How to install OpenWrt on Fortigate 90D? | Decoded BIOS

Hi, I have a lot of out-of-license Fortigate 90D devices, so I want to reuse them and run OpenWrt on them. I have dumped and decoded the BIOS and got some useful data; according to it, we can see the u-boot.bin, u-boot.bin.cpu2 and fsoc/spi_boot_fsoc.bin images. So I want to know how we can extract these bootloader images and then install OpenWrt.
Is it applicable? Thanks for any help.

Device Specifications
2X BCM53128KQLEG Multiport Gigabit Ethernet Switches
arm926e-js based FortiSOC 900MHz
2GB 1066MHz DDR SDRAM
4MB SPI Flash
Console Port


Here is Fortigate 90D decoded bios dump

```
no_repeat=1
uart=loadb 100000;go 100000
mbu=sete tftpip 172.30.80.145;sete myip 172.30.80.154;tftp u-boot.bin;go 8000000
cpu2img=u-boot.bin.cpu2
crc=crc $fileaddr $filesize
sfwr=sf probe 0;tftp b000000 fsoc/spi_boot_fsoc.bin;sf wrimg b000000 0
bootdelay=3
baudrate=9600
ethact=nplite#0
silent=0
dhcpen=0
netmask=255.255.255.0
imagename=fgt90d.out
tftport=0
mac0=08:5b:0e:xx:xx:xx
sn=FGT90DXXXXXXXXXX
ver=FortiGate-90D (20:14-02.28.2014)
bootcmd=flat
myip=10.10.0.100
tftpip=10.10.0.10
gatewayip=10.10.0.101
```

Full Decoded Dump
https://pastebin.pl/view/e641d7a3
Fortigate90D fgt90d.out Firmware images
Tried to decode using binwalk but no luck.

FGT_90D-v5-build0305-FORTINET.out
FGT_90D-v6-build0076-FORTINET.out
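
As an added example (not part of the original post, and not Fortinet or OpenWrt tooling): Python code that locates a U-Boot-style environment block in a raw flash dump and picks out the variables that matter for console access. It assumes the NUL-separated `name=value` layout that the `�` separators in the pasted dump suggest; `find_env`, `console_settings` and the sample bytes are constructed for illustration.

```python
import re

# One NUL-terminated "name=value" string made of printable ASCII.
ENTRY = re.compile(rb"([A-Za-z0-9_.]+)=([\x20-\x7e]*)\x00")

def find_env(dump: bytes, min_vars: int = 4):
    """Return (offset, variables) for the first run of at least min_vars
    back-to-back NUL-terminated name=value strings, or None if none exists."""
    pos = 0
    while (first := ENTRY.search(dump, pos)):
        offset = pos = first.start()
        variables = {}
        while (entry := ENTRY.match(dump, pos)):
            variables[entry.group(1).decode()] = entry.group(2).decode()
            pos = entry.end()
        if len(variables) >= min_vars:
            return offset, variables
        # Too short to be an environment (stray string in code/data): keep scanning.
    return None

def console_settings(variables: dict) -> dict:
    """Variables that govern serial-console access in stock U-Boot. Whether
    Fortinet's loader honours them is an assumption, not confirmed by the page."""
    keys = ("baudrate", "bootdelay", "silent", "bootcmd")
    return {k: variables[k] for k in keys if k in variables}

# Constructed sample, not a real flash image: erased-flash 0xFF padding, one
# stray "id=7" string that must be skipped, then a few variables from the post.
SAMPLE = (b"\xff" * 16 + b"id=7\x00" + b"\xff" * 11 + b"\x00".join([
    b"no_repeat=1", b"uart=loadb 100000;go 100000",
    b"crc=crc $fileaddr $filesize", b"bootdelay=3", b"baudrate=9600",
    b"silent=0", b"bootcmd=flat",
]) + b"\x00\x00" + b"\xff" * 32)

if __name__ == "__main__":
    offset, variables = find_env(SAMPLE)
    print(f"environment at 0x{offset:x}, {len(variables)} variables")
    for name, value in console_settings(variables).items():
        print(f"  {name} = {value}")
```

To run it on a real dump, read the file with `open(path, "rb").read()` and pass the bytes to `find_env`.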

Start by locating the serial console.

See if we can get a dump on the boot sequence, and if the boot loader can be interrupted.

I am not able to interrupt the boot loader. It is not asking to interrupt with any key; maybe a hidden key combination? Is it possible? Is there any other way? According to the dumps, it updates the bootloader with U-Boot commands in the background.

```
Main boot menu
[C]: Configure TFTP parameters.
[R]: Review TFTP parameters.
[T]: Initiate TFTP firmware transfer.
[F]: Format boot device.
[I]: System information.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot.
[H]: Display this list of options.
```

If there's a menu, one could think there should be a way to interact with it.

The u-boot can be made read only by parameter, or by tampering with the RX
connection on the PCB, forcing you to solder a bridge somewhere, to activate it.

Hmm, thanks. It seems hard to find that connection on the PCB 🙂 Is there a way to find that? Any tips?

Not really, need to follow the pathway from the RX pin on the PCB, see if there's an intentional break somewhere.

Disclaimer: I'm not an OpenWrt developer and can't speak for the project.

If that is correct, as in 4 MBit == 512 KByte flash, you can stop right there. It's very hard to get OpenWrt working with 4 MByte, but anything less is impossible (no version of Linux will fit into half a megabyte of storage). ARM926E-JS is also a rather ancient ARMv4T SOC, which won't bring you much joy either.

If those are indeed the system specs, it's rather doubtful if this would be accepted as a new target for OpenWrt. Upstream toolchain (gcc, binutils, musl, etc.) support for ARMv4T basically no longer exists (at least not in a remotely maintained form), and adding a ton of custom patches for such an ancient SOC isn't likely to be accepted - but the flash (-size) issue kills this straight away.

Oh, sorry, I wrote it wrong above. It is 4MB SPI Flash. Thanks

The next step would be checking the available system RAM (ideally from the running system - or by visually identifying the RAM chips). Anything less than 32 MB would be a hard no-go, but even 32 MB will be tight.

As I mentioned above, it has 2GB DDR SDRAM, and the SPI flash only runs the system BIOS, not the firewall OS. The ARM-based FortiSOC has internal NAND flash; Fortigate runs its own firewall image on it, and the image size is 926MB.
