PyFon – Being a Fonero

The problems I described last time, are gone now 🙂 The paramiko mailinglist is, besides the pretty good documentation, a very good information ressource.

So I built a Fon client in Python which allows you to login to the Fon server and make your Fonera officially online.

So in order to get your copy of PyFON, do a

hg clone http://hg.cryptobitch.de/pyfon

To use it, simply give the MAC address of your Foneras wireless interface as an argument and run it or do it in a more sophisticated way:

muelli@xbox:~/hg/pyfon$ python ./src/pyfonclient.py --loglevel info --firmware 0.7.2 --revision 3 --mode cron --ethernetmac 00:18:84:fo:ob:ar 00:18:84:fo:ob:ar
INFO:root:Connecting to host: download.fon.com:1937 as user: openwrt
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_4.3p2)
INFO:paramiko.transport:Authentication (publickey) successful!
INFO:root:Connect finished
INFO:paramiko.transport:Secsh channel 1 opened.
INFO:root:Found _auth_string: mode='cron' wlmac='00:18:84:ff:ee:dd' mac='00:18:84:fo:ob:ar' fonrev='3' firmware='0.7.2' chillver='1.0-1' thclver='1.0' device='fonera'

INFO:root:Finally closing everything
muelli@xbox:~/hg/pyfon$

If you increase the loglevel to, say, debug, then you’ll get the script which Fon send you and supposes you to execute. If you change your password via the Fon webinterface, you’ll see your new password in that script.

So if you want to disturb the Fon network, you can iterate over all Fon MACs and receive the possible made configuration changes. By that, you’ll get the new passwords as well, of course…

Another funny thing is that the Fon server sends you their banner, if you explicitely request a shell:

In [1]: import pyfonclient
In [2]: c  = pyfonclient.Client()
In [3]: c.connect()
In [4]: channel = c.client.invoke_shell()
In [5]: channel.recv_ready()
Out[5]: True
In [6]: buf=""
In [7]: while channel.recv_ready(): buf += channel.recv(1)
   ...:
In [8]: print buf
Linux fonesfat02 2.6.18-6-amd64 #1 SMP Sun Feb 10 17:50:19 UTC 2008 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
In [9]:

But you can’t execute any command…

Patches are, as always, welcome 🙂

Free FON

You might know that FON thing, which basically provides you with WiFi on many places. They give you an access point which they suppose you to run and provide that WiFi to others. Then you are eligible to use other peoples WiFi.

The given access point connects itself with a script to the main server and tells it, that it’s online. The server then grants you access to other WiFis.

If you flash the access point, which is called “fonera”, with e.g. OpenWRT then you’ll lose that script. This in pretty bad because you *do* provide free WiFi to the people (unless you don’t run an open WiFi) but lose the right to use others.

There are sites out there which describe, howto do the “heartbeat” yourself, but they have major drawbacks:

  • They are written in Bash
  • The key used is in dropbear format, and not OpenSSH

Also note, that you can receive the files from the Fon development site and steal that heartbeat thing from there.

Thanks to this site I found a way to convert the dropbear key to the OpenSSH format (/usr/lib/dropbear/dropbearconvert dropbear openssh fonkey fonkey.ssh), but that bash thing is still ugly. Also, to use OpenSSH, you have to fiddle with permissions of the keyfile, etc.

So in order to run that heartbeat thing properly on, say, your PC, you don’t want to depend on dropbear or “nvram” to get the MAC address of your wireless interface. You might want to run the following script, of course you have to adapt the variables first. I try to get rid of Bash, but I still have a few problems with Pythons SSH package: I can’t send something to “stdin”, like “echo 'foo' | ssh bar” does.

#!/bin/sh
#
# version 1.1.0 

THINCLIENTPATH="/tmp" # path of this file
ROOTHOME="/tmp/root" # root's home dir
SSHPATH="/usr/bin/ssh" # path to ssh
KEY="/tmp/fonkey.ssh.1" # private key for fetching the info from the FON server
THINCLIENTOUT="/tmp/.thinclient.sh" # output file

THINCLIENTOUTDEFAULT="33" # default size of the output file

THCLVER="1.0"
CHILLVER="1.0-1"
FONREV="2" # /etc/fon_revision
FIRMWARE="0.7.2" # taken from /etc/banner (without Beta)
DEVICE="fonera"

USER="openwrt"
SERVER="download.fon.com"
PORT="1937"
FONSIG="$SERVER ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0zJFtj5NtrVsj8+qG0dtPE8WpHHDpTXp5+d3vvtSS7Hx7vYHyrfN/8PBVrrYOgl4dySY65sGtq34EU04VN4a7xQHSKJBunDUSQ/2Xz+eyo53LCVeFy1zNRCmB6jrFlJQvl5yviLvXmMtOGxG8Z1dfu4qavfGtBxwtwxKPKuiyhs="
cat > $KEY <> $ROOTHOME/.ssh/known_hosts
}

exec_cron_mode () {
	check_env
	sleep "$((0x$(head /dev/urandom |hexdump |awk '$2 > 0 {print $2}'|head -n1) % 10))"
	echo "mode='cron' wlmac='$MAC' mac='$ETMAC' fonrev='$FONREV' firmware='$FIRMWARE'" | $SSHPATH -T ${PORT:+ -p $PORT}${KEY:+ -i $KEY} "${USER}@${SERVER}" > $THINCLIENTOUT
	echo "sent: mode='cron' wlmac='$MAC' mac='$ETMAC' fonrev='$FONREV' firmware='$FIRMWARE'"
	exec_check_thinclient
}

exec_start_mode () {
	sleep 10 # make sure WAN is up and crond is running
	check_env
	[ -f "/tmp/crontab" ] || touch /tmp/crontab
	[ `grep -c thinclient /tmp/crontab` = "0" ] && echo "24,54 * 	*	**	root $THINCLIENTPATH/thinclient cron > /dev/null 2>&1 &" >> /tmp/crontab
	echo "mode='start' wlmac='$MAC' mac='$ETMAC' fonrev='$FONREV' firmware='$FIRMWARE' chillver='$CHILLVER' thclver='$THCLVER' device='$DEVICE'" | $SSHPATH -T ${PORT:+ -p $PORT}${KEY:+ -i $KEY} "${USER}@${SERVER}" > $THINCLIENTOUT
	echo "sent: mode='start' wlmac='$MAC' mac='$ETMAC' fonrev='$FONREV' firmware='$FIRMWARE' chillver='$CHILLVER' thclver='$THCLVER' device='$DEVICE'"
	exec_check_thinclient
}

exec_check_thinclient () {
	if [ -f $THINCLIENTOUT ]
	then
		THINSIZE="$(wc -c < $THINCLIENTOUT)"
		if [ $THINSIZE = "0" ]
		then
			echo "Something is wrong, $THINCLIENTOUT is empty"
		elif [ $THINSIZE != "33" ]
		then
			echo "Something is different in $THINCLIENTOUT:"
			cat $THINCLIENTOUT
		else
			echo "$THINCLIENTOUT is the default one, deleted"
			rm $THINCLIENTOUT
		fi
	else
		echo "Something is wrong, $THINCLIENTOUT does not exist!"
	fi
}

case "$1" in
	cron)
		exec_cron_mode
		;;
	start)
		exec_start_mode
		;;
	check)
		exec_check_thinclient
		;;
	*)
		echo "Usage: `basename $0` {cron|start|check}"
		exit
esac
Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.