I had come across an old Nokia IP260 here at work. The device is long since end-of-life, no longer supported, won't be RMA'd... It can only run versions of IPSO and Checkpoint so ancient that it borders upon useless (and in fact maybe even dangerous). But the hardware works perfectly fine. It boots, loads, and all Checkpoint services operate, if you can get your hands on a license (which you can't, really, because it is so old, end-of-life, and unsupported). So what to do with the hardware? Sure, I can cannibalize it for a 20GB Laptop HDD and 1GB Flash card, but the device works better as a whole... It would be nice to make it function in some manner.
The IP Appliance Operating System, IPSO, is based off of FreeBSD. pfSense is based off FreeBSD. Looks like a match made in heaven. I've read some articles and forum posts about getting different OSes running on IP330, IP560, IP380, etc... But nothing on an IP260. Here is my work at attempting this, and the discoveries made along the way.
First a brief history of the IP260...
First brought to market by Nokia in January 2005, it was meant to be a small appliance. At only 1/2U (half a Rack Unit) size, this was meant for small branch offices and medium to large sized businesses. It runs a Nokia-specific operating system called IPSO. It is BSD based, and it is not easy to get running on a non-IP Appliance. The IP260 went completely end-of-life in June of 2013. The newest version of IPSO it can run is 4.2, and that can only handle Checkpoint R65. R65 is also long-since end-of-life.
Quick Specs:
- Intel Celeron 400MHz CPU
- 512MB RAM
- 1GB Flash Card
- 40GB HDD
- 4 10/100 NIC ports
- Serial Console port
- AUX Serial port
So this is by no means a big beefy device capable of pushing data center kind of traffic, but it is certainly more than adequate for home and small business use as well as its original intended use.
Now, I hear you asking, "If it runs IPSO 4.2 and Checkpoint R65 just fine, why change it?" And the answer is simple: licensing. Checkpoint is not free. Far from it. In fact, as far as I can tell, it is one of the more expensive products out there. And since the version of Checkpoint is also end-of-life, getting a license for it will be impossible. So Checkpoint is completely out of the question. I can certainly let IPSO run as a router, and that could be fine. But this is a network security appliance, and since IPSO is BSD based, then it stands to reason that just about any old BSD based OS should, in theory, work as well.
I had previously come across pfSense in my efforts to find a nice UTM distro. While it met most of my needs, I had found another Linux based distro to serve as my UTM, Sophos. But that is Linux based, not BSD, and will absolutely not work on this IP260. So I decided to revisit pfSense for this. It certainly looks promising.
Throughout the interwebs I managed to find a number of articles regarding other IP Appliances and putting on other OSes, like pfSense, FreeBSD, and Ubuntu. For the most part, other than some interface configurations, the install and setup process went smoothly, as described in the various Install Guides for the respective product. Feeling optimistic about the setup, I simply dove in.
https://doc.pfsense.org/index.php/Installing_pfSense
Following the above guide, I downloaded the "NanoBSD: Embedded install type using the serial console by default" image. I flashed it to the CF card using dd and put the card into the IP260. When I turned on the Appliance, I could see the POST messages on my console connection, and I could see it start to boot:
Loading master boot sector...
Transferring control to the master bootstrap loader...
1 pfSense
2 pfSense
5 Drive 1
F6 PXE
Boot:
Woo Yeah! Success! I select 1 (as per install guide) and right away it crashes:
Unhandled real mode interrupt!
Vector: 0x00000013
CS:IP = 0000:076E
SS:ESP = 0000:7BEC
EAX = 4200 EBX = 7C00 ECX = 0001 EDX = 0180
ESI = 7BEC EDI = 7BFC EBP = 0800 FLG = 7006
DS = 0000 ES = 0000 FS = 0000 GS = 0000
Stack:
7BEC: 0010 7C00 003F 0000
7BFC: 07BE 31FC 8EC0 BCD0
7C0C: E689 B906 A5F3 08B1
7C1C: 45FE 8A00 20B7 4E80
Crap. I knew it was too good to be true. So I went ahead and double (and triple) checked the image, MD5Sum, flash command, and everything else. The process was good, I was definitely doing the right steps. Thinking it might be a pfSense problem, I tried the same process with m0n0wall, SmallWall, and t1n1wall. While all are based off of m0n0wall and BSD, they all have their own unique features. I followed their respective guides and all gave me more or less the same results. m0n0wall is no longer being worked on, which spawned the forks of SmallWall and t1n1wall. These 2 new forks are very new, and have yet to form a large community following, so I cannot really seek much help there. Which brings us full-circle back to pfSense. Having few other options, I created a new thread in their forum. One of the members, charliem, posted the following response:
"The boot loader is trying to use INT13h, AH42, aka 'extended services read' to load the MBR, and appears to be failing. I'd guess the target device doesn't support that, and the bootloader may need to use CHS to access the device instead, like a floppy. Nokia presumably wrote the bios, so they could do what they wanted / needed to, without regards to booting a general purpose OS. But that's just a WAG."
There are a couple of new terms in here that I am not immediately familiar with... "INT13h", "AH42", and "CHS"... What do these mean? A quick Google search brought me to the following sites:
http://www.win.tue.nl/~aeb/linux/Large-Disk-3.html
http://viralpatel.net/taj/tutorial/chs_translation.php
There were a ton of others, but these 2 were the most helpful. Ok, so we're talking about accessing the Hard Drive's Master Boot Record using different methods. Ok, I can work with that. I decided to compare my 1GB card to a working 128MB IPSO card from another IP260 (my IP260 boots this other card just fine, no issues). Myself, I'm not an expert on the fine inner details of the workings of the MBR. One thing I DO know however, is that it stores the Partition Table. So let's compare the IPSO card to the pfSense card. I ran the following command and got the below outputs:
sfdisk -l
IPSO card:
Disk /dev/sdb: 1011 cylinders, 4 heads, 62 sectors/track
Warning: The partition table looks like it was made
for C/H/S=*/256/63 (instead of 1011/4/62).
For this listing I'll assume that geometry.
Units = cylinders of 8257536 bytes, blocks of 1024 bytes, counting from 0
Device Boot Start End #cyls #blocks Id System
/dev/sdb1 0 - 0 0 0 Empty
/dev/sdb2 0 - 0 0 0 Empty
/dev/sdb3 0 - 0 0 0 Empty
/dev/sdb4 * 0 3- 4- 25000 a6 OpenBSD
end: (c,h,s) expected (3,25,41) found (1023,255,63)
Disk /dev/sdb4: 201 cylinders, 4 heads, 62 sectors/track
Warning: The partition table looks like it was made
for C/H/S=*/256/63 (instead of 201/4/62).
For this listing I'll assume that geometry.
Units = cylinders of 8257536 bytes, blocks of 1024 bytes, counting from 0
Device Boot Start End #cyls #blocks Id System
/dev/sdb4p1 0 - 0 0 0 Empty
/dev/sdb4p2 0 - 0 0 0 Empty
/dev/sdb4p3 0 - 0 0 0 Empty
/dev/sdb4p4 * 0 3- 4- 25000 a6 OpenBSD
end: (c,h,s) expected (3,25,41) found (1023,255,63)
pfSense Card:
Disk /dev/sdb: 1009 cylinders, 32 heads, 62 sectors/track
Warning: The partition table looks like it was made
for C/H/S=*/16/63 (instead of 1009/32/62).
For this listing I'll assume that geometry.
Units = cylinders of 516096 bytes, blocks of 1024 bytes, counting from 0
Device Boot Start End #cyls #blocks Id System
/dev/sdb1 * 0+ 914 915- 461128+ a5 FreeBSD
/dev/sdb2 915+ 1829 915- 461128+ a5 FreeBSD
end: (c,h,s) expected (1023,15,63) found (805,15,63)
/dev/sdb3 1830 1931 102 51408 a5 FreeBSD
start: (c,h,s) expected (1023,15,63) found (806,0,1)
end: (c,h,s) expected (1023,15,63) found (907,15,63)
/dev/sdb4 0 - 0 0 0 Empty
On the IPSO card you can see the following:
for C/H/S=*/256/63 (instead of 1011/4/62)
And some other similar lines. There's that CHS that was mentioned in the forum post! So I am definitely on the right track. We can also see that while the pfSense partitioning scheme makes sense, the IPSO card partitioning is all messed up. It appears to be rather unique to me... I have never seen anything quite like this before.
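The partition tables that sfdisk summarised above can also be decoded by hand. The following is an added example, not part of the original article: it parses the table bytes (offsets 0x1be to 0x1ff, transcribed from the xxd dumps of both cards shown later on this page) and checks each entry's CHS fields against its LBA fields for a given heads/sectors geometry. The function names are made up for this example.

```python
import struct

# Bytes 0x1be-0x1ff of each card, transcribed from the xxd dumps on this page.
EMPTY = "00" * 16
PFSENSE_TAIL = bytes.fromhex(
    "80010100a50fff923f00000091120e00"   # slot 1
    "0001c193a50fff250f130e0091120e00"   # slot 2
    "0000c126a50fff8ba0251c00a0910100"   # slot 3
    + EMPTY + "55aa")
IPSO_TAIL = bytes.fromhex(
    EMPTY * 3 + "80000100a6ffffff0000000050c30000" + "55aa")

TYPES = {0xA5: "FreeBSD", 0xA6: "OpenBSD"}


def unpack_chs(b):
    """Decode the packed 3-byte CHS field into (cylinder, head, sector)."""
    head, sec, cyl = b
    return ((sec & 0xC0) << 2) | cyl, head, sec & 0x3F


def lba_to_chs(lba, heads, spt):
    """LBA -> (c, h, s) for a given geometry; the cylinder is not clamped."""
    cyl, rem = divmod(lba, heads * spt)
    return cyl, rem // spt, rem % spt + 1


def parse_table(tail):
    """Return the non-empty entries of a 64-byte table plus its signature."""
    if len(tail) != 66 or tail[64:] != b"\x55\xaa":
        raise ValueError("need 64 table bytes followed by the 55 AA signature")
    entries = []
    for i in range(4):
        raw = tail[16 * i:16 * i + 16]
        status, chs0, ptype, chs1, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:
            continue
        entries.append({
            "slot": i + 1, "active": status == 0x80,
            "type": TYPES.get(ptype, hex(ptype)),
            "chs_start": unpack_chs(chs0), "chs_end": unpack_chs(chs1),
            "lba_start": lba, "sectors": count,
        })
    return entries


def chs_mismatches(entries, heads, spt):
    """List (slot, field) pairs whose CHS bytes disagree with the LBA fields.

    The on-disk cylinder field is 10 bits wide, so it is compared modulo 1024.
    """
    bad = []
    for e in entries:
        last = e["lba_start"] + e["sectors"] - 1
        for field, lba in (("chs_start", e["lba_start"]), ("chs_end", last)):
            c, h, s = lba_to_chs(lba, heads, spt)
            if e[field] != (c % 1024, h, s):
                bad.append((e["slot"], field))
    return bad


if __name__ == "__main__":
    for name, tail in (("pfSense", PFSENSE_TAIL), ("IPSO", IPSO_TAIL)):
        for e in parse_table(tail):
            print(name, e)
    print("pfSense vs 16/63:", chs_mismatches(parse_table(PFSENSE_TAIL), 16, 63))
    print("IPSO vs 256/63:", chs_mismatches(parse_table(IPSO_TAIL), 256, 63))
```

With the 16/63 geometry sfdisk inferred, every pfSense CHS field agrees with its LBA field (cylinders wrap modulo 1024). The single IPSO entry starts at LBA 0, covers 50000 sectors, and has its end CHS saturated at (1023,255,63), which is what sfdisk was complaining about.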
So the only thing that can work from these partition schemes are the bootloaders, located within the MBR. Through my Google searches for "INT13h", "AH42", and "CHS", I came across some pages that mention making changes to the MBR using a Hex Editor. In Windows, there are many many applications that can edit the MBR directly. While handy to know, I do not actually have Windows anywhere; I use Linux only. So what to do? Using the dd command, you can easily extract the MBR using the following command:
dd if=/dev/sdb of=mbr bs=512 count=1
Once done, you are now in possession of the MBR in binary format, all 1s and 0s. Using xxd, you can easily convert this binary file to semi-readable Hex code:
xxd mbr > mbr.txt
Which gave me the following Hex Code outputs:
IPSO MBR:
0000000: eb1b 9090 161f 666a 0051 5006 5331 c088 ......fj.QP.S1..
0000010: f050 6a10 89e5 e8be 008d 6610 cbfc 31c9 .Pj.......f...1.
0000020: 8ec1 8ed9 8ed1 bc00 7c89 e6bf 0007 fec5 ........|.......
0000030: f3a5 beee 7d80 fa80 722c b601 e867 00b9 ....}...r,...g..
0000040: 0100 bebe 8db6 0180 7c04 a675 07e3 19f6 ........|..u....
0000050: 0480 7514 83c6 10fe c680 fe05 72e9 49e3 ..u.........r.I.
0000060: e1be 7c7d eb52 31d2 8916 0009 b610 e835 ..|}.R1........5
0000070: 00bb 0090 8b77 0a01 debf 00b0 b900 ac29 .....w.........)
0000080: f1f3 a429 f930 c0f3 aae8 0300 e981 13fa ...).0..........
0000090: e464 a802 75fa b0d1 e664 e464 a802 75fa .d..u....d.d..u.
00000a0: b0df e660 fbc3 bb00 8c8b 4408 8b4c 0a0e ...'......D..L..
00000b0: e853 ff73 21be 797d e813 00be 817d e80d .S.s!.y}.....}..
00000c0: 0030 e4cd 16cd 19bb 0700 b40e cd10 ac84 .0..............
00000d0: c075 f4b4 01f9 c32e f606 8a08 8074 21bb .u...........t!.
00000e0: aa55 52b4 41cd 135a 7216 81fb 55aa 7510 .UR.A..Zr...U.u.
00000f0: f6c1 0174 0b89 eeb4 42cd 13b0 ffe6 80c3 ...t....B.......
0000100: 52b4 08cd 1388 f55a 72cc 80e1 3f74 c4fa R......Zr...?t..
0000110: 668b 4608 5266 0fb6 d966 31d2 66f7 f388 f.F.Rf...f1.f...
0000120: eb88 d543 30d2 66f7 f388 d75a 663d ff03 ...C0.f....Zf=..
0000130: 0000 fb77 9e86 c4c0 c802 08e8 4091 88fe ...w........@...
0000140: 28e0 8a66 0238 e072 0288 e0bf 0500 c45e (..f.8.r.......^
0000150: 0450 b402 cd13 5b73 0a4f 741c 30e4 cd13 .P....[s.Ot.0...
0000160: 93eb eb0f b6c3 0146 0873 03ff 460a d0e3 .......F.s..F...
0000170: 005e 0528 4602 7788 c352 6500 426f 6f74 .^.(F.w..Re.Boot
0000180: 0020 6572 726f 720d 0a00 0090 9090 9090 . error.........
0000190: 9090 9090 9090 9090 9090 9090 9090 9090 ................
00001a0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
00001b0: 9090 9090 9090 9090 9090 9090 9090 0000 ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 8000 ................
00001f0: 0100 a6ff ffff 0000 0000 50c3 0000 55aa ..........P...U.
pfSense MBR:
0000000: fc31 c08e c08e d88e d0bc 007c 89e6 bf00 .1.........|....
0000010: 06b9 0001 f3a5 89fd b108 f3ab fe45 f2e9 .............E..
0000020: 008a f646 b720 7407 804e b740 8a56 b688 ...F. t..N.@.V..
0000030: 5600 52e8 f200 bbc2 0731 d288 6ffc 0fa3 V.R......1..o...
0000040: 56b7 7318 8a07 84c0 7412 bf84 07b1 08f2 V.s.....t.......
0000050: ae81 c706 008a 0d01 cfe8 bd00 4280 c310 ............B...
0000060: 73d9 582c 7f3a 0675 0472 0548 740d 30c0 s.X,.:.u.r.Ht.0.
0000070: 04b0 8846 b4bf ae07 e89e 00be 7207 e8b3 ...F........r...
0000080: 008a 56b5 4ee8 a500 eb05 b023 e8ac 0030 ..V.N......#...0
0000090: e4cd 1a89 d703 7ebc b403 e8a0 00f6 c401 ......~.........
00000a0: 7511 30e4 cd1a 39fa 72ee 8a46 b580 4eb7 u.0...9.r..F..N.
00000b0: 40eb 0bb4 02e8 8500 3c0d 74ee 2c31 3c05 @.......<.t.,1<.
00000c0: 7502 cd18 73c4 980f a346 1073 bd88 46b5 u...s....F.s..F.
00000d0: 89ee 8a14 89f3 3c04 9c74 0ac0 e004 05be ......<..t......
00000e0: 0793 c607 8053 f646 b740 7508 bb00 06b4 .....S.F.@u.....
00000f0: 03e8 5000 5e9d 7506 8a56 b480 ea30 bb00 ..P.^.u..V...0..
0000100: 7cb4 02e8 3e00 7282 81bf fe01 55aa 0f85 |...>.r.....U...
0000110: 78ff 56e8 1200 5eff e30f ab56 10be 8007 x.V...^....V....
0000120: e80a 0089 fee8 0c00 be82 07eb 07b0 3100 ..............1.
0000130: d0e8 0700 aca8 8074 f824 7fb4 0152 31d2 .......t.$...R1.
0000140: cd14 5ac3 8a74 018b 4c02 b001 5689 e784 ..Z..t..L...V...
0000150: d274 19f6 46b7 8074 1366 6a00 66ff 7408 .t..F..t.fj.f.t.
0000160: 0653 6a01 6a10 89e6 4880 cc40 cd13 89fc .Sj.j...H..@....
0000170: 5ec3 0a46 3620 5058 450d 0a42 6f6f 743a ^..F6 PXE..Boot:
0000180: 20a0 0d8a 83a5 a6a9 0607 0b0c 1013 1205 ...............
0000190: 0403 01bf 5769 ee4c 696e 75f8 7066 5365 ....Wi.Linu.pfSe
00001a0: 6e73 e590 9090 9090 9090 9090 9090 4472 ns............Dr
00001b0: 6976 6520 0000 8083 9090 9090 b600 8001 ive ............
00001c0: 0100 a50f ff92 3f00 0000 9112 0e00 0001 ......?.........
00001d0: c193 a50f ff25 0f13 0e00 9112 0e00 0000 .....%..........
00001e0: c126 a50f ff8b a025 1c00 a091 0100 0000 .&.....%........
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa ..............U.
Great. So now I can see that the Bootloaders for both are WILDLY different... But what to do about it? I could certainly start copy/pasting various Hex pieces, but without knowing what they mean and do, it'll likely be a pointless task. Searching Google for any DIY bootloader info, I came across the following sites:
http://wiki.osdev.org/MBR_%28x86%29
http://viralpatel.net/taj/tutorial/hello_world_bootloader.php
http://stackoverflow.com/questions/568359/write-mbr-code
http://wiki.osdev.org/Rolling_Your_Own_Bootloader
Great... The Bootloader code is written in Assembly Language. While very powerful, it is VERY low-level, and is so unused and obscure these days that it borders on being a dead language. Using the commands from the Stack Overflow site, I extracted (disassembled) the MBR bootloader code.
First, extract the MBR:
dd if=/dev/sdc of=mbr.bin bs=512 count=1
Now, disassemble the bootcode:
ndisasm -b16 -o7C00h mbr.bin > mbr.asm
IPSO Bootcode:
[At Checkpoint's request, I have removed the IPSO bootcode itself]
pfSense Bootcode:
00007C00 FC cld
00007C01 31C0 xor ax,ax
00007C03 8EC0 mov es,ax
00007C05 8ED8 mov ds,ax
00007C07 8ED0 mov ss,ax
00007C09 BC007C mov sp,0x7c00
00007C0C 89E6 mov si,sp
00007C0E BF0006 mov di,0x600
00007C11 B90001 mov cx,0x100
00007C14 F3A5 rep movsw
00007C16 89FD mov bp,di
00007C18 B108 mov cl,0x8
00007C1A F3AB rep stosw
00007C1C FE45F2 inc byte [di-0xe]
00007C1F E9008A jmp word 0x622
00007C22 F646B720 test byte [bp-0x49],0x20
00007C26 7407 jz 0x7c2f
00007C28 804EB740 or byte [bp-0x49],0x40
00007C2C 8A56B6 mov dl,[bp-0x4a]
00007C2F 885600 mov [bp+0x0],dl
00007C32 52 push dx
00007C33 E8F200 call word 0x7d28
00007C36 BBC207 mov bx,0x7c2
00007C39 31D2 xor dx,dx
00007C3B 886FFC mov [bx-0x4],ch
00007C3E 0FA356B7 bt [bp-0x49],dx
00007C42 7318 jnc 0x7c5c
00007C44 8A07 mov al,[bx]
00007C46 84C0 test al,al
00007C48 7412 jz 0x7c5c
00007C4A BF8407 mov di,0x784
00007C4D B108 mov cl,0x8
00007C4F F2AE repne scasb
00007C51 81C70600 add di,0x6
00007C55 8A0D mov cl,[di]
00007C57 01CF add di,cx
00007C59 E8BD00 call word 0x7d19
00007C5C 42 inc dx
00007C5D 80C310 add bl,0x10
00007C60 73D9 jnc 0x7c3b
00007C62 58 pop ax
00007C63 2C7F sub al,0x7f
00007C65 3A067504 cmp al,[0x475]
00007C69 7205 jc 0x7c70
00007C6B 48 dec ax
00007C6C 740D jz 0x7c7b
00007C6E 30C0 xor al,al
00007C70 04B0 add al,0xb0
00007C72 8846B4 mov [bp-0x4c],al
00007C75 BFAE07 mov di,0x7ae
00007C78 E89E00 call word 0x7d19
00007C7B BE7207 mov si,0x772
00007C7E E8B300 call word 0x7d34
00007C81 8A56B5 mov dl,[bp-0x4b]
00007C84 4E dec si
00007C85 E8A500 call word 0x7d2d
00007C88 EB05 jmp short 0x7c8f
00007C8A B023 mov al,0x23
00007C8C E8AC00 call word 0x7d3b
00007C8F 30E4 xor ah,ah
00007C91 CD1A int 0x1a
00007C93 89D7 mov di,dx
00007C95 037EBC add di,[bp-0x44]
00007C98 B403 mov ah,0x3
00007C9A E8A000 call word 0x7d3d
00007C9D F6C401 test ah,0x1
00007CA0 7511 jnz 0x7cb3
00007CA2 30E4 xor ah,ah
00007CA4 CD1A int 0x1a
00007CA6 39FA cmp dx,di
00007CA8 72EE jc 0x7c98
00007CAA 8A46B5 mov al,[bp-0x4b]
00007CAD 804EB740 or byte [bp-0x49],0x40
00007CB1 EB0B jmp short 0x7cbe
00007CB3 B402 mov ah,0x2
00007CB5 E88500 call word 0x7d3d
00007CB8 3C0D cmp al,0xd
00007CBA 74EE jz 0x7caa
00007CBC 2C31 sub al,0x31
00007CBE 3C05 cmp al,0x5
00007CC0 7502 jnz 0x7cc4
00007CC2 CD18 int 0x18
00007CC4 73C4 jnc 0x7c8a
00007CC6 98 cbw
00007CC7 0FA34610 bt [bp+0x10],ax
00007CCB 73BD jnc 0x7c8a
00007CCD 8846B5 mov [bp-0x4b],al
00007CD0 89EE mov si,bp
00007CD2 8A14 mov dl,[si]
00007CD4 89F3 mov bx,si
00007CD6 3C04 cmp al,0x4
00007CD8 9C pushfw
00007CD9 740A jz 0x7ce5
00007CDB C0E004 shl al,0x4
00007CDE 05BE07 add ax,0x7be
00007CE1 93 xchg ax,bx
00007CE2 C60780 mov byte [bx],0x80
00007CE5 53 push bx
00007CE6 F646B740 test byte [bp-0x49],0x40
00007CEA 7508 jnz 0x7cf4
00007CEC BB0006 mov bx,0x600
00007CEF B403 mov ah,0x3
00007CF1 E85000 call word 0x7d44
00007CF4 5E pop si
00007CF5 9D popfw
00007CF6 7506 jnz 0x7cfe
00007CF8 8A56B4 mov dl,[bp-0x4c]
00007CFB 80EA30 sub dl,0x30
00007CFE BB007C mov bx,0x7c00
00007D01 B402 mov ah,0x2
00007D03 E83E00 call word 0x7d44
00007D06 7282 jc 0x7c8a
00007D08 81BFFE0155AA cmp word [bx+0x1fe],0xaa55
00007D0E 0F8578FF jnz word 0x7c8a
00007D12 56 push si
00007D13 E81200 call word 0x7d28
00007D16 5E pop si
00007D17 FFE3 jmp bx
00007D19 0FAB5610 bts [bp+0x10],dx
00007D1D BE8007 mov si,0x780
00007D20 E80A00 call word 0x7d2d
00007D23 89FE mov si,di
00007D25 E80C00 call word 0x7d34
00007D28 BE8207 mov si,0x782
00007D2B EB07 jmp short 0x7d34
00007D2D B031 mov al,0x31
00007D2F 00D0 add al,dl
00007D31 E80700 call word 0x7d3b
00007D34 AC lodsb
00007D35 A880 test al,0x80
00007D37 74F8 jz 0x7d31
00007D39 247F and al,0x7f
00007D3B B401 mov ah,0x1
00007D3D 52 push dx
00007D3E 31D2 xor dx,dx
00007D40 CD14 int 0x14
00007D42 5A pop dx
00007D43 C3 ret
00007D44 8A7401 mov dh,[si+0x1]
00007D47 8B4C02 mov cx,[si+0x2]
00007D4A B001 mov al,0x1
00007D4C 56 push si
00007D4D 89E7 mov di,sp
00007D4F 84D2 test dl,dl
00007D51 7419 jz 0x7d6c
00007D53 F646B780 test byte [bp-0x49],0x80
00007D57 7413 jz 0x7d6c
00007D59 666A00 push dword 0x0
00007D5C 66FF7408 push dword [si+0x8]
00007D60 06 push es
00007D61 53 push bx
00007D62 6A01 push byte +0x1
00007D64 6A10 push byte +0x10
00007D66 89E6 mov si,sp
00007D68 48 dec ax
00007D69 80CC40 or ah,0x40
00007D6C CD13 int 0x13
00007D6E 89FC mov sp,di
00007D70 5E pop si
00007D71 C3 ret
00007D72 0A4636 or al,[bp+0x36]
00007D75 205058 and [bx+si+0x58],dl
00007D78 45 inc bp
00007D79 0D0A42 or ax,0x420a
00007D7C 6F outsw
00007D7D 6F outsw
00007D7E 743A jz 0x7dba
00007D80 20A00D8A and [bx+si-0x75f3],ah
00007D84 83A5A6A906 and word [di-0x565a],byte +0x6
00007D89 07 pop es
00007D8A 0B0C or cx,[si]
00007D8C 1013 adc [bp+di],dl
00007D8E 1205 adc al,[di]
00007D90 0403 add al,0x3
00007D92 01BF5769 add [bx+0x6957],di
00007D96 EE out dx,al
00007D97 4C dec sp
00007D98 696E75F870 imul bp,[bp+0x75],word 0x70f8
00007D9D 6653 push ebx
00007D9F 656E gs outsb
00007DA1 73E5 jnc 0x7d88
00007DA3 90 nop
00007DA4 90 nop
00007DA5 90 nop
00007DA6 90 nop
00007DA7 90 nop
00007DA8 90 nop
00007DA9 90 nop
00007DAA 90 nop
00007DAB 90 nop
00007DAC 90 nop
00007DAD 90 nop
00007DAE 44 inc sp
00007DAF 7269 jc 0x7e1a
00007DB1 7665 jna 0x7e18
00007DB3 2000 and [bx+si],al
00007DB5 00808390 add [bx+si-0x6f7d],al
00007DB9 90 nop
00007DBA 90 nop
00007DBB 90 nop
00007DBC B600 mov dh,0x0
00007DBE 800101 add byte [bx+di],0x1
00007DC1 00A50FFF add [di-0xf1],ah
00007DC5 92 xchg ax,dx
00007DC6 3F aas
00007DC7 0000 add [bx+si],al
00007DC9 0091120E add [bx+di+0xe12],dl
00007DCD 0000 add [bx+si],al
00007DCF 01C1 add cx,ax
00007DD1 93 xchg ax,bx
00007DD2 A5 movsw
00007DD3 0FFF ud0
00007DD5 250F13 and ax,0x130f
00007DD8 0E push cs
00007DD9 0091120E add [bx+di+0xe12],dl
00007DDD 0000 add [bx+si],al
00007DDF 00C1 add cl,al
00007DE1 26A5 es movsw
00007DE3 0FFF ud0
00007DE5 8BA0251C mov sp,[bx+si+0x1c25]
00007DE9 00A09101 add [bx+si+0x191],ah
00007DED 0000 add [bx+si],al
00007DEF 0000 add [bx+si],al
00007DF1 0000 add [bx+si],al
00007DF3 0000 add [bx+si],al
00007DF5 0000 add [bx+si],al
00007DF7 0000 add [bx+si],al
00007DF9 0000 add [bx+si],al
00007DFB 0000 add [bx+si],al
00007DFD 0055AA add [di-0x56],dl
So now I've got the bootcodes disassembled and ready for analysis. Using meld, I decided to try to compare the 2 files side-by-side. Needless to say, there are no similarities of consequence.
At this point, I am sadly at a bit of a stand-still... I do not know nor understand Assembly code. So while it is right in front of me, ready to be picked apart and reverse-engineered, it might as well be written in an alien language. Sadly, I am stuck here at this point until I either learn assembly, or think of an alternative way to try this.
While I was originally writing this article, I had expected to be able to successfully install pfSense, and thus titled the article accordingly: "pfSense on Nokia IP260". Now, in light of the fact that I cannot really continue, I have to change the title to something more appropriate... Something like "Nokia IP260 - New Discoveries for an Old Device" (in fact, this is what I decided to use). Now that I have reached the end of this road (for now anyways), I can't help but reflect upon a comment that was made in the pfSense thread:
"Nokia presumably wrote the bios, so they could do what they wanted / needed to, without regards to booting a general purpose OS."
Indeed, that is exactly what happened here. When you boot the appliance, the POST screen shows you the following:
F... E... D... C... B... A... 9... 8... 7... 6... 5... 4... 3... 2... 1... 0...
Nokia Baja BIOS bootstrap loader, Version 2.02
Copyright (c) 1997-2005, Nokia, Inc.
Unknown motherboard type 6186, Manu. Rev 2, Board Rev 1
CPU Id 0x06B0 stepping 4, Rev 0, L2 Cache 256KB
512MB SDRAM memory
DIMM 0 256 MBytes, Single Sided DIMM 1 256 MBytes, Single Sided
Look at that, "Nokia Baja BIOS bootstrap loader, Version 2.02". Indeed, this is very likely a proprietary BIOS. Which brings us back to the initial error message I was getting, "Unhandled real mode interrupt!". Once the BIOS loads the Bootloader, the Bootloader operates in what is known as "Real Mode". Which would explain the error: the pfSense Bootloader is sending an interrupt that does not exist in the Nokia Baja BIOS. According to some internal discussions here at work, it seems that the IP26x series of appliances had a hardware architecture that was unique to the IP26x series; there is nothing else quite like these. It would seem that the BIOS was created specifically to load the IPSO Bootloader, which is meant to load IPSO only. Based on this assumption, the only way to move forward with this would be to either reverse engineer the IPSO bootloader, or make pfSense work with the IPSO Bootloader.
For now, this project is getting pushed to the back burner while I continue to research and tinker, and work on other projects. If/when I make any new discoveries, I will keep this article updated.
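The register dump quoted near the top of this article can be decoded to see exactly which BIOS request was in flight when the "Unhandled real mode interrupt!" message appeared. This is an added example, not part of the original article; it assumes each stack value in the dump is the low word of a 4-byte slot, and tests that assumption against the pfSense MBR bytes that the BIOS loaded at 0x7C00.

```python
import re

# Register dump printed by the Nokia BIOS, copied from the console output above.
CRASH = """\
Vector: 0x00000013
CS:IP = 0000:076E
SS:ESP = 0000:7BEC
EAX = 4200 EBX = 7C00 ECX = 0001 EDX = 0180
ESI = 7BEC EDI = 7BFC EBP = 0800 FLG = 7006
Stack:
7BEC: 0010 7C00 003F 0000
7BFC: 07BE 31FC 8EC0 BCD0
7C0C: E689 B906 A5F3 08B1
"""
# First 28 bytes of the pfSense MBR, from the xxd dump on this page.
MBR_HEAD = bytes.fromhex(
    "fc31c08ec08ed88ed0bc007c89e6bf0006b90001f3a589fdb108f3ab")

INT13 = {0x02: "read sectors (CHS)", 0x03: "write sectors (CHS)",
         0x42: "extended read (LBA packet)",
         0x43: "extended write (LBA packet)"}


def parse_dump(text):
    """Return (registers, stack); stack maps address -> displayed 16-bit value."""
    regs = {"VECTOR": int(re.search(r"Vector: 0x([0-9A-F]+)", text).group(1), 16)}
    for seg, off, s, o in re.findall(
            r"(\w+):(\w+) = ([0-9A-F]{4}):([0-9A-F]{4})", text):
        regs[seg], regs[off] = int(s, 16), int(o, 16)
    for name, val in re.findall(
            r"(?<![:\w])([A-Z]{2,3}) = ([0-9A-F]{4})(?![:\w])", text):
        regs[name] = int(val, 16)
    stack = {}
    # Row labels advance by 0x10 per four values, so each value is read here as
    # the low word of a 4-byte slot (an assumption, tested by slots_match_mbr).
    for base, row in re.findall(
            r"^([0-9A-F]{4}):((?: [0-9A-F]{4})+)$", text, re.M):
        for i, word in enumerate(row.split()):
            stack[int(base, 16) + 4 * i] = int(word, 16)
    return regs, stack


def slots_match_mbr(stack, mbr_head, load=0x7C00):
    """True if every slot at or above 0x7C00 equals the MBR bytes loaded there."""
    hits = [(a, v) for a, v in stack.items()
            if load <= a <= load + len(mbr_head) - 2]
    return bool(hits) and all(
        int.from_bytes(mbr_head[a - load:a - load + 2], "little") == v
        for a, v in hits)


def decode_call(regs, stack):
    """Describe the INT 13h request that was in flight when the dump was taken."""
    ah = (regs["EAX"] >> 8) & 0xFF
    call = {"ah": ah, "function": INT13.get(ah, "unknown"),
            "drive": regs["EDX"] & 0xFF,
            # boot0 runs from its copy at 0x600; the listing's origin is 0x7C00.
            "return_in_listing": regs["IP"] - 0x600 + 0x7C00}
    if ah in (0x42, 0x43):  # DS:SI points at the disk address packet
        si = regs["ESI"]
        call["dap"] = {"size": stack[si] & 0xFF,
                       "buffer_offset": stack[si + 4],
                       "lba_low16": stack[si + 8]}
    return call


if __name__ == "__main__":
    regs, stack = parse_dump(CRASH)
    print("stack slots agree with MBR:", slots_match_mbr(stack, MBR_HEAD))
    print(decode_call(regs, stack))
```

The decoded request is INT 13h function 42h on drive 80h, with a 16-byte packet asking for LBA 0x3F (the 3f 00 00 00 start field of the first pfSense partition entry) to be read to offset 7C00. The return address maps to 00007D6E in the disassembly, the instruction right after the int 0x13 at 00007D6C, which agrees with charliem's reading.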