Finding UART and Getting a Root Shell on a Linux Router

  • Published Feb 8, 2025
  • In this video, we will discuss how to find UART debug interfaces on an embedded Linux device. We will then leverage UART to get a root shell on the device.
    IoT Hackers Hangout Community Discord Invite:
    / discord
    🛠️ Stuff I Use 🛠️
    🪛 Tools:
    XGecu Universal Programmer: amzn.to/4dIhNWy
    Multimeter: amzn.to/4b9cUUG
    Power Supply: amzn.to/3QBNSpb
    Oscilloscope: amzn.to/3UzoAZM
    Logic Analyzer: amzn.to/4a9IfFu
    USB UART Adapter: amzn.to/4dSbmjB
    iFixit Toolkit: amzn.to/44tTjMB
    🫠 Soldering & Hot Air Rework Tools:
    Soldering Station: amzn.to/4dygJEv
    Microsoldering Pencil: amzn.to/4dxPHwY
    Microsoldering Tips: amzn.to/3QyKhrT
    Rework Station: amzn.to/3JOPV5x
    Air Extraction: amzn.to/3QB28yx
    🔬 Microscope Setup:
    Microscope: amzn.to/4abMMao
    Microscope 0.7X Lens: amzn.to/3wrV1S8
    Microscope LED Ring Light: amzn.to/4btqiTm
    Microscope Camera: amzn.to/3QXSXsb
    About Me:
    My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
    Soli Deo Gloria
    💻 Social:
    twitter: / nmatt0
    linkedin: / mattbrwn
    github: github.com/nma...
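    The description above covers finding the UART pads and getting a root shell over them; the step it leaves to the viewer is picking the baud rate once the adapter is wired up. The script below is an added example, not code from the video: it cycles a USB UART adapter through the common rates while the target reboots, captures a burst of output at each one, and ranks the rates by how much of the capture looks like printable text (a wrong rate produces framing garbage such as 0x00/0xFF bytes). The device path `/dev/ttyUSB0`, the candidate rate list and the use of pyserial are assumptions; the scoring functions are pure Python so they can be exercised without hardware.

```python
"""
Rank candidate UART baud rates by how much of the captured boot output is
printable text. Added example, not from the video. Assumes pyserial for the
live capture and /dev/ttyUSB0 as the adapter; the rate list is a guess at
what embedded Linux boards commonly use.
"""
import time

# Assumed candidate list; 115200 is by far the most common console rate.
COMMON_BAUDS = (115200, 57600, 38400, 19200, 9600, 230400, 460800, 921600, 1500000)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF.
    A mis-framed capture is dominated by 0x00, 0xFF and high bytes, so a
    correctly framed console sits near 1.0 and garbage sits near 0."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def rank_candidates(samples: dict) -> list:
    """samples maps baud -> captured bytes. Returns (baud, score) pairs,
    best score first; ties are broken by the lower rate for determinism.
    Rates that produced nothing are kept with a score of 0.0."""
    scored = [(baud, printable_ratio(buf)) for baud, buf in samples.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def capture(port: str, baud: int, seconds: float = 2.0) -> bytes:
    """Open the adapter at one rate and collect whatever arrives in the
    window. Needs a live target that is printing (power-cycle it while this
    runs). pyserial is imported lazily so the scoring code above works
    without it."""
    import serial  # pyserial

    with serial.Serial(port, baud, timeout=0.2) as s:
        s.reset_input_buffer()
        buf = bytearray()
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            buf += s.read(4096)
        return bytes(buf)


def detect_baud(port: str = "/dev/ttyUSB0", bauds=COMMON_BAUDS) -> list:
    """Try every candidate rate in turn and return them ranked."""
    samples = {b: capture(port, b) for b in bauds}
    return rank_candidates(samples)


if __name__ == "__main__":
    import sys

    port = sys.argv[1] if len(sys.argv) > 1 else "/dev/ttyUSB0"
    for baud, score in detect_baud(port):
        print(f"{baud:>8} baud  printable={score:.2f}")
```

Once the top-ranked rate is known, a plain terminal such as `screen /dev/ttyUSB0 115200` or `picocom -b 115200 /dev/ttyUSB0` is all that is needed to watch the boot log and interact with the shell. Two practical points: wire only GND, RX and TX (adapter RX to board TX and vice versa) and leave the adapter's VCC pin unconnected, and check the adapter's logic level before touching the board, since most embedded Linux consoles run at 3.3 V and a 5 V-logic adapter can damage the SoC's UART pins.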

Comments • 85

  • @KeepEvery1Guessing 2 years ago +25

    Flux (and even pre-cleaning) is your friend for soldering. A little isopropyl alcohol and a Q-tip is useful for cleaning up flux residue, even if you didn't use flux (because there is flux in the solder core), since it can produce unwanted resistive paths later.
    A resistor (say, 1K or so) attached across your meter probes (say, with clip leads) can help to identify the RX pin, since the current through 1K to ground won't significantly affect the power pin voltage, but will move the RX pin significantly (maybe even almost to ground).
    I'm happy that I have an oscilloscope since I can look for a serial signal during boot even before I have soldered anything. But scopes aren't free (though the ones built into some of the fancier meters are more than adequate for this purpose).
    Nice exposition.

    • @PiotrK2022 1 month ago +1

      Do you ever read what IPA is used for? Probably not... IPA isn't suitable for cleaning residue after soldering, especially rosin-based flux.... Try something like a PCC-15-style cleanser; I guarantee that you will never use IPA again, because you'll understand that there's much better stuff on the market for cleaning after soldering than IPA, which only makes more of a mess than it's supposed to...

  • @abdultairu 1 year ago +5

    A button-sized neodymium magnet can hold the pin header while you solder one end of the pins. I enjoyed watching this video, and I was able to look at the WD streaming box that I have had lying around for a while, but I was unable to log in to gain root access because of a password. I will do a little research to see if others have been able to guess what the password is.

  • @RobertBranch-FL 2 years ago +3

    Very nice video. I thought your process description was very good and very relatable. Keep it up, information like this is great to get out to help beginners!

  • @Beterr 2 years ago +30

    Can we see a video where you don't have access to root shell directly through UART, and how you work around that to get shell access, especially in the case of U-Boot?

    • @mattbrwn 2 years ago +26

      awesome idea. I'll look into finding a device with a uboot bootloader so I can demo this! great feedback!

    • @Beterr 2 years ago +1

      @mattbrwn Definitely subscribed! Glad you came up on my recommended.

    • @PBRichfield 2 years ago

      @Beterr Me too, hoping he comes through. I'm not doubting his technical ability but rather his values. Besides, I haven't played this game in a few years, since Windows 11 and the Prolific driver B.S. That was my favorite TTY and worked every time, 60 percent of the time. Now I have FTDI chips all over and it's simply not the same.

  • @davidhammond5437 2 years ago +5

    Loved the video! I would like to see more of this style of video, but next time could you show us what happens when things go wrong and what tricks you've learned to deal with it?

  • @brucewilliams6292 2 years ago +2

    This was a lot of fun. Subscribed. There are numerous devices like multimeters and stud finders that have comms built in that I'd like to explore. Thanks for bringing us along.

    • @mattbrwn 2 years ago

      really appreciate it! there are so many devices out there that make good hardware hacking projects!

  • @braapit3246 2 years ago +7

    I recently started with hardware hacking, so this type of experience sharing helps me a lot. The explanation was very clean; the analysis of the chip could have been a little more zoomed in. Would love to see your setup with some explanation of what you use it for. Looking forward to more content, keep it up mate. 💪🏻

    • @mattbrwn 2 years ago

      thanks for the feedback! yeah I really need to get a better overhead camera setup.

  • @MickMcMadder 2 years ago +12

    Electrolytic capacitors have ground marked on them, and there are a few on this board, which connect to a large ground plane.
    Something like that is a good starting point, as well as the shields on connectors like USB and Ethernet.
    If you know the barrel jack is center-positive, then the solder point at the rear of the barrel jack is positive, since the center pin is crimped to it, so use the side solder joint first.

    • @mattbrwn 2 years ago +1

      awesome! this is super helpful stuff :D

    • @draeath 2 years ago

      @mattbrwn You can also focus your search for something connected to ground on the solder pads around a "complex" of chips, where an EMI shield would be placed (there are two on the bottom of this thing; at 3:21 the fingers on your left hand are covering the bottom-left corner of one). As well, if the board has large swathes where the copper hasn't been etched away (lighter green), that is usually grounded too. That's convenient for manufacturing, but it can also help shield from EMI.

  • @surenbono6063 2 years ago +3

    ..this is more advanced than a normal Windows user... I've only had experience working with UART on Arduinos.. interesting!... got to learn these Linux commands.. if the geeks are united they will never be divided..!

  • @mathewrtaylor 2 years ago +1

    Great video, and I appreciate your explanation of the pin outs. Need to go to my local Goodwill for some learning on my own! Thanks for posting!

    • @mattbrwn 2 years ago

      goodwill and other thrift stores are the best for finding fun stuff like that to hack on :) and then if you brick it you aren't stressed since you aren't out much money.

  • @mshabanian 1 year ago

    well done, thanks. I just had the same experience with a Grandstream modem. It just booted right into a shell.

  • @MrMactoshi 2 years ago +1

    Great video man! Would like to see more content!

  • @1over137 2 years ago +2

    "Blu-Tack" or whatever brand of sticky poster putty you get locally. Take a blob of it and stuff it onto the pin headers; it will stick well enough for soldering and doesn't melt (much) onto the pins! Shouldn't be an issue.

  • @numberiforgot 1 year ago +1

    I love doing this too dude. So much fun

  • @gajeelsomugba3785 2 years ago +3

    thank you straight to the point

  • @shygrammer 8 months ago +2

    I'd love a course on hardware hacking. I have not been able to find one on coursera or the others

  • @longtran12345678 1 year ago +1

    Very interesting, thanks for your video

  • @davidrichard1744 3 months ago

    Electrolytic capacitors are in practice always polarized, so the pin on the side of the capacitor can with the stripe is always ground.

  • @ofsanjay 2 years ago +1

    Nice tutorial Bro. Hope more contents are coming. 👌

  • @sky_mec 4 months ago

    Man, are you using dwm or i3? Interesting to see people using those for development. I tried but had a lot of issues, then moved to Ubuntu (I mean I had issues with Gazebo and other simulations).
    Anyway..
    I am loving this. You get a new sub, bro.

  • @PaulGrayUK 1 year ago

    Blu-Tack to hold the header, and flux to clean the pads. I usually dip the header into flux liberally, push it through, and that's enough to do the pads neatly that way. But you can never have too much flux. The main tip in soldering would be a well-tinned iron to start with, and lots of flux.
    What you need is a pogo clamp; alas, most you can get are short, and you will also need vertically and horizontally lined pogo pins. But it's worth hacking something together, as, I don't know about you, but soldering shows why I'm not a brain surgeon 😁

  • @jimlundborg 2 years ago +1

    More videos like this please!!

  • @GrenPara 9 months ago

    Hello, just found your channel and find it interesting.
    Do you use software to do this or are you simply using terminal in linux?

  • @luciusbektisulistyo6469 2 years ago +1

    yes it works brother ! many thanks

  • @fuzzs8970 2 years ago +4

    Thank you for your video. Any chance you make one for JTAG?

    • @mattbrwn 2 years ago +1

      I'm actually just learning JTAG myself but that's a great idea to do a basic video about what I've explored. We are all on a learning journey. it never ends!

    • @fuzzs8970 2 years ago +1

      Hi. Check out this channel: Make Me Hack on YouTube.

  • @stephanhan.8390 2 years ago +1

    Hey @Matt Brown, a nice educational video as always. Just wanted to ask, what's the window manager you are using on the host machine? And also the bar at the bottom? It's nice that you have a notification indicator as well. :)

    • @mattbrwn 2 years ago +2

      Thanks! I use the i3 window manager running on Arch Linux. wiki.archlinux.org/title/I3
      The bar is just the default i3status bar, but there are a lot of cooler replacements for that. I just like to keep it simple. wiki.archlinux.org/title/I3#i3status

    • @stephanhan.8390 2 years ago

      @mattbrwn thanks mate. Good to see a great Arch setup.
      I'm a polybar man and need to find a nice indicator like that.

  • @jtmuzix 1 month ago

    you are really good!

  • @1over137 2 years ago +2

    I find a lot of "hacking" videos are a bit like:
    Q: "Wow, you managed to steal all their jewelery, how did you do that?"
    A: "Well, while I was in their living room I found their door key and cloned it. So I could let myself in later and steal."
    It's like.... oh.... ah..... not exactly a hack then.
    While it is very, very interesting from the point of view of "hacking" a device that doesn't want you to mess with its hardware etc., as to "hacking" a user it's irrelevant. Which I'm sure it was intended to be.
    I mean, if you want a root shell on that router, just hard reset it and flash your own firmware to it. 5 minutes, done.

    • @mattbrwn 2 years ago +1

      This is something I get asked a lot at work. You are correct that this is not a "hack" or an "exploit" of a vulnerability unless physical access is in scope.
      The main thing I use UART or other physical access methods for is to search for those vulnerabilities in a given device that can be exploited over the network. UART gives me access to the firmware, which aids in my research process. UART access isn't a vulnerability in itself; it's a stepping stone to further analysis.

    • @1over137 2 years ago

      @mattbrwn I suppose. You can make a catalog of modules and libs and go collect a list of exploits to see if any are juicy.

  • @waelbadr4724 1 year ago

    I just saw the video and you are awesome. I have two questions:
    1. Since I have control, can I clone the firmware?
    2. How do I log in in case there's a password?
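    Matt's reply in the thread above describes UART access as a stepping stone to finding bugs that are reachable over the network, the follow-up suggests cataloguing what runs on the device, and the comment just above asks how to clone the firmware once you have control. The script below is an added example, not code from the video or from Matt: it takes console output copied out of the root shell (`cat /proc/net/tcp` and `cat /proc/mtd`) and turns it into a list of listening services, the subset reachable from the network, the flash partition layout, and the `dd` commands to copy each partition off the board. The two captures embedded in the script are constructed to look like a typical router; they are not from the device in the video.

```python
"""
Build an inventory from root-shell output: listening TCP sockets from
/proc/net/tcp, flash layout from /proc/mtd, and dd commands to dump each
partition. Added example, not from the video. The two sample captures are
constructed, not taken from a real device.
"""
import re

# Constructed sample of `cat /proc/net/tcp`. Addresses and ports are hex and
# IPv4 addresses are stored little-endian; state 0A is LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0
   3: 0A00000A:0050 0B00000A:C123 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 100 0 0 10 0
"""

# Constructed sample of `cat /proc/mtd` on the same imaginary router.
SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00fb0000 00010000 "firmware"
mtd3: 00010000 00010000 "art"
"""

TCP_LISTEN = 0x0A  # socket state code used by /proc/net/tcp


def _decode_addr(field):
    """'0100007F:0035' -> ('127.0.0.1', 53): undo the little-endian hex."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets)), int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Return [(ip, port, uid)] for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines():
        parts = line.split()
        # Data rows start with the slot number ("0:"); the header row does not.
        if len(parts) < 8 or not parts[0].endswith(":"):
            continue
        if int(parts[3], 16) != TCP_LISTEN:
            continue
        ip, port = _decode_addr(parts[1])
        found.append((ip, port, int(parts[7])))
    return found


def network_reachable(sockets):
    """Drop loopback-only listeners; what remains is the remote attack surface."""
    return [s for s in sockets if not s[0].startswith("127.")]


MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"')


def mtd_partitions(proc_mtd):
    """Return [(device, size, erasesize, name)] with sizes as integers."""
    out = []
    for line in proc_mtd.splitlines():
        m = MTD_LINE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16), m.group(4)))
    return out


def dump_commands(partitions, out_dir="/tmp"):
    """Commands to run on the target to copy each partition to a file.
    Reading /dev/mtdN is non-destructive; writing to the bootloader or its
    environment partition can brick the board, so only ever dump those."""
    return [f"dd if=/dev/{dev} of={out_dir}/{name}.bin bs={erase}"
            for dev, _size, erase, name in partitions]


if __name__ == "__main__":
    socks = listening_sockets(SAMPLE_PROC_NET_TCP)
    print("listening:", socks)
    print("reachable from the network:", network_reachable(socks))
    for cmd in dump_commands(mtd_partitions(SAMPLE_PROC_MTD)):
        print(cmd)
```

A UART console carries no file transfer by itself, so the dumped `.bin` files still have to leave the board by another route (a USB stick, `tftp` to your host, or, for a small partition such as the bootloader environment, piping it through `base64` and saving the terminal log). For the catalogue idea, `cat /proc/version`, running `busybox` with no arguments, and listing `/lib` record the kernel, BusyBox and shared-library versions that the listening services above are built on. On the password question: a root console means `/etc/passwd` and `/etc/shadow` can be read directly and the hash cracked offline, which is usually faster than guessing at the login prompt.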

  • @josjuarlister1059 1 year ago +1

    Great video thank you

    • @josjuarlister1059 1 year ago

      I think I may have fried my board. I touched two pins with my multimeter while the thing was powered on and suddenly all the lights went out on the board 😬

  • @alexsv1834 5 months ago

    Thank you for the video! Do you know any trick like this for finding the eMMC/NAND flash pinout to read a dump without BGA removal?

  • @ALO00.Z 1 year ago

    Pretty cool for a beginner like me

  • @RacoonSN 5 months ago

    The USB UART adapter linked in the description is a 5V variant; on Amazon there is also a 3.3V variant. I read that UART works with 3.3V, can you explain this?

  • @blynktest8398 1 month ago

    Matt, look for ground on an electrolytic capacitor ;-)

  • @ddruckmu 2 years ago

    Thanks it helped me install it

  • @nhoenderop 1 year ago

    Please keep making videos

  • @daviddavidson2357 2 years ago

    Not a perfect method, but a piece of tape will hold pin headers to the board long enough for you to solder.
    Blu tac may also work, though it'll probably flex too much before it melts.
    If using pliers insulate the tips (thermally) so they don't act as a giant heatsink. Vinyl tape will work.

  • @dvfilmpk 2 years ago +1

    good hack, good job man

  • @johanngambolputty5351 2 years ago

    What are the extra two pins on the USB to UART cable?

  • @bertblankenstein3738 1 year ago

    Just curious whether the pin pitch you have there is 0.1" (2.54mm) or 2.00mm. I found a board in my basement and the pin pitch is 2.00mm, so I had to get that size of pin headers and associated Dupont wires.

  • @emmerad 8 months ago

    The metal case of SMD crystals is usually connected to ground so that's my favorite place to start checking for ground connections

  • @gersonsoares6628 2 years ago +1

    All good, Matt? Good video, young man. How did you stop the kernel, which key did you press to stop U-Boot? To get at the filesystem?

    • @mattbrwn 2 years ago

      I just hit Enter right at boot time to stop U-Boot. However, if U-Boot is locked this will not work.

  • @neb_setabed 2 years ago +2

    Liked the video, but your microphone was peaking a lot; just something to keep in mind for future videos.

    • @mattbrwn 2 years ago +2

      thanks for this! I've turned my mic down in OBS for my next videos coming soon. hopefully that makes things better.

  • @ahsamahi4385 2 years ago +1

    Can we use the Shell to troubleshoot the board?

    • @mattbrwn 2 years ago +1

      yes you can!

  • @noureddineghoul2932 2 years ago

    Worked, thx

  • @charlesbiggs7735 2 years ago +2

    Loved it! Now what can we do with it?

    • @enzanto 2 years ago +1

      I would love a follow-up video of what we can do now that we are in.

  • @WWFYMN 2 years ago

    Can I use an Arduino for USB to UART, or can I make it myself?

  • @M.altarhoni2024 1 year ago

    Thanks

  • @wl4131 1 year ago

    Awesome vid

  • @hackwithprogramming7849 2 years ago +2

    liked it bro

  • @spelerkeerik4483 2 years ago

    god bless ur heart

  • @indian3197 1 year ago

    Can I solder dupont wire directly to the UART pads?

    • @bertblankenstein3738 1 year ago

      I suppose you could do that. Note the pin pitch. Most pin headers are 0.1" (2.54mm), and a board I'm looking at connecting up has a 2.00mm pin pitch.

  • @beninaskaria 2 years ago +1

    It’s continuity mode not connectivity mode.

  • @sundarlal12 1 year ago

    Please make videos on smart lock firmware hacking

  • @KallePihlajasaari 2 years ago

    Explain what you saw in the boot log in a bit more detail so people know what sorts of things to expect and research further. Some of the stuff is unexpected and not obvious.
    Find a router that you can load OpenWrt onto. Something that is well supported, not a nightmare low-memory unit.

  • @lilblackduc7312 2 years ago

    Thank you for a great video! Nevertheless, I will NOT patronize Goodwill in any fashion since they announced they were 'woke'...Friends don't let friends do those things...

    • @mattbrwn 2 years ago +1

      I feel you on that. Any thrift stores that haven't gone woke?

    • @lilblackduc7312 2 years ago

      @mattbrwn I haven't heard anything like that from Goodwill. So, they sometimes get my business. Don't pay my previous statement any mind, I was just complaining in the middle of the night. I probably should delete it...

  • @herbertlee2673 2 years ago

    Dude, maybe the channel got hacked

  • @SpeccyMan 2 years ago

    Someone needs to learn the difference between the English words bare and bear!

  • @khatdubell 4 months ago

    It's kind of disgusting, you picking things up at Goodwill to break them apart on the cheap.
    Goodwill exists to serve the needy, not your hardware hobby.

    • @mattbrwn 4 months ago

      😂😂😂