La Fonera lab: Fon un-bricking howto

I've bricked my Fon twice now. That's pretty much the name of the game when you tinker. Fortunately, the Fon has redboot, and if you enabled telnet access to it (you know, BEFORE you brick it!?) you can un-brick it over the network.

Here's a log of my un-bricking session. The bold, bright green is stuff I typed in the console. Dark-green is terminal output and normal text is my commentary as I go along.

As I mentioned, I'm running a tftp server on my MacBook, with the kernel and rootfs files (you can get them here) in /private/tftpboot (the default shared folder for tftpd). For reference, I'm relying on the MacBook's MDI/MDIX auto-crossover functionality (a staple in several ethernet adapters) and using the Fon's ethernet cable connected directly to my MacBook. You may need to use a crossover cable. My MacBook's IP is for this lab.

Power on the FON, and as soon as the "Internet" light comes on, telnet to port 9000 of This is RedBoot's IP address.

$ telnet 9000

I held the return key down for quite a while (5, 10 seconds or so?) until the RedBoot prompt came up. Control C does NOT WORK! Okay, it didn't work for me. Your mileage may vary. I had a whole screen of blank lines for a while and a matching whole screen of "Executing boot script" messages to match them. I spared you from that and only showed three below..

Connected to
Escape character is '^]'.
== Executing boot script in 9.990 seconds - enter ^C to abort
== Executing boot script in 9.990 seconds - enter ^C to abort
== Executing boot script in 9.990 seconds - enter ^C to abort

UPDATE: A reader showed us the awesome redboot.pl script. See the comments of this post for a little more info.

Once in redboot, we set the ip address of the Fon's local ethernet port ( is just fine, so we'll enter that) and the tftp host for the firmware images. Again, I'm using

RedBoot> ip_address -l -h
IP:, Gateway:
Default server:
These steps download the kernel, initialize the flash and write the kernel to the Fon.

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-2.6-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80040800-0x801007ff, assumed entry at 0x80040800
RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? yes
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
... Erase from 0xa8030000-0xa80f0000: ............
... Program from 0x80040800-0x80100800 at 0xa8030000: ............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
This shows the block of free space left, we'll need these numbers to properly create the root filesystem

RedBoot> fis free
0xA80F0000 .. 0xA87E0000
Now we need some bc-foo or at least some hex math skills. We'll need the hex difference between the first and last free block. You need to do this in another window. obase=16 and ibase=16 set bc in hexadecimal mode.

$ bc
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
A87E0000 - A80F0000
(Control-D exits bc)

For me, the length of the free space is 0x006F0000. Jot yours down and make sure it's prefixed with 0x and it's 8 hex digits long (padded with zeros if need be). You'll need it in a bit to determine where to write the OpenWrt root filesystem. Now, back to the RedBoot session on the Fon:

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-2.6-root.squashfs
Using default protocol (TFTP)
Raw file loaded 0x80040800-0x801607ff, assumed entry at 0x80040800

(use the length of the free-space IN PLACE OF
0x006F0000 below if yours differs.)

fis create -l 0x006F0000 rootfs
... Erase from 0xa80f0000-0xa87e0000: ...............................................................................................................
... Program from 0x80040800-0x80160800 at 0xa80f0000: ..................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset
^] (control close-bracket escapes the telnet session)
telnet> close
Connection closed.
Wait a few minutes for the fon to boot, then you can access the actual OS with telnet. I used -lroot so that the telnet client hands the username "root" to the telnet server. By default, BSD's telnet client hands off your current username to the remote server. You may or may not need to use -lroot.

$ telnet -lroot
Connected to
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH

BusyBox v1.4.2 (2007-09-29 07:21:40 CEST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
KAMIKAZE (7.09) -----------------------------------
* 10 oz Vodka Shake well with ice and strain
* 10 oz Triple sec mixture into 10 shot glasses.
* 10 oz lime juice Salute!
Of course, you should set a root password (using the passwd command) ASAP, and probably enable wireless as below:
root@OpenWrt:/# uci set wireless.wifi0.disabled=0
root@OpenWrt:/# uci commit wireless && wifi

So now all the fun stuff I've done to my Fon (I'm calling it The Patriot for its ability to wreak Surface-To-Air Carnage) are un-done. Fortunately I have most of it backed up.

blog comments powered by Disqus