A little while ago, I purchased Zsun SD111 W-Fi USB flash drive, and after several tentatives, I finally found a way to access the device’s serial console. Since then the company announced another wireless storage device with Zsun Wi-Fi card reader, and Zoobab decided to try to hack it too.
Since the device is pretty hard to open without damaging the enclosure, connecting the serial pin was not really an option, and the first exploit was to input shell commands in the web interface SSID field… For example, entering reboot there, would indeed reboot the device.
However, this would still not allow full shell access, and finally after a broader port scan, it was found out that TCP port 11880 was open for telnet daemon. You can then access the shell as root with the same password as SD111: “zsun1188”. For some reasons, telnet can’t work with the device, and socat must be used instead.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
zoobab@zoobab /Users/zoobab [9]$ socat - TCP4:10.168.168.1:11880 ������!���� (none) login: root root Password: zsun1188 Welcome to ------- | / /--/ ___ | / | /| \/ _____ --|--| /_____\ |--- --|-- //--/ / / | __|__ | /|\ / \/ /___\ / | ___|___ ___|____ / | \ / / \| 深圳至上移动科技有限公司 Shenzhen Zsun Cloud Technology Co., LTD. www.zsuncloud.com BusyBox v1.01 (2014.12.27-02:50+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. ~ # |
That’s it you now have full access to this small and inexpensive Linux device powered by Atheros AR9331 SoC with 32MB RAM and 16MB flash, plus up to 64GB storage on micro SD card.
Thanks to Zoobab for his work.
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress
TIL: Hanzi ascii art… 至上移动 🙂
& something the size of a 1 RMB coin can have slightly better specs than TP-Link WR703N…
(do these all have the same root password, making them very insecure now?)
Same thing with a battery?
https://www.chinavasion.com/china/wholesale/Computer_Accessories/Wifi/Zsun_SD111_Wi-Fi_Wireless_16GB_U_Disk_-_Flash_Drive_For_Android_IOS_Phone_PC/
OK it looks like CNX reviewed the model I just posted (with a battery and some flash), but Zoobab built on his results to hack the tiny one with an SD card reader. (Battery, flash and SD card reader aside, they also seem to have different size flash chips – only 8Mb in the one CNX reviewed apparently)
From a user perspective, is there any difference between the Zsun device and other wireless (hotspot) storage solutions? (airstash, cloudftp/iUSBport , camranger, etc)
I was trying to think about real-life uses for this hack. For exa, ple,with WR703 you make an internet radio when USB souncard added. This one only has USB power and no other conectivity options apart wi-fi.
Its perfect for a “anonymouse” dropbox. If this hack allows you to install piratebox firmware it could be interesting.
Other use case is a wifi sniffer, dump everything that is not encrypted to the sdcard.
@iamfrankenstein
O, wait ar9331 needs a usb wifi card to sniff wifi 🙁
Next step is to try to flash openwrt on it.
I also bought a bunch of those readers to see how hackable are they. I’ve managed to flash openwrt on it (based on the carambola 2 config), but it required some hacking and soldering. There is much work to be done to have a way to easily install openwrt through software. On the PCB there are nice test points which include a serial port and one ethernet port (which you have to use to upload images to uboot)! The part of the PCB sandwich with the sd card reader can be safely removed, which gives you easy access to the… Read more »
@zoobab
My next step is to first order 2 (just did 🙂 ). Are there any good pictures of the pcb? could be handy to compare with wr703n schematic to spot differences.
@iamfrankenstein
Yes there are internal PCB pics here:
http://wp12362093.server-he.de/cloud/index.php/s/IutpWsMCpxNjOAs
http://wp12362093.server-he.de/cloud/index.php/s/xJzNPC7SSrQnrtk
http://wp12362093.server-he.de/cloud/index.php/s/fmiykeSpxuhQwC0
http://wp12362093.server-he.de/cloud/index.php/s/gANwpLbqwvaBczi
Still not clear what is the exact serial pinout.
@Emeryth
Can you share your tips on how you managed to do it? Software side, just dd over the whole flash including the bootloader config should do it 🙂
@zoobab
I’ll try to write down everything I’ve learned about the reader and post it somewhere.
I am not familiar with gear best, but they are selling now for <$12
http://www.gearbest.com/memory-cards/pp_164717.html
@zoobab
I’m dropping the link right now, but I will be expanding the article:
https://wiki.hackerspace.pl/projects:zsun-wifi-card-reader
@Emeryth
Thanks for the link. Keep us updated once you expand the article.
Hi guys,
How can I switch between USB and WiFi mode in windows? Is there any application for windows OS? just like what is available for android or iOS. Is there any command to use in an explorer? It is necessary for me to be able to switch between modes in windows OS.
I was able to get this working (sort of) in Windows. I downloaded the APK and used the ARC Welder Chrome extension to turn it into a Chrome app. I am able to access the card, change the mode from Wifi to PC, etc. I assume the same process would work in Chrome on Linux or Mac or ChromeOS.
Would love to have OpenWRT on here, or even just Samba or vsftpd…can I do that through the socat shell?
@HR @HR: You can download the “Windows version” from http://zsuncloud.com/supper-disk-2-download. For me it gives scrambled text (probably not installed Chinese character set) on the buttons when you run it; but actually there is a switch in the middle of the screen. Pulling it left and right allows you to switch from WIFI to USB. Apperently there is SAMBA on it (see See http://forum.banggood.com/forum-topic-71346.html) You can just type “\\wulian” in explorer to connect to connect to the drive (or 10.168.168.1\public) Alternatively, you can also fire up the “windows version” and press the button in the middle at the bottom of the… Read more »
can anybody pls make an ‘ps -a’ output on the root telnet session in the case of mode switched to either “wireless” and “PC-USB mode”.
It appears that mine does not start the SMB-server – I always get a “APP-error connection refused” in the zsun-IApp and no response to port 445 nor via windows SMB as described above. Anyone else having this issue?
@Falkens
You want to run:
curl -X POST --data workmode=0 http://10.168.168.1:8080/goform/Setcardworkmode
to get into wireless mode (workmode=1 for PC mode)
Then you can do a:
sudo mount.cifs //10.168.168.1/Public $PWD/ZSUN -ousername=admin,password=admin,uid=`id -un`,gid=`id -gn`
To mount the drive.