This is exactly the information I needed to see if I can hack an Android digital TV box 👍 And that means if I can get a root shell I can image a non-branded box via the UART and then write it back onto my "branded perpetual subscription box" so I can get free digital TV again, perhaps? 🤔
If the router and the USB ports are powered through different sources, how do you close the ground loop? Also, is the 3.3 volt logic tolerant of a 5V port?
As long as you have an isolated power supply and you are not getting shocked, there is no ground voltage and you can join both grounds with no problem. You can connect any 3.3V TX into a 5V RX no problem, but the other way, 5V TX to 3.3V RX, needs a voltage divider; I usually use a resistor and an LED for that, as the LED will drop the voltage to 3V and give feedback as a bonus.
Hey Guys! Thank you very much for this awesome video! It's very informative and it's cool to see how everything comes together at the end, from the bits recorded by the logic analyzer to the baud rate to the connection. Even though it's faster to just guess the baud rate, thanks to your example it's much clearer what is going on in the background. Right now I'm trying to connect to a cheap 8 dollar smart watch which works with the Mediatek MT6260 SoC, and apparently it's working with 2.8 volts because it's CMOS based. Can I still use an FTDI adapter in 3.3V mode to connect? I tried to find some information on the internet but wasn't very successful! Greetings
Hi. Do you think it might be possible to interface with SiP chips like MacBook WiFi ICs? Since 2020 Apple uses an embedded WiFi SiP with an onboard SPI ROM which stores the MAC and SN. The problem is that it is also bonded to the CPU, so there are thousands of Macs with signature damage (due to the design, the WiFi chip dies after water damage in a very high number of cases). Unfortunately this causes the device to crash on boot and it won't work with a different IC. There are UART test points around this IC, so I was wondering if there is a chance that such a specific chip might be hacked to work on a different board.
I'm not experienced with this, but just an idea: is it possible to modify the firmware, add a backdoor to it and rebuild it again, so that when we upload the firmware we have a shell??
That's a trick we also commonly use :) But in many cases, this is very hard to achieve, as the firmware might be signed, encrypted, have some protection and if it goes wrong you can brick the device. This UART method should be your first approach, as it can be very quick and easy, and give you an instant root shell. If that doesn't work then you should explore alternatives like the one you described!
@@selimeneskaraduman6935 Sure, but keep in mind that even if the device's firmware is available to download and unencrypted, the device itself might only accept signed firmware. Even if it's not signed, it expects a certain layout or checksum or something like that, which might be very hard to pull off in practice. But you're thinking right, it can be done and we have done it. We might show it in a future video too!
Sort of experience. The more you work with embedded, the faster you are able to identify the various elements of it. Hence we have shown different types of UART interfaces in the video to emphasize it. Normally a special connector would be needed for that interface. But if we didn't have it we would simply solder wires onto it.
Nice video. however, I have a question. Is the start/stop bit always just one 0? If so just the bits per second define how many bits it will capture per packet so it doesn't "desynchronize"?
Thanks! Synchronization is only determined by the baud rate that sender and receiver need to set to the same value. It ensures synchronization of read and write. Start bit is always a LOW value (logical 0) and Stop bit can be 1, 1.5 or 2 bits HIGH value (logical 1) at the end of the UART frame.
I believe it depends on the idle state of the data line. Start will always be inverse of idle level and stop will be same level as idle. @@FlashbackTeam
Great insightful video with lots of very useful tips. However I have a couple of points. Why use a paper clip? A proper 0 ohm SMD "resistor" is easy to scavenge, or just use the old electronic engineer's trick of solder bridging, or using a piece of desolder braid, cut and soldered to the pads already present. A paper clip seems such a clumsy way. I'm not sure if it's just the way you pronounce it but I didn't catch what you meant by baud rate initially as it sounded like "band" rate. I know the German pronunciation is "bawd" rate (roughly) but most native English speakers would expect to hear "bord" rate. This is not meant as a criticism but more of an observation.
Hi Bob. Thanks a lot for your comments. The reason we used a paper clip was that we were on a trip and didn't have easy access to any soldering equipment, so we had to be creative. All your suggestions are valid and with access to a lab that would be a much better option. You can actually see another of our videos where we present our exploit on this target: th-cam.com/video/zjafMP7EgEA/w-d-xo.html Thanks for the info about the pronunciation of baud rate. :) As you have noticed we are not native speakers, but we include edited subtitles so it's easier to understand.
I'm looking to find a way to get the voltage off of a DJI FPV flight pack. It consists of six cells. The cells are tied to a BMS. It's my understanding that there are three wires on the main battery connector: one ground, one TX, one RX. Does that mean it's possible to create code to receive the voltages of each individual cell?
Do you have those connectors labeled? If not, you can use a multimeter to find ground, connect a logic analyzer to the remaining 2 pins and take a trace, because it could also be used for a different protocol, for example I2C. With a logic analyzer you can apply some auto-discovery.
Yes, I have the breakdown and I did take a voltmeter to the pins. One side had a constant 3.16 V and the other side had a constant .5 V. There was no fluctuation in voltage. The total voltage of the pack was 22.6 V.
Just search for any USB-to-UART adapter. They will register with your computer as a device, e.g. /dev/ttyUSB0. They have FTDI chips that are used to speak the UART protocol.
"UART" is not a protocol, it's a device (here built into the processor) that provides an asynchronous serial port to a system. The easiest way to refer to it is just "serial port", or "RS-232" if you ignore that the voltage levels are wrong.
Thank you for your content. Please recommend some devices to get my feet wet. A cheap router and the UART-USB adapter. If, for example, I use the wrong pins on the UART, can I fry the target? Congrats once again 🇵🇹
You could start with TP-Link TL-WR841N. It's quite cheap and could be a good start. There are really a lot of UART-USB adapters on Amazon; just take the one which has good reviews and a good price for you and you should be fine. I think the risk of frying the board is quite small if you make sure you discover the ground and VCC pins of the board and you wire things up correctly.
There is the possibility of creating a program that compares languages and looks for mirror similarities. With such a program you would be able to write an endless song; somewhere in there is surely a second meaning. You can glue together two existing songs by two artists through such a program. There is a hidden reptile there. It is enough to join all the words without spaces and translate them both ways into the languages that exist. In the same way you can convert written language into digits and at the same time speak the language used for communication, while doing calculations in the background. You can also convert words into notes, that is, letters.
Keep up the videos, very awesome! For someone new to hardware hacking, what cheap devices could I try my hands on that have a UART interface?
Thank you for your feedback!
While the techniques we show apply to any IoT / embedded device (TVs, set top boxes, smart speakers, smart home appliances, cameras, enterprise firewalls, car ECU, etc) we really like showing examples on routers.
This is because routers are very cheap and easy to get, and share a lot in common with most IoT devices.
Not all routers will have UART, but in our experience 90% do.
You could start with TP-Link TL-WR841N. It's quite cheap and could be a good start!
instablaster...
Routers. I find them all the time next to bins 🗑
@@Jimfowler82 that's right, you could use one that you know a target uses and see if you can make exploits to test on that same brand of router? Other than that.....the router is probably in the bin for a reason? Or people just don't care and upgraded to a newer connection that the router doesn't support (because it's branded and locked to a specific network), and in that case....the best you could do is "unlock" the router to use firmware supported on other networks? You can inject features that are supported on the hardware that are not coded into the firmware interface? You can whitelist and blacklist different services & connections as the OEMs do? You can unlock things that your current ISP doesn't want you to get access to, or access that is provided through different hardware without the restriction, etc? So if you see a router just like yours and you want to hack around with some things, you can do it safely without taking your household off the internet while you try fixing it? Lol
@@Jarmezrocks in the U.K. it seems quite often people change ISP companies and just throw the old router away. I found one last year & connected the UART; it's an interesting process that gives you a decent understanding of how the hardware & software work.
I'm lazy so I just usually try 9600, 19200 or 115200; it works 99% of the time and is faster than reversing the baud rate. Of course, for an educational video, showing how you can calculate the baud rate is very good. Great video!
In school:
You will need to learn these 10,000 different methods!
In practice:
There's like 3 ways to do it most of the time.
@@joshuamahon260 In youtube comments:
Proving you couldn't find a use for knowledge!
I bet there is a utility to auto find the baud rate. Idgaf about manually calculating transfer speeds.
What is the 3.3 or 5 volt of the uart for? I don't see that they use it and it comes there on the USB! If I do it on a camera as they say in the video, I don't need tftp or is that mandatory? I'm bad at this and I don't understand tftp. I damaged my camera by installing the wrong firmware but it turns on but I can't connect to it anywhere, I only see the infrared LEDs and that's it. Do you think this works with that software in the tutorial?
I wonder how many people here remember 9600 baud modem?!? :)
I had never considered before that you could take photos of both sides of the PCB and color traces in a photo editor. That's such a great idea!
In 1990, I built from scratch a few micro controllers and communicated with them using a serial interface and a terminal to configure them. This video brings back old memories and makes me glad that people are using the same technique.
Absolutely amazing! I can totally imagine how satisfying that experience must have been. Ah, those were the days!
@@ulysses_grant I still have them and the source code. They helped me get a good job at DEC.
I hadn't been born yet😂
Hollywood Hacker: "I'm in the mainframe!"
Real world hacker: paperclip bridge
Please keep doing these. I'm trying very hard to learn to do stuff like this, I literally have all the gear. But either I'm slogging through textbooks that are too boring to read, just poking around under the microscope and multimeter or with UART to USB, reading tutorials for already wide open boards (e.g. dev boards), and generally struggling.
I don't want to hack hack anything; I just would love to be able to take my old broken smart devices with generally powerful chips and Linux (I can list what I'm working on if interested) and repurpose them. For instance I have a 22 in touch screen used in advertising that ran Android; it no longer works. I got UART logs, I can even send commands over UART though unreliably; usually the boot log washes it out, but a simple "ls" will output in between log lines.
I don't yet understand what to do next: boot loaders, getting it to boot my Linux. I don't understand even a smidge of Android, so that'll have to to
It's a Rockchip RK3288, but I also have several other projects: two with Ingenic JZ4775, a very important one I need to fix with a vacuum Octeon Plus with a USB thumb drive rather than SPI? And another I have three of, MediaTek or something. Discarded Yi cameras. But I can't get all the way there like you guys. I have 75% of the skills but I need the last 25%.
Wow, impressive how you taught me serial communication in 17 minutes when I have found it quite hard to grasp before.
Very educational approach with a practical example, and problem solving.
Subscribed!
If I wanted to show someone an example of what a well presented, entertaining TH-cam video looks like, I would show them this channel.
Simply brilliant. Thank you for explaining the concept of calculating the baud rate so beautifully.
This is an example of a perfect tutorial. Great pace, background info, and real-world examples. Thanks so much! Subscribed.
This video should be what youtube is all about. GREAT WORK teaching!
Never seen anyone teaching something so easily! Love this thank you sir
Very cool video. I just got my first root shell on an old Wi-fi range extender I had lying around.
Great job! Let us know if you find any vulnerabilities!
How do you log in? I mean the username and password?
You can also use well known 'screen' command instead of 'minicom'. Screen is usually used to create background sessions but also has functionality to support configurable serial connections.
Yes, screen is actually our default but wanted to use minicom in the video as it's more recognizable. Thanks for the heads up.
@@FlashbackTeam Thanks for reply and thanks in general for your whole impressive work. Will you be publishing anything related to HackRFOne device? And one more question - this logic analyzer is original Saleae device? Is it very expensive?
By far the best thing on the internet for hardware hacking
Thank you. We are just getting started!
7:20 - In most cases, which pin is the ground should be readily apparent. Usually all but one of them will have small traces connected. The one that has a large, wide trace is going to be the ground. Some PCBs, however, have a certain degree of protection by making the traces less visible. On those, a multimeter with continuity would be a necessity. This board is not one of those, as you can visibly see the North pin and the 2 South pins have small traces, and the odd one out is connected to the Board Common Ground. This works for simpler PCBs. It is the more complex ones - where the ground is less obvious - where you need to use this method.
Sure, but... testing the connection takes just a few seconds. Turn the multimeter on, tap each of the four connections, done :D
A lot of the time, the manufacturer will have VCC connected to ground on the board, which is what locks the UART down and makes it read only.
By disconnecting them with a small tear (a micro grinder works well for this so you can do repairs later) you open it up to read/write.
This is not for all of them, but it is a cheap and effective way that they do it.
This is the best tutorial I have seen about USB to TTL.
Thank you so much man for the help
One thing to note about baud rate is that the whole number integer values are not the only values you can use. There are fractional rates that are available, depending on the CLK frequency. Look up any of the older UART ICs and you should find the info.
It takes no more than 3 minutes to try the most common settings, if none of them work then you can pull out the oscilloscope but almost always you will save the hassle
@@victornpb Also, from what I've experienced with non standard rates, if you're off by 10-20 hertz, you'll always see recognizable characters to a large extent.
You can usually be off by 1-2%. The UART peripheral will not even notice that. It depends on the sample rate of the peripheral and the number of samples it takes per symbol.
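The start/stop-bit reply earlier in the thread, this exchange about how much baud-rate error a receiver tolerates, and the video's own trick of reading the baud rate off the shortest pulse in a logic-analyzer trace, put into one added Python example. It is not code from the video or from any commenter: the capture is constructed by make_capture() with an assumed analyzer clock, the function names are mine, and nothing here talks to real hardware.

```python
"""Reading the baud rate off a logic-analyzer capture and decoding the 8N1 frames.

Added example, not from the video or any commenter. The capture is constructed
by make_capture() with an assumed analyzer clock; nothing here touches hardware.
"""
from typing import List, Tuple

STANDARD_BAUDS = (1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400)


def make_capture(data: bytes, baud: float, sample_rate: float, idle_bits: int = 4) -> List[int]:
    """Constructed capture: one 0/1 sample per analyzer clock tick.

    The line idles HIGH.  Each byte goes out as a LOW start bit, 8 data bits
    LSB first and one HIGH stop bit (8N1, no parity), the frame the reply
    earlier in the thread describes.
    """
    bits = [1] * idle_bits
    for byte in data:
        bits.append(0)                                   # start bit
        bits.extend((byte >> k) & 1 for k in range(8))   # data bits, LSB first
        bits.append(1)                                   # stop bit
    bits.extend([1] * idle_bits)
    spb = sample_rate / baud                             # samples per bit, usually fractional
    return [bits[min(int(i / spb), len(bits) - 1)] for i in range(int(len(bits) * spb))]


def estimate_baud(samples: List[int], sample_rate: float) -> Tuple[float, int]:
    """The trick from the video: the shortest pulse in the trace is one bit wide,
    so baud = sample_rate / shortest_run.  Returns (raw estimate, nearest
    standard rate).  Needs at least one isolated bit somewhere in the data.
    """
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    inner = runs[1:]   # runs[0] is the leading idle; the trailing idle is never appended
    if not inner:
        raise ValueError("capture has no transitions")
    raw = sample_rate / min(inner)
    return raw, min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def decode_uart(samples: List[int], sample_rate: float, baud: float) -> Tuple[bytes, int]:
    """8N1 receiver model: wait for the falling edge of a start bit, then sample
    every following bit at its centre.  Because it re-synchronises on each start
    bit, a baud mismatch only accumulates over the 9.5 bit times of one frame.
    Returns (decoded bytes, number of framing errors).
    """
    spb = sample_rate / baud
    out, errors, i, n = bytearray(), 0, 0, len(samples)
    while i < n:
        if samples[i] == 1:                  # idle or stop level: keep looking for a falling edge
            i += 1
            continue
        centre = i + spb / 2                 # middle of the supposed start bit
        stop_pos = int(centre + 9 * spb)     # middle of the stop bit
        if stop_pos >= n:
            break                            # frame runs past the end of the capture
        if samples[int(centre)] != 0:        # too short for a start bit: a glitch
            i += 1
            continue
        byte = 0
        for k in range(8):
            byte |= samples[int(centre + (k + 1) * spb)] << k
        if samples[stop_pos] == 1:
            out.append(byte)
        else:
            errors += 1                      # framing error: stop bit was not HIGH
        i = max(stop_pos, i + 1)             # resume inside the stop bit, resync on the next edge
    return bytes(out), errors


if __name__ == "__main__":
    rate = 1_000_000                         # assumed 1 MS/s analyzer clock
    cap = make_capture(b"UART", 9600, rate)
    raw, nearest = estimate_baud(cap, rate)
    print(f"shortest pulse -> {raw:.0f} baud, nearest standard rate {nearest}")
    for b in (9600, 9600 * 1.015, 9600 * 0.985, 9600 * 1.10):
        print(f"decode at {b:>8.0f} baud:", decode_uart(cap, rate, b))
```

Run as-is, the script reads 9615 baud off the shortest pulse and snaps it to 9600, then decodes the same capture at the exact rate, at 1.5% fast and 1.5% slow (both clean), and at 10% fast (framing errors on every byte). The reason is visible in decode_uart: the receiver re-aligns on every start bit, so the error only has to stay under half a bit width by the time the stop bit is sampled, which with 9.5 bit times per frame is roughly 5% in this idealised model; real UART peripherals that oversample each bit 16 times and vote on a few samples around the centre are tighter, which is where the 1-2% rule of thumb above comes from. The snap-to-nearest-standard-rate step is exactly what the "just try 9600 or 115200" shortcut does by hand.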
1. What logic analyzer model are you using?
2. What software for analyzing the image traces is that?
Thanks for documenting this. I got a root shell on my Archer C9 back in 2016 with the same simple UART interface.
This was interesting and informative. One small nit. I've always heard this called asynchronous serial protocol, and the UART is the hardware component that emits the protocol.
This. Saying "UART protocol" makes the hairs on the back of my neck stick up. Universal Asynchronous Receiver / Transmitter. It's a hardware component; it used to be a discrete chip, but these days it's usually a macrocell in the CPU (or other VLSI chip) design.
I just purchased a TPLink Archer identical to the one you have just shown in the video. That's handy to know!!!
I am surprised that such a good video has so few views from researchers.
We don't need videos like this. We have degrees in electronics and already understand UARTs and communication protocols and understand how to use oscilloscopes and logic analysers.
Excellent video. Well explained and visualized. Keep up the good work. Subscribed.
As a beginner, this video is great! May I ask if there are any cheap IoT devices (such as cameras) that I can try to get started with? I want to use UART to do IoT forensics, but I don't know which models of devices can be used to try.
This is amazing. This is the first video of this kind that I watched and it was so educational. Thank you very much.
Amazing step by step explanation. Thank you very very much.
I don't think I'll ever use this, but I learned a lot about serial. Thanks
This is for real hackers. Awesome!
Great tutorial. Thanks for sharing your knowledge!
You also need to take note of the max voltage. The adapter used in this video supports 5V and 3.3V, and 3.3V was selected. Make sure your adapter supports the appropriate voltage level or you can fry something.
Very informative video.
Love from India
HW dev here. You are very lucky with the devices you showed. I don't know of any device my company developed where you can do such attacks.
But nice video!
It's a nice gift to have full UART access, and that happens way more often than some may think. Also, consider that even if UART is disabled in production there are still ways to enable it, as we have done many times; even TX alone is very useful already. But if that doesn't work you just adapt your approach.
@@FlashbackTeam you are right! We develop only products or parts which are not consumer grade. For example parts of DNA sequencers etc. We have to protect your IP and that's the reason why we put a lot of effort in protecting mechanisms.
@@FlashbackTeam Some chips allow you to blow a fuse inside them to permanently cut any UART from the pins. However it is not used often enough, which is why such attacks work relatively often.
Following a trace with digital image software is very clever.
Amazing explanation!
This technique will help save IoT hardware from landing in the garbage dump before they should. Imagine if you could take an old Sonos zone player and free it from needing to communicate with Sonos, give it a web interface and let it be a DLNA or AirPlay media target or something... so many good quality products are destined to become garbage the second the manufacturer stops supporting them, or goes belly up. We’re going to need an army of hackers to save the hardware from greedy corporations that think they still own hardware they sold to us like the way China deals with real estate...
I’m more seriously considering purchasing a device that has known terrible firmware that forces you to use their junk cloud service that people have developed alternate firmware for since the hardware is totally decent but requires this type of hack to flash the open source firmware onto it... not so mysterious now.
Thank you for explaining this thoroughly!
Wow, I have been searching for you for a very long time; thank God I found you at last.
The movie finished before it even started ! 💖 it !
How about a JTAG video in a similar style?? I've learned quite a lot from this video.
I aspire to be as good as you guys one day.
Excellent tutorial, thanks a lot for showing us this
keep up the great work!
Very useful video, please post more videos like that, we need more and more.
Thanks again, nice to see you pushing out more videos.
This is great, I am trying the same with an IP camera.
What you should do first is identify the target chip and get your hands on any data sheets: especially those regarding the boot- or programming mode.
Many chips have strap pins to tie to gnd or whatever to enter almighty programming modes.
Often the root shell is way more useful than any programming mode because the device has all the needed driver software installed. E.g. you can just run "ping" instead of writing a TCP/IP stack.
I was able to revive my tplink AP. Thanks to this
This helped me. Great work!
Good stuff... they don't teach you this in school...
Thanks a lot! Great video! Keep them coming, please.
Thank you, it works perfect!
The best video! Thank you for it. Any possibility of a 2024 update?
Working on it!
Very, very cool stuff, thank you for this one!!
Great video and of course great explanation. Thank you so much.
Awesome video, great explanation!
Glad you liked it!
Amazing. Thanks for sharing.
Is the protocol called UART now? I've only ever known it as RS-232. UART is short for universal asynchronous receiver/transmitter, the piece of physical hardware that handled the serial data transmission. In some of the earliest PCs, a UART was a discrete chip.
That bugged me too. "UART" is *not* the name of the protocol. :) I've always called it "asynchronous serial" or RS-232 (although the voltage levels are wrong here, of course), or in this context, simply "serial console" or "serial console port".
RS-232 is the connector type for serial comms...not the same as the UART chip which processes the comms.
@@JeffCaplan313 "RS-232" is the name of the full protocol, including signaling levels, timing, stop bits, parity handling and all that, as well as the connector types (usually DB-25 or DE-9) and their pinouts. In this context, unless you want to be precise, "RS-232" actually does work as a reasonable name for the protocol even when using the wrong connectors and at 5V (TTL) or 3V signaling levels. The voltage levels are usually explicitly mentioned, and the connectors tend to be fairly unimportant in this context as long as the pinouts are documented. It's more precise than just saying "serial", since that will include I2C, SPI and other serial protocols that do not conform to RS-232 signaling.
Hi, what are the cables that you are using to connect to the PCB called? I'm trying to get some, but I just can't find them.
This is exactly the information I needed to see if I can hack an Android digital TV box 👍
And that means if I can get a root shell I can image a non-branded box via the UART and then write it back onto my "branded perpetual subscription box" so I can get free digital TV again, perhaps? 🤔
Did it work for you? On what brand and model did you try it?
This shows why most data centers are physically secured.
Awesome inspiring. Do more pls
Awesome video, very informative. Thanks for sharing
Nice video, thanks :)
If the router and the USB ports are powered through different sources, how do you close the ground loop? Also, is the 3.3 volt logic tolerant of a 5V port?
As long as you have an isolated power supply and you are not getting shocked, there is no ground voltage and you can join both grounds with no problem. You can connect any 3.3V TX into a 5V RX no problem, but the other way, 5V TX to 3.3V RX, needs a voltage divider. I usually use a resistor and an LED for that, as the LED will drop the voltage to 3V and give feedback as a bonus.
Hey Guys! Thank you very much for this awesome video! It's very informative and it's cool to see how everything comes together at the end. From the bits recorded by the logic analyzer to the baud rate to the connection. Even though it's faster to just guess the baud rate, due to your example it's much clearer what is going on in the background.
Right now I'm trying to connect to a cheap 8 dollar smart watch which works with the Mediatek MT6260 SoC and apparently it's working with 2.8 volts because it's CMOS based. Can I still use an FTDI adapter in 3.3 V mode to connect? I tried to find some information on the internet but wasn't very successful!
Greetings
Hi. Do you think it might be possible to interface with SiP chips like MacBook WiFi ICs? Since 2020 Apple uses an embedded WiFi SiP with onboard SPI ROM which stores the MAC and SN. The problem is that it is also bonded to the CPU, so there are thousands of Macs with signature damage (due to the design, the WiFi chip dies after water damage in a very high number of cases). Unfortunately this causes the device to crash on boot and it won't work with a different IC. There are UART test points around this IC, so I was wondering if there is a chance that such a specific chip might be hacked to work on a different board.
I'm not experienced with this, but just an idea: is it possible to modify the firmware, add a backdoor to the firmware and rebuild it again, so that when we upload the firmware we have a shell?
That's a trick we also commonly use :)
But in many cases, this is very hard to achieve, as the firmware might be signed, encrypted, have some protection and if it goes wrong you can brick the device.
This UART method should be your first approach, as it can be very quick and easy, and give you an instant root shell.
If that doesn't work then you should explore alternatives like the one you described!
@@FlashbackTeam Thanks for the answer. As you said, I was talking about the device's firmware being available to download and unencrypted.
@@selimeneskaraduman6935 Sure, but keep in mind that even if the device's firmware is available to download and unencrypted, the device itself might only accept signed firmware. Even if it's not signed, it expects a certain layout or checksum or something like that which might be very hard to pull off in practice.
But you're thinking right, it can be done and we have done it. We might show it in a future video too!
@@FlashbackTeam Looking forward to seeing that :)
Thanks guys
Awesome video!
Excellent video 👌.
I have a Chinese Yoosee camera, how do I flash firmware over UART? Thanks.
At 6:40? How did you know that it is a UART interface? How do we connect to that sort of interface?
Sort of experience. The more you work with embedded devices, the faster you are able to identify their various elements. Hence we have shown different types of UART interfaces in the video to emphasize it.
Normally a special connector would be needed for that interface. But if we didn't have it we would simply solder wires into it.
Thank you, Lucifer, for bringing light to mankind!
The most depressive intro I saw on TH-cam for years, congrats!!
Great Video
Excellent video!
thank you so much!!
My device has an 8 pin header with a Kill SSD pin. Do you know what this pin could be for?
Thanks for video
Nice video. However, I have a question. Is the start/stop bit always just one 0? If so, does just the bits per second define how many bits it will capture per packet so it doesn't "desynchronize"?
Thanks! Synchronization is only determined by the baud rate that sender and receiver need to set to the same value. It ensures synchronization of read and write. Start bit is always a LOW value (logical 0) and Stop bit can be 1, 1.5 or 2 bits HIGH value (logical 1) at the end of the UART frame.
I believe it depends on the idle state of the data line. Start will always be inverse of idle level and stop will be same level as idle. @@FlashbackTeam
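The framing described in this thread (start bit LOW, data bits, stop bit HIGH, timing fixed by the baud rate) as an added example that is not from the video or its comments: it measures the bit period from a logic-analyzer capture the way the video does, snaps it to a standard baud rate, then decodes 8N1 frames by sampling at bit centres. The capture, the sample rate and all function names are constructed assumptions for the example.

```python
# Added example, not code from the video or its comments. The capture below is
# constructed with an assumed logic analyzer sample rate chosen so that one bit
# is exactly ten samples; a real capture would come from the analyzer software.
SAMPLE_RATE_HZ = 1_152_000          # assumed; 115200 baud -> 10 samples per bit
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)

def make_capture(data, samples_per_bit, idle=20):
    """Constructed 8N1 stream: idle HIGH, start LOW, 8 data bits LSB first, stop HIGH."""
    out = [1] * idle
    for byte in data:
        bits = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        out += [b for b in bits for _ in range(samples_per_bit)] + [1] * idle
    return out

def estimate_bit_samples(samples):
    """The narrowest run of equal samples is one bit period (a lone 0 or 1 bit)."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    return min(runs)

def estimate_baud(samples):
    """Raw rate from the measured bit period, snapped to the nearest standard rate."""
    raw = SAMPLE_RATE_HZ / estimate_bit_samples(samples)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))

def decode_8n1(samples, samples_per_bit):
    """Sample each bit at its centre, timed from the start bit's falling edge.
    Returns (bytes, framing errors): with a wrong bit period the stop-bit check
    lands on a data bit, which is how a baud mismatch shows itself."""
    data, errors, i, half = [], 0, 0, samples_per_bit // 2
    while i + 10 * samples_per_bit <= len(samples):
        if samples[i] == 1:                      # idle line, keep scanning
            i += 1
            continue
        centre = i + half                         # middle of the start bit
        byte = 0
        for k in range(8):
            byte |= samples[centre + (k + 1) * samples_per_bit] << k
        if samples[centre + 9 * samples_per_bit] == 1:   # stop bit must be HIGH
            data.append(byte)
        else:
            errors += 1
        i += 10 * samples_per_bit                 # skip the whole frame
    return bytes(data), errors
```

Decoding the same capture with a wrong bit period (for example 5 instead of 10) produces framing errors rather than the text, which is the "desynchronization" the question asks about.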
Could you use an arduino instead of an FTDI chip?
Great insightful video with lots of very useful tips. However I have a couple of points.
Why use a paper clip? A proper 0 ohm SMD "resistor" is easy to scavenge, or just use the old electronic engineer's trick of solder bridging, or using a piece of desolder braid, cut and soldered to the pads already present. A paper clip seems such a clumsy way.
I'm not sure if it's just the way you pronounce it but I didn't catch what you meant by baud rate initially as it sounded like "band" rate. I know the German pronunciation is "bawd" rate (roughly) but most native English speakers would expect to hear "bord" rate. This is not meant as a criticism but more of an observation.
Hi Bob. Thanks a lot for your comments. The reason we used a paper clip was because we were on a trip and we didn't have easy access to any soldering equipment, so we had to be creative. All your suggestions are valid and with access to a lab that would be a much better option. You can actually see another video of ours where we present our exploit on this target: th-cam.com/video/zjafMP7EgEA/w-d-xo.html
Thanks for the info about pronunciation of baud rate. :) As you have noticed we are not native speakers but we include edited subtitles so it's easier to understand.
I'm looking to find a way to get the voltage off of a DJIFPV flight pack. It consists of six cells. The cells are tied to a BMS. It's my understanding that there are three wires on the main battery connector: one ground, one TX, one RX. Does that mean it's possible to create code to receive the voltages of each individual cell?
Do you have those connectors labeled? If not, you can use a multimeter to find ground, connect a logic analyzer to the remaining 2 pins and take a trace, because it could also be used for a different protocol, for example I2C. With a logic analyzer you can apply some auto-discovery.
Yes, I have the breakdown and I did take a voltmeter to the pins. One side had a constant 3.16 V and the other side had a constant .5 V. There was no fluctuation in voltage. The total voltage of the pack was 22.6 V.
8:01 What's the name of the board that can speak UART? Great video.
Just search for any USB-to-UART adapter. They will register with your computer as a device, i.e. /dev/ttyUSB0. They have FTDI chips that are used to speak the UART protocol.
You can use an Arduino as that device by connecting the Arduino's reset pin to GND and then using its TX, RX, VCC and GND pins, same as with an FTDI.
"UART" is not a protocol, it's a device (here built into the processor) that provides an asynchronous serial port to a system. The easiest way to refer to it is just "serial port", or "RS-232" if you ignore that the voltage levels are wrong.
Nice information, thanks.
Awesome, thank you
Very good information.
Thanks for a great video! I would like to ask you what component it is at 6:24?
Thanks. I got it from here: www.thingiverse.com/thing:2427726
Great skills
Superb explanation on how to tell which pin is which using the multimeter, starting near the 7 minute mark.
It's really cool seeing this as an electronic engineer, it looks like a western chef learning an Asian recipe
That’s a fantastic analogy!
Thank you for your content.
Please recommend some devices to get my feet wet. A cheap router and the UART-USB adapter.
If, for example, I use the wrong pins on the UART, can I fry the target?
Congrats once again 🇵🇹
You could start with TP-Link TL-WR841N. It's quite cheap and could be a good start. There are really a lot of UART-USB devices on amazon, just take the one which has good reviews and has a good price for you and you should be fine.
I think the risk of frying the board is quite small if you make sure you discover the ground and vcc pin of the board and you wire things fine.
@@FlashbackTeam thanks for the response. Please keep up with this channel
🇵🇹 🇵🇱
The logic analyzer (400€ Ouch) phase is basically useless. You can just bruteforce to find the baud rate.
Your videos are so interesting. I wonder if you had a chance to play with any of the DrayTek products
You guys rock!!!!!
Nice video
Awesome video
There is a possibility of creating a program that compares languages and looks for mirror similarities. With such a program you would be able to write an endless song; surely there is a second meaning somewhere in there. You can glue together two existing songs by two artists through such a program. There is a hidden reptile in there. It is enough to join all the words without spaces and translate them both ways into the languages that exist. In the same way you can turn written language into digits and at the same time speak the language used for communicating, while doing operations in the background. You can also turn words into notes, I mean letters.
excellent