Linux Based Zsun WiFi Card Reader Has Been Hacked Too…

Orange Pi Development Boards

A little while ago, I purchased Zsun SD111 W-Fi USB flash drive, and after several tentatives, I finally found a way to access the device’s serial console. Since then the company announced another wireless storage device with Zsun Wi-Fi card reader, and Zoobab decided to try to hack it too.

Zsun_SD_Card_Reader_Serial_ConsoleSince the device is pretty hard to open without damaging the enclosure, connecting the serial pin was not really an option, and the first exploit was to input shell commands in the web interface SSID field… For example, entering reboot there, would indeed reboot the device.

However, this would still not allow full shell access, and finally after a broader port scan, it was found out that TCP port 11880 was open for telnet daemon. You can then access the shell as root with the same password as SD111: “zsun1188”. For some reasons, telnet can’t work with the device, and socat must be used instead.

That’s it you now have full access to this small and inexpensive Linux device powered by Atheros AR9331 SoC with 32MB RAM and 16MB flash, plus up to 64GB storage on micro SD card.

Thanks to Zoobab for his work.

21
Leave a Reply

avatar
21 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
13 Comment authors
BogeskovFalkenstagTired8281HR Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
onebir
Guest
onebir

TIL: Hanzi ascii art… 至上移动 🙂

& something the size of a 1 RMB coin can have slightly better specs than TP-Link WR703N…

(do these all have the same root password, making them very insecure now?)

onebir
Guest
onebir

OK it looks like CNX reviewed the model I just posted (with a battery and some flash), but Zoobab built on his results to hack the tiny one with an SD card reader. (Battery, flash and SD card reader aside, they also seem to have different size flash chips – only 8Mb in the one CNX reviewed apparently)

ben
Guest
ben

From a user perspective, is there any difference between the Zsun device and other wireless (hotspot) storage solutions? (airstash, cloudftp/iUSBport , camranger, etc)

Nerijus
Guest
Nerijus

onebir :
TIL: Hanzi ascii art… 至上移动
& something the size of a 1 RMB coin can have slightly better specs than TP-Link WR703N…
(do these all have the same root password, making them very insecure now?)

I was trying to think about real-life uses for this hack. For exa, ple,with WR703 you make an internet radio when USB souncard added. This one only has USB power and no other conectivity options apart wi-fi.

iamfrankenstein
Guest
iamfrankenstein

Its perfect for a “anonymouse” dropbox. If this hack allows you to install piratebox firmware it could be interesting.
Other use case is a wifi sniffer, dump everything that is not encrypted to the sdcard.

iamfrankenstein
Guest
iamfrankenstein

@iamfrankenstein
O, wait ar9331 needs a usb wifi card to sniff wifi 🙁

zoobab
Guest

Next step is to try to flash openwrt on it.

Emeryth
Guest

I also bought a bunch of those readers to see how hackable are they.

I’ve managed to flash openwrt on it (based on the carambola 2 config), but it required some hacking and soldering.
There is much work to be done to have a way to easily install openwrt through software.

On the PCB there are nice test points which include a serial port and one ethernet port (which you have to use to upload images to uboot)!
The part of the PCB sandwich with the sd card reader can be safely removed, which gives you easy access to the SoC’s USB port.

iamfrankenstein
Guest
iamfrankenstein

@zoobab
My next step is to first order 2 (just did 🙂 ). Are there any good pictures of the pcb? could be handy to compare with wr703n schematic to spot differences.

zoobab
Guest

@Emeryth
Can you share your tips on how you managed to do it? Software side, just dd over the whole flash including the bootloader config should do it 🙂

Emeryth
Guest

@zoobab
I’ll try to write down everything I’ve learned about the reader and post it somewhere.

hp
Guest
hp

I am not familiar with gear best, but they are selling now for <$12

http://www.gearbest.com/memory-cards/pp_164717.html

Emeryth
Guest

@zoobab
I’m dropping the link right now, but I will be expanding the article:
https://wiki.hackerspace.pl/projects:zsun-wifi-card-reader

HR
Guest
HR

Hi guys,
How can I switch between USB and WiFi mode in windows? Is there any application for windows OS? just like what is available for android or iOS. Is there any command to use in an explorer? It is necessary for me to be able to switch between modes in windows OS.

Tired8281
Guest
Tired8281

I was able to get this working (sort of) in Windows. I downloaded the APK and used the ARC Welder Chrome extension to turn it into a Chrome app. I am able to access the card, change the mode from Wifi to PC, etc. I assume the same process would work in Chrome on Linux or Mac or ChromeOS.

Would love to have OpenWRT on here, or even just Samba or vsftpd…can I do that through the socat shell?

tag
Guest
tag

@HR
@HR:

You can download the “Windows version” from http://zsuncloud.com/supper-disk-2-download.
For me it gives scrambled text (probably not installed Chinese character set) on the buttons when you run it; but actually there is a switch in the middle of the screen. Pulling it left and right allows you to switch from WIFI to USB.

Apperently there is SAMBA on it (see See http://forum.banggood.com/forum-topic-71346.html)
You can just type “\\wulian” in explorer to connect to connect to the drive (or 10.168.168.1\public)

Alternatively, you can also fire up the “windows version” and press the button in the middle at the bottom of the screen. If you wait for a couple of seconds it will open an explorer screen

Falkens
Guest
Falkens

can anybody pls make an ‘ps -a’ output on the root telnet session in the case of mode switched to either “wireless” and “PC-USB mode”.
It appears that mine does not start the SMB-server – I always get a “APP-error connection refused” in the zsun-IApp and no response to port 445 nor via windows SMB as described above. Anyone else having this issue?

Bogeskov
Guest
Bogeskov

@Falkens

You want to run:

curl -X POST --data workmode=0 http://10.168.168.1:8080/goform/Setcardworkmode

to get into wireless mode (workmode=1 for PC mode)

Then you can do a:

sudo mount.cifs //10.168.168.1/Public $PWD/ZSUN -ousername=admin,password=admin,uid=`id -un`,gid=`id -gn`

To mount the drive.