
As the new Fonera reaches its first users, here's a brief on the hack side:
- The chillispot daemon has been replaced with the Coova flavour.
- The thinclient mechanism has changed. No more SSH to port 1937; instead there is a DNS TXT request every minute.
- The Kolofonium hack to open port 22 no longer works. Not only is changing the DNS to the Kolofonium server not allowed, but it seems that the web page of the Kolofonium creators is blacklisted as well. Even trying to replicate the fake RADIUS chillispot.conf injection does not seem to work.
I will wait until I get my hands on the new Fonera before writing more on these pages.
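
One way to confirm the once-a-minute DNS TXT request described above from tcpdump text output. This is an added example, not code from the original post; the addresses, host names and thresholds are constructed placeholders, since the name the Fonera actually queries is not given on this page, and the capture is assumed not to cross midnight.

```python
import re
from datetime import datetime
from statistics import mean

# Constructed tcpdump text output (e.g. from "tcpdump -n port 53"). All addresses
# and names are placeholders; the name the Fonera really queries is not on this page.
SAMPLE = """\
10:20:01.104211 IP 192.168.1.50.1029 > 192.168.1.1.53: 4101+ TXT? heartbeat.example.invalid. (43)
10:20:01.151870 IP 192.168.1.1.53 > 192.168.1.50.1029: 4101 1/0/0 TXT "ok" (58)
10:20:14.530112 IP 192.168.1.23.51514 > 192.168.1.1.53: 9920+ A? www.example.invalid. (37)
10:21:01.098345 IP 192.168.1.50.1029 > 192.168.1.1.53: 4102+ TXT? heartbeat.example.invalid. (43)
10:21:40.770500 IP 192.168.1.23.51515 > 192.168.1.1.53: 9921+ TXT? mail.example.invalid. (38)
10:22:01.110020 IP 192.168.1.50.1029 > 192.168.1.1.53: 4103+ TXT? heartbeat.example.invalid. (43)
10:23:01.101777 IP 192.168.1.50.1029 > 192.168.1.1.53: 4104+ TXT? heartbeat.example.invalid. (43)
10:24:01.099003 IP 192.168.1.50.1029 > 192.168.1.1.53: 4105+ TXT? heartbeat.example.invalid. (43)
"""

# Groups: time, source IP (port stripped), query type, query name.
# Only packets sent *to* port 53 match, so responses are ignored.
QUERY = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.\d+ > \S+\.53: \d+\S* (\w+)\? (\S+) ")

def find_periodic_txt(capture, period=60.0, tolerance=5.0, min_queries=4):
    """Return (source, name, mean_gap_seconds) for TXT queries repeated every `period` s."""
    seen = {}
    for line in capture.splitlines():
        m = QUERY.match(line)
        if not m or m.group(3) != "TXT":
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        seen.setdefault((m.group(2), m.group(4).lower()), []).append(ts)

    hits = []
    for (src, name), times in seen.items():
        if len(times) < min_queries:
            continue  # one-off lookups (SPF, DKIM, ...) are not a heartbeat
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Every gap must sit within `tolerance` seconds of the expected period.
        if all(abs(g - period) <= tolerance for g in gaps):
            hits.append((src, name, round(mean(gaps), 1)))
    return sorted(hits)

if __name__ == "__main__":
    for src, name, gap in find_periodic_txt(SAMPLE):
        print(f"{src} queries TXT {name} every ~{gap} s")
```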





Lama Bleu 10:20 am on August 29, 2007 Permalink |
Hi from France.
Same result on the fonera+ here except this:
- thinclient is always working to fatserver.fon.com on port 1938, with a new SSH key.
- I have also seen a DNS query every minute (type TXT). New heartbeat?
- I made my own radius server, and DNS spoofing to radius01.fon.com:
the line uamallowed is still working! (I can add my own site.)
Redboot is available, so:
New and interesting: I made a dump of all the flash partitions, Redboot bootloader, rootfs and kernel and FIS directory.
Seems to be compressed by LZMA and perhaps encrypted. I can send you the dump by PM. I can't do anything with this, and I have poor knowledge of kernel booting.
I can try to boot fonera+ on ramdisk if you need some testing.
Sorry for this bad English.
Regards.
antonde 10:40 am on August 29, 2007 Permalink |
@Lama la fonera+ for the beta-testing welcome package just arrived today.
1) That's why people didn't notice activity to download.fon.com on port 1937.
2) I am just monitoring the DNS query with tcpdump.
3) I think I don't get this point. How did you manage to spoof DNS on la fonera+?
4) I am not so skilled in kernel and Redboot either, but you can send it and I can pass it to Linux guru Anselmi.
5) Your English is perfect.
Bye Anton
Tommie 11:58 pm on August 31, 2007 Permalink |
I also experimented with the fonera. By redirecting the DNS request on my router, I was able to fake the radius server and replace the hotspot configuration – I was able to verify this by watching the resulting DNS queries after adding hosts to uamallowed. However, the fonera plus does not execute the “ipup” code injected by Kolofonium. I did not check whether my site was blocked; I’ll do that on my next try. I’d also appreciate getting my hands on the firmware images.
sid77 9:34 am on September 4, 2007 Permalink |
hi, interesting post
As written by Tommie, trapping dns requests isn’t really difficult: take a look at my “How to transparent proxy la fonera via tor” howto: the firewall script does it as first rule after default policy setup.
steven 7:25 pm on September 5, 2007 Permalink |
Try Cain from the site oxid.it you can arp poison a pc…and get their dns requests translated… like disney.com becomes playboy.com
oxy 5:22 pm on October 13, 2007 Permalink |
Not sure why FON insists on closing these holes. If they were to open it and add SD memory etc, they would sell loads more!
Coova.org » Blog Archive » Project news 4:23 pm on March 30, 2008 Permalink |
[...] great to see CoovaChilli and CoovaAP being used and supported by more companies and projects! FON has been using CoovaChilli, Open-Mesh.com plans to, supported by Worldspot, and Coova officially works with Radiator. In fact, [...]