Transcend Wi-Fi SD Card 16GB

Teardown - components:

 * KeyASIC SPG101 System-in-Package (SIP),
 * EVM manual, containing:
 * 32-bit ARM926EJ-S controller
 * 32MB DRAM, 8MB NOR Flash


 * Fortune AF-N-31GL Wi-Fi SiP Module, containing:
 * Atheros AR6003G (802.11bgn WiSoC)
 * (Xtensa 32-bit CPU, 256kB RAM, 256kB ROM)


 * SiliconMotion SM2683EN Flash card controller
 * (8051-controller, RAM, ROM), 16GB NAND chip

Links

 * OpenWrt, internal pictures, RX/TX serial pads layout
 * Modifying Transcend WiFi SD Card Firmware
 * Hacker News discussion, Reddit thread
 * Hacking Transcend WiFi SD Cards
 * Transcend-sdhc-wifi (french)
 * Custom kernel and Ubuntu chroot

Running scripts on card:
Create file "autorun.sh" in the root of the SD card. The script will be run on power-up.
 * Perl is included in OS and can be used in scripts. Example autorun.sh:

echo hello > /mnt/sd/hello.txt More scripts examples: PQI AirCard Script
 * 1) !/bin/sh

Running standalone (w/o SD host)
bootloader commands, via serial interface: KA Boot 04240806 scu: 11c33303,00000000,00040404,00009f00,1 Status 20200800

Hit to stop : 2  1  0

KA2000#setenv bootalone 'go 208000' KA2000#setenv bootcmd KA2000#setenv bootcmd 'run set_bootargs; run bootalone' KA2000#saveenv

cat /proc/meminfo
~ # cat /proc/meminfo | head -2 MemTotal: 29824 kB MemFree: 15936 kB

cat /proc/cpuinfo
~ # cat /proc/cpuinfo Processor : ARM926EJ-S rev 5 (v5l) BogoMIPS : 421.06 Features : swp half fastmult edsp java CPU implementer : 0x41 CPU architecture: 5TEJ CPU variant : 0x0 CPU part : 0x926 CPU revision : 5

Hardware : KeyASIC Ka2000 EVM Revision : 0000 Serial : 0000000000000000

uname -a
~ # uname -a Linux (none) 2.6.32.28 #130 PREEMPT Mon Feb 18 13:54:18 CST 2013 armv5tejl GNU/Linux

lsmod
~ # lsmod

ar6000 302800 0 - Live 0xbf07a000 ka2000_sdio 8009 0 - Live 0xbf073000 ka2000_sdhc 62155 0 - Live 0xbf000000 (P)

cat /proc/mtd
dev: size erasesize name mtd0: 00100000 00010000 "SPI NOR Flash Partition1" mtd1: 00300000 00010000 "SPI: kernel" mtd2: 00300000 00010000 "Ramdisk"
 * 1) cat /proc/mtd

fdisk -l
~ # fdisk -l

Disk /dev/mmcblk0: 16.1 GB, 16130244608 bytes 255 heads, 63 sectors/track, 1961 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System /dev/mmcblk0p1 1 1962 15748096 c Win95 FAT32 (LBA)

{{SCollapse|dmesg (192-96-1) console [ttyS0] enabled Mount-cache hash table entries: 512 NET: Registered protocol family 16 bio: create slab  at 0 cfg80211: Calling CRDA to update world regulatory domain NET: Registered protocol family 2 TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered ttyS0 at MMIO 0xa0004000 (irq = 1) is a KA2000 msgmni has been set to 58 loop: module loaded TCP cubic registered NET: Registered protocol family 17 lib80211: common routines for IEEE802.11 drivers lib80211_crypt: registered algorithm 'NULL' ka2000_sdhc: module license 'Proprietary' taints kernel. Disabling lock debugging due to kernel taint (0>0)switch_modules max_blk_size=512, max_blk_count=8, max_req_size=32768 init bomb irq req irq 40 (1000000) req irq 43 (40) req irq 41 (43) ka_sdhc_drv_init bw = 22 mmc0: new SDHC card at address b368 mmcblk0: mmc0:b368 CAR 15.0 GiB mmcblk0:bootsec @ 2000 p1 FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10 FAT sec 20 sz 3c04 #2 rtdir 7828 csz 10 sdio wakeup mmc1: queuing CIS tuple 0x01 length 3 mmc1: queuing CIS tuple 0x1a length 5 mmc1: queuing CIS tuple 0x1b length 8 mmc1: queuing CIS tuple 0x14 length 0 mmc1: queuing CIS tuple 0x80 length 1 mmc1: queuing CIS tuple 0x81 length 1 mmc1: queuing CIS tuple 0x82 length 1 mmc1: new SDIO card at address 0001 AR6000: configuration opcode 7 is only used for RTOS systems, not Linux systems ath6k/AR6003/hw2.1.1/athwlan.bin firmware will be loaded AR6K: ** HIF layer does not support scatter requests (17) wmi_control_rx : Unknown id 0x101e Add Filter 0 = 01:00:5e:00:00:01 Keep Filter 0 = 01:00:5e:00:00:01 Keep Filter 0 = 01:00:5e:00:00:01 (0>1):s18:488480 +20100815 :s18:48a6f8 +20100815 :s18:4adcd8 dcim c 3 @9838, f:2020 (off 404008) Folder: 199_WIFIWSD00003 (5f393931 49464957) Img1: WSD00003 (30445357 33303030 sz 79cdh) user_dir:(5f333231 20505446)(00000000 00000000) ctrlimg c 1c01ff @1c0b7f8, f:5823 (off b047f8)

3 c 1c0203-1c0207 @1c0b838 f:5824(o:3) fat cnt 4, x0, pBuf1 c17d3200, pBuf2 0(1) misc c 1c0200 @1c0b808 bomb reg2 1c0b808 - 1c0b80d bomb reg 2020 - 5c24 st 1c0181, 1:3, 2:0, 3:0, 4:0, 5:0 bomb reg 2020 - 5c24 (1>0):s18:5eadd8 +20100815 :s18:5f3080

ifconfig
lo       Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436  Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

mlan0    Link encap:Ethernet  HWaddr B0:38:29:03:52:9B inet addr:192.168.11.254 Bcast:192.168.11.255  Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500  Metric:1 RX packets:2632 errors:0 dropped:0 overruns:0 frame:0 TX packets:1760 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1425011 (1.3 MiB) TX bytes:233049 (227.5 KiB)

mount
proc on /proc type proc (0) /dev/mtdblock0 on /mnt/mtd type jffs2 (0) none on /dev/pts type devpts (mode=0622) /dev/mmcblk0p1 on /mnt/sd type vfat (shortname=winnt,iocharset=utf8,rw)

serial console
Bootloader menu (via serial console) KA Boot 04240806 scu: 11c33303,00000000,00040404,00009f00,1 Status 20200800

Hit to stop : 2�� 0 KA2000#000000� �� �� �� �� �� � KA2000#help ?      - alias for 'help' base   - print or set address offset bdinfo - print Board Info structure boot   - boot default, i.e., run 'bootcmd' bootd  - boot default, i.e., run 'bootcmd' bootm  - boot application image from memory clk    - Clock Speed cmp    - memory compare coninfo - print console devices and information cp     - memory copy crc32  - checksum calculation dcache - enable or disable data cache echo   - echo args to console editenv - edit environment variable fatinfo - print information about filesystem fatload - load binary file from a dos filesystem fatls  - list files in a directory (default /) go     - start application at address 'addr' help   - print command description/usage icache - enable or disable instruction cache iminfo - print header information for application image imxtract- extract a part of a multi-image itest  - return true/false on integer compare loadb  - load binary file over serial line (kermit mode) loads  - load S-Record file over serial line loady  - load binary file over serial line (ymodem mode) loop   - infinite loop on address range md     - memory display mm     - memory modify (auto-incrementing address) mmc    - MMC sub-system mtest  - simple RAM read/write test mw     - memory write (fill) nm     - memory modify (constant address) printenv- print environment variables reset  - Perform RESET of the CPU run    - run commands in an environment variable saveenv - save environment variables to persistent storage setenv - set environment variables sf     - SPI flash sub-system sleep  - delay execution for some time source - run script from memory sspi   - SPI utility commands version - print monitor version KA2000#version

U-Boot 2010.06-rc1 (Jun 22 2012 - 14:34:53) on KeyAsic KA2000 KA2000# }}