Contents

  1. Fonera
    1. Additional Comments
  2. Hardware
    1. Info
    2. Serial Port
    3. Case
    4. Photos
    5. JTAG
  3. Original software
    1. Flash layout
    2. Backup your Fonera's flash
    3. Restore the original firmware
    4. Unbricking the Fonera
      1. Updating / Unbricking via RedBoot
  4. Installing OpenWrt with RedBoot
    1. Installing openwrt with reboot via expect
  5. Telnet into RedBoot
  6. Reflash the RedBoot Config from SSH...
  7. Install The Fonera Pack (from sven-ola): FON + Mesh Network
  8. Basic configuration
    1. Use LAN as WAN port (with NAT)
    2. PPPoE
    3. QoS
    4. Dynamic DNS
    5. WiFi
      1. Enable WiFi
      2. WiFi encryption
      3. WiFi toggle
      4. List connected clients
  9. Hardware Hacks
  10. Resources

Fonera

The Fonera FON2100A is based on an Atheros System on Chip (SoC). It got a MIPS 4KEc V6.4 processor. There is an ongoing process porting OpenWrt to this chip: AtherosPort.

It's almost identical to the Meraki Mini, who provide their own OpenWrt fork.

Additional Comments

Detailed Information may be found in the FCC database: Doing a search on Fonera's FCC-ID reveals, that this device is actually made by Accton/SMC (http://www.accton.com.tw/).

A look at the varius test reports and external photos shows, that this device is provided also under the Trade(Model) Names

Copies of the mentioned FCC-documents may also be found at http://mobileaccess.de/fonera/

According to OpenWrt, the output-power is set to 18dBm, in contrast to the FCC-RF-tests where an output power of almost 25dBm (actually 24.89dBm on channel 6 in 802.11g mode) is measured. Question here is, if further versions will provide an adjustable TX-Power up to that level. Is the information provided by OpenWrt of 18dBm just a hypothetical value??? I found no reference in Kamikaze yet, how to adjust it.

Another interessting issue is the possible frequency range, as specified by Atheros itself at http://www.atheros.com/pt/bulletins/AR5006AP_GBulletin.pdf - where the available band ranges from 2.300GHz to 2.500GHz. Question here is, if there will be an option to use further frequencies than the international standardized 14 Channels. In particular, there might be a very high interest e.g. from the amateur-radio community!

Hardware

Info

Architecture

MIPS 4KEc

Vendor

Bootloader

RedBoot

System-On-Chip

Atheros AR2315

CPU Speed

183 MHz

Flash size

8 MiB

RAM

16 MiB

Wireless

Integrated Atheros 802.11b/g

Ethernet

1x RJ45

USB

No

Serial

Yes

JTAG

No

Serial Port

If the ethernet jack is in front of you, it looks like (RXD and TXD directions are from the computer side, i.e. swapped with respect to Fonera board side) 

+-------------------+
|GND| . |RXD|TXD| . |
|VCC| . | . | . | . |
+-------------------+
+-----+ +--------+    +---+
|Power| |Ethernet|    |Ant|

RXD and TXD are lowlevel (3.3V) signals. NOT RS232 levels. 

VCC (3.3V) -> red
GND        -> blue
RX         -> white
TX         -> orange
b . o w .
r . . . .

Here the picture.

Serial settings are 9600-8-N-1

You should plug in the serialadapter after turning the fonera on, otherwise it won't boot. (Comment by HaraldGeyer: My Fonera boots just fine with the serial adapter plugged in.)

Case

To open the case, remove the two rubber feet on the opposite site to the antenna jack, they will reveal two crosspoint screws.

Photos

JTAG

There seems to be a 14 pin unpopulated JTAG, but it is not that important as the RedBoot boatloader does not seem to be crippled.

Original software

+PHY ID is 0022:5521
Ethernet eth0: MAC address xx:xx:xx:xx:xx
IP: 0.0.0.0/255.255.255.255, Gateway: 0.0.0.0
Default server: 0.0.0.0
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version v1.3.0 - built 16:57:58, Aug  7 2006
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Board: ap51
RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 1.000 seconds - enter ^C to abort
^C
RedBoot>

Flash layout

RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x000B0000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

As you can see, the vmlinux.bin.l7 partition is of B0000, ergo 720896 bytes length. That means, that the kernel size should not exceed 720kb, but if it is smaller, everthing will be fine. Like wise the rootfs partition has a size of 0x700000 or 7340032 bytes. You've got 7.3 MiB space.

Backup your Fonera's flash

After gaining the SSH access use these commands: 

cd /dev/mtdblock
httpd -p 9090

Connect to the Fonera through the private network. Now you can download the mtd partiotions using the addresses: 

http://192.168.10.1:9090/0ro
http://192.168.10.1:9090/1ro
http://192.168.10.1:9090/2ro
http://192.168.10.1:9090/3ro
http://192.168.10.1:9090/4ro
http://192.168.10.1:9090/5ro
http://192.168.10.1:9090/6ro
http://192.168.10.1:9090/7ro

Also take note of the output of the command 

cat /proc/mtd

That should be: 

dev:    size   erasesize  name
mtd0: 00030000 00010000 "RedBoot"
mtd1: 006f0000 00010000 "rootfs"
mtd2: 00560000 00010000 "rootfs1"
mtd3: 00010000 00010000 "config"
mtd4: 000b0000 00010000 "vmlinux.bin.l7"
mtd5: 0000f000 00010000 "FIS directory"
mtd6: 00001000 00010000 "RedBoot config"
mtd7: 00010000 00010000 "board_config"

Restore the original firmware

Unbricking the Fonera

Updating / Unbricking via RedBoot

NOTE: Word on IRC is that the instructions down in the "Flashing OpenWrt" section are the ones you should use. Specifying all those parameters to "fis create" is said to be no good idea. Yet, I will leave this section until further confirmation. - Fatus

On your computer: 

$ wget -q -O - http://downloads.fon.com/firmware/current/fonera_0.7.1.1.fon | tail -c +520 - | tar xvfz -
upgrade
rootfs.squashfs
kernel.lzma
hotfix
$ cp kernel.lzma /tftp/
$ cp rootfs.squashfs /tftp/
# in.tftpd -vvv -l -s /tftp/ -r blksize

On your Fonera

Enable networking (I do not have to remind you to plug your network cable in, do I? ;-) 

RedBoot> ip_address -l 192.168.5.75/24 -h 192.168.5.2
IP: 192.168.5.75/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.5.2

Load the Kernel to the ramdisk 

RedBoot> load -r -v -b 0x80041000 kernel.lzma
Using default protocol (TFTP)
Raw file loaded 0x80041000-0x800c0fff, assumed entry at 0x80041000

The Kernel is now stored in the ramdisk at address 0x80041000, we can now write the file from the ramdisk to the flash 

RedBoot> fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
An image named 'vmlinux.bin.l7' exists - continue (y/n)? y
... Erase from 0xa8730000-0xa87e0000: ...........
... Program from 0x80041000-0x800c1000 at 0xa8730000: ........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

And now the same for the rootfs: 

RedBoot> load -r -v -b 0x80041000 rootfs.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80041000-0x801c0fff, assumed entry at 0x80041000

And now write it to the flash: 

RedBoot> fis create -b 0x80041000 -f 0xA8030000 -l 0x00700000 -e 0x00000000 rootfs
An image named 'rootfs' exists - continue (y/n)? y
... Erase from 0xa8030000-0xa8730000: ..........................................................................................................
... Program from 0x80041000-0x80741000 at 0xa8030000: ..........................................................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

This basically says, that it should write the content from the ramdisk at address 0x80041000 to the already existing flash image vmlinux.bin.l7 with the very same entry point for starting the kernel.

*Those last steps did not really work for me, had an overlapping error so I did it in reverse order and another args when creating vmlinux fis, check below. //QoS 

RedBoot> load -r -v -b 0x80041000 rootfs.squashfs
RedBoot> fis create -b 0x80041000 -f 0xA8030000 -l 0x00700000 -e 0x00000000 rootfs
RedBoot> load -r -v -b 0x80041000 kernel.lzma
RedBoot> fis create -r 0x80041000 -f 0xA8730000 -l 0x000B0000 -e 0x80041000 vmlinux.bin.l7
RedBoot> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xA8000000  0xA8000000  0x00030000  0x00000000
rootfs            0xA8030000  0xA8030000  0x00700000  0x00000000
vmlinux.bin.l7    0xA8730000  0x80041000  0x000B0000  0x80041000
FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

Installing OpenWrt with RedBoot

Once you have gained access to !RedBoot either by telnet or the serial console you can install !OpenWrt with the following method.

You have to download two files (right click and save as).

Copy openwrt-atheros-2.6-vmlinux.lzma and openwrt-atheros-2.6-root.squashfs to /tftpboot/ and flash them like this: 

^C
RedBoot> ip_address -h 192.168.5.2 -l 192.168.5.75/24
IP: 192.168.5.75/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.5.2
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-2.6-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80041000-0x800f0fff, assumed entry at 0x80041000
RedBoot> fis init

The values for the -e and -r switches in the 'fis create' RedBoot command below is the Kernel entry point. Do not change this value. 

RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
An image named 'vmlinux.bin.l7' exists - continue (y/n)? y
... Erase from 0xa8730000-0xa87e0000: ...........
... Program from 0x80041000-0x800f1000 at 0xa8730000: ...........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

"fis free" will print the first and last free block 

RedBoot> fis free
      0xA80F0000 .. 0xA87E0000

Now do the math (last - first, cause you need the difference) 

server:~# bc
obase=16
ibase=16
A87E0000 - A80F0000
6F0000

Replace 0xLENGTH with the value above (0x006F0000 in my case) and flash the the rootfs: 

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-2.6-root.squashfs
Using default protocol (TFTP)
|
Raw file loaded 0x80041000-0x80200fff, assumed entry at 0x80041000
RedBoot> fis create -l 0xLENGTH rootfs
An image named 'rootfs' exists - continue (y/n)? y
... Erase from 0xa8030000-0xa8730000: ................................................................................................................
... Program from 0x80041000-0x80741000 at 0xa8030000: ..............................................................................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset

If everything is okay, then it will now look like this: 

+PHY ID is 0022:5521
...
== Executing boot script in 1.000 seconds - enter ^C to abort
RedBoot> fis load -l vmlinux.bin.l7
Image loaded from 0x80041000-0x80290085
RedBoot> exec
Now booting linux kernel:
 Base address 0x80030000 Entry 0x80041000
 Cmdline :
Linux version 2.6.21.5 (ubuntu@ubuntu-laptop) (gcc version 4.1.2) #1 Sat Sep 29 11:04:17 CEST 2007
CPU revision is: 00019064
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Built 1 zonelists.  Total pages: 4064
Kernel command line: console=ttyS0,9600 rootfstype=squashfs,jffs2 init=/etc/preinit
Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 16kB, 4-way, linesize 16 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 64 (order: 6, 256 bytes)
Using 92.000 MHz high precision timer.
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Memory: 13504k/16384k available (1955k kernel code, 2880k reserved, 292k data, 116k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Radio config found at offset 0xf8(0x1f8)
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP reno registered
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver $Revision: 1.90 $ 1 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0xb1100003 (irq = 37) is a 16550A
eth0: Dropping NETIF_F_SG since no checksum feature.
eth0: Atheros AR231x: 00:18:84:14:39:94, irq 4
cmdlinepart partition parsing not available
Searching for RedBoot partition table in spiflash at offset 0x7d0000
Searching for RedBoot partition table in spiflash at offset 0x7e0000
5 RedBoot partitions found on MTD device spiflash
Creating 5 MTD partitions on "spiflash":
0x00000000-0x00030000 : "RedBoot"
0x00030000-0x000f0000 : "vmlinux.bin.l7"
0x000f0000-0x007e0000 : "rootfs"
0x00200000-0x007e0000 : "rootfs_data"
0x007e0000-0x007ef000 : "FIS directory"
0x007ef000-0x007f0000 : "RedBoot config"
nf_conntrack version 0.5.0 (128 buckets, 1024 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP vegas registered
NET: Registered protocol family 1
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 116k freed
Warning: unable to open an initial console.
eth0: Configuring MAC for full duplex
Algorithmics/MIPS FPU Emulator v1.5
- preinit -
jffs2 not ready yet; using ramdisk
mini_fo: using base directory: /
mini_fo: using storage directory: /tmp/root
- init -
init started:  BusyBox v1.4.2 (2007-09-26 19:44:01 CEST) multi-call binary
Please press Enter to activate this console. device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering learning state
br-lan: topology change detected, propagating
br-lan: port 1(eth0) entering forwarding state
PPP generic driver version 2.4.2
wlan: 0.8.4.2 (svn r2568)
ath_hal: module license 'Proprietary' taints kernel.
ath_hal: 0.9.30.13 (AR5212, AR5312, RF2316, TX_DESC_SWAP)
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (svn r2568)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us
wlan: mac acl policy registered
ath_ahb: 0.9.4.5 (svn r2568)
ath_pci: switching rfkill capability off
ath_pci: switching per-packet transmit power control off
wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
wifi0: mac 11.0 phy 4.8 radio 7.0
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wifi0: Atheros 2315 WiSoC: mem=0xb0000000, irq=3
jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
jffs2_build_filesystem(): unlocking the mtd device... done.
jffs2_build_filesystem(): erasing all blocks after the end marker... done.
mini_fo: using base directory: /
mini_fo: using storage directory: /jffs
BusyBox v1.4.2 (2007-09-26 19:44:01 CEST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:/#

NOTE: If you changed RedBoot's baud rate to something different than 9600bps, revert that change unless your terminal program does auto baud detection -- OpenWrt logs to its serial console with 9600bps, so having the same baud rate in RedBoot is a good idea.

Installing openwrt with reboot via expect

First you need to have the tftp server working then you need cu , to access the serial port , expect to execute this script. once you have the files needed in the tftp dir you can exec this script (save it to a file and exec it via expect "file name") 

#!/usr/bin/expect -f
spawn cu -l /dev/ttyS0 -s 9600
#match_max 100000
set timeout 3600
# Look for passwod prompt
expect "enter ^C to abort"
send \003
# send blank line (\r) to make sure we get back to gui
expect "RedBoot>"
send -- "ip_address -h 192.168.1.13 -l 192.168.1.21/24\r"
expect "RedBoot>"
send -- "fis init\r"
expect "(y/n)? "
send -- "y\r"
expect "RedBoot>"
send -- "load -r -b %\{FREEMEMLO\} openwrt-atheros-vmlinux.lzma\r"
expect "RedBoot>"
send -- "fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7\r"
expect "RedBoot>"
send -- "load -r -b %\{FREEMEMLO\} openwrt-atheros-root.squashfs\r"
expect "RedBoot>"
send -- "fis create -l 0x006F0000 rootfs\r"
expect "RedBoot>"
send -- "reset\r"

Telnet into RedBoot

You can change the RedBoot configuration, so you can later telnet into this bootloader in order to reflash this device from there, without having serial access.

The default form of the fconfig command will force you to enter the data, change and confirm every initialized variable. To avoid reentering the Boot script data and harming unnecessary variables, run the "fconfig list" command first to look at variable names and values: 

RedBoot> fconfig -l -n
boot_script: true
boot_script_data:
.. fis load -l vmlinux.bin.l7
.. exec
boot_script_timeout: 1
bootp: false
bootp_my_gateway_ip: 0.0.0.0
bootp_my_ip: 0.0.0.0
bootp_my_ip_mask: 255.255.255.255
bootp_server_ip: 0.0.0.0
console_baud_rate: 9600
gdb_port: 9000
info_console_force: false
net_debug: false

Next change only necessary variables (using their names from the previous listing) and update the RedBoot non-volatile configuration after the last change: 

RedBoot> fconfig boot_script_timeout 10
boot_script_timeout: Setting to 10
Update RedBoot non-volatile configuration - continue (y/n)? n
RedBoot> fconfig bootp_my_ip 192.168.5.22
Update RedBoot non-volatile configuration - continue (y/n)? n
RedBoot> fconfig bootp_my_ip_mask 255.255.255.0
Update RedBoot non-volatile configuration - continue (y/n)? n
RedBoot> fconfig bootp_server_ip 192.168.5.2
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Note: The configuration is only in the RAM until you update the RedBoot non-volatile configuration. If you reset the device without updating, the configuration will not be changed. You can use changes without the update for temporary settings.

Verify the configuration by listing the aliases this time: 

RedBoot> fconfig -l
Run script at boot: true
Boot script:
.. fis load -l vmlinux.bin.l7
.. exec
Boot script timeout (1000ms resolution): 10
Use BOOTP for network configuration: false
Gateway IP address: 0.0.0.0
Local IP address: 192.168.5.22
Local IP address mask: 255.255.255.0
Default server IP address: 192.168.5.2
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false

I specified a 10 second timeout here, so I have this 10 second time frame to telnet into RedBoot. If you are not able to hit the enter-key within 10 seconds after powering up, go for a larger time frame. 

+PHY ID is 0022:5521
Ethernet eth0: MAC address xx:xx:xx:xx:xx:xx
IP: 192.168.5.22/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.5.2
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version v1.3.0 - built 16:57:58, Aug  7 2006
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Board: ap51
RAM: 0x80000000-0x81000000, [0x80040450-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 10.000 seconds - enter ^C to abort

Actually I had problems with my old BSD telnet on Slackware 11 to send a proper CTRL-C to the RedBoot console. I circumvented the problem with this small trick: 

$ echo -e "\0377\0364\0377\0375\0006" > break
$ nc -vvv 192.168.5.22 9000 < break ; telnet 192.168.5.22 9000
Warning: Inverse name lookup failed for `192.168.5.22'
192.168.5.22 9000 open
== Executing boot script in 7.420 seconds - enter ^C to abort
ÿü^C
RedBoot> ÿüExiting.
Total received bytes: 82
Total sent bytes: 6
Trying 192.168.5.22...
Connected to 192.168.5.22.
Escape character is '^]'.
RedBoot>

I have to CTRL-C abort netcat.

The CTRL-C problem seems to be caused by a disabled TELNET LINEMODE option. When you enable this option by creating a file ~/.telnetrc with the following contents: 

192.168.5.22 9000
        mode line

You can interrupt redboot with CTRL-C: 

$ arping -qf 192.168.5.22 ; telnet 192.168.5.22 9000
WARNING: interface is ignored: Operation not permitted
Trying 192.168.5.22...
?Invalid command
Connected to 192.168.5.22.
Escape character is '^]'.
== Executing boot script in 9.940 seconds - enter ^C to abort
^C
RedBoot>

The boot process is somehow signalled via the LEDs, first only the power LED is on, then the internet LED starts blinking, and when this internet LED is solid green, it is the right time to connect to the RedBoot console.

This is the point, where I disconnected the serial cable and closed the case. If the kernel is booting and SSH working, I do not need any debug-stuff in between. It is possible to unbrick the fonera with this RedBoot console, as I can always reflash to a working firmware.

Reflash the RedBoot Config from SSH...

In order to get the access to RedBoot through an ethernet cable instead of the serial console.

As we can see via 'dmesg' there is a mtd for the RedBoot config: 

<5>Creating 6 MTD partitions on "spiflash":
<5>0x00000000-0x00030000 : "RedBoot"
<5>0x00030000-0x00720000 : "rootfs"
<5>0x00730000-0x007e0000 : "vmlinux.bin.l7"
<5>0x007e0000-0x007ef000 : "FIS directory"
<5>0x007ef000-0x007f0000 : "RedBoot config"
<5>0x007f0000-0x00800000 : "board_config"

We can even dump that mtd content with 

root@OpenWrt:~# cat /dev/mtd/4ro > /tmp/redboot_config
root@OpenWrt:~# strings /tmp/redboot_config
boot_script
boot_script_data
boot_script
fis load -l vmlinux.bin.l7
exec
boot_script_timeout
boot_script
bootp
bootp_my_gateway_ip
bootp
bootp_my_ip
bootp
bootp_my_ip_mask
bootp
bootp_server_ip
console_baud_rate
gdb_port
info_console_force
info_console_number
info_console_force
net_debug

It should be possible to use such a file to reflash other foneras in order to gain RedBoot access without ever opening the case. As long as someone can gain shell access to the Fonera, he could enable RedBoot telnet access to his Fonera and fiddle around with it. With this RedBoot GDB console, you can always restore the original firmware, even if your fonera does not boot your latest Linux experiment.

This would be nice, but does not work, as the "RedBoot config" mtd partion is not writable. 

root@OpenWrt:~# mtd write /tmp/redboot_config "RedBoot config"

According to this post, you can make this partition writable, if you add in kernel/driver/mtd/mtdpart.c after line 435 

                        if (!(slave->mtd.flags & MTD_WRITEABLE)){
                        slave->mtd.flags |= MTD_WRITEABLE;
                        printk ("mtd: partition \"%s\" was read-only -- force writable -- CAMICIA HACK\n",
                                parts[i].name);
                        }

So you have to reflash the Kernel with a Kernel image, that allows writing to the RedBoot config partition and then reflash that config partition in order to gain access to the RedBoot console.

Please note that they were not writeable for a reason. Writing "RedBoot config" is probably going to reset the FIS directory because it is on the same "erase sector". This is not a major problem since with RedBoot we can easily recreate them using the command "fis init" and to install OpenWrt we must do this anyway.

This whole procedure is described here.

The basic steps are: 

root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://ipkg.k1k2.de/hack/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
root@OpenWrt:~# Connecting to ipkg.k1k2.de[85.10.200.90]:80
openwrt-ar531x-2.4-v 100% |**************************|   512 KB    00:00 ETA
root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
Unlocking vmlinux.bin.l7 ...
Erasing vmlinux.bin.l7 ...
Writing from openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma to vmlinux.bin.l7 ... [w]
root@OpenWrt:~# reboot
... wait ...
root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://ipkg.k1k2.de/hack/out.hex
root@OpenWrt:~# Connecting to ipkg.k1k2.de[85.10.200.90]:80
out.hex 100% |*******************************| 4096 00:00 ETA
root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
Unlocking RedBoot config ...
Erasing RedBoot config ...
Writing from out.hex to RedBoot config ... [w]
root@OpenWrt:~# reboot
...wait...
$ telnet 192.168.1.254 9000
RedBoot> fis init

Install The Fonera Pack (from sven-ola): FON + Mesh Network

After obtaining ssh and Redboot access, you can either use the manual install of Kamikaze described above or use sven-ola Freifunk upgrade with "EasyFlash" that does all the dirty job by itself!!

This distribution allow to create Fonera's Mesh Networks as described here 

1) Connect the Fonera to the ethernet jack. Use a cross linked cable.
2) Switch on the network card, and run update:
> sudo ifconfig eth0 up
> wget http://download.berlin.freifunk.net/fonera/ap51-flash-fonera-1.0-38
> sudo ./ap51-flash-fonera-1.0-38 eth0
  rootfs(0x006a0000) + kernel(0x00100000) + nvram(0x00000000) sums up to 0x007a0000 bytes
  Peer MAC: 00:18:84:15:53:20
  Peer IP : 192.168.1.254
  Your MAC: 00:ba:be:ca:ff:ee
  Your IP : 192.168.1.0
  Setting IP address...
  Loading rootfs...
  Sending rootfs, 4608 blocks...
  Initializing partitions...
  Rootfs partition size now 0x006b0000
  Flashing rootfs...
          Loading kernel...
  Sending kernel, 2048 blocks...
  Flashing kernel...
  Setting boot_script_data...
  Done. Restarting device...

Basic configuration

Use LAN as WAN port (with NAT)

1. Connect to the LAN port on the Fonera and configure wireless

2. Connect wirelessly to the Fonera to make sure wireless works

/!\ NOTE: before you continue make sure wireless works!

3. Reconfigure the LAN as WAN port

Remove the LAN port from the bridge 

uci del network.lan.ifname

Add a new section for the WAN interface, the WAN interface is eth0 and the WAN protocol is DHCP. 

uci set network.wan=interface
uci set network.wan.ifname=eth0
uci set network.wan.proto=dhcp

Save your changes 

uci commit network

Reread the configuration and reconfigure the network interfaces 

ifup -a && wifi
/etc/init.d/firewall restart

TIP: Now you can also configure PPPoE and QoS. See below.

PPPoE

All required packages are already installed in the default image.To configure PPPoE with UCI, do this: 

uci set network.wan.proto=pppoe
uci set network.wan.username=<pppoe_psername>
uci set network.wan.password=<pppoe_password>
uci commit network && ifup wan

QoS

Install the qos-scripts package 

ipkg install qos-scripts

Basic QoS configuration using UCI: 

uci set qos.wan.upload=192            # Upload speed in KB
uci set qos.wan.download=2048         # Download speed in KB
uci commit qos

Start QoS and enable on next boot 

/etc/init.d/qos start
/etc/init.d/qos enable

Dynamic DNS

Please see Dynamic DNS.

WiFi

This describes the WiFi configuration with the Fonera acting in plain AP mode.

Enable WiFi

uci set wireless.wifi0.disabled=0
uci commit wireless && wifi

WiFi encryption

Plese see OpenWrtDocs/KamikazeConfiguration/WiFiEncryption.

WiFi toggle

Turn WiFi on/off with the Reset button. Please see the WiFi toggle Wiki page.

List connected clients

wlanconfig ath0 list

Hardware Hacks

As with most routers, the Fonera has some gpio pins that extra hardware can be connected to. Here are 2 interesting hardware hacks :

Resources

OpenWrtDocs/Hardware/Fon/Fonera (last edited 2008-06-27 00:40:18 by HaraldGeyer)

Almost all of these pages are editable, create an account and click the edit (Edit) button at the top of the page.