Jump to content

Hack a Sandisk 32G Wifi enabled flash drive


Forgiven
 Share

Recommended Posts

I just posted that Pablo hacked the Transcend wifi enabled SD disk which comes equipped with BusyBox linux. It seems these little wireless disk drives have all the makings of a cool mini AP. I noticed that Sandisk now has a 32G wifi enabled flash drive. It has a built in battery, usb connection pin (for connection and recharging), a replaceable microSD card, and a wifi transmitter (albeit short range). Imagine hacking it and enabling it with the wifi pineapple features, all in a device the size of a lipstick dispenser!

Link to comment
Share on other sites

  • 3 weeks later...
  • Replies 66
  • Created
  • Last Reply

Top Posters In This Topic

  • 4 weeks later...

I started my attempt to hack the Sandisk by seeking to use the methods that worked for the Transcend, to no avail. The next best pathway for exploitation is directly attacking through the USB, IMHO. To that aim, I have acquired a FaceDancer21, created by the neighborly genius of Travis Goodspeed ($70 int3.cc) (yes that's more than the drive...money isn't really an issue when it comes to me wanting to know how to get in). I spent the day today flashing the firmware on the FD21. Tomorrow, I will begin my attack....(queue evil genius laugh with old pipe organ dududuuuus).

Edited by Forgiven
Link to comment
Share on other sites

  • 2 weeks later...

This little guy caught my eye as well and i decided id share what i have learned about it...

First of all, its running off the AirStash software. The previous versions of this software have had success running commands by exec in server side includes. This is not the case with the sandisk drive :(

There is a firmware file available on the website here:

http://kb.sandisk.com/app/answers/detail/a_id/12713

placed on the root of the drive, the drive will flash the firmware. Ive ran the file through binrev with no success, maybe some weird compression i dont know too much about.

A port scan of the device shows only httpd, the device also has webdav support.

The device has the ability to connect to your own wifi, if you set it up via the app so that you can transfer files without loosing internet connection.

When connected to the drive on the computer, on the root of the server is a status.xml file which basically provides all the information available to the app. (Wifi status, card status, etc)

On the web interface there is also a settings page that allows you to change the name/set a password. This is probably the best attack vector.

Thats all i got

Link to comment
Share on other sites

I've been on the name/password page. I disagree with that going anywhere as an vector.

I looked at the binary code on the site you linked. Using Hex-Editor, I was able to open the file. The text, when viewed in UTF-16, is Chinese. For me, that's tough...I tried the google translate terms for "password", "key", "unlock", "shell." No luck.

I wonder if putting a different ROM on there would get me in the driver's seat...

Link to comment
Share on other sites

  • 3 weeks later...

I've been on the name/password page. I disagree with that going anywhere as an vector.

I looked at the binary code on the site you linked. Using Hex-Editor, I was able to open the file. The text, when viewed in UTF-16, is Chinese. For me, that's tough...I tried the google translate terms for "password", "key", "unlock", "shell." No luck.

I wonder if putting a different ROM on there would get me in the driver's seat...

Would you mind posting the hexdump? in ascii that is. UTF-16 is kinda a pain to use on linux, and id like to take a look at it.

Link to comment
Share on other sites

  • 4 weeks later...
  • 4 weeks later...
  • 1 month later...

Hi, I'm interested in this topic, I bougth one of this the last week and I would like to open in order to view how it's capable to do

I follow al of your tests, I had same results, the only thing I could view was following:

- It has a Web Server to download the files, but you can't upload from a Web Browser. Only things you can change in options section is WiFi settings (open/WPA, password, etc)

- For Apple and Android, there is an application to manage the pendrive, Donwload, upload files, sharing a Wifi to bridge the internet connection, and no more I remember

- Deep scan shows that only 80 port it's open with the Web Services, as I suppose, mobile apps use this port to connect

- For this Web Service, this scan shows following procedures allowed: GET HEAD PUT DELETE PROPFIND MOVE

Anybody has an idea I can try?

PD: I apologize for my English

Link to comment
Share on other sites

  • 4 weeks later...
  • 2 months later...
  • 5 weeks later...

I have the larger Sandisk Media Drive. I was able to simply telnet with "admin" username and password.

Device is running Freescale LTIB (Linux Target Image Builder).

Freescale MX50 Platform
ARMv7 800 MHz processor
125MB RAM


Welcome to EWNUL0(SanDisk Media ) Embedded Linux Environment
Firmware Ver: 2.93 , by QSI


Media_Drive login: admin
Password:
admin@Media_Drive ~$ cat /etc/ltib-release
Release date = Thu Apr 5 12:52:57 2012 UTC
Release user = qsi
Release host = ubuntu
Release dir = /home/qsi/freescale/sdk/ltib
SCM wtag = none
SCM tag = none
Release tag = none
App version = 9.1.1

From the admin user, you can retrieve the hashed root password from /etc/shadow.

admin@Media_Drive ~$ busybox
BusyBox v1.15.0 () multi-call binary
Copyright © 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Edited by dienilno
Link to comment
Share on other sites

  • 3 months later...

those credentials didn't work for me. Has anyone had any success with moding this device? I've port scanned the device several times, and recently I've been analyzing the firmware via ida. Which isn't my strong suit unless it's simple malware im reverse engineering.

Link to comment
Share on other sites

  • 4 weeks later...

Hi Guys,

Not a crazy hacker here but I see there is discussion about hacking the Sandisk Wireless Connect.

As one can see on : http://kb.sandisk.com/app/answers/detail/a_id/12713/session/L2F2LzEvdGltZS8xNDE0NDk3MzYxL3NpZC9wQm1sNV81bQ%3D%3D

There are two firmware branches for the Sandisk Wireless Connect Flash Drive :

  • 16/32GB (AO2S 1103)
  • 64GB (AO2E 1103)

I guess both models are exactly the same in terms of hardware so I wonder if there's an easy way to force the firmware of the 64GB model (AO2E) on the 16/32GB (AO2S) model.

That might help to unlock exFat support for model AO2S. That will allow anyone who already has a 64 or even 128GB card to buy the 16GB model and expand it to 128GB while gaining exFat support.

Trying to rename the "wfd1103e.df2" as "wfd1103.df2" and putting in the drive for upgrade does not seem to work at all.

No success in trying to edit the file, maybe there's need for some specific hex editor to actually be able to modify the identifier.

Any ideas ?

Link to comment
Share on other sites

Um... I think you're mistaken.

Think of your SD card as a harddisk. It doesn't care if the filesystem on it is exFAT, FAT, NTFS, ext[234], brtfs or any other filesystem for that matter. That's something the application (typically the camera being the limiting factor here) and the PC get to work out amongst themselves.

I also don't believe updating the firmware magically doubles its capacity. There's a very small chance that a higher capacity SD card with a defect is found to work reliably at half its capacity and this is enforced using firmware allowing them to sell the product at a lower capacity against a lower price. In this case replacing the firmware would make this previously unavailable section of storage available again, defect and all, but I wouldn't bet on that being the common case and I would also be very, VERY weary of this extra batch of storage since, as I said, it's likely to be defective in whatever subtle or unsubtle ways.

Edited by Cooper
Link to comment
Share on other sites

Cooper : The idea is not to get 64GB from a 16GB which would be unrealistic.

But actually replace the 16GB sd card with a 64 or 128GB sdxc card and be able to use exFat.

Currently Sandisk limits the 16 and 32GB version to FAT32 file system for some reason, hence the difference of firmware versions provided for 16/32 model and 64 model which is the only to support exFat.

I guess this might be a licence cost issue (exFat is Microsoft after all).

So the idea is to override this firmware limitation for model AO2S.

Link to comment
Share on other sites

1. Insert card in PC with exFAT support.

2. Format card using exFAT.

3. Profit.

Most of my SD cards have ext3 or ext4 on them, not in the least because I put it there. At higher capacities exFAT makes sense given the limitations of the FAT filesystem. At lower capacities you don't really gain much, if anything, by using exFAT. Why are you so eager to have it?

Edited by Cooper
Link to comment
Share on other sites

Cooper, I have the feeling you're answering to me without actually reading me :)

I know I can format the card with exFat, but as previously mentioned, Sandisk limits Wireless Connect drives bought with 16 or 32GB of storage to FAT32 compatibility only.

When you format an 64GB or whatever the size SD card in exFat and you put it in a Wireless Connect Flash drive that initially shipped with a 16/32GB sd card, the wireless functionality of the drive is disabled, you have an error message on the iOS app inviting you to reformat your sd card on a "supported format".

That's the reason why they distribute two different firmware branches.

This limit is supposedly wanted by Sandisk to incite you to buy a 64GB version instead of buying a 16GB model for half the price and put your own bigger SD card.

Or it might be because they don't want to pay the exFat licence to Microsoft for their smaller storage versions.

Link to comment
Share on other sites

Eh I haven't really worked much on RE the flash drives firmware, been distracted with building sdr crap. I doubt the actual hardware differs between the two variants. Size increase would be nice, but utilizing the device's wireless radio in some other fashion would be my main focus. Gaining a root shell, or modification of the firmware seems it would give some insight on both goals.

Link to comment
Share on other sites

I guess getting a root access to the device would also help for simply enabling exFat (or even other FS) support to the 16/32GB model.

I also tried to telnet it but the service doesn't appear to respond. Though as previously mentioned, I'm not a hacker at all so maybe I didn't try it the right way.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.


×
×
  • Create New...