Hacking Transcend Wifi SD Cards

[Pablo] is a recent and proud owner of a Transcend WiFi SD Card. It allows him to transfer his pictures to any WiFi-enabled device in a matter of seconds.

As he suspected that some kind of Linux was running on it, he set out to see if he could get root access on it… and succeeded.

His clear and detailed write-up begins by explaining how a simple trick allowed him to browse through the file system of the card, which (as he guessed correctly) is running busybox. From there he was able to see if any of the poorly written Perl scripts had security holes… and got more than he bargained for.

He first thought he had found a way to make the embedded Linux launch user-provided scripts and execute commands by making a special HTTP POST request… which failed due to a small technicality. His second attempt was a success: [Pablo] found that the user-set password is inserted directly into a Linux shell command. Therefore, the password “admin; echo haxx > /tmp/hi.txt #” could create a hi.txt text file.
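The password injection described above, as an added example (not code from [Pablo]'s write-up or from the card's firmware): it contrasts a command string built from the password with a constant command that receives the password as an argument. The function names, the scratch directory and the allowed character set are assumptions made for the demo; the payload has the same shape as the one quoted in the article, with its output path moved into the scratch directory.

```sh
#!/bin/sh
# Added example, constructed for illustration. Nothing here is the card's code.

# Vulnerable pattern: the password becomes part of the command text, so the
# shell parses ';' as a command separator and '#' as the start of a comment.
save_password_vulnerable() {   # $1 = password, $2 = config file
    sh -c "echo $1 > $2" >/dev/null
}

# Hardened pattern: the command text is a constant. The password travels as a
# positional parameter and is only ever expanded inside double quotes, so it
# is never re-parsed as shell syntax.
save_password_safe() {         # $1 = password, $2 = config file
    sh -c 'printf "%s\n" "$1" > "$2"' sh "$1" "$2"
}

# Defence in depth: allow-list validation before the value is used anywhere.
# The permitted character set is an assumption for this demo.
is_valid_password() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

demo() {
    work=$(mktemp -d) || return 1
    # Same shape as the article's payload, redirected into the scratch dir.
    payload="admin; echo haxx > $work/hi.txt #"

    save_password_vulnerable "$payload" "$work/conf_vuln"
    if [ -f "$work/hi.txt" ]; then
        echo "vulnerable: injected command ran, hi.txt contains: $(cat "$work/hi.txt")"
    fi
    if [ ! -e "$work/conf_vuln" ]; then
        echo "vulnerable: the intended redirect was commented out by '#'"
    fi
    rm -f "$work/hi.txt"

    save_password_safe "$payload" "$work/conf_safe"
    if [ ! -e "$work/hi.txt" ]; then
        echo "safe: nothing executed, stored value is: $(cat "$work/conf_safe")"
    fi

    if ! is_valid_password "$payload"; then
        echo "validator: payload rejected before reaching any command"
    fi
    rm -rf "$work"
}

demo
```
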

From there things got easy. He just had to make the card download another busybox to use all the commands that were originally disabled in the card’s Linux. In the end he got the card to connect a bash shell back to his computer so he could launch any command he wanted.

As if that were not enough, [Pablo] even discovered an easy way to find the current password of the card. Talk about security…

107 thoughts on “Hacking Transcend Wifi SD Cards”

    1. Also,

      “One of the scripts (rcS.p) which is run on startup automatically executes autorun_fu.sh if it is placed in the root of the SD card. This will ease development and further hacking. Thanks, Transcend!”

  1. As far as I’m aware, nobody’s really gotten into the (slightly cheaper but infinitely suckier) eye-fi cards, right? There’s some hacking activity around the periphery, but nobody’s opening up the in-card OS like Pablo’s doing to the Transcend.

    This is one of the cooler developments I’ve seen lately. Every hacker who sees an eye-fi has a zillion ideas for it, and it can’t do any of those things. I figure it’s now merely a matter of weeks until the Transcend is hacked to do all those things and more.

    1. Hi Nate, this is Pablo. I can’t confirm it, but I think most wifi SD cards are running a similar variant of the same codebase, so I’m betting they are all vulnerable in the same way. At least another variant of SD cards I didn’t know of until recently, PQI Air, are running almost the same code.

      1. Hi Pablo,

        The Flucard Pro wifi SD has a serial connection on the PCB.
        I know it’s a big ask, but could you open the case please and check if the Transcend has the same port ?
        That just takes the hacking possibilities to a whole new level !!

      2. Gentlemen, is it possible to hack a wi-fi SD card to allow it to “receive” an image stream? All of the uses for these seem to focus on getting images “off” the card from a camera.. I’d like to get images “on” the card for a picture frame. Seems like this would be a popular use case… thanks!

      3. Hi Pablo

        I would like to use a WiFi SD card to transmit data from an environmental monitor. Do you know how this could be achieved or could you point me in the right direction for help with this please?

        Thanks

        Andy Maslin

      4. Hi Pablo

        I use a seismograph that after recording an event, downloads it to an SD card. To access the data, you have to take out the SD card and plug it into a pc. My wishlist would be to use a Wi-Fi SD card and to access it remotely and download the files.

        Is this something that could interest you if I were to offer you some financial gain to make this happen.

        Thank you

        Andy

        1. I’m afraid it does not work on any SD card since it needs necessary compartments in it (like the miniature wifi chip, cpu and a complete mini computer architecture) and even if it has, like other wifi-capable SD card brands, the exact build-up may differ so much that the same firmware image does not work on them.

    2. I would be interested. I had one for my palm ages ago when they first came out. Had to cobble a good bit of that to even get it to work (bad disconnect issues iirc) but that was PalmOS. Ended up bluetooth wapping not long after that and sold the wifye to upgrade my moto razr. Not sure about using it with anything else so I guess my comment is pretty useless as is my memory lol.

      Kudos to Pablo for getting in there and rooting around ;)

        1. It’s sending pictures, not doing anything that lives depend on. That’s a private namespace IP, so you’d have to be connected to the card’s wifi to exploit it.

          Yes, if you can get that close, you could maybe install some monitoring software or something like that, but you’d have to do it whilst the camera was switched on. With the range these things have, that’s practically physical access.

          I can think of at least one way of doing it, with preparation, but let’s face it – if a cracker has physical access, you’ve lost anyway. If your photos are that sensitive, you shouldn’t be using a wifi card.

    1. I dunno but something makes me think there’s a lot of flash.

      Realistically the CPU’s almost certainly an ARM, because what else is there, and because that’s what a lot of normal storage-only SD cards use. And because it’s arguable which has the most developed and mature Linux, ARM or x86.

      But that’s just a guess. HAD did a nice article a while back about a factory that makes SD cards. They manipulate the tiny, rice-grain sized ARM MCU into the casing, along with the flash itself, using a tool that looks a lot like a wooden chopstick with a notch cut in the end. Raw, uncased ARM silicon, in both cases. Either the room’s just not that dusty (certainly not a clean-room, no masks on the staff), or they can cope with whatever rate of failures they get.

      It’s impressive the ARM was created by a team of 2 or 3 people in Cambridge, their first CPU, as an improvement for the BBC Micro. At the time it was 4x the speed of comparable chips made by companies like Intel and Motorola that had a decade or more of history, and a huge staff full of PhDs. *Indian* PhDs too! And we know how good they are at CPU design.

  2. Are you telling me, we have now a fully functional WiFi+SD dongle for sensor data harvesting systems? Does it work with only power supplied (a wireless memory stick!)? Does the kernel have any kind of access to IO ports? How does power consumption look? That would be the smallest and cheapest mobile platform with plenty of storage memory and WiFi abilities I have ever seen. Woah!!

    1. This is a very interesting question. I believe SD cards use SPI. So if the card will run on its own just by injecting power you should be able to run any devices that work on SPI. Plus, since there’s all that storage inside, the hack really just needs to get the system to execute a script file stored there.

      I want to see this done sooooo badly!

      1. I’m also extremely excited about the possibilities!

        Although it’s a tiny bit frustrating that people are ripping into the “security” of this thing. I doubt they care at all about people getting access to the system underneath. Someone could copy the data off by simply plugging the SD card into their computer so it’s not something they had to worry about.

        Not every company is obsessed with preventing customers from tinkering with their hardware.

        1. I think that there is a sizable market for something like this. Perhaps it will be small at first since only hackers would be interested or have the knowhow to do this. But imagine the possibilities of having an SD card sized microcontroller with built in WiFi. There is already SPI– would it be possible to reconfigure these as GPIO? A lot of projects that use a WiFi enabled Arduino could probably switch to this. The small size and low power consumption would probably open up even more possibilities. Lower price points with less storage?

          Transcend, please see this as a possibility rather than just a hole to be plugged.

          1. SPI is most likely a black box from linux side – driver just sets up dma transfers between this black box and flash
            still good enough for connecting atmega/pic and bitbanging fat SPI host between them

        2. SPI port is accessible on most AVR chips – you can grab an SD card shield for an arduino and use the SDfat.h library to read files from the card, and do something based on them. Like (pseudo code)

          File f = SD.open("/sites/hackaday.com");
          while (!f.available()) { delay(100); } // wait for the "file" to get data
          while (f.available())
          {
            byte fileByte = f.read();
          }

          Basically using the file system to map the arduino’s I/O to your card’s ability to write arbitrary files.

      2. SPI is just one of several modes which can be used to access SD cards and so it must be supported by this card as well. However, SD cards can only act as an SPI slave and not as the master. I have no Idea whether this is fixed by the hardware or can be reconfigured in software. Being able to reconfigure (some of the) pins as GPIO, tty, SPI master or i2c master would really make this device well suited for a variety of applications. But without any kind of communication except WIFI the use of this cards is quite limited.

        1. If SPI or any other communication possibilities are unreachable, there is still a “lock” switch. I mean, that it is a hardware switch, so there must be an easy approach to read its state. Bitbanging this one, might be a way to go (yet quite inconvenient).

          1. As far as I can tell, lock switches on SD cards are not actually electrical; they simply block something on the reader (not even the card itself), which tells it to let it write.

          2. The lock of SD cards is just a piece of plastic and has no electrical connection to the card. The lock is supposed to be read out and honored by the card reader e.g. using a light barrier. Many cheap card readers don’t honor the lock switch at all.

    2. It lacks the space for a normal 3dbi antenna, it probably doesn’t use 100 mW of transmit power either … so range is going to be smaller as with normal WiFi solutions.

    1. How is it a flawed product? Because it doesn’t have NSA-style security? Sounds like they released a good product that can be made GREAT with a little hacking! Either way, thanks are due ;-)

    1. Oh god, that’d be awesome! Attach a few into various household objects with tiny power supplies, or just into toys with batteries. Bury a couple in the garden (maybe with a small wire antenna!). Let The Man come and take away your data then!

      Is it possible to have them powered-off most of the time, switching on to wait for a specific coded Wifi packet? So you know exactly when, 1 minute in 20, to transmit. Other than that they’re undetectable, and never transmit til they’re first told to.

      Another idea for power, fit a tiny Li polymer battery in there. In fact one of the main ideas of Li polymer was being able to make the case into the battery. Have the whole thing be a battery! Just room for the chips and wiring. It can charge up when it’s plugged in to whatever device.

  3. “telnetd -l /bin/sh &” in a file called “autorun.sh” in the root of the card is slightly easier. ;)

    Also, it appears that this particular card does not work with hosts that want to use SPI mode – at least my code thinks that it never responds to the initialisation sequence that works fine with a lot of other cards.

  4. This gives me hope that someone like Pablo will unlock the sucky first generation Eye-Fi cards so I can send pics directly to my Nexus 7 like the newer versions claim to do. Not familiar with the Transcend but currently I have to go through my wi-fi network…up to the web…then back to my PC just to use the damn thing!

    1. Providing information on the form at your link, then pressing the “Download” button, only takes me to a page containing this (binary) information:
      “���դ@�U ! dlcenterdlcenter”

      1. Okay, the download started when I copied the full URL (up through the .zip) to the web browser address bar instead of clicking the broken link above. Pressing the “Download” button then started a 56MB download (now in progress)…

    2. no, this is a bullshit “here is a busybox sourcefile, now fuck off” link
      GPL states you need to provide working makefiles that let you compile whole thing, not raw sourcefiles without your patches

    3. They need to post the sources for u-boot too as well as the appropriate .config files to build u-boot/busybox/kernel.

      THEN they will be welcomed into the GPL compliant (well mostly) world.

    1. It’s not nearly as limited as you think. That’s easily enough to run a very small web server that supports shell or perl cgi, a dropbear ssh daemon and busybox cron. You might be able to do a bit of lightweight graphics processing on pictures that end up on the filesystem. I don’t know if you’d be able to run motion (a piece of motion detecting software) on it in realtime, but it should work with a long enough interval between shots. In the no-GUI embedded Linux world, 32MB of RAM is actually quite a lot. Linux has been successfully running very well on machines with only 16MB and I know it runs to some extent (though probably with no web server) on machines with as little as 8MB of RAM.

        1. That’s the crux of it. Linux is overall a heavier OS than whatever was on the PSP. And it’s not just the OS that is heavier, but also the userland tools. Still, there’s a ton of cool stuff one could accomplish. For example, it should be straightforward to put a simple bootloader on the card itself that the host machine can run, then the Linux/ARM part of the card could go and grab a complete filesystem package and install it to the card to boot the machine. I suppose you could do a lot of that with a regular SD card, but this would reduce the amount of setup code that needed to happen on the host computer. (Don’t bother picking apart the idea too much, it’s just something I thought up a couple minutes ago).

  5. Hey, I submitted this! :D

    Anyway, I also found this neat card that uses micro SD cards, and it’s pretty much hacked. It’s called the PQI Air Card, and if you put a file named autorun.sh in the root of the SD Card, it will run those commands!

    Here’s the long hacking discovery [translated from Japanese]

    http://translate.google.com/translate?act=url&depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://hitoriblog.com/%3Fp%3D12627&sandbox=0&usg=ALkJrhiPlAyn6K6fiHHkRj3s-cBdebiqMw

  6. I want one that’ll work on Palm OS devices that don’t have built in WiFi. Would also need an SDHC driver. There is such a driver but it’s A. not free and B. uses DRM.

    1. For obvious reason you can, but to be able to access the root of the card, you’d still need a wifi adapter for the pi to connect to the card (the pi will access the card through wifi, not directly through the card slot).

    1. It’s not even similar to the imp. The imp is just a wifi module, which happens to be (confusingly) packaged in an SD-like package that uses an SD-like slot. You can’t treat it like an SD card. It’s like on old PCs when you’d get a scanner that connected through a 6-pin mini-DIN, and then someone tries to plug a mouse into the scanner controller card because it’s the same plug, but it doesn’t work. Being on the same connector doesn’t mean anything! They picked the SD connector because it’s cheap, not because they’re doing anything SD-like.

      The Transcend, on the other hand, is a true SD card, or pretends to be. Hosts that don’t know anything about its wifi capabilities can read and write files to it, and the little linux genie behind the curtain does all the wifi magic unbeknownst to the host.

      Plug an imp into an SD host and it’s not even detected.

      1. @Nate: I’d hate to be an ass, but he never mentioned anything about the Imp and this SD card to be similar. Rather the idea of how it *may* be used when this hack gets traction.

        1. Ahh, point taken! I misread. Yeah, they’re not direct drop-ins for each other, but this or something like this could obviate much of the need for the imp. Frankly, I’m more interested in the Carambola2 or HLK-RM04 for that problem-space, because the OS is saner. :)

  7. There are other cards like this, which can also be easily hacked. The Flucard for example (most of the info is unfortunately in Japanese, where it was apparently available for two years already).

    1. and also that the Flucard had a TXD/RXD pad out on its PCB !!!!!!!!
      Amazing. Potential full interface!

      Those pads seem not to be present on the PQI according to the Japanese blog.

      Does someone have a Transcend already and can check for serial ??

  8. A wireless enabled SDCard ???
    I can foresee this as being a new security nightmare ( I mean: what happens if it gets inside your laptop, or if somebody uses this remotely to write a corrupted/backdoored firmware image on the sdcard that some cameras/hardware will happily update without second thought ).
    Especially since for now the default Wifi password is 12345678
    But I need one right now :)
    The legitimate/hacking possibilities seem endless.

    A wireless, solarpowered pico dead drop in a tictac box is on the making !

    1. The whole purpose of these things is so that you don’t need to stick it into anything like a laptop, it’s to enable your camera to transmit the pictures.
      However, it’s still a security nightmare since many of them require you to use the company’s servers via proprietary software I gather, and yeah there goes your freedom liberty and privacy.. Especially if those servers run through or are in the US obviously.

  9. These cards are pretty cool, I’d imagine there is some signing or write-protect somewhere to protect bootrom etc..

    Someone told me there is a 32GB and 64GB 802.11ac suite of xSD cards coming soon.

  10. Did anyone try powering this card externally (i.e. pin 4 and 6 to usb power and the rest of pins to the host) to boot the firmware? The spec says it requires 2.8-3.7v. I want to use this card in my cpap machine (it has SD card slot to store sleep data) and remotely scp the data daily to my linux desktop but this card does not boot on my cpap machine. I have already setup this card so I can scp files from it (if you are interested for ssh access you can read my howto here: http://blog.selvans.net/2014/05/howto-setup-keybased-ssh-scp-to.html ) and it works great in camera. Unfortunately, I suspect the SD card slot on the cpap machine does not provide enough power to boot the firmware and I am looking into powering it via external USB power. Love to hear if anyone tried or had success in powering this externally.

  11. I am trying to figure out if it would be possible to hack an wifi-sd card into a streaming device, like an airplay or sort of a2dp streaming.

    Would this be possible? Would be so great if anyone could make this happen!

  12. I bought a SanDisk Eye-Fi card and it was the worst mistake.

    I had to create an online account to use it even though I don’t use any online services. I just use it to send pic via my wi-fi router to my PC with an app that runs on the PC.

    The only reason to require an online login is to make the software dependent on a server.

    They just sent me an email saying that they’re pulling the plug on the server 16 Sep 2016 and from then on it won’t work anymore.

    Obviously this is a deliberate act. If you buy an Eye-Fi card then it will be switched off when they decide it’s time for you to buy another and your existing one will no longer work!

    So whatever you do – DO NOT EVER buy an Eye-Fi card.

    http://boingboing.net/2016/06/30/eye-fi-orphans-14-products-wh.html

  13. Can anybody here help me to automatically sync the files from http://192.168.11.254/sd/DCIM on the WIFI SD card to a location on my android device? No apps out there seem to do it.
    If I type http://192.168.11.254/sd/DCIM into google chrome on the device the location works and I can see the images on the card.
    I am trying to use an app called folder sync to reference this http://192.168.11.254/sd/DCIM but can’t get it to recognise or login. Could I have to manually specify a port perhaps?
    Folder sync can sync lots of online cloud services like dropbox, icloud, onedrive, sugarsync, etc with your android device.
    It has some custom options like FTP, SFTP, SMB/CIFS and WebDAV but I am not sure which one to use and how to tweak it to work? Not much experience. Any help would be massively appreciated.

  14. I’d like to stream audio recordings to a PC for real-time machine audio transcription. Was wondering if that’s possible with SD cards. If not, I imagine someone with hacking skills could make it happen?

  15. having come across this, still having an old 32gb transcend, i didn’t get this to work at first.
    in an openwrt forum i found this: just put it into the autorun.sh from the firmware update
    and put it into sd root:

    #!/bin/sh

    cp /hardware.info /mnt/sd
    cp /ts_version.inc /mnt/sd
    sync
    cp /www/sd/busybox-armv5l /sbin/busybox-extra
    chmod a+x /sbin/busybox-extra
    /sbin/busybox-extra telnetd -l /bin/bash &
    /sbin/busybox-extra tcpsvd -vE 0.0.0.0 21 ftpd -w /www/sd &

    telnet and ftp up and running on the latest firmware of the transcend wifisd 32gb.
    Thank you very much
