
Accessing Hidden Serial Consoles - Overview - Hardware Hacking Series #1 

Crazy Danish Hacker
28K subscribers
15K views

In this video I talk about the tools required to modify a router slightly, so that the serial console can be accessed. The serial console is basically a backdoor, sometimes "locked", into the heart of the router.
Having serial console access enables you to find out what's going on when your router boots up (i.e. starts), which may provide information about misconfigurations or other interesting information, because even if you can't modify the boot parameters without reflashing the device, and it prompts you with a login screen that cannot easily be guessed, then you still have access to the entire bootlog, which can prove useful in many cases.
Safety Disclaimer: Soldering irons are tools that should be handled properly as they can easily cause injury. Soldering thread containing lead is toxic and should not be exposed to open wounds. If you do a lot of soldering, then you should consider wearing some thin gloves. (Not plastic!)
Always wash your hands after handling lead. If you're going to eat something while soldering, then wash your hands first. Keep food and drinks away from your working table too.
Lead-free solder thread is not without risks either, as it's harder to use, and the increased fumes it may produce are in return more toxic.
Warranty Disclaimer: By opening and modifying your router you forfeit/nullify all warranties. If you break your router while modifying it like I do in my videos, then it is your own fault. Soldering on equipment is not without risks. (I haven't managed to break my routers yet though.)
Topics Covered:
- Tools required
- Router specifications (brief)
- Serial console (UART) location
- DD-WRT notes about router vulnerabilities
- Solder bridges
- Basic theory about connecting to serial consoles (in relation to power, etc.)
- JTAG port location
Hardware:
- Multimeter (The one I have with a "beep" sound is Velleman DVM821. Link: www.velleman.e...)
- Oscilloscope (Velleman EDU09. This is not an easy kit to assemble. Link: www.vellemanpro...)
- USB to TTL Serial Cable (www.adafruit.c...)
- Bus Pirate - v3.6a (dangerousprotot...)
- TP Link Router (TL-WA801ND)
- D-Link Router (DIR-842 - Revision B)
Stay tuned and subscribe for more upcoming videos showing actual hacks!
Twitter: @CrazyDaneHacker
Facebook: / crazydanishhacker
Patreon: / crazydanishhacker
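Once the UART header is wired up, the boot log the description mentions is the first thing worth reviewing on your own device. The script below is an added example (not code from the video or its author): it optionally captures raw output from a USB-to-TTL adapter and then triages the captured text for the details a reviewer looks for (bootloader banner, kernel version, console speed, whether the console lands at a login prompt or drops straight into a shell, and credential-like strings printed in plaintext). It assumes the adapter shows up as /dev/ttyUSB0 at 115200 8N1 (a common default, but verify it for your board), the optional third-party `pyserial` package for the live capture, and a boot log constructed here for illustration.

```python
"""Capture a router's UART boot output and triage it for security-relevant details.

Added example, not the video author's code. Assumptions: USB-to-TTL adapter on
/dev/ttyUSB0 at 115200 8N1 (check this for your board) and the third-party
'pyserial' package for live capture. The triage itself runs offline on any text.
"""
import re
import time

# Indicator patterns. These are constructed for this example; extend them for
# the bootloader and kernel your device actually runs.
INDICATORS = {
    "bootloader": re.compile(r"^(U-Boot|CFE version|RedBoot)\b.*", re.M),
    "kernel": re.compile(r"Linux version (\S+)"),
    "console_speed": re.compile(r"console=(tty\S+?),(\d+)"),
    "login_prompt": re.compile(r"^\S* ?login: ?$", re.M),
    "unauth_shell": re.compile(r"^(/ ?# ?|~ ?# ?|BusyBox v[\d.]+.*shell)", re.M),
    "autoboot_abort": re.compile(r"Hit any key to stop autoboot", re.I),
    "hardcoded_secret": re.compile(r"(password|passwd|wpa_psk)\s*[=:]\s*\S+", re.I),
}

# Constructed sample boot log (not captured from a real router).
SAMPLE_BOOTLOG = """\
U-Boot 1.1.4 (Jun 12 2015 - 10:02:11)
DRAM:  64 MB
Hit any key to stop autoboot:  0
## Booting image at 9f020000 ...
Linux version 2.6.31 (build@host) (gcc version 4.3.3) #1 Fri Jun 12 2015
Kernel command line: console=ttyS0,115200 root=31:02 rootfstype=squashfs init=/sbin/init
serial8250: ttyS0 at MMIO 0x18020000 (irq = 19) is a 16550A
BusyBox v1.01 (2015.06.12-10:00+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ #
"""


def capture_bootlog(port="/dev/ttyUSB0", baud=115200, seconds=60):
    """Read raw serial output for `seconds` of wall time (requires pyserial).

    Power the router on right after calling this so the bootloader banner is caught.
    """
    import serial  # third-party; imported lazily so triage works without it

    chunks = []
    deadline = time.time() + seconds
    with serial.Serial(port, baud, timeout=1) as ser:
        while time.time() < deadline:
            data = ser.read(4096)
            if data:
                chunks.append(data.decode("utf-8", errors="replace"))
    return "".join(chunks)


def triage_bootlog(text):
    """Return a dict of indicator name -> first matching line fragment."""
    found = {}
    for name, pattern in INDICATORS.items():
        match = pattern.search(text)
        if match:
            found[name] = match.group(0).strip()
    return found


def risk_notes(found):
    """Turn the triage result into plain-language observations for a device review."""
    notes = []
    if "unauth_shell" in found and "login_prompt" not in found:
        notes.append("serial console drops to a root shell without authentication")
    if "autoboot_abort" in found:
        notes.append("bootloader autoboot can be interrupted; boot parameters may be editable")
    if "hardcoded_secret" in found:
        notes.append("credential-like value printed in plaintext during boot")
    return notes


if __name__ == "__main__":
    # Replace SAMPLE_BOOTLOG with capture_bootlog() to run against a real device.
    result = triage_bootlog(SAMPLE_BOOTLOG)
    for name, value in result.items():
        print(f"{name:16s} {value}")
    for note in risk_notes(result):
        print("NOTE:", note)
```

Run it against `capture_bootlog()` output instead of the constructed sample to review a real device; the regexes are deliberately narrow, so add patterns for whatever your bootloader and firmware print.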

Published: 7 Sep 2024

Comments: 20
@CrazyDanishHacker 6 years ago
In lower resolution there seems to be a few issues with this video (audio playing but video stopping). If you watch the video in 1080p this issue should not happen.
@fathomisticfantasy2681 4 years ago
Where is Morpheus?!!! I think he wants to buy your glasses. LOL
@reedbrousseau5884 4 years ago
@Crazy Danish Hacker I find that it’s easiest to create a short bend in the end of a cut off resistor lead just long enough to bridge two points and then trim the bridge with a pair of flush cutters afterwards. It’s less fiddly and more precise than trying to get the solder to bridge the gap itself. I keep an empty pill bottle in my soldering kit to hold all of the leads I cut off from soldering projects, and another for short lengths of wire.
@CrazyDanishHacker 4 years ago
Excellent advice!
@reedbrousseau5884 4 years ago
Crazy Danish Hacker I recently bought two on AliExpress for less than $10USD shipped each (one was $6 shipped, and the other $8 shipped), just search for “24MHz Logic Analyzer” and you’ll be inundated with options. Cheers!
@s7acktrac35 5 years ago
My wife says why you laughing so much. I say it's nothing. She says tell me .. I said the BestBuy employee was trying to ask about internet speed when the guy solely brought the router to take it apart lol you wouldn't understand! Man when you said you didn't think that was an intelligent question have mercy lol!
@Veso266 7 years ago
Did you ever try to modify firmware for TP-Link routers?
@CrazyDanishHacker 7 years ago
I will get to that, it should be very easy to overwrite it, but I might try some other stuff first with the originally installed firmware.
@triularity 3 years ago
This looked to have a lot of potential, but the audio was horribly out of sync with the video, making what was being talked about not very useful.
@rajjad 6 years ago
Can we modify incoming and outgoing packets?
@CrazyDanishHacker 6 years ago
From and to the UART interface? Sure, but you will either just have the same functionality that you already have with UART, or, you could find a buffer overflow vulnerability maybe.
@xelionizer 7 years ago
JTAG has a lot of GND contacts, but interfacing only requires 6 signal lines, I believe ;)
@CrazyDanishHacker 7 years ago
I think you can possibly get by with fewer ( dangerousprototypes.com/docs/Bus_Pirate_I/O_Pin_Descriptions ). I haven't tried it yet, but I clearly remember from some other resources that one of the things that can take longer is finding the right contacts, unless you buy a JTAGulator (which is relatively expensive compared to what it can actually do). There are also homemade JTAGulator alternatives that you can build with an Arduino, I believe. ( p16.praetorian.com/blog/jtagulator-vs-jtagenum-tools-for-identifying-jtag-pins-in-iot-devices )
@xelionizer 7 years ago
I have one of the good old AVR Dragon boards, but have actually only used the SPI and HVSP parts. Are there any advantages of JTAG over UART (apart from speed, of course) for the task we're facing in this case?
@CrazyDanishHacker 7 years ago
Interesting, I haven't played that much with hardware debugging yet, but I have heard of SPI and other methods (1-Wire, I2C), though not HVSP, which I just read about briefly. With SPI I was planning to reflash the flash chip that contains the firmware in a later video. Then I should probably also buy one of these instead of making a homemade one: www.digikey.com/product-detail/en/pomona-electronics/5250/501-1311-ND/745102 or www.sparkfun.com/products/13153 xD In most cases I would generally prefer UART access plus a firmware file I can download from e.g. the developer's website or possibly "dump" via a UART command if that is built into the bootloader, since you can then quickly analyze various security problems, that is, if you can log in :-) With JTAG you get access to more options, such as dumping the firmware, as they showed at the end of this video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-jK1NWglhpWI.html I can see you could possibly also try SPI, but that requires desoldering the flash chip: reverseengineering.stackexchange.com/questions/2337/how-to-dump-flash-memory-with-spi So UART is mostly because you have "console access" while the device is running (unless the JTAG interface also supports UART?), and JTAG is for when there is no UART interface. On the devices I've looked at, though, UART seems to be more common than JTAG. As I've mentioned / hinted earlier, I'm not an expert in hardware debugging, as it's really just a side hobby I thought could be fun to learn about and show others in an understandable and interesting format, while I also learn other things within SDR, and of course what I already know a lot about, web app sec and pentesting in general. The most fun thing I've played with so far, though, was UART access to my Samsung phone via a Micro USB cable.
(Homemade Samsung Anyway with a variable resistor (10 turns), protoboard, Micro-USB connector, pin header, and ethernet cable for the "connections". To the pin header I've then connected a USB-to-TTL adapter or a BusPirate. It's quite fragile, but it works. I've recorded some of the material for that video but haven't reviewed it yet, since it's several hours of recordings.)
@alpercinar5330 7 years ago
JTAG requires 4 pins: TDI, TDO, TMS and TCK, plus an optional reset pin if the test logic supports it. UART is just a serial console, but it can be restricted, a bit like jailed SSH. With JTAG you can halt the CPU before the bootloader is finished, and then you can in principle do anything: dump the firmware from flash, modify the RAM, debug the kernel, etc.
@CrazyDanishHacker 7 years ago
Good tips Alper Cinar, thumbs up from me :-)