Thursday 6 September 2007

EZ hack, FON 0.7.1 r5

It is truly amazing how sometimes the easiest things turn out to be the most difficult and long-winded, yet on reflection they are trivially simple once you know how.

I received a FON router a few days ago but never got around to setting it up, although I had already done a few for family and friends, sending them off to DD-WRT land.

So, last night I promptly plugged mine in and opened up sshenable.html (right click, save as: http://uselesshacks.com/wp-content/uploads/2007/03/sshenable.htm) to sort out dropbear. I didn't check the firmware version, just assumed it was 0.7.1 r2 like all the rest I had done. The HTML injection produced an error page, and thereafter every page on the router produced the dreaded "bus error" text on a plain white background.

The only page that still responded was the firmware upgrade page, so I went to FON's website, downloaded the firmware and flashed the router, and voilà, it worked fine.

Except I was now on 0.7.1 r5?! Huh?!
I tried sshenable again, but got the same error on the DHCP page. I tried changing the DNS address to the "well known one" and using PuTTY to SSH in, but that didn't work either, multiple times.

I hit the FON boards in desperation, only to find that some say r5 works with the DNS server hack (although I had the distinct impression they hadn't tried), whilst others say r5 is immune to it.

The changelog for r5 shows that it is now immune to the DNS server hack. I either had to crack this thing open and do the serial port mod, or wait until someone came out with a hack.

Like me.

This is how you do it.
Run sshenable against the router. This produces the dreaded error, and will probably leave you with "bus error" on every page. That is good.

Go and download WinPcap.
Go and download ap51-flash-fonera-gui-1.0-24.exe from
http://fon.testbox.dk/flashing/GUIflasher/

Find your way here:
http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Frelease+candidates%2FDD-WRT+v24+RC2%2FFonera/
and get root.fs and vmlinux.bin.l7.

You are set.

Open up ap-51. For rootfs, select the file root.fs; for kernel, select your file vmlinux.bin.l7.
Tick the box that says ddwrt..nvram.

Make sure your FON router is unplugged from the mains but the Ethernet cable is plugged into your PC. It doesn't matter what your PC's IP address is set to: the flasher crafts its own packets to the router's bootloader through WinPcap (which is why WinPcap is needed) rather than going through your PC's IP stack.

Now click the "go" button in ap-51, wait a few seconds while the errors go past, then plug the FON into the power. In around 10 seconds you should see some status messages going by, and you will see root.fs being uploaded to your FON, automagically. It will then proceed to flash root.fs. Be aware, this took me 13 minutes.

The second, automatic stage is where the kernel is written and flashed to the Fonera; this will take a further 8 minutes or so. Once complete, ap-51 will close with no messages, and your FON will reboot.

Leave it alone for about 10 minutes and let it do its thing, then try to connect via the Ethernet port; it should be on 192.168.1.1.
You should also see a wireless SSID pop up: dd-wrt.
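Before committing to a twenty-minute flash it is worth checking that the two images you downloaded are the ones the DD-WRT site actually published, since a truncated or swapped root.fs or kernel is the quickest way to turn a half-brick into a full one. The script below is an added example, not from the original post or from the ap51-flash project. It assumes you copy the SHA-256 digests for root.fs and vmlinux.bin.l7 from the download page (the digests in the usage line are placeholders), and that sha256sum, shasum or openssl is installed; it downloads nothing.

```shell
#!/bin/sh
# verify_fonera_images.sh: check the DD-WRT Fonera images before feeding them
# to ap51-flash. Added example; not part of the original post or of ap51-flash.
# Assumption: you paste the SHA-256 digests published for root.fs and
# vmlinux.bin.l7 from the DD-WRT download page. Nothing here touches the network.

# Print the SHA-256 of a file, using whichever tool the machine has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Return 0 when the file exists, is non-empty and hashes to the expected
# digest (compared case-insensitively); return 1 otherwise, reason on stderr.
check_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "empty: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $file: got $actual, expected $expected" >&2
        return 1
    fi
    echo "ok: $file ($(wc -c < "$file" | tr -d ' ') bytes)"
    return 0
}

# Check both images and refuse the go-ahead if either one fails.
verify_images() {
    rootfs=$1; rootfs_sha=$2; kernel=$3; kernel_sha=$4
    rc=0
    check_image "$rootfs" "$rootfs_sha" || rc=1
    check_image "$kernel" "$kernel_sha" || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "both images verified; safe to select them in ap51-flash"
    else
        echo "do NOT flash: at least one image failed verification" >&2
    fi
    return "$rc"
}

# Usage (digests are placeholders; take the real ones from the download page):
#   sh verify_fonera_images.sh root.fs <sha256> vmlinux.bin.l7 <sha256>
if [ "$#" -eq 4 ]; then
    verify_images "$1" "$2" "$3" "$4"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 root.fs <sha256> vmlinux.bin.l7 <sha256>" >&2
fi
```

If the download page only lists MD5 sums, swap in md5sum; MD5 still catches a truncated download, even though it no longer protects against deliberate substitution. Run it on the exact files you will point ap-51 at, and only start the flash if it prints the "both images verified" line.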

Smile, sit back and have a smoke, for we are complete.

P.S. I don't do pictures; the text is comprehensive, but if you don't understand I can explain further in the comments.
I am not sure at which stage SSH became enabled permanently, but it was before using ap-51, so perhaps it was a basic recovery built into the FON after half-bricking it with sshenable.html. I know I didn't consciously do it myself. Also, the DNS server hack was not working for me, and if by magic it did, it would only enable SSH for that session, whereas my router had SSH on permanently after the half-brick.

If you prefer, you can use ap-51 with no files selected, and you will end up with FON firmware plus the Freifunk extensions, with SSH on by default, if you want to upgrade to something else from there.

Enjoy

5 comments:

Francois Maree said...

Oh I am so proud of you when I read about how you hax0r your way through these half-bricks. I taught you well my young grasshopper. :D

Unknown said...

I keep getting an error in ap51: "stderr: Telnet for RedBoot not enabled." Any ideas why this is happening?

Unknown said...

Or just save yourself all the trouble of having to half-brick it, and just hold down the reset button on the bottom when you put the power back on. It sends the router into accept-flash mode. Works even with bricked routers.

Swappage said...

I have a problem :( The flashing process starts, it uploads the rootfs and flashes it, it then uploads the kernel and starts flashing it, but after a while the program says "stderr: no radboot prompt."

Petrus 1964 said...

Thanks a lot for the guide. I did not manage to get the error messages quoted when using dropbear/SSH. The web interface just said "invalid option".
When I flashed the first time I got error messages stating the sum was 40 and not 62? bytes.
After 15 minutes there was no completion, so I tried again. This time no error messages :-)
DD-WRT is running smooth now...