Guide: UART and you, obtaining root on random hardware

Solaris17

Introduction

Hello, today I hope to explain UART to you. We will take a shallow dive into the world of serial device access and what it may mean from a technological and security perspective.

I am NOT affiliated with, sponsored by, or paid by any security firm or corporation, and I do not represent one. I do not officially represent any entity while posting under my USN.

I am a normal guy who wants to bring as much security information to this forum as I have time to. I understand that it isn't really the focus of this site, but the more eyes and DIYers that can see it the better. We are in an ever-growing technological field, and while gaming is fun there are a lot more moving parts now than in the days of the original DOOM.

We will be tackling this in Windows. A lot of the security field focuses on Linux, with Kali being a popular option. I want to show you that Windows can be used too; and because why not?

I will try to keep this short.

What is UART?
UART stands for "Universal Asynchronous Receiver/Transmitter" or, as I like to call it, yoU Are RooT. A UART is the hardware block that turns bytes into a simple asynchronous serial stream (a start bit, the data bits, an optional parity bit, a stop bit) and back again. It is NOT a communications protocol in the networking sense: there is no negotiation, no addressing and no authentication on the wire. Whatever the firmware writes to its console comes out of the TX pin, and whatever you put on the RX pin lands on that console, which is exactly why it matters for security.

A device may have several UARTs, and each one lets us talk to a particular part of it: a microprocessor, a controller of some sort, or a debug console. Sometimes we can write data. Other times we can see things that can't normally be seen. Depending on the device we have several different options at our disposal.

What is the objective?

Today I am going to show you some common techniques and some possible outcomes of interfacing with the UART connector on a device. We will go over the various ways this can be accomplished, and I really hope you walk away with a little more insight into both hardware complexity and security awareness.
  • I will show you various ways to check prior to purchasing a device to see if it shows signs of UART interfacing.
  • I will show you some cheap hardware (under $30?) you can use to try it yourself.
  • We will gain root access to a popular device I bought off of Amazon.
  • We will explore some of the technological and software dilemmas we are faced with judging by what we find.
Show me the loot

Here we have a list of some parts I will be using for this demonstration. The prices will be in USD as applicable.
Total cost for the tools to do this to whatever?

$22.50 USD

As for the device we will actually be testing with...
Total cost for everything to reproduce this guide?

$43 USD

You, of course, are free to shop around for cheaper stuff. This is all pretty decent quality gear, but I know you can get USB-to-TTL adapters for only a few dollars, and cheaper or smaller bundles of wire are available. You can probably do this in or under the $15 USD range.

Tools of the trade

We are going to need a few tools to help us. Thankfully the first step of any kind of hardware probing costs nothing: why waste money if we can look first? Welcome to the FCC ID database. If you managed to snag a picture of the box, or simply google for the product's FCC ID, and the product transmits a radio signal, we can use the sites below to find its filing.

It's important to remember first that FCC applications are generally NOT done with final products. In this case we are looking for signs of UART: 3 to 4 pins next to each other (TX, RX, GND and sometimes VCC). UART pins aren't necessarily next to each other, but for a good percentage of devices they are.

Because the final product seldom has the header populated, we are really just looking to see whether the prototype gave them a UART at all. The header may not exist any more, but if they used UART for testing (UART generally has debug and run-time info piped to it) we can use the holes or pads to connect to, since even if the header is removed the output is seldom disabled.

The links in the flesh!


This site is awesome because you can search other FCC-esque databases used/exclusive in/to other countries.

Then we have old reliable


Now here are some links for our specific device.


The FCC website only caches searches, so there is no direct linking, because idk, FCC.

That leads to the internal pictures (they must be submitted as part of an FCC application), and those are what we are after!


Now that I'm pretty sure I'm going to have some luck, let's order it and wait 2 days.

Specifically, the image that tipped me off was none other than:

1.png


Disassembly and examination

Now that we have the device, I'll show some quick candid pictures and explain what we are looking for. For this demonstration it's important to note that after purchase I read up on the device and it turns out the market for this device is pretty much experimentation supported by the manufacturer. That's fine though. Other devices I've probed offer similar but unintentional access, so the lessons learned still fit the task at hand.

The router itself comes in a small cardboard box. Nothing of real interest. I was pleasantly surprised by the size however, no doubt it is smaller than the TP-Link TL-MR3020 I've disassembled previously.

Image from iOS (4).jpg
Pen for reference

Image from iOS (6).jpg
Now we have to take it apart. Nothing crazy here. The device backplate is held in with clips that my knife made quick work of. The PCB itself also snaps into place.

Note: The device has a switch on the side, and the plastic button covering the switch is built into the chassis, with a channel carved into the plastic that lets the nipple of the switch slide in during assembly/disassembly. If you are constantly removing and installing the board, take note of the switch position on both the PCB and the chassis and line the nipple up with the channel, or you will probably destroy it. On these devices, and on other brands too, the Ethernet jacks are the least forgiving: install the Ethernet side first and remove it last (lift from the other end). This will reduce stress on the board.

Image from iOS (7).jpg
The back of the board is pretty neat: we see some holes and solder points for connectors and an SPI flash chip, probably where the firmware is stored. If you're going to play with this stuff and feel you have more money to spend, I personally use a Flashcat classic (FCUSB2X) ($30) to dump everything prior to attempting to destroy it, so I can write it back. Depending on the device and its capabilities it's not impossible to pull the flash off via GPIO or another header if you need to. Not something we are going to cover here though.

Now that we have the device pulled out let's take a look at the other side.


Image from iOS (3).jpg
We can see they were super nice and gave us a pin header to play with, but the device also has through-holes if you want practice with those. The holes on this one look like SPI, but we want UART. In this case the pins are labelled TX, RX, GND and VCC. In most cases VCC will be provided by your USB-to-TTL adapter and will measure 3.3 V. When I can, though, I only plug in TX, RX and GND and let the device's own supply provide its voltage. There are two reasons to work that way: feeding the adapter's VCC into a board that is already powered can back-feed its regulator, and the adapter's logic level has to match the board's. A 5 V adapter on a 3.3 V UART can damage the SoC, so check the level (or set the adapter's voltage jumper) before you connect TX.

You can probe at this point with something like a logic analyzer, or even just a multimeter, to figure out which pin is which and whether they are live. With a multimeter, GND is the pin with continuity to the board's ground plane or a shield, VCC reads a steady 3.3 V, and the device's TX idles high at the logic level and dips while it is printing. You also don't need to hook up both TX and RX. Some devices won't let you type anything in at all, but the device's TX (Transmit) will still let you see what it is dumping onto the bus. I hook up all of them to see whether I can work with the device, so that's what we are going to do.

You would be surprised how many devices still leave pads or holes like the row below. As mentioned earlier, however, not all devices will have them clearly marked, and the contacts may not be near each other. Generally speaking, they will share a common naming scheme like G1 G2 G3 G4, which will stick out compared to the naming convention of the other components soldered to the PCB around them. This trick can help you narrow things down on a device you are digging into.

It should be noted that A LOT of devices leave the UART connections available and active. This will play a big part in the discussion to follow.

All hooked up!

Image from iOS (1).jpg

It's important to understand how UART is wired, so I drew up a very crude diagram. Put simply, TX and RX (Transmit and Receive) are crossed over between the device and your USB adapter: the device's TX goes to the adapter's RX, the adapter's TX goes to the device's RX, and the two grounds are tied together. This works like current networking or phone systems: transmit goes to the receive pin of the other device. Makes sense, right? It's like the digital equivalent of playing catch. If you connect up and see nothing at a baud rate that should work, swapping TX and RX is the first thing to try; some boards label the pins from the other end's point of view.

pins.png

Make sense? Awesome. Now let's get ready to go!

Image from iOS 8.jpg

PuTTY

Now let's configure PuTTY and figure out the baud rate.

First things first, what am I talking about? Well, with serial we need to specify a baud rate. I won't be getting into specific serial processes, but suffice it to say serial is incapable of any kind of auto-negotiation: both ends simply have to agree. So we have to tell PuTTY, in this case, how fast the data is being transmitted so it can read it. The framing is almost always 8 data bits, no parity, 1 stop bit (8N1), which is PuTTY's default, so the baud rate is usually the only thing to guess. One PuTTY default you do want to change is flow control, which is XON/XOFF out of the box: set it to None, otherwise a stray 0x13 (Ctrl-S) byte in garbled output silently pauses the session.

Let's get started. First we need to plug in our handy-dandy USB-to-TTL adapter. Now we have to find the COM port the device is speaking through. This is thankfully easy: in Windows simply open Device Manager.

Below is a picture of my device. Yours will say something different. You might even have a few, but just look for something with a name you expect.

2.png

In my case you can see my device is on COM3.

Let's get some things out of the way. The baud rate can be set to a lot of values. We could use a logic analyzer or maybe some fancy documentation, but only a handful of rates are used on almost everything. I generally start with those and just try blindly.

They are:

9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600

Now what happens if it's wrong? Well, you will either get nothing at all, or you will get scrambled or oddly spaced characters like so.

putty err.png
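PuTTY can't tell you which rate is right, but the trial-and-error can be automated. The script below is an added example, not code from the original post: it scores a captured buffer by how much of it is printable ASCII, which is what your eye does with the screenshot above, and the optional detect_baud() loop applies that scoring to a real port through pyserial. SAMPLE_GOOD and SAMPLE_BAD are constructed stand-ins for what the adapter returns at the right and at a wrong rate, and the port name "COM3" is an assumption; use whatever Device Manager shows you.

```python
"""Guess the UART baud rate by scoring what comes back at each candidate.

Added example, not code from the original post. The scoring functions work on
any byte buffer; SAMPLE_GOOD and SAMPLE_BAD are constructed stand-ins for what
a USB-to-TTL adapter returns at the right and at a wrong rate. detect_baud()
applies the same scoring to a real port through pyserial; the port name
("COM3" below) is an assumption, use whatever Device Manager shows you.
"""
import string

# The rates that cover almost every embedded console, most common first.
COMMON_BAUDS = (115200, 9600, 57600, 38400, 19200, 230400, 460800, 921600)

PRINTABLE = set(string.printable.encode("ascii"))   # letters, digits, punctuation, \r \n \t


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII.

    At the right rate a boot log is essentially all printable text. At a wrong
    rate the receiver samples the bits at the wrong moments, so you get bytes
    with the high bit set, NULs and random control characters instead.
    """
    if not buf:
        return 0.0
    return sum(1 for b in buf if b in PRINTABLE) / len(buf)


def looks_like_console(buf: bytes, threshold: float = 0.9, minimum: int = 16) -> bool:
    """True if the buffer is long enough to judge and is mostly printable text.

    An idle line gives you nothing at all at every rate, which is why a short
    or empty buffer is a 'no' rather than a guess.
    """
    if len(buf) < minimum:
        return False
    return printable_ratio(buf) >= threshold


# Constructed samples: a correct-rate U-Boot banner and wrong-rate framing noise.
SAMPLE_GOOD = b"U-Boot 1.1.3 (Apr 26 2018 - 15:30:15)\r\nBoard: Ralink APSoC DRAM:  128 MB\r\n"
SAMPLE_BAD = b"\xff\xfe\x00\x9c\xf0\x00\xc6\xfe\x00\x80\xff\x00\xe0\xfe\x30\x00\xfc\x00\x83"


def detect_baud(port: str, bauds=COMMON_BAUDS, timeout: float = 3.0, want: int = 128):
    """Open the port at each rate in turn and return the first one that yields text.

    Needs pyserial (pip install pyserial). Power-cycle the target once per
    rate while this is listening: the bootloader banner is the best sample
    because it is printed a fraction of a second after power-on.
    """
    import serial  # imported here so the scoring above works without pyserial installed

    for baud in bauds:
        with serial.Serial(port, baudrate=baud, timeout=timeout) as ser:
            ser.reset_input_buffer()
            data = ser.read(want)          # returns whatever arrived before the timeout
        if looks_like_console(data):
            return baud
    return None


if __name__ == "__main__":
    print(f"good sample printable ratio: {printable_ratio(SAMPLE_GOOD):.2f}")
    print(f"bad sample printable ratio:  {printable_ratio(SAMPLE_BAD):.2f}")
    # print(detect_baud("COM3"))   # assumption: your adapter showed up as COM3
```

Run it as-is to see the two sample scores, or uncomment the last line with your own COM port and reboot the device once per candidate rate. The 0.9 threshold is deliberately strict: a wrong rate occasionally produces a printable byte by accident, but never a run of them.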

Enough chatter though, let's fire up PuTTY and see.

3.png

In this case, I have found through quick trial and error that I get a response using a baud rate of 115200. You can also see that I have selected "Serial" (since this is a serial connection) and changed my COM port to 'COM3', which we took from Device Manager.

If the stars align we get text output! Leaving the session open, I went ahead and restarted the device, and we get this!

putty.png

Sweet! Now we can reproduce a working state, since we know the port and baud rate. Let's take a look at one other PuTTY option that's useful.

On the left-hand side, under Session at the very top, click "Logging".

To the right we will now have the session logging options. Sometimes the device text will scroll too quickly, or we may miss important information that can help us. In this case we can configure PuTTY (per session) to write the console output to a log file.

In this case I selected "All session output". Browse for the file location and simply click "Session" again to go back to the connection panel. Set this up before you power-cycle the device: the bootloader banner and its autoboot prompt scroll past in the first couple of seconds and are the most useful part of the log.

4.png

Now when we connect with PuTTY and reboot the device we get a log file that contains this.

Code:
DDR Calibration DQS reg = 00008888

U-Boot 1.1.3 (Apr 26 2018 - 15:30:15)

Board: Ralink APSoC DRAM:  128 MB
relocate_code Pointer at: 87fb0000
******************************
Software System Reset Occurred
******************************
flash manufacture id: ef, device id 40 18
find flash: W25Q128BV
*** Warning - bad CRC, using default environment

======================================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 1024 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 128 MBytes
Flash component: SPI Flash
Date:Apr 26 2018  Time:15:30:15
--------------------------------------------------
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768
--------------------------------------------------
##### The CPU freq = 575 MHZ ####
##### Memory size =128 Mbytes ####
======================================================

RESET button is pressed for:  0 second(s)
Catution: RESET button wasn't pressed or not long enough!
Continuing normal boot...

Autobooting in:    2 s (type 'gl' to run U-Boot console)

Device have ART, checking calibration status...
Device have calibrated, checking test status...
Device haven tested, checking MAC info...
Device have MAC info, starting firmware...
## Booting image at bc050000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.63
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1544570 Bytes =  1.5 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 128

Starting kernel ...

[    0.000000] Linux version 4.14.63 (lancer@gl-inet) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7258-5eb055306f)) #0 Thu Aug 16 07:51:15 2018
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7628AN ver:1 eco:2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019655 (MIPS 24KEc)
[    0.000000] MIPS: machine is GL-MT300N-V2
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x8c/0x47c with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: console=ttyS0,115200 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=0005e643
[    0.000000] Readback ErrCtl register=0005e643
[    0.000000] Memory: 124832K/131072K available (3565K kernel code, 178K rwdata, 856K rodata, 192K init, 214K bss, 6240K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] intc: using register map from devicetree
[    0.000000] CPU Clock: 575MHz
[    0.000000] timer_probe: no matching timers found
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6647862422 ns
[    0.000012] sched_clock: 32 bits at 287MHz, resolution 3ns, wraps every 7469508094ns
[    0.007550] Calibrating delay loop... 380.92 BogoMIPS (lpj=1904640)
[    0.073454] pid_max: default: 32768 minimum: 301
[    0.078150] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.084501] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.097206] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.106701] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.112649] pinctrl core: initialized pinctrl subsystem
[    0.119002] NET: Registered protocol family 16
[    0.148882] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.154492] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.160087] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.170297] clocksource: Switched to clocksource MIPS
[    0.176336] NET: Registered protocol family 2
[    0.181585] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.188277] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.194459] TCP: Hash tables configured (established 1024 bind 1024)
[    0.200697] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.206295] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.212652] NET: Registered protocol family 1
[    0.220147] Crashlog allocated RAM at address 0x3f00000
[    0.226730] workingset: timestamp_bits=30 max_order=15 bucket_order=0
[    0.238864] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.244485] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.264074] io scheduler noop registered
[    0.267807] io scheduler deadline registered (default)
[    0.273744] gpio-export gpio_export: 1 gpio(s) exported
[    0.278954] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.288153] console [ttyS0] disabled
[    0.291646] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 28, base_baud = 2500000) is a 16550A
[    0.300365] console [ttyS0] enabled
[    0.300365] console [ttyS0] enabled
[    0.307363] bootconsole [early0] disabled
[    0.307363] bootconsole [early0] disabled
[    0.316138] 10000d00.uart1: ttyS1 at MMIO 0x10000d00 (irq = 29, base_baud = 2500000) is a 16550A
[    0.325727] cacheinfo: Failed to find cpu0 device node
[    0.330982] cacheinfo: Unable to detect cache hierarchy for CPU 0
[    0.337915] spi-mt7621 10000b00.spi: sys_freq: 191666666
[    0.360208] m25p80 spi0.0: w25q128 (16384 Kbytes)
[    0.365096] 4 fixed-partitions partitions found on MTD device spi0.0
[    0.371548] Creating 4 MTD partitions on "spi0.0":
[    0.376423] 0x000000000000-0x000000030000 : "u-boot"
[    0.382409] 0x000000030000-0x000000040000 : "u-boot-env"
[    0.388662] 0x000000040000-0x000000050000 : "factory"
[    0.394749] 0x000000050000-0x000001000000 : "firmware"
[    0.473297] 2 uimage-fw partitions found on MTD device firmware
[    0.479332] 0x000000050000-0x0000001c91ba : "kernel"
[    0.485320] 0x0000001c91ba-0x000001000000 : "rootfs"
[    0.491266] mtd: device 5 (rootfs) set to be root filesystem
[    0.498506] 1 squashfs-split partitions found on MTD device rootfs
[    0.504866] 0x000000ae0000-0x000001000000 : "rootfs_data"
[    0.512037] libphy: Fixed MDIO Bus: probed
[    0.525906] rt3050-esw 10110000.esw: link changed 0x00
[    0.534222] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[    0.544509] NET: Registered protocol family 10
[    0.553217] Segment Routing with IPv6
[    0.557059] NET: Registered protocol family 17
[    0.561691] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    0.574838] 8021q: 802.1Q VLAN Support v1.8
[    0.591816] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[    0.600009] Freeing unused kernel memory: 192K
[    0.604561] This architecture does not have kernel memory protection.
[    1.887491] init: Console is alive
[    1.891282] init: - watchdog -
[    2.310307] random: fast init done
[    5.793900] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    6.006183] usbcore: registered new interface driver usbfs
[    6.011896] usbcore: registered new interface driver hub
[    6.017398] usbcore: registered new device driver usb
[    6.029093] exFAT: Version 1.2.9
[    6.068262] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    6.084723] SCSI subsystem initialized
[    6.094416] ehci-platform: EHCI generic platform driver
[    6.110020] phy phy-10120000.usbphy.0: remote usb device wakeup disabled
[    6.116832] phy phy-10120000.usbphy.0: UTMI 16bit 30MHz
[    6.122166] ehci-platform 101c0000.ehci: EHCI Host Controller
[    6.128027] ehci-platform 101c0000.ehci: new USB bus registered, assigned bus number 1
[    6.136186] ehci-platform 101c0000.ehci: irq 26, io mem 0x101c0000
[    6.170324] ehci-platform 101c0000.ehci: USB 2.0 started, EHCI 1.00
[    6.177751] hub 1-0:1.0: USB hub found
[    6.182008] hub 1-0:1.0: 1 port detected
[    6.189909] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    6.198242] ohci-platform: OHCI generic platform driver
[    6.203881] ohci-platform 101c1000.ohci: Generic Platform OHCI controller
[    6.210840] ohci-platform 101c1000.ohci: new USB bus registered, assigned bus number 2
[    6.218958] ohci-platform 101c1000.ohci: irq 26, io mem 0x101c1000
[    6.295370] hub 2-0:1.0: USB hub found
[    6.299640] hub 2-0:1.0: 1 port detected
[    6.307035] uhci_hcd: USB Universal Host Controller Interface driver
[    6.321390] usbcore: registered new interface driver usb-storage
[    6.328719] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    6.338257] init: - preinit -
[    7.766010] rt3050-esw 10110000.esw: link changed 0x00
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    8.256057] random: procd: uninitialized urandom read (4 bytes read)
[   11.632275] jffs2: notice: (420) jffs2_build_xattr_subsystem: complete building xattr subsystem, 21 of xdatum (2 unchecked, 18 orphan) and 74 of xref (14 dead, 15 orphan) found.
[   11.650642] mount_root: switching to jffs2 overlay
[   11.729288] overlayfs: upper fs does not support tmpfile.
[   11.747747] urandom-seed: Seeding with /etc/urandom.seed
[   11.902138] procd: - early -
[   11.905176] procd: - watchdog -
[   12.632084] procd: - watchdog -
[   12.635549] procd: - ubus -
[   13.066712] random: jshn: uninitialized urandom read (4 bytes read)
[   13.158182] random: ubusd: uninitialized urandom read (4 bytes read)
[   13.173886] random: ubusd: uninitialized urandom read (4 bytes read)
[   13.183609] procd: - init -
Please press Enter to activate this console.
[   14.914799] kmodloader: loading kernel modules from /etc/modules.d/*
[   15.060512] ntfs: driver 2.1.32 [Flags: R/O MODULE].
[   15.123288] tun: Universal TUN/TAP device driver, 1.6
[   15.158003] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   15.205192] Netfilter messages via NETLINK v0.30.
[   15.233401] ip_set: protocol 6
[   15.343818] u32 classifier
[   15.346574]     input device check on
[   15.350358]     Actions configured
[   15.373285] Mirror/redirect action on
[   15.391495] nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
[   15.487398] fuse init (API version 7.26)
[   16.706662]
[   16.706662]
[   16.706662] === pAd = c05fa000, size = 1175584 ===
[   16.706662]
[   16.716283] <-- RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x
[   16.724063] <-- RTMPAllocAdapterBlock, Status=0
[   16.728664] RtmpChipOpsHook(748): Not support for HIF_MT yet!
[   16.734512] mt7628_init()-->
[   16.737438] mt7628_init(FW(8a00), HW(8a01), CHIPID(7628))
[   16.742921] e2.bin mt7628_init(1142)::(2), pChipCap->fw_len(63536)
[   16.749185] mt_bcn_buf_init(289): Not support for HIF_MT yet!
[   16.755016] <--mt7628_init()
[   16.831764] usbcore: registered new interface driver cdc_acm
[   16.837514] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[   16.869311] usbcore: registered new interface driver cdc_wdm
[   16.882394] Loading modules backported from Linux version wt-2017-11-01-0-gfe248fc2c180
[   16.890586] Backport generated by backports.git v4.14-rc2-1-31-g86cf0e5d
[   16.925156] ip_tables: (C) 2000-2006 Netfilter Core Team
[   16.942466] usbcore: registered new interface driver ipheth
[   17.401371] usbcore: registered new interface driver usbserial
[   17.407389] usbcore: registered new interface driver usbserial_generic
[   17.414164] usbserial: USB Serial support registered for generic
[   17.456907] wireguard: WireGuard 0.0.20180718 loaded. See www.wireguard.com for information.
[   17.465542] wireguard: Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
[   17.592626] xt_time: kernel timezone is -0000
[   17.614119] usbcore: registered new interface driver cdc_ether
[   17.632310] usbcore: registered new interface driver cdc_ncm
[   17.723555] usbcore: registered new interface driver cp210x
[   17.729303] usbserial: USB Serial support registered for cp210x
[   17.751971] usbcore: registered new interface driver huawei_cdc_ncm
[   17.885199] PPP generic driver version 2.4.2
[   17.902098] PPP MPPE Compression module registered
[   17.914247] NET: Registered protocol family 24
[   17.934102] usbcore: registered new interface driver qmi_wwan
[   17.949507] usbcore: registered new interface driver rndis_host
[   18.010215] usbcore: registered new interface driver sierra
[   18.016068] usbserial: USB Serial support registered for Sierra USB modem
[   18.043322] usbcore: registered new interface driver sierra_net
[   18.082712] usbcore: registered new interface driver option
[   18.088478] usbserial: USB Serial support registered for GSM modem (1-port)
[   18.147710] usbcore: registered new interface driver rt2800usb
[   18.234961] kmodloader: done loading kernel modules from /etc/modules.d/*
[   32.334313] TX_BCN DESC a6fd6000 size = 320
[   32.338627] RX[0] DESC a6fd8000 size = 2048
[   32.345840] RX[1] DESC a6fd9000 size = 1024
[   32.412513] prepare to get e2p access------------
[   32.417556] E2pAccessMode=2
[   32.421202] cfg_mode=9
[   32.423593] cfg_mode=9
[   32.425988] wmode_band_equal(): Band Equal!
[   32.434479] APSDCapable[0]=1
[   32.437400] APSDCapable[1]=1
[   32.440331] APSDCapable[2]=1
[   32.443248] APSDCapable[3]=1
[   32.446164] APSDCapable[4]=1
[   32.449081] APSDCapable[5]=1
[   32.452006] APSDCapable[6]=1
[   32.454923] APSDCapable[7]=1
[   32.457839] APSDCapable[8]=1
[   32.460772] APSDCapable[9]=1
[   32.463689] APSDCapable[10]=1
[   32.466694] APSDCapable[11]=1
[   32.469699] APSDCapable[12]=1
[   32.472711] APSDCapable[13]=1
[   32.475716] APSDCapable[14]=1
[   32.478720] APSDCapable[15]=1
[   32.481734] default ApCliAPSDCapable[0]=1
[   32.680781] Key1Str is Invalid key length(0) or Type(1)
[   32.686446] Key2Str is Invalid key length(0) or Type(1)
[   32.692135] Key3Str is Invalid key length(0) or Type(1)
[   32.697803] Key4Str is Invalid key length(0) or Type(1)
[   32.733389] load fw image from fw_header_image
[   32.737899] AndesMTLoadFwMethod1(2548)::pChipCap->fw_len(63536)
[   32.743910] FW Version:
[   32.743915] _
[   32.746387] e
[   32.747981] 2
[   32.749574] _
[   32.751178] m
[   32.752773] p
[   32.754366]
[   32.755959]
[   32.757552]
[   32.759147]
[   32.760753]
[   32.763850] FW Build Date:
[   32.763853] 2
[   32.766592] 0
[   32.768184] 1
[   32.769778] 5
[   32.771384] 0
[   32.772977] 6
[   32.774571] 2
[   32.776163] 5
[   32.777758] 2
[   32.779352] 1
[   32.780962] 1
[   32.782556] 4
[   32.784151] 2
[   32.785745] 2
[   32.787337]
[   32.788933]
[   33.680408] CmdAddressLenReq:(ret = 0)
[   33.684944] CmdFwStartReq: override = 1, address = 1048576
[   33.690604] CmdStartDLRsp: WiFI FW Download Success
[   33.710352] MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
[   33.716467] efuse_probe: efuse = 10000012
[   33.720590] RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
[   33.726063] RtmpEepromGetDefault::e2p_dafault=2
[   33.730669] RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
[   33.738339] NVM is FLASH mode
[   33.741409] 1. Phy Mode = 14
[   33.831446] CmdSlotTimeSet:(ret = 0)
[   33.934021] Country Region from e2p = ffff
[   33.940497] tssi_1_target_pwr_g_band = 33
[   33.944574] 2. Phy Mode = 14
[   33.948511] 3. Phy Mode = 14
[   33.951489] NICInitPwrPinCfg(11): Not support for HIF_MT yet!
[   33.957313] NICInitializeAsic(848): Not support rtmp_mac_sys_reset () for HIF_MT yet!
[   33.965263] mt_mac_init()-->
[   33.968181] MtAsicInitMac()-->
[   34.000454] mt7628_init_mac_cr()-->
[   34.004016] MtAsicSetMacMaxLen(1842): Set the Max RxPktLen=1024!
[   34.010101] <--mt_mac_init()
[   34.013204]     WTBL Segment 1 info:
[   34.016562]         MemBaseAddr/FID:0x28000/0
[   34.020477]         EntrySize/Cnt:32/128
[   34.023924]     WTBL Segment 2 info:
[   34.027280]         MemBaseAddr/FID:0x40000/0
[   34.031177]         EntrySize/Cnt:64/128
[   34.034620]     WTBL Segment 3 info:
[   34.037976]         MemBaseAddr/FID:0x42000/64
[   34.041966]         EntrySize/Cnt:64/128
[   34.045410]     WTBL Segment 4 info:
[   34.048766]         MemBaseAddr/FID:0x44000/128
[   34.052869]         EntrySize/Cnt:32/128
[   34.056395] AntCfgInit(3591): Not support for HIF_MT yet!
[   34.062015] MCS Set = ff ff 00 00 01
[   34.065642] MtAsicSetChBusyStat(1146): Not support for HIF_MT yet!
[   34.071958] [PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[   34.078058] [PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[   34.084376] MtAsicSetRalinkBurstMode(4061): Not support for HIF_MT yet!
[   34.091094] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   34.230347] MtAsicSetTxPreamble(4040): Not support for HIF_MT yet!
[   34.240441] MtAsicAddSharedKeyEntry(1909): Not support for HIF_MT yet!
[   34.247166] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
[   34.253386] Main bssid = e4:95:6e:40:d1:ea
[   34.257617] <==== rt28xx_init, Status=0
[   34.316015] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
[   34.324218] WiFi Startup Cost (ra0): 1.990s
[   34.405654] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0x0
[   34.411849] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   35.835526] tx_kickout_fail_count = 0
[   35.839252] tx_timeout_fail_count = 0
[   35.843003] rx_receive_fail_count = 0
[   35.846714] alloc_cmd_msg = 35
[   35.849808] free_cmd_msg = 35
[   35.894412] TX_BCN DESC a6fd6000 size = 320
[   35.898726] RX[0] DESC a6fd8000 size = 2048
[   35.905930] RX[1] DESC a6fd9000 size = 1024
[   35.943271] prepare to get e2p access------------
[   35.948314] E2pAccessMode=2
[   35.951972] cfg_mode=9
[   35.954363] cfg_mode=9
[   35.956757] wmode_band_equal(): Band Equal!
[   35.965256] APSDCapable[0]=1
[   35.968178] APSDCapable[1]=1
[   35.971120] APSDCapable[2]=1
[   35.974039] APSDCapable[3]=1
[   35.976955] APSDCapable[4]=1
[   35.979872] APSDCapable[5]=1
[   35.982802] APSDCapable[6]=1
[   35.985719] APSDCapable[7]=1
[   35.988635] APSDCapable[8]=1
[   35.991562] APSDCapable[9]=1
[   35.994479] APSDCapable[10]=1
[   35.997482] APSDCapable[11]=1
[   36.000499] APSDCapable[12]=1
[   36.003505] APSDCapable[13]=1
[   36.006510] APSDCapable[14]=1
[   36.009514] APSDCapable[15]=1
[   36.012529] default ApCliAPSDCapable[0]=1
[   36.211507] Key1Str is Invalid key length(0) or Type(1)
[   36.217171] Key2Str is Invalid key length(0) or Type(1)
[   36.222850] Key3Str is Invalid key length(0) or Type(1)
[   36.228519] Key4Str is Invalid key length(0) or Type(1)
[   36.264102] load fw image from fw_header_image
[   36.268612] AndesMTLoadFwMethod1(2548)::pChipCap->fw_len(63536)
[   36.274653] FW Version:
[   36.274658] _
[   36.277134] e
[   36.278727] 2
[   36.280333] _
[   36.281925] m
[   36.283519] p
[   36.285114]
[   36.286707]
[   36.288300]
[   36.289895]
[   36.291498]
[   36.294595] FW Build Date:
[   36.294599] 2
[   36.297336] 0
[   36.298931] 1
[   36.300537] 5
[   36.302129] 0
[   36.303723] 6
[   36.305318] 2
[   36.306911] 5
[   36.308504] 2
[   36.310099] 1
[   36.311703] 1
[   36.313296] 4
[   36.314888] 2
[   36.316483] 2
[   36.318077]
[   36.319672]
[   36.322855] CmdReStartDLRsp: WiFI FW Download Success
[   36.720457] CmdAddressLenReq:(ret = 0)
[   36.724940] CmdFwStartReq: override = 1, address = 1048576
[   36.730580] CmdStartDLRsp: WiFI FW Download Success
[   36.740357] MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
[   36.746467] efuse_probe: efuse = 10000012
[   36.750542] RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
[   36.756014] RtmpEepromGetDefault::e2p_dafault=2
[   36.760620] RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
[   36.768288] NVM is FLASH mode
[   36.771362] 1. Phy Mode = 14
[   36.973642] Country Region from e2p = ffff
[   36.990364] tssi_1_target_pwr_g_band = 33
[   36.994446] 2. Phy Mode = 14
[   36.998369] 3. Phy Mode = 14
[   37.001319] NICInitPwrPinCfg(11): Not support for HIF_MT yet!
[   37.007143] NICInitializeAsic(848): Not support rtmp_mac_sys_reset () for HIF_MT yet!
[   37.015087] mt_mac_init()-->
[   37.018003] MtAsicInitMac()-->
[   37.051404] mt7628_init_mac_cr()-->
[   37.054963] MtAsicSetMacMaxLen(1842): Set the Max RxPktLen=1024!
[   37.061082] <--mt_mac_init()
[   37.064161]     WTBL Segment 1 info:
[   37.067520]         MemBaseAddr/FID:0x28000/0
[   37.071414]         EntrySize/Cnt:32/128
[   37.074857]     WTBL Segment 2 info:
[   37.078214]         MemBaseAddr/FID:0x40000/0
[   37.082111]         EntrySize/Cnt:64/128
[   37.085554]     WTBL Segment 3 info:
[   37.088911]         MemBaseAddr/FID:0x42000/64
[   37.092892]         EntrySize/Cnt:64/128
[   37.096334]     WTBL Segment 4 info:
[   37.099690]         MemBaseAddr/FID:0x44000/128
[   37.103781]         EntrySize/Cnt:32/128
[   37.107305] AntCfgInit(3591): Not support for HIF_MT yet!
[   37.112923] MCS Set = ff ff 00 00 01
[   37.116549] MtAsicSetChBusyStat(1146): Not support for HIF_MT yet!
[   37.122868] [PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[   37.128969] [PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[   37.135280] MtAsicSetRalinkBurstMode(4061): Not support for HIF_MT yet!
[   37.141998] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   37.237937] MtAsicSetTxPreamble(4040): Not support for HIF_MT yet!
[   37.248047] MtAsicAddSharedKeyEntry(1909): Not support for HIF_MT yet!
[   37.254780] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
[   37.260988] Main bssid = e4:95:6e:40:d1:ea
[   37.265217] <==== rt28xx_init, Status=0
[   37.269124] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
[   37.277268] WiFi Startup Cost (ra0): 1.380s
[   37.281723] IPv6: ADDRCONF(NETDEV_UP): ra0: link is not ready
[   37.287664] IPv6: ADDRCONF(NETDEV_CHANGE): ra0: link becomes ready
[   38.716386] br-lan: port 1(eth0.1) entered blocking state
[   38.722127] br-lan: port 1(eth0.1) entered disabled state
[   38.727978] device eth0.1 entered promiscuous mode
[   38.732979] device eth0 entered promiscuous mode
[   38.751830] br-lan: port 1(eth0.1) entered blocking state
[   38.757339] br-lan: port 1(eth0.1) entered forwarding state
[   38.763314] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   39.065459] br-lan: port 2(ra0) entered blocking state
[   39.070761] br-lan: port 2(ra0) entered disabled state
[   39.076448] device ra0 entered promiscuous mode
[   39.081173] br-lan: port 2(ra0) entered blocking state
[   39.086388] br-lan: port 2(ra0) entered forwarding state
[   39.272799] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0x0
[   39.278903] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   41.792821] tx_kickout_fail_count = 0
[   41.796547] tx_timeout_fail_count = 0
[   41.800256] rx_receive_fail_count = 0
[   41.803988] alloc_cmd_msg = 36
[   41.807081] free_cmd_msg = 36
[   41.814203] br-lan: port 2(ra0) entered disabled state
[   41.921171] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   42.004589] TX_BCN DESC a6fd6000 size = 320
[   42.008900] RX[0] DESC a6fd8000 size = 2048
[   42.016079] RX[1] DESC a6fd9000 size = 1024
[   42.073326] prepare to get e2p access------------
[   42.078367] E2pAccessMode=2
[   42.082015] cfg_mode=9
[   42.084405] cfg_mode=9
[   42.086800] wmode_band_equal(): Band Equal!
[   42.095300] APSDCapable[0]=1
[   42.098221] APSDCapable[1]=1
[   42.101150] APSDCapable[2]=1
[   42.104065] APSDCapable[3]=1
[   42.106981] APSDCapable[4]=1
[   42.109896] APSDCapable[5]=1
[   42.112820] APSDCapable[6]=1
[   42.115736] APSDCapable[7]=1
[   42.118651] APSDCapable[8]=1
[   42.121574] APSDCapable[9]=1
[   42.124490] APSDCapable[10]=1
[   42.127495] APSDCapable[11]=1
[   42.130511] APSDCapable[12]=1
[   42.133515] APSDCapable[13]=1
[   42.136517] APSDCapable[14]=1
[   42.139522] APSDCapable[15]=1
[   42.142537] default ApCliAPSDCapable[0]=1
[   42.341547] Key1Str is Invalid key length(0) or Type(1)
[   42.347209] Key2Str is Invalid key length(0) or Type(1)
[   42.352888] Key3Str is Invalid key length(0) or Type(1)
[   42.358555] Key4Str is Invalid key length(0) or Type(1)
[   42.394138] load fw image from fw_header_image
[   42.398645] AndesMTLoadFwMethod1(2548)::pChipCap->fw_len(63536)
[   42.405667] FW Version:
[   42.405673] _
[   42.408153] e
[   42.409745] 2
[   42.411368] _
[   42.412962] m
[   42.414556] p
[   42.416151]
[   42.417744]
[   42.419338]
[   42.420940]
[   42.422536]
[   42.425633] FW Build Date:
[   42.425637] 2
[   42.428375] 0
[   42.429968] 1
[   42.431574] 5
[   42.433167] 0
[   42.434760] 6
[   42.436352] 2
[   42.437946] 5
[   42.439539] 2
[   42.441143] 1
[   42.442736] 1
[   42.444330] 4
[   42.445924] 2
[   42.447516] 2
[   42.449109]
[   42.450710]
[   42.453883] CmdReStartDLRsp: WiFI FW Download Success
[   43.702033] CmdAddressLenReq:(ret = 0)
[   43.706639] CmdFwStartReq: override = 1, address = 1048576
[   43.712288] CmdStartDLRsp: WiFI FW Download Success
[   43.804814] MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
[   43.810974] efuse_probe: efuse = 10000012
[   43.815039] RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
[   43.820518] RtmpEepromGetDefault::e2p_dafault=2
[   43.825111] RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
[   43.832822] NVM is FLASH mode
[   43.835885] 1. Phy Mode = 14
[   44.116361] Country Region from e2p = ffff
[   44.122100] tssi_1_target_pwr_g_band = 33
[   44.126176] 2. Phy Mode = 14
[   44.130108] 3. Phy Mode = 14
[   44.133078] NICInitPwrPinCfg(11): Not support for HIF_MT yet!
[   44.138902] NICInitializeAsic(848): Not support rtmp_mac_sys_reset () for HIF_MT yet!
[   44.146846] mt_mac_init()-->
[   44.149765] MtAsicInitMac()-->
[   44.224376] mt7628_init_mac_cr()-->
[   44.227935] MtAsicSetMacMaxLen(1842): Set the Max RxPktLen=1024!
[   44.234079] <--mt_mac_init()
[   44.237158]     WTBL Segment 1 info:
[   44.240528]         MemBaseAddr/FID:0x28000/0
[   44.244415]         EntrySize/Cnt:32/128
[   44.247858]     WTBL Segment 2 info:
[   44.251221]         MemBaseAddr/FID:0x40000/0
[   44.255106]         EntrySize/Cnt:64/128
[   44.258550]     WTBL Segment 3 info:
[   44.261913]         MemBaseAddr/FID:0x42000/64
[   44.265886]         EntrySize/Cnt:64/128
[   44.269329]     WTBL Segment 4 info:
[   44.272724]         MemBaseAddr/FID:0x44000/128
[   44.276787]         EntrySize/Cnt:32/128
[   44.280325] AntCfgInit(3591): Not support for HIF_MT yet!
[   44.285939] MCS Set = ff ff 00 00 01
[   44.289563] MtAsicSetChBusyStat(1146): Not support for HIF_MT yet!
[   44.295885] [PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[   44.301995] [PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[   44.308300] MtAsicSetRalinkBurstMode(4061): Not support for HIF_MT yet!
[   44.315013] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   44.730385] MtAsicSetTxPreamble(4040): Not support for HIF_MT yet!
[   44.740452] MtAsicAddSharedKeyEntry(1909): Not support for HIF_MT yet!
[   44.747173] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
[   44.753381] Main bssid = e4:95:6e:40:d1:ea
[   44.757613] <==== rt28xx_init, Status=0
[   44.761530] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
[   44.769645] WiFi Startup Cost (ra0): 2.760s
[   44.774078] IPv6: ADDRCONF(NETDEV_UP): ra0: link is not ready
[   44.780545] IPv6: ADDRCONF(NETDEV_CHANGE): ra0: link becomes ready
[   44.787037] br-lan: port 2(ra0) entered blocking state
[   44.792302] br-lan: port 2(ra0) entered forwarding state
[   89.000371] random: crng init done
[   89.003840] random: 6 urandom warning(s) missed due to ratelimiting



BusyBox v1.28.3 () built-in shell (ash)

  _______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
-----------------------------------------------------
OpenWrt 18.06.1, r7258-5eb055306f
-----------------------------------------------------
root@GL-MT300N-V2:/#

Cool, right?

Touching the naughty bits

Now that we have connectivity and a readout, let's break it down.

If we take a look at the log we can pull out some interesting tidbits. Specifically:

Code:
Autobooting in:    2 s (type 'gl' to run U-Boot console)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level

Also significant:

Code:
root@GL-MT300N-V2:/#

During the boot sequence we learn that the machine is running U-Boot. Not only can we enter the U-Boot console, but if we allow the machine to boot the kernel we are given two more options. We can enter failsafe mode, which in this case exposes a few more commands and mounts a few things as read-write. Super important, assuming this was a black box, is that we can select a debug level.

Finally, assuming we ignore all attempts to seduce our fingers thus far, we are greeted with a root shell on the device.

From any of the three boot modes (U-Boot, failsafe and normal root) we can make persistent changes to the device, meaning that when the machine is rebooted the changes stay with it.

On top of this the firmware includes the 'vi' text editor. Why is this important? It allows us to view, modify and otherwise analyze the manufacturer's scripts and configs. We can also modify the various HTML pages and the web server.
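One way to turn that read-through into a repeatable check, as an added example that is not part of the original post: a small Python script that scans a saved serial capture for the indicators called out above (bootloader console hint, failsafe and debug-level prompts, and a root prompt that was never preceded by a login or password prompt). The sample capture is constructed from lines in the style of the log above; the rule names and regexes are my own.

```python
import re

# Constructed sample capture, modelled on the boot log above (not a real dump).
SAMPLE_CAPTURE = """\
Autobooting in:    2 s (type 'gl' to run U-Boot console)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[   89.000371] random: crng init done
BusyBox v1.28.3 () built-in shell (ash)
OpenWrt 18.06.1, r7258-5eb055306f
root@GL-MT300N-V2:/#
"""

# (finding name, pattern, why a defender cares) -- names are hypothetical.
RULES = [
    ("uboot_console", re.compile(r"run U-Boot console"),
     "bootloader shell reachable from the serial console"),
    ("failsafe_mode", re.compile(r"enter failsafe mode"),
     "failsafe shell with read-write mounts offered at boot"),
    ("debug_level", re.compile(r"select the debug level"),
     "kernel debug level selectable from the console"),
    ("root_prompt", re.compile(r"^root@[^:\s]+:[^#]*#\s*$"),
     "root shell prompt printed on the console"),
]
# A login or password prompt means the shell was gated by credentials.
LOGIN_RE = re.compile(r"(?i)\blogin:\s*$|password:\s*$")


def audit_console_capture(text):
    """Return {finding: explanation} for security-relevant lines in a capture."""
    findings = {}
    saw_login = False
    for line in text.splitlines():
        if LOGIN_RE.search(line):
            saw_login = True
        for name, pattern, why in RULES:
            if name not in findings and pattern.search(line):
                findings[name] = why
    # The interesting case from the post: root with no authentication at all.
    if "root_prompt" in findings and not saw_login:
        findings["unauthenticated_root"] = (
            "root shell appeared with no login/password prompt before it")
    return findings


if __name__ == "__main__":
    for name, why in audit_console_capture(SAMPLE_CAPTURE).items():
        print(f"{name}: {why}")
```

Point it at a capture saved from your terminal program; a device that prints a login prompt before `root@` will show `root_prompt` but not `unauthenticated_root`.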

Reflecting

There are a few points I would like to make regarding hardware access via UART.

First, the ending was pretty anticlimactic. I did this on purpose. You have three different root shells into three different function modes on this specific device. If you have any inclination of what that means then it doesn't warrant any further explanation.

Let's be fair though. This device, unbeknownst to me, appears to have been designed with this intended. You should be proud of what you have accomplished and give yourself a pat on the back for doing something not a lot of people take the time to venture into.

All things considered though, we walk into our next problem.

Second, this is not uncommon. From IP cameras and baby monitors to other travel routers, a lot of these devices allow arbitrary root access. This can pose a security risk to you and others. Now, are people connecting microcontrollers with pre-loaded scripts to the UART port of your Samsung fridge (it has already been hacked; no guide by me, sorry, and they're like 3 grand) and hacking you? Probably not, and even if they wanted to there are easier tools to use.

HOWEVER

Third, these devices are not always updated quickly. More importantly, a lot of these configuration scripts, or even entire FW revisions with just a device ID change, are used across multiple models of similar devices, allowing the kernel to pick up the hardware changes.

So what does this mean for you?

Well, this method is a bit of a double-edged sword. You see, if you get a mystery device, like a game system, or you're an IT manager and find some random device plugged into your network, having shell access provided by a serial bus is great for reversing. Instead of black-boxing and throwing commands or probing for ages at a device that has no obvious purpose and an even less obvious function, serial gives us a looking glass into the workings of devices. Even if, as I mentioned previously, they do not allow input, seeing how a system reacts to a surprise reboot, or seeing a scan for a specific FW file when booted with a random USB drive plugged in, helps us understand the unknown.

When these things are found, however, and more so when write and root access are given, they allow us intimate knowledge of a device's functionality, and in a lot of cases allow us to find breaches, bugs or attack vectors that can be used on devices spanning models and years. Some without updates.

I think the regularity of this poses enough risk that it might be a good idea for manufacturers to think about bus safeguards before releasing devices, at least a proper password to remove some of the low-hanging fruit. In this case, setting a password or creating a user in the actual web interface of the device in no way prevented any kind of root access in any of the shells, and this is pretty common.

That's it! I hope you learned something and had fun. The costs associated with preparing yourself to dive into the world of serial aren't a lot, and who knows what you might find!