GeekEvening 0x0f
Fonera Hack!
How to make a Fonera your preferred hackin’ toy?

Andrea Chiffi aka “much0”
That’s all folks!

Thank you for your attention.

Questions?

Ok, now I’m going to drink some rum... ;-)
References I

  ◮   FON official site
  ◮   Autopsy of a fonera
  ◮   Paolo Gatti’s italian blog
  ◮   Kolofonium hack
  ◮  ...
References II

  ◮   Using Openwrt on La Fonera for Dummies
  ◮   DD-Wrt website
  ◮   Fonera’s modding list
  ◮   Fonera’...
Creative Commons License

Released under CC 2.5 Attribution, NonCommercial, ShareAlike

Sources: http://sa...
Slide 1 (title): GeekEvening 0x0f Fonera Hack! How to make a Fonera your preferred hackin’ toy?
Andrea Chiffi aka “much0”
email: much0@salug.it
IM: much0@jabber.org
Salento GNU/Linux Users Group member since 2002
Free Software Foundation member since 2006
May 22, 2008
Slide 2: SaLUG! Who is behind this event?
SaLUG! Salento GNU/Linux Users Group, www.salug.it
A non-profit, non-partisan cultural association from Salento, made up entirely of volunteers with a passion for computers and IT, and above all for Free Software.
RiseUp HackLab: the subset of SaLUG! that sleeps little at night and drinks a lot of coffee...

Slide 3: Geek-evening and Hacking Sessions
Knowledge-sharing meetings:
◮ Geek-evening: afternoon meetings where advanced free-software topics are discussed in simple terms. Innovative and useful technologies and tools, within reach of every computing enthusiast, are presented.
◮ Hacking Sessions: night-time meetings aimed at a more experienced audience: less introductory, more hands-on.
These meetings are held at the ZEI social space, www.zei.le.it
Slides 4–5: Outline
1 Intro
  ◮ What’s FON?
  ◮ What’s Fonera?
  ◮ Hardware Overview
2 Hacking
  ◮ Enable SSH access
  ◮ Serial Port
3 Flashing
  ◮ RedBoot
  ◮ OpenWrt
  ◮ dd-wrt
4 Configuring
  ◮ MadWifi driver
  ◮ Access Point
  ◮ Client mode / Client bridge mode
  ◮ Repeater
  ◮ WDS
5 Modding
  ◮ Adding a second antenna
  ◮ Adding a SD-Card
  ◮ Modding++
Slide 6: What’s FON? [1]
◮ FON is the largest WiFi community in the world
◮ FON is a Community of people making WiFi universal and free
◮ FON is a company created in February 2006 in Madrid, Spain
◮ Their vision is WiFi everywhere, made possible by the members of the Community, the Foneros
◮ Foneros share some of their home Internet connection and get free access to the Community’s FON Spots worldwide
◮ Fonspot’s map: http://maps.fon.com
Slides 7–10: What’s Fonera?
◮ a small wireless router made by FON
◮ you can buy it at http://shop.fon.com/, from your local FON reseller or... eBay
◮ Different models (but the same CPU/WiFi):
  1 FON2100 (first version: no longer available)
  2 FON2200 (second version: currently available)
  3 Fonera+ (new model: currently available)
  4 Fonera 2.0 (in development: not available)
Slides 11–13: Fonera’s models
◮ FON2100 & FON2200: 1 ethernet port (WAN), 1 wifi section
◮ Fonera+: 2 ethernet ports (WAN & LAN), 1 wifi section
◮ Fonera 2.0: 2 ethernet ports (WAN & LAN), 1 wifi section, 1 USB port, more RAM (32 MB)
Slides 14–18: Fonera’s CPU & WiFi section [2]
Atheros AR2315 2.4 GHz Single Chip
◮ Integrated 32-bit MIPS R4000-class processor, freq.: 183.5 MHz
◮ Wireless MAC: 802.11b (1–11 Mbps), 802.11g (1–54 Mbps)
◮ Operating frequencies: from 2.300 to 2.500 GHz
◮ Hardware encryption: AES, TKIP, WEP
◮ Ethernet MAC: 10/100 Mbps
◮ Peripheral interface: GPIOs, LEDs
◮ Memory interface: FLASH, SDRAM
◮ Operating voltage: 1.9 and 3.3 V
Slide 19: Atheros chipset AR5006AP (figure)
Slides 20–22: RAM, Flash & Power
◮ RAM (Hynix HY57V281620E): size 16 MB (128 Mbit, organized in 16-bit blocks); type: synchronous DRAM
◮ Flash (FON2100: ST M25P64, FON2200: MX 25l640SMC-20G): size 8 MB (64 Mbit); type: serial flash on a 50 MHz SPI bus (slower than a parallel bus, so flashing a new firmware can take a rather long time)
◮ Power: model FON2100: 5 V, 2 A (WLAN off: 4–6 W, WLAN on: 9 W); model FON2200: 7.5 V, 1 A (an internal DC-DC voltage regulator drops the voltage to 3.3 V)
Slide 23: FON2100 (front), board photo
Slide 24: FON2100 (back), board photo
Slide 25: FON2200 (front), board photo labelled: serial port, LEDs, power, SDRAM, second antenna, Ethernet (RJ45), WiFi section, CPU, Ethernet transceiver, JTAG, antenna 1, 40 MHz crystal
Slide 26: FON2200 (back), board photo labelled: voltage regulator, RESET button, FLASH memory (firmware), MAC & S/N label
Slide 27: FON2100 Overheating Issue/Bug (thermal image; scale from 25 °C to 80 °C)
Slide 28: FON2100 Overheating Solution [13] (figure)
Slides 29–30: Enable SSH Access [3]
Configure your ethernet card and connect directly to the Fonera’s ethernet port:
◮ IP: 169.254.255.2
◮ Subnet mask: 255.255.0.0
◮ Gateway: 169.254.255.1
◮ DNS: 169.254.255.1
Fw version 0.7.1 r1 (webif bug: use HTML injection). Injection in http://169.254.255.1/cgi-bin/webif/connection.sh:
  $(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)
  $(/etc/init.d/dropbear)
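The injection on this slide works because the 0.7.1 r1 webif pasted a form field into a shell command line, so a `$(...)` in the field ran as a command on the router. As an added example (not code from the slides or from FON’s firmware; the function names and the config file path are my own), this is the input handling that closes that class of bug in the same POSIX sh that connection.sh is written in: each field is checked against what it may legitimately contain, and the raw value never reaches eval or an unquoted command line.

```shell
#!/bin/sh
# Added example, not FON's code: allowlist validation for webif form fields.
# The webif bug was that a submitted value was re-parsed by the shell, so
# "$(command)" in a field executed on the router. Accepting only values that
# match the field's real syntax, and passing them as quoted arguments,
# removes the shell from the picture entirely.

# Strict dotted-quad IPv4: exactly four decimal octets, each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, edge or empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                 # split on dots only (chars already vetted)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Free-text fields (an ESSID, for instance) get an allowlist too: a bounded
# run of letters, digits, dot, underscore and hyphen, so "$", "(", ";", "`"
# and quotes can never be submitted at all.
is_safe_text() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# Persist a DNS setting. $1 = submitted value, $2 = config file (a constructed
# stand-in for the router's configuration). Validate first; then the value is
# only ever a quoted printf argument, never something the shell re-parses.
set_dns_safe() {
    if ! is_ipv4 "$1"; then
        echo "rejected DNS value: not a dotted-quad IPv4 address" >&2
        return 1
    fi
    printf 'option dns %s\n' "$1" >> "$2"
}

# Demo on a temporary file: a real address is stored, the slide's payload
# shape is refused before anything could run.
CFG=$(mktemp)
set_dns_safe '192.0.2.53' "$CFG" && echo "accepted: 192.0.2.53"
set_dns_safe '$(/etc/init.d/dropbear)' "$CFG" || echo "rejected: command substitution"
cat "$CFG"
rm -f "$CFG"
```

The same pattern applies to every field the CGI scripts read: decide the grammar of the value up front, reject anything outside it, and keep the accepted value in a variable that is only ever expanded inside double quotes.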
Slides 31–32: Enable SSH Access [3]
Fw version 0.7.1 r2 (webif bug corrected: use DNS spoofing)
◮ set the Fonera’s DNS to 88.198.165.155 (kolofonium.datenbruch.de), the Kolofonium Hack [4]
◮ reboot (the Fonera must be connected to the internet)
◮ restore the Fonera’s default DNS (213.134.45.129)
Fw versions 0.7.1-r5, 0.7.2-r2, r3 (the DNS used for the fw upgrade is blocked)
◮ try the Kolofonium hack (not all units have the “internal” DNS blocked)
◮ try resetting your Fonera: hold the reset button for more than 30 s (until the wireless LED turns off) and reboot
◮ try downgrading the firmware (via webif)
Slides 33–38: After enabling SSH...
◮ connect via SSH (username: root, password: admin):
  ssh root@169.254.255.1
◮ rename the dropbear init script so it starts at boot:
  mv /etc/init.d/dropbear /etc/init.d/S50dropbear
◮ edit /etc/firewall.user and uncomment these two lines:
  # iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
  # iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
◮ edit /bin/thinclient to prevent the Fonera’s automatic firmware upgrade, adding a # to comment out this line:
  /tmp/.thinclient.sh
◮ append this line to /tmp/.thinclient.sh to save the automatic firmware upgrade:
  cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
However, you can also access the Fonera’s console via a serial cable... ;-)
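The steps on slides 33–38 are edits to three files. Done by hand over SSH they are easy to get half right, and nothing later tells you whether the device is still configured that way. As an added example (my own script, not from the slides or from FON), this POSIX sh applies all three edits idempotently and audits them, against either the live root filesystem or a directory holding copies of the files. One reading of mine is built in: the slides’ cp line is placed in /bin/thinclient right where the call to /tmp/.thinclient.sh is commented out, so each script FON pushes is archived instead of executed. The sample files, the fon-server.invalid URL and the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: apply the "After enabling SSH" edits to
# a Fonera root filesystem and verify them. Pass "/" on the device itself, or
# a directory with copies of etc/init.d/dropbear, etc/firewall.user and
# bin/thinclient for a dry run. Plain POSIX sh + awk + sed, as BusyBox has.

# The slide's archive line. The $(...) is escaped so it expands on the router
# when thinclient runs, not here.
ARCHIVE_LINE="cp /tmp/.thinclient.sh /tmp/thinclient-\$(date '+%Y%m%d-%H%M')"

# 1. dropbear is only started at boot once its init script has an S-prefix.
start_dropbear_at_boot() {
    d="$1/etc/init.d"
    if [ -f "$d/dropbear" ] && [ ! -e "$d/S50dropbear" ]; then
        mv "$d/dropbear" "$d/S50dropbear"
    fi
    [ -e "$d/S50dropbear" ]
}

# 2. Uncomment the two port-22 rules in firewall.user. Already-uncommented
#    lines no longer carry the leading "# ", so a second run is a no-op.
open_ssh_on_wan() {
    f="$1/etc/firewall.user"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    sed 's/^# *\(iptables .* --dport 22 -j ACCEPT\)$/\1/' "$f" > "$f.new" &&
        cat "$f.new" > "$f" && rm -f "$f.new"    # keep the file's inode and mode
}

# True while /bin/thinclient still executes the script it downloads to
# /tmp/.thinclient.sh (sourced with ".", run with "sh", or called directly).
auto_upgrade_active() {
    awk '!/^[ \t]*#/ && ($1 == "." || $1 == "sh" || $1 == "/tmp/.thinclient.sh") &&
         /\/tmp\/\.thinclient\.sh/ { found = 1 } END { exit !found }' "$1/bin/thinclient"
}

# 3. Comment out that execution line and put the archive line in its place,
#    leaving the download itself (wget) untouched so the copy still lands.
disable_auto_upgrade() {
    f="$1/bin/thinclient"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    auto_upgrade_active "$1" || return 0          # already disabled
    awk -v cp="$ARCHIVE_LINE" '
        !/^[ \t]*#/ && ($1 == "." || $1 == "sh" || $1 == "/tmp/.thinclient.sh") &&
        /\/tmp\/\.thinclient\.sh/ { print "#" $0; print cp; next }
        { print }' "$f" > "$f.new" &&
        cat "$f.new" > "$f" && rm -f "$f.new"
}

harden_fonera() {
    start_dropbear_at_boot "$1" && open_ssh_on_wan "$1" && disable_auto_upgrade "$1"
}

# Returns 0 only when all three changes are in place; names whatever is missing.
audit_fonera() {
    r="$1"; rc=0
    [ -e "$r/etc/init.d/S50dropbear" ] || { echo "dropbear is not started at boot"; rc=1; }
    [ "$(grep -c '^iptables .* --dport 22 -j ACCEPT' "$r/etc/firewall.user" 2>/dev/null)" = 2 ] ||
        { echo "port 22 rules in firewall.user are still commented"; rc=1; }
    if auto_upgrade_active "$r"; then echo "thinclient still runs pushed scripts"; rc=1; fi
    return $rc
}

# Constructed stand-in for a stock Fonera root, for dry runs and the demo.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/init.d" "$r/bin"
    : > "$r/etc/init.d/dropbear"
    cat > "$r/etc/firewall.user" <<'EOF'
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
EOF
    cat > "$r/bin/thinclient" <<'EOF'
#!/bin/sh
# constructed stand-in; the real script fetches the vendor's command file
wget -q -O /tmp/.thinclient.sh "http://fon-server.invalid/thinclient"
. /tmp/.thinclient.sh
EOF
    echo "$r"
}

R=$(make_sample_root)
audit_fonera "$R" || true              # stock image: reports all three gaps
harden_fonera "$R"
audit_fonera "$R" && echo "all changes applied under $R"
rm -rf "$R"
```

On the device itself the call is `harden_fonera /` followed by `audit_fonera /`; the archived copies under /tmp/thinclient-* are what let you read what the vendor’s upgrade channel wanted to run before deciding whether to apply it.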
Slide 39: RS232 to TTL

RS-232 (PC)       TTL (Fonera)      Logic
-15 V ... -3 V    +2 V ... +5 V     High (1)
+3 V ... +15 V    0 V ... +0.8 V    Low (0)
  40. 40. Intro Hacking Enable SSH access Flashing Serial Port Configuring Modding RS232 To TTL with MAX232 Andrea Chiffi “much0” Fonera Hack!
RS232 To TTL with MAX232 (components)

- 1 x female serial port connector (DB9)
- 1 x MAX232
- 4 x 1uF capacitor
- 1 x 10uF capacitor
- soldering iron, wires, breadboard etc.
RS232 To TTL with MAX232 (my circuit) [5]

RS232 To TTL with MAX232 (my TTL connector) [5]
RS232 To TTL without MAX232 [6]

Only a couple of BJT transistors are needed, working as simple level-shifting switches between the RS-232 and TTL sides.
USB To TTL

Most (old?) cellular phones can connect to a PC via a data cable, and all(?) cellular phones' data ports use TTL logic. I've used my (not original) Nokia CA-42 data cable to connect my PC (via USB) to the Fonera (via the internal serial port) and... it works! :-)
RedBoot

RedBoot is the Fonera's boot manager:

- based on the eCos real-time operating system Hardware Abstraction Layer (developed by Red Hat)
- allows download and execution of embedded applications via serial (X/Y-modem protocol) or Ethernet (TFTP protocol), including embedded Linux and eCos applications
- provides an interactive command line interface, accessible via serial or Ethernet, for managing the flash images, image download, RedBoot configuration, etc.
- for automated startup, boot scripts can be stored in flash, allowing for example loading of images from flash, hard disk, or a TFTP server
- released under the eCos License (a GPL-compatible free software license)
Booting...

    +PHY ID is 0022:5521
    Ethernet eth0: MAC address 00:18:84:xx:xx:xx
    IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
    Default server: 0.0.0.0

    RedBoot(tm) bootstrap and debug environment [ROMRAM]
    Non-certified release, version v1.3.0 - built 16:57:58, Aug 7 2006

    Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.

    Board: ap51
    RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
    FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
    == Executing boot script in 10.000 seconds - enter ^C to abort
    ^C
    RedBoot>
Flashing

To boot the device you need:
- boot manager => RedBoot
- kernel
- root filesystem

dd-wrt v24 rc6.2 files:
- vmlinux.bin.l7 (kernel)
- root.fs (root fs)

dd-wrt v24 files:
- linux.bin (kernel + rootfs)
- or fonera-firmware.bin (to upgrade via the web interface)

OpenWrt files (http://downloads.openwrt.org/):
- openwrt-atheros-2.6-vmlinux.lzma (kernel)
- openwrt-atheros-2.6-root.jffs2-64k (root fs)
First reflash

FON2200: at the Fonera's startup, RedBoot opens by default a telnet server on port 9000 (IP: 192.168.1.254). We can use that port to connect to RedBoot and reflash the Fonera. ;-)

FON2100: RedBoot does not open the telnet server on port 9000, and RedBoot's config partition is not writable from the stock FON firmware. The solution is:

1. flash another kernel that permits writing to RedBoot's config partition:

       mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7

2. change the RedBoot configuration by rewriting RedBoot's config partition:

       mtd -e "RedBoot config" write out.hex "RedBoot config"
Flash partitions

    Name             Partition ID   Size     Description
    RedBoot          0              192 KB   Boot manager
    rootfs           1              ...      Root filesystem
    vmlinux.bin.l7   2              ...      Linux kernel
    FIS directory    3              60 KB    Partition table
    RedBoot config   4              4 KB     RedBoot configuration

    RedBoot> fis init
    About to initialize [format] FLASH image system - continue (y/n)? y
    *** Initialize FLASH Image System
    ... Erase from 0xa87e0000-0xa87f0000: .
    ... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Note that fis init rewrites the FIS directory, so every partition entry except RedBoot's own is gone afterwards and must be recreated with fis create.
OpenWrt [8]

- minimalistic Busybox/Linux distribution, GPL licensed, for embedded devices
- provides a fully writable filesystem with package management
- provides a set of tools for building a rootfs/kernel (a toolchain for your device)
- provides software as IPKG packages (apt-get like, with automatic dependencies)
- kernel modules are packaged too (names like "kmod-...")
- uses UCI (Universal Configuration Interface) for system/package configuration ("config.section.key=value" syntax)
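As an added example of the UCI model just described (it is not from the slides, nor OpenWrt's own code): a POSIX sh/awk filter that turns `uci show`-style config.section.key=value lines into the /etc/config stanza layout OpenWrt stores on disk, and a check that a dropbear configuration refuses password logins and listens on the LAN only. The sample lines are constructed; the dropbear option names (PasswordAuth, RootPasswordAuth, Interface, Port) are OpenWrt's, while list options and the quoted values printed by newer uci versions are out of scope.

```sh
#!/bin/sh
# Added example, not from the slides: UCI "pkg.section.option=value" lines
# (what `uci show` prints) converted to the /etc/config file layout, plus a
# hardening check for dropbear. Sample input is constructed, not captured.

# Constructed `uci show dropbear` output: keys-only SSH, LAN side only.
SAMPLE_DROPBEAR='dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=off
dropbear.@dropbear[0].RootPasswordAuth=off
dropbear.@dropbear[0].Interface=lan
dropbear.@dropbear[0].Port=22'

# stdin: "pkg.section=type" (section header) or "pkg.section.option=value".
# stdout: the stanza form ("config type 'name'" / "\toption key 'value'").
# Anonymous sections (@type[i]) are written without a name, as OpenWrt does.
uci_show_to_file() {
    awk '
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)          # value may itself contain "="
        n = split(key, p, "[.]")
        if (n == 2) {
            if (substr(p[2], 1, 1) == "@") printf "config %s\n", val
            else printf "config %s \047%s\047\n", val, p[2]
        } else if (n == 3) {
            printf "\toption %s \047%s\047\n", p[3], val
        }
    }'
}

# stdin: `uci show dropbear` lines. Exit 0 only when password logins are
# refused (root included) and dropbear binds to the LAN interface.
dropbear_hardened() {
    awk -F= '
        $1 ~ /\.PasswordAuth$/     { pw = $2 }
        $1 ~ /\.RootPasswordAuth$/ { rootpw = $2 }
        $1 ~ /\.Interface$/        { iface = $2 }
        END { exit !(pw == "off" && rootpw == "off" && iface == "lan") }'
}
```

On a live OpenWrt box the input would come from `uci show dropbear`; the stanza output is what you would expect to find in /etc/config/dropbear after `uci commit`.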
OpenWrt versions

White Russian:
- old stable version (no longer developed)
- kernel 2.4
- web interface (package x-wrt)

Kamikaze:
- current/new version
- kernel 2.6
- lacks a fully featured web interface (partial support)
OpenWrt flashing via serial port

    RedBoot> load -v -r -b %{FREEMEMLO} -m ymodem
    CRaw file loaded 0x80040800-0x801007ff, assumed entry at 0x80040800
    xyzModem - CRC mode, 6145(SOH)/0(STX)/0(CAN) packets, 2 retries
    RedBoot> fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
    ... Erase from 0xa8030000-0xa80f0000: ...............
    ... Program from 0x80040800-0x80100800 at 0xa8030000: ...............
    ... Erase from 0xa87e0000-0xa87f0000: .
    ... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
    RedBoot> load -v -r -b %{FREEMEMLO} -m ymodem
    CRaw file loaded 0x80040800-0x801e07ff, assumed entry at 0x80040800
    xyzModem - CRC mode, 13317(SOH)/0(STX)/0(CAN) packets, 6 retries
    RedBoot> fis create -l 0x006F0000 rootfs
    ... Erase from 0xa80f0000-0xa87e0000: ..............................
    ... Program from 0x80040800-0x801e0800 at 0xa80f0000: ....................
    ... Erase from 0xa87e0000-0xa87f0000: .
    ... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
dd-wrt [11]

- another mini-distro for embedded systems, based on the Linksys firmware
- complete web interface
- more features added (WDS, RADIUS auth., QoS, HotSpot portal, DDNS, VLAN, ...)
- indirect support for OpenWrt ipkg packages
- GPL license
dd-wrt (v24) flashing via TFTP

    RedBoot> ip_address -h 192.168.1.1
    IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
    Default server: 192.168.1.1
    RedBoot> load -r -v -b 0x80041000 linux.bin
    Using default protocol (TFTP)
    -
    Raw file loaded 0x80041000-0x806a0fff, assumed entry at 0x80041000
    RedBoot> fis create linux
    ... Erase from 0xa8030000-0xa8690000: ..............................
    ... Program from 0x80041000-0x806a1000 at 0xa8030000: ...............
    ... Erase from 0xa87e0000-0xa87f0000: .
    ... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
    RedBoot> fconfig
    Run script at boot: true
    Enter script, terminate with empty line
    >> fis load -l linux
    >> exec
    >>
    Boot script timeout (1000ms resolution): 10
    Local IP address: 192.168.1.254
    Console baud rate: 9600
    GDB connection port: 9000
    Update RedBoot non-volatile configuration - continue (y/n)? y
    ... Erase from 0xa87e0000-0xa87f0000: .
    ... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
    RedBoot> reset
    ... Resetting.
How to enable JFFS2

Under the dd-wrt (v24 rc6.2) web interface, go to Administration -> Management -> JFFS2 Support:
- JFFS2: Enable (click Apply, wait... and reboot)
- Clean JFFS2: Enable (click Apply, wait... and reboot)

Result:

    root@dd-wrt# mount
    ...
    /dev/mtdblock/4 on /jffs type jffs2 (rw)
    root@dd-wrt# df
    Filesystem       1k-blocks  Used  Available  Use%  Mounted on
    /dev/root             2816  2816          0  100%  /
    ...
    /dev/mtdblock/4       4096   340       3756    8%  /jffs
Flashing from Linux via mtd

    Usage: mtd [<options> ...] <command> [<arguments> ...] <device>
    The device is in the format of mtdX (eg: mtd4) or its label.
    mtd recognizes these commands:
            unlock                  unlock the device
            erase                   erase all data on device
            write <imagefile>|-     write <imagefile> (use - for stdin) to device
    Following options are available:
            -q                      quiet mode (once: no [w] on writing, twice: no status messages)
            -r                      reboot after successful command
            -f                      force write without trx checks
            -e <device>             erase <device> before executing the command
    Example: To write linux.trx to mtd4 labeled as linux and reboot afterwards
            mtd -r write linux.trx linux

Flashing OpenWrt from the running Linux:

    mtd -e vmlinux.bin.l7 write openwrt-atheros-2.6-vmlinux.lzma vmlinux.bin.l7
    mtd -e rootfs write openwrt-atheros-2.6-root.jffs2-64k rootfs
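Added example (not from the slides): a guard around the mtd commands above and the partition table on the "Flash partitions" slide. It resolves a partition label to its mtdN device from /proc/mtd, which lists size and erase size in hex, and refuses to write an image larger than the partition, so an oversized rootfs cannot run into the FIS directory or RedBoot config that follow it in flash. The /proc/mtd sample is constructed from that table, with the sizes the table leaves out assumed (rootfs 0x6f0000 from the fis create -l on the serial-flashing slide, kernel 0xc0000).

```sh
#!/bin/sh
# Added example, not from the slides: check an image against the target
# partition's size before "mtd -e <part> write <image> <part>".
# /proc/mtd format: "mtdN: <size hex> <erasesize hex> "<label>"".

# Constructed /proc/mtd for the slide's layout; rootfs and kernel sizes are
# assumptions (taken from the fis create commands in this deck).
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 00030000 00010000 "RedBoot"
mtd1: 006f0000 00010000 "rootfs"
mtd2: 000c0000 00010000 "vmlinux.bin.l7"
mtd3: 0000f000 00010000 "FIS directory"
mtd4: 00001000 00010000 "RedBoot config"'

# Print the /proc/mtd line for LABEL (labels may contain spaces).
_mtd_line() {                      # _mtd_line LABEL [PROC_MTD]
    awk -v want="$1" '
        NR > 1 {
            name = $0; sub(/^[^"]*"/, "", name); sub(/"$/, "", name)
            if (name == want) { print; exit }
        }' "${2:-/proc/mtd}"
}

# mtd_dev LABEL [PROC_MTD]  -> "mtdN" on stdout (empty if unknown)
mtd_dev() {
    _mtd_line "$1" "$2" | awk '{ sub(/:$/, "", $1); print $1 }'
}

# mtd_size LABEL [PROC_MTD] -> partition size in bytes; exit 1 if unknown
mtd_size() {
    hex=$(_mtd_line "$1" "$2" | awk '{ print $2 }')
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# mtd_fits IMAGE LABEL [PROC_MTD] -> exit 0 if IMAGE fits in partition LABEL,
# 1 if it is too large, 2 if there is no such partition.
mtd_fits() {
    img="$1"; label="$2"; procmtd="${3:-/proc/mtd}"
    size=$(mtd_size "$label" "$procmtd") || { echo "no partition named '$label'" >&2; return 2; }
    need=$(wc -c < "$img" | tr -d ' ')
    if [ "$need" -gt "$size" ]; then
        echo "$img is $need bytes but '$label' ($(mtd_dev "$label" "$procmtd")) holds only $size" >&2
        return 1
    fi
}

# The guarded write, for use on the Fonera itself (needs the mtd tool).
flash_partition() {                # flash_partition IMAGE LABEL
    mtd_fits "$1" "$2" || return $?
    mtd -e "$2" write "$1" "$2"
}
```

Usage on the device: `flash_partition openwrt-atheros-2.6-root.jffs2-64k rootfs`; the size check is the only part exercised by the test below, since it needs neither flash nor the mtd binary.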
MadWifi VAPs

WiFi modes:
- Station (managed mode)
- Access Point (master/infrastructure mode)
- Ad-Hoc
- Wireless Distribution System (WDS)
- Monitor

Multiple Virtual Access Points (VAPs)... but only one station/ad-hoc/monitor VAP!

    usage: wlanconfig athX create [nounit] wlandev wifiY wlanmode [sta|adhoc|ap|monitor|wds|ahdemo] [bssid|-bssid] [nosbeacon]
    usage: wlanconfig athX destroy
    usage: wlanconfig athX list [active|ap|caps|chan|freq|keys|scan|sta|wme]
Access Point

[diagram: ADSL modem/router or Fastweb HAG on the phone line, Ethernet to the Fonera]
Client Mode / Client Bridge Mode

[diagram: router, access point, Fonera as client]
Repeater

[diagram: router, access point, Fonera at the hotspot limit, expanded hotspot]
WDS (Wireless Distribution System)

[diagram: router, access point, Fonera linked via WDS]
Adding a Second Antenna I

Needed:
- RP-SMA female connector
- 10 cm of RG174 WiFi cable (50 ohm impedance)
- soldering iron and solder
Adding a Second Antenna II (photos)
Adding a SD-Card [18, 15] I

    SD-Card       Fonera SDIO   GPIO
    DO  (pin 7)   SW1           3
    CLK (pin 5)   SW2           4
    DI  (pin 2)   SW5           1
    CS  (pin 1)   SW6           7
    Gnd (pin 3)   Gnd           n/a
    Gnd (pin 6)   Gnd           n/a
    Vcc (pin 4)   Vcc           n/a

Remove the 4 capacitors near the SDIO pins.
Adding a SD-Card [18, 15] II-V (photos of the mod)
Modding++ [12] I

- Upgrading RAM to 32MB
- Adding a LCD display
Modding++ [12] II

- MP3 wireless streaming
- Fonera GPS: a wardriving tool ;-)
- Fonera SMS: send/receive SMS
- Garden irrigation tool... LOL!
Modding++ [12] III

- Fonera Robot
Modding++ [12] IV

- Switch hack by sydro (a SaLUG! member)
Modding++ [12] V

- Fonera Ferrari!
That's all folks!

Thank you for your attention. Questions?

Ok, now I'm going to drink some rum... ;-)
References

[1] FON official site
[2] Autopsy of a fonera
[3] Paolo Gatti's Italian blog
[4] Kolofonium hack
[5] My RS-232 to TTL converter pics
[6] RS232 to TTL without MAX232
[7] WIFI-ITA (Italian wireless portal)
[8] OpenWrt website
[9] La Fonera dalla scatola a OpenWRT
[10] Using OpenWrt on La Fonera for Dummies
[11] DD-WRT website
[12] Fonera's modding list
[13] Fonera's fan cooling
[14] Esperimenti con la fonera
[15] SD/MMC card fits in floppy edge-connector
[16] Fonera SD Card Hack
[17] Customizing hardware: MMC
[18] mmc mod info
Creative Commons License

Released under CC 2.5 Attribution-NonCommercial-ShareAlike.
Sources: http://salug.it/~much0/fonera/
Copyright (C) 2008 - Andrea Chiffi a.k.a. much0 <much0@salug.it>
