
Fon2100 and Jasager

Wireless Pineapple Notes:

  1. I initially turned on the router and noticed it had an SSID set to MyPlace, which was encrypted. I was able to connect to this network using the SN of the router as the network key, which gave my wireless client an address, and the router had its own (see picture). I could not connect to the WAN port, as this seemed to assume that the router would get a DHCP address, and I didn't give it one. This firmware actually looked pretty sweet out of the box (check out the TWO wireless interfaces, with a Public and a Private WiFi setup), but in true geek fashion, after inspecting it for 5 minutes I decided to blow it away for Jasager.

  2. Using the instructions at: I set my client IP to, grabbed jasager_firmware_1.0.tar.bz2 and the redboot.pl script from the Jasager site. I put the firmware files in /tmp/ on a BT4 laptop and extracted the archive (tar -xvjf jasager_firmware_1.0.tar.bz2). This left an openwrt-atheros-root-squashfs file and an openwrt-atheros-vmlinux.lzma file. Inspection of the redboot.pl script showed that it expected the router to be on port, which is good to know. It was then time to upload the firmware and pray.
  3. I chmod'd the script to executable and ran ./redboot.pl 192.168.1.245, then powered up the Fon, per the Jasager instructions. This errored out (no Net/ in @INC). So I ran apt-get install libnet-telnet-perl, which installed the Net::Telnet package; the script then ran fine, but wouldn't connect. I also tried running ./, in case I had a FON+ rather than a FON (I didn't think so), but it still never connected. I ran a tcpdump and found the router listening on. The Jasager site says that this is a UK router, and I may be out of luck. I now have to figure out how to upload the firmware to a device with no IP (it tries to get one at bootup via bootpc, so maybe that is an angle). It looks like I'll either have to hack it via a serial cable to the board or use the hacks below to try to enable redboot and try it from there. Since I didn't have a serial-to-USB cable that I wanted to sacrifice, the software hacking seemed the first method to try.

  4. Upon investigation, I determined that I could get to the router with a crossover cable and opening a browser to. Note the default user id is admin, and the default password is admin. Since my router had firmware version 0.7.1v2, redboot is not enabled, and you have to hack it to get redboot to work. There are pretty good instructions here: . I ran the hack to enable SSH access, but it didn't work, since version 0.7.1r2 FON has patched the web interface injection flaw that shipped with earlier versions. So I needed to run the Kolofonium hack and inject through a RADIUS server. Luckily, per the previous URL, they set up a fake RADIUS server to run that hack for me, and I simply needed to change the DNS server to the IP address for them to enable SSH access for me! So far they have done 16423 routers (mine was the 16,423rd)! That is WAY too sweet! After rebooting, I was not able to access the SSH server via the wired connection. However, I was able to ssh in from the wireless side to, with user id root and password admin!

I then ran: mv /etc/init.d/dropbear /etc/init.d/S50dropbear, per
I downloaded and installed HFS (I didn't give it Shell context), and added the two files.

Here, you'll get a prompt saying "Server unexpectedly closed network connection." You should hit OK and WAIT for 1 to 3 minutes. I got that from ANOTHER set of instructions (after I had hit the X to close it). I also may not have waited as long as I should have at this point... when it came back up and my client tried to connect wirelessly, it wouldn't. I thought it may have dorked the WPA key up or something, so I rebooted again... and the wireless never came back. I actually think that the router works, but the wireless is turned off, and the Ethernet port is hosed. I should have probably seen this post

I sort of bricked my router at this point. I actually got another router and tried this again, with the same result. I think that Digininja was correct, and you need a serial-to-USB cable for this router.
I think I will have to flash it via a serial port now... via: or this:

I took the router apart (you have to take the two rubber feet opposite the antenna off, and take those screws out), and verified that I actually had a FON (not FON+), and bought the cable referenced by digininja from SunTekStore (USB cable for Kyocera KX1 KX9 KX12 w CD Drive, item 10002518) for $5.42.

Got the Kyocera KX1 KX9 KX12 CD USB cable, cut it up and wired it to the board. I installed the drivers for the USB-to-serial cable from. The strange thing about this driver is that I tried on two separate Windows laptops and couldn't install it. It turns out that you have to have a USB hub to get the driver to install. After I did this, I brought up PuTTY on the serial COM4 port and connected to the board (powering it up with no ground connected, and then connecting the ground). Success! Here is the long-awaited redboot prompt:

I tried using Digininja's 1.0 firmware, and it always locked up when a client connected. After much, much, much trial and error, I discovered the instructions at:
These worked fairly well, but wouldn't hand out an IP. After trying forever to get the /etc/config/dhcp file working, I started asking questions in the Hak5 forums. In talking to Mr. Protocol (thanks for the help) I saw that he used the GUI to configure /etc/config/dhcp and /etc/dnsmasq.conf, so I just logged into the webif and configured it like so:

I also turned on the WAN interface and set start, limit, and lease times. This handed out IPs, like so:

I then uploaded a website file to /www/index.html, and resolved all names to the Fon by adding the line 'address=/#/' (with the Fon's IP after the final slash) to the end of the dnsmasq.conf file.

This resolves any DNS name to the local address, and voila! I have an automatic Rick-Roller! I have a battery-powered Fon, so I can turn it on, let it sit, and anyone who connects to it will be Rick Rolled no matter what site they try to go to! Here's a pic (notice the visited site was Google):
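
To make concrete what that one dnsmasq line does on the wire, here is an added example (written for this page, not code from the post, from Jasager or from dnsmasq). It builds a DNS A query, answers it the way address=/#/<ip> does (every name gets the same address), and then shows the check a client can run to notice it is sitting behind such a resolver: ask for random names under the reserved .invalid domain and see whether they still "resolve". FON_IP is an assumption; the post does not show the Fon's real address.

```python
"""Wildcard DNS as the Fon's dnsmasq does it with address=/#/<ip>, plus a client-side check.

Added example, not code from the original post. FON_IP is an assumption; the post elides
the real address. Message layout follows RFC 1035: an uncompressed question, and an answer
whose name is the usual 0xc00c pointer back to the question at offset 12.
"""
import random
import string
import struct

FON_IP = "192.168.1.1"   # assumed; the post does not show the Fon's address


def encode_name(name):
    """Encode 'www.google.com' as DNS labels: \\x03www\\x06google\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234, qtype=1):
    """A standard recursion-desired query with one question (QTYPE defaults to A, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def wildcard_answer(query, answer_ip=FON_IP, ttl=60):
    """Respond like dnsmasq with address=/#/answer_ip: every A/IN question gets answer_ip.

    Non-A questions get an empty NOERROR reply, which is what a name that only has an
    address= entry produces."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled here")
    _name, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    flags = 0x8180  # QR=1, opcode 0, RD=1, RA=1, RCODE NOERROR
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    answer = (b"\xc0\x0c"                                   # pointer to the question name
              + struct.pack("!HHIH", 1, 1, ttl, len(rdata))  # TYPE A, CLASS IN, TTL, RDLENGTH
              + rdata)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def answer_ips(response):
    """Extract the IPv4 addresses from the answer section of a response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):
        _name, off = decode_name(response, off)
        off += 4                               # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        if response[off] & 0xC0 == 0xC0:       # compression pointer is two bytes
            off += 2
        else:
            _name, off = decode_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips


def is_wildcard_resolver(resolve, trials=3):
    """Client-side check: ask for random names that cannot exist (RFC 2606 .invalid).

    resolve(name) -> list of IPs. An honest resolver returns nothing for these; a rogue
    AP doing address=/#/ hands back the same address for all of them."""
    seen = set()
    for _ in range(trials):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
        ips = resolve(label + ".invalid")
        if not ips:
            return False
        seen.update(ips)
    return len(seen) == 1


def fon_resolve(name):
    """Stand-in for a client talking to the Fon: build the query, take the wildcard answer, parse it."""
    return answer_ips(wildcard_answer(build_query(name)))


if __name__ == "__main__":
    print(fon_resolve("www.google.com"))       # ['192.168.1.1']
    print(is_wildcard_resolver(fon_resolve))   # True
```

The same probe (resolve a few random .invalid names and see whether they answer) is what you would put in a captive-portal or rogue-AP detector on the client side; a real resolver must return NXDOMAIN for those names.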

Not only is the ASCII art cool, it is also faster than trying to serve up a JPG. It also plays a cut MP3 of 'Never Gonna Give You Up', cut to save space and to start right where it should, giving a great RickRolling effect.
Then, to make this all run with the flip of a switch, automatically start Karma by adding this to the end of the start section of /etc/init.d/karma_ui:

wlanconfig ath0 create wlandev wifi0 wlanmode master &   # create an AP-mode VAP on the Atheros radio
ifconfig ath0 up &                                       # bring the interface up
iwpriv ath0 karma 1 &                                    # enable Karma: respond to every probed SSID

Sawwweeett!! A self contained, automatic RickRoll--no muss-no fuss! 

I brought this setup to Defcon 18, and was interviewed by Darren Kitchen!  
Check out the Hak5 Defcon 18 podcast (around minute 42) for details!

