Fonera Simpl Hacking
The Fonera Simpl is based on the Ralink RT3050 SoC. The device is faster and more stable than the Atheros-based Fonera. I partially succeeded in hacking the Simpl and customized a firmware. Although the firmware has a few bugs, it is stable and has many more features than the original fon firmware.
Firmware list
fonera-simpl-4.0.1.4.img Original fon firmware ver.4.0.1.4
fonera-simpl-4.0.1.4-hacked.img Hacked fon firmware
sdk_root_uImage_ram.img Customized firmware with utilities (Ralink SDK)
ralink-custom-20100813.img Customized firmware (Ralink SDK)
fonera-simpl-4.0.2.2.img Original fon firmware ver.4.0.2.2 (by Giuseppe)
1. Specifications
Model FON2305E/FON2405E
Architecture MIPS32 Release 1
Wireless IEEE 802.11g / IEEE 802.11b / IEEE 802.11n(2.4GHz only)
Security WiFi Protected Access (WPA) / WEP / WPA2 / WPS
Weight 95g
Power Supply DC 5V 1A
Antenna Terminal Reverse SMA(RP-SMA)
Antenna Gain 2dBi
BootLoader U-BOOT
OS OpenWRT(Linux2.6)
CPU RT3050 320MHz
Memory 32MB
Flash 2MB
Lan 10/100Base-T AutoMDI RJ-45*2
2. Open the case
To open the case, remove the four rubber feet. Although the screws are a special type, a small precision flat-head (minus) screwdriver may fit them.
3. Install serial
Solder wires to the serial port header on the circuit board and install a pull-up resistor (1 kohm in my case; a suitable value is usually between 1 kohm and 10 kohm).
Layout for FON2405E serial
J2 o o o o
| | | |
+3V Rx Tx Gnd
\_1K_/
4. Access via serial
Prepare a proper cable and a TTL (CMOS) level serial module. An FTDI FT232RL module works well; some other serial modules have problems with the Simpl.
Run a terminal application on the host PC (e.g. PuTTY) and connect at 57600/8N1.
To access the u-boot menu:
i. Plug the AC power into the Simpl while holding the reset button.
ii. Wait about four seconds until the u-boot menu is displayed.
iii. Then press "2" and release the reset button.
If successful, the u-boot menu looks like this:
U-Boot 1.1.3 (Jan 6 2010 - 07:10:30)
Board: Fonera
DRAM: 32 MB
relocate_code Pointer at: 81fac000
spi_wait_nsec: 3e
spi deice id: c2 20 15 c2 20 (2015c220)
find flash: mx25l1605d
raspi_read: from:41030000 len:1000
Using default environment
##### The CPU freq = 320 MHZ ####
SDRAM bus set to 16 bit
SDRAM size =32 Mbytes
Please choose the operation:
1: Boot system code via Flash (default).
2: Load system code then write to Flash via TFTP.
3: Entr boot command line interface.
reset pressed for 2 seconds
You selected 2
0
2: System Load Linux Kernel then write to Flash via TFTP.
Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)
If not successful, check the serial connection.
Boot the Simpl and press any key. If keystrokes are transmitted successfully, the terminal shows something like this:
.W.z.zzzzzzzzzzzzzzzzz...W
5. Setup tftp server
i. Set up a tftp server (tftp-hpa) on the host PC and start the daemon:
# ps ax | grep tftp
5518 root /usr/bin/tftpd-hpa -l -s /var/lib/tftpboot
ii. Copy the firmware images to the tftp root directory:
cp sdk_root_uImage_ram.img fonera-simpl-4.0.1.4.img fonera-simpl-4.0.1.4-hacked.img ralink-custom-20100813.img /var/lib/tftpboot
iii. Connect an ethernet cable to the Fonera (port labeled "computer")
iv. Set a static IP address on the host PC: 10.10.10.3/24
6. Access u-boot menu
7. Load a firmware into ram
i. Select '3' on the u-boot menu
ii. Enter commands like this:
RT3052 # tftpboot 80800000 sdk_root_uImage_ram.img
RT3052 # bootm
Note: Ralink firmware only.
8. Backup the original firmware
i. Telnet to the Simpl:
$ telnet 10.10.10.254
ralink login: admin
Password: admin
ii. Extract the firmware
# cd /tmp
# dd if=/dev/mtd3ro of=firmware.img
7808+0 records in
7808+0 records out
# ls -l
-rw-r--r-- 1 0 0 3997696 firmware.img
# killall goahead
# httpd -h /tmp
Note: the copied data covers 0x20000 to 0x3f0000, but the actual kernel + rootfs range of the fon firmware is only 0x20000 to 0x1f0000.
SDK firmware's log:
Creating 4 MTD partitions on "raspi":
0x00000000-0x00010000 : "Bootloader"
0x003f0000-0x00400000 : "Config"
0x00010000-0x00020000 : "Factory"
0x00020000-0x003f0000 : "Kernel"
Original fon firmware's log:
Creating 6 MTD partitions on "raspi":
0x00000000-0x00010000 : "uboot"
0x00010000-0x00020000 : "boardconfig"
0x00020000-0x00200000 : "image"
0x00020000-0x000b6000 : "linux"
0x000b6000-0x001f0000 : "rootfs"
0x001f0000-0x00200000 : "uci_overlay"
iii. Transfer the copy to the host PC
$ wget http://10.10.10.254/firmware.img
--2011-03-06 17:47:12--  http://10.10.10.254/firmware.img
Connecting to 10.10.10.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3997696 (3.8M) [application/octet-stream]
Saving to: `firmware.img'
100%[======================================>] 3,997,696 4.46M/s in 0.9s
2011-03-06 17:47:13 (4.46 MB/s) - `firmware.img' saved [3997696/3997696]
iv. Trim the copy to the proper file size
$ dd if=firmware.img of=fonera-simpl-orig.firmware bs=64k count=29
29+0 records in
29+0 records out
$ ls -l
-rw-r--r-- 1 shiva shiva 3997696 Dec 31 1999 firmware.img
-rw-r--r-- 1 shiva shiva 1900544 Mar 6 17:51 fonera-simpl-orig.firmware
If you have a problem restoring the original firmware, try this:
# dd if=fonera-simpl-orig.firmware of=fonera-simpl-orig.firmware.fix bs=128k conv=sync
This image is 64 KB bigger than the previous one, and it erases "uci_overlay".
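The size arithmetic behind steps ii to iv, as an added Python example (not the page's own tooling): it parses the MTD partition lines from the fon kernel log, computes the kernel + rootfs length that dd count=29 reproduces, pads the trimmed dump to a 128 KiB multiple like the conv=sync fix, and checks the U-Boot uImage header and payload CRCs so a backup can be verified before it is ever written back to flash. The function names and the constructed sample image are assumptions, not the page's.

```python
import binascii, re, struct

# Partition table as printed by the original fon kernel (copied from the log above).
FON_MTD_LOG = """\
0x00000000-0x00010000 : "uboot"
0x00010000-0x00020000 : "boardconfig"
0x00020000-0x00200000 : "image"
0x00020000-0x000b6000 : "linux"
0x000b6000-0x001f0000 : "rootfs"
0x001f0000-0x00200000 : "uci_overlay"
"""
MTD_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')
UIMAGE_MAGIC = 0x27051956                       # U-Boot legacy image magic
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")   # 64-byte big-endian header

def parse_mtd_log(log):
    """Map partition name -> (start, end) from 'Creating N MTD partitions' lines."""
    return {m[3]: (int(m[1], 16), int(m[2], 16)) for m in MTD_RE.finditer(log)}

def image_length(parts, first="linux", last="rootfs"):
    """Bytes from the start of `first` to the end of `last` (kernel + rootfs)."""
    return parts[last][1] - parts[first][0]

def trim_and_pad(dump, length, block=128 * 1024):
    """Keep `length` bytes of the mtd3 dump and pad to an erase-block multiple.
    dd conv=sync pads with NUL bytes; 0xff (the erased-flash value) is used here
    instead, and either way the padding only lands in the uci_overlay region."""
    body = dump[:length]
    return body + b"\xff" * ((-len(body)) % block)

def check_uimage(image):
    """Verify U-Boot header CRC and payload CRC; return (ok, image name)."""
    if len(image) < UIMAGE_HDR.size:
        return False, ""
    magic, hcrc, _t, size, _l, _e, dcrc, _o, _a, _ty, _c, name = UIMAGE_HDR.unpack_from(image)
    name = name.rstrip(b"\0").decode(errors="replace")
    hdr_zeroed = image[:4] + b"\0" * 4 + image[8:UIMAGE_HDR.size]  # hcrc field zeroed
    payload = image[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    ok = (magic == UIMAGE_MAGIC
          and binascii.crc32(hdr_zeroed) == hcrc
          and len(payload) == size and binascii.crc32(payload) == dcrc)
    return ok, name

def make_uimage(payload, name=b"constructed kernel"):
    """Build a minimal uImage (constructed test data, not a real fon kernel)."""
    hdr = bytearray(UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(payload), 0, 0,
                                    binascii.crc32(payload), 5, 5, 2, 0, name))
    struct.pack_into(">I", hdr, 4, binascii.crc32(bytes(hdr)))  # os=linux arch=mips type=kernel
    return bytes(hdr) + payload
```

Run check_uimage on the trimmed file before flashing; a CRC mismatch means the dump, not the flash, is what needs another look.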
9. Firmware installation
a. fonera-simpl-4.0.1.4-hacked.img
A telnetd-enabled original firmware. To access the Simpl:
i. Run a DHCP client
ii. Run telnet
$ telnet 192.168.10.1
Entering character mode
Escape character is '^]'.
BusyBox v1.11.1 (2010-01-05 11:31:52 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ #
This firmware cannot do much; it is only for research purposes.
b. ralink-custom-20100813.img
Features:
i. Three operation modes: Bridge, Gateway, and AP Client. Bridge and AP Client work well.
ii. QoS (not tested)
iii. Channel bandwidth 20/40 (not tested):
Theoretically twice as fast as the original fon firmware.
iv. WPS (not tested)
v. Mesh network (not tested)
vi. Slightly more advanced firewall settings: MAC/IP/port filtering etc.
This firmware is built with the Ralink SDK. A few bugs exist:
i. Clicking Wireless Settings > Station List in GoAhead does not work and crashes it.
ii. AP Client mode requires additional settings.
10. Access control panel
The default IP address is 10.10.10.254. Access the control panel via a browser.
11. Basic Setting
a. Bridge (AP mode)
Basic setting:
WAN: bridge
LAN: static IP address (private network, required for AP Client)
LAN2: arbitrary IP address
Wireless: AP mode
DHCP: enable/disable
b. Gateway (router mode)
Basic setting:
WAN: DSL modem
LAN: static IP address (private network)
Wireless: AP mode
c. AP Client (Client bridge mode)
It needs a small tweak.
i. Basic setting:
- NAT: disable
- WAN: arbitrary IP address (e.g. 10.10.10.254/24)
- LAN: static IP address
- LAN2: disable
- DHCP: disable
- Wireless SSID: arbitrary setting, hidden mode
- Wireless security: WPA2-PSK (strongest security)
- AP Client: SSID, Security mode, Encryption Type and Pass Phrase of AP
ii. Access the system via telnet:
# brctl addif br0 apcli0
If the apcli0 interface does not exist, AP Client does not work.
12. Test
WAN ==DSL == Simpl 1(GW, Fon firmware) == Simpl 2 (AP,bridge mode customized firmware) ---Simpl 3 (AP Client, customized firmware)==hub==PCs
==: Wired
---: Wireless
Network: 192.168.211.0/27
Simpl 1: 192.168.211.30/27
Simpl 2: 192.168.211.29/27
Simpl 3: 192.168.211.28/27
Network latency:
# ping -c 3 192.168.211.28
PING 192.168.211.28 (192.168.211.28): 56 data bytes
64 bytes from 192.168.211.28: seq=0 ttl=64 time=0.577 ms
64 bytes from 192.168.211.28: seq=1 ttl=64 time=0.547 ms
64 bytes from 192.168.211.28: seq=2 ttl=64 time=0.540 ms
--- 192.168.211.28 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.540/0.554/0.577 ms
# ping -c 3 192.168.211.29
PING 192.168.211.29 (192.168.211.29): 56 data bytes
64 bytes from 192.168.211.29: seq=0 ttl=64 time=1.177 ms
64 bytes from 192.168.211.29: seq=1 ttl=64 time=1.201 ms
64 bytes from 192.168.211.29: seq=2 ttl=64 time=1.386 ms
--- 192.168.211.29 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.177/1.254/1.386 ms
# ping -c 3 192.168.211.30
PING 192.168.211.30 (192.168.211.30): 56 data bytes
64 bytes from 192.168.211.30: seq=0 ttl=64 time=1.554 ms
64 bytes from 192.168.211.30: seq=1 ttl=64 time=1.546 ms
64 bytes from 192.168.211.30: seq=2 ttl=64 time=1.660 ms
--- 192.168.211.30 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.546/1.586/1.660 ms
# ping -c 3 www.google.com
PING www.google.com (66.249.89.104): 56 data bytes
64 bytes from 66.249.89.104: seq=0 ttl=54 time=40.678 ms
64 bytes from 66.249.89.104: seq=1 ttl=55 time=46.503 ms
64 bytes from 66.249.89.104: seq=2 ttl=54 time=38.789 ms
--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 38.789/41.990/46.503 ms
13. Repeater mode
AP Client can also act as a repeater. Set the SSID of the AP as the SSID of the AP Client in the control panel. Reboot and run the following command:
# brctl addif br0 apcli0
You can find it here: http://www.2shared.com/file/I1RBXRn8/fonera-simpl-4014-hacked.html