Nayheyxus Posted December 1, 2014
Interesting, forgive my ignorance, does the firmware have any bearing on what size memory module it can utilize? Or does the difference just act as a pseudo embedded security alternative?

devilsclaw Posted December 1, 2014
First off, the external flash looks to be the same size, which is where the main firmware is stored. The internal flash is not the same size, 128 vs 256 KB. The less space you have means the less you can implement, but I am still guessing that the internal flash is either the boot loader or the first stage boot loader and then the second stage would be in the external flash. The latter is starting to feel more likely since if you hex compare the two firmwares you will notice that one section is exactly the same, which I am guessing is the second stage boot loader. It also points to, if there is encryption, that both devices are using the same encryption key.

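The two checks behind the post above (a same-offset hex compare of two firmware dumps, and an entropy map to judge whether the shared section looks encrypted), as an added example that is not code from the thread or from the device vendor. The two 16 KiB images it builds are constructed stand-ins: a device-specific header, a shared block standing in for the "second stage" candidate, an unshared high-entropy block and 0xFF padding. Offsets, block sizes and thresholds are assumptions chosen for the demo.

```python
"""Added example (not code from the thread): same-offset hex compare of two
firmware images plus a per-block entropy map.  Both images are constructed
stand-ins, not real dumps."""
import hashlib
import math

BLOCK = 4096      # entropy is measured over blocks of this size (assumed)
MIN_RUN = 64      # shortest byte-identical run worth reporting (assumed)


def identical_regions(a: bytes, b: bytes, min_run: int = MIN_RUN):
    """Return [(offset, length), ...] for runs where a and b agree byte-for-byte
    at the same offset.  Same-offset comparison is exactly what a side-by-side
    hex diff shows; it will not find a region that merely moved."""
    runs, n, i = [], min(len(a), len(b)), 0
    while i < n:
        if a[i] != b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] == b[i]:
            i += 1
        if i - start >= min_run:
            runs.append((start, i - start))
    return runs


def shannon_entropy(block: bytes) -> float:
    """Bits per byte.  Near 8.0 suggests encrypted or compressed data, near 0
    suggests padding or erased flash, in between is typical of code and tables."""
    if not block:
        return 0.0
    counts = [0] * 256
    for x in block:
        counts[x] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(ent: float) -> str:
    if ent > 7.5:
        return "high (encrypted/compressed?)"
    if ent < 1.0:
        return "low (padding/erased?)"
    return "medium (code/data)"


def entropy_map(data: bytes, block: int = BLOCK):
    return [(off, shannon_entropy(data[off:off + block]))
            for off in range(0, len(data), block)]


def prng_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) for the stand-ins."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def build_images():
    """Two constructed 16 KiB images.  Image B's high-entropy block is A's XORed
    with 0x5A so that no byte of it coincides with A's, which keeps the diff
    output deterministic."""
    head_a = b"\xd4\x01\xc0\x08\xff\xff\xff\xfe" * (BLOCK // 8)
    head_b = b"\xd4\x01\xc0\x08\xff\xff\xff\xfa" * (BLOCK // 8)
    shared = b"\xe0\x60\x00\x28\x30\x09\x5e\xfc" * (BLOCK // 8)
    blob_a = prng_bytes(b"image-A", BLOCK)
    blob_b = bytes(x ^ 0x5A for x in blob_a)
    pad = b"\xff" * BLOCK
    return head_a + shared + blob_a + pad, head_b + shared + blob_b + pad


def report(a: bytes, b: bytes):
    """For every identical run, say how that region looks entropy-wise."""
    out = []
    for off, length in identical_regions(a, b):
        out.append((off, length, classify(shannon_entropy(a[off:off + length]))))
    return out


if __name__ == "__main__":
    img_a, img_b = build_images()
    for off, length, kind in report(img_a, img_b):
        print(f"identical 0x{off:06x}+0x{length:x}: {kind}")
    for off, ent in entropy_map(img_a):
        print(f"A 0x{off:06x}: {ent:.2f} bits/byte  {classify(ent)}")
```

A byte-identical region only shows that both images carry the same blob at the same place; the entropy of that region is what says whether the blob itself looks encrypted. If such a region were high-entropy in both images, identical ciphertext would imply the same key and plaintext (and, for a mode that uses one, the same IV or nonce), whereas different keys would make the region differ. The header blocks in the stand-ins differ in one byte out of every eight, so their 7-byte matches fall below `MIN_RUN` and are not reported, which is the kind of noise a raw `cmp -l` listing would otherwise drown you in.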
devilsclaw Posted December 1, 2014
After looking at the USB/Battery Charger documentation and the RT1 resistors and lack of, it seems the ones that are not stuffed would be used to configure how the USB charger works, so it's not for debugging. I am also not seeing anything that looks like possible JTAG points. I have to look at the CPU documentation about boot order, but it's possible that the external flash is preloaded and then they flash the device via that, because I am not really seeing any programming points, unless that is on the battery side or under the SD card slot.

devilsclaw Posted December 1, 2014
I guess it could have been booted off the SD card slot, I forgot about that. In fact that might explain why there is a 16 MByte unformatted partition on the SD card, which appears to have been wiped or uninitialized.

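One way to pin down a partition like the 16 MByte "unformatted" one mentioned above: parse the card's MBR partition table and check the start of each partition for a filesystem signature, then tell an all-zero or all-0xFF (erased) region apart from unknown data. This is an added example, not code from the thread; the disk image it builds is constructed, since the real layout of the device's SD card is not known here.

```python
"""Added example (not code from the thread): walk an MBR partition table and
report, per partition, whether a filesystem signature is present.  The disk
image is constructed for the demo."""
import struct

SECTOR = 512
HEAD = 4096          # bytes read from the start of each partition for signature checks


def parse_mbr(sector0: bytes):
    """Return the non-empty primary partition entries of a classic MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    entries = []
    for i in range(4):
        e = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba, sectors = struct.unpack_from("<II", e, 8)
        if ptype == 0 or sectors == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba": lba, "sectors": sectors,
                        "size_mib": sectors * SECTOR / 2 ** 20})
    return entries


def fs_signature(head: bytes) -> str:
    """Identify a filesystem from the first 4 KiB of a partition, or say why not."""
    if head[3:11] == b"NTFS    ":
        return "NTFS"
    if head[3:11] == b"EXFAT   ":
        return "exFAT"
    if head[82:87] == b"FAT32" and head[510:512] == b"\x55\xaa":
        return "FAT32"
    if head[54:57] == b"FAT" and head[510:512] == b"\x55\xaa":
        return "FAT12/16"
    if len(head) >= 0x43A and head[0x438:0x43A] == b"\x53\xef":   # ext magic 0xEF53, LE
        return "ext2/3/4"
    if not head.strip(b"\x00"):
        return "no filesystem signature (all zeros)"
    if not head.strip(b"\xff"):
        return "no filesystem signature (all 0xFF, erased flash?)"
    return "no filesystem signature (unknown data)"


def survey(disk: bytes):
    """Partition table plus a per-partition filesystem verdict for one disk image."""
    out = []
    for p in parse_mbr(disk[:SECTOR]):
        start = p["lba"] * SECTOR
        out.append(dict(p, fs=fs_signature(disk[start:start + HEAD])))
    return out


def build_disk() -> bytes:
    """Constructed 25 MiB image: a 16 MiB partition with nothing written in it,
    followed by an 8 MiB FAT32 partition with a minimal boot sector.  Both carry
    type 0x0C in the table; the type byte is only a label, not proof of a filesystem."""
    p1_lba, p1_sectors = 2048, 16 * 2 ** 20 // SECTOR
    p2_lba, p2_sectors = p1_lba + p1_sectors, 8 * 2 ** 20 // SECTOR
    disk = bytearray((p2_lba + p2_sectors) * SECTOR)
    for i, (lba, sectors) in enumerate([(p1_lba, p1_sectors), (p2_lba, p2_sectors)]):
        entry = struct.pack("<B3sB3sII", 0x00, b"\xff\xff\xff", 0x0C, b"\xff\xff\xff",
                            lba, sectors)
        disk[446 + 16 * i: 446 + 16 * (i + 1)] = entry
    disk[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x58\x90"        # jump instruction typical of a FAT boot sector
    boot[3:11] = b"MSWIN4.1"           # OEM name
    boot[82:90] = b"FAT32   "          # FAT32 filesystem type string
    boot[510:512] = b"\x55\xaa"
    disk[p2_lba * SECTOR: p2_lba * SECTOR + SECTOR] = boot
    return bytes(disk)


if __name__ == "__main__":
    for p in survey(build_disk()):
        print(f"p{p['index']} type=0x{p['type']:02x} lba={p['lba']} "
              f"{p['size_mib']:.1f} MiB: {p['fs']}")
```

Run against a real card with `survey(open("/dev/sdX", "rb").read(...))` sized to cover the partitions, or against a `dd` image. An all-zero or all-0xFF head only says the first 4 KiB are blank; a region used as a raw boot or update blob may start further in, so for a suspicious partition the next step is an entropy or strings pass over the whole range rather than trusting the head alone.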
Nayheyxus Posted December 1, 2014
I've been running USB sniffing, though I didn't expect to find anything. There was a sort of interesting initial handshake, but I'm fairly sure it's just standard USB mass storage jibba jabber. Running a MITM attack sniffing its traffic while I change various settings within the APK. Some very interesting data being swapped. I wish I hadn't updated my device; I would love to see how the drive reacts to an update, and how the app writes to the drive.

devilsclaw Posted December 1, 2014
Well, I decompiled the APK a couple days ago and I looked through it a bit, still looking, but I'm just guessing that it uploads the file to the root of the device just like manually updating works. Especially since they tell you to power off the device and power it back on to update.

Nayheyxus Posted December 1, 2014
Binwalk hex dumping is the closest thing to the matrix as anyone can get, am I right, hehee. Anywho, I've been trying to decipher my Wireshark sniff logs. The AirStash protocol is pretty foreign. I captured the entire conversation the device's software exchanges with the Android app, and my plan of attack is to replicate the firmware upgrade with a fake new version; undoubtedly this will brick my neat little flash drive. Well worth the sacrifice to further knowledge on it, and I can easily justify buying another.

devilsclaw Posted December 2, 2014
So I did more research on the CPU. The default bootloader that comes on these things is designed to use something they call BatchISP as the programmer to load on the application. They also state that to reprogram the bootloader they need to use the JTAGICE MkII. Since I don't see any JTAG pins or open test points, I am guessing the default bootloader is still there and that they are using what AVR considers an app to be loaded. Now the problem is the fuses, as they call them, but they're non-volatile bits that are used to configure the boot process a bit. If a particular bit is set, then the application is called in all cases of the boots, which basically blocks us from using the bootloader to program it. So that leaves us with either figuring out how to get a JTAG device connected and changing the fuse bits to boot off the bootloader and reading the code out of the device if possible, or nothing. It might be possible that part of the update is unencrypted, or all of it, but I would have to look up how to disassemble AVR 32-bit code.

devilsclaw Posted December 2, 2014
These devices are clone AirStash devices; firmware format is the same and versioning is the same. Content is not the same though, well, not exactly.

Nayheyxus Posted December 2, 2014
Damn, ya beat me to posting the JTAG info ya just posted hehe. But glad you did, you articulated it far better than I could have. Yup, airstash android wearable license inc. I've read that at least 400 times today in my Wireshark log, been reading it continuously thinking magically I'll understand what's going on in the packet. There are 2 fuses that must be there for the JTAG ICE: the JTAG enable fuse and the OCD enable fuse. If the fuse is unintentionally disabled then the user can enable the fuse by means of the other programming interfaces (e.g. ISP).
Edited December 2, 2014 by Nayheyxus

Nayheyxus Posted December 2, 2014
A02 seems to be a common model actually in the AirStash family.

nellush Posted January 24, 2015
I just bought the 16GB model at Walmart on clearance. Did not update the firmware in case I can be of any help. Very interested to see what can be done with these devices. Just set up an FTP server at home and was thinking how useful that full functionality could be on one of these devices. Let me know if I can help in any way with testing or anything.

Nayheyxus Posted January 24, 2015
Sadly, my WiFi flash drive has died. I wish I could say that the drive was lost in the line of hacked firmware flashing, as I had intended. However, the drive was killed by Dr. Pepper and a clumsy kitty cat.

Forgiven (Author) Posted March 10, 2015
Seems like devilsclaw has been making some good progress on this hack. I'm inspired to head back in!

Nayheyxus Posted March 10, 2015
One thing I found while I was researching the device was a conference held about the programming and design of this WiFi flash drive. The presentation seemed to have a lot of valuable information, and could give some insight into hacking it. The presentation was very dull, and shortly after this discovery my drive died. YouTube "racket conference" and if you can withstand a very boring presentation, this could be exactly what we needed to mod this device.
Edited March 10, 2015 by Nayheyxus

Cleafspear Posted May 23, 2015
I posted my initial hack of the media drive version at https://forums.hak5.org/index.php?/topic/35884-sandisk-wireless-media-drive-root-crackand-other-useful-info/ . It has a bit of info that may be handy for finding out what's on these powerful but tiny devices.

daivermaster Posted February 18, 2016
Hello. FW 4.1.0 http://kb.sandisk.com/app/answers/detail/a_id/17556/~/updating-the-sandisk-connect-wireless-sticks-firmware-manually
Any ideas to get root? Thank you.
