Friday, August 1, 2008

Hacking La Fonera Part 1: DD-WRT

WARNING: THE ORIGINAL CREATORS OF THIS GUIDE ARE NOT RUNNING THEIR WEBSITE ANYMORE. PLEASE DO NOT EMAIL ME WITH YOUR PROBLEMS. SOME OF THE LINKS CONTAINED IN THIS POST MAY BE BROKEN AND YOU MIGHT NOT BE ABLE TO DOWNLOAD ALL OF THE NECESSARY FILES. I WILL FIND A WAY TO DISTRIBUTE ALL OF THE FILES SO THAT USERS CAN DOWNLOAD THEM. UPDATE: ALL LINKS SHOULD BE GOOD TO GO

************************************************************************************

I know that this is totally against what My Fon Blog is all about, but I think it is important to take the time and try to understand why the hacker community loves Fon (and their cheap routers). Yes, I'll admit it, one of my Foneras is running DD-WRT and I don't regret doing it. I now understand why people do it. The whole process is very simple and once everything is done, you will realize the power that DD-WRT has and how crappy Fon's firmware really is. Sometime later I will make a post on how to put the Fon firmware back onto the router, and maybe some other stuff as well. We'll just have to wait and see. Have Fon! (Yes, I was trying to make a joke.)

*************************************************************************************

(Below is a copy and paste from UselessHacks (with a few minor changes). They are the ones who created this guide and deserve full credit. I am merely distributing this guide to help people out. Oh yeah, here's another tip: disable any firewall or security suite you have installed on your computer. Some stuff won't work with it running.)

FON Router Hacking Guide

Note: This guide has been updated as of Aug 8, 2008 to reflect the new flashing procedures related to DD-WRT v24 SP1.

The following is a guide to flashing the Fonera Access Point into a mini-router (albeit with only one ethernet jack) running the excellent, open-source DD-WRT firmware. This provides many useful features, such as turning the router into a wireless repeater, or even an ethernet to wireless bridge.

Preparation

Download the latest version of the following items (I recommend saving them all into a special folder on your desktop for convenience):

  • Putty
  • HTTP File Server (HFS)
  • Tftpd32 (extract the Tftpd32 zip file to your special folder)
  • DD-WRT Fonera firmware -> Atheros WiSoc -> Fonera (download linux.bin for v24-sp1, or root.fs and vmlinux.bin.l7 for pre-RC7)
  • SSHEnable.htm
  • openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
  • out.hex

It’s important to download everything you need before you get started, because you will not have internet access throughout this tutorial. All of the programs listed are installer free, meaning that at the end of this tutorial, you just have to throw everything in the trash. No messy uninstalls, no shortcuts all over the place.
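One way the download step can go wrong (a commenter on this post reports bricking a Fonera exactly this way): a dead link saved with “Save as…” leaves a tiny HTML error page under the firmware file's name, and mtd will write it to flash without complaint. The script below is an added check, not part of the original guide: run it over the downloaded files before adding them to HFS. The size floor, the HTML test and the LZMA header rule are my own heuristics, and the checksum comparison only applies when the download source publishes one.

```python
import hashlib
import sys

MIN_SIZE = 4096  # assumption: any real image is far larger than an error page

def classify_firmware(data, name, expected_sha256=None):
    """Return (ok, reason) for the bytes `data` that were saved as `name`."""
    if expected_sha256 is not None:  # only possible when the source publishes one
        digest = hashlib.sha256(data).hexdigest()
        if digest != expected_sha256.lower():
            return False, f"sha256 {digest} does not match the published value"
    if len(data) < MIN_SIZE:
        return False, f"only {len(data)} bytes; far too small for a firmware image"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype", b"<html", b"<?xml")) or b"<html" in head:
        return False, "this is an HTML page (a dead link saved under the firmware's name?)"
    if name.lower().endswith(".lzma"):
        # LZMA-alone header: first byte is lc + lp*9 + pb*45, which is < 225
        if data[0] >= 225:
            return False, "first byte is not a valid LZMA properties byte"
    return True, "passes the basic sanity checks"

def check_files(paths):
    """Check every downloaded file; True only if all of them pass."""
    all_ok = True
    for path in paths:
        with open(path, "rb") as f:
            ok, reason = classify_firmware(f.read(), path)
        print(("OK  " if ok else "BAD ") + f"{path}: {reason}")
        all_ok = all_ok and ok
    return all_ok

if __name__ == "__main__":
    names = sys.argv[1:] or ["openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma", "out.hex", "linux.bin"]
    sys.exit(0 if check_files(names) else 1)
```

Run it from the folder you downloaded everything into; a non-zero exit status means at least one file should be downloaded again before you go any further.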

If you have already enabled SSH access on your router, please skip to Flashing the Firmware.

Connecting La Fonera

Plug the Fonera into the power, and into the LAN port on your computer.

In Windows, disable all other network connections besides the one connected to the Fonera. You’ll need to set the following settings in the LAN port's properties. Disable all firewalls, or at least make sure that ports 22, 23, and 9000 are open.

IP: 169.254.255.2
Subnet: 255.255.0.0 (the system will fill it in for you)
Default Gateway: 169.254.255.1
DNS: 169.254.255.1

Once all three LEDs are blinking (1-2 minutes), you should be able to open a browser, type 169.254.255.1 and see the Router Status. If not, wait a little while longer. If you are still not getting anything, re-check your settings.

The first time you log into the router, you will need to supply the following:

Username: root

Password: admin

If the firmware version is 0.7.1 r1 or lower, please skip to Enabling SSH.

If you have version 0.7.1 r2, you will fall into one of two categories:

1. Your router shipped with a previous firmware, and you let it update itself from FON’s servers. You will need to downgrade before continuing with this guide.

Downgrading

  • After the Fonera has been on for a couple of minutes, push the reset button on the bottom and hold it in for several seconds (30-45 secs is fine). Wait for it to finish rebooting (1-2 minutes), then check again to see what firmware version you have.
  • If it’s now at or below 0.7.1 r1, then you may move to the next step, Enabling SSH.

2. Your router shipped with 0.7.1 r2 installed. You will need to do the Kolofonium Hack, then when you come back here, you will start at Enabling RedBoot.

This works on the newest firmware:

1. Hold the reset button for 30 seconds.
2. Remove the power connector while still holding reset.
3. Replace the power connector and continue holding the reset button until “wifi” lights up and goes away again (a good 2-3 minutes of holding it).
4. Let go and wait for “wifi” to come back (2-3 minutes).

  • Supposedly, you will now be able to follow the rest of this guide without troubles. I will need to verify this, but for now, I am all out of routers. Feel free to give it a shot.

Enabling SSH

Now open the SSHEnable.htm (that you downloaded earlier), hit submit.

Enabling RedBoot

Now open HFS. The first time you open it, a prompt will ask you if you want to include HFS in your context menu. I chose “No”. Now, right click on the little house icon, and select “Add Files…”, and add openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma and out.hex.

Now, open Putty and SSH into 169.254.255.1, click “Open”:

If this is your first time SSH’ing into the router, you will be faced with the following dialog prompt. Despite how serious it sounds, never fear, just click “Yes.”

Login using:

Username: root

Password: admin

As you type in the password, nothing will appear to happen, but continue typing anyway, and then hit enter.

I’ll also share with you a huge time saver. To copy the commands from this tutorial and paste them into the SSH terminal, first highlight what you want to copy (make sure not to include any extra spaces), right-click the highlighted text and hit copy. Then right-click your SSH window. This will automatically insert whatever you highlighted where the green cursor is located.

Once logged in, execute the following command:

mv /etc/init.d/dropbear /etc/init.d/S50dropbear

This enables SSH permanently so that if you need to reset the router, you won’t need to run SSHEnable.htm again. If you have done this step before, it will return an error, and you can just continue on with the guide.

For the following, after every line, hit enter and wait for it to return to a prompt again:

cd /tmp
wget http://169.254.255.2/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
reboot

Now a prompt should pop up saying “Server unexpectedly closed network connection”; just hit “OK”. The Fonera will now be restarting and will take 1-2 minutes (all three lights will be on). If you are impatient, you can do the following:

Unplug the Fonera from the power. Open up a command prompt in Windows (Start->Run->”cmd”), and type the following line:
ping 169.254.255.1 -t
Plug the Fonera back into the power. Whenever you start to see “Reply from 169.254.255.1…”, you can move on to the following step.

Right click on title bar of Putty and hit “Restart Session.” You will now need to login again.

Username: root

Password: admin

For the following, after every line, hit enter and wait for it to return to a prompt again:

cd /tmp

wget http://169.254.255.2/out.hex
mtd -e "RedBoot config" write out.hex "RedBoot config"

reboot

Click “OK” on the unexpected connection close box.

Congratulations, you have now enabled RedBoot, which will allow us access to the bootloader. There we can flash the firmware to DD-WRT.

You can now exit the HFS program if you want.

Flashing the Firmware

Change the IP to 192.168.1.166, subnet 255.255.255.0.

You should not need to change the gateway or DNS servers, but you can if you want (e.g. if you are getting an error). They will need to be changed back in the last step if you decide to change them here.

Now open Tftpd32:

Make sure that linux.bin (Note: root.fs and vmlinux.bin.l7 for pre-RC7) is in the same folder as the Tftpd32 program (or in the folder that is listed in “Current Directory” in Tftpd32).

Now, we can use Putty again for telnetting to the Fonera, or you can use whatever other program you have available. Right-click the title bar of Putty and select “New Session.” Make sure to select the Telnet button in Putty, set the IP to 192.168.1.254, and then change the port to 9000. It's best to do it in that order, since Putty automatically changes the port number to 23 whenever you click the Telnet button.

If you are having trouble knowing when to start the Telnet connection, open up a command prompt in Windows (Start->Run->”cmd”), and type the following line:
ping 192.168.1.254 -t
Whenever you start to see “Reply from 192.168.1.254…”, then hit connect in the Telnet client.

Once you’re connected, enter the following commands. After each line, hit enter. The “fis” commands will take a long time (up to 10 minutes), but it will return to a “RedBoot>” prompt whenever it is ready to continue (refer to the second picture for how it will look). I got impatient and entered the next lines before the prompt appeared, and I ended up having to restart the whole process.

For the newer releases after RC7, there is a new flashing procedure, as follows:

ip_address -l 192.168.1.254/24 -h 192.168.1.166

fis init

Type “y”, and hit enter.

load -r -b 0x80041000 linux.bin
fis create linux

Do not reboot yet. Boot script needs to be modified.

RedBoot> fconfig   (and press ENTER)
Run script at boot: true   (press ENTER)
Boot script:
.. fis load -l vmlinux.bin.l7
.. exec
Enter script, terminate with empty line
>> fis load -l linux   (and press ENTER)
>> exec   (and press ENTER)
>>   (press ENTER on the empty line to finish the script)
Boot script timeout (1000ms resolution): 10   (and press ENTER)
Use BOOTP for network configuration: false   (press ENTER)
Gateway IP address:   (press ENTER)
Local IP address: 192.168.1.254   (and press ENTER)
Local IP address mask: 255.255.255.0   (and press ENTER)
Default server IP address:   (press ENTER)
Console baud rate: 9600   (and press ENTER)
GDB connection port: 9000   (and press ENTER)
Force console for special debug messages: false   (press ENTER)
Network debug at boot time: false   (press ENTER)
Update RedBoot non-volatile configuration - continue (y/n)? y   (and press ENTER)
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset   (and press ENTER)
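As an added illustration (not part of the original guide), this Python script drives the telnet-to-port-9000 RedBoot session above the way the author recommends: it sends each command only after the previous one has returned to the RedBoot> prompt, and it answers the y/n question that “fis init” asks. The prompt strings and the FakeRedBoot stand-in are my own assumptions and constructions for offline testing; the fconfig dialogue and “reset” are left to be done by hand.

```python
import socket
import threading

PROMPT = b"RedBoot> "
CONFIRM = b"(y/n)? "  # "fis init" asks this before returning to the prompt

# Post-RC7 sequence as the guide gives it; fconfig and "reset" stay manual.
FLASH_COMMANDS = ["ip_address -l 192.168.1.254/24 -h 192.168.1.166", "fis init",
                  "load -r -b 0x80041000 linux.bin", "fis create linux"]

def read_until(sock, markers, timeout=900.0):
    sock.settimeout(timeout)  # fis commands can take ~10 minutes: be patient
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("RedBoot closed the connection")
        buf += chunk
    return buf

def run_redboot(host, port, commands):
    """Send each command only after the previous one returned to the prompt."""
    transcript = []
    with socket.create_connection((host, port), timeout=30) as s:
        transcript.append(read_until(s, (PROMPT,)))  # banner + first prompt
        for cmd in commands:
            s.sendall(cmd.encode() + b"\n")
            out = read_until(s, (PROMPT, CONFIRM))
            if CONFIRM in out:                      # answer "y" to fis init
                s.sendall(b"y\n")
                out += read_until(s, (PROMPT,))
            transcript.append(out)
    return transcript

class FakeRedBoot(threading.Thread):
    """Constructed stand-in for the bootloader, for offline testing only."""
    def __init__(self):
        super().__init__(daemon=True)
        self.srv = socket.create_server(("127.0.0.1", 0))
        self.port, self.received = self.srv.getsockname()[1], []
    def run(self):
        conn, _ = self.srv.accept()
        lines = conn.makefile("rb")
        conn.sendall(b"RedBoot(tm) bootstrap (constructed banner)\n" + PROMPT)
        for line in lines:
            self.received.append(line.strip().decode())
            if self.received[-1] == "fis init":
                conn.sendall(b"About to initialize FLASH image system - continue " + CONFIRM)
                self.received.append(lines.readline().strip().decode())
            conn.sendall(b"... done\n" + PROMPT)

def demo():
    fake = FakeRedBoot(); fake.start()  # returns the command lines it received
    run_redboot("127.0.0.1", fake.port, FLASH_COMMANDS)
    return fake.received
```

Against the real router you would call run_redboot("192.168.1.254", 9000, FLASH_COMMANDS) once the ping replies start, then finish fconfig and reset by hand in Putty.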

Now skip to Post Flashing.

The following procedures are for RC6.2 and earlier:

ip_address -l 192.168.1.254/24 -h 192.168.1.166
fis init

Type “y”, and hit enter.

load -r -v -b 0x80041000 root.fs

Note: The line below is correct; “rootfs” is not a typo.

fis create -b 0x80041000 -f 0xA8030000 -l 0x002C0000 -e 0x00000000 rootfs

load -r -v -b 0x80041000 vmlinux.bin.l7
fis create -r 0x80041000 -e 0x80041000 -l 0x000E0000 vmlinux.bin.l7
fis create -f 0xA83D0000 -l 0x00010000 -n nvram
reset


Post Flashing

Once it finishes rebooting, you can connect to it over a wireless card at IP 192.168.1.1, or if you want to manage it over the ethernet port, you will need to change your IP address again to:

IP: 169.254.255.2
Subnet: 255.255.0.0 (the system will fill it in for you)
Default Gateway: 169.254.255.1
DNS: 169.254.255.1

Now, you can connect to the DD-WRT web interface by opening a web browser and typing 192.168.1.1. If you want the router to give you an IP address automatically over ethernet, you will need to change the mode of the router. As of right now, they are still working out some of the bugs, but I have gotten the “Client Bridge” mode to work on 3/19/07 firmware, following these instructions.

Also, you need to remember that any time you reset your router by hitting the button on the bottom (or in the firmware), you will need to manually set your IP again to the 169.254.255.2…etc. as above, in order to access it over the Ethernet port (well, until they change the firmware to where it defaults to putting the DHCP server on the ethernet port, if they ever do).

Also, watch the DD-WRT wiki for news about less buggy firmware releases, and make sure to upgrade using the fonera-firmware.bin files through the web GUI. It's much easier!

If you have reached this point and your router is not responding, wait 5 minutes and check your IP settings. If you are still not getting a response, I would recommend the following:

1. Unplug the power from the Fonera.
2. Make sure you have all the other network connections disabled.
3. Set the IP to 192.168.1.166 with the same options as above.
4. Start the pinging (ping 192.168.1.254 -t).
5. Plug in the power to the router.
6. In about 10-50 seconds, you should see a response. If you don’t, wait a little longer and double-check your IP settings.
7. If you finally see a response, start again at “Flashing the Firmware,” but unplug the power from the router first, because there is only a narrow window of time during which the RedBoot option is open.

Related links:

Original Hackers of the FON

DD-WRT Fonera Wiki

*************************************************************************************

LINKAGE:

DD-WRT

FON router hacking guide

16 comments:

  1. Thanks for getting these instructions down to the nitty gritty - they worked great! :)

    Have you gotten a chance to play with the hotspot side of things yet?

  2. Thanks, I didn't make the original guide, I just reproduced it. DD-WRT has a guide to set up Chilispot if you're interested. It looks pretty simple. http://www.dd-wrt.com/wiki/index.php/LaFonera_Software_Chilispot

    I plan on making some more guides to follow up with this article and finish it off by restoring the Fonera back to stock firmware.

  3. This command bricks the Fonera every time: "mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7"

    Your guide also has the wrong IP address coded inside the enablessh.html file.
  4. The right-click suggestion to download the OpenWrt firmware was not a very good thing.
    I did exactly that (right click... save as) without noticing that the link was actually dead. As a result, I had a tiny file with the HTML error message with the name of the OpenWrt firmware file.

    It took me a while to figure out why I never received a ping reply after rebooting the Fon router.

    As you can easily guess, the router is now bricked. Will try to see if I manage to get it unbricked with a serial upload.

    Asta la vista
    'Fonakias'

  5. Like I said before, I didn't write this guide. I am just making it available to people, since the original doesn't exist anymore. I replaced the two bad files (this is the cause of both your issues, fonbrick and Fonakias).

  6. Thank you for changing this part and thank you for keeping this guide available for us to read through.

    Most of us enjoy 'tampering', 'experimenting' and 'playing with fire'...

    It will take some time and effort to unbrick it (serial connection) but... no pain, no gain...

    Ebay has suitable "serial cables" starting at 5 US$... I ordered mine yesterday (from China) to continue the game... till it arrives, I have plenty of time to search for the next guide on the net.

    Asta la Vista
    'Fonakias'
  7. Help! Help! I have done something with my FON La Fonera 2100. I've tried to use this step by step from http://www.hak5.org/store/wifi-pineapple
    but now I cannot get in touch with it.
    What should I do?
    You are so smart and know so much about it, can you help me????

  8. Please use the Hak5 forums, http://www.hak5.org/forums/

  9. It has been a while since I have done this. I was able to do this with one Fon router. I had two and messed up the first and completed the second. I am trying to fix the first one. I have a serial connection and can get into RedBoot. I am having trouble finding the last steps now to flash DD-WRT. If anyone could post or send me a link that would be great: trevorpauljohnson@gmail.com

  10. So I was able to go through up to post flashing. My problem was that I lost the "WLAN" light after the last SSH session. I assumed it would come back on when I was done messing with all of the RedBoot stuff, but after I entered the reset command I still have no WLAN to connect to. Any ideas what I did wrong?

  11. Sorry Jake, I am not the original author of this article. The people who made it no longer have a website, so unfortunately I cannot help you.
  12. 100% working; if all things are made by wifi, the IP addresses are a little bit different.

  13. Jake, you have to connect by wire, no need for WLAN.
    In the flash procedure, the AP doesn't wake up anymore until you finish the flash.
    You need to connect wired, telnet, flash (can be about an hour long!!!), reboot (1-10 min), and log in to the web GUI, config and (should) re-enable the WLAN on the router ;) I believe :)

    s.
    poffsoft

  14. I just wanted to say this walkthrough still works. I'm a total noob and I managed to get my Fonera working thanks to this post. Thanks for keeping this up here. The most important tip is patience. This is not your standard next-next-finish procedure.

  15. Thank you for the detailed explanation. Still works perfectly.

  16. Well, this is a bit late, but thanks a ton for your incredible work. Did as the guide said and it worked like a charm. Having now a new old device worth playing with a bit.