Today we will look at one of the most common interfaces of embedded hardware, the universal asynchronous receiver/transmitter (UART). The UART is a hardware serial bus, it is easy to access and very interesting to look at.
Depending on the device and how it was hardened by the manufacture, UART can reveal a lot of useful information or even an unprotected, interactive root shell. It is not uncommon to find open shells in very popular devices. Many modern devices run some embedded Linux systems, UARTs are used as a console port for debugging and development. Have you ever wanted a root shell on a coffeemaker? UART might get you there.
Identification:
The first thing you need to look out for is the typical 4 pin connector on the circuit board of your target device. The pins are the bus lines, VCC (Power), GND (Ground), RX (Receive) and TX (Transmit). In rare cases the connector is even labeled, that gives you plug and play options. Otherwise, you must use a logic analyzer to find out how you can connect to it, but more on this later.
It’s also not uncommon that the connector is not populated on retail devices, but you can see the unpopulated header on the circuit board. If the pins are missing it is very convenient to review the FCC applications of the device and check if an entry “Internal Photos” exists. This can be done via a simple online search. Many vendors submit development boards to the certification process which carry all possible connectors. Just check if you see some pins missing on your retail board and you most likely spotted some debug interfaces.
Another common form of UART connectors is test points. Test points look like little round solder pads, quite often grouped together. These test points are normally used in combination with a test bed. Since you don’t have a matching test bed, just solder thin wires in place to test them. Thin wires such as AWG30 work very well, don’t be afraid of soldering it is very easy in this case.
Logic Analysis:
Back to hacking now. Once you have somehow attached a wire to the possible target interface, by either clipping, soldering or simply using a jump wire, it’s time to enumerate the interface.
First, find the ground (GND) pin. Use a multimeter and measure all pins against a known common low. Easiest a shielding or the ground pin of the power plug. Make sure the board is unplugged during the process.
Once you identified the ground pin, it’s time to setup your logic analyzer. Plug the remaining 3 pins to the Channels 0 to 2 of the logic analyzer and ground to ground. Now start the measuring process for around 10 seconds while turning the target board on.
If your target interface is an UART the result should look the same as below. One of the pins (VCC) will output constant power, the other remaining should show a digital signal. Compared to analog signals which look like a wave, a digital signal is easily identifiable by only switching between two power levels (on/off) to represent binary 1 or 0. Very similar to morse code.
Digital Signals:
These highs and lows come in clusters called frames. These frames consist of start/stop bits, data bits and optional parity bits. Between these clusters a short period of high exists as idle time to separate them from each other. We won’t get too deep into this for now, but this package configuration is very important. If you are using a Terminal software later to connect to the UART you might need to specify this setting. The most common setting is shorthand notated as 8-N-1 (8 data bits – No parity bit – 1 stop bit). It is so common that you rarely encounter any other configuration in the wild, a lot of modern terminal clients default to it.
Another important setting you must identify from the logic analyzer results is the baud rate. The baud rate essentially describes the speed of the bus. There are a lot of common baud rates such as 9600, 57600, 115200 etc. and all of them are used. But luckily modern logic analyzers have a feature to identify the baud rate too. Just add an “Async Serial Analyzer” to one of the data channels and vary the bit rate setting. If you selected the right one the logic analyzer software should start to reveal the correct representation of the signal. If this happened, you found the correct baud rate.
One last thing to do now is to measure the power output of the VCC pin. Use a multimeter to measure it against ground. UART can have different signal levels ranging from 12V to 1.8V, while 5V or 3.3V being the most common levels found in modern devices.
Terminal Access
To get the console output on your PC you need a matching interface device. To connect an UART to a PC, a USB TTL serial adapter is needed. Make sure that the adapter you are using has the correct power level set, required for your device. Otherwise, it’s possible to break it. Commonly used adapters have a jumper to select between different power levels.
Set the power level, wire the UART lines to your TTL serial adapter, RX to RX, TX to TX and GND to GND and plug the USB adapter in your computer. Don’t connect VCC. If you are using Linux, the TTL serial adapter should be detected as a new ttyUSB device. Now use screen as terminal to connect to it. In case you have a 115200 baud rate with common 8-N-1 setting the following command line will work:
$ sudo screen /dev/ttyUSB0 115200
Windows users can use putty instead, just select “Serial” connection on the main screen and enter the correct COM port corresponding to the TTL serial adapter. The baud rate is configured in the connection settings.
Start the device and you should begin to see console output from the device on your screen. In case you get no output on the terminal you might have to switch RX/TX lines as the labeling of TTL serial adapters is not unified. Strange artifacts indicate a wrong baud rate or a bad ground connection. Try to recheck the baud rate with the logic analyzer and check your ground wiring.
One Last Thing
If you want to practice UART detection, simply use a Raspberry PI as your first target. You can easily enable UART and try to correctly identify the interface on pin 6, 8 and 10 (Pi 4).
You hopefully enjoyed this article, yes you will void your guarantee, but it is a lot of fun.
About the Author
My name is Alexander Pick, I am a professional security researcher in the field of mobile, embedded and automotive security. Technical security is not just my work, it is also my hobby and a way of life for me. I started out in the 90s, reading text files from mailboxes and hanging out on IRC. My first CVEs were awarded for bugs I published in 2000/2001. Just for fun, curiosity and purely educational. A lot of time has passed, and the industry changed a lot. More than 20 years later I found the bugcrowd platform and was instantly hooked up. Now I am ranked in the top 100 here. Still slaying bugs, still having fun.
Get Started with Bugcrowd
Every minute that goes by, your unknown vulnerabilities leave you more exposed to cyber attacks.