Home‎ > ‎

Fonera Simpl Hacking

The Fonera Simpl is based on Ralink RT3050 SoC. The device is faster and more stable than previous Fonera 2100 series. But it is not easy to do hacking and to replace custom firmware for this new model. I found to access to the SoC at last and I managed to replace this original firmware to my custom firmware.

0.Firmware list

 fonera-simpl-4.0.1.4.img   Original fon firmware v.4.0.1.4
 fonera-simpl-4.0.1.4-hacked.img
 Hacked fon firmware v.4.0.1.4 (telnet enabled)
 sdk_root_uImage_ram.img Custamized Firmware with utilities (Ralink SDK based)
 ralink-custom-20100813.img Custamized Firmware (Ralink SDK based)
 fonera-simpl-4.0.2.2.img    Original fon firmware v.4.0.2.2 (by Giuseppe)
openwrt-foneraN-fonita-squashfs_22-SEP-2016.img Fon-ng (v4.0.2.3) based custom firmware 



1. Specifications

Model  FON2305E/FON2405E
Architecture MIPS32 Release 1
Wireless  IEEE 802.11g / IEEE 802.11b / IEEE 802.11n(2.4GHz only)
Security  WiFi Protected Access (WPA) / WEP / WPA2 / WPS
Weight  95g
Power Supply  DC 5V 1A  
Antenna Terminal  Reverse SMA(RP-SMA)
Antenna Gain  2dBi
BootLoader  U-BOOT
OS  OpenWRT(Linux2.6)
CPU  RT3050 320MHz
Memory    32MB
Flash  2MB
Lan  10/100Base-T AutoMDI RJ-45*2

2. Access to the case

Remove four rubber feet. T
he screws are special, but some precision minus screwdriver may use to them.

3. Serial cable installation

Solder wires to serial port on the circuit board, Install pull-up register (in my case 1kohm,  suitable resitor value usually between 1 kohm and 10 kohm)

Layout for FON2405E serial
J2  o     o     o     o

    |     |     |     |
   +3V   Rx    Tx    Gnd
    \_1K_/




4, Access to SoC via serial

Prepare a proper cable and a module for TTL(CMOS). FTDI FT232RL module works well,  some serial modules have a problem for Simpl.
Run terminal application on host PC (e.g. putty).  And connect at 57600/8N1.




U-Boot 1.1.3 (Jan  6 2010 - 07:10:30)

Board: Fonera
DRAM:  32 MB
relocate_code Pointer at: 81fac000
spi_wait_nsec: 3e
spi deice id: c2 20 15 c2 20 (2015c220)
find flash: mx25l1605d
raspi_read: from:41030000 len:1000
Using default environment


 ##### The CPU freq = 320 MHZ ####

SDRAM bus set to 16 bit
 SDRAM size =32 Mbytes

Please choose the operation:
   1: Boot system code via Flash (default).
   2: Load system code then write to Flash via TFTP.
   3: Entr boot command line interface.
reset pressed for 2 seconds

You selected 2
                                                                              0
2: System Load Linux Kernel then write to Flash via TFTP.
 Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)




5. Setup tftp server

i. Setup tftp server (tftpd-hpa) on host PC and start daemon:

#  apt install tfpd-hpa openbsd-inetd

Edit /etc/inetd.conf

tftp dgram udp wait root /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /var/lib/tftpboot

Run inetd daemon

# /etc/init.d/inetd start

ii. Copy firmware to tftproot directory:

cp (firmware) /var/lib/tftpboot

iii. Connect ethernet cable to fonera (computer side port)
iv. Setup static IP addess of host PC: 10.10.10.3/24

6. Access u-boot menu

The way to access to u-boot is the following:

i. Put AC power plug to Simpl while pressing the reset button.manage
ii. Wait about four seconds, u-boot menu will be displayed.
iii. If installing a firmware to flash memory, press 2 and release the reset button, 
If loading to RAM memory for testing, pess 3.

7. Load a firmware into ram for testing

i. Select '3' on u-boot menu
ii. Enter commands like this:
RT3052 # tftpboot 80800000 sdk_root_uImage_ram.img
RT3052 # bootm

Note: Ralink firmware only.

8. Backup the original firmware

i. Run telnet to Simpl:

$ telnet 10.10.10.254
ralink login: admin
Password: admin

ii. Extract firmware

# cd /tmp
# dd if=/dev/mtd3ro of=firmware.img
7808+0 records in
7808+0 records out
# ls -l
-rw-r--r--    1 0        0         3997696 firmware.img
# killall goahead
# httpd -h /tmp

Note: The address of copied data is from 0x
20000 to 0x3f0000, but the actual range of kernel + rootfs of fon firmware is from 0x20000 to 0x1f0000.

SDK firmware's log:
Creating 4 MTD partitions on "raspi":
0x00000000-0x00010000 : "Bootloader"
0x003f0000-0x00400000 : "Config"
0x00010000-0x00020000 : "Factory"
0x00020000-0x003f0000 : "Kernel"

Original fon firmware's log:
Creating 6 MTD partitions on "raspi":
0x00000000-0x00010000 : "uboot"
0x00010000-0x00020000 : "boardconfig"
0x00020000-0x00200000 : "image"
0x00020000-0x000b6000 : "linux"
0x000b6000-0x001f0000 : "rootfs"
0x001f0000-0x00200000 : "uci_overlay"

iii. Transfer the copy  to host PC

$ wget http://10.10.10.254/firmware.img
--2011-03-06 17:47:12--  http://10.10.10.254/firmware.img
Connecting to 10.10.10.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3997696 (3.8M) [application/octet-stream]
Saving to: `firmware.img'

100%[======================================>] 3,997,696   4.46M/s   in 0.9s   

2011-03-06 17:47:13 (4.46 MB/s) - `firmware.img' saved [3997696/3997696]

iv. Adjust proper file size

$ dd if=firmware.img of=fonera-simpl-orig.firmware bs=64k count=29
29+0 records in
29+0 records out
$ ls -l
-rw-r--r--    1 shiva    shiva     3997696 Dec 31  1999 firmware.img
-rw-r--r--    1 shiva    shiva     1900544 Mar  6 17:51 fonera-simpl-orig.firmware

If having a problem while restoring orginal firmware, try this:

# dd if=fonera-simpl-orig.firmware of=fonera-simpl-orig.firmware.fix bs=128k conv=sync

This firmware is 64kb bigger than previous one, and it erases
"uci_overlay".

9. Firmware installation into flash memory

a. fonera-simpl-4.0.1.4-hacked.img

A telnetd enabled orignal firmware. To access to Simpl:

i. Run dhcpclient
ii. Run telnet

$ telnet 192.168.10.1

Entering character mode
Escape character is '^]'.


BusyBox v1.11.1 (2010-01-05 11:31:52 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ #

This firmware cannot do many things, only for using research purpose.

b. ralink-custom-20100813.img

Features:
i. Three operation mode: Bridge, Gateway, and AP Client: Bridge and AP Client work well
ii. Qos (not tested)
iii. Channel BandWidth 20/40 (Not tested):
Theoretically twice faster than original fon firmware.
iv: WPS (not tested)
v. Mesh metwork (not tested)
vi. a little advanced firewall settings: MAC/IP/Port filtering etc.

This firmware is built by ralink SDK. A few bugs exist:
i. Click Wireless Settings > Station List on GoAhead does not work and goes down.
ii. AP Client mode requires addtional setting.

10. Access control panel

Default IP addess is 10.10.10.254. Access the control panel via browser.

11. Basic Setting

a. Bridge  (AP mode)
Basic setting:
WAN: bridge
LAN: static IP addess (private network, require for AP Client) 
LAN2: arbitrary IP addess
Wireless: AP mode
DHCP: enable/disable 

b. Gateway (router mode)
Basic setting:
WAN: DSL modem
LAN: static IP addess(private network)
Wireless: AP mode

c. AP Client (Client bridge mode)

It needs a little tweak.

i. Basic setting:
- NAT: disable
- WAN: arbitrary IP addess (e.g. 10.10.10.254/24)
- LAN: static IP address
- LAN2: disable
- DHCP: disable
- Wireless SSID: arbitrary setting, hidden mode
- Wireless security: WPA2-PSK (strongest security)
- AP Client: SSID, Security mode, Encryption Type and Pass Phrase of AP
 
ii. Access to system via telnet:
# brctl addif br0 apcli0

If apcli0 interface does not exist, AP Client does not work.

12. Test

WAN ==DSL == Simpl 1(GW, Fon firmware) == Simpl 2 (AP,bridge mode customized firmware) ---Simpl 3 (AP Client, customized firmware)==hub==PCs

==: Wired
---: Wireless
Network: 192.168.211.0/27
Simpl 1: 192.168.211.30/27
Simpl 2: 192.168.211.29/27
Simpl 3: 192.168.211.28/27

Network latency:

# ping -c 3 192.168.211.28
PING 192.168.211.28 (192.168.211.28): 56 data bytes
64 bytes from 192.168.211.28: seq=0 ttl=64 time=0.577 ms
64 bytes from 192.168.211.28: seq=1 ttl=64 time=0.547 ms
64 bytes from 192.168.211.28: seq=2 ttl=64 time=0.540 ms

--- 192.168.211.28 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.540/0.554/0.577 ms
# ping -c 3 192.168.211.29
PING 192.168.211.29 (192.168.211.29): 56 data bytes
64 bytes from 192.168.211.29: seq=0 ttl=64 time=1.177 ms
64 bytes from 192.168.211.29: seq=1 ttl=64 time=1.201 ms
64 bytes from 192.168.211.29: seq=2 ttl=64 time=1.386 ms

13. Repeater mode

AP Client also can be Repeater. Set SSID to AP Client with same SSID name of AP in Control Panel. Reboot and run this command:

# brctl addif br0 apcli0


Add New custom firmware (22 SEP 2016)

This is Fon-ng based firmaware which is removed fon modules and some customized.

 

note: 11N Mode (150 Mbps) does not work for my PC


ċ
FON_SIMPL_4.0.2.3_GPL_Little_My.tar.bz2
(13713k)
Hiroyuki shree,
Sep 22, 2016, 7:42 AM
ċ
fonera-simpl-4.0.1.4-hacked.img
(1792k)
Hiroyuki shree,
Mar 22, 2011, 9:47 PM
ċ
fonera-simpl-4.0.1.4.img
(1856k)
Hiroyuki shree,
Mar 22, 2011, 9:47 PM
ċ
fonera-simpl-4.0.2.2.img
(1856k)
Hiroyuki shree,
Mar 22, 2011, 9:48 PM
ċ
md5sum
(0k)
Hiroyuki shree,
Mar 22, 2011, 9:49 PM
ċ
openwrt-foneraN-fonita-squashfs_22-SEP-2016.img
(1798k)
Hiroyuki shree,
Sep 22, 2016, 5:20 AM
ċ
ralink-custom-20100813.img
(1856k)
Hiroyuki shree,
Mar 22, 2011, 9:50 PM
ċ
sdk_root_uImage_ram.img
(2536k)
Hiroyuki shree,
Mar 22, 2011, 9:51 PM
ċ
unsquashfs
(46k)
Hiroyuki shree,
Sep 5, 2011, 4:26 PM
Comments