La Fonera 2100 and OpenWRT 7.09 Kamikaze

Most of this manual, or similar, can be found from multiple differen web sites. This manual is a collection of procedures that worked for me. REMEMBER! do this on your own risk, because this can result into a bricked box.

The box itself is interesting, because it contains Atheros wireless and you can get it very cheaply or even for free. Check out La Fonera site.

You need to have the OpenWRT 7.09 kamikaze binaries (openwrt-atheros-2.6-vmlinux.lzma, openwrt-atheros-2.6-root.squashfs) and at least fping and tftpd packages installed on your machine. On the hardware side you will probably need an extra router.

If you have a La Fonera box that says to be version 0.7.2.r3. In that version all (?) of the bugs, used to get the box SSH enabled, were fixed. Luckily there is a work around. For the work around you need extra router that you can use to fool the box.

The basic idea in this work around is to set the extra router LAN IP to 213.134.45.129 and the mask to 255.255.255.0 and its DNS settings to static and both primary and secondary DNS addresses to address 88.198.165.155. Now connect the La Fon to the switch of the extra router. Remeber keep the WAN cable of the extra router at this point.

Now connect to the La Fons wireless access point. The La Fon box should be visible with ESSIDs LaFon (or something alike) and MyPlace. Connect to the MyPlace ESSID. When connection to the AP the WAP passphrace is the serial number on the bottom of the device. Access the La Fons web interface and go to the advanced menu and under it internet connection. In this menu you will have a change to select IP settings. If the box is new and nothing is changed the username/passwd for the advanced menu should be admin/admin. Now set the node to have a static IP 213.134.45.200 mask 255.255.255.0 and set the gateway to 213.134.45.129 and the DNS to the same address as the gateway. Now press submit on the page and the should down grade to older version. For me it was 0.7.0.r4. Now you can create the following file on your machine and open it in your browser.

<html> <head></head><body><center> <form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data"> <input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT && /etc/init.d/dropbear)" /> <input type="submit" name="submit" value="Submit" /> </form> </center></body></html>

After pressing the submit button on the page. The La Fon web interface complaining about invalid username. The consequence should be that you can open an ssh connection to the box with command "ssh root@192.168.10.1" with the root password admin. Below is the output from the Box.

root@192.168.10.1's password: BusyBox v1.1.3 (2006.09.11-19:54+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. _______ _______ _______ | ____|| || _ | | ____|| - || | | | | | |_______||__| |__| |___| Fonera Firmware (Version 0.7.0 rev 4) ------------- * * Based on OpenWrt - http://openwrt.org * Powered by FON - http://www.fon.com ---------------------------------------------------

Next you want to get the devices redboot enabled. The idea is to get couple of files and write the files to the flash with mtd. Below are the commands and their outputs. Remember to put the WAN cable back to the extra router (do not wait too long before the next steps because the fon box may try to upgrade).

root@OpenWrt:~# wget http://fonera.info/camicia/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma Connecting to fonera.info[87.106.220.204]:80 openwrt-ar531x-2.4-v 100% |***************************************************************************| 512 KB 00:00 ETA root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7 Unlocking vmlinux.bin.l7 ... Erasing vmlinux.bin.l7 ... Writing from openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma to vmlinux.bin.l7 ... [[w] root@OpenWrt:~# reboot ... Enable the SSH with the web form from above and connect again ... root@OpenWrt:~# wget http://fonera.info/camicia/out.hex Connecting to fonera.info[87.106.220.204]:80 out.hex 100% |***************************************************************************| 4096 00:00 ETA root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config" Unlocking RedBoot config ... Erasing RedBoot config ... Writing from out.hex to RedBoot config ... [w]

Now the box should boot to redboot only and listening to telnet on port 9000. Connect your machine directly to the La Fons WAN port and setup your machines IP address to 192.168.1.161/24 and add the default route to the interface ("sudo ip addr add 192.168.1.161/24 dev eth0" and "sudo route add default dev eth0", it may be easier if you kill the NetworkManager process so it does not try to mess with the addresses). You can use the following script to connect to the box. This script is just a helper and it can be done manually. If this is an install to a "virgin" box just telnetting to the address 192.168.1.254 and port 9000 is enough. After the installation, if the fconfigs boot option is set to true you will have from 4 to 10 seconds to connect to the redboot before it starts loads and execs the linux partition.

while true; do fping -t 200 192.168.1.254 && break; done; \ sleep 5; echo -e "\x3" | nc -w 1 -vvv 192.168.1.254 9000 ; \ telnet 192.168.1.254 9000

Next you will have to have tftpd server running on your machine. Make /tftpboot directory on your machine and modify the /etc/inetd.conf to contain the following line (note the /tftpboot in the end, default is /srv/tftp, but usually the root is tftpboot).

tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /tftpboot

Set the rights of the folder to 777 (sudo chmod 777 /tftpboot) and its owner to nobody (sudo chown nobody /tftpboot). Copy the OpenWRT files to the /tftpboot and chmod them to 777 and chown them to nobody. After this restart or start inetd service so it reads the new config.

Now to the interesting part, the rewriting of the flash. First telnet to the La Fon connected directly to your machine. Then setup the tftp on the La Fon. NOTE! that some of the commands can take even 20 minutes so no hurry.

RedBoot> ip_address -l 192.168.1.254/24 -h 192.168.1.161 IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0 Default server: 192.168.1.161

After this you need to get the kernel, initialize the flash and create a partition for it. Below is the commands and the outputs on the Fon box. In the "fis create" do not change the memory addresses because otherwise the kernel won't be loaded.

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-2.6-vmlinux.lzma Using default protocol (TFTP) Raw file loaded 0x80040800-0x801007ff, assumed entry at 0x80040800 RedBoot> fis init About to initialize [format] FLASH image system - continue (y/n)? y *** Initialize FLASH Image System ... Erase from 0xa87e0000-0xa87f0000: . ... Program from 0x80ff0000-0x81000000 at 0xa87e0000: . RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7 ... Erase from 0xa8030000-0xa80f0000: ............ ... Program from 0x80040800-0x80100800 at 0xa8030000: ............ ... Erase from 0xa87e0000-0xa87f0000: . ... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

After this you have to check the free space available

RedBoot> fis free 0xA80F0000 .. 0xA87E0000

After this extract the first from the later.

machine:~# bc obase=16 ibase=16 A87E0000 - A80F0000 6F0000

Now load the root filesystem to the box and create the partition for it. In the "fis create" REMEMBER to add the extra 00 to the start of the length of the free space.

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-2.6-root.squashfs Using default protocol (TFTP) Raw file loaded 0x80040800-0x801607ff, assumed entry at 0x80040800 RedBoot> fis create -l 0x006F0000 rootfs ... Erase from 0xa80f0000-0xa87e0000: ............................................................................................................... ... Program from 0x80040800-0x80160800 at 0xa80f0000: .................. ... Erase from 0xa87e0000-0xa87f0000: . ... Program from 0x80ff0000-0x81000000 at 0xa87e0000: . RedBoot>

Now the flash layout should look something like this (this output is taken from box containing a modded version of OpenWRT so the lengths may vary a bit).

RedBoot> fis list Name FLASH addr Mem addr Length Entry point RedBoot 0xA8000000 0xA8000000 0x00030000 0x00000000 vmlinux.bin.l7 0xA8030000 0x80041000 0x000B0000 0x80041000 rootfs 0xA80E0000 0x80040800 0x00700000 0x80040800 FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0x00000000 RedBoot config 0xA87EF000 0xA87EF000 0x00001000 0x00000000 RedBoot>

The boot configuration should look something like this.

RedBoot> fconfig -l Run script at boot: true Boot script: .. fis load -l vmlinux.bin.l7 .. exec Boot script timeout (1000ms resolution): 10 Use BOOTP for network configuration: false Gateway IP address: 0.0.0.0 Local IP address: 192.168.1.254 Local IP address mask: 255.255.255.0 Default server IP address: 0.0.0.0 Console baud rate: 9600 GDB connection port: 9000 Force console for special debug messages: false Network debug at boot time: false

Now power cycle the box and try to telnet to 192.168.1.1 port 23 and you should get into the Fon box.

user@machine:~$ telnet 192.168.1.1 23 Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'. === IMPORTANT ============================ Use 'passwd' to set your login password this will disable telnet and enable SSH ------------------------------------------ BusyBox v1.4.2 (2007-09-29 07:21:40 CEST) Built-in shell (ash) Enter 'help' for a list of built-in commands. _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M KAMIKAZE (7.09) ----------------------------------- * 10 oz Vodka Shake well with ice and strain * 10 oz Triple sec mixture into 10 shot glasses. * 10 oz lime juice Salute! --------------------------------------------------- root@OpenWrt:/#

If you got this far and everything is OK. From here it is just configuring the OpenWRT, like setting up the wireless and so on.

All of these manuals/tutorials are provided as is. They worked for me and that is all the help I give with them, so if I forgot something or there is a typo you can inform me but do not expect me to solve your problems :) Oh and almost forgot, use them at your own risk.