After reading recently about how someone had hacked the Transcend WiFi SD cards, I thought I’d get one and see what I could do with it. Following the instructions and getting a login-shell on the card was easy enough. It was kinda surreal though that an SD-card was running a complete WiFi networking enabled embedded Linux (SoC FTW!) and being able to telnet onto it.
Taking advantage of what has already been discovered by other people, I’ve placed an
autorun.sh file in the root of the SD card via the PC to enable access via password-less telnet and ftp:
#!/bin/bash rcS6 tcpsvd -vE 0.0.0.0 21 ftpd -w /mnt/sd/ & # Optionally install the latest busybox binary with more applets enabled # cp /mnt/sd/busybox* /sbin/busybox # chmod a+x /sbin/busybox #### Obsolete # /sbin/busybox telnetd -l /bin/bash &
The next time you insert the WiFi SD-card into the SD-card reader and connect to the WIFISD network, you’ll be able to telnet directly to the card. If you haven’t changed any settings on the card that’s as simple as:
For my own record:
# cat /proc/cpuinfo Processor : ARM926EJ-S rev 5 (v5l) BogoMIPS : 421.06 Features : swp half fastmult edsp java CPU implementer : 0x41 CPU architecture: 5TEJ CPU variant : 0x0 CPU part : 0x926 CPU revision : 5 Hardware : KeyASIC Ka2000 EVM Revision : 0000 Serial : 0000000000000000 # cat /proc/meminfo MemTotal: 29824 kB MemFree: 15940 kB Buffers: 16 kB Cached: 10388 kB SwapCached: 0 kB Active: 3280 kB Inactive: 7840 kB Active(anon): 716 kB Inactive(anon): 0 kB Active(file): 2564 kB Inactive(file): 7840 kB Unevictable: 0 kB Mlocked: 0 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 0 kB Writeback: 0 kB AnonPages: 740 kB Mapped: 796 kB Shmem: 0 kB Slab: 1224 kB SReclaimable: 364 kB SUnreclaim: 860 kB KernelStack: 272 kB PageTables: 120 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 29824 kB Committed_AS: 6568 kB VmallocTotal: 825344 kB VmallocUsed: 324 kB VmallocChunk: 824240 kB # cat /proc/mtd dev: size erasesize name mtd0: 00100000 00010000 "SPI NOR Flash Partition1" mtd1: 00300000 00010000 "SPI: kernel" mtd2: 00300000 00010000 "Ramdisk"
The next challenge of course was to get my own binary running on the card. I’m running an Ubuntu 12.04 system. YMMV depending on what distro you use.
Download and install CrossTool. It greatly simplifies setting up your cross-compiler toolchain. Once you have CrossTools up and running create an empty directory and build the config for the ARM/ucLibC combo:
You can optionally configure the generated config via menu-config:
Now start the actual build:
This last step is time-consuming as it’ll download sources for several packages and does the actual compile of everything. When it completes you’ll have a new cross-compiler toolchain at
Try compiling your first hello world program:
~/x-tools/arm-unknown-linux-uclibcgnueabi/bin/arm-unknown-linux-uclibcgnueabi-gcc -Os -s -DNDEBUG hello.c -o hello.out
I prefer to fetch the file from a web-server which serves out the compiled file which I can then fetch via wget from within the SD-card as I don’t have to deal with running
/usr/bin/refresh_sd had I copied the file directly onto the SD-card from my PC instead.
# cd /tmp # wget http://192.168.11.11:8080/hello.out # chmod +x hello.out # ./hello.out Hello, world! #
And there you go. The binary is a 6kb dynamically linked executable. You can statically link it too of course with a jump in file size to 72kb.
There are some folks working on getting OpenWRT to run on the card. Also noteworthy is that they’ve managed to compile a completely new kernel, but they seem to be having issues with the WiFi driver.