Zsun SD11x are Wi-Fi flash drives for 8 to 128 GB eMMC, alternative to Sandisk or Kingston. Yesterday, I soldered the UART pins to Zsun SD111 (8GB) flash drive to access the serial console, but I did not manage to enter the terminal as it was password-protected. I posted my results anyway, as I was convinced I would get some clever ideas from my readers, some of which appeared to be a little time consuming, but Zoobab offered a simple solution that consisted in changing the boot parameters, by replacing /sbin/init by /bin/sh.
The first step is to interrupt the boot by pressing space or another key, in order to access U-boot.
Now we can check the U-boot environment
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
Environment size: 361/65532 bytes
Let’s keep everything the same, except the init, which can be modified with the command below:
ar7240> setenv bootargs console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/sh mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
Let’s start Linux:
It will end with:
ar7240wdt_init: Registering WDT success
VFS: Mounted root (jffs2 filesystem) on device 31:2.
Freeing unused kernel memory: 128k freed
BusyBox v1.01 (2014.06.20-01:25+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/bin/sh: can't access tty; job control turned off
Perfect! We’ve got access to the command line. Let’s have look at the users:
~ # cat /etc/passwd
If we look at the shadow file only root and Admin have a password, so you could login with user ap71 without password for example, but that’s not too useful since you would not have root access. So I simply changed the root password with passwd command, but let’s me access the board via the UART console or telnet.
I’ve run some command to find out more about the system.
~ # uname -a
Linux (none) 2.6.31--LSDK-9.2.0_U11.14 #1 Wed Aug 6 13:13:40 HKT 2014 mips unknown
~ # df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 6.6M 5.8M 796.0k 88% /
/dev/sda1 7.4G 18.8M 7.4G 0% /etc/disk
~ # cat /proc/cpuinfo
system type : Atheros AR9330 (Hornet)
processor : 0
cpu model : MIPS 24Kc V7.4
BogoMIPS : 266.24
wait instruction : yes
microsecond timers : yes
tlb_entries : 16
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0943, 0x0650]
ASEs implemented : mips16
shadow register sets : 1
core : 0
VCED exceptions : not available
VCEI exceptions : not available
~ # busybox
BusyBox v1.01 (2014.06.20-01:25+0000) multi-call binary
Usage: busybox [function] [arguments]...
or: [function] [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as!
Currently defined functions:
[, arping, ash, awk, brctl, busybox, cat, chgrp, chmod, cp, cut,
date, dd, df, dirname, dmesg, du, echo, egrep, env, ethdebug,
ethreg, expr, factoryreset, false, fgrep, find, getty, grep, httpd,
id, ifconfig, init, insmod, iproute, kill, killall, linuxrc, ln,
login, ls, lsmod, md, md5sum, mkdir, mknod, mktemp, mm, modprobe,
more, mount, mv, passwd, ping, ps, pwd, reboot, rm, rmdir, rmmod,
route, sed, sh, sleep, strings, su, sync, tail, tar, telnet, telnetd,
test, tftp, touch, true, tty, udhcpc, udhcpd, umount, uname, vconfig,
vi, wc, xargs
The linux kernel contains the string “LSDK-9.2.0” which appears to be an SDK for Atheros AR93XX, and can be downloaded here (I have not tried/verified the download). So the device is not running OpenWRT. Since telnet is not exactly secure, and want to access the device over the network, you should probably install dropbear, There’s only 796 KB left on the SPI flash, so what you can do is probably limited, although it might be possible to delete unused files to get extra space. Have fun!
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
15 Replies to “Zsun SD111 Is Now “Officially” an Hackable Wireless Flash Drive”
Thanks for leading it to a logical end! Just as a sanity check, for me link “appears to be an SDK for Atheros AR93XX, and can be downloaded here” leads to 404 page on Baidu, is it only for me?
Please publish the original root password hash, some kindly soul might crack it to save everyone else the soldering step!
Lovely hacking in progress (actually finished) article. Kudos
The link is working for me
Sorry, I did not save it. I remember I did a Google Search just in case but nothing showed up.
That’s the string I found in my search history: CNrdqzpcFZ9ir40
Not sure it’s complete, but It can still be useful maybe. I may be for root or Admin user. I can’t remember.
How big is the flash?
You could create an overlayfs on top of the small flash to use the 8gb drive.
Openwrt should fit on there without any pain.
Strange, it looks like a crypt hash, but Crypt hashes are 13 character length and yours is 15 characters.
It’s incomplete, There was a separator, but if that was part of a common hash it would have shown up in Google search. So it’s just the beginning of the hash.
you have a tftp client on busybox, no wget, so you can easily download code on there if the network is up.
> You could create an overlayfs on top of the small flash to use the 8gb drive.
> Openwrt should fit on there without any pain.
The whole point why this device is interesting and stands out of the crowd is that you can (should be able to) install Debian on it, not just OpenWRT. And because it’s emmc, it even should offer decent performance with Debian.
I made a complete jffs2 bin file thanks to flashrom, my shadow file:
Firmware = 3.6
I’ve also made a dump of the raw flash file, and I get the same shadow file as iamfrankenstein. BIN uploaded here: http://cl.ly/ZFTl
Working on cracking the password so we can do solderless hacking!
Password cracked in literally 3 seconds on a 7980 GPU using hashcat. Photo: http://cl.ly/ZHWg
oclHashcat64 shadow.txt uniq.txt -m 500 -r .\rules\best64.rule -r .\rules\InsidePro-PasswordsPro.rule –gpu-temp-disable
I added a few terms to the start of the uniq v14 dictionary that I found on the zsun website:
The password is simply “zsun1188” 🙂
Thanks! I did not know the command line to crack passwords neither, so now I know 🙂
Did you really find “cnx” and “software” on zsun website :p