UART 2

Ok so we think we’ve identified our serial connection, so now let’s have a crack at connecting to it and see what we get.

In order to connect our machine to the device we’re going to need it to ‘speak’ serial. Luckily there are a ton of cheap chips that can do this.

The cheapest and simplest method is to use a USB TTL adapter; you can pick these up super cheap on eBay or Amazon.

Once you’ve plugged it in you’ll need to find out which COM port it’s using on your Windows machine. You can do that by bringing up Device Manager.

If you’re using Linux then you’ll need to find the correct device file under /dev.

Next we need to determine the baud rate. The ‘proper’ way to do this is using an oscilloscope or a logic analyser, but we can make do without.

Unfortunately, without the correct kit, trial and error is the only real way of determining the baud rate. Luckily there aren’t that many standard rates to pick from, so it shouldn’t take too long to get through the list of possibilities. If you don’t have the correct rate the output will be garbled; as soon as you have the right value you should start seeing some data that makes sense.

A list of standard baud rates is below, the most commonly used are in bold:

  • 110
  • 300
  • 600
  • 1200
  • 2400
  • 4800
  • 9600
  • 14400
  • 19200
  • 38400
  • 57600
  • 115200
  • 128000
  • 256000
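The trial and error can be scripted: capture a couple of seconds of output at each rate in the list above and rank the rates by how much of the capture is printable text. This is an added example, not code from the original post; it assumes the third-party pyserial package for the real sweep, and the garbled byte strings in SAMPLE are constructed for illustration.

```python
import string
import sys
import time

# The standard rates listed above
STANDARD_BAUDS = [110, 300, 600, 1200, 2400, 4800, 9600, 14400, 19200,
                  38400, 57600, 115200, 128000, 256000]
PRINTABLE = set(string.printable.encode())  # ASCII text plus whitespace

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for an empty capture."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)

def rank_bauds(captures: dict[int, bytes]) -> list[tuple[int, float]]:
    """Sort candidate rates by how text-like their capture is, best first."""
    scored = [(baud, printable_ratio(raw)) for baud, raw in captures.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

def capture(port: str, baud: int, seconds: float = 2.0) -> bytes:
    """Read whatever the target sends at one rate (needs pyserial)."""
    import serial  # third-party: pip install pyserial
    buf = bytearray()
    with serial.Serial(port, baudrate=baud, timeout=0.2) as ser:
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            buf += ser.read(256)
    return bytes(buf)

# Constructed sample: the login banner from this post beside made-up garbage
SAMPLE = {
    9600: bytes([0x00, 0xF8, 0x80, 0x78, 0x00, 0xFE, 0x1C, 0xE0]),
    57600: bytes([0xC6, 0x4C, 0x9A, 0xFF, 0x32, 0x85, 0x0D, 0xB3]),
    115200: b"TL-MR3020 login: ",
}

if __name__ == "__main__":
    # With a port argument (e.g. COM3, or the adapter's file under /dev),
    # sweep the real device; without one, rank the constructed sample.
    captures = SAMPLE
    if len(sys.argv) > 1:
        captures = {b: capture(sys.argv[1], b) for b in STANDARD_BAUDS}
    for baud, score in rank_bauds(captures):
        print(f"{baud:>7} baud  {score:.0%} printable")
```

Run the sweep while the target is printing, for example right after powering it on, since a silent line scores 0 at every rate.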

The first thing is to physically hook up the wires to the correct spots we identified earlier:

  • TX to RX
  • RX to TX
  • GND to GND

We don’t need to worry about VCC since the device already has voltage from its normal power supply.

Hook those up, you can solder on some pins to make life easier, and you should end up with something that looks like this:

And we’re done. It’s quite hard to make out in these images, but on the USB side we have GND, RXD, TXD.

On the target, as we determined in the previous post, the order from left to right in the above image is VCC, GND, RX, TX, so when we hook the wires up we need to ensure that RX is connected to TX and vice versa.

Now boot up a tool that is able to speak serial through the USB. In this instance we’re going to use PuTTY: enter the relevant serial line and baud rate. In Linux we can do essentially the same thing using the screen command:

screen /dev/ttyUSB0 115200

Turn the target device on and you should start to see output something like this:

At this point there are a number of potential scenarios. If you’re lucky you may get dropped into a root shell (YAY); alternatively you may get to a username/password prompt (less yay).
TL-MR3020 mips #4 Mon Sep 21 17:19:36 CST 2015 (none)
TL-MR3020 login:

In this instance we have a login prompt, so from here we have a few options that we can look into in another post.

UART Basics

UART

What is it?

UART stands for Universal Asynchronous Receiver-Transmitter. It is a hardware device for communicating over a serial connection.

Universal – That one’s obvious

Asynchronous – Because data is transferred without an external clock

Receiver/Transmitter – Because two-way communication is possible.

Essentially a UART takes parallel data and turns it into a sequential serial stream in order to transmit it; once it arrives it’s reassembled back into parallel data. The key here is that it allows data to be sent across a single wire (or whatever medium) rather than setting up parallel communication across multiple wires.

What that means in real terms is that by connecting to a UART you have a way of communicating directly with a device.
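To make the ‘asynchronous’ part concrete, the sketch below serialises bytes onto a simulated line and decodes them with a receiver that has only its own clock to go on. It is an added example, not code from the original post, and it assumes the common 8N1 framing (start bit, 8 data bits sent LSB first, one stop bit, line idle high), which the post itself does not specify.

```python
def frame_8n1(data: bytes) -> list[int]:
    """Serialise bytes as line levels, one list entry per transmitter bit time."""
    bits = [1, 1]                                    # idle line before the first frame
    for byte in data:
        bits.append(0)                               # start bit
        bits += [(byte >> i) & 1 for i in range(8)]  # data bits, LSB first
        bits.append(1)                               # stop bit
    return bits

def receive(bits: list[int], tx_baud: int, rx_baud: int) -> bytes:
    """Decode the line the way a receiver clocked at rx_baud would."""
    def level(t: float) -> int:
        i = int(t * tx_baud)
        return bits[i] if i < len(bits) else 1       # line idles high afterwards
    out = bytearray()
    t, end = 0.0, len(bits) / tx_baud
    while t < end:
        if level(t):                                 # idle: keep hunting for a start bit
            t += 1 / (16 * rx_baud)
            continue
        byte = 0
        for i in range(8):                           # sample mid-bit on the receiver's clock
            byte |= level(t + (1.5 + i) / rx_baud) << i
        out.append(byte)
        t += 9.5 / rx_baud                           # resume hunting inside the stop bit
    return bytes(out)

MESSAGE = b"TL-MR3020 login: "                       # banner text taken from this page
LINE = frame_8n1(MESSAGE)

if __name__ == "__main__":
    for rx in (115200, 57600, 9600):
        print(rx, receive(LINE, 115200, rx))
```

No clock travels with the data, so the receiver times every sample from the start bit using its own configured rate. With matching rates the samples land mid-bit and the text comes back intact; with any other rate they land on the wrong bits.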

How to find it?

The first step is to take a look on the board for some pins that look like they might be a UART. Often you’ll be looking for 4 pins in a line.

These will most likely be:

  • VCC
  • GND
  • TX
  • RX

Now we have something that looks like it might be what we’re looking for we can start testing to see whether we’re in luck.

The pin on the right is labelled as pin 1, so from now on we can refer to them in that order, 4321 left to right.

Sometimes a visual inspection can shed some light onto the situation. Often you’ll be able to see traces on the pins; as a general rule a thick line indicates power and a thin line indicates data.

In our example it’s pretty hard to see anything, although pin 3 does seem to have an ‘X’ shape which may indicate that it’s a GND. We can use a multimeter to help identify the pins to work out whether this is likely to be a UART, and if so which pin is which.

The first step is to find the ground. The easiest way to do this is to use the multimeter’s continuity tester: we’ll place one probe on a metal shield on the board to act as a ground and place the other probe on each pin in turn. If the continuity tester makes a continuous tone then that pin must be GND. It turns out that our hunch was correct and pin 3 is the GND.

Next we’ll power the device up and change the multimeter setting to read voltage. With one probe on the ground (either the metal shield or the ground pin we already identified) we can probe the other pins.

The VCC pin should have a constant reading of 3.3v or 5v depending on the operating voltage of the device. Here we can see the VCC pin has been identified at 3.3v.

Identifying the TX and RX pins is slightly more difficult, and differentiating them is harder still. Often it can be done by measuring the voltage: since the TX pin is sending data it is effectively going from 0 to 3.3v over and over again, and on a multimeter this will often be represented as an average voltage of something between 1.5 and 2.5v.

Following the same principle, the RX pin should be at 0v, effectively waiting for a signal input. In this instance, however, both remaining pins measure at around 2.5v, so we’ll just use some trial and error to determine which is which.

*After some trial and error with the TX/RX it was determined that the order of pins is:

1 – TX

2 – RX

3 – GND

4 – VCC