ax0n over at h-i-r.net inspired me to attempt, and successfully build, this project. His 3 part series (part 1, part 2, part 3) is Awesome (capital A), and he certainly deserves all the credit for doing the heavy lifting and providing an excellent write up. I used it as my template throughout the entire process.

This document will reference his article a LOT. I suggest you stop reading this (for now) and head directly to his article to familiarize yourself with it.

I am simply going to focus on OSX (Snow Leopard – 10.6). I wanted this to be available on my MacBook at the drop of a hat.

“So, uh… other than that, what’s the point of this ‘article’?” Hmmm… great question. I better get started before you leave.

Note: I’m assuming you have met all of the hardware requirements in the h-i-r.net article.


Step 1: Flashing the Fon

Enable RedBoot! I used this guide. The problem, however, is that once I had established the ssh connection to the Fon, I was unable to wget the files. Additionally, I was unable to ping anything external. I’m sure I was doing something wrong and there is a simple fix (comment if there is). So what should I do now? I mean, stuck at the second step in the instructions? Fail. To work around the issue, grab the files referenced in the instructions from here and here, and while you’re at it grab this (you’ll need all of these files), launch a tftp server, unpack the files and place them in the tftp server directory. Then start the server (be sure to make note of its IP address). I placed the files in a root dir called “tftp”; this makes it a little easier when typing the path.


Enabling Redboot

Now that we have the files living in the tftp server dir, launch a terminal, connect to the Fon via ssh and issue the following commands, using the syntax wget http://[ip.add.re.ss]/[dir]/[filename] to grab the files:

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma 
root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
root@OpenWrt:~# reboot

After the Fon comes back online, ssh back in and follow the remaining steps in the instructions to enable RedBoot.

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://201.37.100.106/tftp/out.hex
root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
root@OpenWrt:~# reboot

Once you get to the section “now your ready to flash”, you can stop. Those instructions follow a path we aren’t going to.

Installing the Jasager Firmware

Head over to digininja’s site and follow the instructions here “for firmware users”. I skipped the redboot.pl installation, as we already have RedBoot enabled and working. Download Jasager, unpack it and place it in your tftp dir (if you didn’t do it earlier). The ONLY tricky part during the flash process is to be SURE you copy and paste the commands, or triple check your typing. I mistakenly forgot to load vmlinux.bin.l7. It didn’t brick the Fon, but I was scared to reboot it.


RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801003ff, assumed entry at 0x80040400
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
 
< Wait for a while > note: This took about 2 minutes
 
... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040400-0x80100400 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801e03ff, assumed entry at 0x80040400
RedBoot> fis create -l 0x6F0000 rootfs
 
< Wait for a long while > note: This took almost 15 minutes. Don’t panic. It’s working.
 
... Erase from 0xa80f0000-0xa87e0000: ...........
... Program from 0x80040400-0x801e0400 at 0xa80f0000: ..........................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
 
RedBoot> fconfig
Run script at boot: true
Boot script: 
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.l7
>> exec
>> 
Boot script timeout (1000ms resolution): 2 (My default was 10)
Use BOOTP for network configuration: false
Gateway IP address: 
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
 
^]
telnet> Connection closed.
root@desktop ~ # 

Sweet!

The hard part is over. So what happens if you make a mistake in fconfig like me? Type fconfig -n and it will list all of the nicknames of the fields you can change. The shell doesn’t know what delete is, and there is all sorts of RedBoot keyboard-fu you can use to control input. I found it easier to type, at the RedBoot> prompt, fconfig field_name [value]. So for example, if you accidentally entered 192.168.1.11 for the local IP address, you could fix just that field by typing:

RedBoot> fconfig bootp_my_ip 192.168.1.1

Let the Fon reboot, make sure you can ping 192.168.1.1 after all the lights look good, then open your browser and hit http://192.168.1.1:1471.

The Jasager interface *should* open. If it does not after a few minutes, try the following.

  1. Make sure you are loading and executing vmlinux.bin.l7 in the fconfig boot script.
  2. Reboot the Fon.
  3. Double and triple check fconfig.

If all else fails, repeat the process. I ended up flashing almost 10 times for various reasons, ranging from mistakes I made in the network config to the Fon not playing nice with DHCP. If you need to reflash, RedBoot is only available for a few seconds while the Fon is booting. I hope your timing is still there (image: SMB, 3-1 infinite guy). Here is what I had to do to hit the timing properly.

  1. Remove power from the Fon.
  2. Launch a terminal and start pinging 192.168.1.254.
  3. Launch another terminal and PREP a telnet session to 192.168.1.254 9000 (type the command, but don’t send it yet).
  4. On the first reply you receive from ping, press Enter in your telnet session.
  5. If it fails, repeat the process until you get it.

Now, head back to part 1 of the h-i-r instructions and follow along starting with “tinker time”.

Step 2: Install the pWn

This is the easy part. Below are simply notes regarding the process.

Metasploit and Karma

This is the part where I point you back to h-i-r.net’s part 2 for the complete setup of this step. I was able to drop the framework into my tools directory with no additional steps required. You may want to update Ruby, though, if you desire. Then download karma.rc, put it in the root directory with the framework, and we are in the home stretch to put this all together.

Head to part 2 of the h-i-r instructions. Follow from “Time to tweak stuff”. You will need to edit karma.rc before you run it.

Hamster and Ferret

Last files we need to grab are hamster and ferret.

I was having some trouble getting hamster and ferret to compile, even after installing Xcode. Luckily, the binaries are compiled for us already. Download them and place them in a directory you will remember.

You will need to set your browser’s proxy to 127.0.0.1:1234 to view the Hamster interface. Be sure you add a proxy exception for your NIC’s IP address, so you can still reach the Jasager interface as well.

(Screenshot, 2009-09-02)

You can now head back to ax0n’s work and button up the rest of the project.

Starting the entire process

Here are the steps I use when booting this rig.

  1. Power on the Fon and connect it to your PC with an Ethernet cable.
  2. Make sure Jasager is online and Karma is active. I opted to control its state manually instead of starting it automatically.
  3. Open a terminal and launch Metasploit and Karma with: sudo ./msfconsole -r karma.rc
  4. Open another terminal and launch hamster with: sudo ./hamster
  5. Enable your proxy, or use QuickProxy for Firefox to quickly enable it.
  6. Open the Jasager (192.168.1.1:1471) and hamster (127.0.0.1:1234) interfaces.
  7. Gratz ur l33+

Conclusion

While this guide wasn’t meant to be as comprehensive as the article it was based on, I hope you will find it a quick reference for installing this on your Mac.

I have zipped up all the files referenced and stashed them here. Comment with questions or hit me up via Twitter.

  One Response to “Security | LaFonera Hacking”

  1. Despite many tutorials I have read, I’m not able to access the RedBoot :/

    How did you manage to do it? Accessing via ssh was not a problem, copying the files to the /tmp directory was not a problem; the problem was when I tried to mtd -e the packages, the FON responds that the device is not open for writing :(

    Can you help?

    Thanks
