G_W_Albrecht
Legend

USB Flash Firmware Upgrade

The SMB series firmware can be upgraded using the WebGUI, but this leaves the factory default image at the former, lower firmware version, as it only updates the primary firmware image. So when using "Revert to the factory default image and settings", the old firmware version from the factory default image will be used, and the firmware will have to be upgraded using the WebGUI.

The first SMB models (like SG-80) had a primary (active) and a backup firmware image. The first one was loaded to RAM at boot time; the backup is called Factory Default Image in the WebGUI. Contemporary SMB models also keep a copy of the last active image before an upgrade:

# show diag
Current system info
-----------------------------------
Current image name: R77_990172929_20_87
Current image version: 929
Previous image name: R77_990172922_20_87
Previous image version: 922
Default image name: R77_990172392_20_80
Default image version: 392
Bootloader version: 64

A script is also available that shows the active and previous image:

# pfrm2.0/opt/fw1/bin/firmware_ver.sh
Usage: firmware_ver.sh [-d   |-r|-v]
        -d : Download from given URL to given path and verify checksum
        -r : Revert to saved image
        -v : Display firmware versions
firmware_ver.sh -v
77 20 80 990172370 /dev/mtd2    77 20 75 990172320 /dev/mtd4

The first one is active, and "Revert to saved image" installs the older firmware shown on the right-hand side while keeping the current configuration. And there is even another interesting command:

# firmTool -c /dev/mtd2
R77_990172929_20_87
# firmTool -c /dev/mtd4
R77_990172922_20_87
# firmTool -c /dev/mtd6
R77_990172392_20_80

An upgrade from CLI is also possible, even offline (sk143274): Copy the image to the /storage directory (using WinSCP) and run (from Expert mode):

# upgrade_revert_image.sh /storage/%FILENAME% upgrade safe

Or run the following commands online in expert mode (sk141512):

# /opt/fw1/bin/fw check_available_firmware 
# /opt/fw1/bin/fw download_firmware
# /pfrm2.0/bin/cloud_upgrade.sh

Using a USB Flash device, both the SMB series factory default and the primary firmware can be upgraded at once. This installation procedure works after every reboot if the USB medium is attached and readable. Details can be found in sk107592: How perform a fresh/clean install of firmware on 600/700/1100 appliance via USB. Additional advice can be found in sk98549: How to Burn Check Point 600 / 700 / 1100 Appliances version with Disk-On-Key, where you read: "These instructions should be followed only if recommended by support." So there should be a good reason to do so, like when a Factory Reset does not resolve an issue that appears only on one device (so it is more the step taken before applying for an RMA).

CAUTION: Different USB Flash media may show different behaviour when loading images from USB; for example, a USB Flash device that installs a new firmware image successfully on a 1100 / 600 may fail to install on an SG80. Also, the USB medium must use a FAT32 file system.

Using a USB Flash device is started by a reboot (here from a 600/1100):

** MARVELL BOARD: RD-88F6281A LE 
U-Boot 1.1.4 (Aug 11 2010 - 13:38:30) Check Point version: 3.4.27
U-Boot code: 00600000 -> 0067FFF0  BSS: -> 006CFB00
Soc: 88F6281 A1 (DDR2)
CPU running @ 1200Mhz L2 running @ 400Mhz
SysClock = 400Mhz , TClock = 200Mhz
DRAM CAS Latency = 5 tRP = 5 tRAS = 18 tRCD=6
DRAM CS[0] base 0x00000000   size 256MB
DRAM Total size 256MB  16bit width
************ Hit 'Ctrl + C' for boot menu ************
Addresses 8M - 0M are saved for the U-Boot usage.
Mem malloc Initialization (8M - 7M): Done
NAND:512 MB
Flash:  0 kB
CPU : Marvell Feroceon (Rev 1)
Streaming disabled
Write allocate disabled
Module 0 is RGMII
Module 1 is TDM
USB 0: host mode
PEX 0: interface detected no Link.
Net:   egiga0, egiga1 [PRIME]
Reading data from 0xe0000 -- 100% complete.
Verifying CRC for settings area... Done

On the 1200R this looks different:

OCTEON eMMC stage 1 bootloader
Partition: 1, start: 0x0000000000000800, size: 0x0000000000004800
Reading 457576................................................................................................................................................................................................................................ Done.
Loaded OCTBOOT2BIN
Branch to stage 2 at:0xFFFFFFFF81004000
U-Boot 2013.07 (Development build, svnversion: u-boot:exported, exec:) (Build time: Jan 19 2015 - 10:17:06)
Warning: Board descriptor tuple not found in eeprom, using defaults
EVB7000_SFF board revision major:1, minor:0, serial #: unknown
OCTEON CN7010-SCP pass 1.2, Core clock: 1200 MHz, IO clock: 500 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x4f804000, size: 0x7fc000
DRAM: 1 GiB
Clearing DRAM...... done
Using default environment
MMC:   Octeon MMC/SD0: 1
reading u-boot-octeon_evb7000_sff.bin
U-Boot 2013.07 (Development build, svnversion: u-boot:exported, exec:) (Build time: Jan 11 2015 - 17:13:00)
Check Point version: 990170212
************ Hit 'Ctrl + C' for boot menu ************
OCTEON CN7010-AAP pass 1.2, Core clock: 1200 MHz, IO clock: 500 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x4e000000, size: 0x2000000
DRAM: 1 GiB
Clearing DRAM...... done
Octeon MMC/SD0: 1
Flash: 0 Bytes
PCIe: Port 0 not in PCIe mode, skipping
PCIe: Port 1 not in PCIe mode, skipping
PCIe: Port 2 not in PCIe mode, skipping
PCI console init succeeded, 1 consoles, 1024 bytes each
PCIe: Port 0 not in PCIe mode, skipping
PCIe: Port 1 not in PCIe mode, skipping
PCIe: Port 2 not in PCIe mode, skipping
Type the command 'usb start' to scan for USB storage devices.
mmc1(part 0) is current device
MMC read: dev # 1, address # a80000, count 524288 ... 1024 blocks read: OK
Verifying CRC for settings area... Done

And a 7x0 / 14x0 appliance shows:

Annapurna Labs stage 2: stage2_eth3_ram_loader v1.65.1
Executing next!
Annapurna Labs stage 2: stage2.5_loader v1.65.1
SPD I2C Address:00000057
Executing next!
-----------------------------------------------------
Stage 3 version: 1.65.1
Commit ID: e88c9c4
CVOS commit ID: d32367c
HAL commit ID: 8b8f7b5
Build date: May 20 2015 19:57:35
-----------------------------------------------------
EEPROM Revision ID = 37
Device ID = a312
Device Info: AL31200-1700
Loading DT to 00100000 (18909 bytes)...
Board config ID: alpine_db (S1-L71)
Loading application to 00100000 (458192 bytes)...
Executing application...
U-Boot 2015.01-alpine_db_s1-1.65.1-HAL (Jan 14 2016 - 16:51:23)  Check Point version: 64
I2C:   ready
DRAM:  1 GiB
power_init_board: EEPROM per device information - using defaults!
Board config ID: alpine_db (S1-L71)
NAND:  1024 MiB
  00:00.0     - 1c36:0002 - Network controller
  00:01.0     - 1c36:0001 - Network controller
  00:02.0     - 1c36:0002 - Network controller
  00:03.0     - 1c36:0001 - Network controller
  00:04.0     - 1c36:0011 - Cryptographic device
  00:05.0     - 1c36:0021 - Base system peripheral
PCIE_0: Link up. Speed 2.5GT/s Width x1
  01:00.0     - 168c:003c - Network controller
pci_init_board_external: PCIE_1 no link found
PCIE_2: Link up. Speed 5GT/s Width x1
  02:00.0     - 1912:0015 - Serial bus controller
In:    serial
Out:   serial
Err:   serial
Net:   reg=26 data=36928
reg=26 data=36928
al_eth0, al_eth1 [PRIME], al_eth2, al_eth3
Trying to read nand: 262144 bytes from offset 3145728
Read nand: 262144 bytes from nand
blob magic: a5a51234
blob crc: 359ef56a
Verifying CRC for settings area... Done
************ Hit 'Ctrl + C' for boot menu ************
 2  1      
Saving Environment to NAND...
Erasing NAND...
Erasing at 0x280000 -- 100% complete.
Writing to NAND... OK
Saving Environment to NAND...
Erasing redundant NAND...
Erasing at 0x2c0000 -- 100% complete.
Writing to redundant NAND... OK
Saving Environment to NAND...
Erasing NAND...
Erasing at 0x280000 -- 100% complete.
Writing to NAND... OK
bootargs=boardFlavor=alpine_db_s1 quiet console=ttyS0,115200 noExtPorts= maxcpus=2 cp_net_config=3,(00:1C:7F:73:0A:59)(00:1C:7F:73:0A:5A)(00:1C:7F:73:0A:5B) pci=pcie_bus_perf
device 0 offset 0x380000, size 0x3fc80000
do_nand: set partition base address to=380000
NAND read: device 0 offset 0x380000, size 0x1000000
 16777216 bytes read: OK
## Booting kernel from Legacy Image at 08001000 ...
   Image Name:   Linux-3.10.20-al-5.0-pr2
   Created:      2018-05-10  11:39:02 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    8658144 Bytes = 8.3 MiB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 03b2d008
   Booting using the fdt blob at 0x3b2d008
   Loading Kernel Image ... OK
   reserving fdt memory region: addr=0 size=100000
   Loading Device Tree to 03b11000, end 03b189dc ... OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
INIT: version 2.88 booting
Booting Check Point RD-6281-A User Space...
.================
INIT: Entering runlevel: 3
............................................................crond[1854]: crond 1.8.1 started, log level 8
........................
System Started...

Now the appliance looks at the USB devices:

/sys/devices/soc.0/fd840000.pcie-external2/pci0002:00/0002:00:00.0/0002:01:00.0/usb1/1-1/1-1:1.0/host0/target0:0:0/0:0:0:0/block/sda/sda1

If a valid file is found, it is read in, verified and installed after reboot:

Verifying image : /mnt/usb1/fw1_sx_dep_R77_990172392_20.img
Installing image : /mnt/usb1/fw1_sx_dep_R77_990172392_20.img
Upgrade log : /mnt/usb1/usb_image_upgrade_00-1C-7F-73-0A-59.log
Restoring to factory default settings
**************************************************************
WARNING:   RESET TO FACTORY DEFAULTS PROCESS STARTED:
WARNING:   PLEASE DO NOT PULL OUT THE POWER CABLE
**************************************************************
INIT:
INIT: Sending processes the TERM signal
Restarting system.

First the firmware flash is erased, then both the default and primary firmware are stored and verified:

device 0 offset 0x380000, size 0x3fc80000
do_nand: set partition base address to=380000
NAND erase: device 0 offset 0x380000, size 0xd800000
Erasing at 0x380000 --   0% complete.
Erasing at 0x580000 --   1% complete.
Erasing at 0x7c0000 --   2% complete.
Erasing at 0x9c0000 --   3% complete.
Erasing at 0xc00000 --   4% complete.
****** lines have been left out here ******
Erasing at 0xdb40000 -- 100% complete.
OK
device 0 offset 0xdb80000, size 0x32480000
do_nand: set partition base address to=db80000
NAND erase: device 0 offset 0xdb80000, size 0xd800000
Erasing at 0xdb80000 --   0% complete.
Erasing at 0xdd80000 --   1% complete.
Erasing at 0xdfc0000 --   2% complete.
Erasing at 0xe1c0000 --   3% complete.
****** lines have been left out here ******
Erasing at 0x1b340000 -- 100% complete.
OK
Saving Environment to NAND...
Erasing NAND...
Erasing at 0x280000 -- 100% complete.
Writing to NAND... OK
Saving Environment to NAND...
Erasing redundant NAND...
Erasing at 0x2c0000 -- 100% complete.
Writing to redundant NAND... OK
device 0 offset 0x2c980000, size 0x13680000
do_nand: set partition base address to=2c980000
NAND erase: device 0 offset 0x2c980000, size 0x13680000
Erasing at 0x2c980000 --   0% complete.
Erasing at 0x2cc80000 --   1% complete.
Erasing at 0x2cf80000 --   2% complete.
Erasing at 0x2d2c0000 --   3% complete.
****** lines have been left out here ******
Erasing at 0x3fcc0000 --  99% complete.
Erasing at 0x3ffc0000 -- 100% complete.
OK
device 0 offset 0x1b380000, size 0x24c80000
do_nand: set partition base address to=1b380000
NAND read: device 0 offset 0x1b380000, size 0x8ec0000
 149684224 bytes read: OK
device 0 offset 0x380000, size 0x3fc80000
do_nand: set partition base address to=380000
NAND write: device 0 offset 0x380000, size 0x8ec0000
NAND write bytes left: 149684224
****** lines have been left out here ******
NAND write bytes left: 15466496
 149684224 bytes written: OK
Saving Environment to NAND...
Erasing NAND...
Erasing at 0x280000 -- 100% complete.
Writing to NAND... OK
bootargs=boardFlavor=alpine_db_s1 quiet console=ttyS0,115200 noExtPorts= maxcpus=2 cp_net_config=3,(00:1C:7F:73:0A:59)(00:1C:7F:73:0A:5A)(00:1C:7F:73:0A:5B) pci=pcie_bus_perf
device 0 offset 0x380000, size 0x3fc80000
do_nand: set partition base address to=380000
NAND read: device 0 offset 0x380000, size 0x1000000
 16777216 bytes read: OK
## Booting kernel from Legacy Image at 08001000 ...
   Image Name:   Linux-3.10.20-al-5.0-pr2
   Created:      2018-05-10  11:39:02 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    8658144 Bytes = 8.3 MiB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 03b2d008
   Booting using the fdt blob at 0x3b2d008
   Loading Kernel Image ... OK
   reserving fdt memory region: addr=0 size=100000
   Loading Device Tree to 03b11000, end 03b189dc ... OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
INIT: version 2.88 booting
Booting Check Point RD-6281-A User Space...
.================
INIT: Entering runlevel: 3
.............
------------- This is a first boot ---------------
........................................................................
------------- First boot done ---------------
System Started...

Now the unit has booted from the new primary firmware image and the FirstTimeWizard can be run for configuration. If a backup from the same firmware version is available, we can restore the backup. Otherwise, we can install another firmware version using the WebGUI to be able to restore the backup. When importing a backup, the MAC address, firewall type and license are imported as well. The GUI will show all that imported information. This is a "cosmetic" issue that can safely be ignored. The model logo will revert to the right model logo within 24 hours. If you run ifconfig, the correct MAC address is shown. Another possibility is to use autoconf.clish files for configuration, as explained in the following third part: USB First Time Config using autoconf.clish files.

Firmware files have model-specific names: fw1_dep_R77_990170830_20.img (600 / 1100), fw1_ind_dep_R77_990170830_20.img (1200R), fw1_sx_dep_R77_990170830_20.img (700 / 910 / 1400) and for 15x0 devices fw1_vx_dep_R80_992001434_20.img.

The last available firmware version for older models:

- SG-80: fw1_dep_R75_983004120_20.img = R75.20.71 Build 983004120

- 6x0 / 11x0: fw1_dep_R77_990172487_20.img = R77.20.80 Build 990172487

- 1200R: fw1_ind_dep_R77_990172583_20.img = R77.20.81 Build 990172583

Also see this list of SMB documents for more.

CCSE CCTE CCSM SMB Specialist
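
The image bookkeeping described in the post above, as an added example that is not part of the original post or of Check Point's tooling: it parses `show diag` output and the model-specific file names to flag revert paths that would put an older build back on the appliance. The function names are illustrative, and it assumes that a higher build number means newer firmware.

```python
import re

# Filename prefix -> model family, as listed in the post above.
FAMILIES = {"fw1_dep": "SG-80 / 600 / 1100", "fw1_ind_dep": "1200R",
            "fw1_sx_dep": "700 / 910 / 1400", "fw1_vx_dep": "15x0"}
FILE_RE = re.compile(r"^(fw1(?:_[a-z]+)?_dep)_(R\d+)_(\d+)_(\d+)\.img$")
NAME_RE = re.compile(r"^(R\d+)_(\d+)_(\d+)_(\d+)$")
DIAG_RE = re.compile(r"^(Current|Previous|Default) image name:[ \t]*(\S+)[ \t]*$", re.M)
# `show diag` output as quoted in the post, used here as sample input.
SAMPLE_DIAG = """\
Current image name: R77_990172929_20_87
Current image version: 929
Previous image name: R77_990172922_20_87
Previous image version: 922
Default image name: R77_990172392_20_80
Default image version: 392
"""

def parse_firmware_filename(filename):
    """Split e.g. fw1_sx_dep_R77_990172392_20.img into family, release, build."""
    m = FILE_RE.match(filename)
    if not m or m.group(1) not in FAMILIES:
        raise ValueError(f"not an SMB firmware file name: {filename!r}")
    return {"family": FAMILIES[m.group(1)], "release": m.group(2), "build": int(m.group(3))}

def parse_show_diag(text):
    """Map each image slot in `show diag` to its name, version string and build."""
    slots = {}
    for slot, name in DIAG_RE.findall(text):
        m = NAME_RE.match(name)
        if not m:
            raise ValueError(f"unexpected image name: {name!r}")
        rel, build, major, minor = m.groups()
        slots[slot.lower()] = {"name": name, "build": int(build),
                               "version": f"{rel}.{major}.{minor}"}
    return slots

def audit_images(diag_text):
    """List revert paths that would install a build older than the running one."""
    slots = parse_show_diag(diag_text)
    cur, findings = slots["current"], []
    for slot, action in (("default", "factory default revert"),
                         ("previous", "revert to saved image")):
        img = slots.get(slot)
        # Assumption: build numbers grow with newer firmware.
        if img and img["build"] < cur["build"]:
            findings.append(f"{action}: {cur['version']} build {cur['build']} -> "
                            f"{img['version']} build {img['build']}")
    return findings
```

Run over `show diag` output collected from a fleet, `audit_images` shows which appliances would come back from a factory reset on firmware older than what they run today; `parse_firmware_filename` rejects files that do not follow the SMB naming scheme before they are copied to a USB medium.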
5 Replies
Talha
Explorer

Hi G_W_Albrecht, we have a Check Point 1100 Appliance and are trying to find an img file to upgrade its firmware from Image name: R75_983004042_20_65 to the latest version, i.e. 77.xx. We are trying to do it through the WebUI but unfortunately cannot find the img file to download. The img file links given at this URL, https://support.checkpoint.com/results/sk/sk110875, are all broken. We found an iso file "Check_Point_R77.30_Install_and_Upgrade_T5.Gaia.iso" and copied it to a USB drive, then plugged the USB drive into the appliance and rebooted it but can find a way how to upgrade? Even though the firewall is an old model, we just opened it from the box. Can you suggest how to upload it from an iso? And could you share a link so we can download the latest img firmware file? We spent a lot of time on this issue, so any help would be appreciated.

0 Kudos
PhoneBoy
Admin

The links in the SK work if you are logged into support.checkpoint.com AND have a valid software subscription associated with your account.
The fact you're not getting a useful error message is probably related to the new support site that was recently launched.

Check_Point_R77.30_Install_and_Upgrade_T5.Gaia.iso is for different hardware.

0 Kudos
Chris_Atkinson
Employee

Latest firmware (R77.20.87) for the 1400 is available from sk153433. 

Again support entitlements are necessary to download these files.

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend

@Chris_Atkinson : According to  Latest firmware builds for 77.20.xx SMB appliances, latest 1100 firmware is R77.20.80 Build 990172507 for 600/1100 Appliances. Also available is R77.20.81 Build 990172509 for 600/1100 for 600/1100 Appliances - EA for flexiport, but in sk137212: R77.20.81 for Small and Medium Business Appliances, SMB 1100 is only listed in the limitations.

Checked the link that was given by @Amir_Ayalon here: https://community.checkpoint.com/t5/SMB-Gateways-Spark/Are-the-SMB-devices-vulnerable-to-DNSpooQ/m-p...

CCSE CCTE CCSM SMB Specialist
Chris_Atkinson
Employee

Of course you are correct, I had misread the model of gateway / made a typo.

 

Note: 1100s have reached End of Support per: 

https://www.checkpoint.com/support-services/support-life-cycle-policy/

 

CCSM R77/R80/ELITE
0 Kudos
