Changes: Unlock la fonera plus

Unlock La Fonera Plus

This how to has been originally written by Giorgio Zarrelli .

Edited and tweaked by Dema .

The unlocking method has been made by Lama Bleu.

This how-to is licensed under Creative Commons Attribution-Noncommercial-Share Alike 3.0

File:Somerights20.png

---

Big fat disclaimer

The procedure we are going to describe will involve a memory reflashing of la Fonera+. Since this a very delicate action , we are not responsible of malfunctions that may appear after applying or breaking of functionality of the hardware.

All actions are taken under your own responsability.

Well , after saying this . LET'S GET STARTED !

Ubuntu Linux howto

With this howto we will guide you through a step by step method for unlocking La Fonera plus using Ubuntu Linux.
You can perform the same thing with all other linux distros of course but we don't supply commands to retrieve tftp daemon or sudoers actions.

After all , if you didn't select Linux for human beings , it means that you are a nerd and step by step instructions annoy you :)

What you need

1. one computer running Ubuntu Linux
2. one ethernet cable patch

The server side

First we need to install the Tftp daemon on the Ubuntu server

sudo apt-get install tftpd

Since tftpd is launched by inetd , we may also need to edit the file /etc/inetd.conf as shown below

sudo nano -w /etc/inetd.conf
tftp dgram udp wait nobody /usr/sbin/tcpd in.tftpd /srv/tftp

Then we need to setup the directory where the image file will be placed to flash the fonera memory

sudo mkdir /srv/tftp 

Now we have to enter the tftpd repository and download the image file in it:

cd /srv/tftp
sudo wget http://www.leeman.be/fon/GetImage.php

Uncompress the .zip downloaded. Final size is 6.5 Mb.

Now it's time to restart openbsd-inetd (it was probably installed together with tftpd):

sudo /etc/init.d/openbsd-inetd restart

The Client side

Take a network cable, plug one end in the Fonera+ (black hole) and the other end in the ethernet card on your Laptop pc.

Time to give your PC a new network address:

sudo ifconfig eth0 192.168.1.254

And now let's create a dirty little script. It will arp the network waiting for 192.168.1.1 (the Fonera+ to answer). As it answers, the script will telnet on it and send a CTRL C signal. Look, there's a tiny error in the script, in he tnc section, just to force the things to work. I will look later how to fix it. Anyway, it works.

Let's create the script:

echo 'echo -e "\0377\0364\0377\0375\0006" >break.bin; sudo /usr/bin/arping -f 192.168.1.1; sudo nc -vvv 192.168.1.1 9000 <break.bin;
telnet 192.168.1.1 9000' > catch_fonera+

Time to make it executable:

chmod u+x catch_fonera+

Access redboot of la Fonera plus

At this point, switch off La Fonera+.

Now execute the script:

./catch_fonera+

Fill in your Ubuntu user password and switch on the Fonera+. This little box will boot up and RedBoot will wait for 2 seconds to receive a CTRL C signal through a telnet session on his 192.168.1.1 ethernet interface.

You should see the following on your screen:

./catch_fonera+
[sudo] password for zarrelli:
ARPING 192.168.1.1 from 192.168.1.254 eth0
Unicast reply from 192.168.1.1 [XX:XX:XX:XX:XX:XX]  0.992ms
Sent 9 probes (9 broadcast(s))
Received 1 response(s)
fonera [192.168.1.1] 9000 (?) open
== Executing boot script in 0.890 seconds - enter ^C to abort
^C
RedBoot>
sent 6, rcvd 82
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'. 
RedBoot>

Be carefull: as you will also see the following line:

RedBoot> ��
strike CRTL C on your  keyboard and you will receive a working
RedBoot>

Some checkings before flashing

Now, do check if you FLASH addr are shown as those following (you cand do it by issuing "fis list" command):

RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0x80040400  0x00030000  0xA8000000
loader            0xA8030000  0x80100000  0x00010000  0x80100000
image             0xA8040000  0x80040400  0x00230004  0x80040400
image2            0xA8660000  0xA8660000  0x00140000  0x80040400
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

Take a sharp look to the above output , you should get exactly the same values in your screen.

Now we make some other checkings

RedBoot> x -b 0xa8040000 -l 32
A8040000: 00 21 BF DE A2 14 D3 9B  00 0A 50 34 6D 00 00 80  |.!........P4m...|
A8040010: 00 FF FF FF FF FF FF FF  FF 00 04 02 48 80 0E 0F  |............H...|

and another one

RedBoot> x -b 0xa8250000 -l 32
A8250000: 1E 5E B5 70 5D FA DE 16  AE 98 85 61 87 D5 E2 09  |.^.p]......a....|
A8250010: D2 C1 70 A0 DD F6 2A 30  7F C8 5E 0B 00 DF 50 0A  |..p...*0..^...P.|

Once again , if you get exactly the same values on your screen , you should be able to perform the flashing.

Loading the image to la fonera with tftp

Now it's time to tftp the image.bin file from you PC to the Fonera+, and verify checksum:

Flashing

We are at a dangerous step, reprogramming the FLASH memory: Answer "y" when it asks you to continue flashing the memory.

Resetting

Ok, you are done! The last command is a reset, to reboot your new FREE Fonera+:

RedBoot> reset

Final settings and checkings

As the Fonera+ reboots, connect to you private wireless network (AKA MyPlace), and use SSH to step in your Fonera+:

zarrelli@moveaway:~$ ssh -l root 192.168.10.1
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be establish
RSA key fingerprint is 5c:d3:42:ed:52:6d:c0:c6:fb:ec:84:57:18:24:d7:be.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known host
root@192.168.10.1's password:
BusyBox v1.4.1 (2007-09-03 10:39:50 UTC) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
 ______                                           __
/\  ___\                                         /\ \
\ \ \__/  __     ___      __   _ __    __        \_\ \___
\ \  _\/ __`\ /' _ `\  /'__`\/\`'__\/'__`\     /\___  __\
 \ \ \/\ \L\ \/\ \/\ \/\  __/\ \ \//\ \L\.\_   \/__/\ \_/
  \ \_\ \____/\ \_\ \_\ \____\\ \_\\ \__/.\_\      \ \_\
   \/_/\/___/  \/_/\/_/\/____/ \/_/ \/__/\/_/       \/_/
--------------  Fonera 1.5 Firmware (v1.1.1.1) -----------------
           * Based on OpenWrt - http://openwrt.org
           * Powered by FON - http://www.fon.com
    -----------------------------------------------------
root@OpenWrt:~# Ohhhhh...la Fonera+ è aperta....

Wow!!! Your Fonera+ is now FREE!

Windows howto

With this howto we will guide you through a the step by step method for unlocking La Fonera plus using Windows.

What you need

1. один компьютер под управлением Windows 2000 или Windows XP или Vista (бле)
2. one ethernet cables patch

Swiss-knife for Window$-fonero

We strongly suggest to install following tools for Windows users :

TFTPD32.exe to access RedBoot and upload your image file to the Fonera+.
Last version 3.23 is only 480 kB size, download page is here. Autor's homepage is here (also DHCP server, Syslog..)

Another freeware TFTPD server can be downloaded on sourceforge.net here

PuTTY is a client terminal which supports telnet, SSH, SSH-tunneling and serial connections, all that we need for La Fonera+.
Official PuTTY page is here For download page we suggest to download full installer package "A Windows installer for everything except PuTTYtel"

WinSCP is also a good tool to transfer files to/from your Fonera+ and also editing files ( vi editor is not implemented on the Busybox compiled by FON )

The server side

First switch-off your LaFonera+ !

Install PuTTY with default settings. Copy TFTPD32.EXE to your Windows Desktop

We need assign to LAN a static IP for the computer on which TFPTD32 is installed.
Open your control panel, network connections, and set your IP address to 192.168.1.254, netmask 255.255.255.0
If your computer is normally running with static IP, please write your config on a little post-it first ! Or use advandced configuration for TCP/IP protocol and add a second IP address to your ethernet interface.

As it is not easy to access RedBoot console, just launch a in a MS-DOS background windows a permanent ping to your Fonera+:
Start Menu/Run and type : cmd (plus Enter ..)

ping -t 192.168.1.1

Don't worry when you receive the message "Host is not responding" or similar..

Accessing RedBoot

Not easy to access RedBoot, perhaps some scripts can help you on this NSLU2 excellent page
Just few seconds after booting your Fonera+ you must start a telnet connection to your Fonera+ on 192.168.1.1 port 9000.
By default RedBoot is listening on port 9000 only 2 seconds before normal kernel boot.

Launch PuTTY configuration and use this screen-copy to configure it. Parameters to configure : "Host name (or IP address): 192.168.1.1", "Port 9000", and for connection type check "Telnet" You can save this configuration ( in this example fill "RedBoot" or "Fonera+" for "saved sessions", then click "Save".

File:PuTTY-redboot.png

Now try to connect RedBoot, but be very prompt and synchrone !! Only 2 seconds from starting !
- manage your windows on the screen to see simultaneously "MSDOS ping -t" and PuTTY connection window.
- power-on your LA Fonera+, click "Open" button on PuTTY screen.
- as you see from "ping windows" : "reply from 192.168.1.1" , press Enter and immediately CTRL-C on your keyboard.
OK ! You've got the prompt for RedBoot like this !
Most complicated task is done now !

== Executing boot script in 0.890 seconds - enter ^C to abort
^C
RedBoot>

If your Fonera+ seems to boot normally and you can't acces RedBoot, please re-try.

Some checkings before flashing

Now, do check if you FLASH addr are shown as those following (you can do it by issuing "fis list" command):

RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0x80040400  0x00030000  0xA8000000
loader            0xA8030000  0x80100000  0x00010000  0x80100000
image             0xA8040000  0x80040400  0x00230004  0x80040400
image2            0xA8660000  0xA8660000  0x00140000  0x80040400
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

Take a sharp look to the above output , you should get exactly the same values in your screen.

Now we make some other checkings

RedBoot> x -b 0xa8040000 -l 32
A8040000: 00 21 BF DE A2 14 D3 9B  00 0A 50 34 6D 00 00 80  |.!........P4m...|
A8040010: 00 FF FF FF FF FF FF FF  FF 00 04 02 48 80 0E 0F  |............H...|

and another one

RedBoot> x -b 0xa8250000 -l 32
A8250000: 1E 5E B5 70 5D FA DE 16  AE 98 85 61 87 D5 E2 09  |.^.p]......a....|
A8250010: D2 C1 70 A0 DD F6 2A 30  7F C8 5E 0B 00 DF 50 0A  |..p...*0..^...P.|

Once again , if you get exactly the same values on your screen , you should be able to perform the flashing.

Now it's time to load the file to RAM of the La Fonera+

Loading the image to la fonera with tftp

Let's prepare the TFTPD32 server. Launch TFTPD32.EXE, and as in this example, create a new directory C:\local (the server root directory)
Change parameters :

   Current directory : C:\local

   Server interface : select 192.168.1.254 if necessary.

File:Tftp32-settings.png

Download and unzip this file to C:\local

Now it's time to tftp the image.bin file from you PC to the Fonera+, and verify checksum:

A pop-up will appear on TFP32D during transfer

Flashing

We are at a dangerous step, reprogramming the FLASH memory: Answer "y" when it asks you to continue flashing the memory.

Important note : while pressing "y" to accept flash process, your Fonera+ stop to answer pings on background MSDOS windows. Message "Erase from 0xa8260000-0xa8650000: ." and remaining dots don't appear. Don't worry, don't reboot just wait few minutes. Ping will answer, remaining text will be displayed on your screen. Each dot is 64 kB memory-block. Scrolling is correct while flashing from serial port.

Resetting

Ok, you are done! The last command is a reset, to reboot your new FREE Fonera+:

RedBoot> reset

Final settings and checkings

As the Fonera+ reboots, connect to your private wireless network (AKA MyPlace), or with ethernet cable, and use SSH to step in your Fonera+.
If your Fonera+ is connected to WAN (internet), wait Power LED becomes to green before SSH to it.
If no WAN connected, wait 2 minutes.

As in first step, create a new profile in PuTTY to connect your Fonera+
Parameters to configure : "Host name (or IP address): 192.168.10.1" . For connection type check "SSH", port number will toggle to "22"
You can save this configuration : choose a name for "saved sessions", then click "Save".

Click "Open". This is first connection, so accept PuTTY security alert below)

File:Key-valid.png

You get the login prompt, default password for "root" is "admin

File:Free-FON2201.png

MacosX howto

in this sections we will guide you in the unlocking process under MacosX . This is my laptop OS , so I can guarantee upon direct testing that it works like a charm.

What you need

1. one computer running MacosX
2. one ethernet cable patch

The server side

We need to install the Tftp program.
I choose a very easy to use tftpserver.

It's called tftpserver (doh!) and you can grab it here.

Once installed , open a terminal (yes macosx is fun also with terminal) and type

cd 
mkdir tftp

to create the tftp directory.

Now open the tftpserver program and change path to the tftp directory which you created in your home.

File:Tftpmacox.png

Back to the terminal and grab the image file for flashing la fonera

cd
cd tftp
wget http://www.leeman.be/fon/GetImage.php

Once de-zipped file size is 6.5 Mb.

now we can click on start TFTP in the tftpserver window

The Client side

Take a network cable, plug one end in the Fonera+ (black hole) and the other end in the ethernet port on your macbook(pro) or Imac or MacPro or Minime.

Time to give your Mac a new network address:

sudo ifconfig en0 192.168.1.254

And now let's create a little dirty script. It will arp the network waiting for 192.168.1.1 (the Fonera+ to answer). As it answers, the script will telnet on it and send a CTRL C signal. Look, there's a tiny error in the script, in nc section, just to force the things to work. I will look later how to fix it. Anyway, it works.

Let's create the script:

echo "echo -e "\0377\0364\0377\0375\0006" >break.bin; sudo /usr/bin/arping -f
192.168.1.1; sudo nc -vvv 192.168.1.1 9000 <break.bin; telnet 192.168.1.1
9000" > catch_fonera+

Time to make it executable:

chmod u+x catch_fonera+

Access redboot of la Fonera plus

At this point, switch off La Fonera+.

Now execute the script:

./catch_fonera+

Fill in your Mac user password and switch on the Fonera+. This little box will boot up and RedBoot will wait for 2 seconds to receive a CTRL C signal through a telnet session on his 192.168.1.1 ethernet interface.

Here what you will likely see:

./catch_fonera+
[sudo] password for zarrelli:
ARPING 192.168.1.1 from 192.168.1.254 eth0
Unicast reply from 192.168.1.1 [XX:XX:XX:XX:XX:XX]  0.992ms
Sent 9 probes (9 broadcast(s))
Received 1 response(s)
fonera [192.168.1.1] 9000 (?) open
== Executing boot script in 0.890 seconds - enter ^C to abort
^C
RedBoot>

 sent 6, rcvd 82
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

RedBoot>

Be careful: as you will see the following line:

RedBoot> ��

strike CRTL C on your keyboard and you will receive a working

RedBoot>

prompt.

Some checkings before flashing

Now, do check if you FLASH addr are shown as those following (you can do it by issuing "fis list" command):

RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0x80040400  0x00030000  0xA8000000
loader            0xA8030000  0x80100000  0x00010000  0x80100000
image             0xA8040000  0x80040400  0x00230004  0x80040400
image2            0xA8660000  0xA8660000  0x00140000  0x80040400
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

Take a sharp look to the above output , you should get exactly the same values in your screen.

Now we make some other checkings

RedBoot> x -b 0xa8040000 -l 32
A8040000: 00 21 BF DE A2 14 D3 9B  00 0A 50 34 6D 00 00 80  |.!........P4m...|
A8040010: 00 FF FF FF FF FF FF FF  FF 00 04 02 48 80 0E 0F  |............H...|

and another one

RedBoot> x -b 0xa8250000 -l 32
A8250000: 1E 5E B5 70 5D FA DE 16  AE 98 85 61 87 D5 E2 09  |.^.p]......a....|
A8250010: D2 C1 70 A0 DD F6 2A 30  7F C8 5E 0B 00 DF 50 0A  |..p...*0..^...P.|

Once again , if you get exactly the same values on your screen , you should be able to perform the flashing.

Loading the image to la fonera with tftp

Now it's time to tftp the image.bin file from you PC to the Fonera+ and verify checksum:

Flashing

We are at a dangerous step, reprogramming the FLASH memory: Answer "y" when it asks you to continue flashing the memory.

Resetting

Ok, you are done! The last command is a reset, to reboot your new FREE Fonera+:

RedBoot> reset

Final settings and checkings

As the Fonera+ reboots, connect to you private wireless network (AKA MyPlace), and use SSH to step in your Fonera+:

zarrelli@moveaway:~$ ssh -l root 192.168.10.1
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be establish


RSA key fingerprint is 5c:d3:42:ed:52:6d:c0:c6:fb:ec:84:57:18:24:d7:be.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known host
root@192.168.10.1's password:


BusyBox v1.4.1 (2007-09-03 10:39:50 UTC) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

 ______                                           __
 /\  ___\                                         /\ \
 \ \ \__/  __     ___      __   _ __    __        \_\ \___
 \ \  _\/ __`\ /' _ `\  /'__`\/\`'__\/'__`\     /\___  __\
  \ \ \/\ \L\ \/\ \/\ \/\  __/\ \ \//\ \L\.\_   \/__/\ \_/
   \ \_\ \____/\ \_\ \_\ \____\\ \_\\ \__/.\_\      \ \_\
    \/_/\/___/  \/_/\/_/\/____/ \/_/ \/__/\/_/       \/_/

--------------  Fonera 1.5 Firmware (v1.1.1.1) -----------------

            * Based on OpenWrt - http://openwrt.org
            * Powered by FON - http://www.fon.com
     -----------------------------------------------------
root@OpenWrt:~# Ohhhhh...la Fonera+ è aperta....

Wow!!! Your Fonera+ is now FREE!

Final settings, tweaking (all OS)

Updating personal config from FON

Just after flashing your Fonera+ will reset with factory default settings. You can verify this going into your HTTP console on 192.168.10.1

To update your config log-on to www.fon.com, and access userzone.
Select your router, and update WiFi private and public SSID names. If you don't want to change the name, please just change one letter, click on "update" button, and change again to the right name.
For the private WLAN: change the WEP/WPA key encryption using the same method.

Fon.com servers will send the new config to your Fonera+. Wait few minutes and check in your local HTTP console. You don't need to reboot.

Registered or not ?

If your Fonera+ has been registered before the SSH-unlock, check on your local HTTP console status if all is OK.
If logo displayed is "your Fonera+ has not been registered", it is important to change this parameters to give access to users on your public WLAN.

To do this, open SSH console :

echo 1 > /etc/config/registered

Reboot your Fonera+, connect again to your HTTP local console, and verify the change to the logo: " Your Fonera is registered OK"

IPK packages

In this section , you will learn how to install additional packages to your la Fonera plus.

BEWARE installing additional packages may compromise the stability of la fonera , cause memory leaks and malfunctions. Install packages under your own responsability

Installing packages

Official kernel version compiled for firmware 1.1.1r1 is 2.6.19.2.
You can install ipk packages from this OpenWRT repository : http://downloads.openwrt.org/kamikaze/7.06/atheros-2.6/packages except for kmod-* packages.
kmod packages must be installed from original FON compilation
Here you can find a temporary repository for these kmod-*-fonera-1_mips.ipk packages.

Sometimes ipkg is very long to run, and memory errors can occur.
Tips :

• "wget" your ipk package to /tmp, and then run it.
  
• Kill not needed processes with a "killall" command for : dnsmasq,chilli,fonstate,httpd,fonsmcd,crond,hotplug2,logger,syslogd,klogd,watch_chilli
• remove /usr/lib/ipkg/status (see https://dev.openwrt.org/ticket/2702)

Busybox upgrade

Busybox provided in original firmware by FON is very poor.
Upgrading Busybox to version 1.4.2-1 will permit you to use "vi" editor, and retrieve colors for displaying files and directories. Perhaps more !

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://downloads.openwrt.org/kamikaze/7.06/atheros-2.6/packages/busybox_1.4.2-1_mips.ipk
Connecting to downloads.openwrt.org [195.56.146.238:80 ]
busybox_1.4.2-1_mips 100% |*****************************|   312 KB 00:00:00 ETA
root@OpenWrt:~# ipkg install busybox_1.4.2-1_mips.ipk
Upgrading busybox on root from 1.4.1-1 to 1.4.2-1...
Configuring busybox
Done.

Installation is about 5 to 7 minutes, be patient.
If you get error message : ipkg: fork failed: Cannot allocate memory , please kill all processes as described in "ipkg installing packages" section
Reboot your Fonera+ after upgrading

Auto-updates (thinclient)

FREEWLAN comments welcome !! You have more experience about bricking with auto-update...

Edit the file /bin/thinclient :

Comment this line with a starting # like this

#       . /tmp/.thinclient.sh

Insert a new line just after, like this:

cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')

Verify :

root@OpenWrt:~# thinclient dummy
root@OpenWrt:~# ls -l /tmp/th*
-rw-r--r--    1 root     root            0 Oct 24 07:45 /tmp/thinclient-20071024-0745
root@OpenWrt:~#

Upgrade commands files sent by thinclient are now stored on /tmp.
Check messages on FON thematic boards to know if this upgrade will modify or not the firmware.
As with classic Fonera, you can launch the upgrade manually.
In this example " . /tmp/thinclient-20071024-0745" will start upgrade for hotfix/firmware.