-
Usage Commands Found!
05/01/2015 at 21:24 • 1 comment
After digging through the data and extracting what I can from the firmware update file, I found the following usage data. It still needs to be cleaned up, but it does help to identify data on the device.
Usage commands found, in no particular order (needs to be cleaned up):
usage: fat mkfs drive#
fat cat [file]
    file : display file
fat mkfs [drive]
    drive : drive no.(0 or 1)
        0: User, 1: System(Hidden)
fat mkdir [dir]
    dir : create directory name
fat write [file] [size]
    file : write check file
    size : write size(1-65535)
fat read [file]
    file : read check file
fat mv [org] [new]
    org : original file
    new : new file
fat rm [remove]
    remove : remove file
fat cp [org] [new]
    org : source file
    new : destination file
fat lsr <dir>
    dir : directory
fat ls <dir>
    dir : directory
usage: test read <file name>
usage: test write <file name> <file size>
usage: test cp <existing file name> <new file name>
usage: test rm <file name>
usage: test mv <source file name> <target file name>
usage: test mkdir <directory name>
srom conf -f [flow] -d [val] -s [samp]
    flow : 0/1 (Invalid / Valid)
    val : 1-10,16/32/64/128/255
    samp : 0-63
srom read [addr] -l <length>
    addr (hex) : 0xXXXXXXXX
    length (dec) : default 4, Max 512 (round 4byte)
srom write [addr] [data] -l <length>
    addr (hex) : 0xXXXXXXXX
    data (hex) : 0xYYYYYYYY
    length (dec) : default 4, Max 512 (round 4byte)
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] target_name
Options:
    -t Ping the specified host until stopped. To see statistics and continue - type Control-Break; To stop - type Control-C.
    -a Resolve addresses to hostnames.
    -n count Number of echo requests to send.
    -l size Send buffer size.
    -f Set Don't Fragment flag in packet.
    -i TTL Time To Live.
    -v TOS Type Of Service.(AC_BE=0x00,AC_BK=0x20,AC_VI=0xA0,AC_VO=0xE0)
    -r count Record route for count hops.
    -s count Timestamp for count hops.
    -j host-list Loose source route along host-list.
    -k host-list Strict source route along host-list.
    -w timeout Timeout in milliseconds to wait for each reply.
setup dump -m [mode] -f <fil>
    mode : 0-3
        0 : No Dump
        1 : MAC Header Only
        2 : MAC Header and Frame Header
        3 : All
    fil : 0-2
        0 : Show only My address
        1 : All
        2 : Broadcast Frame hidden
dump
setup reg -r <addr> -v <data>
    NoOption : display register setting
    addr (hex) : 0xXXXXXXXX
    data (hex) : 0xYYYYYYYY
setup ch -f <freq> -c <channel>
    Argumet freq or ch
    freq : 2412/2417/2422/2427/2432/2437/2442/2447/2452/2457/2462/2467/2472/2484/
        5180/5200/5220/5240/5260/5280/5300/5320/5500/5520/5540/5560/5580/5600/
        5620/5640/5660/5680/5700/5475/5765/5785/5805/5825
    channel : 1`14,36/40/44/48/52/56/60/64,100/104/108/112/116/120/124/128/132/136/
        140/149/153/157/161/165
setup frame -l <macl> -u <macu> -b <body> -s <size> -t <tid> -r <rate> -p <power> -a <ack> -m <mcs>
    NoOption : display frame setting
    MAC ADDRESS XX:XX:YY:YY:YY:YY
    macl (hex) : 0xXXXX
    macu (hex) : 0xYYYYYYYY
    body : 0xZZ MAC Frame Data
    size : 0-1500
    tid : 0-65535
    rate : 1/2/5/6/9/11/12/18/24/36/48/54(Mbps)
    power : 0-255
    ack : 0/1 (Normal/No ack)
    mcs : 0-7
send pn -r <rate> -m <mcs> -p <preamble> -g <gi>
    rate : 1/2/5/6/9/11/12/18/24/36/48/54(Mbps)
    mcs : 0-7
    preamble : 0/1 (Long Preamble / Short Preamble)
    gi : 0/1 (Normal GI / Short GI)
send frame -n <count> -i <interval> -s <sifs> -r <rifs> -e <enc>
    count : 0-65535
    interval : 0-65535 (msec)
    sifs : 0/1 (SIFS Burst Invalid / SIFS Burst Valid)
    rifs : 0/1 (RIFS Burst Invalid / RIFS Burst Valid)
    enc :
        0 : None
        1 : WEP
        2 : AES
        3 : TKIP
send help
send frame -n <count> -i <interval> -s <sifs> -r <rifs> -e <enc>
send pn -r <rate> -m <mcs> -p <preamble> -g <gi>
sd buffer [-d | -s]
    -s : Single buffer
    -d : Dubble buffer
sd clk ??? ???
    : SD_CLK_CTRL
sd update [filename]
    filename : file name
sd fread [filename]
    filename : file name
sd gcmd [number] <arg>
    number : XX (dec)
    arg : Command dependent
sd dcmd [number] <arg> <size>
    number : XX (dec)
    arg : Command dependent
    size : XX (hex)
sd clear [sector] [count]
    sector : clear sector
    count : sector count
sd acmd [number] <arg>
    number : XX (dec)
    arg : Command dependent
sd cmd [number] <arg>
    number : XX (dec)
    arg : Command dependent
sd write [sector] <count>
    sector : write sector (over 0x100)
    count : sector count (If no <count> continue writing until you issue CMD12)
sd read [sector] <count>
    sector : read sector
    count : sector count (If no <count> continue reading until you issue CMD12)
wlan rate <rate>
    NoOption : display rate setting
    rate : 0 auto
        1/2/5/6/9/11/12/18/24/36/48/54 (Mbps:11bg)
        0-7 (MCS:11n)
wlan obss <0/1>
wlan ap [ssid] [channel] [mode]
    ssid : 32 strings(max)
    channel : 1-14
    mode : 11a/11b/11g/11bg/11n
wlan ibss [bssid] [channel] [mode]
    bssid : 32 strings(max)
    channel : 0-14 (0:Auto)
    mode : 11a/11b/11g/11bg/11n
wlan scan -s <ssid> -c <channel> -t <bsstype>
    NoOption : full scan
    ssid : 32 strings(max)
    channel : 0-14 (0:Auto)
    bsstype : 1-3
        1 : access point
        2 : adhoc
        3 : any
scan
wlan channel <channel>
    NoOption : display channel
    channel : 0-14 (0:Auto)
channel
wlan enc <mode> <key> <keystring>
    NoOption : display encrypt setting
    mode : 0-4
        0 : Open
        1 : WEP40
        2 : WEP104
        3 : WPA
        4 : WPA2
    key : 0-3
        0 : index / TKIP
        1 : index / AES
        2 : index
        3 : index
    keystring : encrypt key(max 63 strings)
        WEP40 : 5 character fixed(ascii) / 10 character fixed(binary)
        WEP104 : 13 character fixed(ascii) / 26 character fixed(binary)
        WPA : 8-63 strings
        WPA2 : 8-63 strings
wlan ssid [ssid]
    NoOption : display ssid
    ssid : 32 strings(max)
ssid
wlan mac [macaddr] {-r}
    NoOption : dispaly MAC ADDRESS
    macaddr : MAC ADDRESS (XX:XX:XX:XX:XX:XX)
    {-r} : after MAC ADDRESS FlashROM save and reboot
wlan start <channel>
    channel : 0-14
wlan slottime <0..7>
    0: station 11a/n short slot
    1: station 11g/n short slot
    2: station 11g/n long slot
    3: station 11b long slog
    4: ap 11a/n short slot
    5: ap 11g/n short slot
    6: ap 11g/n long slot
perf udp tx [ipaddr] <count> <size> {burst}
perf udp rx
    ipaddr : X.X.X.X
    count : Xs/Xm/Xh/X (sec/min/hour/num)
    size : def/big/num (num<=14600)
    burst : Non-Blocking only
    cl : TCP client
    clnb : TCP client Non-Blocking
    sv : TCP server
    svnb : TCP server Non-Blocking
    cs : TCP client & server
    csnb : TCP client & server Non-Blocking
wps credential {-c} <select>
    NoOption : display Credential
    {-c} : Credential clear
    select : 0-5
wps assoc <mode>
    NoOption : display Association mode
    mode : auto / manual
wps pincheck <pin>
    NoOption : display PIN code
    pin : PIN code (8 character fixed)
wps pin <pin> <ssid>
    pin : PIN code (8 character fixed)
    ssid : 32 strings(max)
show help
show reg -r <addr>
show ch
show mac
show mep
show time
TELEC commands
show
stop help
stop frame
stop pn
stop
send frame -n <count> -i <interval> -s <sifs> -r <rifs> -e <enc>
send pn -r <rate> -m <mcs> -p <preamble> -g <gi>
setup frame -l <macl> -u <macu> -b <body> -s <size> -t <tid> -r <rate> -p <power> -a <ack> -m <mcs>
setup ch -f <freq> -c <channel>
setup reg -r <reg:hex> -v <val:hex>
setup dump -m [mode] -f <fil>
macsend r <rate> -c <cipher> -a <ack> -n <count> -t <tid> -h <channel> [macaddr:hex]
    rate : 0 auto
        1/2/5/6/9/11/12/18/24/36/48/54 (Mbps)
    cipher : no/wep/aes/tkip
    ack : ack/no
    count : 1-65535
    tid : 0-65535
    channel : 1-14
    macaddr : XX:XX:XX:XX:XX:XX
MAC frame send
macsend
reboot
system reboot
ping [ipaddr] <count> <size>
    ipaddr : X.X.X.X
    count : 1-65535
    size : 1-2920
ip [ipaddr] {mask [m_addr]} {gw [gw_addr]}
    NoOption : display ip setting
    ipaddr : X.X.X.X
    m_addr : X.X.X.X
    gw_addr : X.X.X.X
stat <NoOpt/clear/stack>
show status
stat
dump [addr] {-l length} (round 4byte)
    addr (hex) : 0xXXXXXXXX
    length(hex) : 0xYYYYYYYY
mod [addr] [data:hex] {-l length:hex} (round 4byte)
    addr (hex) : 0xXXXXXXXX
    data (hex) : 0xYYYYYYYY
    length(hex) : 0xZZZZZZZZ
print [onoff]
    onoff : on / off
sleep {-bb <bb>} {-host <host>} {-rxen <rxen>} {-rfshdn <rfshdn>} {-deep <deep>} {-clk <clk>}
    bb : 0/1/2
        0 : MAC layer reset
        1 : MAC layer normal
        2 : MAC layer clock stop
    host : 0/1
        0 : host clock stop
        1 : host clock normal
    rxen : 0/1
        0 : RX control off
        1 : RX control on
    rfshdn : 0/1
        0 : RF control off
        1 : RF control on
    deep : 1-65535
    clk : 0/1
        0 : External clock off
        1 : External clock on
factory
    -mac <mac address>
    -code <manufacture code>
    -f0 <Traceability-0>
    -f1 <Traceability-1>
    -agcuse <1:use, 0:Unuse>
    -agcdsss <ch1agc ch2agc..ch11agc>
    -agcofdm <ch1agc ch2agc..ch11agc>
    -agcofdm <ch1agc ch2agc..ch11agc>
    -tbase <ch1TSSIbase ch2TSSIbase..ch11TSSIbase>
    -toffset <DSSSoffset OFDMoffset MCSoffset>
    -e(erase information)
    -iquse <1:use, 0:Unuse>
    -txiq <OFDMI OFDMQ DSSSI DSSSQ>
pw <bboff/bbon/anaoff/anaon/rfoff/rfon>
ps [on/off]
ftpscert [filename]
ftpsdel [-p <port>] -m <mode> <address> <user> <password> <filename>
    mode: 0:Implicit 1:Explicit
ftpsren [-p <port>] -m <mode> <address> <user> <password> <source> <destination>
    mode: 0:Implicit 1:Explicit
ftpsls [-p <port>] -m <mode> <address> <user> <password> <directory>
    mode: 0:Implicit 1:Explicit
ftpsput [-p <port>] -m <mode> <address> <user> <password> <server file> <local file>
    mode: 0:Implicit 1:Explicit
ftpsget [-p <port>] -m <mode> <address> <user> <password> <server file> <local file>
    mode: 0:Implicit 1:Explicit
ftpdel [-p <port>] <address> <user> <password> <filename>
ftpren [-p <port>] <address> <user> <password> <source> <destination>
ftp rename
ftpls [-p <port>] <address> <user> <password> <directory>
ftpput [-p <port>] <address> <user> <password> <server file> <local file>
ftp upload
ftpget [-p <port>] <address> <user> <password> <server file> <local file>
ftp download
nbios [opt]
    opt : start / stop / stat
dhcpc [opt]
    opt : start / stop
dhcpd [opt]
    opt : start / stop / stat
level <arg>
    arg :
        NoOption : display mode setting
        1048 : developer
        2 : factory
        1 : enduser
-
More info
05/01/2015 at 20:47 • 0 comments
Found some images of the board digging through Google image search.
Chips are as follows:
Processor : TC90535XBG ?
Flash Memory : TC58NVG6D2GLAD0E ?
WIFI : AIROHA AL2238 wifi b/g
I cannot read the others, but either way I was not able to find any details about the Processor or even the Flash Memory.
Also, with the help of a friend, I ran the update file through IDA Pro, and he said it appears IDA is detecting it as ARMv6 code. We were not able to find the bootloader's load start, although it may not be in the update file, as it may not be a complete firmware image. More still needs to be researched, but I wanted to update this.