If this were a live FonBar, you would log in to the hotspot through the form above.

HAK5 Hacks A La Fonera

October 1, 2008

Today’s HAK5 video podcast features Darren Kitchen doing a demonstration of replacing stock Fon firmware on a FON2100 with Jasager Karma using the Freifunk Ap51 EasyFlash GUI utility.

If you prefer an online tutorial, with plenty of excellent pictures, you can find it here in Kitchen’s blog, or here in the Hack5 forum.

I haven’t followed these steps personally, and haven’t used some of the helper tools, but everything looks ok after brief inspection. Use at your own risk.

As usual, i’m VERY amused at all of the references to some kind of device called “a FON”, and still don’t understand how a young, four-legged ruminant is involved, but then noone ever listens to me. 😉

September Feature Article: FrancoFON

September 1, 2008

Fans of FreeWLAN, will take an interest in FrancoFON. Both of these projects have designed firmware plugins, which improve Fon’s La Fonera v1.x wifi router firmware. They impliment features that Fon stripped out of open-source OpenWRT, or enhance existing features.

Here are the highlights of the current version 2.23.6:

  • Antenna power tuning
  • Better firewall
  • Blacklist for sites that may never be visited from public network
  • Configuration can be backed up and restored
  • Diagnostic windows allowing to run command on La Fonera directly from admin console.
  • Display last version available. (in red if version is not up to date)
  • DNS modifications
  • DynDNS management.
  • Firmware Can be upgraded from an alternative server
  • Hosts file management
  • Internet feed may be aquired in wifi client (ponte2) mode instead of from Ethernet port, relay it as Fon hotspot
  • Local user management
  • MAC addresses may be banned from public and private network, with scheduler.
  • Multiple languages; English, French and Roman
  • Port forwarding wizard
  • PPPoE password now permits @ and / characters, up to length of 64 characters
  • Private network SSID can be hidden
  • Private signal still present in ponte2 mode
  • Real time display for private and public connections.
  • Real Time display of status and ID of connected Foneros.
  • Reboot/connection notification by mail
  • Remote reboot
  • Reserve address on private network (static DNS?)
  • Router may be given a name (hostname?)
  • Router SSH administration may be enabled/disabled
  • Router web administration via Ethernet port may be enabled/disabled.
  • Time-zone Configuration
  • Whitelist for sites that may always be visited from public network (without logging in)

This is very similar to the feature-set of FreeWLAN. Both projects support multiple languages, but if you are interested in joining development, speakers of German may prefer FreeWLAN, while speakers of French may prefer FrancoFON.

Though this edition dates from May 15, 2008, FrancoFON is back from holiday with the September Newsletter, and have plans to enhance the La Fonera Plus/2 router next!

Why have so many Foneros abandoned Fon?

April 4, 2008

Fon President Martin Varsavsky has posted an adorable leetle survey on his blog today. Either he has no idea why Fon is failing under his leadership, or else he knows, and won’t list those reasons because he has no intention of fixing them.

The reason most Foneros have quit Fon is due to anemic equipment and firmware imposed upon them, and the culture of dishonesty in Fon’s press releases and business practices.

After promising to give us firmware which supported dual-SSIDs, Fon switches the bait and presents us with their proprietary, locked-down 1-port router with this feature. No dual-SSID for us Linksys and Buffalo Foneros. It’s just as well, because it turns out that many wifi adapters can’t cope with the little transmission trick that produces two SSIDs.

People with pre-existing home networks discover that they can’t access their LAN resources, even when using the private WLAN. There is no “bridge to WAN” feature. This device *looks* like an AP, but is instead a NAT router. This is one of the main reasons people abandoned Fon. They didn’t want to *start* a network. They needed to *expand* one (and on a budget).

This little overheating brick had WDS meshing built-in at first, but this was undocumented. Hackers learned to use it to aquire an Internet connection without paying or logging in. Fon quickly took WDS out, and has still never admitted it existed. Pres. V pontificates in his blog that the range-extending Fontenna (he sells) is superior to connection-relaying meshing, despite the poor performance of said Fontenna. He should have instead sold us a kit to mount the router outside, with an embedded booster antenna and PoE adapter.

Nearly two years later, La Fonera still doesn’t support MAC cloning, which is such a trivial feature to add. It is necessary for modems/ISPs which lock your service to your WAN MAC. This is another big reason people abandoned Fon- they never got it connected to the Internet. This feature wouldn’t even threaten the sales of additional Fon hardware. :(

Instead of improving the La Fonera firmware (except to rush out patches to keep people from aquiring better access to their device and developing new features), Fon spends R&D on further routers: Want one precious LAN jack? Buy the new router, at twice the price of the old one! This is surely why they don’t give us WAN bridge in the original La Fonera for free.

What would Foneros really prefer that Fon focus their attention on? Bringing the feature set of the router at least up to the point of every other cheap router on the market, nurturing and empowering the creative community that has built up around Fon, and showing some real progress for a change. Instead, here is “La Fonera Orwellian Name”, for $100, which lets you download free bittorrents of Fearless Leader’s video clips. Ugh.

“Buy thees Skype phone and make calls for free at any Fon hotspot in the world!” they said. Well, sure- if you had the encryption key for all of those Fonero’s private networks. The darn thing wasn’t able to log in through Fon’s public hotspot, until many months later, when a firmware patch was provided. Calls were then free if they were Skype-to-Skype, or you were spending the included “free” 20 trial Skypeout minutes. Skype pulled the ads down. Ugh.

“We split the profits 50-50!”. An outright lie. First, Fon takes unspecified “fees and taxes” out, then splits what is left. Fon refuses to itemize this amount, which varies from country to country and depends on the ISP, so there is no way to tell if they are paying you fairly. Fon only pays Bills if their hotspot is the Point Of Sale for day passes, not for bandwidth, length of wifi sessions, or number of customers. If paid-up customers wander over to his hotspot, Bills get nothing for the service he provides.

Fon’s price per day is quite reasonable when compared to other for-pay mobile Internet services. However, wifi is free in virtually every coffee shop in the USA, many restaurants and libraries, and provided by many municipalities throughout the city centers. Fon won’t budge on the price, or add something to make their service more desireable than free wifi, like VPN encryption.

Fon’s system mimics other “instant hotspot in-a-box” offerings, but these competitors are offering more flexible terms in setting prices and managing equipment. The competitors let you have control of your Internet connection, your router, and the appearance of your hotspot to the public. Fon pretends that they do too, but in reality, you have almost no control over what they clearly consider to be *their* router, and *their* hotspot.

It’s been obvious in recent months that Fon is fading away. Varsavsky spends his time supporting side projects, which have nothing to do with wifi (Mexican Wave, Fon URL Sortener, and several ways to abuse Gmail), and writing bizzare articles in his Fon Blog. Varsavsky recently dumped much of his Fon stock.

Fortunately, there is a thriving community of hackers who still develop improvements for La Fonera wifi routers. If a Fonero is willing to void his router’s warranty, he can have his MAC cloning, WAN bridge and much more. While they can do nothing about Fon’s awful profit-sharing, the routers themselves can even be flashed with entirely different firmware, and be used with other wifi networks, or even liberated entirely, including features usually found only in very expensive equipment.

There are so many other points, I could write volumes. Please visit Varsavsky’s blog, and instead of taking his survey, leave him comments which surely will fall outside his carefully selected choices.

UPDATE: Y’all will find this very interesting. Martin approved another round of comments to that post in his blog. While he approved a comment I made under a fake name, he did not approve a more coherent comment I made, as myself, discussing the exact same points, somewhat earlier that day. This is not proper management of his blog, this is censorship of those whom he dislikes. What a skunk!

Flashing La Fonera over Serial Port

February 8, 2008

Here are instructions for restoring your FON firmware entirely through the serial connector. Most instructions which i’ve seen on the web assume that you have telnet over Ethernet access to Redboot, which is a chicken and egg problem!

EDIT: ChrisPHL points out that I can enable telnet over Ethernet before I even init or flash any firmware by using the RedBoot FCONFIG command: FreeWLAN.info. So why follow this tutorial? While serial console may be slower than uploading via Ethernet, you’ll save time because you won’t need to set up TFTP server, manually configure TCP/IP, rearrange cords, change cords back, reconfigure DHCP, etc.

This tutorial worked just fine for my La Fonera 1.0 (FON2100). If you have the La Fonera 1.1 (FON2200), 1.5 (FON2201), or 2.0 (FON2202), you may find that telnet over Ethernet is allready enabled! One reader has informed me that his newer FON2200 seems to have an *older* version of RedBoot (V1.00 – built 10:37:27, Dec 12 2006) installed on it than mine (V1.3.0), and that the memory range begins at a different address. If this tutorial doesn’t seem to do the trick, try k0k0′s German tutorial, which uses different addresses starting with the second ‘load’ command. FON2201 and FON2202 use different firmware and are based on yet another circuit board. They will certainly require different load addresses.

It is possible to transfer the files using XMODEM or YMODEM if you use a terminal emulator like HyperTerminal. ZMODEM would be even faster and more accurate, but I was unable to get that to work. When I used HyperTerminal, I am pretty sure I used hardware handshaking, but k0k0, administrator of FreeWLAN’s forums recommends setting this to NO handshaking. This may be necessary if you can receive text from the serial port, but cannot get it to respond to keystrokes.

The two firmware files, rootfs.squashfs and kernel.lzma were aquired from this archive, and are stored on my local hard drive. I did not set up a TFTP or web server, as that would require a network connection, and is again, a chicken and the egg problem. :wink:

To start with, I have built a working serial voltage adapter, as seen in my previous post, interrupted the bootup with CTL-C, and executed the following commands in Redboot:

1) RedBoot> baudrate 115200 (much faster connection, but I needed to close and restart HyperTerminal using the new speed)

2) RedBoot> fis init -f (this deletes all of the onboard firmware!)

typical response from RedBoot:
About to initialize [format] FLASH image system – continue (y/n)? y
*** Initialize FLASH Image System
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .

The following commands and memory addresses are taken directly from the DD-WRT tutorial on “Reflashing LaFonera original firmware“, except that i’ve gotten the files I need by other means, and i’ve adjusted the commands for using YMODEM over the serial console instead of TFTP server at a fixed IP. You may use XMODEM if you choose instead, but it is a bit slower. If you must use XMODEM, and it will not start, try switching your terminal emulator from hardware handshaking to XON/XOFF – or vice-versa.

3) RedBoot> load -r -m ymodem rootfs.squashfs -b 0×80040450

typical response from RedBoot:
CCCCRaw file loaded 0×80040450-0x801c044f, assumed entry at 0×80040450
xyzModem – CRC mode, 2(SOH)/1536(STX)/0(CAN) packets, 6 retries

Whew! That was fun! I haven’t used YMODEM since the early 1980′s! As you see “xyzModem” implies that ZMODEM is supported, but the command “-m ZMODEM” is rejected by RedBoot. YMODEM and XMODEM may sit idle for a while before they start transferring. Be patient. :lol:

4) RedBoot> fis create -b 0×80040450 -f 0xA8030000 -l 0×00700000 -e 0×00000000 rootfs

typical response from RedBoot: (THIS CAN TAKE A LONG TIME!)
… Erase from 0xa8030000-0xa8730000: ……………………………………
… Program from 0×80040450-0×80740450 at 0xa8030000: ……………………..
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .

5) RedBoot> load -r -m ymodem -b %{FREEMEMLO} kernel.lzma

typical response from RedBoot:
CCRaw file loaded 0×80040800-0x800c07ff, assumed entry at 0×80040800
xyzModem – CRC mode, 2(SOH)/512(STX)/0(CAN) packets, 4 retries

6) RedBoot> fis create -r 0×80041000 -e 0×80041000 vmlinux.bin.l7

typical response from RedBoot:
… Erase from 0xa8730000-0xa87b0000: ……..
… Program from 0×80040800-0x800c0800 at 0xa8730000: ……..
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0x80ff0000-0×81000000 at 0xa87e0000: .

7) RedBoot> fis load -l vmlinux.bin.l7

typical response from RedBoot (after a really long pause):
Image loaded from 0×80041000-0x801ba000

8) RedBoot> exec

typical response from RedBoot:
Now booting linux kernel:
Base address 0×80030000 Entry 0×80041000

At this point the serial connection froze. I powercycled La Fonera and observed Redboot come up, and then the serial connection froze again shortly after stating that it was booting the linux kernel… but Wireless Connection Manager showed that MyPlace had been created and I was able to access the onboard web admin. The router is now factory-fresh, circa firmware version 0.7.1 r1! 8)

Next, i’ll leave the Ethernet disconnected, and configure the fonware over a wifi connection to load FreeWLAN. Once that is working, then i’ll install the CAMICIA modified bootloader over SSH *before* I begin experimenting with configuration changes again. ;)

EDIT: The following page of RedBoot Command Line Options helped me a lot in making this tutorial: AdvancedRelay

Building a Cable to Debrick La Fonera WIFI Router

February 8, 2008

Well, all great minds screw up once in a while. I was thrilling away with my La Fonera 1.0, freshly hot-rodded with FreeWLAN v0.9.2, when the Fon came to a screeching halt! I was trying to do something Really Cool, and set it up as a Transparent Ethernet bridge. In this mode, the La Fonera would work as a wifi client device. The WAN Ethernet port would be repurposed as a LAN port, which would be bridged to the upstream LAN and DHCP server. This way, I could turn my tiny USB-Ethernet print server into a wireless one.

Well, it turns out that FreeWLAN’s QRM implementation isn’t quite working perfectly. To make matters worse, I can’t just hold down the ‘ole reset button because that button is ignored until the firmware finishes booting and polls it! This La Fonera isn’t finding the WLAN I configured it to join, so it isn’t setting up it’s virtual interfaces. I’m told that it’s stuck in this incompletely booted state forever. All I can do is ping it under very particular circumstances. No SSH, and no web admin exist any more.

Proponents of FreeWLAN advise flashing the kernel ASAP with one which allows reflashing the firmware over the Ethernet cable. I have done this before, when I was using DD-WRT for the La Fonera, but had not yet done it with this particular router. This leaves only flashing by serial connector. This is often referred to as a “JTAG” connector, but technically the La Fonera just has a serial connector that is simply at a lower voltage (TTL) than the serial port (RS232) you may have on the back of your PC. This requires a voltage-level adjustor. The folks at FreeWLAN were very helpful in providing me a list of options, and I decided that I would build the serial adaptor myself.


La Fonera 1.0 (FON2100) (left), (right) La Fonera 1.1 (FON2200)

The popular design utilizes a Maxim 232 or 3232 integrated circuit. Maxim will provide free samples of this part, with free shipping from their website. I ordered two, which arrived about a week later.

I went to Radio Shack, our local overpriced electronics parts store, for 5 polarized tantalum capacitors, a small breadboard, and a 9-pin female serial connector. The bill came to $12.91 with tax.

I used sections of an old floppy cable for wire and for the connector to the La Fonera, as the holes were exactly right.

As luck would have it, the first one I built didn’t work properly. On my first trip to Radio Shack, I had bought slightly cheaper nonpolarized electrolytic capacitors. The MAX3232 datasheet said that nonpolarized would work, but perhaps that is not so for this particular project. I’m happier with the way the much smaller tantalum capacitors look, anyway.

We have RedBoot!

Also, if I let it boot up uninterrupted, I can hit ENTER for a telnet session to the OpenWRT firmware which the fonware is based on:

Next up is flashing the CAMICIA edition of the linux kernel which permits access to Redboot over the Ethernet port. I may choose XMODEM to transfer files while connected to the serial port. Then i’ll switch to Ethernet to more quickly flash the 0.7.1 edition of fonware which works best with FreeWLAN. Switching to wifi, I’ll manually configure fonware to download FreeWLAN right away, before I ever connect the Ethernet to the Internet, preventing further fonware updates. Fonware updates get slipstreamed into future FreeWLAN editions, and thus the router really does stay up-to-date.

SSH for La Fonera + Plus

October 28, 2007

The first crack for La Fonera Plus comes to us courtesy of FrancoFon. FrancoFon was recently heralded by Fon President Martin Varsavsky for their La Fonera 1.x improvements. Like FreeWLAN, FrancoFon does not replace Fon’s firmware, but adds functionality through modular addons.




How to activate SSH on Fonera Plus

Configure your computer with IP address

Install a little webserver on your computer (like Apache)

Download the file redboot.pl

Download the firmware file firmware_francofon.bin and put it into the home directory of your webserver

Install perl and its dependencies perl-Net-Telnet and also, install fping.

Connect the La Fonera directly to your computer.

Start the previously download script: perl redboot.pl

Start your fonera.

Once done, you should have access to telnet command.

Enter the following command:

ip_address -l -h
and enter:

fis delete image
load -r -b 0×80100000 /firmware_francofon.bin -m HTTP -h
fis create -b 0×80100000 -l 0×00237040 -f 0xA8040000 -e 0×80040400 -r 0×80040400 image

Wait until the end of the flashing! That’s all, you should have now access to SSH

So it looks like the trick was in discovering which IP:port La Fonera Plus was listening to when it powers up, and designing the script to hammer at it. This is how telnet access is aquired, and from there, the firmware_francofon.bin addition can be downloaded from your client PC. SSH is then one of the benefeits of using the FrancoFon add-on.

I’m interested in seeing a comparison of the features between FreeWLAN and FrancoFon to show what each project offers, and which features work better.

It sounds like FrancoFon is sharing their method with FreeWLAN, so we should see that become available for La Fonera Plus soon too!


Make your hotspot mobile with La Fontap

October 12, 2007

Here’s a little project I actually did some months ago. I hope it inspires a wave of (legal) guerilla hotspot activity. Milk your wifi and bring affordable Internet to a hotel or cafe near you!

Some people have discussed tapping a USB connection for 5v DC. You can also tap a PS/2 keyboard port (if you have one) for 5v without any additional circuitry. The tap I have wasn’t entirely built by me. It was provided by Logitech to supply power to an old webcam. It can connect to both large and small keyboard connectors, and has an extra side wire where the 5v is split off. I stripped the wires and determined which one was + and – by trial and error. The power connector was cut off from some other transformer. I keep lots of small parts like this.

Here is a photo of a PS/2 connector showing which pins you need to tap:

Here is a photo of my La Fonera resting comfortably with it’s new power connector:

Here is La Fonera behind my trusty old laptop, showing that it is indeed working with the laptop keyboard port as power source, and Ethernet jack as Internet source. Sorry it is underexposed, I wanted you to see the glowing LEDs better. I hope you can see, on La Fonera I have power, Internet and WLAN lights all working, and also the link light on my Ethernet jack. Click photo for larger version:

Finally, it was necessary to enable Internet Connection Sharing (ICS), which is included with most versions of Windows. Alternatives and equivalents exist for every major operating system.

My Internet source is my WPA encrypted Linksys router, and I need to share it with my La Fonera, which is connected to the Ethernet jack. Sharing can only be enabled for one network device, and it is automatically assumed that every other network device will be bound to it. Note that ICS does not appear as a menu choice unless your computer has at least two enabled networking devices. Under Network Connections, I select the wifi adapter, NOT the Ethernet jack, and enable ICS on the Advanced tab:

Now, what can you use this for? Perhaps you are unable to run an Ethernet cable out to your La Fonera, but are within range of another hotspot which you are permitted to access. Perhaps you would like to provide a Fon hotspot for a group of people, and have a cellular data, WiMax or other wireless modem device to supply the Internet connection. It may even be possible to pay for a connection to an expensive commercial hotspot, and spend a day making some positive income by reselling it at Fon’s cheaper rates to everyone else there. You could even use an existing Fon hotspot; pay for a Fon daily pass, and then resell another Bill’s wifi for your own profit (please get his permission first)!

This arrangement should work to supply at least a basic Internet connection, for WWW and email. It is probably a poor substitute at best, for true WDS meshing, to extend the range of your wifi. Performance will certainly suffer due to latency and the effects of performing NAT behind another NAT. Lastly, ICS does not always recognise unusual network devices, especially ones which require special drivers. Some ISPs may require such drivers to help enforce their one-computer-per-customer Terms of Service.

I’d love to hear from anyone who has milked another wifi hotspot like this. ;)

Join the Beta Testers Team!

June 7, 2007

Apply quickly to be a member of Fon’s Beta Testers Program. Email Fon at beta@fon.com by June 10, 2007. If you are chosen, you’ll have “access” to Fon’s new products and be able to test them before they are available to the public!

  • Candidates must be 18+ years old,
  • read and write passable English,
  • have been an active, registered Fonero for 6+ months,
  • have installed and maintaned a La Fonera for at least 4 months,
  • and live in a select list of countries (including the USA).

Whisher is also seeking Beta Testers for the new Whisher 2.0 client, and they are upping the ante with prizes! They have two Linksys WRT300N Wireless-N routers with matching WUSB300 Wireless-N USB adapters. One prize will be given to a randomly-selected participant, and the another given to the most active tester. Email Whisher at beta@whisher.com. Please include a brief description of your experience and equipment to help them evaluate your application.

  • Candidates must be reasonably familiar with wifi technology and networking concepts,
  • have at least one laptop, PC or Mac that is wireless equipped,
  • have at least one wifi router and the ability to manage it, and
  • have the time to test Whisher’s new client and report dutifully in Whisher’s online bugtracker.

If chosen, you’ll also have access to a private area of the Whisher Forums.

Advance Pix of La Fonera 2.0

June 4, 2007

The bright folks at Engadget.com report that the FCC has recieved registration of Fon’s newest router, the La Fonera 2.0, AKA “The Fon Liberator”. They report that the USB jack appears in only some of the photos and is not mentioned in the documentation they saw.

This appears to be based on the same new hardware as the La Fonera Plus (AKA v1.5). This is arranged differently and is larger than the original v1.0 and v1.1 La Fonera, which was apparently a rebranded Accton MR3201A .pfd link. If anyone knows which product Fon is now rebranding, please comment below!

The question is, since we know this model is coming soon, is superior to the new La Fonera Plus (AKA v1.5) discussed in the last post, and Fon’s 802.11n router is expected at the end of the year (or more likely, fasionably late in early 2008, like all Fon releases), why should we buy the La Fonera Plus (AKA v1.5)? Can you say “Osbourne Effect;)

Advance Pix of La Fonera 1.5

May 30, 2007

No technical details are available at this time, but photos of the upcoming La Fonera 1.5 (AKA “La Fonera Plus”) have come to light. It is somewhat bigger than the La Fonera 1.0 and has an additional Ethernet jack for a LAN connection. The same 4db antenna is provided, so this won’t cut into sales of the Fontenna. 😉

It doesn’t look like any attention was spent on improving air circulation. The new device will obviously be heavier, so the chances of securely attaching it to a window with a double sided suction cup is diminishing. If it turns out to have PoE built in (fat chance), i’ll buy one myself at full price. 😉

Click picture for full size Image. La Fonera 1.5 compared to La Fonera 1.0.

Click picture for full size Image. La Fonera 1.5 compared to La Fonera 1.0.

UPDATE: To our suprise, the La Fonera 1.5/plus does not appear to be based on the Accton MR3202A Mini Router .pdf link. The La Fonera 1.0 is clearly a rebranded MR3201A .pdf link. Accton still has these data sheets for these products, but no longer features them on their Products page. Perhaps Fon bought the 1.0 model at steep discount because of pending discontinuation. Let us know if you’ve found another product that Fon has likely rebranded as the 1.5. This will provide us with operating specs that Fon will never give us willingly. 😉