Archive

Posts Tagged ‘hack’

Linux Based Zsun WiFi Card Reader Has Been Hacked Too…

July 13th, 2015 16 comments

A little while ago, I purchased a Zsun SD111 Wi-Fi USB flash drive, and after several attempts, I finally found a way to access the device’s serial console. Since then the company announced another wireless storage device with Zsun Wi-Fi card reader, and Zoobab decided to try to hack it too.

Since the device is pretty hard to open without damaging the enclosure, connecting the serial pins was not really an option, and the first exploit was to input shell commands in the web interface SSID field… For example, entering `reboot` there would indeed reboot the device.

However, this would still not allow full shell access, and finally after a broader port scan, it was found that TCP port 11880 was open for a telnet daemon. You can then access the shell as root with the same password as SD111: “zsun1188”. For some reason, telnet can’t work with the device, and socat must be used instead.

zoobab@zoobab /Users/zoobab [9]$ socat - TCP4:10.168.168.1:11880
������!����
(none) login: root
root
Password: zsun1188

Welcome to
         -------      |            /    /--/        ___      |
          /           |           /|     \/        _____   --|--|
         /_____\      |---       --|--   //--/      /        /  |
          __|__       |           /|\    / \/      /___\    /   |
         ___|___   ___|____      / | \     /               /   \|
                        深圳至上移动科技有限公司
                        Shenzhen Zsun Cloud Technology Co., LTD.
                        www.zsuncloud.com

BusyBox v1.01 (2014.12.27-02:50+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ #

That’s it, you now have full access to this small and inexpensive Linux device powered by Atheros AR9331 SoC with 32MB RAM and 16MB flash, plus up to 64GB storage on micro SD card.

Thanks to Zoobab for his work.
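
For anyone writing the web interface side of such a device, here is an added example (not from the original post, and not the Zsun firmware's code, which the post does not show) of how an SSID field ends up executing commands and how to handle it safely. The handler names are hypothetical and `echo set-ssid` stands in for the real Wi-Fi configuration command.

```python
import subprocess

MAX_SSID_BYTES = 32  # an 802.11 SSID is at most 32 octets


def apply_ssid_vulnerable(ssid):
    """Hypothetical handler: the form value is concatenated into a shell line."""
    # 'echo set-ssid' is an assumed stand-in for the device's real command.
    line = "echo set-ssid " + ssid
    return subprocess.run(["sh", "-c", line], capture_output=True, text=True).stdout


def validate_ssid(ssid):
    """Reject values that cannot be a legitimate SSID before they go anywhere."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= MAX_SSID_BYTES:
        raise ValueError("SSID must be 1 to 32 bytes")
    if any(b < 0x20 or b == 0x7F for b in raw):
        raise ValueError("SSID contains control characters")
    return ssid


def apply_ssid_hardened(ssid):
    """Same action, but the value travels as one argv element and no shell runs."""
    argv = ["echo", "set-ssid", validate_ssid(ssid)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    probe = "`echo INJECTED`"  # constructed, harmless command substitution
    print("vulnerable:", apply_ssid_vulnerable(probe).strip())
    print("hardened:  ", apply_ssid_hardened(probe).strip())
    for bad in ("", "x" * 33, "home\nnet"):
        try:
            validate_ssid(bad)
        except ValueError as err:
            print("rejected:", repr(bad[:10]), "->", err)
```

In the vulnerable handler the shell evaluates the field before the command sees it; in the hardened one the same bytes are stored as the literal network name.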


Connect a 9.7″ Retina Display (iPAD 3/4) to Your Computer via a DisplayPort Adapter

March 31st, 2015 7 comments

One way to connect an extra Retina (2048×1536) display to your computer is to purchase Adafruit Qualia 9.7″ DisplayPort Monitor for $224.95. But in case your budget is limited, you could combine an old iPAD 3/4 display with AbuseMark 2048×1536 LCD to DisplayPort Adapter for 3,500 JPY ($29 US). If you don’t have an old iPAD, or would rather not dismantle your “old”-but-still-useful iPAD, you could purchase LG LP097QX1-SPC1/2, LG LP097QX1-SPA1/2/V, or Samsung LTL097QL01-W01 LCD panels instead for about $80 on Amazon US (LP097QX1 / LTL097QL01). If you live in Japan, AbuseMark also ships a complete kit for 12,000 JPY.


Key features listed for the board:

  • Video Input – DisplayPort
  • Display Connector – 51-pin 0.3mm pitch FPC connector
  • STM32F103CB 32-bit Cortex M3 MCU with native USB for firmware update and power/brightness/etc control
  • Dual TI TPS61187 WLED drivers
  • Power – USB or 5V-powered (separate connector) / 1.35A total current draw.
  • Buck DC/DC converter for panel power
  • Dimmable/controllable RGB LED
  • One push button (power + overloaded function on long press)
  • Firmware upgrade over USB (DFU)
  • Dimensions – 80x40mm

Board Connected to 9.7″ Display

If you’d like to do something a little more challenging, you could also create your own simpler RetinaDP adapter board using Eagle or KiCAD board design files made by EmerytHacks a few years ago. I’ve also been looking for Retina to HDMI adapter boards, but could not find any…

Thanks to Michaël for the tip.


Categories: Hardware Tags: display, displayport, hack, ipad, recycle

A5-V11 Mini Router Runs OpenWRT (Linux) For Just $8

March 29th, 2015 14 comments

In case you still think the OpenWRT capable NEXX WT1520 router is too expensive at $15, what about an $8 OpenWRT router? That’s what LY mini wireless router costs including shipping, and it’s better known as A5-V11, the name of its PCB.

It’s not exactly a 3G/4G router as the casing implied, but it does support external USB 3G/4G dongles like most other routers with USB on the market.

A5-V11 specifications:

  • SoC – Mediatek/Ralink RT5350F MIPS processor @ 360MHz
  • System Memory – 32MB RAM (W9825G6EH-75). Some people reported theirs only has 16MB RAM, so YMMV.
  • Storage – 4MB NAND flash (Pm25LQ032)
  • Connectivity – Wi-Fi 802.11b/g/n up to 150 Mbps; 1x 10/100M Ethernet
  • USB – 1x USB 2.0 host port, 1x micro USB port for power
  • Misc – Power LED, factory reset pinhole
  • Power – 5V via micro USB port
  • Dimensions –  6.1 x 2.3 x 1.4 cm

Contrary to WT1520, A5-V11 is already part of OpenWRT trunk, but the firmware image is not automatically built yet. Full details can be found on OpenWRT Wiki. If you connect a serial board, you may have to add a 470 Ohm to 1 KOhm resistor to the Rx pin to prevent the board from hanging at boot time.

The router can be purchased on Aliexpress for $8.25 including shipping, DealExtreme for $10.86 (with 32MB RAM), or Ebay for $8.72. It might be on other websites too, but since it’s an OEM product without clear branding it may be difficult to find.

Thanks to Maurer for the tip.


$15 NEXX WT1520 Wi-Fi Router Supports OpenWRT

March 29th, 2015 15 comments

TP-Link WR703N is a popular low cost router well supported by OpenWRT that costs about $23 shipped. But there’s now a new cheaper router that’s been mentioned in comments on CNX Software a few times, with a different processor, but otherwise similar specs plus an extra Ethernet port. NEXX WT1520 is powered by Mediatek RT5350F, sells for $15 including shipping from sites like Banggood, Aliexpress and eBay, and can run OpenWRT, although it’s not officially supported yet.

NEXX WT1520(F/H) specifications:

  • SoC – Mediatek (previously Ralink) RT5350F MIPS processor @ 360MHz
  • System Memory – 32MB RAM
  • Storage – 4MB NAND flash
  • Connectivity:
    • Wi-Fi 802.11b/g/n up to 150 Mbps with built-in PIFA antenna
    • 2x 10/100M Ethernet (LAN and WAN)
  • USB – 1x USB 2.0 host port, 1x micro USB port for power
  • Misc – Status LED, reset pinhole, power button
  • Power – 5V via micro USB port
  • Dimensions –  63 x 43 x 17mm
  • Operating temperature – 0 – 40 °C

Some shops call the router WT1520F, while others WT1520H, or even just WT1520, and I’m not sure if there are differences between the two or three models. The router has already been torn down, and serial port connected as shown in the picture below (Source: OpenWRT Wiki).

WT1520 Board with Serial Connection (Click to Enlarge)

GPIOs do not seem to be easily accessible, so in case you need I/Os or/and an even smaller form factor, you’d probably be better off with something like Vocore + Dock that currently sells for $45 with a serial board, as well as a larger NAND flash.

[Update: WT1520 big brother WT3020 based on Mediatek MT7620 seems to be more popular, sells for $17, and also officially supports OpenWRT]


Zsun SD111 Is Now “Officially” an Hackable Wireless Flash Drive

November 16th, 2014 15 comments

Zsun SD11x are Wi-Fi flash drives with 8 to 128 GB eMMC, an alternative to Sandisk or Kingston models. Yesterday, I soldered the UART pins to Zsun SD111 (8GB) flash drive to access the serial console, but I did not manage to enter the terminal as it was password-protected. I posted my results anyway, as I was convinced I would get some clever ideas from my readers, some of which appeared to be a little time consuming, but Zoobab offered a simple solution that consisted of changing the boot parameters, by replacing /sbin/init by /bin/sh.


The first step is to interrupt the boot by pressing space or another key, in order to access U-Boot.
Now we can check the U-Boot environment:

ar7240> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f6B0000
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=10.168.168.1
serverip=10.168.168.10
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 361/65532 bytes

Let’s keep everything the same, except the init, which can be modified with the command below:

ar7240> setenv bootargs console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/bin/sh mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)

Let’s start Linux:

ar7240> boot

It will end with:

ar7240wdt_init: Registering WDT success
VFS: Mounted root (jffs2 filesystem) on device 31:2.
Freeing unused kernel memory: 128k freed


BusyBox v1.01 (2014.06.20-01:25+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
/ #

Perfect! We’ve got access to the command line. Let’s have look at the users:

~ # cat /etc/passwd 
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

If we look at the shadow file, only root and Admin have a password, so you could login with user ap71 without password for example, but that’s not too useful since you would not have root access. So I simply changed the root password with the passwd command, which lets me access the board via the UART console or telnet.
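
An added example (not part of the original post): a small Python audit of the account files for the weaknesses visible above, namely a second UID 0 account, non-root users in the root group, and shell accounts that need no password. The passwd lines are those listed in the post; the shadow contents are constructed to match the statement that only root and Admin have a password, and the function names are my own.

```python
"""Audit passwd/shadow contents pulled from a device root filesystem."""

# /etc/passwd as listed in the post.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
"""

# CONSTRUCTED shadow file: the post only says root and Admin have a password.
# The hash is a placeholder, not a real value from the device.
SHADOW = "".join(
    [f"{u}:$1$CONSTRUCTED$placeholder:0:0:99999:7:::\n" for u in ("root", "Admin")]
    + [f"{u}::0:0:99999:7:::\n" for u in ("bin", "daemon", "adm", "lp", "sync",
       "shutdown", "halt", "uucp", "operator", "nobody", "ap71")])

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash"}


def parse(text, nfields):
    """Split colon-separated records, skipping blanks, comments and short lines."""
    rows = [line.strip().split(":") for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    return [r for r in rows if len(r) >= nfields]


def password_state(pw_field, shadow_field):
    """Classify an account as 'empty', 'locked' or 'set'."""
    field = shadow_field if pw_field == "x" else pw_field
    if field is None or field.startswith(("!", "*")):
        return "locked"  # no usable shadow entry, or an explicitly locked one
    return "empty" if field == "" else "set"


def audit_accounts(passwd_text, shadow_text):
    """Return account names grouped by the weakness they exhibit."""
    shadow = {r[0]: r[1] for r in parse(shadow_text, 2)}
    findings = {"extra_uid0": [], "root_group": [], "no_password_login": []}
    for row in parse(passwd_text, 7):
        name, pw, uid, gid, shell = row[0], row[1], row[2], row[3], row[6]
        if not (uid.isdigit() and gid.isdigit()):
            continue  # malformed record, nothing reliable to report
        if int(uid) == 0 and name != "root":
            findings["extra_uid0"].append(name)
        if int(uid) != 0 and int(gid) == 0:
            findings["root_group"].append(name)
        if password_state(pw, shadow.get(name)) == "empty" and shell in INTERACTIVE_SHELLS:
            findings["no_password_login"].append(name)
    return findings


if __name__ == "__main__":
    for check, names in audit_accounts(PASSWD, SHADOW).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Run against a rootfs extracted from a firmware image, the same function works on the real files by passing their contents instead of the embedded samples.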

I’ve run some commands to find out more about the system.

~ # uname -a
Linux (none) 2.6.31--LSDK-9.2.0_U11.14 #1 Wed Aug 6 13:13:40 HKT 2014 mips unknown
~ # df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 6.6M      5.8M    796.0k  88% /
/dev/sda1                 7.4G     18.8M      7.4G   0% /etc/disk
~ # cat /proc/cpuinfo
system type             : Atheros AR9330 (Hornet)
processor               : 0
cpu model               : MIPS 24Kc V7.4
BogoMIPS                : 266.24
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0943, 0x0650]
ASEs implemented        : mips16
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

~ # busybox
BusyBox v1.01 (2014.06.20-01:25+0000) multi-call binary

Usage: busybox [function] [arguments]...
or: [function] [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable.  Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as!

Currently defined functions:
[, arping, ash, awk, brctl, busybox, cat, chgrp, chmod, cp, cut,
date, dd, df, dirname, dmesg, du, echo, egrep, env, ethdebug,
ethreg, expr, factoryreset, false, fgrep, find, getty, grep, httpd,
id, ifconfig, init, insmod, iproute, kill, killall, linuxrc, ln,
login, ls, lsmod, md, md5sum, mkdir, mknod, mktemp, mm, modprobe,
more, mount, mv, passwd, ping, ps, pwd, reboot, rm, rmdir, rmmod,
route, sed, sh, sleep, strings, su, sync, tail, tar, telnet, telnetd,
test, tftp, touch, true, tty, udhcpc, udhcpd, umount, uname, vconfig,
vi, wc, xargs

~ #

The Linux kernel contains the string “LSDK-9.2.0” which appears to be an SDK for Atheros AR93XX, and can be downloaded here (I have not tried/verified the download). So the device is not running OpenWRT. Since telnet is not exactly secure, if you want to access the device over the network, you should probably install dropbear. There’s only 796 KB left on the SPI flash, so what you can do is probably limited, although it might be possible to delete unused files to get extra space. Have fun!


$25 GL.iNet 6416A is an Hackable OpenWRT Router with Easy UART and GPIO Access

August 25th, 2014 6 comments

There are plenty of low cost routers supporting OpenWRT, but GL.iNet 6416A has several advantages compared to devices like TP-Link WR703N. Both are based on Atheros AR9331, but the GL.iNet router has more memory and storage (64MB RAM + 16MB Flash vs 32MB RAM + 4MB Flash), two Ethernet ports instead of just one, and 6 GPIOs, the serial pins, and power signals (5V, 3.3V and GND) are all easily accessible via through holes or headers. GL.iNet 6416A can be purchased for about $25 on DealExtreme or Amazon US, and it used to be listed on eBay, but is now out of stock.

GL.iNet 6416A specifications:

  • Wi-Fi SoC – Atheros AR9331 MIPS processor @ 400 MHz
  • System Memory – 64MB RAM
  • Storage – 16MB Flash
  • Connectivity – 2x 10/100 Mbit Ethernet ports, 802.11 b/g/n Wi-Fi up to 150Mbps
  • USB – 1x USB 2.0 port, 1x micro USB port for power
  • Debugging – Serial console via UART header (GND, Tx, Rx)
  • Expansion – 6 GPIOs, 5V, 3.3V, and GND.
  • Misc – Reset button, LED indicator
  • Power – 5V (micro USB)
  • Dimension – 5.8 x 5.8 x 2.2 cm
  • Weight 42 grams.

The device is also said to support USB webcams (MJPG or YUV), and USB mass storage with FAT32, EXFAT, EXT-2/3/4, and NTFS file systems using the stock firmware. There are also Android and iOS apps to manage the router.


GL.iNet 6416A Board Description – Source: Stian Eikeland

6416A router, and its little brother, 6408A, with 8 MB flash, are now part of mainline OpenWRT. You can also follow news and access short tutorials for the board on GL.iNet website, and check out the product page.

Thanks to Nanik for the tip.


Kankun KK-SP3 Wi-Fi Smart Socket Hacked, Based on Atheros AR9331, Running OpenWRT

July 28th, 2014 9 comments

Kankun KK-SP3 is a $20 Wi-Fi smart socket that can be controlled via iOS and Android app. But one person created a Kankun community on Google+ to try to hack the device and control it from a PC, or from outside the home network for example. Up to now, the device has been opened, found to run OpenWRT, and one of the members wrote a Windows app to control the socket from a PC. It is a basic smart socket, without power monitoring capabilities, and unless you start hacking the hardware, all you can do is basically turn it on and off.

Kankun KK-SP3 Board (Click to Enlarge)

The device is based on Qualcomm Atheros AR9331, found in many low cost routers supporting OpenWRT, and the socket indeed runs OpenWRT, which you can access via SSH or Telnet (username/password: root/admin). There’s 32MB RAM (Winbond W9425G6JH), and a 10A OMRON relay.


SmartPlug Windows App

The smart socket actually communicates with the mobile app using the UDP protocol, but communication appears to be encrypted. So instead of trying to reverse-engineer the protocol, one member (Konstantin) found the relay was controlled by one of the LED GPIO, and provided instructions to access the device from the outside using a CGI file he built (relay.cgi) to control the relay.

Building on relay.cgi, another member released SmartPlug.exe, a Windows program to control the socket from a PC. There are also more tips on the community such as instructions to access it from the Internet. Since routers based on Atheros AR9331 are quite popular, there are many instructions on the web, and you can find various ways to improve the functionality of the device, for example by adding a USB port.

If you want to play around, the plug can be found on Aliexpress for as low as $19.99 including shipping, and if you live in China or use forwarding services, it’s available on Taobao for 99 RMB ($16). A new version, Smart Plug 2 (K2), appears to be in the works, with Wi-Fi and RF support, and two USB ports for motion sensing, camera, weather, and light sensor modules. I’ll cover it in another post, if I can find more information.


The World’s Cheapest Linux Computer? Pogoplug Mobile Now Sells for $7

July 19th, 2014 15 comments

Somebody asked “Anyone knows a computer cheaper than a Raspberry Pi with a network interface?” on Google+ mini PCs community. Some OpenWRT routers such as TPLink WR703N selling for about $20, or the VoCore Wi-Fi module selling for about the same price (Wi-Fi only) were parts of the answers, and I also mentioned some HDMI TV dongles that now sell for around $35, which is still a little cheaper than the Raspberry Pi model B when one considers shipping. But I found the answer by dhead666 particularly interesting:

Pogoplug Mobile goes for 7$ on Amazon and that includes psu and network cable.
It runs Linux great (I’m using Arch) but you will want to have a ttl-usb cable and soldering iron available in case you manage to mess u-boot (go to the doozan’s forums for more info about the u-boot).

Let’s have a look.

Pogoplug Mobile is not a new device, as I wrote about it as far back as 2011, but it was certainly not selling for $7 at the time.

Pogoplug Mobile has the following specifications:

  • Processor – Marvell Kirkwood 88F6192 ARMv5TE compliant processor @ 800 MHz
  • System Memory – 128 MB RAM
  • Storage – 128 MB NAND + SD card slot
  • Connectivity – Gigabit Ethernet
  • USB – 1x USB 2.0 host port

You can find a review of the device, including board and device pictures, on SmallnetBuilder. The product is sold as a backup device connected to a cloud service, but as we’ll see below, you can also install Arch Linux ARM. There are also other Pogoplug models with USB 3.0 and SATA II, but obviously they cost more.


What about the $7 claim? Pogoplug Mobile can indeed be found on Amazon for about $7, and it’s actually one of the best selling items in the NAS category. I’ve also looked for other models with SATA and USB 3.0, and got the following price list

If Amazon US won’t ship to your country, it’s also available on Ebay, but you’ll have to shop around as shipping costs may be prohibitive…

Even at $7, it’s not really a Raspberry Pi killer, as there’s no video output, and it does not seem you have easy access to GPIOs. Yet for headless non-embedded applications it certainly looks interesting, especially for storage applications, as it provides Gigabit Ethernet, which should be much faster than the 10/100M Ethernet via USB you get with the Raspberry Pi, and it’s a very cheap way to connect any USB hard drive to the network. At this price it’s almost like they sell you the Ethernet cable and power supply, and give you the device for free. The Series 4 are also cost effective if you want SATA, more USB ports, and extra performance with USB 3.0.

To say the least the reviews on Amazon are mixed, with many people saying the device does not work as expected, and they lost their files. Luckily the Pogoplugs are hackable, and instructions to run Arch Linux ARM from SD card are indeed available for Pogoplug Mobile and Pogoplug Series v4, and somebody also managed to boot Debian. There are various instructions from people who played with this extra cheap device on the net.
