Wireless Pineapple Notes:
- Iinitially turned on the router, and noticed it had an SSID set toMyPlace, which was encrypted. I was able to connect to this network using the SN of the router as the network key, which gave my wireless client a 192.168.10.244 address, and the router had 192.168.10.1. (see picture). I could not connect to the WAN port, as this seemed to assume that the router would get a DHCP address, and I didn't give it one.This firmware actually looked pretty sweet out of the box (Check out the TWO wireless interfaces, with a Public and a Private WiFi setup), but in true geek fashion, after inspecting it for 5 minutes I decided to blow it away for Jasagar.
- Using the instructions at: http://www.digininja.org/jasager/installation.php I set my client IP to 192.168.1.1, grabbed jasager_firmware_1.0.tar.bz2,and the redboot.pl from the jasagar site. I put the firmware files inthe /tmp/ of a BT4 laptop, and extracted the zip (tar -xvjfjasager_firmware_1.0.tar.bz2). This left aopenwrt-atheros-root-squashfs file and a openwrt-atheros-vmlinux.lzmafile. Inspection of the redboot.pl file showed that it expected therouter to be on port 192.168.0.1—good to know. It was then time to upload the firmware and pray.
- I chmod'd the redboot.pl to executable, and ran ./redboot.pl192.168.1.245 and then powered up the Fon, per the Jasager instructions. This errored out (no Net/Telnet.pm in @INC). So I ran apt-get install libnet-telnet-perl, and installed the Net::Telnetpackage, and redboot.pl worked fine, but wouldn't connect. I tried running ./redboot.pl 192.168.1.1, in case I had a FON+ vs a FON (didn't think so) but it still never connected. I ran a tcpdump and found the router listening on 0.0.0.0. The Jasager site says that this is a UK router, and I may be out of luck. I now have to figure out how to upload the firmware to a device with no IP (it tries to get one atBootup via bootpc, so maybe that is an angle). It looks like I'll either have to hack it via a serial-cable-to-the-board http://www.digininja.org/projects/fon_serial_cable.php oruse the below hacks to try to enable redboot and try it from there. Since I didn't have a serial-to-usb cable that I wanted to sacrifice,the software hacking seemed the first method to try.
4. Upon investigation, I determined that I could get to the router with a crossover cable, and opening a browser to 169.254.255.1. Note the default user id is admin, and the default password is admin. Since my router had firmware version 0.7.1v2, redboot is not enabled, and you have to hack it to get redboot to work. There are pretty good instructions here: http://devolblog.devolfamily.com/dd-wrt-on-la-fonera-router/ . I ran the grammofon.pl hackhttp://stefans.datenbruch.de/lafonera/ to enable ssh access, but it didn't work, since version 0.7.1r2 FON has patched the web interface injection flaw that they shipped with earlier versions. So, I needed to run the Kolofonium hack and inject through a RADIUS server. Luckily, per the previous URL, they set up a fake RADIUS server to run that hack for me, and I simply needed to change the DNS server to the kolofonium.datenbruch.de IP address for them to enable SSH access for me! So far they have done 16423 routers (mine was 16,423rd)! That is WAY too sweet! After rebooting, I was not able to access the SSH server via the wired connection. However, I was able to ssh in from the Wireless to 169.254.255.1, with user id root and password admin!
I then did> mv /etc/init.d/dropbear /etc/init.d/S50dropbear, per www.dd-wrt.com/phpBB2/viewtopic.php?p=304820
id="be.d" style="text-align: left;">I downloaded and installed HFS (I didn't give it Shell context), and added the two files.
I sort of bricked my route rat this point. I actually got another router, and tried this again, with the same result. I think that Digininja was correct, and you need a serial-to-USB cable for this router.
I took the router apart (you have to take the two rubber feet opposite the antenna off, and take those screws out), and verified that I actually had a FON (not FON+), and bought the cable referenced by digininja from SunTekStore (USB cable for Kyocera KX1 KX9 KX12 w CD Drive, item 10002518) for $5.42.
Got the Kyocera KX1 KX9 KX12 CD USB cable), and cut it up and put it on the board. I installed the drivers for the usb-to-serial cable fromhttp://www.suntekstore.com/usb-cable-for-kyocera-kx1-kx9-kx12-w-cd-drive-.html The strange thing about this driver is that I tried on two separate Windows laptops, and couldn't install it. It turns out that you have to have a USB hub to get the driver to install. After I did this, I brought up Putty to the Serial COM4 port, and connected to the board (powering it up with no ground connected, and then connecting the ground). Success! Here is the long awaited redboot prompt:
I tried using Digininja's 1.0 firmware, and it always locked up when a client connected.
After much, much, much trial and error, I discovered the instructions at: http://www.hak5.org/w/index.php/Fon_Jasager_Install
These worked fairly well, but wouldn't hand out an IP. After trying forever to get the /etc/config/dhcp file working, I started asking questions in the Hak5 Forums. In talking to Mr. Protocol (thanks for the help) I saw that he used the GUI to configure /etc/config/dhcp, and /etc/dnsmasq.conf so I just logged into the webif and configured it like so:
I also turned on the WAN interface and set start, limit, and lease times. This handed out IPs, like so:
I then uploaded a website file to /www/index.html, and resolved all IPs to the Fon by adding the line 'address=/#/192.168.1.1' to the end of the dnsmasq.conf file. This will resolve any DNS address to the local address, and Voila!!! I have an automatic Rick-Roller! I have a battery powered Fon, so I can turn it on, let it sit, and anyone whom connects it will be Rick Rolled no matter what site they try to go to! Here's a pic (notice the visited site was Google) Not only is the ASCII art cool, it is also faster than trying to serve up a JPG. It also plays a cut mp3 file of the 'Never Gonna Give You Up' song--cut to save space, and start right where it should, giving a great RickRolling effect.
Then, to make this all run with the flip of a switch, automatically start Karma by adding this to the end of the start section of /etc/init.d/karma_ui wlanconfig ath0 create wlandev wifi0 wlanmode master & ifconfig ath0 up & iwpriv ath0 karma 1 & Sawwweeett!! A self contained, automatic RickRoll--no muss-no fuss! I brought this setup to Defcon 18, and was interviewed by Darren Kitchen! Check out the Hak5 Defcon 18 podcast (around minute 42) for details!