Linux Based Zsun WiFi Card Reader Has Been Hacked Too…

A little while ago, I purchased Zsun SD111 W-Fi USB flash drive, and after several tentatives, I finally found a way to access the device’s serial console. Since then the company announced another wireless storage device with Zsun Wi-Fi card reader, and Zoobab decided to try to hack it too.

Zsun_SD_Card_Reader_Serial_ConsoleSince the device is pretty hard to open without damaging the enclosure, connecting the serial pin was not really an option, and the first exploit was to input shell commands in the web interface SSID field… For example, entering reboot there, would indeed reboot the device.

However, this would still not allow full shell access, and finally after a broader port scan, it was found out that TCP port 11880 was open for telnet daemon. You can then access the shell as root with the same password as SD111: “zsun1188”. For some reasons, telnet can’t work with the device, and socat must be used instead.

That’s it you now have full access to this small and inexpensive Linux device powered by Atheros AR9331 SoC with 32MB RAM and 16MB flash, plus up to 64GB storage on micro SD card.

Thanks to Zoobab for his work.

Share this:
FacebookTwitterHacker NewsSlashdotRedditLinkedInPinterestFlipboardMeWeLineEmailShare

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX Rockchip RK3588 mini-ITX motherboard

21 Replies to “Linux Based Zsun WiFi Card Reader Has Been Hacked Too…”

  1. TIL: Hanzi ascii art… 至上移动 🙂

    & something the size of a 1 RMB coin can have slightly better specs than TP-Link WR703N…

    (do these all have the same root password, making them very insecure now?)

  2. OK it looks like CNX reviewed the model I just posted (with a battery and some flash), but Zoobab built on his results to hack the tiny one with an SD card reader. (Battery, flash and SD card reader aside, they also seem to have different size flash chips – only 8Mb in the one CNX reviewed apparently)

  3. From a user perspective, is there any difference between the Zsun device and other wireless (hotspot) storage solutions? (airstash, cloudftp/iUSBport , camranger, etc)

  4. onebir :
    TIL: Hanzi ascii art… 至上移动
    & something the size of a 1 RMB coin can have slightly better specs than TP-Link WR703N…
    (do these all have the same root password, making them very insecure now?)

    I was trying to think about real-life uses for this hack. For exa, ple,with WR703 you make an internet radio when USB souncard added. This one only has USB power and no other conectivity options apart wi-fi.

  5. Its perfect for a “anonymouse” dropbox. If this hack allows you to install piratebox firmware it could be interesting.
    Other use case is a wifi sniffer, dump everything that is not encrypted to the sdcard.

  6. I also bought a bunch of those readers to see how hackable are they.

    I’ve managed to flash openwrt on it (based on the carambola 2 config), but it required some hacking and soldering.
    There is much work to be done to have a way to easily install openwrt through software.

    On the PCB there are nice test points which include a serial port and one ethernet port (which you have to use to upload images to uboot)!
    The part of the PCB sandwich with the sd card reader can be safely removed, which gives you easy access to the SoC’s USB port.

  7. @zoobab
    My next step is to first order 2 (just did 🙂 ). Are there any good pictures of the pcb? could be handy to compare with wr703n schematic to spot differences.

  8. Hi guys,
    How can I switch between USB and WiFi mode in windows? Is there any application for windows OS? just like what is available for android or iOS. Is there any command to use in an explorer? It is necessary for me to be able to switch between modes in windows OS.

  9. I was able to get this working (sort of) in Windows. I downloaded the APK and used the ARC Welder Chrome extension to turn it into a Chrome app. I am able to access the card, change the mode from Wifi to PC, etc. I assume the same process would work in Chrome on Linux or Mac or ChromeOS.

    Would love to have OpenWRT on here, or even just Samba or vsftpd…can I do that through the socat shell?

  10. @HR
    @HR:

    You can download the “Windows version” from http://zsuncloud.com/supper-disk-2-download.
    For me it gives scrambled text (probably not installed Chinese character set) on the buttons when you run it; but actually there is a switch in the middle of the screen. Pulling it left and right allows you to switch from WIFI to USB.

    Apperently there is SAMBA on it (see See http://forum.banggood.com/forum-topic-71346.html)
    You can just type “\\wulian” in explorer to connect to connect to the drive (or 10.168.168.1\public)

    Alternatively, you can also fire up the “windows version” and press the button in the middle at the bottom of the screen. If you wait for a couple of seconds it will open an explorer screen

  11. can anybody pls make an ‘ps -a’ output on the root telnet session in the case of mode switched to either “wireless” and “PC-USB mode”.
    It appears that mine does not start the SMB-server – I always get a “APP-error connection refused” in the zsun-IApp and no response to port 445 nor via windows SMB as described above. Anyone else having this issue?

  12. @Falkens

    You want to run:

    curl -X POST --data workmode=0 http://10.168.168.1:8080/goform/Setcardworkmode

    to get into wireless mode (workmode=1 for PC mode)

    Then you can do a:

    sudo mount.cifs //10.168.168.1/Public $PWD/ZSUN -ousername=admin,password=admin,uid=`id -un`,gid=`id -gn`

    To mount the drive.

Leave a Reply

Your email address will not be published. Required fields are marked *

Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...
Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...