Zsun SD11x are Wi-Fi flash drives with 8 to 128 GB of eMMC, an alternative to Sandisk or Kingston. Yesterday, I soldered the UART pins of a Zsun SD111 (8GB) flash drive to access the serial console, but I did not manage to enter the terminal as it was password-protected. I posted my results anyway, as I was convinced I would get some clever ideas from my readers. Some of them looked rather time consuming, but Zoobab offered a simple solution that consists in changing the boot parameters, replacing /sbin/init with /bin/sh.
The first step is to interrupt the boot by pressing space or another key, in order to access U-boot.
Now we can check the U-boot environment:
ar7240> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f6B0000
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=10.168.168.1
serverip=10.168.168.10
stdin=serial
stdout=serial
stderr=serial
ethact=eth0
Environment size: 361/65532 bytes
Let’s keep everything the same, except the init, which can be modified with the command below:
ar7240> setenv bootargs console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/bin/sh mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
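The environment above is worth reading before (or instead of) changing it: the `mtdparts` string gives the flash layout, the `bootm` address in `bootcmd` should line up with the uImage partition, and two settings decide whether this trick works at all, a non-zero `bootdelay` (a keypress on the console reaches the U-boot prompt) and a root filesystem mounted `rw` (any shell obtained this way can change `/etc/shadow` persistently). The script below is an added example, not code from the article or from Zsun: it parses the `printenv` dump printed above and reports those facts. The SPI flash base address 0x9f000000 is an assumption about the AR9330 memory map.

```python
"""Audit a U-Boot `printenv` dump (added example; the dump is the one shown in the article)."""
import re

FLASH_BASE = 0x9F000000  # assumed: AR9330 memory-mapped SPI flash base

# Constructed from the article's printenv output.
PRINTENV_DUMP = """\
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f6B0000
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=10.168.168.1
serverip=10.168.168.10
stdin=serial
stdout=serial
stderr=serial
ethact=eth0
"""

UNITS = {"k": 1024, "m": 1024 * 1024, "": 1}


def parse_env(dump):
    """Turn `name=value` lines into a dict; a later duplicate wins, as in U-Boot."""
    env = {}
    for line in dump.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env


def parse_bootargs(bootargs):
    """Split the kernel command line into key/value pairs; bare flags map to True."""
    args = {}
    for token in bootargs.split():
        key, sep, value = token.partition("=")
        args[key] = value if sep else True
    return args


def parse_mtdparts(spec):
    """Return [(name, offset, size)] for 'device:size(name),size(name),...'."""
    _, _, parts = spec.partition(":")
    layout, offset = [], 0
    for part in parts.split(","):
        m = re.fullmatch(r"(\d+)([km]?)\((.+)\)", part.strip())
        if not m:
            raise ValueError("unparsable mtdparts entry: " + part)
        size = int(m.group(1)) * UNITS[m.group(2)]
        layout.append((m.group(3), offset, size))
        offset += size
    return layout


def audit(dump):
    """Return the facts a reviewer of this boot configuration wants to know."""
    env = parse_env(dump)
    args = parse_bootargs(env.get("bootargs", ""))
    layout = parse_mtdparts(args["mtdparts"])
    offsets = {name: off for name, off, _size in layout}
    bootm_addr = int(env["bootcmd"].split()[1], 16)
    return {
        "layout": layout,
        "init": args.get("init"),
        # bootm should point at the start of the uImage partition
        "bootcmd_matches_uimage": bootm_addr == FLASH_BASE + offsets["uImage"],
        # bootdelay > 0: a keypress on the console reaches the U-Boot prompt,
        # from where bootargs (and therefore init=) can be rewritten
        "console_boot_interruptible": int(env.get("bootdelay", "0")) > 0,
        # a writable jffs2 root lets such a shell change /etc/shadow persistently
        "root_mounted_rw": args.get("rw") is True,
    }


if __name__ == "__main__":
    result = audit(PRINTENV_DUMP)
    for name, off, size in result["layout"]:
        print(f"{name:12s} offset=0x{off:06x} size={size // 1024:5d}k")
    for key in ("init", "bootcmd_matches_uimage",
                "console_boot_interruptible", "root_mounted_rw"):
        print(f"{key}: {result[key]}")
```

On this dump the partitions add up to 8 MB, the uImage partition starts at offset 0x6B0000, which is exactly what `bootm 0x9f6B0000` loads, and both weak settings are present.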
Let’s start Linux:
ar7240> boot
It will end with:
ar7240wdt_init: Registering WDT success
VFS: Mounted root (jffs2 filesystem) on device 31:2.
Freeing unused kernel memory: 128k freed

BusyBox v1.01 (2014.06.20-01:25+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
/ #
Perfect! We’ve got access to the command line. Let’s have a look at the users:
~ # cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
If we look at the shadow file, only root and Admin have a password, so you could log in as user ap71 without a password for example, but that’s not too useful since you would not have root access. So I simply changed the root password with the passwd command, which lets me access the board via the UART console or telnet.
I’ve run some commands to find out more about the system.
~ # uname -a
Linux (none) 2.6.31--LSDK-9.2.0_U11.14 #1 Wed Aug 6 13:13:40 HKT 2014 mips unknown
~ # df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 6.6M      5.8M    796.0k  88% /
/dev/sda1                 7.4G     18.8M      7.4G   0% /etc/disk
~ # cat /proc/cpuinfo
system type             : Atheros AR9330 (Hornet)
processor               : 0
cpu model               : MIPS 24Kc V7.4
BogoMIPS                : 266.24
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0943, 0x0650]
ASEs implemented        : mips16
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available
~ # busybox
BusyBox v1.01 (2014.06.20-01:25+0000) multi-call binary

Usage: busybox [function] [arguments]...
   or: [function] [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as!

Currently defined functions:
        [, arping, ash, awk, brctl, busybox, cat, chgrp, chmod, cp, cut, date, dd, df, dirname, dmesg, du, echo, egrep, env, ethdebug, ethreg, expr, factoryreset, false, fgrep, find, getty, grep, httpd, id, ifconfig, init, insmod, iproute, kill, killall, linuxrc, ln, login, ls, lsmod, md, md5sum, mkdir, mknod, mktemp, mm, modprobe, more, mount, mv, passwd, ping, ps, pwd, reboot, rm, rmdir, rmmod, route, sed, sh, sleep, strings, su, sync, tail, tar, telnet, telnetd, test, tftp, touch, true, tty, udhcpc, udhcpd, umount, uname, vconfig, vi, wc, xargs
~ #
The Linux kernel contains the string “LSDK-9.2.0”, which appears to be an SDK for Atheros AR93XX and can be downloaded here (I have not tried/verified the download). So the device is not running OpenWRT. Since telnet is not exactly secure, if you want to access the device over the network you should probably install dropbear. There’s only 796 KB left on the SPI flash, so what you can do is probably limited, although it might be possible to delete unused files to get extra space. Have fun!
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Nice! 🙂
Thanks for leading it to a logical end! Just as a sanity check, for me the link “appears to be an SDK for Atheros AR93XX, and can be downloaded here” leads to a 404 page on Baidu, is it only for me?
Please publish the original root password hash, some kindly soul might crack it to save everyone else the soldering step!
Lovely hacking in progress (actually finished) article. Kudos
@Paul
The link is working for me
@David W
Sorry, I did not save it. I remember I did a Google Search just in case but nothing showed up.
@David W
That’s the string I found in my search history: CNrdqzpcFZ9ir40
Not sure it’s complete, but it can still be useful maybe. It may be for the root or Admin user. I can’t remember.
How big is the flash?
You could create an overlayfs on top of the small flash to use the 8gb drive.
Openwrt should fit on there without any pain.
@cnxsoft
Strange, it looks like a crypt hash, but crypt hashes are 13 characters long and yours is 15 characters.
@dmsc
It’s incomplete. There was a separator, but if that was part of a common hash it would have shown up in a Google search. So it’s just the beginning of the hash.
You have a tftp client in busybox, no wget, so you can easily download code on there if the network is up.
> You could create an overlayfs on top of the small flash to use the 8gb drive.
> Openwrt should fit on there without any pain.
The whole point why this device is interesting and stands out from the crowd is that you can (should be able to) install Debian on it, not just OpenWRT. And because it’s eMMC, it should even offer decent performance with Debian.
I made a complete jffs2 bin file thanks to flashrom, my shadow file:
root:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
Admin:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
Firmware = 3.6
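The passwd listing in the article and the shadow file in the comment above together show the account problems a firmware reviewer looks for: a second UID-0 account (Admin), several login-capable accounts with an empty password field (including ap71, as the article notes), root and Admin sharing one hash, and that hash being md5crypt with an empty salt (`$1$$...`), so the same password always produces the same hash on every unit. The script below is an added example, not code from the article, the commenters or Zsun; it runs the checks over the two files as printed on this page and reports each finding.

```python
"""Audit /etc/passwd and /etc/shadow from a firmware image (added example)."""

# Sample input: the passwd file from the article and the shadow file from
# iamfrankenstein's comment, copied as printed on this page.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
"""

SHADOW = """\
root:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
Admin:$1$$CNrdqzpcFZ9ir40/3h43i.:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
"""

LOCKED = {"*", "!", "!!"}                       # no password login possible
LOGIN_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash"}  # shells that give a prompt


def parse_passwd(text):
    """name -> (uid, gid, shell); fields follow the classic 7-field layout."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            users[name] = (int(uid), int(gid), shell)
    return users


def parse_shadow(text):
    """name -> password field (second field of each shadow line)."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line.strip()}


def audit_accounts(passwd_text, shadow_text):
    """Return the findings as lists of account names, in passwd order."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    uid0 = [n for n, (uid, _g, _s) in users.items() if uid == 0]
    # empty password field + login shell: `login` accepts the name with no password
    passwordless = [n for n, (_u, _g, shell) in users.items()
                    if shell in LOGIN_SHELLS and hashes.get(n, "*") == ""]
    # md5crypt/sha-crypt layout is $id$salt$hash; an empty salt shows as $id$$
    empty_salt = [n for n in users if hashes.get(n, "").count("$") >= 3
                  and hashes[n].split("$")[2] == ""]
    by_hash = {}
    for n in users:
        h = hashes.get(n, "")
        if h and h not in LOCKED:
            by_hash.setdefault(h, []).append(n)
    shared = {h: names for h, names in by_hash.items() if len(names) > 1}
    return {"uid0_accounts": uid0, "passwordless_logins": passwordless,
            "empty_salt": empty_salt, "shared_hashes": shared}


if __name__ == "__main__":
    for finding, value in audit_accounts(PASSWD, SHADOW).items():
        print(f"{finding}: {value}")
```

Every finding here is a configuration defect that persists across units of the same firmware, which is why one cracked hash (see the comments that follow) opens every device rather than one.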
I’ve also made a dump of the raw flash file, and I get the same shadow file as iamfrankenstein. BIN uploaded here: http://cl.ly/ZFTl
Working on cracking the password so we can do solderless hacking!
Password cracked in literally 3 seconds on a 7980 GPU using hashcat. Photo: http://cl.ly/ZHWg
oclHashcat64 shadow.txt uniq.txt -m 500 -r .\rules\best64.rule -r .\rules\InsidePro-PasswordsPro.rule --gpu-temp-disable
I added a few terms to the start of the uniq v14 dictionary that I found on the zsun website:
zsun
cnx
software
wifi
drive
wireless
docooler
sd113
sd112
sd111
cloud
Mobile
Technology
Shenzhen
supreme
GuangDong
super
disk
apple
dish
Jiudiankaifang
The password is simply “zsun1188” 🙂
@pinchies
Thanks! I did not know the command line to crack passwords either, so now I know 🙂
Did you really find “cnx” and “software” on zsun website :p