[As Good As Solved!] Watchguard Firebox Arm/Disarm LED

stephenw10

Edit: Don't do this! Perhaps it makes interesting reading for someone. See my post a few below here after Wallabybob pointed out my failure to understand pciconf.  ::)

Here's something that seems to work, if you're feeling brave!  :P I spent ages trying to compile a very simple program but gave up after more compile errors than I could count. Anyway the basic functionality is included in the pciutils package. First install the package:

/etc/rc.conf_mount_rw

pkg_add -r pciutils

/etc/rc.conf_mount_ro

rehash

This is a port of the Linux lspci utility with some extra bits.
Fire it up and see what you have:

[2.0-BETA5][root@pfSense.localdomain]/root(34): lspci
00:00.0 Host bridge: Intel Corporation Mobile 915GM/PM/GMS/910GML Express Processor to DRAM Controller (rev 04)
00:02.0 VGA compatible controller: Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 04)
00:1c.1 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 2 (rev 04)
00:1c.2 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 3 (rev 04)
00:1c.3 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 4 (rev 04)
00:1d.0 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 04)
00:1d.1 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #2 (rev 04)
00:1d.2 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #3 (rev 04)
00:1d.3 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #4 (rev 04)
00:1d.7 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller (rev 04)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev d4)
00:1f.0 ISA bridge: Intel Corporation 82801FBM (ICH6M) LPC Interface Bridge (rev 04)
00:1f.1 IDE interface: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) IDE Controller (rev 04)
00:1f.3 SMBus: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) SMBus Controller (rev 04)
01:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8053 PCI-E Gigabit Ethernet Controller (rev 19)
02:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8053 PCI-E Gigabit Ethernet Controller (rev 19)
03:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8053 PCI-E Gigabit Ethernet Controller (rev 19)
04:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8053 PCI-E Gigabit Ethernet Controller (rev 19)
05:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8001 Gigabit Ethernet Controller (rev 13)
05:01.0 Ethernet controller: Marvell Technology Group Ltd. 88E8001 Gigabit Ethernet Controller (rev 13)
05:02.0 Ethernet controller: Marvell Technology Group Ltd. 88E8001 Gigabit Ethernet Controller (rev 13)
05:03.0 Ethernet controller: Marvell Technology Group Ltd. 88E8001 Gigabit Ethernet Controller (rev 13)
05:04.0 Network and computing encryption device: Cavium Networks Nitrox XL N1 Lite

This is my Xe box. You can see the ICH LPC bridge listed has PCI address 00:1f.0 (obviously change this to your address).
So now we can get lspci to spit out the configuration data. This function comes with a danger warning but works fine here:

[2.0-BETA5][root@pfSense.localdomain]/root(35): lspci -s 00:1f.0 -xxx
00:1f.0 ISA bridge: Intel Corporation 82801FBM (ICH6M) LPC Interface Bridge (rev 04)
00: 86 80 41 26 07 01 00 02 04 00 01 06 00 00 80 00
10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 86 80 41 26
30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40: 01 04 00 00 80 00 00 00 81 04 00 00 10 00 00 00
50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
60: 0b 0c 05 0a d0 00 00 00 0b 80 80 09 00 00 00 00
70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
80: 10 00 0f 34 81 00 00 00 91 02 00 00 00 00 00 00
90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
a0: 20 02 00 00 00 00 00 00 00 00 00 00 00 03 00 00
b0: 00 00 00 00 00 00 00 00 55 55 55 55 00 00 00 00
c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
d0: 33 22 11 00 67 45 00 00 c0 c0 00 00 00 00 00 00
e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
f0: 01 c0 d1 fe 00 00 00 00 80 0f 04 00 00 00 00 00

So now we have the important part of the configuration table. Looking at the datasheet for the ICH6 the GPIO base address is stored in registers 0x48-0x4b. You have to read it in reverse: 00 00 04 81. i.e 0x481 Except that reading the datasheet more closely we see that "bit 0 is hardwired to 1 to indicate I/O space" for some reason.  ::) So the actual address is 0x480. Which we know to be true.

This procedure should work fine for you except that in the ICH2 the gpio base address is at 0x58-5B instead.

Steve

wallabybob

The FreeBSD utility pciconf can also be used to get this information. There is a man page at http://www.freebsd.org/cgi/man.cgi?query=pciconf&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html

stephenw10

@wallabybob:

The FreeBSD utility pciconf can also be used to get this information.

Doh!  :-[
It was like three in the morning by the time I wrote that.

The same result can be had with:

[code]
[2.0-BETA5][root@pfSense.localdomain]/root(10): pciconf -r pci0:0:31:0: 0x48
00000481

On the X-core box with the ICH2 you need to look at 0x58 but the LPC device is in the same place so:

pciconf -r pci0:0:31:0: 0x58

Steve

iFloris

@stephenw10:

On the X-core box with the ICH2 you need to look at 0x58 but the LPC device is in the same place so:

pciconf -r pci0:0:31:0: 0x58

Steve

Progress! That is to say, the command gives me a response on my firebox.
The response is as follows:

[2.0-BETA5][admin@firebox1.domain]/root(1): pciconf -r pci0:0:31:0: 0x58
00004081 

I'm not sure what this means though!
What is the next step?

stephenw10

Aha! That's disappointingly similar to 480, open to confusion but it looks as though the GPIObase address is 0x4080.
The next setp is to re-try the instructions from here but using 0x4080 in place of 0x480.
Hopefully you should get something other than all ff or 0.

Steve

iFloris

@stephenw10:

The next setp is to re-try the instructions from here but using 0x4080 in place of 0x480.
Hopefully you should get something other than all ff or 0.

Steve

Indeed, the numbers are so alike that I first thought I had gotten the same response as you did.

And now, with your help, readio has given me an answer other than ff!

[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(4): ./readio 0x4080
Reading 4080 :80
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(5): ./readio 0x4081
Reading 4081 :31
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(6): ./readio 0x4082
Reading 4082 :20
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(7): ./readio 0x4083
Reading 4083 :1a
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(8): ./readio 0x4084
Reading 4084 :ff
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(9): ./readio 0x4085
Reading 4085 :ff
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(10): ./readio 0x4086
Reading 4086 :0
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(11): ./readio 0x4087
Reading 4087 :0
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(12): ./readio 0x408c
Reading 408c :0
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(13): ./readio 0x408d
Reading 408d :0
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(14): ./readio 0x408e
Reading 408e :bf
[2.0-BETA5][admin@firebox1.domain]/etc/rc.d(15): ./readio 0x408f
Reading 408f :9

Unfortunately, some of the responses are still 0 or ff.

stephenw10

@iFloris:

Unfortunately, some of the responses are still 0 or ff.

Not a problem, they should be.
So:

Experimental findings of ICH2 IO space;  

0x4080-0x4083 Set pins as gpio or native fuctions. 1=gpio
Default 1a003180				                0001 1010 0000 0000
Found  1a203180      						0001 1010 0010 0000 

0x4084-0x4087 Set gpios as input or output. 1=Input
Default	0000ffff
Found	0000ffff	bit 1 is input. Possible outputs are 	0000 0000 0000 0000 1111 1111 1111 1111 

								   1 1 1    1  (set as gpio & set as output)

0x408c-0x408f GPIO Levels
Default	1f1f0000											
Found	09bf0000				   	        0000 1001 1011 1111 

Hmm, doesn't really line up properly on the forum but.. Edit: Better

Only four pins are both enabled as GPIO and set as ouput and only two of those are set to 1. So try seting either of those to 0.

./writeio 0x408f 0x01 

Return it to it's original value after or things get confusing! Or:

./writeio 0x408e 0x9f 

One of those should switch off the red led.

Once we know that we can work on green and flashing!

Steve

iFloris

@stephenw10:

Only four pins are both enabled as GPIO and set as ouput and only two of those are set to 1. So try seting either of those to 0.

./writeio 0x408f 0x01 

Return it to it's original value after or things get confusing! Or:

./writeio 0x408e 0x9f 

One of those should switch off the red led.

Thanks, I've been meaning to try this.
However, when you write 'Return it to it's original value after or things get confusing!', how do I know what the original value was?
0x408e gave me a response of bf, so would that be 0xbf?
Or am I being nonsensical?

stephenw10

Yes, bf is 0xbf. I never really expected anyone else to be using the program so didn't spend much time sanitising the output, sorry.  :P  (in fact I don't think it matters if you include the 0x or not)
When you change 408e from 0xBF to 0x9F what you are actually doing is changing only 1 bit (B=1011 and 9=1001). I say to change it back since if you change more than one thing at a time it's hard to know what change had what effect.
The fact is that we don't know what, if anything, the other gpios are connected to. It's better to return them to their original state. On the boxes I have here none of the random number setting I have done had any ill effects and it all gets reset by the bios at boot so don't worry.
Good luck!

Steve

iFloris

After trying both ./writeio 0x408f 0x01 and ./writeio 0x408e 0x9f, I found the following:
The first command (0x01) makes the red led blink red / off (looks like it blinks synchronised to re0, but I'm not sure).
The second command (0x9f) does nothing (seemingly).

Afterwards, I reset 0x0408f to 0x09 and 0x408e to 0xbf.

stephenw10

Hmmm, interesting. Well it's something at least. It proves that the led is driven by the gpios i some way.
So it doesn't blink regularly, like once a second?

Anyway it seems that 0x408f bit 3 is red on.
To find green leave red off (or blink in this case) and try turning on bits 1 or 4 i.e.

./writeio 0x408f 0x11 or 0x03.

Normally the blinking action is set by the blink register which for you should be at 0x409b, to correspond with the ouputs at 0x408f. Try reading 0x409b, by default it is 00.

Steve

iFloris

I've tried both settings.

./writeio 0x408f 0x11 turns the led green and blinks at fast but irregular intervals.
./writeio 0x408f 0x03 does the same, but turns the led back to red.

I've reset to 0x11 now, so at least the arm led is green!
This is awesome.

Edit: actually, the blinking is regular. About four blinks per second.

stephenw10

Hmm, even more interesting.
So 0x408f set to 03 is the same as 01 yes?
The built in blink function is definitely 1Hz so if it's blinking at around 4Hz then something else is doing it. Still worth checking the blink registers at 0x409A and 0x409B.
It's likely only two pins actually do anything giving only 4 possible states. It appears to be 0x408F bits 3 and 4. We have tried:
01 which is default, solid red
00 red flashing
10 green flashing
11 haven't tried that yet.

Try ./writeio 0x408f 19

As I said there are four possible gpio pins so 16 possible states. Since there is some confusion I think we may just have to work through them.

Steve

iFloris

Good guess!  ./writeio 0x408f 19 turns the led green without blinking.

Edit: Seeing as you now know how to turn the led green on both the x peak and x core devices, perhaps someone can help you with building a package for everyone using a flavor of the firebox?

stephenw10

@iFloris:

Edit: Seeing as you now know how to turn the led green on both the x peak and x core devices, perhaps someone can help you with building a package for everyone using a flavor of the firebox?

That's the long term plan. Hopefully we can also include the lcd driver so we can have a single package for Firebox users that doesn't get broken every time you update.

It seems like we're missing something here though. The control is very different to the other two boxes.
Can you tell me what the out outs of these are:

./readio 0x409a
./readio 0x409b

Do you have bios access to your box? You can set the initial led status in the bios on the X-core. I can't remember what you could set it to but it was a load of different settings. We should be able to get, at least, all of those.

Anyway it seems like we are mostly victorious!  ;D

Steve

iFloris

Nice, but strange that the control is so very different.
Output for the commands is:

[2.0-BEAT5][admin@firebox1.domain]/etc/rc.d(3): ./readio 0x409a
Reading 409a :4
[2.0-BEAT5][admin@firebox1.domain]/etc/rc.d(4): ./readio 0x409b
Reading 409b :0

And no, I don't have access to the bios.
It has been at least ten years since I touched a pci video card..

stephenw10

Clearing out some stuff over the weekend I found an ISA video card!  Couldn't bring myself to dispose of an antique like that.  ::)

Hmm, 00 04 indicates that none of the gpios are set to flash, yet they are flashing….

@iFloris:

./writeio 0x408f 0x03 does the same, but turns the led back to red.

When you said that did you mean just fast flashing red or did you mean flashing red then green?

With the led set to green solid (0x408f = 0x19) try setting 0x409B to 0x10. It should make the led flash slowly (about 1Hz) but it may be between green and (some other state!).

Steve

iFloris

@stephenw10:

When you said that did you mean just fast flashing red or did you mean flashing red then green?
With the led set to green solid (0x408f = 0x19) try setting 0x409B to 0x10. It should make the led flash slowly (about 1Hz) but it may be between green and (some other state!).

OT: ISA, amazing! I think the only time I ever had anything to do with ISA was when I tried to upgrade my (then modern!) 386.

But I digress. What I meant by the same but ted was that the led flashed as fast as when it was green, but that it was the red led that was flashing.
So just red flashing.

./writeio 0x409B 0x10 results in slow (1 second/Hz) flashing, alternating between red and green (as you thought it might).

To iterate what we've found so far:

./writeio 0x408f 0x11    - turns the led green and blinks (fast)
./writeio 0x408f 0x03    - turns the led red and blinks (fast)
./writeio 0x408f 19      - turns the led green without blinking
./writeio 0x409B 0x10  - turns the led green and blinks (slowly)
./writeio 0x0408f 0x09  - turns the led red without blinking

Is that correct?
And does this give us the means to control the led completely, or is there something else that we need to test?

stephenw10

That looks correct.
Since 0x03 and 0x01 are the same it appears the other two gpios do not have any function for the led.

One weird thing is that there's no 'off'. As I said in an earlier post I think that Watchguard probably used a software method to flash the leds since they have fast and slow flash on all the boxes. However to do this you would need an off state to switch to.

I can certainly plug those numbers in my program and we will then have control via an easy to use command line.
Something tells me we're missing something though. This is definitely different to the other boxes where the gpios control the led directly, here we seem to be talking to some intermediate piece of hardware.

Steve

stephenw10

Here is the new program incorporating all the new values for the X-Core.
Obviously rename it WGXepc (remove the .png extension). Copy it to your box and chmod it to 0755. Run it!  ;D

Because the new memory locations were quite high I felt it would be dangerous to simply write all the values on every box, which is what the previous programs did. This new one tries to find out which Firebox model it's running on by reading the gpio_sel register and comparing it with known values. It works fine for me here on the three boxes I've tested it on but I don't have an X-Core and I can imagine that a different bios version might cause detection problems. Deal with that if it happens. Hopefully this might stop people randomly installing it on any box and messing with some important setting!  ::)

It seems to run fine on 1.2.3 and 2.0Beta5.

Steve

Edit: Now tested as working on the X-core boxes and under 2.0RC2

WGXepc.png