devilsclaw
-
Posts
18 -
Joined
-
Last visited
-
Days Won
2
Posts posted by devilsclaw
-
-
So I did more research on the CPU, the default bootloader that comes on these things is designed use something they call BatchISP as the programmer to load on the application.
They also state the to reprogram the bootloader they need to use the JTAGICE MkII, Since I dont see any JTAG pins or open test points, I am guessing the default bootloader is still there and that they are using what AVR considers an app to be loaded.
Now the problem is the fuses as what they call them but there non volatile bits that are used to configure the boot process a bit.
If a particular bit is set, then the application is call in all cases of the boots, which basically blocks us from using the bootloader
to program it.
So that leaves us with either figuring out how to get a JTAG device connected and changing the fuse bits to boot off the bootloader and
reading the code out of the device if possible, or nothing.
I might be possible that part of the update is unencrypted or all of it but I would have to look up how to disassemble AVS 32bit code.
-
Well I decompiled the APK a couple days ago and I looked through it a bit, still looking, but Im just guessing that it uploads the file to the root of the device just like manually updating works.
Especially since they tell you to power off the divice and power it back on to update.
-
I guess it could of been booted off the sdcard slot, I forgot about that.
Infact that migth explain why there is a 16Mbyte unformatted partition on the sdcard, which appears to of been wiped or unitialized.
-
After looking at the USB/Battery Charger documentation and the RT1 resistors and lack of, It seems the ones that are not stuffed,
would be used to configure how the USB Charger works, so its not for debugging.
I am also not seeing anything that looks like possible JTAG points. I have to look at the CPU documentation about boot order but its
possible that the external flash is preloaded and then they flash the device via that, because I am not really seeing any programming,
points, unless that is on the battery side or under the sdcard slot.
-
First off the external flash looks to be the same size, which is where the main firmware is stored. the internal flash is not the same size 128 vs 256 Kb.
The less space your have means the less you can implement, but I am still guessing that the internal flash is either the boot loader or the first stage boot loader and then the second stage would be in the external flash.
The latter is starting to feel more likely since if you hex compare the two firmwares you will notices that one section is exactly the same, which I
am guessing is the second stage boot loader.
It also points to if there is encryption that both devices are using the same encryption key.
-
Based off the picture the only difference that jumps out at me is the CPU AT32UC3A4128S , which has smaller internal flash,
which is why there are two different firmwares.
-
I found out more about the processor:
AT32UC3A4256S which is a 100pin (FBGA) and that is has 256kilibits of internal flash that can be protected.
The internal flash must have the boot loader which then loads the rest of the firmware from the 2MB flash chip.
the CPU also supports AES encryption at the hardware level which is most most likely what the firmware is encrypted
with.
If the internal flash is protected then there most likely is no way to read out the boot loader, which would mean, no way
to decrypt the main flash.
if that is the case which I will try to figure out, then the only option would but to create a new firmware from scratch and replace
the internal firmware, and the main.
only time will tell.
-
I took some highres picture of the 64Gig version:
-
First step to popping off the case is popping off the usb shield.
You will notice on the on the slider rail for the usb cover, are legs, I used a small flat head screw driver that fit width wise in the rail.
with the usb cover fully hiding the usb plug, I push the flat head under one side and unseated it, then I held it in the unseated state
and did the same on the other side.
Now the plastic cover needs to be popped open from the side of the usb plug , gently, you have to do both sides of the plug,
now, the bottom half (the top being the side with the button) where the sliding rails are gently push the flat head to the bottom side,
of the case, both sides, now you need to use the flat head and push with more pressure being on the bottom half of the case in the
case split, and pop open parts of the case all around the device.
this will get the device open.
BTW: here is the documentation on the USB Lithium-Ion battery charger.
Part Number: CDU TI 42i
http://www.ti.com/lit/ds/symlink/bq24072.pdf
when you pop open your case you will see a set of resistors that are not populated,
I am guessing at the moment that if they are configured differently that It will power up
the device in a different state that might allow direct programing of the device,
they have to get the firmware on there initially some how, either via a chip programmer
before its stuffed on the the device or with it fully intact. I'm guessing the latter.
-
-
-
It has a 16Mbit flash chip 25p16 (vdfn) , which is 2Mbytes in size, which is consistent with the flash file size that is on the 64gig version I think the 32gig version has a smaller flash chip, which might be why it does not have exfat.
-
This part is not true "FCC pictures which show an AR9K chip" , just re-looked and the picture was upside down and my mind converted it for me. thanks mind
-
So I was able to finally get mine apart with out breaking the case.
the wireless card is an Atheros AR6103G-BM2D, at first when I looked at the FCC pictures which show an AR9K chip, I thought that the CPU (Central Processing Unit) for this device might be the Atheros chip as well as a SOC (System on Chip) but its not. The CPU looks to be the Atmel 32UCA.
I'm guessing due to that, there is no Linux but an RTOS (Real Time Operating System), that is running this device.
Now I am going to see if there is a flash(NOR/NAND) chip the stores the firmware or if it goes directly on the chip. also I need to figure out if the firmware is encrypted which I am guessing that it is, but hoping not.
-
This is the newest dump
the app version compatibility is really the only thing diff from the last and the grouping
model = A02S hostname = sandiskf70a38.local ssid = CENSORED ap = undefined sidelink = undefined version = 3.4.1 buildmodel = A02E numericversion = 1103 storederror = undefined battery = undefined bitrate = undefined appversion = 2.2.32.2.5 [appversion] ios = 2.2.3 android = 2.2.5 [/appversion] serial = CENSORED security = wpa wpapsk = CENSORED auth = all authhash = CENSORED authowner = owner channel = 6 timeout = 0 cards = undefined client = undefined features = 1111 [features] exfat = 1 security = 1 cachent = 1 coex = 1 [/features]
here is the new script
// ==UserScript== // @name wfd testing // @namespace dc // @include http://__IPADDRESS__/static/settings.html // @version 1 // @grant none // ==/UserScript== //allow pasting function _get_DOM_child(root,group) { if (root==null || root==undefined) return undefined; var msg = ""; try { for (var child = root.firstChild; child; child = child.nextSibling) { var name = child.localName || child.baseName; var text = child.textContent || child.text; if(name != undefined ) { msg = msg + name + " = " + text + "\n"; } msg = msg + _get_DOM_child(child,name); } } catch (e) { alert('get_DOM_child: ERROR: '+ e); } if(msg != "") { if(group != undefined) { msg = "[" + group + "]\n" + msg + "[/" + group + "]\n"; } } return msg; } function testing1() { var callback = function(value) { var msg = _get_DOM_child(value,undefined); alert(msg); }; get_XML_info("/settings.xml", callback, false); } function testing() { var btn = document.getElementById('new_button'); btn.value = "woots"; return; } function cb(val) { } function createButton(name,id,script) { var newGroup = document.createElement('div'); newGroup.setAttribute('class', 'group'); var newLabel = document.createElement('div'); newLabel.setAttribute('class', 'label'); var newChild = document.createElement('div'); newChild.setAttribute('class', 'value'); var newButton = document.createElement('input'); newButton.setAttribute('id', id); newButton.setAttribute('type','button'); newButton.setAttribute('value',name); newButton.setAttribute('onclick',script); newGroup.appendChild(newLabel); newGroup.appendChild(newChild); newChild.appendChild(newButton); return newGroup; } var span = document.getElementById('settings'); var parent = span.parentNode; if (span && parent) { var newScript = document.createElement('script'); newScript.appendChild(document.createTextNode(testing)); newScript.appendChild(document.createTextNode(testing1)); newScript.appendChild(document.createTextNode(cb)); newScript.appendChild(document.createTextNode(_get_DOM_child)); //coex_off parent.insertBefore(newScript,parent.firstElementChild); parent.appendChild(createButton("Get XML Settings","test_1","testing1()"),span.nextSibling); parent.appendChild(createButton("Coex On","test_2","coex_on()"),span.nextSibling); parent.appendChild(createButton("Coex Off","test_3","coex_off()"),span.nextSibling); }
-
I updated the script a bit and found out the features = 1111 is a group
and it expands to what the features are are you will see below
model = A02S hostname = sandiskf70a38.local ssid = CENSORED ap = undefined sidelink = undefined version = 3.4.1 buildmodel = A02E numericversion = 1103 storederror = undefined battery = undefined bitrate = undefined appversion = 2.2.32.2.5 ios = 2.2.3 android = 2.2.5 serial = CENSORED security = wpa wpapsk = CENSORED auth = all authhash = CENSORED authowner = owner channel = 6 timeout = 0 cards = undefined client = undefined features = 1111 exfat = 1 security = 1 cachent = 1 coex = 1
-
I have the 64Gb version, and I would like to gain access to it as well.
I did hex diffs of the firmwares and they are different in many ways, what looks like most likely the boot loader section they are the same.
I have also experimented with the webpages as an atack vertor and I have come up with some interesting things.
I have been using greasemonkey to inject my own buttons and forms and java script to pull information from the device.
model = A02S hostname = sandiskf70a38.local ssid = CENSORED ap = undefined sidelink = undefined version = 3.4.1 buildmodel = A02E numericversion = 1103 storederror = undefined battery = undefined bitrate = undefined appversion = 2.2.32.2.5 serial = CENSORED security = wpa wpapsk = CENSORED auth = all authhash = CENSORED authowner = owner channel = 0 timeout = 0 cards = undefined client = undefined features = 1111
as you can tell there is stuff there that you cannot config through the webpage.
I find the feature mask interesting since 1111 most likely means all features on maybe the 32gb version does not.
also in the settings.js there is a function called coex_on and coex_off which might be a demo mode or something
// ==UserScript== // @name wfd testing // @namespace dc // @include http://__IPADDRESS__/static/settings.html // @version 1 // @grant none // ==/UserScript== //allow pasting function _get_DOM_child(root) { if (root==null || root==undefined) return undefined; try { var msg = ""; for (var child = root.firstChild; child; child = child.nextSibling) { var name = child.localName || child.baseName; var text = child.textContent || child.text; msg = msg + name + " = " + text + "\n"; } } catch (e) { alert('get_DOM_child: ERROR: '+ e); } alert(msg); return undefined; } function testing1() { var callback = function(value) { _get_DOM_child(value); //alert(value.toSource()); }; get_XML_info("/settings.xml", callback, false); } function testing() { var btn = document.getElementById('new_button'); btn.value = "woots"; return; } function cb(val) { } function createButton(name,id,script) { var newGroup = document.createElement('div'); newGroup.setAttribute('class', 'group'); var newLabel = document.createElement('div'); newLabel.setAttribute('class', 'label'); var newChild = document.createElement('div'); newChild.setAttribute('class', 'value'); var newButton = document.createElement('input'); newButton.setAttribute('id', id); newButton.setAttribute('type','button'); newButton.setAttribute('value',name); newButton.setAttribute('onclick',script); newGroup.appendChild(newLabel); newGroup.appendChild(newChild); newChild.appendChild(newButton); return newGroup; } var span = document.getElementById('settings'); var parent = span.parentNode; if (span && parent) { var newScript = document.createElement('script'); newScript.appendChild(document.createTextNode(testing)); newScript.appendChild(document.createTextNode(testing1)); newScript.appendChild(document.createTextNode(cb)); newScript.appendChild(document.createTextNode(_get_DOM_child)); parent.insertBefore(newScript,parent.firstElementChild); parent.appendChild(createButton("Test 1","test_1","testing1()"),span.nextSibling); parent.appendChild(createButton("Coex On","test_2","coex_on()"),span.nextSibling); parent.appendChild(createButton("Coex Off","test_3","coex_off()"),span.nextSibling); }
change the __IPADDRESS__ to your devices ip
Hack a Sandisk 32G Wifi enabled flash drive
in Hacks & Mods
Posted
These devices are clone airstash devices, firmware format is the same and versioning is the same.
content is not the same though. well not exatly