#02 - How To Find The UART Interface - Hardware Hacking Tutorial

Captions
This is the second episode of the hardware hacking tutorial series. We will talk about the hardware hacking process, based on information gathering on the firmware of our device, building an emulation environment where to run interesting binaries, understanding how the device works, and then hacking the device and modifying its firmware. In this episode we will talk about one of the first steps in the hardware hacking process: finding the position of the UART interface. The UART interface is the serial console of our system. We will explain also why it is so essential to find the position of the UART interface, and we will show how it is possible to find the UART interface using a very simple tool like, for example, a multimeter.

I am Valerio Di Giampietro. I have a background in digital electronics and information technology infrastructure, and I wish to be your friendly Italian hacker neighbor, willing to share with you tools and techniques for hardware hacking that I learned by myself hacking many devices. So let's start.

UART stands for Universal Asynchronous Receiver Transmitter, and it is the serial interface of our device where to attach our serial console. It is essential in our hacking to find the position of the UART interface because in this way you can attach a terminal emulator to it and you will be able to see what is printed on the serial console during the boot cycle. It is similar to the information that is printed on your personal computer before the start of the graphical interface of your operating system. A terminal emulator attached to a UART interface allows you to see what is printed on the serial console during boot. This allows you to understand what kind of bootloader you have and its version, the kind of operating system you have and its version, information on the CPU architecture and instruction set; often you have information on other peripherals, the amount of RAM that you have, the amount of EEPROM, often also how the EEPROM is partitioned, and a lot more. You can also see what is printed on the serial console during the upgrade cycle, and if you want to modify the firmware this can be really useful information. Often it is also possible to interact with the serial console, interacting with the bootloader or getting the login prompt from the operating system, and maybe also to log in locally on your device.

There is professional equipment that has a standard serial interface according to the RS-232 standard. This means that it has a standard connector, usually a 25-pin connector or a 9-pin connector, and the voltage level at each pin is also standardized: logical 0 in this case is between 3 volts and 15 volts, logical 1 is between minus 15 volts and minus 3 volts, and also each pin tolerates a short circuit with any other pin of the interface without permanent damage. In this professional equipment, internally, some driver chip is used to convert TTL logic levels, where 0 is 0 volts and 1 is at VCC, to RS-232 levels. In the devices we are interested in, usually the serial interface, the UART interface, is included because it is used during the development phase, and often it is also used for testing purposes, but there is no external connector and also there is no driver chip to drive the levels to the RS-232 standard, so they have internal logic levels where zero is zero volts and one is VCC. In this case we say that the UART interface uses TTL (transistor-to-transistor logic) levels. The UART interfaces in our devices also have the minimum number of pins: usually they have only ground, RX and TX, and sometimes the VCC pin as voltage reference. The RS-232 standard dictates a larger number of pins with some additional signals.

Following the easiest path principle, we start searching on the internet to see if someone else has already found the position of the UART interface for our device, but in the case of our sample link mm tech router I wasn't able to find anything. But if you search now you will find a lot of information, because what I found I shared on the internet and also on my GitHub repository. Sometimes the serial headers are easy to find because they are clearly marked on the printed circuit board, like for example on this other board, which is not our sample board. But on the device that we are using, a simple device, we can see that we don't have any header marked as a serial/UART interface. If we are not able to find anything on the internet and if we are not able to find the serial header with a label on our printed circuit board, we have to find potential serial header candidates. Usually they are three or four pins: the pins are ground, TX, RX and optionally VCC as a reference. We can use a multimeter to identify potential serial header candidates because it's easy to identify ground and VCC; the TX pin usually has a pull-up resistor, and the RX pin can have a pull-up resistor or can be a high-impedance input. Later we will see how to use a multimeter to find the UART interface on our sample router.

If we have identified the system-on-a-chip device and if we have its datasheet, we can identify the position of the UART interface on its pins and try to follow the PCB traces to find the UART connector, but this is usually almost impossible, because quite often the system on a chip has pins below the package and it is impossible to identify these pins on the printed circuit board; and also when this is possible, often we have PCBs that are multi-layer boards, and it is very, very difficult to follow traces in a multi-layer board. We can also use tools like the JTAGulator to identify the UART position. The JTAGulator is a fantastic tool: it is a board with a lot of pin headers that we can attach to potential UART or JTAG pin candidates, and it will run some automatic scanning logic and will identify the pinout of our UART interface or the pinout of our JTAG interface. Later we will see how to use the JTAGulator to identify the pinout of our UART interface on our sample router. We can also use an oscilloscope or a logic analyzer to identify the TX pin, because for sure during boot something will be written on the serial console and the TX pin will oscillate between 0 and VCC, but maybe this is a bit overkill.

First of all we have to identify potential serial header candidates on our sample router board. We can see that there is an unlabeled connector with four pins that seems the perfect UART candidate, so we can try to use a multimeter to understand if this is our UART interface. We start with the router board powered off. We know that, according to the datasheet of our 74HC164 chip, pin 7 is ground and pin 14 is VCC. We can confirm that these metal grids on the board are connected to ground with a measurement, in this case. Now that we've found that these are ground, we can attach the black multimeter probe, that is ground, to the metal grid. With the board powered off we select resistance measurement on our multimeter and we can start measuring the resistance against ground of each pin on our potential UART connector. We can see that pin 1 is about 30 kilo-ohm against ground, pin 2 is about 5 kilo-ohm, pin 3 is a very high, out-of-scale resistance against ground, and pin 4 is at ground, so probably pin 4 is the ground on this connector. We can repeat the same measurements, but this time against VCC: we can take pin 14 of the 74HC164 as the VCC reference, and we can see that pin 1 is zero resistance against VCC, so probably pin 1 on this connector is VCC; pin 2 is about 30 kilo-ohm against VCC, pin 3 is a very high, out-of-scale resistance against VCC, and pin 4 is about 30 kilo-ohm against VCC. We can now power up the device and take voltage measurements on each pin of this connector, so we switch the multimeter to voltage measurement, connect the black probe to ground and start taking measurements on the pins of this connector. We can see that pin 1 is at 3.3 volts, or logical 1; pin 2 is at about 3.3 volts, or logical 1; pin 3 is also at about 3.3 volts, or logical 1; and pin 4 is at zero volts. With this voltage measurement and the resistance measurements that we have already taken, we can confirm that pin 1 is VCC on this connector and pin 4 is ground.

We know that during boot a lot of information will be printed on the serial console. This means that the TX pin will oscillate between 0 and 1, or between 0 and VCC, so we can take measurements on pin 2 during boot to see if we are able to spot something with a multimeter. Taking measurements on pin 2 during boot, we can see that it oscillates between 3.3 volts and some lower voltages: the multimeter makes an average measurement over a few hundred milliseconds, and for this reason the TX pin will oscillate between 3.3 volts and lower voltages. If we take the same measurement during boot on pin 3, we can see that pin 3 remains at about 3.3 volts without oscillating. This means that probably pin 2 is the TX pin and pin 3, by exclusion, is the RX pin, but we can confirm it only by attaching a serial terminal to this UART port.

To confirm that we have correctly identified the pinout of the UART interface on this board, we have to connect this UART interface to our PC using a terminal emulator. To do so we need a USB TTL serial adapter like the one shown here. This TTL serial adapter should be able to operate at 5 volts as logical 1 or at 3.3 volts, because if we attach a TTL serial adapter at 5 volts to our board, and our board is 3.3 volts, we can damage our board, and vice versa: if we attach a 3.3 volt TTL serial adapter to a 5 volt board we can damage the TTL serial adapter. In this case we have a TTL serial adapter where we can select 5 volts or 3.3 volts. In our case our sample router uses 3.3 volts, so we select 3.3 volts on this serial adapter. We connect ground of the adapter to ground of the board, then we connect the TX of the adapter to the RX of the board, because what the adapter transmits the board will receive, then we connect the RX of the adapter to the TX of the board. We don't connect the VCC pin because it's not needed; it is used only as VCC reference. Then we connect the adapter to the PC with a USB cable.

Now we are ready to fire up our terminal emulator. We are on Linux, and to know the device name of the adapter we can run lsusb as root to check for USB devices, and then we can execute ls -lart to have a list of all the device files; with these options the newer files are at the end of the list. In this way it is easy to understand the device name of the serial adapter, because it should be one of the last, since we just attached the TTL serial adapter to the USB port and the device file was just created. In this case the device file is ttyUSB0. It is also important to note that to access this device on Linux we must be root or, better, we must belong to the dialout group. On Windows the device name would be something like COM4, COM5, COM6 and so on. We can now fire up our preferred terminal emulator, PuTTY in our case, but one problem is to know the baud rate, or the speed, of the serial interface. We could use a logic analyzer or an oscilloscope attached to the TX pin to measure the length of one bit or of one byte to understand the speed of this interface, but following the easiest path first, it is much easier just to try one of the common speeds of this interface. The most common baud rate on modern embedded devices is by far 115,200 bits per second; the other popular speeds are 9,600 bits per second, 57,600 bits per second, 38,400 bits per second or 19,200 bits per second. All the other speeds that you can see on the chart are rarely used. So we try the most popular speed, and bingo, it's the correct one. Anyway, if we put a wrong speed, no problem: we will simply see gibberish on the terminal, or nothing. If we power cycle the router and set our terminal emulator to save everything to a log file, we can see what is printed on the serial console during the boot cycle, and as you can see it is a lot, a lot of information, and a lot of useful and interesting information.

Another possibility to more easily identify the pinout of the UART interface is to use a tool like the JTAGulator. The JTAGulator is open source hardware; it is able to use some scanning logic to automatically identify the pinout of the UART or the JTAG interface. It has 24 programmable I/O pins that can be attached to the JTAG or UART pin candidates, and it runs some automatic scanning logic to identify the pinout of the interface; obviously the interface pins must be included in the pin candidates attached to the JTAGulator. It is also able to identify the speed of the serial interface. This board is attached to the PC using a USB cable, it is powered by this USB cable, and it is controlled by a terminal emulator like PuTTY. You can find this board on various sources, for example on Adafruit for about $175; you can also find this board on other sources, maybe also with a lower price. Anyway, being an open source project, you are able to find on the internet, and you will find the link below, the schematics, the PCB drawing, the bill of materials, and you can build this board by yourself.

First of all we connect the JTAGulator board to the PC using the USB interface, and this will power up the board. We are able to use a terminal emulator like PuTTY to talk to the JTAGulator interface. We can type H for help to print the available commands, and we can see that we have three types of commands: general commands, to set the target system voltage, to read all channels as input or to write all channels as output; then we have commands to identify the UART port or to talk directly to the UART from our terminal emulator; and we have commands to identify the JTAG interface pinout. We will see this part in much more detail in the next episode of this hardware hacking tutorial series.

Now we can connect the JTAGulator board to our router board. First of all we power up the router. We will use these cables with female-female connectors to connect our JTAGulator to the router's connector. First of all we connect the JTAGulator ground to the router board ground, then we connect JTAGulator channel 1 to the router's connector pin 1, then JTAGulator channel 2 to the router's connector pin 2, and at the end JTAGulator channel 3 to the router's connector pin 3. Now we can go to our terminal emulator. We can press H for the list of commands, and then we can press V to set the target voltage to 3.3 volts, because our router uses 3.3 volts; this must be done before any other command. Then we press U to enter the UART pinout identification menu, then we can press again H for help about this menu, and then we can press U to identify the UART pinout. As the text string to output on the serial interface to do this kind of test we accept the default, which is carriage return; as starting channel we enter 1, because we started connecting channel 1 to pin 1; as ending channel we enter 3, because we connected 3 channels, 1, 2 and 3; we accept the default of ignoring non-printable characters, and then we press the space bar to start scanning. It will take a few seconds to do some automatic scan to identify that the TX data pin is channel 3, the RX data pin is channel 2 and that the serial speed is 115,200 bits per second. This confirms what we have found with the multimeter, so we have successfully identified the UART position and pinout on our sample router board.

If you have found this video interesting, please subscribe to help this channel grow, share this video with your friends interested in hardware hacking, and don't forget to click the subscribe button and the notification bell to be notified when new episodes are released. Don't forget to click the thumbs up icon; I will also appreciate your feedback in the comments below, feedback either positive or negative. Please tell me what you think about this series, about this episode, what kind of suggestions you have for me. Thank you for watching, see you again on this channel.
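The multimeter procedure from the captions above, turned into a small classifier as an added example (this is not code from the video or the Make Me Hack project). It applies the same rules the video uses: a pin that reads as a short to the ground reference and sits at 0 V is GND, a pin that reads as a short to the VCC reference and sits at VCC is VCC, a pin that idles high but whose averaged reading drops during boot is TX, and the remaining quiet pin is RX. The thresholds (10 ohm for "short", 80% of supply for "logic 1", a 10% tolerance on the adapter level) are my assumptions, and the sample readings are the four-pin header measurements from the video, entered by hand.

```python
"""Classify the pins of a candidate UART header from multimeter readings.

Heuristics follow the video's procedure: GND and VCC are found by resistance
to the known GND/VCC reference pins, TX idles high (pull-up) and toggles
during boot, RX idles high or is high-impedance and does not toggle.
Thresholds below are assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SHORT_OHMS = 10.0      # at or below this, treat the reading as a direct connection
HIGH_FRACTION = 0.8    # an idle level >= 80% of the supply counts as "logic 1"


@dataclass
class PinReading:
    r_to_gnd: Optional[float]   # ohms to the GND reference; None = out of scale
    r_to_vcc: Optional[float]   # ohms to the VCC reference; None = out of scale
    v_idle: float               # volts, board powered and idle
    toggles_during_boot: bool   # averaged multimeter reading dips during boot


def _is_short(r: Optional[float]) -> bool:
    return r is not None and r <= SHORT_OHMS


def classify_header(readings: Dict[int, PinReading]) -> Dict[int, str]:
    """Return a pin -> role mapping (GND, VCC, TX, RX or UNKNOWN)."""
    roles: Dict[int, str] = {}
    supply = max(r.v_idle for r in readings.values())

    # Power pins first: they are unambiguous with the board off.
    for pin, r in readings.items():
        if _is_short(r.r_to_gnd) and r.v_idle < 0.2 * supply:
            roles[pin] = "GND"
        elif _is_short(r.r_to_vcc) and r.v_idle >= HIGH_FRACTION * supply:
            roles[pin] = "VCC"

    remaining = [p for p in readings if p not in roles]
    # TX: pulled up to VCC at idle, but the boot-time average dips because the
    # line is busy shifting out the console output.
    tx = [p for p in remaining
          if readings[p].v_idle >= HIGH_FRACTION * supply
          and readings[p].toggles_during_boot]
    if len(tx) == 1:
        roles[tx[0]] = "TX"
        remaining.remove(tx[0])
    # RX: the leftover pin that stays still (pull-up or high-impedance input).
    rx = [p for p in remaining if not readings[p].toggles_during_boot]
    if len(rx) == 1:
        roles[rx[0]] = "RX"
        remaining.remove(rx[0])
    for p in remaining:
        roles[p] = "UNKNOWN"
    return roles


def adapter_setting_ok(board_vcc: float, adapter_level: float) -> bool:
    """True when the adapter's logic level matches the board's VCC within 10%.
    A 5 V adapter on a 3.3 V board (or the reverse) risks damaging one side."""
    return abs(board_vcc - adapter_level) <= 0.1 * board_vcc


# Constructed sample: the readings the video takes on the unlabeled 4-pin header.
SAMPLE_HEADER = {
    1: PinReading(r_to_gnd=30_000, r_to_vcc=0, v_idle=3.3, toggles_during_boot=False),
    2: PinReading(r_to_gnd=5_000, r_to_vcc=30_000, v_idle=3.3, toggles_during_boot=True),
    3: PinReading(r_to_gnd=None, r_to_vcc=None, v_idle=3.3, toggles_during_boot=False),
    4: PinReading(r_to_gnd=0, r_to_vcc=30_000, v_idle=0.0, toggles_during_boot=False),
}

if __name__ == "__main__":
    roles = classify_header(SAMPLE_HEADER)
    for pin in sorted(roles):
        print(f"pin {pin}: {roles[pin]}")
    vcc_pin = next(p for p, role in roles.items() if role == "VCC")
    board_vcc = SAMPLE_HEADER[vcc_pin].v_idle
    print("adapter set to 3.3 V ok:", adapter_setting_ok(board_vcc, 3.3))
    print("adapter set to 5 V ok:  ", adapter_setting_ok(board_vcc, 5.0))
```

The TX/RX step only commits when exactly one pin matches, so a header where two pins dip during boot is reported as UNKNOWN rather than guessed; that is the point at which the video reaches for the terminal emulator or the JTAGulator to confirm.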
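The "try the common speeds, gibberish means the wrong one" step from the captions, automated as an added example (not code from the video or the Make Me Hack project). It reads a short sample at each of the rates the video lists, scores each sample by how much of it is printable text, keeps the best one, and then logs the boot output to a file the way the video does with the terminal emulator. The hardware-facing parts assume pyserial and a Linux device node such as /dev/ttyUSB0 with the user in the dialout group; the 0.9 printable-ratio threshold and the 2-second sample window are my choices, and the sample captures are constructed, not real.

```python
"""Find the serial console speed by trying the common baud rates.

At the wrong speed the terminal shows gibberish; at the right one the boot log
is readable text. The scoring here works on any captured bytes, so it runs
without hardware; probe_port/log_console need pyserial (assumption) and a
target that is printing, e.g. power-cycle the board while they run.
"""
import time
from pathlib import Path
from typing import Dict, Optional

# The rates the video lists as the ones actually seen on embedded devices,
# most common first.
COMMON_BAUDS = (115200, 9600, 57600, 38400, 19200)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like console text (printable ASCII, TAB,
    CR, LF). Wrong-baud data is dominated by high-bit and control bytes."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def best_baud(samples: Dict[int, bytes], threshold: float = 0.9) -> Optional[int]:
    """Pick the rate whose sample is most text-like; None if nothing is readable."""
    baud, data = max(samples.items(), key=lambda kv: printable_ratio(kv[1]))
    return baud if printable_ratio(data) >= threshold else None


def newest_usb_tty(dev_dir: str = "/dev") -> Optional[str]:
    """Same idea as `ls -lart /dev/ttyUSB*`: the most recently created node is
    almost certainly the adapter that was just plugged in."""
    nodes = sorted(Path(dev_dir).glob("ttyUSB*"), key=lambda p: p.stat().st_mtime)
    return str(nodes[-1]) if nodes else None


def probe_port(port: str, seconds: float = 2.0) -> Dict[int, bytes]:
    """Capture `seconds` of output at each candidate rate."""
    import serial  # lazy import: the scoring above stays usable without hardware
    samples: Dict[int, bytes] = {}
    for baud in COMMON_BAUDS:
        with serial.Serial(port, baud, timeout=0.1) as ser:
            buf = bytearray()
            deadline = time.monotonic() + seconds
            while time.monotonic() < deadline:
                buf += ser.read(256)
            samples[baud] = bytes(buf)
    return samples


def log_console(port: str, baud: int, logfile: Path, seconds: float) -> int:
    """Append everything the console prints for `seconds` to `logfile`;
    return the number of bytes written."""
    import serial
    total = 0
    with serial.Serial(port, baud, timeout=0.1) as ser, logfile.open("ab") as out:
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            chunk = ser.read(256)
            out.write(chunk)
            total += len(chunk)
    return total


# Constructed samples standing in for real captures: what a bootloader banner
# looks like at the right rate, and the kind of noise a wrong rate produces.
SAMPLE_CAPTURES = {
    115200: b"U-Boot\r\nDRAM:  64 MB\r\nFlash: 8 MB\r\nHit any key to stop autoboot\r\n",
    9600:   b"\xff\xfe\x00\x9a\xf8\x1c\x00\xff\xc3\x80\x00\x0e",
    57600:  b"\xfc\x00\xf0\x83\xff\x7e\x00\xe0\xff",
}

if __name__ == "__main__":
    print("best guess from constructed samples:", best_baud(SAMPLE_CAPTURES))
    port = newest_usb_tty()
    if port:  # real hardware path: needs pyserial and the dialout group
        baud = best_baud(probe_port(port))
        if baud:
            print(f"{port} at {baud} baud; logging boot output for 60 s")
            log_console(port, baud, Path("boot.log"), seconds=60)
```

Scoring on printable ratio rather than looking for a specific banner keeps the probe independent of which bootloader the target runs; the threshold is deliberately high, because at a wrong rate a few bytes still land in the printable range by chance.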
Info
Channel: Make Me Hack
Views: 15,583
Keywords: Locating UART, UART, Identifying UART, Finding Serial Interface, How to find UART, Finding UART, UART Hacking, Serial Console, Find UART, Find UART pins, Find UART port, Find UART baud rate, Find UART pinout, Hardware Hacking Tutorial, Hardware Hacking, How To Do Hardware Hacking, Practical Hardware Hacking, Hardware Hacking for beginners, Reverse Engineering, Practical Hacking, Hacking Tutorial, Hacking for beginners, Router Hacking, How To Do Router Hacking
Id: 6_Q663YkyXE
Length: 23min 46sec (1426 seconds)
Published: Wed Mar 18 2020