So inspired by a talk at Defcon about how to hack 20 devices in 45 minutes (or something along those lines), Iv’e decided to create a INTRODUCTORY post on UART hacking. I am completely new to hardware however I find the topic interesting and was drawn to write a post on this subject so here we are.
I don’t have a decent device so I am writing this post on an extremely slow mac book air (very chunky).
During this talk, GTVHacker talked about how its possible to gain root access by exploiting the UART protocol so this is what this post is going to focus on.
What is UART?
UART ports are found on the hardware of the device. UART stands for Universal Asynchronous Receiver/ Transmitter. They are not for end users and are primarily used by the manufacturer for debugging and technical support purposes. They are not designed to be tampered with by the end user (sorry not sorry). Most ports have between 4 to 6 pins and are located on the motherboard.
The UART protocol is as follows:
- Tx (transmitting pin, connects to Rx)
- Rx (receiving pin, connects to Tx)
- GND (connects to GND)
- VCC (boards power line, usually 5v or 3.3v – do not connect)
3 pins in the header are likely to be connected to anything, that is Tx,Rx and Gnd. The Tx will be transmitting data. There is a lot more info regarding the hardware aspect of this, however I am coming from the realm of software and this post is meant to be a brief introduction to UART not a demonstration of encyclopaedic knowledge.
How to spot the UART port?
The best way to spot the UART port is to look for 3 to 4 pins on the motherboard. The next step after identifying these pins is to discover which pins relate to Tx,Rx,Gnd and VCC (this is usually done using a multimeter). See images below for examples:
So after identifying the port and connecting the relevant cables, the device is potentially ready to be hacked. For the purposes of this post, assume that the serial port is connected via USB to a laptop. Ideally a USB to TTL cable is used to connect the laptop to the serial port. More info here.
Next open a terminal and type:
screen /dev/ttyUSB0 115200
(when the device is connected through the USB)
This command is to connect to a Winkhub specifically and is based on this video:
The 115200 figure at the end of the command is based on the baud rate. To explain this further is beyond the scope of the post but know that baud rate refers to the speed in which data gets transmitted between Rx and Tx.
After the Winkhub is on, then data should be visible on the laptop terminal. A boot prompt should appear in the terminal. There are further actions to do (seen in the video) which enable you to gain root however this post is brief to show what is possible with exploiting the UART functionality.
GTVhacker talks about how they are able to gain root access to an Epson printer by exploiting the UART protocol. This is done by booting with UART and enabling the user to access a special console. This console automatically has root control execution.
I hope you found this post interesting and you don’t use this information to make the world any worse than it already is!