
Getting At Serial Ports In Embedded Devices by Paul Marsh

BSides Basingstoke · 26:03 · 91 views · Published 2022-07
About this talk
Marsh demonstrates practical techniques for locating and accessing debug serial ports in embedded devices, a valuable skill for penetration testers and software developers working with hardware. The talk covers RS-232 signaling, electrical safety, and low-cost methods (oscilloscopes, logic analyzers, TTL-USB bridges) to identify and use serial interfaces that often grant direct root access, bypassing network-level security controls.
Transcript [en]

Right, morning/afternoon everyone. So this talk is about getting at debug and serial ports inside bits of hardware that you might have lying around, and it is, I suppose, aimed at those of you that are not necessarily hardware types. So if you're a software developer or a pen tester that doesn't really crack open bits of hardware to play with them, this talk is aimed exactly at you. A bit about me: I was in the IBM pen testing team for a while, left to run my own business, really interested in satcoms and generally anything that's got a CPU in it and a clock. Love

hardware and breaking it and tinkering with it, and I really like finding embedded TTY and serial ports in bits of hardware. I've got a Twitter page as well for related stuff, so embedded hardware reports. Not going to read everything on these slides, you can read them, but we'll talk a little bit about why you might be interested in the serial port. If you find a thing, it could be a VSAT terminal, a wireless access point from a manufacturer that doesn't want you to have access to the command line, or another thing which is connected to a network. Often the Ethernet interface or the Wi-Fi interface is well protected, so it's firewalled, you can't get to the SSH

service etc. And for us that's really annoying: we want a root shell on a particular thing, so embedded serial ports offer that possibility. Bypass the need to type in the username and password: boot the device, connect to the particular port and you are automatically root in 99% of our cases. Typically the electrical interface is very simple, three wires are needed: ground, TX, RX. The picture shows a typical embedded device with a debug header where I happened to find a serial port. You have to open the thing, you have to have the thing powered up while it's open. There is obviously a small risk that you could die if you touch the wrong thing, but it's not really anything to be

afraid of, it generally only happens once. Delicate electronics can be broken: here a probe short resulted in a crater in the top of an IC, which is not the best, because it generally breaks twice. Right, history: RS-232 and the serial port. So the serial port is literally as old as dirt, it was designed a long time ago in the 60s. The original, these terms are probably not too familiar nowadays, data terminal equipment was mechanical teleprinters like the old Creed things, and data connecting equipment was modems, so point to point, ISDN or bog standard modems. Lots of revisions of RS-232, but the one that is mostly used is RS-232C, and that is zero

volts and five volts to represent the one and zero levels. Typical baud rates back in the day were up to a whopping 1200 bits per second. Nowadays every PC, those PCs I should say that do have proper serial ports on them, is compatible with RS-232C. So that's zero and five volts, you can integrate a lot of stuff to that. Lots of connections: original RS-232 ports, 25 and nine way. On the nine way, pins five, two and three were used; on the 25 way, pins two and three were used for TX, RX, and there's numerous grounds. But you don't really see this stuff on computers nowadays because we've gone to this

universal serial bus stuff. Typical RS-232 signaling format: so whenever you see serial data discussed and you see a number of characters like that, 7E2, that is describing the protocol on the wire: seven bits of data, even parity, two stop bits. And you can see the diagram, 8N1, which is pretty much what most embedded devices are: eight data bits, no parity, one stop bit. LSB is transmitted first down the line, auto parity. A little bit about parity: the parity is there to determine whether or not there is an error in the data that is transmitted. Bear in mind when RS-232 first was around people would have miles of cable with a 1200 baud

signal going down it, and electrical interference could cause data to be corrupted, so the solution was parity. If a byte was received with an odd number of ones but the parity bit said that it was even, then you know that the bit is an error. Most things nowadays have no parity because error correction over the cable is really too much of a problem. So a couple of hardware implementations: we just talked about things that were in my junk box. So when you pick a piece of hardware apart, you know the first thing you should always do is take the lid off and work out what is going on inside. There's two ways you can do it:

you can look at all the chips under a microscope and then Google for the datasheets, I would highly recommend that, or you can just guess what the parts do by where they are on the board, and that's actually a valid technique. You can see for example the Toshiba, it's probably a RAM chip just by the form factor and where it is on the board; the Samsung chip is near the HDMI interface and that is probably a graphics processor; and then the Broadcom is probably the CPU, and that's probably power management, something like that. Oh, in fact it's an audio DAC. But you can read the datasheets, but the most

important thing to do is to look at the CPU, in this case the Broadcom, get the datasheet and look for particularly interesting functions in that device. Here is a couple of excerpts from the datasheet. You know, these things are several hundred pages long, but read them, and the bits that you're really interested in is where it says two high-speed UARTs. So a UART, universal asynchronous receiver transmitter, is a serial interface embedded in the micro, and usually these are used for one thing and that is debug ports. So looking at your PCB you can see our test interfaces, they're highlighted in the yellow boxes. The test interface next to the HDMI processor may not necessarily have

serial; a test interface somewhere near the main CPU probably has a UART on it; the test interface down here near the static RAM or the HDMI processor is probably another test interface specific to that processor, not quite enough pins for JTAG. But there are methods that you can use easily to determine whether or not a port has synchronous or async data on it. Before we look at that we have to discuss the delicate topic of magic smoke. This is basically stuff that comes out of electronics when you do bad things to it, and believe it or not you can either smell the smoke or look at the colour and that generally tells

you how bad the faults are, or if something is on fire. I did find this on Amazon which I thought was quite interesting: it's RoHS compliant and it's a magic smoke refill kit, so if you do end up with a crater in a processor you can buy this and it will fix it, so it's always worth having in your junk box. So most devices, this is the device which is the victim of the hack later, it's a wireless access point from Cisco. There is nothing wrong with prodding around within this device when it is connected up, you won't hurt yourself or get burned or catch fire or

die, because it only runs from 12 volts. The difference: if you're looking at a device that has a mains power supply built into it then you have to be really careful. Obviously if you touch the heatsink of a switch mode power supply you will be woken up quickly and you probably won't do it again. So you just have to bear in mind what it's powered from. If the device uses a wall wart type power supply you are fairly safe, unless it's a really cheap Chinese power supply, in which case the negative rail is probably floating at half mains voltage, so 110 volts. Check with a meter, so put it between the

ground, any metalwork on the thing that you're about to look at, and a ground socket, you know, poke it into the ground pin on the mains socket, and just measure. Sometimes it will show 120 volts AC. It will be a very low current, you could probably feel it if you put your fingers between the two, but what you don't want to do is put a PC interface between them, because magic smoke might come out of the PC and you will be annoyed. If in doubt get a DVM, digital voltmeter, put it in AC and measure the voltage. And the most important bit about fiddling with hardware: don't let your own magic smoke release, because there's

no real way back from that. So, tricks for locating serial ports. There's a few ways you can do it. You can get a scope and prod around on pins and look at the waveform for something which looks like a classic asynchronous signal, so start bit, eight bits and a stop bit. I like the audio amplifier and scope probe method, so you can build this with minimum cost and components: use a 99p sound card which has a mic input to your PC; if it goes pop while you're connecting mains to one side, who cares, it costs 9p. But you can listen to the data and with practice you can say

oh yeah, that's 57600, 7, 1, or that's 115200, 8 and 1, and you can estimate the baud rate, but you do need to practice that. You can buy a TTL to USB bridge, such as a small, you know, a few pounds interface which has five volt logic on one side, USB output, will be seen for example like /dev/ttyUSB0, and then you can iterate through baud rates, parity, number of stop bits, number of data bits. That is a little bit annoying. You can use a logic analyzer to measure the bit length; once you've got the length of one bit you can work out

how long that takes to transmit, a very simple sum to work out the number of bits per second and therefore the bit rate and the speed of the data. Listen for asynchronous data: so I don't know whether this will work if I tap it. No it won't, but I'll play you the audio in a minute just so you can hear what it sounds like. Lots of things when they boot up, particularly within externals, you get lots of dots saying loading Linux kernel, and that is something that really sticks out when you use the audio port method, because as

the thing is booting up you can hear tick tick tick tick followed by a burst of noise when the kernel loads and starts to do stuff. Once you've found a particular pin, this is an example of a really cheap TTL to USB interface. To start with only two connections, the ground connection and the data input connection to it are here, so you connect it to the RXD pin and then use something like minicom to estimate the baud rate, or cycle the baud rate, and look at the data to see if you've guessed correctly. Typically if you guess a baud rate incorrectly you'll get garbage like this. So if the baud rate is low, 1200, 2500,

something like that, and you've taken 115200, every bit that comes out the thing, the PC is going to try to interpret that as a single bit, but in fact it's dozens of bits of the high speed. When you eventually find the correct speed, usually you get ASCII printable text out the back side of it. You do occasionally find manufacturers that have thought about the embedded UART attack, and so at a point in the kernel they will remove the module so you can't actually do anything, but the number of manufacturers that do that you probably count on one hand. A logic analyzer: so Ikalogic, this is again a cheap and general logic

analyzer. You can connect the pins up to ports that you think are TTY or an internal UART and do basic measurement of them to work out bit length and see whether the data is something recognizable. The Ikalogic analyzer, which is one of the ones I have, has a decoder in it, and you can see here it says "booting", space, "the", space, and it will [unclear] etc., and then the thing would load. But this is typically what you would expect to see on the output of a logic analyzer, and you can see the gaps between each character. So, a demo. This is not a live demo, and

I have done live demos before, but they are live, that way. So this is the thing, this is a Cisco Meraki access point. I'm sure some of you are familiar with these, they're an access point which you really have no control over apart from if you pay Cisco money to access the portal to manage these. The actual device has a VPN endpoint in it; it chats over the internet, connects to Cisco, their portal pushes config data to your access point. There is an embedded UART in this device, so you can see on the picture areas where you might start investigating. So lots of pins, you can see the RAM, the power management stuff for

power over Ethernet and the main bug and then the main CPU, and then under here are the Wi-Fi transceivers. So for me the main area to start will be pins nearest the micro, so it is the main micro. There were four blank pins here which I fitted headers to so you can get a scope probe around it. So when listening to these pins you could hear something which sounded very characteristically like 115200 8N1 serial data, and of course the next step is to connect that to minicom and see whether or not you can find something. What I've got here is just a quick photo of it on the bench, so there's a

scope probe connected to a scope so I can see the waveform, and the red wire is a single wire that's connected to the RXD input of a serial UART. Right, I just need to escape out of PowerPoint and go to the video. Go. So here, this is minicom under Linux,

so you can hear some noise, and that noise was an audio tap from the pin, and this is the Meraki kernel booting. I'm doing a SHA-1 hash check. I don't have the whole video where it comes to a hash prompt with root, but you get the idea: if you were to wait a few minutes you would see this scrolling up as, you know, it bogs down the kernel boot. In this particular case they have a protection mechanism in to stop people playing with the TTY console, and that is a warning which says don't play with this via the serial console, really, yeah, get back. Needless to say somebody who was of a

nefarious character might log into that, or might connect to that terminal, and realize that there is a VPN interface with an address assigned and perhaps explore that, etc. But there's, you know, I would say lots of devices have these internal debug ports, you can do a lot of cool stuff with it. VSATs: so a VSAT modem is a modem which connects to a satellite antenna. They're one of my favourite things to play with, especially things like National Lottery terminals, because they are well secured, and from the Ethernet interface you can't actually do much. However there's an internal UART interface that gives you a VxWorks root user, and of course from there you

can delete the firewall, you can do all the things that you need to do to then be able to get a web interface over HTTP, etc. So that is a whistle-stop tour. It is very easy to do. I would encourage you, when you get home, to look in your junk box for stuff that's got an Ethernet interface, get your screwdriver out, take the lid off, have a look at the board and just probe around. Make a very simple interface, literally a bit of wire that connects to a mic in port on a cheap USB sound card, and just have a play with this stuff. Start with things that are powered via

wall warts, so plug-in power supplies in the wall, because you've got less chance of killing yourself through contact with mains. But just play with the stuff and see what you can find. If you've got managed switches or routers and stuff like that that you know are chucked in the junk box, get the lid open, have a look at it, Google the part numbers, find the async ports and, you know, get on there as a root user and see what you can do. But you can have a lot of fun with this and it does save an awful lot of time, you know, on the router, can you find that command

execution through, I don't know, an input field or a config form that they haven't properly bounds checked? You can save all that hassle by using the internal debug port. That is it, so a really quick talk. I will have the stuff out on the table with the access point and the audio stuff and the TTY interface so you can see this and play around with it and hopefully not blow yourselves up, or my board. Is there any questions?

[Audience] So in the first picture you had a resistor soldered to one

So I picked a 1k resistor because it just happened to be on the bench, and all it is for is some current limiting. So sometimes if you pull down a particular port you might find that the bug moans about that and it won't boot properly. So the current requirement for a USB to TTL is, you know, microamps really, and you've got a current limiting resistor in series to prevent you loading the pin down. The other thing is if you accidentally touch a 12 volt pin, magic smoke won't escape from anything because you've got a current limiter. So that's all it's for, just a bit of protection. It's lazy in some ways, partly because I

didn't measure it with the scope first. But anyway, yeah.

[Audience] You also said that listening to raw serial is easy. How long did it take you, I mean I appreciate there's a finite number of options, how long did it take you to figure out, like, to be able to guess what option it was?

So stuff above 115200 I struggle with because at that point it's just bursts of noise, but you know the low speed stuff is quite simple. 1575 baud by ear is a little bit difficult to tell the difference, but it takes 20 years if you just drip backwards [unclear].

[Audience] Specific messages, we can't talk about that, any problem you set it in your room [unclear]

My current ringtone is a modem negotiation.

Yeah, so the majority of debug interfaces in embedded stuff, for example the Meraki AP, it is the same as being able to essentially telnet into it. So the answer is the same as what would happen if you were to send characters over terminal SSH. But you know the attraction is, instead of SSH or telnet where you've got stuff in the way, so like iptables or something else that will prevent you accessing the service behind it, with the serial or the embedded UART you're talking directly to the interface, so the kernel or whatever it happens to be, at hardware

level. But fuzzing, I don't know, you would break it as you would break it over telnet actually. Any other questions? Yep.

[Audience] ...talk about ten dollar Saleae clones, and I saw something recently...

Yeah, so you can use a Raspberry Pi, you know, there's GPIO pins that you can read quickly and that will do exactly the same as a logic analyzer. But you know this thing is cheap, so if you accidentally connect one thing to there, pop, right? Do you want to destroy a Pi? I mean I know the only top ones, but of course you can't get them anywhere. But no, the Ikalogic analyzer, I think they only sell on their website, but you can probably go to AliExpress and find a copy, but it might have a free gift.


[Audience] ...online to get familiar with this level of hardware interaction? I can barely solder a radio together.

That's fine, yeah, you only need soldering skills to fix it once you've broken something. But the main thing to do is find cheap or free hardware, ideally you want something low voltage that has Ethernet and a bug in a micro of some sort, and take them apart and just learn by doing. If half of them you destroy it doesn't matter because it's free stuff. But I would pick old wireless access points, old routers, anything that you know has a UI and you get the impression that there's a kernel of some sort

running in it. Take the lid off, Google the part numbers, look through the datasheets, but learn by doing. You know, you can spend weeks reading a book or you can spend a weekend messing around with the stuff and honing your skills. But Google, I suppose, is

So VxWorks you see quite often in phones. I had a VSAT modem with VxWorks in it which was painful because they've done a really good job boiling it down, but I mean there's nothing that can be undone, it just took longer than it would have done if it was Linux. You get the odd thing, I can't remember the name of the product, but it's a thing that controls lights in corporates, and these things are a PIC processor and an operating system they've written, and you can't really do much with it. I mean it was designed to, you know, turn the light on and off and make it flash

different colours, and there's not really anything you can do under the covers, and plus it's a PIC, you can't even read the code because it protects it. But it's rare. Most stuff has been put together with a bug that supports Linux, and of course they just chuck a kernel on and write some shopping code and leave the UI exposed. So I would say most of these
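A worked example added here, not from the talk, of the logic-analyzer method Marsh describes: measure the shortest pulse to get one bit time, turn that into a baud rate, then sample each frame mid-bit (start bit, data LSB first, optional parity, stop bits) and check parity and stop bits, which is also why a wrong baud guess comes out as garbage or framing errors. The capture is constructed from text rather than recorded from a device, and the sample rate and standard-baud list are assumptions chosen for the demonstration.

```python
# Added example (not from the talk): decoding an async serial capture the way a
# logic analyzer does. The trace is CONSTRUCTED (encoded from text), not a real
# recording. Idle line is high; a frame is start bit (0), data bits LSB first,
# optional parity bit, then stop bit(s) (1). Sample rate/baud list are assumed.
STANDARD_BAUDS = (1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200)

def parity_bit(value, parity):
    """Parity bit for a data value: 'E' even, 'O' odd."""
    ones = bin(value).count("1")
    return (ones % 2) if parity == "E" else 1 - (ones % 2)

def encode(text, sample_rate, baud, data_bits=8, parity="N", stop_bits=1):
    """Build a sampled logic-level trace (list of 0/1) with the given framing."""
    spb = sample_rate // baud                 # samples per bit (assumed exact)
    trace = [1] * (spb * 4)                   # idle high before the first frame
    for ch in text.encode("ascii"):
        bits = [0] + [(ch >> i) & 1 for i in range(data_bits)]   # start + LSB first
        if parity != "N":
            bits.append(parity_bit(ch, parity))
        bits += [1] * stop_bits
        for b in bits:
            trace += [b] * spb
    return trace + [1] * (spb * 4)            # idle high after the last frame

def estimate_baud(trace, sample_rate):
    """Shortest run of equal samples is one bit time; snap to a standard rate."""
    shortest, run = len(trace), 1
    for i in range(1, len(trace)):
        if trace[i] == trace[i - 1]:
            run += 1
        else:
            shortest, run = min(shortest, run), 1
    raw = sample_rate / shortest              # the 'very simple sum' from the talk
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))

def decode(trace, sample_rate, baud, data_bits=8, parity="N", stop_bits=1):
    """Decode frames at the given baud. Returns (text, framing_errors)."""
    spb = sample_rate / baud
    out, errors, i = [], 0, 0
    while i < len(trace):
        if trace[i] != 0:                     # wait for a start bit (falling edge)
            i += 1
            continue
        nbits = 1 + data_bits + (parity != "N") + stop_bits
        cells = [int(i + (k + 0.5) * spb) for k in range(nbits)]   # mid-bit samples
        if cells[-1] >= len(trace):
            break
        bits = [trace[c] for c in cells]
        value = sum(bits[1 + k] << k for k in range(data_bits))
        ok = all(bits[-s] == 1 for s in range(1, stop_bits + 1))   # stop bits high?
        if parity != "N":
            ok = ok and bits[1 + data_bits] == parity_bit(value, parity)
        if ok:
            out.append(chr(value) if 32 <= value < 127 else "?")
        else:
            errors += 1                       # framing/parity error: wrong guess
        i = cells[-1] + 1                     # move past this frame's last cell
    return "".join(out), errors

if __name__ == "__main__":
    rate, msg = 1_152_000, "Loading Linux kernel..."   # constructed sample input
    trace = encode(msg, rate, 115200)
    print("estimated baud:", estimate_baud(trace, rate))
    print("decoded at 115200 8N1:", decode(trace, rate, 115200))
    print("decoded at 9600 8N1 (wrong):", decode(trace, rate, 9600))
```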