pFsense on old sonicwalls?


Zachariah Mully

Mar 20, 2015, 3:34:23 PM
to HacDC blabber list

$work is getting ready to toss a bunch of old Sonicwalls. I popped the cover off one and it's got a bog standard Celeron 2GHz CPU, 256MB ram, and 4-6 nice Intel NICs. I imagine they'd run pFSense beautifully, anyone actually done it though? Wondering if they threw some proprietary crap in...

Z

Gary Sparkes

Mar 21, 2015, 12:22:58 PM
to Bla...@hacdc.org
jeeze. that seems... big for a SonicWALL. I've only seen MIPS based ones. if you can see boot over the serial console you *might* have a chance.

On Fri, Mar 20, 2015 at 3:34 PM, Zachariah Mully <mack...@gmail.com> wrote:

$work is getting ready to toss a bunch of old Sonicwalls. I popped the cover off one and it's got a bog standard Celeron 2GHz CPU, 256MB ram, and 4-6 nice Intel NICs. I imagine they'd run pFSense beautifully, anyone actually done it though? Wondering if they threw some proprietary crap in...

Z

--
--
Like what we do? Support HacDC by becoming a member. Learn more here: http://hacdc.org/membership/
--
You received this message because you are subscribed to the HacDC "Blabber" group.
To post to this group, send email to Bla...@hacdc.org
To unsubscribe from this group, send email to
Blabber+u...@hacdc.org
For more options, visit this group at
http://groups.google.com/a/hacdc.org/group/Blabber

To unsubscribe from this group and stop receiving emails from it, send an email to Blabber+u...@hacdc.org.



--
Gary G. Sparkes Jr.
KB3HAG

shawn wilson

Mar 21, 2015, 9:09:38 PM
to Bla...@hacdc.org

It might also have proprietary hardware you'll need to fish out the driver for.

I'm guessing there's no video head on it? Might look at the board closer and see if the headers were just never put on and what type of serial might be available.

I'm assuming you can't get a shell on this thing? If so, go spelunking. If not, I'd pop out the storage, copy over busybox, ssh, and set a root pass (make sure PAM allows it)... and go spelunking.

Basically, it'd run if BSD has drivers for the hardware.

Zachariah Mully

Mar 21, 2015, 9:34:48 PM
to Bla...@hacdc.org
Yup they have VGA, keyboard and IDE headers, though they're all non-standard connectors so I'd have to figure out the pinout. I can't imagine they've anything super proprietary other than maybe the crypto accelerator, and I don't need that for my home firewall. I am going to order a new CF card to flash pFSense on, and go from there. Probably cut a hole in the case above the CPU heatsink to mount an old PSU fan, so I can toss the half dozen 1U noise makers it's currently got in it.

If I get it to work, I'll see about getting the rest donated to the space.

Z

Fredrik Nyman

Mar 21, 2015, 9:46:58 PM
to Bla...@hacdc.org
Odds seem very high that it is an OEM motherboard. Most likely one made specifically for embedded applications like this with better than consumer grade reliability and long product availability. Unless you have volumes way higher than SonicWall's, it gets prohibitively expensive to develop/manufacture custom x86 boards.

Julia Longtin

Mar 21, 2015, 9:49:13 PM
to Bla...@hacdc.org
pics?

shawn wilson

Mar 21, 2015, 10:21:09 PM
to Bla...@hacdc.org
On Sat, Mar 21, 2015 at 9:49 PM, Julia Longtin <julia....@gmail.com> wrote:
> pics?
... or it didn't happen

>
> On Sun, Mar 22, 2015 at 1:46 AM, Fredrik Nyman <fredri...@gmail.com>
> wrote:
>>
>> Odds seem very high that it is a OEM motherboard. Most likely one made
>> specifically for embedded applications like this with better than consumer
>> grade reliability and long product availability. Unless you have volumes way
>> higher than SonicWall's, it gets prohibitively expensive to
>> develop/manufacture custom x86 boards.
>>

Well, not so much custom fab but "if we get 10k of these boards
without these headers, how much cheaper would it be". I'm sure FoxConn
would do this (they've got their own boards after all so no outside
licensing there).

>>
>> On Saturday, March 21, 2015, Zachariah Mully <mack...@gmail.com> wrote:
>>>
>>> Yup they have VGA, keyboard and IDE headers, though they're all
>>> non-standard connectors so I'd have to figure out the pinout.

Custom pinout for VGA? I doubt it - check for jumpers near it. Also,
I'm sure they passed console=ttyS0 (or whatever the OS equiv is) and
might not even have a video driver loaded. However, POST should show
up.

>>> If I get it to work, I'll see about getting the rest donated to the
>>> space.
>>>

I think the minimum for HacDC taking it is 2GHz DC, but...

Zachariah Mully

Mar 30, 2015, 9:53:27 AM
to Bla...@hacdc.org
Finally got a CF card for pfSense this weekend.

Unfortunately, it looks like Sonicwall (at least this 2003-2004 vintage) used a custom BIOS that looks for a signed boot image. Oh well. Apparently Watchguard does not do this, and they appear to be a fairly popular option for pfSense hardware.

Z

Fredrik Nyman

Mar 30, 2015, 10:13:56 AM
to HacDC Public Discussion
What model are they? If the servers are badge-engineered Dells, for
example, it might be possible to flash a new Dell BIOS.

Zachariah Mully

Mar 30, 2015, 11:11:08 AM
to Bla...@hacdc.org
I believe these are pre-Dell.

Alex Smith (K4RNT)

Mar 30, 2015, 11:13:47 AM
to Bla...@hacdc.org
I thought everyone here was brainwashed into thinking that it's not worth running if it isn't Linux. You know that pfSense is FreeBSD, right?

Just kidding. I'm surprised to hear something like this from this group. ;)

" 'With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and warning... The first time any man's freedom is trodden on, we’re all damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG episode "The Drumhead"
- Alex Smith
- Huntsville, Alabama metropolitan area USA

Gary Sparkes

Mar 30, 2015, 12:09:25 PM
to Bla...@hacdc.org
Not like I don't use pfSense and advocate VyOS if you absolutely must whitebox it ......

'cept I don't mind not having a web interface. Or a cisco-like configuration and management CLI.

Julia Longtin

Mar 30, 2015, 1:47:21 PM
to Bla...@hacdc.org
again, pics of the boards would be nice. CoreBoot may also be a bios reflash possibility.

Julia Longtin

condew HacDC

Mar 30, 2015, 1:56:03 PM
to Bla...@hacdc.org
Looks like Zach is demonstrating the downside of the "Secure Boot" Microsoft has planned for our future; otherwise usable hardware turned into trash because it requires signed software and a user intending to put it to a new use can't get the key. I'm sure the commercial software makers love this as it eliminates competition from Linux -- no hardware to run on. I'm sure the manufacturers love this, if you want to meet a new need, you've got to buy a new box. The loser? The user.

Gary Sparkes

Mar 30, 2015, 2:22:21 PM
to Bla...@hacdc.org

You mean the future that has been here as an option for hardware for the past 20 some years?

TiVO anyone?

condew HacDC

Mar 30, 2015, 2:35:50 PM
to Bla...@hacdc.org
I mean the option that is to become mandatory and can't be turned off.  So you can brick your PC like you can brick your tablet.  Progress.

Michael Cramer

Mar 30, 2015, 2:37:22 PM
to bla...@hacdc.org
It will be no more or less mandatory than today with the plethora of Android devices that you cannot root. 

Sent from Outlook

Derek LaHousse

Mar 30, 2015, 2:55:52 PM
to HacDC Public Discussion
I for one would welcome the ability to embed signing keys into the
firmware of my devices and sign my kernels. So I look for Secure Boot
enabled hardware with user-modifiable keys.
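Derek's preference, and the signed-image check Zach hit in the SonicWall BIOS earlier in the thread, both come down to the same question: who controls the key database the firmware consults before it will run an image. The following is an added example, not code from the thread, from SonicWall or from any Secure Boot implementation. It models a firmware key database in Python that is either vendor-locked or owner-enrollable, then shows what each policy will and will not boot. The signature scheme is textbook RSA over a SHA-256 digest with small, seeded keys and no padding, an assumption made to keep the example standard-library only; the image bytes, key seeds and all function names are constructed for the example.

```python
"""Toy model of a Secure Boot key database: vendor-locked vs owner-enrollable.
Added example, not code from the thread or any vendor. Textbook RSA over a
SHA-256 digest with small seeded keys and no padding: enough to show who the
firmware trusts, not a production signature scheme. Inputs are constructed.
"""
import hashlib
import random
from math import gcd

def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test; adequate for demonstration keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit set and odd
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(seed, bits=512):
    """Returns (public, private) as ((n, e), (n, d)); seeded so runs are repeatable."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(image):
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def sign_image(image, private):
    n, d = private
    return pow(_digest(image), d, n)

def verify_image(image, sig, public):
    n, e = public
    return pow(sig, e, n) == _digest(image)  # 256-bit digest < 512-bit n, no reduction needed

class BootFirmware:
    """Boots an image only if some key in its database verifies the signature."""
    def __init__(self, db, user_modifiable):
        self.db = list(db)                    # trusted signer public keys (UEFI's "db")
        self.user_modifiable = user_modifiable

    def enroll(self, public):
        if not self.user_modifiable:
            raise PermissionError("key database is vendor-locked")
        self.db.append(public)

    def boot(self, image, sig):
        return any(verify_image(image, sig, k) for k in self.db)

def scenario():
    """Run both firmware policies from the thread and report what each one boots."""
    vendor_pub, vendor_priv = generate_keypair(seed=1)
    owner_pub, owner_priv = generate_keypair(seed=2)
    vendor_img = b"vendor firmware image (constructed)"
    owner_img = b"owner-built replacement image (constructed)"
    owner_sig = sign_image(owner_img, owner_priv)
    out = {}
    # Vendor-locked firmware: only the vendor key is trusted and nothing can be added.
    locked = BootFirmware([vendor_pub], user_modifiable=False)
    out["locked_boots_vendor"] = locked.boot(vendor_img, sign_image(vendor_img, vendor_priv))
    out["locked_boots_owner"] = locked.boot(owner_img, owner_sig)
    try:
        locked.enroll(owner_pub)
        out["locked_accepts_enroll"] = True
    except PermissionError:
        out["locked_accepts_enroll"] = False
    # Owner-modifiable firmware: the owner enrolls a key and signs their own image.
    open_fw = BootFirmware([vendor_pub], user_modifiable=True)
    open_fw.enroll(owner_pub)
    out["open_boots_owner"] = open_fw.boot(owner_img, owner_sig)
    out["open_boots_tampered"] = open_fw.boot(owner_img + b"\x00", owner_sig)
    return out
```

The point the model makes is that the verification step is identical in both cases; the only difference between "bricked hardware" and "hardware I can sign for" is whether enroll() is allowed. A tampered image still fails on the owner-enrollable firmware, which is the property Secure Boot is meant to give and which owner-held keys do not weaken.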

Fredrik Nyman

Mar 30, 2015, 3:06:52 PM
to HacDC Public Discussion
How common is secure boot-enabled hardware with user-modifiable keys?
Do tier-1 OEMs like Dell, HP and Lenovo typically offer it on servers,
desktops and/or laptops?

Michael Cramer

Mar 30, 2015, 3:09:30 PM
to HacDC Public Discussion
It's almost universal on Asus and Acer platforms. And pretty much universal in every motherboard manufacturer you can buy on Newegg. 

Microsoft lets you turn off secure boot on the Surface Pro line of products but has no documented way of changing keys. 

Sent from Outlook

Gary Sparkes

Mar 30, 2015, 5:04:15 PM
to Bla...@hacdc.org
All hardware currently shipping from OEMs that can come with Windows 8 and 8.1 comes with this capability.

So, essentially, all hardware produced today. 

Secure Boot is available on all modern server hardware I have touched in the past few years. 

condew HacDC

Mar 30, 2015, 3:07:39 PM
to Bla...@hacdc.org, bla...@hacdc.org
Speaking of Android devices you cannot root, apparently Google decided to delete all the books and movies I bought from Google Play from my tablet, probably during one of the recent updates to Android. So I'm out camping miles from an internet connection and find that the book I was planning to read before bed, the one I downloaded months ago and had started reading, was unavailable. Just a little tweak to show me who's the boss of my tablet.

Edmund Biro

Sep 30, 2016, 4:23:56 PM
to Blabber
(sorry for resurrecting)... I have a NSA3500, (well, two)... so have some skin in this.

(quick summary)  

Discussion in 'Networking & Security' started by ITBioMed, Mar 22, 2014.
Lately my personal toybox has expanded with a bunch of 5th Gen. SonicWalls that have been discarded because of a Dell upgrade path to 6th Gen. models. These units are partly disabled by Dell: most of the security functions are impaired and the licenses have all been transferred to the newer models.

However, as SonicWall units have some nice hardware features and are pretty good performers I'd like to give them a second life. Maybe I can make them SNORT around my home network and do some IDS/IPS by installing another distro on them. However, there isn't much info on the net about reprogramming a SonicWall - to be accurate there's none.

I want to start with a TZ210 unit because it's not that much of a pity if I brick it permanently while on the other hand it is quite comparable with the NSA series that I also have. So, first some info about the unit:

Cavium MIPS64 500MHz Octeon CPU (Single Core, I believe it's CN5010-500BG564)
256MB RAM
32MB Flash memory
2x Gigabit ethernet (separate NICs)
5x Fast ethernet (separate NICs)
1x Console port (serial)

Abstracting:
Have found a little more info. The SonicWall is running VxWorks (from Wind River), it's packed into an ELF file and its bootloader is U-Boot (which is quite nice!). Being a VxWorks device, the 32-pin header is very very likely a JTAG header and programmed with the Wind River JTAG debugger. First it seems to be loading the SafeBoot firmware and if the diagnostics button isn't pushed it loads the complete/normal SonicWall image. The safeboot firmware probably checks some kind of signature first before loading the full image.

Here's the bootlog:

Code:
U-boot 5.0.2.11 (Production build) (Build time: Oct 17 2008 - 13:26:22)
OCTEON SNWL_CHESTNUT-1 CN5010-SCP pass 1.1, Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM: 256 MB
Flash: 32 MB ( Bank 0: 16 MB Bank 1: 16 MB )
.Uncompressed 0x181d88 bytes
ELF file is 32 bit
Allocating memory for ELF: Base addr, 0x2000000, size: 0xe000000
Loading .text @ 0x82008000 (1389536 bytes)
Loading .data @ 0x8215c000 (178688 bytes)
Loading .cvmx_shared @ 0x82187a00 (416 bytes)
Clearing .bss @ 0x82187c00 (1194416 bytes)
## Loading ELF image with entry point: 0x82008000 …
Bootloader: Done loading app on coremask: 0x1
Loading system information…
Reading system info from flash…
Host Name: bootHost
Target Name: vxTarget
User: target
Attaching interface lo0… done
Loading firmware…
Booting…
ELF file is 32 bit
Re-using existing memory for ELF: Base addr, 0x2000000, size: 0xe000000
Loading .text @ 0x82008000 (21995184 bytes)
Loading .data @ 0x83502000 (2093264 bytes)
Loading .cvmx_shared @ 0x837010d0 (425 bytes)
Clearing .bss @ 0x83701280 (17456848 bytes)
## Loading ELF image with entry point: 0x82008000 …
Bootloader: Done loading app on coremask: 0x1
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Host Name: bootHost
Target Name: vxTarget
User: target
Starting SonicSetup Watchdog
Starting real-time clock
Initializing clock
Tuning clock and timezone
Initializing Memory Zones
Initializing Buffer Zones
Initializing Common Zones
Initializing Semaphores
Initializing System Monitor
Initializing trace call history
Initializing Flash
Adjusting SonicSetup Watchdog if necessary for large prefs
Initialize FDR log
Initializing Ramdisk
Installing date/time hook
Creating File System
filesystem
Initializing CFS
Constructing HTTPS Server dependencies
Setting NTP parameters
Enabling ARP table support
Enabling STATIC NDP table support
Creating interface names and default itids
Initializing core IP packet handler
Initializing memory buffer driver
Initializing Branding
Initializing parameters table
Interfaces Group init-stage 1
Starting Routing engine
Initializing action table search tree
Allocating IPsec SA space
Starting Global Bandwidth Management
Initializing Policy lookup table
Initializing NAT Policy structure
Building DHCP Network Objects
Starting network monitor module
Starting the NAT module
Starting common gateway interface handler
Starting the system timer
Initializing IPNET Glue
Initializing core IPv6 stack
Starting random number generator
Initalizing IPsec handle
Allocating DHCP server lease ranges
Initializing Memory for Application Firewall Config Objects
Building IPS Config Objects
Building AppControl Config Objects
Building AntiSpyware Config Objects
Initializing multiple interfaces handler
Initializing MAC-IP Anti-Spoofing
Initializing flow reporting
Initializing Ip Helper
Starting capture Buffer
Initializing interface packet queue scheme
Initializing QoS Mapping module
Initializing Bandwidth Management Engine
Starting dynamic routing
Initializing Support Services
Initializing backend dynamic update support
Initializing users
Pre-Initializing LDAP client
Pre-initializing Terminal Services support for SSO
1st zebos init
Set default packet capture settings
Initializing Memory for CFS
Initializing WMM
Initializing IPv6 config
Starting firewall logger
********************************************************************************
Validating FLASH parameters

********************************************************************************
Initializing preference export memory buffer devices
Starting appflow report
Starting capture Buffer during startup
Starting IPH compatibility flags
Initializing proper connection count
Adjust memory partitions
Starting synflood protection
Starting Generic Flood Protection
Complete Network Object initialization
Generate Default Bandwidth Object
Setting Time Zone and updating Daylight savings time
Initializing ARP table
Reading Network Interface configurations
Updating global BWM data
Listen to BSP Interface State events
Reading ifConfigs
Initialize ACTIVE WAN
Starting Stateful Packet Inspection engine
Determining High Availability state
Initializing Ethernet links
Initializing Switch Ports
Generating system ARP
Generating dynamic Address Objects
2nd zebos init
Build routing table
Initializing IP Helper
Starting capture Buffer during startup
Initializing SQLite
Starting SwFlow during startup
Starting GeoIP
Initial GUI Interface Statistics Counters
Initializing DNS Rebind Detection
Building NAT tables
Generating gratuitous ARP for NAT
Generating gratuitous ARP for Transparent Mode IPs
Starting registration services
Starting DNS client
Starting DNS client
Initializing syslog client
Starting DNS request task
Starting DAO manager
Log initializations dependent on preferences
Starting RBL driver
Starting licensing services
Initializing connection cache
Activating Ethernet hooks
Initializing HTTP Server
Starting user authentication routines
Starting Zone Policy manager
Initializing Viewpoint reporting
Starting DHCP client
Initializing PPP timers
Initializing L2TP client system
Initializing L2TP Server
Initializing PPTP system
Initializing Acceptable Use Policies
Starting NTP client
Starting IP fragmentation/reassembly handlers
Starting IPsec engine
Initializing HTTPS Server
Initializing web proxy support
Initializing diagnostic admin tools
Reading Qos Conversion Configuration
Starting Endpoint Anomoly detection and Reporting (EAR)
Starting H323 handlers
Starting SIP handlers
Initializing RADIUS client
Initializing LDAP client
Initializing SSO Authentication
Initializing Terminal Services support for SSO
Initializing PPPoE support
Preparing auto-configurator
Starting DHCP server
Initializing DHCP relay over VPN
Starting IGMP Mcast
Initializing Deep Packet Inspection framework
Initializing Content Filtering Services
Initializing Distributed Enforcement Architecture
Building CFS rating database
Set CFS version
Starting Auto-Update timers
SNMP Initialization
Verifying management policy rules
Initializing High Availability routines
Initializing SSL Control Service
Starting Auto-Update timers
Complete One Touch Overrides
Starting hardware watchdog
Firmware Version: SonicOS Enhanced 5.9.0.3-117o
Directory: /depot-14739-51/Octeon/5.9.0/m2/target/oct_mips64/sw_octeon210-sc-base
Initializing FIPS mode
Starting FIPS 186-2 random number generator
Running FIPS mode self-tests
DRNG test passed
RSA test passed
RSA KAT test passed
DSA test passed
DES and 3DES test passed
AES test passed
SHA-1 test passed
HMAC-SHA-1 test passed
DH group 2 test passed
DH group 5 test passed
All cryptographic self-tests succeeded
Initializing NDPP mode
WAN Load Balancing module started
Update Interfaces Groups from prefs
Initializing for TSR generation
Initializing SDP and SSPP (discovery and provision protocol)
Initializing Wireless Zone Module
Initializing Guest Services
Starting Bandwidth Optimization engine
Initializing Flash Dynamic Update
Verifying transaction groups
03/25 11:38:54.064: NOTICE: flashStartup:2108: Transaction Groups are not in sync!
Protecting prefs
Initializing SSLVPN Server
Start processing Interface State Changes
Initializing Reboot Notifier
Check for Diag Restart Requests
Check for Periodic Gratuitous ARP Requests
Checking for Enhanced Upgrade
Initializing ARS
Initializing VPN route monitor
Initializing SSH Service
Initializing CLI interface
Log Firewall activated
Remote Backup Initialization
If configured, send SNMP Cold Start Trap
Starting Hot Swap Controllers
If configured, send IPsec Trap for Manual SAs
Start Ipv6 engine
Starting Anti-Spam Service
Starting Subsystem Detection
Starting License Manager Client
Initializing IPv6 Interface
Initializing PPPHDLC support
Initializing network proxy servers
Added 1539 oui to vendor mappings
Initializing DHCPv6 server
Initializing Router Advertisement Daemon
Initializing DHCPv6 Client
Initializing Multicast Proxy
Upgrade traditional BWM preference
Add an entry to the firmware history

Product Model: TZ 210
Product Code: 6831
Firmware Version: SonicOS Enhanced 5.9.0.3-117o
Serial Number: xxxxxxxxx
X0 IP Addresses: 192.168.25.1

*** Startup time: 03/25/2014 11:39:04.784 ***

Copyright (c) 2012 Dell | SonicWALL, Inc.

User:
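The bootlog Edmund quotes records the two-stage chain ITBioMed describes: U-Boot loads a small ELF (SafeBoot), which then loads the much larger SonicOS ELF into the same reserved region and at the same entry point. As an added example (not code from the thread, from the quoted forum post, or from SonicWall), here is a Python parser that reconstructs that chain from a serial console capture, checks that each ELF's segments land inside the region the loader reserved (MIPS KSEG0 virtual addresses are translated by subtracting 0x80000000), and pulls out timestamped NOTICE/WARNING/ERROR events such as the "Transaction Groups are not in sync!" line. The function and class names are mine; SAMPLE_LOG is a trimmed copy of the log quoted above, kept with the mis-encoded 0× prefixes the paste contains so that the repair step is exercised.

```python
"""Reconstruct the boot chain recorded in a U-Boot / VxWorks serial log.
Added example, not code from the thread, the quoted post, or SonicWall.
SAMPLE_LOG is a trimmed copy of the log quoted in the thread (constructed
excerpt); the byte counts and addresses are the ones that appear there.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KSEG0 = 0x80000000  # MIPS cached unmapped kernel segment: vaddr = paddr + KSEG0

ALLOC_RE = re.compile(r"^(?:Allocating|Re-using existing) memory for ELF: "
                      r"Base addr, 0x([0-9a-f]+), size: 0x([0-9a-f]+)", re.I)
SEGMENT_RE = re.compile(r"^(?:Loading|Clearing) (\.\w+) @ 0x([0-9a-f]+) \((\d+) bytes\)", re.I)
ENTRY_RE = re.compile(r"^## Loading ELF image with entry point: 0x([0-9a-f]+)", re.I)
EVENT_RE = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d\.\d+: (NOTICE|WARNING|ERROR): (.*)$")

@dataclass
class ElfStage:
    base: int                                   # physical base the loader reserved
    size: int
    segments: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # name -> (vaddr, bytes)
    entry: Optional[int] = None

    def text_bytes(self) -> int:
        return self.segments.get(".text", (0, 0))[1]

    def fits_allocation(self) -> bool:
        """Every segment, translated to a physical address, lies inside the reserved region."""
        for vaddr, length in self.segments.values():
            paddr = vaddr - KSEG0 if vaddr >= KSEG0 else vaddr
            if paddr < self.base or paddr + length > self.base + self.size:
                return False
        return True

def parse_bootlog(text: str) -> Tuple[List[ElfStage], List[Tuple[str, str]]]:
    stages: List[ElfStage] = []
    events: List[Tuple[str, str]] = []
    cur: Optional[ElfStage] = None
    for raw in text.splitlines():
        line = raw.strip().replace("0×", "0x")  # repair the mis-encoded hex prefix in pasted logs
        if m := ALLOC_RE.match(line):
            cur = ElfStage(base=int(m[1], 16), size=int(m[2], 16))
            stages.append(cur)
        elif (m := SEGMENT_RE.match(line)) and cur is not None:
            cur.segments[m[1]] = (int(m[2], 16), int(m[3]))
        elif (m := ENTRY_RE.match(line)) and cur is not None:
            cur.entry = int(m[1], 16)
        elif m := EVENT_RE.match(line):
            events.append((m[1], m[2]))
    return stages, events

def summarize(text: str) -> dict:
    stages, events = parse_bootlog(text)
    entries = {s.entry for s in stages}
    return {
        "stages": len(stages),
        "text_sizes": [s.text_bytes() for s in stages],
        "fits": [s.fits_allocation() for s in stages],
        # a small first ELF handing off to a much larger one at the same entry point
        # is the SafeBoot -> full image chain described in the quoted post
        "two_stage_chain": len(stages) == 2 and len(entries) == 1
                           and stages[0].text_bytes() < stages[1].text_bytes(),
        "events": events,
    }

SAMPLE_LOG = """\
U-boot 5.0.2.11 (Production build) (Build time: Oct 17 2008 - 13:26:22)
DRAM: 256 MB
ELF file is 32 bit
Allocating memory for ELF: Base addr, 0×2000000, size: 0xe000000
Loading .text @ 0×82008000 (1389536 bytes)
Loading .data @ 0x8215c000 (178688 bytes)
Loading .cvmx_shared @ 0x82187a00 (416 bytes)
Clearing .bss @ 0x82187c00 (1194416 bytes)
## Loading ELF image with entry point: 0×82008000 ...
Bootloader: Done loading app on coremask: 0×1
Loading firmware...
Booting...
ELF file is 32 bit
Re-using existing memory for ELF: Base addr, 0×2000000, size: 0xe000000
Loading .text @ 0×82008000 (21995184 bytes)
Loading .data @ 0×83502000 (2093264 bytes)
Loading .cvmx_shared @ 0x837010d0 (425 bytes)
Clearing .bss @ 0×83701280 (17456848 bytes)
## Loading ELF image with entry point: 0×82008000 ...
Bootloader: Done loading app on coremask: 0×1
03/25 11:38:54.064: NOTICE: flashStartup:2108: Transaction Groups are not in sync!
"""
```

summarize(SAMPLE_LOG) reports two stages whose .text sizes differ by more than an order of magnitude, both fitting the single 0xe000000-byte region reserved at 0x2000000, one shared entry point, and the single NOTICE event; that is the shape of a chained loader, which is where a signature check on the second image would sit if the SafeBoot stage performs one.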