Hack a Sandisk 32G Wifi enabled flash drive


Forgiven


I thought those wifi sd cards were a complete package rather than something with a separate microSD card inserted.

Okay, so SanDisk makes 2 types of Wifi "wrappers" for your SD cards - one for 64+GB which can only (or also?) work with exFAT and one for 32 GB which can only work with FAT32. You have the latter, but want it to behave like the former since you want to use it with exFAT-formatted SD cards.

Question then still is, why are you so hell-bent on exFAT since regular FAT32 can address up to 2 TB and as such should be a workable solution - reformat the large SD cards using FAT32 and you should be golden.

But aside from that feasibility question, we're all about the hack and this most certainly counts as a hack to me.

Since they didn't release any GPL'd code for the thing we can possibly assume that it's not running Linux? Maybe do an nmap of www.sandisk.org once you've connected to the wifi to see what pops up?

What I'm guessing is that they only have a meg of firmware storage on there and including support for both filesystems exceeds the available firmware space. In that case they could just release a single version of the wifi adapter card for a fixed price and not have the hassle of needing to verify 2 firmwares each time a bug is found. Never attribute to malice and all that.


I've run Nmap scans; if memory serves, port 80 is the only open port. I seem to recall an unfamiliar port being open, but don't quote me on that. I'll run one in a few hours and report back (depends on when I can sneak away from my work desk).


Most likely it's some sort of Unix. The other variants of SanDisk wifi storage run a type of Unix - the Media Connect drive, I believe. Of course I can't remember how I found that out, and our dear sweet friend Google is once again failing at providing me with any useful information to corroborate this.


Sorry for the delay on the scan, running it now. 53/udp open|filtered. Going to scan every virtual nook and cranny. Though I doubt I'll find any exploitable port for us to dock our metaphoric pirate ship in... eh, scratch that last comment, sounds way too dirty.

-Cooper,

The device has a few GPLs associated with its firmware, but sadly I don't see anything pointing to Linux. Which is disappointing for my dreams of portable wifi sniffing, but based on what I've read it wouldn't make sense for SanDisk to sell 3 separate wifi Connect devices, each bearing identical designs and specifying each device's hardware for compatibility with a finite set of microSD storage sizes. 3 separate firmwares which are restricted by firmware on the device itself would be much simpler when compared to having 3 different design specs. The only difference between the SanDisk Connect devices is what size microSD card it's been packaged with. Beyond that no other features are present. In addition, I'm not too familiar with FCC regulations, but there is one test for the Connect flash drive and the test doesn't specifically mention size differences; it simply says testing for SDWS2 (the product name which all 3 sizes share). In my experience there is typically a note on the models tested based on whether the hardware has different designs.

Edited by Nayheyxus

The three devices support all types and sizes of SD/SDXC cards.

However, only the 64GB version supports exFAT on those.

I believe it's disabled simply because of the licence fee. I read somewhere that it's something like a $300,000 flat fee + $0.75 per device to legally ship with exFAT support.


Well, if anyone wants to continue modifications to this device I can send you all the info I've come up with. Shoot me a message. I'm going to work on my many other projects, so I probably won't come back to this for a while.


  • 4 weeks later...

I have the 64GB version, and I would like to gain access to it as well.

I did hex diffs of the firmwares and they are different in many ways; in what looks most likely like the boot loader section they are the same.

I have also experimented with the webpages as an attack vector and I have come up with some interesting things.

I have been using Greasemonkey to inject my own buttons and forms and JavaScript to pull information from the device.

model = A02S
hostname = sandiskf70a38.local
ssid = CENSORED
ap = undefined
sidelink = undefined
version = 3.4.1
buildmodel = A02E
numericversion = 1103
storederror = undefined
battery = undefined
bitrate = undefined
appversion = 2.2.32.2.5
serial = CENSORED
security = wpa
wpapsk = CENSORED
auth = all
authhash = CENSORED
authowner = owner
channel = 0
timeout = 0
cards = undefined
client = undefined
features = 1111

As you can tell, there is stuff there that you cannot config through the webpage.

I find the feature mask interesting, since 1111 most likely means all features on; maybe the 32GB version does not.

Also, in settings.js there are functions called coex_on and coex_off, which might be a demo mode or something.

// ==UserScript==
// @name        wfd testing
// @namespace   dc
// @include     http://__IPADDRESS__/static/settings.html
// @version     1
// @grant       none
// ==/UserScript==


//allow pasting


// Walk the direct children of an XML node and show "name = text" for each.
function _get_DOM_child(root) {
  if (root==null || root==undefined) return undefined;
  var msg = "";
  try {
    for (var child = root.firstChild; child; child = child.nextSibling) {
      var name = child.localName || child.baseName;
      var text = child.textContent || child.text;
      msg = msg + name + " = " + text + "\n";
    }
  } catch (e) {
    alert('get_DOM_child: ERROR: '+ e);
  }
  alert(msg);
  return undefined;
}

// Fetch /settings.xml through the page's own get_XML_info() helper and dump it.
function testing1() {
    var callback = function(value) {
      _get_DOM_child(value);
        //alert(value.toSource());
    };
    get_XML_info("/settings.xml", callback, false);
}

function testing() {
  var btn = document.getElementById('new_button');
  btn.value = "woots";
  return;
}

function cb(val) {
}

// Build a button wrapped in the same div structure the settings page uses for its rows.
function createButton(name,id,script) {
  var newGroup = document.createElement('div');
  newGroup.setAttribute('class', 'group');
  var newLabel = document.createElement('div');
  newLabel.setAttribute('class', 'label');
  var newChild = document.createElement('div');
  newChild.setAttribute('class', 'value');
  var newButton = document.createElement('input');
  newButton.setAttribute('id', id);
  newButton.setAttribute('type','button');
  newButton.setAttribute('value',name);
  newButton.setAttribute('onclick',script);
  newGroup.appendChild(newLabel);
  newGroup.appendChild(newChild);
  newChild.appendChild(newButton);
  return newGroup;
}

var span = document.getElementById('settings');
var parent = span ? span.parentNode : null;   // don't dereference a missing element
if (span && parent) {
    // Copy our functions into a page-level <script> so the onclick handlers can reach them.
    var newScript = document.createElement('script');
    newScript.appendChild(document.createTextNode(testing));
    newScript.appendChild(document.createTextNode(testing1));
    newScript.appendChild(document.createTextNode(cb));
    newScript.appendChild(document.createTextNode(_get_DOM_child));
    parent.insertBefore(newScript,parent.firstElementChild);
    // appendChild takes a single argument; the buttons go at the end of the settings container.
    parent.appendChild(createButton("Test 1","test_1","testing1()"));
    parent.appendChild(createButton("Coex On","test_2","coex_on()"));
    parent.appendChild(createButton("Coex Off","test_3","coex_off()"));
}

Change __IPADDRESS__ to your device's IP.


I updated the script a bit and found out the features = 1111 is a group,

and it expands to what the features are, as you will see below.

model = A02S
hostname = sandiskf70a38.local
ssid = CENSORED
ap = undefined
sidelink = undefined
version = 3.4.1
buildmodel = A02E
numericversion = 1103
storederror = undefined
battery = undefined
bitrate = undefined
appversion = 2.2.32.2.5
ios = 2.2.3
android = 2.2.5
serial = CENSORED
security = wpa
wpapsk = CENSORED
auth = all
authhash = CENSORED
authowner = owner
channel = 6
timeout = 0
cards = undefined
client = undefined
features = 1111
exfat = 1
security = 1
cachent = 1
coex = 1

Way cool, thanks for sharing that! I'm considering opening mine up to look for any embedded vulnerabilities. I wish finding specific information online wasn't so frustrating; I've been trying to find all the FCC test photos so I can get a look at the PCB. Has anyone disassembled theirs yet?

Edited by Nayheyxus

This is the newest dump.

The app version compatibility is really the only thing different from the last, and the grouping.

model = A02S
hostname = sandiskf70a38.local
ssid = CENSORED
ap = undefined
sidelink = undefined
version = 3.4.1
buildmodel = A02E
numericversion = 1103
storederror = undefined
battery = undefined
bitrate = undefined
appversion = 2.2.32.2.5
[appversion]
ios = 2.2.3
android = 2.2.5
[/appversion]
serial = CENSORED
security = wpa
wpapsk = CENSORED
auth = all
authhash = CENSORED
authowner = owner
channel = 6
timeout = 0
cards = undefined
client = undefined
features = 1111
[features]
exfat = 1
security = 1
cachent = 1
coex = 1
[/features]

Here is the new script:

// ==UserScript==
// @name        wfd testing
// @namespace   dc
// @include     http://__IPADDRESS__/static/settings.html
// @version     1
// @grant       none
// ==/UserScript==


//allow pasting


// Recursively walk an XML node; nested elements are wrapped in [group] ... [/group].
function _get_DOM_child(root,group) {
  if (root==null || root==undefined) return "";
  var msg = "";
  try {
    for (var child = root.firstChild; child; child = child.nextSibling) {
      var name = child.localName || child.baseName;
      var text = child.textContent || child.text;
      if(name != undefined ) {   // skip bare text nodes, they have no element name
        msg = msg + name + " = " + text + "\n";
      }
      msg = msg + _get_DOM_child(child,name);
    }
  } catch (e) {
    alert('get_DOM_child: ERROR: '+ e);
  }
  if(msg != "") {
    if(group != undefined) {
      msg = "[" + group + "]\n" + msg + "[/" + group + "]\n";
    }    
  }
  return msg;
}

// Fetch /settings.xml through the page's own get_XML_info() helper and dump it.
function testing1() {
    var callback = function(value) {
      var msg = _get_DOM_child(value,undefined);
      alert(msg);
    };
    get_XML_info("/settings.xml", callback, false);
}

function testing() {
  var btn = document.getElementById('new_button');
  btn.value = "woots";
  return;
}

function cb(val) {
}

// Build a button wrapped in the same div structure the settings page uses for its rows.
function createButton(name,id,script) {
  var newGroup = document.createElement('div');
  newGroup.setAttribute('class', 'group');
  var newLabel = document.createElement('div');
  newLabel.setAttribute('class', 'label');
  var newChild = document.createElement('div');
  newChild.setAttribute('class', 'value');
  var newButton = document.createElement('input');
  newButton.setAttribute('id', id);
  newButton.setAttribute('type','button');
  newButton.setAttribute('value',name);
  newButton.setAttribute('onclick',script);
  newGroup.appendChild(newLabel);
  newGroup.appendChild(newChild);
  newChild.appendChild(newButton);
  return newGroup;
}

var span = document.getElementById('settings');
var parent = span ? span.parentNode : null;   // don't dereference a missing element
if (span && parent) {
    // Copy our functions into a page-level <script> so the onclick handlers can reach them.
    var newScript = document.createElement('script');
    newScript.appendChild(document.createTextNode(testing));
    newScript.appendChild(document.createTextNode(testing1));
    newScript.appendChild(document.createTextNode(cb));
    newScript.appendChild(document.createTextNode(_get_DOM_child));
    //coex_off
    parent.insertBefore(newScript,parent.firstElementChild);
    // appendChild takes a single argument; the buttons go at the end of the settings container.
    parent.appendChild(createButton("Get XML Settings","test_1","testing1()"));
    parent.appendChild(createButton("Coex On","test_2","coex_on()"));
    parent.appendChild(createButton("Coex Off","test_3","coex_off()"));
}

So I was able to finally get mine apart with out breaking the case.

The wireless card is an Atheros AR6103G-BM2D. At first, when I looked at the FCC pictures, which show an AR9K chip, I thought that the CPU (Central Processing Unit) for this device might be the Atheros chip as well, as a SOC (System on Chip), but it's not. The CPU looks to be the Atmel 32UCA.

I'm guessing, due to that, there is no Linux but an RTOS (Real Time Operating System) that is running this device.

Now I am going to see if there is a flash (NOR/NAND) chip that stores the firmware or if it goes directly on the chip. Also I need to figure out if the firmware is encrypted, which I am guessing that it is, but hoping not.
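The hex diff of the two firmware images (earlier in the thread) and the question just above of whether the main flash is encrypted can be answered with the same small tool. This is an added example, not devilsclaw's code: it compares two images block by block, merges neighbouring blocks into identical/differing runs, and reports the Shannon entropy of each run, since a shared low-entropy region is what a plaintext boot loader stub looks like and a body near 8 bits/byte is what encryption or compression looks like. FW_A and FW_B are constructed stand-ins, not real SanDisk dumps.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 looks encrypted or compressed; well below that looks like code or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def diff_regions(a: bytes, b: bytes, block: int = 256):
    """Compare two images block by block and merge neighbours into (start, end, identical) runs.
    Only the common prefix (up to the shorter image's length) is compared."""
    runs = []
    n = min(len(a), len(b))
    for off in range(0, n, block):
        end = min(off + block, n)
        same = a[off:end] == b[off:end]
        if runs and runs[-1][2] == same:
            runs[-1] = (runs[-1][0], end, same)
        else:
            runs.append((off, end, same))
    return runs

def analyse(a: bytes, b: bytes, block: int = 256):
    """Per run: offsets, whether the two images agree there, and the entropy of that run in image a."""
    return [{"start": s, "end": e, "same": same, "entropy": round(shannon_entropy(a[s:e]), 2)}
            for s, e, same in diff_regions(a, b, block)]

def prng_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted image body."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

# Constructed sample images (not real SanDisk dumps): a shared 1 KiB low-entropy
# "boot loader" stub followed by a body that differs between the two versions.
BOOT = (b"SDWS2 bootloader v1 " * 64)[:1024]
FW_A = BOOT + prng_bytes(b"A", 2048)
FW_B = BOOT + prng_bytes(b"B", 2048)

if __name__ == "__main__":
    for r in analyse(FW_A, FW_B):
        tag = "identical" if r["same"] else "differs  "
        print(f"0x{r['start']:06x}-0x{r['end']:06x} {tag} entropy={r['entropy']:.2f} bits/byte")
```

On real dumps, replace FW_A and FW_B with the bytes read from the two image files; a smaller block size gives finer run boundaries at the cost of noisier entropy figures.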


Devilsclaw, you are amazing. How did u pop the case off? You obtained more info and coded a button inject exploit within, what, like a day? I wish I had half your talent, and I feel like, Wayne's World style, "We're not worthy", for I bow to ya sir!

Edited by Nayheyxus

First step to popping off the case is popping off the USB shield.

You will notice on the slider rail for the USB cover there are legs. I used a small flat head screwdriver that fit width-wise in the rail. With the USB cover fully hiding the USB plug, I pushed the flat head under one side and unseated it, then I held it in the unseated state and did the same on the other side.

Now the plastic cover needs to be popped open from the side of the USB plug, gently; you have to do both sides of the plug. Now, on the bottom half (the top being the side with the button) where the sliding rails are, gently push the flat head to the bottom side of the case, both sides. Now you need to use the flat head and push with more pressure, being on the bottom half of the case in the case split, and pop open parts of the case all around the device.

This will get the device open.

BTW: here is the documentation on the USB Lithium-Ion battery charger.

Part Number: CDU TI 42i

http://www.ti.com/lit/ds/symlink/bq24072.pdf

When you pop open your case you will see a set of resistors that are not populated. I am guessing at the moment that if they are configured differently it will power up the device in a different state that might allow direct programming of the device; they have to get the firmware on there initially somehow, either via a chip programmer before it's stuffed on the device or with it fully intact. I'm guessing the latter.

Edited by devilsclaw

Disassembling the 32, will post in a moment.


I found out more about the processor:

AT32UC3A4256S, which is a 100-pin (FBGA) and has 256 kilobits of internal flash that can be protected.

The internal flash must have the boot loader, which then loads the rest of the firmware from the 2MB flash chip.

The CPU also supports AES encryption at the hardware level, which is most likely what the firmware is encrypted with.

If the internal flash is protected then there most likely is no way to read out the boot loader, which would mean no way to decrypt the main flash.

If that is the case, which I will try to figure out, then the only option would be to create a new firmware from scratch and replace the internal firmware, and the main.

Only time will tell.


The arrangement of the resistors on rt1 seems like it could be for debugging.

