Difference between revisions of "Wifi SD"
(Link added) |
(IP address discovery) |
||
| Line 16: | Line 16: | ||
= Transcend WiFi SD card = | = Transcend WiFi SD card = | ||
| + | |||
* CPU: ARMv5, ARM926EJ-S rev 5 (v5l) | * CPU: ARMv5, ARM926EJ-S rev 5 (v5l) | ||
* RAM: 32MByte | * RAM: 32MByte | ||
* WiFi: ath65/AR6003 | * WiFi: ath65/AR6003 | ||
* 16/32GB Class 10 SDHC | * 16/32GB Class 10 SDHC | ||
| + | |||
| + | == IP-Address == | ||
| + | If your card is configured in so called 'internet mode' you might wonder how to discover its IP address. To start all services and to connect to your WiFi takes about 30 seconds. | ||
| + | The brute force method is to simply scan your network: | ||
| + | nmap -sP 192.168.1.0/24 | ||
| + | Well, therefore should be a much more sophisticated method. It is reported that an UDP Broadcast on port 55777 will be sent (see https://forum.openwrt.org/viewtopic.php?pid=209999#p209999). | ||
| + | |||
| + | == Hacks == | ||
| + | ... | ||
== Firmware == | == Firmware == | ||
To see what is inside of `initramfs3.gz` you have to take off the first 8-bytes. | To see what is inside of `initramfs3.gz` you have to take off the first 8-bytes. | ||
dd if=initramfs3.gz bs=8 skip=1 of=real_initramfs3.gz | dd if=initramfs3.gz bs=8 skip=1 of=real_initramfs3.gz | ||
| − | Those 8-bytes are | + | Those 8-bytes are representing "KAGZ" + the size of the file (32-bit integer). To interpret the second word as 32-bit integer on little endian machines say |
| + | hexdump -s4 -n4 -e '"((((0" 4/1 "*256+%d)" "\n"' initramfs3.gz | bc | ||
Lets see what is inside: | Lets see what is inside: | ||
| Line 34: | Line 45: | ||
== Resources == | == Resources == | ||
| + | * [http://dmitry.gr/index.php?r=05.Projects&proj=15&proj=15.%20Transcend%20WiFiSD Advanced Transcend WiFiSD hacking] | ||
* [http://haxit.blogspot.com.es/2013/08/hacking-transcend-wifi-sd-cards.html Hacking Transcend WiFi SD Cards ] | * [http://haxit.blogspot.com.es/2013/08/hacking-transcend-wifi-sd-cards.html Hacking Transcend WiFi SD Cards ] | ||
* [http://www.fernjager.net/post-8/sdcard Modifying Transcend WiFi SD Card Firmware] | * [http://www.fernjager.net/post-8/sdcard Modifying Transcend WiFi SD Card Firmware] | ||
Revision as of 22:50, 24 October 2013
So called WiFi SD cards are actually designed to transfer pictures taken with a digital camera to any wifi-enabled device. In fact, such small devices can not only store up to 32GBs in such a tiny space, but are embedded system fully capable of running applications, including a webserver, communicating with other devices over WiFi, and even powering its own wireless network.
There are several vendors of WiFi enabled SD cards:
- Transcend WiFi SD
- Eye-Fi
- SanDisk
- Thoshiba FlashAir
- PQI Air Card
- Flucard
- Spectec SDIO WiFi
- ... to be extende ...
However, it is assumed that moest are based upon the same hardware.
This page is dedicated to collect information about WiFi SD cards. It is work in progress and any contribution is more than welcome.
Transcend WiFi SD card
- CPU: ARMv5, ARM926EJ-S rev 5 (v5l)
- RAM: 32MByte
- WiFi: ath65/AR6003
- 16/32GB Class 10 SDHC
IP-Address
If your card is configured in so called 'internet mode' you might wonder how to discover its IP address. To start all services and to connect to your WiFi takes about 30 seconds. The brute force method is to simply scan your network:
nmap -sP 192.168.1.0/24
Well, therefore should be a much more sophisticated method. It is reported that an UDP Broadcast on port 55777 will be sent (see https://forum.openwrt.org/viewtopic.php?pid=209999#p209999).
Hacks
...
Firmware
To see what is inside of `initramfs3.gz` you have to take off the first 8-bytes.
dd if=initramfs3.gz bs=8 skip=1 of=real_initramfs3.gz
Those 8-bytes are representing "KAGZ" + the size of the file (32-bit integer). To interpret the second word as 32-bit integer on little endian machines say
hexdump -s4 -n4 -e '"((((0" 4/1 "*256+%d)" "\n"' initramfs3.gz | bc
Lets see what is inside:
gzip -d real-initramfs3.gz file real-initramfs3 > real-initramfs3: ASCII cpio archive (SVR4 with no CRC) cpio -it < real-initramfs3
Wow, there is Linux working!
