Fon router hack

Written by Walter


Nice article about using the $5 Linksys router from FON, which runs Linux.
FON seems to be violating your ISP's contract (by letting other people share your connection intentionally), so this is a legal gray area. Using a FON router
you violate your ISP contract. Hacking the FON router keeps your ISP happy, but then you are violating FON's contract. Anyway, I just liked the hack and the Linux-based router sounds cewl, so here's the article:


Just recently there's been a bit of media coverage of FON, partly due to the fact they've got a bunch of venture capital to make a WiFi-sharing mesh of users across the world, and partly because they were selling subsidised WRT54GL wireless routers to make it possible. These routers are a nice piece of equipment, and run a tiny Linux kernel to make them tick, which is why they were selected - they're easily hackable.


So, what if you want a subsidised router, but don't want to be part of a corporation dressing itself up as a grassroots movement? They say they might have to get the router back off you if you don't play ball. But how do they know if you're playing ball? Well, there's only one way they can know - the router has to be phoning home to let them know.


Normally, to find out if something is phoning home you need to sniff packets and do a bit of digging through logs and things, but as mentioned before, these routers run Linux, and as such the vendor has to supply the source code for building the firmware. And FON have to do the same with their special firmware for the WRT54GL, because that's the joy of the GPL. A quick Google across their website shows that they have a 93 MB tarball of the firmware source and patches.


I downloaded and decompressed this, and set to work, searching for the term "fon" in the code, and - behold - I found precisely where this occurs. The router uses Chillispot to manage the WLAN, and there's a couple of configuration files in there that deal with the whole FON thing. Here is chilli.conf:


# Powered by FON (www.fon.com)
#
##############################################################################
radiusserver1 emilio.fon.com
radiusserver2 emilio.fon.com
radiussecret garrafon
dhcpif eth1
uamserver https://login.fon.com/cp/index.php
uamsecret garrafon
uamallowed www.fon.com,acceso.fon.com,en.fon.com,es.fon.com,www.paypal.com,www.paypalobjects.com
uamanydns



This file appears to manage wireless connectivity before you login - the idea is that you pay for connectivity for a set period of time, and this allows you to access the login at fon.com for free. The following file is of more interest though, this is called chillispot-fon.init:


#!/bin/sh

RUN_D=/var/run
PID_F=$RUN_D/chilli.pid

case $1 in
    start)

        # Set internal use variables
        MAC=`nvram get il0macaddr|sed s/:/-/g`
        NET=`nvram get inet`

        # We perform another connectivity check, just in case we are lucky enough or FON startup script didn't exist
        if [ $NET -ne 1 ];
        then
            wget "http://download.fon.com/heartbeat.php?mac=$MAC" -O /tmp/inet.html
            if [ -s inet.html ];
            then
                nvram set inet=1
                NET=1
            fi
        fi

        # check whether we already have internet access
        if [ $NET -eq 1 ];
        then

            # Break bridging between interfaces
            /usr/sbin/brctl delif br0 "$(nvram get wl0_ifname)"
            /sbin/insmod tun >/dev/null 2>&1
            [ -d $RUN_D ] || mkdir -p $RUN_D
            if [ -L /etc/chilli.conf ];
            then
                rm /etc/chilli.conf
                cp /rom/etc/chilli.conf /etc
                # Set the mac as nasid
                if [ -z MAC ] && [ ! -w /etc/chilli.conf ];
                then
                    echo "radiusnasid fon" >> /etc/chilli.conf
                else
                    echo "radiusnasid $MAC" >> /etc/chilli.conf
                fi
            fi

            /usr/sbin/chilli --interval=300 --dns1="$(nvram get lan_ipaddr)" --dns2="$(nvram get lan_ipaddr)"

        fi
        ;;
    stop)
        [ -f $PID_F ] && kill $(cat $PID_F) >/dev/null 2>&1
        ;;
    *)
        echo "usage: $0 (start|stop)"
        exit 1
esac

exit $?



There are two lines in that little lot that are responsible for the phoning home that the router does. This line gets the MAC address of the router, which is the unique hardware address of the network interface, and converts it from the format 00:00:00:00:00:00 to 00-00-00-00-00-00:


MAC=`nvram get il0macaddr|sed s/:/-/g`


Whereas this line is the line that reports this address back to FON to let them know that you're hooked up:


wget "http://download.fon.com/heartbeat.php?mac=$MAC" -O /tmp/inet.html


What does all that mean? Well, you could register your reduced-price router with FON, reflash the firmware and periodically call the download.fon.com link, maybe in a cron job or from some other script on the router, just to keep up the appearance that the FON firmware is active and phoning home. I'm not sure how often the script gets called, having not looked very far, but it's going to be one of three events: on booting up, when someone tries to connect, or when a certain amount of time has passed. I suspect it's when people try to connect, and I'll do a little more investigation to find out.


It's clear FON haven't thought this through terribly well, because there's no garbage control on the heartbeat.php script. It'll reply with OK regardless of what you replace $MAC with.
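Seen from the other side, this is the kind of check the heartbeat endpoint (or anyone watching outbound traffic on the LAN) could apply to the wget request above: pick the heartbeat.php hits out of a proxy log, pull the mac parameter, and flag any that are not in the 00-00-00-00-00-00 shape the init script produces. This is an added example, not code from the article or from FON's firmware; the log format and every value in it are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log: "client_ip method url", one request per line.
SAMPLE_LOG = """\
192.168.1.1 GET http://download.fon.com/heartbeat.php?mac=00-1A-2B-3C-4D-5E
192.168.1.7 GET http://www.example.org/index.html
192.168.1.9 GET http://download.fon.com/heartbeat.php?mac=not-a-mac
192.168.1.1 GET http://download.fon.com/heartbeat.php?mac=00-1A-2B-3C-4D-5E
192.168.1.4 GET http://download.fon.com/heartbeat.php
"""

# The init script rewrites ':' to '-' (sed s/:/-/g) before sending, so a
# genuine heartbeat carries six hex octets separated by dashes.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")
HEARTBEAT_HOST = "download.fon.com"
HEARTBEAT_PATH = "/heartbeat.php"


def mac_is_wellformed(mac):
    """True only for the dash-separated form the router actually sends."""
    return bool(MAC_RE.match(mac))


def parse_heartbeats(log_text):
    """One record per heartbeat request: sender, claimed MAC, and whether it is well-formed."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed log lines rather than crash on them
        client, _method, url = parts
        u = urlparse(url)
        if u.hostname != HEARTBEAT_HOST or u.path != HEARTBEAT_PATH:
            continue
        mac = parse_qs(u.query).get("mac", [None])[0]
        wellformed = mac is not None and mac_is_wellformed(mac)
        events.append({"client": client, "mac": mac, "wellformed": wellformed})
    return events


def heartbeat_summary(log_text):
    """Heartbeat count per client, plus the requests whose MAC is missing or malformed."""
    events = parse_heartbeats(log_text)
    per_client = {}
    for e in events:
        per_client[e["client"]] = per_client.get(e["client"], 0) + 1
    suspicious = [e for e in events if not e["wellformed"]]
    return per_client, suspicious
```

Running `heartbeat_summary(SAMPLE_LOG)` reports two well-formed heartbeats from 192.168.1.1 and singles out the `not-a-mac` and missing-parameter requests, which is exactly the validation the article says heartbeat.php does not do.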

