Hacking into a SonicWall

ITBioMed

n00b
Joined
Mar 22, 2014
Messages
2
Lately my personal toybox has expanded with a bunch of 5th Gen. SonicWalls that have been discarded because of a Dell upgrade path to 6th. Gen. models. These units are party disabled by Dell: most of the security functions are impaired and the licenses have all been tranfered to the newer models.

However, as SonicWall units have some nice hardware features and are pretty good performers I'd like to give them a second life. Maybe I can make them SNORT around my home network and do some IDS/IPS by installing another distro on them. However, there isn't much info on the net about reprogramming a SonicWall - to be acurate there's none.

I want to start with a TZ210 unit because it's not that much of a pitty if I brick it permanently while on the other hand it is quite comparable with the NSA- series that I also have. So, first some info about the unit:

  • Cavium MIPS64 500MHz Octeon CPU (Single Core, I believe it's CN5010-500BG564)
  • 256MB RAM
  • 32MB Flash memory
  • 2x Gigabit ethernet (separate NICs)
  • 5x Fast ethernet (separate NICs)
  • 1x Console port (serial)

I've connected with the CLI but that's extremely limited and I haven't been able to squeze info about the FS and/or OS out of it. Furthermore I've tried to dissect the firmware using Binwalk (which I usually find very helpful) but more than a rather flat entropy graph (1) I haven't been able to deduce from it. I hoped to find something that gives some indication how it boots but nope.

Luckily there's support for the Octeon MIPS64 platform for some linux and BSD flavors but I've no clue how to get it on it (apart from the fact that I also have to figure out first what modules to include during the kernel compilation).

I'm getting afraid that the only way to load some custom stuff in it is using the 32-pin header on the PCB which can be observed in the picture made by dashpuppy:

DSCN3244.JPG


So, to summarize: I'm stuck. If there's anyone around who likes this project and feels like sharing ideas and thoughts with me, please comment! Although it probably won't be very easy, we'll probably be the first ones hacking into a SonicWall 5th. unit so it's defininately worth it :))

I'm trying to keep track of my progression on my personal site. Some more info and links can be found there as well. See https://itandthebiomedicus.com/?p=125

(1) derived from the sw_tz-210_eng_5.9.0.3.sig firmware
 
Last edited:
Modifying the SonicWALL software, maybe, but if he's trying to load alternative software on hardware he already legally owns, there's nothing wrong with it.

Should be a good learning experience, but damn if it doesn't sound like it's going to be an uphill battle.

Do terms of use even apply to End of Life, unsupported hardware that you picked up second hand?
 
If there are pins for a jtag on the board you may be in luck. That's probably where I would start.
 
We've got a bigger sonic wall at work and all I can say is that the CLI is not bash or any other common shell. It's built to be a cisco iOS like environment.
Good luck on the project though, please post updates as you have them.
 
Have found a little more info. The SonicWall is running VxWork (from Wind River), it's packed into an ELF file and it's bootloader is U-Boot (which is quite nice!). Being a VxWorks device, the 32-pin header is very very likely a JTAG header and programmed with the Wind River JTAG debuggger. First it seems to be loading the SafeBoot firmware and if the diagnostics button isn't pushed it loads the complete/normal SonicWall image. The safeboot firmware probably checks some kind of signature first before loading the full image.

Here's the bootlog:

Code:
U-boot 5.0.2.11 (Production build) (Build time: Oct 17 2008 - 13:26:22)OCTEON SNWL_CHESTNUT-1 CN5010-SCP pass 1.1, Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM: 256 MB
Flash: 32 MB ( Bank 0: 16 MB Bank 1: 16 MB )
.Uncompressed 0x181d88 bytes
ELF file is 32 bit
Allocating memory for ELF: Base addr, 0×2000000, size: 0xe000000
Loading .text @ 0×82008000 (1389536 bytes)
Loading .data @ 0x8215c000 (178688 bytes)
Loading .cvmx_shared @ 0x82187a00 (416 bytes)
Clearing .bss @ 0x82187c00 (1194416 bytes)
## Loading ELF image with entry point: 0×82008000 …
Bootloader: Done loading app on coremask: 0×1
Loading system information…
Reading system info from flash…
Host Name: bootHost
Target Name: vxTarget
User: target
Attaching interface lo0… done
Loading firmware…
Booting…
ELF file is 32 bit
Re-using existing memory for ELF: Base addr, 0×2000000, size: 0xe000000
Loading .text @ 0×82008000 (21995184 bytes)
Loading .data @ 0×83502000 (2093264 bytes)
Loading .cvmx_shared @ 0x837010d0 (425 bytes)
Clearing .bss @ 0×83701280 (17456848 bytes)
## Loading ELF image with entry point: 0×82008000 …
Bootloader: Done loading app on coremask: 0×1
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Host Name: bootHost
Target Name: vxTarget
User: target
Starting SonicSetup Watchdog
Starting real-time clock
Initializing clock
Tuning clock and timezone
Initializing Memory Zones
Initializing Buffer Zones
Initializing Common Zones
Initializing Semaphores
Initializing System Monitor
Initializing trace call history
Initializing Flash
Adjusting SonicSetup Watchdog if necessary for large prefs
Initialize FDR log
Initializing Ramdisk
Installing date/time hook
Creating File System
filesystem
Initializing CFS
Constructing HTTPS Server dependencies
Setting NTP parameters
Enabling ARP table support
Enabling STATIC NDP table support
Creating interface names and default itids
Initializing core IP packet handler
Initializing memory buffer driver
Initializing Branding
Initializing parameters table
Interfaces Group init-stage 1
Starting Routing engine
Initializing action table search tree
Allocating IPsec SA space
Starting Global Bandwidth Management
Initializing Policy lookup table
Initializing NAT Policy structure
Building DHCP Network Objects
Starting network monitor module
Starting the NAT module
Starting common gateway interface handler
Starting the system timer
Initializing IPNET Glue
Initializing core IPv6 stack
Starting random number generator
Initalizing IPsec handle
Allocating DHCP server lease ranges
Initializing Memory for Application Firewall Config Objects
Building IPS Config Objects
Building AppControl Config Objects
Building AntiSpyware Config Objects
Initializing multiple interfaces handler
Initializing MAC-IP Anti-Spoofing
Initializing flow reporting
Initializing Ip Helper
Starting capture Buffer
Initializing interface packet queue scheme
Initializing QoS Mapping module
Initializing Bandwidth Management Engine
Starting dynamic routing
Initializing Support Services
Initializing backend dynamic update support
Initializing users
Pre-Initializing LDAP client
Pre-initializing Terminal Services support for SSO
1st zebos init
Set default packet capture settings
Initializing Memory for CFS
Initializing WMM
Initializing IPv6 config
Starting firewall logger
********************************************************************************
Validating FLASH parameters

********************************************************************************
Initializing preference export memory buffer devices
Starting appflow report
Starting capture Buffer during startup
Starting IPH compatibility flags
Initializing proper connection count
Adjust memory partitions
Starting synflood protection
Starting Generic Flood Protection
Complete Network Object initialization
Generate Default Bandwidth Object
Setting Time Zone and updating Daylight savings time
Initializing ARP table
Reading Network Interface configurations
Updating global BWM data
Listen to BSP Interface State events
Reading ifConfigs
Initialize ACTIVE WAN
Starting Stateful Packet Inspection engine
Determining High Availability state
Initializing Ethernet links
Initializing Switch Ports
Generating system ARP
Generating dynamic Address Objects
2nd zebos init
Build routing table
Initializing IP Helper
Starting capture Buffer during startup
Initializing SQLite
Starting SwFlow during startup
Starting GeoIP
Initial GUI Interface Statistics Counters
Initializing DNS Rebind Detection
Building NAT tables
Generating gratuitous ARP for NAT
Generating gratuitous ARP for Transparent Mode IPs
Starting registration services
Starting DNS client
Starting DNS client
Initializing syslog client
Starting DNS request task
Starting DAO manager
Log initializations dependent on preferences
Starting RBL driver
Starting licensing services
Initializing connection cache
Activating Ethernet hooks
Initializing HTTP Server
Starting user authentication routines
Starting Zone Policy manager
Initializing Viewpoint reporting
Starting DHCP client
Initializing PPP timers
Initializing L2TP client system
Initializing L2TP Server
Initializing PPTP system
Initializing Acceptable Use Policies
Starting NTP client
Starting IP fragmentation/reassembly handlers
Starting IPsec engine
Initializing HTTPS Server
Initializing web proxy support
Initializing diagnostic admin tools
Reading Qos Conversion Configuration
Starting Endpoint Anomoly detection and Reporting (EAR)
Starting H323 handlers
Starting SIP handlers
Initializing RADIUS client
Initializing LDAP client
Initializing SSO Authentication
Initializing Terminal Services support for SSO
Initializing PPPoE support
Preparing auto-configurator
Starting DHCP server
Initializing DHCP relay over VPN
Starting IGMP Mcast
Initializing Deep Packet Inspection framework
Initializing Content Filtering Services
Initializing Distributed Enforcement Architecture
Building CFS rating database
Set CFS version
Starting Auto-Update timers
SNMP Initialization
Verifying management policy rules
Initializing High Availability routines
Initializing SSL Control Service
Starting Auto-Update timers
Complete One Touch Overrides
Starting hardware watchdog
Firmware Version: SonicOS Enhanced 5.9.0.3-117o
Directory: /depot-14739-51/Octeon/5.9.0/m2/target/oct_mips64/sw_octeon210-sc-base
Initializing FIPS mode
Starting FIPS 186-2 random number generator
Running FIPS mode self-tests
DRNG test passed
RSA test passed
RSA KAT test passed
DSA test passed
DES and 3DES test passed
AES test passed
SHA-1 test passed
HMAC-SHA-1 test passed
DH group 2 test passed
DH group 5 test passed
All cryptographic self-tests succeeded
Initializing NDPP mode
WAN Load Balancing module started
Update Interfaces Groups from prefs
Initializing for TSR generation
Initializing SDP and SSPP (discovery and provision protocol)
Initializing Wireless Zone Module
Initializing Guest Services
Starting Bandwidth Optimization engine
Initializing Flash Dynamic Update
Verifying transaction groups
03/25 11:38:54.064: NOTICE: flashStartup:2108: Transaction Groups are not in sync!
Protecting prefs
Initializing SSLVPN Server
Start processing Interface State Changes
Initializing Reboot Notifier
Check for Diag Restart Requests
Check for Periodic Gratuitous ARP Requests
Checking for Enhanced Upgrade
Initializing ARS
Initializing VPN route monitor
Initializing SSH Service
Initializing CLI interface
Log Firewall activated
Remote Backup Initialization
If configured, send SNMP Cold Start Trap
Starting Hot Swap Controllers
If configured, send IPsec Trap for Manual SAs
Start Ipv6 engine
Starting Anti-Spam Service
Starting Subsystem Detection
Starting License Manager Client
Initializing IPv6 Interface
Initializing PPPHDLC support
Initializing network proxy servers
Added 1539 oui to vendor mappings
Initializing DHCPv6 server
Initializing Router Advertisement Daemon
Initializing DHCPv6 Client
Initializing Multicast Proxy
Upgrade traditional BWM preference
Add an entry to the firmware history

Product Model: TZ 210
Product Code: 6831
Firmware Version: SonicOS Enhanced 5.9.0.3-117o
Serial Number: xxxxxxxxx
X0 IP Addresses: 192.168.25.1

*** Startup time: 03/25/2014 11:39:04.784 ***

Copyright (c) 2012 Dell | SonicWALL, Inc.

User:

And this is the bootlog when booting into safemode:

Code:
U-boot 5.0.2.11 (Production build) (Build time: Oct 17 2008 – 13:26:22)

OCTEON SNWL_CHESTNUT-1 CN5010-SCP pass 1.1, Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM: 256 MB
Flash: 32 MB ( Bank 0: 16 MB Bank 1: 16 MB )
.

Uncompressed 0x181d88 bytes
ELF file is 32 bit
Allocating memory for ELF: Base addr, 0×2000000, size: 0xe000000
Loading .text @ 0×82008000 (1389536 bytes)
Loading .data @ 0x8215c000 (178688 bytes)
Loading .cvmx_shared @ 0x82187a00 (416 bytes)
Clearing .bss @ 0x82187c00 (1194416 bytes)
## Loading ELF image with entry point: 0×82008000 …
Bootloader: Done loading app on coremask: 0×1
Loading system information…
Reading system info from flash…
Host Name: bootHost
Target Name: vxTarget
User: target
Attaching interface lo0… done
Entering Safemode…
Starting SafeMode WebServer on 192.168.168.168
Also Starting SafeMode WebServer on 192.168.25.1

Your SonicWALL is now running in SafeMode 5.0.1.13.
Connect to the SafeMode WebServer on 192.168.168.168

-Upload and download firmware images and system settings.
-Boot to your choice of firmware and settings.
-Manage system backups.
-Easily return your SonicWALL to a previous system state.
 
Last edited:
Before you guys mess with me you all should know I was a patrol boy when I was in 6th grade and have experience as a hall monitor!
 
I created this account just to reply here.. First, sorry for digging up an old topic, but did this really die here? OP, what was the outcome? Did you get to try the NSA devices? I have an NSA device Id like to load a custom firmware on also. Hoping for a reply.
 
Back
Top