OpenMesh/Robin on La Fonera

Enabling SSH

Our firmware is 0.7.1 r1. It can be hacked by code injection via http://169.254.255.1/cgi-bin/webif/adv_pf.sh. To do so, the code to be executed is simply entered line by line into the "Destination IP" (or "destip") field of the form and submitted. Alternatively, use the Perl script fondue.pl by Michael Kebe and Stefan Tomanek, available at http://stefans.datenbruch.de/lafonera/

~$ nmap -A 169.254.255.1
Starting Nmap 4.68 ( http://nmap.org ) at 2009-04-07 15:17 CEST
Interesting ports on 169.254.255.1:
Not shown: 1712 closed ports
PORT     STATE SERVICE     VERSION
53/tcp   open  domain      dnsmasq 2.27
80/tcp   open  http        La Fonera WAP http config
8080/tcp open  http-proxy?

~$  echo -e '/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT\n/etc/init.d/dropbear' | perl fondue.pl 169.254.255.1 admin
By your command...
Injecting command /usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT...
Injecting command /etc/init.d/dropbear...
Code has been injected.

~$ ssh root@169.254.255.1
root@169.254.255.1's password: 


BusyBox v1.1.3 (2006.11.21-19:49+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

 _______  _______  _______ 
|   ____||       ||   _   |
|   ____||   -   ||  | |  |
|   |    |_______||__| |__|
|___|

 Fonera Firmware (Version 0.7.1 rev 1) -------------
  * 
  * Based on OpenWrt - http://openwrt.org
  * Powered by FON - http://www.fon.com
 ---------------------------------------------------
root@OpenWrt:~# 

Setting up bootloader access

If anything goes wrong during the later flashing, this way we still have the option of accessing the bootloader and installing a different image.

To do this, first install a patched kernel that gives us write access to the Fonera's flash memory:

~$ wget http://ipkg.k1k2.de/hack/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
~$ scp openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma root@169.254.255.1:/tmp
~$ ssh root@169.254.255.1
root@OpenWRT:~# cd /tmp && mtd -r -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
Unlocking vmlinux.bin.l7 ...
Erasing vmlinux.bin.l7 ...
Writing from openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma to vmlinux.bin.l7 ...  [w]

Since the Fonera now reboots, SSH has to be opened again first. Then comes the actual bootloader hack:

~$ wget http://ipkg.k1k2.de/hack/out.hex
~$ scp out.hex root@169.254.255.1:/tmp
~$ ssh root@169.254.255.1
root@OpenWRT:~# cd /tmp && mtd -r -e "RedBoot config" write out.hex "RedBoot config"

The Fonera reboots once more. After that you can log in to the RedBoot bootloader. Before doing so, though, you should make the kernel and filesystem images available on the computer, either via TFTP or HTTP. Here both are fetched from the web server.

Flashing the Fonera with OpenWRT Kamikaze 7.09

~$  telnet 192.168.1.254 9000
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.

RedBoot>  ip_address -l 192.168.1.254 -h 192.168.1.253
IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.253

RedBoot> load -r -b %{FREEMEMLO} /openwrt-atheros-2.6-vmlinux.lzma -m HTTP
Raw file loaded 0x80040800-0x801007ff, assumed entry at 0x80040800

RedBoot>  fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040800-0x80100800 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

RedBoot> fis free
0xA80F0000 .. 0xA87E0000

RedBoot> load -r -b %{FREEMEMLO} /openwrt-atheros-2.6-root.squashfs -m HTTP
Raw file loaded 0x80040800-0x801607ff, assumed entry at 0x80040800

RedBoot> fis create -l 0x6f0000 rootfs
... Erase from 0xa80f0000-0xa87e0000:
...............................................................................................................
... Program from 0x80040800-0x80160800 at 0xa80f0000: ..................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
vmlinux.bin.l7    0xA8030000  0x80041000  0x000C0000  0x80041000
rootfs            0xA80F0000  0x80040800  0x006F0000  0x80040800
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

RedBoot> reset

Logging in to the liberated La Fonera

$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------


BusyBox v1.4.2 (2007-09-29 07:21:40 CEST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------

Flashing the Fonera with OpenWRT Kamikaze 8.09

~$ telnet 192.168.1.254 9000
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
RedBoot> ip_address -l 192.168.1.254 -h 192.168.1.253
IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.253
RedBoot> load -r -b %{FREEMEMLO} -m HTTP /openwrt-atheros-vmlinux.lzma
Raw file loaded 0x80040800-0x801007ff, assumed entry at 0x80040800
RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040800-0x80100800 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis free
  0xA80F0000 .. 0xA87E0000
RedBoot> load -r -b %{FREEMEMLO} -m HTTP /openwrt-atheros-root.squashfs
Raw file loaded 0x80040800-0x801e07ff, assumed entry at 0x80040800
RedBoot> fis create -l 0x6F0000 rootfs
... Erase from 0xa80f0000-0xa87e0000: ...............................................................................................................
... Program from 0x80040800-0x801e0800 at 0xa80f0000: ..........................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
vmlinux.bin.l7    0xA8030000  0x80041000  0x000C0000  0x80041000
rootfs            0xA80F0000  0x80040800  0x006F0000  0x80040800
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
RedBoot> reset

Logging in to the liberated La Fonera

~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------


BusyBox v1.11.2 (2009-01-05 06:34:55 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (8.09, r14511) ----------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------

Flashing RO.B.IN onto the Fonera

~$ telnet 192.168.1.254 9000
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
RedBoot> ip_address -l 192.168.1.254 -h 192.168.1.253
IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.253
RedBoot> load -r -b %{FREEMEMLO} -m HTTP /Robin/openwrt-atheros-vmlinux.lzma
Raw file loaded 0x80040800-0x800f07ff, assumed entry at 0x80040800
RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
... Erase from 0xa8030000-0xa80e0000: ...........
... Program from 0x80040800-0x800f0800 at 0xa8030000: ...........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis free
  0xA80E0000 .. 0xA87E0000
RedBoot>  load -r -b %{FREEMEMLO} -m HTTP /Robin/openwrt-atheros-root.jffs2-64k
Raw file loaded 0x80040800-0x805007ff, assumed entry at 0x80040800
RedBoot> fis create -l 0x700000 rootfs
... Erase from 0xa80e0000-0xa87e0000: 
................................................................................................................
... Program from 0x80040800-0x80500800 at 0xa80e0000: ............................................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
vmlinux.bin.l7    0xA8030000  0x80041000  0x000B0000  0x80041000
rootfs            0xA80E0000  0x80040800  0x00700000  0x80040800
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
RedBoot> reset

Robin wants to get its IP address via DHCP

So it should be allowed to ;)

BTW, Robin uses 169.254.0.0 as its gateway (interface gate0). Watch out!

Logging in to the liberated La Fonera

~$ ssh -l root $IP
root@A.B.C.D's password: 


BusyBox v1.8.2 (2008-11-17 16:50:09 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                          ________             __ 
 |       |.-----.-----.-----.  _  |        |.-----.----|  |__
 |   -   ||  _  |  -__|     | |_| |  |  |  ||  -__|__--|     |
 |_______||   __|_____|__|__|     |__|__|__||_____|____|__|__|
          |__|  http://www.open-mesh.com ---------------------

 Powered by these open source projects:

 http://www.blogin.it       http://kokoro.ucsd.edu/nodogsplash
 http://www.openwrt.org     http://www.open-mesh.org
 http://www.olsr.org        http://coova.org/
 running: r1522 2.6.23.17 OLSR nodogsplash open-mesh
 01110010 01101111 01100010 01101001 01101110
 -------------------------------------------------------------

dmesg

root@open-mesh:~# dmesg | sed -e "s/^/ /"
Linux version 2.6.23.17 (ansanto@ansanto-desktop) (gcc version 4.1.2) #27 Sat Jan 31 17:28:27 CET 2009
CPU revision is: 00019064
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
On node 0 totalpages: 4096
  Normal zone: 32 pages used for memmap
  Normal zone: 0 pages reserved
  Normal zone: 4064 pages, LIFO batch:0
  Movable zone: 0 pages used for memmap
Built 1 zonelists in Zone order.  Total pages: 4064
Kernel command line: console=ttyS0,9600 rootfstype=squashfs,jffs2 init=/etc/preinit
Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 16kB, 4-way, linesize 16 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 64 (order: 6, 256 bytes)
Using 92.000 MHz high precision timer.
console [ttyS0] enabled
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Memory: 13580k/16384k available (1865k kernel code, 2804k reserved, 302k data, 120k init, 0k highmem)
Calibrating delay loop... 183.50 BogoMIPS (lpj=917504)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Radio config found at offset 0xf8(0x1f8)
AR531x PCI init... 
registering PCI controller with io_map_base unset
done
Generic PHY: Registered new driver
PCI: fixing up device 0,3,0
PCI: Failed to allocate mem resource #1:4000000@84000000 for 0000:00:00.0
PCI: Failed to allocate mem resource #1:4000000@84000000 for 0000:00:01.0
PCI: Failed to allocate mem resource #1:4000000@84000000 for 0000:00:02.0
PCI: Failed to allocate mem resource #1:4000000@84000000 for 0000:00:03.0
PCI: Failed to allocate mem resource #2:400000@81400000 for 0000:00:03.0
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP reno registered
ar531x: Registering GPIODEV device
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver $Revision: 1.90 $ 1 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0xb1100003 (irq = 37) is a 16550A
ICPlus IP175C: Registered new driver
Infineon ADM6996: Registered new driver
Marvell 88E6060: Registered new driver
eth0: Atheros AR231x: 00:18:84:24:75:c8, irq 4
ar2313_eth_mii: probed
eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=0:00)
cmdlinepart partition parsing not available
Searching for RedBoot partition table in spiflash at offset 0x7d0000
Searching for RedBoot partition table in spiflash at offset 0x7e0000
5 RedBoot partitions found on MTD device spiflash
Creating 5 MTD partitions on "spiflash":
0x00000000-0x00030000 : "RedBoot"
0x00030000-0x000e0000 : "vmlinux.bin.l7"
0x000e0000-0x007e0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
split_squashfs: no squashfs found in "spiflash"
0x007e0000-0x007ef000 : "FIS directory"
0x007ef000-0x007f0000 : "RedBoot config"
Registered led device: wlan
gpiodev: gpio device registered with major 254
gpiodev: gpio platform device registered with access mask FFFFFFFF
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP vegas registered
NET: Registered protocol family 1
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
eth0: Configuring MAC for full duplex
VFS: Mounted root (jffs2 filesystem) readonly.
Freeing unused kernel memory: 120k freed
Please be patient, while OpenWrt loads ...
Algorithmics/MIPS FPU Emulator v1.5
device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering learning state
br-lan: topology change detected, propagating
br-lan: port 1(eth0) entering forwarding state
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
IPP2P v0.8.1_rc1 loading
IMQ starting with 2 devices...
IMQ driver loaded successfully.
    Hooking IMQ before NAT on PREROUTING.
    Hooking IMQ after NAT on POSTROUTING.
ipt_time loading
ip_queue: failed to register queue handler
wlan: trunk
ath_hal: module license 'Proprietary' taints kernel.
ath_hal: 2008-10-02 (AR5212, AR5312, RF5111, RF5112, RF2316, RF2317, REGOPS_FUNC, TX_DESC_SWAP, DFS, XR)
ath_rate_sample: 1.2 (trunk)
wlan: mac acl policy registered
ath_ahb: trunk
Atheros HAL provided by OpenWrt, DD-WRT and MakSat Technologies
wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: turboG rates: 6Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
ath_ahb: wifi0: Atheros 2315 WiSoC: mem=0xb0000000, irq=3
gpio-buttons driver version 0.1.1
br-lan: port 1(eth0) entering disabled state
device eth0 left promiscuous mode
br-lan: port 1(eth0) entering disabled state
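The three RedBoot flash sessions above and the dmesg output share one piece of bookkeeping that is easy to get wrong by hand: the `fis list` table must have no overlapping partitions, each image loaded with `load -r` must fit into the partition it is written to, and the MTD partitions the kernel later reports in dmesg are the same table expressed as offsets from the flash base. The following script is an added example (not code from the original page or from the Robin project) that performs those three checks. The flash base 0xA8000000 is taken from the RedBoot entry of the `fis list` output; the sample inputs are the `fis list`, `Raw file loaded` and dmesg partition lines from the RO.B.IN session, embedded as constructed test data.

```python
"""Added example (not from the original page or the Robin project): cross-check a
RedBoot FIS partition table against the images that were loaded into RAM and
against the MTD partitions the Linux kernel later derives from the same table."""
import re

# The flash is memory-mapped at this base on the La Fonera (the RedBoot entry in
# 'fis list' starts at 0xA8000000); dmesg reports partitions as offsets from it.
FLASH_BASE = 0xA8000000

# Constructed sample input: the 'fis list' output from the RO.B.IN flash session.
FIS_LIST = """\
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
vmlinux.bin.l7    0xA8030000  0x80041000  0x000B0000  0x80041000
rootfs            0xA80E0000  0x80040800  0x00700000  0x80040800
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000
"""

# Constructed sample input: the 'Raw file loaded' lines RedBoot printed for the images.
LOADED = {
    "vmlinux.bin.l7": "Raw file loaded 0x80040800-0x800f07ff, assumed entry at 0x80040800",
    "rootfs": "Raw file loaded 0x80040800-0x805007ff, assumed entry at 0x80040800",
}

# Constructed sample input: the MTD partition lines from the dmesg output.
DMESG = """\
0x00000000-0x00030000 : "RedBoot"
0x00030000-0x000e0000 : "vmlinux.bin.l7"
0x000e0000-0x007e0000 : "rootfs"
0x007e0000-0x007ef000 : "FIS directory"
0x007ef000-0x007f0000 : "RedBoot config"
"""

HEX = r"0x([0-9A-Fa-f]+)"
# Partition names may contain spaces ("FIS directory"), so the name is matched
# lazily and the four hex columns anchor the end of the line.
FIS_RE = re.compile(rf"^(?P<name>\S.*?)\s+{HEX}\s+{HEX}\s+{HEX}\s+{HEX}\s*$")


def parse_fis_list(text):
    """Map partition name -> (flash address, length), skipping the header line."""
    parts = {}
    for line in text.splitlines():
        m = FIS_RE.match(line)
        if m:
            parts[m.group("name")] = (int(m.group(2), 16), int(m.group(4), 16))
    return parts


def loaded_size(line):
    """Byte count of an image from RedBoot's 'Raw file loaded 0xSTART-0xEND' line
    (END is the address of the last byte, so the range is inclusive)."""
    m = re.search(rf"{HEX}-{HEX}", line)
    return int(m.group(2), 16) - int(m.group(1), 16) + 1


def parse_dmesg_partitions(text):
    """Map partition name -> (offset from flash base, length) from the kernel's
    'Creating N MTD partitions' lines."""
    parts = {}
    for m in re.finditer(rf'{HEX}-{HEX} : "([^"]+)"', text):
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        parts[m.group(3)] = (start, end - start)
    return parts


def free_range(fis):
    """Largest unallocated gap between partitions, i.e. what 'fis free' reports
    (None when the table has no gap)."""
    ordered = sorted(fis.values())
    best = None
    for (a1, l1), (a2, _) in zip(ordered, ordered[1:]):
        gap = (a1 + l1, a2)
        if a2 > a1 + l1 and (best is None or gap[1] - gap[0] > best[1] - best[0]):
            best = gap
    return best


def check_layout(fis, loaded, dmesg=None):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    # 1. Partitions must not overlap (checked in flash-address order).
    ordered = sorted(fis.items(), key=lambda kv: kv[1][0])
    for (n1, (a1, l1)), (n2, (a2, _)) in zip(ordered, ordered[1:]):
        if a1 + l1 > a2:
            problems.append(f"{n1} ends at 0x{a1 + l1:08X} but {n2} starts at 0x{a2:08X}")
    # 2. Every image that was loaded must fit into the partition it is written to.
    for name, line in loaded.items():
        size = loaded_size(line)
        if name not in fis:
            problems.append(f"no partition named {name}")
        elif size > fis[name][1]:
            problems.append(f"{name}: image is 0x{size:X} bytes, partition only 0x{fis[name][1]:X}")
    # 3. The kernel's MTD partitions are offsets from FLASH_BASE and must agree with
    #    the FIS directory, otherwise the rootfs is mounted from the wrong place.
    for name, (off, length) in (dmesg or {}).items():
        if fis.get(name) != (FLASH_BASE + off, length):
            problems.append(f"{name}: kernel sees 0x{FLASH_BASE + off:08X}/0x{length:X}, FIS says {fis.get(name)}")
    return problems


if __name__ == "__main__":
    table = parse_fis_list(FIS_LIST)
    without_rootfs = {k: v for k, v in table.items() if k != "rootfs"}
    lo, hi = free_range(without_rootfs)
    print(f"fis free before creating rootfs: 0x{lo:08X} .. 0x{hi:08X}")
    print("problems:", check_layout(table, LOADED, parse_dmesg_partitions(DMESG)) or "none")
```

Run on the RO.B.IN session data the script reports no problems, and with rootfs left out it reproduces the `0xA80E0000 .. 0xA87E0000` range that `fis free` printed. The image-size check is the one worth keeping around: when `fis create` is given no `-l`, RedBoot sizes the partition from the image just loaded (which is why the kernel partition is 0xC0000 in the Kamikaze sessions but 0xB0000 in the Robin session), whereas the rootfs length is typed by hand, so feeding the script a larger `Raw file loaded` range than the partition allows shows the mismatch before anything is erased.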