La Fonera: Firmware upgrades inspected

All La Fonera routers periodically check for new commands from FON. FON can use that channel to deliver configuration commands as well as instructions on how to update the firmware. Michael also did some research on that issue.

How FON performs updates

After another CGI hack was published, FON pushed another upgrade through its command channel. The following shell code was to be executed on every device:

cd /tmp
wget http://download.fon.com/firmware/update/0.7.0/4/upgrade.fon
/bin/fonverify /etc/public_fon_rsa_key.der /tmp/upgrade.fon

rm -f /tmp/.thinclient.sh

exit

The upgrade procedure downloads the upgrade file and verifies its integrity using a public key present on every router. This is done to prevent code injection through the manipulation of DNS records. The program fonverify also seems to be responsible for extracting and installing the upgrade file, which has the following format:

  1. The header string FON...
  2. ...followed by either the number 3 or 4, indicating the nature of the update:
    • upgrades tagged with 3 are complete new firmware images
    • upgrades tagged with 4 are only smaller hotfix upgrades that just replace particular files
  3. The next number possibly refers to the size of the following cryptographic signature; so far we have only encountered a value of 512. The script /bin/fonverify does not even read this value and assumes a signature size of 512 bytes
  4. A 512 byte signature
  5. The rest of the file is a gzip compressed tar archive

You can simply skip the first 520 bytes (header and signature) and extract the attached archive with this command:

wget -q -O - http://download.fon.com/firmware/update/0.7.0/4/upgrade.fon | tail -c +520 - | tar xvfz -

I've also written a script called defon.sh to extract FON upgrade archives.
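As an added example (not part of the original page and not the defon.sh script), the following Python code inspects an upgrade file according to the format listed above without hardcoding the skip offset: it finds the gzip stream behind the signature and lists the archive members in memory, so nothing is extracted. The byte widths of the type and size fields and the names inspect_upgrade and build_sample are assumptions, and the sample file is constructed with a placeholder signature.

```python
import io
import tarfile
import zlib

MAGIC = b"FON"
SIG_LEN = 512                 # signature length stated on the page
KINDS = {3: "complete firmware image", 4: "hotfix (replaces particular files)"}
GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip member header, deflate method

def inspect_upgrade(blob):
    """Parse a FON upgrade blob in memory; nothing is written to disk."""
    if not blob.startswith(MAGIC):
        raise ValueError("missing FON header string")
    tag = blob[len(MAGIC)]
    kind = tag - 0x30 if tag in b"34" else tag  # assumption: ASCII digit or raw byte
    if kind not in KINDS:
        raise ValueError("unknown update type %r" % tag)
    # The archive cannot start before magic + type + signature. Probe every
    # gzip magic from there on and accept the first one that opens as a tar.
    pos = blob.find(GZIP_MAGIC, len(MAGIC) + 1 + SIG_LEN)
    while pos != -1:
        try:
            with tarfile.open(fileobj=io.BytesIO(blob[pos:]), mode="r:gz") as tar:
                names = tar.getnames()
            break
        except (tarfile.TarError, OSError, EOFError, zlib.error):
            pos = blob.find(GZIP_MAGIC, pos + 1)
    else:
        raise ValueError("no gzip-compressed tar archive found")
    return {
        "kind": KINDS[kind],
        "header": blob[:pos - SIG_LEN],        # header string, type, size field
        "signature": blob[pos - SIG_LEN:pos],  # verified on the router by fonverify
        "payload_offset": pos,
        "members": names,
    }

def build_sample(kind=4):
    """Constructed input; the 4-byte size field (512) is an assumed layout."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"#!/bin/sh\n"
        info = tarfile.TarInfo("upgrade")  # script name mentioned on the page
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    header = MAGIC + str(kind).encode() + b"\x00\x00\x02\x00"
    return header + bytes(SIG_LEN) + buf.getvalue()  # all-zero placeholder signature
```

The code does not check the signature; it only shows what an upgrade file contains and where the payload starts, which can be compared with the 520-byte figure used above.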

The upgrade procedure employs a script called upgrade that is executed to perform the update. If a new firmware is included in the upgrade archive, it is flashed using the mtd utils, and if only a few files are to be changed, another included archive is extracted directly into the root directory.

Because of this fire-and-forget nature of the upgrade procedure, downgrades are not possible under normal circumstances.

Inspected upgrades