Installing OpenWRT on Watchguard T40W

othermully · April 14, 2025, 7:26pm

Hello, I am attempting to install OpenWRT onto a second hand watchguard t40w I have. I am new to building firmware and flashing embedded devices, so this project is over my head and I need some guidance/tips.

Specs:
Board: LS1043A QDS
Storage: mSATA 16GB
Bootloader: Custom U-Boot for Watchguard

I currently have a TFTP server and an active serial connection to the device. I have tried multiple different file types using openWRTs 'make menuconfig'. From the looks of it in the current u-boot environment, its booting the Watchguard kernel file which is a .itb file.

I'm assuming that since the bootloader is customized for the watchguard there might be some sort of mechanism that prevents loading other types of images or even prevents from booting anything that isn't watchguard specific. The main error messages I receive when attempting to boot the images (.bin, .itb, .uimage) is that it cannot get the kernel image from the boot file.

I have attempted creating a .bin image which the LS1043A target selected in the menuconfig for OpenWRT as well as creating an .itb image from the image builder.

My main question is, would it be worth the effort to re-flash U-Boot so I have a fresh U-Boot configuration, or has anyone worked with a LS1043A QDS board before with success?

Wallbanger · April 15, 2025, 1:32pm

Show serial bootlog, pls, in Code-Tags...
And maybe https://wikidevi.wi-cat.ru/WatchGuard_Firebox_T40-W_(FS4AE5W) is helpful...

othermully · April 15, 2025, 7:17pm

Here it is, don't mind the boot error, I don't have the mSATA installed at the moment

U-Boot 2018.09 (Dec 05 2019 - 10:13:47 -0800)

SoC:  LS1043AE Rev1.1 (0x87920011)
Clock Configuration:
       CPU0(A53):1000 MHz  CPU1(A53):1000 MHz  CPU2(A53):1000 MHz  
       CPU3(A53):1000 MHz  
       Bus:      300  MHz  DDR:      1600 MT/s  FMAN:     500  MHz
Reset Configuration Word (RCW):
       00000000: 0610000a 0a000000 00000000 00000000
       00000010: 45580002 00000012 40044000 c1002000
       00000020: 00000000 00000000 00000000 0003fffe
       00000030: 20004504 0418320a 00000096 00000001
Model: LS1043A QDS Board - T40/T20
Board: LS1043AQDS, boot from vBank: 0
I2C:   ready
DRAM:  Initializing DDR...
Detected UDIMM Fixed DDR4 on board
3.9 GiB (DDR4, 32-bit, CL=11, ECC off)
Using SERDES1 Protocol: 17752 (0x4558)
SEC Firmware: Bad firmware image (not a FIT image)
Waking secondary cores to start from fbd35000
All (4) cores are up.
MMC:   FSL_SDHC: 0
Loading Environment from SPI Flash... SF: Detected mx25u3235f with page size 256 Bytes, erase size 64 KiB, total 4 MiB
OK
In:    serial
Out:   serial
Err:   serial
Net:   SF: Detected mx25u3235f with page size 256 Bytes, erase size 64 KiB, total 4 MiB
Fman1: Uploading microcode version 108.4.9
PCIe0: pcie@3400000 Root Complex: no link
PCIe1: pcie@3500000 Root Complex: x1 gen1
PCIe2: pcie@3600000 disabled
FM1@DTSEC1 [PRIME], FM1@DTSEC2, FM1@DTSEC3, FM1@DTSEC5, FM1@DTSEC6
### main_loop entered: bootdelay=3

### main_loop: bootcmd="run wgBoot SysA"
WatchGuard U-Boot 2018.09 - Dec 05 2019 10:13:47--------------------------------------------------------------------------||||||||||||||||||||||||-------------------------------------------------------------------------++++Use the ^ and v keys to select which entry is highlighted.Press enter to boot the selected OS.WatchGuard (SYSA)                                                     WatchGuard (SYSB Recovery/Diagnostic Mode)                       Booting SYSA key to stop autoboot:  3 
scanning bus for devices...
SATA link 0 timeout.
AHCI 0001.0301 32 slots 1 ports 6 Gbps 0x1 impl SATA mode
flags: 64bit ncq pm clo only pmp fbss pio slum part ccc apst 
Wrong Image Format for bootm command
ERROR: can't get kernel image!

Wallbanger · April 16, 2025, 8:30am

Hardware specs are here https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Hardware-Guides/firebox-t40-hardware-guide.html?cshid=10001
But nothing about the SoC. First move would be to find out, whether the SoC is supported by linux.

Request Support for Meraki MX67C is the only thread I found with LSA1043A. You have to wait what the Pros say, sorry...

tmn505 · April 16, 2025, 10:38am

The issue is You don't post what are those error messages and go for the solution which is the one most difficult to achieve. There's no need to change bootloader if You can interrupt it and boot unsigned system/kernel from other medium. The usual customization are specified in U-Boot environment and likely it's possible to alter it from U-Boot console. But before You'll think about doing that, You need kernel with dtb adapted to the board. As 1st step try to tftpboot initramfs (select ramdisk image in menuconfig) for fsl_ls1043a-rdb board just to test if the kernel loads and boots. The vendor kernel is probably new enough to use dtb, so the next step is to use binwalk to extract it and decompile it to dts (or upload the file with .itb extension somewhere). Please post that dts here. That dts is a hardware description which could be used unmodified or will need slight modification to run with mainline kernel.

Anyway, You might want to ask @neg2led for more, as he did experiment with https://github.com/neggles/openwrt/commits/firebox-t20 but I don't know how far did he go with it.