Sonicwal Pro 2040

  • Anybody tried installing pfSense on a Sonicwall Pro2040? I have one that we don't use anymore and this morning I decided to open it up. I know it has an 800Mhz x86 (P3 or VIA most likely), 128MB PC133 (which can be upgraded), 4x Intel 82551ER ports and a CF slot on the MB.

    Unless there is some sort of lock in the bios that prevents the boot to anything other than SonicOs, it should work in theory.

  • I have a the same Sonicwall. I had considered trying to install pfSense on it but I am not sure how to go about it. The box is currently in use so I have no had the chance.

    Any idea how to get a connection to box when I am not using SonicOS? I know with the watchguard boxes you have to reflash the BIOS.

  • I hope I can just replace the SonicOS CF card with one where I flashed pfSense nanobsd and it boots up, but I doubt it will be that easy.

    This is what it looks inside:

  • Can you get a picture of the board from birdseye view. And a picture of the non VIA chipset, the one to right in the posted picture.

  • Netgate Administrator

    It looks like our old friend the Cavium Nitrox to me.  ;)  Too big to be a CN505 though. (CN1010?)
    You will probably find it boots a pfSense flashed CF card fine. Only one of the Watchguard boxes required anything special to get it to boot and that was only because it has a buggy bios.
    Sonicwall could have written their own bios which checks the image checksum and refuses to boot anything but an official image but I very much doubt they did.
    To access the bios try booting with a serial console attched. Because you can't send delete over serial you usually have to press TAB instead. You'll have to guess the serial speed though, probably 115200 8N1.


    Edit: Reading through this [pdf] interesting document it appears as though there may be some sort of hardware failover, possibly lan bypass, so you may have to do something with that if you get it booted.

    Edit2: No I'm wrong that just refers to some sort of CARP cluster scenario.

    Edit3: Some further reading seems to indicate that in fact Sonicwall have gone to some lengths to secure their boxes. The CF and BIOS are encrypted so it seems very likely they will not boot anything but the correct signed image.  :( Be interesting to find out though.

  • Pretty sure those are Cavium MIPS or ARM based platforms, which aren't supported. The Watchguard and other boxes people use are all x86. I believe they've also gone to some lengths to secure the hardware platform as stephenw10 noted, so even if we had a Cavium image, it wouldn't work.

  • Netgate Administrator

    It's definitely X86, even Sonicwall agree  ;):

    What kinds of processors are in the PRO 2040?
    The PRO 2040 uses a 800MHz VIA C3 as its main processor, which handles all I/O, firewall, and packet processing functions. All cryptographic and hashing mechanisms are offloaded to a Cavium Nitrox co-processor.

    From this [pdf] review of router security presented at CanSecWest:

    Root access:
    • Removable Storage Compact Flash
    …but its unreadable...
    • Removable BIOS
    ...but its unreadable...
    • Firmware can be backed up
    ...but its signed...

    It doesn't specifically say it won't boot anything else but why would you attempt to remove the bios or read it otherwise? Also doesn't specify what model but the picture looks like the 2040 board.
    You could argue that once you have physical access to the CF card there is little point in further security measures other than to prevent reverse engineering.


  • Ah, yeah I see Cavium and I assume MIPS or ARM, but that's not true on that one.

    I'm sure they have protections in place to prevent knock off products. It's not hard to build your own box identical to that hardware and duplicate the CF, so they have to do something.

  • Netgate Administrator

    Watchguard don't encrypt either the bios or CF card. To authenticate the box they have a separate on board eprom that contains the serial number and licensing information. This is presumably encrypted but I've never been able to read it as the FreeBSD SPI driver doesn't seem to play nicely with it. It's also probably the one area that Watchguard would be concerned about people meddling with.  ;)


  • The VIA chipset is a VT82C686B and the Nitrox chip is a CN1005-350BG256. I tested with 4GB CF with the latest 2.1 snapshot and, as I expected, it doesn't boot. It actually beeps once and then shuts down. It does the same without the CF card.

    With the original SonicOS CF, this is the console output a couple of seconds after the beep:

    SonicROM Booting…........................

    Initializing Firmware loader
    Initializing FLASH
    Loading Firmware
    Uncompressing Firmware
    Starting Firmware at 0x408000

    SonicOS Booting....................................

    So there is definitely some protection at the bios level. Oh well, it was worth a try… Now back on the shelf collecting dust!

  • Netgate Administrator

    Even if that is the case I would expect to see some output on the console from the BIOS with no CF card in it. After all there must be some diagnostic capability for a failed CF card. Even if it just says 'Error' and shuts down.
    Have you tried some other serial baud rates? Did you try pressing TAB?
    You could try the VGA port if you have cables/soldering skills.
    Don't give up that easily!  :)


  • I did more testing. Unfortunately there is no console output before the first beep regardless of the baud rates. I tried with TAB, but nothing happens. I also tried a smaller 256GB card with Monowall, but it didn't work either. I even tried to swap cf cards on the fly after the firmaware was loaded  :o

    I'm afraid that this is way beyond my expertise at this point.  :-[

  • My watchguard box will be coming soon, once in place I will crack open my Sonicwall.