Zsun SD11x are Wi-Fi flash drives for 8 to 128 GB eMMC, alternative to Sandisk or Kingston. Yesterday, I soldered the UART pins to Zsun SD111 (8GB) flash drive to access the serial console, but I did not manage to enter the terminal as it was password-protected. I posted my results anyway, as I was convinced I would get some clever ideas from my readers, some of which appeared to be a little time consuming, but Zoobab offered a simple solution that consisted in changing the boot parameters, by replacing /sbin/init by /bin/sh.
The first step is to interrupt the boot by pressing space or another key, in order to access U-boot.
Now we can check the U-boot environment
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
Environment size: 361/65532 bytes
Let’s keep everything the same, except the init, which can be modified with the command below:
ar7240> setenv bootargs console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/sh mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
Let’s start Linux:
It will end with:
ar7240wdt_init: Registering WDT success VFS: Mounted root (jffs2 filesystem) on device 31:2. Freeing unused kernel memory: 128k freed BusyBox v1.01 (2014.06.20-01:25+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. /bin/sh: can't access tty; job control turned off / #
Perfect! We’ve got access to the command line. Let’s have look at the users:
~ # cat /etc/passwd root:x:0:0:root:/root:/bin/sh Admin:x:0:0:root:/root:/bin/sh bin:x:1:1:bin:/bin:/bin/sh daemon:x:2:2:daemon:/usr/sbin:/bin/sh adm:x:3:4:adm:/adm:/bin/sh lp:x:4:7:lp:/var/spool/lpd:/bin/sh sync:x:5:0:sync:/bin:/bin/sync shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh operator:x:11:0:Operator:/var:/bin/sh nobody:x:65534:65534:nobody:/home:/bin/sh ap71:x:500:0:Linux User,,,:/root:/bin/sh
If we look at the shadow file only root and Admin have a password, so you could login with user ap71 without password for example, but that’s not too useful since you would not have root access. So I simply changed the root password with passwd command, but let’s me access the board via the UART console or telnet.
I’ve run some command to find out more about the system.
~ # uname -a Linux (none) 2.6.31--LSDK-9.2.0_U11.14 #1 Wed Aug 6 13:13:40 HKT 2014 mips unknown ~ # df -h Filesystem Size Used Available Use% Mounted on /dev/root 6.6M 5.8M 796.0k 88% / /dev/sda1 7.4G 18.8M 7.4G 0% /etc/disk ~ # cat /proc/cpuinfo system type : Atheros AR9330 (Hornet) processor : 0 cpu model : MIPS 24Kc V7.4 BogoMIPS : 266.24 wait instruction : yes microsecond timers : yes tlb_entries : 16 extra interrupt vector : yes hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0943, 0x0650] ASEs implemented : mips16 shadow register sets : 1 core : 0 VCED exceptions : not available VCEI exceptions : not available ~ # busybox BusyBox v1.01 (2014.06.20-01:25+0000) multi-call binary Usage: busybox [function] [arguments]... or: [function] [arguments]... BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use and BusyBox will act like whatever it was invoked as! Currently defined functions: [, arping, ash, awk, brctl, busybox, cat, chgrp, chmod, cp, cut, date, dd, df, dirname, dmesg, du, echo, egrep, env, ethdebug, ethreg, expr, factoryreset, false, fgrep, find, getty, grep, httpd, id, ifconfig, init, insmod, iproute, kill, killall, linuxrc, ln, login, ls, lsmod, md, md5sum, mkdir, mknod, mktemp, mm, modprobe, more, mount, mv, passwd, ping, ps, pwd, reboot, rm, rmdir, rmmod, route, sed, sh, sleep, strings, su, sync, tail, tar, telnet, telnetd, test, tftp, touch, true, tty, udhcpc, udhcpd, umount, uname, vconfig, vi, wc, xargs ~ #
The linux kernel contains the string “LSDK-9.2.0″ which appears to be an SDK for Atheros AR93XX, and can be downloaded here (I have not tried/verified the download). So the device is not running OpenWRT. Since telnet is not exactly secure, and want to access the device over the network, you should probably install dropbear, There’s only 796 KB left on the SPI flash, so what you can do is probably limited, although it might be possible to delete unused files to get extra space. Have fun!