Hacking Transcend Wifi SD Cards

[Pablo] is a recent and proud owner of a Transcend WiFi SD Card. It allows him to transfer his pictures to any WiFi-enabled device in a matter of seconds.

Suspecting that some kind of Linux was running on it, he set out to see if he could get root access on it… and succeeded.

His clear and detailed write-up begins by explaining how a simple trick allowed him to browse through the file system of the card, which (as he guessed correctly) runs busybox. From there he was able to check whether any of the poorly written Perl scripts had security holes… and got more than he bargained for.

He first thought he had found a way to make the embedded Linux launch user-provided scripts and execute commands by making a special HTTP POST request… which failed due to a small technicality. His second attempt was a success: [Pablo] found that the user-set password is inserted directly into a Linux shell command. Therefore, the password “admin; echo haxx > /tmp/hi.txt #” could create a hi.txt text file.
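The flaw described above, side by side with a fixed form, as an added example (not code from [Pablo]'s write-up or from the card's firmware). The function names, the scratch directory and the allowed character set are assumptions made for the demonstration; `sh -c` stands in for a script that hands a command line to the shell as one string.

```shell
#!/bin/sh
# Added example: hypothetical stand-ins for a handler that stores the
# user-set password by running a shell command.

DEMO_DIR=$(mktemp -d)            # scratch directory; nothing outside it is touched
trap 'rm -rf "$DEMO_DIR"' EXIT

# Vulnerable pattern: the password is pasted into a command string that a
# second shell parses, so ';', '>' and '#' in the password become syntax.
save_password_vulnerable() {
    sh -c "echo $1 > $DEMO_DIR/passwd"
}

# Hardened pattern: the command string is constant and the password travels
# as a positional argument, so the inner shell only ever treats it as data.
save_password_hardened() {
    sh -c 'printf "%s\n" "$1" > "$2"' sh "$1" "$DEMO_DIR/passwd"
}

# Defence in depth: refuse anything outside a conservative character set.
# (The set and the 63-character limit are assumptions for this demo.)
password_is_acceptable() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# The password quoted in the article, with the marker file moved into the
# scratch directory (constructed sample input).
PAYLOAD="admin; echo haxx > $DEMO_DIR/hi.txt #"

run_demo() {
    rm -f "$DEMO_DIR/hi.txt" "$DEMO_DIR/passwd"
    save_password_vulnerable "$PAYLOAD" >/dev/null
    if [ -e "$DEMO_DIR/hi.txt" ]; then
        echo "vulnerable: the text after ';' ran as a command"
    fi
    rm -f "$DEMO_DIR/hi.txt"
    save_password_hardened "$PAYLOAD"
    if [ ! -e "$DEMO_DIR/hi.txt" ]; then
        echo "hardened: stored verbatim: $(cat "$DEMO_DIR/passwd")"
    fi
    if password_is_acceptable "$PAYLOAD"; then
        echo "validator: accepted"
    else
        echo "validator: rejected"
    fi
}

run_demo
```

In the vulnerable form the trailing `#` also comments out the intended redirect, so the password file itself is never written.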

From there things got easy. He just had to make the card download another busybox to use all the commands that were originally disabled in the card’s Linux. In the end he got the card to connect a bash shell to his computer so he could run any command he wanted.

As if that were not enough, [Pablo] even discovered an easy way to find the current password of the card. Talk about security…

94 thoughts on “Hacking Transcend Wifi SD Cards”

    1. Also,

      “One of the scripts (rcS.p) which is run on startup automatically executes autorun_fu.sh if it is placed in the root of the SD card. This will ease development and further hacking. Thanks, Transcend!”

  1. As far as I’m aware, nobody’s really gotten into the (slightly cheaper but infinitely suckier) eye-fi cards, right? There’s some hacking activity around the periphery, but nobody’s opening up the in-card OS like Pablo’s doing to the Transcend.

    This is one of the cooler developments I’ve seen lately. Every hacker who sees an eye-fi has a zillion ideas for it, and it can’t do any of those things. I figure it’s now merely a matter of weeks until the Transcend is hacked to do all those things and more.

    1. Hi Nate, this is Pablo. I can’t confirm it, but I think most wifi SD cards are running a similar variant of the same codebase, so I’m betting they are all vulnerable in the same way. At least another variant of SD cards I didn’t know of until recently, PQI Air, are running almost the same code.

      1. Hi Pablo,

        The Flucard Pro wifi SD has a serial connection on the PCB.
        I know it’s a big ask, but could you open the case please and check if the Transcend has the same port ?
        That just takes the hacking possibilities to a whole new level !!

      2. Gentlemen, is it possible to hack a wi-fi SD card to allow it to “receive” an image stream? All of the uses for these seem to focus on getting images “off” the card from a camera.. I’d like to get images “on” the card for a picture frame. Seems like this would be a popular use case… thanks!

    2. I would be interested. I had one for my palm ages ago when they first came out. Had to cobble a good bit of that to even get it to work (bad disconnect issues iirc) but that was PalmOS. Ended up bluetooth wapping not long after that and sold the wifye to upgrade my moto razr. Not sure about using it with anything else so I guess my comment is pretty useless as is my memory lol.

      Kudos to Pablo for getting in there and rooting around ;)

  2. hahaha. Thank you. An extremely interesting article to read and I had a good laugh about the implementation of the login methods of the card *YMMD*

        1. It’s sending pictures, not doing anything that lives depend on. That’s a private namespace IP, so you’d have to be connected to the card’s wifi to exploit it.

          Yes, if you can get that close, you could maybe install some monitoring software or something like that, but you’d have to do it whilst the camera was switched on. With the range these things have, that’s practically physical access.

          I can think of at least one way of doing it, with preparation, but let’s face it – if a cracker has physical access, you’ve lost anyway. If your photos are that sensitive, you shouldn’t be using a wifi card.

          1. A hacker, knowing the password, could put an autorun.inf or an executable file that looks like an interesting jpeg file on the card and own the photographer’s PC.

    1. I dunno but something makes me think there’s a lot of flash.

      Realistically the CPU’s almost certainly an ARM, because what else is there, and because that’s what a lot of normal storage-only SD cards use. And because it’s arguable which has the most developed and mature Linux, ARM or x86.

      But that’s just a guess. HAD did a nice article a while back about a factory that makes SD cards. They manipulate the tiny, rice-grain sized ARM MCU into the casing, along with the flash itself, using a tool that looks a lot like a wooden chopstick with a notch cut in the end. Raw, uncased ARM silicon, in both cases. Either the room’s just not that dusty (certainly not a clean-room, no masks on the staff), or they can cope with whatever rate of failures they get.

      It’s impressive the ARM was created by a team of 2 or 3 people in Cambridge, their first CPU, as an improvement for the BBC Micro. At the time it was 4x the speed of comparable chips made by companies like Intel and Motorola that had a decade or more of history, and a huge staff full of PhDs. *Indian* PhDs too! And we know how good they are at CPU design.

      1. It is definitely an ARM MCU, in fact it is an ARM V5, because the author was able to upload a non-crippled busybox binary compiled for ARM V5

      1. The hardware java is useless. There is only 1 runtime for it, which is not free. And even getting the documentation for the java core in it requires an NDA.

  3. Are you telling me, we have now a fully functional WiFi+SD dongle for sensor data harvesting systems? Does it work with only power supplied (a wireless memory stick!)? Does the kernel have any kind of access to IO ports? How does power consumption looks? That would be the smallest and cheapest mobile platform with plenty of storage memory and WiFi abilities I have ever seen. Woah!!

    1. This is a very interesting question. I believe SD cards use SPI. So if the card will run on its own just by injecting power you should be able to run any devices that work on SPI. Plus, since there’s all that storage inside, the hack really just needs to get the system to execute a script file stored there.

      I want to see this done sooooo badly!

      1. I’m also extremely excited about the possibilities!

        Although it’s a tiny bit frustrating that people are ripping into the “security” of this thing. I doubt they care at all about people getting access to the system underneath. Someone could copy the data off by simply plugging the SD card into their computer so it’s not something they had to worry about.

        Not every company is obsessed with preventing customers from tinkering with their hardware.

        1. I think that there is a sizable market for something like this. Perhaps it will be small at first since only hackers would be interested or have the knowhow to do this. But imagine the possibilities of having an SD card sized microcontroller with built in WiFi. There is already SPI– would it be possible to reconfigure these as GPIO? A lot of projects that use a WiFi enabled Arduino could probably switch to this. The small size and low power consumption would probably open up even more possibilities. Lower price points with less storage?

          Transcend, please see this as a possibility rather than just a hole to be plugged.

          1. SPI is most likely a black box from linux side – driver just sets up dma transfers between this black box and flash
            still good enough for connecting atmega/pic and bitbanging fat SPI host between them

        2. SPI port is accessible on most AVR chips – you can grab an SD card shield for an arduino and use the SDfat.h library to read files from the card, and do something based on them. Like (pseudo code)

          File f = SD.open("/sites/hackaday.com");
          while (!f.available()) { delay(100); } // wait for the "file" to get data
          while (f.available())
          {
            byte fileByte = f.read(); // next byte the card wrote into the file
          }

          Basically using the file system to map the arduino’s I/O to your card’s ability to write arbitrary files.

      2. SPI is just one of several modes which can be used to access SD cards and so it must be supported by this card as well. However, SD cards can only act as an SPI slave and not as the master. I have no idea whether this is fixed by the hardware or can be reconfigured in software. Being able to reconfigure (some of the) pins as GPIO, tty, SPI master or i2c master would really make this device well suited for a variety of applications. But without any kind of communication except WIFI the use of these cards is quite limited.

        1. If SPI or any other communication possibilities are unreachable, there is still a “lock” switch. I mean, that it is a hardware switch, so there must be an easy approach to read its state. Bitbanging this one might be a way to go (yet quite inconvenient).

          1. As far as I can tell, lock switches on SD cards are not actually electrical; they simply block something on the reader (not even the card itself), which tells it to let it write.

          2. The lock of SD cards is just a piece of plastic and has no electrical connection to the card. The lock is supposed to be read out and honored by the card reader e.g. using a light barrier. Many cheap card readers don’t honor the lock switch at all.

    2. It lacks the space for a normal 3dbi antenna, it probably doesn’t use 100 mW of transmit power either … so range is going to be smaller than with normal WiFi solutions.

  4. A big THANK YOU to Transcend for releasing flawed product!

    Kudos to Pablo for unlocking something with a lot of potential.

    1. How is it a flawed product? Because it doesn’t have NSA-style security? Sounds like they released a good product that can be made GREAT with a little hacking! Either way, thanks are due ;-)

    1. Oh god, that’d be awesome! Attach a few into various household objects with tiny power supplies, or just into toys with batteries. Bury a couple in the garden (maybe with a small wire antenna!). Let The Man come and take away your data then!

      Is it possible to have them powered-off most of the time, switching on to wait for a specific coded Wifi packet? So you know exactly when, 1 minute in 20, to transmit. Other than that they’re undetectable, and never transmit til they’re first told to.

      Another idea for power, fit a tiny Li polymer battery in there. In fact one of the main ideas of Li polymer was being able to make the case into the battery. Have the whole thing be a battery! Just room for the chips and wiring. It can charge up when it’s plugged in to whatever device.

  5. “telnetd -l /bin/sh &” in a file called “autorun.sh” in the root of the card is slightly easier. ;)

    Also, it appears that this particular card does not work with hosts that want to use SPI mode – at least my code thinks that it never responds to the initialisation sequence that works fine with a lot of other cards.

  6. This gives me hope that someone like Pablo will unlock the sucky first generation Eye-Fi cards so I can send pics directly to my Nexus 7 like the newer versions claim to do. Not familiar with the Transcend but currently I have to go through my wi-fi network…up to the web…then back to my PC just to use the damn thing!

  7. OMG those scripts are embarrassing. Literally first year CS majors should write better code. Maybe they intentionally left them open?

    1. Providing information on the form at your link, then pressing the “Download” button, only takes me to a page containing this (binary) information:
      “���դ@�U ! dlcenterdlcenter”

      1. Okay, the download started when I copied the full URL (up through the .zip) to the web browser address bar instead of clicking the broken link above. Pressing the “Download” button then started a 56MB download (now in progress)…

    2. Does that come with the scripts? Or any ability to install your own versions?

      GPLv2 might get you the code, but not the means to run it … only GPLv3 does that.

    3. no, this is a bullshit “here is a busybox sourcefile, now fuck off” link
      GPL states you need to provide working makefiles that let you compile whole thing, not raw sourcefiles without your patches

    4. They need to post the sources for u-boot too as well as the appropriate .config files to build u-boot/busybox/kernel.

      THEN they will be welcomed into the GPL compliant (well mostly) world.

    1. It’s not nearly as limited as you think. That’s easily enough to run a very small web server that supports shell or perl cgi, a dropbear ssh daemon and busybox cron. You might be able to do a bit of lightweight graphics processing on pictures that end up on the filesystem. I don’t know if you’d be able to run motion (a piece of motion detecting software) on it in realtime, but it should work with a long enough interval between shots. In the no-GUI embedded Linux world, 32MB of RAM is actually quite a lot. Linux has been successfully running very well on machines with only 16MB and I know it runs to some extent (though probably with no web server) on machines with as little as 8MB of RAM.

        1. That’s the crux of it. Linux is overall a heavier OS than whatever was on the PSP. And it’s not just the OS that is heavier, but also the userland tools. Still, there’s a ton of cool stuff one could accomplish. For example, it should be straightforward to put a simple bootloader on the card itself that the host machine can run, then the Linux/ARM part of the card could go and grab a complete filesystem package and install it to the card to boot the machine. I suppose you could do a lot of that with a regular SD card, but this would reduce the amount of setup code that needed to happen on the host computer. (Don’t bother picking apart the idea too much, it’s just something I thought up a couple minutes ago).

          1. 32MB Linux installations were standard not even 10 years ago. The last time I saw such a webserver was in 2003.

          2. hmm.. it’s 2013 already, time flies. So 32MB was obviously not standard 10 years ago, more like 15 years? :-)

      1. Also /w that 16GB of flash you could prolly setup a hefty swap file/partition…Depending on how the embedded system accesses the storage that is.

  8. This is great, now you have a cheap way to get storage and wifi on your teensy or pie. and some extra cpu cycles too.
    Thanks

  9. Hey, I submitted this! :D

    Anyway, I also found this neat card that uses micro SD cards, and it’s pretty much hacked. It’s called the PQI Air Card, and if you put a file named autorun.sh in the root of the SD Card, it will run those commands!

    Here’s the long hacking discovery [translated from Japanese]

    http://translate.google.com/translate?act=url&depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://hitoriblog.com/%3Fp%3D12627&sandbox=0&usg=ALkJrhiPlAyn6K6fiHHkRj3s-cBdebiqMw

  10. I want one that’ll work on Palm OS devices that don’t have built in WiFi. Would also need an SDHC driver. There is such a driver but it’s A. not free and B. uses DRM.

    1. For obvious reason you can, but to be able to access the root of the card, you’d still need a wifi adapter for the pi to connect to the card (the pi will access the card through wifi, not directly through the card slot).

    1. It’s not even similar to the imp. The imp is just a wifi module, which happens to be (confusingly) packaged in an SD-like package that uses an SD-like slot. You can’t treat it like an SD card. It’s like on old PCs when you’d get a scanner that connected through a 6-pin mini-DIN, and then someone tries to plug a mouse into the scanner controller card because it’s the same plug, but it doesn’t work. Being on the same connector doesn’t mean anything! They picked the SD connector because it’s cheap, not because they’re doing anything SD-like.

      The Transcend, on the other hand, is a true SD card, or pretends to be. Hosts that don’t know anything about its wifi capabilities can read and write files to it, and the little linux genie behind the curtain does all the wifi magic unbeknownst to the host.

      Plug an imp into an SD host and it’s not even detected.

      1. Sure, it’s a different featureset. But it’s not too much of a stretch to imagine this thing repurposed into the same space, or even different designs incorporating this kind of device rather than the electric imp.

      2. @Nate: I’d hate to be an ass, but he never mentioned anything about the Imp and this SD card to be similar. Rather the idea of how it *may* be used when this hack gets traction.

        1. Ahh, point taken! I misread. Yeah, they’re not direct drop-ins for each other, but this or something like this could obviate much of the need for the imp. Frankly, I’m more interested in the Carambola2 or HLK-RM04 for that problem-space, because the OS is saner. :)

  11. I wonder if you can even add WiFi penetrating scripts to access people’s WiFi or even access people’s smartphones/laptops/etc. just by using the card; there are so many ideas you can do with this card.

  12. There are other cards like this, which can also be easily hacked. The Flucard for example (most of the info is unfortunately in Japanese, where it was apparently available for two years already).

    1. and also that the Flucard had a TXD/RXD pad out on its PCB !!!!!!!!
      Amazing. Potential full interface!

      Those pads seem not to be present on the PQI according to the Japanese blog.

      Does someone have a Transcend already and can check for serial ??

  13. A wireless enabled SDCard ???
    I can foresee this as being a new security nightmare ( I mean: what happens if it gets inside your laptop, or if somebody uses this remotely to write a corrupted/backdoored firmware image on the sdcard that some cameras/hardware will happily update without second thought ).
    Especially since for now the default Wifi password is 12345678
    But I need one right now :)
    The legitimate/hacking possibilities seem endless.

    A wireless, solarpowered pico dead drop in a tictac box is on the making !

    1. The whole purpose of these things is so that you don’t need to stick it into anything like a laptop, it’s to enable your camera to transmit the pictures.
      However, it’s still a security nightmare since many of them require you to use the company’s servers via proprietary software I gather, and yeah there goes your freedom liberty and privacy.. Especially if those servers run through or are in the US obviously.

  14. These cards are pretty cool, I’d imagine there is some signing or write-protect somewhere to protect bootrom etc..

    Someone told me there is a 32GB and 64GB 802.11ac suite of xSD cards coming soon.

  15. I found some post, that it is Atheros AR6003, so linux driver ath6kl doesn’t support monitor mode or injection of packets ;(

  16. Did anyone try powering this card externally (i.e. pin 4 and 6 to usb power and the rest of pins to the host) to boot the firmware? The spec says it requires 2.8-3.7v. I want to use this card in my cpap machine (it has SD card slot to store sleep data) and remotely scp the data daily to my linux desktop but this card does not boot on my cpap machine. I have already set up this card so I can scp files from it (if you are interested for ssh access you can read my howto here: http://blog.selvans.net/2014/05/howto-setup-keybased-ssh-scp-to.html ) and it works great in camera. Unfortunately, I suspect the SD card slot on the cpap machine does not provide enough power to boot the firmware and I am looking into powering it via external USB power. Love to hear if anyone tried or had success in powering this externally.
