Zsun SD111 Wi-Fi Flash Drive Hacking Tentative

Two days ago, I reviewed Zsun SD111 a 8GB Wi-Fi flash drive based on Atheros AR9331, and I discovered the telnet port was open, but I could not access it because none of the standard username and password combinations (root/root, admin/admin, root/admin, etc…) would work, which is actually a good thing. However, as I opened the stick, the serial pins were clearly marked, so today I’ve soldered some Dupont wires to access the serial console.

Zsun_SD111_UART_PinsIn order to open the stick, you need a rigid sharp object to push the top cover via the neck strap hole, as shown below, and another tool (mine looks similar to a scalpel) to help popping the cover up.

Zsun_SD111_Open_EnclosureThen I connected the three wires to a USB to TLL debug board, connected it to my PC, started minicom (115200 8N1), and pressed the power button. I could see U-Boot 1.1.4 message, so it seems to be successful, but unfortunately, the boot ended with:


So I was unable to login…

I’ve included the full boot log for reference below:

U-Boot 1.1.4 (Apr  4 2014 – 18:04:53)

AP121 (ar9331) U-boot

DRAM:  32 0
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 139k for U-Boot at: 81fdc000
Reserving 192k for malloc() at: 81fac000
Reserving 44 Bytes for Board Info at: 81fabfd4
Reserving 36 Bytes for Global Data at: 81fabfb0
Reserving 128k for boot params() at: 81f8bfb0
Stack Pointer at: 81f8bf98
Now running in RAM – U-Boot at: 81fdc000
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x17
flash size 8388608, sector count = 128
Flash: 8 0
8 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize…
Fetching MAC Address from 0x81ff4128
Fetching MAC Address from 0x81ff4128
: cfg1 0x5 cfg2 0x7114
eth0: 00:03:7f:11:56:48
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:11:56:49
athrs26_reg_init_lan
ATHRS26: resetting s26
ATHRS26: s26 reset done
eth1 up
eth0, eth1
Hit any key to stop autoboot:  0
## Booting image at 9f6b0000 …
Image Name:   Linux Kernel Image
Created:      2014-06-20   1:24:58 UTC
Image Type:   MIPS Linux Kernel Image (lzma compressed)
Data Size:    1057231 Bytes = 1 0
1 MB
Load Address: 80002000
Entry Point:  802306f0
Verifying Checksum at 0x9f6b0040 …OK
Uncompressing Kernel Image … OK
No initrd
## Transferring control to Linux (at address 802306f0) …
## Giving linux memsize in bytes, 33554432

Starting kernel …


Shenzhen Zsun Cloud Technology Co.,Ltd.
Shenzhen Zhishang Yidong Keji Youxian Gongsi
www.zsuncloud.com
Linux version 2.6.31–LSDK-9.2.0_U11.14 (ivansi@zsuncloud) (gcc version 4.3.3 (4
flash_size passed from bootloader = 8
arg 1: console=ttyS0,115200
arg 2: root=31:02
arg 3: rootfstype=jffs2
arg 4: rw
arg 5: init=/sbin/init
arg 6: mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uIm)
arg 7: mem=32M
CPU revision is: 00019374 (MIPS 24Kc)
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 29364k/32768k available (2248k kernel code, 3404k reserved, 644k data, )
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop… 266.24 BogoMIPS (lpj=532480)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
===== ar7240_platform_init: 0
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
AR7240 GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
NTFS driver 2.1.29 [Flags: R/W DEBUG].
JFFS2 version 2.2 (NAND) (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
fuse init (API version 7.12)
msgmni has been set to 57
alg: No test for lzma (lzma-generic)
alg: No test for stdrng (krng)
io scheduler noop registered (default)
gpio: ath-gpio module inited!
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
ttyS0: detected caps 00000000 should be 00000100
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V1.0 6 cmdlinepart partitions found on MTD device ar7240-nor0
Creating 6 MTD partitions on “ar7240-nor0”:
0x000000000000-0x000000010000 : “u-boot”
0x000000010000-0x000000020000 : “u-boot-env”
0x000000020000-0x0000006b0000 : “rootfs”
0x0000006b0000-0x0000007e0000 : “uImage”
0x0000007e0000-0x0000007f0000 : “NVRAM”
0x0000007f0000-0x000000800000 : “ART”
usbmon: debugfs is not available
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
option: v0.7.2:USB Driver for GSM modems
nf_conntrack version 0.5.0 (512 buckets, 2048 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
ClusterIP Version 0.8 loaded successfully
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 17
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>
All bugs added by David S. Miller <[email protected]>
arch/mips/ar7240/gpio.c (ar7240_simple_config_init) AP_RESET_GPIO: 12
arch/mips/ar7240/gpio.c (ar7240_simple_config_init) JUMPSTART_GPIO: 11
ar7240wdt_init: Registering WDT success
VFS: Mounted root (jffs2 filesystem) on device 31:2.
Freeing unused kernel memory: 128k freed
init started:  BusyBox v1.01 (2014.06.20-01:25+0000) multi-call binary
init started:  BusyBox v1.01 (2014.06.20-01:25+0000) multi-call binary
Starting pid 152, console /dev/ttyS0: ‘/etc/rc.d/rcS’
Welcome to
——-      |            /    /–/        ___      |
/           |           /|     \/        _____   –|–|
/_____\      |—       –|–   //–/      /        /  |
__|__       |           /|\    / \/      /___\    /   |
___|___   ___|____      / | \     /               /   \|

Shenzhen Zsun Cloud Technology Co., LTD.
www.zsuncloud.com
ATHR_GMAC: Length per segment 1536
ATHR_GMAC: fifo cfg 3 01f00140
ATHR_GMAC: Mac address for unit 0:bf7f0000
ATHR_GMAC: 00:03:7f:11:56:48
ATHR_GMAC: Max segments per packet :   1
ATHR_GMAC: Max tx descriptor count :   40
ATHR_GMAC: Max rx descriptor count :   252
ATHR_GMAC: Mac capability flags    :   4403
ATHR_GMAC: Mac address for unit 1:bf7f0006
ATHR_GMAC: 00:03:7f:11:56:49
ATHR_GMAC: Max segments per packet :   1
ATHR_GMAC: Max tx descriptor count :   40
ATHR_GMAC: Max rx descriptor count :   96
ATHR_GMAC: Mac capability flags    :   4D83
athr_gmac_ring_alloc Allocated 640 at 0x81d5fc00
athr_gmac_ring_alloc Allocated 4032 at 0x81d36000
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY…
athr_gmac_ring_alloc Allocated 640 at 0x81d5f800
athr_gmac_ring_alloc Allocated 1536 at 0x81d4d800
ATHRS26: resetting s26
ATHRS26: s26 reset done
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY…
device eth0 entered promiscuous mode
ehci_hcd: USB 2.0 ‘Enhanced’ Host Controller (EHCI) Driver
Port Status 1c000004
ar7240-ehci ar7240-ehci.0: ATH EHCI
ar7240-ehci ar7240-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000
ar7240-ehci ar7240-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 3
ehci_reset Port Status 1c000000
ar7240-ehci ar7240-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: ATH EHCI
usb usb1: Manufacturer: Linux 2.6.31–LSDK-9.2.0_U11.14 ehci_hcd
usb usb1: SerialNumber: platform
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing USB Mass Storage driver…
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
rm: cannot remove `/var/log.*’: No such file or directory
**** drop_caches_sysctl_handler: all done timer added …****
usb 1-1: new high speed USB device using ar7240-ehci and address 2
Starting pid 373, console /dev/tasf: module license ‘Proprietary’ taints kernel.
Disabling lock debugging due to kernel taint
usb 1-1: New USB device found, idVendor=0424, idProduct=2240
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: Ultra Fast Media
usb 1-1: Manufacturer: Generic
usb 1-1: SerialNumber: 000000225001
usb 1-1: configuration #1 chosen from 1 choice
scsi0 : SCSI emulation for USB Mass Storage devices
ath_hal: 0.9.17.1 (AR9380, DEBUG, REGOPS_FUNC, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Righd
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reservd

(none) mips #56 Tath_ahb: 9.2.0_U11.14 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
hu Jun 19 15:45:22 HKT 2014 (none)
(none) login: Bootstrap clock 25MHz
ar9300RadioAttach: Need analog access recipe!!
Restoring Cal data from Flash
Using Cal data from Flash 0xbf7f0000
ath_get_caps[5184] rx chainmask mismatch actual 1 sc_chainmak 0
ath_get_caps[5159] tx chainmask mismatch actual 1 sc_chainmak 0
SC Callback Registration for wifi0
wifi0: Atheros 9380: mem=0xb8100000, irq=2
wlan_vap_create : enter. devhandle=0x81ff02c0, opmode=IEEE80211_M_HOSTAP, flags1
wlan_vap_create : exit. devhandle=0x81ff02c0, opmode=IEEE80211_M_HOSTAP, flags.
device ath0 entered promiscuous mode
br0: port 2(ath0) entering forwarding state
scsi 0:0:0:0: Direct-Access     Generic  Ultra HS-COMBO   1.98 PQ: 0 ANSI: 0
sd 0:0:0:0: [sda] 15630336 512-byte logical blocks: (8.00 GB/7.45 GiB)
sd 0:0:0:0: [sda] Write Protect is off
sd 0:0:0:0: [sda] Assuming drive cache: write through
sd 0:0:0:0: [sda] Assuming drive cache: write through
sda:
sda1
sd 0:0:0:0: [sda] Assuming drive cache: write through
sd 0:0:0:0: [sda] Attached SCSI removable disk

(none) mips #56 Thu Jun 19 15:45:22 HKT 2014 (none)
(none) login:
(none) mips #56 Thu Jun 19 15:45:22 HKT 2014 (none)
(none) login: root
Password:
Login incorrect
(none) login:

In order to disable serial console login, we may need to edit /etc/inittab, and comment out a line with something like /bin/ash –login, and if we add an Ethernet connection, it might be possible to Enter U-boot, and boot from tftp with another AR9331 firmware, and edit the file, but since there’s no Wi-Fi in U-boot this is not an option.

But I’ve noticed there was a new firmware available via Apple Extender Android app, so I started “Shark for Root” in my phone to capture the packets with tcpdump into files called shark_dump_xxxxxxxx.pcap, which can then be opened in WireShark in a computer, and found out the link for the firmware SD111-FW-V3.6.tar.gz.

Zsun_SD111_Firmware_FilesThe file contains a bunch of kernel drivers, scripts, config files, and the kernel (uImage), but there isn’t any root file systems I could find. You can also download earlier version of the firmware V3.4, V3.0 etc… by changing the number in the link. The Android itself store configuration files and libraries in /data/data/com.wltx.mycloudclient directory in the phone.

That’s all I’ve done so far, and I’ve not yet been able to access the serial console.

Share this:

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX RK3588 mini-ITX motherboard
Subscribe
Notify of
guest
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.
5 Comments
oldest
newest
bjarne
bjarne
9 years ago

Thanks.. Looks like there are some similarities with the hardware described at http://wiki.openwrt.org/toh/alfa.network/ap121

Paul
Paul
9 years ago

Great work! Note that SD111-FW-V3.6.tar.gz contains rcS, “config” with manifest and md5. So, there’s a vector to upgrade device per user needs, but yep, would be nice to just guess system password ;-).

zooba
9 years ago

Are you able to stop the boot process at Uboot? If you are able to pass some arguments to the linux kernel like “init=/bin/sh” you might have a shell.

Or try to boot a live system out of the LAN, or out of the serial if the Uboot supports it.

zooba
9 years ago

Another simple hack is to attack the SPI flash directly. You would need to have a tool like flashrom, an FT2232 or a buspirate, and try to dump the content of the flash. This is quite easy to do. Which flash chip is on there?

Khadas VIM4 SBC