Wifi SD

So called WiFi SD cards are actually designed to transfer pictures taken with a digital camera to any wifi-enabled device. In fact, such small devices can not only store up to 32GBs in such a tiny space, but are embedded system fully capable of running applications, including a webserver, communicating with other devices over WiFi, and even powering its own wireless network.

There are several vendors of WiFi enabled SD cards: However, it is assumed that moest are based upon the same hardware.
 * Transcend WiFi SD
 * Eye-Fi
 * SanDisk
 * Thoshiba FlashAir
 * PQI Air Card
 * Flucard
 * Spectec SDIO WiFi
 * ... to be extende ...

This page is dedicated to collect information about WiFi SD cards. It is work in progress and any contribution is more than welcome.

= Transcend WiFi SD card =


 * CPU: ARMv5, ARM926EJ-S rev 5 (v5l)
 * RAM: 32MByte
 * Binaries: ELF 32-bit LSB executable, ARM, version 1 (SYSV)
 * Linux Version: 2.6.32
 * Busybox: 1.18.5
 * WiFi: ath65/AR6003
 * 16/32GB Class 10 SDHC
 * Power consumption: ~50mA idle up to ~400mA WiFi @ 3.3V
 * Firmware size: max 3MB

IP-Address
If your card is configured in so called 'internet mode' you might wonder how to discover its IP address. To start all services and to connect to your WiFi takes about 30 seconds. The brute force method is to simply scan your network: nmap -sP 192.168.1.0/24 Well, therefore should be a much more sophisticated method. It is reported that an UDP Broadcast on port 55777 will be sent (see https://forum.openwrt.org/viewtopic.php?pid=209999#p209999).

Hacks
...

Use the web-interface to browse the entire file system
The section "Files" of the web-interface allows you to browse the SD-card's content but not the system's entire file system. However, there is a little trick. Again, the URL http://[IP]/cgi-bin/file_list.pl?dir=%2Fwww%2Fsd%2F does not permit to directly list the root directory. You can move up one level, anyways. '%2F' is the url-encoded form of the slash character "/". Just use '..' to enter the parent directory. http://[IP]/cgi-bin/file_list.pl?dir=%2Fwww%2Fsd%2F..%2F..%2F This navigates to "...?dir=/www/sd/../../" which is the same as "/", the root directory. Voila, there you are.

Firmware
To see what is inside of `initramfs3.gz` you have to take off the first 8-bytes. dd if=initramfs3.gz bs=8 skip=1 of=real_initramfs3.gz Those 8-bytes are representing "KAGZ" + the size of the file (32-bit integer). To interpret the second word as 32-bit integer on little endian machines say hexdump -s4 -n4 -e '"((((0" 4/1 "*256+%d)" "\n"' initramfs3.gz | bc

Lets see what is inside: gzip -d real-initramfs3.gz file real-initramfs3 > real-initramfs3: ASCII cpio archive (SVR4 with no CRC) cpio -it < real-initramfs3 Wow, there is Linux working!

Resources

 * Advanced Transcend WiFiSD hacking
 * Hacking Transcend WiFi SD Cards
 * Modifying Transcend WiFi SD Card Firmware
 * Transcend Wi-Fi SD Card - Technische Details / Hacken? (german)
 * Hacking Transcend Wifi SD Cards
 * [proposal tr_wifi.mo - Transcend WiFi SD driver]
 * Transcend WifiSD / PQI AirCard / FluCard Pro