Advanced Transcend WiFi SD Hacking: Custom Kernels, X, And Firefox

[Dmitry] read about hacking the Transcend WiFi cards, and decided to give it a try himself. We already covered [Pablo’s] work with the Transcend card, but [Dmitry] took a different enough approach to warrant a second look.

Rather than work from the web interface and user scripts down, [Dmitry] decided to start from Transcend’s GPL package and work his way up. Unfortunately, he found that the package was woefully incomplete – putting the card firmly into the “violates GPL” category. Undaunted, [Dmitry] fired off some emails to the support staff and soldiered on.

It turns out the card uses u-boot to expand the kernel and basic file system into a ramdisk. Unfortunately, the size is limited to 3MB. The limit is hard-coded into u-boot, the sources of which Transcend didn’t include in the GPL package.

[Dmitry] was able to create his own binary image within the 3MB limit and load it on the card. He discovered a few very interesting (and scary) things. The flash file system must be formatted FAT32, or the controller will become very upset. The 16 (or 32)GB of flash is also mounted read/write to TWO operating systems: Linux on the SD card, and whatever host system the card happens to be plugged into. This is dangerous to say the least. Any write to the flash could cause a collision leading to lost data – or even a completely corrupt file system.
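The collision described above can be reproduced in a toy model. This is an added example, not code from [Dmitry]'s write-up or from Transcend's firmware; the cluster count, file names and caching behaviour are assumptions chosen to show two writers that each trust their own copy of the FAT, plus an fsck-style check that flags the resulting cross-linked cluster.

```python
# Added illustration: a toy FAT volume shared by two hosts that each cache the
# allocation table. Cluster count, file names and caching model are assumptions.
FREE, EOC = 0, -1  # FAT markers: unallocated / end of chain


class Flash:
    """The shared medium: one FAT, one root directory, raw data clusters."""
    def __init__(self, clusters=8):
        self.fat = [EOC, EOC] + [FREE] * (clusters - 2)  # clusters 0-1 reserved
        self.root = {}                                   # file name -> first cluster
        self.data = [b""] * clusters


class Host:
    """A mounted OS: reads the FAT once at mount time, then trusts its copy."""
    def __init__(self, flash):
        self.flash = flash
        self.fat = list(flash.fat)
        self.dirty = {}  # directory entries created by this host

    def write_file(self, name, chunks):
        prev = None
        for chunk in chunks:
            c = self.fat.index(FREE)    # "free" according to the stale cache
            self.fat[c] = EOC
            if prev is None:
                self.dirty[name] = c
            else:
                self.fat[prev] = c
            self.flash.data[c] = chunk  # data is written straight to flash
            prev = c

    def sync(self):
        self.flash.fat = list(self.fat)     # FAT rewritten from the cached copy
        self.flash.root.update(self.dirty)  # only this host's directory entries
        self.dirty = {}


def chain(flash, first):
    """Follow a cluster chain, stopping at end-of-chain, a free entry or a loop."""
    out, c = [], first
    while c not in (EOC, FREE) and c not in out:
        out.append(c)
        c = flash.fat[c]
    return out


def read_file(flash, name):
    return b"".join(flash.data[c] for c in chain(flash, flash.root[name]))


def find_crosslinks(flash):
    """fsck-style check: clusters claimed by more than one file."""
    owners = {}
    for name, first in flash.root.items():
        for c in chain(flash, first):
            owners.setdefault(c, []).append(name)
    return {c: sorted(n) for c, n in owners.items() if len(n) > 1}


def demo():
    flash = Flash()
    camera, card = Host(flash), Host(flash)  # host device and on-card Linux
    camera.write_file("IMG_0001.JPG", [b"JPEG-part-1", b"JPEG-part-2"])
    camera.sync()
    card.write_file("log.txt", [b"boot log"])  # card's cache predates the photo
    card.sync()
    return flash


if __name__ == "__main__":
    f = demo()
    print(find_crosslinks(f), read_file(f, "IMG_0001.JPG"))
```

In this model the photo's directory entry survives but its first cluster now holds the log, and its second cluster is marked free in the FAT even though it still contains image data.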

[Dmitry] spent even more time fighting with kernel builds. In the end he did emerge victorious. He was able to bring up his own kernel on the WiFi SD card’s ARMv5 controller and run anything he wanted. He tested the system by booting up with X windows forwarding through an SSH tunnel over WiFi. He was even able to get Firefox running in X, albeit very slowly. The card doesn’t even need to be in a host system – only power and ground are needed to boot and access it via WiFi.

After all this was done, [Dmitry] finally got a response back from one of Transcend’s support engineers. They are “Uninterested” in complying with GPL, and he is “free to report this to any Linux organization”. Ouch! That’s one of the most cavalier GPL violations we’ve seen in a long time.

Update: It looks like Transcend has added u-boot sources to their GPL package. However, [Dmitry] states in the comments that they are still missing kernel config and some of the module sources.

95 thoughts on “Advanced Transcend WiFi SD Hacking: Custom Kernels, X, And Firefox”

    1. In his writeup page the email address contacts for the 2 representatives he contacted are listed. I’d put them here but that might break rules. You can report them if you like. I’d do it but I’m not that savvy with the rules of the GNU.

  1. If things this small are this capable, I fear what the US government has that’s even smaller and probably as featured as a raspi in power by comparison.

    That said, these would make for some interesting dead drop servers if one could come up with a nice waterproof battery pack for it…use it for passing info in a localized area..even better if you find a way to add a better antenna for more wifi range.

  2. I agree with Mr. Alec here. It’s like they are stealing work from volunteers.
    I don’t know why companies do that. I’d bet that if they would open up they would get lots of more sales. At least doing it this way, a lot of hackers get to have lots of fun, and the rest of us gets to use a product the way it is meant to be anyways xD

    Report it to the OpenSource world, I bet something can be done =D

    Awesome job here

    1. Apparently the GPL violation is that the sources of the modules are not distributed.
      Whether that is a violation, depends on how you interpret “derived work”. If you take an open source image library and use it to create a file conversion tool, that is clearly a “derived work”. So some people (notably the FSF) started calling “linking” the act of creating a derived work. But that is just their interpretation of the word “derived work”.

      Next comes the question of when are you really linking with a piece of open source? Are you linking with the OS when your closed source binary loads and somehow manages to call the operating system? Most people would agree: No. Similarly, what if you load a module into the kernel? Linus, and he has a thing or two to say in the Linux community, has clarified that: as long as you use the published symbols as entry points into the kernel, loading a module should be considered the same as running a binary in userspace.

      So….. from the information I have, I cannot conclude that transcend violates the GPL by not providing the source to those two modules.

        1. There is precedent for binary-only driver modules, that I believe the kernel developer leads have said is legally OK but VERY discouraged. As in, “don’t expect us to ever make your life easy”

          Examples of things that include binary-only .ko modules that have proven to be a massive pain for the opensource community but haven’t caused legal trouble for the OEM:
          Samsung’s FSR flash translation layer (Galaxy S family of devices, major pain in the ass that required major work from opensource firmware authors to replace with MTD)
          Samsung’s RFS filesystem driver (Galaxy S family of devices – easily replaced by ext4)
          The ath6k wifi driver module on the Samsung Tab 7 Plus and Tab 7.7

      1. This is the same chip found in the PQI Air Card, right? I wonder if their firmware is any different. (I’m on a cellular connection right now otherwise I’d just download it and diff!)

      2. Buying it anyway would be the same thing as endorsing a GPL violation, if you ask me. Companies that don’t play by the rules should be sanctioned, regardless of the functionality of the product.

        Besides that – one of my ex-gf’s had a Transcend wireless adapter in her PC which I installed. The thing worked, albeit just barely. I haven’t had a good opinion of companies products since.

  3. Any chance it’ll work with the Palm OS SDIO WiFi drivers? Combined with the Power SDHC and FAT32 drivers I could finally have *both* WiFi and lots of storage on my Tungsten E2 that I haven’t used in over 2 years…

    1. Loved the Tungsten, but it was ‘so close yet so far’ to the smartphone revolution. I never got much use out of it other than as an MP3 player and notepad. It did have a reasonably nice screen for what it was. Lemmings looked good. :p

    2. I dropped my E2 last month, it is dead. I had a “spare” E2, but its battery is dead. The famous Internet auction site (hereafter referred to as TAS (That Auction Site)) lists replacement batteries, but those cost more than some of the E2’s up for bid. (sigh!)

    3. Inside it should be like two computers connected in parallel to one SD card, if this one is same as my Flucard(which uses exact same Wi-Fi card SoC called Ka2000). It should be possible to make the host and on-board Linux communicate over SD bus with bogus command or dummy write or something, but I’ve never seen it done anywhere.

      1. Presumably the included firmware’s written with that in mind though, so that will never happen. Or otherwise however many thousands of cards out there are gonna cause a lot of problems.

    1. Sounds reasonable. Though it might be a good idea to also place the pre-existing file in a special directory, that won’t be used by the external host; and/or prevent the internal host from writing updates to that file’s timestamps. Otherwise when the timestamps are updated, you might get concurrency issues updating the directory.

  4. I see a possible cheap solution, could you put it in your car-radio that has a SD-card reader . it then creates a “dummy” sound file so you can stream music via Wifi – just a thought

      1. Plenty of cheap TV’s out there that are not network enabled but do have USB ports for playback of media saved to thumbdrives.
        If one were to put this card in place and create a suitable video file that the TV was able to play, but actually it was a wifi stream coming over.
        Network enabled TV for MUCH less than many of the other solutions out there.

        Pretty much any cheap device which lacks network ability but has a USB interface. LCD picture frames, cheap CCTV recorders. Big list !

    1. Ah, I forgot to explain the update process, so unless you read the doc you’ll be lost. Place my files on card. wait 1 min. remove card. reinsert card. wait 6 min (very important). remove card. reinsert card. wait till “wifisd” network shows up. connect to it

      “wifisd1.6” means card is updating – you cannot connect to it

    1. Maybe they think they’ve done enough to baffle a judge into letting them off, should it ever go to court. There’s little point in sensible engineering-type people discussing the fantasy world that is suing people. And that’s the area of concern.

      1. Not in Germany – afair GPL violations fights in Germany by simply going to court, stating their case and getting said company’s products BANNED from Import into EU – that works wonders for GPL compliance.

  5. Did anyone manage to boot one of these ( Transcend) cards by just applying power without having a full functioning host?

    I tried all kinds of ways for just powering it ( sd card readers on usb chargers or on mintyboost, regulated power directly to the appropriate pins… ) None worked.

    All I could find on this topic seems to indicate that WifiSD cards just won’t boot without a proper usb host, although the other brands seem to do.

    Can anybody confirm their experience ? can those exact cards be booted with just power applied ? Does the line that mentions it in the linked article have to do with the kernel being changed? or should it work out of the box ?

    This device has tons of potential uses, but most of them depend on this being possible.

    1. I have tried tirelessly to make mine boot, even while talking to it. I’ve tried talking in SPI mode, but it ploughs over my commands, so writes get corrupted. I tried booting it using the SD command set, I seem to be able to get it to read, but still no dice. This card does NOT want to boot up. I tried emailing them, but they refused to give me any additional help.

      1. Did you try accessing it through serial port or used any other form of debugging ( such as boot scripts writing to a logfile on the data partition ) that could indicate at which stage it hangs ?

      2. “Ok, FWIW to make the card boot standalone, without being plugged into a host:
        KA2000#setenv bootalone ‘go 208000’
        KA2000#setenv bootcmd
        KA2000#setenv bootcmd ‘run set_bootargs; run bootalone’
        KA2000#saveenv”

        1. How would I go about doing so from a command-line in a booted system? Also, I would prefer to find how to mimic a real system. I have tried a multitude of solutions to talking to the card, and I am finding more and more ways the card is out-of-spec. I.e. it claims it will only use 100mA, and even if you offer it more, it rejects you and says everything is fine :-p.

  6. I don’t understand why these people who don’t want to release sources don’t simply use embedded FreeBSD… It is as easy to port to embedded targets (to arm at least) as linux and you do not need to give corporate know-how away. The feature set is comparable to linux for a device like this. The BSD codebase is slightly cleaner (imho), but that doesn’t matter much if you only need to add some modules.

    It’s actually stupid, there probably is little of value in this card a competitor could use except the WiFi driver. For some reason WiFi chipset vendors absolutely don’t like the source of their drivers public.

  7. I’m glad I read this. I’m in the market for a WiFi SD card ever since my camera got stolen out of my car with my Eye-Fi in it. I’d been looking into this card in particular, due to the community’s work in hacking it. I believe very strongly that the GPL is a good thing, and not complying with it undermines all the work countless programmers have donated to the cause, so I won’t be buying any more Transcend products.

      1. That actually is a nice idea. With googles location API, you can then find the location (it allows you to feed it timestamped data of seen wifis and it uses the algorithms also used in android phones to give you an approximate position). Only problem is that needs to find an open WLAN to call home.

  8. in theory you could get around the 3 meg limit by using symbolic links or aliases.

    just as you make a shortcut in windows to point to an external drive or alias on the mac or meta file on the web couldn’t you make something on the firmware partition to point to the user partition where the binary could live?

    or if you can back up the firmware and completely repartition the card to make the firmware partition bigger and flash the firmware back via something like a normal restore on the mac like you would do to build a boot disk for a hackintosh.

        1. Hack a Day, where it’s OK to be a turd in response to someone helping you. Even when, by failing reading comprehension, you’re the one who is wrong.

          Robert didn’t say he used an arduino, turd.

        2. Just stumbled upon those comments months later via google, thanks for the laughs :)
          There was no arduino in the mix whatsoever, only an arduino battery shield to keep the 808 running.
          The 808 used a “dashboard cam” type firmware where the video file was split at small time intervals and dumped to the card, to be then recovered via wifi from the card by final host, resulting in a not-so-real-time recording with a filelength-seconds lag.
          The dashcam type firmware is necessary so you can both power the device and run recordings at the same time, which most default firmwares don’t allow.
          Not a full blast networked camera, but enough to POC the feasibility bandwidth wise.
          Glad I could help you kind sir.

          1. Please! Please! Please! PLEASE document your project! This sounds awesome!
            So what’s the wifi range? What’s the wifi speed? How much power does the wifi-sd-card (“wiCard”?) consume?

  9. I’m interested in these, but the cheapest I can seem to find is $60 or so. Which is a little much since I just want to screw around with them. Not to sound cliche or anything, but you could get the parts to build a little 32 gig wifi server for that (although good luck making it that small ahah)

  10. Can’t help but think of how similar this sounds to my problems with VIA8650 wmt android tablet i had. Ran 1.6 and was the hardest thing in the world to get to boot and root. It wouldn’t even take uberoid so I ended up digging around the uboot numbers and this story is dragging on. In the end I was very much upset at the lack of support the same as Dmitry and the uboot woes rung a bell. Kudos for persevering and interested to finish reading as I ironically recover from the second kidney stone surgery (the first of which led me to reading endless forums on the device lol). Thanks :)

  11. The article spends a lot of time complaining that the module source isn’t available, but Linus Torvalds himself does not think the GPL should apply to all kernel modules. If you claim it’s GPL via MODULE_LICENSE(“gpl”) then you get access to more symbols and functions, but short of that, he does not have a problem with non-GPL modules.

    1. Linus is not a lawyer and did not write the GPL, in fact the writer of the GPL fairly dislikes Linus. Remember Linus took credit for Linux completely disregarding the other 99% of GNU/LINUX. The GPL is a legal document that a lot of lawyers spent a lot of time locking down definitions of, it is not open for interpretation if they do not want to follow the GPL they are free to write their own. Take a watch of Revolution OS if you forget the 90’s.

    2. The issue here isn’t with new non-GPL modules though. The issue is that Transcend haven’t released the GPL source code (as they are obliged) that other people have kindly made available to the community.

  12. Is it possible to partition the thing, so that the first partition is FAT32 to keep the controller happy, and the second is ext? It might need some poking the FAT32’s bootsector to combine it with an MBR, but other than confusing some tools I don’t see why it can’t be done…

  13. Ok, so now just need a hack to expand http://www.lexar.com/workflow to more than four ports so that one could have a battery powered, pocket sized beowulf cluster of Transcend SDHC’s!
    At least that should in theory give one enough power to do something like
    Leapcast ( https://github.com/dz0ny/leapcast ) perhaps?
    Or alternatively, should be able to utilize the SDHC’s to make/drive
    video glasses such as ( http://geeknizer.com/diy-build-google-glass/ )
    with led screen(s) that have a reasonable battery life.

      1. Concept: Take aforementioned SDHC “linuxable” WiFi card, add lego block
        pin hole camera, nitrol wire, and appropriate conductive ink pattern for solar
        cell power to paper air plane that under the right lighting conditions can now
        be steered via phone accelerator while taking in the birds eye view.
        Pandaboard would require a fairly large paper airplane even before
        adding in power requirements as compared to utilizing the SDHC small
        form factor

      2. WiFi card is a lot lighter on the glass rims than a Pandaboard.
        Although in all fairness, Using the wifi card attached to DIY led glass display
        as a way to feed video to/from the pandaboard would likely be a better way to go.

    1. Yes, it is possible to protect files from being accessed by two processes at the same time. In Unix/Linux I think they’re called “locks”. There are at least several types of locks available. But I don’t know if this is something the Transcend developers are using.

  14. I’ve bought a hell of a lot of Transcend products over the years and often recommended their stuff to others but such blatant and wilful GPL violation is disgusting. I won’t be giving them a single dollar more until they get their heads out of their asses and make this right.

    FUCK YOU TRANSCEND.

    1. It’s really not that bad. I am really frustrated. Transcend FINALLY LETS HACKERS PLAY WITH THEIR STUFF, unlike EVERYONE ELSE. Because we can play with it, we’ve found something that they may be under NDA not to disclose, and now, because they were nice enough to give us this access, they have to suffer? We should be thanking them and understanding. It’s not like they modified core kernel code. This is hardly different from the Nvidia proprietary drivers!!!

      1. Why should the software developers be “thanking them and understanding” when Transcend have violated the terms under which the software was shared? If Transcend don’t want to comply with the licence, their only option is to not use the software in the first place.

        What you’re saying is that Transcend should be free to disregard their obligations because they let people play around with their stuff, when such stuff wouldn’t even get to market without the hard work of the Linux and u-boot developers. But I suppose the sentiment is that those hard-working developers should appreciate the pat on the back (and slap across the face) from their corporate betters.

        Transcend still sell these devices, contrary to various reports, so unless they’ve remedied their licence violation (and hopefully sent their representatives off for a refresher course on customer relations and ethics), they’re happily making money off people who don’t dare to challenge them in case the torrent of shiny toys be interrupted for even a moment.

        And last time I checked, Nvidia drivers – bad and dodgy enough as they are – aren’t sitting at the bootloader level and concealing special information about how you even start the operating system successfully on your computer, so it is rather different.

  15. I partitioned mine with gparted, using a 5GB FAT32 and a 9GB ext4. There was no “firmware partition”. I have Magic Lantern on it which works with my Canon EOS DSLR camera, and I also use it to boot my Raspberry Pi. For the Pi, I can update the 6GB FAT32 partition (swapping “native mode” kernels and such) over Wi-Fi. Sweet!

    It should be possible to do a simple “store and forward” messaging system (like email in the olden days), even without hacking it. But better to customize the card firmware and set up some kind of Wi-Fi tethering for the Pi, I think…

    I have my Rift head tracking and my Razer Hydra working on my RasPi, and I plan to do some kind of Wi-Fi proxy or something using this card…

    1. I love swapping RasPi kernels over WiFi without removing the SD card from the Pi. It makes kernel debugging so sweet. Of course, I need a RasPi reset switch. Cutting power to the Pi to reboot means I also need to reconnect to the SD WiFi and login again (with Dmitry’s password). ;)

      Now, I just need to get a communications channel going between the SD card processor and the Pi. For now, sending message packets through a shared file is a viable (but dirty) hack…

      1. Meh.. The FAT filesystem gets inconsistent if I write files from both sides. The SD card (via SSH) only sees the changes it made and does not see those from the Pi or from WiFi, not even after doing a sync. Likewise, the external connections do not see changes made by the SD card processor (ssh) until after the card is rebooted, and then some stuff might be missing. There must be a better way. I wonder how a camera saving photos to it does not confuse it…

    2. “It DOES get very very upset if you repartition the card or format it with something other than FAT32 – do not do this. ” — dmitry

      > I partitioned mine with gparted, using a 5GB FAT32 and a 9GB ext4

      “The lesson here is do NOT write to /mnt/sd ” — dmitry

      What lesson did you suffer?
