close-circle
Close
0%
0%

Reverse Engineering Toshiba Flashair Wifi SD card

My ventures in reverse engineering Flashair Wifi SD Card.

Similar projects worth following
close
After all the interesting things I have been reading lately about wifi sd cards, and my never ending interest in tiny embedded devices/hacking things that were made for one purpose and using them for some other purpose.. I figured I should pick one up and see what was going on. So I perused one of my favorite auction sites, and found some flashair Toshiba Flashair wifi sd cards going for around $20, so I tossed a few bids out, and ended up winning one for under $22 shipped. Later to find out in my further investigation that I had jumped the gun, and that the Flashair cards do not run Linux, but instead a proprietary OS.. unlike the Transcend, Flucard, and PQI Air. That however did not deter me from looking, who knows what still could be done..

After receiving the card I took a look at the website and saw a firmware update utility (FAFWUpdateTool_v10004) and from my previous research this was possibly the key to figuring out more to this device. So I installed it and read through the documentation provided on the site.

Before actually running the utility however I figured I would look at the card as it opens on my Windows 8.1 laptop.
The first thing that I noticed was that it was formatted in FAT32 and it looked like your regular sd card, with one exception.. some hidden folders.sd card root folder ss
Particularly the hidden one named "SD WLAN", which once opened had one file that really intrigued me, the "CONFIG" file. After opening it up I noticed there were many options and after Googling, many more Official Here andMore Here. So I went about editing it to see what would happen. I wanted it to connect as a client on my network, so I didn't have to connect to it, as the default setting is access point, so I changed APPMODE to 5, changed APPSSID to match mine, and changed APPNETWORKKEY to also match. Next, I found that the unofficial sources stated that there was also a COMMAND function, so I figured "help" might be a good start. I then left everything else alone, then saved and safely removed and reinserted.
My config file looked like the following:

CIPATH=/DCIM/100__TSB/FA000001.JPG
APPMODE=5
APPSSID=MYNETWORKSSID
APPNETWORKKEY=NETWORKKEY
VERSION=F24A6W3AW1.00.04
CID=02544d53573038470750031fac00cc01
PRODUCT=FlashAir
VENDOR=TOSHIBA
COMMAND=help

*note that network key will automatically be *'d out on reboot of card.
After rebooting the card I noticed it showed up on my network, at this point I accessed its web page and was greeted
with the webpage, which was useless.. I wanted to know where the command output was being written to, after digging through the files, I went back to Google, which led me back to the unofficial link above for extrud3d.com (thanks for your help guys).

Anyways, after navigating to /IPADDRESSOFFLASHAIR/eva.cgi, I was presented with a list of the commands:

> help
help show help
version show version
mod Modify Memory
dump Dump Memory
stat show status
ip Address Setting
ping ping
reboot reboot system
macsend MAC frame send
setup TELEC command
send TELEC command
stop TELEC command
show TELEC command
deauth deauth command
print console output
srom SPI ROM access
sleep sleep setting
fat file system
wlan Wireless LAN control
dhcpd DHCP server
dhcpc DHCP client
nbios NetBios service
wps Wi-Fi Protected Setup
sd SD Card Access
http HTTP Client
httpd HTTP Daemon
rfic set RF-IC serial data rfic
iperf Measuring performance
sysclk change System clk
ps ps [on/off] pw pw
pio pio
netlog log
d

followed by what looked like a startup log. Now I was getting somewhere..
So I tried a number of the commands, but I had little luck here and there as they appeared to be very limited as I could not see what the arguments/flags were as appending "-h" or "?" almost never returned anything. It is also a pain because you have to edit the CONFIG file, save, safely remove, pull out, put back in, wait for it to reconnect to the network, then refresh the page each time you want to run a command.

From the interesting ones above, what I could get to run and ascertain:
help command showed the above commands.
version command printed version information.
mod command appeared to be a write function. (I believe this and dump is to some flash storage because it returned all 0's)
dump command returned what appeared to be memory addresses and lengths followed by raw binary output.
stat command returned wlan stats, like signal strength, rx and tx packets etc.
ip command appeared it was to setup ipaddress settings.
ping command pinged address in argument.
fat can do mkdir, cp commands etc, so it is access to the sd card flash system.
all the other ones for the most part required arguments and/or flags that I did not know or returned nothing..

Next thing to do was update the firmware and see what would happen, just as I had researched it added a file which gets deleted on...

Read more »

  • Usage Commands Found!

    Chris Jones05/01/2015 at 21:24 1 comment

    After digging through the data and extracting what I can from the firmware update file I found the following usage data.. It still needs to be cleaned up, but it does help to identify data on the device.

    Usage commands found in no particular order.. (needs to be cleaned up

    usage: fat mkfs drive#
    fat cat  [file]
      file : display file
    fat mkfs [drive]
      drive : drive  no.(0 or 1)
           0: User, 1: System(Hidden)
    
    fat mkdir [dir]
      dir : create directory name
    
    fat write [file] [size]
      file : write check file
      size : write size(1-65535)
    
    fat read  [file]
      file : read check file
    
    fat mv  [org] [new]
      org  : original file
      new  : new file
      
    fat rm  [remove]
      remove : remove file
      
    fat cp  [org] [new]
      org  : source file
      new  : destination file
      
    fat lsr  <dir>
      dir    : directory
      
    fat ls  <dir>
      dir    : directory
    
    usage: test read <file name>
    
    usage: test write <file name> <file size>
    
    usage: test cp <existing file name> <new file name>
    
    usage: test rm <file name>
    
    usage: test mv <source file name> <target file name>
    
    usage: test mkdir <directory name>
    
    srom conf  -f [flow]  -d [val] -s [samp]
      flow   : 0/1 (Invalid / Valid)
      val    : 1-10,16/32/64/128/255
      samp   : 0-63
    
    srom read [addr] -l <length>
      addr   (hex) : 0xXXXXXXXX
      length (dec) : default 4, Max 512  (round 4byte)
    
    srom write [addr] [data] -l <length>
      addr   (hex) : 0xXXXXXXXX
      data   (hex) : 0xYYYYYYYY
      length (dec) : default 4, Max 512  (round 4byte)
    
    Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
                [-r count] [-s count] [[-j host-list] | [-k host-list]]
                [-w timeout] target_name
    Options:
        -t             Ping the specified host until stopped.
                       To see statistics and continue - type Control-Break;
                       To stop - type Control-C.
        -a             Resolve addresses to hostnames.
        -n count       Number of echo requests to send.
        -l size        Send buffer size.
        -f             Set Don't Fragment flag in packet.
        -i TTL         Time To Live.
        -v TOS         Type Of Service.(AC_BE=0x00,AC_BK=0x20,AC_VI=0xA0,AC_VO=0xE0)
        -r count       Record route for count hops.
        -s count       Timestamp for count hops.
        -j host-list   Loose source route along host-list.
        -k host-list   Strict source route along host-list.
        -w timeout     Timeout in milliseconds to wait for each reply.
    
    setup dump  -m [mode] -f <fil>
      mode    : 0-3
                0 : No Dump
                1 : MAC Header Only
                2 : MAC Header and Frame Header
                3 : All
      fil     : 0-2
                0 : Show only My address
                1 : All
                2 : Broadcast Frame hidden dump
    			
    setup reg   -r <addr> -v <data>
      NoOption   : display register setting
      addr (hex) : 0xXXXXXXXX
      data (hex) : 0xYYYYYYYY
      
    setup ch    -f <freq> -c <channel>
      Argumet freq or ch
      freq    : 2412/2417/2422/2427/2432/2437/2442/2447/2452/2457/2462/2467/2472/2484/
                5180/5200/5220/5240/5260/5280/5300/5320/5500/5520/5540/5560/5580/5600/
                5620/5640/5660/5680/5700/5475/5765/5785/5805/5825
      channel : 1`14,36/40/44/48/52/56/60/64,100/104/108/112/116/120/124/128/132/136/
                140/149/153/157/161/165
    
    setup frame -l <macl> -u <macu> -b <body> -s <size> -t <tid> -r <rate>
                -p <power> -a <ack> -m <mcs>
      NoOption   : display frame setting
      
    MAC ADDRESS XX:XX:YY:YY:YY:YY
      macl (hex) : 0xXXXX
      macu (hex) : 0xYYYYYYYY
      body       : 0xZZ   MAC Frame Data
      size       : 0-1500
      tid        : 0-65535
      rate       : 1/2/5/6/9/11/12/18/24/36/48/54(Mbps)
      power      : 0-255
      ack        : 0/1 (Normal/No ack)
      mcs        : 0-7
    
    send pn    -r <rate> -m <mcs> -p <preamble> -g <gi>
      rate     : 1/2/5/6/9/11/12/18/24/36/48/54(Mbps)
      mcs      : 0-7
      preamble : 0/1 (Long Preamble / Short Preamble)
      gi       : 0/1 (Normal GI / Short GI)
      
    send frame -n <count> -i <interval>  -s <sifs> -r <rifs> -e <enc>
      count    : 0-65535
      interval : 0-65535 (msec)
      sifs     : 0/1 (SIFS Burst Invalid / SIFS Burst Valid)
      rifs     : 0/1 (RIFS Burst Invalid / RIFS Burst Valid)
      enc      : 0 : None
                 1 : WEP
                 2 : AES
                 3 : TKIP
    
    send help
    
    send frame -n <count> -i <interval>  -s <sifs> -r <rifs> -e <enc>
    
    send pn    -r <rate> -m <mcs> -p <preamble> -g <gi>
    
    sd buffer [-d | -s]
      -s  : Single buffer
      -d  : Dubble buffer
    
    sd clk ???
      ???  : SD_CLK_CTRL
      
    sd update [filename]
      filename  : file name
    
    
    sd fread  [filename]
      filename  : file name
    
    sd gcmd   [number] <arg>
      number   : XX (dec)
     arg...
    Read more »

  • More info

    Chris Jones05/01/2015 at 20:47 0 comments

    found some images of the board digging through google image search..

    flashairfront

    flashairback

    Chips are as follow:
    Processor : TC90535XBG ?
    Flash Memory : TC58NVG6D2GLAD0E ?
    WIFI : AIROHA AL2238 wifi b/g

    I cannot read the others, but either way I was not able to find any details about the Processor or even the Flash Memory.

    Also, with the help of a friend, I ran the update file through IDA Pro, and he said it appears IDA is detecting it as Armv6 code. We were not able to find the bootloaders load start. Although it may not be in the update file as it may not be a complete firmware image.. More is still needed to be researched, but I wanted to update this.

View all 2 project logs

Enjoy this project?

Share

Discussions

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates