La Fonera with Karma and Jasager “YESMAN”

I recently sold one of the La Foneras I had stored away. During the sale the buyer told me he would like a new firmware installed. That firmware is Jasager, which has the hacking scene thinking of new ways to exploit users.

Catch Hak5's latest review of the new tool.

I started with my La Fonera preloaded with DD-WRT v24 preSP2 (Build 13064) and flashed Jasager straight from RedBoot.
If you are interested in doing this, follow these simple instructions:
Download the following tools:
PuTTY (32-bit)
tftpd32

Then download:
* Jasager firmware 1.0 (MD5 56c396772f04e96369422fd9139ee8ee)

Once downloaded and unpacked you will have 2 files:
openwrt-atheros-root.squashfs
openwrt-atheros-vmlinux.lzma

http://www.digininja.org/jasager/download.php
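Before feeding anything to RedBoot it is worth checking that what you downloaded is the build the MD5 above was published for; once `fis init` has run there is no DD-WRT to fall back to. The helper below is an added example, not part of the original post or of Jasager itself: it computes the MD5 of a file with whatever tool the host has, compares it with an expected hash, and confirms the two image files RedBoot will load are present. The archive filename `jasager-1.0.tar.gz` in the usage comment is an assumption.

```shell
# Added example (not from the original post): verify a downloaded firmware
# against a published MD5 before flashing it with RedBoot.
# The only hash on the page is for "Jasager firmware 1.0"
# (56c396772f04e96369422fd9139ee8ee); the archive filename is an assumption.

# Print the MD5 of a file, using whichever tool the host provides
# (coreutils md5sum, BSD/macOS md5, or openssl as a last resort).
md5_of() {
    file="$1"
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$file" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$file"
    else
        openssl dgst -md5 "$file" | awk '{print $NF}'
    fi
}

# verify_firmware FILE EXPECTED_MD5
# Returns 0 when the hash matches, 1 on mismatch, 2 if the file is missing.
# The expected hash is lower-cased so a hash copied in upper case still compares.
verify_firmware() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file ($actual)"
        return 0
    fi
    echo "MISMATCH: $file expected $expected got $actual" >&2
    return 1
}

# After the archive checks out, make sure both images RedBoot will
# "load" over TFTP are sitting in the TFTP server's root directory.
check_images() {
    for f in openwrt-atheros-vmlinux.lzma openwrt-atheros-root.squashfs; do
        [ -f "$f" ] || { echo "missing image: $f" >&2; return 1; }
    done
    return 0
}

# Usage (run from the tftpd root; archive name is an assumption):
#   verify_firmware jasager-1.0.tar.gz 56c396772f04e96369422fd9139ee8ee && check_images
```

Keep in mind what this check does and does not give you: a matching MD5 rules out a truncated or corrupted download, which is the usual cause of a Fonera that never comes back after `fis create`, but a hash copied from the same page as the download link says nothing about whether either was tampered with. If you want that assurance, compare against the hash on the project's own download page rather than a blog post.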

5 easy steps to writing over DD-WRT
First change your NIC: set the IP to a manual address. I made mine 192.168.1.116.
Telnet into your La Fonera: RedBoot is typically at 192.168.1.254, port 9000.
Now start your TFTP server.

Now go back to your telnet window and set RedBoot's addresses (-l is the Fonera's own address, -h is the TFTP host it will load the images from):
RedBoot> ip_address -l 192.168.1.254/24 -h 192.168.1.166

You now need to execute the following commands:

RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801003ff, assumed entry at 0x80040400
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7

... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040400-0x80100400 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040400-0x801e03ff, assumed entry at 0x80040400
RedBoot> fis create -l 0x6F0000 rootfs

... Erase from 0xa80f0000-0xa87e0000: ...........
... Program from 0x80040400-0x801e0400 at 0xa80f0000: ..........................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

RedBoot> fconfig
Run script at boot: true
Boot script:
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.l7
>> exec
>>
Boot script timeout (1000ms resolution): 2
Use BOOTP for network configuration: false
Gateway IP address:
Local IP address: 192.168.1.1
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.1.254
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset

^]
telnet> Connection closed.
root@desktop ~ #

After this the Fon should reboot, and if you browse to 192.168.1.1:1471 you will get the Jasager interface.

Flashing from DD-WRT took about 45 minutes.

If someone would like to tell me how to run Jasager under DD-WRT using ipkg packages, please do post.
