Home‎ > ‎

Fonera Simpl Hacking

The Fonera Simpl is based on Ralink RT3050 SoC. The device is faster and more stable than atheros based fonera. I  partially succeeded in hacking Simpl and customized a firmware.  Although the firmware has a few bugs, it is stable and has a lot of features than the original fon firmware. 

Firmware list

 fonera-simpl-4.0.1.4.img   Original fon firmware ver.4.0.1.4
 fonera-simpl-4.0.1.4-hacked.img
 Hacked fon firmware
 sdk_root_uImage_ram.img Custamized Firmware with utilities (Ralink SDK)
 ralink-custom-20100813.img Custamized Firmware (Ralink SDK)
 fonera-simpl-4.0.2.2.img    Original fon firmware ver.4.0.2.2 (by Giuseppe)

1. Specifications

Model  FON2305E/FON2405E
Architecture MIPS32 Release 1
Wireless  IEEE 802.11g / IEEE 802.11b / IEEE 802.11n(2.4GHz only)
Security  WiFi Protected Access (WPA) / WEP / WPA2 / WPS
Weight  95g
Power Supply  DC 5V 1A  
Antenna Terminal  Reverse SMA(RP-SMA)
Antenna Gain  2dBi
BootLoader  U-BOOT
OS  OpenWRT(Linux2.6)
CPU  RT3050 320MHz
Memory    32MB
Flash  2MB
Lan  10/100Base-T AutoMDI RJ-45*2

2. Open the case

To open the case remove the four rubber feet.
Although the screw is special, some precision minus screwdriver may fit it.

3. Install serial

Solder wires to serial port on the circuit board, Install pull-up register (in my case 1kohm,  suitable resitor value usually between 1 kohm and 10 kohm)

Layout for FON2405E serial
J2  o     o     o     o

    |     |     |     |
   +3V   Rx    Tx    Gnd
    \_1K_/




4, Access via serial

Prepare a proper cable and a module for TTL(CMOS). FTDI FT232RL module works well,  some serial modules have a problem for Simpl.
Run terminal application on host PC (e.g. putty).  And connect at 57600/8N1.
To access u-boot menu is the following:

i. Put AC power plug to Simpl while pressing the reset button.
ii. Wait about four seconds since u-boot menu is displayed.
iii. Then press "2" and release the reset button.
If successful, the u-boot menu like this:

U-Boot 1.1.3 (Jan  6 2010 - 07:10:30)

Board: Fonera
DRAM:  32 MB
relocate_code Pointer at: 81fac000
spi_wait_nsec: 3e
spi deice id: c2 20 15 c2 20 (2015c220)
find flash: mx25l1605d
raspi_read: from:41030000 len:1000
Using default environment


 ##### The CPU freq = 320 MHZ ####

SDRAM bus set to 16 bit
 SDRAM size =32 Mbytes

Please choose the operation:
   1: Boot system code via Flash (default).
   2: Load system code then write to Flash via TFTP.
   3: Entr boot command line interface.
reset pressed for 2 seconds

You selected 2
                                                                              0
2: System Load Linux Kernel then write to Flash via TFTP.
 Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)

If not successful, check serial.
Boot Simpl and press any key. If transmitting  keystroke successfully, the terminal is displayed like this:

.W.z.zzzzzzzzzzzzzzzzz...W



5. Setup tftp server

i. Setup tftp server (tftp-hpa) on host PC and start daemon:

# ps ax | grep tftp
 5518 root     /usr/bin/tftpd-hpa -l -s /var/lib/tftpboot

ii. Copy firmwares to tftp root directory:

cp sdk_root_uImage_ram.img fonera-simpl-4.0.1.4.img fonera-simpl-4.0.1.4-hacked.img ralink-custom-20100813.img  /var/lib/tftpboot

iii. Connect ethernet cable to fonera (computer labeled port)
iv. Setup static IP addess of host PC: 10.10.10.3/24

6. Access u-boot menu

7. Load a firmware into ram

i. Select '3' on u-boot menu
ii. Enter commands like this:
RT3052 # tftpboot 80800000 sdk_root_uImage_ram.img
RT3052 # bootm

Note: Ralink firmware only.

8. Backup the original firmware

i. Run telnet to Simpl:

$ telnet 10.10.10.254
ralink login: admin
Password: admin

ii. Extract firmware

# cd /tmp
# dd if=/dev/mtd3ro of=firmware.img
7808+0 records in
7808+0 records out
# ls -l
-rw-r--r--    1 0        0         3997696 firmware.img
# killall goahead
# httpd -h /tmp

Note: The address of copied data is from 0x
20000 to 0x3f0000, but the actual range of kernel + rootfs of fon firmware is from 0x20000 to 0x1f0000.

SDK firmware's log:
Creating 4 MTD partitions on "raspi":
0x00000000-0x00010000 : "Bootloader"
0x003f0000-0x00400000 : "Config"
0x00010000-0x00020000 : "Factory"
0x00020000-0x003f0000 : "Kernel"

Original fon firmware's log:
Creating 6 MTD partitions on "raspi":
0x00000000-0x00010000 : "uboot"
0x00010000-0x00020000 : "boardconfig"
0x00020000-0x00200000 : "image"
0x00020000-0x000b6000 : "linux"
0x000b6000-0x001f0000 : "rootfs"
0x001f0000-0x00200000 : "uci_overlay"

iii. Transfer the copy  to host PC

$ wget http://10.10.10.254/firmware.img
--2011-03-06 17:47:12--  http://10.10.10.254/firmware.img
Connecting to 10.10.10.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3997696 (3.8M) [application/octet-stream]
Saving to: `firmware.img'

100%[======================================>] 3,997,696   4.46M/s   in 0.9s   

2011-03-06 17:47:13 (4.46 MB/s) - `firmware.img' saved [3997696/3997696]

iv. Adjust proper file size

$ dd if=firmware.img of=fonera-simpl-orig.firmware bs=64k count=29
29+0 records in
29+0 records out
$ ls -l
-rw-r--r--    1 shiva    shiva     3997696 Dec 31  1999 firmware.img
-rw-r--r--    1 shiva    shiva     1900544 Mar  6 17:51 fonera-simpl-orig.firmware

If having a problem while restoring orginal firmware, try this:

# dd if=fonera-simpl-orig.firmware of=fonera-simpl-orig.firmware.fix bs=128k conv=sync

This firmware is 64kb bigger than previous one, and it erases
"uci_overlay".

9. Firmware installation

a. fonera-simpl-4.0.1.4-hacked.img

A telnetd enabled orignal firmware. To access to Simpl:

i. Run dhcpclient
ii. Run telnet

$ telnet 192.168.10.1

Entering character mode
Escape character is '^]'.


BusyBox v1.11.1 (2010-01-05 11:31:52 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ #

This firmware cannot do many things, only for using research purpose.

b. ralink-custom-20100813.img

Features:
i. Three operation mode: Bridge, Gateway, and AP Client: Bridge and AP Client work well
ii. Qos (not tested)
iii. Channel BandWidth 20/40 (Not tested):
Theoretically twice faster than original fon firmware.
iv: WPS (not tested)
v. Mesh metwork (not tested)
vi. a little advanced firewall settings: MAC/IP/Port filtering etc.

This firmware is built by ralink SDK. A few bugs exist:
i. Click Wireless Settings > Station List on GoAhead does not work and goes down.
ii. AP Client mode requires addtional setting.

10. Access control panel

Default IP addess is 10.10.10.254. Access the control panel via browser.

11. Basic Setting

a. Bridge  (AP mode)
Basic setting:
WAN: bridge
LAN: static IP addess (private network, require for AP Client) 
LAN2: arbitrary IP addess
Wireless: AP mode
DHCP: enable/disable 

b. Gateway (router mode)
Basic setting:
WAN: DSL modem
LAN: static IP addess(private network)
Wireless: AP mode

c. AP Client (Client bridge mode)

It needs a little tweak.

i. Basic setting:
- NAT: disable
- WAN: arbitrary IP addess (e.g. 10.10.10.254/24)
- LAN: static IP address
- LAN2: disable
- DHCP: disable
- Wireless SSID: arbitrary setting, hidden mode
- Wireless security: WPA2-PSK (strongest security)
- AP Client: SSID, Security mode, Encryption Type and Pass Phrase of AP
 
ii. Access to system via telnet:
# brctl addif br0 apcli0

If apcli0 interface does not exist, AP Client does not work.

12. Test

WAN ==DSL == Simpl 1(GW, Fon firmware) == Simpl 2 (AP,bridge mode customized firmware) ---Simpl 3 (AP Client, customized firmware)==hub==PCs

==: Wired
---: Wireless
Network: 192.168.211.0/27
Simpl 1: 192.168.211.30/27
Simpl 2: 192.168.211.29/27
Simpl 3: 192.168.211.28/27

Network latency:

# ping -c 3 192.168.211.28
PING 192.168.211.28 (192.168.211.28): 56 data bytes
64 bytes from 192.168.211.28: seq=0 ttl=64 time=0.577 ms
64 bytes from 192.168.211.28: seq=1 ttl=64 time=0.547 ms
64 bytes from 192.168.211.28: seq=2 ttl=64 time=0.540 ms

--- 192.168.211.28 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.540/0.554/0.577 ms
# ping -c 3 192.168.211.29
PING 192.168.211.29 (192.168.211.29): 56 data bytes
64 bytes from 192.168.211.29: seq=0 ttl=64 time=1.177 ms
64 bytes from 192.168.211.29: seq=1 ttl=64 time=1.201 ms
64 bytes from 192.168.211.29: seq=2 ttl=64 time=1.386 ms

--- 192.168.211.29 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.177/1.254/1.386 ms
v# ping -c 3 192.168.211.30
PING 192.168.211.30 (192.168.211.30): 56 data bytes
64 bytes from 192.168.211.30: seq=0 ttl=64 time=1.554 ms
64 bytes from 192.168.211.30: seq=1 ttl=64 time=1.546 ms
64 bytes from 192.168.211.30: seq=2 ttl=64 time=1.660 ms

--- 192.168.211.30 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.546/1.586/1.660 ms
# ping -c 3 www.google.com
PING www.google.com (66.249.89.104): 56 data bytes
64 bytes from 66.249.89.104: seq=0 ttl=54 time=40.678 ms
64 bytes from 66.249.89.104: seq=1 ttl=55 time=46.503 ms
64 bytes from 66.249.89.104: seq=2 ttl=54 time=38.789 ms

--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 38.789/41.990/46.503 ms

13. Repeater mode

AP Client also can be Repeater. Assign the SSID of AP to the SSID of AP CLient in Control Panel. Reboot and run the following command:

# brctl addif br0 apcli0


Č
ċ
ď
fonera-simpl-4.0.1.4-hacked.img
(1792k)
Hiroyuki shree,
Mar 22, 2011, 9:47 PM
ċ
ď
fonera-simpl-4.0.1.4.img
(1856k)
Hiroyuki shree,
Mar 22, 2011, 9:47 PM
ċ
ď
fonera-simpl-4.0.2.2.img
(1856k)
Hiroyuki shree,
Mar 22, 2011, 9:48 PM
ċ
ď
md5sum
(0k)
Hiroyuki shree,
Mar 22, 2011, 9:49 PM
ċ
ď
ralink-custom-20100813.img
(1856k)
Hiroyuki shree,
Mar 22, 2011, 9:50 PM
ċ
ď
sdk_root_uImage_ram.img
(2536k)
Hiroyuki shree,
Mar 22, 2011, 9:51 PM
ċ
ď
unsquashfs
(46k)
Hiroyuki shree,
Sep 5, 2011, 4:26 PM
Comments