflash every time.

                          Use a command window via com port or SSH.

                          Enter these commands one at a time from the console.  ( selection 8 )

                          pkg

                          pkg install flashrom

                          rehash

                          cd tmp

                          fetch https://sites.google.com/site/pfsensefirebox/home/xtm5_83.rom

                          md5 xtm5_83.rom

                          flashrom -w xtm5_83.rom --programmer internal

                          This of course assumes you have pfSense already up and running on the box which is possible without ever touching the BIOS settings.    :)

                          Can these commands also be done through the Web UI and go to Diagnostics -> Command prompt?

                          Grtz
                          DeLorean

                            stephenw10 Netgate Administrator

                            @DeLorean:

                            Can these commands also be done through the Web UI and go to Diagnostics -> Command prompt?

                            Maybe but I would not want to. If it asks you to hit 'y' to continue for example the GUI page will just hang. You would have to be sure it won't.

                            Just use SSH instead. I'd prefer that over the serial console that can sometimes show odd characters etc which you don't want when you're flashing the BIOS!

                            Steve

                              DeLorean

                              @stephenw10:

                              @DeLorean:

                              Can these commands also be done through the Web UI and go to Diagnostics -> Command prompt?

                              Maybe but I would not want to. If it asks you to hit 'y' to continue for example the GUI page will just hang. You would have to be sure it won't.

                              Just use SSH instead. I'd prefer that over the serial console that can sometimes show odd characters etc which you don't want when you're flashing the BIOS!

                              Steve

                              Thx, I shall try SSH.
                              Any idea if the Nano programmer in my previous post could work?
                              That way, the BIOS can be flashed "offline" with the firewall off, and with the power cord connected to the firewall,
                              so that the BIOS chip is already powered up.
                              This method (if it works) can then also be used to recover from a bad BIOS update.

                              Grtz
                              DeLorean

                                stephenw10 Netgate Administrator

                                Looks like it might potentially but I'd have to research it. You'd need some sort of adapter cable, looks like it's designed to flash SPI chips that are removable.

                                Steve

                                  stephenw10 Netgate Administrator

                                  I had a chance to re-visit my code that controls over the weekend and unfortunately I had not simply omitted the CPU fan register.

                                  For some reason, even though the superio chip has control for 3 fans built in, the CPU fans are controlled by another chip which is only accessible via SMBus. Outside my coding skills at this point.  ::)

                                  Steve

                                    DeLorean

                                    @stephenw10:

                                    Looks like it might potentially but I'd have to research it. You'd need some sort of adapter cable, looks like it's designed to flash SPI chips that are removable.

                                    Steve

                                    I have ordered a so-called SOIC8 SOP8 Flash Chip IC Test Clip socket adapter:
                                    http://www.benl.ebay.be/itm/SOIC8-SOP8-Flash-Chip-IC-Test-Clip-socket-adapter-BIOS-24-25-93-Programmer-93C46-/162448341653?var=&hash=item25d2acfa95ⓂmcsHYzReWIaiehW6J_jJUCg
                                    Normally this will fit the Nano programmer that I have.
                                    I'll let you know if it worked when it arrives (normally within a couple of days).

                                    Grtz
                                    DeLorean

                                    ![SOIC8 SOP8 Flash Chip IC Test Clip socket adapter.JPG](/public/imported_attachments/1/SOIC8 SOP8 Flash Chip IC Test Clip socket adapter.JPG)

                                      dhoffman98

                                      I'm thinking about upgrading the memory on my XTM 535.

                                      What is the max it can take, and does it have to be done in pairs? I currently have two 1gb sticks.

                                      I'm finding that buying 2 4GB sticks is much cheaper than 2 2GB sticks, and one 8GB stick would be just a little more.

                                      So the first question is, "what are my options for upgrading?"

                                      And the second question, "What is the benefit of upgrading?" (In other words, would it make any difference or just be a waste of money?)

                                      I have a fairly small network, about 30 machines, and then guests/visitors that could be sometimes another 40-50 devices.
                                      I am thinking about using Snort and Squid. Install is on a 2.5" hard drive with plenty of space (had a spare 500gb drive laying around) so that would be used for the Squid cache.

                                      So do I want more memory? Do I need more memory? Or is 2gb sufficient?

                                      Thank you.

                                        DeLorean

                                        For normal use, 2Gb RAM is more than enough.
                                        For running Squid and/or Snort, I recommend 4Gb RAM and a faster cpu, if that hasn't already happened.
                                        Also, the speed of the RAM is important, it must be at least 667Mhz, lower will not work.
                                        I always use 800Mhz RAM, same speed as the RAM that came with this type of XTM5.

                                        Grtz
                                        DeLorean

                                          dhoffman98

                                          OK, so I need to verify something with flashing my BIOS because something didn't work (and thankfully didn't do anything to the box).

                                          I'm going to put as much information here that I hope might be helpful.

                                          Command "flashrom --programmer internal" returned:

                                          flashrom v0.9.9-r1955 on FreeBSD 10.3-RELEASE-p19 (amd64)
                                          flashrom is free software, get the source code at https://flashrom.org

                                          Calibrating delay loop… OK.
                                          Found chipset "Intel ICH7/ICH7R".
                                          Enabling flash write... OK.
                                          Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI) mapped at physical address 0x00000000fff00000.
                                          No operations were specified.

                                          Then I ran "flashrom -V -r --programmer internal".
                                          It comes back with a bunch of info. I trimmed what you see below to the lines I think might be the most important.

                                          Initializing internal programmer
                                          No coreboot table found.
                                          Using Internal DMI decoder.
                                          DMI string chassis-type: "Desktop"
                                          DMI string system-manufacturer: "To Be Filled By O.E.M."
                                          DMI string system-product-name: "To Be Filled By O.E.M."
                                          DMI string system-version: "To Be Filled By O.E.M."
                                          DMI string baseboard-manufacturer: "To be filled by O.E.M."
                                          DMI string baseboard-product-name: "To be filled by O.E.M."
                                          DMI string baseboard-version: "To be filled by O.E.M."
                                          Found Winbond Super I/O, id 0x82
                                          Found chipset "Intel ICH7/ICH7R" with PCI ID 8086:27b8.
                                          Enabling flash write… Root Complex Register Block address = 0xfed1c000
                                          GCS = 0x810460: BIOS Interface Lock-Down: disabled, Boot BIOS Straps: 0x1 (SPI)
                                          Top Swap: not enabled
                                          ...
                                          Maximum FWH chip size: 0x100000 bytes
                                          SPI Read Configuration: prefetching disabled, caching enabled,
                                          BIOS_CNTL = 0x01: BIOS Lock Enable: disabled, BIOS Write Enable: enabled
                                          SPIBAR = 0x00000008007c5000 + 0x3020
                                          ...
                                          The following protocols are supported: FWH, SPI.
                                          ...
                                          Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI).
                                          Reading flash... done.

                                          I tried the following command to flash (adding the -V for verbose output): "flashrom -V -w xtm5_83.rom --programmer internal"

                                          Enabling flash write… Root Complex Register Block address = 0xfed1c000
                                          GCS = 0x810460: BIOS Interface Lock-Down: disabled, Boot BIOS Straps: 0x1 (SPI)
                                          ...
                                          Maximum FWH chip size: 0x100000 bytes
                                          SPI Read Configuration: prefetching disabled, caching enabled,
                                          BIOS_CNTL = 0x01: BIOS Lock Enable: disabled, BIOS Write Enable: enabled
                                          ...
                                          Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI) mapped at physical address 0x00000000fff00000.
                                          Chip status register is 0x00.
                                          Chip status register: Status Register Write Disable (SRWD, SRP, ...) is not set
                                          Chip status register: Bit 6 is not set
                                          Chip status register: Block Protect 3 (BP3) is not set
                                          Chip status register: Block Protect 2 (BP2) is not set
                                          Chip status register: Block Protect 1 (BP1) is not set
                                          Chip status register: Block Protect 0 (BP0) is not set
                                          Chip status register: Write Enable Latch (WEL) is not set
                                          Chip status register: Write In Progress (WIP/BUSY) is not set
                                          ...
                                          Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI).
                                          Flash image seems to be a legacy BIOS. Disabling coreboot-related checks.
                                          Reading old flash chip contents... done.
                                          Erasing and writing flash chip... Trying erase function 0... 0x000000-0x00ffff:S, 0x010000-0x01ffff:S, 0x020000-0x02ffff:S, 0x030000-0x03ffff:S, 0x040000-0x04ffff:S, 0x050000-0x05ffff:S, 0x060000-0x06ffff:S, 0x070000-0x07ffff:S, 0x080000-0x08ffff:S, 0x090000-0x09ffff:S, 0x0a0000-0x0affff:S, 0x0b0000-0x0bffff:S, 0x0c0000-0x0cffff:S, 0x0d0000-0x0dffff:E, 0x0e0000-0x0effff:S, 0x0f0000-0x0fffff:S
                                          Erase/write done.
                                          Verifying flash... VERIFIED.
                                          Restoring MMIO space at 0x8007c8070
                                          Restoring MMIO space at 0x8007c807c
                                          Restoring MMIO space at 0x8007c8078
                                          Restoring MMIO space at 0x8007c8076
                                          Restoring MMIO space at 0x8007c8074
                                          Restoring PCI config space for 00:1f:0 reg 0xdc

                                          Finally, when running the command to verify the image: "flashrom -v xtm5_83.rom --programmer internal"

                                          flashrom v0.9.9-r1955 on FreeBSD 10.3-RELEASE-p19 (amd64)
                                          flashrom is free software, get the source code at https://flashrom.org

                                          Calibrating delay loop… OK.
                                          Found chipset "Intel ICH7/ICH7R".
                                          Enabling flash write... OK.
                                          Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI) mapped at physical address 0x00000000fff00000.
                                          Reading old flash chip contents... done.
                                          Verifying flash... VERIFIED.

                                          So…. the way I'm seeing it, it supposedly flashed the chip.
                                          But then I shut the system down, and then power on again.
                                          I get to a shell and again run: "flashrom -v xtm5_83.rom --programmer internal"

                                          This time, I get this:

                                          Calibrating delay loop… OK.
                                          Found chipset "Intel ICH7/ICH7R".
                                          Enabling flash write... OK.
                                          Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI) mapped at physical address 0x00000000fff00000.
                                          Reading old flash chip contents... done.
                                          Verifying flash... FAILED at 0x000dc000! Expected=0xff, Found=0x05, failed byte count from 0x00000000-0x000fffff: 0x113

                                          And when I go back into the BIOS next time, everything is still the same, and everything is locked except for date and time.

                                          I'm open to suggestions.
                                          Did I miss a step?
                                          Did I use the wrong commands?
                                          Did I use the wrong file?

                                          Thanks in advance.

                                          1 Reply Last reply Reply Quote 0
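The flashrom output in the post above can be cross-referenced mechanically. This added example (not part of the original post) parses the erase map from the `-w` run and the verify failure seen after the reboot, both copied from the post; in flashrom's map `S` marks a block that was skipped because it already matched the image and `E` a block that was erased.

```shell
#!/bin/sh
# Added example, not from the thread: relate a flashrom verify failure to the
# per-block erase map of the preceding write. Both log lines are copied from
# the post above.

WRITE_LOG='Erasing and writing flash chip... Trying erase function 0... 0x000000-0x00ffff:S, 0x010000-0x01ffff:S, 0x020000-0x02ffff:S, 0x030000-0x03ffff:S, 0x040000-0x04ffff:S, 0x050000-0x05ffff:S, 0x060000-0x06ffff:S, 0x070000-0x07ffff:S, 0x080000-0x08ffff:S, 0x090000-0x09ffff:S, 0x0a0000-0x0affff:S, 0x0b0000-0x0bffff:S, 0x0c0000-0x0cffff:S, 0x0d0000-0x0dffff:E, 0x0e0000-0x0effff:S, 0x0f0000-0x0fffff:S'
VERIFY_LOG='Verifying flash... FAILED at 0x000dc000! Expected=0xff, Found=0x05, failed byte count from 0x00000000-0x000fffff: 0x113'

# Print one "start end status" triple per block in the erase map.
erase_map() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/.*\(0x[0-9a-fA-F]\{1,\}\)-\(0x[0-9a-fA-F]\{1,\}\):\([A-Z]\{1,\}\).*/\1 \2 \3/p'
}

# Blocks whose status is anything other than S (skipped).
touched_blocks() {
    erase_map "$1" | while read -r start end status; do
        [ "$status" = "S" ] || echo "$start-$end:$status"
    done
}

# Address of the first mismatching byte in a "Verifying flash... FAILED" line.
fail_addr() {
    printf '%s\n' "$1" | sed -n 's/.*FAILED at \(0x[0-9a-fA-F]*\)!.*/\1/p'
}

# Number of mismatching bytes, converted from hex to decimal.
fail_count() {
    hex=$(printf '%s\n' "$1" | sed -n 's/.*: \(0x[0-9a-fA-F]*\)$/\1/p')
    echo $(( $hex ))
}

# block_of ADDR WRITE_LOG: the erase-map entry that contains ADDR.
block_of() {
    want=$(( $1 ))
    erase_map "$2" | while read -r start end status; do
        if [ "$want" -ge $(( $start )) ] && [ "$want" -le $(( $end )) ]; then
            echo "$start-$end:$status"
        fi
    done
}

bad=$(fail_addr "$VERIFY_LOG")
echo "blocks changed by the write: $(touched_blocks "$WRITE_LOG")"
echo "verify failure at $bad ($(fail_count "$VERIFY_LOG") bytes differ)"
echo "failure lies in block:       $(block_of "$bad" "$WRITE_LOG")"
```

On these logs the only block flashrom changed is 0x0d0000-0x0dffff, and the mismatch at 0x000dc000 reported after the reboot falls inside that same block.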
                                            stephenw10 Netgate Administrator

                                            Looks like you didn't actually run the write command so it never wrote the file to the flash.

                                            Steve
