0.Firmware list
| fonera-simpl-4.0.1.4.img | Original fon firmware v.4.0.1.4 |
fonera-simpl-4.0.1.4-hacked.img
| Hacked fon firmware v.4.0.1.4 (telnet enabled)
|
| sdk_root_uImage_ram.img | Custamized Firmware with utilities (Ralink SDK based)
|
| ralink-custom-20100813.img | Custamized Firmware (Ralink SDK based)
|
| fonera-simpl-4.0.2.2.img | Original fon firmware v.4.0.2.2 (by Giuseppe) |
| openwrt-foneraN-fonita-squashfs_22-SEP-2016.img | Fon-ng (v4.0.2.3) based custom firmware |
1. Specifications
Model FON2305E/FON2405E
Architecture MIPS32 Release 1
Wireless IEEE 802.11g / IEEE 802.11b / IEEE 802.11n(2.4GHz only)
Security WiFi Protected Access (WPA) / WEP / WPA2 / WPS
Weight 95g
Power Supply DC 5V 1A
Antenna Terminal Reverse SMA(RP-SMA)
Antenna Gain 2dBi
BootLoader U-BOOT
OS OpenWRT(Linux2.6)
CPU RT3050 320MHz
Memory 32MB
Flash 2MB
Lan 10/100Base-T AutoMDI RJ-45*2
2. Access to the case
Remove four rubber feet. The screws are special, but some precision minus screwdriver may use to them.
3. Serial cable installation
Solder wires to serial port on the circuit board, Install pull-up register (in my case 1kohm, suitable resitor value usually between 1 kohm and 10 kohm)
Layout for FON2405E serial
J2 o o o o
| | | |
+3V Rx Tx Gnd
\_1K_/
4, Access to SoC via serial
Prepare a proper cable and a module for TTL(CMOS). FTDI FT232RL module works well, some serial modules have a problem for Simpl.
Run terminal application on host PC (e.g. putty). And connect at 57600/8N1.
U-Boot 1.1.3 (Jan 6 2010 - 07:10:30)
Board: Fonera
DRAM: 32 MB
relocate_code Pointer at: 81fac000
spi_wait_nsec: 3e
spi deice id: c2 20 15 c2 20 (2015c220)
find flash: mx25l1605d
raspi_read: from:41030000 len:1000
Using default environment
##### The CPU freq = 320 MHZ ####
SDRAM bus set to 16 bit
SDRAM size =32 Mbytes
Please choose the operation:
1: Boot system code via Flash (default).
2: Load system code then write to Flash via TFTP.
3: Entr boot command line interface.
reset pressed for 2 seconds
You selected 2
0
2: System Load Linux Kernel then write to Flash via TFTP.
Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)
5. Setup tftp server
i. Setup tftp server (tftpd-hpa) on host PC and start daemon:
# apt install tfpd-hpa openbsd-inetd
Edit /etc/inetd.conf
tftp dgram udp wait root /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /var/lib/tftpboot
Run inetd daemon
# /etc/init.d/inetd start
ii. Copy firmware to tftproot directory:
cp (firmware) /var/lib/tftpboot
iii. Connect ethernet cable to fonera (computer side port)
iv. Setup static IP addess of host PC: 10.10.10.3/24
6. Access u-boot menu
The way to access to u-boot is the following:
i. Put AC power plug to Simpl while pressing the reset button.manage
ii. Wait about four seconds, u-boot menu will be displayed.
iii. If installing a firmware to flash memory, press 2 and release the reset button,
If loading to RAM memory for testing, pess 3.
7. Load a firmware into ram for testing
i. Select '3' on u-boot menu
ii. Enter commands like this:
RT3052 # tftpboot 80800000 sdk_root_uImage_ram.img
RT3052 # bootm
Note: Ralink firmware only.
8. Backup the original firmware
i. Run telnet to Simpl:
$ telnet 10.10.10.254
ralink login: admin
Password: admin
ii. Extract firmware
# cd /tmp
# dd if=/dev/mtd3ro of=firmware.img
7808+0 records in
7808+0 records out
# ls -l
-rw-r--r-- 1 0 0 3997696 firmware.img
# killall goahead
# httpd -h /tmp
Note: The address of copied data is from 0x20000 to 0x3f0000, but the actual range of kernel + rootfs of fon firmware is from 0x20000 to 0x1f0000.
Creating 4 MTD partitions on "raspi":
0x00000000-0x00010000 : "Bootloader"
0x003f0000-0x00400000 : "Config"
0x00010000-0x00020000 : "Factory"
0x00020000-0x003f0000 : "Kernel"
Original fon firmware's log:
Creating 6 MTD partitions on "raspi":
0x00000000-0x00010000 : "uboot"
0x00010000-0x00020000 : "boardconfig"
0x00020000-0x00200000 : "image"
0x00020000-0x000b6000 : "linux"
0x000b6000-0x001f0000 : "rootfs"
0x001f0000-0x00200000 : "uci_overlay"
iii. Transfer the copy to host PC
$ wget http://10.10.10.254/firmware.img
--2011-03-06 17:47:12-- http://10.10.10.254/firmware.img
Connecting to 10.10.10.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3997696 (3.8M) [application/octet-stream]
Saving to: `firmware.img'
100%[======================================>] 3,997,696 4.46M/s in 0.9s
2011-03-06 17:47:13 (4.46 MB/s) - `firmware.img' saved [3997696/3997696]
iv. Adjust proper file size
$ dd if=firmware.img of=fonera-simpl-orig.firmware bs=64k count=29
29+0 records in
29+0 records out
$ ls -l
-rw-r--r-- 1 shiva shiva 3997696 Dec 31 1999 firmware.img
-rw-r--r-- 1 shiva shiva 1900544 Mar 6 17:51 fonera-simpl-orig.firmware
If having a problem while restoring orginal firmware, try this:
# dd if=fonera-simpl-orig.firmware of=fonera-simpl-orig.firmware.fix bs=128k conv=sync
This firmware is 64kb bigger than previous one, and it erases "uci_overlay".
9. Firmware installation into flash memory
a. fonera-simpl-4.0.1.4-hacked.img
A telnetd enabled orignal firmware. To access to Simpl:
i. Run dhcpclient
ii. Run telnet
$ telnet 192.168.10.1
Entering character mode
Escape character is '^]'.
BusyBox v1.11.1 (2010-01-05 11:31:52 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ #
This firmware cannot do many things, only for using research purpose.
b. ralink-custom-20100813.img
Features:
i. Three operation mode: Bridge, Gateway, and AP Client: Bridge and AP Client work well
ii. Qos (not tested)
iii. Channel BandWidth 20/40 (Not tested):
Theoretically twice faster than original fon firmware.
iv: WPS (not tested)
v. Mesh metwork (not tested)
vi. a little advanced firewall settings: MAC/IP/Port filtering etc.
This firmware is built by ralink SDK. A few bugs exist:
i. Click Wireless Settings > Station List on GoAhead does not work and goes down.
ii. AP Client mode requires addtional setting.
10. Access control panel
Default IP addess is 10.10.10.254. Access the control panel via browser.
11. Basic Setting
a. Bridge (AP mode)
Basic setting:
WAN: bridge
LAN: static IP addess (private network, require for AP Client)
LAN2: arbitrary IP addess
Wireless: AP mode
DHCP: enable/disable
b. Gateway (router mode)
Basic setting:
WAN: DSL modem
LAN: static IP addess(private network)
Wireless: AP mode
c. AP Client (Client bridge mode)
It needs a little tweak.
i. Basic setting:
- NAT: disable
- WAN: arbitrary IP addess (e.g. 10.10.10.254/24)
- LAN: static IP address
- LAN2: disable
- DHCP: disable
- Wireless SSID: arbitrary setting, hidden mode
- Wireless security: WPA2-PSK (strongest security)
- AP Client: SSID, Security mode, Encryption Type and Pass Phrase of AP
ii. Access to system via telnet:
# brctl addif br0 apcli0
If apcli0 interface does not exist, AP Client does not work.
12. Test
WAN ==DSL == Simpl 1(GW, Fon firmware) == Simpl 2 (AP,bridge mode customized firmware) ---Simpl 3 (AP Client, customized firmware)==hub==PCs
==: Wired
---: Wireless
Network: 192.168.211.0/27
Simpl 1: 192.168.211.30/27
Simpl 2: 192.168.211.29/27
Simpl 3: 192.168.211.28/27
Network latency:
# ping -c 3 192.168.211.28
PING 192.168.211.28 (192.168.211.28): 56 data bytes
64 bytes from 192.168.211.28: seq=0 ttl=64 time=0.577 ms
64 bytes from 192.168.211.28: seq=1 ttl=64 time=0.547 ms
64 bytes from 192.168.211.28: seq=2 ttl=64 time=0.540 ms
--- 192.168.211.28 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.540/0.554/0.577 ms
# ping -c 3 192.168.211.29
PING 192.168.211.29 (192.168.211.29): 56 data bytes
64 bytes from 192.168.211.29: seq=0 ttl=64 time=1.177 ms
64 bytes from 192.168.211.29: seq=1 ttl=64 time=1.201 ms
64 bytes from 192.168.211.29: seq=2 ttl=64 time=1.386 ms
13. Repeater mode
AP Client also can be Repeater. Set SSID to AP Client with same SSID name of AP in Control Panel. Reboot and run this command:
# brctl addif br0 apcli0
Add New custom firmware (22 SEP 2016)
This FW is Fon-ng based firmware which is removed fon related packages.
UPDATE: fon2405e hack (August 14 2020)
Replace SPI flash with new one (8mb or 4mb) and OpenWrt firmware
