1 (edited by pixelk 2013-10-12 14:23:55)

Topic: Transcend WifiSD / PQI AirCard / FluCard Pro

Hello,

As I didn't see any topic mentioning this nice little piece of hardware, I decided to create my own.
Those three products and their variants are all SD cards with a wifi AP/Client running an embedded Linux. Some very interesting work has already been done on them:
- FluCard Pro in Japanese
- PQI AirCard in French
- Hacking Transcend WiFi SD Cards in English - Reddit thread
- Modifying Transcend WiFi SD Card Firmware in English
- Transcend SDHC wifi in French
- Cross-compile for FluCard in Japanese - Google translate
- Advanced Transcend WiFiSD hacking

Here are my photos of the inside of the Transcend WifiSD 16G :

Front
http://stuff.knackes.com/dld/201308/Transcend-WifiSD-16Go-512px_805434CD.jpg
High resolution

Back
http://stuff.knackes.com/dld/201308/Transcend-WifiSD-16Go-Pads-512px_8C3CB7EC.jpg
High resolution

SD Pin name according to Wikipedia on SD Card
RX & TX serial console (38400 8N1) discovered by cnovus


the PQI AirCard :

Front
http://stuff.knackes.com/dld/201310/PQI-Front-500_D5EF5F76.jpg
High resolution

Back
http://stuff.knackes.com/dld/201310/PQI-Back-500_32B9A9DC.jpg
High resolution

and the Trek FluCard Pro :

Front
http://stuff.knackes.com/dld/201310/Front-500_CBDB2A1B.jpg
VERY High resolution (15Mo)

Back
http://stuff.knackes.com/dld/201310/Bottom-500_3A46C351.jpg
VERY High resolution (9Mo)


Enable passwordless telnet & ftp by creating a file named autorun.sh in the root of the sd card and putting inside it

rcS6
tcpsvd -vE 0.0.0.0 21 ftpd -w /mnt/sd/ &

Thanks go to Pablo & Sebastien Colas for discovering it

Some commands in telnet :

# dmesg
(192-96-1)
console [ttyS0] enabled
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
cfg80211: Calling CRDA to update world regulatory domain
NET: Registered protocol family 2
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
ttyS0 at MMIO 0xa0004000 (irq = 1) is a KA2000
msgmni has been set to 58
loop: module loaded
TCP cubic registered
NET: Registered protocol family 17
lib80211: common routines for IEEE802.11 drivers
lib80211_crypt: registered algorithm 'NULL'
ka2000_sdhc: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
(0>0)switch_modules
max_blk_size=512, max_blk_count=8, max_req_size=32768
init bomb irq
req irq 40 (1000000)
req irq 43 (40)
req irq 41 (43)
ka_sdhc_drv_init
bw = 22
mmc0: new SDHC card at address b368
mmcblk0: mmc0:b368 CAR 15.0 GiB
 mmcblk0:bootsec @ 2000
 p1
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10
sdio wakeup
mmc1: queuing CIS tuple 0x01 length 3
mmc1: queuing CIS tuple 0x1a length 5
mmc1: queuing CIS tuple 0x1b length 8
mmc1: queuing CIS tuple 0x14 length 0
mmc1: queuing CIS tuple 0x80 length 1
mmc1: queuing CIS tuple 0x81 length 1
mmc1: queuing CIS tuple 0x82 length 1
mmc1: new SDIO card at address 0001
AR6000: configuration opcode 7 is only used for RTOS systems, not Linux systems
ath6k/AR6003/hw2.1.1/athwlan.bin firmware will be loaded
AR6K: ** HIF layer does not support scatter requests (17)
wmi_control_rx() : Unknown id 0x101e
Add Filter 0 = 01:00:5e:00:00:01
Keep Filter 0 = 01:00:5e:00:00:01
Keep Filter 0 = 01:00:5e:00:00:01
(0>1)dcim c 3 @9838, f:2020 (off 404008)
Folder: 199_WIFIWSD00003 (5f393931 49464957)
Img1: WSD00003 (30445357 33303030 sz 79cdh)
user_dir:(5f333231 20505446)(00000000 00000000)
ctrlimg c 1c01ff @1c0b7f8, f:5823 (off b047f8)

3 c 203-207 @b838 f:2024(o:3)
misc c 1c0200 @1c0b808
bomb reg2 1c0b808 - 1c0b80d
bomb reg 2020 - 5c24
st 1c0181, 1:3, 2:0, 3:0, 4:0, 5:0

3 c 1c0203-1c0207 @1c0b838 f:5824(o:3)
fat cnt 4, x0, pBuf1 c17e5200, pBuf2 0(1) [0]:001c0204  [1]:001c0205  [2]:001c0206  [3]:0fffffff
Undel img1
bomb reg 2020 - 5c24
restore 3-6 to 22564 (001c0204)
m1_cmd = 1
Img #1 del
(1>0)
channel hint set to 0
iwioctl: cmd=0x8b03 not allowed in this mode
iwioctl: cmd=0x8b1d not allowed in this mode
wext_ioctl: cmd=0x8b29 not allowed in this mode
iwioctl: cmd=0x8b23 not allowed in this mode
iwioctl: cmd=0x8b25 not allowed in this mode
channel hint set to 0
Keep Filter 0 = 01:00:5e:00:00:01
debug_hdr_ptr: 0x5429a0
 Attempting to reset target on instance destroy....
Sdio trans timeout
AR6000: configuration opcode 7 is only used for RTOS systems, not Linux systems
ath6k/AR6003/hw2.1.1/athwlan.bin firmware will be loaded
AR6K: ** HIF layer does not support scatter requests (17)
wmi_control_rx() : Unknown id 0x101e
iwioctl: cmd=0x8b03 not allowed in this mode
iwioctl: cmd=0x8b1d not allowed in this mode
iwioctl: cmd=0x8b23 not allowed in this mode
iwioctl: cmd=0x8b25 not allowed in this mode
Add Filter 0 = 01:00:5e:00:00:01
Keep Filter 0 = 01:00:5e:00:00:01
Keep Filter 0 = 01:00:5e:00:00:01
WMM params
AC 0, ACM 0, AIFSN 3, CWmin 4, CWmax 10, TXOPlimit 0
AC 1, ACM 0, AIFSN 7, CWmin 4, CWmax 10, TXOPlimit 0
AC 2, ACM 0, AIFSN 2, CWmin 3, CWmax 4, TXOPlimit 94
AC 3, ACM 0, AIFSN 2, CWmin 2, CWmax 3, TXOPlimit 47
Keep Filter 0 = 01:00:5e:00:00:01
channel hint set to 0
iwioctl: cmd=0x8b03 not allowed in this mode
iwioctl: cmd=0x8b1d not allowed in this mode
iwioctl: cmd=0x8b23 not allowed in this mode
iwioctl: cmd=0x8b25 not allowed in this mode

# cat /proc/meminfo
MemTotal:          29824 kB
MemFree:            8256 kB
Buffers:            7720 kB
Cached:             9036 kB
SwapCached:            0 kB
Active:            10260 kB
Inactive:           7392 kB
Active(anon):        896 kB
Inactive(anon):        0 kB
Active(file):       9364 kB
Inactive(file):     7392 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:           920 kB
Mapped:              660 kB
Shmem:                 0 kB
Slab:               2236 kB
SReclaimable:       1224 kB
SUnreclaim:         1012 kB
KernelStack:         320 kB
PageTables:          152 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       29824 kB
Committed_AS:       8824 kB
VmallocTotal:     825344 kB
VmallocUsed:         324 kB
VmallocChunk:     824240 kB

# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/mtdblock0            1.0M    764.0K    260.0K  75% /mnt/mtd
/dev/mmcblk0p1           15.0G     88.0K     15.0G   0% /mnt/sd

# mount
proc on /proc type proc (0)
/dev/mtdblock0 on /mnt/mtd type jffs2 (0)
none on /dev/pts type devpts (mode=0622)
/dev/mmcblk0p1 on /mnt/sd type vfat (shortname=winnt,iocharset=utf8,rw)

# cat /proc/cpuinfo
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 421.06
Features        : swp half fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5

Hardware        : KeyASIC Ka2000 EVM
Revision        : 0000
Serial          : 0000000000000000

# iwconfig
lo        no wireless extensions.

mlan0     AR6000 802.11g  ESSID:""  Nickname:""
          NWID:off/any  Mode:Managed  Frequency:2.462 GHz
          Access Point:    Bit Rate:24 Mb/s   Tx-Power=12 dBm  
          Sensitivity=0/3
          Retry:on   RTS thr=0 B   Fragment thr=0 B
          Encryption key:   Security mode:open
          Power Management:on
          Link Quality:11/94  Signal level:-84 dBm  Noise level:-96 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:45  Invalid misc:0   Missed beacon:0

# stty
speed 38400 baud; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
-brkint -imaxbel
tab3

Downloads

Transcend WifiSD Official Firmware 1.8
Transcend WifiSD Official Firmware 1.7
Transcend WifiSD Official Firmware 1.6
Transcend WifiSD Official Firmware 1.5
Transcend WifiSD Official Firmware 1.4
Transcend WifiSD GPL Release
Transcend WifiSD GPL Release with uboot source

PQI Air Card Firmware V1.47

FluCard pro 3.70 firmware
FlashAir PRO 1.15 firmware

Dmitry Grinsburg firmware (bottom of the page)

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

Woops, I lost the Read/write tab while opening the card, now most card readers won't allow me to write on the card.

I circumvented this by adding a solder bridge within the SD slot R/W detection pin on the SD reader given by Transcend.

http://stuff.knackes.com/dld/201308/IMG_20130817_084228-512_EBE53DCE.jpg

The standard busybox is quite limited in the number of applets it delivers, so I used the one Pablo found on the official busybox repository.

I made my own root filesystem under the /NCFL directory and copy it at startup using this autorun.sh:

rcS6
tcpsvd -vE 0.0.0.0 21 ftpd -w /mnt/sd/ &

cp -fR /mnt/sd/NCFL/* /
chmod a+x /sbin/busybox
mount -t devpts /dev/pts
#/sbin/busybox telnetd -l /bin/bash &

rm /bin/vi
ln /sbin/busybox /bin/vi

ln /sbin/busybox /bin/uname
ln /sbin/busybox /bin/tar
ln /sbin/busybox /bin/uptime
ln /sbin/busybox /bin/gzip

You can of course add the other busybox applets.


I also found out how the Android (and possibly iOS) app communicates with the WifiSD:

First they send a UDP broadcast on port 55777 (pcap capture of the packet sent from my phone at 192.168.0.150)

Then all the configuration is done through the unencrypted HTTP server running on the WifiSD
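
As an added example (not code from this thread): since the card executes whatever autorun.sh it finds in the root of the SD card at boot, it is worth reviewing that file before powering a card you did not prepare yourself. The Python sketch below audits the two scripts posted above; the rule names and the reading of rcS6 as the telnet switch are assumptions.

```python
import os
import shlex

# The two autorun.sh scripts posted in this thread, embedded as sample input.
AUTORUN_FIRST_POST = """\
rcS6
tcpsvd -vE 0.0.0.0 21 ftpd -w /mnt/sd/ &
"""
AUTORUN_CUSTOM_ROOTFS = """\
rcS6
tcpsvd -vE 0.0.0.0 21 ftpd -w /mnt/sd/ &

cp -fR /mnt/sd/NCFL/* /
chmod a+x /sbin/busybox
mount -t devpts /dev/pts
#/sbin/busybox telnetd -l /bin/bash &

rm /bin/vi
ln /sbin/busybox /bin/vi
"""

SVD_OPTS_WITH_VALUE = {"-c", "-C", "-b", "-u", "-l"}   # busybox tcpsvd/udpsvd
SHELLS = {"sh", "ash", "bash", "hush"}
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def _svd_target(args):
    """Split tcpsvd/udpsvd arguments into (ip, port, program argv)."""
    i = 0
    while i < len(args) and args[i].startswith("-"):
        i += 2 if args[i] in SVD_OPTS_WITH_VALUE else 1
    rest = args[i:]
    return (rest[0], rest[1], rest[2:]) if len(rest) >= 3 else None


def _check_command(argv):
    """Yield a rule id for each risky thing one command line does."""
    name = os.path.basename(argv[0])
    if name == "busybox" and len(argv) > 1:        # "busybox APPLET args..."
        argv = argv[1:]
        name = os.path.basename(argv[0])
    args = argv[1:]
    if name == "rcS6":
        # Assumption inferred from the thread: rcS6 is the part of the
        # two-line script that turns on the passwordless telnet service.
        yield "firmware-helper-enables-telnet"
    elif name in ("tcpsvd", "udpsvd"):
        target = _svd_target(args)
        if target:
            ip, port, prog = target
            if ip in ("0", "0.0.0.0"):
                yield "listens-on-all-interfaces:" + port
            yield from _check_command(prog)        # audit the wrapped server
    elif name == "ftpd" and "-w" in args:
        yield "ftpd-upload-enabled"
    elif name == "telnetd" and "-l" in args[:-1]:
        login = args[args.index("-l") + 1]
        if os.path.basename(login) in SHELLS:      # shell instead of login
            yield "telnetd-shell-without-login"
    elif name == "cp" and args and args[-1] == "/" and any(
            a.startswith("/mnt/sd/") for a in args[:-1]):
        yield "rootfs-overwritten-from-sd"
    elif name in ("rm", "ln", "mv") and args and args[-1].startswith(SYSTEM_DIRS):
        yield "system-binary-replaced"


def audit_autorun(text):
    """Return [(line_number, rule_id), ...] for every active command."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                               # blank or commented out
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:
            findings.append((lineno, "unparsable-line"))
            continue
        while argv and argv[-1] == "&":            # drop the background marker
            argv.pop()
        if argv:
            findings.extend((lineno, r) for r in _check_command(argv))
    return findings


if __name__ == "__main__":
    for lineno, rule in audit_autorun(AUTORUN_CUSTOM_ROOTFS):
        print(f"autorun.sh:{lineno}: {rule}")
```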

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

I updated to firmware 1.7 (shipped as 1.6), which reset my settings but didn't wipe my data from the sd part.

The 1.7 version supports raw files natively (cr2, srw, rwl, rw2, raw, pef, nrw, nef, kdc, k25, dcr, srf, sr2, arw, orf).

Here is a list of the applets natively supported by the busybox within the 1.7 version:

        ash, bash, boa, boa_indexer, bootchartd, bunzip2, buzzer, bzcat, cat,
        chmod, cmd_server, cp, date, df, dhcprelay, diff, dirname, dmesg, dnsd,
        dnsdomainname, dumpleases, echo, egrep, env, fgrep, find, fs_info,
        ftpd, ftpget, ftpput, gen_filelist, get_authfile, grep, halt, hostname,
        ifconfig, inetd, init, insmod, instant_setupd, instant_upload,
        instant_upload_clean, iu_progressd, iwconfig, iwevent, iwlist, iwpriv,
        kcard_app, kcard_cmd, kcard_startup, kill, linuxrc, ln, logger,
        logread, ls, lsmod, macaddr, mkdir, mount, mv, nslookup, perl, ping,
        pkill, poweroff, ps, pwd, readahead, reboot, rm, rmdir, rmmod, route,
        sh, sleep, sync, syslogd, tcpsvd, telnetd, thumbNail, thumbnail_video,
        touch, tscmd, tslist, udhcpc, udhcpd, udpsvd, umount, unzip, wget,
        wifi_connect_router, wifi_download, wifi_filelist, wifi_ftp_server,
        wifi_ftp_upload, wifi_get_apconfig, wifi_get_config,
        wifi_get_config_real, wifi_quick_send, wifi_set_config, wifi_upload,
        xargs

Compared with the ones with the downloaded busybox :

        [, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash,
        awk, base64, basename, beep, blkid, blockdev, bootchartd, brctl,
        bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod,
        chown, chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm,
        conspy, cp, cpio, crond, crontab, cryptpw, cttyhack, cut, date, dc, dd,
        deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff,
        dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap,
        dumpleases, echo, ed, egrep, eject, env, envdir, envuidgid, ether-wake,
        expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat,
        fdisk, fgconsole, fgrep, find, findfs, flock, fold, free, freeramdisk,
        fsck, fsck.minix, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty,
        grep, groups, gunzip, gzip, halt, hd, hdparm, head, hexdump, hostid,
        hostname, httpd, hush, hwclock, id, ifconfig, ifdown, ifenslave,
        ifplugd, ifup, inetd, init, insmod, install, ionice, iostat, ip,
        ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel,
        kbd_mode, kill, killall, killall5, klogd, last, less, linux32, linux64,
        linuxrc, ln, loadfont, loadkmap, logger, login, logname, logread,
        losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat,
        lzma, lzop, lzopcat, makedevs, makemime, man, md5sum, mdev, mesg,
        microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.minix,
        mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more,
        mount, mountpoint, mpstat, mt, mv, nameif, nanddump, nandwrite,
        nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od,
        openvt, passwd, patch, pgrep, pidof, ping, ping6, pipe_progress,
        pivot_root, pkill, pmap, popmaildir, poweroff, powertop, printenv,
        printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate, rdev,
        readahead, readlink, readprofile, realpath, reboot, reformime,
        remove-shell, renice, reset, resize, rev, rm, rmdir, rmmod, route, rpm,
        rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir, rx, script,
        scriptreplay, sed, sendmail, seq, setarch, setconsole, setfont,
        setkeycodes, setlogcons, setserial, setsid, setuidgid, sh, sha1sum,
        sha256sum, sha3sum, sha512sum, showkey, slattach, sleep, smemcap,
        softlimit, sort, split, start-stop-daemon, stat, strings, stty, su,
        sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync, sysctl,
        syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp,
        tftpd, time, timeout, top, touch, tr, traceroute, traceroute6, true,
        tty, ttysize, tunctl, udhcpc, udhcpd, udpsvd, umount, uname, unexpand,
        uniq, unix2dos, unlzma, unlzop, unxz, unzip, uptime, users, usleep,
        uudecode, uuencode, vconfig, vi, vlock, volname, wall, watch, watchdog,
        wc, wget, which, who, whoami, whois, xargs, xz, xzcat, yes, zcat, zcip

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

I extracted the latest 1.7 firmware files and am in the process of reading through them. There are several mentions of "FLUCARD" within the WifiSD firmware. The two devices are clearly linked now (before we "only" knew they shared the same hardware).

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

Very interested in all this... Please keep us updated!

OpenWrt since 2005: WRT54G , WL-500gX, WL-500gP, WL1043ND.... to be continued.

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

Here's some interesting bits I found while poking around:

> cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00010000 "SPI NOR Flash Partition1"
mtd1: 00300000 00010000 "SPI: kernel"
mtd2: 00300000 00010000 "Ramdisk"

So it looks like mtd1 holds the kernel and mtd2 holds the initrd.  The 0x300000 = 3MB size limit on the initrd corresponds to what fernjager found.  I'm not sure what mtd0 holds - possibly part of the bootloader?  Unfortunately I get an error when I try to dump the contents:

cat: can't open '/dev/mtd0': No such device or address

(Pretty sure I'm doing something wrong here - let me know if you figure out the trick.)

I'm also interested in how the flashing process works.  To flash the firmware, you put 'program.bin' and some other files on the root of the SD card and reboot, and somehow 'program.bin' gets executed.  But there's no reference to program.bin in the 1.7 kernel image, and the only references in the 1.7 initrd are for deleting the files after a successful upgrade.  So it must be running directly from the bootloader somehow.  This seems to agree with the boot log in Kazu-zamasu's github repo, which has a reference to program.bin before the first kernel messages appear.  Compare:

....reading program.bin
.................<mmc1>go 208000
<4>(192-96-1)
console [ttyS0] enabled

vs.

> dmesg
(192-96-1)
console [ttyS0] enabled
Mount-cache hash table entries: 512

By the way, the same repo has a kernel config, which (if it works) might be useful since there doesn't seem to be one with the official GPL release (available here - click on "Wireless and Multimedia Products" / "Wi-Fi SD Card" / "Wi-Fi SD Card" / (either model), and it's listed under "Driver/Firmware" as "WiFiSD_GPL".)

It seems like there is something useful in this blog post, but it's in French and I haven't tried reading a translated version yet.  I see some references to U-Boot though, which is interesting because program.bin seems to be able to flash that along with the kernel/initrd if it's present:

$ strings program.bin | grep program
# snip
found u-boot.bin, start program.
found image3, start program.
found image, start program.

Though there is no u-boot.bin in the official 1.7 firmware release.

7 (edited by pixelk 2013-08-20 18:10:43)

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

Here is my translation of the part you're talking about :

Lemoidului wrote:

A – Study of the boot sequence

Thanks to the serial console (detailed in chapter III) you have access to the card bootloader. Press any key after the start of the boot sequence in the console to stop it (you have something like 3 seconds after the KeyAsic Bootloader). This bootloader (KA Boot 04240806) lives in the SoC ROM. It works like a stage 1 and its duty is (among other things) to call program.bin (like a stage 2) which, as we saw in chapter II, is based on U-Boot.

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

Has anyone figured out a way to get one of these to boot in a stand-alone fashion, only connected to a 3.3V power supply?  I have a PQI Aircard and thought I read somewhere of some success making it boot standalone.   My card doesn't seem to boot (no Wifi anyway) when it is inserted in a SD Card breakout board (Parallax 32313).  With the 16 GB MicroSD card installed it takes about 31 mA.  Interestingly when the MicroSD card is pulled, the device takes around 90 mA for a few seconds before settling to a constant 66 mA current consumption.  But still no wifi.  I haven't cut it open yet and attached wires to the serial port.  That will probably tell something.

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

I have seen no successful description of a stand-alone (without a full, running, SD host) setup.
I tried connecting the 3.3V & GND pin to a stable supply with no luck.
I also tried powering an external USB SD-Card reader (5V & GND) and it didn't even light up.
I didn't try a SPI-mode host yet, it might be our best chance to get a running WifiSD/PQI Air/FluCard with minimal hardware.
I don't know about any "light" setup which would init one bit or four-bit mode, but didn't do any research on that. Maybe a simple bit-banged init sequence would be enough ?

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

Hello all
I have the PQI Air Card busybox and Linux kernel source.
If you need them, you can easily download them from the following address. This is Dropbox.

https://www.dropbox.com/sh/wlj7wzsdu7t8ahg/xbyX2fRl_V

Description
Aircard firm: PQI original firmware.
Inotify: Aircard Linux image with inotify fs.
PQI_Configs: I got these from PQI Taiwan (PQI is a Taiwan company), Busybox and Linux configs.
busybox_KA_20130702.tar.bz2: this is without the boa server.
busybox-1.18.5.tar.gz: This is the original PQI Aircard Busybox source file.
KA_SDIO_SD_EVB_Manual_v03.pdf: KeyASIC base board manuals.
Linux_KA_2_6_20130702.tar.bz2: This is the original Linux source.

The u-boot source code is awaited from PQI. I think it is just like any wifi SD card device. All devices use the Key-ASIC solution.

If this information is fruitful for you, I am so happy.
https://github.com/Kazu-zamasu

Yours sincerely, good hacking lol

11 (edited by pixelk 2013-08-20 22:52:24)

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

Woaw, what a leap forward ! Thank you !

From the KA_SDIO_SD_EVB_Manual_v03.pdf, we can now be assured that the Wifi chip (bottom left on my photo) is a
AF-N-31G Atheros AR6003

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

I tested it and can confirm, IT DOES NOT start when connected in SPI mode.

13 (edited by pixelk 2013-08-22 15:54:39)

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

Here is a simple tool to find your WifiSD on your network : Win32 - Source (Delphi 7)
http://stuff.knackes.com/dld/201308/ScreenCap-20130822-165408_7E3CAFB1.png

Tested only with my Transcend WifiSD so far.

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

hello
for me it looks like rxd is on pad 10 and txd is on pad 14.

15 (edited by pixelk 2013-08-23 20:53:10)

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

cnovus wrote:

hello
for me it looks like rxd is on pad 10 and txd is on pad 14.

Thank you for your find !
I'll try that and modify the picture accordingly. Any thoughts about the other pins' assignment?
I think there is at least the buzzer (mentioned in the scripts and SDK) GPIO available, but it's just a wish so far.

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

I tried the pads 10-15 (I damaged 16) for the buzzer, but had no luck. For GPIO the file Linux_KA_2_6\arch\arm\mach-ka2000\gpio.c of the GPL package may lead to something, but it seems it's not included in the Transcend firmware, or maybe it's the wrong file anyway.

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

pixelk wrote:

Here is a simple tool to find your WifiSD on your network : Win32 - Source (Delphi 7)

Tested only with my Transcend WifiSD so far.

I tested with PQI Air Card and can confirm that it does not work. The Transcend is much more elegant with the network than the PQI is. The PQI does the following when used with the Android App:

Repetitively broadcasts ARP request on the entire subnet, ie.
Who has 192.168.x.1? Tell 192.168.x.zzz
...
Who has 192.168.x.254? Tell 192.168.x.zzz

This seemed to repeat even after the connection from the app to the air card was established, of course it did not re-request the address of the known air card.

I was connecting WiFi phone to WiFi Air Card, so unable to sniff the packets to see what everyone responded with and what actions the phone app took upon receiving a response.

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

I have a PQI Air Card and I would like to know if there's any progress on OpenWRT being ported or any other distros either?

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

got the serial output at boot time:

KA Boot 04240806
scu: 11c33303,00000000,00040404,00009f00,1
Status 20200804

Hit to stop :  0
Status 20200804
RCA0 68, RCA1 b3
....reading program.bin
.....<mmc1>go 208000
<4>(192-96-1)
console [ttyS0] enabled
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
cfg80211: Calling CRDA to update world regulatory domain
NET: Registered protocol family 2
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
ttyS0 at MMIO 0xa0004000 (irq = 1) is a KA2000
msgmni has been set to 58
loop: module loaded
TCP cubic registered
NET: Registered protocol family 17
lib80211: common routines for IEEE802.11 drivers
starting pid 27, tty '/dev/console': '/etc/init.d/rcS'
KeyASIC WifiSD console ...
Sun Jan  1 00:00:00 UTC 2012
ka2000_sdhc: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
(0>0)switch_modules
max_blk_size=512, max_blk_count=8, max_req_size=32768
init bomb irq
req irq 40 (1000000)
req irq 43 (40)
req irq 41 (43)
ka_sdhc_drv_init
bw = 22
mmc0: new SDHC card at address b368
mmcblk0: mmc0:b368 CAR 15.0 GiB
 mmcblk0:bootsec @ 2000
 p1
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10
wsd to sd
wsd to sd
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10
run autorun.sh
start telnetd server
tcpsvd: listening on 0.0.0.0:21, starting
cid = CID:5dd500801b0000102020434453454a74
Transcend Card
Transcend Card
gen_boa_passwd.sh - USER=admin PASS=admin
rcS done
start boa

-----------------------------------------------
  Production mode-VER. version_147_FEB192013_TE.
-----------------------------------------------

mount: mounting none on /dev/pts failed: Device or resource busy
sleep disable
[01/Jan/2012:00:00:05 +0000] boa: server version Boa/0.94.14rc21
[01/Jan/2012:00:00:05 +0000] boa: server built Feb 25 2013 at 15:18:57.
[01/Jan/2012:00:00:05 +0000] boa: starting server pid=81, port 80
..setup AP mode start
/usr/bin/auto_off.sh: stop
rmmod: can't unload 'ar6000': unknown symbol in module, or unknown parameter
ifconfig: SIOCGIFFLAGS: No such device
sdio wakeuplo        no wireless extensions.

rm: can't remove '/tmp/iwconfig_maln0.txt': No such file or directory
mmc1: new SDIO card at address 0001

ifconfig: SIOCGIFFLAGS: No such device
AR6000: configuration opcode 7 is only used for RTOS systems, not Linux systems
ath6k/AR6003/hw2.1.1/athwlan.bin firmware will be loaded
AR6K: ** HIF layer does not support scatter requests (17)
wmi_control_rx() : Unknown id 0x101e
channel hint set to 0
commit
Add Filter 0 = 01:00:5e:00:00:01
Keep Filter 0 = 01:00:5e:00:00:01
Keep Filter 0 = 01:00:5e:00:00:01
Limit maximum connection count to 3
/usr/bin/auto_off.sh: start
/usr/bin/kcard_app.sh: start
kcard_startup: Set call interval 10
KCARD: Notify driver about pid 139
(0>1)KCARD: Log = 0, Diff Disable, Path /tmp/filediff
Auto OFF 0 seconds
KCARD: Debounce = 1, WiFi Hide Disable, Skip Disable
WiFi 0 can't less then 60 seconds
KCARD: waitting for sig
dcim c 3 @9838, f:2020 (off 404008)
Folder: 199_WIFIWSD00003 (5f393931 49464957)
Img1: WSD00003 (30445357 33303030 sz 79cdh)
user_dir:(5f333231 20505446)(00000000 00000000)
ctrlimg c 1c01ff @1c0b7f8, f:5823 (off b047f8)

3 c 1c0203-1c0207 @1c0b838 f:5824(o:3)
fat cnt 4, x0, pBuf1 c17e5200, pBuf2 0(1)
misc c 1c0200 @1c0b808
bomb reg2 1c0b808 - 1c0b80d
bomb reg 2020 - 5c24
st 1c0181, 1:3, 2:0, 3:0, 4:0, 5:0
bomb reg 2020 - 5c24
(1>0)Decompress libcrypto ...

Please press Enter to activate this console.
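
Added example, not code from the thread: the serial log above announces the autorun.sh run, the telnet and FTP listeners and the boa web login in clear text, and a later log in the thread also prints the Wi-Fi key, so a pasted console capture gives all of that away. The Python sketch below flags those lines in a captured log and masks secrets before the log is shared; the rule names, the guessable-password list and the identifying sample values are assumptions.

```python
import re

# Log lines follow the serial boot logs in this thread. The identifying
# values (CID, ESSID, ssid, key) are constructed placeholders.
SAMPLE_LOG = """\
KA Boot 04240806
....reading program.bin
run autorun.sh
start telnetd server
tcpsvd: listening on 0.0.0.0:21, starting
cid = CID:00112233445566778899aabbccddeeff
gen_boa_passwd.sh - USER=admin PASS=admin
[01/Jan/2012:00:00:05 +0000] boa: starting server pid=81, port 80
WIFI_CONN: ESSID  [NeighbourAP], cell 68 -> 970
AP:ssid=ExampleNet, key=example-passphrase, mode=0, enc_type=1 group 2 pair 2
Lease of 192.168.0.45 obtained, lease time 86400
"""

# (rule id, pattern). A named group "port" becomes the finding's detail;
# "user"/"pw" are inspected, but a password is never copied into a finding.
RULES = [
    ("sd-script-run-at-boot", re.compile(r"run autorun\.sh")),
    ("telnetd-started", re.compile(r"start telnetd server")),
    ("listener-on-all-interfaces",
     re.compile(r"tcpsvd: listening on 0\.0\.0\.0:(?P<port>\d+)")),
    ("http-server-started",
     re.compile(r"boa: starting server pid=\d+, port (?P<port>\d+)")),
    ("web-credentials-on-console",
     re.compile(r"gen_boa_passwd\.sh - USER=(?P<user>\S+) PASS=(?P<pw>\S+)")),
    ("wifi-key-on-console", re.compile(r"AP:ssid=.*, key=")),
]
GUESSABLE = {"admin", "password", "1234", "12345678"}   # illustrative list

# Values to mask before a log leaves the bench.
REDACTIONS = [
    (re.compile(r"(PASS=)\S+"), r"\1<redacted>"),
    (re.compile(r"(AP:ssid=).*(, key=).*(, mode=)"),
     r"\1<redacted>\2<redacted>\3"),
    (re.compile(r"(CID:)[0-9a-fA-F]+"), r"\1<redacted>"),       # card identity
    (re.compile(r"(ESSID\s+\[)[^\]]*(\])"), r"\1<redacted>\2"),  # nearby APs
]


def scan_boot_log(log):
    """Return [(line_number, rule_id, detail), ...] for exposure indicators."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        for rule_id, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            groups = match.groupdict()
            detail = "port " + groups["port"] if "port" in groups else ""
            findings.append((lineno, rule_id, detail))
            user, pw = groups.get("user"), groups.get("pw")
            if user is not None and (pw == user or pw.lower() in GUESSABLE):
                findings.append((lineno, "guessable-web-password", "user " + user))
    return findings


def redact_boot_log(log):
    """Return the log with secrets and identifying values masked."""
    for pattern, replacement in REDACTIONS:
        log = pattern.sub(replacement, log)
    return log


if __name__ == "__main__":
    for lineno, rule_id, detail in scan_boot_log(SAMPLE_LOG):
        print(f"line {lineno}: {rule_id} {detail}".rstrip())
    print(redact_boot_log(SAMPLE_LOG))
```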

20 (edited by pixelk 2013-08-24 11:56:58)

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

My soldering skills aren't that great so I only manage to get the connection sometimes, enough to get the same-ish boot time log.

KA Boot 04240806
scu: 11c33303,00000000,00040404,00009f00,1
Status 20200804

Hit to stop :  0
Status 20200804
RCA0 68, RCA1 b3
....reading program.bin
.............<mmc1>go 208000
<4>(192-96-1)
console [ttyS0] enabled
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
cfg80211: Calling CRDA to update world regulatory domain
NET: Registered protocol family 2
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
ttyS0 at MMIO 0xa0004000 (irq = 1) is a KA2000
msgmni has been set to 58
loop: module loaded
TCP cubic registered
NET: Registered protocol family 17
lib80211: common routines for IEEE802.11 drivers
starting pid 27, tty '/dev/console': '/etc/init.d/rcS'
KeyASIC WifiSD console ...
Sun Jan  1 00:00:00 UTC 2012
ka2000_sdhc: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
(0>0)switch_modules
max_blk_size=512, max_blk_count=8, max_req_size=32768
init bomb irq
req irq 40 (1000000)
req irq 43 (40)
req irq 41 (43)
ka_sdhc_drv_init
bw = 22
mmc0: new SDHC card at address b368
mmcblk0: mmc0:b368 CAR 15.0 GiB
 mmcblk0:bootsec @ 2000
 p1
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10
run autorun.sh
start telnetd server
tcpsvd: listening on 0.0.0.0:21, starting
mount: mounting none on /dev/pts failed: Device or resource busy
cid = CID:2fd5003b1c0000102020434453454a74
Transcend Card
Transcend Card
gen_boa_passwd.sh - USER=admin PASS=admin
rcS done
start boa

-----------------------------------------------
  Production mode-VER. version_150_APR172013_TE.
mount: mounting none on /dev/pts failed: Device or resource busy
-----------------------------------------------

sleep disable
[01/Jan/2012:00:00:05 +0000] boa: server version Boa/0.94.14rc21
[01/Jan/2012:00:00:05 +0000] boa: server built Apr 17 2013 at 18:28:52.
[01/Jan/2012:00:00:05 +0000] boa: starting server pid=90, port 80
/usr/bin/auto_off.sh: stop
ifconfig: SIOCGIFFLAGS: No such device
rmmod: can't unload 'ar6000': unknown symbol in module, or unknown parameter
ifconfig: SIOCGIFFLAGS: No such device
sdio wakeup
mmc1: new SDIO card at address 0001
AR6000: configuration opcode 7 is only used for RTOS systems, not Linux systems
ath6k/AR6003/hw2.1.1/athwlan.bin firmware will be loaded
AR6K: ** HIF layer does not support scatter requests (17)
wmi_control_rx() : Unknown id 0x101e
lo        no wireless extensions.

iwioctl: cmd=0x8b03 not allowed in this mode
iwioctl: cmd=0x8b1d not allowed in this mode
iwioctl: cmd=0x8b23 not allowed in this mode
iwioctl: cmd=0x8b25 not allowed in this mode
mlan0     AR6000 802.11ng  Nickname:""
          NWID:off/any  Mode:Managed  Bit Rate:1 Mb/s   Tx-Power=0 dBm
          Sensitivity=0/3
          Retry:on   RTS thr=0 B   Fragment thr=0 B
          Encryption key:off
          Power Management:on
          Link Quality:255/94  Signal level:-96 dBm  Noise level:-96 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Add Filter 0 = 01:00:5e:00:00:01
Keep Filter 0 = 01:00:5e:00:00:01
Keep Filter 0 = 01:00:5e:00:00:01
Power Saving = Yes
auto connect available router
WIFI_CONN: size 3126
WIFI_CONN: Append list from index 0, get_all_essid 0 -> 3126
WIFI_CONN: ESSID  [SFR_5970], cell 68 -> 970
WIFI_CONN: WPA Version
WIFI_CONN: Cipher: TKIP
WIFI_CONN: PairCipher: CCMP
WIFI_CONN: ESSID  [Unknown Device], cell 970 -> 2068
WIFI_CONN: WPA Version
WIFI_CONN: Cipher: TKIP
WIFI_CONN: PairCipher: TKIP
WIFI_CONN: ESSID  [Unknown Device], cell 2068 -> 3126
WIFI_CONN: WPA Version
WIFI_CONN: Cipher: TKIP
WIFI_CONN: PairCipher: TKIP
WIFI_CONN: size 3126
WIFI_CONN: Append list from index 3, get_all_essid 0 -> 3126
WIFI_CONN: size 5239
WIFI_CONN: Append list from index 3, get_all_essid 0 -> 5239
WIFI_CONN: ESSID  [Livebox-e005], cell 3166 -> 4582
WIFI_CONN: WPA Version
WIFI_CONN: Cipher: TKIP
WIFI_CONN: PairCipher: CCMP
WIFI_CONN: ESSID  [orange], cell 4582 -> 5239
WIFI_CONN: size 6095
WIFI_CONN: Append list from index 5, get_all_essid 0 -> 6095
WIFI_CONN: ESSID  [SFR WiFi Mobile], cell 5279 -> 6095
WIFI_CONN: WPA2 Version
WIFI_CONN: Cipher: CCMP
WIFI_CONN: PairCipher: CCMP
AP:ssid=<MYSSID>, key=<MYKEY>, mode=0, enc_type=1 group 2 pair 2
WMM params
AC 0, ACM 0, AIFSN 3, CWmin 4, CWmax 10, TXOPlimit 0
AC 1, ACM 0, AIFSN 7, CWmin 4, CWmax 10, TXOPlimit 0
AC 2, ACM 0, AIFSN 2, CWmin 3, CWmax 4, TXOPlimit 94
AC 3, ACM 0, AIFSN 2, CWmin 2, CWmax 3, TXOPlimit 47
udhcpc (v1.18.5) started

configure IP address -> deconfig

Sending discover...
Sending select for 192.168.0.45...
Lease of 192.168.0.45 obtained, lease time 86400

configure IP address -> bound

nameserver 192.168.0.128
Keep Filter 0 = 01:00:5e:00:00:01
interface: mlan0
ip: 192.168.0.45
netmask: 255.255.255.0
router: 192.168.0.128
hostname: WifiSD
channel hint set to 0
iwioctl: cmd=0x8b03 not allowed in this mode
iwioctl: cmd=0x8b1d not allowed in this mode
iwioctl: cmd=0x8b23 not allowed in this mode
iwioctl: cmd=0x8b25 not allowed in this mode
script /etc/wevent.script
/usr/bin/auto_off.sh: start
Waiting for Wireless Events from interfaces...
/usr/bin/kcard_app.sh: start
Auto OFF 0 seconds
kcard_startup: Set call interval 10
KCARD: Notify driver about pid 167
WiFi 0 can't less then 60 seconds(0>1)
KCARD: Log = 0, Diff Disable, Path /tmp/filediff
KCARD: Debounce = 1, WiFi Hide Disable, Skip Disable
KCARD: waitting for sig
dcim c 3 @9838, f:2020 (off 404008)
Folder: 199_WIFI (5f393931 49464957)
user_dir:(5f333231 20505446)(00000000 00000000)
img folder deleted
bomb reg 2020 - 5c24
no image
m1_cmd = f
all 4 images missing
KCARD: get_Kcard_app cmd 8 - KCARD: KCARD_SIG_NO_IMGS(1>0)
KCARD: kcard_app_act - KCARD: KCARD_SIG_NO_IMGS
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10
mmcblk0p1 mounted
KCARD: check_ctrl_folder_exist: Recovery dir /mnt/sd/DCIM/199_WIFI/
Control folder create
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10
Decompress libcrypto ...
KCARD: check_ctrl_folder_exist: Recovery 1
kcard_app: can't stat '/home/sd/DCIM/199_WIFI/WSD00003.JPG': No such file or directory
chmod: /mnt/sd/DCIM/199_WIFI/*: No such file or directory
KCARD: check_ctrl_folder_exist umount & mount
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10
argc 1, argv[0] = instant_upload_clean
INUP_CLEAN: Log Level = 0
dcim c 3 @9838, f:2020 (off 404008)
Folder: 199_WIFI (5f393931 49464957)
user_dir:(5f333231 20505446)(00000000 00000000)
img folder deleted
(0>4)KCARD: waitting for sig

misc c 1c0200 @1c0b808
bomb reg2 1c0b808 - 1c0b80d
KCARD: get_Kcard_app cmd 6 - KCARD: KCARD_SIG_DPOF(4>0)
KCARD: kcard_app_act - KCARD: KCARD_SIG_DPOF
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10

Please press Enter to activate this console. KCARD: waitting for sig

I modified the pin picture accordingly

I'm sure I did something wrong because now my console stops after outputting this (but the card works, pings, telnets, etc...) :

KA Boot 04240806

scu: 11c33303,00000000,00040404,00009f00,1
Status 20200804
              
Hit to stop :  2 1 0
Status 20200804
RCA0 68, RCA1 b3
....reading program.bin
.............<mmc1>go 208000
<4>(192-96-1)
console [ttyS0] enabled
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
cfg80211: Calling CRDA to update world regulatory domain
NET: Registered protocol family 2
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
ttyS0 at MMIO 0xa0004000 (irq = 1) is a KA2000
msgmni has been set to 58
loop: module loaded
TCP cubic registered
NET: Registered protocol family 17
lib80211: common routines for IEEE802.11 drivers

starting pid 27, tty '/dev/console': '/etc/init.d/rcS'
KeyASIC WifiSD console ...
Sun Jan  1 00:00:00 UTC 2012
ka2000_sdhc: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
(0>0)switch_modules
max_blk_size=512, max_blk_count=8, max_req_size=32768
init bomb irq
req irq 40 (1000000)
req irq 43 (40)
req irq 41 (43)
ka_sdhc_drv_init
bw = 22
mmc0: new SDHC card at address b368
mmcblk0: mmc0:b368 CAR 15.0 GiB 
 mmcblk0:bootsec @ 2000
 p1
FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

smbgaiden wrote:

I was connecting WiFi phone to WiFi Air Card, so unable to sniff the packets to see what everyone responded with and what actions the phone app took upon receiving a response.

On android you can use tcpdump or Shark for root

That discovery method is indeed not very elegant. I ordered an AirCard, will try to find an alternative discovery once I receive my packet.

22 (edited by cnovus 2013-08-24 17:03:32)

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

pixelk wrote:

my soldering skills aren't that great so I only manage to get the connection sometimes, enough to get the same-ish boot time log.

...

I'm sure I did something wrong because now my console stops after outputting this (but the card works, pings, telnets, etc...) :

What does your setup look like?
I'm using an Arduino Micro for UART with this sketch:

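// USB <-> UART bridge: Serial is the USB link to the PC,
// Serial1 is the hardware UART wired to the card's console pads.
void setup()
{
  Serial.begin(38400);   // USB side
  Serial1.begin(38400);  // card console, 38400 8N1
}

void loop()
{
  byte data = 0;

  // PC -> card
  if (Serial.available() > 0)
  {
    data = Serial.read();
    Serial1.write(data);
  }
  // card -> PC
  if (Serial1.available() > 0)
  {
    data = Serial1.read();
    Serial.write(data);
  }
}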

It's electrically connected like this:

arduino            wifisd
GND -------------- GND
RX --------------- TX
TX -[4k1]---[8k2]- GND
          '------- RX

23 (edited by pixelk 2013-08-24 17:50:02)

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

I used a USB/Serial 3.3V board (in fact 3 of them, only one worked), but now I'm using your solution (with a teensy 2.0) and it now works every time, thank you.
Do you also receive garbage after the boot sequence until you press Enter? As if the serial console changed speed after the

Please press Enter to activate this console.

But stty remains on 38400 baud.
Are you able to send anything with the console after the boot sequence? I can't.

# echo Hello world > /dev/ttyS

works from telnet.
Apparently operations on the SD memory output a log on the console too

X+20170807 :s24:2000
W+20170816 :s25:a418
W+20170816 :s25:9848
W+20170816 :s25:9848

appeared after I copied some files on the SD

http://stuff.knackes.com/dld/201308/IMG_20130824_181606_cr_98197973.jpg
(you can ignore the white opto and resistor network in the middle and the USB/serial adapter on the right)

http://stuff.knackes.com/dld/201308/Wires_BE2DBA12.jpg
I used 0.1mm enamel coated wires to be able to close the SD while piping through the RX/TX/GND. Not my best job, but it seems my soldering wasn't at fault after all.

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

I just received my PQI Aircard and I can confirm that its discovery method is horrible. The client launches ARP requests for the whole /24 of your network (regardless of your netmask), then asks

GET /cgi-bin/get_config.pl HTTP/1.1

Which answers with the full configuration stored in wsd.conf (and passwords in plaintext).

The default firmware on the WifiSD is far from perfect, but it's better by any metric.
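A detection sketch for the discovery pattern described in the post above (ARP requests across a whole /24, then a GET for /cgi-bin/get_config.pl), added here as an example and not part of the original thread. It reads `tcpdump -n -tt` text output; the sample lines, the client address 192.168.0.77, the thresholds and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

ARP_RE = re.compile(r"^(\d+\.\d+) ARP, Request who-has (\S+) tell (\S+?),")
HTTP_RE = re.compile(r"^(\d+\.\d+) IP ([\d.]+)\.\d+ > ([\d.]+)\.80: .*HTTP: GET (\S+)")
CONFIG_PATH = "/cgi-bin/get_config.pl"  # path quoted in the post above


def find_discovery(lines, min_hosts=200, window=30.0):
    """Return (client, card, swept /24) for each config read that follows a sweep.

    A client counts as sweeping once it has ARPed for at least min_hosts
    distinct addresses of one /24 within `window` seconds. Targets are grouped
    by /24 whatever the real netmask is, matching the behaviour in the post.
    """
    probes = defaultdict(lambda: defaultdict(dict))  # client -> /24 -> target -> last ts
    swept = defaultdict(set)                         # client -> {/24 networks}
    findings = []
    for line in lines:
        if m := ARP_RE.match(line):
            ts, target, client = float(m[1]), m[2], m[3]
            net = ip_network(f"{target}/24", strict=False)
            seen = probes[client][net]
            seen[target] = ts
            recent = [t for t in seen.values() if ts - t <= window]
            if len(recent) >= min_hosts:
                swept[client].add(str(net))
        elif m := HTTP_RE.match(line):
            client, card, path = m[2], m[3], m[4].split("?")[0]
            if path == CONFIG_PATH:
                findings += [(client, card, net) for net in sorted(swept[client])]
    return findings


def constructed_capture():
    """Constructed tcpdump-style lines (not a real capture)."""
    lines = [f"{1000 + i * 0.01:.6f} ARP, Request who-has 192.168.0.{i} "
             "tell 192.168.0.77, length 28" for i in range(1, 255)]
    lines.append("1003.100000 IP 192.168.0.77.51234 > 192.168.0.45.80: Flags [P.], "
                 "seq 1:44, ack 1, win 229, length 43: HTTP: GET /cgi-bin/get_config.pl HTTP/1.1")
    # An ordinary host resolving its gateway: must not be reported.
    lines.append("1004.000000 ARP, Request who-has 192.168.0.128 tell 192.168.0.20, length 28")
    return lines


if __name__ == "__main__":
    for client, card, net in find_discovery(constructed_capture()):
        print(f"{client} swept {net} and then read the configuration from {card}")
```
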

Re: Transcend WifiSD / PQI AirCard / FluCard Pro

The console works fine, but when I press a key to enter the bootloader I get problems. I can receive the output, but when I try to input something I'm only getting garbage... By the way, I've examined program.bin a little bit and it looks like it includes a build of U-Boot.