Watchguard XTM 5 Series
-
Hi, just got my hands on a XTM515. Bios not flashed.
ARM/DISARM works
but my display doesn't show e.g. the hostname, so I tried every setting under LCDproc. The only setting that works is traffic of interface. Did I get a faulty display?
Driver is Watchguard Firebox
Display size is 2 rows, 20 columns
-
What version of pfSense do you use?
I have seen this behaviour once with the embedded version 2.3.5, while version 2.3.4 runs fine.
Grtz
DeLorean
-
Hi DeLorean,
using pfSense 2.4.2 (64-bit), installed it with 2 SSDs and ZFS and RAID (mirrored)
this was a clean install. So I installed it when the SSDs were connected to my PC and after installation I plugged it right back into the WG
-
Hey Guyz,
this is what I tried so far.
Looks like my XTM515 has a newer display. Tried with pfSense 2.34 and 2.4 fresh installations. No chance. The 2nd row doesn't work at all.
The only thing that works is time, load and that's it.
-
dmidecode | less brings this
Scanning /dev/mem for entry point.
SMBIOS 2.5 present.
44 structures occupying 2148 bytes.
Table at 0x000FBCD0.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: American Megatrends Inc.
    Version: 080015
    Release Date: 04/26/2010
    Address: 0xF0000
    Runtime Size: 64 kB
    ROM Size: 1024 kB
    Characteristics:
-
G'day,
I've been lurking here for a while and many of the posts have been extremely helpful in allowing me to tweak my very recent hardware version of XTM 515. Thank you for that to everyone! Now, I don't actually run pfSense on my XTM but in all the fun time spent with the box I learned a few new things that might be useful to others. So here it goes…
-
The on-board VGA header definitely works, and it works very well. I made a custom cable with a connector I got from digiKey and it's been extremely useful in playing with the box. The front USB ports work well with USB keyboards and mice as well, so the box becomes a fully functional PC with on-board video.
-
The unit serial number is present in the original BIOS. If you have backed-up your original BIOS, as you should have, the serial number is stored in plain ASCII starting at offset 0x0h, and is terminated with 0x00h. There is also another ASCII sequence stored in the original BIOS at offset 0x100h. Both of those are replaced with zeros once you edit the BIOS image with AMI editors. So, if anyone feels adventurous enough you can re-instate your serial number and the other number back into the edited BIOS and see if it works.
-
I had great success in unlocking and modifying the BIOS. The log of my modifications is shown below. I can make it available for anyone who is interested.
XTM515-BIOS1.3-UNLOCKED-5: Changed 'Sign On Message' to include 'Unlocked v1.5 PT'. Enabled 'PCIPnP' and 'Chipset' menus. Enabled 'CPU Configuration' submenu in 'Advanced' menu. Enabled 'ACPI Configuration' submenu in 'Advanced' menu.
XTM515-BIOS1.3-UNLOCKED-4: Updated platform 11 CPUID 1067a microcode to version a0b.
XTM515-BIOS1.3-UNLOCKED-3: Disabled 'Lan ByPass Control' submenu in 'Advanced' menu. Modified BIOS Strings from 'Port0 AHCI Speed limit to' to 'Port0 AHCI Speed limit' for Port0 to Port3.
XTM515-BIOS1.3-UNLOCKED-2: Changed 'Aways CF Card Boot' to 'Show' in 'Advanced' menu.
XTM515-BIOS1.3-UNLOCKED-1: Unlocked the BIOS by changing 'User Access Level' to 03 in 'Security' menu.
Cheers,
Peter.
-
Hello,
Thank you for the useful information.
I have also been experimenting with the BIOS unlocking, and also noticed that the original serial number is wiped
from the moment you do a modification.
The downside is that the BIOS still lets the box boot pfSense without any problem,
but when you want to use the original Watchguard OS again, the login in the Web GUI fails.
The box passes internet, but when you try to log in with the right credentials, the page refreshes and stays at the login page.
I had discovered if you open the BIOS file with notepad, that the serial number is at the very first line,
but nowhere else (or I missed it).
Grtz
DeLorean
-
Greetings…
I have 2 XTM 505s I converted to pfSense a while back, still running a Celeron 440. One I use actively and the other is just a spare. With the upcoming AES NI requirements, I was looking to upgrade the CPUs in these (FW-7580) to the fastest CPUs that are AES NI capable. Has anyone done this? If so, can you please share with me what would be your recommendation? I've not found an AES NI CPU that I believe will work on this motherboard.
TIA.
Kap
-
The XTM 5 series use a mainboard with Intel Socket S775; in the S775 design there doesn't exist any CPU that supports AES-NI.
To upgrade these boxes from the stock Celeron, I always use an Intel E5800 Dual Core @ 3.2GHz;
this type is in the same thermal range (65 Watt) as the original CPU.
That way, the CPU runs at the same temperature (sometimes even cooler) as the original CPU, and you still get decent extra CPU power.
There are users that use an Intel Quad Core Q6600 CPU in these boxes, but I have never done this,
because that CPU is a 105 Watt type, so the box gets hotter and draws more power.
Grtz
DeLorean
-
Yes - this is what I thought, but wanted some confirmation in case I overlooked something. So I guess the XTM 5 series is confined to 2.4 since the 2.5 will require AES NI. Guess I will need a new box when 2.5 arrives :)
Thanks for your quick response…
Kap
-
Well 2.4 will be supported for some time after that, like 2.3 is now. So there will be time to make the switch.
Steve
-
Yep - fully understand, my statement was not meant to be a complaint, just a confirmation that I will eventually need to get off this XTM 5 hardware. I like to run the latest greatest :) Keep up all the great work, AES-NI makes sense and I look forward to my next build when 2.5 arrives!
Thanks - Kap
-
Argh!
I finally got pfSense working on my XTM 535 with Dual Core E5300 / 4GB RAM. Took me forever to figure out how to unlock my own BIOS, get it booting from USB and installed via SSD. Had a ton of issues with the CF card. Now I read your post about AES-NI.
I am disappoint :-[
-
Think about how much you learned along the way though. ;)
You're still good for some time to come anyway as I said.
Steve
-
I wouldn't be disappointed. Still plenty of time left. In my case I am still just tweaking my first XTM box and I have a second backup box on the way. I also have a Q9505s CPU on the way. It will be weeks before it's all configured and operational.
For me going with XTM 5 was a calculated decision since I was aware of the upcoming AES-NI limitation. So I also investigated alternatives to pfSense in order to avoid retiring the hardware prematurely.
Changing the subject, is anyone with a handy SPI programmer willing to insert the two ASCII sequences (unit serial number & the second sequence) into a modified BIOS to confirm if the unit accepts such a hybrid BIOS and recognizes the serial number?
-
Not sure what you're asking there. You want to change the unit's serial number?
I don't think that is stored in the BIOS. Changing the serial also seems morally dubious at best! ??? Maybe I'm misunderstanding…
Steve
-
Hi Steve,
Several posts earlier I highlighted a few of the discoveries I made when tinkering with my XTM 5 box. One of those discoveries was that the original unit BIOS has the serial number stored in null terminated plain ASCII at offset 0x0000h in the BIOS. Likewise offset 0x0100h in the original BIOS has a null terminated ASCII string that corresponds to the barcode label on my unit that is placed immediately to the left of the power switch (the barcode correlation was highlighted to me by DeLorean). Both of those strings are wiped out when the BIOS is edited with the AMI tools. This is the reason why people with edited BIOS cannot get the original firmware to recognize the unit serial number…
All I was suggesting is that someone who cares about the original firmware can try to re-insert those strings manually into their edited / unlocked BIOS to see if it fixes the issue. I have no idea if these strings are used by the BIOS to calculate the checksum. I am myself not that adventurous because (1) I will never need to run the original WatchGuard firmware and (2) I don't have an SPI programmer in case the unit is "bricked".
Cheers.
-
Ah, sorry I've clearly not been paying attention. ::)
That's interesting from an academic point of view. Raises some questions.
However I must ask that any such discussion is taken off the public forum. Whilst you and I might have no need to use that for subversive reasons there will be others who try it, unfortunately.
Were you ever able to enable EIST (speedstep) successfully in your BIOS?
It's been so long since I tried it I forget exactly what success I had there. I do recall having to make several changes to set the MSR bit correctly after boot though.
Thanks,
Steve
-
Stephen what box have you switched to or are you still using an XTM?
-
Well you can probably imagine I have a whole host of boxes. Some might say too many! ::)
I still have the XTM5 and I use it for testing snapshots and packages etc all the time. Also useful as source or sink in throughput testing something else. I'm running an E8400 in it now. Runs solid.
I'd still love to get Speedstep working properly but finding the time to dig deep enough is difficult.
I still run an X-Core-E box but it flakes out about once a week now. Just too many old components in it.
Steve
-
Has not even occurred to me since the two strings were just so obvious at the beginning of the file when viewed with a hex editor. Feel free to redact my posts.
I have not touched speedstep at all. It would require a lot of learning on my part first and I suffer from a very chronic lack of time. It would be awesome if someone got it to work correctly though.
-
I can now also report that the Q9505s CPU is working beautifully in my unit, but of course sans speedstep.