Posted by Deliverator on February 24th, 2007
After a day filled with frustrations, I decided what I needed was a good, challenging late night hack session. I’ve had a funky little “La Fonera” wifi router sitting on my shelf for a while, so I decided to see what I could do with it. The “La Fonera” is from a spanish company called Fon, which is trying to build a hotspot network by literally giving away access points. The idea is that if you host a Fon hotspot, you can get on any of the other hotspots in the network for free, but non-members have to pay. I am not sure how that business model is working for them. As Matt is fond of saying, “its not my job to support your *^*&^*& business model.” For a while they were giving away WRT54GL’s, but despite a rather large cash infusion from google, I guess this proved too expensive. So, they rolled their own solution in the form of “La Fonera.” I am getting sick of saying La Fonera, so I will just call it the little white box. The little white box is quite little, and white. The little part makes it an interesting target for hacking, while the white part just makes me want to kill whoever started this particular design craze at Apple. So, lets see what we can do with this little white box, eh?
Sebastian Gottschall, chief developer of the excellent dd-wrt wireless firmware project, recently started releasing builds of dd-wrt for the little white box. OpenWRT is also a possibility. In fact, the little white box ships with a highly modified and locked down version of OpenWRT. Unlike most devices supported by dd-wrt, getting the firmware on the little white box isn’t as simple as just hitting the upload firmware button in the webmin interface (like you can on a WRT54GL). To start with, the little white box checks for a cryptographic signature on any firmware you try to upload using their web interface, so we have to find another method. The little white box uses an unmodified version of the Redboot bootstap environment, so if you can somehow get access to Redboot, you can use it to upload a new flash image from a TFTP server. There is a serial console with pin headers on the little white box. Unfortunately, it is a TTL type serial port, so you would need to build an adapter to use it. Eric Butler was kind enough to offer me the parts I would need (particularly a MAX232 TTL converter chip), but I was in no mood to wait, so I needed to find another way to get access to Redboot.
For this, it sure would help to have root SSH or telnet access to the little white box. I found a page which described a neat form submission data injection attack, similar to what was first used to open up the WRT54G. Unfortunately, my little white box came with a firmware which validates form submissions for things like escape characters. At this point, I am getting sick of the little white box, so I will now just call it lwb. Fortunately, I was able to downgrade to a firmware revision that doesn’t! Once you are at the lower firmware revision, be careful to keep your lwb from going online, as the lwb auto-updates! Using the above linked method, I was able to get myself root SSH access.
I quickly used vi to make the change permanent and keep the box from updating itself behind my back. Once into the lwb, I was able to swap in a different kernel, which can be found with some difficulty at this site. After rebooting with this new kernel and a few steps I don’t understand, you get access to Redboot via telnet on port 9000 on the lwb’s wired port.
Once into Redboot, you need to set up a tftp server and use it to serve up the latest dd-wrt firmware files to the lwb by carefully typing the instructions. If you screw up at this stage or any other stage, you are likely to your little white box into a little white brick. Thankfully, all went well and I now have a Fonera which is free as in source as well as free as in beer.
Once I’ve had some fun with my Freed Fonera, I will probably flash it back to the original firmware, as Fon’s business model just might catch on if google’s deep pockets allow them to give away a few million more of these things.
Many thanks to all those who did a great job documenting the technical details of getting dd-wrt running on the lwb.