Zsun SD111 Is Now “Officially” an Hackable Wireless Flash Drive

Zsun SD11x are Wi-Fi flash drives for 8 to 128 GB eMMC, alternative to Sandisk or Kingston. Yesterday, I soldered the UART pins to Zsun SD111 (8GB) flash drive to access the serial console, but I did not manage to enter the terminal as it was password-protected. I posted my results anyway, as I was convinced I would get some clever ideas from my readers, some of which appeared to be a little time consuming, but Zoobab offered a simple solution that consisted in changing the boot parameters, by replacing /sbin/init by /bin/sh.

Zsun_SD111_UART_Pins

The first step is to interrupt the boot by pressing space or another key, in order to access U-boot.
Now we can check the U-boot environment

ar7240> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f6B0000
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=10.168.168.1
serverip=10.168.168.10
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 361/65532 bytes

Let’s keep everything the same, except the init, which can be modified with the command below:

ar7240> setenv bootargs console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/sh mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)

Let’s start Linux:


It will end with:


Perfect! We’ve got access to the command line. Let’s have look at the users:


If we look at the shadow file only root and Admin have a password, so you could login with user ap71 without password for example, but that’s not too useful since you would not have root access. So I simply changed the root password with passwd command, but let’s me access the board via the UART console or telnet.

I’ve run some command to find out more about the system.


The linux kernel contains the string “LSDK-9.2.0” which appears to be an SDK for Atheros AR93XX, and can be downloaded here (I have not tried/verified the download). So the device is not running OpenWRT. Since telnet is not exactly secure, and want to access the device over the network, you should probably install dropbear, There’s only 796 KB left on the SPI flash, so what you can do is probably limited, although it might be possible to delete unused files to get extra space. Have fun!

Share this:
FacebookTwitterHacker NewsSlashdotRedditLinkedInPinterestFlipboardMeWeLineEmailShare

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX Rockchip RK3588 mini-ITX motherboard

15 Replies to “Zsun SD111 Is Now “Officially” an Hackable Wireless Flash Drive”

  1. Thanks for leading it to a logical end! Just as a sanity check, for me link “appears to be an SDK for Atheros AR93XX, and can be downloaded here” leads to 404 page on Baidu, is it only for me?

  2. Please publish the original root password hash, some kindly soul might crack it to save everyone else the soldering step!

  3. How big is the flash?

    You could create an overlayfs on top of the small flash to use the 8gb drive.

    Openwrt should fit on there without any pain.

  4. @cnxsoft

    cnxsoft :
    @David W
    That’s the string I found in my search history: CNrdqzpcFZ9ir40
    Not sure it’s complete, but It can still be useful maybe. I may be for root or Admin user. I can’t remember.

    Strange, it looks like a crypt hash, but Crypt hashes are 13 character length and yours is 15 characters.

  5. > You could create an overlayfs on top of the small flash to use the 8gb drive.
    > Openwrt should fit on there without any pain.

    The whole point why this device is interesting and stands out of the crowd is that you can (should be able to) install Debian on it, not just OpenWRT. And because it’s emmc, it even should offer decent performance with Debian.

  6. I made a complete jffs2 bin file thanks to flashrom, my shadow file:

    root:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
    Admin:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
    bin::10933:0:99999:7:::
    daemon::10933:0:99999:7:::
    adm::10933:0:99999:7:::
    lp:*:10933:0:99999:7:::
    sync:*:10933:0:99999:7:::
    shutdown:*:10933:0:99999:7:::
    halt:*:10933:0:99999:7:::
    uucp:*:10933:0:99999:7:::
    operator:*:10933:0:99999:7:::
    nobody::10933:0:99999:7:::
    ap71::10933:0:99999:7:::

    Firmware = 3.6

  7. I’ve also made a dump of the raw flash file, and I get the same shadow file as iamfrankenstein. BIN uploaded here: http://cl.ly/ZFTl

    Working on cracking the password so we can do solderless hacking!

  8. Password cracked in literally 3 seconds on a 7980 GPU using hashcat. Photo: http://cl.ly/ZHWg

    oclHashcat64 shadow.txt uniq.txt -m 500 -r .\rules\best64.rule -r .\rules\InsidePro-PasswordsPro.rule –gpu-temp-disable

    I added a few terms to the start of the uniq v14 dictionary that I found on the zsun website:

    zsun
    cnx
    software
    wifi
    drive
    wireless
    docooler
    sd113
    sd112
    sd111
    cloud
    Mobile
    Technology
    Shenzhen
    supreme
    GuangDong
    super
    disk
    apple
    dish
    Jiudiankaifang

    The password is simply “zsun1188” 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...
Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...