Zsun SD11x are Wi-Fi flash drives with 8 to 128 GB eMMC, an alternative to SanDisk or Kingston. Yesterday, I soldered the UART pins on a Zsun SD111 (8GB) flash drive to access the serial console, but I did not manage to enter the terminal as it was password-protected. I posted my results anyway, as I was convinced I would get some clever ideas from my readers. Some of them appeared to be a little time-consuming, but Zoobab offered a simple solution that consists in changing the boot parameters, replacing /sbin/init with /bin/sh.

[Image: Zsun SD111 UART pins]

The first step is to interrupt the boot by pressing space or another key in order to access U-Boot.
Now we can check the U-Boot environment:

ar7240> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)
bootcmd=bootm 0x9f6B0000
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=10.168.168.1
serverip=10.168.168.10
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 361/65532 bytes

Let’s keep everything the same, except the init, which can be modified with the command below:

ar7240> setenv bootargs console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/bin/sh mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),1216k(uImage),64k(NVRAM),64k(ART)

Let’s start Linux:

ar7240> boot

It will end with:

ar7240wdt_init: Registering WDT success
VFS: Mounted root (jffs2 filesystem) on device 31:2.
Freeing unused kernel memory: 128k freed


BusyBox v1.01 (2014.06.20-01:25+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/sh: can't access tty; job control turned off
/ #
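
Seen from the hardening side, the steps above work because autoboot can be stopped on the UART and the kernel command line, including init=, comes from an editable environment variable. The following added example (not part of the original post or of any vendor code; the function names and finding labels are illustrative) parses the printenv output shown above, lists those settings, and diffs a baseline command line against an observed one such as the contents of /proc/cmdline.

```python
MTD = ("mtdparts=ar7240-nor0:64k(u-boot),64k(u-boot-env),6720k(rootfs),"
       "1216k(uImage),64k(NVRAM),64k(ART)")
BASE = "console=ttyS0,115200 root=31:02 rootfstype=jffs2 rw init=/sbin/init " + MTD
# Subset of the printenv output shown above.
PRINTENV = f"bootargs={BASE}\nbootcmd=bootm 0x9f6B0000\nbootdelay=4\nstdin=serial\n"


def parse_env(text):
    """Split 'name=value' lines on the first '=' only (values contain '=')."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            env[name.strip()] = value.strip()
    return env


def parse_bootargs(cmdline):
    """Kernel command line -> dict; bare flags such as 'rw' map to True."""
    args = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        args[key] = value if sep else True
    return args


def audit_env(env):
    """Return short finding labels for settings that leave the boot path open."""
    findings = []
    args = parse_bootargs(env.get("bootargs", ""))
    if env.get("bootdelay", "").isdigit() and int(env["bootdelay"]) > 0:
        findings.append(f"autoboot-interruptible:{env['bootdelay']}s")
    if env.get("stdin") == "serial":
        findings.append("prompt-on-uart")
    if "init" in args:
        findings.append("init-set-from-env")
    if args.get("rw") is True:
        findings.append("rootfs-writable")
    return findings


def changed_args(baseline, observed):
    """Keys whose value differs between two kernel command lines."""
    a, b = parse_bootargs(baseline), parse_bootargs(observed)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    print(audit_env(parse_env(PRINTENV)))
    print(changed_args(BASE, BASE.replace("init=/sbin/init", "init=/bin/sh")))
```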

Perfect! We’ve got access to the command line. Let’s have a look at the users:

~ # cat /etc/passwd 
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

If we look at the shadow file, only root and Admin have a password, so you could log in as user ap71 without a password, for example, but that’s not too useful since you would not have root access. So I simply changed the root password with the passwd command, which lets me access the board via the UART console or telnet.
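
The account layout described above (a second UID 0 name, and shell accounts with no password) is something a firmware review can check mechanically. The following added example (not part of the original post; function names and finding labels are illustrative) joins passwd and shadow from an extracted root filesystem and reports both conditions. The shadow content is constructed, since the post does not print it.

```python
LOGIN_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash"}
# Subset of the /etc/passwd listing shown above.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
"""
# CONSTRUCTED shadow file: the post only says that root and Admin have a
# password. The hash strings are placeholders, not real hashes.
SHADOW = """\
root:PLACEHOLDER_HASH:0:0:99999:7:::
Admin:PLACEHOLDER_HASH:0:0:99999:7:::
sync::0:0:99999:7:::
nobody::0:0:99999:7:::
ap71::0:0:99999:7:::
"""


def load_accounts(passwd_text, shadow_text):
    """Join passwd and shadow on the user name."""
    hashes = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    accounts = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, pw, uid, gid, _gecos, _home, shell = fields
        # 'x' defers to shadow; a missing shadow entry is treated as locked.
        secret = hashes.get(name, "!") if pw == "x" else pw
        accounts.append(dict(name=name, uid=int(uid), gid=int(gid), shell=shell, secret=secret))
    return accounts


def audit_accounts(accounts):
    """Flag extra UID 0 names and shell accounts that need no password."""
    findings = []
    for acct in accounts:
        if acct["uid"] == 0 and acct["name"] != "root":
            findings.append((acct["name"], "extra-uid0"))
        if acct["secret"] == "" and acct["shell"] in LOGIN_SHELLS:
            tag = "empty-password-gid0" if acct["gid"] == 0 else "empty-password"
            findings.append((acct["name"], tag))
    return findings


if __name__ == "__main__":
    print(audit_accounts(load_accounts(PASSWD, SHADOW)))
```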

I’ve run some commands to find out more about the system.

~ # uname -a
Linux (none) 2.6.31--LSDK-9.2.0_U11.14 #1 Wed Aug 6 13:13:40 HKT 2014 mips unknown
~ # df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 6.6M      5.8M    796.0k  88% /
/dev/sda1                 7.4G     18.8M      7.4G   0% /etc/disk
~ # cat /proc/cpuinfo
system type             : Atheros AR9330 (Hornet)
processor               : 0
cpu model               : MIPS 24Kc V7.4
BogoMIPS                : 266.24
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0943, 0x0650]
ASEs implemented        : mips16
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

~ # busybox
BusyBox v1.01 (2014.06.20-01:25+0000) multi-call binary

Usage: busybox [function] [arguments]...
or: [function] [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable.  Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as!

Currently defined functions:
[, arping, ash, awk, brctl, busybox, cat, chgrp, chmod, cp, cut,
date, dd, df, dirname, dmesg, du, echo, egrep, env, ethdebug,
ethreg, expr, factoryreset, false, fgrep, find, getty, grep, httpd,
id, ifconfig, init, insmod, iproute, kill, killall, linuxrc, ln,
login, ls, lsmod, md, md5sum, mkdir, mknod, mktemp, mm, modprobe,
more, mount, mv, passwd, ping, ps, pwd, reboot, rm, rmdir, rmmod,
route, sed, sh, sleep, strings, su, sync, tail, tar, telnet, telnetd,
test, tftp, touch, true, tty, udhcpc, udhcpd, umount, uname, vconfig,
vi, wc, xargs

~ #

The Linux kernel version contains the string “LSDK-9.2.0”, which appears to be an SDK for Atheros AR93XX, and can be downloaded here (I have not tried/verified the download). So the device is not running OpenWRT. Since telnet is not exactly secure, if you want to access the device over the network, you should probably install dropbear. There’s only 796 KB left on the SPI flash, so what you can do is probably limited, although it might be possible to delete unused files to get extra space. Have fun!

Read more: http://www.cnx-software.com/2014/11/16/zsun-sd111-is-now-officially-an-hackable-wireless-flash-drive/#ixzz3JFrwKHrP
