Free your La Fonera

For some reason, La Fonera only allows users to upload firmware released by FON.com. The /bin/fonverify upgrade script, written by Pablo Martin, uses public-key cryptography to protect the firmware images: each image carries a RIPEMD-160 message digest that is checked during verification, and only images that pass are written to flash.

However, since La Fonera is OpenWrt-based, you can do anything on the device once you are logged into the system. The signature check only guards the upgrade path, not the running system, and there are several ways to get a login.

Some FON routers leave the JTAG pins on the board. La Fonera is based on the Atheros AR531X SoC, which uses standard MIPS EJTAG v2.6. If you have a JTAG cable, you can write the flash through the JTAG interface. However, mine does not have the JTAG pin header populated, so I had to solder one on myself.

Inside the Fonera

Another way into the system is a TTL level shifter. Jauzsi has a post describing the serial pinout of the Fonera, and there are some HOWTOs (Activar SSH en la Fonera, Habilitando acceso por ssh a la fonera, both in Spanish) that show how to build a TTL-to-RS232 converter for it. Over that RS232 link you get the serial console, and you can also reach the RedBoot bootloader.

All of these methods need some electronic components. Luckily, there are some security issues in the current firmware. For example, La Fonera runs a script named “thinclient” every time the router boots. “thinclient” connects over SSH to the host download.fon.com on port 1937 to fetch configuration scripts from FON.com. Since the router resolves that hostname over the network, we can use dnsspoof plus a program answering as that host to make the router download, and run, a script of our choosing.

That route takes some networking skills. There is another, easier way to make the router run specified commands: there was a CGI bug in the web admin interface through which shell commands can be injected via an HTML form. BingoBommel posted an example on blogspot.com. I have tested this vulnerability on my device, which runs firmware 0.7.0.4; FON.com has already fixed the problem in the latest firmware, 0.7.1.1.
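To show the bug class rather than the bug itself, here is an added, constructed illustration (not the FON CGI script; the real vulnerable form and parameter are not reproduced here) of the pattern that makes a shell CGI injectable, beside a hardened version. The hostname setting, function names and payload are assumptions chosen for the example.

```shell
#!/bin/sh
# Added illustration of shell command injection through a CGI form value.
# This is NOT FON's /www CGI code; the "set hostname" action and the
# payload are assumed for demonstration. Both functions receive one form
# value and pretend to apply it, the way a busybox-era admin script might.

# Vulnerable pattern: the form value is spliced into a command string and
# handed to a shell, so metacharacters in the value ("; & | ` $()") become
# commands that run with the CGI's privileges (root on the router).
vuln_set_hostname() {
    value="$1"
    sh -c "echo hostname set to $value"
}

# Hardened pattern: whitelist the value before it reaches any shell, and
# pass it as a separate argument instead of inside a command string, so
# the child shell sees it as one word and never re-parses it.
safe_set_hostname() {
    value="$1"
    case "$value" in
        "" | *[!A-Za-z0-9._-]*)
            echo "rejected: invalid hostname" >&2
            return 1
            ;;
    esac
    sh -c 'echo hostname set to "$1"' sh "$value"
}

# Constructed payload of the kind a form field can carry: a valid-looking
# value followed by an extra command.
payload='fonera; echo INJECTED: uid=$(id -u)'
echo "--- vulnerable ---"
vuln_set_hostname "$payload"      # prints the hostname line, then the injected line
echo "--- hardened ---"
safe_set_hostname "$payload" || true   # rejected, nothing executed
safe_set_hostname fonera               # the legitimate case still works
```

The whitelist is the important part: quoting alone is fragile in busybox shells, whereas a `case` pattern that rejects any character outside the allowed set needs no escaping rules to get right.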

But you probably do not have the source of the scripts before you get into the system. I have written a script to “unfonify” the upgrade archives (derived from /bin/fonverify). You can download the latest firmware and unpack its files with the script. Stefans Datenbruch has put the 0.7.1.1 archive files on his website, and his “Hacking the La Fonera” is very informative too.

La Fonera has dropbear installed. Once you are in the system, you can start the SSH server and log in as root with the password “admin”. From there you can reflash any firmware you want onto the device.

I’ll try to make La Fonera work with the porta2030 network. Now, have fun. ;-)

November 29th, 2006 at 1:16 am


6 Responses to “Free your La Fonera”

  1. gelP Says:

    Hiya, you can flash new firmware via TFTP without the need for JTAG: just start the serial console and get RedBoot to fetch the new image via TFTP, create a new rootfs and then boot :) I had to find this out recently… http://log.tigerbus.de/?p=89 Have fun :)

  2. chihchun Says:

    Well done, man!

    I’m thinking about replacing the old RedBoot, or adding a new image with a standalone TFTP server, for upgrading to new firmware.

    Some of the OpenWrt-based products like the ASUS WL-HDD2.5 allow the user to enter “failsafe” mode by pressing the reset button, and the system then starts a TFTP server to accept new firmware over Ethernet. Then we don’t need to connect over RS232 again when we need to load new firmware. (No matter what, users who want to do this still need a TTL-to-RS232 serial converter or a Nokia data cable to connect to the console.)

  3. 竹北小黑 » Blog Archive » Hack in La Fonera Says:

    [...] Free your La Fonera [...]

  4. Marcin Says:

    Hello dear friend. I have JTAG and a FON router.
    Could you give me instructions on how to flash the FON with JTAG? Which programs? Best Regards
    My mail : marcin@slupski.org

  5. hasutrance Says:

    I’ve flashed using a serial cable a few times. The USB to serial cable made from a cell phone data cable is pretty easy to use. Here’s how to make one:

    http://fonerahacks.com/index.php/Tutorials-and-Guides/Cell-Phone-USB-Adapter.html

  6. Rex Tsai Says:

    Hi, hasutrance
    Check my other post (sorry, it’s in Chinese):
    http://people.debian.org.tw/~chihchun/2007/05/17/cheapest-ttl2usb-converter-for-la-fonera/
