PIX 515E - Downgrade from 7.0 to 5.29 Mayhem

Discussion in 'Cisco' started by Randal T. Rioux, Jul 31, 2006.

  1. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    I have a client who requires a security audit for a 525 with 5.29
    running. All the other systems have been 6.x or 7.x. Needless to say I
    haven't touched 5.x since Clinton was president.

    My test machine here is a 515E with the following specs:

    Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
    Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
    Flash E28F128J3 @ 0xfff00000, 16MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB

    After erasing the current image (I like a clean chip) and flashing the
    pix529.bin image, I get either one of the following errors when booting
    (depending on how I smack it around):

    1. Image must be at least 7-0-0-0 error in file flash:/image.bin
    No bootable image in flash. Please download an image from a network
    server in the monitor mode

    Failed to find an image to boot

    2. No bootable image in flash. Please download an image from a
    network server in the monitor mode

    Failed to find an image to boot

    Am I missing something? Would there be any reason for this image not to
    work on a 515E? I've never downgraded, so something may need to be done
    differently and I just don't know how.

    Thanks for any help folks!

    - --
    Randal T. Rioux | Procyon Labs
    IT Security R&D and Consulting
    Virtual: www.procyonlabs.com
    Physical: DC / Baltimore
    PGP: gpg --keyserver pgp.mit.edu --recv-keys 0xD08D1941


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2.2 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFEzVepRrGMQdCNGUERA66OAKCW97ETsfNQ+Fqc1pF+ucYiKqJpXACfT9cn
    3pjtdZealXo6D5Cgh01bWxY=
    =es9i
    -----END PGP SIGNATURE-----

    --
    Posted via a free Usenet account from http://www.teranews.com
     
    Randal T. Rioux, Jul 31, 2006
    #1
    1. Advertising

  2. In article <44cd4a5f$0$16223$>,
    Randal T. Rioux <> wrote:

    >I have a client who requires a security audit for a 525 with 5.29
    >running. All the other systems have been 6.x or 7.x. Needless to say I
    >haven't touched 5.x since Clinton was president.


    >My test machine here is a 515E with the following specs:


    >Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
    >Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz


    Tricky. The first version of PIX OS that supported the 515E at
    all was PIX 5.2(7), just two subreleases before the version you
    are attempting to test. And in PIX 5 and PIX 6, the maximum RAM
    permitted on the 515E is 64 Kb.

    >After erasing the current image (I like a clean chip) and flashing the
    >pix529.bin image, I get either one of the following errors when booting
    >(depending on how I smack it around):


    Have you tried "flashfs" first ? PIX 5 used a different flash file
    system directory organization.

    Using "flashfs" is tricky: as best I can tell, after using it
    you next have to drop down to the monitor mode. If you save your
    configuration or if you reboot even once before going into the
    monitor, then PIX OS will restore the old flashfs directory structure.
     
    Walter Roberson, Jul 31, 2006
    #2
    1. Advertising

  3. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Walter Roberson wrote:
    > In article <44cd4a5f$0$16223$>,
    > Tricky. The first version of PIX OS that supported the 515E at
    > all was PIX 5.2(7), just two subreleases before the version you
    > are attempting to test. And in PIX 5 and PIX 6, the maximum RAM
    > permitted on the 515E is 64 Kb.


    Does this mean I have to yank half the RAM out, or will it just not
    address the excess?

    > Have you tried "flashfs" first ? PIX 5 used a different flash file
    > system directory organization.
    >
    > Using "flashfs" is tricky: as best I can tell, after using it
    > you next have to drop down to the monitor mode. If you save your
    > configuration or if you reboot even once before going into the
    > monitor, then PIX OS will restore the old flashfs directory structure.


    I can't figure out how to issue flashfs on 7.0(4) (current running
    image, and the only one that seems to run).

    It seems the problem may go deeper. I got the following message at boot
    after flashing 6.1(5) on the box:

    An internal assertion check has failed.
    Copy the following message exactly as it appears,
    along with any visible version strings, and
    then call your support representative.

    assertion "addr < sfmm_chip_size" failed: file "../flash/sfmm.c", line 255

    I tried 5.2(9) again and got the same message. I'm perplexed! :)

    Thanks for you fast response...
    Randy


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2.2 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFEzXb/RrGMQdCNGUERA05XAJ9Jek8jIOWV/v7fgWmEBLbBaG6t2gCghMR0
    DgDqv1rglzK3Sn/88utRPIs=
    =VAho
    -----END PGP SIGNATURE-----

    --
    Posted via a free Usenet account from http://www.teranews.com
     
    Randal T. Rioux, Jul 31, 2006
    #3
  4. In article <>,
    Randal T. Rioux <> wrote:
    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: RIPEMD160
    >
    >Walter Roberson wrote:
    >> And in PIX 5 and PIX 6, the maximum RAM
    >> permitted on the 515E is 64 Kb.


    >Does this mean I have to yank half the RAM out, or will it just not
    >address the excess?


    I don't know; I've seen conflicting reports on that point. It
    appears to vary according to how far back you are going.

    >I can't figure out how to issue flashfs on 7.0(4) (current running
    >image, and the only one that seems to run).


    Looks like the appropriate command is "downgrade":
    http://www.cisco.com/univercd/cc/td...x/pix_sw/v_70/pix_upgd/pixupgrd.htm#wp1263742

    It appears that you cannot directly go lower then 6.2 with that
    command.


    >It seems the problem may go deeper. I got the following message at boot
    >after flashing 6.1(5) on the box:


    > An internal assertion check has failed.


    > assertion "addr < sfmm_chip_size" failed: file "../flash/sfmm.c", line 255


    That looks to me like something related to RAM size.
     
    Walter Roberson, Jul 31, 2006
    #4
  5. Randal T. Rioux

    Sioban Guest


    >> I can't figure out how to issue flashfs on 7.0(4) (current running
    >> image, and the only one that seems to run).

    >
    > Looks like the appropriate command is "downgrade":
    > http://www.cisco.com/univercd/cc/td...x/pix_sw/v_70/pix_upgd/pixupgrd.htm#wp1263742
    >
    > It appears that you cannot directly go lower then 6.2 with that
    > command.


    Yep that's the command you need to use, flashfs has been modified, any attempt to flash with an
    old binary is hazardous.

    You'll have to downgrade to 6.3 or 6.2 and then flash with 5.29 firmware. (I think so)
     
    Sioban, Jul 31, 2006
    #5
  6. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Sioban wrote:
    >>> I can't figure out how to issue flashfs on 7.0(4) (current running
    >>> image, and the only one that seems to run).

    >> Looks like the appropriate command is "downgrade":
    >> http://www.cisco.com/univercd/cc/td...x/pix_sw/v_70/pix_upgd/pixupgrd.htm#wp1263742
    >>
    >> It appears that you cannot directly go lower then 6.2 with that
    >> command.

    >
    > Yep that's the command you need to use, flashfs has been modified, any attempt to flash with an
    > old binary is hazardous.
    >
    > You'll have to downgrade to 6.3 or 6.2 and then flash with 5.29 firmware. (I think so)


    hmmmm... this may be a dumb question, but will I have any problems
    loading 7 back on there when I'm done testing 5?

    Thanks!
    Randy


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2.2 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFEzoMkRrGMQdCNGUERA6JxAJ4ty08RhI7zV/VpzUxUxyHxAEqOEACaAyj5
    LR5tAoC5zgpvRAYiPCm0yNc=
    =1XQa
    -----END PGP SIGNATURE-----

    --
    Posted via a free Usenet account from http://www.teranews.com
     
    Randal T. Rioux, Jul 31, 2006
    #6
  7. In article <>,
    Randal T. Rioux <> wrote:
    >hmmmm... this may be a dumb question, but will I have any problems
    >loading 7 back on there when I'm done testing 5?


    You might have to load 6.2 first.
     
    Walter Roberson, Aug 1, 2006
    #7
  8. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Sioban wrote:
    >>> I can't figure out how to issue flashfs on 7.0(4) (current running
    >>> image, and the only one that seems to run).

    >> Looks like the appropriate command is "downgrade":
    >> http://www.cisco.com/univercd/cc/td...x/pix_sw/v_70/pix_upgd/pixupgrd.htm#wp1263742
    >>
    >> It appears that you cannot directly go lower then 6.2 with that
    >> command.

    >
    > Yep that's the command you need to use, flashfs has been modified, any attempt to flash with an
    > old binary is hazardous.
    >
    > You'll have to downgrade to 6.3 or 6.2 and then flash with 5.29 firmware. (I think so)


    WOOHOO!

    Worked great. Just had to use "downgrade tftp://x.x.x.x/pix529.bin" and
    it reformatted the flash perfectly. I can't thank you guys enough!

    Now I need to get some work done :)

    Randy



    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2.2 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFEztNKRrGMQdCNGUERA+4gAJsHlaCueGHEEcMtcI/cIdI3/KApxQCgnXOx
    9ISEI5Cam0IB2HX5w/KSmFk=
    =YoWS
    -----END PGP SIGNATURE-----

    --
    Posted via a free Usenet account from http://www.teranews.com
     
    Randal T. Rioux, Aug 1, 2006
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?UGhpbC5U?=

    Wireless Homenetwork Mayhem

    =?Utf-8?B?UGhpbC5U?=, Jan 24, 2005, in forum: Wireless Networking
    Replies:
    12
    Views:
    987
    Robert Jacobs
    Jan 26, 2005
  2. Tin-Char D'un

    Mouse pointer mayhem...

    Tin-Char D'un, Jul 25, 2003, in forum: Computer Support
    Replies:
    5
    Views:
    625
    Tin-Char D'un
    Jul 27, 2003
  3. gary

    "Pinging" & mouse/taskbar mayhem!

    gary, Oct 21, 2004, in forum: Computer Support
    Replies:
    1
    Views:
    439
    Stickems
    Oct 21, 2004
  4. Muze Groops

    Windows Driver Error mayhem

    Muze Groops, Sep 22, 2007, in forum: Computer Support
    Replies:
    6
    Views:
    520
    pcbutts1
    Sep 22, 2007
  5. thing2
    Replies:
    2
    Views:
    365
    FreedomChooser
    Aug 20, 2005
Loading...

Share This Page