phasenoise (phasenoise) wrote,
phasenoise
phasenoise

OpenWrt in a WiFi card reader

The Zsun Wifi card reader is cheap tiny USB to MicroSD card reader with an integrated wifi chip running Linux, In a nutshell, it is a WiFi access point with more flash (16MB) and RAM (64 MB) than most OpenWrt supported routers. Polish hardware hacker q3k from Warsaw Hackerspace, is a recent and proud owner, it allows him to transfer his pictures to any WiFi-enabled device in a matter of seconds. As he suspected that some kind of Linux was running on it, he began to see if he could get a root access on it… and succeeded. The original firmware is full of easter eggs, including an always on telnet server on port 11880.


While people managed to access the device serial console a few weeks ago, the plan was to eventually run OpenWrt since it’s based on the popular Atheros AR9331 WiSoC combined with 64MB RAM and 16MB SPI Flash. It would also be one the smallest OpenWrt capable device with dimensions of 30 x 33 mm.
It turns out the card reader uses u-boot, q3k was able to create his own openwrt binary image for the 16MB  flash and load it on the reader.

Q3k OpenWrt port, based on the 15.05 “Chaos Calmer” release:

https://code.hackerspace.pl/emeryth/openwrt_zsun/

Compiled images and image builder:

https://owncloud.hackerspace.pl/index.php/s/7s5c5RDS7Njgwpv
His clear and detailed write-up at hackerspace.pl wiki explains how to flash your zsun reader. q3k enumerate all posibilities with this really small OpenWrt router.

  • Use it for its intended purpose of serving files, duh

  • Use as a tiny and pretty good WiFi AP/client/repeater (the hardware supports multiple simultaneous wireless interfaces!)

  • Play around with OpenWrt

  • Use it as the brains of your IoT project

  • Buy a dozen and play around with mesh networking

  • Use it for distributed WiFi activism like PirateBox or OccupyWiFi, or run a minimal Tor hidden service (with addition of being easily hidden in public places)

  • Host Node.js on it and take your apps to your favorite coffee shop :^)

Zsun WiFi card reader can be purchased for as low as $14 on DealExtreme from china, and can be found on others shops like Amazon or GearBest at 20$ from USA.
.

You can reflash the firmware from the original firmware using mtd_write ,  it's easy but if you brick your zsun you will need to solder on an Ethernet jack and flash from the original uboot.

How-to mtd_write install (by cnxsoft)

Download OpenWrt for Zsun binary images

Start a TFTP server on your computer. If you use a Linux computer, you can use dnsmasq as follows:

sudo dnsmasq -p0 --enable-tftp --tftp-root=`pwd` -d --user=`whoami`
# serves files off your current directory, remember to chmod o+r files you'd like to use
sudo dnsmasq -p0 --enable-tftp --tftp-root=`pwd` -d --user=`whoami`

# serves files off your current directory, remember to chmod o+r files you'd like to use
Login to the board, and download the necessary files to zsun’s /tmp directory:

$ socat - TCP4:10.168.168.1:11880
(none) login: root
Password: zsun1188

[...]

# cd /tmp
# tftp -g 10.168.168.100 -r openwrt-ar71xx-generic-zsun-sdreader-kernel.bin
# tftp -g 10.168.168.100 -r openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin
$ socat - TCP4:10.168.168.1:11880
(none) login: root
Password: zsun1188

[...]

# cd /tmp
# tftp -g 10.168.168.100 -r openwrt-ar71xx-generic-zsun-sdreader-kernel.bin
# tftp -g 10.168.168.100 -r openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin

You may also want to copy mtd_write to /tmp, and kill all unnecessary process to be extra safe.
Now you can flash the firmware to “uImage” and “rootfs” partitions:

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00e90000 00010000 "rootfs"
mtd3: 00130000 00010000 "uImage"
mtd4: 00010000 00010000 "NVRAM"
mtd5: 00010000 00010000 "ART"
# mtd_write write openwrt-ar71xx-generic-zsun-sdreader-kernel.bin /dev/mtd3
Unlocking /dev/mtd3 ...
Writing from openwrt-ar71xx-generic-zsun-sdreader-kernel.bin to /dev/mtd3 ... [w]
# mtd_write write openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin /dev/mtd2
Unlocking /dev/mtd2 ...
Writing from openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin to /dev/mtd2 ...  [w]
Bus error

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00e90000 00010000 "rootfs"
mtd3: 00130000 00010000 "uImage"
mtd4: 00010000 00010000 "NVRAM"
mtd5: 00010000 00010000 "ART"

# mtd_write write openwrt-ar71xx-generic-zsun-sdreader-kernel.bin /dev/mtd3
Unlocking /dev/mtd3 ...
Writing from openwrt-ar71xx-generic-zsun-sdreader-kernel.bin to /dev/mtd3 ... [w]
# mtd_write write openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin /dev/mtd2
Unlocking /dev/mtd2 ...
Writing from openwrt-ar71xx-generic-zsun-sdreader-rootfs-squashfs.bin to /dev/mtd2 ...  [w]
Bus error

“Bus error” looks like an error, but in this case it just indicates flashing is complete.

Restart the device, and after a longer than usual very first boot, you should have access to OpenWrt. Have fun
Tags: openwrt, wifi, zsun
Subscribe

Recent Posts from This Journal

Comments for this post were disabled by the author