Thursday, August 12, 2010

"Wifon" - the Fonera powered handheld wifi pentesting device

Introduction
 "La Fonera" is one of the names for a certain WiFi access point produced by Accton.
It's popular because it's cheap, small and very hackable.

It's got a great Atheros chipset and is well suited for use with "pentesting" software such as aircrack-ng, mdk3 or Karma/Jasager , and there have been attempts at making it portable by adding battery power.

But I've never heard of anyone adding a physical user interface to make the Fonera a truly portable and autonomous device, and I decided to change that...

To get some help and motivation to finish it, I've registered it as a team project for school.

So with 5 people and 6 months of work we came up with this:














I did the hardware and uC firmware, while the rest of the team wrote software that ran on the AP.

The Hardware


- La Fonera WiFi AP running OpenWrt
- ATMEGA88 microcontroller
- 16x4 Character LCD (hd44780 compatible)
- 6 buttons
- power supply
- 2 Li-ion AA sized cells
- box of chocolates, lots of hot glue and tape :P

The total cost (not counting the Fonera) was about $20.

Power

The power supply had to be efficient and provide two voltages - 3.3V for the AP and 5V for the uC and LCD.
3.3V is provided by LM2576 - a switching regulator (for high efficiency), and 5V is provided by a cheap 7805 linear regulator, because the LCD and uC don't require much power.

As a result, the device accepts any voltage above 6V (tested up to 16V), and two 900mAh Li-ion cells allow for 90 minutes of operation.

Microcontroller

No Arduino here, because I'm a cheap anti-arduino bastard ;P
I chose the ATMEGA88 chip, because it's cheap and I'm familiar with it.

The buttons and LCD are directly connected to the uC, which communicates with the AP via UART at 9600 bps. There is a transistor between the TX pin of the uC and the AP to bring down 5V signals to 3.3V, a conversion is not needed for the other UART pin.

Grab the firmware source here: firmware.c


The communication protocol

The communication protocol between the uC and AP is very simple.
A button press sends a single ASCII symbol followed by a carriage return symbol, for example the UP button sends the letter 'w' (0x77) followed by CR (0x0D) .

The screen is updated by sending a 0x02 ASCII symbol followed by 64 bytes of data - the text to be displayed.
The screen is updated frequently enough that we are not using any error checking or correction.

Software on the Fonera

Most of the software was written in Ruby, because that was the only reasonable scripting language that fits on the flash memory of the Fonera, and to our surprise it wasn't very resource-intensive, even on such limited hardware.

My friend - Kacper, wrote the software to allow other applications to use the screen and buttons.
He also wrote a great menu system used by the rest of the team for their apps.

The interface software runs on the serial port instead of a regular terminal.
It poses as a regular terminal, but with a size of 16x4, so that any existing app can run in it, but you have to modify it to be able to read anything :P

Grab the code and more documentation of the interface here:
http://code.mwgamera.name/gitphp/index.php?p=wifon.git


The rest of the team - Adam, Marek and Michał, adapted software to work nicely with the LCD and buttons.

In the end we got these things working:
- displaying networks found by airodump-ng
- deauthentication of a selected client
- connecting to an unsecured network and scanning i with nmap
- several attacks using mdk3
- displaying CPU and memory usage

Example code - script displaying airodump-ng scan results: WifiScan.rb

Conclusion
 



As with most school projects, some things were rushed to meet the deadline, but we're satisfied with the result.

All in all, it's not really a useful device, more of a proof of concept, but it was fun to build and it's working.

Also, we did it because we could, and that is all that matters!

I will post the full sources as soon as all the team members agree.

24 comments:

  1. That is quite amazing. Loved the ASCII art on the boot screen!

    I wonder, as I'm not very educated in these things yet, how hard would it be to make a module that would essentially plug into an Ethernet jack and output a basic wi-fi connection, secured or unsecured? Just a thought.

    You can get back @ me via email. BobaFettFan.Jordan[at]Gmail[dot]com

    ReplyDelete
  2. Where do you go to buy a 1st gen Fonera? I've been looking to get one but Fon doesn't sell them anymore

    ReplyDelete
  3. @jbucky1092:
    OpenMesh sells this:
    https://www.open-mesh.com/store/products.php?product=Open%252dMesh-Mini%252dRouter
    it's the same hardware, unfortunately shipping outside of the USA is very expensive.

    ReplyDelete
  4. @Emeryth: THANK YOU, I've been looking for this hardware for weeks.

    ReplyDelete
  5. That's a nice hack. I love the 4 line terminal you guys built. When you want something more powerful and customizable than a FON, check out the Gateworks boards http://bit.ly/cdniaK

    ReplyDelete
  6. @Geordy:
    Thanks for the tip, those boards look great!

    ReplyDelete
  7. It isn't obvious in the pic. Is there a serial port on the Fonera board ??

    ReplyDelete
  8. @Anonymous:
    Yes, there is a pin 2x5 header with two pins for serial and two pins for power.
    You can see the little piece of red PCB with wires we used to connect to this header.

    ReplyDelete
  9. Can I buy this from you?

    ReplyDelete
  10. ar430w, atheros 2317/8, uart, 16mb ram, 4mb flash...under 25 shipped

    ReplyDelete
  11. I meant all put together.

    ReplyDelete
  12. Hmmmm.... Try this words in google image search: "wr254 lcd"...

    ReplyDelete
  13. NICE project!
    You can probably use thesame on the Fonera+
    it also has a serial port; runs thesame hardware;
    only has an additional network port (nice if you want to tcpdump throughput communications between lan/wan

    ReplyDelete
  14. Would any of these routers work for your mod?

    the link above for the OpenMesh mini doesn't work.

    http://www.open-mesh.com/index.php/compatible-solutions.html

    ReplyDelete
  15. Nevermind ^^

    =)

    http://www.open-mesh.com/index.php/low-cost-mesh/accton-mini-router-w-power-suppply.html

    ReplyDelete
  16. That's a nice hack!!!

    Ruby packages installed on the device.
    How to run the scripts? (wfntty.rb, wfntty.ti, ...)
    THX! Alpha

    ReplyDelete
  17. Great project! I want to build one! Any plans to release complete source so others can hack away?

    ReplyDelete
  18. Hi there,

    any psosibility to get a firware compatible with arduino (Atmega328) ?. nowdays, there are arduinoboards with lcd display and mini keyboard for less than 40$!

    ReplyDelete
  19. @Anonymous:

    The code should be compatible with arduino out of the box, it may require a few tweaks to compile in the arduino IDE though.
    Arduino IDE uses the same compiler (AVR-GCC) but with a library of easier to use functions.

    ReplyDelete
  20. Hi
    Is this project compatible with atmega 8 not atmega 88.I am confused image shows atmega 8 and you wrote atmega 88 which is correct?:)
    Best regards

    ReplyDelete
  21. @Anonymous:

    This project is compatible with both ATmega8 and ATmega88.
    I used an ATmega88 but I only had an ATmega8 part in EagleCAD where I made the schematic.

    ReplyDelete
  22. Thanks for your reply.
    One more question please.
    Do you have a compiled version of firmware.c?I compiled myself for atmega8 but i get errors and warnings on AVR Studio 4.Here is a screenshot:
    http://www.image-share.com/ijpg-918-71.html
    Thanks in advance

    ReplyDelete
  23. This comment has been removed by the author.

    ReplyDelete