Recently I got an old Juniper SSG5 router which was taken out of service. The unit itself dates back to 2010 and never received updates while it was operational. Before taking it into production again I want to make sure that the firmware is up-to-date.
Prerequisites:
Before we can start updating the unit we need to download the firmware. Since the device is EOL we can download the firmware free of charge (but you need to register once). You can find the download page here.
Although not strictly required, a TFTP server is used to save the initial configuration and to load the new firmware from. In this guide I assume that a TFTP server is available in the network; mine listens on IP address 192.168.0.75.
If you are going to upgrade from a firmware earlier than the 6.3 release you need to download a new key file as well which holds the MD5 checksums for the new images.
Factory resetting the switch:
As this unit came out of production it holds a certain configuration and password I don’t know. So in order to use the device we need to reset it to the factory defaults first. With a paperclip you can reset the device (reset button is on the back) as follows:
1: While the device is running press and hold the reset button for ~6 seconds and release
2: Wait ~2 seconds
3: Press the reset button again for ~6 seconds and release
The unit should now reboot and restore the factory image into flash. This may take up to 5 minutes to finish.
If you already have this unit in production do not perform these steps, as they will wipe your entire configuration!
Logging in on the switch:
The switch has a serial console port which is the most convenient way to administer it. It is also possible to use telnet and/or SSH to log in, but these are disabled by default and have to be enabled manually per port on the device.
The console settings are 9600 baud, 8N1, with no flow control.
The default username and password are both “netscreen”. When logged in successfully you will see the following prompt:
login: netscreen
password:
ssg5-serial->
Checking the current software version:
When logged in to the switch perform the following command to see the current version:
ssg5-serial-> get system
Product Name: SSG5-Serial
Serial Number: 0162122010003603, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.2.0r5.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Thu Jan 28 11:42:26 PST 2010
Base Mac: 28c0.dae8.e140
File Name: ssg5ssg20.6.2.0r5.0, Checksum: 23364b4e
, Total Memory: 256MB
There is more output to be shown; you can press CONTROL + C to cancel the listing.
Saving the configuration:
This step is only needed when you already have the device in production. If you have just factory reset the device this step can be skipped.
When logged in to the console enter the following to save the configuration:
save config to tftp 192.168.0.75 ssg5_31-8-2016.cfg
This will save the current configuration with filename “ssg5_31-8-2016.cfg” to the TFTP server running on 192.168.0.75. If this goes well you should see:
Read the current config.
Save configurations (4935 bytes) to ssg5_31-8-2016.cfg on TFTP server 192.168.0.75.
!!!!!!!!!!!!!!!!!!!!!!
tftp transferred records = 10
tftp success!
TFTP Succeeded
ssg5-serial->
Preparing the firmware:
The latest firmware for the SSG5 at the time of writing is version 6.3.0r22. You should have a file called “ssg5ssg20.6.3.0r22.0.zip”. Unzip the contents of the zip into your TFTP directory (usually /srv/tftp/).
Optionally you may have a bootloader update as well, as I did. In that case you will also have a file called “Loadssg5ssg20v132.d.zip”, which needs to be unzipped into the TFTP directory too.
Updating the firmware:
If you want to update the firmware and are coming from a release before 6.3 you need to update the image MD5 keys first. Make sure you have extracted the zip file containing the keys in your TFTP directory. After unzipping you will have an “imagekey.cer” file that we need to flash first.
You may want to check the installed keys first. You can do this with:
ssg5-serial-> exec pki test skey
exec pki test
Flash base = 0x51000000, Flash end = 0x0, sector size= 0x4000
KEY1 N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f800
KEY2 N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f800
KEY3 N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f800
You see that the string starts with 308201ac. Its eighth character is a c, which indicates that you have a firmware prior to 6.3 running and you have to update the keys first. Firmware releases in the 6.3 branch have the c replaced with a d.
Issue the following command to load the new keys:
ssg5-serial-> save image-key tftp 192.168.0.75 imagekey.cer
Load file from TFTP 192.168.0.75 (file: imagekey.cer).
!!!!!
tftp received octets = 863
tftp success!
Done
TFTP Succeeded
ssg5-serial->
Now we can check the keys again and you should notice that the “c” is changed to a “d”:
ssg5-serial-> exec pki test skey
exec pki test
Flash base = 0x51000000, Flash end = 0x0, sector size= 0x4000
KEY1 N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f800
KEY2 N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f800
KEY3 N/A len =433
308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f800
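The key check above can be automated against a captured console log. This is an added example, not part of the original post or any Juniper tooling: it applies the post's rule (eighth hex character c or d) and also decodes the DER length header, which is why the reported len changes from 432 to 433 together with that character. The function names and the sample text, built from the listings above, are assumptions.

```python
import re

# Constructed sample built from the two listings on this page. The console
# shows only the first line of each key, so only the DER header is usable.
BEFORE = """\
KEY1 N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f800
KEY2 N/A len =432
308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f800
"""
AFTER = BEFORE.replace("len =432", "len =433").replace("308201ac", "308201ad")

KEY_RE = re.compile(r"^(KEY\d+)\s+\S+\s+len\s*=\s*(\d+)\s*\n([0-9a-fA-F]+)", re.M)


def der_total_length(hex_blob):
    """Total size (header + content) declared by a leading DER SEQUENCE."""
    raw = bytes.fromhex(hex_blob[:12])  # tag + length field fit in 6 bytes
    if len(raw) < 2 or raw[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if raw[1] < 0x80:                   # short form: one length byte
        return 2 + raw[1]
    n = raw[1] & 0x7F                   # long form: n length bytes follow
    if n == 0 or n > 4 or len(raw) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")


def check_keys(listing):
    """Classify each KEYn entry using the post's c/d rule and check its length."""
    results = []
    for name, shown_len, blob in KEY_RE.findall(listing):
        total = der_total_length(blob)
        branch = {"c": "pre-6.3", "d": "6.3"}.get(blob[7].lower(), "unknown")
        results.append({"key": name, "branch": branch, "der_len": total,
                        "len_matches": total == int(shown_len)})
    return results


def needs_key_update(listing):
    """True if any installed key is not the 6.3 one (or nothing was parsed)."""
    keys = check_keys(listing)
    return not keys or any(k["branch"] != "6.3" for k in keys)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, needs_key_update(text), check_keys(text))
```

Treating an empty or unparsable capture as "update needed" keeps a bad serial log from being read as a pass.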
Now that the keys are up-to-date we can start the actual firmware update:
ssg5-serial-> save software from tftp 192.168.0.75 ssg5ssg20.6.3.0r22.0 to flash
Load software from TFTP 192.168.0.75 (file: ssg5ssg20.6.3.0r22.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tftp received octets = 13381258
tftp success!
TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 25, cpu = 12, version = 18
update new flash image (02a676a0,13381258)
platform = 25, cpu = 12, version = 18
offset = 20, address = 5800000, size = 13381180
date = 2669, sw_version = 31808000, cksum = 59d01749
Image authenticated!
Program flash (13381258 bytes) ...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++e
Done
This step takes up to 5 minutes to download and install the firmware.
Now that the new firmware is installed we need to reboot the device to load the new firmware. This can simply be done with the reset command:
ssg5-serial-> reset
System reset, are you sure? y/[n] y
In reset ...
After around 5 minutes the device should be back online again and we want to check if the new version is active. Log in and retrieve the system information:
ssg5-serial-> get system
Product Name: SSG5-Serial
Serial Number: 0162122010003603, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r22.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Wed Mar 9 07:57:20 PST 2016
Base Mac: 28c0.dae8.e140
File Name: ssg5ssg20.6.3.0r22.0, Checksum: 11a822d0
, Total Memory: 256MB
In this case the upgrade was successful!
Updating the bootloader firmware:
Updating the bootloader cannot be performed when the OS is running and can only be performed from the bootloader itself. Reset the device and halt the boot process to gain access to the bootloader prompt:
ssg5-serial-> reset
System reset, are you sure? y/[n] y
In reset ...
Juniper Networks SSG5 Boot Loader Version 1.3.2 (Checksum: A1EAB858)
Copyright (c) 1997-2006 Juniper Networks, Inc.
Total physical memory: 256MB
Test - Pass
Initialization - Done
Hit any key to run loader
Hit any key to run loader
Serial Number [0162122010003603]: READ ONLY
HW Version Number [0710]: READ ONLY
Self MAC Address [28c0-dae8-e140]: READ ONLY
Boot File Name [ssg5ssg20.6.3.0r22.0]: Loadssg5ssg20v132.d
Self IP Address [192.168.2.26]: 192.168.0.7
TFTP IP Address [192.168.2.100]: 192.168.0.75
Save loader config (56 bytes)... Done
Loading file "Loadssg5ssg20v132.d"...
rtatatatatatatatatatatatatatatatatatatatatatatatatatat
Loaded Successfully! (size = 407,771 bytes)
Image authenticated!
Save to on-board flash disk? (y/[n]/m)
Enter “y” at the above question to flash the bootloader firmware.
Save to on-board flash disk? (y/[n]/m) Yes!
Saving system image to on-board flash disk...
Done! (size = 407,771 bytes)
Run downloaded system image? ([y]/n)
Enter “y” at the above question to run the bootloader update:
Run downloaded system image? ([y]/n) Yes!
Check on-board Boot Loader... Update needed!
Are you sure you want to update Boot Loader? (y/n)
Enter “y” to finalize the bootloader update:
Read product information of on-board boot flash device:
Manufacturer ID = 1f
Device ID = 13
Additional Device ID = 10
Boot flash device is AT49LV040B
Erase on-board boot flash device.......... Done
Update Boot Loader....................................................
Verify Boot Loader... Done
Boot Loader has been updated successfully!
Please hit any key to reboot the system...
Press any key to reboot the system. The bootloader update has finished! After this the bootloader tries to update at every reboot, which is very inconvenient. You can solve this by removing the bootloader update file from the TFTP folder.