Netgate Discussion Forum

    Watchguard XTM 5 Series

      uu0113

      Hi Everyone,

      I own a Watchguard XTM515 with a different BIOS. The LCD shows WG BIOS 1.3 when booting. The Boot output shows:

      
      AMIBIOS(C)2006 American Megatrends, Inc.
      MB-7580 Ver.WD0 04/26/2010
      CPU : Intel(R) Celeron(R) CPU        E3400  @ 2.60GHz
      
      

      I saved the BIOS using the following commands:

      
      pkg install flashrom
      flashrom -p internal -r xtm515.rom
      
      
      [2.3.4-RELEASE][root@pfSense.localdomain]/root: flashrom -p internal -r xtm515.rom
      flashrom v0.9.9-r1955 on FreeBSD 10.3-RELEASE-p19 (amd64)
      flashrom is free software, get the source code at https://flashrom.org
      
      Calibrating delay loop... OK.
      Found chipset "Intel ICH7/ICH7R".
      Enabling flash write... OK.
      Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI) mapped at physical address 0x00000000fff00000.
      Reading flash... done.
      

      The MD5/SHA1 sum is different from what I found in this thread so I assume I have another Version:

      MD5:    512514e3fd2ce318be1a6ee8280856d5
      SHA1:  683eb4d99d9c2c8188efba637c501c0ac475ee9c

      I modded the BIOS above in order to unlock all settings, enable booting from other sources (e.g. USB-Stick) which all works fine. I also modified the table below as mredding suggested but the Arm/Disarm LED does not turn red when booting:

      @mredding:

      EDIT: I think I found where Steve changed the Arm/Disarm LED settings: Under the BootBlock SIO Table, the 27th, 28th, and 29th SIO Registers listed are 30, F0, and F1, and are changed to 01, CF, and 20 respectively. See the new attachment. I think I might try it later today.  Not sure how these values correspond with https://forum.pfsense.org/index.php?topic=43574.msg261279.html#msg261279 though.

      This is how I flashed it:

      
      flashrom -p internal -w xtm515_uu0113_mod.rom
      
      
      [2.3.5-RELEASE][admin@pfSense.localdomain]/root: flashrom -p internal -w xtm515_uu0113_mod.rom
      flashrom v0.9.9-r1955 on FreeBSD 10.3-RELEASE-p22 (amd64)
      flashrom is free software, get the source code at https://flashrom.org
      
      Calibrating delay loop... OK.
      Found chipset "Intel ICH7/ICH7R".
      Enabling flash write... OK.
      Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI) mapped at physical address 0x00000000fff00000.
      Reading old flash chip contents... done.
      Erasing and writing flash chip... Erase/write done.
      Verifying flash... VERIFIED.
      

      After this I powered down the Watchguard, removed the battery for 10 minutes, started again and went into BIOS to change the settings I needed in order to boot from my USB-Stick. This was necessary in order to get pfSense 2.4.1 installed. 2 Settings are crucial for this: "Always boot from CF Card" must be disabled and serial console must be changed to "VT100"… After that pfSense 2.4.1 was easily installed  :)

      I am attaching my BIOS files if someone needs it or has the same version running.

      If anyone can get the Arm/Disarm to work, please let me know.

      xtm515.zip
      xtm515_uu0113_mod.zip

        DeLorean

        First I was sceptical about updating the BIOS, fear of a bad flash and bricking the firewall,
        but since I have a decent JTAG programmer, I now update every XTM5 box that I convert to pfSense.
        Through the serial console or with the JTAG programmer.

        Since I'm converting these XTM5 boxes, I have done 505, 510, 515, 520, 525 and 530 with WG Bios 1.2 and 1.3,
        and the BIOS xtm5_83.rom from Stephenw10 worked on every box and the update has never been a problem.

        The MD5/SHA1 sum will always be different due to the modifications you do to the file.
        Every little modification changes the MD5/SHA1 sum.
        This MD5/SHA1 check is therefore only useful to check if the checksum before and after the download is the same,
        to eliminate file corruption during downloading.

        Keep in mind that the saved WG Bios is stored on your medium (CF card) that you used for the BIOS update.
        So formatting this CF card or overwriting it will erase your original WG Bios backup.
        To back up this file from the CF card to your desktop/laptop, I use the free program WinSCP to log in with SSH (username root, password pfsense)
        to save these BIOS backups to your local drive.

        Grtz
        DeLorean
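
Added example (not part of any post in this thread, and not code from the posters): one way to script the integrity checks around the flashrom read and write steps in the first post, and the checksum comparison discussed in the reply above. The function names and the `xtm515_read1.rom` / `xtm515_read2.rom` file names are hypothetical; the 1048576-byte size is the 1024 kB that flashrom reports for the M25P80.

```shell
#!/bin/sh
# Added example: checks around the flashrom read/write steps in this thread.
# Function names and the *_read1/_read2 file names are hypothetical.
# CHIP_BYTES is the "1024 kB" flashrom reports for the M25P80.
CHIP_BYTES=1048576

# hash_of ALGO FILE: print the hex digest (ALGO = md5, sha1 or sha256).
# Linux has md5sum/sha1sum/sha256sum; FreeBSD/pfSense has md5/sha1/sha256 -q.
hash_of() {
    if command -v "${1}sum" >/dev/null 2>&1; then
        "${1}sum" "$2" | awk '{print $1}'
    elif command -v "$1" >/dev/null 2>&1; then
        "$1" -q "$2"
    else
        echo "no $1 tool found" >&2
        return 2
    fi
}

# is_chip_sized FILE: true only if FILE is exactly as large as the flash chip.
is_chip_sized() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$CHIP_BYTES" ]
}

# dump_is_sane READ1 READ2: true only if both reads are full-size and identical.
# Reads that differ mean the dump is unreliable and is not a usable backup.
dump_is_sane() {
    is_chip_sized "$1" || { echo "wrong size: $1" >&2; return 1; }
    is_chip_sized "$2" || { echo "wrong size: $2" >&2; return 1; }
    cmp -s "$1" "$2" || { echo "reads differ" >&2; return 1; }
}

# matches_published FILE ALGO EXPECTED: true if FILE's digest equals a posted one.
# A digest identifies one exact file, so a modified image never matches the
# digest of the image it was made from.
matches_published() {
    actual=$(hash_of "$2" "$1") || return 2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# On the box, as root:  sh bioscheck.sh backup
if [ "${1:-}" = "backup" ]; then
    flashrom -p internal -r xtm515_read1.rom &&
    flashrom -p internal -r xtm515_read2.rom &&
    dump_is_sane xtm515_read1.rom xtm515_read2.rom &&
    echo "backup ok, sha256 $(hash_of sha256 xtm515_read1.rom)"
fi
```

Running `is_chip_sized` on the image that will be passed to `flashrom -w` is the matching check before a write.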

          chpalmer

          @DeLorean:

          Keep in mind, that the saved WG Bios is stored on your medium (CF card) that you used for the BIOS update.
          So formatting this CF card or overwriting, will erase your original WG Bios backup.
          To back up this file from the CF card to your desktop/laptop, I use the free program WinSCP to log in with SSH (username root, password pfsense)
          to save these BIOS backups to your local drive.

          He has attached a copy to his post above.  :)

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            CyberDaddIO

            I have an XTM 510 & plan on installing pfSense. At the moment it is still running the Watchguard OS & I am just trying to log into the serial console. If I boot the XTM while connected to the console via Putty I can see it booting, but when the logon prompt appears, I can't type anything. I have tried 2 different console cables & connected to one laptop via serial port & another via USB to serial adapter (both laptops running Windows 10). All produce the same result.

            Anyone experienced this?

              mredding

              @CyberDaddIO:

              I have an XTM 510 & plan on installing pfSense. At the moment it is still running the Watchguard OS & I am just trying to log into the serial console. If I boot the XTM while connected to the console via Putty I can see it booting, but when the logon prompt appears, I can't type anything. I have tried 2 different console cables & connected to one laptop via serial port & another via USB to serial adapter (both laptops running Windows 10). All produce the same result.

              Anyone experienced this?

              I had problems where there was a little hiccup during the transition from the BIOS to the OS, where I wouldn't see the OS booting without unplugging the console cable and plugging it back in, but nothing like you described on this hardware. The only time I've had a problem where I could see everything but couldn't type was with a TTL to USB 6-pin serial converter and a consumer router when the connector to the router's RX pin was loose.
              I'm fairly confident I have these cables for connection to the console and they work: https://smile.amazon.com/dp/B00HUZ6OMQ/ref=cm_sw_r_tw_dp_x_bn0cAbTG7TFEB

              Hopefully the console connector on your board is okay. If not, there is also a serial port header you can plug a standard motherboard 10-pin to DB9 connector into like this one: https://smile.amazon.com/dp/B01MFBMZZF/ref=cm_sw_r_tw_dp_x_VQ0cAbWJR5987 However, I guess that would map to the second serial port and I'm not sure how you would direct the console to that one. This post all the way back on page 11 shows where it gets plugged into: https://forum.pfsense.org/index.php?topic=43574.msg430594#msg430594

              I couldn't get PuTTY to work at all for some reason, but I used both screen & minicom on Ubuntu without issues.

              -----

              @uu0113:

              If anyone can get the Arm/Disarm to work, please let me know.

              I'll attach my modified 1.3 BIOS with working arm/disarm LED so you can compare.
              md5sum:23f2a6329db762256a03bec8a70bd5d7

              -----

              BTW, on an unrelated note, I found that Suricata does not work in inline mode on this hardware (not that I expected it to), but does in legacy mode. YMMV.

              MJR-BIOSv2.zip

                CyberDaddIO

                @CyberDaddIO:

                I have an XTM 510 & plan on installing pfSense. At the moment it is still running the Watchguard OS & I am just trying to log into the serial console. If I boot the XTM while connected to the console via Putty I can see it booting, but when the logon prompt appears, I can't type anything. I have tried 2 different console cables & connected to one laptop via serial port & another via USB to serial adapter (both laptops running Windows 10). All produce the same result.

                Anyone experienced this?

                Turned out to be the USB-Serial adapter. I found another one & it works fine with the three console cables I have. The laptop with the serial port has it on the docking station, so that serial port must also be doing something funky with the pinout.

                  diesel678

                  Pfsense 2.4.1 seems to be working fine on XTM 5. You just boot live USB pfsense and then install it to the CF card using a desktop PC. No problems booting so far

                    chpalmer

                    @diesel678:

                    Pfsense 2.4.1 seems to be working fine on XTM 5. You just boot live USB pfsense and then install it to the CF card using a desktop PC. No problems booting so far

                    I'm on 2.4.2 snaps on my unit here..  Got a few in the field all on 2.4.1 NP at all.

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                      DeLorean

                      @diesel678:

                      Pfsense 2.4.1 seems to be working fine on XTM 5. You just boot live USB pfsense and then install it to the CF card using a desktop PC. No problems booting so far

                      After installing to a CF card, you must enable the RAM disks, to extend the life span of your CF card, or your CF card will die very soon. :-)

                      Grtz
                      DeLorean

                        DeLorean

                        @diesel678:

                        Pfsense 2.4.1 seems to be working fine on XTM 5. You just boot live USB pfsense and then install it to the CF card using a desktop PC. No problems booting so far

                        Or you can flash the BIOS with the unlocked version,
                        and you install pfSense (memstick serial version) from USB stick straight to the CF in the Watchguard.

                        Grts
                        DeLorean

                          elliotcater

                          I edited the xtm5_83.rom from Stephenw10 to include the Xeon microcode for socket 771 processors if anyone with a programmer is interested and fancies trying it?  Not tried it myself yet as not got a programmer yet…  :-[

                          Lots of good 771 processors knocking around and seem to be lower TDP...

                          xtm5_xeon.rom.zip

                            chpalmer

                            @elliotcater:

                            Not tried it myself yet as not got a programmer yet…  :-[

                            There's always Flashrom..

                            :)

                            Triggering snowflakes one by one..
                            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                              m0reilly

                              I'm not having any luck running PFsense from a CF card (Transcend x300 4gb). I get no network activity. Tried both nano (2.3), and the other option. I wanted to see if I could at least get it going on a CF before trying it on an ssd. XTM 510, running a Q9400 quad cpu (original OS runs super, but wanted to at least see PF running, then planned to flash bios)…
                              Any help would be appreciated...

                                m0reilly

                                this is what I see after install…
                                Serial, 9600, my present com port #...I had checked out the existing bios, looked at some settings (115200) prior to the initial reboot...

                                umlol.png

                                  diesel678

                                  @m0reilly:

                                  this is what I see after install…
                                  Serial, 9600, my present com port #...I had checked out the existing bios, looked at some settings (115200) prior to the initial reboot...

                                  Which type of serial cable are you using? I use rj45 to COM but it does NOT need null modem adapter to get it working like x750e watchguard does.

                                    diesel678

                                    @DeLorean:

                                    @diesel678:

                                    Pfsense 2.4.1 seems to be working fine on XTM 5. You just boot live USB pfsense and then install it to the CF card using a desktop PC. No problems booting so far

                                    Or you can flash the BIOS with the unlocked version,
                                    and you install pfSense (memstick serial version) from USB stick straight to the CF in the Watchguard.

                                    Grts
                                    DeLorean

                                    Thanks for the tip about ramdisks. Sounds more efficient installing straight from USB. How do you go about installing the unlocked BIOS version?

                                      DeLorean

                                      @m0reilly:

                                      this is what I see after install…
                                      Serial, 9600, my present com port #...I had checked out the existing bios, looked at some settings (115200) prior to the initial reboot...

                                      9600 is only used on the older X-E Core series like x550e, x750e, x1250e and x5500e for accessing the BIOS setup.
                                      For the XTM5 series since pfSense version 2.2 and later, it's 115200 for updating BIOS or installing pfSense.

                                      Grtz
                                      DeLorean

                                        m0reilly

                                        Thanks for that. Yes, I used the 115200 before and after the 9600 attempt, but I think I have found the issue: the CF card may be being blocked from the boot order, as it shows the CF as the boot choice but in the boot order it is listed in brackets (the bios info states that devices in parentheses are excluded from boot…matter of semantics, or...? ). I'll put the original OS back in, see how it looks re boot.
                                        @Diesel678: A Cisco style cable, two piece.

                                          Cortex

                                          @blaxx:

                                          @stephenw10:

                                          Do you have 'Hardware TCP Segmentation Offloading' disabled in System > Advanced > Networking?

                                          It should be disabled by default.

                                          Steve

                                          Yes it is disabled. The config is default except for installation of LCDproc.

                                          Stellan

                                          Ok so it's a bit late 2 months after your post.
                                          I had the same problem, that my box would stop working after a couple of weeks. I found that uninstalling the LCDproc actually solved this.
                                          I'd try to run it without the LCDproc installed.

                                            Cortex

                                            Maybe I missed it somewhere in the thread, but I can't seem to find an answer for this.
                                            It says that pfSense 2.4 is not supported as an embedded distribution, but is it safe to upgrade from 2.3.4 to 2.4.0 using the update function?
