Unlock la fonera plus

=Unlock La Fonera Plus=

This how-to was originally written by Giorgio Zarrelli.

Edited and tweaked by Dema.

The unlocking method was created by Lama Bleu.

This how-to is licensed under Creative Commons Attribution-Noncommercial-Share Alike 3.0



Big fat disclaimer
The procedure we are going to describe involves reflashing the memory of La Fonera+. Since this is a very delicate operation, we are not responsible for any malfunction or loss of hardware functionality that may appear after applying it.

All actions are taken under your own responsibility.

Well, with that said: LET'S GET STARTED!

=Ubuntu Linux howto=

This howto guides you step by step through unlocking La Fonera plus using Ubuntu Linux. You can of course do the same thing with any other Linux distro, but we don't supply the commands to retrieve the tftp daemon or for sudoers actions.

After all, if you didn't select Linux for human beings, it means that you are a nerd and step by step instructions annoy you :)

What you need

 * 1) one computer running Ubuntu Linux
 * 2) one Ethernet patch cable

The server side
First we need to install the Tftp daemon on the Ubuntu server

sudo apt-get install tftpd

Since tftpd is launched by inetd, we may also need to edit the file /etc/inetd.conf as shown below:

sudo nano -w /etc/inetd.conf

tftp dgram udp wait nobody /usr/sbin/tcpd in.tftpd /srv/tftp

Then we need to set up the directory where the image file will be placed to flash the Fonera memory:

sudo mkdir /srv/tftp

Now we have to enter the tftpd directory and download the image file into it:

cd /srv/tftp
sudo wget http://www.leeman.be/fon/GetImage.php

Uncompress the downloaded .zip. Final size is 6.5 Mb.

Now it's time to restart openbsd-inetd (it was probably installed together with tftpd):

sudo /etc/init.d/openbsd-inetd restart

The Client side
Take a network cable, plug one end into the Fonera+ (black hole) and the other end into the Ethernet card on your laptop PC.

Time to give your PC a new network address:

sudo ifconfig eth0 192.168.1.254

And now let's create a dirty little script. It will arp the network waiting for 192.168.1.1 (the Fonera+) to answer. As soon as it answers, the script will telnet to it and send a CTRL C signal. Look, there's a tiny error in the script, in the nc section, just to force things to work. I will look later at how to fix it. Anyway, it works.

Let's create the script:

echo 'echo -e "\0377\0364\0377\0375\0006" >break.bin; sudo /usr/bin/arping -f 192.168.1.1; sudo nc -vvv 192.168.1.1 9000 < break.bin; telnet 192.168.1.1 9000' > catch_fonera+

Time to make it executable:

chmod u+x catch_fonera+

Access redboot of la Fonera plus
At this point, switch off La Fonera+.

Now execute the script:

./catch_fonera+

Fill in your Ubuntu user password and switch on the Fonera+. This little box will boot up and RedBoot will wait for 2 seconds to receive a CTRL C signal through a telnet session on its 192.168.1.1 Ethernet interface.

You should see the following on your screen:

./catch_fonera+
[sudo] password for zarrelli:
ARPING 192.168.1.1 from 192.168.1.254 eth0
Unicast reply from 192.168.1.1 [XX:XX:XX:XX:XX:XX] 0.992ms
Sent 9 probes (9 broadcast(s))
Received 1 response(s)
fonera [192.168.1.1] 9000 (?) open
== Executing boot script in 0.890 seconds - enter ^C to abort
^C
RedBoot> sent 6, rcvd 82
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
RedBoot>

Be careful: you will also see the following line:

RedBoot> ��

Strike CTRL C on your keyboard and you will receive a working RedBoot> prompt.

Some checks before flashing
Now, do check that your FLASH addresses are shown as those following (you can do it by issuing the "fis list" command):

RedBoot> fis list
Name             FLASH addr  Mem addr    Length      Entry point
RedBoot          0xA8000000  0x80040400  0x00030000  0xA8000000
loader           0xA8030000  0x80100000  0x00010000  0x80100000
image            0xA8040000  0x80040400  0x00230004  0x80040400
image2           0xA8660000  0xA8660000  0x00140000  0x80040400
FIS directory    0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config   0xA87EF000  0xA87EF000  0x00001000  0x00000000

Take a sharp look at the above output: you should get exactly the same values on your screen.

Now we make some other checks:

RedBoot> x -b 0xa8040000 -l 32
A8040000: 00 21 BF DE A2 14 D3 9B 00 0A 50 34 6D 00 00 80  |.!........P4m...|
A8040010: 00 FF FF FF FF FF FF FF FF 00 04 02 48 80 0E 0F  |............H...|

and another one:

RedBoot> x -b 0xa8250000 -l 32
A8250000: 1E 5E B5 70 5D FA DE 16 AE 98 85 61 87 D5 E2 09  |.^.p]......a....|
A8250010: D2 C1 70 A0 DD F6 2A 30 7F C8 5E 0B 00 DF 50 0A  |..p...*0..^...P.|

Once again, if you get exactly the same values on your screen, you should be able to perform the flashing.
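
Comparing these rows by eye is error-prone, so the comparison can be done on a saved session log instead. The script below is an added example, not part of the original how-to: the function names (normalize, preflash_check, sample_log) are hypothetical and the sample log is constructed from the values printed above.

```shell
# Added example: check a saved RedBoot session against this how-to's values.
# Reference rows, whitespace-normalized: "fis list" first, then the two dumps.
EXPECTED='RedBoot 0xA8000000 0x80040400 0x00030000 0xA8000000
loader 0xA8030000 0x80100000 0x00010000 0x80100000
image 0xA8040000 0x80040400 0x00230004 0x80040400
image2 0xA8660000 0xA8660000 0x00140000 0x80040400
FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0x00000000
RedBoot config 0xA87EF000 0xA87EF000 0x00001000 0x00000000
A8040000: 00 21 BF DE A2 14 D3 9B 00 0A 50 34 6D 00 00 80
A8040010: 00 FF FF FF FF FF FF FF FF 00 04 02 48 80 0E 0F
A8250000: 1E 5E B5 70 5D FA DE 16 AE 98 85 61 87 D5 E2 09
A8250010: D2 C1 70 A0 DD F6 2A 30 7F C8 5E 0B 00 DF 50 0A'

# Strip telnet CRs and the |ascii| column of dumps, squeeze and trim blanks.
normalize() {
    tr -d '\r' | sed -e 's/[[:space:]]*|.*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//'
}

# Read a session log on stdin; succeed only if every reference row is present
# as a complete line. Missing or differing rows are reported on stderr.
preflash_check() {
    norm=$(normalize); missing=0
    while IFS= read -r want; do
        if ! printf '%s\n' "$norm" | grep -Fxi -- "$want" >/dev/null; then
            echo "MISSING OR DIFFERENT: $want" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$missing" -eq 0 ]
}

# Constructed sample log (values copied from the how-to, not a real capture).
sample_log() {
    cat <<'EOF'
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0x80040400  0x00030000  0xA8000000
loader            0xA8030000  0x80100000  0x00010000  0x80100000
image             0xA8040000  0x80040400  0x00230004  0x80040400
image2            0xA8660000  0xA8660000  0x00140000  0x80040400
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
RedBoot> x -b 0xa8040000 -l 32
A8040000: 00 21 BF DE A2 14 D3 9B 00 0A 50 34 6D 00 00 80  |.!........P4m...|
A8040010: 00 FF FF FF FF FF FF FF FF 00 04 02 48 80 0E 0F  |............H...|
RedBoot> x -b 0xa8250000 -l 32
A8250000: 1E 5E B5 70 5D FA DE 16 AE 98 85 61 87 D5 E2 09  |.^.p]......a....|
A8250010: D2 C1 70 A0 DD F6 2A 30 7F C8 5E 0B 00 DF 50 0A  |..p...*0..^...P.|
EOF
}
sample_log | preflash_check && echo "all reference rows present"
```

To use it on a real unit, save the terminal session to a file and run preflash_check with that file on standard input; a non-zero exit status means at least one row differs and the flash should not be started.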

Loading the image to la fonera with tftp
Now it's time to tftp the image.bin file from your PC to the Fonera+, and verify the checksum:

Flashing
We are at a dangerous step, reprogramming the FLASH memory:

Answer "y" when it asks you to continue flashing the memory.

Resetting
Ok, you are done! The last command is a reset, to reboot your new FREE Fonera+:

RedBoot> reset

Final settings and checks
As the Fonera+ reboots, connect to your private wireless network (AKA MyPlace), and use SSH to step into your Fonera+:

zarrelli@moveaway:~$ ssh -l root 192.168.10.1
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be establish
RSA key fingerprint is 5c:d3:42:ed:52:6d:c0:c6:fb:ec:84:57:18:24:d7:be.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known host
root@192.168.10.1's password:
BusyBox v1.4.1 (2007-09-03 10:39:50 UTC) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
 ______                                          __
/\  ___\                                         /\ \
\ \ \__/  __     ___      __   _ __    __        \_\ \___
 \ \  _\/ __`\ /' _ `\  /'__`\/\`'__\/'__`\     /\___  __\
  \ \ \/\ \L\ \/\ \/\ \/\  __/\ \ \//\ \L\.\_   \/__/\ \_/
   \ \_\ \____/\ \_\ \_\ \____\\ \_\\ \__/.\_\     \ \_\
    \/_/\/___/  \/_/\/_/\/____/ \/_/ \/__/\/_/       \/_/
--  Fonera 1.5 Firmware (v1.1.1.1) -
 * Based on OpenWrt - http://openwrt.org
 * Powered by FON - http://www.fon.com
-
root@OpenWrt:~#

Ohhhhh... la Fonera+ is open....

Wow!!! Your Fonera+ is now FREE!

=Windows howto=

This howto guides you step by step through unlocking La Fonera plus using Windows.

What you need

 * 1) one computer running Windows 2000 or Windows XP or Vista (bleh)
 * 2) one Ethernet patch cable

Swiss-knife for Window$-fonero
We strongly suggest that Windows users install the following tools:

TFTPD32.exe, to access RedBoot and upload your image file to the Fonera+. The latest version, 3.23, is only 480 kB; the download page is here. The author's homepage is here (it also offers a DHCP server, Syslog, ...). Another freeware TFTPD server can be downloaded from sourceforge.net here.

PuTTY is a terminal client which supports telnet, SSH, SSH tunneling and serial connections: all that we need for La Fonera+. The official PuTTY page is here. From the download page we suggest downloading the full installer package, "A Windows installer for everything except PuTTYtel".

WinSCP is also a good tool for transferring files to and from your Fonera+ and for editing files (the vi editor is not implemented in the Busybox compiled by FON).

The server side
First switch-off your LaFonera+ !

Install PuTTY with default settings. Copy TFTPD32.EXE to your Windows Desktop

We need to assign a static LAN IP to the computer on which TFTPD32 is installed. Open your control panel, network connections, and set your IP address to 192.168.1.254, netmask 255.255.255.0. If your computer normally runs with a static IP, please write your config on a little post-it first! Or use the advanced configuration for the TCP/IP protocol and add a second IP address to your Ethernet interface.

As it is not easy to access the RedBoot console, launch a permanent ping to your Fonera+ in a background MS-DOS window: Start Menu/Run and type: cmd (plus Enter)

Don't worry when you receive the message "Host is not responding" or similar.

Accessing RedBoot
RedBoot is not easy to access; perhaps some scripts can help you on this NSLU2 excellent page. Just a few seconds after booting your Fonera+ you must start a telnet connection to it on 192.168.1.1 port 9000. By default RedBoot listens on port 9000 for only 2 seconds before the normal kernel boot.

Launch the PuTTY configuration and use this screen-copy to configure it. Parameters to configure: "Host name (or IP address): 192.168.1.1", "Port 9000", and for connection type check "Telnet". You can save this configuration (in this example fill in "RedBoot" or "Fonera+" for "saved sessions", then click "Save").



Now try to connect to RedBoot, but be very prompt and synchronized!! You have only 2 seconds from start-up!
 * Arrange your windows on the screen so that you can see the "MSDOS ping -t" window and the PuTTY connection window simultaneously.
 * Power on your La Fonera+ and click the "Open" button on the PuTTY screen.
 * As soon as you see "reply from 192.168.1.1" in the ping window, press Enter and immediately CTRL-C on your keyboard.

OK! You've got the RedBoot prompt, like this! The most complicated task is done now!

== Executing boot script in 0.890 seconds - enter ^C to abort
^C
RedBoot>

If your Fonera+ seems to boot normally and you can't access RedBoot, please retry.

Some checks before flashing
Now, do check that your FLASH addresses are shown as those following (you can do it by issuing the "fis list" command):

Take a sharp look at the above output: you should get exactly the same values on your screen.

Now we make some other checks

and another one

Once again, if you get exactly the same values on your screen, you should be able to perform the flashing.

Now it's time to load the file into the RAM of La Fonera+

Loading the image to la fonera with tftp
Let's prepare the TFTPD32 server. Launch TFTPD32.EXE and, as in this example, create a new directory C:\local (the server root directory). Change these parameters:
 * Current directory: C:\local
 * Server interface: select 192.168.1.254 if necessary.

Download and unzip this file to C:\local

Now it's time to tftp the image.bin file from your PC to the Fonera+, and verify the checksum:

A pop-up will appear in TFTPD32 during the transfer

Flashing
We are at a dangerous step, reprogramming the FLASH memory:

Answer "y" when it asks you to continue flashing the memory.

Important note: when you press "y" to accept the flash process, your Fonera+ stops answering pings in the background MS-DOS window. The message "Erase from 0xa8260000-0xa8650000: ." and the remaining dots don't appear. Don't worry and don't reboot, just wait a few minutes. Ping will answer again and the remaining text will be displayed on your screen. Each dot is a 64 kB memory block. Scrolling is correct while flashing from the serial port.

Resetting
Ok, you are done! The last command is a reset, to reboot your new FREE Fonera+:

Final settings and checks
As the Fonera+ reboots, connect to your private wireless network (AKA MyPlace), or use an Ethernet cable, and use SSH to step into your Fonera+. If your Fonera+ is connected to the WAN (internet), wait until the Power LED turns green before connecting with SSH. If no WAN is connected, wait 2 minutes.

As in the first step, create a new profile in PuTTY to connect to your Fonera+. Parameters to configure: "Host name (or IP address): 192.168.10.1". For connection type check "SSH"; the port number will toggle to "22". You can save this configuration: choose a name for "saved sessions", then click "Save". Click "Open". This is the first connection, so accept the PuTTY security alert.

You get the login prompt; the default password for "root" is "admin".

=MacosX howto=

In this section we will guide you through the unlocking process under MacosX. This is my laptop OS, so I can guarantee upon direct testing that it works like a charm.

What you need

 * 1) one computer running MacosX
 * 2) one ethernet cable patch

The server side
We need to install the Tftp program. I chose a very easy to use tftp server.

It's called tftpserver (doh!) and you can grab it here.

Once installed, open a terminal (yes, macosx is fun with the terminal too) and type the following to create the tftp directory.

Now open the tftpserver program and change path to the tftp directory which you created in your home.



Back to the terminal and grab the image file for flashing la fonera

cd
cd tftp
wget http://www.leeman.be/fon/GetImage.php

Once unzipped, the file size is 6.5 Mb.

Now we can click on start TFTP in the tftpserver window

The Client side
Take a network cable, plug one end in the Fonera+ (black hole) and the other end in the ethernet port on your macbook(pro) or Imac or MacPro or Minime.

Time to give your Mac a new network address:

And now let's create a little dirty script. It will arp the network waiting for 192.168.1.1 (the Fonera+) to answer. As soon as it answers, the script will telnet to it and send a CTRL C signal. Look, there's a tiny error in the script, in the nc section, just to force things to work. I will look later at how to fix it. Anyway, it works.

Let's create the script:

Time to make it executable:

Access redboot of la Fonera plus
At this point, switch off La Fonera+.

Now execute the script:

Fill in your Mac user password and switch on the Fonera+. This little box will boot up and RedBoot will wait for 2 seconds to receive a CTRL C signal through a telnet session on its 192.168.1.1 Ethernet interface.

Here is what you will likely see:

Be careful: you will see the following line:

RedBoot> ��

Strike CTRL C on your keyboard and you will receive a working RedBoot> prompt.

Some checks before flashing
Now, do check that your FLASH addresses are shown as those following (you can do it by issuing the "fis list" command):

Take a sharp look at the above output: you should get exactly the same values on your screen.

Now we make some other checks

and another one

Once again, if you get exactly the same values on your screen, you should be able to perform the flashing.

Loading the image to la fonera with tftp
Now it's time to tftp the image.bin file from your PC to the Fonera+ and verify the checksum:

Flashing
We are at a dangerous step, reprogramming the FLASH memory:

Answer "y" when it asks you to continue flashing the memory.

Resetting
Ok, you are done! The last command is a reset, to reboot your new FREE Fonera+:

Final settings and checks
As the Fonera+ reboots, connect to your private wireless network (AKA MyPlace), and use SSH to step into your Fonera+:

Wow!!! Your Fonera+ is now FREE!

=Final settings, tweaking (all OS)=

Updating personal config from FON
Just after flashing, your Fonera+ will reset to factory default settings. You can verify this by going to your HTTP console on 192.168.10.1

To update your config, log on to www.fon.com and access the userzone. Select your router, and update the private and public WiFi SSID names. If you don't want to change the name, just change one letter, click the "update" button, and then change it back to the right name. For the private WLAN: change the WEP/WPA encryption key using the same method.

The Fon.com servers will send the new config to your Fonera+. Wait a few minutes and check in your local HTTP console. You don't need to reboot.

Registered or not?
If your Fonera+ was registered before the SSH unlock, check on your local HTTP console status that all is OK. If the logo displayed is "your Fonera+ has not been registered", it is important to change this parameter to give users access to your public WLAN.

To do this, open SSH console :

Reboot your Fonera+, connect again to your local HTTP console, and verify the change to the logo: "Your Fonera is registered OK"

IPK packages
In this section, you will learn how to install additional packages to your la Fonera plus.

BEWARE: installing additional packages may compromise the stability of la fonera and cause memory leaks and malfunctions. Install packages under your own responsibility.

Installing packages
The official kernel version compiled for firmware 1.1.1r1 is 2.6.19.2. You can install ipk packages from this OpenWRT repository: http://downloads.openwrt.org/kamikaze/7.06/atheros-2.6/packages except for kmod-* packages. kmod packages must be installed from the original FON compilation. Here you can find a temporary repository for these kmod-*-fonera-1_mips.ipk packages.

Sometimes ipkg takes a very long time to run, and memory errors can occur. Tips:
 * "wget" your ipk package to /tmp, and then run it.
 * Kill processes that are not needed with a "killall" command for: dnsmasq,chilli,fonstate,httpd,fonsmcd,crond,hotplug2,logger,syslogd,klogd,watch_chilli
 * Remove /usr/lib/ipkg/status (see https://dev.openwrt.org/ticket/2702)

Busybox upgrade
The Busybox provided by FON in the original firmware is very limited. Upgrading Busybox to version 1.4.2-1 lets you use the "vi" editor and get colors when displaying files and directories. Perhaps more!

Installation takes about 5 to 7 minutes, be patient. If you get the error message "ipkg: fork failed: Cannot allocate memory", kill all processes as described in the "Installing packages" section. Reboot your Fonera+ after upgrading.

Auto-updates (thinclient)
'''FREEWLAN comments welcome !! You have more experience about bricking with auto-update...'''

Edit the file /bin/thinclient :

Comment this line with a starting # like this

Insert a new line just after, like this:

Verify :

Upgrade command files sent by thinclient are now stored in /tmp. Check the messages on the FON thematic boards to know whether an upgrade will modify the firmware or not. As with the classic Fonera, you can launch the upgrade manually. In this example, " . /tmp/thinclient-20071024-0745" will start the upgrade for the hotfix/firmware.