Zsun SD111 Is Now “Officially” an Hackable Wireless Flash Drive

Orange Pi Development Boards

Zsun SD11x are Wi-Fi flash drives for 8 to 128 GB eMMC, alternative to Sandisk or Kingston. Yesterday, I soldered the UART pins to Zsun SD111 (8GB) flash drive to access the serial console, but I did not manage to enter the terminal as it was password-protected. I posted my results anyway, as I was convinced I would get some clever ideas from my readers, some of which appeared to be a little time consuming, but Zoobab offered a simple solution that consisted in changing the boot parameters, by replacing /sbin/init by /bin/sh.

Zsun_SD111_UART_Pins

The first step is to interrupt the boot by pressing space or another key, in order to access U-boot.
Now we can check the U-boot environment

ar7240> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f6B0000
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=10.168.168.1
serverip=10.168.168.10
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 361/65532 bytes

Let’s keep everything the same, except the init, which can be modified with the command below:

ar7240> setenv bootargs console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/sh mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)

Let’s start Linux:


It will end with:


Perfect! We’ve got access to the command line. Let’s have look at the users:


If we look at the shadow file only root and Admin have a password, so you could login with user ap71 without password for example, but that’s not too useful since you would not have root access. So I simply changed the root password with passwd command, but let’s me access the board via the UART console or telnet.

I’ve run some command to find out more about the system.


The linux kernel contains the string “LSDK-9.2.0” which appears to be an SDK for Atheros AR93XX, and can be downloaded here (I have not tried/verified the download). So the device is not running OpenWRT. Since telnet is not exactly secure, and want to access the device over the network, you should probably install dropbear, There’s only 796 KB left on the SPI flash, so what you can do is probably limited, although it might be possible to delete unused files to get extra space. Have fun!

Support CNX Software - Donate via PayPal or become a Patron on Patreon

15
Leave a Reply

avatar
15 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
9 Comment authors
pinchiesiamfrankenstein[nl]zoobabcnxsoftdmsc Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
onebir
Guest
onebir

Nice! 🙂

Paul
Guest
Paul

Thanks for leading it to a logical end! Just as a sanity check, for me link “appears to be an SDK for Atheros AR93XX, and can be downloaded here” leads to 404 page on Baidu, is it only for me?

David W
Guest
David W

Please publish the original root password hash, some kindly soul might crack it to save everyone else the soldering step!

agumonkey
Guest

Lovely hacking in progress (actually finished) article. Kudos

zoobab
Guest

How big is the flash?

You could create an overlayfs on top of the small flash to use the 8gb drive.

Openwrt should fit on there without any pain.

dmsc
Guest
dmsc

@cnxsoft

cnxsoft :
@David W
That’s the string I found in my search history: CNrdqzpcFZ9ir40
Not sure it’s complete, but It can still be useful maybe. I may be for root or Admin user. I can’t remember.

Strange, it looks like a crypt hash, but Crypt hashes are 13 character length and yours is 15 characters.

zoobab
Guest

you have a tftp client on busybox, no wget, so you can easily download code on there if the network is up.

Paul
Guest
Paul

> You could create an overlayfs on top of the small flash to use the 8gb drive.
> Openwrt should fit on there without any pain.

The whole point why this device is interesting and stands out of the crowd is that you can (should be able to) install Debian on it, not just OpenWRT. And because it’s emmc, it even should offer decent performance with Debian.

iamfrankenstein[nl]
Guest
iamfrankenstein[nl]

I made a complete jffs2 bin file thanks to flashrom, my shadow file:

root:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
Admin:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

Firmware = 3.6

pinchies
Guest
pinchies

I’ve also made a dump of the raw flash file, and I get the same shadow file as iamfrankenstein. BIN uploaded here: http://cl.ly/ZFTl

Working on cracking the password so we can do solderless hacking!

pinchies
Guest
pinchies

Password cracked in literally 3 seconds on a 7980 GPU using hashcat. Photo: http://cl.ly/ZHWg

oclHashcat64 shadow.txt uniq.txt -m 500 -r .\rules\best64.rule -r .\rules\InsidePro-PasswordsPro.rule –gpu-temp-disable

I added a few terms to the start of the uniq v14 dictionary that I found on the zsun website:

zsun
cnx
software
wifi
drive
wireless
docooler
sd113
sd112
sd111
cloud
Mobile
Technology
Shenzhen
supreme
GuangDong
super
disk
apple
dish
Jiudiankaifang

The password is simply “zsun1188” 🙂