UART Essential for Pentester

PREAMBLE

The content of this blog post was originally a mini-talk with demonstration about UART in the context of pentesting. I therefore decided to transcribe the contents of the slides and add a practical demonstration.

INGREDIENTS (tools)

Before starting with the theory, here is a list of the tools:

UART

Universal Asynchronous ReceiverTransmitter (UART) Is one of the simplest serial protocols mainly used for debug by vendors (threat vector for getting a shell). Could be find in many embedded and IoT devices /post/img/netgear-g5230e6e56_640.jpg /post/img/arduino-g72f3edee7_640.jpg

UART transmit data asynchronously, which means there is no clock signal to synchronize the output of bits from the transmitting UART to the sampling of bits by the receiving UART. Instead of a clock signal, the transmitting UART adds start and stop bits to the data packet being transferred.

HOW IT WORKS

/post/img/UART_Frame.svg_.png

The line is held high (at a logical 1 value) while UART is in the idle state. The transmitter sends a start bit to the receiver, during which the signal is held low (at a logical 0 value). The transmitter then sends five to eight data bits containing the actual message, followed by an optional parity bit and one or two stop bits (with a logical 1 value), depending on the configuration. The parity bit, used for error checking, is rarely seen in practice. The stop bit (or bits) signify the end of transmission. The most common configuration is often referred as 8N1: eight data bits, no parity bit, and one stop bit. Now let’s go into practice

PIN ON THE BOARD

If you don’t have the datasheet of the board, they could be marked as “UART” or could be find single pin “TX” “RX” “GND” “VCC” or similar… Sometimes UART is provided through GPIO pins. It is also common not to have any identifying lettering. In any case try to look for exposed pins or four through-hole pads next to each other.

img/board.jpg img/board_pin1.jpg

If you don’t have any information about what PIN is what, you have to find by yourself. Let’s do it!

WARNING

Remember to disconnect the router from the power initially. Do not touch the board and its components directly or with driver material.

IDENTIFY THE GROUND

Start by identifying the ground PIN. This could be done with a continuity test. So take a multimeter and test every pin. Keep one probe (conv. black) on a metallic surface, since those are usually shorted as ground. With the other probe (conv. red) start testing every PIN.

/post/img/probe.jpg

NOTE: I just said that “usually” internal metal surfaces are grounded. That it’s true but in my experience I found some devices that doesn’t have every piece of metal grounded. I highly suggest to test different metal surfaces. You can also try to touch 2 different pieces of metal and see if they are connected, if so they are probably grounded.

IDENTIFY THE TRANSMITTER

There are several ways to identify the transmitter PIN. The basic idea is that the device will almost certainly write debugging information during boot. An oscillation will then occur on the PIN. We can measure it with a multimeter or with an oscilloscope as described for example in the book “Practical IoT Hacking The Definitive Guide to Attacking the Internet of Things”. Here it is shown how to do it directly by connecting and interacting through Minicom.

Wrong board “TX” pin:

/post/img/rx_wrong.jpg

Starting the device doesn’t print nothing:

/post/img/wrong_pin.jpg


Correct board “TX” pin but wrong baud rate:

/post/img/rx_ok.jpg

/post/img/wrong_baud.jpg


Change baud rate (in this case the correct was 115200):

/post/img/change_baud.jpg

Restart the device:

/post/img/correct.jpg

IDENTIFY THE RECEIVER

At this point we just need to connect the TX PIN of the FT232RL with one of the 2 remaining pins and try to write. Otherwise, you can identify it because it has the lowest voltage fluctuation and lowest overall value of all the UART pins.

img/board.jpg

SHELL

img/board.jpg

REFERENCES