Hacking La Fonera
Note: I apologize for not replacing this guide sooner after the “attack of the script kiddy”. If you came and wondered why it was missing, sorry to inconvenience you. And now to the original article.
—
Requisite Disclaimer: The contents of this page are for exploratory purposes only. They should be followed only if you understand what this implies, and if you are comfortable with any and all consequences of your actions should you choose to follow these guides. Violation of Fon’s Terms of Service is not something I’m promoting, and the following is only provided as research.
Please note that the parts of this guide pertinent to enabling SSH have been tested on and only work with firmware 0.7.1 rev. 1 or older (check the router’s web-based control panel to find your version). Users with firmware 0.7.1 rev. 2 or newer can follow the directions located here. If you need help with this, please let me know, as I also have experience using that mod.
Physical Specifications
Doing some poking into the specifications of the Fonera, I’ve compiled the following list of statistics and specifications:
- The device is manufactured by a company called Accton. Analysis and exploration of the Accton product line reveals that the Fonera may be a derivative of Accton’s MR3201A model.
- The device itself is comprised of:
  - 184 MHz Atheros AR531X processor
  - 16 MB RAM, 8 MB Flash ROM
  - 1x Auto-Sensing Altima AC101 Ethernet Port
  - 802.11b/g Wireless, with a Reverse SMA Antenna Jack and 2 dBi gain antenna (removable)
  - 3 LEDs (Power, Internet (Ethernet Activity), Wireless (Wireless Activity))
Virtual Specifications
The original firmware of the La Fonera is based upon OpenWRT. The default firmware provides two access points (much in the same way as the MR3201A). One, for private use, is WPA-encrypted, with the device’s serial number (printed on the bottom of the unit) serving as the key. The latest revision at the time of writing is 0.7.1.2. Fon has added routines that require an official signature in the firmware before a flash will proceed, as a way to prevent the flashing of unauthorized alternative firmwares. It also occasionally sends heartbeats to Fon to confirm that you are complying with the Terms of Service.
Required Resources
To do everything I list below, you will need the following:
- A La Fonera
- PuTTY, PumpKIN, and HFS (for Windows); users of other operating systems will need a working SSH client, telnet client, TFTP server, and HTTP web server.
- Hacked Fon Kernel (enables writing to MTD)
- Latest DD-WRT Build for Fon (older version provided in package, newer releases available here)
- HTML Pages for SSH Exploit for 0.7.0/1 series Fon firmware
- A copy of the DD-WRT Wiki page for flashing firmware (mostly for reference)
(Items shaded green above are included in the Fonera “care package” I have built, available for download here. Copies of PumpKIN and HFS are included as well.)
Preliminary Configuration
The steps you do here will be required for later, so it is best to prepare beforehand.
Extract the contents of the care package, or download everything necessary (this, this, and the DD-WRT firmware). Also, download the software mentioned and linked to above, if necessary.
Also, configure and start your HTTP and TFTP servers. The files must be in the root directory of the server (especially for TFTP) and accessible for this hack to work. If your software supports notifications of access, I suggest you turn them on. This can be a great diagnostic tool to ensure that your computer and the Fonera are talking to each other. (If you need help configuring my suggested applications, click here for help configuring HFS and here for help with PumpKIN. If you are still having problems or seem to have gotten lost along the way, e-mail me at one of the addresses on the Contact page.)
Getting SSH Access
Before we can even think about replacing the firmware, the first thing we must do is get access to the Fon. This is required because we need access to the inner workings of the device to enable the flashing of alternative firmwares.
- Using the HTML pages included (or make them yourself using the directions here), enable the SSH server by clicking the Submit button on both pages in the correct order. This will have to be done wirelessly as the wired connection is configured as a WAN port at the moment.
- If you notice anything along the lines of an ‘Invalid Option’ message appearing, attempt to reset the Fonera to fall back to the older firmware. If resetting does not help, Fon may have patched the flaw. If this is the case, you must either find a new one, or stop, as the rest of this document is useless to you.
- Using Putty (or the equivalent), SSH into the Fonera, and issue the following commands to apply a hacked kernel (for writing to RedBoot):
cd /tmp
wget http://your_server_here/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
reboot
The commands above will change to a temporary directory, download a hacked kernel from your computer via HTTP, and then write that kernel into the vmlinux.bin.l7 partition in place of Fon’s official one. After this is completed, the Fonera will reboot to load the new kernel. If it works correctly, you should see the lights on the Fonera go out and lose your wireless connection as the device restarts.
- When the Fonera reboots, reconnect to the network, then issue the following commands to overwrite the RedBoot (bootloader) configuration and prevent the Fon locked-in firmware from booting.
cd /tmp
wget http://your_server_here/out.hex
mtd -e "RedBoot config" write out.hex "RedBoot config"
reboot
You will again notice that the lights on the Fonera go out. You will also notice that they never come back on, and that you are no longer able to connect to it wirelessly.
- At this point, you probably are freaking out that you bricked it; it looks like it, eh? If it looks like a dead fish, that’s good. Continue. If your Fonera reboots and somehow magically reincarnates itself, go repeat this section because you obviously screwed up somewhere. Also, repeat the section if you encounter any errors, just as a way to be sure something stupid didn’t happen the first time.
Loading New Firmware
- Now that your Fonera is prepped, unplug the power and do one of these two things:
  - Using a crossover cable, connect the Fonera to the back of your computer. Configure your computer for a static IP address in the 192.168.1.* subnet. (This method has failed to work for me, but it is mentioned as a valid method in several guides. Use at your own risk.)
  - Connect your computer to a hub/switch/router (router preferred), and make sure you know the IP, especially if the computer is configured to set up network connections using DHCP. Then connect the Fonera to the same networking device. (This method is what I use, and has worked every time. Just make sure you know what your computer’s IP address is, and make sure you are aware if it changes at all during the course of this section of the guide.)
- If you have not yet started your TFTP server, start it. (Windows users, this is what PumpKIN is for.)
- Reconnect the power supply for your Fonera. Then, telnet into the Fonera (IP 192.168.1.254, port 9000). (If you’re using Windows, PuTTY is preferable, as the Windows telnet client is unreliable and has been known in my experience – as well as others’ – to not work completely or as desired.) Initiate the connection just after the Internet (Ethernet) light on the Fonera lights up, as this is when RedBoot starts looking for activity. If you fail to connect on the first try, power-cycle the router (using the power cord) and try again. It may take a few attempts for you to get the hang of it.
- When RedBoot offers a prompt for you to enter commands, enter the following line and press Enter.
ip_address -l 192.168.1.254/24 -h [TFTP server address]
What this does is tell the Fonera that it should retain the 192.168.1.254 IP (if it changes during transfer, you may not be able to fix it, so this is a good thing), and that the computer you specify after ‘-h’ is hosting the files it will need to download using the TFTP protocol.
- Run these commands at the RedBoot prompt as well. Note that some will respond quickly, while others will take up to 10-15 minutes to complete, with absolutely no indication of status that they are doing anything.
fis init
The router will probably ask for confirmation that you know what you are doing. Answer yes.
load -r -v -b 0x80041000 root.fs
fis create -b 0x80041000 -f 0xA8030000 -l 0x002C0000 -e 0x00000000 rootfs
load -r -v -b 0x80041000 vmlinux.bin.l7
fis create -r 0x80041000 -e 0x80041000 -l 0x000E0000 vmlinux.bin.l7
fis create -f 0xA83D0000 -l 0x00010000 -n nvram
These commands will download and write various parts of the new firmware (including the file system and the DD-WRT Linux kernel) to your Fonera’s flash, and create a storage space where your settings can be stored.
reset
The router will then reboot using your new DD-WRT firmware. It may take several minutes to boot up, but once it is complete, it will begin broadcasting a ‘dd-wrt’ SSID by default.
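As an added sanity check (example code, not part of the original guide), the script below models the flash layout that the `fis create` commands above produce and confirms that nothing overlaps or falls outside the 8 MB flash. It assumes the flash is memory-mapped at 0xA8000000 (so the 0xA80xxxxx addresses in the commands are flash offsets plus that base) and that RedBoot, given no `-f` for vmlinux.bin.l7, places the kernel in the free gap left between rootfs and nvram; both are assumptions, not something the guide states.

```python
# Added example: check the RedBoot FIS partition plan from the guide before
# typing it at the RedBoot prompt. All lengths and -f addresses are the ones
# used in the guide's `fis create` commands.
# Assumption: the 8 MB flash is mapped at FLASH_BASE; RedBoot itself lives
# below the first partition (0xA8000000 up to 0xA8030000).

FLASH_BASE = 0xA8000000                 # assumed map address of the flash
FLASH_SIZE = 8 * 1024 * 1024            # 8 MB flash, per the spec list above
FLASH_END = FLASH_BASE + FLASH_SIZE

ROOTFS_START, ROOTFS_LEN = 0xA8030000, 0x002C0000   # fis create ... rootfs
VMLINUX_LEN = 0x000E0000                            # fis create ... vmlinux.bin.l7
NVRAM_START, NVRAM_LEN = 0xA83D0000, 0x00010000     # fis create ... nvram


def check_in_flash(start, length):
    """True if [start, start+length) lies wholly inside the mapped flash."""
    return FLASH_BASE <= start and start + length <= FLASH_END


def overlaps(a_start, a_len, b_start, b_len):
    """True if the two half-open regions share at least one byte."""
    return a_start < b_start + b_len and b_start < a_start + a_len


def plan_layout():
    """Partition map the guide's commands create, as (name, start, length).
    vmlinux.bin.l7 has no -f, so it is modelled as starting where rootfs
    ends (assumed RedBoot behaviour: first free gap that is large enough)."""
    vmlinux_start = ROOTFS_START + ROOTFS_LEN
    return [
        ("rootfs", ROOTFS_START, ROOTFS_LEN),
        ("vmlinux.bin.l7", vmlinux_start, VMLINUX_LEN),
        ("nvram", NVRAM_START, NVRAM_LEN),
    ]


def validate(parts):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = [f"{n} extends outside flash" for n, s, l in parts
                if not check_in_flash(s, l)]
    for i, (n1, s1, l1) in enumerate(parts):
        for n2, s2, l2 in parts[i + 1:]:
            if overlaps(s1, l1, s2, l2):
                problems.append(f"{n1} overlaps {n2}")
    return problems


def gap_between_rootfs_and_nvram():
    """Bytes left free after rootfs; the kernel must fit here."""
    return NVRAM_START - (ROOTFS_START + ROOTFS_LEN)


if __name__ == "__main__":
    for name, start, length in plan_layout():
        print(f"{name:15} 0x{start:08X}-0x{start + length:08X}")
    print("problems:", validate(plan_layout()) or "none")
    print("free gap after rootfs: 0x%X" % gap_between_rootfs_and_nvram())
```

Run as-is, it reports no problems and a free gap of 0xE0000 bytes, which is exactly the kernel length the guide uses, so the three `fis create` commands tile the region between RedBoot and the nvram slot with no slack.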
Configuring DD-WRT
So far, you’ve removed Fon’s restrictive firmware and replaced it with the more-open DD-WRT alternative. Now, all you need to do is configure your router and you’re ready to play!
- Again, whip out your wireless-equipped computer or PDA and connect to the ‘dd-wrt’ network broadcast by the Fonera. It should be unencrypted.
- Using your web browser, connect to 192.168.1.1. The Fonera should provide you with a status page complete with basic running information like IP, uptime, etc. If it does, great. If not, are you sure you’re on the right network?
- Using the tabs at the top, change the settings to your liking. The default administration username/password combo is ‘root’/‘admin’ (without the quotes), and this also applies to SSH and telnet access. Remember that if you change things like the Fonera’s IP address, you will have to navigate to the new IP after changing it. Also note that the Fonera has a habit of rebooting to apply its settings. You may have to wait several minutes for the settings to be applied, then reconnect to the network once it comes back up.
- You’ve probably noticed that you can’t access the configuration panel via the wired port on the Fonera. This will always be the case, unless one of two circumstances arises:
  - You have the Fonera configured as a WDS Client or just a plain client. In this case, the roles of the wired and wireless connectivity are reversed, meaning that the wireless is supposed to be the WAN port instead of the Ethernet connection.
  - You have the Fonera configured with WAN off, and set up as an access point. In this case, the administration panel will be accessible through both the wired and wireless connections.
Mimicking the Heartbeat
If you have successfully managed to get through everything here, congratulations. Enjoy the DD-WRT firmware. However, contrary to what one may think, there is still a problem: since you reflashed the Fonera, it won’t be sending a heartbeat back to Fon anytime soon. So, to take care of that, follow the steps here.
Contact and Conclusion
This article is just the first of what I hope to be many hacks and modifications to the La Fonera. Consider it to be the prerequisite, as most of the other hacks will require the alternative firmware to work properly.
As far as contacting me goes, you can use the Contact page to find me and get in touch. In addition, myself and a few colleagues have established an IRC channel at irc.techcentric.org #fonners to discuss these hacks, new hacks or ideas, and help others solve problems.
But for now, enjoy your nice new toy.