Hacer backup de una Fonera

Teniendo acceso por SSH a una Fonera, se puede hacer un tar de los ficheros de la fonera directamente a otra maquina (por si no cupiera en la propia fonera):

ssh root@fon01 "cd /; tar cvf - bin etc lib sbin tmp var jffs rom usr www" | gzip -9 > /tmp/fon01.tar.gz

Tambien se puede usar algo parecido para replicar el SO de una Fonera en un Linux:

$ mkdir /tmp/fon01
$ cd /tmp/fon01
$ ssh root@fon01 "cd /; tar cvf - bin etc lib sbin tmp var jffs rom usr www" | tar xvf -

Esto ultimo puede ser util para verificar desde el Linux que una actualizacion de Fon no va a machacar ficheros de la Fonera que hayamos tocado nosotros antes.

Syslog remoto para la Fonera

Para habilitar el syslog remoto de nuestra Fonera a un servidor de Syslog que tengamos:

fon01# vi /etc/init.d/rcS

Modificamos la linea del syslog por

syslogd -C 16 -L -R 192.168.X.Y

Donde 192.168.X.Y seria la IP de nuestro servidor de syslog.

Reiniciamos el syslog de la fonera:

ps -ef| grep syslog
kill

y lo lanzamos manualmente:

syslogd -C 16 -L -R 192.168.X.Y

En el syslog de nuestro servidor de syslog veremos:

server$ tail -f /var/log/syslog
...
Dec 10 20:22:50 fon01 syslog.info syslogd started: BusyBox v1.1.3
...

Por cierto, para leer el syslog desde la fonera:

fon01# logread
Dec 10 20:22:50 fon01 syslog.info syslogd started: BusyBox v1.1.3
...

De esta forma los logs no se pierden!

Filtrado por MAC para la Fonera

Tengo una Fonera (con firmware de Fon, pero con acceso SSH) y estaba un poco mosqueado de que no tuviera filtrado por MAC de la gente que puede conectarse a la red “privada” (MyPlace).

Pues con estas lineas se puede habilitar el filtrado por MAC. En mi caso, lo pongo en modo whitelist, es decir que pongo la mac de los equipos que autorizo a conectarse. Tambien se puede poner en modo blacklist, es decir poner la mac de los equipos que no dejamos conectar.

Ejecutando estas lineas funciona:

# To flush the list of MAC addresses:
iwpriv ath1 maccmd 3

# To make the list a whitelist (1) / blacklist (2):
iwpriv ath1 maccmd 1

# Add some MACs to the list:

# Equipo 1
iwpriv ath1 addmac xx:xx:xx:xx:xx:xx

# Equipo 2
iwpriv ath1 addmac yy:yy:yy:yy:yy:yy

Para que se haga efectivo en cada reinicio de la Fonera, he puesto estas lineas en el /etc/init.d/S45firewall.

(Saque los comandos iwpriv de MadWifi.org.)

How does the Fonera updates itself?

Let’s see how the Fonera automatically updates itself.

Enter you La Fonera (by SSH). Edit your cron jobs and you’ll see that every day your Fonera runs the following command:

<pre>root@fon01:~# crontab -l
0 * * * * /bin/thinclient cron</pre>

During startup, your Fonera also runs “/bin/thinclient start” from /etc/init.d/N40thinclient.

Let’s see what is that thinclient about:

Firts, check that the last line of /bin/thinclient is commented, like this:

<pre># . /tmp/.thinclient.sh</pre>

Then, run the following command (It won’t upgrade your Fonera!)

<pre>root@fon01:~# sh -x /bin/thinclient start
…
+ echo mode=’start’ wlmac=’00:18:84:XX:XX:XX’ mac=’00:18:84:XX:XX:XX’ fonrev=’2′ firmware=’0.7.1′ chillver=’1.0-1′ thclver=’1.0′ device=’fonera’
+ ssh -T -p 1937 -i /etc/dropbear/key openwrt@download.fon.com
root@fon01:~#
</pre>

(I’ve XX’ed my MAC addresses for obvious privacy reasons).

So, here is how the Fonera start an automatic upgrade: it send by ssh some information about itself: macs, version and revision… What for?

The result of the last command is written into the /tmp/.thinclient.sh file, which is then supposed to be launched. Let’s look at it:

<pre>root@fon01:~# cat .thinclient.sh
cd /tmp
wget http://download.fon.com/firmware/update/0.7.1/2/upgrade.fon
/bin/fonverify /etc/public_fon_rsa_key.der /tmp/upgrade.fon

rm -f /tmp/.thinclient.sh

exit
</pre>

Ok, the the next step of the upgrade is to get the upgrade.fon file from FON, check it’s authenticity and extract it (fonverify)

From a Linux box (not my Fonera), I wget the file and run a hacked version of fonverify (skipping the verification of the file and only extracting it).

Running the fonverify scripts in my Linux, we will get the actual update tarball (in that case: upgrade_0713.tgz) and we will be able to see what it affects in our Fonera:

<pre>alegrome$ tar ztf upgrade_0713.tgz
bin/
bin/thinclient
etc/
etc/init.d/
etc/init.d/N45ntpclient
etc/functions.sh
etc/fon_revision
etc/banner
usr/
usr/lib/
usr/lib/webif/
usr/lib/webif/validate.awk
usr/lib/qos.sh
usr/bin/
usr/bin/haserl
www/
www/cgi-bin/
www/cgi-bin/webif/
www/cgi-bin/webif/adv_net.sh
www/cgi-bin/webif/adv_pf.sh
www/cgi-bin/webif/adv_wifi.sh
www/cgi-bin/webif/connection.sh
www/cgi-bin/webif/language.sh
www/cgi-bin/webif/password.sh
www/cgi-bin/webif/private.sh
www/cgi-bin/webif/public.sh
www/cgi-bin/webif/upgrade.sh
alegrome$
</pre>

Notice that the update from 7.1r2 to 7.1r3 modifies the /bin/thinclient script, what actually re-enabled the automatic updates! Beware of it.

Fin de la promocion “Fonero Gets Fonero”?

La promocion “Fonero Gets Fonero” (FGF) era una promocion de Fon con la cual un Fonero tenia invitaciones para regalar Foneras gratis a sus amigos.

Al entrar en nuestra userzone de Fon, hemos podido comprobar que el boton Fonero Gets Fonero ha desaparecido. Aun asi, es posible acceder a la pagina, con este link, pero esta informa que no tenemos mas invitaciones disponibles.

Por lo visto, segun comentan en este post del Foro de Fon, la promocion se habria acabado.

Lastima, porque el concepto molaba… aun asi, hemos podido aprovecharla un poco.

Non-interactive ssh to your La Fonera

The Dropbear mini ssh daemon doesn’t recognize $HOME/.ssh/authorized_keys files. However, you can configure authorized public keys in /etc/dropbear/authorized_keys (using the same format).

For example, you can do:

scp .ssh/id_rsa.pub root@fon01:/etc/dropbear/authorized_keys

The next time you access your Fonera box, you won’t need to enter root’s password .

Tweak your FON Chillispot allowed URL list

Following Ivan’s article about how the La Fonera automatically updates it’s chilli.conf file (Chillispot configuracion file), and about the fact that you may like to configure your own set of allowed URLs — URLs users can browse without registering against FON radius –, I propose here a modification of /etc/init.d/N50chillispot.

With that patch applyed to N50chillispot:
* You can now specify your own set of allowed URLs. Put the lines into /etc/chilli.allowed (create the file). Leave the file blank or remove file if you don’t want to allow any URL.
* You’ll receive any update to the file (radius changes,…) but you won’t be affected by "uamallowed" lines (your lines will apply instead).

Here is the patch I propose:

--- N50chillispot.old   2007-03-05 11:43:53.000000000 +0100
+++ N50chillispot       2007-03-05 12:22:13.000000000 +0100
@@ -2,7 +2,9 @@
 . /tmp/network-config

 TMP_C=/tmp/chilli.conf
+TMP_C_T=/tmp/chilli.conf.tmp
 ETC_C=/etc/chilli.conf
+ETC_W=/etc/chilli.allowed
 PID_F=/var/run/chilli.pid
 PID_LOOP_F=/var/run/chilli_loop.pid
 LOG_LOOP_F=/var/log/chilli_loop.log
@@ -69,6 +71,9 @@
                --dhcpif $wifi_ifname \
                > $TMP_C
        [ -n "$(cat $TMP_C)" ] &')
                MD5SUM_ETC=$(md5sum $ETC_C | awk '{ print $1 }')
                if [ ! "$MD5SUM_TMP" = "$MD5SUM_ETC" ]; then

(tested on Fonera Firmware Version 0.7.1 rev 1)

Change your Fonera date and timezone

# echo "CET-1CEST-2,M3.5.0/02:00:00,M10.5.0/03:00:00" > /etc/TZ
# ntpclient -c 1 -s -h pool.ntp.org
39143 45854.743  153016.0     25.0  104118.5  43060.3         0
# date
Sun Mar  4 13:44:29 CET 2007

Now the date and timezone is correct.

Reference:
* Timezone at OpenWRT Configuracion wiki

Change your Fonera hostname

The Fonera OS doesn’t bring the hostname command, but you can change it’s default “OpenWrt” hostname to any hostname you like:

# sysctl -w kernel.hostname=fon01
kernel.hostname = fon01
# uname -a
Linux fon01 2.4.32 #9 jue nov 23 12:11:45 UTC 2006 mips unknown

(note: the date is wrong!)

You can make it persistent accross reboot:

echo "kernel.hostname=fon01" >> /etc/sysctl.conf

Shell access (ssh) on your Fonera

Right after receiving my free La Fonera social router, I plugged it into my local home network, and registred it, as explained in the provided guide. The problem (I knew it later), is that when the Fonera boots, it connects to Fon and upgrades itself (and reconfigures itself also).

So, as I plugged my Fonera to Internet, it upgraded to the latest firmware revision, for which there is no known hack to get ssh shell access.

Today I searched for a way to succesfully downgrade my Fonera to it’s original firmware.

After trying several ways (found on the Internet) with no success, this is the way that finally worked for me:

* Configure your PC with ip 169.254.255.2/24
* Connect your PC and the Fonera with a direct cable (straight or crossover ethernet, doesn’t matter, the Fonera is smart enough)
* Press the reset button (down the fonera) for 20 seconds
* Release the button
* From the PC, ping 169.254.255.1 (As it cannot get any DHCP IP, the Fonera autoconfigure it’s eth0:1 with this zeroconf IP).
* Wait till it’s reachable (approx 2mn)

When the IP is reacheable (when the Fonera answers the ping requests), you can now apply the following hack:

Create on your PC 2 html files, with the following content:

step1.html:

step2.html

Now, open step1.html with your favorite browser and click the submit button (if your are asked for login/passwd, unless you changed it, try admin/admin). Once done, do the same with step2, and submit.

The dropbear ssh deamon should now be open on your Fonera! You can get a shell inside your Fonera: connect by ssh to 169.254.255.1 (port 22): user root and password admin, unless you changed it (the same passwd as the web UI).

Final steps are:

* Activate ssh permanently :

root@OpenWrt:~# mv /etc/init.d/dropbear /etc/init.d/S50dropbear

* Unlock firewalling rules :

root@OpenWrt:~# vi /etc/firewall.user

* Uncomment the following :

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT

* Deactivate automatic Fonera updates :

root@OpenWrt:~# vi /bin/thinclient

* Comment the following line (last one) :

#. /tmp/.thinclient.sh

At this point I had some troubles with the Fonera not catching IP by DHCP. By advice of another fonero-geek and friend (Ivan!), I set up the Fonera to use a static IP (using the MyPlace web UI), and everything worked fine. Eventually this morning I changed back the Fonera to get it’s IP by DHCP and it actually worked too.

Some sources that inspired me a lot (and more):
http://imil.net/docs/fonera-ssh.txt
http://blog.blase16.de/2006/11/28/Hacking-Fonera