lafornera hack firm

Written by CodedChaos

Sunday, 04 March 2007

Recently a company called FON started giving away their Fon Routers for free (like here: http://www.fon.com/en/promos/fonbucks ) The idea behind this router is that you hook it up to your internet connection, and it transmits two wifi signals, a WPA secured one, and a unencrypted FON_something signal. From there, you manage your Fon from your user zone on www.fon.com. You choose to charge people for access to your open FON signal or not. For more information on the Fon's original purpose, see their site. Now, this is all well and good. But, what if you could hack this little free router? And maybe install something like dd-wrt, a firmware that many people put on the older Linksys routers. Well, that's what we're going to do today =) Free router + installing dd-wrt = yay. Written by CodedChaos Information Provision: LinkinCable and dd-wrt.com If you like it, please What you need 1 Fon router with firmware 0.7.1 r1 or lower (you'll learn how to find this at the beginning of the guide.) Laptop (something to wirelessly ssh to Fon) SSH Client (We'll be using Putty) Telnet Client (We'll be using Putty) TFTP Server (We'll be using PumpKIN) Cross-over ethernet cable -OR- powered ethernet switch (Guide to making a cross-over cable here: http://www.littlewhitedog.com/content-8.html) Understanding of some SSH and Telnet Understanding of Manual IPs in your OS of choice (OSX, Linux, or Windows) HTML Editor (or notepad) I-Hacked Members: Download this zip file, and skip ahead to "Getting Started" Preparation First, we need to create two HTML files. Create a file called step1.html It's contents should be: <html> <head> </head> <body> <center> <form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh " enctype="multipart/form-data"> <input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" > <input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" /> </form> </body> </html> Next make a file called step2.html It's contents should be: <html> <head> </head> <body> <center> <form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh " enctype="multipart/form-data"> <input name="username" value="$(/etc/init.d/dropbear)" size="68" > <input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" /> </form> </body> </html> Since most people use windows, this guide will focus on the Windows method. (For Mac and Linux users, here's some core instructions: http://www.dd-wrt.com/wiki/index.php/La_Fonera_Flashing best of luck to you.) Download the following files. TFTP Server: http://kin.klever.net/dist/pumpkin-2.7.2.exe Latest fonera dd-wrt files from here: http://www.dd-wrt.com (Local copy of Firmware here) SSH/Telnet Client, Putty: http://www.putty.nl/latest/x86/putty.exe Note: The code method is only one of two methods of interfacing to your FON router.  You could also build a TTL->RS232 converter and connect to onboard serial port, as shown here. I-Hacked members: Extract the contents of the zip file you downloaded, everything above is there. Getting Started Start by connecting your FON router to power only. Wait for it to take it's sweet time booting... Once the wireless signal "MyPlace" appears, connect to it. The WPA key is the serial number on the bottom of your FON. Once connected to MyPlace, make sure you disconnect any other internet connections (like ethernet) from your computer. Open step1.html in Firefox/IE/Whatever you use. Click the lovely submit button. A Fon admin page will appear, click the status link in it's navigation. Then, notice your Fon's firmware version. If it is not 0.7.1 r1 or lower, this guide will not work for you. There is one (and only one) expection to this rule. If you connected your FON to the internet prior to attempting this, it automatically upgraded to the latest firmware, which you can undo. If you need to downgrade, follow the Downgrade steps below. If you are below or at version 0.7.1 r1, skip to "Moving Right Along..." Downgrading Hold the reset button on the FON down for about 1 minute. Let it go, make sure that the FON has no internet connection (ethernet cable that leads to net is not connected) Wait for the stupid thing to finish booting. Now, repeat the step from before: Open step1.html in Firefox/IE/Whatever you use. Click the lovely submit button. A Fon admin page will appear, click the status link in it's navigation. Then, notice your Fon's firmware version. If it is not 0.7.1 r1 or lower, this guide will not work for you. If it's still above 0.7.1 r1, then you cannot use this guide period, sorry. If it's now at or below 0.7.1 r1, congrats! You may continue. Moving right along... Open step2.html in Firefox/IE/Whatever you use. Click the lovely submit button. Congrats, you've now enabled SSH. SSH Time In your SSH client (we're using putty) connect to 192.168.10.1 , on port 22. Username: root Password: admin Once logged in, execute the following command. mv /etc/init.d/dropbear /etc/init.d/S50dropbear  Now perform the following actions. vi /etc/firewall.user  Uncomment (remove the # in front of it) the following lines. # iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT # iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT If you're unfamiliar with vim, here's an easy guide. 1. find the lines above using arrow keys. 2. Press i on your keyboard. 3. Remove the # and space at the beginning of both lines. 4. Press ESC key on keyboard. 5. Press : and then w, then hit enter. 6. Press : and then q, then hit enter. Now, to keep this little prick from automatically upgrading it's firmware. Execute the following command. vi /bin/thinclient.  If you're unfamiliar with vim, here's an easy guide. 1. Use arrow keys to go to the very bottom of the file. 2. Press i on your keyboard. 3. add a # to the line . /tmp/.thinclient.sh 4. Press enter so you're on a new line. 5. Insert this in the new line cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M') 6. Press ESC key on keyboard. It should look like this when you're done: #. /tmp/.thinclient.sh cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M') 7. Press : and then w, then hit enter. 8. Press : and then q, then hit enter. Congrats, you've now permanently enabled SSH, and you disabled auto-update firmware. It gets easier... right? For the moment, yes. More SSH though. Okay, now, let's disconnect the FON's power. Plug in an ethernet cable that will allow it to connect to the internet, don't worry, it can't upgrade it's firmware now. Plug back in the power cord. You should have ethernet and power cords connected now. Wait for it to boot.. Connect to "MyPlace" wifi signal, WPA key is S/N on the bottom of your FON. SSH to 192.168.10.1 on port 22 User: root Pass: admin Execute the following commands. (Each line is a separate command) cd /tmp wget http://fonera.info/camicia/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7 reboot Wait for it to boot..again. Connect to "MyPlace" wifi signal, WPA key is S/N on the bottom of your FON. SSH to 192.168.10.1 on port 22 User: root Pass: admin Execute the following commands. (Each line is a separate command) cd /tmp wget http://fonera.info/camicia/out.hex mtd -e "RedBoot config" write out.hex "RedBoot config" reboot Now the Fon will not completely boot, which is fine, it loads telnet, that's all we really need. Disconnect the Fon's power cord. Almost done... On most newer computers the lan ports autodetect cable states, so you can probably connect your Fon Router to your computer via included cable to complete the remaining instructions.  However if you have problems telnetting in, Connect your computer and the Fon router (which should be unplugged from power right now) together with your cross-over cable Or, if you're like me and don't have a cross-over cable, connect them both to a powered switch (NOT A ROUTER!) Open PumpKIN, which you should have downloaded earlier. I-Hacked Members: Skip to Starting PumpKIN step. Install PumpKIN somewhere that is easy to get to (like the desktop.) No real reason for this, just makes things easier for you. Place the files root.fs and vmlinux.bin.l7 where-ever you installed PumpKIN. Starting PumpKIN Open PumpKIN.exe Check the "Server is running" box. Set your computer's IP to 192.168.1.166 (Start --> Control Panel --> Classic View --> Network Connections --> Find the connection that is your Ethernet Connection --> Right Click it, click Properties --> In new window, in the scroll box, find Internet Protocol (TCP/IP) --> click properties button. Enter the following: IP: 192.168.1.166 Subnet: System will fill it in for you Default Gateway: 192.168.1.1 DNS: 192.168.1.1 Get your telnet client ready to connect to 192.168.1.254 port 9000 Plug in your Fon's power cable. Watch the Fon closely, once the ethernet lights up (flashes, whatever) wait about 2-3 seconds, then attempt to telnet to 192.168.1.254 port 9000. If it connects, you'll see RedBoot> in the telnet window. If you didn't connect, check your IP, check the IP you attempted to telnet to, check the port, check the cross-over cable (or switch) and try again. Once you're connected, enter the following commands. (Each line is a separate command.) ip_address -l 192.168.1.254/24 -h 192.168.1.166 fis init load -r -v -b 0x80041000 root.fs fis create -b 0x80041000 -f 0xA8030000 -l 0x002C0000 -e 0x00000000 rootfs load -r -v -b 0x80041000 vmlinux.bin.l7 fis create -r 0x80041000 -e 0x80041000 -l 0x000E0000 vmlinux.bin.l7 fis create -f 0xA83D0000 -l 0x00010000 -n nvram Note: all the fis commands take like 10 minutes to for the router to do, and they don't have progress dialouge, just chill and go get something to eat =P Also, you may lose connection while this happens.  Just wait for 5-10 mins after issuing the command, and connect back if necessary and run the next one. Here's what the telnet window should look like (similar) when you've finished the last fis command. RedBoot> fis init About to initialize [format] FLASH image system - continue (y/n)? y *** Initialize FLASH Image System ... Erase from 0xa83e0000-0xa83f0000: . ... Program from 0x80ff0000-0x81000000 at 0xa83e0000: . load -r -v -b 0x80041000 root.fs Using default protocol (TFTP) Raw file loaded 0x80041000-0x802e3fff, assumed entry at 0x80041000 RedBoot> fis create -b 0x80041000 -f 0xA8030000 -l 0x002C0000 -e 0x00000000 rootfs ... Erase from 0xa8030000-0xa82f0000: ............................................ ... Program from 0x80041000-0x80301000 at 0xa8030000: ............................................ ... Erase from 0xa83e0000-0xa83f0000: . ... Program from 0x80ff0000-0x81000000 at 0xa83e0000: . RedBoot> load -r -v -b 0x80041000 vmlinux.bin.l7 Using default protocol (TFTP) Raw file loaded 0x80041000-0x80120fff, assumed entry at 0x80041000 RedBoot> fis create -r 0x80041000 -e 0x80041000 -l 0x000E0000 vmlinux.bin.l7 ... Erase from 0xa82f0000-0xa83d0000: .............. ... Program from 0x80041000-0x80121000 at 0xa82f0000: .............. ... Erase from 0xa83e0000-0xa83f0000: . ... Program from 0x80ff0000-0x81000000 at 0xa83e0000: . RedBoot> fis create -f 0xA83D0000 -l 0x00010000 -n nvram ... Erase from 0xa83e0000-0xa83f0000: . ... Program from 0x80ff0000-0x81000000 at 0xa83e0000: . Type the following command. reset That's it. Your LaFonera should reboot and start DD-WRT. It by default will DHCP an IP address and have management on port 8080. If you have it hooked up to another router, have fun finding the Fon's IP, I'd check the main router's DHCP clients list. It took me like 10 minutes to find it (given there's a ton of stuff on my LAN. And I ended up finding it by the Fon's MAC Address.) Should you have any questions you can e-mail CodedChaos@i-hacked.com. Make sure you note in the subject that your e-mail is about Fon Hacking.

Last Updated ( Friday, 09 March 2007 )