Close
0%
0%

Reverse Engineering Toshiba Flashair Wifi SD card

My ventures in reverse engineering Flashair Wifi SD Card.

chris-jonesChris Jones
Following
Liked Like project

Just one more thing

To make the experience fit your profile, pick a username and tell us what interests you.

Pick an awesome username
hackaday.io/
Your profile's URL: hackaday.io/username. Max 25 alphanumeric characters.
Pick a few interests
Projects that share your interests
People that share your interests

We found and based on your interests.

Choose more interests.

OK, I'm done! Skip
Similar projects worth following
11.7k views
0 comments
45 followers
View Gallery
After all the interesting things I have been reading lately about wifi sd cards, and my never ending interest in tiny embedded devices/hacking things that were made for one purpose and using them for some other purpose.. I figured I should pick one up and see what was going on. So I perused one of my favorite auction sites, and found some flashair Toshiba Flashair wifi sd cards going for around $20, so I tossed a few bids out, and ended up winning one for under $22 shipped. Later to find out in my further investigation that I had jumped the gun, and that the Flashair cards do not run Linux, but instead a proprietary OS.. unlike the Transcend, Flucard, and PQI Air. That however did not deter me from looking, who knows what still could be done..

After receiving the card I took a look at the website and saw a firmware update utility (FAFWUpdateTool_v10004) and from my previous research this was possibly the key to figuring out more to this device. So I installed it and read through the documentation provided on the site.

Before actually running the utility however I figured I would look at the card as it opens on my Windows 8.1 laptop.
The first thing that I noticed was that it was formatted in FAT32 and it looked like your regular sd card, with one exception.. some hidden folders.sd card root folder ss
Particularly the hidden one named "SD WLAN", which once opened had one file that really intrigued me, the "CONFIG" file. After opening it up I noticed there were many options and after Googling, many more Official Here andMore Here. So I went about editing it to see what would happen. I wanted it to connect as a client on my network, so I didn't have to connect to it, as the default setting is access point, so I changed APPMODE to 5, changed APPSSID to match mine, and changed APPNETWORKKEY to also match. Next, I found that the unofficial sources stated that there was also a COMMAND function, so I figured "help" might be a good start. I then left everything else alone, then saved and safely removed and reinserted.
My config file looked like the following:

CIPATH=/DCIM/100__TSB/FA000001.JPG
APPMODE=5
APPSSID=MYNETWORKSSID
APPNETWORKKEY=NETWORKKEY
VERSION=F24A6W3AW1.00.04
CID=02544d53573038470750031fac00cc01
PRODUCT=FlashAir
VENDOR=TOSHIBA
COMMAND=help

*note that network key will automatically be *'d out on reboot of card.
After rebooting the card I noticed it showed up on my network, at this point I accessed its web page and was greeted
with the webpage, which was useless.. I wanted to know where the command output was being written to, after digging through the files, I went back to Google, which led me back to the unofficial link above for extrud3d.com (thanks for your help guys).

Anyways, after navigating to /IPADDRESSOFFLASHAIR/eva.cgi, I was presented with a list of the commands:

> help
help show help
version show version
mod Modify Memory
dump Dump Memory
stat show status
ip Address Setting
ping ping
reboot reboot system
macsend MAC frame send
setup TELEC command
send TELEC command
stop TELEC command
show TELEC command
deauth deauth command
print console output
srom SPI ROM access
sleep sleep setting
fat file system
wlan Wireless LAN control
dhcpd DHCP server
dhcpc DHCP client
nbios NetBios service
wps Wi-Fi Protected Setup
sd SD Card Access
http HTTP Client
httpd HTTP Daemon
rfic set RF-IC serial data rfic
iperf Measuring performance
sysclk change System clk
ps ps [on/off] pw pw
pio pio
netlog log
d

followed by what looked like a startup log. Now I was getting somewhere..
So I tried a number of the commands, but I had little luck here and there as they appeared to be very limited as I could not see what the arguments/flags were as appending "-h" or "?" almost never returned anything. It is also a pain because you have to edit the CONFIG file, save, safely remove, pull out, put back in, wait for it to reconnect to the network, then refresh the page each time you want to run a command.

From the interesting ones above, what I could get to run and ascertain:
help command showed the above commands.
version command printed version information.
mod command appeared to be a write function. (I believe this and dump is to some flash storage because it returned all 0's)
dump command returned what appeared to be memory addresses and lengths followed by raw binary output.
stat command returned wlan stats, like signal strength, rx and tx packets etc.
ip command appeared it was to setup ipaddress settings.
ping command pinged address in argument.
fat can do mkdir, cp commands etc, so it is access to the sd card flash system.
all the other ones for the most part required arguments and/or flags that I did not know or returned nothing..

Next thing to do was update the firmware and see what would happen, just as I had researched it added a file which gets deleted on...

Read more »

View all details

  • Usage Commands Found!

    Chris Jones05/01/2015 at 21:24 1 comment

    After digging through the data and extracting what I can from the firmware update file I found the following usage data.. It still needs to be cleaned up, but it does help to identify data on the device.

    Usage commands found in no particular order.. (needs to be cleaned up

    usage: fat mkfs drive#
fat cat  [file]
  file : display file
fat mkfs [drive]
  drive : drive  no.(0 or 1)
       0: User, 1: System(Hidden)

fat mkdir [dir]
  dir : create directory name

fat write [file] [size]
  file : write check file
  size : write size(1-65535)

fat read  [file]
  file : read check file

fat mv  [org] [new]
  org  : original file
  new  : new file
  
fat rm  [remove]
  remove : remove file
  
fat cp  [org] [new]
  org  : source file
  new  : destination file
  
fat lsr  <dir>
  dir    : directory
  
fat ls  <dir>
  dir    : directory

usage: test read <file name>

usage: test write <file name> <file size>

usage: test cp <existing file name> <new file name>

usage: test rm <file name>

usage: test mv <source file name> <target file name>

usage: test mkdir <directory name>

srom conf  -f [flow]  -d [val] -s [samp]
  flow   : 0/1 (Invalid / Valid)
  val    : 1-10,16/32/64/128/255
  samp   : 0-63

srom read [addr] -l <length>
  addr   (hex) : 0xXXXXXXXX
  length (dec) : default 4, Max 512  (round 4byte)

srom write [addr] [data] -l <length>
  addr   (hex) : 0xXXXXXXXX
  data   (hex) : 0xYYYYYYYY
  length (dec) : default 4, Max 512  (round 4byte)

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] target_name
Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         Type Of Service.(AC_BE=0x00,AC_BK=0x20,AC_VI=0xA0,AC_VO=0xE0)
    -r count       Record route for count hops.
    -s count       Timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.

setup dump  -m [mode] -f <fil>
  mode    : 0-3
            0 : No Dump
            1 : MAC Header Only
            2 : MAC Header and Frame Header
            3 : All
  fil     : 0-2
            0 : Show only My address
            1 : All
            2 : Broadcast Frame hidden dump
			
setup reg   -r <addr> -v <data>
  NoOption   : display register setting
  addr (hex) : 0xXXXXXXXX
  data (hex) : 0xYYYYYYYY
  
setup ch    -f <freq> -c <channel>
  Argumet freq or ch
  freq    : 2412/2417/2422/2427/2432/2437/2442/2447/2452/2457/2462/2467/2472/2484/
            5180/5200/5220/5240/5260/5280/5300/5320/5500/5520/5540/5560/5580/5600/
            5620/5640/5660/5680/5700/5475/5765/5785/5805/5825
  channel : 1`14,36/40/44/48/52/56/60/64,100/104/108/112/116/120/124/128/132/136/
            140/149/153/157/161/165

setup frame -l <macl> -u <macu> -b <body> -s <size> -t <tid> -r <rate>
            -p <power> -a <ack> -m <mcs>
  NoOption   : display frame setting
  
MAC ADDRESS XX:XX:YY:YY:YY:YY
  macl (hex) : 0xXXXX
  macu (hex) : 0xYYYYYYYY
  body       : 0xZZ   MAC Frame Data
  size       : 0-1500
  tid        : 0-65535
  rate       : 1/2/5/6/9/11/12/18/24/36/48/54(Mbps)
  power      : 0-255
  ack        : 0/1 (Normal/No ack)
  mcs        : 0-7

send pn    -r <rate> -m <mcs> -p <preamble> -g <gi>
  rate     : 1/2/5/6/9/11/12/18/24/36/48/54(Mbps)
  mcs      : 0-7
  preamble : 0/1 (Long Preamble / Short Preamble)
  gi       : 0/1 (Normal GI / Short GI)
  
send frame -n <count> -i <interval>  -s <sifs> -r <rifs> -e <enc>
  count    : 0-65535
  interval : 0-65535 (msec)
  sifs     : 0/1 (SIFS Burst Invalid / SIFS Burst Valid)
  rifs     : 0/1 (RIFS Burst Invalid / RIFS Burst Valid)
  enc      : 0 : None
             1 : WEP
             2 : AES
             3 : TKIP

send help

send frame -n <count> -i <interval>  -s <sifs> -r <rifs> -e <enc>

send pn    -r <rate> -m <mcs> -p <preamble> -g <gi>

sd buffer [-d | -s]
  -s  : Single buffer
  -d  : Dubble buffer

sd clk ???
  ???  : SD_CLK_CTRL
  
sd update [filename]
  filename  : file name


sd fread  [filename]
  filename  : file name

sd gcmd   [number] <arg>
  number   : XX (dec)
 arg...
    Read more »

  • More info

    Chris Jones05/01/2015 at 20:47 0 comments

    found some images of the board digging through google image search..

    flashairfront

    flashairback

    Chips are as follow:
    Processor : TC90535XBG ?
    Flash Memory : TC58NVG6D2GLAD0E ?
    WIFI : AIROHA AL2238 wifi b/g

    I cannot read the others, but either way I was not able to find any details about the Processor or even the Flash Memory.

    Also, with the help of a friend, I ran the update file through IDA Pro, and he said it appears IDA is detecting it as Armv6 code. We were not able to find the bootloaders load start. Although it may not be in the update file as it may not be a complete firmware image.. More is still needed to be researched, but I wanted to update this.

View all 2 project logs

Enjoy this project?

Share

Discussions

Similar Projects

Silly simple GPIB console for U/Linux & Mac OS
Project Owner Contributor

GPIB Instrument Control Console

brian-cornellBrian Cornell

Pocket microcomputer on an Arduino with user input and LCD display. The OS implements a file system and code editor and executor
Project Owner Contributor

Pocket Arduino Microcomputer

nathanNathan

Turn a SMART Response XE terminal into an 80's flavour pocket computer
Project Owner Contributor

SMART Response XE BASIC

fdufnewsfdufnews

A SMB (Samba) and FTP server which is safe against ransomware attacks from the client
Project Owner Contributor

Ransomware safe server: SMB (Samba) and FTP server

elbertElbert

Does this project spark your interest?

Become a member to follow this project and never miss any updates

Going up?

About Us Contact Hackaday.io Give Feedback Terms of Use Privacy Policy Hackaday API

© 2024 Hackaday

Yes, delete it Cancel

Report project as inappropriate

You are about to report the project "Reverse Engineering Toshiba Flashair Wifi SD card", please tell us the reason.

Send message

Your application has been submitted.

Remove Member

Are you sure you want to remove yourself as a member for this project?

Project owner will be notified upon removal.