
Finding UART and Getting a Root Shell on a Linux Router 

Matt Brown
29K views

In this video, we will discuss how to find UART debug interfaces on an embedded linux device. We will then leverage UART to get a root shell on the device.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/

Science

Published: 6 Sep 2022

Comments: 74
@KeepEvery1Guessing 1 year ago
Flux (and even pre-cleaning) is your friend for soldering. A little isopropyl alcohol and a Q-tip is useful for cleaning up flux residue, even if you didn't use flux (because there is flux in the solder core), since it can produce unwanted resistive paths later. A resistor (say, 1K+/-) attached across your meter probes (say, with clip leads) can help to identify the RX pin, since the current through 1K to ground won't significantly affect the power pin voltage, but will move the RX pin significantly (maybe even almost to ground). I'm happy that I have an oscilloscope since I can look for a serial signal during boot even before I have soldered anything. But scopes aren't free (though the ones built in to some of the fancier meters are more than adequate for this purpose). Nice exposition.
@abdultairu 7 months ago
A button-sized neodymium magnet can hold the pin header while you solder one end of the pins. I enjoyed watching this video and I was able to look at the WD streaming box that I have had lying around for a while. I was unable to log in to gain root access because of a password, but I will do a little research to see if others have been able to guess what the password is.
@surenbono6063 1 year ago
..this is more advanced than a normal windows user...only had experience working with UART on arduinos.. interesting!...got to learn these Linux commands..if the geeks are united they will never be divided..!
@Beterr 1 year ago
Can we see a video where you don't have access to root shell directly through UART, and how you work around that to get shell access, especially in the case of U-Boot?
@mattbrwn 1 year ago
awesome idea. I'll look into finding a device with a uboot bootloader so I can demo this! great feedback!
@Beterr 1 year ago
@mattbrwn Definitely subscribed! Glad you came up on my recommended
@PBRichfield 1 year ago
@Beterr me too, hoping he comes through. I'm not doubting his technical ability but rather his values. Besides, I haven't played this game in a few years since Windows 11 and the Prolific driver B.S. That was my FAV tty and worked every time, 60 percent of the time. Now I have FTDI chips all over and it's simply not the same.
@MickMcMadder 1 year ago
Electrolytic capacitors have ground marked on them, and there are a few on this board, which connect to a large ground plane. Something like that is a good starting point, as well as the shields on connectors like USB and ethernet. If you know the barrel jack is center-positive then the solder point at the rear of the barrel jack is positive, since the center pin is crimped to it, so use the side solder joint first.
@mattbrwn 1 year ago
awesome! this is super helpful stuff :D
@draeath 1 year ago
@mattbrwn You can also focus your search for something connected to ground on the solder pads around a "complex" of chips, where an EMI shield would be placed (two on the bottom of this thing; at 3:21 the fingers on your left hand are covering the bottom-left corner of one). Also, if the board has large swathes where the copper hasn't been etched away (lighter green), that is usually grounded as well. That's convenient for manufacturing, but it can also help shield from EMI.
@RobertBranch-FL 1 year ago
Very nice video. I thought your process description was very good and very relatable. Keep it up, information like this is great to get out to help beginners!
@davidhammond5437 1 year ago
Loved the video! I would like to see more videos in this style, but next time could you show us what happens when things go wrong and what tricks you've learned to deal with it?
@braapit3246 1 year ago
I recently started with hardware hacking so this type of experience sharing helps me a lot. The explanation was very clean; the analysis of the chip could have been a little more zoomed in. Would love to see your setup with some explanation of what you use it for. Looking forward to more content, keep it up mate. 💪🏻
@mattbrwn 1 year ago
thanks for the feedback! yeah I really need to get a better overhead camera setup.
@brucewilliams6292 1 year ago
This was a lot of fun. Subscribed. There are numerous devices like multi-meters and stud finders that have coms built in that I'd like to explore. Thanks for bringing us along.
@mattbrwn 1 year ago
really appreciate it! there are so many devices out there that make good hardware hacking projects!
@mathewrtaylor 1 year ago
Great video, and I appreciate your explanation of the pin outs. Need to go to my local Goodwill for some learning on my own! Thanks for posting!
@mattbrwn 1 year ago
goodwill and other thrift stores are the best for finding fun stuff like that to hack on :) and then if you brick it you aren't stressed since you aren't out much money.
@MrMactoshi 1 year ago
Great video man! Would like to see more content!
@mshabanian 6 months ago
well done, thanks. I just had the same experience with a Grandstream modem. It just booted right into a shell.
@ofsanjay 1 year ago
Nice tutorial Bro. Hope more contents are coming. 👌
@numberiforgot 1 year ago
I love doing this too dude. So much fun
@longtran12345678 8 months ago
Very interesting, thanks for your video
@gajeelsomugba3785 1 year ago
thank you straight to the point
@jimlundborg 1 year ago
More videos like this please!!
@1over137 1 year ago
"Blue-tac" or whatever brand of sticky poster putty you get locally. Take a blob of it and stuff it onto the pin headers, it will stick well enough for soldering and doesn't melt (much) onto the pins! Shouldn't be an issue.
@GrenPara 19 days ago
Hello, just found your channel and find it interesting. Do you use software to do this or are you simply using terminal in linux?
@luciusbektisulistyo6469 1 year ago
yes it works brother ! many thanks
@stephanhan.8390 1 year ago
Hey @Matt Brown, a nice educational video as always. Just happened to ask, what's the windows manager you are using at the host machine. And also the bar at bottom? It's nice that you have a notification indicator as well. :)
@mattbrwn 1 year ago
Thanks! I use the i3 window manager running on Arch Linux. wiki.archlinux.org/title/I3 The bar is just the default i3status bar, but there are lot of cooler replacements for that. I just like to keep it simple. wiki.archlinux.org/title/I3#i3status
@stephanhan.8390 1 year ago
@mattbrwn thanks mate. Good to see a great Arch setup. I'm a polybar man and need to find a nice indicator like that.
@josjuarlister1059 7 months ago
Great video thank you
@josjuarlister1059 7 months ago
I think I may have fried my board, I touched two pins with my multimeter while the thing was powered on and suddenly all the lights went out on the board😬
@PaulGrayUK 1 year ago
Blu-Tack to hold the header and flux to clean the pads. I usually dip the header into flux liberally, push it through, and that's enough to do the pads neatly. You can never have too much flux. But the main tip in soldering would be: a well-tinned iron to start with and lots of flux. What you need is a pogo clamp; alas, most you can get are short and you will also need vertically and horizontally lined pogo pins. But it's worth hacking something together, as I don't know about you, but soldering shows why I'm not a brain surgeon 😁
@fuzzs8970 1 year ago
Thank you for your video. Any chance you make one for JTAG?
@mattbrwn 1 year ago
I'm actually just learning JTAG myself but that's a great idea to do a basic video about what I've explored. We are all on a learning journey. it never ends!
@fuzzs8970 1 year ago
Hi. Check this channel. Make me hack on RU-vid.
@ddruckmu 1 year ago
Thanks it helped me install it
@satoshiborishi6898 3 months ago
Pretty cool for a beginner like me
@wl4131 1 year ago
Awesome vid
@bertblankenstein3738 6 months ago
Just curious whether the pin pitch you have there is 0.1" (2.54mm) or 2.00mm. I found a board in my basement and the pin pitch is 2.00mm, so I had to get that size of pin headers and associated Dupont wires.
@waelbadr4724 7 months ago
I just got the video and you are awesome. I have two questions: 1) since I got control, can I clone the firmware? 2) how to log in in case there's a password?
@dvfilmpk 1 year ago
good hack, good job man
@gersonsoares6628 1 year ago
All good, Matt? Nice video, young man. How did you stop the kernel, which key did you press to stop U-Boot in order to get at the filesystem?
@mattbrwn 1 year ago
I just hit enter right at boot time to stop uboot. However, if uboot is locked this will not work.
@johanngambolputty5351 1 year ago
What are the extra two pins on the USB to UART cable?
@noureddineghoul2932 1 year ago
Worked, thx
@nhoenderop 6 months ago
Please keep making videos
@hackwithprogramming7849 1 year ago
liked it bro
@charlesbiggs7735 1 year ago
Loved it! Now what can we do with it?
@enzanto 1 year ago
i would love a follow up video of what we can do now that we are in
@daviddavidson2357 1 year ago
Not a perfect method, but a piece of tape will hold pin headers to the board long enough for you to solder. Blu tac may also work, though it'll probably flex too much before it melts. If using pliers insulate the tips (thermally) so they don't act as a giant heatsink. Vinyl tape will work.
@WWFYMN 1 year ago
can I use an arduino for usb to uart, or can I make it myself?
@1over137 1 year ago
I find a lot of "hacking" videos are a bit like: Q: "Wow, you managed to steal all their jewelry, how did you do that?" A: "Well, while I was in their living room I found their door key and cloned it. So I could let myself in later and steal." It's like.... oh.... ah..... not exactly a hack then. While it is very, very interesting from the point of view of "hacking" a device that doesn't want you to mess with its hardware etc., as to "hacking" a user it's irrelevant. Which I'm sure it was intended to be. I mean, if you want a root shell on that router, just hard reset it and flash your own firmware to it. 5 minutes, done.
@mattbrwn 1 year ago
This is something I get asked a lot at work. You are correct that this is not a "hack" or an "exploit" of a vulnerability unless physical access is in scope. The main thing I use UART or other physical access methods for is to search for those vulnerabilities in a given device that can be exploited over the network. UART gives me access to the firmware, which aids in my research process. UART access isn't a vulnerability in itself, it's a stepping stone to further analysis.
@1over137 1 year ago
@mattbrwn I suppose. You can make a catalog of modules and libs and go collect a list of exploits to see if any are juicy.
@mohammedmariff9034 4 months ago
Thanks
@ahsamahi4385 1 year ago
Can we use the Shell to troubleshoot the board?
@mattbrwn 1 year ago
yes you can!
@indian3197 1 year ago
Can I solder dupont wire directly to the UART pads?
@bertblankenstein3738 6 months ago
I suppose you could do that. Note the pin pitch. Most pin headers are 0.1"(2.54mm), and a board I'm looking at connecting up has 2.00mm pin pitch.
@spelerkeerik4483 1 year ago
god bless ur heart
@neb_setabed 1 year ago
Liked the video but your microphone was peaking a lot, just something to keep in mind for future videos
@mattbrwn 1 year ago
thanks for this! I've turned my mic down in OBS for my next videos coming soon. hopefully that makes things better.
@beninaskaria 1 year ago
It’s continuity mode not connectivity mode.
@sundarlal12 1 year ago
Please make videos on smart lock firmware hacking
@KallePihlajasaari 1 year ago
Explain what you saw in the boot log in a bit more detail so people know what sorts of things to expect and research further. Some of the stuff is unexpected and not obvious. Find a router that you can load OpenWRT into. Something that is well supported, not a nightmare low memory unit.
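The request above for more detail on what the boot log shows, together with Matt's reply earlier in the thread that UART access is mainly a stepping stone to firmware analysis, is the kind of thing a small triage script helps with. The following Python example is added here and is not from the video or its author; it runs over a constructed boot log (the U-Boot and Linux line formats are the common ones, not output from the router in the video) and summarises the bootloader and kernel versions, the flash partition map, services started at boot, and whether the serial console asked for a login before handing out a shell.

```python
import re

# Constructed sample of the kind of text a UART console prints while a Linux
# router boots; it is not captured from the device in the video.
SAMPLE_BOOT_LOG = """\
U-Boot 1.1.3 (Jan  1 2020 - 00:00:00)
Hit any key to stop autoboot:  0
Linux version 2.6.36 (builder@example) (gcc version 4.6.3) #1 Wed Jan 1 00:00:00 UTC 2020
Creating 5 MTD partitions on "raspi":
0x000000000000-0x000000030000 : "u-boot"
0x000000030000-0x000000040000 : "u-boot-env"
0x000000040000-0x000000050000 : "factory"
0x000000050000-0x000000150000 : "kernel"
0x000000150000-0x000001000000 : "rootfs"
Starting telnetd
Please press Enter to activate this console.
/ #
"""

# MTD partition lines as the kernel prints them: start-end : "name"
PART_RE = re.compile(r'^0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')

def triage_boot_log(text):
    """Summarise the security-relevant facts in a captured UART boot log."""
    report = {"bootloader": None, "autoboot_interruptible": False,
              "kernel": None, "partitions": [], "services": [],
              "console_auth": "unknown"}
    for line in text.splitlines():
        line = line.rstrip()
        if m := re.match(r"^U-Boot\s+(\S+)", line):
            report["bootloader"] = "U-Boot " + m.group(1)
        elif "stop autoboot" in line:
            # U-Boot offers a countdown: the bootloader prompt is reachable
            report["autoboot_interruptible"] = True
        elif m := re.match(r"^Linux version (\S+)", line):
            report["kernel"] = m.group(1)
        elif m := PART_RE.match(line):
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            report["partitions"].append({"name": m.group(3), "start": start, "size": end - start})
        elif m := re.match(r"^Starting (\S+)", line):
            report["services"].append(m.group(1))
        elif line.endswith("login:"):
            report["console_auth"] = "password"
        elif re.match(r"^(/\S*\s*)?[#$]$", line) or "activate this console" in line:
            # A shell prompt (or BusyBox's "press Enter" banner) with no login: prompt first
            if report["console_auth"] != "password":
                report["console_auth"] = "none"
    return report

if __name__ == "__main__":
    for key, value in triage_boot_log(SAMPLE_BOOT_LOG).items():
        print(f"{key}: {value}")
```

A `console_auth` of `none` is the finding to report first: a serial console that drops straight to a root shell means anyone with the case open has the firmware, and the same script applied to a real capture tells you which partition to dump and which kernel and service versions to look up next.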
@emmerad 13 days ago
The metal case of SMD crystals is usually connected to ground so that's my favorite place to start checking for ground connections
@herbertlee2673 1 year ago
Dude, looks like the channel got hacked
@lilblackduc7312 1 year ago
Thank you for a great video! Nevertheless, I will NOT patronize Goodwill in any fashion since they announced they were 'woke'...Friends don't let friends do those things...
@mattbrwn 1 year ago
I feel you on that. Any thrift stores that haven't gone woke?
@lilblackduc7312 1 year ago
@mattbrwn I haven't heard anything like that from Goodwill. So, they sometimes get my business. Don't pay my previous statement any mind, I was just complaining in the middle of the night. I probably should delete it...
@SpeccyMan 1 year ago
Someone needs to learn the difference between the English words bare and bear!