Author Topic: Watchguard XTM 5 Series  (Read 124990 times)

stephenw10
Re: Watchguard XTM 5 Series
« Reply #30 on: April 26, 2013, 01:47:32 pm »
Like I say I think fmertz already implemented all of this. See:
http://forum.pfsense.org/index.php/topic,44034.msg276249.html#msg276249

Try that and see what happens.

Steve

Edit: Yep all looks to be there.
« Last Edit: April 26, 2013, 01:50:03 pm by stephenw10 »

stephenw10
Re: Watchguard XTM 5 Series
« Reply #31 on: May 14, 2013, 05:23:57 pm »
I finally got around to updating WGXepc to include the code for the XTM5. It turned out to be rather more difficult than I'd imagined.
Anyway get it here or here (Oops the topic was locked!).

Whilst investigating the SuperIO chip I found it was controlling the fans so I added code for that too. By default the fans are connected to the system_fan output which is set to run in 'Thermal Cruise' mode. The target temperature register is set to 0x37, I've yet to work out what that translates to but it must be quite high since the fans always run slow. They ramp down to a minimum speed but that is conveniently controllable. I have included code to set that in WGXepc.  :) Obviously be careful messing about with the cooling but it shouldn't be possible to cause any problems as the fans will just ramp up if it gets hot. Unfortunately there is a quirk with setting the minimum value to a speed that is greater than the current fan speed. The only way I could get this to take effect was to switch to manual mode and then back to Thermal Cruise which causes the fans to go to max and then ramp back down. Not the end of the world but slightly annoying (to me at least!). It may also be possible to set the target temperature. The diagnostic LEDs are probably also connected via the SuperIO but I haven't thought of a good use for them yet.  ;)

Steve

stephenw10
Re: Watchguard XTM 5 Series
« Reply #32 on: May 19, 2013, 06:41:44 am »
Investigating the XTM8 box caused me to re-investigate the various bios editing tools available and I have now found that newer versions of amibcp are able to correctly edit the SuperIO tables without corrupting the bios in the process. So now we can have the bios correctly configure the SIO chip for gpio use and set the arm/disarm LED to red at boot, which seems like the way it should have been all along.

Flashing the bios is always a risk and I have bricked my own box doing it many times! However it was always due to a corrupt bios file rather than the flashing process itself and it is possible to recover from a bad flash (see earlier posts here). So the modified bios file is here. Flash at your own risk!

Modifications are:
Bios setup menus are unlocked and some additional menus are unhidden.
LCD now reports 'pfSense V1.8' at boot time.
Speedstep is unlocked and enabled if you have a compatible CPU.
Arm/Disarm LED is now red from boot.

Probably the safest way to get this file, least chance of corruption, is to fetch it straight to the box.
Code:
[2.1-BETA1][root@pfsense.localdomain]/tmp(10): fetch https://sites.google.com/site/pfsensefirebox/home/xtm5_83.rom
xtm5_83.rom                                   100% of 1024 kB 1957 kBps

You can then also check its MD5 sum is correct:
Code:
[2.1-BETA1][root@pfsense.localdomain]/tmp(11): md5 xtm5_83.rom
MD5 (xtm5_83.rom) = e75bc93ca2db547a3facb8d611f0d441

Then write it with flashrom from there:
Code:
[2.1-BETA1][root@pfsense.localdomain]/tmp(13): flashrom -w xtm5_83.rom
flashrom v0.9.5.2-r1515 on FreeBSD 8.3-RELEASE-p8 (i386), built with libpci 3.1.9, GCC 4.2.1 20070719  [FreeBSD], little endian
flashrom is free software, get the source code at http://www.flashrom.org

Calibrating delay loop... OK.
Found chipset "Intel ICH7/ICH7R". Enabling flash write... OK.
Found ST flash chip "M25P80" (1024 kB, SPI) at physical address 0xfff00000.
Flash image seems to be a legacy BIOS. Disabling coreboot-related checks.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.

It may be necessary to reset the CMOS with the on board jumper to get access to the bios menus. My box has been unlocked for so long I can't remember if I had to and I have no easy way to test.  ::)

Steve



« Last Edit: May 19, 2013, 07:17:50 am by stephenw10 »
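The fetch, check and write steps from the post above, combined into one script that refuses to write unless the image matches. This is an added example, not part of the original post; the function names (file_md5, verify_image, safe_flash) and the backup file name are made up for illustration, and the 1048576-byte size is the 1024 kB chip size flashrom reports.

```shell
#!/bin/sh
# Added example: gate a BIOS flash on size and checksum checks.

# Print the MD5 hex digest of a file (FreeBSD md5, or md5sum elsewhere).
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file exists and has the expected size and MD5.
# MD5 catches a corrupt download; it does not prove who built the image.
verify_image() {
    img=$1 want_md5=$2 want_bytes=$3
    [ -f "$img" ] || { echo "missing: $img" >&2; return 2; }
    have_bytes=$(wc -c < "$img" | tr -d ' ')
    [ "$have_bytes" -eq "$want_bytes" ] || {
        echo "size $have_bytes, expected $want_bytes" >&2; return 3; }
    have_md5=$(file_md5 "$img" | tr 'A-F' 'a-f')
    [ "$have_md5" = "$want_md5" ] || {
        echo "md5 mismatch: got $have_md5" >&2; return 4; }
    return 0
}

# Verify the image, save the current chip contents, then write.
safe_flash() {
    img=$1 want_md5=$2 want_bytes=$3 backup=${4:-bios_backup.rom}
    verify_image "$img" "$want_md5" "$want_bytes" || return $?
    flashrom -r "$backup" || return 5   # read existing BIOS to a file first
    [ -s "$backup" ] || return 6        # refuse to continue on an empty backup
    flashrom -w "$img"                  # flashrom verifies after writing
}

# Values from the post: the 1024 kB image and its published MD5.
# safe_flash xtm5_83.rom e75bc93ca2db547a3facb8d611f0d441 1048576
```

Copy the backup file off the box before writing, since it is what you would need for a recovery flash.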

menacingm
Re: Watchguard XTM 5 Series
« Reply #33 on: July 13, 2013, 07:40:27 am »
Bravo as always Stephen. I will definitely take a look at this when I get ready to swap out the processor as speedstep is a much needed feature. Till then I'll stick with your new release of WGXepc.

Any subtle differences in the hardware between the XTM5 and XTM8? My understanding is that the hardware was the same and the different versions referenced unlocked features by license for the Watchguard software. Curious.

Thanks!


stephenw10
Re: Watchguard XTM 5 Series
« Reply #34 on: July 13, 2013, 11:30:19 am »
The XTM5 and XTM8 are very different. Different box, different motherboard.

To get Speedstep sort-of working I had to use a modified DSDT file. However even when I had it seemingly functioning I could see any effects on either power consumption or heat. I put it down to the board/CPU supporting higher C states which reduce power anyway.

Steve

iolaus
Re: Watchguard XTM 5 Series
« Reply #35 on: September 05, 2013, 03:16:10 pm »
Just ordered an XTM 505 off ebay and I'm excited to try out pfSense on it.  Has anyone successfully booted from or attached a USB drive or HDD yet?  Also, has anyone tried stephenw10's firmware update?

Thanks!


stephenw10
Re: Watchguard XTM 5 Series
« Reply #36 on: September 05, 2013, 03:41:42 pm »
Hmm, interesting, it looks like I never tried it after unlocking the BIOS. It's definitely not possible to boot from USB without altering some bios settings and to do that you need to flash the unlocked version. That obviously carries some risk but I'm quite confident that image I linked to is not corrupt. I uploaded it, downloaded it again and re-flashed it to my box without issue. Just make sure the MD5 sum is correct.

Steve

Eams
Re: Watchguard XTM 5 Series
« Reply #37 on: September 06, 2013, 04:41:48 pm »
From my experience with the XTM8 (810), you can't boot anything from the usb ports - I tried!

I imagine the XTM505 will be the same - bios locked down and restricted as to what can be used - ie mouse and keyboard is pretty much as far as the bios will get you - until you unlock it.

My XTM8 is currently out of action - deffo be careful flashing the bios ;)

Eamon

menacingm
Re: Watchguard XTM 5 Series
« Reply #38 on: September 10, 2013, 08:42:24 am »
StephenW10,

A little late of a response but yea duh about the hardware differences... I was thinking XTM5 series: 515, 505 etc which are all the same hardware. I can't keep up with all the Watchguard models you are working on.  :P

Also, after trying LCDProc-Dev (latest package) it seems the key mapping was not integrated into the latest dev package as my key mappings are still off. I'll post in the appropriate thread about this as well but wanted to reference it here, this being the official thread for XTM5 devices. Also, Stephen, could you enlighten me on the shellcmd you use to start/restart the LCDProc service? Thanks.

LCDProc-Dev Thread: http://forum.pfsense.org/index.php/topic,44034.msg349010.html#msg349010

iolaus,
With all due respect to StephenW10 and thanks for his hard work, there isn't much to gain from unlocking the bios.

I would echo Eams' warning in that you do not want to flash your bios unless you know 100% that you will benefit from the features. If you want to tinker, I would suggest only doing so if you are not really relying on the hardware and can afford to brick it. You will need to have a level of comfort/experience with modifying hardware/bios as you may need to create a serial jumper soldered to the board to unbrick it or reflash the serial flash device (at least this was my understanding from reading through StephenW10's posts. Please correct me if I'm wrong).

iolaus
Re: Watchguard XTM 5 Series
« Reply #39 on: September 10, 2013, 09:49:12 am »
I will be using my XTM505 in my local network so I'll definitely have to be careful not to brick it.  I had hoped to try out Snort but I'm wondering if I have to worry about the finite write capabilities of the CF card.  If so, is it possible to install additional storage (SSD or larger USB Flash), perhaps as secondary storage, without unlocking the BIOS?

menacingm
Re: Watchguard XTM 5 Series
« Reply #40 on: September 10, 2013, 10:06:16 am »
I had the same issue and question but the answer for me was much simpler/easier than having to install secondary storage. Instead I used the SHELLCMD package to mount an NFS Share at post boot and then setup logs to write to the share. A much more elegant solution, especially if you hope to use any other software (Splunk etc) to parse your log files.

Hope that helps.

stephenw10
Re: Watchguard XTM 5 Series
« Reply #41 on: September 10, 2013, 12:57:04 pm »
I have to agree, general policy for flashing your bios should always be don't do it unless it offers something you need. That might go double for some hacked bios you downloaded from a forum!  ;)
That said I have flashed it many times successfully, I'd have no hesitation flashing a new box if I found one for the right price. The problems Eamon had with the XTM8 were mostly due to a bios chip that wasn't correctly handled by flashrom. It was doubly unfortunate because it reported no errors and seemed to be functioning correctly.

The XTM5 has provision for an internal HD by way of a power connector on the PSU and sata connectors on the board. I can't remember if the standard bios has HD auto detection enabled.   :-\

Steve

angelkiller
Re: Watchguard XTM 5 Series
« Reply #42 on: September 14, 2013, 05:12:59 am »
Hi, I can confirm that the bios from stephenw10 (xtm5_83.rom) works like a charm on my XTM 510. If I remember correctly, I booted pfsense on it and downloaded the bios directly to the XTM510 in a shell.
After flashing I was surprised that the bios was still locked, but I read that the cmos has to be reset. I removed the power cord and the battery, drank a coffee, and everything was fine with the unlocked bios.

Thanks to stephenw10!

Now I'll try my luck with an XTM810 to boot a system other than Watchguard's XTM OS.

iolaus
Re: Watchguard XTM 5 Series
« Reply #43 on: September 15, 2013, 06:29:48 pm »
Some updates:

I've got my XTM 505 up and running.  I replaced the CPU with a Core2Duo E4500, replaced the RAM with a couple 1GB sticks I had lying around, and installed a 2.5" HD which I also had lying around.

I mounted the HD to a modified Intel 2.5" to 3.5" converter cage.  The cage is mounted to the XTM 505 right behind the LCD on risers.

The XTM successfully finds the SATA HD without any BIOS modification and I have SHELLCMD mounting it at boot time.

Pictures:

« Last Edit: September 15, 2013, 06:33:52 pm by iolaus »

stephenw10
Re: Watchguard XTM 5 Series
« Reply #44 on: September 15, 2013, 06:41:16 pm »
Nice!  :)
I would recommend removing the VPN accelerator card. It's just using power and isn't doing anything useful, unfortunately.

Steve