
Hardware hacking - UART

· 8 min read
Strider

Hi everyone, today I thought: why not write about hardware hacking with UART? So here it is 😃

Introduction

Hardware hacking is an interesting topic: understanding how a piece of hardware works, how to get at the installed firmware, and how to subvert the device itself. Nowadays most hardware exposes some interface that is useful for exactly that, and one of them is UART.

What is hardware hacking?

In short, hardware hacking means altering an existing piece of hardware by uncovering flaws in it. The goal may be to use the device in a way that was not intended, to extract information from it, to hijack some of its functions, or to take over the whole device or its installed firmware. A nice side effect is picking up some basic electronics knowledge along the way.

What is UART?

UART stands for Universal Asynchronous Receiver-Transmitter. It is a hardware block and a simple framing scheme for asynchronous serial communication: data bits are sent one at a time over a single line, and both the frame format (number of data bits, parity, stop bits) and the transmission speed are configurable. UART framing underlies classic serial links such as RS-232, but note that RS-232 specifies the connector and its own voltage levels (roughly ±3 V to ±15 V), whereas the UART header on a PCB uses TTL/CMOS levels of 3.3 V or 5 V. That is why you need a UART-TTL adapter and must never wire a PC COM port straight to a board. Buses like SPI and I2C have largely replaced UART as the link between chips on a board, but UART is still everywhere because it is simple and cheap to implement and perfectly adequate for low-speed, low-throughput uses such as debug and boot consoles.

The defining property of UART is that it is asynchronous: sender and receiver do not share a clock line. Because there is no clock to recover the bit timing from, both sides must agree in advance on the bit duration, i.e. on the baud rate, and on the frame format; the receiver then resynchronises its sampling on the start bit of every frame. If the two sides disagree on the rate, the receiver samples the line at the wrong moments and reads garbage.

What is baud rate?

Baud rate, with the unit Bd, is the number of symbols transmitted per second. A baud rate of 1000 Bd means 1000 symbols per second. Since a UART line has only two symbols, 0 and 1, one symbol carries exactly one bit, so for UART this is also 1000 bit/s.

The bit duration follows directly from the baud rate. Let $f_s = 9600\,\mathrm{Bd}$ be the symbol rate and $T_s$ the duration of one symbol, i.e. one bit; then

$T_s = \frac{1}{f_s} = \frac{1}{9600\,\mathrm{Bd}} = 0.0001041\bar{6}\,\mathrm{s} = 104.167\,\mathrm{\mu s} \approx 104\,\mathrm{\mu s}$

The raw byte rate only counts the data bits. Let $R_s = 9600\,\mathrm{bit/s}$ be the bit rate of the transmission and $Tb_s$ the byte rate, so

$Tb_s = \frac{R_s}{8} = \frac{9600\,\mathrm{bit/s}}{8} = 1200\,\mathrm{byte/s}$

This ignores the framing overhead. With the usual 8N1 format (1 start bit, 8 data bits, no parity, 1 stop bit) every byte costs 10 bits on the wire, so the real byte rate is

$\frac{R_s}{10} = \frac{9600\,\mathrm{bit/s}}{10} = 960\,\mathrm{byte/s}$

and the real byte duration is

$10 \times T_s = 10 \times 104\,\mathrm{\mu s} = 1040\,\mathrm{\mu s} = 1.04\,\mathrm{ms}$

With a parity bit (8E1 or 8O1) it is 11 bits per byte, and with two stop bits 11 or 12.

Here is a small overview of common baud rates with their durations. "Byte Rate" assumes 8 bits per byte without framing; "Real Byte Rate" and "Real Byte Duration" assume 8N1, i.e. 10 bits on the wire per byte.

| Baud Rate | Bit Rate | Byte Rate | Bit Duration | Real Byte Rate | Real Byte Duration |
| 50 Bd | 50 bit/s | 6.25 byte/s | 20.0 ms | 5 byte/s | 200 ms |
| 110 Bd | 110 bit/s | 13.75 byte/s | 9.09 ms | 11 byte/s | 90.9 ms |
| 150 Bd | 150 bit/s | 18.75 byte/s | 6.67 ms | 15 byte/s | 66.7 ms |
| 300 Bd | 300 bit/s | 37.5 byte/s | 3.33 ms | 30 byte/s | 33.3 ms |
| 1200 Bd | 1200 bit/s | 150 byte/s | 833 µs | 120 byte/s | 8.33 ms |
| 2400 Bd | 2400 bit/s | 300 byte/s | 417 µs | 240 byte/s | 4.17 ms |
| 4800 Bd | 4800 bit/s | 600 byte/s | 208 µs | 480 byte/s | 2.08 ms |
| 9600 Bd | 9600 bit/s | 1200 byte/s | 104 µs | 960 byte/s | 1.04 ms |
| 19200 Bd | 19200 bit/s | 2400 byte/s | 52.1 µs | 1920 byte/s | 521 µs |
| 38400 Bd | 38400 bit/s | 4800 byte/s | 26.0 µs | 3840 byte/s | 260 µs |
| 57600 Bd | 57600 bit/s | 7200 byte/s | 17.4 µs | 5760 byte/s | 174 µs |
| 115200 Bd | 115200 bit/s | 14400 byte/s | 8.68 µs | 11520 byte/s | 86.8 µs |
| 230400 Bd | 230400 bit/s | 28800 byte/s | 4.34 µs | 23040 byte/s | 43.4 µs |
| 460800 Bd | 460800 bit/s | 57600 byte/s | 2.17 µs | 46080 byte/s | 21.7 µs |
| 921600 Bd | 921600 bit/s | 115200 byte/s | 1.08 µs | 92160 byte/s | 10.8 µs |
| 2000000 Bd | 2000000 bit/s | 250000 byte/s | 500 ns | 200000 byte/s | 5 µs |
| 3000000 Bd | 3000000 bit/s | 375000 byte/s | 333 ns | 300000 byte/s | 3.33 µs |

Important to know: baud rate and bit rate are not the same thing in general. Bit rate counts bits per second, baud rate counts symbols per second. They coincide only in the special case where each symbol carries exactly one bit, which is true for a UART line with its two levels 0 and 1 (a modulation with four symbol states, by contrast, carries two bits per symbol). That is why the two terms are used interchangeably when talking about UART.

Transmission Frame

Every UART transmission is packaged into a frame. The line idles high (1), and a frame consists of:

  • Start Bit: the line is pulled low; this high-to-low (1 to 0) transition tells the receiver where the frame begins and when to start sampling
  • Data Bits, the payload, sent least significant bit first, from bit 0 (LSB) to bit n (MSB); 8 data bits is the common case, 5 to 9 exist
  • Parity Bit, optional: none, even or odd
  • Stop Bit: the line returns high (1) and stays there for one (sometimes 1.5 or 2) bit times, which also guarantees a falling edge for the next start bit

The parity bit is used for error detection only. It cannot correct anything, and it only catches an odd number of flipped bits in a frame. With even parity, which the examples below use, the rules are:

  • If the payload contains an even number of 1s, the parity bit is 0
  • If the payload contains an odd number of 1s, the parity bit is 1, so that the total number of 1s in payload plus parity bit is always even

Odd parity is the reverse: the bit is chosen so that the total number of 1s is odd.

Example transmission frames with a 3-bit payload and even parity look like this (the "..." column stands for the payload bits between bit 0 and bit n):

Frame 1 (payload 1 0 1, two 1s, parity 0):

| IDLE | Start Bit | Payload Bit 0 | Payload Bit ... | Payload Bit n | Parity Bit | Stop Bit |
| 1 | 0 | 1 | 0 | 1 | 0 | 1 |

Frame 2 (payload 0 1 0, one 1, parity 1):

| IDLE | Start Bit | Payload Bit 0 | Payload Bit ... | Payload Bit n | Parity Bit | Stop Bit |
| 1 | 0 | 0 | 1 | 0 | 1 | 1 |

Frame 3 (payload 1 1 0, two 1s, parity 0):

| IDLE | Start Bit | Payload Bit 0 | Payload Bit ... | Payload Bit n | Parity Bit | Stop Bit |
| 1 | 0 | 1 | 1 | 0 | 0 | 1 |
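To make the framing concrete, here is a bit-level model of the frame described above. It is an added example written for this post, not code from the original article or from any device it mentions. It builds frames with a chosen parity, LSB first as a real UART does, drives them onto a simulated line sampled at an assumed 1 MHz, and decodes them back by sampling each bit in the middle at an assumed baud rate. Decoding at the correct rate returns the bytes, a single flipped bit is flagged by the parity check, two flipped bits slip through, and decoding at the wrong rate yields framing errors and 0x00 bytes, which is exactly what a terminal set to the wrong baud rate shows. The 1 MHz sample rate, the "OK" payload and the glitches are assumptions for the demo.

```python
# Added example, not part of the original post: a bit-level UART framing model.
# Assumption: the simulated line is sampled at SAMPLE_RATE and both encoder and
# decoder round to the same samples-per-bit (a real UART oversamples 8x or 16x).
from typing import Dict, List, Optional, Tuple

SAMPLE_RATE = 1_000_000  # samples per second of the simulated line (assumption)


def samples_per_bit(baud: int) -> int:
    return max(1, round(SAMPLE_RATE / baud))


def parity_bit(data_bits: List[int], parity: str) -> Optional[int]:
    """Parity for 'N' (none), 'E' (even) or 'O' (odd). Even parity picks the bit
    so that the total number of 1s in data + parity is even, odd parity the reverse."""
    if parity == "N":
        return None
    ones = sum(data_bits) % 2
    if parity == "E":
        return ones
    if parity == "O":
        return 1 - ones
    raise ValueError("parity must be 'N', 'E' or 'O'")


def encode_frame(value: int, parity: str = "N", data_bits: int = 8, stop_bits: int = 1) -> List[int]:
    """Logic levels of one frame: start bit (0), data LSB first, optional parity, stop bit(s) (1)."""
    if not 0 <= value < (1 << data_bits):
        raise ValueError("value does not fit into the data bits")
    data = [(value >> i) & 1 for i in range(data_bits)]  # bit 0 (LSB) goes out first
    frame = [0] + data
    p = parity_bit(data, parity)
    if p is not None:
        frame.append(p)
    return frame + [1] * stop_bits


def drive_line(frames: List[List[int]], baud: int, idle_bits: int = 2) -> List[int]:
    """Sample-level view of the TX line: idle high, each bit held for one bit time."""
    spb = samples_per_bit(baud)
    levels = [1] * idle_bits
    for frame in frames:
        levels += frame
    levels += [1] * idle_bits
    line: List[int] = []
    for level in levels:
        line += [level] * spb
    return line


def decode_line(line: List[int], baud: int, parity: str = "N", data_bits: int = 8) -> List[Tuple[int, str]]:
    """Decode frames assuming `baud`. Returns (value, status) with status 'ok',
    'parity' (parity mismatch) or 'framing' (stop bit sampled low)."""
    spb = samples_per_bit(baud)
    nbits = 1 + data_bits + (0 if parity == "N" else 1) + 1
    results: List[Tuple[int, str]] = []
    i, n = 0, len(line)
    while i < n:
        if line[i] == 1:            # idle: look for the falling edge of a start bit
            i += 1
            continue
        centers = [i + k * spb + spb // 2 for k in range(nbits)]  # mid-bit sample points
        if centers[-1] >= n:
            break                   # capture ends in the middle of a frame
        samples = [line[c] for c in centers]
        data = samples[1:1 + data_bits]
        value = sum(bit << k for k, bit in enumerate(data))  # reassemble LSB first
        if samples[0] != 0 or samples[-1] != 1:
            status = "framing"
        elif parity != "N" and samples[1 + data_bits] != parity_bit(data, parity):
            status = "parity"
        else:
            status = "ok"
        results.append((value, status))
        i += nbits * spb            # skip to the end of this frame
        if status == "framing":     # resync: wait for the line to return to idle
            while i < n and line[i] == 0:
                i += 1
    return results


def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Constructed scenario: the text 'OK' sent as 8E1."""
    frames = [encode_frame(b, "E") for b in b"OK"]
    glitched = encode_frame(ord("O"), "E")
    glitched[1] ^= 1                # flip data bit 0 on the wire
    return {
        "right_baud": decode_line(drive_line(frames, 115200), 115200, "E"),
        "wrong_baud": decode_line(drive_line(frames, 9600), 115200, "E"),
        "one_bit_flipped": decode_line(drive_line([glitched], 115200), 115200, "E"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>16}: {[(hex(v), s) for v, s in result]}")
```

Run it and compare the three results: the right rate gives 0x4f and 0x4b with status ok, the wrong rate gives a run of 0x00 framing errors (the whole 104-sample start bit is mistaken for a 9-sample frame, then the receiver resyncs on the next falling edge), and the glitched frame decodes to 0x4e with a parity error. Encoding the page's three 3-bit payloads with encode_frame(value, "E", data_bits=3) reproduces the frame tables above.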

Prerequisites

To begin with hardware hacking via UART, the following things are needed:

  • A device you no longer need, in my case an old router.
  • A UART-TTL to USB converter (FTDI, CP2102, CH340 or similar), available from Amazon and the usual electronics shops. Make sure its logic level matches the target: most embedded boards run at 3.3 V, and a 5 V-only adapter can damage them.
  • A USB hub between the adapter and your computer, so that a mistake sacrifices the hub or the adapter rather than your computer's USB port.
  • A computer with minicom, PuTTY, picocom or another serial terminal program installed.
Disclaimer: doing this can damage your hardware (the device or your computer). I accept no liability for any damage that may occur.

How can I find UART interfaces?

Finding these interfaces can be hard the first time. When you open the device you will see many connectors, resistors, capacitors and so on. Some manufacturers leave a populated UART header on the board, mostly a 4-pin header (GND, VCC, TX, RX). If not, look for an unpopulated 4-pin footprint, usually a row of four pads or through-holes, sometimes with one square pad marking pin 1.

[Image: three example PCBs with UART headers]

On the left we see a PCB whose UART header is labelled J1 and whose pins are labelled individually, so we can see what each pin is for. In the middle the header is labelled J1 only. The last PCB has the header without any label or hint that it is a UART interface. Some manufacturers deliberately leave the labels off so the port is less obvious; this is obscurity rather than security, and it does not stop the method described next.

Which pin does what?

If no pin is labelled, a multimeter is the cheapest way to work out the pinout. The order matters: first GND, then VCC, then TX, and RX is whatever is left. A logic analyser or oscilloscope does the same job faster and additionally lets you read the baud rate off the shortest pulse, but the multimeter method works.

GND (Ground):

Finding ground is easy with a continuity test, done with the device powered off: connect one test lead of the multimeter to a known ground, for example the ground of the power connector or the metal shield of an Ethernet or USB jack, and touch each pin of the header with the other lead until the meter beeps. Some headers have more than one ground pin.

VCC:

Once GND is found, determine VCC. Power the device on, set the multimeter to DC voltage, put the negative lead on GND and touch each remaining pin with the positive lead. The pin with a steady voltage, typically 3.3 V or 5 V, is VCC. This measurement also tells you the logic level of the target, which your adapter must match. VCC is only identified here; it is not connected to the adapter later.

TX:

Next comes the TX pin. Keep the meter in voltage mode with the negative lead on GND and measure the two remaining pins while the device boots. The pin that idles at the logic-high level but visibly fluctuates or drops as the device prints its boot messages is TX, the device's transmit line. A multimeter averages over time, so power-cycle the device and watch during the first seconds of boot, when most consoles are chatty.

RX:

Having found TX, the last remaining pin must be RX, the device's receive line. RX often idles high as well, so on a meter it can look similar to TX; the difference is that it never fluctuates on its own.

Connecting to the device via UART

Once all pins are identified and noted down, solder header pins on if they are not there yet. Then wire the USB-TTL UART adapter to the device as in the table below. TX and RX are crossed: the device's TX feeds the adapter's RX and vice versa. VCC stays unconnected, the device has its own power supply and feeding it from the adapter can damage one or both. Connect GND first.

| Device | USB-TTL UART adapter |
| GND | GND |
| TX | RX |
| RX | TX |
| VCC | (not connected) |

[Image: the router board wired to the USB-TTL adapter]

The target device is my old router, a TP-Link TD-W8970B. On Linux the adapter shows up as /dev/ttyUSB0 (check dmesg after plugging it in), and it is time to fire up minicom or another serial terminal. The remaining question is the baud rate, which can be a bit fiddly because we have to find out which rate the target uses. Either google the board, or brute-force it: try the common rates (9600, 38400, 57600 and 115200 are the usual suspects), power-cycling the device at each one until the boot messages come out as readable text. With the wrong rate you get nothing or a stream of garbage characters. The frame format is almost always 8N1, so leave data bits, parity and stop bits at 8, none and 1.

In my case the router has a baud rate of 115200, which I have to set in minicom.

[Image: minicom session at 115200 baud]
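The brute-force step above can be automated. The following script is an added example written for this post, not the author's tooling: it captures a few seconds of raw bytes at each candidate rate using only the Python standard library (termios, so it runs on Linux or macOS), scores each capture by the fraction of printable ASCII, and ranks the rates. Boot output at the right rate is almost entirely printable text, while a wrong rate produces framing errors that surface as 0x00, 0xFF and other non-ASCII bytes. It also includes the logic-analyser shortcut of deriving the rate from the shortest pulse seen on TX. The port path /dev/ttyUSB0, the candidate rate list and the sample captures used for the offline demo are assumptions and constructed data, not output from any real device.

```python
# Added example, not from the original post. Assumptions: a POSIX host (termios),
# the adapter at PORT, and the candidate rate list below.
import os
import string
import time
from typing import Dict, List, Tuple

PORT = "/dev/ttyUSB0"  # assumption: where the USB-TTL adapter shows up on Linux
COMMON_BAUD_RATES = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600]
PRINTABLE = frozenset(string.printable.encode("ascii"))  # letters, digits, punctuation, \r \n \t


def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes in a capture; 0.0 for an empty capture."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def rank_captures(captures: Dict[int, bytes]) -> List[Tuple[int, float]]:
    """Order candidate rates by how text-like their capture is, best first."""
    scored = [(baud, printable_ratio(data)) for baud, data in captures.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def baud_from_shortest_pulse(pulse_seconds: float, candidates=COMMON_BAUD_RATES) -> int:
    """Logic-analyser shortcut: the narrowest pulse on TX is one bit time, so the
    rate is about 1/pulse; snap it to the nearest standard rate."""
    measured = 1.0 / pulse_seconds
    return min(candidates, key=lambda r: abs(r - measured) / r)


def capture_at(port: str, baud: int, seconds: float = 3.0) -> bytes:
    """Read raw bytes for `seconds` at 8N1 and `baud`. Power-cycle the target
    during the window so the boot messages land in the capture."""
    import termios
    import tty
    fd = os.open(port, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
    try:
        tty.setraw(fd)                                 # raw mode: 8 data bits, no parity, no echo
        attrs = termios.tcgetattr(fd)
        attrs[2] |= termios.CLOCAL | termios.CREAD     # ignore modem lines, enable receiver
        attrs[4] = attrs[5] = getattr(termios, f"B{baud}")  # input and output speed
        termios.tcsetattr(fd, termios.TCSANOW, attrs)
        termios.tcflush(fd, termios.TCIFLUSH)          # drop stale bytes from the previous rate
        buf = bytearray()
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            try:
                buf += os.read(fd, 4096)
            except BlockingIOError:                    # nothing arrived yet
                time.sleep(0.05)
        return bytes(buf)
    finally:
        os.close(fd)


def probe(port: str = PORT, rates=COMMON_BAUD_RATES, seconds: float = 3.0) -> List[Tuple[int, float]]:
    """Interactive brute force: one capture per candidate rate, then rank them."""
    captures: Dict[int, bytes] = {}
    for baud in rates:
        input(f"Press Enter, then power-cycle the target: capturing {seconds}s at {baud} Bd ")
        captures[baud] = capture_at(port, baud, seconds)
        print(f"  {baud:>7} Bd: {len(captures[baud])} bytes, printable ratio {printable_ratio(captures[baud]):.2f}")
    return rank_captures(captures)


# Constructed sample captures (not real output from any device) for an offline demo.
SAMPLE_CAPTURES = {
    9600: bytes([0x00, 0xFF, 0xFE, 0x80, 0x00, 0xF8, 0x7F, 0xC0]),   # wrong rate: framing garbage
    57600: b"\x00\xfcLo\xff\xf0ad\x80",                              # wrong rate, partly readable
    115200: b"Booting kernel from flash...\r\nStarting init\r\n",     # right rate: plain text
}

if __name__ == "__main__":
    print(rank_captures(SAMPLE_CAPTURES))   # offline demo on the constructed captures
    # print(probe())                        # live brute force with a real adapter attached
```

Once the winning rate is known, open the console with it, for example with minicom -D /dev/ttyUSB0 -b 115200. The printable-ratio score is deliberately crude: it does not need to know what the target prints, only that text beats noise, which is robust across bootloaders and kernels.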

I hope you liked it and could see how hardware hacking via UART works 😄