Cheap WiFi Devices are Hardware Hacker Gold

Cheap consumer WiFi devices are great for at least three reasons. First, they almost all run an embedded Linux distribution. Second, they’re cheap. If you’re going to break a couple devices in the process of breaking into the things, it’s nice to be able to do so without financial fears. And third, they’re often produced on such low margins that security is an expense that the manufacturers just can’t stomach — meaning they’re often trivially easy to get into.

Case in point: [q3k] sent in this hack of a tiny WiFi-enabled SD card reader device that he and his compatriots [emeryth] and [informatic] worked out with the help of some early work by [Benjamin Henrion]. The device in question is USB bus-powered, and sports an SD card reader and an AR9331 WiFi SOC inside. It’s intended to supply wireless SD card support to a cell phone that doesn’t have enough on-board storage.

The hack begins with [Benjamin] finding a telnet prompt on port 11880 and simply logging in as root, with the same password that’s used across all Zsun devices: zsun1188. It’s like they want you to get in. (If you speak Chinese, you’ll recognize the numbers as being a sound-alike for “want to get rich”. So we’ve got the company name and a cliché pun. This is basically the Chinese equivalent of “password1234”.) Along the way, [Benjamin] also notes that the device executes arbitrary code typed into its web interface. Configure it to use the ESSID “reboot”, for instance, and the device reboots. Oh my!
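The ESSID problem above is a textbook case of a web form value reaching a shell. As an added illustration (not code from the post or from the Zsun firmware), the following Python contrasts the weak pattern, where the network name is spliced into a command string, with a hardened version that validates the name against the 802.11 length limit and passes it as a single argv element so no shell ever parses it. The `iwconfig wlan0 essid` command line and the `run` hook are assumptions for the example; the sample network names are constructed.

```python
import shlex
import subprocess
from typing import Callable, List, Optional

# IEEE 802.11 limits an SSID to 32 octets.
MAX_SSID_BYTES = 32


def build_unsafe_command(ssid: str) -> str:
    """The weak pattern the post describes: the ESSID typed into the web
    form is spliced straight into a shell command string. The shell parses
    the whole line, so metacharacters in the ESSID become extra commands."""
    return "iwconfig wlan0 essid " + ssid


def validate_ssid(ssid: str) -> bytes:
    """Return the SSID as bytes if it is a legal 802.11 SSID, else raise.
    Shell metacharacters are deliberately allowed: the standard permits them,
    and an argv element carries them harmlessly."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= MAX_SSID_BYTES:
        raise ValueError(f"SSID must be 1..{MAX_SSID_BYTES} bytes, got {len(raw)}")
    if b"\x00" in raw or b"\n" in raw:
        raise ValueError("SSID must not contain NUL or newline")
    return raw


def build_safe_argv(ssid: str) -> List[str]:
    """Hardened form: the SSID travels as one argv element, never through a shell."""
    validate_ssid(ssid)
    return ["iwconfig", "wlan0", "essid", ssid]


def quote_for_shell(ssid: str) -> str:
    """If a shell line is unavoidable (e.g. a generated init script), quote the value."""
    validate_ssid(ssid)
    return "iwconfig wlan0 essid " + shlex.quote(ssid)


def set_essid(ssid: str, run: Optional[Callable[[List[str]], object]] = None) -> List[str]:
    """Build argv and hand it to `run` (default: subprocess.run with shell=False).
    Pass a stub for `run` to exercise the logic without touching any interface."""
    argv = build_safe_argv(ssid)
    if run is None:
        run = lambda a: subprocess.run(a, check=True)  # shell=False is the default
    run(argv)
    return argv


if __name__ == "__main__":
    # Constructed input: a plausible network name with a trailing shell command.
    hostile = "guestnet; reboot"
    print("unsafe :", build_unsafe_command(hostile))   # the shell would see two commands
    print("argv   :", build_safe_argv(hostile))        # one argument, no shell involved
    print("quoted :", quote_for_shell(hostile))
```

The length check matters on its own: a 32-byte cap also stops the field from being used to smuggle a long payload into whatever config file the firmware writes. The argv form is the fix to prefer; `quote_for_shell` is the fallback for code that must emit a shell script.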

From here [q3k] and co. took over and ported OpenWRT to the device and documented where its serial port and GPIOs are broken out on the physical board. But that’s not all. They’ve also documented how and where to attach a wired Ethernet adapter, should you want to put this thing on a non-wireless network, or use it as a bridge, or whatever. In short, it’s a tiny WiFi router and Linux box in a package that’s about the size of a (Euro coin | US quarter) and costs less than a good dinner out. Just add USB power and you’re good to go.

Nice hack!

50 thoughts on “Cheap WiFi Devices are Hardware Hacker Gold”

        1. It’s even cheaper at gearbest dot com.

          What I wonder is whether there is support for developing scripts, and whether there are enough free GPIO pins.
          If I could set up a minimal web server to read an I2C ADC chip over HTTP, then drive other GPIO lines accordingly, that would make it truly interesting.

        2. Note: no HTTPS, but that probably doesn’t matter since both the US and Chinese governments can mount a man-in-the-middle attack anyway. Just be careful about using anything other than a US credit card, preferably one with a low balance.

          I wonder if they accept PayPal or bitcoins…

      1. sorry didn’t mean to report comment, meant to click reply.
        Photon might be nice but wouldn’t quote for shipping without me entering details, which I don’t want to do as I bet it’s not free shipping to the UK, so I don’t really want one. China wins with its free shipping, sorry Photon.

    1. For BLE and Wifi there are many cheap devices, but 802.15.4 is more rare. You can quite cheaply make your own devboard though.

      If you want to buy I can recommend these cheapish boards: http://be.farnell.com/atmel/atmega256rfr2-xpro/rfr2-xpld-pro-eval-board/dp/2295523 (~40€)
      Alternatively, just buy a cheap 802.15.4 module and connect it to an MCU you like. Search on aliexpress and ebay, there are many suppliers of modules with many different chips.

  1. Cool hack indeed, many thanks, ordered one from aliexpress immediately :-)

    Stuff like this or those ~7USD 4g mini routers https://wiki.openwrt.org/toh/unbranded/a5-v11 are great cheap stuff, but with the raspberry zero for $5 these are becoming less interesting now. Why to limit yourself to 32/64MB ram and 4/8/16MB flash when you can get 1GHZ CPU with 512MB RAM for same or lower total price including wi-fi dongle ? The power draw is similar – the pi zero draws ~60mA just like these routers with wi-fi turned off and with wi-fi on it is ~200-300mA in all cases (including esp8266)

    And btw for mobile use there is also this 5 in 1 Mini Portable Router (like e.g. http://www.ebay.com/itm/301701710189 ) which is exactly the same as the a5-v11 but with a builtin battery for $3 more. At least I flashed it with exactly the same openwrt image and everything works.

    What I am missing for all these is a cheap power source which can be simultaneously charged and still power the device. Those cheap 18650 power banks cannot do both at the same time; there is a full ebay of cheap li-pol charger boards or 5v step up boards or those power banks combining both, but so far I did not find a cheap board that can both charge the battery and power the board when usb power is attached.

    1. I’ve done the ‘simultaneous charge&sourcing power’ thing with a couple of components in my “Project Alice” portable router I’m working on right now. It works great – no reboots, no power surges, it’s working exactly as you describe, though it’s anything but something pre-made. Here’s the reference circuit I used for the switching part: http://blog.zakkemble.co.uk/a-lithium-battery-charger-with-load-sharing/ . Granted, it’s not the same as re-using a portable battery pack – but it provides the information to either hack one already available or build one yourself, since it doesn’t seem so hard. Simplest idea – you don’t modify the powerbank, but add a 5V relay outside that switches the sources (and a really big capacitor, I gotta remind). Or experiment with FETs and make a simple switching circuit that does exactly what you need. If you cannot do either, there are diodes.

    2. It’s not really cheap but I am using an adafruit power boost 1000c in my raspberry pi project and it does simultaneous charge and power for the device. Like I said, it’s not cheap though. I paid about $20 for mine.

    1. Sure it can, but there is a SPDT switch on USB, that connects the SD reader usb device to the PC when it is plugged, and to the AR9331 when unplugged, but you cannot get AR9331 USB to the connector (and anyway it is USB-A) without soldering.

        1. there are lots of such devices: vocore, olinuxino, hlk-rm04, … and many other boards on RT5350F, or routers like HAME A15 and clones, (7$ on aliexpress, with female USB connector) or Carambola and Black Swift boards with AR9331.
          But 400MHz MIPS without hardware acceleration is not the best choice for video compression, unless the USB camera provides compressed video (http://vonger.cn).
          There are also Hi3518 boards starting from 12$ with image sensor, ARM9 + hardware video compression and ethernet. This processor also has USB host, so adding a 2$ USB WiFi should not be a big problem.

  2. I bought 2 (£5/piece) as soon as I heard about them 3 days ago. They arrived last night.

    I bricked one, and accidentally turned off wifi on the other in openWRT.

    I decided to wipe the bricked one for re-flash in uBoot… but in my inexperience I wiped the bootloader (hint: `erase all` is not idiot-proof). Now it really is toast. The pitch of the pins on the flash chip is microscopic, so not much hope of SPI reprogramming the flash chip either.

    At least it was a few hours entertainment though!

    1. You can do a factory reset (which will enable wifi again) of the OpenWrt one by inserting and removing the SD card while it boots (when the LED is blinking slowly).
      Based on my experience, I knew such a function would come in handy. ;)

      1. I too bricked my device by not paying attention when configuring the interfaces.
        But the SD card reset does not work for me. Unit powered from wallwart, when the LED starts to blink slowly I insert the card, wait for a sec, and then remove the card, but no luck. :(

    2. for reprogramming there is this SOIC8 test clip that can possibly be used, see e.g. http://www.ebay.com/itm/252201433295 I haven’t seen the board so I am not sure it fits. I used it successfully to reprogram a standalone W25Q64 chip http://www.ebay.com/itm/181700556507 from raspberry pi via flashrom https://flashrom.org/RaspberryPi Then I tried it to reflash memory in the A5-V11 router in place but I failed. When attaching voltage the whole device powers on and boots which messes up the communication (I guess it switches the SPI chip to dual or quad mode) so I probably need to cut the power pin from the board. I wanted to upgrade the 4MB flash in that router to 8MB just to see if I can.

      But maybe since yours is not booting at all it will not mess up the communication and could be reflashed in place?

  3. Pretty cool, but soon we won’t be able to see any of these projects at all – so small!
    I love the description on Gearbest: “Special soft Grinding process, just like baby skin.” !?!?!

  4. @informatic

    I was attempting to upgrade with the builtin firmware update method but I am confused about .update on smb share.
    I was able to mount the drive via smb (access via \\wulian) under windows but it would not let me create the .update folder. It complained that it needed a filename as it seems to think I was trying to create with only an extension. I tried with the the sdcard formatted fat32 and ext4. Any help appreciated.

  5. @informatic

    I tried updating using the builtin upgrade method and the SD100-openwrt.tar.gz package. Well something went wrong and it bricked the device. No big deal as I plan on soldering an ethernet port and serial connection to the board so I can recover the device. I do have one question concerning that procedure. The instructions state “Where openwrt.bin is your rootfs+kernel image (in that order!)” I assume this means combine the files first. What is the best/proper way to do that? Even better, does that image exist somewhere?

    Thanks in advance.

    1. That sounds interesting. Drop me an email please with further description of what happened with your device. My email is on top of wiki page (with at instead of @)

      About combined binary – I assume it’s just:

      cat openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin openwrt-ar71xx-generic-zsun-sdreader-kernel.bin > openwrt.bin

      But better ask emeryth directly.

    2. The combined image is the one ending with -sysupgrade.bin
      It is generated by buildroot, it is not a simple cat of rootfs and kernel, you need to add space between them so that the kernel address is correct.
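The two replies above disagree on whether a plain `cat` is enough, and the second one is right that the kernel has to start at a known offset. The following Python is an added example, not the OpenWrt buildroot image generator or anything from the Zsun wiki: it pads the rootfs with erased-flash bytes (0xFF) up to the next block boundary so the kernel lands at a fixed, aligned offset, and checks the resulting layout. The 64 KiB boundary is an assumption for illustration; the real value must be read from the device's partition layout. The rootfs and kernel byte strings are constructed stand-ins.

```python
from typing import Tuple

# Assumed alignment: pad the rootfs to the next flash erase-block boundary so the
# kernel starts at a fixed, block-aligned offset. 64 KiB is a common SPI-NOR erase
# size, but the real value must come from the device's partition layout.
ERASE_BLOCK = 0x10000


def pad_to_boundary(data: bytes, boundary: int, fill: int = 0xFF) -> bytes:
    """Pad `data` with erased-flash bytes (0xFF) up to a multiple of `boundary`."""
    if boundary <= 0 or boundary & (boundary - 1):
        raise ValueError("boundary must be a power of two")
    remainder = len(data) % boundary
    if remainder == 0:
        return data
    return data + bytes([fill]) * (boundary - remainder)


def kernel_offset(rootfs_len: int, boundary: int = ERASE_BLOCK) -> int:
    """Offset at which the kernel lands once the rootfs is padded to `boundary`."""
    return (rootfs_len + boundary - 1) // boundary * boundary


def combine_images(rootfs: bytes, kernel: bytes, boundary: int = ERASE_BLOCK) -> bytes:
    """rootfs first, then padding, then kernel (the order the quoted instructions ask for)."""
    return pad_to_boundary(rootfs, boundary) + kernel


def verify_layout(image: bytes, rootfs: bytes, kernel: bytes,
                  boundary: int = ERASE_BLOCK) -> bool:
    """Check that rootfs, erased gap and kernel sit where a bootloader expecting
    a block-aligned kernel would look for them."""
    off = kernel_offset(len(rootfs), boundary)
    if len(image) != off + len(kernel):
        return False
    gap = image[len(rootfs):off]
    return (image[:len(rootfs)] == rootfs
            and all(b == 0xFF for b in gap)
            and image[off:] == kernel)


def naive_cat(rootfs: bytes, kernel: bytes) -> bytes:
    """What `cat rootfs kernel > openwrt.bin` produces: no padding at all."""
    return rootfs + kernel


def describe(rootfs: bytes, kernel: bytes) -> Tuple[int, int, int]:
    """Return (kernel offset, padded image length, naive cat length) for comparison."""
    return (kernel_offset(len(rootfs)),
            len(combine_images(rootfs, kernel)),
            len(naive_cat(rootfs, kernel)))


if __name__ == "__main__":
    # Constructed stand-ins for the two images; real ones are read from disk.
    rootfs = b"ROOTFS" * 1000   # 6000 bytes, not block-aligned
    kernel = b"KERNEL" * 100    # 600 bytes
    off, padded_len, cat_len = describe(rootfs, kernel)
    print("kernel offset : 0x%x" % off)
    print("padded image  :", padded_len, "bytes, layout ok:",
          verify_layout(combine_images(rootfs, kernel), rootfs, kernel))
    print("naive cat     :", cat_len, "bytes, layout ok:",
          verify_layout(naive_cat(rootfs, kernel), rootfs, kernel))
```

Before flashing anything built this way, compare its kernel offset against the one in a known-good sysupgrade image for the same target; if they differ, the assumed boundary is wrong and the bootloader will not find the kernel.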

  6. Just upgraded to OpenWRT. Dziękuję! I couldn’t get the SMB share method to copy over to the device so I used this: Run the Workmode change and then, using the web interface, upload the .tar.gz file to any directory on the device. Unless you run the Workmode change first, you’ll get an error about not being able to upload from this device. Use the telnet backdoor to login and create the /etc/disk/.update directory and then mv the .tar.gz file into that directory. Then perform the upFirmWare. Done. btw, telnet 10.168.168.1 11880 does work with a standard telnet client.

  7. Who can help I need a detector gold particles reflected Be the metal surface of gold Distance 200_300 meters and processed to build an image 3 d by smartphone and laptop gift of $ 10,000
