SonicWALL SRA 4200. Hardware hacking!

[pappkopp]

Hello!

I picked up an software bricked firewall from SonicWALL.
I opened it up and i saw that it used standard ATx Pc components, so i am wondering if it can be hacked to run custom firmware?


I have the standard hacking tools: Jtag, TTL, Serial etc. Can this be done? I tried to mount the flash card to my workstation but it won't. because it has some kind of bad blocks or something, i think its locked or what?

Ive hocked it up to an videocard, please see the images!
I can provide all the information possible!!

The images are here:
http://imgur.com/a/1He14/embed



Kind Regards.

[amyk]

Do you have any info on the CPU and other hardware on it?

[NiHaoMike]

What happens if you swap the CompactFlash card with one that has a LiveUSB distro installed on it?

[pappkopp]

I will go to the store as soon as i get the time, regarding the flash card. Pick up a new one if no one got an suggestion for mounting the drive on my WorkStation (Linux or Windows tools will do)

Regarding the CPU i don't know anything. I'm gonna pop off the heat-sink if i can't get the flash card to boot.

Regards

[Monkeh]

It shouldn't be much trouble to get a Linux distro booting off those.

It's got hardware crypto of some sort, too.

[pappkopp]

If it got some kind of hardware encryption, then tell me how to get past that feature? or even explain it
Personally i only think that the BIOS has like a feature where it verify's the content of the flash card.

[Monkeh]

If it got some kind of hardware encryption, then tell me how to get past that feature? or even explain it
Personally i only think that the BIOS has like a feature where it verify's the content of the flash card.

Uh, as in a crypto engine..

[TheBay]

Put a PCI graphics card in there with no bracket, see if you get output or POST - If you can enter the BIOS and see boot options then might be halfway there

What flash chip is the PLCC BIOS? Is that a AMI sticker I see on it, looks like a normal x86 686 BIOS sticker.
If the BIOS is locked out or has minimal features I can edit/add functions, if you can get a dump.

[pappkopp]

Hmm.. Where do i find a reader with that socket that fits? I've cleared the BIOS via using the on-board header. That did not change how the computer boot.

Regarding the PCI video card:
http://imgur.com/a/1He14/embed#11

The only thing i get on the monitor is some FreeDOS thing.. If i remove the flash card it won't even power up the fans. I am about to buy an compact flash card and install some embedded Linux on it. But i bet there is an checksum or something in that way on the orginal flash card.

Kind Regards

[nowlan]

Looks to be searching for C:\command.com.
Probably why its bricked.

Just get a compact flash card and reader and put linux on it.
I doubt you need to worry about signed images etc.

[pappkopp]

Just get a compact flash card and reader and put linux on it.
I doubt you need to worry about signed images etc.

Yeah, i have an compact disk reader. But when i connect it to my reader it won't mount under any circumstances, when i see the debug message on my Linux system it whines about bad sectors and I/O errors. Therefore no mounting for that card (would be fun to see the contents of it tho)

I will hook up an flash card as soon as possible,. I will keep you guys updated

Kind Regards

[amyk]

The good news is that you seem to have a relatively standard x86 PC.

The bad news is that the rubbish after the "Kernel: allocated ..." line suggests the files on the CF are corrupted.

Have you tried accessing the BIOS setup? Or booting from a USB drive?

Note that the CF interface is essentially EIDE, so if you have an adapter you could try hooking up a regular hard drive to it.

[amyk]

Just get a compact flash card and reader and put linux on it.
I doubt you need to worry about signed images etc.

Yeah, i have an compact disk reader. But when i connect it to my reader it won't mount under any circumstances, when i see the debug message on my Linux system it whines about bad sectors and I/O errors. Therefore no mounting for that card (would be fun to see the contents of it tho)

I will hook up an flash card as soon as possible,. I will keep you guys updated

Kind Regards

Don't mount it, try ddrescue instead.

[TheBay]

Nice to see video output

Do you get a post screen? have you tried F1, F2, other F keys and Del when powering on to get in to a setup?

You need a PLCC to DIP adapter for your programmer, if you haven't got a programmer I love the TL866A at the moment. It's become my main programmer.

Hmm.. Where do i find a reader with that socket that fits? I've cleared the BIOS via using the on-board header. That did not change how the computer boot.

Regarding the PCI video card:
http://imgur.com/a/1He14/embed#11

The only thing i get on the monitor is some FreeDOS thing.. If i remove the flash card it won't even power up the fans. I am about to buy an compact flash card and install some embedded Linux on it. But i bet there is an checksum or something in that way on the orginal flash card.

Kind Regards

[TheBay]

Remove flash card and see if any POST Video output or try removing the battery and boot with no flash card! It might load to CMOS defaults and allow you in to setup hopefully it might need to be left on a while, the OS probably controls fan speed as it boots, though if you do not get POST the bios might not have code to initialise the display adaptor... A few SATA connectors there too, try removing the flash card and making a USB boot disk with Rufus?

[pappkopp]

I tried with an Flash card, but no boot.

There is an Via Chipset on the board, VIA VT1211
Datasheet: http://www.hardwaresecrets.com/datasheets/vt1211.pdf
Info: http://www.via.com.tw/en/products/peripherals/super-io/
 
Hackable? i think so?

[TheBay]

Please try with no flash card and wait for post, or keep hitting keys to get in BIOS.

Via is only Super IO chip? not the main chipset, what do you intend to do with the Via chip?

[pappkopp]

Update:
I have tried to boot from a FreeDOS image, but it don't want to work with me. 

Also there is no BIOS button i can press ( yes i have tried all the standard ones)

Regarding the VIA chip, isn't that  the Disk Controller?

Kind Regards, and keep up the good work :=)

[Monkeh]

Regarding the VIA chip, isn't that  the Disk Controller?

No.. did you read the datasheet you posted?

[pappkopp]

Regarding the VIA chip, isn't that  the Disk Controller?

No.. did you read the datasheet you posted?

I guess that the "Floppy disk" is under the genre of Compact flash disk?

[Monkeh]

Regarding the VIA chip, isn't that  the Disk Controller?

No.. did you read the datasheet you posted?

I guess that the "Floppy disk" is under the genre of Compact flash disk?

Guessing won't get you very far.

[TheBay]

Compact flash is IDE not a floppy controller.

[TheBay]

Regarding the VIA chip, isn't that  the Disk Controller?

No.. did you read the datasheet you posted?

I guess that the "Floppy disk" is under the genre of Compact flash disk?

Guessing won't get you very far.

This forum needs a like button

[Tinkerer]

Just get a compact flash card and reader and put linux on it.
I doubt you need to worry about signed images etc.

Yeah, i have an compact disk reader. But when i connect it to my reader it won't mount under any circumstances, when i see the debug message on my Linux system it whines about bad sectors and I/O errors. Therefore no mounting for that card (would be fun to see the contents of it tho)

I will hook up an flash card as soon as possible,. I will keep you guys updated

Kind Regards

If that flash card has bad sectors, you very likely have corruption.

[tja]

I've just acquired one of these devices, and have spent a little time trying to reverse engineer it.

I took a slightly different approach to video output to the OP, and just soldered a VGA socket into the unpopulated spot on the MB - works fine.

Major problem is I have not been able to get into the BIOS at all, have rebooted many times and pressed all manner of keys - nada.

This is what it says on boot up:

Validating firmware CRC...
CKIMAGES v2.1
Validating files...
CRC is valid.
Booting into firmware…
LINLD v0.97
Kernel command line:
root=/dev/ram0 rw console=ttyS1,115200 ramdisk_size=163840 ide=nodma
Decompressing Linux... Parsing ELF... done .
Booting the kernel .

It appears to boot into FreeDOS, which then loads Linux. It is possible to interrupt the boot process and explore from a FreeDOS prompt, but I haven't found out much. Very limited range of FreeDOS commands available.

I have extracted the BIOS flash rom (a 39sf040) and dumped it using an Arduino lash-up, but I don’t know what to do next - what format should I save the data as, and what utilities can I use to manipulate the BIOS, if any?

All help gratefully received.

Hi-res photos of the board, BIOS dump and boot photos here:
https://drive.google.com/open?id=1WMaan81lUdivlR2-s8uoYmRYDbtQXcHQ

Cheers

Tim