Hacking the La Fonera Fon Router with DD-WRT

Filed Under Gadgets & Hardware, Hacks and Mods on 2008-09-24, 21:47

I live across the street from a friend and we thought it would be handy to be able to connect to each other’s machines in order to transfer files back and forth. Rather than just connect to each other’s networks as needed, we figured it’d be easier just to setup a third “across-the-street” network. This means that we both need endpoints to connect to the other. For me, I chose to use an old Fon “La Fonera” router that I had stuffed away in a box months ago. Unfortunately the firmware that ships with the Fon router doesn’t have support to do anything like this. Luckily there are free, open-source firmwares out there like DD-WRT that are robust enough to meet our needs. The first major step was to actually get DD-WRT on this router. Here’s how I did it and how you can too:

You’re first going to need some tools:
– An ethernet cable and a laptop/desktop to use. I also recommend having a second machine that you can use just for an internet connection in case you run into trouble.
– Telnet and SSH clients (putty on windows, built-in on OS X)
– A TFTP server setup with the latest release of DD-WRT:
— For Windows, you can use Simple TFTP server
— For OS X, you can use the built-in TFTP server with the following commands:

sudo mkdir /private/tftpboot
sudo /sbin/service tftp start

To test your TFTP connection put a file in /private/tftpboot and try the following:

tftp localhost
get filename

If TFTP is working, great, go grab the v24 RC7 version of the linux.bin file for DD-WRT here and drop it into /private/tftpboot since we’ll need this later. Just in case, I’ve mirrored a copy of linux.bin.

Ok great, your initial things are setup and ready. The first real step is to get SSH enabled, and this proved to be the most challenging as I tried to piece together information from various sites on various methods. Luckily it should be easy for you. How to go about this is different depending on the firmware you have on your Fon router. I had 0.7.1 r2 so I couldn’t use the html form injection method and had to use what is called the Kolofonium hack. Basically it means you set the Fon router to use manual network settings and set the DNS server to 88.198.165.155. Then plug the router in and it will attempt to connect to a Fon server to update. The new DNS server you’ve specified is special though, and will redirect this request to a different server, which will provide different firmware that will then have SSH enabled on the device. This should work for most devices. Once this is done, you’ll need to SSH into the device (ssh 192.168.1.1 with username of “root” and password of “admin”) and enable it permanently by executing the following:

mv /etc/init.d/dropbear /etc/init.d/S50dropbear

Great, SSH is now enabled permanently. Next up, flashing the firmware. Connect via SSH to the LaFonera, and execute the following commands:

cd /tmp
wget http://fonera.info/camicia/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
reboot

After a few seconds to allow the Fon to reboot, reconnect over SSH and execute the following:

cd /tmp
wget http://fonera.info/camicia/out.hex
mtd -e “RedBoot config” write out.hex “RedBoot config”
reboot

At this point the Fon router will not be able to boot fully, but don’t worry. We’ll be connecting to it via Telnet. You’ll want to manually configure your machine’s network to be on the 192.168.1.* subnet, I used 192.168.1.166 as the IP for my laptop. Then plug the Fon router in via ethernet and connect via telnet on port 9000, aka “telnet 192.168.1.254 9000″. Once you connect, you may have to hit enter, but then you should see a “RedBoot>” prompt.

Now is the time to use that TFTP server you setup earlier. At the RedBoot> prompt on the Fon router, execute the following:

ip_address -l 192.168.1.254/24 -h 192.168.1.166

If you didn’t setup your computer to 192.168.1.166, replace that with whatever IP address you did use.

Now execute the following:

fis init
load-r -b 0x80041000 linux.bin
fis create linux

The last step (fis create linux) may take awhile. Go make a turkey pot pie or something. Mine took about 20 minutes. When that is done, don’t reboot yet, we still need to set a few things for the Fonera to boot correctly. At the RedBoot> prompt, type “fconfig” and hit enter. Then hit enter (or type the following) as you go through the boot script setup:

Run script at boot: true
Boot script:
.. fis load -l vmlinux.bin.l7
.. exec
Enter script, terminate with empty line
>> fis load -l linux
>> exec
>>
Boot script timeout (1000ms resolution): 10
Use BOOTP for network configuration: false
Gateway IP address:
Local IP address: 192.168.1.254
Local IP address mask: 255.255.255.0
Default server IP address:
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration – continue (y/n)? y
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot>reset

Great, now your Fon router should be rebooting. Unplug the ethernet and connect to the wireless AP named “dd-wrt” (login is root/admin if it asks). You should be seeing the DD-WRT control panel in your browser and you are now connected to your Fon router running DD-WRT! Congrats!

Next time, I’ll post how to get your Fon router to act as a wireless bridge to extend your wireless coverage to another device that has an ethernet port, like an XBox or Playstation 3.

A lot of this info came from various sources. I have rewritten and reposted it here in the spirit of propagating the information. In my research I came across some sites and files that were necessary (for old methods) that were no longer available. I didn’t want anyone else to run into this problem. The information above is from my own experience and the combination of bits and pieces from the sites below. Note however that some of these sites may have outdated information, but may be useful if you have older firmware or something:

The Kolofonium Hack (information on how the old and new methods of enabling SSH on the Fonera work. Interesting if you want to know what vulnerabilities are being used to hack this router)
DD-WRT Wiki page on hacking the La Fonera
Hacking the La Fonera (the old method of enabling SSH on old versions of the Fon firmware)

Tagged: , , , ,


Comments