UART - Shell Access to Router

BaudSkidNinja
3 min read · Feb 6, 2022


So, it was my birthday, but I was alone, so there was no celebration or cake cutting. I was bored, so I looked around and saw a router hanging on the wall in my PG room. I became curious, and since I have just started getting into hardware hacking, I thought, why not start with it?

I immediately took it out and disassembled it. I could then clearly see that there was a UART. We can easily identify it by looking for 4 pins together. Okay, let me try to explain UART simply.

UART Pins

UART:

UART (Universal Asynchronous Receiver-Transmitter) is one of the most often used communication protocols in embedded devices. It converts the parallel data it receives into a serial bit stream that is easier to interact with. The transmitting UART translates parallel data from a controlling device, such as a CPU, into serial data, which it then sends to the receiving UART. The receiving UART turns the serial data back into parallel data for the receiving device.

UART Communication

UART sends data asynchronously, which means there is no clock signal to sync the transmitting UART’s output of bits with the receiving UART’s sampling of bits. Instead, the transmitting UART adds start and stop bits to the data packet, allowing the receiving UART to know when to begin reading the bits.

UART Cheatsheet

Let The Game Begin:

As I had already identified the pins, I proceeded further. But in order to connect through it, a USB to TTL dongle is required. I took out my “CP2102-Module-Serial-Converter” and wired RX to TX, TX to RX, and GND to GND with jumper wires.

Please keep in mind that UART pins are not always labeled, like in my case. In that situation, you can identify the pins with a multimeter or logic analyzer.

Next, I used “screen” in the terminal to communicate by typing screen /dev/ttyUSB0 9600 and turning on the router. My terminal began receiving some random characters as soon as it was powered. But wait, something was off, because it was giving me garbage: the baud rate. My baud rate (9600) was absolutely incorrect. A simple technique to get the proper baud rate is to try all of the typical UART baud rates, or to use baudrate.py.

the terminal receiving garbage data

Common Rates: 600, 1200, 2400, 4800, 9600, 11400, 19200, 38400, 57600, 115200, 128000 and 256000.
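To see why a wrong baud rate shows up as garbage, here is an added example (not from the original post and not baudrate.py) that simulates an 8N1 UART line in Python, decodes it at several candidate rates, and picks the rate that recovers the most cleanly framed printable bytes. The 16x sampling rate, the boot text, and all function names are assumptions made for the simulation, and the scoring is a simple heuristic.

```python
import string
# Candidate rates tried in turn (a subset of the common rates listed above).
CANDIDATE_RATES = [9600, 19200, 38400, 57600, 115200]
SAMPLE_HZ = 115200 * 16  # assumed sampling rate of the simulated line
PRINTABLE = set(string.printable.encode())

def encode_8n1(data: bytes, baud: int) -> list:
    """Line level per sample tick: idle high, start bit 0, 8 data bits LSB first, stop bit 1."""
    per_bit = SAMPLE_HZ // baud
    line = [1] * (2 * per_bit)
    for byte in data:
        for bit in [0] + [(byte >> k) & 1 for k in range(8)] + [1]:
            line.extend([bit] * per_bit)
    return line + [1] * (2 * per_bit)

def decode_8n1(line: list, baud: int):
    """Receiver side: wait for a start bit, then sample mid-bit. Returns (bytes, framing_errors)."""
    per_bit = SAMPLE_HZ // baud
    out, errors, i = bytearray(), 0, 0
    while i + 19 * per_bit // 2 < len(line):  # room left for a whole frame
        if line[i] == 1:  # idle: keep waiting for the falling edge of a start bit
            i += 1
            continue
        stop = i + 19 * per_bit // 2  # middle of the stop bit
        byte = 0
        for k in range(8):  # middle of each data bit, LSB first
            byte |= line[i + (2 * k + 3) * per_bit // 2] << k
        if line[stop] == 1:
            out.append(byte)
        else:
            errors += 1  # stop bit low: framing error, byte discarded
        i = stop
    return bytes(out), errors

def score(line: list, baud: int) -> int:
    """Number of cleanly framed printable bytes recovered at this rate."""
    data, _ = decode_8n1(line, baud)
    return sum(b in PRINTABLE for b in data)

def detect_baud(line: list) -> int:
    return max(CANDIDATE_RATES, key=lambda rate: score(line, rate))

if __name__ == "__main__":
    # Constructed boot text, sent by the simulated device at 115200 baud.
    boot = b"Booting...\r\nStarting kernel\r\nPress Enter to activate console\r\n"
    line = encode_8n1(boot, 115200)
    for rate in CANDIDATE_RATES:
        print(rate, score(line, rate), decode_8n1(line, rate))
    print("best guess:", detect_baud(line))
```

Only the matching rate samples each bit in the middle of its own time slot; at every other rate the receiver reads bits from neighbouring frames, which is the garbage seen in the terminal.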

I had tried 9600 first, then 115200, and when I powered the router back on again, I saw readable text in my terminal. I waited a few minutes for the booting process to finish, then pressed Ctrl+C, and it got me into the shell.

Shell Access

This is how I acquired shell access to the router. I reassembled it and kept it there as it was without trying further exploitation because it is not mine haha! ;)

This was my short write-up on how I gained shell access to my PG room’s router through UART. I hope you enjoyed reading it. Thank you!
