Watchguard XTM 2 Series (20, 21, 23 they seem to be same)

biktor
DD-WRT Novice


Joined: 12 May 2014
Posts: 2

Posted: Mon May 12, 2014 19:20
Second post on the forum, so hello everyone :)

Quick question, is anyone working with these things?
I've been playing with one today, and I thought I'd share my few findings with you in case someone wants to play...

XTM 2 Series use an Intel XScale CPU at 666 MHz, with 256Mb of RAM and 256 MiB of flash (Samsung)
They have a little serial port inside which can be accessed by opening the case.
I used a Bus Pirate to connect to it:

____ ethernet ports_____

X GND --> CPU WITH HEATSINK
X RX --> CPU WITH HEATSINK
X TX --> CPU WITH HEATSINK
X --> CPU WITH HEATSINK
_______front leds______
(my ASCII art skills are really lacking...)

Serial port is TTL, 115200 8N1

ARM Bootloader is RedBoot (it calls it Watchguard RedBoot).
If you let it boot it will give you three options:
SysA
SysB
Safe Mode
BUT, if you press CTRL+C on the console while powering it up it will ask you for a password. That password is the same as the Edge models (thanks for the password guys!):
F5BA25AB44724fb5A6DD37554809CE34

Code:

Password> F5BA25AB44724fb5A6DD37554809CE34

Trying NPE-C...success. Using NPE-C with PHY 16.

Trying NPE-A...success. Using NPE-A with PHY 5.
Ethernet wan: MAC address 00:**:**:**:**:**

RedBoot> version

RedBoot(tm) bootstrap and debug environment with USB-serial [ROMRAM]
Red Hat certified release, version 2.04 - built 10:36:53, Mar 16 2010

Platform: KIXRP435 Development Platform (IXP43X) BE
Copyright (C) 2000, 2001, 2002, 2003, 2004, 2007 Free Software Foundation, Inc.

RAM: 0x00000000-0x10000000, [0x001cff50-0x0ffd1000] available
FLASH: 0x50000000 - 0x50100000, 16 blocks of 0x00010000 bytes each.

Flash:
Code:

RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0x500f0000-0x50100000: .
... Program from 0x0ffe0000-0x0fff0000 at 0x500f0000: .
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0x50000000  0x50000000  0x00080000  0x00000000
FIS directory     0x500F0000  0x500F0000  0x0000F000  0x00000000
RedBoot config    0x500FF000  0x500FF000  0x00001000  0x00000000

Linux boot log:
Code:


Uncompressing Linux...................................................................................................... done, booting the kernel.
Linux version 2.6.21.7 (release@cm17se) (gcc version 4.1.1) #1 Wed Jul 20 13:00:50 PDT 2011
CPU: XScale-IXP43x Family [69054041] revision 1 (ARMv5TE), cr=000039ff
Machine: WatchGuard Edge2 Platform (Richland)
Memory policy: ECC disabled, Data cache writeback
CPU0: D VIVT undefined 5 cache
CPU0: I cache: 32768 bytes, associativity 32, 32 byte lines, 32 sets
CPU0: D cache: 32768 bytes, associativity 32, 32 byte lines, 32 sets
Built 1 zonelists.  Total pages: 65024
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock7
PID hash table entries: 1024 (order: 10, 4096 bytes)
Console: colour dummy device 80x30
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 256MB = 256MB total
Memory: 256420KB available (2936K code, 273K data, 104K init)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
IXP4xx: Using 16MiB expansion bus window size
I am a ixp43xx CPU
I am a ixp43xx CPU
PCI: IXP4xx is host
PCI: IXP4xx Using direct access for memory space
PCI: bus0: Fast back to back transfers enabled
Generic PHY: Registered new driver
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
Time: OSTS clocksource has been installed.
IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
TCP reno registered
NetWinder Floating Point Emulator V0.97 (extended precision)
JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
Loaded PCF8594C2 I2C EEPROM NVRAM driver
Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO map 0xc8000000 mem 0xffbeb003 (irq = 15) is a XScale
serial8250.0: ttyS1 at I/O 0x0 (irq = -939520001) is a 16550A
RAMDISK driver initialized: 16 RAM disks of 30000K size 1024 blocksize
loop: loaded (max 8 devices)
nbd: registered device at major 43
IXP4XX-Flash.0: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
IXP4XX-Flash.0: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
RedBoot partition parsing not available
cmdlinepart partition parsing not available
IXP425 Flash: Using static MTD partitions.
Creating 6 MTD partitions on "IXP4XX-Flash.0":
0x00000000-0x00080000 : "Redboot"
0x00080000-0x000a0000 : "cfg0"
0x000a0000-0x000b0000 : "cfg1"
0x000b0000-0x000c0000 : "mfg"
0x000c0000-0x000d0000 : "bootOpt"
0x000e0000-0x00100000 : "RedbootConfig"
WatchGuard Edge NAND driver V.1.0 (Jul 20 2011)
NAND device: Manufacturer ID: 0xec, Chip ID: 0xda (Samsung NAND 256MiB 3,3V 8-bit)
Scanning device for bad blocks
Scan Chip -1 NAND 256MiB 3,3V 8-bit From 0(0x0) To 2048(0x800) For bad blocks sized 0x20000
Bad eraseblock 808 (0x328) at 0x06500000
Creating 5 MTD partitions on "NAND 256MiB 3,3V 8-bit":
0x00000000-0x00400000 : "SysA Kernel"
0x00400000-0x08000000 : "SysA Code"
0x08000000-0x0e400000 : "SysA Data"
0x0e400000-0x0e800000 : "SysB Kernel"
0x0e800000-0x10000000 : "SysB Code"
usbmon: debugfs is not available
ixp4xx-ehci ixp4xx-ehci.0: IXP4XX EHCI Host Controller
ixp4xx-ehci ixp4xx-ehci.0: new USB bus registered, assigned bus number 1
ixp4xx-ehci ixp4xx-ehci.0: irq 32, io mem 0xcd000000
ixp4xx-ehci ixp4xx-ehci.0: USB 0.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ixp4xx-ehci ixp4xx-ehci.1: IXP4XX EHCI Host Controller
ixp4xx-ehci ixp4xx-ehci.1: new USB bus registered, assigned bus number 2
ixp4xx-ehci ixp4xx-ehci.1: irq 33, io mem 0xce000000
ixp4xx-ehci ixp4xx-ehci.1: USB 0.0 started, EHCI 1.00
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
/builds/utm-11_4_1_csp/src/322805/linux/drivers/usb/serial/usb-serial.c: USB Serial Driver core
/builds/utm-11_4_1_csp/src/322805/linux/drivers/usb/serial/usb-serial.c: USB Serial support registered for pl2303
usbcore: registered new interface driver pl2303
/builds/utm-11_4_1_csp/src/322805/linux/drivers/usb/serial/pl2303.c: Prolific PL2303 USB to serial adaptor driver
mice: PS/2 mouse device common for all mice
i2c /dev entries driver
rtc-s35390a 0-0030: S35390A found
rtc-s35390a 0-0030: rtc core: registered rtc-s35390a as rtc0
TCP cubic registered

xfrm_shim_init: Built Jul 20 2011 13:00:49 CPUs 1

Initializing WG IPsec Cluster Handler
Initializing WG IPsec Cluster Topology Structure
NET: Registered protocol family 1
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
Mobile IPv6
NET: Registered protocol family 17
XScale DSP coprocessor detected.
VFS: Mounted root (jffs2 filesystem).
Freeing init memory: 104K
rtl8366s version 0.1 (Jul 20 2011)
rtl8366s h/w revision=6027
RTL8366 force link success!
RTL8366 TMIIOneArm disable!
RTL8366 TMIIOneArm success!
ixp400: module license 'unspecified' taints kernel.
richland: Starting Richland Board Driver V2.6 Built Jul 20 2011 13:02:07
ixp400_eth: Starting IXP400 NPE Ethernet Driver V1.6 Built Jul 20 2011 13:01:27
ixp400_eth: CPU clock speed (approx) = 665 MHz
ixp400_eth: Init Chip realtek_split 3f7
rtl8366s h/w revision=6027
RTL8366 force link success!
RTL8366 TMIIOneArm disable!
RTL8366 TMIIOneArm success!
ixp400_eth: Set Jumbo
ixp400_eth: Set CPU Port
ixp400_eth: ACL split
ixp400_eth: Split up Realtek device
ixp400_eth: Starting Queue Manager...
ixp400_eth: ixCryptoAccInit() completed without error
ixp400_eth: Setting PHY 16 Speed 100 Duplex FULL Autonegotiation ON
ixp400_eth: Setting PHY 17 Speed 100 Duplex FULL Autonegotiation ON
ixp400_eth: Setting PHY 18 Speed 100 Duplex FULL Autonegotiation ON
ixp400_eth: Setting PHY 32 Speed 100 Duplex FULL Autonegotiation ON
ixp400_eth: Setting PHY 33 Speed 100 Duplex FULL Autonegotiation ON
ixp400_eth: Setting PHY 34 Speed 100 Duplex FULL Autonegotiation ON
ixp400_eth: eth0 is using NPE C PHY 16
ixp400_eth: eth1 is using NPE C PHY 17
ixp400_eth: eth2 is using NPE C PHY 18
ixp400_eth: eth3 is using NPE A PHY 32
ixp400_eth: eth4 is using NPE A PHY 33
ixp400_eth: eth5 is using NPE A PHY 34
ixp400_eth: Register tx_done_disable_cb(1)
ixp400_eth: eth3 Realtek Tag 9001
ixp400_eth: Register tx_done_disable_cb(2)
ixp400_eth: eth4 Realtek Tag 9002
ixp400_eth: eth5 Realtek Tag 9004
ixCryptoAccInit failed, assuming already initialised!
disabling IPv6 autoconf
disabling IPv6 autoconf
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
PPP Deflate Compression module registered
NET: Registered protocol family 24
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
The version in configuration is not 11.4.1, conversion logic will run.
Start to convert: IPS
The task of IPS is no need to convert.
Finished to convert: IPS
Start to convert: Static-NAT
The task of Static-NAT is no need to convert.
Finished to convert: Static-NAT
Start to convert: app-action
The task of app-action is no need to convert.
Finished to convert: app-action
Start to convert: Active-Directoy
Finished to convert: Active-Directoy
Start to convert: service-idle-timeout
Finished to convert: service-idle-timeout
Start to convert: dns-forword
Finished to convert: dns-forword
Start to convert: service
Finished to convert: service
Run-time assertion '0 != pctxt->pXMLInfo' failed.  Line 52, File ../../rtxmlsrc/rtXmlpCreateReader.c
wg_notifier: Loaded
Netfilter messages via NETLINK v0.30.
ip_tables: (C) 2000-2006 Netfilter Core Team
ip_conntrack version 2.4 (2048 buckets, 16384 max) - 308 bytes per conntrack
ip6_tables: (C) 2000-2006 Netfilter Core Team
ip_conntrack_ftp: Maximum expected value 1
ip_conntrack_pptp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
ctnetlink v0.90: registering with nfnetlink.
arp_tables: (C) 2002 David S. Miller
u32 classifier
    Performance counters on
    input device check on
    Actions configured
Bridge firewalling registered
Ebtables v2.0 registered
GRE over IPv4 tunneling driver
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
JFFS2 notice: (879) check_node_data: wrong data CRC in data node at 0x063b8000: read 0x72b9975d, calculated 0xb257fd56.
ipt_addrpairs v0.1.0: Loaded
xt_ifset: Loaded with set limit 5000 and entry limit 5000
xt_classify : Loaded
xt_master: Loaded
xt_MASTER: Loaded
xt_alias: Loaded
Schedule: Loaded
xt_POLICY: Loaded
xt_policy : Loaded
xt_EXPIRES: Loaded
xt_IPPRECEDENCE: Loaded
xt_PKTCACHE: Loaded
xt_session : Loaded limit 1000 hash 1024 WG IPC ID 92274688 (0x05800000)
xt_CONNCLASSIFY: Loaded
xt_connclassify : Loaded
xt_ipspoof : Loaded
xt_LBDNAT: Loaded
xt_MWAN: Loaded
xt_psd: Loaded
xt_ipsd: Loaded
xt_ddos: Loaded
xt_dos: Loaded
xt_wgaccount: Loaded
xt_WGTEE: Loaded
xt_block : Loaded limit 1000 hash 1024 WG IPC ID 155189248
xt_localroute: Loaded
xt_duplicate: Loaded
WG workqueue: Loaded
bw driver: Loaded
Linking 2.4.so to sandbox
Setting IPv4 route garbage collection timeout to 2 minutes
JFFS2 notice: (1063) check_node_data: wrong data CRC in data node at 0x05c50800: read 0xef353f1d, calculated 0xa96a498b.
(MAC ADDRESSES REMOVED)


Hope it's of some use!

EDIT:
Kernel load address:
load_addr:0x00800000, load_end:0x00b00000, entry:0x00800000, current: 300000

Anyone know how to force the thing to drop me to some shell?
Admin user is supposed to drop to an ASH shell but that seems to be replaced with Watchguard's proprietary stuff...
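
An added example, not part of the original post: the MTD lines of the boot log above, parsed to show which partition `root=/dev/mtdblock7` points at and where the NOR map has a hole. It assumes the kernel numbers MTD devices in the order the log creates them; `BOOT_LOG` is an excerpt copied from the log, and the function names are this example's own.

```python
import re

# Excerpt: the MTD-related lines copied from the boot log in the post above.
BOOT_LOG = """\
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock7
Creating 6 MTD partitions on "IXP4XX-Flash.0":
0x00000000-0x00080000 : "Redboot"
0x00080000-0x000a0000 : "cfg0"
0x000a0000-0x000b0000 : "cfg1"
0x000b0000-0x000c0000 : "mfg"
0x000c0000-0x000d0000 : "bootOpt"
0x000e0000-0x00100000 : "RedbootConfig"
Creating 5 MTD partitions on "NAND 256MiB 3,3V 8-bit":
0x00000000-0x00400000 : "SysA Kernel"
0x00400000-0x08000000 : "SysA Code"
0x08000000-0x0e400000 : "SysA Data"
0x0e400000-0x0e800000 : "SysB Kernel"
0x0e800000-0x10000000 : "SysB Code"
"""

CHIP = re.compile(r'Creating (\d+) MTD partitions on "([^"]+)"')
PART = re.compile(r'(0x[0-9a-f]{8})-(0x[0-9a-f]{8}) : "([^"]+)"')
ROOT = re.compile(r'root=/dev/mtdblock(\d+)')

def parse_mtd(log):
    """Return (partitions, root_index); assumes mtdN follows log order."""
    parts, chip, root = [], None, None
    for line in log.splitlines():
        if m := ROOT.search(line):
            root = int(m.group(1))
        elif m := CHIP.search(line):
            chip = m.group(2)
        elif (m := PART.search(line)) and chip:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            parts.append({"mtd": len(parts), "chip": chip, "name": m.group(3),
                          "start": start, "end": end, "size": end - start})
    return parts, root

def gaps(parts):
    """Address ranges on one chip left between two consecutive partitions."""
    return [(a["chip"], a["end"], b["start"]) for a, b in zip(parts, parts[1:])
            if a["chip"] == b["chip"] and b["start"] > a["end"]]

if __name__ == "__main__":
    parts, root = parse_mtd(BOOT_LOG)
    for p in parts:
        mark = "  <- root" if p["mtd"] == root else ""
        print(f'mtd{p["mtd"]:<2} {p["chip"]:<24} {p["name"]:<14} {p["size"] // 1024:>7} KiB{mark}')
    for chip, lo, hi in gaps(parts):
        print(f"unmapped on {chip}: {lo:#010x}-{hi:#010x}")
```

Under that numbering assumption the six NOR partitions take mtd0 to mtd5, so mtd7 is "SysA Code" on the NAND, which fits the log's "VFS: Mounted root (jffs2 filesystem)" line.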
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Thu May 22, 2014 19:56
NOR or NAND flash?
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 56

Posted: Fri Jul 18, 2014 18:39
Late to the party. :roll:
I thought I put up a thread on these boxes already somewhere but I can't find it now.
Anyway it's like the previous model, both NOR and NAND but the majority is NAND with only redboot and config in NOR.
Might be an interesting target. They have been superseded by the XTM25/26 now so many are coming up for sale though they are still supported by Watchguard for a while yet.
Of note the XTM25/26 uses U-Boot and has a different password. :(

Steve
nudelskopf
DD-WRT Novice


Joined: 12 Apr 2021
Posts: 1

Posted: Tue Apr 13, 2021 7:25
stephenw10 wrote:

Of note the XTM25/26 uses U-Boot and has a different password. :(

Steve


Hello,

do you or does anyone know the password for the WatchGuard U-Boot?

Thanks :D
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 56

Posted: Tue Apr 13, 2021 10:08
Not as far as I know. I'd love to hear if you find it. ;)
zastrix
DD-WRT Novice


Joined: 13 Mar 2023
Posts: 1

Posted: Mon Mar 13, 2023 21:43
Created an account just to say that I'm also interested if someone found the U-boot password. I found one on the flea market and the hardware does seem interesting.

Edit:

There is also https://github.com/greguu/linux_kernel_xtm2_richland/issues/1 for bringing OpenWRT to the devices. Some stuff isn't working but the majority is.

This is for the older versions which use RedBoot.