For some reason, La Fonera only allows users to upload firmware released by FON.com. The /bin/fonverify upgrade script, written by Pablo Martin, uses public-key cryptography to protect the firmware images. Each firmware image carries a RIPEMD-160 message digest for verification, and only verified images are written to the flash.

However, since La Fonera is OpenWRT-based, you can do anything on the device once you are logged into the system. There are several ways to get there.

Some FON routers leave the JTAG pins on the board. La Fonera is based on the Atheros AR531X SoC, which uses standard MIPS EJTAG v2.6. If you have a JTAG cable, you can write the flash via the JTAG interface. However, mine doesn't have the JTAG pin header, so I had to solder the header on myself.

Inside of the Fonera

Another way to access the system is using a TTL level shifter. Jauzsi has a post describing the serial pinouts for the Fonera. There are some HOWTOs (Activar SSH en la Fonera, Habilitando acceso por ssh a la fonera) teaching people how to make a TTL-to-RS232 converter to connect to the Fonera. Once connected via RS232 you get the serial console, and you can also access the RedBoot bootloader.

All these methods need some electronic components. Luckily, there are some security issues in the current firmware. For example, La Fonera executes a script named “thinclient” every time the router boots up. The “thinclient” script uses “ssh” to connect to the download.fon.com host on port 1937 and fetch the config scripts from FON.com. We can use dnsspoof and some other program to make the router download a script we want it to run.

To do that, you need some networking skills. There is another, easier way to make the router run specified commands. There was a CGI bug in the web admin interface that lets you easily inject shell commands through an HTML form. BingoBommel posted an example on blogspot.com. I have tested this vulnerability on my device, which runs version 0.7.0.4. FON.com has already fixed the problem in the latest firmware, 0.7.1.1.

But you probably do not have the source code of the scripts before you get into the system. I have written a script to “unfonify” (copied from /bin/fonverify) the upgrade archives. You can download the latest firmware and uncompress the files with the script. Stefans Datenbruch has put the 0.7.1.1 archive files on his web site, and his “Hacking the La Fonera” is very informative too.

La Fonera has dropbear installed. Once you are logged into the system, you can start the SSH server and log in with the root account using the password “admin”. Then you can reflash any firmware you want on the device.

I’ll try to make La Fonera work with the porta2030 network. Now, have fun. 😉