Fon
The Fonera is an Atheros AR2315 based device that ties the wireless, ethernet and memory controllers and a MIPS processor into a single chip package. Fon originally gave away a number of Foneras to get the network started; it now sells them for about $40 each. Fon's goal is to get users to give away their wireless internet access to other Fon users in exchange for the ability to use any Fon access point themselves. As most ISPs prohibit sharing residential internet access in the EULA, the legality of this is questionable, but Fon has worked with service providers to create an exception, most notably the PR-heavy Time Warner agreement. Fon's profit model is still a matter of speculation.
Versions
- 0.7.1-1: Vulnerable to a number of web interface injection attacks.
- 0.7.1-2: The above vulnerabilities are patched, but new attacks have been found centering on RADIUS.
It is recommended not to connect a new Fonera to the internet out of the box, as it will attempt to download updated firmware. It is reported that holding the reset button on the bottom of the device for a long period, power cycling, and continuing to hold the reset button for another long period will cause an earlier version of the flash to be loaded. No word on what this does to a Fonera with a replaced firmware.
Models
Model | Shipped Version | Power Supply | Logo Color | Notes
FON2100A/B/C | 0.7.1 r1 | 5V/2A | Yellow | Still got one as of 2007-07
FON2200 | 0.7.1 r2 | 7.5V/1A | Orange | Got one 2007-07
Hacking a 0.70 Fonera
- Get grammofon.pl from http://stefans.datenbruch.de/lafonera/scripts/grammofon.pl
- Configure a PC's ethernet interface with IP 169.254.255.2 and connect the Fonera to that port. The Fonera should time out and take the IP 169.254.255.1
- Run the following:
echo -n '/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT' | perl grammofon.pl 169.254.255.1 admin
echo -n '/etc/init.d/dropbear' | perl grammofon.pl 169.254.255.1 admin
- SSH to the Fonera as root, with password admin
- Disable the execution of Fon's update scripts by commenting out the last line of /bin/thinclient:
#. /tmp/.thinclient.sh
- Open up SSH by uncommenting the following lines in /etc/firewall.user:
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
These rules expose the SSH service on the WAN side, so change the root password from the default (passwd) before reloading the firewall.
- Reload the firewall config:
/etc/firewall.user
- If necessary, add a different IP to the Fonera so it can access the Internet
ifconfig eth0:2 192.168.0.230
route add default gw 192.168.0.1
- Start downloading packages, like the Freifunk Fonera Pack from http://olsrexperiment.de/sven-ola/fonera/:
ipkg install http://olsrexperiment.de/sven-ola/fonera/ff-fonera-pack_0.3-4_mips.ipk
More packages, like Kismet, are available from http://ipkg.k1k2.de/index.php?dir=packages%2F
Short 0.7.1 r1 Hacking
Taken from here, but shortened.
- Download vmlinux.bin.l7 and root.fs from the dd-wrt beta to a local tftp server
- Download the hacked kernel to your local webserver
- Download the redboot hack to your local webserver
- Download and run sshenable
- Set your IP to 169.254.255.2, log in to http://169.254.255.1 as root / admin
- ssh in as root
- mv /etc/init.d/dropbear /etc/init.d/S50dropbear
- cd /tmp
- wget http://169.254.255.2/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma (fetches the hacked kernel onto the Fonera)
- mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
- reboot
- ssh in as root
- cd /tmp
- reboot
- Set your IP to 192.168.1.2
- telnet to 192.168.1.254 9000
- ip_address -l 192.168.1.254/24 -h 192.168.1.2
- fis init
- load -r -v -b 0x80041000 root.fs
- fis create -b 0x80041000 -f 0xA8030000 -l 0x002C0000 -e 0x00000000 rootfs
- load -r -v -b 0x80041000 vmlinux.bin.l7
- fis create -r 0x80041000 -e 0x80041000 -l 0x000E0000 vmlinux.bin.l7
- fis create -f 0xA83D0000 -l 0x00010000 -n nvram
- reset
- you'll find dd-wrt now on 192.168.1.1
0.7.1 r2
- Download vmlinux.bin.l7 and root.fs from the dd-wrt beta to a local tftp server
- Download the hacked kernel to your local webserver
- Download the redboot hack to your local webserver
- Login root / admin (169.254.255.1 via ethernet)
- Set valid static ip / gateway for your network, set dns to 88.198.165.155
- Connect to your switch and reboot
- Connect to wireless, SSID: MyPlace, WPA key: the SN from the bottom of the box
- SSH to 192.168.10.1 as root / admin
- mv /etc/init.d/dropbear /etc/init.d/S50dropbear
- cd /tmp
- wget http://192.168.10.x/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma (fetches the hacked kernel onto the Fonera; 192.168.10.x is your webserver)
- mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
- reboot
- (Stay on wireless)
- SSH to 192.168.10.1 as root / admin
- cd /tmp
- reboot
- connect directly to the ethernet
- Set your IP to 192.168.1.2
- telnet to 192.168.1.254 9000
- ip_address -l 192.168.1.254/24 -h 192.168.1.2
- fis init
- load -r -v -b 0x80041000 root.fs (note that I had some issues with tftp hanging on 2007-07-12 and used 2007-07-04)
- fis create -b 0x80041000 -f 0xA8030000 -l 0x002C0000 -e 0x00000000 rootfs
- load -r -v -b 0x80041000 vmlinux.bin.l7
- fis create -r 0x80041000 -e 0x80041000 -l 0x000E0000 vmlinux.bin.l7
- fis create -f 0xA83D0000 -l 0x00010000 -n nvram
- reset
- you'll find dd-wrt now on 192.168.1.1
Note that the box will upgrade, currently to 0.7.1 r3, which is okay.
Unbricking
If your Fonera stops responding after an update, fear not! It can be recovered.
These directions were taken from http://www.mcgrewsecurity.com/blog/?cat=1.
Redboot listens on port 9000 of 192.168.1.254 for about ten seconds upon boot before it moves on. You have ten seconds to send Ctrl-C on this port to stop it and allow you to interact with RedBoot. It’s easiest to just use this script, redboot.pl, to connect to RedBoot. Leave it running on the computer you’re configuring this from, plug in the router, and it’ll connect up for you and leave you at a RedBoot prompt.
1. Give your computer an IP address on the same subnet
$ sudo ifconfig eth0 192.168.1.2
2. Press and hold the reset button for 15 seconds, then unplug it and plug it back in. I don't know if this is all really needed, but it worked for me.
3. Connect the ethernet cable
4. Run the redboot.pl script:
$ ./redboot.pl 192.168.1.254
5. You should now have a redboot prompt, and can reset the flash and install new firmware.
RedBoot>
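The redboot.pl script referred to above is not reproduced on this page. The following is an added example, written for this page and not taken from that script or from the blog it cites, that does the same job in Python: it retries the TCP connect to port 9000 until the router is powered on and RedBoot is listening, sends Ctrl-C until the "RedBoot>" prompt appears, and then relays the terminal to the bootloader. The fake bootloader, its banner text and the ten-second window are constructed here so the prompt-catching logic can be exercised offline with --demo; the host and port default to the values the text gives.

```python
# Added example (not the redboot.pl script the text links to, and not from
# the blog it cites): catch RedBoot's ~10 second window on TCP port 9000,
# stop the boot with Ctrl-C, and hand the prompt to the operator.
import select
import socket
import sys
import threading
import time

PROMPT = b"RedBoot>"
CTRL_C = b"\x03"


def wait_for_prompt(sock, window=10.0):
    """Keep sending Ctrl-C until the RedBoot prompt shows up.
    Returns everything received (banner + prompt), or None if the
    connection closed or the window expired first."""
    sock.settimeout(0.5)
    deadline, buf = time.monotonic() + window, b""
    while time.monotonic() < deadline:
        sock.sendall(CTRL_C)
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            continue
        if not chunk:  # peer closed: RedBoot went on to boot the kernel
            return None
        buf += chunk
        if PROMPT in buf:
            return buf
    return None


def grab_redboot(host="192.168.1.254", port=9000, tries=600, delay=0.25):
    """Retry the connect until the router is on and RedBoot listens, then
    stop the boot. Returns (socket, banner) with the socket at the prompt."""
    for _ in range(tries):
        try:
            sock = socket.create_connection((host, port), timeout=1.0)
        except OSError:
            time.sleep(delay)  # port closed: box is off, or RedBoot already moved on
            continue
        banner = wait_for_prompt(sock)
        if banner is not None:
            return sock, banner
        sock.close()
    raise RuntimeError(f"no RedBoot prompt from {host}:{port}")


def fake_redboot(conn):
    """Constructed stand-in for the bootloader (offline demo only): print a
    banner, wait up to 10 s for ^C, then either show the prompt or boot."""
    conn.sendall(b"== Executing boot script in 10.000 seconds - enter ^C to abort\r\n")
    conn.settimeout(10.0)
    try:
        got = conn.recv(16)
    except socket.timeout:
        got = b""
    conn.sendall(b"^C\r\nRedBoot> " if CTRL_C in got else b"booting...\r\n")
    try:
        while conn.recv(1024):  # linger until the client hangs up
            pass
    except OSError:
        pass
    conn.close()


def demo():
    """Run the client logic against the fake bootloader over a socketpair;
    returns the bytes received, ending in the prompt if it was reached."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_redboot, args=(server,), daemon=True)
    t.start()
    banner = wait_for_prompt(client)
    client.close()
    t.join(5)
    return banner


def shell(sock):
    """Relay the terminal to RedBoot until the operator hits Ctrl-D."""
    sock.settimeout(None)
    while True:
        ready, _, _ = select.select([sock, sys.stdin], [], [])
        if sock in ready:
            data = sock.recv(4096)
            if not data:
                return
            sys.stdout.write(data.decode("ascii", "replace"))
            sys.stdout.flush()
        if sys.stdin in ready:
            line = sys.stdin.readline()
            if not line:
                return
            sock.sendall(line.rstrip("\n").encode() + b"\r\n")


if __name__ == "__main__":
    if sys.argv[1:2] == ["--demo"]:
        print(demo().decode())
    else:
        sock, banner = grab_redboot(*sys.argv[1:2])
        sys.stdout.write(banner.decode("ascii", "replace"))
        shell(sock)
```

Run it as `python3 redboot_grab.py 192.168.1.254` before plugging the router in, exactly as the text describes for redboot.pl; the connect loop keeps retrying while the port is closed, and the short receive timeout lets it resend Ctrl-C several times inside the window rather than hoping a single keystroke lands.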
Resetting
Recovering from a lost root password in dd-wrt (and presumably an unknown network configuration) appears possible by pushing the reset button on the bottom for a couple of seconds and waiting for a reboot. You can then reconnect to 192.168.1.1 on the ethernet interface and log in as root/admin.
OpenWRT
- Get redboot access. Directions can be found above and in the dd-wrt/openwrt wikis as well as blogs abound.
- ip_address -l 192.168.1.254/24 -h 192.168.1.5
Change the last address to the IP address of your machine; the first address will be the address of the Fonera.
- Configure an HTTP server (or a tftp server, in which case omit -m HTTP in the following examples) and download the following two files from http://downloads.openwrt.org/kamikaze/7.06/atheros-2.6/:
- openwrt-atheros-2.6-root.jffs2-64k
- openwrt-atheros-2.6-vmlinux.lzma
redboot> fis init
redboot> load -r -v -b 0x80040450 /openwrt-atheros-2.6-root.jffs2-64k -m HTTP
redboot> fis create -b 0x80040450 -f 0xA8030000 -l 0x00700000 -e 0x00000000 rootfs
redboot> load -r -v -b %{FREEMEMLO} /openwrt-atheros-2.6-vmlinux.lzma -m HTTP
redboot> fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
redboot> fis load -l vmlinux.bin.l7
redboot> exec
Note that the fis create commands can take quite some time, and after running exec it takes a couple of minutes before OpenWRT shows up on 192.168.1.1. You can telnet in and you'll find a base system awaiting configuration with ipkg.
Flash Image System [FIS]
The available flash is partitioned using the 'fis' command in redboot.
Original Configuration (From OpenWrt Wiki):
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x000B0000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
Here is an example of a partitioned flash on a Fonera with DD-WRT v24 Beta:
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x002C0000  0x00000000
vmlinux.bin.l7    0xA82F0000  0x80041000  0x000E0000  0x80041000
nvram             0xA83D0000  0xA83D0000  0x00010000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
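The fis create sequences in the dd-wrt and OpenWRT sections above are the step where a wrong -f or -l turns a flash into a brick: an image that lands on RedBoot, on the FIS directory, or past the end of flash is what the Unbricking section exists for. The following is an added example, written for this page and not taken from RedBoot, the OpenWrt wiki or the page's own scripts, that parses the two fis list outputs shown above and simulates a sequence of fis create lines the way RedBoot lays them out (an image without -f goes into the first free gap; a length is rounded up to whole erase blocks), then reports overlaps, misalignment and images that do not fit. The 8 MB flash size, the 64 KB erase block and the 0x9F000 kernel size used for the OpenWRT run are assumptions; the addresses and commands are the ones on the page.

```python
# Added example (not from the page, the OpenWrt wiki or RedBoot itself):
# sanity-check a Fonera FIS layout before re-partitioning, so a wrong -f/-l
# cannot land an image on top of RedBoot or the FIS directory.
import re

FLASH_BASE = 0xA8000000   # flash is memory-mapped here (per the page's fis list)
FLASH_SIZE = 0x00800000   # 8 MB; assumption, consistent with the FIS directory at 0xA87E0000
BLOCK = 0x10000           # 64 KB erase block; assumption (the rootfs is the -64k jffs2 build)
PROTECTED = ("RedBoot", "FIS directory", "RedBoot config")  # these survive 'fis init'

# The two 'fis list' outputs shown on the page, one partition per line.
FON_FIS_LIST = """\
RedBoot         0xA8000000 0xA8000000 0x00030000 0x00000000
rootfs          0xA8030000 0xA8030000 0x00700000 0x00000000
vmlinux.bin.l7  0xA8730000 0x80041000 0x000B0000 0x80041000
FIS directory   0xA87E0000 0xA87E0000 0x0000F000 0x00000000
RedBoot config  0xA87EF000 0xA87EF000 0x00001000 0x00000000"""
DDWRT_FIS_LIST = """\
RedBoot         0xA8000000 0xA8000000 0x00030000 0x00000000
rootfs          0xA8030000 0xA8030000 0x002C0000 0x00000000
vmlinux.bin.l7  0xA82F0000 0x80041000 0x000E0000 0x80041000
nvram           0xA83D0000 0xA83D0000 0x00010000 0x80041000
FIS directory   0xA87E0000 0xA87E0000 0x0000F000 0x00000000
RedBoot config  0xA87EF000 0xA87EF000 0x00001000 0x00000000"""

# The fis create lines from the page: the dd-wrt sequence and the OpenWRT 7.06 sequence.
DDWRT_CMDS = ["fis create -b 0x80041000 -f 0xA8030000 -l 0x002C0000 -e 0x00000000 rootfs",
              "fis create -r 0x80041000 -e 0x80041000 -l 0x000E0000 vmlinux.bin.l7",
              "fis create -f 0xA83D0000 -l 0x00010000 -n nvram"]
OPENWRT_CMDS = ["fis create -b 0x80040450 -f 0xA8030000 -l 0x00700000 -e 0x00000000 rootfs",
                "fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7"]

ROW = re.compile(r"^(.+?)\s+0x([0-9A-Fa-f]{8})\s+0x[0-9A-Fa-f]{8}\s+0x([0-9A-Fa-f]{8})\s+0x[0-9A-Fa-f]{8}$")


def parse_fis_list(text):
    """[(name, flash_addr, length)] from 'fis list' output; other lines are skipped."""
    rows = [ROW.match(line.strip()) for line in text.splitlines()]
    return [(m.group(1), int(m.group(2), 16), int(m.group(3), 16)) for m in rows if m]


def check_layout(layout):
    """Return a list of problems; an empty list means the layout is sane."""
    problems, end = [], FLASH_BASE + FLASH_SIZE
    for name, addr, length in layout:
        if addr < FLASH_BASE or addr + length > end:
            problems.append(f"{name}: outside flash ({addr:#x}+{length:#x})")
        # the directory and config deliberately share one erase block; all else must align
        if name not in PROTECTED[1:] and (addr % BLOCK or length % BLOCK):
            problems.append(f"{name}: not aligned to {BLOCK:#x}")
    by_addr = sorted(layout, key=lambda p: p[1])
    for (n1, a1, l1), (n2, a2, _) in zip(by_addr, by_addr[1:]):
        if a1 + l1 > a2:
            problems.append(f"{n1} overlaps {n2} ({a1 + l1:#x} > {a2:#x})")
    return problems


def first_free(layout, length):
    """First-fit search for a free gap, as RedBoot does when -f is omitted."""
    cursor = FLASH_BASE
    for _, addr, plen in sorted(layout, key=lambda p: p[1]):
        if addr - cursor >= length:
            return cursor
        cursor = max(cursor, addr + plen)
    return cursor if FLASH_BASE + FLASH_SIZE - cursor >= length else None


def plan(commands, image_len):
    """Simulate 'fis init' followed by the given 'fis create' lines.
    image_len stands in for the size of the last 'load'ed file, which is
    what RedBoot uses when -l is omitted. Returns (layout, problems)."""
    layout = [p for p in parse_fis_list(FON_FIS_LIST) if p[0] in PROTECTED]
    problems = []
    for cmd in commands:
        tok = cmd.split()
        if tok[:2] != ["fis", "create"]:
            raise ValueError("not a fis create line: " + cmd)
        name, flash, length = tok[-1], None, image_len
        for i, t in enumerate(tok):
            if t == "-f":
                flash = int(tok[i + 1], 16)
            elif t == "-l":
                length = int(tok[i + 1], 16)
        length = -(-length // BLOCK) * BLOCK  # RedBoot rounds up to whole erase blocks
        if flash is None:
            flash = first_free(layout, length)
        if flash is None:
            problems.append(f"{name}: no free region of {length:#x} bytes, would not fit")
            continue
        layout.append((name, flash, length))
    return layout, problems + check_layout(layout)


if __name__ == "__main__":
    for label, cmds in (("dd-wrt", DDWRT_CMDS), ("openwrt", OPENWRT_CMDS)):
        layout, problems = plan(cmds, image_len=0x9F000)  # 0x9F000: constructed kernel size
        print(label, "OK" if not problems else problems)
        for name, addr, length in sorted(layout, key=lambda p: p[1]):
            print(f"  {name:<15} {addr:#010x} {length:#010x}")
```

Replaying the dd-wrt commands reproduces the second fis list above exactly, including vmlinux.bin.l7 landing at 0xA82F0000 without an explicit -f; with the OpenWRT commands the kernel is placed at 0xA8730000 with 0xB0000 bytes of room before the FIS directory, which is why a rootfs longer than 0x00700000 is the one number in that sequence you do not want to get wrong.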