바람일려나's Blog
방 한 구석에 앉아 세상을 얘기한다

FON Router Hacking Guide
Published on March 12, 2007 in Hacks. 


The following is a guide to flashing the Fonera Access Point, into a mini-router (albeit with only one ethernet jack) running the excellent, open-source DD-WRT firmware. This provides many useful features, such as turning the router into a wireless repeater, or even an ethernet to wireless bridge. 




1. Power Adapter
2. CD
3. Setup Manual
4. Small FON Sticker
5. Large FON Sticker
6. Flat Ethernet Cable (Straight-through)
7. FON Access Point

To see more pictures of the FON (and its innards!): Pictures of the Disassembled FON
Preparation

Download the latest version of the following items (I recommend saving them all into a special folder on your desktop for convenience): 

Putty
HTTP File Server (HFS)
Tftpd32 (Extract the Tftpd32 zip file to your special folder)
DD-WRT Fonera Firmware (Download root.fs and vmlinux.bin.l7 only.)

And the following files (Right-Click, Save as…) : 

SSHEnable.htm
openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
out.hex

It’s important to download everything you need before you get started, because you will not have internet access throughout this tutorial. All of the programs listed are installer free, meaning that at the end of this tutorial, you just have to throw everything in the trash. No messy uninstalls, no shortcuts all over the place.

If you have already enabled SSH access on your router, please skip to Flashing the Firmware.
Connecting La Fonera 

Plug the FON into the power, and into the LAN port on your computer. 

In Windows, disable all other network connections besides the one connected to the FON. You’ll need to set the following settings in the LAN ports properties. Disable all firewalls, or at least make sure that port 22, 23, and 9000 are open.

IP: 169.254.255.2
Subnet: 255.255.0.0 (System will fill it in for you)
Default Gateway: 169.254.255.1
DNS: 169.254.255.1



Once all three leds are blinking (1-2 minutes), you should be able to open a browser, type 169.254.255.1 and see the Router Status. If not, wait a little while longer. If you are still not getting anything, re-check your settings.

The first time you log into the router, you will need to supply the following: 

Username: root
Password: admin 



If the firmware version is 0.7.1 r1 or lower, please skip to Enabling SSH.

If you have version 0.7.1 r2, you will fall in two categories:

1. Your router shipped with a previous firmware, and you let it update itself from FON’s servers. You will need to downgrade before continuing with this guide. 
Downgrading
After the FON has been on for a couple minutes, push the reset button on the bottom, and hold it in for several seconds (30-45 secs is fine). Wait for it to finish rebooting (1-2 minutes), then check again to see what firmware version you have. 
If it’s now at or below 0.7.1 r1, then you may move to the next step, Enabling SSH.

2. Your router shipped with 0.7.1r2 installed. You will need to do the Kolofonium Hack, then when you come back here, you will start at Enabling RedBoot. 
EDIT- This is found on the DD-WRT Wiki: 

This works on the newest firmware:
1. Hold reset button for 30 seconds
2. Remove the power connector while still holding reset.
3. Replace power connector and continue holding reset button until "wifi" lights up and goes away again (a good 2-3 minutes of holding it).
4. Let go and wait for "wifi" to come back (2-3 minutes).
Supposedly, you will now be able to follow the rest of this guide without troubles. I will need to verify this, but for now, I am all out of routers. Feel free to give it a shot.
Enabling SSH 

Now open the SSHEnable.htm (that you downloaded earlier), hit submit.


Enabling RedBoot

Now open HFS. The first time you open it, a prompt will ask you if you want to include HFS in your context menu. I chose "No". Now, right click on the little house icon, and select "Add Files…", and add openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma and out.hex. 



Now, open Putty and SSH into 169.254.255.1, click "Open":



If this is your first time SSH’ing into the router, you will be faced with the following dialog prompt. Despite how serious it sounds, never fear, just click "Yes." 



Login using:

Username: root
Password: admin

As you type in the password, nothing will appear to happen, but continue typing anyways, and then hit enter. 

I’ll also share with you a huge time saver. In order to copy from this tutorial the commands and paste them into the SSH terminal, first highlight what you want to copy (make sure not to include any extra spaces), right click the highlighted text and hit copy. Then right click your SSH window. This will automatically insert whatever you highlighted into where the green cursor is located. 

Once logged in, execute the following command:

mv /etc/init.d/dropbear /etc/init.d/S50dropbear

This enables SSH permanently so that if you need to reset the router, you won’t need to run SSHEnable.htm again. If you have done this step before, it will return an error, and you can just continue on with the guide. 

For the following, after every line, hit enter and wait for it return to a prompt again: 

cd /tmp
wget http://169.254.255.2/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
reboot



Now a prompt should pop up saying "Server unexpectedly closed network connection"; Just hit "OK". 
The FON will now be restarting and will take 1-2 minutes (all three lights will be on). If you are impatient, you can do the following:
Unplug the FON from the power. Open up a command prompt in Windows (Start->Run->"cmd"), and type the following line: 
ping 169.254.255.1 -t 
Plug the FON back into the power. Whenever you start to see "Reply from 169.254.255.1…", you can move on to the following step. 

Right click on title bar of Putty and hit "Restart Session." You will now need to login again. 

Username: root
Password: admin

For the following, after every line, hit enter and wait for it return to a prompt again: 

cd /tmp
wget http://169.254.255.2/out.hex
mtd -e "RedBoot config" write out.hex "RedBoot config"
reboot



Click "OK" on the unexpected connection close box. 

Congratulations, you have now enabled RedBoot, which will allow us access to the bootloader. There we can flash the firmware to DD-WRT.

You can now exit the HFS program if you want. 
Flashing the Firmware

Change the IP to 192.168.1.166, subnet 255.255.255.0.

You should not need to change the gateway or DNS servers, but you can if you want (i.e. if you are having an error). They will need to be changed back in the last step if you decide to change them here.



Now open Tftpd32:


Make sure that root.fs and vmlinux.bin.l7 are in the same folder as the Tftpd32 program (or in the folder that is listed in "Current Directory" in Tftpd32).

Now, we can use Putty again for Telneting to the FON, or you can use whatever other program you have available. Right-click title bar of Putty, select "New Session." Make sure to select the Telnet button in Putty, IP to 192.168.1.254, and then change the port to 9000. Its best to do it in that order, since Putty automatically changes the port number to 23 whenever you click the Telnet button. 


If you are having trouble knowing when to start the Telnet connection, open up a command prompt in Windows (Start->Run->"cmd"), and type the following line: 
ping 192.168.1.254 -t 
Whenever you start to see "Reply from 192.168.1.254…", then hit connect in the Telnet client. 

Once you’re connected, enter the following commands. After each line, hit enter. The "fis" commands will take a long time (up to 10 minutes), but it will return to a "RedBoot>" prompt whenever it is ready to continue (refer to the second picture for how it will look). I got impatient and entered the next lines before the prompt appeared, and I ended up having to restart the whole process. 

ip_address -l 192.168.1.254/24 -h 192.168.1.166
fis init

Type "y", and hit enter.

load -r -v -b 0x80041000 root.fs



Note: The line below is correct; “rootfs” is not a typo.

fis create -b 0x80041000 -f 0xA8030000 -l 0x002C0000 -e 0x00000000 rootfs



load -r -v -b 0x80041000 vmlinux.bin.l7
fis create -r 0x80041000 -e 0x80041000 -l 0x000E0000 vmlinux.bin.l7
fis create -f 0xA83D0000 -l 0x00010000 -n nvram
reset



Once it finishes rebooting, you can connect to it over a wireless card at IP 192.168.1.1, or if you want to manage it over the ethernet port, you will need to change your IP address again to 

IP: 169.254.255.2
Subnet: 255.255.0.0 (System will fill it in for you)
Default Gateway: 169.254.255.1
DNS: 169.254.255.1



Now, you can connect to the DD-WRT web interface by opening a web browser and typing 192.168.1.1. If you want the router to give you an IP address automatically over ethernet, you will need to change the mode of the router. As of right now, they are still working out some of the bugs, but I have gotten the "Client Bridge" mode to work on 3/19/07 firmware, following these instructions. 

Also, you need to remember that any time you reset your router by hitting the button on the bottom (or in the firmware), you will need to manually set your IP again to the 169.254.255.2…etc. as above, in order to access it over the Ethernet port (well, until they change the firmware to where it defaults to putting the DHCP server on the ethernet port, if they ever do).

Also, watch the DD-WRT wiki for news about less buggy firmware releases, and make sure to upgrade using the fonera-firmware.bin files through the web gui. Its much easier!

If you are to this point, and your router is not responding, wait 5 minutes, and check your IP settings. If you are still not getting an response, I would recommend the following:

1. Unplug the power from the fon
2. Make sure you have all the other network connections disabled
3. Set the ip to the 192.168.1.166 with the same options as above.
4. Start the pinging (ping 192.168.1.254 -t)
5. Plug in the power to the router
6. In about 10-50 seconds, you should see a response. If you don’t, wait a little longer and double check your IP settings.
7. If you finally see a response, Start again "Flashing the Firmware," but unplug the power from the router first, because there is a narrow gap of time that the Redboot option is open.

If this guide helped you out, maybe you would be interested in some of the wonderful links provided by the G-man up in the top left corner of my page  

Thanks to Coded Chaos for his wonderful guide as well!

Related links:

Original Hackers of the FON

Coded Chaos’s Guide to Hacking the FON 

Pictures of the Disassembled FON on UselessHacks.com 

DD-WRT Wiki on Fonera Flashing 

DD-WRT Wiki on Adding a Serial port for Telnet Access


Copyright Uselesshacks.com 2007