Muhblog

Autoupdate v0.7.1r3

2007-04-10T16:00:00.000+01:00

There is a new firmware update to version 0.7.1r3. You can browse the contents here. Thanks Stefan!

Kolofonium still working :-)

Here a quote:

Improvements:

[Web Interface] New input chars accepted: added new chars as valid for some specific PPPoE usernames.
[Time system] Improved network time server selection.
Bugs:

[Bandwidth sharing] Upload limitation error fixed.
[Web Interface] Fixed Asian languages. Korean, Traditional Chinese and Japanese should work fine now.
[Web Interface] Fixed port forwarding page. It will not fail anymore when trying to delete rules if the set is empty.

Stefan vs. FON

2007-03-19T11:23:00.000+01:00

For the German guys. Here is an interesting story about the FON's blog-comment policy.

BTW, Kolofonium freed nearly 300 La Foneras.

Kolofonium is out!

2007-03-13T14:54:00.000+01:00

To all the naggers: "Here you are!"

Kolofonium is described in detail at Stefan's website.

For all the road runners:
Change the nameserver (DNS) of your La Fonera to 88.198.165.155 and reboot. Now you should be able to connect via SSH. This should work with other firmwares, too. Please change the nameserver according to your ISP or network setup after the reboot.

That's it! Have fun!

Here is a cute counter. For each "freed" La Fonera there is one icon:

Kolofonium is coming very soon!

2007-02-28T16:40:00.001+01:00

~~Just a few more days! Be patient.~~

Just a few more hours!

http://stefans.datenbruch.de/lafonera/#kolofonium

FON reminds users to use unmodified software

2007-01-24T11:17:00.000+01:00

The German FON blog reminds the users to use only official FON software. They quote point 6.7 of the general conditions.

The German version:

Um eine korrekte Funktion der FON Hotspots zu gewährleisten, müssen die Linuse und Bills ausschließlich offizielle Versionen der FON Software einsetzen.

The English version:

In order to guarantee the correct functioning of the FON Hotspots, the Linuses and Bills shall exclusively use the official versions of the FON Software.

It is interesting that the German version says "müssen" (engl. to have to) and the English version says "shall". I am not a lawyer, but it looks strange to me. Anyone (especially lawyers) knows how to interpret such terms please leave a comment.

The following is fully neutral: Please read the comments and answers of Peter of the blog. Very interesting... Sorry, but this is in German. But the non-German readers can try Google translate. (Bear in mind that the quoted part of the condition is also translated from the German version.)

Furthermore the German FON blog is moderated, this means submitted comments need further approval. Stefan offered them information about a security flaw with the firewall rules when using multiple IP subnets. His comment is still not published yet...

Codename Kolofonium release date

2007-01-13T11:46:00.000+01:00

Hey guys, Stefan and me won't release the hack for the new 0.7.1-2 version until the first La Foneras with a flashed 0.7.1-2 firmware will be shipped. Its codename is "kolofonium" and it is easy as using the La Fonera's web interface (this time with your standard browser!).

We won't release it earlier, because you can reset the La Foneras to its flashed firmware and use one the known hacks. Freddy described several ways to do it here.

Please leave a comment when you get your first 0.7.1-2 flashed La Fonera.

We did it again!

2007-01-08T20:36:00.000+01:00

After a few days of searching and trying, we found yet another way to open the SSH port of a La Fonera. It works with all firware versions (also the new 0.7.1-2). Stay tuned!

Fonera Autoupdate version 0.7.1 rev 2

2007-01-03T17:53:00.000+01:00

My La Fonera just wants a new autoupdate. The extracted .fon is available here (thanks to Stefan).

It updates the webinterface, the validate.awk (checks correct input of the webinterface) and haserl (CGI wrapper for shell scripts).

~~We will investigate if they fixed webinterface.~~

Update: We tried a lot, but still with no luck. It looks like, the FON developers did a good job (this time). But we didn't give up yet...

Chillispot for OpenWrt for FON

2007-01-02T23:06:00.000+01:00

FON patched chillispot a little bit. E.g. the 001-endian_fix.patch fixes the dhcp server of chillispot. This one and 100-fon.patch works fine with chillispot 1.1, but the others need further attention. I am not a C programmer. Maybe someone could help.

Anyway you can use the chillispot of the FON sources. It is version 1.0. It also installs chilli_radconfig. You can generate the long string - describe in the previous post. Thanks Anton for the comment. He says, that you can just use uamserver https://login.fon.com/cp/index.php in the chilli.conf. Anyway, I generated the string with chilli_radconfig. Maybe the string is needed for the first time registration of a La Fonera. This would support the assumption. But this is all speculations.

I tried to use it but with no success yet. The chilli.conf looks like that:

radiusserver1 radius01.fon.com
radiusserver2 radius02.fon.com
radiussecret garrafon
# MAC address of wlan device (wifi0)
radiusnasid XX:XX:XX:XX:XX:XX

# IP of the OpenFonera
dns1 192.168.1.223
dns2 192.168.1.223

# interface of the FON_AP
dhcpif ath0

uamsecret garrafon
uamanydns
uamallowed www.martinvarsavsky.net,www.google.com,www.flickr.com,static.flickr.com,video.google.com,216.239.51.0/24,66.249.81.0/24
uamallowed www.fon.com,www.paypal.com,www.paypalobjects.com,www.skype.com,66.249.93.0/24,72.14.207.0/24,72.14.209.0/24,84.96.67.0/24,213.91.9.0/24,80.118.99.0/24
uamallowed shop.fon.co.kr,secure.nuguya.com,inilite.inicis.com,fon-en.custhelp.com,maps.fon.com,c20.statcounter.com
uamserver https://login.fon.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/cp/index.php

When I start it with chilli -d -f -c /etc/chilli.conf and connecting a peer to the FON_AP the output is:

chillispot[675]: chilli.c: 3090: New DHCP request from MAC=XX-XX-XX-XX-XX-XX
New DHCP connection established
DHCP requested IP address
chillispot[675]: ippool.c: 436: No more IP addresses available
chillispot[675]: chilli.c: 3045: Failed allocate dynamic IP address
DHCP requested IP address
chillispot[675]: chilli.c: 3051: Client MAC=XX-XX-XX-XX-XX-XX assigned IP 192.168.182.2

When I try to open a webpage, chillispot reports several times:

cb_dhcp_data_ind. Packet received. DHCP authstate: 5
cb_tun_ind. Packet received: Forwarding to link layer

But it won't open a webpage. The redirection doesn't work. I think the problem is my iptables configuration. Anyone who knows how to set up iptables proper for chillispot please leave a comment.

Chillispot configuration for OpenWRT for FON

2007-01-02T10:58:00.000+01:00

As you know in the last days I flashed a La Fonera with OpenWRT (Kamikaze). Currently I am working on a proper configuration for chillispot, to make it possible to add FON support (FON AP) to every device running OpenWRT.

Configuration is simple, but the problem is, that the /etc/chilli.conf of an original La Fonera contains a line like:

uamserver https://login.fon.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/cp/index.php

The XXX... is a string of numbers and letters. This string is created by /usr/sbin/chilli_radconfig. Stefan told me that chilli_radconfig fetches the configuration file somehow from FON. One of the parameters for it is the MAC address of the WIFI device.

I'll keep you up to date on any progress.

OpenFonera

2006-12-29T20:24:00.000+01:00

After receiving my second La Fonera I was brave enough to flash OpenWRT Kamikaze. The used HOWTO described it very well and it worked without problems.

Now my first La Fonera serves a FON hotspot and my private (bridged) LAN. The second La Fonera is connected to my privat LAN via WPA over the first La Fonera. Now I can play with OpenWRT (Kamikaze) on my second La Fonera.

The described method uses the RedBoot shell. I don't know exactly how RedBoot works and wonder if it is possible to rescue the La Fonera in any case (wrong flashing, wrong configuration, ...). If anyone knows, please tell.

OpenWRT for the La Fonera?

2006-12-26T12:34:00.000+01:00

It is nothing new, that the firmware for the La Fonera is based on OpenWRT. But in the last few days the developers are making progress to get OpenWRT running on the La Fonera. I found an interesting thread on the OpenWRT forum. The developers added support for Atheros based devices (La Fonera, Meraki) to the Kamikaze (the experimental branch of OpenWRT). So don't grab the sources, compile it and flash it, unless you know what you are doing.

My advice: Be patient and stay tuned!

Code injection without the FON servers

2006-12-22T18:25:00.000+01:00

Stefan and me have written another script to open your La Fonera. It works with the firmware version 0.7.1 rev 1. The script and more information is available here.

UPDATE: There are now two scripts available. One for the new and one for the old firmware version.

Have yourself some happy holidays and Merry Christmas!

ipkg of the La Fonera broken?

2006-12-22T10:29:00.000+01:00

Before christmas a new post. There are some issues with the ikpg system of the La Fonera. You can use repositories like this, this and this. I installed successfully e.g. the wol (Wake On Lan) package with ipkg install wol after adding one of the repositories above. But after executing ipkg remove wol it took too long, so I hit Ctrl-C. ipkg started to delete the /usr/bin/ directory. There is something wrong with the ipkg version of the La Fonera. USE IT WITH CAUTION! I will try to investigate this issue.

Hmm, it tried to install and remove a package again - without a flaw. Last night I did it, and the /usr/bin was partly deleted. The difference between the two cases: Last night I was a little bit impatient and hit Ctrl-C.

So my advice, keep it running and be patient. :)

Updates explained and bridging mode

2006-11-27T21:15:00.000+01:00

Yesterday I updated my La Fonera manually to version 0.7.1-1. There is an update available, which really flashes the La Fonera. The update of the autoupdate is just a gzipped tarball containing updated files. I updated it without flashing, so in case of any bricking stuff I can reset my La Fonera. Stefan is hosting information about it.

Finally the bridging mode with the private network works. It was really annoying that associated clients with the private network are masqueraded. Associated clients could access the LAN, but hosts of the LAN could not acces associated clients of the private signal.
With the bridging mode associated clients are in the same subnet of the LAN - no more masquerading is needed. The bridging mode only affects the private signal, the public FON hotspot still uses masquerading.

Frederik released a script for the bridging mode, but the FON hotspot did not function. I changed reworked it and now it works like a charm. Please start it manually and do not put it in /etc/init.d/. It possible it will not work with any version. It tried 0.7.1 rev 1 only.

Ok, here it is. You have to replace XX-XX-XX-XX-XX-XX with the MAC of the public FON hotspot! Please use it only if you know what you are doing.

#!/bin/ash
echo "Setting up LAN bridge"

# Kill DHCP server+ client
/usr/bin/killall dnsmasq
/usr/bin/killall -9 udhcpc

# create bridge interface
/usr/sbin/brctl addbr br0
/usr/sbin/brctl stp br0 off 
/usr/sbin/brctl setfd br0 0

# shutdown/remove IPs from the old interfaces
/sbin/ifconfig eth0:1 down 
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig ath1 0.0.0.0

# bring up the bridge interface
/sbin/ifconfig br0 up

# add the old interfaces to the bridge
/usr/sbin/brctl addif br0 ath1
/usr/sbin/brctl addif br0 eth0

# Set IP for the bridge
/sbin/udhcpc -i br0 -R # get new IP via dhcp
#/sbin/ifconfig br0 192.168.0.103 # static IP

# set firewall rules
iptables -A INPUT -i br0 -j ACCEPT
iptables -A OUTPUT -o br0 -j ACCEPT

# add bridge to hostapd.conf and restart hostapd (allows to use WPA) 
[ `grep -c bridge=br0 /tmp/hostapd.conf` = "0" ] && echo bridge=br0 >> /tmp/hostapd.conf
/usr/bin/killall killall hostapd
/usr/sbin/hostapd -B /tmp/hostapd.conf

# stopping chillispot
/etc/init.d/N50chillispot stop

# bringing ath0 (hotspot interface) down
/sbin/ifdown hotspot

# bringing it manually up
wlanconfig ath0 create wlandev wifi0 wlanmode ap
iwconfig ath0 essid "FON_AP"
ifconfig ath0 up

# restarting dnsmasq but without dhcp
dnsmasq

# restarting chilli
chilli --dns1=192.168.1.222 --dns2=192.168.1.222 --radiusnasid=XX-XX-XX-XX-XX-XX --dhcpif ath0

# configuring iptables
iptables -R NET_ACCESS 6 -i br0 -j ACCEPT
iptables -R NET_ACCESS 7 -o br0 -j ACCEPT
iptables -t nat -R POSTROUTING 2 -o br0 -j MASQUERADE

La Foneras want an autoupdate

2006-11-24T20:05:00.000+01:00

FON wants all La Foneras to update. Here is the shellcode to be executed:

cd /tmp
wget http://download.fon.com/firmware/update/0.7.0/4/upgrade.fon
/bin/fonverify /etc/public_fon_rsa_key.der /tmp/upgrade.fon

rm -f /tmp/.thinclient.sh

exit

It will upgrade the La Fonera to 0.7.1 rev 1.

Btw, if you want to have a look into the .fon files you can use this short unfonify.sh script:

#!/bin/sh
SIZE=$(du -b $1 | cut -f1)
tail -c $((SIZE-519)) $1 > $1.tar.gz

Usage: unfonify.sh upgrade.fon
It will cut off the first bytes containing the signature and generate a gzipped tarball, which you can easily extract.

WARNING: If you still waiting for your La Fonera and want to gain ssh access, you should NOT connect it to the internet. Just plug in the powercable, connect to the private network (the WPA key is the serial no.) and exploit it via the webinterface.

New Fonera Firmware v0.7.1 rev 1

2006-11-24T09:59:00.000+01:00

As you can read on the german blog FON released a new firmware for the La Fonera. It's too bad they are not releasing the source along with it. I postet a comment on the blog~~, but it needs further aproval~~.

Among other things the changelog says:
"[Web interface] Corrected bug that caused a security problem when using strange characters on the forms."
We will see if FON fixed the holes to get into the blackbox.

Btw, yesterday we (Stefan and me) had a short meeting with Florian Forster in Cologne. He contacted us a few days after releasing our hack and is responsible for marketing in Germany. In the next days I will post a little bit about it. Here is a picture of his business card (of course some informations are disguised).

2nd Hack

2006-11-20T21:38:00.000+01:00

BingoBommel released another hack without using the webinterface of Fon which is fixed anyway. He also offers two HTML files to make it very easy to start and open SSH.

BingoBommel uses one security hole, but there are more vulnerabilities in the webinterface of the La Fonera enabling code injection...

FON fixed it

2006-11-08T22:37:00.000+01:00

It looks like FON has fixed their webinterface. It is no longer possible to submit manipulated ESSIDs to the remote configuration interface.

If you try it anyway, the section in the shell script is just gone. Same for the ESSID of your private network.

We did it, that's why

2006-11-07T00:23:00.000+01:00

The release of "Hacking the La Fonera" set of an avalanche of discussions. To explain our motives we released "Hacking the La Fonera: Why we did it".

Feel free to post comments.

Open your La Fonera

2006-11-05T22:26:00.000+01:00

We decided to publish a guide to "open" your La Fonera. Stefan is hosting it here. You will find a detailed description of the remote configuration of La Fonera. Besides, a small Perl script is available to easily execute any shell code.

So FON decided not to read the man page, which turned out rather nasty...

2006-11-04T18:38:00.000+01:00

After a little bit experimenting and a short chat with Stefan Tomanek, we successfully injected some code into the La Fonera without opening it.

We are now able to connect via SSH (dropbear) to the La Fonera.

So guys, get yourself a free La Fonera (at least in germany)!

And thanks Stefan!

The SSH Connection

2006-11-04T09:17:00.000+01:00

La Fonera uses the dropbear SSH client with public key authentication. The private key of La Fonera is available in the sources (/etc/dropbear/key) and here. It looks like every La Fonera uses the same private key with no passphrase. You can connect to download.fon.com and get the shell script (described earlier), if you type:

echo "mode='start' wlmac='FONERASWLANMAC' mac='FONERASETHERNETMAC' fonrev='4' firmware='0.7.0' chillver='1.0' thclver='1.0' device='fonera'" | dbclient -T -i PATHTOTHEPRIVATEKEY -p 1937 openwrt@download.fon.com

Fonera phones home

2006-11-04T08:49:00.000+01:00

Fonera starts a small sript thinclient at every bootup and every hour. The thinclient connects via SSH to download.fon.com:1937 and sends its mac addresses and version. It gets back a shell script which is dropped at /tmp/.thinclient.sh. This shell script is executed by the thinclient. Fon could paste any code there and has full control of La Fonera...

Normally the shell script contains harmless code:

rm -f /tmp/.thinclient.sh
exit

But you can configure La Fonera via the webpage of FON. You can change the WPA key of the private WLAN, change the admin password, change the ESSIDs. If you do so the sended script looks different.

Updating your ESSIDs:

# begin # setssidprivate
awk -v cfgfile="/etc/config/fon" -v "updatestr=private.essid=YOURPRIVATEESSID" -f /usr/lib/webif/uci-update.awk -f - > /etc/config/fon.new <<EOF
BEGIN {
       cfg = read_file(cfgfile)
       print update_config(cfg, updatestr)
}
EOF
if [ $? -eq 0 ]; then
       mv /etc/config/fon.new /etc/config/fon
       ifup lan
else
       rm /etc/config/fon.new
fi
# end # set ssid fonera

# begin # set ssid fonera
awk -v cfgfile="/etc/config/fon" -v "updatestr=public.essid=YOURPUBLICESSID" -f /usr/lib/webif/uci-update.awk -f - > /etc/config/fon.new <<EOF
BEGIN {
       cfg = read_file(cfgfile)
       print update_config(cfg, updatestr)
}
EOF
if [ $? -eq 0 ]; then
       mv /etc/config/fon.new /etc/config/fon
       iwconfig ath0 essid FON_'YOURPUBLICESSID'
else
       rm /etc/config/fon.new
fi
# end # set ssid fonera
rm -f /tmp/.thinclient.sh
exit

Updating your WPA key:

# begin # setwpapassword
awk -v cfgfile="/etc/config/fon" -v "updatestr=private.password=YOURWPAPASSWORD" -f /usr/lib/webif/uci-update.awk -f - > /etc/config/fon.new <<EOF
BEGIN {
       cfg = read_file(cfgfile)
       print update_config(cfg, updatestr)
}
EOF
if [ $? -eq 0 ]; then
       mv /etc/config/fon.new /etc/config/fon
       ifup lan
else
       rm /etc/config/fon.new
fi
# end # setwpapassword
rm -f /tmp/.thinclient.sh
exit

Playing with La Fonera

2006-11-04T08:42:00.000+01:00

I will post here some informations I discovered while playing with "La Fonera".