Bebo Blog: Fon2100 and Jasager

Bebo's Geek Blog

Instructions For Geek Projects

Back to Main Page
May 2012

Su Mo Tu We Th Fr Sa
1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31
Recent Posts
1. Backtrack Recording
  Friday, November 18, 2011
2. Snorby as IDS
  Saturday, August 13, 2011
3. LAN Chat Servers
  Sunday, July 24, 2011
4. Cable TV Timer for Kids
  Sunday, July 10, 2011
5. Smoothwall on Mini-ITX Board
  Saturday, July 09, 2011
6. VirtualBox Full Screen
  Wednesday, June 15, 2011
7. Beer Can Stove
  Friday, June 10, 2011
8. Phishing with the Fon
  Friday, June 10, 2011
9. Leopard OS-X Virtual Machine
  Thursday, May 12, 2011
10. HP c6180 Printer and Vista
  Monday, May 09, 2011
Recent Comments
1. Sean on FosCam IP Camera Review
  11/11/2010
2. Derek A. Pascual on Fon2100 and Jasager
  10/18/2010
3. MicroConsole on Aircrack-ng on Asus eee
  10/17/2010
4. Loans on DGS 950G Camera Video
  10/17/2010
5. seo company new york on Bootable Thumb Drive AntiVirus
  10/2/2010
6. seo company new york on Lucid Lynx Tweaks
  10/2/2010
7. posizionamento su google on Dell 700m Graphics Issue with Lucid Lynx Ubuntu
  10/2/2010
8. posizionamento su google on Lucid Lynx Tweaks
  10/2/2010
9. posizionamento su google on Aircrack-ng on Asus eee
  10/2/2010
10. computer services westchester on Dell 700m Graphics Issue with Lucid Lynx Ubuntu
  10/1/2010

Fon2100 and Jasager

Wireless Pineapple Notes:

Iinitially turned on the router, and noticed it had an SSID set toMyPlace, which was encrypted. I was able to connect to this network using the SN of the router as the network key, which gave my wireless client a 192.168.10.244 address, and the router had 192.168.10.1. (see picture). I could not connect to the WAN port, as this seemed to assume that the router would get a DHCP address, and I didn't give it one.This firmware actually looked pretty sweet out of the box (Check out the TWO wireless interfaces, with a Public and a Private WiFi setup), but in true geek fashion, after inspecting it for 5 minutes I decided to blow it away for Jasagar.

Using the instructions at: http://www.digininja.org/jasager/installation.php I set my client IP to 192.168.1.1, grabbed jasager_firmware_1.0.tar.bz2,and the redboot.pl from the jasagar site. I put the firmware files inthe /tmp/ of a BT4 laptop, and extracted the zip (tar -xvjfjasager_firmware_1.0.tar.bz2). This left aopenwrt-atheros-root-squashfs file and a openwrt-atheros-vmlinux.lzmafile. Inspection of the redboot.pl file showed that it expected therouter to be on port 192.168.0.1—good to know. It was then time to upload the firmware and pray.
I chmod'd the redboot.pl to executable, and ran ./redboot.pl192.168.1.245 and then powered up the Fon, per the Jasager instructions. This errored out (no Net/Telnet.pm in @INC). So I ran apt-get install libnet-telnet-perl, and installed the Net::Telnetpackage, and redboot.pl worked fine, but wouldn't connect. I tried running ./redboot.pl 192.168.1.1, in case I had a FON+ vs a FON (didn't think so) but it still never connected. I ran a tcpdump and found the router listening on 0.0.0.0. The Jasager site says that this is a UK router, and I may be out of luck. I now have to figure out how to upload the firmware to a device with no IP (it tries to get one atBootup via bootpc, so maybe that is an angle). It looks like I'll either have to hack it via a serial-cable-to-the-board http://www.digininja.org/projects/fon_serial_cable.php oruse the below hacks to try to enable redboot and try it from there. Since I didn't have a serial-to-usb cable that I wanted to sacrifice,the software hacking seemed the first method to try.

4. Upon investigation, I determined that I could get to the router with a crossover cable, and opening a browser to 169.254.255.1. Note the default user id is admin, and the default password is admin. Since my router had firmware version 0.7.1v2, redboot is not enabled, and you have to hack it to get redboot to work. There are pretty good instructions here: http://devolblog.devolfamily.com/dd-wrt-on-la-fonera-router/ . I ran the grammofon.pl hack http://stefans.datenbruch.de/lafonera/ to enable ssh access, but it didn't work, since version 0.7.1r2 FON has patched the web interface injection flaw that they shipped with earlier versions. So, I needed to run the Kolofonium hack and inject through a RADIUS server. Luckily, per the previous URL, they set up a fake RADIUS server to run that hack for me, and I simply needed to change the DNS server to the kolofonium.datenbruch.de IP address for them to enable SSH access for me! So far they have done 16423 routers (mine was 16,423rd)! That is WAY too sweet! After rebooting, I was not able to access the SSH server via the wired connection. However, I was able to ssh in from the Wireless to 169.254.255.1, with user id root and password admin!

I then did> mv /etc/init.d/dropbear /etc/init.d/S50dropbear, per www.dd-wrt.com/phpBB2/viewtopic.php?p=304820

id="be.d" style="text-align: left;">I downloaded and installed HFS (I didn't give it Shell context), and added the two files.

Here, you'll get a prompt saying "Server unexpectedly closed network connection." and you should hit OK and WAIT for 1-3minutes. I got that out of ANOTHER set of instructions (after I hit the X to close it) at:devolblog.devolfamily.com/dd-wrt-on-la-fonera-router. I also may not have waited as long as I should have at this point... when it came back up and my client tried to wirelessly connect, it wouldn't....I thought it may have dorked the WPA key up or something, so I rebooted again.... and the wireless never came back.... I actually think that the router works, but the wireless is turned off, and the Ethernet port is hosed. I should have probably seen this post before:wiki.fon.com/wiki/FreeWLAN

I sort of bricked my route rat this point. I actually got another router, and tried this again, with the same result. I think that Digininja was correct, and you need a serial-to-USB cable for this router.

I think I will have to flash it via a serial port now..... via: http://elfonblog.fondoo.net/?p=101 or this: http://elfonblog.fondoo.net/?tag=fon2100

I took the router apart (you have to take the two rubber feet opposite the antenna off, and take those screws out), and verified that I actually had a FON (not FON+), and bought the cable referenced by digininja from SunTekStore (USB cable for Kyocera KX1 KX9 KX12 w CD Drive, item 10002518) for $5.42.

Got the Kyocera KX1 KX9 KX12 CD USB cable), and cut it up and put it on the board. I installed the drivers for the usb-to-serial cable from http://www.suntekstore.com/usb-cable-for-kyocera-kx1-kx9-kx12-w-cd-drive-.html The strange thing about this driver is that I tried on two separate Windows laptops, and couldn't install it. It turns out that you have to have a USB hub to get the driver to install. After I did this, I brought up Putty to the Serial COM4 port, and connected to the board (powering it up with no ground connected, and then connecting the ground). Success! Here is the long awaited redboot prompt:

I tried using Digininja's 1.0 firmware, and it always locked up when a client connected.

After much, much, much trial and error, I discovered the instructions at:

http://www.hak5.org/w/index.php/Fon_Jasager_Install

These worked fairly well, but wouldn't hand out an IP. After trying forever to get the
 /etc/config/dhcp file working, I started asking questions in the Hak5 Forums. 
In talking to Mr. Protocol (thanks for the help) I saw that he used the GUI to 
configure /etc/config/dhcp, and /etc/dnsmasq.conf so I just logged into the webif 
and configured it like so:


I also turned on the WAN interface and set start, limit, and lease times. This handed out IPs, like so:



I then uploaded a website file to /www/index.html, and resolved all IPs to the Fon by adding 
the line 'address=/#/192.168.1.1' to the end of the dnsmasq.conf file.

This will resolve any DNS address to the local address, and Voila!!! I have an automatic Rick-Roller! 
I have a battery powered Fon, so I can turn it on, let it sit, and anyone whom connects it will be Rick Rolled
 no matter what site they try to go to! Here's a pic (notice the visited site was Google)



Not only is the ASCII art cool, it is also faster than trying to serve up a JPG.  It also plays a 
cut mp3 file of the 'Never Gonna Give You Up' song--cut to save space, and start right where it 
should, giving a great RickRolling effect.

Then, to make this all run with the flip of a switch, automatically start Karma by adding this 
to the end of the start section of /etc/init.d/karma_ui

wlanconfig ath0 create wlandev wifi0 wlanmode master &
ifconfig ath0 up &
iwpriv ath0 karma 1 &


Sawwweeett!! A self contained, automatic RickRoll--no muss-no fuss! 

I brought this setup to Defcon 18, and was interviewed by Darren Kitchen!  
Check out the Hak5 Defcon 18 podcast (around minute 42) for details!

Posted by John's Blog at 11/15/2010 5:22 PM

Categories: uncategorized

Trackbacks

Trackback specific URL for this post

No trackbacks exist for this post.

Comments

Display comments as (Linear | Threaded)

10/1/2010 5:46 PM computer support westchester wrote:
Many other blogs do not cover the topics that are instead covered here
Reply to this
10/18/2010 2:02 PM Derek A. Pascual wrote:
Blogs are a great way to connect strangers, share experience and provide useful information. You have achieved just that. Thanks for sharing.
Reply to this

Hope you enjoyed the blog

Back to Main Page

Recent Posts

Recent Comments

Fon2100 and Jasager

Trackbacks

Comments

Leave a comment