In an earlier article, I went over a few discoveries I made on a Nokia IP260 while trying to install pfSense on it. In the comments, someone wondered if Coreboot would work on it. Not being one to shy away from such a challenge, I dove right in. Here are my findings.

For starters, let's first discuss coreboot, what it is and what it could do for us. From the coreboot website: "coreboot is an extended firmware platform". And from their About page: "Coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload."

So in short, coreboot is a very basic BIOS, which can then either load an more featureful BIOS like SeaBIOS, or bootloader like GRUB, which would then load the rest of the Operating System. More importantly though, coreboot is completely open source, so it can be modified in any way we see fit. Provided you have the expertise to do so that is.

Not being one to reinvent the wheel, I just searched the coreboot website for anything relating to Nokia, and IP Appliances. And sure enough, I'm not the first to try this:

https://www.coreboot.org/Nokia_IP330

https://www.coreboot.org/Mini_HOWTO:_using_a_CF_card_for_testing_and_developing_coreboot

Looking the pages over, it looks pretty straightforward; flash a CF card, and boot it. Granted, the hardware (and BIOS) for the IP530/330 differs in many key and fundamental ways, but you never know, right?

So, download the .img file and put it onto a CF Card with the following command:

pv -ptreb linux-nokia-ip530-coreboot.img | dd of=/dev/sdb

Put the card in to the IP260, and here's the boot output:

F... E... D... C... B... A... 9... 8... 7... 6... 5... 4... 3... 2... 1... 0... 
Nokia Baja BIOS bootstrap loader, Version 2.02
Copyright (c) 1997-2005, Nokia, Inc.
Unknown motherboard type 6186, Manu. Rev 2, Board Rev 1
CPU Id 0x06B0 stepping 4, Rev 0, L2 Cache 256KB
512MB SDRAM memory
DIMM 0 256 MBytes, Single Sided  DIMM 1 256 MBytes, Single Sided  
Loading kernel from BIOS_BOOT
Loading master boot sector...
Transferring control to the master bootstrap loader...
Missing operating system.
Unhandled real mode interrupt!
Vector: 0x00000018
CS:IP = 0000:0791
SS:ESP = 0000:7BCE
EAX = 0E0A  EBX = 0007  ECX = 0000  EDX = 0000
ESI = 0679  EDI = 0800  EBP = 7BD2  FLG = 7246
DS  = 0000      ES =  0000      FS  = 0000      GS  = 0000
Stack:
   7BCE: 0004 0800 7E00 0000
   7BDE: 7BF2 0000 0000 003F
   7BEE: 0000 065B 0000 0080
   7BFE: 0000 0000 0000 0000

From experience in my previous article, I know that this means the BIOS can't load the bootloader. Myself, I'm not TOO sruprised with this since the original image file was for an IP330/530. But it sure would have been nice to have it work. From here, it looks like I will have to figure out for myself. Next up, would be to gather some finer details about the raw hardware that comprises an IP260.

For this, I boot into IPSO 4.2, and gather the dmesg output:

Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Resizing packet buffers: mbufs 15360 clusters 14000
releng 1515  05.11.2010-205957
CPU: 401-MHz Celeron (686-class CPU)
real memory  = 536870912 (512M bytes)
avail memory = 512786432 (489M bytes)
Baja Motherboard
pciich0 <Intel ICH Host-Hub Interface Bridge,DRAM Controller> rev 4 on pci0:0:0
pciich1 <Intel ICH AGP/PCI Bridge> rev 4 on pci0:1:0
pciich2 <Intel ICH LPC Bridge Function> rev 5 on pci0:31:0
pciich3 <Intel ICH IDE> rev 5 on pci0:31:1
pciich_ide : Initializing disk DMA and isa bus
Probing for devices on the ISA bus:
sio0 at 0x3f8-0x3ff irq 4 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (wd0): <STI Flash 8.0.0>, LBA
wd0: 128MB (250880 sectors), LBA geometry: 248 cyls, 16 heads, 63 S/T
wd0: Physical geometry: 980 cyls, 8 heads, 32 S/T
wdc0: unit 1 (wd1): <FUJITSU MHV2040AS>, LBA, DMA, SMART
wd1: 40007MB (78140160 sectors), LBA geometry: 4864 cyls, 255 heads, 63 S/T
wd1: Physical geometry: 16383 cyls, 16 heads, 63 S/T
Monitor (S)ATA devices for failure ..
npx0 on motherboard
npx0: INT 16 interface
superionatb0 at 0x0 on isa
pciich4 <Intel ICH SMBUS> rev 5 on pci0:31:3
Configuring SMBus on Baja
pcidec0 <INTEL 244E ICH > rev 5 on pci0:30:0
pcic0 <TI PCI-1520 PCI-CardBus Bridge> rev 1 int a irq 7 on pci1:1:0
pcic1 <TI PCI-1520 PCI-CardBus Bridge> rev 1 int a irq 7 on pci1:1:1
fxp0 <Intel EtherExpress Pro 10/100B Ethernet> rev 16 int a irq 9 onboard 1
fxp1 <Intel EtherExpress Pro 10/100B Ethernet> rev 16 int a irq 10 onboard 2
fxp2 <Intel EtherExpress Pro 10/100B Ethernet> rev 16 int a irq 11 onboard 3
fxp3 <Intel EtherExpress Pro 10/100B Ethernet> rev 16 int a irq 12 onboard 4
ubsec0 <Broadcom 5823 Encryption Accelerator> rev 1 int a irq 5 on pci1:0:0
changing root device to wd0f
Creating process 0 (the swapper)
RTC: 20/00/10 01:10:33,             A=26, B=42, C=00, sec=0x50f8a109
netlog:eth4 .. enabling 100baseTX/UTP port in full duplex mode
netlog:eth2 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth3 .. enabling 10baseT/UTP port in half duplex mode
netlog:eth1 .. enabling 10baseT/UTP port in half duplex mode

Alright... Here's some good info I can start to work with. In this output, we can see the Motherboard model name:

CPU: 401-MHz Celeron (686-class CPU)
real memory  = 536870912 (512M bytes)
avail memory = 512786432 (489M bytes)
Baja Motherboard

Now, I have to be honest, I have never before heard of a "Baja Motherboard". But there are many things out there I have never heard of before so that's no big deal. Let us take a look coreboot's list of supported motherboards:

http://www.coreboot.org/Supported_Motherboards

TL;DR, there's no Baja Motherboard. There is only 1 mention og Nokia/Checkpoint/IP Appliances, and it's the one we already know about, the IP530/330. Searching Google for "Baja Motherboard" turns up a TON of completely unrelated results involving Baja California, and the only relevant results all relate to the IP260. So this is rather pretty clearly a proprietary Nokia Motherboard and BIOS. Taking a look at the IP260 release date:

http://www.checkpoint.com/support-services/support-life-cycle-policy/

This was released to the public in 2005. Who knows how long it was in development... But the point here is that it was developed during a time where Nokia certainly had the resources and ability to do so. So it's not so far-fetched as to conclude that his device is very propriatary, and made with NO provisions for 3rd party Operating Systems.

Is this the end? Well, not quite. Coreboot has info on how to compile coreboot. With this, we should, in theory, be able to custom compile a version of coreboot to wotk for the IP260. Let's take a look:

https://www.coreboot.org/Build_HOWTO

Oh yeah! We even have a list of requirements:

Requirements:
gcc / g++ (gcc-multilib is ideal, makes building payloads a lot easier)
make
cmake (if using clang/llvm)
ncurses-dev (for make menuconfig)

Hmmm... I do not think IPSO ships with make or the gcc libraries... Let us try:

IP260[admin]# make
make: Command not found.
IP260[admin]# find / -name make
JonM-IP260[admin]#

While I'm not too surprised, I AM a little disappointed. Reaching out to some contacts internal to Checkpoint, it looks like these are not publicly available directly from Chekpoint. Again, not surprised, and again, still a bit disappointed.

So what to do? I know that IPSO is BSD-based, so in theory, 'make' and the gcc libraries from FreeBSD *SHOULD* work; provided we use the right versions. Taking a look at Wikipedia, we can easily gather the following details about what version FreeBSD is used:

https://en.wikipedia.org/wiki/Check_Point_IPSO

"IPSO SB was originally derived ... from FreeBSD 2.1-STABLE and cross-compiled on FreeBSD 2.2.6-RELEASE and 3.5-RELEASE platforms."

"IPSO 6.0 ... is based on FreeBSD 6.x."

IPSO SB, simply put, is beyond ancient, so whatever FreeBSD version we want to try, it will likely have to be above 3.5. IPSO 6 is based off FreeBSD 6. So now we know we need to use a version somewhere between 3.5 and 6. I know there is some way you can set up an environment to compile things for another environment, but that gets to a level I am completely unfamiliar and unexperienced with, so to me that is a bit too difficult.

Now I will need to try to install and boot some FreeBSD versions, and see if I can stumble upon the correct version.

Taking a stab with the naming conventions, I am first going to try FreeBSD 4.2... So I get a VM built and FreeBSD 4.2 installed and booted. Using a few Linux commands I am familiar with, I was able to locate the files I would need. YAY! Now to get them OFF the VM. And this is where my *BSD knowledge ends. In order to get the files off, I would need to S/FTP (or some other network file transfer) them off the device. Using Google, I was able to find a few hints on basic configurations for an interface in *BSD, but they don't seem to be working for me... Whether due to my BSD being such an old verrsion, or me just doing it wrong, I cannot tell. But what I CAN tell, is that simply getting the files off a base install won't be so quick and easy as I had hoped... This is going to be a project in and of itself, which I will likely tackle another day and write another article.

In conclusion, while it may be technically possible to get coreboot to work with an IP260, there is no small amount of work needed to further this cause. For now, it is beyond my knowledge and skills, and cannot be done. At this point, I am starting to wonder if maybe I would be better off finding use for the IP260 WITH IPSO 4.2 installed and running, rather than trying to install something else... What do you think?