Hacking Transcend Wifi SD Cards

[Pablo] is a recent and proud owner of a Transcend WiFi SD Card. It allows him to transfer his pictures to any WiFi-enabled device in a matter of seconds.

As he suspected that some kind of Linux was running on it, he set out to see whether he could get root access on it… and succeeded.

His clear and detailed write-up begins by explaining how a simple trick allowed him to browse through the card’s file system, which (as he guessed correctly) is running busybox. From there he was able to check whether any of the poorly written Perl scripts had security holes… and got more than he bargained for.

He first thought he had found a way to make the embedded Linux launch user-provided scripts and execute commands by making a special HTTP POST request… which failed due to a small technicality. His second attempt was a success: [Pablo] found that the user-set password is inserted directly into a Linux shell command. Therefore, the password “admin; echo haxx > /tmp/hi.txt #” could create a hi.txt text file.
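The flaw described above, shown next to two fixes, as an added example (not code from [Pablo]'s write-up or from the card's firmware). The `echo`/`printf` commands, the function names and the `stored_password.txt` file are assumed stand-ins for whatever the card's script really runs, and the payload is the article's password with a relative path so its side effect stays in a scratch directory.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed input: the password quoted in the article, with a relative
# path instead of /tmp so the side effect lands in a scratch directory.
PAYLOAD = "admin; echo haxx > hi.txt #"
STORE = "stored_password.txt"  # hypothetical file the helper writes


def store_vulnerable(password, workdir):
    """Flawed pattern: the password is pasted into a shell command string."""
    cmd = f"echo {password} > {STORE}"
    subprocess.run(cmd, shell=True, cwd=workdir, stdout=subprocess.DEVNULL)


def store_quoted(password, workdir):
    """Still goes through a shell, but the password is quoted into one word."""
    cmd = f"printf %s {shlex.quote(password)} > {STORE}"
    subprocess.run(cmd, shell=True, cwd=workdir, check=True)


def store_argv(password, workdir):
    """No shell: the password is a single argv element and is never parsed."""
    with open(os.path.join(workdir, STORE), "wb") as out:
        subprocess.run(["printf", "%s", password], stdout=out, check=True)


def run_case(store, password=PAYLOAD):
    """Run one variant in a fresh directory and report what it left behind."""
    with tempfile.TemporaryDirectory() as workdir:
        store(password, workdir)
        path = os.path.join(workdir, STORE)
        stored = None
        if os.path.exists(path):
            with open(path) as fh:
                stored = fh.read()
        injected = os.path.exists(os.path.join(workdir, "hi.txt"))
    return {"stored": stored, "injected": injected}


if __name__ == "__main__":
    for variant in (store_vulnerable, store_quoted, store_argv):
        print(f"{variant.__name__:17} {run_case(variant)}")
```

In the vulnerable variant the shell treats `;` as a command separator and `#` as the start of a comment, so the second command runs and the intended redirect is discarded; in the other two the whole string is stored as the password.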

From there things got easy. He just had to make the card download another busybox in order to use all the commands that were originally disabled in the card’s Linux. In the end he got the card to connect a bash shell to his computer so he could launch every command he wanted.

As if that were not enough, [Pablo] even discovered an easy way to find the current password of the card. Talk about security…

Comments

  1. Addidis says:

    Nice work.

  2. Nate B says:

    As far as I’m aware, nobody’s really gotten into the (slightly cheaper but infinitely suckier) eye-fi cards, right? There’s some hacking activity around the periphery, but nobody’s opening up the in-card OS like Pablo’s doing to the Transcend.

    This is one of the cooler developments I’ve seen lately. Every hacker who sees an eye-fi has a zillion ideas for it, and it can’t do any of those things. I figure it’s now merely a matter of weeks until the Transcend is hacked to do all those things and more.

  3. Tobias M. says:

    hahaha. Thank you. An extremely interesting article to read and I had a good laugh about the implementation of the login methods of the card *YMMD*

  4. jcwren says:

    Good thing the “programmers” at Transcend don’t write code for defense systems, nuclear reactors and space shuttles…

    • Phil Culmer says:

      Not everything needs to be locked up solid. The programmers gave it what it needed, and left out the bloat.

      • kuschku says:

        Quote: “gave it what it needed”

        That’s funny, ’cause they made the password of the root-account public.

        • Phil Culmer says:

          It’s sending pictures, not doing anything that lives depend on. That’s a private namespace IP, so you’d have to be connected to the card’s wifi to exploit it.

          Yes, if you can get that close, you could maybe install some monitoring software or something like that, but you’d have to do it whilst the camera was switched on. With the range these things have, that’s practically physical access.

          I can think of at least one way of doing it, with preparation, but let’s face it – if a cracker has physical access, you’ve lost anyway. If your photos are that sensitive, you shouldn’t be using a wifi card.

          • Kamil Szot says:

            A hacker knowing the password could put autorun.inf on the card, or an executable file that looks like an interesting jpeg file, and own the photographer’s PC.

  5. az1324 says:

    So what is the CPU/RAM on this?

    • Greenaum says:

      I dunno but something makes me think there’s a lot of flash.

      Realistically the CPU’s almost certainly an ARM, because what else is there, and because that’s what a lot of normal storage-only SD cards use. And because it’s arguable which has the most developed and mature Linux, ARM or x86.

      But that’s just a guess. HAD did a nice article a while back about a factory that makes SD cards. They manipulate the tiny, rice-grain sized ARM MCU into the casing, along with the flash itself, using a tool that looks a lot like a wooden chopstick with a notch cut in the end. Raw, uncased ARM silicon, in both cases. Either the room’s just not that dusty (certainly not a clean-room, no masks on the staff), or they can cope with whatever rate of failures they get.

      It’s impressive the ARM was created by a team of 2 or 3 people in Cambridge, their first CPU, as an improvement for the BBC Micro. At the time it was 4x the speed of comparable chips made by companies like Intel and Motorola that had a decade or more of history, and a huge staff full of PhDs. *Indian* PhDs too! And we know how good they are at CPU design.

    • somun says:

      Looks like it’s an ARM (ARM926EJ-S to be more precise).
      http://www.reddit.com/r/netsec/comments/1k4zhz/i_rooted_my_transcend_wifi_sd_card_and_wrote_a/

      The thing has hardware java :)

  6. Filip Jaskólski says:

    Are you telling me, we have now a fully functional WiFi+SD dongle for sensor data harvesting systems? Does it work with only power supplied (a wireless memory stick!)? Does the kernel have any kind of access to IO ports? How does power consumption look? That would be the smallest and cheapest mobile platform with plenty of storage memory and WiFi abilities I have ever seen. Woah!!

    • Mike Szczys says:

      This is a very interesting question. I believe SD cards use SPI. So if the card will run on its own just by injecting power you should be able to run any devices that work on SPI. Plus, since there’s all that storage inside, the hack really just needs to get the system to execute a script file stored there.

      I want to see this done sooooo badly!

      • SlowPip says:

        I’m also extremely excited about the possibilities!

        Although it’s a tiny bit frustrating that people are ripping into the “security” of this thing. I doubt they care at all about people getting access to the system underneath. Someone could copy the data off by simply plugging the SD card into their computer so it’s not something they had to worry about.

        Not every company is obsessed with preventing customers from tinkering with their hardware.

      • Filip Jaskólski says:

        Great news everybody!

        I have found the answer here: http://www.dpreview.com/forums/thread/3366283 (6th post from the top). The card boots with only power supplied! That is something! If only SPI port is accessible, I am buying this one, without any doubts.

        • peter says:

          I think that there is a sizable market for something like this. Perhaps it will be small at first since only hackers would be interested or have the knowhow to do this. But imagine the possibilities of having an SD card sized microcontroller with built in WiFi. There is already SPI– would it be possible to reconfigure these as GPIO? A lot of projects that use a WiFi enabled Arduino could probably switch to this. The small size and low power consumption would probably open up even more possibilities. Lower price points with less storage?

          Transcend, please see this as a possibility rather than just a hole to be plugged.

          • rasz says:

            SPI is most likely a black box from linux side – driver just sets up dma transfers between this black box and flash
            still good enough for connecting atmega/pic and bitbanging fat SPI host between them

          • rasz says:

            what i meant was black box that only exposes sdcard block write/read transfers and hides all the mmc/sdcard/spi commands

        • Starbuck says:

          SPI port is accessible on most AVR chips – you can grab an SD card shield for an arduino and use the SDfat.h library to read files from the card, and do something based on them. Like (pseudo code)

          File f = SD.open("/sites/hackaday.com");
          while (!f.available()) { delay(100); } // wait for the "file" to get data
          while (f.available())
          {
            byte fileByte = f.read();
          }

          Basically using the file system to map the arduino’s I/O to your card’s ability to write arbitrary files.

      • Jakob says:

        SPI is just one of several modes which can be used to access SD cards and so it must be supported by this card as well. However, SD cards can only act as an SPI slave and not as the master. I have no idea whether this is fixed by the hardware or can be reconfigured in software. Being able to reconfigure (some of the) pins as GPIO, tty, SPI master or i2c master would really make this device well suited for a variety of applications. But without any kind of communication except WIFI the use of these cards is quite limited.

        • Filip Jaskólski says:

          If SPI or any other communication possibilities are unreachable, there is still a “lock” switch. I mean, that it is a hardware switch, so there must be an easy approach to read its state. Bitbanging this one might be a way to go (yet quite inconvenient).

          • ad1217 says:

            As far as I can tell, lock switches on SD cards are not actually electrical; they simply block something on the reader (not even the card itself), which tells it to let it write.

          • Jakob says:

            The lock of SD cards is just a piece of plastic and has no electrical connection to the card. The lock is supposed to be read out and honored by the card reader e.g. using a light barrier. Many cheap card readers don’t honor the lock switch at all.

      • tuxfool says:

        Just to clarify: old SD standards do support SPI, but newer ones such as SDHC or SDXC no longer require it.

    • Pinky's Brain says:

      It lacks the space for a normal 3dbi antenna, it probably doesn’t use 100 mW of transmit power either … so range is going to be smaller than with normal WiFi solutions.

  7. HackJack says:

    A big THANK YOU to Transcend for releasing a flawed product!

    Kudos to Pablo for unlocking something with a lot of potential.

    • mjrippe says:

      How is it a flawed product? Because it doesn’t have NSA-style security? Sounds like they released a good product that can be made GREAT with a little hacking! Either way, thanks are due ;-)

  8. six677 says:

    tiny NAS anyone?

    • Greenaum says:

      Oh god, that’d be awesome! Attach a few into various household objects with tiny power supplies, or just into toys with batteries. Bury a couple in the garden (maybe with a small wire antenna!). Let The Man come and take away your data then!

      Is it possible to have them powered-off most of the time, switching on to wait for a specific coded Wifi packet? So you know exactly when, 1 minute in 20, to transmit. Other than that they’re undetectable, and never transmit til they’re first told to.

      Another idea for power, fit a tiny Li polymer battery in there. In fact one of the main ideas of Li polymer was being able to make the case into the battery. Have the whole thing be a battery! Just room for the chips and wiring. It can charge up when it’s plugged in to whatever device.

  9. This might even be the simplest wifi-option for a raspi… (if the sdcard works there..)

  10. Arne Nonymous says:

    “telnetd -l /bin/sh &” in a file called “autorun.sh” in the root of the card is slightly easier. ;)

    Also, it appears that this particular card does not work with hosts that want to use SPI mode – at least my code thinks that it never responds to the initialisation sequence that works fine with a lot of other cards.

  11. smoketester says:

    This gives me hope that someone like Pablo will unlock the sucky first generation Eye-Fi cards so I can send pics directly to my Nexus 7 like the newer versions claim to do. Not familiar with the Transcend but currently I have to go through my wi-fi network…up to the web…then back to my PC just to use the damn thing!

  12. Gdogg says:

    OMG those scripts are embarrassing. Literally first year CS majors should write better code. Maybe they intentionally left them open?

  13. Nate B says:

    Ahh, guys?

    http://www.transcend-info.com/Support/DLCenter/dllogin.asp?Link=dlcenter|Driver|WiFiSD_GPL_release.zip

    The GPL is a glorious thing.

    • geekmaster says:

      Providing information on the form at your link, then pressing the “Download” button, only takes me to a page containing this (binary) information:
      “���դ@�U ! dlcenterdlcenter”

      • geekmaster says:

        Okay, the download started when I copied the full URL (up through the .zip) to the web browser address bar instead of clicking the broken link above. Pressing the “Download” button then started a 56MB download (now in progress)…

    • Pinky's Brain says:

      Does that come with the scripts? Or any ability to install your own versions?

      GPLv2 might get you the code, but not the means to run it … only GPLv3 does that.

    • rasz says:

      no, this is a bullshit “here is a busybox sourcefile, now fuck off” link
      GPL states you need to provide working makefiles that let you compile whole thing, not raw sourcefiles without your patches

    • GPSFan says:

      They need to post the sources for u-boot too as well as the appropriate .config files to build u-boot/busybox/kernel.

      THEN they will be welcomed into the GPL compliant (well mostly) world.

  14. Jakob says:

    Just found some info about CPU and memory over at reddit:

    http://www.reddit.com/r/netsec/comments/1k4zhz/i_rooted_my_transcend_wifi_sd_card_and_wrote_a/

    It’s a 400 MHz ARM with only 32 MB of ram. I didn’t expect a powerful processor (since the SD card package doesn’t allow too much heat dissipation) but 32 MB ram is really quite limited.

    • John says:

      It’s not nearly as limited as you think. That’s easily enough to run a very small web server that supports shell or perl cgi, a dropbear ssh daemon and busybox cron. You might be able to do a bit of lightweight graphics processing on pictures that end up on the filesystem. I don’t know if you’d be able to run motion (a piece of motion detecting software) on it in realtime, but it should work with a long enough interval between shots. In the no-GUI embedded Linux world, 32MB of RAM is actually quite a lot. Linux has been successfully running very well on machines with only 16MB and I know it runs to some extent (though probably with no web server) on machines with as little as 8MB of RAM.

      • six677 says:

        first gen playstation portables only had 32mb of RAM and look what they accomplish graphically, albeit with a damn lightweight OS.

        • John says:

          That’s the crux of it. Linux is overall a heavier OS than whatever was on the PSP. And it’s not just the OS that is heavier, but also the userland tools. Still, there’s a ton of cool stuff one could accomplish. For example, it should be straightforward to put a simple bootloader on the card itself that the host machine can run, then the Linux/ARM part of the card could go and grab a complete filesystem package and install it to the card to boot the machine. I suppose you could do a lot of that with a regular SD card, but this would reduce the amount of setup code that needed to happen on the host computer. (Don’t bother picking apart the idea too much, it’s just something I thought up a couple minutes ago).

          • Erik Johansson says:

            32MB Linux installations were standard not even 10 years ago. The last time I saw such a webserver was in 2003.

          • Erik Johansson says:

            hmm.. it’s 2013 already, time flies. So 32MB was obviously not standard 10 years ago, more like 15 years? :-)

      • assimilat says:

        Also /w that 16GB of flash you could prolly setup a hefty swap file/partition…Depending on how the embedded system accesses the storage that is.

      • Franklin Templeton says:

        pollux

  15. lukes says:

    This is great, now you have a cheap way to get storage and wifi on your teensy or pie. and some extra cpu cycles too.
    Thanks

  16. Coolty says:

    Hey, I submitted this! :D

    Anyway, I also found this neat card that uses micro SD cards, and it’s pretty much hacked. It’s called the PQI Air Card, and if you put a file named autorun.sh in the root of the SD Card, it will run those commands!

    Here’s the long hacking discovery [translated from Japanese]

    http://translate.google.com/translate?act=url&depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://hitoriblog.com/%3Fp%3D12627&sandbox=0&usg=ALkJrhiPlAyn6K6fiHHkRj3s-cBdebiqMw

  17. Galane says:

    I want one that’ll work on Palm OS devices that don’t have built in WiFi. Would also need an SDHC driver. There is such a driver but it’s A. not free and B. uses DRM.

  18. Can someone tell me if you could use this in a raspberry-pi? I am having wonderful thoughts of Wireless IP Cameras running off of Raspberry-pi…

    • TacticalNinja says:

      For obvious reason you can, but to be able to access the root of the card, you’d still need a wifi adapter for the pi to connect to the card (the pi will access the card through wifi, not directly through the card slot).

  19. BartGrantham says:

    I can’t imagine the Electric Imp guys (http://electricimp.com/) being thrilled about this development. It’s certainly a compelling alternative for hobbyist uses.

    • Nate B says:

      It’s not even similar to the imp. The imp is just a wifi module, which happens to be (confusingly) packaged in an SD-like package that uses an SD-like slot. You can’t treat it like an SD card. It’s like on old PCs when you’d get a scanner that connected through a 6-pin mini-DIN, and then someone tries to plug a mouse into the scanner controller card because it’s the same plug, but it doesn’t work. Being on the same connector doesn’t mean anything! They picked the SD connector because it’s cheap, not because they’re doing anything SD-like.

      The Transcend, on the other hand, is a true SD card, or pretends to be. Hosts that don’t know anything about its wifi capabilities can read and write files to it, and the little linux genie behind the curtain does all the wifi magic unbeknownst to the host.

      Plug an imp into an SD host and it’s not even detected.

      • BartGrantham says:

        Sure, it’s a different featureset. But it’s not too much of a stretch to imagine this thing repurposed into the same space, or even different designs incorporating this kind of device rather than the electric imp.

      • TacticalNinja says:

        @Nate: I’d hate to be an ass, but he never mentioned anything about the Imp and this SD card to be similar. Rather the idea of how it *may* be used when this hack gets traction.

        • Nate B says:

          Ahh, point taken! I misread. Yeah, they’re not direct drop-ins for each other, but this or something like this could obviate much of the need for the imp. Frankly, I’m more interested in the Carambola2 or HLK-RM04 for that problem-space, because the OS is saner. :)

  20. JG says:

    If it’s running linux, might gpl require them to publish their firmware?

  21. Evocube says:

    Hmmm. Who’s going to turn this into a parallel processing unit?

  22. I wonder if you can even add WiFi penetrating scripts to access people’s WiFi or even access people’s smartphones/laptops/etc. just by using the card; there are so many ideas you can do with this card.

  23. Hans says:

    There are other cards like this, which can also be easily hacked. The Flucard for example (most of the info is unfortunately in Japanese, where it was apparently available for two years already).

  24. Robert says:

    With insight from the aforementioned Japanese blog, I was able to unpack, modify, and repack the firmware initramfs.

    It’s pretty straightforward: http://www.fernjager.net/post-8/sdcard

    Now, go roll your own distro!

  25. TacticalNinja says:

    Now to buy one before the Transcend guys patch this issue. (which I doubt they’ll even bother)

  26. Robert says:

    A wireless enabled SDCard ???
    I can foresee this as being a new security nightmare ( I mean: what happens if it gets inside your laptop, or if somebody uses this remotely to write a corrupted/backdoored firmware image on the sdcard that some cameras/hardware will happily update without second thought ).
    Especially since for now the default Wifi password is 12345678
    But I need one right now :)
    The legitimate/hacking possibilities seem endless.

    A wireless, solarpowered pico dead drop in a tictac box is in the making !

    • flink says:

      It’d really be something if they could stuff that into a microSD format.

    • Whatnot says:

      The whole purpose of these things is so that you don’t need to stick it into anything like a laptop, it’s to enable your camera to transmit the pictures.
      However, it’s still a security nightmare since many of them require you to use the company’s servers via proprietary software I gather, and yeah there goes your freedom liberty and privacy.. Especially if those servers run through or are in the US obviously.

  27. xorpunk says:

    These cards are pretty cool, I’d imagine there is some signing or write-protect somewhere to protect bootrom etc..

    Someone told me there is a 32GB and 64GB 802.11ac suite of xSD cards coming soon.

  28. Greg says:

    Anyone know if the wifi chipset on this card allows enabling monitor mode?

  29. Greg says:

    I found some post, that it is Atheros AR6003, so linux driver ath6kl doesn’t support monitor mode or injection of packets ;(

  30. flink says:

    Whhheeeeee! There goes my weekly toy budget!

  31. Janna says:

    No monitor mode :(
