Zsun SD111 Is Now “Officially” an Hackable Wireless Flash Drive

Zsun SD11x are Wi-Fi flash drives for 8 to 128 GB eMMC, alternative to Sandisk or Kingston. Yesterday, I soldered the UART pins to Zsun SD111 (8GB) flash drive to access the serial console, but I did not manage to enter the terminal as it was password-protected. I posted my results anyway, as I was convinced I would get some clever ideas from my readers, some of which appeared to be a little time consuming, but Zoobab offered a simple solution that consisted in changing the boot parameters, by replacing /sbin/init by /bin/sh.

Zsun_SD111_UART_Pins

The first step is to interrupt the boot by pressing space or another key, in order to access U-boot.
Now we can check the U-boot environment

ar7240> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f6B0000
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=10.168.168.1
serverip=10.168.168.10
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 361/65532 bytes

Let’s keep everything the same, except the init, which can be modified with the command below:

ar7240> setenv bootargs console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/sh mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)

Let’s start Linux:


It will end with:


Perfect! We’ve got access to the command line. Let’s have look at the users:


If we look at the shadow file only root and Admin have a password, so you could login with user ap71 without password for example, but that’s not too useful since you would not have root access. So I simply changed the root password with passwd command, but let’s me access the board via the UART console or telnet.

I’ve run some command to find out more about the system.


The linux kernel contains the string “LSDK-9.2.0” which appears to be an SDK for Atheros AR93XX, and can be downloaded here (I have not tried/verified the download). So the device is not running OpenWRT. Since telnet is not exactly secure, and want to access the device over the network, you should probably install dropbear, There’s only 796 KB left on the SPI flash, so what you can do is probably limited, although it might be possible to delete unused files to get extra space. Have fun!

Share this:

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

Radxa Orion O6 Armv9 mini-ITX motherboard
Subscribe
Notify of
guest
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.
15 Comments
oldest
newest
onebir
onebir
10 years ago

Nice! 🙂

Paul
Paul
10 years ago

Thanks for leading it to a logical end! Just as a sanity check, for me link “appears to be an SDK for Atheros AR93XX, and can be downloaded here” leads to 404 page on Baidu, is it only for me?

David W
David W
10 years ago

Please publish the original root password hash, some kindly soul might crack it to save everyone else the soldering step!

agumonkey
10 years ago

Lovely hacking in progress (actually finished) article. Kudos

zoobab
10 years ago

How big is the flash?

You could create an overlayfs on top of the small flash to use the 8gb drive.

Openwrt should fit on there without any pain.

dmsc
dmsc
10 years ago

cnxsoft :
@David W
That’s the string I found in my search history: CNrdqzpcFZ9ir40
Not sure it’s complete, but It can still be useful maybe. I may be for root or Admin user. I can’t remember.

Strange, it looks like a crypt hash, but Crypt hashes are 13 character length and yours is 15 characters.

zoobab
10 years ago

you have a tftp client on busybox, no wget, so you can easily download code on there if the network is up.

Paul
Paul
10 years ago

> You could create an overlayfs on top of the small flash to use the 8gb drive.
> Openwrt should fit on there without any pain.

The whole point why this device is interesting and stands out of the crowd is that you can (should be able to) install Debian on it, not just OpenWRT. And because it’s emmc, it even should offer decent performance with Debian.

iamfrankenstein[nl]
iamfrankenstein[nl]
9 years ago

I made a complete jffs2 bin file thanks to flashrom, my shadow file:

root:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
Admin:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

Firmware = 3.6

pinchies
pinchies
9 years ago

I’ve also made a dump of the raw flash file, and I get the same shadow file as iamfrankenstein. BIN uploaded here: http://cl.ly/ZFTl

Working on cracking the password so we can do solderless hacking!

pinchies
pinchies
9 years ago

Password cracked in literally 3 seconds on a 7980 GPU using hashcat. Photo: http://cl.ly/ZHWg

oclHashcat64 shadow.txt uniq.txt -m 500 -r .\rules\best64.rule -r .\rules\InsidePro-PasswordsPro.rule –gpu-temp-disable

I added a few terms to the start of the uniq v14 dictionary that I found on the zsun website:

zsun
cnx
software
wifi
drive
wireless
docooler
sd113
sd112
sd111
cloud
Mobile
Technology
Shenzhen
supreme
GuangDong
super
disk
apple
dish
Jiudiankaifang

The password is simply “zsun1188” 🙂

Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...