Hacker's Guide to UART Root Shells

Video Statistics and Information

Reddit Comments

Related (didn't see it used in scrubbing through the video): if you're a person who owns a JTAGulator, a lot of people are not aware that beyond JTAG pin enumeration, it actually supports UART enumeration, where it will try RX/TX combinations for your leads and different baud rates. Can save a bit of time, especially for a non-standard baud rate or where your analysis is leading to more pins than a simple example silkscreened or somewhat obvious from traces, etc.

👍︎︎ 11 👤︎︎ u/CharacterOk1569 📅︎︎ Jan 21 2021 🗫︎ replies

Any questions, let me know guys. Also looking for some honest feedback on the video: what is good and what could be improved?

👍︎︎ 4 👤︎︎ u/ChoiceGrapefruit0 📅︎︎ Jan 21 2021 🗫︎ replies
Captions
In our previous video we showed you how we hacked the TP-Link router and got a win in the Pwn2Own competition. One of the most frequent questions we got asked was: how did we get initial access to the device to perform recon? Today we will show you the exact techniques we used and how we can do the same to get a root shell in many IoT devices. So sit back and enjoy the ride.

Hey guys, this is Pedro from the Flashback Team, and I am Radek, and today we are here to show you what UART is and what you can do with it from a hacker's point of view. So have fun, and if you enjoy the video please like, please subscribe, but more importantly please share with friends, colleagues or whoever might be interested in it. So let's get going.

UART is an extremely important protocol that is used in many devices. It allows components to speak to each other, and you'll find it in almost any embedded device, like routers, cameras, phones or even cars. But for us, we are most interested in UART as a debug interface. So what can we do with UART? Most embedded devices will have this serial console, which is used for various purposes during manufacturing, for debugging, etc., and if we're lucky, when we connect to it we get a root shell. This will help us do recon on the device, debug exploits, etc. We can also use it to explore the file system, to dump the firmware, and in some cases even perform attacks such as attacking the bootloader, accessing encrypted memory, etc.

Of course, not all that glitters is gold. Sometimes device manufacturers disable the UART console, the serial console, before shipping a device. Sometimes we can bypass restrictions: there's a certain secret key combination we have to enter at boot to activate the console. They also might have a login; this login might have an easy-to-guess password or a very hard, randomized per-device password. We might also land in a sort of restricted shell that allows us to run some commands but not many, and then we have to find a way to bypass it. Or in some cases we only get a read-only console; this is just showing a boot log, showing what's happening, and there's nothing we can do, we cannot interact with it.

The good news is that we're hackers, right? So we can always find a way. We can use command injection or other tricks to bypass some shell restrictions and execute the command we want. We can also try to guess the login password, either by cracking it or by inspecting the firmware. In some cases we can even dump the firmware over a UART restricted serial shell. We can also try to interrupt the bootloader and use some other tricks to get a root shell. And the thing is, even if you just get a read-only console and there's no way to bypass it, it can still be very useful. For example, we can use the boot log to see what's happening on the device: what services are being started, what components are there on the board, where is the memory, where's the file system. And in some cases, we've seen this in the past, we have passwords echoed into this boot log which we can use to enter SSH or some services like that. But also, very importantly, we also have crash logs from our exploitation attempts. So let's say you only have read-only access to a console; you can only see what's happening, but you know there's a service and you're attacking it, you're fuzzing it or you're sending network packets, and if there's a crash, very likely this boot log will contain the crash dump, showing you what's in the registers, what's happening at crash time, etc., which can be very useful to debug and exploit.

Okay, good intro Pedro. Let's continue and try to understand how UART communication works. We know that UART is a serial communication protocol between two devices. In this case device A, which is us, wants to speak to device B, which is our target. So we use the connection from our transmission line, TX, to the receiver line on the target, RX, and the same goes in the opposite direction: the target will send its data on its TX line and the data will end up on our end on the RX line. And both devices have to be grounded.

But how do we really find a physical UART interface on the target? Well, in most cases we'll be looking for a sequence of pads or pins. We know that we need three pins to connect to: RX, TX and ground. We can ignore the VCC pin, which is usually also there; it is where the power line from the target device is routed, but we don't really need it for our purpose. If we additionally find a mark for pin number one, then it's even better, as it might confirm that we're looking at some sort of interface. But remember, the mark only informs us which side the pins should be counted from. The UART interface does not always look the same; you will need some experience to quickly narrow down your candidates, so let's take a quick look at some examples.

Here we have a Netgear router. The UART interface is marked with a red square. In this case we are super lucky that the pins are already soldered and labeled; it could not be easier than this. On this device the UART interface is a row of four pins with a triangle marking pin number one. We might have to solder our own pin header and identify the RX, TX and ground. And here we don't have the pin headers, but the pins are labeled; not too bad, it still saves us some time. Oh, that's a good one, it's a security camera. You can see it has an interface that is a so-called edge connector; the vendor most likely has a special connector for it, but you can do without: just find the RX, TX and ground and you're good to go. Another camera sample, but this time there are no through-holes but pads; notice the very tiny marks of RX and TX. If you want to connect to this one, the best will be to use the articulated arms that I showed you in the previous video, or just solder wires onto it. And the last example, it's a Tesla ECU with a card edge connector. So now you can see that there are many variants of how the UART interface could be implemented on a device, but this is not a complete list; in some cases the pins might be hidden or removed completely.

As we now know how to find a candidate for the UART interface, let's go to the next step: how to find out the purpose of each of the pins. I would start off with the multimeter and the ground pin. Simply switch a multimeter into continuity mode, find a grounded element on the router and move a probe one by one; when you hear the beep sound, that is your ground. Now you are ready to find TX and RX. You could use a logic analyzer for that, or continue with the multimeter with the router powered on and test the remaining pins. A pin with a constant 3.3 volts is most likely a power pin; you don't need it now. A pin with 0 volts is probably RX, as it would expect data from you. A pin that has a floating voltage is TX, as that's the data that the router is sending.

As we have found out the purpose of each pin, we can try to communicate with it. For this we need a device that can speak UART, like this one. I connect it to my computer via USB port and wire it up with the target. Remember: RX goes to TX and TX goes to RX, ground goes to ground. Okay, everything is wired up. Now we need software that can use the UART device and actually speak with the target. I like to use the screen Linux tool, but let's use minicom this time, as probably more people are familiar with it for serial communication. Power up the target. Oh snap, what is that? Well, I must have messed up something in the settings. Let's take a quick look into that. Damn, that's a lot of things that can go wrong. Okay, it's time to dig more into the UART protocol itself.

UART sends data in the form of well-defined frames. The frame always starts with a start bit to indicate the beginning of the frame. Then the data follows; in most cases it will be 8 bits of data, but the protocol specifies it can be from 5 to 9 bits. After that a parity bit comes. The purpose of the parity bit is to indicate potential errors in the transmission: depending on the mode, it counts the number of ones and, by adding or, well, not adding a parity bit, it tries to make them odd or even. But the parity bit is really an optional field, and actually it is very rarely used. The frame end is indicated with a stop bit; it can be one, one and a half or two bits in size, but again, in most cases it will be just one bit in size.

Let's assume we would like to send the data with the letter capital A, which is hex 41. We have a high line that indicates a positive voltage, for example 3.3 volts, and a low line, zero volts. By default the line idles high, so that means if we want to start transmission of our frame we have to pull it down to zero volts to indicate the start bit, which is zero. Now the data comes in. It is sent with the least significant bit first, so in hex 41 the first bit is one; the voltage has to rise to indicate it. Then a bunch of zeros comes, a one, and the most significant bit, zero, and that's the end of the data part. In this example I have also included a parity bit, but for completeness only; as said before, it is rarely used in our targets. The frame is closed with a stop bit. And the last thing that you need to know is the baud rate. The baud rate indicates how fast the data will be sent over the wire, so it is crucial that the receiver and the transmitter have set the same baud rate. There are a few defined rates in the protocol, but the most common are 9600, for some older or, you know, less powerful devices, and 115200 bits per second.

Okay, now with all that information we can simply try to see what happened that our target didn't want to speak properly with us. Let's look into the wire and see what UART frames have been transmitted, and we'll find out. We can use a logic analyzer for it, such as this one; it's a Saleae. It is a 4-channel version, which means I can intercept traffic on 4 wires at the same time. It will help us to understand how the voltage changes on the wire, which we can interpret as a logical one or zero. On the reverse you can see its pinout: G stands for ground, and the channels. So I use the pin headers to hook the logic analyzer to the ground and the TX pin on the router. Now connect the logic analyzer to the computer, wait for it to be discovered by the software, power up the router, and let's find out what is sent on the wire. This is the interface for the Saleae; we'll see what is happening on the wire of channel 0 for both digital and analog inputs. Let's hit that play button and intercept the data. Oh yes baby, something is coming up, let's dig into it.

When I zoom in you can see individual changes in the voltage that will represent logical data. Of course, as we assume we are looking at UART, let's find some recurring waves to calculate the baud rate, or, you know, how fast the bits are sent on the wire. If we measure the width of a logical-one wave we can use the calculator to get the rate. It's quite easy: you just take one and divide the one by the width of the bit, and we adjust for the units as we are working with seconds and microseconds. Now we know we need to use a 115200 baud rate. Let's add the Async Serial analyzer and confirm our assumption: input channel 0, now we know the bit rate, 8 bits of data per frame, 1 stop bit, no parity bit, basically all standard. Okay, let's quickly look at the beginning of the communication. We can see the idle line, which is then pulled down; that would indicate the start bit, then 8 bits of data and the stop bit. So far so good. Let's decode the data as ASCII. Oh, that looks like proper data. I think I have figured out the baud rate now; let's confirm with minicom again, but I have a good feeling we're gonna win this one.

Minicom, here we come. Let's pop that help window; I'm interested in configuring minicom, so I press O, now press E so I can set the speed of the device, and again E so we set it to 115200. Notice the remaining settings: we set 8 bits of data, no parity and 1 stop bit. Power up the target. Finally, this is the boot log of the router. We win! Let's stop that autoboot. Why doesn't it react? I guess, do you remember from the previous video, we had to use that super neat hack to connect the RX line of the router? Let me quickly explain to you how we could deal with that problem.

I took a picture of the target and loaded it into an image editor. I am sorry, it might look small, but I didn't find a way to increase the font. On the picture we see a main CPU and a lot of traces that go from it, and some of the traces are going to the area of the UART interface; that is usually already a good sign. So this is our busted RX pin. Notice a connection to that R24 pad; maybe it was a resistor that somebody decided to remove to disable the UART, I don't know. But then I measured it and I knew there is no connection between the pin and the rest of the line. And if you would be tracing the line you would notice that it disappears at some point; it's because the PCBs are multi-layered, which means that the trace is run on various levels. However, for simpler PCBs we can try to visually connect them. Let me show you how: I colored both traces, the TX with pink and RX with red. Then if I use the settings for the transparency level and align pictures of front and back, you can trace them kind of end to end. We can even remove the green color; that could help us visualize it better. So now we can see that both RX and TX terminate on the main CPU. You could try to find a datasheet for that chip and confirm it, but I will skip it for now. To recap: we know that our RX line is broken; that's why we couldn't send any data to it. So all we have to do is to reconnect it again, and we did it by placing that paperclip bridge. So now the line is connected, and we have a very high probability that we can send data over it and eventually get root shells via UART.

Please share this video and subscribe to the channel. If you haven't seen our previous video, where we present a complete walkthrough of how to gain remote code execution on this router, please check it out; you'll be able to understand this much better. Make sure to visit our website flashback.sh where we upload more technical documents and security advisories. Take care.
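The frame layout, the baud-rate-from-bit-width calculation and the "garbage in the terminal" symptom described in the captions, worked through in code. This is an added example, not code from the Flashback Team video or its tooling; it assumes the frame format the video describes (line idles high, start bit low, data LSB first, optional parity, stop bit(s) high), and every bit stream and timing in it is constructed rather than captured from a device.

```python
# UART framing, baud-rate estimation and wrong-rate garbage, as a worked
# example for the transcript above. Added here; this is not code from the
# Flashback Team video or its tooling. The frame layout follows the video's
# description: line idles high, start bit pulls it low, data is sent LSB
# first, an optional parity bit, then stop bit(s) high. Every bit stream
# and timing below is constructed, not captured from a device.

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def frame_length(data_bits=8, parity=None, stop_bits=1):
    """Total bits per frame: start + data + optional parity + stop."""
    return 1 + data_bits + (1 if parity else 0) + stop_bits


def encode_frame(value, data_bits=8, parity=None, stop_bits=1):
    """Return one UART frame for `value` as a list of line levels (0/1)."""
    if not 0 <= value < (1 << data_bits):
        raise ValueError("value does not fit in data_bits")
    data = [(value >> i) & 1 for i in range(data_bits)]  # LSB first
    bits = [0] + data                       # start bit: line pulled low
    if parity == "even":
        bits.append(sum(data) & 1)          # total ones (incl. parity) even
    elif parity == "odd":
        bits.append((sum(data) & 1) ^ 1)    # total ones (incl. parity) odd
    elif parity is not None:
        raise ValueError("parity must be None, 'even' or 'odd'")
    return bits + [1] * stop_bits           # stop bit(s): line back to idle


def decode_frame(bits, data_bits=8, parity=None, stop_bits=1):
    """Decode one frame; raise ValueError on a framing or parity error."""
    if len(bits) != frame_length(data_bits, parity, stop_bits):
        raise ValueError("framing error: truncated frame")
    if bits[0] != 0:
        raise ValueError("framing error: no start bit")
    data = bits[1:1 + data_bits]
    value = sum(b << i for i, b in enumerate(data))     # undo LSB-first order
    pos = 1 + data_bits
    if parity:
        want = sum(data) & 1 if parity == "even" else (sum(data) & 1) ^ 1
        if bits[pos] != want:
            raise ValueError("parity error")
        pos += 1
    if any(b != 1 for b in bits[pos:pos + stop_bits]):
        raise ValueError("framing error: stop bit not high")
    return value


def encode_stream(data, idle_bits=2, **kw):
    """Frames for each byte of `data`, with the line idling high in between."""
    bits = []
    for b in data:
        bits += [1] * idle_bits + encode_frame(b, **kw)
    return bits + [1] * idle_bits


def decode_stream(bits, **kw):
    """Recover bytes from an idle-high bit stream, as the logic analyzer's
    async-serial decoder does once the rate and frame format are right."""
    flen = frame_length(**kw)
    out, i = bytearray(), 0
    while i < len(bits):
        if bits[i] == 1:                    # idle line, no frame yet
            i += 1
            continue
        out.append(decode_frame(bits[i:i + flen], **kw))
        i += flen
    return bytes(out)


def try_decode(bits, **kw):
    """(decoded bytes, None) on success, (b"", error text) on a bad frame."""
    try:
        return decode_stream(bits, **kw), None
    except ValueError as exc:
        return b"", str(exc)


def baud_from_bit_width(width_us, tolerance=0.03):
    """Baud = 1 / (bit time). Returns (raw estimate, nearest standard rate,
    or None when the measurement is more than `tolerance` off every one)."""
    raw = 1_000_000 / width_us              # width is in microseconds
    nearest = min(STANDARD_BAUDS, key=lambda r: abs(r - raw))
    if abs(nearest - raw) / nearest > tolerance:
        return round(raw), None
    return round(raw), nearest


def sample_at_wrong_rate(bits, actual_baud, assumed_baud):
    """Levels a receiver reads when it samples a stream sent at `actual_baud`
    in the middle of each bit period of `assumed_baud`. With the rates
    mismatched this is the garbage the terminal showed before the fix."""
    seen, k = [], 0
    while True:
        idx = int((k + 0.5) * actual_baud / assumed_baud)
        if idx >= len(bits):
            return seen
        seen.append(bits[idx])
        k += 1


if __name__ == "__main__":
    print("frame for 'A':", encode_frame(0x41))
    print("8.68 us bit ->", baud_from_bit_width(8.68))
    garbage = sample_at_wrong_rate(encode_stream(b"root"), 115200, 9600)
    print("115200 stream read at 9600 ->", try_decode(garbage))
```

Once `baud_from_bit_width` snaps to 115200 and a round trip through `decode_stream` gives readable ASCII, the corresponding terminal setting is 115200 8N1, which is what the captions set in minicom (O, E, E). On Linux the equivalent one-liners are `minicom -b 115200 -D /dev/ttyUSB0` or `screen /dev/ttyUSB0 115200`, with `/dev/ttyUSB0` assumed to be the USB-to-UART adapter.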
Info
Channel: Flashback Team
Views: 7,228
Rating: 4.9890108 out of 5
Keywords: UART, UART Protocol, Saleae, IoT, UART hacking, root shell, hardware hacking, hacking, router hacking, IoT exploit, hardware reversing, intro to hardware hacking, serial console, UART introduction, UART intro, serial communication, understanding uart, Universal asynchronous receiver-transmitter, ft232, FTDI, what is uart
Id: 01mw0oTHwxg
Length: 17min 40sec (1060 seconds)
Published: Thu Jan 21 2021