Hi everyone, today I thought: why am I not writing about hardware hacking with UART? So I did it now 😃
Introduction
Hardware hacking is an interesting topic: understanding how hardware works, how to get access to the installed firmware, or how to hack the hardware itself. Nowadays most hardware has an interface for those purposes, and one of them is UART.
What is hardware hacking?
In short, hardware hacking means trying to alter a piece of existing hardware by uncovering flaws in it. The goal could be using it in a way that was not intended, for example extracting information from it, hacking some of its functions, or taking over the entire device or its installed firmware, as well as uncovering flaws in the hardware itself. Another nice side effect is gaining some basic knowledge about electronics.
What is UART?
UART stands for Universal Asynchronous Receiver-Transmitter, a protocol (and the peripheral that implements it) for asynchronous serial communication. Data bits are sent one by one, and both the frame format and the transmission speed are configurable. UART is widely used for serial communication, for example in industry over RS-232 links (RS-232 only defines the voltage levels; the framing is the same). Protocols like SPI and I2C have largely replaced UART as the link between components on a board, but UART is still used because it is simple and cheap to implement and good enough for devices with low speed and throughput requirements, which is why it so often serves as the debug console.
A great advantage of UART is that it works asynchronously, which means sender and receiver do not share a clock signal. Because of this simplicity, both sides must agree in advance on the same bit duration, i.e. the speed, which is called the baud rate. If they disagree, the receiver samples the line at the wrong moments and only gets garbage.
What is baud rate?
Baud rate, with the unit Bd, is the number of symbols per second. A baud rate of 1000 Bd means 1000 symbols per second, and because a UART line has only two symbols (0 and 1, one bit each) this is also 1000 bits per second.
The bit duration is defined as follows, let and the bit duration time or symbol duration per second, then it would be
The byte rate is defined as follows, let the total bit rate of a transmission and the byte rate so:
and the real byte rate is defined as follows:
and the real byte duration is defined as follows:
Here is a small overview of common baud rates with the resulting rates and durations (the byte rate assumes 8 raw bits per byte; the "real" columns assume a frame of 1 start bit, 8 data bits, no parity and 1 stop bit, i.e. 10 bits on the wire per byte):
Baud Rate | Bit Rate | Byte Rate | Bit Duration | Real Byte Rate | Real Byte Duration |
---|---|---|---|---|---|
50 Bd | 50 bit/s | 6.25 byte/s | 20.0 ms | 5 byte/s | 200 ms |
110 Bd | 110 bit/s | 13.75 byte/s | 9.09 ms | 11 byte/s | 90.9 ms |
150 Bd | 150 bit/s | 18.75 byte/s | 6.67 ms | 15 byte/s | 66.7 ms |
300 Bd | 300 bit/s | 37.5 byte/s | 3.33 ms | 30 byte/s | 33.3 ms |
1200 Bd | 1200 bit/s | 150 byte/s | 833 µs | 120 byte/s | 8.33 ms |
2400 Bd | 2400 bit/s | 300 byte/s | 417 µs | 240 byte/s | 4.17 ms |
4800 Bd | 4800 bit/s | 600 byte/s | 208 µs | 480 byte/s | 2.08 ms |
9600 Bd | 9600 bit/s | 1200 byte/s | 104 µs | 960 byte/s | 1.04 ms |
19200 Bd | 19200 bit/s | 2400 byte/s | 52.1 µs | 1920 byte/s | 521 µs |
38400 Bd | 38400 bit/s | 4800 byte/s | 26.0 µs | 3840 byte/s | 260 µs |
57600 Bd | 57600 bit/s | 7200 byte/s | 17.4 µs | 5760 byte/s | 174 µs |
115200 Bd | 115200 bit/s | 14400 byte/s | 8.68 µs | 11520 byte/s | 86.8 µs |
230400 Bd | 230400 bit/s | 28800 byte/s | 4.34 µs | 23040 byte/s | 43.4 µs |
460800 Bd | 460800 bit/s | 57600 byte/s | 2.17 µs | 46080 byte/s | 21.7 µs |
921600 Bd | 921600 bit/s | 115200 byte/s | 1.08 µs | 92160 byte/s | 10.8 µs |
2000000 Bd | 2000000 bit/s | 250000 byte/s | 500 ns | 200000 byte/s | 5.00 µs |
3000000 Bd | 3000000 bit/s | 375000 byte/s | 333 ns | 300000 byte/s | 3.33 µs |
Important to know: baud rate and bit rate are not the same thing. Bit rate counts bits per second, baud rate counts symbols per second. They are only equal in the special case where each symbol carries exactly one bit, which is the case for UART, since the line has just two states, 0 and 1.
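To see where the numbers in the table come from, here is an added example (my own code, not part of the original post) that derives every column for any baud rate and any frame format, not only the 8N1 case the table assumes. Function names such as `real_byte_rate` and `timing_row` are my own choice.

```python
# Added example: derive the UART timing table for a given baud rate and frame format.
# Not from the original post; all function and variable names are my own.


def bit_duration(baud: int) -> float:
    """Seconds per symbol. On a UART line one symbol is one bit, so 1/baud."""
    return 1.0 / baud


def frame_bits(data_bits: int = 8, parity: bool = False, stop_bits: int = 1) -> int:
    """Bits actually put on the wire per character: start + data + parity + stop."""
    return 1 + data_bits + (1 if parity else 0) + stop_bits


def byte_rate(baud: int) -> float:
    """'Byte Rate' column: bytes/s if every bit on the line carried payload."""
    return baud / 8


def real_byte_rate(baud: int, data_bits: int = 8, parity: bool = False, stop_bits: int = 1) -> float:
    """'Real Byte Rate' column: characters/s once start/parity/stop overhead is counted.
    With 8N1 (10 bits per character) this is baud / 10."""
    return baud / frame_bits(data_bits, parity, stop_bits)


def real_byte_duration(baud: int, data_bits: int = 8, parity: bool = False, stop_bits: int = 1) -> float:
    """'Real Byte Duration' column: seconds one whole character occupies the line."""
    return frame_bits(data_bits, parity, stop_bits) * bit_duration(baud)


def efficiency(data_bits: int = 8, parity: bool = False, stop_bits: int = 1) -> float:
    """Share of the bit rate that is payload (8N1 -> 0.8, 8E2 -> 8/12)."""
    return data_bits / frame_bits(data_bits, parity, stop_bits)


def fmt_seconds(seconds: float) -> str:
    """Human-readable duration with the units used in the table (s / ms / µs / ns)."""
    for unit, scale in (("s", 1.0), ("ms", 1e-3), ("µs", 1e-6), ("ns", 1e-9)):
        if seconds >= scale:
            return f"{seconds / scale:.3g} {unit}"
    return f"{seconds / 1e-9:.3g} ns"


def timing_row(baud: int, data_bits: int = 8, parity: bool = False, stop_bits: int = 1) -> dict:
    """One row of the table above, plus the frame efficiency."""
    fmt = dict(data_bits=data_bits, parity=parity, stop_bits=stop_bits)
    return {
        "baud": baud,
        "bit_rate": baud,                      # UART: one bit per symbol
        "byte_rate": byte_rate(baud),
        "bit_duration": fmt_seconds(bit_duration(baud)),
        "real_byte_rate": real_byte_rate(baud, **fmt),
        "real_byte_duration": fmt_seconds(real_byte_duration(baud, **fmt)),
        "efficiency": efficiency(**fmt),
    }


if __name__ == "__main__":
    for baud in (9600, 115200, 3000000):
        print(timing_row(baud))                                          # 8N1, as in the table
    print(timing_row(115200, data_bits=7, parity=True, stop_bits=2))     # 7E2 for comparison
```

The `efficiency` value is the practical takeaway: with 8N1, 20 % of the line time is framing overhead, and with parity and two stop bits it becomes a third, which is why the "real" byte rate is always lower than baud / 8.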
Transmission Frame
Another thing about UART is that each transmission is constructed as a frame, which consists of:
- Start bit: the line is pulled from high to low (1 to 0) for one bit time, which tells the receiver that a frame begins
- Data bits (the payload), usually 5 to 9 bits and most commonly 8, sent LSB first
- Parity bit (optional)
- Stop bit(s): the line returns to high (1) for at least one bit time; the line also stays high while it is idle
The parity bit is used for error detection (not correction: a single flipped bit can be noticed, but not located or repaired). With even parity it follows these rules:
- If the payload contains an even number of 1s, the parity bit is 0
- If the payload contains an odd number of 1s, the parity bit is 1, so that the total number of 1s in payload plus parity bit is even
Odd parity does the opposite, and many consoles use no parity at all (the common setting is 8N1: 8 data bits, no parity, 1 stop bit).
Example transmission frames, with a 3-bit payload for brevity and even parity, would look like this:
Frame 1:
IDLE | Start Bit | Payload Bit | Payload Bit | Payload Bit | Parity Bit | Stop Bit |
---|---|---|---|---|---|---|
1 | 0 | 1 | 0 | 1 | 0 | 1 |
Frame 2:
IDLE | Start Bit | Payload Bit | Payload Bit | Payload Bit | Parity Bit | Stop Bit |
---|---|---|---|---|---|---|
1 | 0 | 0 | 1 | 0 | 1 | 1 |
Frame 3:
IDLE | Start Bit | Payload Bit | Payload Bit | Payload Bit | Parity Bit | Stop Bit |
---|---|---|---|---|---|---|
1 | 0 | 1 | 1 | 0 | 0 | 1 |
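The following is an added example (my own code, not from the original post) that encodes a value into exactly the bit sequence shown in these tables, LSB first with even or odd parity, and decodes a sampled line back into values, flagging parity errors and framing errors (stop bit not high). It goes beyond the 3-bit payload above: data width, parity mode and stop-bit count are parameters, and the three frames above fall out as the 3-bit even-parity case. Names such as `encode_frame` and `decode_line` are mine.

```python
# Added example: UART frame encoder/decoder at the bit level (one sample per bit time).
# Not from the original post; all names here are my own.
from typing import List, Optional, Tuple

IDLE = 1            # line level between frames
START = 0           # start bit: high-to-low transition
STOP = 1            # stop bit(s): line back to high


def parity_bit(payload: List[int], mode: str) -> Optional[int]:
    """Parity for a payload bit list. 'even' makes the total number of 1s
    (payload + parity) even, 'odd' makes it odd, 'none' adds no bit."""
    ones = sum(payload)
    if mode == "none":
        return None
    if mode == "even":
        return ones % 2
    if mode == "odd":
        return 1 - ones % 2
    raise ValueError(f"unknown parity mode {mode!r}")


def encode_frame(value: int, data_bits: int = 8, parity: str = "even", stop_bits: int = 1) -> List[int]:
    """Bits on the wire for one character: start, data LSB first, [parity], stop."""
    if not 0 <= value < (1 << data_bits):
        raise ValueError(f"{value} does not fit in {data_bits} bits")
    payload = [(value >> i) & 1 for i in range(data_bits)]      # LSB first
    frame = [START] + payload
    p = parity_bit(payload, parity)
    if p is not None:
        frame.append(p)
    return frame + [STOP] * stop_bits


def decode_line(samples: List[int], data_bits: int = 8, parity: str = "even",
                stop_bits: int = 1) -> List[Tuple[int, Optional[str]]]:
    """Walk a sampled line and return (value, error) per frame. error is None,
    'parity', or 'framing' (stop bit not high: wrong baud rate, noise, or a break)."""
    frame_len = 1 + data_bits + (0 if parity == "none" else 1) + stop_bits
    out = []
    i = 0
    while i < len(samples):
        if samples[i] == IDLE:          # nothing happening, keep looking for a start bit
            i += 1
            continue
        if i + frame_len > len(samples):
            break                        # truncated frame at the end of the capture
        frame = samples[i:i + frame_len]
        payload = frame[1:1 + data_bits]
        value = sum(bit << k for k, bit in enumerate(payload))   # undo the LSB-first order
        error = None
        pos = 1 + data_bits
        if parity != "none":
            if frame[pos] != parity_bit(payload, parity):
                error = "parity"
            pos += 1
        if any(bit != STOP for bit in frame[pos:pos + stop_bits]):
            error = "framing"            # stop bit missing; a real UART resyncs on the next idle
        out.append((value, error))
        i += frame_len
    return out


def line_for(text: bytes, parity: str = "none", gap: int = 2) -> List[int]:
    """Serialise bytes with 8 data bits and `gap` idle bits between characters."""
    line = [IDLE] * gap
    for b in text:
        line += encode_frame(b, 8, parity, 1) + [IDLE] * gap
    return line


if __name__ == "__main__":
    for v in (0b101, 0b010, 0b011):                  # the three 3-bit frames from the post
        print(v, encode_frame(v, data_bits=3, parity="even"))
    line = line_for(b"OK", parity="even")
    print(decode_line(line, parity="even"))         # both characters decode cleanly
    line[3] ^= 1                                    # flip a data bit of the first frame
    print(decode_line(line, parity="even"))         # parity error on the first character
```

A break condition (the line held low for longer than a whole frame) decodes here as value 0 with a framing error, which is also what a real UART reports; seeing a burst of framing errors in a terminal is the classic symptom of a wrong baud rate.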
Prerequisites
To begin with hardware hacking with UART, the following things are needed:
- Hardware which is not used anymore, for example a router in my case.
- A UART-TTL to USB converter, which can be found on Amazon (check that its logic level, 3.3 V or 5 V, matches the target; many adapters have a jumper for this).
- A USB hub for protecting your computer if you make some mistakes.
- A computer with Minicom, PuTTY or another tool with serial communication capability installed.
Disclaimer: When doing this, it could happen that you fuck up your hardware (the device or your computer). I accept no liability for any damage which could occur.
How I can find UART interfaces?
Well, finding those interfaces can be hard the first time. When opening the device, you may see many connectors, resistors, capacitors etc. Some manufacturers have soldered a connector for UART onto the board, mostly a 4-pin header (GND, VCC, TX, RX). If not, you may see an unpopulated 4-pin footprint.
These could look like the following examples:
On the left we see a PCB which has a UART interface labelled J1. Each pin of this interface is labelled, so we see what each pin is used for. In the middle we see a UART interface which is labelled J1 only. The last PCB has only the UART interface, without any label or any hint that it could be a UART interface. Some manufacturers also remove the labels to avoid marking it as UART, as a security measure for their products; this is only obscurity, since the pinout can still be recovered with a multimeter.
Which pin does what?
Well, if no pin is labelled, a way to find out what each pin is used for is a multimeter. The multimeter can be used for determining the pinout.
GND (Ground):
Finding ground should be easy with a continuity test. Do this with the device powered off: connect one test lead of your multimeter to a known ground (for example the ground of the power jack or the metal shield of an Ethernet or USB connector) and touch each pin of the UART interface with the other test lead until the multimeter beeps.
VCC:
Once the GND pin is found, you should determine which one is the VCC pin. Turn on the device and set the multimeter to DC voltage mode. Put the negative test lead on GND and test each remaining pin with the positive test lead until you find a constant voltage. A constant voltage of either 3.3 V or 5 V should be the VCC pin. Note the value, because it tells you which logic level your USB adapter must use. Caveat: an idle RX pin is often pulled up and can also read as a steady voltage, so don't be surprised if two pins look steady; the TX test below and elimination sort that out.
TX:
When you have found the VCC pin, search for the TX pin. Again with the multimeter in DC voltage mode and the negative lead on GND, test each of the two remaining pins. If the voltage fluctuates on the display, this is your TX pin, which transmits data. The best moment to watch is right after power-on, because most devices print their boot log on TX then; afterwards the line may sit idle at the high level and look just like VCC. A logic analyzer or oscilloscope shows this far more clearly than a multimeter.
RX:
If you have found the TX pin, then the last remaining pin must be your RX pin.
Connecting to the device via UART
When all pins are determined and noted down, it's time to solder the header pins if not already done. Then we only have to connect the USB-TTL UART adapter with some wires like in the table below. Connect only GND, TX and RX: the device is powered by its own supply, so do not connect the adapter's VCC to the device's VCC pin, and make sure the adapter's logic level matches the voltage you measured.
Device | USB-TTL UART |
---|---|
GND | GND |
TX | RX |
RX | TX |
The target device is my old router, a TP-Link TD-W8970B.
On the computer, when running Linux, the adapter should show up as /dev/ttyUSB0 (check dmesg after plugging it in), and it's time to fire up minicom or another tool for serial communication. The only remaining thing is to set the baud rate, which can be a bit tricky because we have to find out which baud rate the target device is using. This can be done by googling it or by brute forcing: try each common baud rate in turn and power-cycle the device each time until you get readable output instead of garbage. Keep the other settings at 8N1 and turn hardware flow control off, otherwise you may see the boot log but be unable to type anything.
In my case the router has a baud rate of 115200, which I have to set in minicom.
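Instead of retyping the baud rate in minicom for every attempt, the brute-force step can be scripted. The following is an added example (my own code, not from the original post) that opens the adapter with Python's standard-library termios module, tries each common rate for a few seconds and scores what comes back: at the right rate the boot log is mostly printable ASCII, at a wrong rate the host UART mis-samples the frames and mostly reads bytes like 0x00, 0xFF or values with the high bit set. Power-cycle the router during each window so the boot log is on the wire. The port path /dev/ttyUSB0, the candidate list and the function names are my assumptions, and the sample bytes in the offline demo are constructed.

```python
# Added example: baud-rate brute force over a USB-TTL adapter, using only the
# Python standard library (termios/tty, so Linux or another POSIX system).
# Not from the original post; names, the port path and the candidate list are my own.
import os
import sys
import termios
import time
import tty
from typing import Optional, Tuple

CANDIDATES = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600]  # assumption: common console rates
PORT = "/dev/ttyUSB0"                                                     # assumption: first USB serial adapter


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or TAB/LF/CR."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data)


def classify(data: bytes, min_bytes: int = 16, threshold: float = 0.9) -> str:
    """'silent' (nothing or too little), 'text' (looks like a console), 'garbage' (wrong rate)."""
    if len(data) < min_bytes:
        return "silent"
    return "text" if printable_ratio(data) >= threshold else "garbage"


def open_port(path: str, baud: int) -> int:
    """Open the adapter raw at `baud`, 8N1, no flow control.
    Raises AttributeError if the C library has no speed constant for that rate."""
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
    tty.setraw(fd)                                   # no echo, no line buffering, 8-bit clean
    attrs = termios.tcgetattr(fd)
    speed = getattr(termios, f"B{baud}")
    attrs[4] = attrs[5] = speed                      # ispeed, ospeed
    attrs[2] &= ~(termios.PARENB | termios.CSTOPB | termios.CSIZE)
    attrs[2] |= termios.CS8 | termios.CREAD | termios.CLOCAL   # 8 data bits, ignore modem lines
    if hasattr(termios, "CRTSCTS"):
        attrs[2] &= ~termios.CRTSCTS                 # no hardware flow control
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    termios.tcflush(fd, termios.TCIFLUSH)            # drop anything captured at the old rate
    return fd


def read_for(fd: int, seconds: float) -> bytes:
    """Collect whatever arrives within `seconds` on a non-blocking fd."""
    buf = bytearray()
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            chunk = os.read(fd, 4096)
        except BlockingIOError:                      # nothing pending right now
            time.sleep(0.05)
            continue
        buf += chunk
    return bytes(buf)


def brute_force(path: str = PORT, window: float = 5.0) -> Optional[int]:
    """Try each candidate rate; return the one that produced the cleanest text, if any."""
    best: Optional[Tuple[float, int]] = None
    for baud in CANDIDATES:
        try:
            fd = open_port(path, baud)
        except AttributeError:
            print(f"{baud:>8}: rate not supported by this libc, skipping")
            continue
        print(f"{baud:>8}: power-cycle the target now ...")
        try:
            data = read_for(fd, window)
        finally:
            os.close(fd)
        verdict = classify(data)
        print(f"{baud:>8}: {verdict:7} ratio={printable_ratio(data):.2f} sample={data[:40]!r}")
        if verdict == "text" and (best is None or printable_ratio(data) > best[0]):
            best = (printable_ratio(data), baud)
    return best[1] if best else None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("best guess:", brute_force(sys.argv[1]))
    else:
        # Offline demo with constructed samples: a boot-log-like text versus wrong-rate noise.
        boot_log = b"U-Boot (constructed sample)\r\nDRAM:  64 MB\r\nHit any key to stop autoboot: 3\r\n"
        noise = bytes([0xFF, 0xFE, 0x00, 0xF8, 0xE0, 0x80, 0xFC, 0x00] * 3)
        print("boot log ->", classify(boot_log), "| noise ->", classify(noise), "| empty ->", classify(b""))
```

Run it as `python3 baudscan.py /dev/ttyUSB0` and power-cycle the router each time it says so; without an argument it only runs the offline demo. The script never writes to the port, so it cannot accidentally interrupt the bootloader, which is also why reading the boot log is a safe first step before typing anything into a device you do not fully understand.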
I hope you liked it and could see how hardware hacking via UART works 😄