
Hack a Sandisk 32G Wifi enabled flash drive


Forgiven


Interesting, forgive my ignorance, does the firmware have any bearing on what size memory module it can utilize? Or does the difference just act as a pseudo embedded security alternative?


First off, the external flash looks to be the same size, which is where the main firmware is stored. The internal flash is not the same size: 128 vs 256 Kb.

The less space you have means the less you can implement, but I am still guessing that the internal flash is either the boot loader or the first stage boot loader, and then the second stage would be in the external flash.

The latter is starting to feel more likely since if you hex compare the two firmwares you will notice that one section is exactly the same, which I am guessing is the second stage boot loader.

It also points to, if there is encryption, both devices using the same encryption key.
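The hex comparison described in the post above, as an added example that is not part of the original thread: it walks two firmware images in fixed-size blocks, reports the offsets where both images are byte-identical, and computes the Shannon entropy of each shared run (near 8 bits/byte hints at encrypted or compressed data, as the post's encryption guess would predict). The two images here are constructed stand-ins, not the real Sandisk dumps; the block size and the hypothetical `fw_a`/`fw_b` names are assumptions.

```python
import hashlib
from collections import Counter
from math import log2

BLOCK = 64  # assumed comparison granularity in bytes


def shared_regions(a: bytes, b: bytes, block: int = BLOCK):
    """Return (offset, length) runs where a and b are byte-identical at the same offset."""
    runs, start = [], None
    n = min(len(a), len(b))
    for off in range(0, n, block):
        same = a[off:off + block] == b[off:off + block]
        if same and start is None:
            start = off
        elif not same and start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    return runs


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 suggests encrypted or compressed content."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * log2(c / len(data)) for c in counts.values())


def report(a: bytes, b: bytes, block: int = BLOCK):
    """Summarise each shared run with a short hash and its entropy."""
    return [{"offset": off, "length": length,
             "sha256": hashlib.sha256(a[off:off + length]).hexdigest()[:16],
             "entropy": round(entropy(a[off:off + length]), 2)}
            for off, length in shared_regions(a, b, block)]


# Constructed sample images: different 256-byte heads, a shared 512-byte
# middle (standing in for the suspected second-stage loader), different tails.
COMMON = bytes(range(256)) * 2
fw_a = bytes(range(256)) + COMMON + b"\x00" * 256
fw_b = bytes(reversed(range(256))) + COMMON + b"\xff" * 256

if __name__ == "__main__":
    for r in report(fw_a, fw_b):
        print(f"shared @0x{r['offset']:06x} len={r['length']} "
              f"sha256={r['sha256']} entropy={r['entropy']}")
```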


After looking at the USB/Battery Charger documentation and the RT1 resistors, and lack thereof, it seems the ones that are not stuffed would be used to configure how the USB charger works, so it's not for debugging.

I am also not seeing anything that looks like possible JTAG points. I have to look at the CPU documentation about boot order, but it's possible that the external flash is preloaded and then they flash the device via that, because I am not really seeing any programming points, unless that is on the battery side or under the SD card slot.


I've been running USB sniffing, though I didn't expect to find anything. There was a sorta interesting initial handshake, but I'm fairly sure it's just standard USB mass storage jibba jabber. Running a MITM attack sniffing its traffic while I change various settings within the APK. Some very interesting data being swapped. I wish I hadn't updated my device; I would love to see how the drive reacts to an update, and how the app writes to the drive.


Well, I decompiled the APK a couple days ago and I looked through it a bit, still looking, but I'm just guessing that it uploads the file to the root of the device just like manually updating works.

Especially since they tell you to power off the device and power it back on to update.


Binwalk hex dumping is the closest thing to the Matrix as anyone can get, am I right, hehee. Anywho, I've been trying to decipher my Wireshark sniff logs. The AirStash protocol is pretty foreign. I captured the entire conversation the device's software exchanges with the Android app, and my plan of attack is to replicate the firmware upgrade with a fake new version; undoubtedly this will brick my neat little flash drive. Well worth the sacrifice to further knowledge on it, and I can easily justify buying another.


So I did more research on the CPU. The default bootloader that comes on these things is designed to use something they call BatchISP as the programmer to load on the application.

They also state that to reprogram the bootloader they need to use the JTAGICE MkII. Since I don't see any JTAG pins or open test points, I am guessing the default bootloader is still there and that they are using what AVR considers an app to be loaded.

Now the problem is the fuses, as they call them, which are non-volatile bits that are used to configure the boot process a bit.

If a particular bit is set, then the application is called in all cases of the boots, which basically blocks us from using the bootloader to program it.

So that leaves us with either figuring out how to get a JTAG device connected and changing the fuse bits to boot off the bootloader and reading the code out of the device if possible, or nothing.

It might be possible that part of the update is unencrypted, or all of it, but I would have to look up how to disassemble AVR 32-bit code.


Damn, ya beat me to posting the JTAG info ya just posted, hehe. But glad you did; you articulated it far better than I could have. Yup, "airstash android wearable license inc." I've read that at least 400 times today in my Wireshark log, been reading it continuously thinking magically I'll understand what's going on in the packet. There are 2 fuses that must be there for the JTAG ICE: the JTAG enable fuse and the OCD enable fuse. If the fuse is unintentionally disabled, then the user can enable the fuse by means of the other programming interfaces (e.g. ISP).

A02 seems to be a common model actually in the AirStash family.


I just bought the 16GB model at Walmart on clearance. Did not update the firmware in case I can be of any help. Very interested to see what can be done with these devices. Just set up an FTP server at home and was thinking how useful that full functionality could be on one of these devices. Let me know if I can help in any way with testing or anything.

Sadly, my wifi flash drive has died. I wish I could say that the drive was lost in the line of hacked firmware flashing, as I had intended. However, the drive was killed by Dr. Pepper and a clumsy kitty cat.


One thing I found while I was researching the device was a conference talk about the programming and design of this wifi flash drive. The presentation seemed to have a lot of valuable information, and could give some insight into hacking it. The presentation was very dull, and shortly after this discovery my drive died. YouTube "racket conference" and, if you can withstand a very boring presentation, this could be exactly what we needed to mod this device.
