Difference between revisions of "Wifi SD"

From eLinux.org
(IP address discovery)
(browse file system)
Line 30: Line 30:
 
== Hacks ==
 
== Hacks ==
 
...
 
...
 +
 +
=== Use the web-interface to browse the entire file system ===
 +
The section "Files" of the web-interface allows you to browse the SD-card's content but not the system's entire file system.
 +
However, there is a little trick.
 +
Again, the URL
 +
http://[IP]/cgi-bin/file_list.pl?dir=%2Fwww%2Fsd%2F
 +
does not permit to directly list the root directory. You can move up one level, anyways. '%2F' is the url-encoded form of the slash character "/". Just use '..' to enter the parent directory.
 +
http://[IP]/cgi-bin/file_list.pl?dir=%2Fwww%2Fsd%2F..%2F..%2F
 +
This navigates to "...?dir=/www/sd/../../" which is the same as "/", the root directory. Voila, there you are.
  
 
== Firmware ==
 
== Firmware ==
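Review bot: the added paragraph says "You can move up one level" and "Just use '..' to enter the parent directory", but the example URL right after it appends "..%2F..%2F", which is two parent steps from /www/sd/ to reach "/". State that '..' is applied once per level so the prose and the URL agree. The two URLs are also added as ordinary paragraph lines between sentences; marking them as preformatted text would set them apart from the surrounding prose.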

Revision as of 23:34, 24 October 2013

So-called WiFi SD cards are designed to transfer pictures taken with a digital camera to any WiFi-enabled device. In fact, such small devices can not only store up to 32 GB in such a tiny space, but are embedded systems fully capable of running applications, including a web server, communicating with other devices over WiFi, and even powering their own wireless network.

There are several vendors of WiFi enabled SD cards:

  • Transcend WiFi SD
  • Eye-Fi
  • SanDisk
  • Toshiba FlashAir
  • PQI Air Card
  • Flucard
  • Spectec SDIO WiFi
  • ... to be extended ...

However, it is assumed that most are based upon the same hardware.

This page is dedicated to collecting information about WiFi SD cards. It is a work in progress and any contribution is more than welcome.

Transcend WiFi SD card

  • CPU: ARMv5, ARM926EJ-S rev 5 (v5l)
  • RAM: 32MByte
  • WiFi: ath65/AR6003
  • 16/32GB Class 10 SDHC

IP-Address

If your card is configured in so-called 'internet mode', you might wonder how to discover its IP address. Starting all services and connecting to your WiFi takes about 30 seconds. The brute-force method is to simply scan your network:

nmap -sP 192.168.1.0/24

There should be a much more sophisticated method, though. It is reported that a UDP broadcast on port 55777 will be sent (see https://forum.openwrt.org/viewtopic.php?pid=209999#p209999).

Hacks

...

Use the web-interface to browse the entire file system

The section "Files" of the web-interface allows you to browse the SD-card's content but not the system's entire file system. However, there is a little trick. Again, the URL

http://[IP]/cgi-bin/file_list.pl?dir=%2Fwww%2Fsd%2F

does not permit listing the root directory directly. You can move up one level anyway. '%2F' is the URL-encoded form of the slash character "/". Just use '..' to enter the parent directory.

http://[IP]/cgi-bin/file_list.pl?dir=%2Fwww%2Fsd%2F..%2F..%2F

This navigates to "...?dir=/www/sd/../../" which is the same as "/", the root directory. Voila, there you are.
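The check that is missing on the `dir` parameter, as an added example (not code from the card's firmware or from this wiki): decode the value, canonicalise it, and refuse anything that resolves outside the SD directory. The function name `resolve_dir` and the constant `SD_ROOT` are hypothetical; `/www/sd` is taken from the URLs above.

```python
import posixpath
from urllib.parse import unquote

# Assumption: the "Files" page is only meant to expose this directory.
SD_ROOT = "/www/sd"


def resolve_dir(raw_dir, root=SD_ROOT):
    """Return the canonical directory for a raw `dir` query value,
    or None when it resolves outside `root`."""
    decoded = unquote(raw_dir)           # '%2F' -> '/'
    if "\x00" in decoded or not decoded.startswith("/"):
        return None                      # NUL bytes and relative paths
    # Collapse leading slashes first: normpath() keeps a leading '//'.
    decoded = "/" + decoded.lstrip("/")
    canonical = posixpath.normpath(decoded)   # resolves '.' and '..'
    # Compare on a path boundary so '/www/sdcard' does not pass as '/www/sd'.
    if canonical == root or canonical.startswith(root + "/"):
        return canonical
    return None


if __name__ == "__main__":
    # Constructed sample values; the first two are the query strings shown above.
    samples = [
        "%2Fwww%2Fsd%2F",
        "%2Fwww%2Fsd%2F..%2F..%2F",
        "%2Fwww%2Fsd%2FDCIM%2F..%2FDCIM",
        "%2Fwww%2Fsdcard",
    ]
    for value in samples:
        result = resolve_dir(value)
        print(f"{value!r:40} -> {result if result else 'rejected'}")
```

This is a string-level check only; a symlink inside the served directory would still need the path resolved on the device itself (for example with `os.path.realpath`) before the comparison.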

Firmware

To see what is inside `initramfs3.gz`, you have to strip the first 8 bytes.

dd if=initramfs3.gz bs=8 skip=1 of=real-initramfs3.gz

Those 8 bytes represent "KAGZ" followed by the size of the file (32-bit integer). To interpret the second word as a 32-bit integer on little-endian machines, run

hexdump -s4 -n4 -e '"((((0" 4/1 "*256+%d)" "\n"' initramfs3.gz | bc

Let's see what is inside:

gzip -d real-initramfs3.gz 
file real-initramfs3 
> real-initramfs3: ASCII cpio archive (SVR4 with no CRC)
cpio -it < real-initramfs3

Wow, there is Linux working!

Resources