Hacking La Fonera
Inspired by Michael's and Stefan's hack the FON-Community found the following way to inject shell code into the system without using FON's website or opening the unit.
The method presented here WORKS at least with firmware 0.7.0r4 up to 0.7.1r1!
Attention: It's NOT WORKING for firmware higher than 0.7.1r1! Hint: If your La Fonera was not delivered with this firmware originally to you, reset La Fonera so it will start a new with its original firmware. Make then the SSH-hack first and all updates of the firmware afterwards and you will keep your SSH-access! :-)
How to hack La Fonera?
To open SSH-access and to prevent FON from executing code on your La Fonera do the following:
Safe the following code as "step1.html" on your harddisk:
And now safe this code as "step2.html" on your harddisk:
Set your computer's LAN to IP 169.254.255.2, Subnetmask 255.255.255.0 and Gateway 169.254.255.1. Leave the fields for the DNS-servers empty! Now connect your La Fonera via LAN to your computer and power on La Fonera.
After successful connection open the html-pages "step1.html" and "step2.html" in your browser to see the following:
After this switch to the second webpage (page 02) and click on this SUBMIT-button.
Now you are ready to connect your La Fonera via SSH. Connect with Putty (download here) via SSH (SSH 1) to IP 169.254.255.1 (La Fonera) and log in with username "root" and password "admin" (FON-defaults).
After that, do the following to permanently enable shell-access:
PRESS "i" (insert) to edit the firewall settings by uncommenting the two lines at the SSH section, so it will look like this
Now safe your work by pressing "ESC" and typing ":wq" (write and quit) and pressing ENTER. Now you can reboot La Fonera by using the command "reboot" and pressing ENTER or executing these two commands:
Last but not least you should prevent FON from executing code on your box by changing the last lines of the script
to look like this:
Now safe your work by pressing "ESC" and typing ":wq" (write and quit) and pressing ENTER. Now you can close your SSH-connection (and exit Putty) using the command "exit" and pressing ENTER.
Now only you have full access to your box ... :-)