Fon

The Fonera is an Atheros AR2315-based device that ties wireless/ethernet/memory controllers and a MIPS processor into a single chip package. Fon originally gave away a number of Foneras to get the network started, and now sells them for about $40 each. Fon's goal is to get users to give away their wireless internet access to other Fon users in exchange for the ability to use any Fon access point themselves. As most ISPs prohibit sharing residential internet access in the EULA, the legality of this is questionable, but Fon has worked with service providers to create an exception, most notably the PR-heavy Time Warner agreement. Fon's profit model is still a matter of speculation.

Versions

0.7.1-1: Vulnerable to a number of web interface injection attacks.

0.7.1-2: Above vulnerabilities patched, but new attacks have been found centering around RADIUS.

It's recommended not to connect a new Fonera to the internet out of the box, as it will attempt to download updated firmware. It is reported that holding the reset button on the bottom of the device for a long period, power cycling, and continuing to hold the reset button for another long period will cause an earlier version of the flash to be loaded. No word on what this does to a Fonera with a replaced firmware.

Models

Model         Shipped Version  Power Supply  Logo Color  Notes
FON2100A/B/C  0.7.1 r1         5V/2A         Yellow      Still got one as of 2007-07
FON2200       0.7.1 r2         7.5V/1A       Orange      Got one 2007-07

Hacking a 0.70 Fonera

Short 0.7.1 r1 Hacking

From here but shortened.

0.7.1 r2

Note that the box will upgrade, currently to 0.7.1 r3, which is okay.

Unbricking

If your Fonera stops responding after an update, fear not! It can be recovered.

These directions were taken from http://www.mcgrewsecurity.com/blog/?cat=1.

RedBoot listens on port 9000 of 192.168.1.254 for about ten seconds upon boot before it moves on. You have ten seconds to send Ctrl-C on this port to stop it and allow you to interact with RedBoot. It's easiest to just use this script, redboot.pl, to connect to RedBoot. Leave it running on the computer you're configuring this from, plug in the router, and it'll connect up for you and leave you at a RedBoot prompt.

1. Give your computer an IP address on the same subnet

$ sudo ifconfig eth0 192.168.1.2

2. Press and hold the reset button for 15 seconds, then unplug it and plug it back in. I don't know if this is all really needed, but it worked for me.

3. Connect the ethernet cable

4. Run the redboot.pl script:

$ ./redboot.pl 192.168.1.254

5. You should now have a redboot prompt, and can reset the flash and install new firmware.

RedBoot>
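
The connect-and-interrupt step described above, written out in Python as an added example (this is not the redboot.pl script from the linked blog). It assumes RedBoot treats a raw 0x03 byte on the connection as Ctrl-C; the function names are made up for this illustration.

```python
import socket
import sys
import time

CTRL_C = b"\x03"          # the byte a terminal sends for Ctrl-C (assumed accepted raw)
PROMPT = b"RedBoot>"

def interrupt_boot(sock, timeout=5.0):
    """Send Ctrl-C, then read until the RedBoot prompt appears; True on success."""
    buf, deadline = b"", time.monotonic() + timeout
    try:
        sock.sendall(CTRL_C)
        while PROMPT not in buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return False
            sock.settimeout(remaining)
            chunk = sock.recv(4096)
            if not chunk:             # peer closed: the boot script already ran
                return False
            buf += chunk
    except OSError:                   # timed out, reset, or broken pipe
        return False
    return True

def catch_redboot(host="192.168.1.254", port=9000, give_up_after=120.0):
    """Retry until the boot window opens; return a socket sitting at the prompt."""
    deadline = time.monotonic() + give_up_after
    while time.monotonic() < deadline:
        try:
            sock = socket.create_connection((host, port), timeout=1.0)
        except OSError:               # router still powering up, or window missed
            time.sleep(0.25)
            continue
        if interrupt_boot(sock):
            sock.settimeout(None)     # hand back a blocking socket
            return sock
        sock.close()
    return None

if __name__ == "__main__":
    # Start this first, then plug in the router (as with redboot.pl above).
    s = catch_redboot(*sys.argv[1:2])
    if s is None:
        sys.exit("no RedBoot prompt seen; power-cycle the router and try again")
    print("RedBoot prompt reached; boot script interrupted")
```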

Resetting

Recovering from a lost root password in dd-wrt (and presumably unknown network configuration) appears possible by pushing the reset button on the bottom for a couple of seconds and waiting for a reboot. You can then reconnect to 192.168.1.1 on the ethernet interface and log in as root/admin.

OpenWRT

  1. Get RedBoot access. Directions can be found above and in the dd-wrt/openwrt wikis, as well as in many blogs.
  2. redboot> ip_address -l 192.168.1.254/24 -h 192.168.1.5

     Change the last address to the IP address of your machine; the first address will be the address of the Fon.

  3. Configure an HTTP server (or a TFTP server; in that case leave out  -m HTTP  in the following examples) and download the following two files from http://downloads.openwrt.org/kamikaze/7.06/atheros-2.6/

    • openwrt-atheros-2.6-root.jffs2-64k
    • openwrt-atheros-2.6-vmlinux.lzma
  4. redboot> fis init

  5. redboot> load -r -v -b 0x80040450 /openwrt-atheros-2.6-root.jffs2-64k -m HTTP

  6. redboot> fis create -b 0x80040450 -f 0xA8030000 -l 0x00700000 -e 0x00000000 rootfs

  7. redboot> load -r -v -b %{FREEMEMLO} /openwrt-atheros-2.6-vmlinux.lzma -m HTTP

  8. redboot> fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7

  9. redboot> fis load -l vmlinux.bin.l7

  10. redboot> exec

Note that the fis create commands can take quite some time, and after running exec it takes a couple of minutes before OpenWRT shows up on 192.168.1.1. You can then telnet in, where you'll find a base system awaiting configuration with ipkg.

Flash Image System [FIS]

The available flash is partitioned using the 'fis' command in redboot.

Original Configuration (From OpenWrt Wiki):

RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x000B0000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

Here is an example of a partitioned flash on a Fonera with DD-WRT v24 Beta:

RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x002C0000  0x00000000
vmlinux.bin.l7    0xA82F0000  0x80041000  0x000E0000  0x80041000
nvram             0xA83D0000  0xA83D0000  0x00010000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
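
A small Python checker for 'fis list' output, added here as an example and not part of RedBoot, OpenWrt or DD-WRT. It parses the two listings above, reports unallocated flash, and lists which entries a planned write region (here the one from step 6 of the OpenWRT procedure) would overlap; the function names are hypothetical.

```python
import re
from collections import namedtuple

Part = namedtuple("Part", "name flash mem length entry")
HEX = r"(0x[0-9A-Fa-f]+)"
ROW = re.compile(rf"^(.+?)\s+{HEX}\s+{HEX}\s+{HEX}\s+{HEX}$")

def parse_fis_list(text):
    """Parse 'fis list' rows; names may contain spaces (e.g. 'FIS directory')."""
    parts = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and prompt lines have no hex columns and are skipped
            parts.append(Part(m.group(1), *(int(v, 16) for v in m.groups()[1:])))
    return sorted(parts, key=lambda p: p.flash)

def find_gaps(parts):
    """(start, length) of unallocated flash between adjacent entries."""
    ends = [(a.flash + a.length, b.flash) for a, b in zip(parts, parts[1:])]
    return [(end, nxt - end) for end, nxt in ends if nxt > end]

def clobbered(parts, start, length):
    """Names of entries that a planned region [start, start+length) overlaps."""
    end = start + length
    return [p.name for p in parts if p.flash < end and start < p.flash + p.length]

# The two listings from this page, copied verbatim.
ORIGINAL = """\
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x000B0000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000"""
DDWRT = """\
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x002C0000  0x00000000
vmlinux.bin.l7    0xA82F0000  0x80041000  0x000E0000  0x80041000
nvram             0xA83D0000  0xA83D0000  0x00010000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("dd-wrt", DDWRT)):
        parts = parse_fis_list(text)
        print(label, "free:", [(hex(s), hex(n)) for s, n in find_gaps(parts)])
        # Region written by step 6 of the OpenWRT procedure on this page.
        print(label, "overlap:", clobbered(parts, 0xA8030000, 0x00700000))
```

A planned region that reports RedBoot, FIS directory or RedBoot config in its overlap list is worth re-checking before the corresponding fis create is typed.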

LaFonera (last edited 2012-04-10 19:01:09 by stgt-5f70abf6)