Zsun SD111 Wi-Fi Flash Drive Hacking Tentative

Two days ago, I reviewed Zsun SD111 a 8GB Wi-Fi flash drive based on Atheros AR9331, and I discovered the telnet port was open, but I could not access it because none of the standard username and password combinations (root/root, admin/admin, root/admin, etc…) would work, which is actually a good thing. However, as I opened the stick, the serial pins were clearly marked, so today I’ve soldered some Dupont wires to access the serial console.

[Image: Zsun SD111 UART pins]

In order to open the stick, you need a rigid, sharp object to push the top cover out through the neck strap hole, as shown below, and another tool (mine looks similar to a scalpel) to help pop the cover up.

[Image: Zsun SD111 open enclosure]

Then I connected the three wires to a USB to TTL debug board, connected it to my PC, started minicom (115200 8N1), and pressed the power button. I could see the U-Boot 1.1.4 message, so it seemed to be working, but unfortunately the boot ended with:


So I was unable to login…

I’ve included the full boot log for reference below:

U-Boot 1.1.4 (Apr  4 2014 - 18:04:53)

AP121 (ar9331) U-boot

DRAM:  32 0
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 139k for U-Boot at: 81fdc000
Reserving 192k for malloc() at: 81fac000
Reserving 44 Bytes for Board Info at: 81fabfd4
Reserving 36 Bytes for Global Data at: 81fabfb0
Reserving 128k for boot params() at: 81f8bfb0
Stack Pointer at: 81f8bf98
Now running in RAM - U-Boot at: 81fdc000
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x17
flash size 8388608, sector count = 128
Flash: 8 0
8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize…
Fetching MAC Address from 0x81ff4128
Fetching MAC Address from 0x81ff4128
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:11:56:48
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:11:56:49
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
eth1 up
eth0, eth1
Hit any key to stop autoboot:  0
## Booting image at 9f6b0000 …
Image Name:   Linux Kernel Image
Created:      2014-06-20   1:24:58 UTC
Image Type:   MIPS Linux Kernel Image (lzma compressed)
Data Size:    1057231 Bytes = 1 0
1 MB
Load Address: 80002000
Entry Point:  802306f0
Verifying Checksum at 0x9f6b0040 …OK
Uncompressing Kernel Image … OK
No initrd
## Transferring control to Linux (at address 802306f0) …
## Giving linux memsize in bytes, 33554432

Starting kernel …

深圳至上移动科技有限公司
Shenzhen Zsun Cloud Technology Co.,Ltd.
Shenzhen Zhishang Yidong Keji Youxian Gongsi
www.zsuncloud.com
Linux version 2.6.31-LSDK-9.2.0_U11.14 ([email protected]) (gcc version 4.3.3 (4
flash_size passed from bootloader = 8
arg 1: console=ttyS0,115200
arg 2: root=31:02
arg 3: rootfstype=jffs2
arg 4: rw
arg 5: init=/sbin/init
arg 6: mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uIm)
arg 7: mem=32M
CPU revision is: 00019374 (MIPS 24Kc)
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 29364k/32768k available (2248k kernel code, 3404k reserved, 644k data, )
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop… 266.24 BogoMIPS (lpj=532480)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
===== ar7240_platform_init: 0
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
AR7240 GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
NTFS driver 2.1.29 [Flags: R/W DEBUG].
JFFS2 version 2.2 (NAND) (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
fuse init (API version 7.12)
msgmni has been set to 57
alg: No test for lzma (lzma-generic)
alg: No test for stdrng (krng)
io scheduler noop registered (default)
gpio: ath-gpio module inited!
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
ttyS0: detected caps 00000000 should be 00000100
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V1.0
6 cmdlinepart partitions found on MTD device ar7240-nor0
Creating 6 MTD partitions on "ar7240-nor0":
0x000000000000-0x000000010000 : "u-boot"
0x000000010000-0x000000020000 : "u-boot-env"
0x000000020000-0x0000006b0000 : "rootfs"
0x0000006b0000-0x0000007e0000 : "uImage"
0x0000007e0000-0x0000007f0000 : "NVRAM"
0x0000007f0000-0x000000800000 : "ART"
usbmon: debugfs is not available
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
option: v0.7.2:USB Driver for GSM modems
nf_conntrack version 0.5.0 (512 buckets, 2048 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
ClusterIP Version 0.8 loaded successfully
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 17
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>
All bugs added by David S. Miller <[email protected]>
arch/mips/ar7240/gpio.c (ar7240_simple_config_init) AP_RESET_GPIO: 12
arch/mips/ar7240/gpio.c (ar7240_simple_config_init) JUMPSTART_GPIO: 11
ar7240wdt_init: Registering WDT success
VFS: Mounted root (jffs2 filesystem) on device 31:2.
Freeing unused kernel memory: 128k freed
init started:  BusyBox v1.01 (2014.06.20-01:25+0000) multi-call binary
init started:  BusyBox v1.01 (2014.06.20-01:25+0000) multi-call binary
Starting pid 152, console /dev/ttyS0: '/etc/rc.d/rcS'
Welcome to
-------      |            /    /--/        ___      |
/           |           /|     \/        _____   --|--|
/_____\      |---       --|--   //--/      /        /  |
__|__       |           /|\    / \/      /___\    /   |
___|___   ___|____      / | \     /               /   \|
深圳至上移动科技有限公司
Shenzhen Zsun Cloud Technology Co., LTD.
www.zsuncloud.com
ATHR_GMAC: Length per segment 1536
ATHR_GMAC: fifo cfg 3 01f00140
ATHR_GMAC: Mac address for unit 0:bf7f0000
ATHR_GMAC: 00:03:7f:11:56:48
ATHR_GMAC: Max segments per packet :   1
ATHR_GMAC: Max tx descriptor count :   40
ATHR_GMAC: Max rx descriptor count :   252
ATHR_GMAC: Mac capability flags    :   4403
ATHR_GMAC: Mac address for unit 1:bf7f0006
ATHR_GMAC: 00:03:7f:11:56:49
ATHR_GMAC: Max segments per packet :   1
ATHR_GMAC: Max tx descriptor count :   40
ATHR_GMAC: Max rx descriptor count :   96
ATHR_GMAC: Mac capability flags    :   4D83
athr_gmac_ring_alloc Allocated 640 at 0x81d5fc00
athr_gmac_ring_alloc Allocated 4032 at 0x81d36000
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY…
athr_gmac_ring_alloc Allocated 640 at 0x81d5f800
athr_gmac_ring_alloc Allocated 1536 at 0x81d4d800
ATHRS26: resetting s26
ATHRS26: s26 reset done
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY…
device eth0 entered promiscuous mode
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004
ar7240-ehci ar7240-ehci.0: ATH EHCI
ar7240-ehci ar7240-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000
ar7240-ehci ar7240-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000
ar7240-ehci ar7240-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: ATH EHCI
usb usb1: Manufacturer: Linux 2.6.31-LSDK-9.2.0_U11.14 ehci_hcd
usb usb1: SerialNumber: platform
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing USB Mass Storage driver…
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
rm: cannot remove `/var/log.*': No such file or directory
**** drop_caches_sysctl_handler: all done timer added …****
usb 1-1: new high speed USB device using ar7240-ehci and address 2
Starting pid 373, console /dev/tasf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
usb 1-1: New USB device found, idVendor=0424, idProduct=2240
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: Ultra Fast Media
usb 1-1: Manufacturer: Generic
usb 1-1: SerialNumber: 000000225001
usb 1-1: configuration #1 chosen from 1 choice
scsi0 : SCSI emulation for USB Mass Storage devices
ath_hal: 0.9.17.1 (AR9380, DEBUG, REGOPS_FUNC, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Righd
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reservd

(none) mips #56 Tath_ahb: 9.2.0_U11.14 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
hu Jun 19 15:45:22 HKT 2014 (none)
(none) login: Bootstrap clock 25MHz
ar9300RadioAttach: Need analog access recipe!!
Restoring Cal data from Flash
Using Cal data from Flash 0xbf7f0000
ath_get_caps[5184] rx chainmask mismatch actual 1 sc_chainmak 0
ath_get_caps[5159] tx chainmask mismatch actual 1 sc_chainmak 0
SC Callback Registration for wifi0
wifi0: Atheros 9380: mem=0xb8100000, irq=2
wlan_vap_create : enter. devhandle=0x81ff02c0, opmode=IEEE80211_M_HOSTAP, flags1
wlan_vap_create : exit. devhandle=0x81ff02c0, opmode=IEEE80211_M_HOSTAP, flags=.
device ath0 entered promiscuous mode
br0: port 2(ath0) entering forwarding state
scsi 0:0:0:0: Direct-Access     Generic  Ultra HS-COMBO   1.98 PQ: 0 ANSI: 0
sd 0:0:0:0: [sda] 15630336 512-byte logical blocks: (8.00 GB/7.45 GiB)
sd 0:0:0:0: [sda] Write Protect is off
sd 0:0:0:0: [sda] Assuming drive cache: write through
sd 0:0:0:0: [sda] Assuming drive cache: write through
sda:
sda1
sd 0:0:0:0: [sda] Assuming drive cache: write through
sd 0:0:0:0: [sda] Attached SCSI removable disk

(none) mips #56 Thu Jun 19 15:45:22 HKT 2014 (none)
(none) login:
(none) mips #56 Thu Jun 19 15:45:22 HKT 2014 (none)
(none) login: root
Password:
Login incorrect
(none) login:
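The most useful security information in the log above is the flash map: the six MTD partition lines tell you where the bootloader, its environment, the writable JFFS2 root file system, the kernel and the calibration data (ART) live on the 8 MB SPI flash, and several addresses printed elsewhere in the log (the U-Boot "Booting image at 9f6b0000", the "Using Cal data from Flash 0xbf7f0000") can be cross-checked against it. The following Python script is an added example, not code from the original post: it parses the kernel's partition lines and the mtdparts= argument, checks that the two agree and that the map covers the chip without gaps or overlaps, and maps a MIPS KSEG0/KSEG1 address from the log to the partition it falls in. The mtdparts string is cut off in the log after "1216k(uIm", so its last two entries are filled in here from the partition lines and are an assumption; the flash window base 0x1f000000 is the AR9331's SPI flash mapping.

```python
import re

# Constructed sample: the "Creating 6 MTD partitions" block as the kernel printed it in
# the boot log above (straight quotes instead of the blog's typographic ones).
MTD_LOG = """\
6 cmdlinepart partitions found on MTD device ar7240-nor0
Creating 6 MTD partitions on "ar7240-nor0":
0x000000000000-0x000000010000 : "u-boot"
0x000000010000-0x000000020000 : "u-boot-env"
0x000000020000-0x0000006b0000 : "rootfs"
0x0000006b0000-0x0000007e0000 : "uImage"
0x0000007e0000-0x0000007f0000 : "NVRAM"
0x0000007f0000-0x000000800000 : "ART"
"""

# The mtdparts= argument as U-Boot passes it to the kernel. The log line is cut off after
# "1216k(uIm", so the last two entries are an assumption, filled in from the lines above.
MTDPARTS = ("ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),"
            "1216k(uImage),64k(NVRAM),64k(ART)")

FLASH_SIZE = 8388608          # "flash size 8388608" reported by U-Boot (8 MiB)
FLASH_PHYS_BASE = 0x1F000000  # physical address of the SPI flash window on the AR9331
UNIT = {"k": 1024, "m": 1024 * 1024, "": 1}
PART_RE = re.compile(r'^(0x[0-9a-f]+)-(0x[0-9a-f]+)\s*:\s*"([^"]+)"', re.M)


def parse_mtd_log(text):
    """Return [(name, start, end)] from the kernel's partition-creation lines."""
    return [(name, int(start, 16), int(end, 16))
            for start, end, name in PART_RE.findall(text)]


def parse_mtdparts(arg):
    """Expand mtdparts=<dev>:<size>(<name>),... into (dev, [(name, start, end)])."""
    dev, spec = arg.split(":", 1)
    parts, offset = [], 0
    for m in re.finditer(r"(\d+)([km]?)\(([^)]+)\)", spec):
        size = int(m.group(1)) * UNIT[m.group(2)]
        parts.append((m.group(3), offset, offset + size))
        offset += size
    return dev, parts


def check_layout(parts, flash_size):
    """Return a list of problems (gaps, overlaps, empty entries, or a map that does not
    cover the whole chip). An empty list means the layout is consistent."""
    problems, expected = [], 0
    for name, start, end in parts:
        if start != expected:
            problems.append(f"{name}: starts at {start:#x}, expected {expected:#x}")
        if end <= start:
            problems.append(f"{name}: empty or negative size")
        expected = end
    if expected != flash_size:
        problems.append(f"map ends at {expected:#x}, flash size is {flash_size:#x}")
    return problems


def partition_for(parts, addr):
    """Map a MIPS KSEG0/KSEG1 address printed in the log (e.g. 0x9f6b0000) to the flash
    partition it falls in, or None if it is outside the flash window (e.g. in RAM)."""
    offset = (addr & 0x1FFFFFFF) - FLASH_PHYS_BASE   # strip the KSEG prefix, then rebase
    if offset < 0:
        return None
    for name, start, end in parts:
        if start <= offset < end:
            return name
    return None


if __name__ == "__main__":
    parts = parse_mtd_log(MTD_LOG)
    dev, from_cmdline = parse_mtdparts(MTDPARTS)
    print("kernel map matches mtdparts:", parts == from_cmdline)
    print("layout problems:", check_layout(parts, FLASH_SIZE) or "none")
    # Addresses taken from the log: the kernel image U-Boot booted, the calibration data,
    # and the RAM location U-Boot read the MAC address from.
    for addr in (0x9F6B0000, 0xBF7F0000, 0x81FF4128):
        print(f"{addr:#x} -> {partition_for(parts, addr)}")
```

Two things fall out of the cross-check: 0x9f6b0000 lands in "uImage" and 0xbf7f0000 in "ART", so the log is internally consistent, while 0x81ff4128 is RAM, not flash. The map also shows that the root file system is a 6720k JFFS2 partition mounted read-write (root=31:02, rw), so any change made to it at runtime persists across reboots.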

In order to disable the serial console login prompt, we may need to edit /etc/inittab and comment out the login line in favour of something like /bin/ash --login. If we added an Ethernet connection, it might be possible to enter U-Boot, boot another AR9331 firmware over TFTP, and edit the file, but since there is no Wi-Fi in U-Boot this is not an option.

However, I noticed that a new firmware was available via the Apple Extender Android app, so I started "Shark for Root" on my phone to capture the packets with tcpdump into files called shark_dump_xxxxxxxx.pcap, which can then be opened in Wireshark on a computer, and found the link to the firmware SD111-FW-V3.6.tar.gz.

[Image: Zsun SD111 firmware files]

The file contains a bunch of kernel drivers, scripts, config files, and the kernel (uImage), but I could not find any root file system in it. You can also download earlier versions of the firmware (V3.4, V3.0, etc.) by changing the version number in the link. The Android app itself stores its configuration files and libraries in the /data/data/com.wltx.mycloudclient directory on the phone.
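When an update package like SD111-FW-V3.6.tar.gz turns up in a capture, the first defensive question is what it contains and how the device is meant to check it (Paul's comment below notes a "config" directory with a manifest and md5 sums). The Python script below is an added example, not the vendor's code or the original post's: it builds a small constructed stand-in for the tarball in memory, classifies each member by its leading bytes (the U-Boot uImage magic 0x27051956, the ELF magic, a "#!" script header) and verifies every file against an assumed "md5  path" manifest at config/manifest, reporting files that are missing from it or whose digest differs. The manifest name and layout are assumptions; the member contents are dummies.

```python
import hashlib
import io
import tarfile

UIMAGE_MAGIC = b"\x27\x05\x19\x56"   # magic of a U-Boot legacy image header (uImage)
MANIFEST_NAME = "config/manifest"    # assumed location and name of the md5 manifest


def build_sample_package(tamper=False):
    """Constructed stand-in for SD111-FW-V3.6.tar.gz: a start-up script, a kernel module
    and a kernel image, plus a manifest of "md5  path" lines (assumed format)."""
    files = {
        "rcS": b"#!/bin/sh\n# start-up script\n",
        "modules/ath_hal.ko": b"\x7fELF" + bytes(28),
        "uImage": UIMAGE_MAGIC + bytes(60) + b"lzma-compressed-kernel",
    }
    manifest = "".join(f"{hashlib.md5(data).hexdigest()}  {name}\n"
                       for name, data in files.items())
    if tamper:   # modify a file after the manifest was written, as a corrupted package would
        files["rcS"] += b"echo tampered\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in {**files, MANIFEST_NAME: manifest.encode()}.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def classify(data):
    """Guess what a member is from its leading bytes."""
    if data.startswith(UIMAGE_MAGIC):
        return "kernel (uImage)"
    if data.startswith(b"\x7fELF"):
        return "elf (driver/binary)"
    if data.startswith(b"#!"):
        return "script"
    return "other"


def inspect_package(blob):
    """Return (report, mismatches): report maps each member to its kind; mismatches lists
    members whose md5 differs from the manifest or that the manifest does not list."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        members = {m.name: tar.extractfile(m).read()
                   for m in tar.getmembers() if m.isfile()}
    manifest = {}
    for line in members.pop(MANIFEST_NAME, b"").decode().splitlines():
        digest, _, name = line.partition("  ")
        manifest[name] = digest
    report, mismatches = {}, []
    for name, data in members.items():
        report[name] = classify(data)
        if manifest.get(name) != hashlib.md5(data).hexdigest():
            mismatches.append(name)
    return report, mismatches


if __name__ == "__main__":
    for tamper in (False, True):
        report, mismatches = inspect_package(build_sample_package(tamper))
        print("tampered package:" if tamper else "clean package:")
        for name, kind in report.items():
            print(f"  {name:<22} {kind}")
        print("  md5 mismatches:", mismatches or "none")
```

An md5 manifest of this kind only detects accidental corruption: whoever can alter a file in the package can recompute its digest, so it gives the device no assurance about where the update came from. Only a signature over the manifest, checked against a key the device holds, would let it reject a modified package, and a package fetched from a predictable, version-numbered URL is exactly the case where that matters.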

That’s all I’ve done so far, and I’ve not yet been able to access the serial console.

Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.

5 Comments
bjarne
5 years ago

Thanks. Looks like there are some similarities with the hardware described at http://wiki.openwrt.org/toh/alfa.network/ap121

Paul
5 years ago

Great work! Note that SD111-FW-V3.6.tar.gz contains rcS, “config” with manifest and md5. So, there’s a vector to upgrade device per user needs, but yep, would be nice to just guess system password ;-).

zooba
5 years ago

Are you able to stop the boot process at Uboot? If you are able to pass some arguments to the linux kernel like “init=/bin/sh” you might have a shell.

Or try to boot a live system out of the LAN, or out of the serial if the Uboot supports it.

zooba
5 years ago

Another simple hack is to attack the SPI flash directly. You would need to have a tool like flashrom, an FT2232 or a buspirate, and try to dump the content of the flash. This is quite easy to do. Which flash chip is on there?
