
Fon2100 and Jasager


Wireless Pineapple Notes:


  1. I initially turned on the router, and noticed it had an SSID set to MyPlace, which was encrypted. I was able to connect to this network using the SN of the router as the network key, which gave my wireless client a 192.168.10.244 address, and the router had 192.168.10.1. (see picture). I could not connect to the WAN port, as this seemed to assume that the router would get a DHCP address, and I didn't give it one. This firmware actually looked pretty sweet out of the box (Check out the TWO wireless interfaces, with a Public and a Private WiFi setup), but in true geek fashion, after inspecting it for 5 minutes I decided to blow it away for Jasager.


  2. Using the instructions at: http://www.digininja.org/jasager/installation.php I set my client IP to 192.168.1.1, grabbed jasager_firmware_1.0.tar.bz2, and the redboot.pl from the Jasager site. I put the firmware files in the /tmp/ of a BT4 laptop, and extracted the zip (tar -xvjf jasager_firmware_1.0.tar.bz2). This left an openwrt-atheros-root-squashfs file and an openwrt-atheros-vmlinux.lzma file. Inspection of the redboot.pl file showed that it expected the router to be on port 192.168.0.1. Good to know. It was then time to upload the firmware and pray.
  3. I chmod'd the redboot.pl to executable, and ran ./redboot.pl 192.168.1.245 and then powered up the Fon, per the Jasager instructions. This errored out (no Net/Telnet.pm in @INC). So I ran apt-get install libnet-telnet-perl, and installed the Net::Telnet package, and redboot.pl worked fine, but wouldn't connect. I tried running ./redboot.pl 192.168.1.1, in case I had a FON+ vs a FON (didn't think so) but it still never connected. I ran a tcpdump and found the router listening on 0.0.0.0. The Jasager site says that this is a UK router, and I may be out of luck. I now have to figure out how to upload the firmware to a device with no IP (it tries to get one at bootup via bootpc, so maybe that is an angle). It looks like I'll either have to hack it via a serial-cable-to-the-board http://www.digininja.org/projects/fon_serial_cable.php or use the below hacks to try to enable redboot and try it from there. Since I didn't have a serial-to-usb cable that I wanted to sacrifice, the software hacking seemed the first method to try.

  4. Upon investigation, I determined that I could get to the router with a crossover cable, and opening a browser to 169.254.255.1. Note the default user id is admin, and the default password is admin. Since my router had firmware version 0.7.1v2, redboot is not enabled, and you have to hack it to get redboot to work. There are pretty good instructions here: http://devolblog.devolfamily.com/dd-wrt-on-la-fonera-router/ . I ran the grammofon.pl hack http://stefans.datenbruch.de/lafonera/ to enable ssh access, but it didn't work, since version 0.7.1r2 FON has patched the web interface injection flaw that they shipped with earlier versions. So, I needed to run the Kolofonium hack and inject through a RADIUS server. Luckily, per the previous URL, they set up a fake RADIUS server to run that hack for me, and I simply needed to change the DNS server to the kolofonium.datenbruch.de IP address for them to enable SSH access for me! So far they have done 16423 routers (mine was 16,423rd)! That is WAY too sweet! After rebooting, I was not able to access the SSH server via the wired connection. However, I was able to ssh in from the Wireless to 169.254.255.1, with user id root and password admin!


I then did: mv /etc/init.d/dropbear /etc/init.d/S50dropbear, per www.dd-wrt.com/phpBB2/viewtopic.php?p=304820

I downloaded and installed HFS (I didn't give it Shell context), and added the two files.

Here, you'll get a prompt saying "Server unexpectedly closed network connection." and you should hit OK and WAIT for 1-3 minutes. I got that out of ANOTHER set of instructions (after I hit the X to close it) at: devolblog.devolfamily.com/dd-wrt-on-la-fonera-router. I also may not have waited as long as I should have at this point... when it came back up and my client tried to wirelessly connect, it wouldn't... I thought it may have dorked the WPA key up or something, so I rebooted again... and the wireless never came back... I actually think that the router works, but the wireless is turned off, and the Ethernet port is hosed. I should have probably seen this post before: wiki.fon.com/wiki/FreeWLAN

I sort of bricked my router at this point. I actually got another router, and tried this again, with the same result. I think that Digininja was correct, and you need a serial-to-USB cable for this router.
I think I will have to flash it via a serial port now... via: http://elfonblog.fondoo.net/?p=101 or this: http://elfonblog.fondoo.net/?tag=fon2100

I took the router apart (you have to take the two rubber feet opposite the antenna off, and take those screws out), and verified that I actually had a FON (not FON+), and bought the cable referenced by digininja from SunTekStore (USB cable for Kyocera KX1 KX9 KX12 w CD Drive, item 10002518) for $5.42.

Got the Kyocera KX1 KX9 KX12 CD USB cable, and cut it up and put it on the board. I installed the drivers for the usb-to-serial cable from http://www.suntekstore.com/usb-cable-for-kyocera-kx1-kx9-kx12-w-cd-drive-.html The strange thing about this driver is that I tried on two separate Windows laptops, and couldn't install it. It turns out that you have to have a USB hub to get the driver to install. After I did this, I brought up PuTTY to the Serial COM4 port, and connected to the board (powering it up with no ground connected, and then connecting the ground). Success! Here is the long awaited redboot prompt:

I tried using Digininja's 1.0 firmware, and it always locked up when a client connected.
After much, much, much trial and error, I discovered the instructions at:

http://www.hak5.org/w/index.php/Fon_Jasager_Install 
These worked fairly well, but wouldn't hand out an IP. After trying forever to get the
 /etc/config/dhcp file working, I started asking questions in the Hak5 Forums. 
In talking to Mr. Protocol (thanks for the help) I saw that he used the GUI to 
configure /etc/config/dhcp, and /etc/dnsmasq.conf so I just logged into the webif 
and configured it like so:

I also turned on the WAN interface and set start, limit, and lease times. This handed out IPs, like so:


I then uploaded a website file to /www/index.html, and resolved all IPs to the Fon by adding 
the line 'address=/#/192.168.1.1' to the end of the dnsmasq.conf file.

This will resolve any DNS address to the local address, and Voila!!! I have an automatic Rick-Roller!
I have a battery powered Fon, so I can turn it on, let it sit, and anyone who connects to it will be Rick Rolled
no matter what site they try to go to! Here's a pic (notice the visited site was Google)
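
Seen from a client, the 'address=/#/192.168.1.1' line above has a recognizable signature: hostnames that cannot exist all resolve, and all to the same private address. The following check is an added example, not part of the original post; the function names and the two stand-in resolvers are constructed for illustration.

```python
import ipaddress
import secrets
import socket

def probe_names(count=4, tlds=("com", "net", "org", "info")):
    """Random hostnames that should not exist, spread across several TLDs."""
    return [f"{secrets.token_hex(8)}.{tlds[i % len(tlds)]}" for i in range(count)]

def check_wildcard_dns(resolve, names=None):
    """Classify a resolver by how it answers names that cannot exist.

    resolve(name) must return a list of IP strings ([] for NXDOMAIN).
    """
    names = names or probe_names()
    answered = {}
    for name in names:
        ips = frozenset(resolve(name))
        if ips:
            answered[name] = ips
    if not answered:
        return {"verdict": "ok", "detail": "no probe name resolved"}
    if len(answered) == len(names) and len(set(answered.values())) == 1:
        addrs = sorted(next(iter(answered.values())))
        private = all(ipaddress.ip_address(a).is_private for a in addrs)
        return {"verdict": "wildcard-private" if private else "wildcard-public",
                "detail": f"every nonexistent name resolved to {addrs}"}
    return {"verdict": "suspicious",
            "detail": f"{len(answered)}/{len(names)} nonexistent names resolved"}

def system_resolve(name):
    """Adapter for the resolver the OS is currently using."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

# Constructed stand-ins so the example runs without a network.
def wildcard_resolver(name):
    return ["192.168.1.1"]   # what dnsmasq with address=/#/192.168.1.1 returns

def honest_resolver(name):
    return {"www.example.com": ["93.184.216.34"]}.get(name, [])

if __name__ == "__main__":
    print(check_wildcard_dns(wildcard_resolver))
    print(check_wildcard_dns(honest_resolver))
```

On a real client, pass system_resolve instead of the stand-ins to test the network you are currently joined to.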



Not only is the ASCII art cool, it is also faster than trying to serve up a JPG.  It also plays a 
cut mp3 file of the 'Never Gonna Give You Up' song--cut to save space, and start right where it 
should, giving a great RickRolling effect.  
Then, to make this all run with the flip of a switch, automatically start Karma by adding this
to the end of the start section of /etc/init.d/karma_ui:

wlanconfig ath0 create wlandev wifi0 wlanmode master &
ifconfig ath0 up &
iwpriv ath0 karma 1 &


Sawwweeett!! A self contained, automatic RickRoll--no muss-no fuss! 

I brought this setup to Defcon 18, and was interviewed by Darren Kitchen!  
Check out the Hak5 Defcon 18 podcast (around minute 42) for details!

