Watchguard M400 hack and stuff

March 30, 2025 - Reading time: 8 minutes

I recently got a Watchguard M400 appliance and wanted to do something with it (basically upgrade it with a much more powerful CPU, which is not compatible with the original BIOS), but the onboard system is very closed and you basically can't do anything with it without paying for a license for each feature.

Here are the steps I took to update the BIOS to a fully unlocked one, upgrade the CPU, and install the system I wanted (here it will be OPNsense, but at this point you can basically install anything).

This thread on the Netgate forum helped a lot; I found everything I needed to be able to do it: https://forum.netgate.com/post/836153

WGXepc tool to control fans: https://github.com/Zorrototo/WGXepc/blob/master/WGXepc.c

The first step toward updating and unlocking the BIOS is to create a FreeDOS bootable CF card.
The simplest way is to use Rufus on Windows: plug the CF card into a card reader, start Rufus, select FreeDOS in the drop-down list instead of selecting an ISO file, and follow the usual procedure to create the bootable FreeDOS system.

Once it is done, download the modified FreeDOS files (the archive also contains tools to manipulate the BIOS from FreeDOS, and is preconfigured for a French keyboard layout) http://gromano.fr/bludit/bl-content/uploads/pages/98ab652e003b6333492565629d4f2cfe/freedos.zip and extract everything onto the FreeDOS CF card, replacing the existing files.

Download the modified BIOS http://gromano.fr/bludit/bl-content/uploads/pages/98ab652e003b6333492565629d4f2cfe/m400.rom.zip and put it in the BIOS folder on the CF card.

The CF card is now ready to be booted. Put it back in the M400, plug in the serial cable and open PuTTY. Make sure to configure PuTTY properly for FreeDOS: speed 9600 baud, data bits 8, stop bits 1, parity and flow control None.

Connect with PuTTY and start the M400. The FreeDOS CF card boots up, and three beeps will be heard once it has started (this is part of the modified FreeDOS files, in the AUTOEXEC.BAT script).

It took a lot of trial and error before I was eventually able to input text from PuTTY; initially it was not working at all and no input would register. I'm not 100% sure what made it work, but I think it was when I plugged a keyboard into the M400 and rebooted that my input from PuTTY started to register.

Once your keyboard input is working in PuTTY, follow the procedure to back up the current BIOS and update with the provided one. These are the three commands to back up and then update the BIOS:

cd BIOS
afudos backup.rom /O
afudos m400.rom /B /P /N

[2.4.4-RELEASE][root@5100.stevew.lan]/root: cu -l /dev/cuaU1 -s 9600
Connected

Freedos on COM1:
Freedos
Current date is Sun 03-03-2019
Current time is  9:30:01.88 pm
C:\>dir
 Volume in drive C is FREEDOS1.0
 Volume Serial Number is 4A84-36BD
 Directory of C:\

KERNEL   SYS        44,889  08-20-06  7:08a
COMMAND  COM        66,945  08-29-06  2:40a
BIOS                 <DIR>  03-03-19  8:37p
AUTOEXEC BAT           277  03-03-19  9:28p
MODE     COM        16,254  05-12-05 12:05p
         4 file(s)        128,365 bytes
         1 dir(s)      23,560,192 bytes free
C:\>cd bios
C:\BIOS>afudos
+---------------------------------------------------------------------------+
|                 AMI Firmware Update Utility  v3.07.00                     |
|      Copyright (C)2014 American Megatrends Inc. All Rights Reserved.      |
+---------------------------------------------------------------------------+
| Usage: AFUDOS.EXE <ROM File Name> [Option 1] [Option 2]...                |
|           or                                                              |
|        AFUDOS.EXE <Input or Output File Name> <Command>                   |
|           or                                                              |
|        AFUDOS.EXE <Command>                                               |
| ------------------------------------------------------------------------- |
| Commands:                                                                 |
|         /O - Save current ROM image to file                               |
|         /U - Display ROM File's ROMID                                     |
|         /S - Refer to Options: /S                                         |
|         /D - Verification test of given ROM File without flashing BIOS.   |
|         /A - Refer to Options: /A                                         |
|       /OAD - Refer to Options: /OAD                                       |
| /CLNEVNLOG - Refer to Options: /CLNEVNLOG                                 |
| Options:                                                                  |
|     /MEUL: - Program ME Entire Firmware Block, which supports             |
|              Production.BIN and PreProduction.BIN files.                  |
|         /Q - Silent execution                                             |
|         /X - Don't Check ROM ID                                           |
|       /CAF - Compare ROM file's data with Systems is different or         |
|              not, if not then cancel related update.                      |
|         /S - Display current system's ROMID                               |
|       /JBC - Don't Check AC adapter and battery                           |
|  /HOLEOUT: - Save specific ROM Hole according to RomHole GUID.            |
|              NewRomHole1.BIN /HOLEOUT:GUID                                |
|        /SP - Preserve Setup setting.                                      |
|         /R - Preserve ALL SMBIOS structure during programming             |
|        /Rn - Preserve SMBIOS type N during programming(n=0-255)           |
|         /B - Program Boot Block                                           |
|         /P - Program Main BIOS                                            |
|         /N - Program NVRAM                                                |
|         /K - Program all non-critical blocks.                             |
|        /Kn - Program n'th non-critical block(n=0-15).                     |
|     /HOLE: - Update specific ROM Hole according to RomHole GUID.          |
|              NewRomHole1.BIN /HOLE:GUID                                   |
|         /L - Program all ROM Holes.                                       |
|        /Ln - Program n'th ROM Hole only(n=0-15).                          |
|      /ECUF - Update EC BIOS when newer version is detected.               |
|         /E - Program Embedded Controller Block                            |
|        /ME - Program ME Entire Firmware Block.                            |
|       /FDR - Flash Flash-Descriptor Region.                               |
|       /MER - Flash Entire ME Region.                                      |
|      /MEUF - Program ME Ignition Firmware Block.                          |
|         /A - Oem Activation file                                          |
|       /OAD - Delete Oem Activation key                                    |
| /CLNEVNLOG - Clear Event Log.                                             |
|   /CAPSULE - Override Secure Flash policy to Capsule                      |
|  /RECOVERY - Override Secure Flash policy to Recovery                     |
|        /EC - Program Embedded Controller Block. (Flash Type)              |
|    /REBOOT - Reboot after programming.                                    |
|  /SHUTDOWN - Shutdown after programming.                                  |
+---------------------------------------------------------------------------+
C:\BIOS>dir
 Volume in drive C is FREEDOS1.0
 Volume Serial Number is 4A84-36BD

 Directory of C:\BIOS

.                    <DIR>  03-03-19  8:37p
..                   <DIR>  03-03-19  8:37p
M400     ROM     8,388,608  01-14-19 10:57a
AFUDOS   EXE       168,944  11-10-14  3:14p
AFUEFI   EXE       159,392  04-24-14  3:59p
         3 file(s)      8,716,944 bytes
         2 dir(s)      23,560,192 bytes free
C:\BIOS>afudos backup.rom /O
+---------------------------------------------------------------------------+
|                 AMI Firmware Update Utility  v3.07.00                     |
|      Copyright (C)2014 American Megatrends Inc. All Rights Reserved.      |
+---------------------------------------------------------------------------+
 Saving current BIOS into file: backup.rom
 Reading flash ............... done                
C:\BIOS>dir
 Volume in drive C is FREEDOS1.0
 Volume Serial Number is 4A84-36BD

 Directory of C:\BIOS

.                    <DIR>  03-03-19  8:37p
..                   <DIR>  03-03-19  8:37p
M400     ROM     8,388,608  01-14-19 10:57a
AFUDOS   EXE       168,944  11-10-14  3:14p
AFUEFI   EXE       159,392  04-24-14  3:59p
BACKUP   ROM     4,194,304  03-03-19  9:52p
         4 file(s)     12,911,248 bytes
         2 dir(s)      19,365,888 bytes free
C:\BIOS>afudos m400.rom /B /P /N
+---------------------------------------------------------------------------+
|                 AMI Firmware Update Utility  v3.07.00                     |
|      Copyright (C)2014 American Megatrends Inc. All Rights Reserved.      |
+---------------------------------------------------------------------------+
 Reading flash ............... done                
 - ME Data Size checking . ok
 - FFS checksums ......... ok
 Erasing Boot Block .......... done                
 Updating Boot Block ......... done                
 Verifying Boot Block ........ done                
 Erasing Main Block .......... done                
 Updating Main Block ......... done                
 Verifying Main Block ........ done                
 Erasing NVRAM Block ......... done                
 Updating NVRAM Block ........ done                
 Verifying NVRAM Block ....... done                
C:\BIOS>

Once it is done, the Watchguard M400 will need to reboot twice, which takes some time (maybe a couple of minutes or more in total). Let it do its thing and don't shut it down during this post-BIOS-upgrade phase. When everything is complete, you will be able to see the boot process from PuTTY and will now be able to access the BIOS by pressing DEL or ESCAPE.

Version 2.15.1236. Copyright (C) 2012 American Megatrends, Inc.                 
MB-WG7585W Ver.WD0_MOD2_SW 20/02/2018                                           
Press <DEL> or <ESC> to enter setup.                                            
Tab key on remote keyboard to enter setup menu, and key 'o' for popup menu.   
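An added example, not part of the original post or the Netgate thread: a workstation-side check for the procedure above, run on m400.rom before it is copied to the CF card and on backup.rom once the card is back in the reader. It assumes the image contains standard UEFI firmware volumes (the "FFS checksums" line in the AFUDOS output points that way) and takes the expected size from the directory listing above; the function names and the constructed sample image are illustrative, and any reference SHA-256 has to come from a source you trust, since the page gives none.

```python
import hashlib
import struct
import sys

M400_ROM_SIZE = 8_388_608  # M400.ROM size in the directory listing on this page
FLASH_DESC_SIG = bytes.fromhex("5aa5f00f")  # Intel flash descriptor signature 0x0FF0A55A (LE)
FV_SIG, FV_SIG_OFF, FV_LEN_OFF = b"_FVH", 40, 32  # UEFI firmware volume header fields

def inspect_rom(data):
    """Structural facts about a ROM image; none of them prove it is trustworthy."""
    volumes, pos = [], data.find(FV_SIG)
    while pos != -1:
        start = pos - FV_SIG_OFF
        if start >= 0:
            (fv_len,) = struct.unpack_from("<Q", data, start + FV_LEN_OFF)
            if 0 < fv_len <= len(data) - start:  # declared length must fit in the file
                volumes.append((start, fv_len))
        pos = data.find(FV_SIG, pos + 1)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        # Informational: set when the file is a full SPI image, not a BIOS region only
        "flash_descriptor": data[0x10:0x14] == FLASH_DESC_SIG,
        "firmware_volumes": volumes,
    }

def preflight(data, expected_size=M400_ROM_SIZE, expected_sha256=None):
    """Return reasons not to flash this file; an empty list means all checks passed."""
    info, problems = inspect_rom(data), []
    if info["size"] != expected_size:
        problems.append(f"size {info['size']} != {expected_size}: truncated or wrong file")
    if not info["firmware_volumes"]:
        problems.append("no valid UEFI firmware volume header found")
    if expected_sha256 and info["sha256"] != expected_sha256.lower():
        problems.append("SHA-256 differs from the reference value")
    return problems

def constructed_image(size=M400_ROM_SIZE):
    """Constructed sample, not a real BIOS: 0xFF fill, descriptor signature, one FV header."""
    img = bytearray(b"\xff" * size)
    img[0x10:0x14] = FLASH_DESC_SIG
    struct.pack_into("<Q4s", img, size // 2 + FV_LEN_OFF, size // 2, FV_SIG)
    return bytes(img)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image()
    print(inspect_rom(blob), preflight(blob) or "preflight checks passed")
```

For backup.rom, pass expected_size=4_194_304 (the size in the listing) and keep the printed SHA-256 with the file so the backup can be re-checked before any later restore.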

https://docs.opnsense.org/manual/cpu-microcode.html

https://forum.opnsense.org/index.php?topic=17907.0

https://forum.netgate.com/topic/124734/watchguard-firebox-m400-m500/20

https://web.archive.org/web/20250119104838/https://www.hexhound.com/quiet-the-fan-on-your-pfsense-watchguard-firewall/