Hacker's Guide to UART Root Shells
ฝัง
- เผยแพร่เมื่อ 7 พ.ค. 2024
- Learn tricks and techniques like these, with us, in our amazing training courses!
flashback.sh/training
The UART Protocol and Interface is crucial for hacking IoT devices. We explain how to quickly identify a UART interface and connect to it to get a root shell, as well as a trick on how to re-enable a UART connector that has been disabled by the manufacturer.
00:00 Intro
01:00 What is UART?
04:05 Identifying UART
07:56 Connecting to UART
08:52 The UART Protocol
14:42 Re-enabling broken UART
Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.
~ Flashback Team
flashback.sh
/ flashbackpwn - วิทยาศาสตร์และเทคโนโลยี
Keep up the videos very awesome! For someone new to hardware hacking what cheap devices could I try my hands on that has an UART interface?
Thank you for your feedback!
While the techniques we show apply to any IoT / embedded device (TVs, set top boxes, smart speakers, smart home appliances, cameras, enterprise firewalls, car ECU, etc) we really like showing examples on routers.
This is because routers are very cheap and easy to get, share lots with common with most IoT devices.
Not all routers will have UART, but in our experience 90% do.
You could start with TP-Link TL-WR841N. It's quite cheap and could be a good start!
instablaster...
Routers. I find them all the time next to bins 🗑
@@Jimfowler82 that's right, you could use one to that you know a target uses and see if you can make exploits to test on that same brand router? Other than that.....the router is probably in the bin for a reason? Or people just don't care and upgraded to a newer connection that the router doesn't support (because it's branded and locked to a specific network), and in that case....the best you could do is "unlock" the router to use firmware supported on other networks? You can inject features that are supported on the hardware, that are not coded into the firmware interface? You can white list and black list different services& connections as do the OEMs? You can unlock things that your current ISP doesn't want you to get access to, or access is provided through different hardware without the restriction etc? So if you see a router just like yours and you want to hack around with some things; you can do it safely without taking your household off the internet while you try fixing it? Lol
@@Jarmezrocks in the U.K. it seems quite often people change isp companies and just throw the old router away. I found one last year & connected the uart it’s an interesting process that gives you a decent understanding of how the hardware & software work.
I had never considered before that you could take photos of both sides of the PCB and color traces in a photo editor. That's such a great idea!
I'm lazy so I just usually try 9600, 19200 or 115200, works 99% of the time and is faster than reversing the baud rate. Of course for an educational video showing how you can calculate the baud rate is very good. Great video !
In school:
You will need to learn these 10,000 different methods!
In practice:
There's like 3 ways to do it most of the time.
@@joshuamahon260 In youtube comments:
Proving you couldn't find a use for knowledge!
I bet there is a utility to auto find the baud rate. Idgaf about manually calculating transfer speeds.
What is the 3.3 or 5 volt of the uart for? I don't see that they use it and it comes there on the USB! If I do it on a camera as they say in the video, I don't need tftp or is that mandatory? I'm bad at this and I don't understand tftp. I damaged my camera by installing the wrong firmware but it turns on but I can't connect to it anywhere, I only see the infrared LEDs and that's it. Do you think this works with that software in the tutorial?
Hollywood Hacker: "I'm in the mainframe!"
Real world hacker: paperclip bridge
If I wanted to show someone an example of what a well presented, entertaining TH-cam video looks like, I would show them this channel.
In 1990, I built from scratch a few micro controllers and communicated with them using a serial interface and a terminal to configure them. This video brings back old memories and makes me glad that people are using the same technique.
Absolutely amazing! I can totally imagine how satisfying that experience must have been. Ah, those were the days!
@@ulysses_grant
I still have them and the source code. They helped me get a good job at DEC.
I hadn't been born yet😂
This is an example of a perfect tutorial. Great pace, background info, and real-world examples. Thanks so much! Subscribed.
Wow, impressive how you tought me serial communication in 17minutes when I have had quite hard to grasp it before.
Very educational approch with practical example, and problem solving.
Subscribed!
Simply brilliant. Thank you for explaining the concept of calculating the baud rate so beautifully.
excellent video. well explained and visualized. keep up the good work. subscribed.
Never seen anyone teaching something so easily! Love this thank you sir
this is amazing. this is the first video of this kind that I watched and was so educational. thank you very much
Great tutorial. Thanks for sharing your knowledge!
Please keep doing these. I’m trying very hard to learn to do stuff like this, I literally have all the gear. But either I’m slogging through textbooks that are too boring to read, just poking around under the microscope and multimeter or with uart to usb, reading tutorials for already wide open -eg dev boards and generally struggling.
I don’t want to hack hack anything; I just would love to be able to take my old broken smart devices with generally powerful chips and Linux - I can list what I’m working on if interested- and repurpose them. For instance I have a 22 in touch screen used in advertising and ran android it no longer works. I got uart logs, I can even send commmands over uart though unreliably- usually the boot log washes it out but a
Simple “ls” will output in between log lines.
I don’t yet understand what to do next, boot loaders, getting it to boot
My Linux. I don’t understand even a smidge of android- so that’ll have to to
It’s a rock chip rk3288 but I also have several other projects, two with ingenic JZ4775, a very important one I need to fix with a vacuum octeon plus with usb thumb drive rather than spi? And another I have three of mediatek or something. Discarded yi cameras. But I can’t get all the way there like you guys . I have 75% the skills but I neeed the last 25%
Excellent tutorial, thanks a lot for showing us this
keep up the great work!
This video should be what youtube is all about. GREAT WORK teaching!
Thanks again, nice to see you pushing out more videos.
This is the best tutorial i have seen about usb to ttl.
Thank you so much man for the help
Thank you for explaining this thoroughly!
I just purchased a TPLink Archer identical to the one you have just shown in the video. That's handy to know!!!
This helped me. Great work!
Thanks alot! Great video! Keep them coming, please.
Amazing step by step explanation. Thank you very very much.
Awesome video, very informative. Thanks for sharing
Very cool video. I just got my first root shell on an old Wi-fi range extender I had lying around.
Great job! Let us know if you find any vulnerabilities!
how you login ? i mean the username password ?
Amazing explanation!
Thanks for documenting this. I got a root shell on my Archer C9 back in 2016 with the same simple UART interface.
i don't think ill ever use this but i learned a lot about serial. Thanks
very useful video , pls post more videos like that we need more and more
great video and ofcourse great explanation.. thank you so much.
Very informative video..
Love from India
Amazing. Thanks for sharing.
Thank you, it works perfect!
I am surprised that such a good video has less view from researchers.
We don't need videos like this. We have degrees in electronics and already understand UARTs and communication protocols and understand how to use oscilloscopes and logic analysers.
This is for real hackers. Awesome!
Excelente vídeo!
As a beginner, this video is great! May I ask if there are any cheap IOT devices (such as cameras) that I can try to get started with? I want to use UART to complete IOT forensics, but I don't know which models of devices can be used to try.
7:20 - In most cases, which pin is the ground should be readily apparent. Usually all but one of them will have small traces connected. The one that has a large, wide trace is going to be the ground. Some PCBs, however, have a certain degree of protection by making the traces less visible. On those, a multimeter with continuity would be a necessity. This board is not one of those, as you can visibly see the North pin and the 2 South pins have small traces, and the odd one out is connected to the Board Common Ground. This works for simpler PCBs. It is the more complex ones - where the ground is less obvious - where you need to use this method.
This is great, I am trying the same with an IP camera.
By far the best thing on the internet for hardware hacking
Thank you. We are just getting started!
Hey Guys! Thank you very much for this awesome video! It's very informative and it's cool to see how everything comes together at the end. From the bits recorded by the logic analyzer to the baud rate to the connection. Even though it's faster to just guess the baud rate, due to your example it's much clearer what is going on in the background.
Right now I'm trying to connect to a cheap 8 dollar smart watch which works with the Mediatek MT6260 SoC and aparently it's working with 2.8 volts cause it's cmos based. Can i still use an FTDI adapter in 3.3 V mode to connect? I tried to find some information on the internet but wasn't very successful!
Greetings
Vey very cool stuff, thank you for this one!!
Thanks for video
Awesome, thank you
Awesome video!
Awesome video, great explanation!
Glad you liked it!
How about a JTAG video in a similar style??, I've learned quite allot from this video
Awesome inspiring. Do more pls
Your videos are so interesting. I wonder if you had a chance to play with any of the DrayTek products
I was able to revive my tplink AP. Thanks to this
I aspire to be as good as you guys one day.
Nice video, thanks :)
Great video.
One thing to note about baud rate is that the whole number integer values are not the only values you can use. There are fractional rates that are available, depending on the CLK frequency. Look up any of the older UART ICs and you should find the info.
It takes no more than 3 minutes to try the most common settings, if none of them work then you can pull out the oscilloscope but almost always you will save the hassle
@@victornpb Also, from what I've experienced with non standard rates, if you're off by 10-20 hertz, you'll always see recognizable characters to a large extent.
You can usually be off by 1-2%. The UART peripheral will not even notice that. It depends on the sample rate of the peripheral and the number of samples it takes per symbol.
Nice information thank
Wov I am searching you very long thanks God I found at last.
This was interesting and informative. One small nit. I've always heard this called asynchronous serial protocol, and the UART is the hardware component that emits the protocol.
This. Saying "uart protocol" makes the hairs on the back of my neck stick up. Universal Asynchronous Receiver / Transmitter. It's hardware component, used to be a discrete chip but these days it's usually a macrocell in the CPU (or other VLSI chip) design.
You can also use well known 'screen' command instead of 'minicom'. Screen is usually used to create background sessions but also has functionality to support configurable serial connections.
Yes, screen is actually our default but wanted to use minicom in the video as it's more recognizable. Thanks for the heads up.
@@FlashbackTeam Thanks for reply and thanks in general for your whole impressive work. Will you be publishing anything related to HackRFOne device? And one more question - this logic analyzer is original Saleae device? Is it very expensive?
thank you so much!!
Great skills
Muy buena su información
The movie finished before it even started ! 💖 it !
1. What logic analyzer model are you using?
2. What software for analyzing the image traces is that?
You guys rock!!!!!
HW dev here. You are very lucky with the devices you showed. I don't know any device, which my company developed where you can do such attacks.
But nice video!
It's a nice gift to have full UART access and that happens way often as some may think. Also, consider that even if UART is disabled in production there are still ways to enable it as we have done many times, even Tx is very useful already. But if that doesn't work you just adapt your approach.
@@FlashbackTeam you are right! We develop only products or parts which are not consumer grade. For example parts of DNA sequencers etc. We have to protect your IP and that's the reason why we put a lot of effort in protecting mechanisms.
@@FlashbackTeam Some chips allow you to blow a fuze inside them to permanently cut any UART from the pins. However it is not often enough used. Which is why such attacks work relatively often.
Nice video
Thanks guys
Following a trace with digital image software is very clever.
excellent
Excelente video 👌.
Tengo una cámara china yoosee cómo hago para flashear un firmware por uart ? . Gracias
Owesome video
thanks!
well done ;))))
Thanks for a great video! I would like to ask you what components it is at 6:24?
Thanks. I got it from here: www.thingiverse.com/thing:2427726
nice 👍
Good stuff... they don't teach you this in school...
The best video! Thank you for it. Any possibility of a 2024 update?
Working on it!
Hi. Do you think it might be possible to interface with SIP chips like macbook WiFi ICs? Since 2020 apple uses embedded WiFi SIP with onboard SPI ROM which stores MAC and SN. The problem is that it is also bonded to CPU, so there are thousands of macs with signature damage (due to design WiFi chip dies after water damage in very high amount of cases). Unfortunately this causes the device to crash on boot and it wont work with different IC. There are UART testpoints around this IC, so I was wondering if there is a chance that such specific chip might he hacked to work on different board.
What is the 3.3 or 5 volt of the uart for? I don't see that they use it and it comes there on the USB! If I do it on a camera as they say in the video, I don't need tftp or is that mandatory? I'm bad at this and I don't understand tftp. I damaged my camera by installing the wrong firmware but it turns on but I can't connect to it anywhere, I only see the infrared LEDs and that's it. Do you think this works with that software in the tutorial?
Nc sharing, Lods
Damn it looks easy :)
Nice video. however, I have a question. Is the start/stop bit always just one 0? If so just the bits per second define how many bits it will capture per packet so it doesn't "desynchronize"?
Thanks! Synchronization is only determined by the baud rate that sender and receiver need to set to the same value. It ensures synchronization of read and write. Start bit is always a LOW value (logical 0) and Stop bit can be 1, 1.5 or 2 bits HIGH value (logical 1) at the end of the UART frame.
I believe it depends on the idle state of the data line. Start will always be inverse of idle level and stop will be same level as idle. @@FlashbackTeam
Thank you for your content.
Please recommend some devices to get my feet wet. A cheap router and the uart usb.
If for example i use the wrong pins in the uart, can i fry the target?
Congrats once again 🇵🇹
You could start with TP-Link TL-WR841N. It's quite cheap and could be a good start. There are really a lot of UART-USB devices on amazon, just take the one which has good reviews and has a good price for you and you should be fine.
I think the risk of frying the board is quite small if you make sure you discover the ground and vcc pin of the board and you wire things fine.
@@FlashbackTeam thanks for the response. Please keep up with this channel
🇵🇹 🇵🇱
What is the model of the UART comms device shown at 7:59?
Valeu!
Hi there, please made video for mikrotik router board uart thank you very much before
This is exactly the information I needed to see if I can hack a android digital TV box 👍
And that means if I can get a root shell I can imagine a non-branded box via the UART and then write it back on-to my "brained perpetual subscription box" so I can get free digital TV again, perhaps? 🤔
te funciono En que Marca y modelo Lo intentaste??
I have a question what if it has multiple tx and rx ,like tx1 and tx2. Rx1 and rx2 the pins are labelled
Thé most dépressive intro i saw on TH-cam for years, congrats !!
If the router and the USB ports are powered through different source, how do you close the ground loop? Also, is the 3.3 volt logic tolerant with 5V port?
As long as you have an isolated power supply and you are not getting shocked there is no ground voltage and you can join both grounds with no problem, you can connect any 3.3v tx into a 5v rx no problem but the other way 5v tx to 3.3 needs a voltage divider, i usually use a resistor and a led for that as the led will drop the voltage to 3v and give feedback as a bonus.
8:01 what's the name of the board? that can speak UART. great video
Just search for any USB-to-UART adapter. They will register to your computer as a device, i.e. /dev/ttyUSB0. They have FTDI chips that is used to speak UART protocol.
you can use arduino as that device by connecting the reset pin to arduino to gnd and then using its tx rx vcc and gnd pin , same as in ftdi
"UART" is not a protocol, it's a device (here built into the processor) that provides an asynchronous serial port to a system. The easiest way to refer to it is just "serial port", or "RS-232" if you ignore that the voltage levels are wrong.
I have lcd send uart data i try to decode data by usb to serial but data showing vary difficult ... how can i send to you video and contract you ...plz reply
Grazie.
Thank you for your support!
Good
Jest możliwość stworzenia programu, który porównuję języki i szuka podobieńst lustrzanych. Dzięki takiemu programowi byłbyś w stanie napisać nieskończoną piosenkę, na pewno gdzieś tam jest drugi sens. Można skleić dwie istniejące piosenki dwóch artystów poprzez taki program. Tam jest ukryty gad. Wystraczy połączyć wszystkie słowa bez spacji i przetłumaczyć w dwie strony na te języki, które istnieją. Tak samo można zamienić język pisany na cyfry i mówić w tym samym czasie językiem do porozumiewania, a w tle robić działania. Można też zamienić słowa na nuty, znaczy się literki.
This technique will help save IoT hardware from landing in the garbage dump before they should. Imagine if you could take an old Sonos zone player and free it from needing to communicate with Sonos, give it a web interface and let it be a DLNA or AirPlay media target or something... so many good quality products are destined to become garbage the second the manufacturer stops supporting them, or goes belly up. We’re going to need an army of hackers to save the hardware from greedy corporations that think they still own hardware they sold to us like the way China deals with real estate...
I’m more seriously considering purchasing a device that has known terrible firmware that forces you to use their junk cloud service that people have developed alternate firmware for since the hardware is totally decent but requires this type of hack to flash the open source firmware onto it... not so mysterious now.
Hi... Thanks for the amazing video. I physically found a broken UART Port with three pins on an chinese IP camera, and one pin is 'GND' terminal for sure. I really have doubt the other two, terminals on finding which one is TX and RX. By little bit of solder on the other two terminals, I am able to read the bootloader info from Camera to my linux shell via FTDI chip. But the other way communication, i.e., hit any key to stop autoboot (as you mentioned in video @14:48) I am unable to perform. FH8626V100 is the SoC. Unable to get datasheet. I am thinking of pull up resistors also. Can you pls help?
got an oscilloscope? it would probably make the problem apparent
Little late maybe? You can guess by trying RX/TX. Learned that when I stomped with a device that had the wrong pin marking, instead of saying the SoC TX and RX, it said "Here you should comnect your RX (being the SoC TX"
Just takes more time, put the pins one way, try all the common baudrates, reverse and try again.
Also, the autoboot thingy, depends on the bootloader, I've seen devices that only stop booting with a specific key (I'm pointing at you, Dahua devices!) Where only the asterisk key worked. Didn't figure that myself, used to work with the brand haha.
Thanks
Thank you for supporting our channel!
We win!
This shows why most data centers are physically secured.