Category Archives: Jasager

In part 1, I will discuss how to set up a La Fonera router with Jasager, and then do some post-installation configuration that will turn this little $30 WiFi router into a stand-alone, automated Karma installation to trap wireless clients without any interaction from you aside from hooking up a power source and network cable.

Things you will need:

• A computer with an Ethernet port, TFTP server software (Mac, Windows, Linux) and telnet/SSH clients (I stuck to Mac OS X for this but you can do it from Linux or Windows)
• A Fon 2100 router from Fon.com
• An Ethernet cable for the La Fonera router
• (maybe) a hub, switch or crossover Ethernet cable

What’s the point?
A rig like this can be used to quickly, cheaply deny wireless service (for example, if your office does not allow wireless by policy). It also allows you to gather information about people who are trying to connect to wireless networks when/where they should not be. Likewise, it can be used in vulnerability assessments. Like any security tool, there are black-hat uses for Jasager. Used alone, Jasager is mostly harmless. Note: we will be combining Jasager with some other powerful tools.

Hi. Meet Der Jasager, the “yes man”

http://www.viddler.com/player/1b5f260d

Once you get a fresh install on the Fonera, Jasager should be installed. Try hitting it at http://192.168.1.1:1471

I’ll have more later with my results of playing tricks locally.

I wanted to update this post and put more references to some other great resources to read.

Hak 5 forums have many people playing with the Jasager project. I suggest you read as many posts as you can before you attempt this hack.

http://hak5.org/forums/index.php?showtopic=10254&st=0&gopid=147536&#entry147536

HIR is a new website that I found with some good documentation on the Jasager installation, if you want to go a different route to flash.

http://www.h-i-r.net/2009/07/evil-wifi-part-1-jasagerfonera-setup.html

La Fonera with Karma and Jasager “YESMAN”

I recently sold one of the La Foneras that I had stored away. During the sale I learned that the buyer wanted a new firmware installed. This firmware is Jasager, which has the hacking scene thinking of new ways to exploit users.

Catch Hak5's latest review of the new tool.

I started with my La Fonera preloaded with DDWRT v24 preSP2 (Build13064) and immediately flashed from redboot to Jasager.
If you are interested in doing this, follow these simple instructions:
Download the following tools:
* PuTTY 32
* tftpd 32

Followed by downloading:
* Jasager firmware 1.0 (MD5 56c396772f04e96369422fd9139ee8ee)

Once downloaded you will have 2 files
openwrt-atheros-root.squashfs
openwrt-atheros-vmlinux.lzma

http://www.digininja.org/jasager/download.php

5 Easy steps to writing over DD-WRT
First, change your NIC: set the IP to a manual address. I made mine 192.168.1.116.
Telnet into your La Fonera: RedBoot is typically at 192.168.1.254, port 9000.
Now start your TFTP server.

Now go back to your telnet window and set the IP addresses: -l is RedBoot's own address and -h is the TFTP server, which is the address you gave your NIC above.
RedBoot> ip_address -l 192.168.1.254/24 -h 192.168.1.116

You now need to execute the following commands:

RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801003ff, assumed entry at 0x80040400
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7

... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040400-0x80100400 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801e03ff, assumed entry at 0x80040400
RedBoot> fis create -l 0x6F0000 rootfs

... Erase from 0xa80f0000-0xa87e0000: ...........
... Program from 0x80040400-0x801e0400 at 0xa80f0000: .......................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

RedBoot> fconfig
Run script at boot: true
Boot script:
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.l7
>> exec
>>
Boot script timeout (1000ms resolution): 2
Use BOOTP for network configuration: false
Gateway IP address:
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset

^]
telnet> Connection closed.
root@desktop ~ #

After this the Fon should reboot and if you hit 192.168.1.1:1471 in your browser you will get the Jasager interface.

Flashing from DDWRT took about 45 mins.
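
Since fis init erases the flash directory before anything is written, it is worth checking the download against the MD5 listed above and confirming that both images fit the flash regions used in the RedBoot session before starting. This is an added example, not part of the original post: the three file paths passed as arguments are assumptions, and the size limits are derived from the fis output shown above.

```shell
#!/bin/sh
# Pre-flash checks for the Jasager images (added example, not the author's code).
# Usage (paths are assumptions): preflight.sh <archive> <vmlinux.lzma> <root.squashfs>

EXPECTED_MD5="56c396772f04e96369422fd9139ee8ee"   # MD5 quoted on the page
ROOTFS_MAX=$((0x6F0000))                          # "fis create -l 0x6F0000 rootfs"
# Kernel erase region in the session: 0xa8030000-0xa80f0000 (rootfs starts after it).
KERNEL_MAX=$((0xa80f0000 - 0xa8030000))

# Print the lowercase MD5 of a file (md5sum on Linux, md5 on Mac OS X).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Succeed only if the file's MD5 equals the expected value.
check_md5() {
    actual=$(md5_of "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "MD5 mismatch for $1: got $actual, expected $2" >&2
        return 1
    fi
}

# Succeed only if the file is no larger than the given byte limit.
check_fits() {
    size=$(wc -c < "$1" | tr -d ' ') || return 1
    if [ "$size" -gt "$2" ]; then
        echo "$1 is $size bytes, limit is $2" >&2
        return 1
    fi
}

# Run all three checks; any failure means do not flash.
preflight() {
    check_md5 "$1" "$EXPECTED_MD5" &&
    check_fits "$2" "$KERNEL_MAX" &&
    check_fits "$3" "$ROOTFS_MAX" &&
    echo "OK to flash"
}

if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

A kernel image larger than the 0xC0000-byte region would push the rootfs partition past the FIS directory at 0xa87e0000, so the -l 0x6F0000 value from the session would no longer fit.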

If someone would like to tell me how to run Jasager with DDWRT and use the IPKG package please do post.