Reminder: after resetting or flashing a new image, you will need to pair with your unit again (https://firewalla.com/install). Your old Firewalla icon will not work.
This tutorial explains how to flash the image of Firewalla Gold and Gold Plus boxes. To flash:
- Gold SE boxes, see this guide.
- Purple series boxes, see this guide.
- Red, Blue, and Blue Plus boxes, see this guide.
In case anything goes wrong and the "reset to factory default" does not work, here is how to recover:
- Do not delete or unpair the previous instance in your Firewalla mobile app if you want to restore your previous configuration from it later using the Migration feature.
- Download the Firewalla Gold Series installer image:
  - Download link: fireupdater-3.0929.img.gz (Ubuntu 22.04 LTS)
    - MD5sum: 2c1e2628b20c9c374a489a2a0a4c0d5c
    - sha256: 094ad9229396d3adb9c96e189069659e447de606832daac75d9bf1ebc40346fa
  - BETA Image, download link: gold-fireupdater-0.0709.img.gz (Ubuntu 22.04.4 LTS)
    - MD5sum: 0f536fc1e023a2c0d8c103c3b41380d5
    - sha256: 66d0b1c7ce4741fcc79427a4718fb691f519b667a3959630529864bdb783c348
    - [Gold Plus] PPPoE download performance can now reach 2.3 Gbps even with QoS enabled.
    - [Gold] PPPoE download performance can now reach 1 Gbps even with QoS enabled.
    - General Performance Improvements
- Download a flash program. We use etcher.io in this example.
Note: if Etcher doesn't work on macOS Catalina (10.15), please see below for a workaround.
- Launch Etcher and select the image you downloaded earlier.
- Plug a USB drive with at least 16 GB disk space into your computer, and select it as the flash target.
- Select Flash!
- After flashing, unplug the USB drive from your computer and plug it into the other USB slot on Firewalla Gold (please DO NOT remove the red dongle).
- Power cycle the Gold box (Unplug the power cable and plug it back in) to start flashing the Gold box. A display monitor may be connected via the HDMI port to watch the flashing process.
- Wait about 10 minutes (this may vary depending on the USB drive) for the beep sounds from the internal speaker of the Gold or Gold Plus box. (Gold SE does not have a speaker).
- If all is O.K., the Gold/Gold Plus will beep twice every 5 seconds.
- If flashing fails, the Gold/Gold Plus will beep 3 times every 5 seconds.
In case of failure, see Troubleshooting below.
- Unplug the USB drive, then power cycle the Gold box.
- The box will be powered up as new, and ready for pairing.
Troubleshooting
Flashing should take about 10 minutes. If it takes substantially more than that, there may be some issues. Here are some things you can check:
- Check that the image is for Gold, not Gold SE.
- Check that the USB drive was imaged successfully with Etcher.
- Try a different USB drive.
- In case of failure, if a monitor has been connected via HDMI, you may take a photo of the screen output and submit it with a support case.
Restoring Configuration
When installing the new version, the iOS app will use "Quick Setup" to restore the previous network configuration.
Then please use Settings -> Advanced -> Migrate from other boxes to restore rules and device names after installation. See the tutorial on how to migrate: How to migrate data from one Firewalla Box to another? Note: please do not unpair the old box before the migration. Just use the USB to flash, install, and migrate. After migration, you can tap and hold on the previous Firewalla Icon, and tap "unpair" to remove the previous pairing.
How to flash the image file to a USB drive via the Linux command line (Warning: Pro users only)
# Make sure the device file is that of the USB drive. Flashing to the wrong device file may cause unexpected data loss.
gunzip -c <image_file> | sudo dd of=<usb device file> bs=32M status=progress
# Example
gunzip -c fireupdater-3.0.0929.img.gz | sudo dd of=/dev/sdc bs=32M status=progress
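A safer wrapper around the `dd` command above, as an added example (not Firewalla's own tooling): it checks the download against the SHA-256 published next to the link, tests the gzip stream, and refuses to write unless the target is a whole disk attached over USB. The function names are hypothetical, and it assumes GNU coreutils `sha256sum` and util-linux `lsblk`.

```shell
#!/bin/sh
# Added example, not part of the Firewalla guide. Function names are hypothetical.

# verify_image <image.gz> <expected_sha256>
# 0 = hash matches and gzip stream is intact, 1 = hash mismatch,
# 2 = file unreadable, 3 = hash matches but the gzip stream is damaged.
verify_image() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    got=$(sha256sum "$1" | awk '{print $1}')
    # Published hashes are sometimes upper case, so normalise before comparing.
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$got" != "$want" ]; then
        echo "SHA-256 mismatch: got $got" >&2
        return 1
    fi
    gzip -t "$1" 2>/dev/null || { echo "gzip stream is corrupt" >&2; return 3; }
}

# is_usb_disk <device>
# 0 only for a whole disk (not a partition) whose transport is USB, so a
# typo in the device name cannot overwrite an internal drive.
is_usb_disk() {
    [ -b "$1" ] || return 1
    # -d: the device itself without its partitions, -n: no header line
    set -- $(lsblk -dno TYPE,TRAN "$1" 2>/dev/null)
    [ "$1" = "disk" ] && [ "$2" = "usb" ]
}

# flash_image <image.gz> <expected_sha256> <device>
# Writes the image only after both checks pass.
flash_image() {
    verify_image "$1" "$2" || return 1
    is_usb_disk "$3" || { echo "$3 is not a USB disk, refusing" >&2; return 1; }
    # conv=fsync (GNU dd) flushes to the drive before dd reports success.
    gunzip -c "$1" | sudo dd of="$3" bs=32M status=progress conv=fsync
}

# Usage (replace the placeholders with the values for your download and drive):
#   flash_image fireupdater-3.0929.img.gz <sha256 from the download list> /dev/sdX
```

A SHA-256 match shows only that the file equals what the page lists; it does not authenticate the page itself, which is what a signature would add.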
Known Issues
Etcher prompts for user confirmation before flashing on Windows 10
Solution: Start Etcher with administrative privileges.
Etcher fails to start flashing on macOS
Solution: Unmount the auto-mounted partitions of the USB drive by running the following commands in Terminal:
x=$(diskutil list | awk '/external/ {print $1}')
sudo umount ${x}s1 ${x}s2
Etcher doesn't work on macOS Catalina (10.15)
Solution: An open issue in the Etcher project on GitHub tracks this: https://github.com/balena-io/etcher/issues/2833
Here is a workaround you can use until Etcher fixes this issue.
- Open Terminal.app
- Run this command in the terminal:
sudo /Applications/balenaEtcher.app/Contents/MacOS/balenaEtcher
- Type your macOS login password when asked.
Older Images:
- Ubuntu 20.04 LTS (Supports Gold Only)
  - Download link: fireupdater-3.0.0113.img.gz
  - MD5sum: eb64d196a7a9f9d80f6fd914334aea46
- Ubuntu 18.04 LTS (Supports Gold Only)
  - Download link: firestaller-0.132.img.gz
  - MD5sum: 22ecc3d8d41d874338597e620ca371f0
Comments
Will all of the settings and/or customizations be retained after flashing? I assume yes, but wanted to make sure.
bks
You should have the option to restore your old configuration after flashing.
Only about 20 minutes into everything is back online, but so far so good. The instructions were spot on. It seemed to take my app and the box about 6-10 minutes to sync back up AFTER I was done following the instructions. So probably about 30 minutes total from start to finish with downloading, flashing USB drive, flashing box, pairing app. Simply well done to the team at Firewalla.
As far as keeping settings, be sure to choose "Quick Setup" once your box has been discovered and you scan it, it will restore your box but it seems to have deleted all of my rules. It did keep all of my network information including DHCP reservations as I am using Router Mode. Also, the DoH "False Positive" of being "on" (the radio button being blue on the main menu page) seems to be back for me. I tried turning DoH on and off as well as closed the app and when I opened back up, the radio button was still blue.
Thanks for the feedback. You can migrate the old rules from Settings -> Advanced -> Migrate from Other Box.
We'll improve the quick setup to include rules and other settings.
For the DoH bug, will check it.
After the update, what box version should be shown?
I had to reset my Gold due to a bug and during the normal re-initialization process, updates were downloaded.
I'm showing 1.970 (e97c31fa), with a last update date of 5/25/2020.
Is that the latest or do I need to reimage it again?
bks
@Brian
There are two pieces of software: the Firewalla software and the OS image.
Version 1.970 and hash (e97c31fa) are the latest (as the Firewalla software).
I think you may also have received the email about the latest base image (firestaller-0.128.img.gz). This is the OS image. You don't have to reimage with the 0.128 base image, but we recommend doing so, because it will (very likely) be the final base image for customers. There are some bug fixes compared with the previous OS image 0.127.img.gz.
Melvin
Flashing the new image went well. Got two beeps from the box when paired and three beeps when I selected “Quick Setup”.
The “Quick Setup” was still “Applying Network settings...” after 30 minutes. I abandoned this and paired with the Gold again.
This time I selected to set up a new device, selected router, connected to the modem, selected DHCP and let it run. Still waiting for “Applying network settings...” to complete.
After 20 minutes, nothing more happened.
I removed and reapplied power to the Gold. After pairing and selecting Quick Setup again, the Gold properly configured itself and started normal operation.
@Bob,
Can you share remote support with help@firewalla.com, so that we can check what's wrong?
Melvin
@Melvin,
How can I check the OS base image version?
Eli
@Eli
cat /etc/firewalla_release
Windows instructions as well for those looking. I used Rufus (https://rufus.ie/) portable, which was very straightforward. Simply download the img.gz file linked above, select your target USB device, select the image or boot selection within the tool, then hit start.
Hi Firewalla Team,
cat /etc/firewalla_release shows me following ..
Model: Gold
Version: 0.106.img
Build Date: Sun May 24 18:03:30 UTC 2020
HASH: 957c2aabd77bb55028b4763f471ce9f9
Version 0.106.img? Is this correct?
I have a beta Gold unit. You mailed us on May 27 to update to 0.128. I did that, but why do I have the old version string? Is maybe something not correct?
Now 0.132 is available. Is the OS base image also autoupdated? Is there a change log? What's the official recommendation, should we reflash our devices?
Alex
Please ignore the 0.132 version, it is the image builder. The image is still the production one.
Please provide more secure hash sums (ideally SHA512) and ideally also GPG signatures for ensuring the security of the installer image.
I don't pretend to be a security expert, though as I've understood it:
Requesting this respectfully, of course...it's just that even if likelihood is low that the router image were compromised, the security of everything connected to the Firewalla's network seems like it would be a runaway train....
Do the automatic firmware updates get verified by MD5 file hashsums as well?
If so, can the security of this be upgraded as soon as possible, please?
I'm currently on the alpha release for FWG. If I re-flash the FWG with fireupdate-3.0.0113.img.gz, will that take me back to the beta versions, or will FWG update to the alpha release automatically?
The goal is to get to the 20.04 base image plus be on the alpha release cycles.
Thank you!
bks
You will have to rejoin the alpha/beta you were on before with the previous image.
That's what I needed to know! Thank you!
bks
If we have upgraded to 8 GB of ram, do we have to install the 4 GB stick before flashing this image?
Yes, the install script may check the hardware specs to confirm it's the right hardware to install.
Maybe for the future you could allow flashing with an 8 GB module too, since the CPU supports 8 GB of RAM 🙂
A few notes for those doing the upgrade.
1) If you are using MSP, you have to add the “new” box in and remove the old one.
2) If you are in Beta or Early Access/Alpha, you will have to manually put the box back into those programs (to get to EA, you have to first go to Beta).
3) Migrating box settings over did NOT migrate VPN Client settings over. I had both a PIA OpenVPN client configuration and a WireGuard S2S VPN configured that I had to recreate. It would have been good to warn us that these were not migrated over (unless this is a bug in the migration code).
4) For me, at least, the port lights did not flash on unused ports 3 or 1 (I’m only using 4 and 2 currently). 2 and 4 had flashing yellow lights and solid orange lights.
5) The upgrade took about 6 minutes, the migration took another 5+ minutes and then the Beta+Alpha upgrades took another 5+ minutes. All told, about 20 minutes not counting any time to flash the USB drive.
6) I’m not sure why they don’t tell us to use the power button on the front of the Gold (Rev A, at least) vs. the hard power removal. It seemed to work for the initial reboot to start the upgrade.
7) Historical data is not copied over in the “migration” process, so you lose history on network performance, netflows, and any alarms
heath
I see a new image based on Ubuntu 22. What's the difference between that and the one based on 20? Is it good for a daily use even if in beta?
@Radagast82
Not much difference. We provide this as an option if people really want to use the latest Ubuntu LTS. We have been using it for over a month, looks pretty stable.
Is there any guidance if every link is failing md5sum?
@w m
Which tool reported the "failing md5sum" error? Was it from a third-party md5 tool or from the Firewalla box when flashing it to the box? If it's the former, you may need to find a reliable way to download it again. The md5 listed on the page is correct (just double-checked).
Is there a way to have a .bin file over .img? Currently running a Chromebook and the recovery tool only allows .bin to create bootable flash drive.
BTW, I noticed somewhat of a perception change (maybe just my own!) in how the above article is worded now.
Previously, I got a sense that both 20.04 LTS and 22.04 LTS were sort of beta since FWG shipped with 18.04 LTS as base OS. Now the above reads as if 22.04 LTS is current whereas 18.04 and 20.04 are "older". Is that a shift in stance from Firewalla support? Based on the above, I did upgrade to 22.04 LTS last night and admittedly it was a smooth process exactly as described above, but I am asking if that is the official recommendation.
@Xraptor29, can you rename the downloaded file?
@Hiranmoy
What we did in Ubuntu 22 was to unify both Gold and Gold Plus under the same image.