Who am I? (this slide again? every
Research Assistant at Deakin University.
Researcher at Volvent security (Rux party sponsor!).
Just passed my PhD thesis examination (on
Pics by DNZ.
UART is like an embedded version of RS232.
Pretty much the same framing (start bit, data bits, stop bit), except the voltage level: RS232 swings to roughly +/-12V and is inverted, while a board-level UART runs at logic level (usually 3.3V or 5V), so never wire a PC's RS232 port straight to the header.
You can attach a serial console.
Interfacing with UART
Serial console access gives us:
shells on occasion.
More verbose logging, e.g. when a daemon crashes.
The ability to interact with the bootloader to upload
Removing the case
Make sure to have screwdrivers.
And jeweller's screwdrivers.
And a Torx screwdriver set.
Screws can be hidden in rubber feet or behind
Sometimes the cases are clipped in.
A small flathead screwdriver is good for prying.
Look for header pins.
Sometimes just pads – you will need to solder
4 pins are very typical, sometimes more.
If you have 10 or more pins, then it’s probably
Finding the Ground Pin and Voltage
Use the “continuity test” feature of a multimeter, with the board unpowered.
Attach one probe to the metal shielding, which
is commonly grounded.
Test each pin with the other probe.
It beeps when continuity (GND) is found.
Then power the board and measure the voltage on the other pins relative to GND.
Most are 3.3V, but sometimes more or less (5V and 1.8V parts exist); note it down, since the serial adapter has to match.
Finding the Transmit Pin
Connect the device GND to the oscilloscope GND clip.
Probe each remaining pin with the scope.
Reboot the device while doing it, since the bootloader prints the most output early on.
Should see square waves (data) on scope when TX
Interfacing to a PC
to USB cable
Need to know the voltage levels that you measured
Then attach each identified pin: GND to GND, the device's TX to the adapter's RX, and the device's RX to the adapter's TX. Leave VCC unconnected unless you intend to power the board from the adapter.
Using a serial console
In Linux, use minicom (or screen /dev/ttyUSB0 115200).
Pretty much everything is 8N1 (8 data bits, no parity, 1 stop bit), with no flow control.
Use the baudrate program to try different baudrates automatically; 115200, 57600 and 9600 are the usual suspects.
And you’ll get data!
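The baudrate search above is mechanical enough to script. The example below is added here and is not the baudrate program from the talk nor any code from it: it samples a few hundred bytes at each candidate rate and scores how much of the sample is printable ASCII, because a wrong rate turns a boot log into framing garbage (0x00, 0xFF and high-bit bytes). The CANDIDATE_BAUDS list, the 0.9 threshold and the FakePort class are assumptions for demonstration; on real hardware you would pass something like lambda b: serial.Serial("/dev/ttyUSB0", b, timeout=2) from pyserial (assumed, not imported here) and reboot the device while it samples.

```python
import string

# Candidate rates in the order embedded gear usually uses them (assumed list).
CANDIDATE_BAUDS = (115200, 57600, 38400, 19200, 9600, 4800, 2400, 1200)

# Byte values we accept as "text": printable ASCII plus tab/CR/LF and friends.
PRINTABLE = frozenset(bytes(string.printable, "ascii"))


def score_sample(sample: bytes) -> float:
    """Fraction of bytes that are printable ASCII. At the right rate a boot log
    is almost all text; at a wrong rate framing errors show up as 0x00, 0xFF
    and bytes with the high bit set, so the score collapses."""
    if not sample:
        return 0.0
    return sum(b in PRINTABLE for b in sample) / len(sample)


def detect_baudrate(open_port, bauds=CANDIDATE_BAUDS, nbytes=256, threshold=0.9):
    """Try each rate in turn. open_port(baud) must return an object with
    read(n) -> bytes and optionally close(); with pyserial (assumed, not
    imported here) that is: lambda b: serial.Serial(dev, b, timeout=2).
    Returns (baud, score) for the first rate reaching the threshold, or
    (None, best_score) if none does."""
    best_score = 0.0
    for baud in bauds:
        port = open_port(baud)
        try:
            sample = port.read(nbytes)
        finally:
            close = getattr(port, "close", None)
            if close is not None:
                close()
        score = score_sample(sample)
        if score >= threshold:
            return baud, score
        best_score = max(best_score, score)
    return None, best_score


class FakePort:
    """Constructed stand-in for a serial port (not real hardware): returns a
    clean U-Boot banner at the device's real rate and framing garbage at
    every other rate."""
    BOOT_LOG = b"U-Boot 1.1.4\r\nDRAM:  32 MB\r\nHit any key to stop autoboot:  0\r\n"

    def __init__(self, baud, true_baud=115200):
        self.correct = baud == true_baud

    def read(self, n):
        if self.correct:
            return (self.BOOT_LOG * 8)[:n]
        # Every byte value once: only about 100 of 256 happen to be printable.
        return bytes((i * 37 + 0x80) & 0xFF for i in range(n))


if __name__ == "__main__":
    print(detect_baudrate(lambda b: FakePort(b, true_baud=9600)))  # (9600, 1.0)
```

The scorer is deliberately crude: it does not try to parse the output, it only asks "does this look like text". That is enough, because a mismatched rate rarely produces more than about half printable bytes, while a console at the right rate is nearly all printable.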
Finding the Receive Pin
Brute force the remaining pins: treat each one as RX in turn
(wire it to the adapter's TX).
Try typing something in the serial console.
If you get an echo, then you’ve found the right pin.
Otherwise you’ll get nothing.
Copy the password file and start cracking.
Sometimes /usr/bin/nc is present, so pipe a netcat
listener to /bin/sh.
Fuzz the device's network services and watch the console for crash logs.
silvio@silvio:~$ cat passwd-router
nobody:gNafYeKkdwPC2:0:0:nobody for ftp:/:/bin/sh
silvio@silvio:~$ john -show passwd-router
nobody:admin:0:0:nobody for ftp:/:/bin/sh
4 password hashes cracked, 0 left
Final thoughts on UART
It’s actually not that hard once you know the
A JTAGulator should make things easy.
Every ADSL router I own has a UART port.
It’s a good entry point into hw hacking.
Sometimes it’s useful to have the firmware.
Finding static strings, usernames, or passwords.
silvio@silvio:~$ ls -la spi.rom
-rw-r--r-- 1 root root 4194304 Sep 19 13:02 spi.rom
silvio@silvio:~$ strings spi.rom|egrep 'ass|sername'
passing 'arg' as arguments
passing arguments 'arg ...'; when booting a Linux kernel,
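What the strings | egrep pipeline above does can be done in a few lines of Python, which also keeps the offset of each hit so you can look at what sits around it in the dump. This is an added example, not code from the talk; FIRMWARE_DUMP is a constructed stand-in for a ripped SPI image (not a real router), and the telnetd command line in it is invented purely to show a user:password pair being pulled out.

```python
import re

# Constructed stand-in for a ripped SPI image: binary noise around the kind of
# text a bootloader and a login daemon embed. Not a real router dump.
FIRMWARE_DUMP = (
    b"\x27\x05\x19\x56\x00\x00\x00\x10" + bytes(range(32))
    + b"Username: \x00Password: \x00"
    + b"\xff\xff\xff"
    + b"passing 'arg' as arguments\x00"
    + b"admin\x00"
    + b"\x7f\x80\x81"
    + b"telnetd -l /bin/login -u admin:passw0rd\x00"   # invented credential
    + b"\x00" * 16
)

# Same filter the slide applies with egrep: 'pass', 'Password', 'username'...
CRED_PATTERN = re.compile(r"ass|sername", re.IGNORECASE)


def extract_strings(blob: bytes, min_len: int = 4):
    """Minimal `strings -n min_len`: yield (offset, text) for every run of at
    least min_len printable ASCII bytes (0x20..0x7e plus tab)."""
    for m in re.finditer(rb"[\x20-\x7e\t]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def find_credential_strings(blob: bytes, min_len: int = 4):
    """strings | egrep 'ass|sername', but keeping the offset so you can go
    back to the dump and look at what sits next to each hit."""
    return [(off, s) for off, s in extract_strings(blob, min_len)
            if CRED_PATTERN.search(s)]


def split_user_pass(s: str):
    """Pull a user:password pair out of a string such as a telnetd command
    line. Returns (user, password) or None."""
    m = re.search(r"(\w+):(\S+)", s)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for off, s in find_credential_strings(FIRMWARE_DUMP):
        print("0x%06x  %s" % (off, s))
```

Most hits are help text, as the egrep output on the slide shows; the offsets are what let you tell a prompt string apart from a hard-coded credential sitting next to a service name.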
Most things are surface mount packages.
Part numbers are typically on the IC.
Use a small magnifying lamp to read the part
Look up the datasheet on Google.
Sometimes you need to remove the IC to read or
write to it.
One way is to use desolder braid.
A better way is with a hot air rework station that
can heat up the solder.
Remove IC with tweezers or vacuum pickup tool.
SPI Serial Flash
Flash memory that doesn’t require block access.
Can be executed-in-place.
need to copy into memory.
Often see things like bootloaders on it.
Commonly in a SOIC-8 package.
You can use an expensive device programmer.
Or cheaper methods..
Reading SPI Flash incircuit
These can be read with a GoodFET or Bus Pirate.
If using the Bus Pirate, then you can use flashrom.
The IC can often be read in-circuit, but only if nothing else is driving the SPI bus: hold the CPU in reset (or otherwise keep it quiet), and remember that feeding VCC through the clip powers the whole board, not just the flash.
Use IC test clips.
Or SMD hooks.
SPI Serial Flash Desoldering
The SOIC can be desoldered.
If desoldered, use a SOIC DIP adapter and
Using a GoodFET to read SPI Flash
Look at the datasheet for the IC.
Attach the GoodFET to the IC.
Some IC pins may need to go to VCC with a
Final thoughts on ripping firmware
Top of the line programmers are expensive.
A GoodFET or a Bus Pirate is affordable.
Once you rip the data from the IC, you have to
reconstruct the data.
is not that trivial.
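Two of the first things to do with a ripped image, as an added example that is not code from the talk or from flashrom/GoodFET: rip the chip twice and diff the reads (in-circuit reads glitch, and a single flipped bit silently corrupts whatever you carve later), then scan for the magic values of the pieces an ADSL router's flash usually holds (uImage, squashfs, JFFS2, cramfs, gzip) and verify the uImage data CRC. The scanner assumes the dump is a raw linear image of the chip; SAMPLE_DUMP is a constructed 1 KiB image, not a real chip, and the hit list should be read as places to look, since a 3 or 4 byte magic will occasionally match random data.

```python
import struct
import zlib

# Magic values that mark the pieces an ADSL router's SPI flash usually holds.
# Assumption: the dump is a raw, linear image of the chip, as flashrom writes it.
SIGNATURES = (
    ("uImage header (U-Boot)", b"\x27\x05\x19\x56"),
    ("squashfs (little-endian)", b"hsqs"),
    ("squashfs (big-endian)", b"sqsh"),
    ("jffs2 cleanmarker (little-endian)", b"\x85\x19\x03\x20"),
    ("jffs2 dirent (little-endian)", b"\x85\x19\x01\xe0"),
    ("cramfs (little-endian)", b"\x45\x3d\xcd\x28"),
    ("gzip", b"\x1f\x8b\x08"),
)
UIMAGE_MAGIC = b"\x27\x05\x19\x56"
UIMAGE_HEADER = ">IIIIIIIBBBB"  # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp
UIMAGE_HEADER_LEN = 64          # 32 bytes of fields + 32-byte image name


def check_dump_consistency(dump_a: bytes, dump_b: bytes):
    """Compare two reads of the same chip. Returns the offsets that differ;
    an empty list means the two reads agree."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps differ in length: %d vs %d" % (len(dump_a), len(dump_b)))
    return [i for i, (x, y) in enumerate(zip(dump_a, dump_b)) if x != y]


def carve(dump: bytes):
    """Scan for every occurrence of every known magic; return [(offset, name)]
    sorted by offset. Short magics occasionally hit random data, so treat the
    hits as places to look, not as a partition table."""
    found = []
    for name, magic in SIGNATURES:
        idx = dump.find(magic)
        while idx >= 0:
            found.append((idx, name))
            idx = dump.find(magic, idx + 1)
    return sorted(found)


def uimage_info(dump: bytes, offset: int):
    """Decode the uImage header at offset (fields are big-endian per U-Boot's
    image.h). Returns (data_size, load_addr, entry_point, name) or None."""
    hdr = dump[offset:offset + UIMAGE_HEADER_LEN]
    if len(hdr) < UIMAGE_HEADER_LEN or hdr[:4] != UIMAGE_MAGIC:
        return None
    fields = struct.unpack(UIMAGE_HEADER, hdr[:32])
    name = hdr[32:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return fields[3], fields[4], fields[5], name


def uimage_payload_ok(dump: bytes, offset: int) -> bool:
    """Check the header's data CRC (plain CRC-32, what zlib.crc32 computes)
    against the bytes that follow it. False means the dump is truncated or
    corrupt at that point."""
    hdr = dump[offset:offset + UIMAGE_HEADER_LEN]
    if len(hdr) < UIMAGE_HEADER_LEN or hdr[:4] != UIMAGE_MAGIC:
        return False
    fields = struct.unpack(UIMAGE_HEADER, hdr[:32])
    size, dcrc = fields[3], fields[6]
    data = dump[offset + UIMAGE_HEADER_LEN:offset + UIMAGE_HEADER_LEN + size]
    return len(data) == size and (zlib.crc32(data) & 0xFFFFFFFF) == dcrc


def build_sample_dump() -> bytes:
    """Constructed 1 KiB image (not a real chip): erased 0xFF flash with a
    uImage at 0x100 wrapping a gzip-looking payload, and a squashfs magic
    at 0x300."""
    payload = b"\x1f\x8b\x08\x00" + b"kernel" * 10
    name = b"Linux-2.6.30".ljust(32, b"\x00")
    # os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=1 (gzip) per image.h
    fields = [0x27051956, 0, 0, len(payload), 0x80000000, 0x80000000,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 5, 2, 1]
    hdr = struct.pack(UIMAGE_HEADER, *fields) + name
    fields[1] = zlib.crc32(hdr) & 0xFFFFFFFF   # header CRC is taken with hcrc zeroed
    hdr = struct.pack(UIMAGE_HEADER, *fields) + name
    img = bytearray(b"\xff" * 1024)
    img[0x100:0x100 + len(hdr) + len(payload)] = hdr + payload
    img[0x300:0x304] = b"hsqs"
    return bytes(img)


SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    for off, what in carve(SAMPLE_DUMP):
        print("0x%06x  %s" % (off, what))
    print(uimage_info(SAMPLE_DUMP, 0x100), uimage_payload_ok(SAMPLE_DUMP, 0x100))
```

On a real dump the uImage CRC check is the quickest way to tell a clean rip from a glitched one before spending time unpacking anything.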
Making it easy... The USB Infrared Toy
Sold for $20.
Can capture and replay IR signals.
Final thoughts on IR alarms
You get what you pay for.
Try to get an RF alarm with a “rolling code”, so that a captured transmission can't simply be replayed; this
is what your car's remote probably uses.
RF opens up a whole new world of fun.
Gardening with Arduino
Make your backyard irrigation system computer
Arduino activates relay.
Relay controls water solenoid/valve.
PC activates Arduino.
Cron job to start and stop the watering.
What does a relay do?
A small voltage and/or current can switch on a
much larger voltage and/or current.
The solenoid needs 24VAC.
That can be powered by a small wallwart.
The Arduino can activate the relay using one of its
low voltage/current GPIO pins.
I used a solid state relay.
How do I connect the Arduino to a PC?
By USB serial!
The Arduino listens for commands over the
If the command is start, then it turns on the pin
connected to the relay.
I wrote a small network daemon on the PC that
takes commands and relays them to the Arduino.
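The PC side of that setup, as an added example that is not the daemon from the talk: a controller that accepts start/stop/status lines from a local network socket, forwards only those two commands to the Arduino over serial, and closes the valve itself if a stop never arrives. The single-byte wire protocol (S/X plus newline), the 30 minute cap, the TCP port and the RecordingPort class are assumptions; with real hardware the port would be serial.Serial("/dev/ttyACM0", 9600) from pyserial (assumed, not imported).

```python
import socket
import time

# Assumed wire protocol to the sketch: one letter per command, newline-terminated.
SERIAL_START = b"S\n"
SERIAL_STOP = b"X\n"
MAX_RUN_SECONDS = 30 * 60   # failsafe: a lost "stop" must not flood the yard


class IrrigationController:
    """Relays validated commands to the Arduino. `port` needs only write()
    (e.g. serial.Serial from pyserial); `clock` is injectable for testing."""

    def __init__(self, port, clock=time.monotonic, max_run=MAX_RUN_SECONDS):
        self.port = port
        self.clock = clock
        self.max_run = max_run
        self.started_at = None      # None while the valve is closed

    def handle(self, line: str) -> str:
        """Process one command line from the network and return the reply.
        Anything that is not a known command is rejected rather than forwarded."""
        cmd = line.strip().lower()
        if cmd == "start":
            return self._start()
        if cmd == "stop":
            return self._stop()
        if cmd == "status":
            if self.started_at is None:
                return "off"
            return "on %ds" % (self.clock() - self.started_at)
        return "error: unknown command"

    def _start(self):
        if self.started_at is not None:
            return "already on"
        self.port.write(SERIAL_START)
        self.started_at = self.clock()
        return "ok"

    def _stop(self):
        if self.started_at is None:
            return "already off"
        self.port.write(SERIAL_STOP)
        self.started_at = None
        return "ok"

    def tick(self) -> bool:
        """Call periodically from the daemon loop. Closes the valve if it has
        been open longer than max_run; returns True when it did so."""
        if self.started_at is not None and self.clock() - self.started_at >= self.max_run:
            self._stop()
            return True
        return False


class RecordingPort:
    """Constructed stand-in for the serial port: records what would be sent."""

    def __init__(self):
        self.sent = []

    def write(self, data):
        self.sent.append(bytes(data))


def serve(controller, host="127.0.0.1", tcp_port=4242):
    """One command line per connection. Bound to loopback on purpose: the
    commands are unauthenticated, so only local cron jobs should reach them
    (e.g. `echo start | nc 127.0.0.1 4242`)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, tcp_port))
        srv.listen(1)
        srv.settimeout(1.0)         # wake up regularly so tick() runs
        while True:
            controller.tick()
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                line = conn.recv(64).decode("ascii", "replace")
                conn.sendall((controller.handle(line) + "\n").encode("ascii"))


if __name__ == "__main__":
    serve(IrrigationController(RecordingPort()))
```

Two design points worth keeping even for a garden: the daemon never passes raw bytes from the network through to the microcontroller, and the time cap lives on the PC side where the cron job that failed to send "stop" cannot reach it.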