Home > Hardware, Linux, OpenWRT, Qualcomm Atheros, Testing > Linux Based Zsun WiFi Card Reader Has Been Hacked Too…

Linux Based Zsun WiFi Card Reader Has Been Hacked Too…

A little while ago, I purchased Zsun SD111 W-Fi USB flash drive, and after several tentatives, I finally found a way to access the device’s serial console. Since then the company announced another wireless storage device with Zsun Wi-Fi card reader, and Zoobab decided to try to hack it too.

Zsun_SD_Card_Reader_Serial_ConsoleSince the device is pretty hard to open without damaging the enclosure, connecting the serial pin was not really an option, and the first exploit was to input shell commands in the web interface SSID field… For example, entering reboot there, would indeed reboot the device.

However, this would still not allow full shell access, and finally after a broader port scan, it was found out that TCP port 11880 was open for telnet daemon. You can then access the shell as root with the same password as SD111: “zsun1188”. For some reasons, telnet can’t work with the device, and socat must be used instead.

That’s it you now have full access to this small and inexpensive Linux device powered by Atheros AR9331 SoC with 32MB RAM and 16MB flash, plus up to 64GB storage on micro SD card.

Thanks to Zoobab for his work.

  1. onebir
    July 13th, 2015 at 22:23 | #1

    TIL: Hanzi ascii art… 至上移动 🙂

    & something the size of a 1 RMB coin can have slightly better specs than TP-Link WR703N…

    (do these all have the same root password, making them very insecure now?)

  2. onebir
  3. onebir
    July 13th, 2015 at 22:35 | #3

    OK it looks like CNX reviewed the model I just posted (with a battery and some flash), but Zoobab built on his results to hack the tiny one with an SD card reader. (Battery, flash and SD card reader aside, they also seem to have different size flash chips – only 8Mb in the one CNX reviewed apparently)

  4. ben
    July 13th, 2015 at 23:10 | #4

    From a user perspective, is there any difference between the Zsun device and other wireless (hotspot) storage solutions? (airstash, cloudftp/iUSBport , camranger, etc)

  5. Nerijus
    July 14th, 2015 at 00:30 | #5

    onebir :
    TIL: Hanzi ascii art… 至上移动
    & something the size of a 1 RMB coin can have slightly better specs than TP-Link WR703N…
    (do these all have the same root password, making them very insecure now?)

    I was trying to think about real-life uses for this hack. For exa, ple,with WR703 you make an internet radio when USB souncard added. This one only has USB power and no other conectivity options apart wi-fi.

  6. iamfrankenstein
    July 14th, 2015 at 16:09 | #6

    Its perfect for a “anonymouse” dropbox. If this hack allows you to install piratebox firmware it could be interesting.
    Other use case is a wifi sniffer, dump everything that is not encrypted to the sdcard.

  7. iamfrankenstein
    July 14th, 2015 at 16:16 | #7

    @iamfrankenstein
    O, wait ar9331 needs a usb wifi card to sniff wifi 🙁

  8. July 14th, 2015 at 18:28 | #8

    Next step is to try to flash openwrt on it.

  9. July 15th, 2015 at 13:43 | #9

    I also bought a bunch of those readers to see how hackable are they.

    I’ve managed to flash openwrt on it (based on the carambola 2 config), but it required some hacking and soldering.
    There is much work to be done to have a way to easily install openwrt through software.

    On the PCB there are nice test points which include a serial port and one ethernet port (which you have to use to upload images to uboot)!
    The part of the PCB sandwich with the sd card reader can be safely removed, which gives you easy access to the SoC’s USB port.

  10. iamfrankenstein
    July 15th, 2015 at 16:19 | #10

    @zoobab
    My next step is to first order 2 (just did 🙂 ). Are there any good pictures of the pcb? could be handy to compare with wr703n schematic to spot differences.

  11. July 15th, 2015 at 19:20 | #12

    @Emeryth
    Can you share your tips on how you managed to do it? Software side, just dd over the whole flash including the bootloader config should do it 🙂

  12. July 16th, 2015 at 18:04 | #13

    @zoobab
    I’ll try to write down everything I’ve learned about the reader and post it somewhere.

  13. hp
    July 19th, 2015 at 15:31 | #14

    I am not familiar with gear best, but they are selling now for <$12

    http://www.gearbest.com/memory-cards/pp_164717.html

  14. July 21st, 2015 at 23:27 | #15

    @zoobab
    I’m dropping the link right now, but I will be expanding the article:
    https://wiki.hackerspace.pl/projects:zsun-wifi-card-reader

  15. July 29th, 2015 at 21:13 | #16

    @Emeryth
    Thanks for the link. Keep us updated once you expand the article.

  16. HR
    September 24th, 2015 at 15:44 | #17

    Hi guys,
    How can I switch between USB and WiFi mode in windows? Is there any application for windows OS? just like what is available for android or iOS. Is there any command to use in an explorer? It is necessary for me to be able to switch between modes in windows OS.

  17. Tired8281
    October 12th, 2015 at 09:42 | #18

    I was able to get this working (sort of) in Windows. I downloaded the APK and used the ARC Welder Chrome extension to turn it into a Chrome app. I am able to access the card, change the mode from Wifi to PC, etc. I assume the same process would work in Chrome on Linux or Mac or ChromeOS.

    Would love to have OpenWRT on here, or even just Samba or vsftpd…can I do that through the socat shell?

  18. tag
    October 30th, 2015 at 17:37 | #19

    @HR
    @HR:

    You can download the “Windows version” from http://zsuncloud.com/supper-disk-2-download.
    For me it gives scrambled text (probably not installed Chinese character set) on the buttons when you run it; but actually there is a switch in the middle of the screen. Pulling it left and right allows you to switch from WIFI to USB.

    Apperently there is SAMBA on it (see See http://forum.banggood.com/forum-topic-71346.html)
    You can just type “\\wulian” in explorer to connect to connect to the drive (or 10.168.168.1\public)

    Alternatively, you can also fire up the “windows version” and press the button in the middle at the bottom of the screen. If you wait for a couple of seconds it will open an explorer screen

  19. Falkens
    October 31st, 2015 at 00:53 | #20

    can anybody pls make an ‘ps -a’ output on the root telnet session in the case of mode switched to either “wireless” and “PC-USB mode”.
    It appears that mine does not start the SMB-server – I always get a “APP-error connection refused” in the zsun-IApp and no response to port 445 nor via windows SMB as described above. Anyone else having this issue?

  20. Bogeskov
    March 16th, 2016 at 20:10 | #21

    @Falkens

    You want to run:

    curl -X POST --data workmode=0 http://10.168.168.1:8080/goform/Setcardworkmode

    to get into wireless mode (workmode=1 for PC mode)

    Then you can do a:

    sudo mount.cifs //10.168.168.1/Public $PWD/ZSUN -ousername=admin,password=admin,uid=`id -un`,gid=`id -gn`

    To mount the drive.

  1. No trackbacks yet.