Hack a Sandisk 32G Wifi enabled flash drive


Forgiven

I just posted that Pablo hacked the Transcend wifi enabled SD disk which comes equipped with BusyBox linux. It seems these little wireless disk drives have all the makings of a cool mini AP. I noticed that Sandisk now has a 32G wifi enabled flash drive. It has a built in battery, usb connection pin (for connection and recharging), a replaceable microSD card, and a wifi transmitter (albeit short range). Imagine hacking it and enabling it with the wifi pineapple features, all in a device the size of a lipstick dispenser!


  • 3 weeks later...
  • 4 weeks later...

I started my attempt to hack the Sandisk by seeking to use the methods that worked for the Transcend, to no avail. The next best pathway for exploitation is directly attacking through the USB, IMHO. To that aim, I have acquired a FaceDancer21, created by the neighborly genius of Travis Goodspeed ($70 int3.cc) (yes that's more than the drive...money isn't really an issue when it comes to me wanting to know how to get in). I spent the day today flashing the firmware on the FD21. Tomorrow, I will begin my attack....(cue evil genius laugh with old pipe organ dududuuuus).

Edited by Forgiven

  • 2 weeks later...

This little guy caught my eye as well and I decided I'd share what I have learned about it...

First of all, it's running off the AirStash software. The previous versions of this software have had success running commands by exec in server side includes. This is not the case with the Sandisk drive :(

There is a firmware file available on the website here:

http://kb.sandisk.com/app/answers/detail/a_id/12713

Placed on the root of the drive, the drive will flash the firmware. I've run the file through binrev with no success, maybe some weird compression I don't know too much about.

A port scan of the device shows only httpd, the device also has webdav support.

The device has the ability to connect to your own wifi, if you set it up via the app, so that you can transfer files without losing internet connection.

When connected to the drive on the computer, on the root of the server is a status.xml file which basically provides all the information available to the app. (Wifi status, card status, etc)

On the web interface there is also a settings page that allows you to change the name/set a password. This is probably the best attack vector.

That's all I got


I've been on the name/password page. I disagree with that going anywhere as a vector.

I looked at the binary code on the site you linked. Using Hex-Editor, I was able to open the file. The text, when viewed in UTF-16, is Chinese. For me, that's tough...I tried the google translate terms for "password", "key", "unlock", "shell." No luck.

I wonder if putting a different ROM on there would get me in the driver's seat...
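
Added example, not part of any post in this thread and not run against the real firmware file: a triage sketch for an opaque firmware image that measures byte entropy, extracts 8-bit ASCII strings, and reports how much of a buffer a UTF-16 view draws as CJK glyphs. Both sample buffers are constructed, and `triage` with its 7.5 bits/byte cut-off is an assumption of this example.

```python
import hashlib
import math
import re
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def cjk_fraction_as_utf16(data: bytes) -> float:
    """Share of little-endian 16-bit units that a UTF-16 view draws as CJK
    ideographs (U+3400-U+4DBF and U+4E00-U+9FFF)."""
    units = [int.from_bytes(data[i:i + 2], "little")
             for i in range(0, len(data) - 1, 2)]
    if not units:
        return 0.0
    hits = sum(0x3400 <= u <= 0x4DBF or 0x4E00 <= u <= 0x9FFF for u in units)
    return hits / len(units)

def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Printable 8-bit ASCII runs, the same idea as strings(1)."""
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Summarise a blob; the 7.5 bits/byte cut-off is this example's assumption."""
    entropy = shannon_entropy(data)
    strings = ascii_strings(data)
    if entropy > 7.5:
        verdict = "compressed-or-encrypted"
    elif strings:
        verdict = "8-bit-text-present"
    else:
        verdict = "unknown"
    return {"entropy": round(entropy, 2), "verdict": verdict,
            "cjk_in_utf16_view": round(cjk_fraction_as_utf16(data), 2),
            "strings": len(strings)}

# Constructed samples: a SHA-256 counter stream standing in for a packed
# payload, and plain ASCII standing in for an unpacked configuration block.
PACKED = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
PLAIN = b"admin password=secret shell=/bin/sh key=unlock " * 20

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("plain", PLAIN)):
        print(name, triage(blob))
```

Both constructed buffers come out largely as CJK glyphs in a UTF-16 view, so for these samples it is the entropy figure and the 8-bit strings that tell them apart.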


  • 3 weeks later...

Would you mind posting the hexdump? In ASCII, that is. UTF-16 is kinda a pain to use on Linux, and I'd like to take a look at it.


  • 4 weeks later...
  • 4 weeks later...
  • 1 month later...

Hi, I'm interested in this topic. I bought one of these last week and I would like to open it up in order to see what it's capable of doing.

I followed all of your tests and had the same results. The only things I could see were the following:

- It has a Web Server to download the files, but you can't upload from a Web Browser. The only things you can change in the options section are the WiFi settings (open/WPA, password, etc.)

- For Apple and Android, there is an application to manage the pendrive: download and upload files, share a WiFi to bridge the internet connection, and nothing more that I remember

- A deep scan shows that only port 80 is open, with the Web Services; I suppose the mobile apps use this port to connect

- For this Web Service, the scan shows the following procedures allowed: GET HEAD PUT DELETE PROPFIND MOVE

Does anybody have an idea I can try?

PS: I apologize for my English


  • 4 weeks later...
  • 2 months later...
  • 5 weeks later...

I have the larger Sandisk Media Drive. I was able to simply telnet with "admin" username and password.

Device is running Freescale LTIB (Linux Target Image Builder).

Freescale MX50 Platform
ARMv7 800 MHz processor
125MB RAM


Welcome to EWNUL0(SanDisk Media ) Embedded Linux Environment
Firmware Ver: 2.93 , by QSI


Media_Drive login: admin
Password:
admin@Media_Drive ~$ cat /etc/ltib-release
Release date = Thu Apr 5 12:52:57 2012 UTC
Release user = qsi
Release host = ubuntu
Release dir = /home/qsi/freescale/sdk/ltib
SCM wtag = none
SCM tag = none
Release tag = none
App version = 9.1.1

From the admin user, you can retrieve the hashed root password from /etc/shadow.

admin@Media_Drive ~$ busybox
BusyBox v1.15.0 () multi-call binary
Copyright © 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Edited by dienilno

  • 3 months later...

Those credentials didn't work for me. Has anyone had any success with modding this device? I've port scanned the device several times, and recently I've been analyzing the firmware via IDA, which isn't my strong suit unless it's simple malware I'm reverse engineering.


  • 4 weeks later...

Hi Guys,

Not a crazy hacker here but I see there is discussion about hacking the Sandisk Wireless Connect.

As one can see on : http://kb.sandisk.com/app/answers/detail/a_id/12713/session/L2F2LzEvdGltZS8xNDE0NDk3MzYxL3NpZC9wQm1sNV81bQ%3D%3D

There are two firmware branches for the Sandisk Wireless Connect Flash Drive :

  • 16/32GB (AO2S 1103)
  • 64GB (AO2E 1103)

I guess both models are exactly the same in terms of hardware so I wonder if there's an easy way to force the firmware of the 64GB model (AO2E) on the 16/32GB (AO2S) model.

That might help to unlock exFat support for model AO2S. That will allow anyone who already has a 64 or even 128GB card to buy the 16GB model and expand it to 128GB while gaining exFat support.

Trying to rename the "wfd1103e.df2" as "wfd1103.df2" and putting in the drive for upgrade does not seem to work at all.

No success in trying to edit the file, maybe there's need for some specific hex editor to actually be able to modify the identifier.

Any ideas ?


Um... I think you're mistaken.

Think of your SD card as a hard disk. It doesn't care if the filesystem on it is exFAT, FAT, NTFS, ext[234], btrfs or any other filesystem for that matter. That's something the application (typically the camera being the limiting factor here) and the PC get to work out amongst themselves.

I also don't believe updating the firmware magically doubles its capacity. There's a very small chance that a higher capacity SD card with a defect is found to work reliably at half its capacity and this is enforced using firmware allowing them to sell the product at a lower capacity against a lower price. In this case replacing the firmware would make this previously unavailable section of storage available again, defect and all, but I wouldn't bet on that being the common case and I would also be very, VERY wary of this extra batch of storage since, as I said, it's likely to be defective in whatever subtle or unsubtle ways.

Edited by Cooper

Cooper : The idea is not to get 64GB from a 16GB which would be unrealistic.

But actually replace the 16GB sd card with a 64 or 128GB sdxc card and be able to use exFat.

Currently Sandisk limits the 16 and 32GB version to FAT32 file system for some reason, hence the difference of firmware versions provided for 16/32 model and 64 model, which is the only one to support exFat.

I guess this might be a licence cost issue (exFat is Microsoft after all).

So the idea is to override this firmware limitation for model AO2S.


1. Insert card in PC with exFAT support.

2. Format card using exFAT.

3. Profit.

Most of my SD cards have ext3 or ext4 on them, not in the least because I put it there. At higher capacities exFAT makes sense given the limitations of the FAT filesystem. At lower capacities you don't really gain much, if anything, by using exFAT. Why are you so eager to have it?

Edited by Cooper

Cooper, I have the feeling you're answering to me without actually reading me :)

I know I can format the card with exFat, but as previously mentioned, Sandisk limits Wireless Connect drives bought with 16 or 32GB of storage to FAT32 compatibility only.

When you format a 64GB or whatever the size SD card in exFat and you put it in a Wireless Connect Flash drive that initially shipped with a 16/32GB SD card, the wireless functionality of the drive is disabled, and you have an error message on the iOS app inviting you to reformat your SD card on a "supported format".

That's the reason why they distribute two different firmware branches.

This limit is supposedly wanted by Sandisk to incite you to buy a 64GB version instead of buying a 16GB model for half the price and put your own bigger SD card.

Or it might be because they don't want to pay the exFat licence to Microsoft for their smaller storage versions.


Eh, I haven't really worked much on RE'ing the flash drive's firmware, been distracted with building SDR crap. I doubt the actual hardware differs between the two variants. Size increase would be nice, but utilizing the device's wireless radio in some other fashion would be my main focus. Gaining a root shell, or modification of the firmware, seems like it would give some insight on both goals.


I guess getting a root access to the device would also help for simply enabling exFat (or even other FS) support to the 16/32GB model.

I also tried to telnet it but the service doesn't appear to respond. Though as previously mentioned, I'm not a hacker at all so maybe I didn't try it the right way.
