Advanced Transcend WiFi SD Hacking: Custom Kernels, X, and Firefox

ts-wifi-advanced

[Dmitry] read about hacking the Transcend WiFi cards, and decided to give it a try himself.   We already covered [Pablo's] work with the Transcend card. [Dmitry] took a different enough approach to warrant a second look.

Rather than work from the web interface and user scripts down, [Dmitry] decided to start from Transcend’s GPL package and work his way up. Unfortunately, he found that the package was woefully incomplete – putting the card firmly into the “violates GPL” category. Undaunted, [Dmitry] fired off some emails to the support staff and soldiered on.

It turns out the card uses u-boot to expand the kernel and basic file system into a ramdisk. Unfortunately the size is limited to 3MB. The limit is hard-coded into u-boot, the sources of which transcend didn’t include in the GPL package.

[Dmitry] was able to create his own binary image within the 3MB limit and load it on the card. He discovered a few very interesting (and scary) things. The flash file system must be formatted FAT32, or the controller will become very upset. The 16 (or 32)GB of flash is also mounted read/write to TWO operating systems. Linux on the SD card, and whatever host system the card happens to be plugged in to. This is dangerous to say the least. Any write to the flash could cause a collision leading to lost data – or even a completely corrupt file system.

[Dmitry] spent even more time fighting with kernel builds. In the end he did emerge victorious. He was able to bring up his own kernel on the WiFi SD card’s ARMv5 controller and run anything he wanted. He tested the system by booting up with X windows forwarding through an SSH tunnel over WiFi. He was even able to get Firefox running in X, albeit very slowly.  The card doesn’t even need to be in a host system – only power and ground are needed to boot and access it via WiFi.

After all this was done, [Dmitry] finally got a response back from one of Transcend’s support engineers.  They are “Uninterested” in complying with GPL, and he is “free to report this to any Linux organization” Ouch! That’s one of the most cavalier GPL violations we’ve seen in a long time.

Update: It looks like Transcend has added u-boot sources to their GPL package. However, [Dmitry] states in the comments that they are still missing kernel config and some of the module sources.

Comments

  1. Alec Smecher says:

    Dmitry, I’d suggest publishing the email trail that ended with Transcend declaring that they would not comply with the GPL. If it’s as flagrant as you make it out to be, I suspect it’ll come back to haunt them.

  2. If things this small are this capable, I fear what the US government has that’s even smaller and probably as featured as a raspi in power by comparison.

    That said, these would make for some interesting dead drop servers if one could come up with a nice waterproof battery pack for it…use it for passing info in a localized area..even better if you find a way to add a better antenna for more wifi range.

  3. Tisper says:

    I agree with Mr. Alec here. It’s like they are stealing work from volunteers.
    I don’t know why companies do that. I’d bet that if they would open up they would get lots of more sales. At least doing it this way, a lot of hackers get to have lots of fun, and the rest of us gets to use a product the way it is meant to be anyways xD

    Report it to the OpenSource world, i bet something can be done =D

    Awesome job here

    • Truth says:

      I’d start here with a violation of the GPL – https://www.gnu.org/licenses/gpl-violation.html

      • Truth says:

        There is an update on the site “UPDATE: after my emails to them and them telling me to go away, it appears they did include the u-boot source code in their GPL zip archive quietly.”

    • Roger Wolff says:

      Apparently the GPL violation is that the sources of the modules are not distributed.
      Weather that is a violation, depends on how you interpret “derived work”. If you take an open source image library and use it to create a file conversion tool, that is clearly a “derived work”. So some people (notably the FSF) started calling “linking” the act of creating a derived work. But that is just their interpretation of the word “derived work”.

      Next comes the question of when are you really linking with a piece of open source? Are you linking with the OS when your closed source binary loads and somehow manages to call the operating system? Most people would agree: No. Similarly, what if you load a module into the kernel? Linus, and he has a thing or two to say in the Linux community, has clarified that: as long as you use the published symbols as entry points into the kernel, loading a module should be considered the same as running a binary in userspace.

      So….. from the information I have, I cannot conclude that transcend violates the GPL by not providing the source to those two modules.

      • NVIDIA and AMD both release their shims for drivers as GPL, while drivers themselves are blobs. This has been declared OK. Direct linking with the kernel (last i heard) was not ok

        • Jasper Janssen says:

          Loading a module is not “direct linking with the kernel”.

        • There is precedent for binary-only driver modules, that I believe the kernel developer leads have said is legally OK but VERY discouraged. As in, “don’t expect us to ever make your life easy”

          Examples of things that include binary-only .ko modules that have proven to be a massive pain for the opensource community but haven’t caused legal trouble for the OEM:
          Samsung’s FSR flash translation layer (Galaxy S family of devices, major pain in the ass that required major work from opensource firmware authors to replace with MTD)
          Samsung’s RFS filesystem driver (Galaxy S family of devices – easily replaced by ext4)
          The ath6k wifi driver module on the Samsung Tab 7 Plus and Tab 7.7

  4. cpct says:

    Wow, when reading the article I thought about getting one of these cards to play with it too, but after reading the last sentences I’m convinced to avoid Transcend from now on.

    • get it anyways. It is a *REALLY* fun toy with lots of uses, and it is *CHEAP* and I did get it to run custom code in every way imaginable, and so can you

      • Nate B says:

        This is the same chip found in the PQI Air Card, right? I wonder if their firmware is any different. (I’m on a cellular connection right now otherwise I’d just download it and diff!)

      • signal7 says:

        Buying it anyway would be the same thing as endorsing a GPL violation, if you ask me. Companies that don’t play by the rules should be sanctioned, regardless of the functionality of the product.

        Besides that – one of my ex-gf’s had a Transcend wireless adapter in her PC which I installed. The thing worked, albeit just barely. I haven’t had a good opinion of companies products since.

  5. Galane says:

    Any chance it’ll work with the Palm OS SDIO WiFi drivers? Combined with the Power SDHC and FAT32 drivers I could finally have *both* WiFi and lots of storage on my Tungsten E2 that I haven’t used in over 2 years…

  6. OldCrow says:

    GPL violations can and should be reported. For example, email to: license-violation@gpl-violations.org . They’re definitely interested and can either take the case or at least assist in taking it forward to the relevant authorities. See http://gpl-violations.org/faq/violation-faq.html for more info.

  7. HackJack says:

    Regarding both internal and external host mounting the FAT32 fs as R/W. If the internal host only writes to pre-existing file and without changing its size. Will it still be an issue?

  8. Xtremegamer says:

    i see a possible cheap solution, could you put it in your car-radio that has a SD-card reader . it then creates a “dummy” sound file so you can stream music via Wifi – just a tought

    • that will work

      • Bob says:

        Plenty of cheap TV’s out there that are not network enabled but do have USB ports for playback of media saved to thumbdrives.
        If one were to put this card in place and create a suitable video file that the TV was able to play, but actually it was a wifi stream coming over.
        Network enabled TV for MUCH less than many of the other solutions out there.

        Pretty much any cheap device which lacks network ability but has a USB interface. LCD picture frames, cheap CCTV recorders. Big list !

  9. Cristian says:

    I’m thinking very expensive Wifi-throwies ? Considering it only needs power and ground to boot up..

  10. Pixel_K says:

    Exellent work ! I added a reference to it to the OpenWRT thread dedicated to the KA2000 cards harcking : https://forum.openwrt.org/viewtopic.php?pid=212845

  11. Coolty says:

    Hey, anyone know what the WiFI AP password is? It shows up as WIFISDV1.6 and 12345678 is not working

    • Ah, I forgot to explain the update process, so unless you read the doc you’ll be lost. Place my file son card. wait 1 min. remove card. reinsert card. wait 6 min (very important). remove card. reinsert card. wait till “wifisd” network shows up. connect to it

      “wifisd1.6″ means card is updating – you cannot connect to it

  12. I’m confused. If they are “uninterested” in complying with the GPL, isn’t it easier for them to not even acknowledge it than to put a woefully incomplete source package up?

    • Greenaum says:

      Maybe they think they’ve done enough to baffle a judge into letting them off, should it ever go to court. There’s little point in sensible engineering-type people discussing the fantasy world that is suing people. And that’s the area of concern.

      • rasz says:

        Not in Germany – afair GPL violations fights in germany by simply going to court, stating their case and getting said companys products BANNED from Import into EU – that works wonders for GPL compliance.

  13. Is it possible to access the I/O pins of the card or is the CPU just connected to the memory?

  14. Robert says:

    Did anyone manage to boot one of these ( Trancend) cards by just applying power without having a full functionning host?

    I tried all kinds of ways for just powering it ( sd card readers on usb chargers or on mintyboost, regulated power directly to the appropriate pins… ) None worked.

    All I could find on this topic seems to indicate that WifiSD cards just won’t boot without a proper usb host, although the other brands seem to do.

    Can anybody confirm their experience ? can those exact cards be booted with just power applied ? Does the line that mentions it in the linked article has to do with the kernel being changed? or should it work out of the box ?

    This device has tons of potential uses, but most of them depend on this being possible.

    • Charles says:

      I have tried tirelessly to make mine boot, even while talking to it. I’ve tried talking in SPI mode, but it ploughs over my commands, so writes get corrupted. I tried booting it using the SD command set, I seem to be able to get it to read, but still no dice. This card does NOT want to boot up. I tried emailing them, but they refused to give me any additional help.

      • Robert says:

        Did you try accessing it through serial port or used any other form of debugging ( such as boot scripts writing to a logfile on the data partition ) that could indicate at which stage it hangs ?

      • rasz says:

        “Ok, FWIW to make the card boot standalone, without being plugged into a host:
        KA2000#setenv bootalone ‘go 208000′
        KA2000#setenv bootcmd
        KA2000#setenv bootcmd ‘run set_bootargs; run bootalone’
        KA2000#saveenv”

        • Charles says:

          How would I go about doing so from a command-line in a booted system? Also, I would prefer to find how to mimic a real system. I have tried a multitude of solutions to talking to the card, and I am finding more and more ways the card is out-of-spec. I.e. it claims it will only use 100mA, and even if you offer it more, it rejects you and says everything is fine :-p.

  15. Dodo says:

    I don’t understand why these people who don’t want to release sources don’t simply use embedded FreeBSD… It is as easy to port to embedded targets (to arm at least) as linux and you do not need to give corporate know-how away. The feature set is comparable to linux for a device like this. The BSD codebase is slightly cleaner (imho), but that doesn’t matter much if you only need to add some modules.

    It’s actually stupid, there probably is little of value in this card a competitor could use except the WiFi driver. For some reason WiFi chipset vendors absolutely don’t like the source of there drivers public.

  16. HelToupee says:

    I’m glad I read this. I’m in the market for a WiFi SD card ever since my camera got stolen out of my car with my Eye-Fi in it. I’d been looking into this card in particular, due to the community’s work in hacking it. I believe very strongly that the GPL is a good thing, and not complying with it undermines all the work countless programmers have donated to the cause, so I won’t be buying any more Transcend products.

    • Nate B says:

      Tell me you plan to put a phone-home (and report the MACs of nearby wifi networks) function on this thing? So in case it’s stolen again, you can track it down. :)

      • freax says:

        That actually is a nice idea. With googles location API, you can then find the location (it allows you to feed it timestamped data of seen wifis and it uses the algorithms also used in android phones to give you an approximate position). Only problem is that needs to find an open WLAN to call home.

  17. ejonesss says:

    in theory you could get around the 3 meg limit by using symbolic links or aliases.

    just as you make a shortcut in windows to point to an external drive or alias on the mac or meta file on the web couldnt you make something on the firmware partition to point to the user partition where the binary could live?

    or if you can back up the firmware and completely repartition the card to make the firmware partition bigger and flash the firmware back via something like a normal restore on the mac like you would do to build a boot disk for a hackintosh.

  18. rasz says:

    How is the wifi transfer speed of this card?
    can it stream >10Mbits from the SD to remote host?

    this card + cheapest loop recording keychain #808 camera = instant networked camera

  19. Fallen says:

    I’m interested in these, but the cheapest I can seem to find is $60 or so. Which is a little much since I just want to screw around with them. Not to sound cliche or anything, but you could get the parts to build a little 32 gig wifi server for that (although good luck making it that small ahah)

  20. potatoman412 says:

    Can’t help but think of how similar this sounds to my problems with VIA8650 wmt android tablet i had. Ran 1.6 and was the hardest thing in the world to get to boot and root. It wouldn’t even take uberoid so I ended up digging around the uboot numbers and this story is dragging on. In the end I was very much upset at the lack of support the same as Dmitry and the uboot woes rung a bell. Kudos for persevering and interested to finish reading as I ironically recover from the second kidney stone surgery (the first of which led me to reading endless forums on the device lol). Thanks :)

  21. hospadar says:

    You gotta be careful hacking in the transcend, you might accidentally awaken a perversion that swallows up the entire beyond. Eh? Fire upon the deep anyone?

  22. Not Linus Torvalds says:

    The article spends a lot of time complaining that the module source isn’t available, but Linus Torvalds himself does not think the GPL should apply to all kernel modules. If you claim it’s GPL via MODULE_LICENSE(“gpl”) then you get access to more symbols and functions, but short of that, he does not have a problem with non-GPL modules.

    • Dave G says:

      Linus is not a lawyer and did not write the GPL, in fact the writer of the GPL fairly dislikes Linus. Remember Linus took credit for Linux completely disregarding the other %99 of GNU/LINUX. The GPL is a legal document that a lot of lawyers spent a lot of time locking down definitions of, it is not open for interpretation if they do not want to follow the GPL they are free to write their own. Take a watch of Revolution OS if you forget the 90′s.

    • Adam says:

      The issue here isn’t with new non-GPL modules though. The issue is that Transcend haven’t released the GPL source code (as they are obliged) that other people have kindly made available to the community.

  23. notmyfault2000 says:

    Is it possible to partition the thing, so that the first partition is FAT32 to keep the controller happy, and the second is ext? It might need some poking the FAT32′s bootsector to combine it with an MBR, but other than confusing some tools I don’t see why it can’t be done…

  24. TacticalNinja says:
  25. Pocket beowulf cluster says:

    Ok, so now just need a hack to expand http://www.lexar.com/workflow to more than four ports so that one could have a battery powered, pocket sized beowulf cluster of transcent SDHC’s!
    At least that should in theory give one enough power to do something like
    Leapcast ( https://github.com/dz0ny/leapcast ) perhaps?
    Or alternatively, should be able to utilize the SDHC’s to make/drive
    video glasses such as ( http://geeknizer.com/diy-build-google-glass/ )
    with led screen(s) that have a reasonable battery life.

    • John says:

      Maybe I’m missing what you’re getting at, but in terms of power/price the PandaBoard is well ahead of even 4 of these things, and has gobs more RAM and lots of I/O options.

      • SDHC powered example says:

        Concept: Take aforementioned SDHC ‘linuxable” WiFi card, add lego block
        pin hole camera, nitrol wire, and appropriate conductive ink pattern for solar
        cell power to paper air plane that under the right lighting conditions can now
        be steared via phone accellerator while taking in the birds eye view.
        BandaBoard would require a fairly large paper airplane even before
        adding in power requirements as compaired to utilizing the SDHC small
        form factor

      • SDHC powered example says:

        WiFi card is a lot lighter on the glass rims than a Pandaboard.
        Although in all fairness, Using the wifi card attached to DIY led glass display
        as a way to feed video to/from the pandaboard would likely be a better way to go.

  26. Whatnot says:

    So on that dual access to the filesystem, can’t it flag things as ‘in use’ and force exclusive access to prevent a conflict? Do they really leave it to chance?

    • Drone says:

      Yes, it is possible to protect files from being accessed by two processes at the same time. I n Unix/Linux think they’re called “locks”. There are at least several types of locks available. But I don’t know if this is something the Transcend developers are using.

  27. PrincessArial says:

    Any way it can work without requiring configuration files on the FAT partition? There are sensors that won’t work if “foreign” files exist on the SD card.

  28. Great work. Finally i got this. i’ve also a little bit info about firefox on this site: http://www.ComeToHack.com/

  29. Craig says:

    I’ve bought a hell of a lot of Transcend products over the years and often recommended their stuff to others but such blatant and wilful GPL violation is disgusting. I won’t being giving them a single dollar more until they get their heads out of their asses and make this right.

    FUCK YOU TRANSCEND.

    • CNLohr says:

      It’s really not that bad. I am really frustrated. Transcend FINALLY LETS HACKERS PLAY WITH THEIR STUFF, unlike EVERYONE ELSE. Because we can play with it, we’ve found something that they may be under NDA not to disclose, and now, because they were nice enough to give us this access, they have to suffer? We should be thanking them and understanding. It’s not like they modified core kernel code. This is hardly different from the Nvidia propreitary drivers!!!

  30. geekmaster says:

    I partitioned mine with gparted, using a 5GB FAT32 and a 9GB ext4. There was no “firmware partition”. I have Magic Lantern on it which works with my Canon EOS DSLR camera, and I also use it to boot my Raspberry Pi. For the Pi, I can update the 6GB FAT32 partition (swapping “native mode” kernels and such) over Wi-Fi. Sweet!

    It should be possible to do a simple “store and forward” messaging system (like email in the olden days), even without hacking it. But better to customize the card firmware and set up some kind of Wi-Fi tethering for the Pi, I think…

    I have my Rift head tracking and my Razer Hydra working on my RasPi, and I plan to do some kind of Wi-Fi proxy or something using this card…

    • geekmaster says:

      I love swapping RasPi kernels over WiFi without removing the SD card from the Pi. It make kernel debugging so sweet. Of course, I need a RasPi reset switch. Cutting power to the Pi to reboot means I also need to reconnect to the SD WiFi and login again (with Dmitry’s password). ;)

      Now, I just need to get a communications channel going between the SD card processor and the Pi. For now, sending message packets through a shared file is a viable (but dirty) hack…

      • geekmaster says:

        Meh.. The FAT filesystem gets inconsistent if I write files from both sides. The SD card (via SSH) only sees the changes it made and does not see those from the Pi or from WiFi, not even after doing a sync. Likewise, the external connections do not see changes made by the SD card processor (ssh) until after the card is rebooted, and then some stuff might be missing. There must be a better way. I wonder how a camera saving photos to it does not confuse it…

  31. Cannibal Flea says:

    Just a question, how does one set the date and time on this device. There is no ntp client available and the system resets everytime the device is turned off. Any ideas?

  32. David Lang says:

    Just a note that there is now a 1.9 firmware (newer than what Dimitry knew about when he updated his post (and his initial work was done on the 1.6 firmware)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s