If this were a live FonBar, you would log in to the hotspot through the form above.
 

HAK5 Hacks A La Fonera

October 1, 2008

Today’s HAK5 video podcast features Darren Kitchen doing a demonstration of replacing stock Fon firmware on a FON2100 with Jasager Karma using the Freifunk Ap51 EasyFlash GUI utility.

If you prefer an online tutorial, with plenty of excellent pictures, you can find it here in Kitchen’s blog, or here in the Hack5 forum.

I haven’t followed these steps personally, and haven’t used some of the helper tools, but everything looks ok after brief inspection. Use at your own risk.

As usual, i’m VERY amused at all of the references to some kind of device called “a FON”, and still don’t understand how a young, four-legged ruminant is involved, but then noone ever listens to me. 😉


September Feature Article: FrancoFON

September 1, 2008

Fans of FreeWLAN, will take an interest in FrancoFON. Both of these projects have designed firmware plugins, which improve Fon’s La Fonera v1.x wifi router firmware. They impliment features that Fon stripped out of open-source OpenWRT, or enhance existing features.

Here are the highlights of the current version 2.23.6:

  • Antenna power tuning
  • Better firewall
  • Blacklist for sites that may never be visited from public network
  • Configuration can be backed up and restored
  • Diagnostic windows allowing to run command on La Fonera directly from admin console.
  • Display last version available. (in red if version is not up to date)
  • DNS modifications
  • DynDNS management.
  • Firmware Can be upgraded from an alternative server
  • Hosts file management
  • Internet feed may be aquired in wifi client (ponte2) mode instead of from Ethernet port, relay it as Fon hotspot
  • Local user management
  • MAC addresses may be banned from public and private network, with scheduler.
  • Multiple languages; English, French and Roman
  • Port forwarding wizard
  • PPPoE password now permits @ and / characters, up to length of 64 characters
  • Private network SSID can be hidden
  • Private signal still present in ponte2 mode
  • Real time display for private and public connections.
  • Real Time display of status and ID of connected Foneros.
  • Reboot/connection notification by mail
  • Remote reboot
  • Reserve address on private network (static DNS?)
  • Router may be given a name (hostname?)
  • Router SSH administration may be enabled/disabled
  • Router web administration via Ethernet port may be enabled/disabled.
  • Time-zone Configuration
  • Whitelist for sites that may always be visited from public network (without logging in)

This is very similar to the feature-set of FreeWLAN. Both projects support multiple languages, but if you are interested in joining development, speakers of German may prefer FreeWLAN, while speakers of French may prefer FrancoFON.

Though this edition dates from May 15, 2008, FrancoFON is back from holiday with the September Newsletter, and have plans to enhance the La Fonera Plus/2 router next!


Flashing La Fonera over Serial Port

February 8, 2008

Here are instructions for restoring your FON firmware entirely through the serial connector. Most instructions which i’ve seen on the web assume that you have telnet over Ethernet access to Redboot, which is a chicken and egg problem!

EDIT: ChrisPHL points out that I can enable telnet over Ethernet before I even init or flash any firmware by using the RedBoot FCONFIG command: FreeWLAN.info. So why follow this tutorial? While serial console may be slower than uploading via Ethernet, you’ll save time because you won’t need to set up TFTP server, manually configure TCP/IP, rearrange cords, change cords back, reconfigure DHCP, etc.

This tutorial worked just fine for my La Fonera 1.0 (FON2100). If you have the La Fonera 1.1 (FON2200), 1.5 (FON2201), or 2.0 (FON2202), you may find that telnet over Ethernet is allready enabled! One reader has informed me that his newer FON2200 seems to have an *older* version of RedBoot (V1.00 – built 10:37:27, Dec 12 2006) installed on it than mine (V1.3.0), and that the memory range begins at a different address. If this tutorial doesn’t seem to do the trick, try k0k0′s German tutorial, which uses different addresses starting with the second ‘load’ command. FON2201 and FON2202 use different firmware and are based on yet another circuit board. They will certainly require different load addresses.

It is possible to transfer the files using XMODEM or YMODEM if you use a terminal emulator like HyperTerminal. ZMODEM would be even faster and more accurate, but I was unable to get that to work. When I used HyperTerminal, I am pretty sure I used hardware handshaking, but k0k0, administrator of FreeWLAN’s forums recommends setting this to NO handshaking. This may be necessary if you can receive text from the serial port, but cannot get it to respond to keystrokes.

The two firmware files, rootfs.squashfs and kernel.lzma were aquired from this archive, and are stored on my local hard drive. I did not set up a TFTP or web server, as that would require a network connection, and is again, a chicken and the egg problem. :wink:

To start with, I have built a working serial voltage adapter, as seen in my previous post, interrupted the bootup with CTL-C, and executed the following commands in Redboot:

1) RedBoot> baudrate 115200 (much faster connection, but I needed to close and restart HyperTerminal using the new speed)

2) RedBoot> fis init -f (this deletes all of the onboard firmware!)

typical response from RedBoot:
About to initialize [format] FLASH image system – continue (y/n)? y
*** Initialize FLASH Image System
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .

The following commands and memory addresses are taken directly from the DD-WRT tutorial on “Reflashing LaFonera original firmware“, except that i’ve gotten the files I need by other means, and i’ve adjusted the commands for using YMODEM over the serial console instead of TFTP server at a fixed IP. You may use XMODEM if you choose instead, but it is a bit slower. If you must use XMODEM, and it will not start, try switching your terminal emulator from hardware handshaking to XON/XOFF – or vice-versa.

3) RedBoot> load -r -m ymodem rootfs.squashfs -b 0×80040450

typical response from RedBoot:
CCCCRaw file loaded 0×80040450-0x801c044f, assumed entry at 0×80040450
xyzModem – CRC mode, 2(SOH)/1536(STX)/0(CAN) packets, 6 retries

Whew! That was fun! I haven’t used YMODEM since the early 1980′s! As you see “xyzModem” implies that ZMODEM is supported, but the command “-m ZMODEM” is rejected by RedBoot. YMODEM and XMODEM may sit idle for a while before they start transferring. Be patient. :lol:

4) RedBoot> fis create -b 0×80040450 -f 0xA8030000 -l 0×00700000 -e 0×00000000 rootfs

typical response from RedBoot: (THIS CAN TAKE A LONG TIME!)
… Erase from 0xa8030000-0xa8730000: ……………………………………
…………………………………………………………….
… Program from 0×80040450-0×80740450 at 0xa8030000: ……………………..
……………………………………………………………………..
……
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .

5) RedBoot> load -r -m ymodem -b %{FREEMEMLO} kernel.lzma

typical response from RedBoot:
CCRaw file loaded 0×80040800-0x800c07ff, assumed entry at 0×80040800
xyzModem – CRC mode, 2(SOH)/512(STX)/0(CAN) packets, 4 retries

6) RedBoot> fis create -r 0×80041000 -e 0×80041000 vmlinux.bin.l7

typical response from RedBoot:
… Erase from 0xa8730000-0xa87b0000: ……..
… Program from 0×80040800-0x800c0800 at 0xa8730000: ……..
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .

7) RedBoot> fis load -l vmlinux.bin.l7

typical response from RedBoot (after a really long pause):
Image loaded from 0×80041000-0x801ba000

8) RedBoot> exec

typical response from RedBoot:
Now booting linux kernel:
Base address 0×80030000 Entry 0×80041000
Cmdline

At this point the serial connection froze. I powercycled La Fonera and observed Redboot come up, and then the serial connection froze again shortly after stating that it was booting the linux kernel… but Wireless Connection Manager showed that MyPlace had been created and I was able to access the onboard web admin. The router is now factory-fresh, circa firmware version 0.7.1 r1! 8)

Next, i’ll leave the Ethernet disconnected, and configure the fonware over a wifi connection to load FreeWLAN. Once that is working, then i’ll install the CAMICIA modified bootloader over SSH *before* I begin experimenting with configuration changes again. ;)

EDIT: The following page of RedBoot Command Line Options helped me a lot in making this tutorial: AdvancedRelay


Building a Cable to Debrick La Fonera WIFI Router

February 8, 2008

Well, all great minds screw up once in a while. I was thrilling away with my La Fonera 1.0, freshly hot-rodded with FreeWLAN v0.9.2, when the Fon came to a screeching halt! I was trying to do something Really Cool, and set it up as a Transparent Ethernet bridge. In this mode, the La Fonera would work as a wifi client device. The WAN Ethernet port would be repurposed as a LAN port, which would be bridged to the upstream LAN and DHCP server. This way, I could turn my tiny USB-Ethernet print server into a wireless one.

Well, it turns out that FreeWLAN’s QRM implementation isn’t quite working perfectly. To make matters worse, I can’t just hold down the ‘ole reset button because that button is ignored until the firmware finishes booting and polls it! This La Fonera isn’t finding the WLAN I configured it to join, so it isn’t setting up it’s virtual interfaces. I’m told that it’s stuck in this incompletely booted state forever. All I can do is ping it under very particular circumstances. No SSH, and no web admin exist any more.

Proponents of FreeWLAN advise flashing the kernel ASAP with one which allows reflashing the firmware over the Ethernet cable. I have done this before, when I was using DD-WRT for the La Fonera, but had not yet done it with this particular router. This leaves only flashing by serial connector. This is often referred to as a “JTAG” connector, but technically the La Fonera just has a serial connector that is simply at a lower voltage (TTL) than the serial port (RS232) you may have on the back of your PC. This requires a voltage-level adjustor. The folks at FreeWLAN were very helpful in providing me a list of options, and I decided that I would build the serial adaptor myself.

CLICK ANY PICTURE BELOW FOR LARGER IMAGE

La Fonera 1.0 (FON2100) (left), (right) La Fonera 1.1 (FON2200)

The popular design utilizes a Maxim 232 or 3232 integrated circuit. Maxim will provide free samples of this part, with free shipping from their website. I ordered two, which arrived about a week later.

I went to Radio Shack, our local overpriced electronics parts store, for 5 polarized tantalum capacitors, a small breadboard, and a 9-pin female serial connector. The bill came to $12.91 with tax.

I used sections of an old floppy cable for wire and for the connector to the La Fonera, as the holes were exactly right.

As luck would have it, the first one I built didn’t work properly. On my first trip to Radio Shack, I had bought slightly cheaper nonpolarized electrolytic capacitors. The MAX3232 datasheet said that nonpolarized would work, but perhaps that is not so for this particular project. I’m happier with the way the much smaller tantalum capacitors look, anyway.

We have RedBoot!

Also, if I let it boot up uninterrupted, I can hit ENTER for a telnet session to the OpenWRT firmware which the fonware is based on:

Next up is flashing the CAMICIA edition of the linux kernel which permits access to Redboot over the Ethernet port. I may choose XMODEM to transfer files while connected to the serial port. Then i’ll switch to Ethernet to more quickly flash the 0.7.1 edition of fonware which works best with FreeWLAN. Switching to wifi, I’ll manually configure fonware to download FreeWLAN right away, before I ever connect the Ethernet to the Internet, preventing further fonware updates. Fonware updates get slipstreamed into future FreeWLAN editions, and thus the router really does stay up-to-date.


SSH for La Fonera + Plus

October 28, 2007

The first crack for La Fonera Plus comes to us courtesy of FrancoFon. FrancoFon was recently heralded by Fon President Martin Varsavsky for their La Fonera 1.x improvements. Like FreeWLAN, FrancoFon does not replace Fon’s firmware, but adds functionality through modular addons.

La_Fonera_Plus/Ouvrir_ssh_sans_cable…

http://www.fonboard.nl/wiki/La_Fonera_Plus_Access

http://www.fonboard.nl/wiki/HowTo_Foneraplus_unlocking/en

How to activate SSH on Fonera Plus

Configure your computer with 192.168.1.254 IP address

Install a little webserver on your computer (like Apache)

Download the file redboot.pl

Download the firmware file firmware_francofon.bin and put it into the home directory of your webserver

Install perl and its dependencies perl-Net-Telnet and also, install fping.

Connect the La Fonera directly to your computer.

Start the previously download script: perl redboot.pl 192.168.1.1

Start your fonera.

Once done, you should have access to telnet command.

Enter the following command:

ip_address -l 192.168.1.1/24 -h 192.168.1.254
and enter:

fis delete image
load -r -b 0×80100000 /firmware_francofon.bin -m HTTP -h 192.168.1.254
fis create -b 0×80100000 -l 0×00237040 -f 0xA8040000 -e 0×80040400 -r 0×80040400 image

Wait until the end of the flashing! That’s all, you should have now access to SSH

So it looks like the trick was in discovering which IP:port La Fonera Plus was listening to when it powers up, and designing the script to hammer at it. This is how telnet access is aquired, and from there, the firmware_francofon.bin addition can be downloaded from your client PC. SSH is then one of the benefeits of using the FrancoFon add-on.

I’m interested in seeing a comparison of the features between FreeWLAN and FrancoFon to show what each project offers, and which features work better.

It sounds like FrancoFon is sharing their method with FreeWLAN, so we should see that become available for La Fonera Plus soon too!

http://fonblog.eu/2007/10/28/fonera-plus-hack-finally-we-did-it/


Make your hotspot mobile with La Fontap

October 12, 2007

Here’s a little project I actually did some months ago. I hope it inspires a wave of (legal) guerilla hotspot activity. Milk your wifi and bring affordable Internet to a hotel or cafe near you!

Some people have discussed tapping a USB connection for 5v DC. You can also tap a PS/2 keyboard port (if you have one) for 5v without any additional circuitry. The tap I have wasn’t entirely built by me. It was provided by Logitech to supply power to an old webcam. It can connect to both large and small keyboard connectors, and has an extra side wire where the 5v is split off. I stripped the wires and determined which one was + and – by trial and error. The power connector was cut off from some other transformer. I keep lots of small parts like this.

Here is a photo of a PS/2 connector showing which pins you need to tap:

Here is a photo of my La Fonera resting comfortably with it’s new power connector:

Here is La Fonera behind my trusty old laptop, showing that it is indeed working with the laptop keyboard port as power source, and Ethernet jack as Internet source. Sorry it is underexposed, I wanted you to see the glowing LEDs better. I hope you can see, on La Fonera I have power, Internet and WLAN lights all working, and also the link light on my Ethernet jack. Click photo for larger version:

Finally, it was necessary to enable Internet Connection Sharing (ICS), which is included with most versions of Windows. Alternatives and equivalents exist for every major operating system.

My Internet source is my WPA encrypted Linksys router, and I need to share it with my La Fonera, which is connected to the Ethernet jack. Sharing can only be enabled for one network device, and it is automatically assumed that every other network device will be bound to it. Note that ICS does not appear as a menu choice unless your computer has at least two enabled networking devices. Under Network Connections, I select the wifi adapter, NOT the Ethernet jack, and enable ICS on the Advanced tab:

Now, what can you use this for? Perhaps you are unable to run an Ethernet cable out to your La Fonera, but are within range of another hotspot which you are permitted to access. Perhaps you would like to provide a Fon hotspot for a group of people, and have a cellular data, WiMax or other wireless modem device to supply the Internet connection. It may even be possible to pay for a connection to an expensive commercial hotspot, and spend a day making some positive income by reselling it at Fon’s cheaper rates to everyone else there. You could even use an existing Fon hotspot; pay for a Fon daily pass, and then resell another Bill’s wifi for your own profit (please get his permission first)!

This arrangement should work to supply at least a basic Internet connection, for WWW and email. It is probably a poor substitute at best, for true WDS meshing, to extend the range of your wifi. Performance will certainly suffer due to latency and the effects of performing NAT behind another NAT. Lastly, ICS does not always recognise unusual network devices, especially ones which require special drivers. Some ISPs may require such drivers to help enforce their one-computer-per-customer Terms of Service.

I’d love to hear from anyone who has milked another wifi hotspot like this. ;)


FreeWLAN Project Enhances La Fonera

October 2, 2007

Fon’s firmware has been the subject of controversy. While receiving praise for it’s “plug-and-play” simplicity, Fon has eliminated features required by many ISPs, and needed by potential wifi users. Fon has also declared a ”Fonero Promise” in effect, forbidding any modification of the firmware. What can we Foneros do to make the Fon System more attractive to the wifi community?

The FreeWLAN Community is an innovative group of hosted projects working to enhance the abilities of Fon’s La Fonera line of routers. They maintain both English and German discussion boards, an online wiki and bugtracker. This is quite a professional operation for a group of volunteers!

FreeWLAN operates in a grey area around Fon’s covenant by adding firmware as plugins, rather than modifying existing code. Additional features show up as new pages in the router’s onboard administration. Fon’s code is not cracked, and their system of authentication and client management is not circumvented.

Let’s welcome the new release of FreeWLAN v0.9.0 today, which includes the following new abilities (copied from their press release):

  • Bandwidth limiting
  • Bridging Ethernetport to private WiFi
  • Connection to the web via WLAN (Pseudo-WDS) –> QRM (Quasi Repeater Mode) with detailed settings
  • DynDNS-Client
  • Family- & Friends-Accounts
  • Fonero-Status of connected guests
  • Hostname editable
  • MAC-Blocking
  • MAC-Cloning
  • Mail service
  • MyPlace works in QRM => three (!) WiFis
  • Private WiFi’s SSID hideable
  • Static DHCP (binding IP to MAC)
  • UAM-Allowed editable
  • WiFi-Scan in QRM => Display on status page

In addition, the Help System and Speed Information have been updated.

Installation is as simple as changing your DNS server and SSID settings, rebooting your La Fonera router, and watching it update itself!

These folks appear to nurture the kind of creative spirit which a grass-roots startup like Fon needs in order to have a competitive edge. Attention Fon: hire these guys before someone else does! ;)

Click the picture below for FreeWLAN’s web demo:


Still waiting for USB? Add SD today!

May 22, 2007

The good people at Hackaday have allready brought us the tutorial on adding an SD card to a Linksys router.

Now there’s a similar enhancement for the La Fonera 1.0!

It seems to me that the Laffy mod could also be done with an old floppy cable connector just like the Linksys mod. Let us know if you fried your El Cheapo trying this mod out. Also, let us know how well it works for you! :)