Hardware

Protectli Products

How to Use 4G LTE Service with the Vault

phil October 9, 2019

4G LTE Service Overview

4G LTE Service consists of a 4G LTE cellular modem and a subscription plan. 4G LTE Service can be used with the Vault as a backup/failover Internet connection in the event the primary WAN service is down or as the primary WAN interface when a wired Internet connection is unavailable . For any business or operation, a 4G LTE failover solution ensures that Internet connectivity is preserved and eliminates potential loss of sales and loss of productivity. Maintaining a constant Internet connection is particularly crucial these days as so many applications and business functions are in the “cloud” and only accessible via the Internet.

4G LTE Service options are extremely cost effective compared to the loss of business and/or productivity. Baseline pricing is $29.99 per month for 1 Giga Byte (GB) of data or $34.99 per month for 1 GB with a public Static IP address. Additional usage is only $1 per 100 MB for either subscription plan. Protectli 4G LTE Products and Services can be found at this link.

In addition to backup/failover, there are numerous applications that are ideal for a standalone cellular connection. Examples are:

Temporary or short term connections for construction sites, sporting events, concerts, etc.
Permanent retail kiosks that are not close to a wired connection
Remote sensor monitoring
Remote vehicle and storage areas
Many others ……

4G LTE Service Configuration

As noted above, the 4G LTE Service consists of a 4G LTE cellular modem and a subscription plan. The modem and subscription plan are ordered together from Protectli. Protectli will insert a SIM card for the subscription plan and test connectivity to the cellular service. When the modem arrives it is fully functional and no configuration is required on the modem itself. It is required to attach the antennas to the “Main” and “Aux” connectors of the modem to get a good signal. Simply connect the LAN port of modem to one of the Vault’s Ethernet ports using the supplied Ethernet cable. There may need to be configuration of the Vault, depending on the installed operating system (OS). See the Protectli Knowledge Base at this link for articles that are specific to 4G LTE and particular OS.

4G LTE Service Specifications

4G LTE Category 4
Max download data rate up to 150 Mbits/second
Max upload data rate up to 50 Mbits/second
3G Failover
Band 2 (1900 MHz), Band 4 (1700/2100 MHz), Band 5 (850 MHz), Band 17 (700 MHz)

4G LTE Service Documents

Data Sheet, see this link
User Manual, see this link

How to Configure a PXE Server on CentOS 7 with pfSense® CE

Luke Green July 24, 2019

Overview

PXE (Preboot Execution Environment), allows for remote clients to boot from a network hosted image. In this article we will be setting up a PXE server on CentOS 7 with a pfSense® router in place. Vault models FW2B, FW4B, and all versions of the FW6 can be flashed to coreboot which has PXE capabilities.

We have guides covering how to install CentOS, pfSense® CE and how to flash coreboot on to the Vault.

Example Setup

For this example we will be configuring a CentOS 7 server for hosting PXE files along side pfSense® running the DHCP server to allow for network boot and install of CentOS 7 on a FW2B flashed with coreboot.

FW6C – Hosting a virtual machine of CentOS 7
FW4B – Running pfSense®
FW2B – coreboot flashed for PXE

Prerequisites

For this guide we will assume the following are in place:

PXE enabled client
CentOS 7 Server
pfSense® router with DHCP enabled

Setting Up the PXE Server

Log into the CentOS 7 server
Verify all the packages are updated using the following command

#yum update -y

Install the required packages using the following command

#yum install syslinux xinetd tftp-server vsftpd wget -y

Edit the TFTP configuration file with the vi command

#vi /etc/xinetd.d/tftp

Change disable from yes to no.
Tips for vi editing: Press ‘Insert’ on the keyboard to edit the file, ‘Esc’ to exit edit mode, and type “:wq” to write and close the file.

Change directory to syslinux and copy the necessary files to the TFTP

#cd /usr/share/syslinux
#cp pxelinux.0 mboot.c32 menu.c32 chain.c32 memdisk /var/lib/tftpboot

Make and change to the tmp directory.
Download a CentOS 7 image. The following address is for a minimal image, but you may find your own mirror and version

#mkdir tmp
#cd tmp/
#wget http://mirrors.ocf.berkeley.edu/centos/7.6.1810/isos/x86_64/CentOS-7-x86_64-Minimal-1810.iso

While in tmp mount the downloaded image and copy the files to the FTP directory

#mount -o loop CentOS-7-x86_64-Minimal-1810.iso /mnt/

Make a directory for the image files and copy them over

#mkdir /var/ftp/pub/centos7
#cp -rf /mnt/* /var/ftp/pub/centos7
#chmod -R 755 /var/ftp/pub/centos7

Make a directory and sub-directory called networkboot/centos7 and copy over vmlinuz along with initrd.img

#mkdir -p /var/lib/tftpboot/networkboot/centos7
#cp /var/ftp/pub/centos7/images/pxeboot/{vmlinuz,initrd.img} /var/lib/tftpboot/networkboot/centos7

Create a PXE configuration file that points to the correct files

#mkdir /var/lib/tftpboot/pxelinux.cfg

Make note of the IP address for the next steps. Use the following command to show IP address

#ip a

Open the PXE configuration file with the vi editor

#vi /var/lib/tftpboot/pxelinux.cfg/default

Add the following lines to this new configuration file. Screenshot below is an example of what it should look like.

default menu.c32
prompt 0
timeout 60

menu title <insert title>
label Install CentOS 7

kernel /networkboot/centos7/vmlinuz
append initrd=/networkboot/centos7/initrd.img inst.repo=ftp://<server_ip_addr>/pub/centos7

use ‘:wq’ to save and exit the editor

Enable and start the TFTP and FTP services

#systemctl enable vsftpd.service
#systemctl start vsftpd.service

#systemctl enable tftp.service
#systemctl start tftp.service

Add firewall rules for the TFTP and FTP servers

#firewall-cmd --permanent --add-service=tftp
#firewall-cmd --permanent --add-service=ftp
#firewall-cmd --reload

Log into your pfSense® webGUI and locate the DHCP Server menu under the Services tab

Scroll down to “Other Options” and fill in the TFTP server IP address
Verify the “Enables network booting” box is ticked
Enter the IP address of the Next Server (same as TFTP)
For “Default BIOS file name” enter pxelinux.0

Click Save

At this point you can boot up the PXE client and verify that it lists the image and network installation functions. If you experience any issues, please feel free to reach out to us at: support@protectli.com

How to configure UEFI on the Vault

Luke Green May 16, 2019

UEFI Overview

UEFI is an acronym for Unified Extensible Firmware Interface. It is a specification that defines a new model for the interface between operating systems (OS) and platform firmware. It is a replacement for legacy BIOS. More information may be found on the UEFI Forum website at: https://uefi.org/

Recent updates to some OS software have introduced incompatibility between the default installation of the OS with some of the Vault hardware platforms. Setting the BIOS mode on the Vault to UEFI eliminates some of these issues. The article below will detail how to set the BIOS mode to UEFI.

Changing BIOS mode to UEFI

Verify that the Vault is powered down
Verify that the monitor is connected
Verify that the USB keyboard is connected
While powering up the Vault, press “DEL” key
Verify that the system boots into the BIOS

Select the “Advanced” tab

Select “CSM Configuration”

Select “Boot option filter”

Verify the Boot option filter menu is displayed
Select “UEFI only”
Press Return(Enter)
Press “F4” to save and exit the BIOS
Power off the Vault

At this point UEFI mode is enabled. See the specific installation guide for the desired OS.

If you experience any issues, please feel free to reach out to: support@protectli.com.

coreboot on the Vault

phil April 16, 2019

coreboot is an open source project focused on the boot and BIOS process for initializing hardware (HW) and booting an operating system (OS). coreboot has roots in the Linux community and can be found on the internet at https://www.coreboot.org/.

coreboot describes itself as: “…an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems.” It is an open source alternative to legacy BIOS options with the following properties:

Fast Boot – Minimal image, removes legacy bloat
Open Source – The source code is available and can be built without any cost or license
Secure – Common backdoors of legacy BIOS can be disabled or not even included in the build
Support for modern HW and Intel CPUs

The coreboot philosophy is to do the absolute bare minimum to discover and initialize hardware (HW), then pass the control to another program called a “payload”. The payload then takes care of user interfaces, drivers, policies, etc. Protectli has implemented coreboot with the SeaBIOS payload.

coreboot is available on the FW2B, FW4B and FW6 series Protectli platforms as an alternative to traditional BIOS.

coreboot has been tested on the FW2B, FW4B and FW6 series with the following OS:

FreeBSD 11.2
OPNsense 19.1
pfSense 2.4.4
Ubuntu 18.10

coreboot can be selected at the time of ordering. It can also be installed in the field. See instructions below for FW2B and FW4B. The FW6 installation is more involved and requires recompiling the default version of the “flashrom” utility. Contact Protectli directly for instructions for the FW6 series.

Boot Menu

When coreboot is installed and the system boots, it will first attempt to boot from the internal mSATA. If there is no bootable OS on the mSATA, it will then attempt to boot from any USB that it discovers. If it is desired to boot from a USB to rather than mSATA, the boot menu can be accessed by pressing the “F11” key when the splash screen is displayed then selecting the desired boot device.

Installation Instructions

Note: Flashing new firmware onto any hardware is potentially dangerous in that if the procedure is interrupted or otherwise not able to complete, your hardware may be rendered useless. Please proceed with caution only after fully understanding each step of the following instructions. If there are any questions, please contact Protectli support BEFORE proceeding.

Note: Coreboot utilizes Legacy BIOS. If the operating system was previously installed under UEFI BIOS, coreboot may no longer recognize that drive.

coreboot is installed using a program called ‘flashrom’ which is available for many linux distributions. Protectli validated the installation of coreboot using flashrom on Ubuntu 18.10 (see this link for guidance on installing Ubuntu on the Vault). While flashrom works under other operating systems, this has not been tested by Protectli. As such, we recommend using Ubuntu to upgrade your Vault to coreboot.

In the instructions below, “#” indicates a command line instruction in an Ubuntu Terminal window. “filename” refers to the actual name of the file.

If not using Ubuntu on the Vault, remove the existing mSATA and replace it with the dedicated mSATA for the coreboot installation process
Install Ubuntu desktop version on the Vault to the dedicated mSATA per the link above
Verify that Ubuntu desktop version is installed and reboot the system
Verify that Ubuntu boots up to the desktop version and the Firefox browser is installed, or install the browser of your choice
Browse to the appropriate coreboot “filename.rom” file and download it to the Ubuntu system. See the table below for links to the coreboot .rom files.
Open a terminal window in Ubuntu. (Applications->Terminal)
Verify the terminal opens and change directory to “Downloads” using the following command:

#cd Downloads

Verify the “filename.rom” file has been downloaded to the “Downloads” directory using the following command:

#ls -la

Download the appropriate SHA256 checksum file per the table below
Verify the “filename.rom.sha” file has been downloaded to the “Downloads” directory using the following command:

#ls -la

If the files are compressed, with a suffix of “.zip”, uncompress them with the following commands:

#unzip filename.rom.zip
#unzip filename.rom.sha256.zip

Run the SHA256 program on the filename.rom file using the following command:

#sha256sum filename.rom

Verify the SHA256 output is the same as the contents of the filename.rom.sha file

#cat filename.rom.sha

Verify the “flashrom” program is present in Ubuntu

#which flashrom

If flashrom is not present, get it from the network and install it in Ubuntu

#sudo apt install flashrom

Verify flashrom is installed on the system

Flash the coreboot image to the system with the the following command:

 #sudo flashrom -p internal -w filename.rom -V -o output-file

where -V indicates verbose and output-file is the name of an output file that is saved with the contents of the flashrom output
Reboot the system
Verify the system boots and displays the coreboot version string on the screen, then the splash screen
Verify the system boots up to Ubuntu desktop
If not using Ubuntu as the OS, power off the system and replace the dedicated Ubuntu mSATA with the mSATA for the desired OS
Reboot the system and verify that it boots to the desired OS

At this point coreboot should be installed. However, as always, feel free to contact us at: support@protectli.com.

Flash from Coreboot to Original(AMI) BIOS

In case you would like to go to back the OEM BIOS, the steps are relatively straightforward. Following the same procedure as flashing Coreboot. Be sure to use the correct BIOS for your Vault.

Using the same Ubuntu install as the instructions above;

Verify the correct BIOS is downloaded from here
Unzip the BIOS in the Downloads folder
Open Terminal and change directory to BIOS folder. Examples below.

For the FW4B

#cd Downloads/4B180727

For the FW2B

#cd Downloads/2B180727

Now run the flashrom command, instead of ‘filename.rom’, use ‘filename.bin’.

Example below would be for the FW4B BIOS file.

 #sudo flashrom -p internal -w YLBWL412.bin -V -o output-file

And for the FW2B

 #sudo flashrom -p internal -w YLBWL212.bin -V -o output-file

After the flash is complete the terminal should output a “VERIFIED” message along with “Restoring MMIO space at…” message
Now Reboot and verify the OEM BIOS is loaded along with booting into the desired OS

coreboot File Table

Model	coreboot .rom file	SHA256 file
FW2B	fw2b_v4.9.0.1.rom	fw2b_v4.9.0.1.rom.sha
FW4B	fw4b_v4.9.0.1.rom	fw4b_v4.9.0.1.rom.sha

How to Customize the Boot Splash Screen

phil September 11, 2018

Overview

The “Splash Screen” is the graphical image or logo that is briefly displayed at boot up of the system. The splash screen for the Vault can be customized to enhance the brand awareness of the product and/or solution. Protectli provides a Windows tool that can be used to change the BIOS and customize the splash screen.

Splash Screen File

The splash screen file is a “bitmap” file with an extension of “.bmp” in Windows. The bitmap file used for the splash screen must have maximum dimensions of 800 x 600 and be less than 1.4 MB. If there is already a logo file in “.jpg” or “.png” format, that file can be converted to a bitmap file using the Windows Paint program or other tools.

Verify the Desired Splash Screen File

On Windows, right click the desired file
Select Properties
Verify “Type of File” is BMP file
Select the Details tab
Verify the Dimensions are 800 x 600 or less
Verify the Size is 1.4 MB or less

Convert the Desired Splash Screen File

If the desired file is in JPG or PNG format, it can be converted to Bitmap using the Windows Paint program. This procedure is only necessary if the desired file is not already in Bitmap format.

On Windows, right click the desired file
Select Edit
Verify the Paint program starts and the graphical image is displayed
Select File->Save As->Save as type:
Verify the dropdown menu that contains these bitmap options is displayed
- Monochrome Bitmap
- 16 Color Bitmap
- 24 Color Bitmap
- 24-bit Bitmap
Select the desired bitmap format
Note that the formats listed in the dropdown are in increasing order of quality and increasing order of size
Select Save
Right click on the newly created bitmap and verify that it is less than 1.4 MB
If greater than 1.4 MB, repeat this procedure with a lesser quality bitmap format

Download the BIOS

The BIOS folder for each specific model of the Vault is available at this link. Be very sure when downloading and installing the BIOS that it is the correct BIOS for the specific Vault. Installing incorrect BIOS may result in an inoperable system.

Download the BIOS zip file for the model of the Vault from the link above
Verify the BIOS zip file is downloaded
Unzip the file and verify the BIOS folder is downloaded

Download the BIOS Logo Tool

There are two BIOS logo tools. One is for the FW1, FW2, and FW4 models of the Vault. The other is for the FW6 models of the Vault. The FW1, FW2, and FW4 tool is at this link. The FW6 tool is at this link.

Download the BIOS logo tool zip file for the model of the Vault from the link above
Verify the proper BIOS logo tool zip file is downloaded
Unzip the BIOS logo tool

Use the BIOS Logo Tool to Change the Splash Screen

Double click on the BIOS Logo executable file
Verify the “Change Logo” application appears on the screen

Change Logo Application

Select the “Load Image” button

Load Image Button

Verify navigator window is displayed

Navigator Window

Verify/Select “Files of type:” All Files
Navigate to the BIOS folder
Select the .bin file
Select “Open”

.bin File

Verify the .bin file is displayed in the proper folder in the “Aptio Image” Box

Aptio Image Box

Select Browse Button

Browse to find Bitmap File

Verify the navigator window is displayed
Select files of type “BMP Files (*bmp)
Navigate to the desired bitmap file
Select the .bmp file
Select Open
Verify the desired bitmap file is displayed in the “Select BMP file” box

Select BMP File

Select the Replace Logo button

Replace Logo

Verify the “Save Image As” button is now not grayed out

Save Image As Button

Select the “Save Image As” button
Verify the navigator window is displayed
Navigate to the BIOS folder, this is where the new BIOS file will be placed
Manually enter the name of the original .bin file, note that it must be exactly the same name

BIN File

Select Save button
Verify the Success message is displayed in the lower left of the tool

Success Message

Create Bootable USB Drive and Install New BIOS

Now that the new bitmap file has been created, the BIOS folder must be transferred to a USB drive and then used to update the BIOS on the Vault. Follow the instructions at this link to create a bootable USB drive, transfer the new BIOS folder to the USB drive, and install the new BIOS on the Vault.

Verify the splash screen has the new logo or image during initial boot
Verify the system boots

At this point, the new splash screen should be installed on The Vault. However, if you experience any issues, please feel free to reach out to us at: support@protectli.com.

Verify Intel Spectre and Meltdown Vulnerabilities

phil August 9, 2018

Overview

There are known security vulnerabilities with Intel processors that are named “Spectre” and “Meltdown”. These vulnerabilities are documented at this link. There is a Windows based tool that can analyze the the system to determine if it is vulnerable to Spectre or Meltdown. This document describes how to use that tool to assess the vulnerability of the Vault. Information regarding specific BIOS updates to the different Vault platforms can be found from links on the product pages.

On a Windows computer,

Browse to InSpectre homepage at https://www.grc.com/inspectre.htm
Scroll down to Download Button and download InSpectre application from this link.
Verify that the file/application “InSpectre.exe” is downloaded to the Windows computer
Run InSpectre (double-click) and verify the application pops up

InSpectre & Meltdown Vulnerability Status – Not Protected

Verify that both Meltdown and Spectre vulnerabilites are protected.

If not, update the Vault to the appropriate BIOS that addresses the vulnerabilities. See the latest BIOS at this link.

Update BIOS on the Vault
Rerun the InSpectre application
Verify vulnerabilities are protected

InSpectre & Meltdown Vulnerability Status – Protected

At this point the Vault should be protected from the Spectre and Meltdown vulnerabilities. However, if there are any issues, feel free to reach out to us at:

support@protectli.com

FW2B FW4B Series Hardware Overview

phil August 8, 2018

As with all Protectli Vault hardware, the FW2B and FW4B series need only RAM (memory) and mSATA (storage) added in order to have a fully functional hardware system. In addition, an optional WiFi module can be installed as well. For more information on HW compatibility, see this link.

The FW2B and FW4B series hardware are slightly different, but the chassis form factor, general board layout, and placement of components is largely the same. The FW2B and FW4B vary mainly in the type of CPU they have and the number of network ports. For a full comparison among different models, please see this page.

The annotated photo below shows the location of the various sockets. The FW2B is pictured. Note that the memory socket is underneath the mSATA and WiFi sockets.

CPU

The FW2B series uses an Intel J3060 processor and the FW4B series uses an Intel J3160 processor. Both of these CPUs have built in suport for Intel’s AES-NI hardware encryption.

Memory

There is a single SODIMM socket for memory. Additional information on compatible memory modules can be found in the Hardware Compatibility page. The maximum supported memory size is 8GB of DDR3L (1.35V).

mSATA

The FW2B, and FW4B series come with a single mSATA socket. This socket is capable of holding any logical size mSATA.

WiFi

The WiFi module socket is a PCIe form factor socket. The FW2B can accommodate a standard PCIe WiFi module. The FW4B while PCIe in form factor, operates over USB channel communication, limiting functionality as compared to pure PCIe modules. Protectli sells a compatible WiFi module that is available here. Instructions for installation of the WiFi module can be found here. The FW2B can also accommodate the Protectli PCIe/USB WiFi module.

Port Connectivity

The ‘Front’ of the FW4B Vault is pictured above. The FW2 is different, as it only has 2 network ports (WAN and LAN) but an additional 4 USB 2.0 ports.

Power should be supplied by the included power supply, which is rated for 12V at 3.3A.

The Power LED, which lights up green when power is applied, indicates that the Vault has power applied. It does not indicate the status for the operating system

The Drive Activity LED will blink, according to mSATA drive activity. Usually, the user will see the most activity as the unit is booting, or if the unit is under heavy load. For most operating systems, this indicator will not be on and only blink occasionally under most conditions.

The Network ports are each independenly connected to the CPU via a PCIe connection. A table that shows port numbering can be found below.

Vault Model	Port 6	Port 5	Port 4	Port 3	Port 2	Port 1
FW1x	-	-	OPT2	OPT1	LAN	WAN
FW2x	-	-	-	-	LAN	WAN
FW4x	-	-	OPT2	OPT1	LAN	WAN
FW6x	OPT4	OPT3	OPT2	OPT1	LAN	WAN
FreeBSD (pfSense) Labeling (in software)	em5	em4	em3	em2	em1	em0
Windows 10 (in software)	Ethernet 5	Ethernet 4	Ethernet 3	Ethernet 2	Ethernet	Ethernet 1

Data Sheets

The FW2B data sheet can be found at this link. The FW4B data sheet can be found at this link.

BIOS Versions for the Vault

phil June 19, 2018

Note: The FW2B and the FW4B had an issue such that they would not work with HDMI displays with a resolution of 1440p (2560×1440). That issue has been resolved using the latest BIOS, version BSW4L009. See the table below to download the latest versions.

Note: Intel has recently announced a security vulnerability that is described at:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

The FW1, FW2, FW4A and FW6 Vaults may be affected by this vulnerability. The FW2B and FW4B are not affected. Protectli understands the urgency of this issue and we are working with our partners to generate BIOS updates to address the issue. We will post the updated BIOS and/or timelines for updated BIOS on this page shortly.

BIOS

BIOS is the abbreviation for Basic Input Output System. It is a small program that is stored on non-volatile memory that is used to initialize the system hardware during the boot process. BIOS is installed on every system when it ships, but occasionally there are upgrades to the BIOS to address various issues. This page has a table with all of the current versions of BIOS for the Vault. BIOS can be downloaded from this table by clicking on the “Download Link” entry and used to upgrade the BIOS on the Vault.

The currently installed BIOS version can be found on the main BIOS page, as seen in the example screenshot below (circled in red):

BIOS Main Tab

See this link for instructions on how to install BIOS on the Vault.

Model	Download Link	BIOS ID	Notes	Release Date
FW1	1-190708	BTL4A012	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW2	2-190708	BTL4A012	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW4A	4A190619	E38L4A12	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW2B	2B191022	BSW4L009	HDMI 1440p Display Fix	October 22, 2019
FW4B	4B191022	BSW4L009	HDMI 1440p Display Fix	October 22, 2019
FW6A	6-190708	KBU6LA09	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW6B	6-190708	KBU6LA09	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW6C	6-190708	KBU6LA09	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019

Notes

Some older versions of FW1 and FW2 Vaults do not automatically update the new Boot Order with version BTL4A012. If this occurs, follow the steps below to set the Boot Order:

Power off the unit
Reboot the unit and hit the DEL key to enter BIOS
Select the Boot Tab
Select “F3” to Load Optimized Defaults
Verify the proper Boot order of 1) UEFI mSATA 2) UEFI USB 3) Legacy mSATA 4) Legacy USB
Select “F4” to Save and Exit
Verify the system boots correctly

Previous Versions

Model	Download Link	BIOS ID	Notes	Release Date
FW1	1-181025	BTL4A010	Intel Spectre and Meltdown fixes	October 25, 2018
FW2	2-180706	BTL4A008	Intel Spectre and Meltdown fixes	July 6, 2018
FW4A	4A180804	E38L4A05 V1.03	Intel Spectre and Meltdown fixes, COM port fix	August 4, 2018
FW2B	2B190619	BSW4L007	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW4B	4B190619	BSW4L007	New Logo, Enable UEFI and Legacy, Boot Order UEFI before Legacy	August 1, 2019
FW6A	6-180614	KBU6LA06	Intel ME, Spectre and Meltdown fixes	June 14, 2018
FW6B	6-180614	KBU6LA06	Intel ME, Spectre and Meltdown fixes	June 14, 2018
FW6C	6-180614	KBU6LA06	Intel ME, Spectre and Meltdown fixes	June 14, 2018

As always, if there are any questions, feel free to reach out to us at:

support@protectli.com

How to perform a BIOS update

phil May 15, 2018

This article will explain how to create a bootable FreeDOS USB drive and prepare the drive with the appropriate BIOS update files for installation on a Protectli Vault. FreeDOS is a free DOS application that is compatible with Intel based computers, such as the Vault. The Vault uses FreeDOS to install BIOS updates to the Vault.

For creating a bootable USB with Windows, Protectli recommends a tool called Rufus. The home page for Rufus is https://rufus.akeo.ie. The Windows system requirements are listed on the Rufus homepage.

Create Bootable FreeDOS USB – Windows

Download the Rufus tool from the home page to a Windows computer
Verify an executable file with a name of rufus-2.17 or similar is downloaded (the version you download may have a higher version number than this example)
- Note that rufus is an executable and does not need to be installed.
Select the Rufus application that was downloaded and verify that the main menu pops up (example screenshot below)
Verify that “FreeDOS” is the default selection

Rufus Main Menu

Insert a USB drive into a USB port on the PC
Verify that Rufus recognizes the USB drive

Rufus Detects USB Drive

Select Start
Verify the warning appears and select Ok

Rufus Warning Message

Verify the FreeDOS is created on the USB, application status is “READY” and the green bar is complete

Rufus Ready Message

Download BIOS and Copy BIOS Folder to FreeDOS USB

*** Important ***

Note that the folder, file, and version names in this article are used as an example. The actual folder, file, and version names will vary depending on the model of Vault and the version of BIOS.

Download the BIOS folder to the Windows machine from the Protectli BIOS Version page at this link
The BIOS folder will be a compressed “zip” file. If compressed, uncompress the zip file
Go to “This PC” on the Windows machine and select the USB drive

Select USB Drive on This PC

Drag/copy the BIOS folder to the USB drive
If prompted, check the box to copy all current items to the USB Drive

Copy Prompt

Verify folder copied to the USB Drive

BIOS Folder in USB Drive

Safely remove the USB drive from the Windows computer

Update BIOS on the Vault

Note: Freedos will not boot in UEFI BIOS. To successfully complete this procedure make sure the BIOS is set to Legacy. We have a guide covering this here. Using the same steps but switch to “Legacy Only”.

Insert the USB drive into the Vault
Hit the “F11” key repeatedly during boot
Verify the Vault boots to the boot selection menu
Select the USB and verify the Vault boots to the DOS prompt
Type “dir” to see the contents of the USB drive
In this example the folder “4A171114” should appear
Type “cd 4A171114” to change directory to the BIOS folder
Type “update.bat”
Verify that the BIOS installation completes

Verify BIOS ID on the Vault

Reboot the Vault
Hit the “DEL” key repeatedly during boot
Verify the Vault boots to the main BIOS window
Verify the BIOS ID is the correct version

BIOS ID

At this point the new BIOS should be installed. However, if there are any issues, feel free to reach out to us at:

support@protectli.com

Troubleshooting the Vault

phil April 26, 2018

With Solid State Drives (SSD) and fanless cooling, the Vault has been extremely stable over the years. However, as with all computers, occasionally the Vault may have various issues.

The most common issues that occur are due to faulty mSATA, faulty DRAM, or need for CMOS reset on the FW1, FW2 and FW4A series.

This article will help the user diagnose and repair the majority of the problems that do occur.

Accessing components

In order to access the components, disconnect power, turn the unit upside down and remove the 4 screws on the bottom plate. The photos below show the internal sockets of the Vault when the bottom plate is removed.

DRAM troubleshooting instructions

Some issues are due to faulty DRAM or system memory.

In order to verify memory, follow these steps:

Remove the bottom plate of the Vault and identify the components per the instructions above.

Verify memory is properly installed. There should be a noticeable “click” when the DRAM is properly inserted into the socket.
Verify the memory for the FW1, FW2, FW2B, FW4A, FW4B series is DDR3L where the “L” is for “low voltage” of 1.35V. DDR3 requires 1.5V and is not compatible with the Vault.
If there are still issues, run a cycle of Memtest. Instructions can be found at this link.
If there are still issues, replace the DRAM with known good DRAM.
If there are still issues, it is likely the DRAM is not the issue.

mSATA troubleshooting instructions

Some issues are due to faulty mSATA or system solid state drive (SSD).

In order to verify mSATA, follow these steps:

Remove the bottom plate of the Vault and identify the components per the instructions above.

There are 2 PCI sockets in the Vault. One is for mSATA and the other is for the WiFi module. See the photos above for the proper mSATA socket. Verify the mSATA is installed in the proper socket and screwed down.
If the mSATA is properly installed and there are still issues, replace it with a known good mSATA.
If there are still issues, then likely the mSATA is not the fault.

CMOS reset instructions

The Vault’s CMOS is a small amount of battery backed memory that contains basic system information for the BIOS. Occassionally the CMOS on the FW1, FW2 and FW4A series units can get into a state where it needs to be reset.

To reset the CMOS, see this link.

Physical Damage

Examine the Vault for any obvious external damage that may have occurred during shipping, installation, or while in service.

Verify that all of the ports, connectors, and power button are properly positioned in the chassis.

Loose components or screws

Shake the Vault

Verify there are no sounds to indicate a loose screw or other loose component
If it sounds like a loose item, open the vault and verify the issue.

Basic troubleshooting

See photos below for the Vault interfaces

Plug one end of the power cable into a live AC power outlet and the other end into the DC power adapter.

Verify both connections are secure.
Verify the LED on the DC power adapter is illuminated.
Connect one end of a video cable to either the VGA connector or to the HDMI connector depending upon the model of the Vault. Connect the other end to the appropriate connection of a video monitor.
Verify the connections are secure.
Note that most video monitors have multiple interfaces such as VGA, HDMI and DVI.
Verify the video monitor is configured to use the correct interface for the Vault or that the video monitor can auto select the correct interface.
Connect a keyboard and mouse to the USB ports on the Vault.
Verify both connections are secure.
Plug the DC power cable into the power jack of the vault
Verify the blue LED on the power button is illuminated.
Verify that the green LED on the front panel is illuminated.

Issues

No Video

Monitor the video screen and verify that the system boots up.

If no video is displayed, it may be due to a “barebone” unit. In other words, there is no DRAM or mSATA installed in the device when it ships from the factory. The FWX001, FW2B, FW4X-0, and FW6X-0 series are all barebone units and require installation of at least DRAM before any video can be displayed.

Verify a working VGA/HDMI cable
If available, try another monitor to check possible compatibility issues

If still no video

Remove the power plug from the Vault
Open the vault per the instructions above and verify that DRAM is properly installed in the system

If DRAM is properly in place,

Follow the CMOS reset instructions above
After CMOS reset, power on the device and verify it displays video and boots correctly
If the system boots correctly, this indicates CMOS reset was required to resolve the issue

If there is still no video

Follow the DRAM troubleshooting instructions above
After DRAM troubleshooting, power on the device and verify it displays video and boots correctly
If the system boots correctly, this indicates replacing faulty DRAM was required to resolve the issue

If there is still no video

Remove the mSATA and verify the system boots up to the BIOS menu
If the system boots correctly, this indicates faulty mSATA that should be replaced

If there is still no video, contact Protectli support at: support@protectli.com

Boot directly to BIOS

If the device boots and goes directly to BIOS

Verify that mSATA is properly installed per the instructions above

If mSATA is properly in place,

Follow the CMOS reset instructions above
After CMOS reset, power on the device and verify it displays video and boots correctly.
If the system boots correctly, this indicates CMOS reset was required to resolve the issue.

If the system still boots directly to BIOS

Follow the mSATA troubleshooting instructions above.
If the system boots correctly, this indicates faulty mSATA that should be replaced.

If the system still boots directly to BIOS, contact Protectli support at: support@protectli.com

No Operating System (OS) found

If the device boots and the following message or similar is displayed on the screen:

“Reboot and Select proper Boot device or Insert boot Media in selected Boot device and press a key”

it means that the device has booted correctly, recognized the mSATA as a bootable device, and there is no OS installed on the mSATA.

Protectli does not install a default OS onto the Vault so this is expected initial behavior.

Install an OS onto the Vault. There are instructions for many of the most popular open source firewalls, routers, network applications, Linux and Windows software packages on the Protectli Knowledge Base at this link.

Verify the installation completes successfully.

OS Installation Issues

Problems installing an OS are typically related to the specific OS image and/or the method used to create the installation image.

Specific instructions for many popular OS can be found on the Protectli Knowledge Base page at this link.

Verify that AMD 64 bit image type is selected, if image type selection is required, depending on the OS.
Verify that a VGA or COM/Serial port image is selected, if required, depending on the OS.
Follow the instructions on the Protectli Knowledge Base page at this link to create a bootable USB drive.

Can’t install OS via COM/Serial port

If an OS cannot be installed via the COM port:

Verify the COM port session has been configured correctly. See this link
Verify the image used for OS installation supports the COM port. Some OS installations require a specific image to use the COM port.

If the COM port session has been configured correctly and the correct image is used for OS installation and there are still issues, follow the instructions above for “No Video”.

Vault Crashes or Reboots

If the Vault “crashes” or peforms erratically during boot up, installation, or while in service,

Follow the mSATA troubleshooting instructions above.
If issues continue, follow the DRAM troubleshooting instructions above
If issues continue, follow the CMOS reset instructions above
If issues continue, it may be due to a corrupt OS. If possible with the OS, save the configuration file. Reinstall the OS.
If issues continue, it is most likely a software OS problem. Common issues are typically posted to the support sites or forums for the specific OS.

Here are some of the support sites for the most common OS:

https://forum.pfsense.org/index.php
https://forums.freebsd.org
https://www.microsoft.com/en-us/itpro/windows/support
https://ubuntuforums.org
https://forum.vyos.io
https://forums.untangle.com
https://community.sophos.com
https://communities.vmware.com/welcome

No Network Connectivity

If an OS is installed and appears to operate correctly, but there is no network connectivity for one or more Ethernet ports, follow these instructions:

For all Ethernet ports:

Verify the Ethernet cable is properly connected between the Vault and a switch/router.
Verify the Green connectivity LED for the port is constantly illuminated.
Verify the Yellow activity LED is blinking

WAN port:

The default IP address on the WAN port for almost all OS is to get an IP address from a DHCP server.

Verify the connected switch/router/network is configured as a DHCP server to provide an IP address to the Vault.
Verify the OS that is installed recognizes a proper IP address on the WAN port.
An address of 169.254.10.1 or 169.254.XX.YY indicates that the IP address was generated automatically by the Vault because it was unable to get an IP address from a DHCP server.

LAN port:

Depending on the OS, the LAN port may get a default static IP address. As an example, pfSense® CE sets a static IP address to 192.168.2.1 and enables it as a DHCP server. FreeBSD automatically names the LAN port “em1” and sets a static IP address to 192.168.2.1 and enables it as a DHCP server.

Verify the OS that is installed recognizes a proper IP address on the LAN port.

OPT1-OPT3 ports:

Depending on the OS, the OPT ports are typically not configured as a default. Sometimes they can be configured during installation, but not always.

Verify the OS that is installed recognizes the OPT ports.
Verify the OS can configure the OPT ports for the proper IP configuration, static, DHCP, IPv4/IPv6, etc.

For all Ethernet ports, verify there are proper firewall rules in place to allow and or deny the desired traffic through the specified port.

More details for configuration of various OS that are compatible with the Vault can be found on the Protectli Knowledge Base page at this link.

Vault seems to be hot

Depending on the load and system activity, the external temperature of the Vault will vary. The Vault uses Intel devices that can monitor the temperature of the CPU, other components and the system. Many OS have the ability to display the temperature data in the dashboard or via other utilities. If running pfSense we have an article here which covers temperatures and a table showing max safe temps.

If the Vault seems hot,

Verify the temperature via the OS dashboard or other utility. CPU core temperatures in the 60’s C are not unusual for heavy load.
For the FW1, FW2, FW4A series, verify that the ventilation slots on the side of the unit are not blocked.
Verify adequate ventilation around the Vault
Verify the ambient temperature where the Vault is installed. Operating temperature is from 0 C to 50 C.

We expect that this troubleshooting guide has the information to resolve most common issues that occur with the Vault. However, if there are still unresolved issues, feel free to reach out to us at:

support@protectli.com

Hardware

4G LTE Service Overview

4G LTE Service Configuration

4G LTE Service Specifications

4G LTE Service Documents

Overview

Example Setup

Prerequisites

Setting Up the PXE Server

UEFI Overview

Changing BIOS mode to UEFI

Boot Menu

Installation Instructions

Flash from Coreboot to Original(AMI) BIOS

coreboot File Table

Overview

Splash Screen File

Verify the Desired Splash Screen File

Convert the Desired Splash Screen File

Download the BIOS

Download the BIOS Logo Tool

Use the BIOS Logo Tool to Change the Splash Screen

Create Bootable USB Drive and Install New BIOS

Overview

CPU

Memory

mSATA

WiFi

Port Connectivity

Data Sheets

BIOS

Notes

Previous Versions

Create Bootable FreeDOS USB – Windows

Download BIOS and Copy BIOS Folder to FreeDOS USB

Update BIOS on the Vault

Verify BIOS ID on the Vault

Accessing components

DRAM troubleshooting instructions

mSATA troubleshooting instructions

CMOS reset instructions

Physical Damage

Loose components or screws

Basic troubleshooting

Issues

No Video

Boot directly to BIOS

No Operating System (OS) found

OS Installation Issues

Can’t install OS via COM/Serial port

Vault Crashes or Reboots

No Network Connectivity

Vault seems to be hot

Added to Cart