Watchguard XTM 5 Series
-
Hmm yes, I was forgetting no pkg_add etc in 2.2. Haven't explored the options here. Just add a pbi repo? Point at PC-BSD 10?
Steve
I took a quick look yesterday and looked again today, but I'm not seeing how to do this. If you could kindly point me in the right direction, I'll give this a try. Seems like all I'm finding are people talking about how repo's broke with 2.1 or something, but not seeing how to actually set it up. I'm guessing I'm just not using the right search terms.
-
Hmm, this is far more trouble than I expected. I'm probably just missing something. There seems to be no easy way of adding flashrom (or anything else) to 2.2. More research needed. ;)
Looks like you might be able to use the PC-BSD PBIs but since 10 they are 64bit only. :-\
pbi_add -r http://pbi.cdn.pcbsd.org/sysutils/flashrom/10/x64/flashrom-0.9.7_1-amd64.pbi
No good for 32bit installs, which mine is. :(
Edit: Though you can do that you shouldn't. Use the pkg command instead see below.
Steve
-
Hmm, this is far more trouble than I expected. I'm probably just missing something. There seems to be no easy way of adding flashrom (or anything else) to 2.2. More research needed. ;)
Looks like you might be able to use the PC-BSD PBIs but since 10 they are 64bit only. :-\
pbi_add -r http://pbi.cdn.pcbsd.org/sysutils/flashrom/10/x64/flashrom-0.9.7_1-amd64.pbi
No good for 32bit installs, which mine is. :(
Steve
Heh, tried to quote the message, but my phone decided to thank you instead.
Anyway, is there a DOS utility that can flash the BIOS on this perhaps? I can try loading up FreeDOS on the CF card and flashing the BIOS that way. I'd imagine this is possible as almost everyone still provides ways to flash via DOS. (HP is great with this as you can PXE boot an image with a bunch of different BIOSes and the machine automatically figures out which one is for that machine and the program can be signed with the BIOS password so no interaction is required.)
-
Thank your phone for me. ;D
There are DOS programs for doing this yes. AFUDOS I believe is the program you'd need. The problem is that these dos based tools still use some sort of graphical mode, albeit a crude one, which cannot be displayed via the serial console. To work around that you need to feed it a command line that by-passes all the user input such as we did with the X-e boxes, see:
https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Flashing_the_BIOSI've just tried and failed to get FreeDOS to boot to the console. I'm sure I've done it before though. :-\
Steve
-
Thank your phone for me. ;D
There are DOS programs for doing this yes. AFUDOS I believe is the program you'd need. The problem is that these dos based tools still use some sort of graphical mode, albeit a crude one, which cannot be displayed via the serial console. To work around that you need to feed it a command line that by-passes all the user input such as we did with the X-e boxes, see:
https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Flashing_the_BIOSI've just tried and failed to get FreeDOS to boot to the console. I'm sure I've done it before though. :-\
Steve
I tried one of your FreeDOS images from one of the other watchguard threads and never got the 3 beeps. Looking at the CF card though, it doesn't look like everything copied over. And now I can't seem to repartition my card back to 1GB from 16MB, so I've not tried the 64bit 2.2 yet. I need a female to female adapter for the PCI-Express slot so I can toss a video card on it. (And later, hopefully a supported crypto card.)
Would doing the pain in the butt SPI work? I'd have to hack together a cable for it and all, but if that's what I have to do, that's what I have to do.
I think I'll try playing around with trying to get FreeDOS working for now though.Or maybe a Linux distro with flashrom. Plenty of things to try. Might need to run to the store for a new CF card though. Newegg needs a local store in my middle of nowhere town… Lol
EDIT>>
Well, I got 2.2 up and running, and got the flashrom pbi installed, but it still gives the same error about no EEPROM/flash device found. Guess I'll have to try some Linux or DOS. -
The SPI header may work but I see no reason why flashrom should recognise your chip via that rather than the internal method, which is also using SPI.
I updated my box to 64bit which you can do via the normal firmware update just change the updater URL. It is possible to install the flashrom PBI from PC-BSD as I outlined above but it seems very 'wrong'.
Edit: It IS wrong don't do it, see below.
You cannot install the PBI directly you must fetch it first. You must disable the signature check. Then when it's installed you must call it using the full path it does not seem to integrate in any useful way even after a rehash.[2.2-ALPHA][root@pfsense.localdomain]/tmp(8): fetch http://pbi.cdn.pcbsd.org/sysutils/flashrom/10/x64/flashrom-0.9.7_1-amd64.pbi flashrom-0.9.7_1-amd64.pbi 100% of 5349 kB 1999 kBps 00m03s [2.2-ALPHA][root@pfsense.localdomain]/tmp(9): pbi_add -i flashrom-0.9.7_1-amd64.pbi PBI Information for: flashrom-0.9.7_1-amd64 ----------------------------------------------------- Name: flashrom RootInstall: NO Version: 0.9.7_1 Built: 20140206 190737 Prefix: /usr/pbi/flashrom-amd64 Author: flashrom Team Website: http://www.flashrom.org/ Arch: amd64 FbsdVer: 10.0-RELEASE CreatorVer: 1.0 ArchiveCount: 648 ArchiveSum: e22c43317551cb41703add247953ccbeb277957f9444003d09586ec22aa67f9a Signature: Bad License: GPLv2 AutoUpdate: NO [2.2-ALPHA][root@pfsense.localdomain]/tmp(12): pbi_add --no-checksig flashrom-0.9.7_1-amd64.pbi Verifying Checksum...OK Extracting to: /usr/pbi/flashrom-amd64 Installed: flashrom-0.9.7_1 [2.2-ALPHA][root@pfsense.localdomain]/tmp(14): rehash [2.2-ALPHA][root@pfsense.localdomain]/tmp(15): flashrom flashrom: Command not found. [2.2-ALPHA][root@pfsense.localdomain]/tmp(18): /usr/pbi/bin/flashrom -p internal flashrom v0.9.7-r1711 on FreeBSD 10.0-STABLE (amd64) flashrom is free software, get the source code at http://www.flashrom.org Calibrating delay loop... OK. Found chipset "Intel ICH7/ICH7R". Enabling flash write... OK. Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI) at physical address 0xfff00000. No operations were specified.
If you choose to use this method I would definitely recommend reinstalling afterwards or at least switching to the other slice if you're running Nano.Just don't!Steve
-
The SPI header may work but I see no reason why flashrom should recognise your chip via that rather than the internal method, which is also using SPI.
I updated my box to 64bit which you can do via the normal firmware update just change the updater URL. It is possible to install the flashrom PBI from PC-BSD as I outlined above but it seems very 'wrong'.
You cannot install the PBI directly you must fetch it first. You must disable the signature check. Then when it's installed you must call it using the full path it does not seem to integrate in any useful way even after a rehash.
[2.2-ALPHA][root@pfsense.localdomain]/tmp(8): fetch http://pbi.cdn.pcbsd.org/sysutils/flashrom/10/x64/flashrom-0.9.7_1-amd64.pbi flashrom-0.9.7_1-amd64.pbi 100% of 5349 kB 1999 kBps 00m03s [2.2-ALPHA][root@pfsense.localdomain]/tmp(9): pbi_add -i flashrom-0.9.7_1-amd64.pbi PBI Information for: flashrom-0.9.7_1-amd64 ----------------------------------------------------- Name: flashrom RootInstall: NO Version: 0.9.7_1 Built: 20140206 190737 Prefix: /usr/pbi/flashrom-amd64 Author: flashrom Team Website: http://www.flashrom.org/ Arch: amd64 FbsdVer: 10.0-RELEASE CreatorVer: 1.0 ArchiveCount: 648 ArchiveSum: e22c43317551cb41703add247953ccbeb277957f9444003d09586ec22aa67f9a Signature: Bad License: GPLv2 AutoUpdate: NO [2.2-ALPHA][root@pfsense.localdomain]/tmp(12): pbi_add --no-checksig flashrom-0.9.7_1-amd64.pbi Verifying Checksum...OK Extracting to: /usr/pbi/flashrom-amd64 Installed: flashrom-0.9.7_1 [2.2-ALPHA][root@pfsense.localdomain]/tmp(14): rehash [2.2-ALPHA][root@pfsense.localdomain]/tmp(15): flashrom flashrom: Command not found. [2.2-ALPHA][root@pfsense.localdomain]/tmp(18): /usr/pbi/bin/flashrom -p internal flashrom v0.9.7-r1711 on FreeBSD 10.0-STABLE (amd64) flashrom is free software, get the source code at http://www.flashrom.org Calibrating delay loop... OK. Found chipset "Intel ICH7/ICH7R". Enabling flash write... OK. Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI) at physical address 0xfff00000. No operations were specified.
If you choose to use this method I would definitely recommend reinstalling afterwards or at least switching to the other slice if you're running Nano.
Steve
As I said, I got 2.2 installed and flashrom installed as well, but it still did not work. I then tried a couple different ways of getting FreeDOS booted, but none of them seemed to work. I'm putting 2.1.3 back on the CF card now and going to get it configured and then make a backup of it so I can stop having to go through the setup every time after trying something different.
Out of curiosity, do you have a jumper on J10? Mine doesn't have one. J11 seems required to be able to turn on, and J2 was on pins 2&3. J14 has no jumper across any of the 3 pins. Is this the same as what you have there?
-
Ah, sorry I missed your edit.
Yep, my jumpers set the same. It's interesting that J11 has a jumper because the default is n/c where as J19 should be shorted by default but isn't on my box. Those three jumpers select AT or ATX mode. J2 selects master or slave for the CF card slot. That's based on the 7581which is slightly different.Steve
-
Ok using PBIs is not the way to go. The old package system has been replaced with pkgng. See:
https://forum.pfsense.org/index.php?topic=77166.0
It's easy enough to install flashrom but it takes a long time in Nano while it updates the package list.[2.2-ALPHA][root@pfsense.localdomain]/root(3): pkg The package management tool is not yet installed on your system. Do you want to fetch and install it now? [y/N]: y Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/freebsd:10:x86:32/latest, please wait... Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done Installing pkg-1.2.7_2... done If you are upgrading from the old package format, first run: # pkg2ng Usage: pkg [-v] [-d] [-l] [-N] [-j <jail name="" or="" id="">|-c <chroot path="">] [-C <configuration file="">] [-R <repo config="" dir="">] <command></command> [<args>] Global options supported: -d Increment debug level -j Execute pkg(8) inside a jail(8) -c Execute pkg(8) inside a chroot(8) -C Use the specified configuration file -R Directory to search for individual repository configurations -l List available commands and exit -v Display pkg(8) version -N Test if pkg(8) is activated and avoid auto-activation Commands supported: add Registers a package and installs it on the system annotate Add, modify or delete tag-value style annotations on packages audit Reports vulnerable packages autoremove Removes orphan packages backup Backs-up and restores the local package database check Checks for missing dependencies and database consistency clean Cleans old packages from the cache config Display the value of the configuration options convert Convert database from/to pkgng create Creates software package distributions delete Deletes packages from the database and the system fetch Fetches packages from a remote repository help Displays help information info Displays information about installed packages install Installs packages from remote package repositories lock Locks package against modifications or deletion plugins Manages plugins and displays information about plugins query Queries information about installed packages register Registers a package into the local database remove Deletes packages from the database and the system repo Creates a package repository catalogue rquery Queries information in repository catalogues search Performs a search of package repository catalogues set Modifies information about packages in the local database ssh ssh packages to be used via ssh shell Opens a debug shell shlib Displays which packages link against a specific shared library stats Displays package database statistics unlock Unlocks a package, allowing modification or deletion update Updates package repository catalogues updating Displays UPDATING information for a package upgrade Performs upgrades of packaged software distributions version Displays the versions of installed packages which Displays which package installed a specific file Commands provided by plugins: For more information on the different commands see 'pkg help <command></command>'. [2.2-ALPHA][root@pfsense.localdomain]/root(4): pkg add flashrom pkg: flashrom: No such file or directory pkg: Was 'pkg install flashrom' meant? Failed to install the following 1 package(s): flashrom [2.2-ALPHA][root@pfsense.localdomain]/root(5): pkg install flashrom Updating repository catalogue digests.txz 100% 1070KB 1.0MB/s 1.0MB/s 00:01 packagesite.txz 100% 4908KB 2.4MB/s 1.4MB/s 00:02 Incremental update completed, 22923 packages processed: 0 packages updated, 0 removed and 22923 added. The following 5 packages will be installed: Installing dmidecode: 2.12 Installing pciids: 20140502 Installing libftdi: 0.20_1 Installing libpci: 3.2.1 Installing flashrom: 0.9.7_1 The installation will require 3 MB more space 612 KB to be downloaded Proceed with installing packages [y/N]: y dmidecode-2.12.txz 100% 60KB 59.9KB/s 59.9KB/s 00:00 pciids-20140502.txz 100% 180KB 180.1KB/s 180.1KB/s 00:00 libftdi-0.20_1.txz 100% 41KB 41.3KB/s 41.3KB/s 00:00 libpci-3.2.1.txz 100% 44KB 43.9KB/s 43.9KB/s 00:00 flashrom-0.9.7_1.txz 100% 287KB 286.9KB/s 286.9KB/s 00:00 Checking integrity... done [1/5] Installing dmidecode-2.12... done [2/5] Installing pciids-20140502... done [3/5] Installing libftdi-0.20_1... done [4/5] Installing libpci-3.2.1... done [5/5] Installing flashrom-0.9.7_1... done [2.2-ALPHA][root@pfsense.localdomain]/root(6): flashrom flashrom: Command not found. [2.2-ALPHA][root@pfsense.localdomain]/root(7): rehash [2.2-ALPHA][root@pfsense.localdomain]/root(8): flashrom flashrom v0.9.7-r1711 on FreeBSD 10.0-STABLE (i386) flashrom is free software, get the source code at http://www.flashrom.org Please select a programmer with the --programmer parameter. Previously this was not necessary because there was a default set. To choose the mainboard of this computer use 'internal'. Valid choices are: internal, dummy, nic3com, nicrealtek, gfxnvidia, drkaiser, satasii, ft2232_spi, serprog, rayer_spi, pony_spi, nicintel, nicintel_spi, ogp_spi, satamv, usbblaster_spi. [2.2-ALPHA][root@pfsense.localdomain]/root(9): flashrom -p internal flashrom v0.9.7-r1711 on FreeBSD 10.0-STABLE (i386) flashrom is free software, get the source code at http://www.flashrom.org Calibrating delay loop... OK. Found chipset "Intel ICH7/ICH7R". Enabling flash write... OK. Found Micron/Numonyx/ST flash chip "M25P80" (1024 kB, SPI) at physical address 0xfff00000. No operations were specified.</args></repo></configuration></chroot></jail>
John, did you try to access the BIOS rom before you changed the CPU? IT's about the only thing your system has different to anyone else's.
Also it's not necessary to change the BIOS anyway. ;)Steve
-
I think I did, but I can't remember. I'll try putting the Celeron back in tomorrow.
-
It works fine with my Core2duo in there. Maybe the Quad core shifts some I/O resources or similar. :-\
Steve
-
It works fine with my Core2duo in there. Maybe the Quad core shifts some I/O resources or similar. :-\
Steve
Just tried again with the original CPU and RAM and still getting this:
[2.1.3-RELEASE][root@pfSense.gorgarath.net]/root(2): /etc/rc.conf_mount_rw [2.1.3-RELEASE][root@pfSense.gorgarath.net]/root(3): flashrom -r og-bios.rom flashrom v0.9.5.2-r1515 on FreeBSD 8.3-RELEASE-p16 (i386), built with libpci 3.1.9, GCC 4.2.1 20070719 [FreeBSD], little endian flashrom is free software, get the source code at http://www.flashrom.org Calibrating delay loop... OK. Found chipset "Intel ICH7/ICH7R". Enabling flash write... OK. No EEPROM/flash device found. Note: flashrom can never write if the flash chip isn't found automatically.
On bootup, the console shows this: "MB-7580 Ver.WC0 02/03/2010". Does that match what yours shows?
-
Yep:
AMIBIOS(C)2006 American Megatrends, Inc. MB-7580 Ver.WC0 02/03/2010 Unlocked V1.8 SW CPU : Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz Speed : 2.20 GHz Press DEL to run Setup (F4 on Remote Keyboard) Press n if you want to boot from the network Press F11 for BBS POPUP (F3 on Remote Keyboard) The MCH is operating with DDR2 800 DRAM Timing: Tcl:6/Tras:18/Trp:6/Trcd:6/Twr:6/Trfc:52/Twtr:3/Trrd:3/Trtp:3 Initializing USB Controllers .. Done.
Except of course I have modified the boot message. ;)
Say for some reason the I/O addess of your chip has been shifted, that might mean that accessing it via the SPI header would work. Seems more likely it's a new IC variant that flashrom doesn't recognise though.
Steve
-
Say for some reason the I/O addess of your chip has been shifted, that might mean that accessing it via the SPI header would work. Seems more likely it's a new IC variant that flashrom doesn't recognise though.
Steve
So, any luck getting FreeDOS to boot on the XTM5? lol I know it is working fine without unlocking the BIOS, but not being able to is really annoying and I'd prefer having full access to the hardware.
-
Nope. Just tried several images on several CF cards. I'm sure it worked fine when I first tried it. Hmm… :-\
Steve
-
Nope. Just tried several images on several CF cards. I'm sure it worked fine when I first tried it. Hmm… :-\
Steve
I've never tried using DOS (FreeDOS or otherwise) over a serial console, so I'm not even sure where to start in trying to get it to work. My searches on Google aren't giving much insight either. This is pretty standard x86 hardware, so it should work just fine, at least for the purposes of flashing the BIOS in DOS, but I've not had luck either, though I'm not sure I'm doing it right. Maybe I should try with a hard drive instead of CF card and see if I have better luck. If I format the drive to boot FreeDOS, I should be able to copy the files from the image over and have it work just fine. Assuming the box will boot it.
Is my Cisco console cable going to work for this or will I need some sort of other null modem cable? Your image IIRC beeps when it finishes booting to the command prompt, so at the least, I should be able to get to that. If I can, I can probably script the autoexec to launch the utility to backup the BIOS and then reprogram the BIOS without having to actually have a working console. A bit risky doing low level stuff like that without any visual confirmation of what's going on, especially since it seems mine is different in that it won't flash from flashrom. Maybe I'll just have it backup the BIOS and then take a look at that BIOS file to see if it's different in any other ways. If I can get a backup of my BIOS, would you be willing to take a look at the resulting file? From what it looks like, it should be identical, but better safe than sorry. Or if you could point me to where to get the files for modifying it myself, I could take a look myself. Been a long time since I've tinkered with something like this. Was able to hot flash a BIOS chip last time I messed around with a BIOS so if I got it wrong, I could easily reprogram the BIOS back to default using another BIOS chip to boot it up. Wish I had the option on this board, would be a bit more comfortable.
-
So the thing to know about the FreeDOS serial console is that it can only use hardware flow-control, it needs the additional wiring in the serial cable to work. In the X-e firebox that was true of the BIOS serial re-direct code but that was an older Award BIOS.
https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Not_All_Null_Modem_Cables_are_Created_Equal.21
It's possible the RJ45 console cable doesn't support hardware flow control which would explain why we aren't seeing anything. One possibility in that case would be to use the internal serial header for com2 with 9-pin socket and known cable.Running it blind is a possibility. A user in the X-e thread did that when they could find a cable that worked. I think they edited the autoexec.bat file to put in more beeps to know what stage it's at.
Steve
-
So the thing to know about the FreeDOS serial console is that it can only use hardware flow-control, it needs the additional wiring in the serial cable to work. In the X-e firebox that was true of the BIOS serial re-direct code but that was an older Award BIOS.
https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox#Not_All_Null_Modem_Cables_are_Created_Equal.21
It's possible the RJ45 console cable doesn't support hardware flow control which would explain why we aren't seeing anything. One possibility in that case would be to use the internal serial header for com2 with 9-pin socket and known cable.Running it blind is a possibility. A user in the X-e thread did that when they could find a cable that worked. I think they edited the autoexec.bat file to put in more beeps to know what stage it's at.
Steve
I got a little further with this. While I was unable to get it to boot off the CF card, with the hard drive, I get to the point where the Watchguard will beep when it switches to the console. However, it doesn't get any further than that. I'm messing around with some RJ45 to serial adaptors, but I think I'm going to need to wire a special Cat5 connector for it to work. I forgot about the internal COM2 port… I think I might try that instead as I should have a serial port connected to a pin block laying around here somewhere. Think it would be easier than trying to figure out how the RJ45 port is wired to figure out what to connect to it.
EDIT>>
What settings in PuTTY are the required settings for hardware flow control? I can hook it up to an XP machine if needed and use hyperterm with it's hardware setting, but I prefer PuTTY/KiTTY over hyperterm if possible. XON/XOFF, RTS/CTS, and DSR/DTR are the flow control options, and XON/XOFF I believe is software and not hardware, so RTS/CTS or DSR/DTR are my options and I can try with both, but if you can let me know which is correct, it'll speed up the process. :)EDIT2>>
OK, I'm assuming J13 is the serial port, however, for whatever reason, HP used 16 pin header blocks for their serial port B on the desktops I have in storage, so that's obviously not going to fit the 10 pin header block on this board. Unless that's USB and I might be able to get some sort of USB->serial adapter working in FreeDOS. (I do have USB ports on PCB designed to be used straight off of headers for internal USB connections.) Or if any of the pins not in blocks are for serial, I could try this as only 9 of these pins are actually connected, hopefully all in a row. (I tried looking for a manual or diagram for this motherboard and wasn't able to find one, so I'm not sure what any of the pinouts are for.) -
That's a good question. I'm using Putty in Xubuntu but when I was first investigating the XTM5 I was using WinXP. The Linux version doesn't appear to offer DSR/DTR so maybe I used that. :-\
The manual for the FW-7581 also lists the com2 header J13, see pic.
Steve
-
That's a good question. I'm using Putty in Xubuntu but when I was first investigating the XTM5 I was using WinXP. The Linux version doesn't appear to offer DSR/DTR so maybe I used that. :-\
The manual for the FW-7581 also lists the com2 header J13, see pic.
Steve
Where are you finding the manual at? I tried searching their site but was only finding brochures and a data sheet that didn't include motherboard layout or anything.
I'm going to dig through my stuff in the basement for a serial port with cable. Maybe take the one off my PIX hack job running pfSense on an upgraded P4, but I think that motherboard was from one of those HP machines as well. I have a feeling though, that if I have one still, which I most likely don't anymore, it'll be at my parents' house. Most of my old stuff that I had at their house has been tossed over time though.
I'll let you know what I find, though I'm wondering if it would just be easier to automatically do it via the autoexec.