Forgiven Posted September 10, 2013 Share Posted September 10, 2013 I just posted that Pablo hacked the Transcend wifi enabled SD disk which comes equipped with BusyBox linux. It seems these little wireless disk drives have all the makings of a cool mini AP. I noticed that Sandisk now has a 32G wifi enabled flash drive. It has a built in battery, usb connection pin (for connection and recharging), a replaceable microSD card, and a wifi transmitter (albeit short range). Imagine hacking it and enabling it with the wifi pineapple features, all in a device the size of a lipstick dispenser! Quote Link to comment Share on other sites More sharing options...
Blindkitty38 Posted September 26, 2013 Share Posted September 26, 2013 Thats amazing. Link to the drive? Quote Link to comment Share on other sites More sharing options...
Forgiven Posted September 26, 2013 Author Share Posted September 26, 2013 Links are in the original post. Quote Link to comment Share on other sites More sharing options...
Forgiven Posted October 22, 2013 Author Share Posted October 22, 2013 Seems folks have really opened up the Transcend Wifi SD card...here is a link from Dmitry. Quote Link to comment Share on other sites More sharing options...
br0k3nilluzion Posted October 22, 2013 Share Posted October 22, 2013 man, if you can add this to the Rubber ducky.. you could modify it to be able to change the scripts on on the fly.. have a base system, change it on the fly.. all from the convienience of a phone or tablet on hand..!!!!!!! Quote Link to comment Share on other sites More sharing options...
Lord_humungus Posted October 23, 2013 Share Posted October 23, 2013 Seems good! Quote Link to comment Share on other sites More sharing options...
Forgiven Posted October 23, 2013 Author Share Posted October 23, 2013 man, if you can add this to the Rubber ducky.. you could modify it to be able to change the scripts on on the fly.. have a base system, change it on the fly.. all from the convienience of a phone or tablet on hand..!!!!!!! B) Yep. Quote Link to comment Share on other sites More sharing options...
Forgiven Posted October 26, 2013 Author Share Posted October 26, 2013 (edited) I started my attempt to hack the Sandisk by seeking to use the methods that worked for the Transcend, to no avail. The next best pathway for exploitation is directly attacking through the USB, IMHO. To that aim, I have acquired a FaceDancer21, created by the neighborly genius of Travis Goodspeed ($70 int3.cc) (yes that's more than the drive...money isn't really an issue when it comes to me wanting to know how to get in). I spent the day today flashing the firmware on the FD21. Tomorrow, I will begin my attack....(queue evil genius laugh with old pipe organ dududuuuus). Edited October 26, 2013 by Forgiven Quote Link to comment Share on other sites More sharing options...
Xqtftqx Posted November 7, 2013 Share Posted November 7, 2013 This little guy caught my eye as well and i decided id share what i have learned about it... First of all, its running off the AirStash software. The previous versions of this software have had success running commands by exec in server side includes. This is not the case with the sandisk drive :( There is a firmware file available on the website here: http://kb.sandisk.com/app/answers/detail/a_id/12713 placed on the root of the drive, the drive will flash the firmware. Ive ran the file through binrev with no success, maybe some weird compression i dont know too much about. A port scan of the device shows only httpd, the device also has webdav support. The device has the ability to connect to your own wifi, if you set it up via the app so that you can transfer files without loosing internet connection. When connected to the drive on the computer, on the root of the server is a status.xml file which basically provides all the information available to the app. (Wifi status, card status, etc) On the web interface there is also a settings page that allows you to change the name/set a password. This is probably the best attack vector. Thats all i got Quote Link to comment Share on other sites More sharing options...
Forgiven Posted November 10, 2013 Author Share Posted November 10, 2013 I've been on the name/password page. I disagree with that going anywhere as an vector. I looked at the binary code on the site you linked. Using Hex-Editor, I was able to open the file. The text, when viewed in UTF-16, is Chinese. For me, that's tough...I tried the google translate terms for "password", "key", "unlock", "shell." No luck. I wonder if putting a different ROM on there would get me in the driver's seat... Quote Link to comment Share on other sites More sharing options...
Xqtftqx Posted November 26, 2013 Share Posted November 26, 2013 I've been on the name/password page. I disagree with that going anywhere as an vector. I looked at the binary code on the site you linked. Using Hex-Editor, I was able to open the file. The text, when viewed in UTF-16, is Chinese. For me, that's tough...I tried the google translate terms for "password", "key", "unlock", "shell." No luck. I wonder if putting a different ROM on there would get me in the driver's seat... Would you mind posting the hexdump? in ascii that is. UTF-16 is kinda a pain to use on linux, and id like to take a look at it. Quote Link to comment Share on other sites More sharing options...
Forgiven Posted December 23, 2013 Author Share Posted December 23, 2013 Would you mind posting the hexdump? in ascii that is. UTF-16 is kinda a pain to use on linux, and id like to take a look at it. I just returned to this and saw your request. I will have to go back and re-open it. Quote Link to comment Share on other sites More sharing options...
Xqtftqx Posted January 15, 2014 Share Posted January 15, 2014 In ascii (text) i dont see any chinese characters when I convert it. Quote Link to comment Share on other sites More sharing options...
exente Posted February 20, 2014 Share Posted February 20, 2014 Hi, I'm interested in this topic, I bougth one of this the last week and I would like to open in order to view how it's capable to do I follow al of your tests, I had same results, the only thing I could view was following: - It has a Web Server to download the files, but you can't upload from a Web Browser. Only things you can change in options section is WiFi settings (open/WPA, password, etc) - For Apple and Android, there is an application to manage the pendrive, Donwload, upload files, sharing a Wifi to bridge the internet connection, and no more I remember - Deep scan shows that only 80 port it's open with the Web Services, as I suppose, mobile apps use this port to connect - For this Web Service, this scan shows following procedures allowed: GET HEAD PUT DELETE PROPFIND MOVE Anybody has an idea I can try? PD: I apologize for my English Quote Link to comment Share on other sites More sharing options...
HoodooTheGreat Posted March 15, 2014 Share Posted March 15, 2014 Has anyone discovered any new information on opening this thing up for customization? Quote Link to comment Share on other sites More sharing options...
Forgiven Posted May 20, 2014 Author Share Posted May 20, 2014 Not yet Hoodoo. Quote Link to comment Share on other sites More sharing options...
dienilno Posted June 18, 2014 Share Posted June 18, 2014 (edited) I have the larger Sandisk Media Drive. I was able to simply telnet with "admin" username and password.Device is running Freescale LTIB (Linux Target Image Builder).Freescale MX50 PlatformARMv7 800 MHz processor125MB RAM Welcome to EWNUL0(SanDisk Media ) Embedded Linux Environment Firmware Ver: 2.93 , by QSIMedia_Drive login: adminPassword:admin@Media_Drive ~$ cat /etc/ltib-releaseRelease date = Thu Apr 5 12:52:57 2012 UTCRelease user = qsiRelease host = ubuntuRelease dir = /home/qsi/freescale/sdk/ltibSCM wtag = noneSCM tag = noneRelease tag = noneApp version = 9.1.1 From the admin user, you can retrieve the hashed root password from /etc/shadow. admin@Media_Drive ~$ busyboxBusyBox v1.15.0 () multi-call binaryCopyright © 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenkoand others. Licensed under GPLv2.See source distribution for full notice. Edited June 18, 2014 by dienilno Quote Link to comment Share on other sites More sharing options...
Nayheyxus Posted October 2, 2014 Share Posted October 2, 2014 those credentials didn't work for me. Has anyone had any success with moding this device? I've port scanned the device several times, and recently I've been analyzing the firmware via ida. Which isn't my strong suit unless it's simple malware im reverse engineering. Quote Link to comment Share on other sites More sharing options...
drOS Posted October 28, 2014 Share Posted October 28, 2014 Hi Guys, Not a crazy hacker here but I see there is discussion about hacking the Sandisk Wireless Connect. As one can see on : http://kb.sandisk.com/app/answers/detail/a_id/12713/session/L2F2LzEvdGltZS8xNDE0NDk3MzYxL3NpZC9wQm1sNV81bQ%3D%3D There are two firmware branches for the Sandisk Wireless Connect Flash Drive : 16/32GB (AO2S 1103) 64GB (AO2E 1103) I guess both models are exactly the same in terms of hardware so I wonder if there's an easy way to force the firmware of the 64GB model (AO2E) on the 16/32GB (AO2S) model. That might help to unlock exFat support for model AO2S. That will allow anyone who already has a 64 or even 128GB card to buy the 16GB model and expand it to 128GB while gaining exFat support. Trying to rename the "wfd1103e.df2" as "wfd1103.df2" and putting in the drive for upgrade does not seem to work at all. No success in trying to edit the file, maybe there's need for some specific hex editor to actually be able to modify the identifier. Any ideas ? Quote Link to comment Share on other sites More sharing options...
cooper Posted October 28, 2014 Share Posted October 28, 2014 (edited) Um... I think you're mistaken. Think of your SD card as a harddisk. It doesn't care if the filesystem on it is exFAT, FAT, NTFS, ext[234], brtfs or any other filesystem for that matter. That's something the application (typically the camera being the limiting factor here) and the PC get to work out amongst themselves. I also don't believe updating the firmware magically doubles its capacity. There's a very small chance that a higher capacity SD card with a defect is found to work reliably at half its capacity and this is enforced using firmware allowing them to sell the product at a lower capacity against a lower price. In this case replacing the firmware would make this previously unavailable section of storage available again, defect and all, but I wouldn't bet on that being the common case and I would also be very, VERY weary of this extra batch of storage since, as I said, it's likely to be defective in whatever subtle or unsubtle ways. Edited October 28, 2014 by Cooper Quote Link to comment Share on other sites More sharing options...
drOS Posted October 28, 2014 Share Posted October 28, 2014 Cooper : The idea is not to get 64GB from a 16GB which would be unrealistic. But actually replace the 16GB sd card with a 64 or 128GB sdxc card and be able to use exFat. Currently Sandisk limits the 16 and 32GB version to FAT32 file system for some reason, hence the difference of firmware versions provided for 16/32 model and 64 model which is the only to support exFat. I guess this might be a licence cost issue (exFat is Microsoft after all). So the idea is to override this firmware limitation for model AO2S. Quote Link to comment Share on other sites More sharing options...
cooper Posted October 28, 2014 Share Posted October 28, 2014 (edited) 1. Insert card in PC with exFAT support. 2. Format card using exFAT. 3. Profit. Most of my SD cards have ext3 or ext4 on them, not in the least because I put it there. At higher capacities exFAT makes sense given the limitations of the FAT filesystem. At lower capacities you don't really gain much, if anything, by using exFAT. Why are you so eager to have it? Edited October 28, 2014 by Cooper Quote Link to comment Share on other sites More sharing options...
drOS Posted October 28, 2014 Share Posted October 28, 2014 Cooper, I have the feeling you're answering to me without actually reading me :) I know I can format the card with exFat, but as previously mentioned, Sandisk limits Wireless Connect drives bought with 16 or 32GB of storage to FAT32 compatibility only. When you format an 64GB or whatever the size SD card in exFat and you put it in a Wireless Connect Flash drive that initially shipped with a 16/32GB sd card, the wireless functionality of the drive is disabled, you have an error message on the iOS app inviting you to reformat your sd card on a "supported format". That's the reason why they distribute two different firmware branches. This limit is supposedly wanted by Sandisk to incite you to buy a 64GB version instead of buying a 16GB model for half the price and put your own bigger SD card. Or it might be because they don't want to pay the exFat licence to Microsoft for their smaller storage versions. Quote Link to comment Share on other sites More sharing options...
Nayheyxus Posted October 28, 2014 Share Posted October 28, 2014 Eh I haven't really worked much on RE the flash drives firmware, been distracted with building sdr crap. I doubt the actual hardware differs between the two variants. Size increase would be nice, but utilizing the device's wireless radio in some other fashion would be my main focus. Gaining a root shell, or modification of the firmware seems it would give some insight on both goals. Quote Link to comment Share on other sites More sharing options...
drOS Posted October 28, 2014 Share Posted October 28, 2014 I guess getting a root access to the device would also help for simply enabling exFat (or even other FS) support to the 16/32GB model. I also tried to telnet it but the service doesn't appear to respond. Though as previously mentioned, I'm not a hacker at all so maybe I didn't try it the right way. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.