I had come across an old Nokia IP260 here at work. The device is long since end-of-life, no longer supported, won't be RMA'd... It can only run versions of IPSO and Checkpoint so ancient that it borders upon useless (and in fact maybe even dangerous). But the hardware works perfectly fine. It boots, loads, and all Checkpoint services operate, if you can get your hands on a license (which you can't, really, because it is so old, end-of-life, and unsupported). So what to do with the hardware? Sure I can cannibalize it for a 20GB Laptop HDD and 1GB Flash card, but the device workes better as a whole... It would be nice to make it function in some manner.

The IP Appliance Operating System, IPSO, is based off of FreeDSB. pfSense is based off FreeBSD. Looks like a match made in heaven. I've read some articles and forum posts about getting different OSes running on IP330, IP560, IP380, etc... But nothing on an IP260. Here is my work at attempting this, and the discoveries made along the way.

First a brief history of the IP260...

First brought to market by Nokia in January 2005, it was meant to be a small appliance. At only 1/2U (half a Rack Unit) size, this was meant for small branch offices and medium to large sized businesses. It runs a Nokia-Specific operating system called IPSO. It is BSD based, and it is not eaasy to get running on a non-IP Appliace. The IP260 went completely end-of-life in June of 2013. The newest version of IPSO it can run is 4.2, and that can only handle Checkpoint R65. R65 is also long-since end-of-life.

Quick Specs:

  • Intel Celeron 400MHz CPU
  • 512MB RAM
  • 1GB Flash Card
  • 40GB HDD
  • 4 10/100 NIC ports
  • Serial Console port
  • AUX Serial port

So this is by no means a big beefy device capable of pushing data center kind of traffic, but it is certainly more than adequate for Home and small business use as well as it's original intended use.

Now, I hear you asking, "If it runs IPSO 4.2 and Checkpoint R65 just fine, why change it?" And the answer is simple: licensing. Checkpoint is not free. Far from it. In fact, as far as I can tell, it is one of the more expensive products out there. And since the version of Checkpoint is also end-of-life, getting a license for it will be impossible. So Checkpoint is completely out of the question. While I can certainly then let IPSO run as a router, that could be fine. But this is a network security appliance, and since IPSO is BSD based, then it stands to reason that just about any old BSD based OS should, in theory, work as well.

I had previously come across pfSense in my efforts to find a nice UTM distro. While it met most of my needs, I had found another Linux based distro to serve as my UTM, Sophos. But that is LInux based, not BSD, and will absolutely not work on this IP260. So I decided to revisit pfSense for this. It certainly looks promising.

Throughout the interwebs I managed to find a number of articles regarding other IP Appliances and putting on other OSes, like pfSense, FreeBSD, and Ubuntu. For the most part, other than some interface configurations, the install and setup process went smoothly, as described in the various Install Guides for the respective product. Feeling optimistic about the setup, I simply dove in.


Following the above guide, I download the "NanoBSD: Embedded install type using the serial console by default" image. I flashed it to the CF card using dd and put the card into the IP260. When I turned on the Appliance, I could see the POST messages on my console connection, and I could see it start to boot:

Loading master boot sector...
Transferring control to the master bootstrap loader...

1 pfSense
2 pfSense
5 Drive 1


Woo Yeah! Success! I select 1 (as per install guide) and right away it crashes:

Unhandled real mode interrupt!
Vector: 0x00000013
CS:IP = 0000:076E
SS:ESP = 0000:7BEC
EAX = 4200 EBX = 7C00 ECX = 0001 EDX = 0180
ESI = 7BEC EDI = 7BFC EBP = 0800 FLG = 7006
DS = 0000 ES = 0000 FS = 0000 GS = 0000
7BEC: 0010 7C00 003F 0000
7BFC: 07BE 31FC 8EC0 BCD0
7C0C: E689 B906 A5F3 08B1
7C1C: 45FE 8A00 20B7 4E80

Crap. I knew it was too good to be true. So I went ahead and double (and triple) checked the image, MD5Sum,flash command, and everythuing else. The process was good, I was definitely doing the right steps. Thinking it might be a pfSens problem, I tried the same process with m0n0wall, SmallWall, and t1n1wall. While all are based off of m0n0wall and BSD, they all have their own unique features. I followed their respective guides and all gave me more or less the same results. m0n0wall is now longer being worked on, which spawned the forks of SmallWall and t1n1wall. These 2 new forks are very new, and have yet to form a large community following, so I cannot really seek much help there. Which brings us full-circle back to pfSense. Having few other options, I created a new thread in their forum. Once of the members, charliem, posted the following response:

"The boot loader is trying to use INT13h, AH42, aka 'extended services read' to load the MBR, and appears to be failing.  I'd guess the target device doesn't support that, and the bootloader may need to use CHS to access the device instead, like a floppy.  Nokia presumably wrote the bios, so they could do what they wanted / needed to, without regards to booting a general purpose OS.  But that's just a WAG."

There are a couple of new terms in here that I am not immediately familiar with... "INT13h", "AH42", and "CHS"... What do these mean? A quick Google search brought me to the following sites:



There were a ton of others, but these 2 were the most helpful. Ok, so we're talking about accessing the Hard Drive's Master Boot Record using different methods. Ok, I can work with that. I decided to compare my 1GB card to a working 128MB IPSO card from another IP260 (my IP260 boots this other card just fine, no issues). Myself, I'm not an expert on the fine inner details of the workings of the MBR. One thing I DO know however, is that it stores the Partition Table. So let's compare ther IPSO card to the pfSense card. I ran the following command and got the below outputs:

sfdisk -l

IPSO card:

Disk /dev/sdb: 1011 cylinders, 4 heads, 62 sectors/track
Warning: The partition table looks like it was made
for C/H/S=*/256/63 (instead of 1011/4/62).
For this listing I'll assume that geometry.
Units = cylinders of 8257536 bytes, blocks of 1024 bytes, counting from 0

Device Boot Start End #cyls #blocks Id System
/dev/sdb1 0 - 0 0 0 Empty
/dev/sdb2 0 - 0 0 0 Empty
/dev/sdb3 0 - 0 0 0 Empty
/dev/sdb4 * 0 3- 4- 25000 a6 OpenBSD
end: (c,h,s) expected (3,25,41) found (1023,255,63)

Disk /dev/sdb4: 201 cylinders, 4 heads, 62 sectors/track
Warning: The partition table looks like it was made
for C/H/S=*/256/63 (instead of 201/4/62).
For this listing I'll assume that geometry.
Units = cylinders of 8257536 bytes, blocks of 1024 bytes, counting from 0

Device Boot Start End #cyls #blocks Id System
/dev/sdb4p1 0 - 0 0 0 Empty
/dev/sdb4p2 0 - 0 0 0 Empty
/dev/sdb4p3 0 - 0 0 0 Empty
/dev/sdb4p4 * 0 3- 4- 25000 a6 OpenBSD
end: (c,h,s) expected (3,25,41) found (1023,255,63)

pfSense Card:

Disk /dev/sdb: 1009 cylinders, 32 heads, 62 sectors/track
Warning: The partition table looks like it was made
for C/H/S=*/16/63 (instead of 1009/32/62).
For this listing I'll assume that geometry.
Units = cylinders of 516096 bytes, blocks of 1024 bytes, counting from 0

Device Boot Start End #cyls #blocks Id System
/dev/sdb1 * 0+ 914 915- 461128+ a5 FreeBSD
/dev/sdb2 915+ 1829 915- 461128+ a5 FreeBSD
end: (c,h,s) expected (1023,15,63) found (805,15,63)
/dev/sdb3 1830 1931 102 51408 a5 FreeBSD
start: (c,h,s) expected (1023,15,63) found (806,0,1)
end: (c,h,s) expected (1023,15,63) found (907,15,63)
/dev/sdb4 0 - 0 0 0 Empty

On the IPSO card you can see the following:

for C/H/S=*/256/63 (instead of 1011/4/62)

And some other similar lines. There's that CHS that was mentioned in the forum post! So I am definitely on the right track. We can also see that while the pfSense partitioning scheme makes sense, the IPSO card partitioning is all messed up. It appears to be rather unique to me... I have never seen anything quite like this before.

So the only thing that can work from these partition schemes are the bootloaders, located within the MBR. Through my Google searches for "INT13h", "AH42", and "CHS", I came across some pages that mention making changes to the MBR using a Hex Editor. In Windows, there are many many applications that can edit the MBR directly. While handy to know, I do not actually have Windows anywhere; I use Linux only. So what to do? Using the dd command, you can easily extract the MBR using the following command:

dd if=/dev/sdb of=mbr bs=512 count=1

Once done, you are now in posession of the MBR in binary format, all 1s and 0s. using xxd, you can easily convert this binary file to semi-readable Hex code:

xxd mbr > mbr.txt

Which gave me the following Hex Code outputs:


0000000: eb1b 9090 161f 666a 0051 5006 5331 c088 ......fj.QP.S1..
0000010: f050 6a10 89e5 e8be 008d 6610 cbfc 31c9 .Pj.......f...1.
0000020: 8ec1 8ed9 8ed1 bc00 7c89 e6bf 0007 fec5 ........|.......
0000030: f3a5 beee 7d80 fa80 722c b601 e867 00b9 ....}...r,...g..
0000040: 0100 bebe 8db6 0180 7c04 a675 07e3 19f6 ........|..u....
0000050: 0480 7514 83c6 10fe c680 fe05 72e9 49e3 ..u.........r.I.
0000060: e1be 7c7d eb52 31d2 8916 0009 b610 e835 ..|}.R1........5
0000070: 00bb 0090 8b77 0a01 debf 00b0 b900 ac29 .....w.........)
0000080: f1f3 a429 f930 c0f3 aae8 0300 e981 13fa ...).0..........
0000090: e464 a802 75fa b0d1 e664 e464 a802 75fa .d..u....d.d..u.
00000a0: b0df e660 fbc3 bb00 8c8b 4408 8b4c 0a0e ...'......D..L..
00000b0: e853 ff73 21be 797d e813 00be 817d e80d .S.s!.y}.....}..
00000c0: 0030 e4cd 16cd 19bb 0700 b40e cd10 ac84 .0..............
00000d0: c075 f4b4 01f9 c32e f606 8a08 8074 21bb .u...........t!.
00000e0: aa55 52b4 41cd 135a 7216 81fb 55aa 7510 .UR.A..Zr...U.u.
00000f0: f6c1 0174 0b89 eeb4 42cd 13b0 ffe6 80c3 ...t....B.......
0000100: 52b4 08cd 1388 f55a 72cc 80e1 3f74 c4fa R......Zr...?t..
0000110: 668b 4608 5266 0fb6 d966 31d2 66f7 f388 f.F.Rf...f1.f...
0000120: eb88 d543 30d2 66f7 f388 d75a 663d ff03 ...C0.f....Zf=..
0000130: 0000 fb77 9e86 c4c0 c802 08e8 4091 88fe ...w........@...
0000140: 28e0 8a66 0238 e072 0288 e0bf 0500 c45e (..f.8.r.......^
0000150: 0450 b402 cd13 5b73 0a4f 741c 30e4 cd13 .P....[s.Ot.0...
0000160: 93eb eb0f b6c3 0146 0873 03ff 460a d0e3 .......F.s..F...
0000170: 005e 0528 4602 7788 c352 6500 426f 6f74 .^.(F.w..Re.Boot
0000180: 0020 6572 726f 720d 0a00 0090 9090 9090 . error.........
0000190: 9090 9090 9090 9090 9090 9090 9090 9090 ................
00001a0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
00001b0: 9090 9090 9090 9090 9090 9090 9090 0000 ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 8000 ................
00001f0: 0100 a6ff ffff 0000 0000 50c3 0000 55aa ..........P...U.

pfSense MBR:

0000000: fc31 c08e c08e d88e d0bc 007c 89e6 bf00 .1.........|....
0000010: 06b9 0001 f3a5 89fd b108 f3ab fe45 f2e9 .............E..
0000020: 008a f646 b720 7407 804e b740 8a56 b688 ...F. t..N.@.V..
0000030: 5600 52e8 f200 bbc2 0731 d288 6ffc 0fa3 V.R......1..o...
0000040: 56b7 7318 8a07 84c0 7412 bf84 07b1 08f2 V.s.....t.......
0000050: ae81 c706 008a 0d01 cfe8 bd00 4280 c310 ............B...
0000060: 73d9 582c 7f3a 0675 0472 0548 740d 30c0 s.X,.:.u.r.Ht.0.
0000070: 04b0 8846 b4bf ae07 e89e 00be 7207 e8b3 ...F........r...
0000080: 008a 56b5 4ee8 a500 eb05 b023 e8ac 0030 ..V.N......#...0
0000090: e4cd 1a89 d703 7ebc b403 e8a0 00f6 c401 ......~.........
00000a0: 7511 30e4 cd1a 39fa 72ee 8a46 b580 4eb7 u.0...9.r..F..N.
00000b0: 40eb 0bb4 02e8 8500 3c0d 74ee 2c31 3c05 @.......<.t.,1<.
00000c0: 7502 cd18 73c4 980f a346 1073 bd88 46b5 u...s....F.s..F.
00000d0: 89ee 8a14 89f3 3c04 9c74 0ac0 e004 05be ......<..t......
00000e0: 0793 c607 8053 f646 b740 7508 bb00 06b4 .....S.F.@u.....
00000f0: 03e8 5000 5e9d 7506 8a56 b480 ea30 bb00 ..P.^.u..V...0..
0000100: 7cb4 02e8 3e00 7282 81bf fe01 55aa 0f85 |...>.r.....U...
0000110: 78ff 56e8 1200 5eff e30f ab56 10be 8007 x.V...^....V....
0000120: e80a 0089 fee8 0c00 be82 07eb 07b0 3100 ..............1.
0000130: d0e8 0700 aca8 8074 f824 7fb4 0152 31d2 .......t.$...R1.
0000140: cd14 5ac3 8a74 018b 4c02 b001 5689 e784 ..Z..t..L...V...
0000150: d274 19f6 46b7 8074 1366 6a00 66ff 7408 .t..F..t.fj.f.t.
0000160: 0653 6a01 6a10 89e6 4880 cc40 cd13 89fc .Sj.j...H..@....
0000170: 5ec3 0a46 3620 5058 450d 0a42 6f6f 743a ^..F6 PXE..Boot:
0000180: 20a0 0d8a 83a5 a6a9 0607 0b0c 1013 1205 ...............
0000190: 0403 01bf 5769 ee4c 696e 75f8 7066 5365 ....Wi.Linu.pfSe
00001a0: 6e73 e590 9090 9090 9090 9090 9090 4472 ns............Dr
00001b0: 6976 6520 0000 8083 9090 9090 b600 8001 ive ............
00001c0: 0100 a50f ff92 3f00 0000 9112 0e00 0001 ......?.........
00001d0: c193 a50f ff25 0f13 0e00 9112 0e00 0000 .....%..........
00001e0: c126 a50f ff8b a025 1c00 a091 0100 0000 .&.....%........
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa ..............U.

Great. So now I can see that the Bootloader for both are WILDLY different... But what to do about it? While I can certainly start copy/pasting various Hex peices, but without knowing what they mean and do, it'll likely be a pointless task. Searching Google for any DIY bootloader info, I came across the following sites:





Great... The Bootloader code is written in Assembly Language. While very powerful, it is VERY low-level, and is so unused and obscure these days that it borders on being a dead language. Using the commands from the Stack Overflow site, I extracted (disassembled) the MBR bootloader code.

First, extract the MBR:

dd if=/dev/sdc of=mbr.bin bs=512 count=1
Now, disassemble the bootcode:

ndisasm -b16 -o7C00h mbr.bin > mbr.asm

IPSO Bootcode:

[At Checkpoint's request, I have removed the IPSO bootcode itself]

pfSense Bootcode:

00007C00  FC                cld
00007C01  31C0              xor ax,ax
00007C03  8EC0              mov es,ax
00007C05  8ED8              mov ds,ax
00007C07  8ED0              mov ss,ax
00007C09  BC007C            mov sp,0x7c00
00007C0C  89E6              mov si,sp
00007C0E  BF0006            mov di,0x600
00007C11  B90001            mov cx,0x100
00007C14  F3A5              rep movsw
00007C16  89FD              mov bp,di
00007C18  B108              mov cl,0x8
00007C1A  F3AB              rep stosw
00007C1C  FE45F2            inc byte [di-0xe]
00007C1F  E9008A            jmp word 0x622
00007C22  F646B720          test byte [bp-0x49],0x20
00007C26  7407              jz 0x7c2f
00007C28  804EB740          or byte [bp-0x49],0x40
00007C2C  8A56B6            mov dl,[bp-0x4a]
00007C2F  885600            mov [bp+0x0],dl
00007C32  52                push dx
00007C33  E8F200            call word 0x7d28
00007C36  BBC207            mov bx,0x7c2
00007C39  31D2              xor dx,dx
00007C3B  886FFC            mov [bx-0x4],ch
00007C3E  0FA356B7          bt [bp-0x49],dx
00007C42  7318              jnc 0x7c5c
00007C44  8A07              mov al,[bx]
00007C46  84C0              test al,al
00007C48  7412              jz 0x7c5c
00007C4A  BF8407            mov di,0x784
00007C4D  B108              mov cl,0x8
00007C4F  F2AE              repne scasb
00007C51  81C70600          add di,0x6
00007C55  8A0D              mov cl,[di]
00007C57  01CF              add di,cx
00007C59  E8BD00            call word 0x7d19
00007C5C  42                inc dx
00007C5D  80C310            add bl,0x10
00007C60  73D9              jnc 0x7c3b
00007C62  58                pop ax
00007C63  2C7F              sub al,0x7f
00007C65  3A067504          cmp al,[0x475]
00007C69  7205              jc 0x7c70
00007C6B  48                dec ax
00007C6C  740D              jz 0x7c7b
00007C6E  30C0              xor al,al
00007C70  04B0              add al,0xb0
00007C72  8846B4            mov [bp-0x4c],al
00007C75  BFAE07            mov di,0x7ae
00007C78  E89E00            call word 0x7d19
00007C7B  BE7207            mov si,0x772
00007C7E  E8B300            call word 0x7d34
00007C81  8A56B5            mov dl,[bp-0x4b]
00007C84  4E                dec si
00007C85  E8A500            call word 0x7d2d
00007C88  EB05              jmp short 0x7c8f
00007C8A  B023              mov al,0x23
00007C8C  E8AC00            call word 0x7d3b
00007C8F  30E4              xor ah,ah
00007C91  CD1A              int 0x1a
00007C93  89D7              mov di,dx
00007C95  037EBC            add di,[bp-0x44]
00007C98  B403              mov ah,0x3
00007C9A  E8A000            call word 0x7d3d
00007C9D  F6C401            test ah,0x1
00007CA0  7511              jnz 0x7cb3
00007CA2  30E4              xor ah,ah
00007CA4  CD1A              int 0x1a
00007CA6  39FA              cmp dx,di
00007CA8  72EE              jc 0x7c98
00007CAA  8A46B5            mov al,[bp-0x4b]
00007CAD  804EB740          or byte [bp-0x49],0x40
00007CB1  EB0B              jmp short 0x7cbe
00007CB3  B402              mov ah,0x2
00007CB5  E88500            call word 0x7d3d
00007CB8  3C0D              cmp al,0xd
00007CBA  74EE              jz 0x7caa
00007CBC  2C31              sub al,0x31
00007CBE  3C05              cmp al,0x5
00007CC0  7502              jnz 0x7cc4
00007CC2  CD18              int 0x18
00007CC4  73C4              jnc 0x7c8a
00007CC6  98                cbw
00007CC7  0FA34610          bt [bp+0x10],ax
00007CCB  73BD              jnc 0x7c8a
00007CCD  8846B5            mov [bp-0x4b],al
00007CD0  89EE              mov si,bp
00007CD2  8A14              mov dl,[si]
00007CD4  89F3              mov bx,si
00007CD6  3C04              cmp al,0x4
00007CD8  9C                pushfw
00007CD9  740A              jz 0x7ce5
00007CDB  C0E004            shl al,0x4
00007CDE  05BE07            add ax,0x7be
00007CE1  93                xchg ax,bx
00007CE2  C60780            mov byte [bx],0x80
00007CE5  53                push bx
00007CE6  F646B740          test byte [bp-0x49],0x40
00007CEA  7508              jnz 0x7cf4
00007CEC  BB0006            mov bx,0x600
00007CEF  B403              mov ah,0x3
00007CF1  E85000            call word 0x7d44
00007CF4  5E                pop si
00007CF5  9D                popfw
00007CF6  7506              jnz 0x7cfe
00007CF8  8A56B4            mov dl,[bp-0x4c]
00007CFB  80EA30            sub dl,0x30
00007CFE  BB007C            mov bx,0x7c00
00007D01  B402              mov ah,0x2
00007D03  E83E00            call word 0x7d44
00007D06  7282              jc 0x7c8a
00007D08  81BFFE0155AA      cmp word [bx+0x1fe],0xaa55
00007D0E  0F8578FF          jnz word 0x7c8a
00007D12  56                push si
00007D13  E81200            call word 0x7d28
00007D16  5E                pop si
00007D17  FFE3              jmp bx
00007D19  0FAB5610          bts [bp+0x10],dx
00007D1D  BE8007            mov si,0x780
00007D20  E80A00            call word 0x7d2d
00007D23  89FE              mov si,di
00007D25  E80C00            call word 0x7d34
00007D28  BE8207            mov si,0x782
00007D2B  EB07              jmp short 0x7d34
00007D2D  B031              mov al,0x31
00007D2F  00D0              add al,dl
00007D31  E80700            call word 0x7d3b
00007D34  AC                lodsb
00007D35  A880              test al,0x80
00007D37  74F8              jz 0x7d31
00007D39  247F              and al,0x7f
00007D3B  B401              mov ah,0x1
00007D3D  52                push dx
00007D3E  31D2              xor dx,dx
00007D40  CD14              int 0x14
00007D42  5A                pop dx
00007D43  C3                ret
00007D44  8A7401            mov dh,[si+0x1]
00007D47  8B4C02            mov cx,[si+0x2]
00007D4A  B001              mov al,0x1
00007D4C  56                push si
00007D4D  89E7              mov di,sp
00007D4F  84D2              test dl,dl
00007D51  7419              jz 0x7d6c
00007D53  F646B780          test byte [bp-0x49],0x80
00007D57  7413              jz 0x7d6c
00007D59  666A00            push dword 0x0
00007D5C  66FF7408          push dword [si+0x8]
00007D60  06                push es
00007D61  53                push bx
00007D62  6A01              push byte +0x1
00007D64  6A10              push byte +0x10
00007D66  89E6              mov si,sp
00007D68  48                dec ax
00007D69  80CC40            or ah,0x40
00007D6C  CD13              int 0x13
00007D6E  89FC              mov sp,di
00007D70  5E                pop si
00007D71  C3                ret
00007D72  0A4636            or al,[bp+0x36]
00007D75  205058            and [bx+si+0x58],dl
00007D78  45                inc bp
00007D79  0D0A42            or ax,0x420a
00007D7C  6F                outsw
00007D7D  6F                outsw
00007D7E  743A              jz 0x7dba
00007D80  20A00D8A          and [bx+si-0x75f3],ah
00007D84  83A5A6A906        and word [di-0x565a],byte +0x6
00007D89  07                pop es
00007D8A  0B0C              or cx,[si]
00007D8C  1013              adc [bp+di],dl
00007D8E  1205              adc al,[di]
00007D90  0403              add al,0x3
00007D92  01BF5769          add [bx+0x6957],di
00007D96  EE                out dx,al
00007D97  4C                dec sp
00007D98  696E75F870        imul bp,[bp+0x75],word 0x70f8
00007D9D  6653              push ebx
00007D9F  656E              gs outsb
00007DA1  73E5              jnc 0x7d88
00007DA3  90                nop
00007DA4  90                nop
00007DA5  90                nop
00007DA6  90                nop
00007DA7  90                nop
00007DA8  90                nop
00007DA9  90                nop
00007DAA  90                nop
00007DAB  90                nop
00007DAC  90                nop
00007DAD  90                nop
00007DAE  44                inc sp
00007DAF  7269              jc 0x7e1a
00007DB1  7665              jna 0x7e18
00007DB3  2000              and [bx+si],al
00007DB5  00808390          add [bx+si-0x6f7d],al
00007DB9  90                nop
00007DBA  90                nop
00007DBB  90                nop
00007DBC  B600              mov dh,0x0
00007DBE  800101            add byte [bx+di],0x1
00007DC1  00A50FFF          add [di-0xf1],ah
00007DC5  92                xchg ax,dx
00007DC6  3F                aas
00007DC7  0000              add [bx+si],al
00007DC9  0091120E          add [bx+di+0xe12],dl
00007DCD  0000              add [bx+si],al
00007DCF  01C1              add cx,ax
00007DD1  93                xchg ax,bx
00007DD2  A5                movsw
00007DD3  0FFF              ud0
00007DD5  250F13            and ax,0x130f
00007DD8  0E                push cs
00007DD9  0091120E          add [bx+di+0xe12],dl
00007DDD  0000              add [bx+si],al
00007DDF  00C1              add cl,al
00007DE1  26A5              es movsw
00007DE3  0FFF              ud0
00007DE5  8BA0251C          mov sp,[bx+si+0x1c25]
00007DE9  00A09101          add [bx+si+0x191],ah
00007DED  0000              add [bx+si],al
00007DEF  0000              add [bx+si],al
00007DF1  0000              add [bx+si],al
00007DF3  0000              add [bx+si],al
00007DF5  0000              add [bx+si],al
00007DF7  0000              add [bx+si],al
00007DF9  0000              add [bx+si],al
00007DFB  0000              add [bx+si],al
00007DFD  0055AA            add [di-0x56],dl

So now I've got the bootcodes disassembled and ready for analysis. using meld, I decided to try to compare the 2 files side-by-side. Needless to say, there are no similarities of consequence.

At this point, I am sadly at a bit of a stand-still... I do not know nor understand Assembly code. So while it is right in front of me, ready to picked apart and reverse-engineered, it might as well be written in an alien language. Sadly, I am stuck here at this point until I either learn assembly, or think of an alternative way to try this.

While I was originally writing this article, I had expected to be able to successfully install pfSense, and thus titled the article accordingly: "pfSense on Nokia IP260". Now, in light of the fact that I cannot really continue, I have to change the title to something more appropriate... Something like "Nokia IP260 - New Discoveries for an Old Device" (in fact, this is what I decided to use). Now that I have reached the end of this road (for now anyways), I can't help but reflect upon an comment that was made in the pfSense thread:

"Nokia presumably wrote the bios, so they could do what they wanted / needed to, without regards to booting a general purpose OS."

Indeed, that is exactly what happened here. When you boot the appliance, the POST screen shows you the following:

F... E... D... C... B... A... 9... 8... 7... 6... 5... 4... 3... 2... 1... 0...
Nokia Baja BIOS bootstrap loader, Version 2.02
Copyright (c) 1997-2005, Nokia, Inc.
Unknown motherboard type 6186, Manu. Rev 2, Board Rev 1
CPU Id 0x06B0 stepping 4, Rev 0, L2 Cache 256KB
512MB SDRAM memory
DIMM 0 256 MBytes, Single Sided  DIMM 1 256 MBytes, Single Sided

Look at that, "Nokia Baja BIOS bootstrap loader, Version 2.02" Indeed, this is very likely a proprietary BIOS. Which brings us back to the initial error message I was getting, "Unhandled real mode interrupt!". Once the BIOS loads the Bootloader, the Bootloader operates in what is known as "Real Mode". Which would explain the error: the pfSense Bootloader is sending an interrupt that does not exist in the Nokia Baja BIOS.According to some internal discussions here at work, it seems that the IP26x series of appliances had a unique set of hardware architecture that was unique to the IP26x series appliances; there is nothing else quite like these. It would seem that the BIOS was created specifically to load the IPSO Bootloader, which is meant to load IPSO only. Based on this assumption, the only to move forward with this would be to either backwards engineer the IPSO bootloader, or make pfSense work with the IPSO Bootloader.

For now, this project is getting pushed to the back burner while I continue to research and tinker, and work on other projects. If/when I make any new discoveries, I will keeping this article updated.



# złe nawyki 2020-11-05 04:41
Its like you read my mind! You appear to know so much about this, like you
wrote the book in it or something. I think that you could do with a few pics to drive the message home a bit, but
instead of that, this is excellent blog. A fantastic read.
I'll definitely be back.
Reply | Reply with quote | Quote

Add comment

Security code