A journey into IoT – Hardware hacking: UART

Hi! Today I will publish the first article of a series (I hope!) of posts focused on various aspects of the Internet of Things world.

These articles will probably not disclose anything new, but they have the purpose of giving an introduction on various different IoT concepts to hackers and penetration testers that approach the topic for the first (or second or third) time, without going too far into electrical circuits details.

The topics that I would like to cover in these articles are many, including serial communication protocols (UART, SPI, I2C) , unknown (SDR) and known (ZigBee, BLE) wireless communication protocols, debugging protocols (JTAG), maybe something on RFID/NFC hacking and so on, showing how to approach the different arguments and what we need for the purpose.

Today we will start with an old ADSL modem of a popular Italian operator. I know, an ADSL modem is not really an IoT device, but it is just as an example of a component usually analyzed in IoT contexts. The particular modem that I will use is an old modem belonging to my colleague Maurizio, no longer used:

ADSL modem – Front
ADSL modem – Back

First, we will disassemble the modem, looking at the various components and searching for something that could be interesting for us:

ADSL Modem – Internals

The internals of the router include numerous chips and components. By searching with our favorite search engine we can find the datasheets of the majority of this items, in order to understand their purpose, their protocols and if/how each chip communicates with other components. For this article we already have too many things to cover but in the next stages of our IoT journey we will see some tricks useful to quickly understand many things about our device.

For now, let’s inspect the internals of the device searching for something that could be a port that can be used for communication, maybe installed by the producer for flashing or debugging purposes. Usually a similar port is composed by 3, 4, 5 pins close to each other, but this is not necessarily true every time! In our device, in the top-left corner we can see something that falls into the description:

Unknown port

This can definitely be a port with the aim of allowing communication with the device or with one of its components, but for now we don’t know how we can interact (IF we can) with it.

The first thing that we have to do is try to understand what is the purpose of each PIN of our port. These PINs can serve a lot of different purposes: they can be GROUND PINs (the reference point in an electrical circuit from which voltages are measured), they can be connected to the power supply of the device (VCC, 5V or 3.3V are the most commons), they can transmit or receive data, they can be coordination PINs used for the synchronization of the components (clock), and so on.

The first tool that we need is a multimeter, an electronic measuring instrument that combines several measurement functions in one unit and can usually measure voltage, current and resistance. There are plenty of them that cost from 5 euros to 500, mine costs about 20 euros and for what I need, it does the job! Good electronic tooling is usually very expensive, but an IoT hacker (especially a novice one) requires very basic functionalities and precision and Chinese inexpensive tools are usually more than enough. There is always time to buy a more expensive tool if see that you need more precision!

With our multimeter, the first thing we have to do is try to identify the GROUND PINs. Usually all the GROUND PINs of every component/chip of a device are connected to each other and are also connected with almost all the metal parts of the hardware. We can easily understand which are the GROUND PINs by connecting every PIN with a metal part and verifying if the current flows. The multimeter offers a tool specifically for this purpose, called ohmmeter, that beeps if the current flows between the connected points. It has this symbol:

Multimeter – Ohmmeter

For this step the device we are inspecting must be DISCONNECTED FROM THE POWER SUPPLY.

By doing this procedure on our ADSL modem we discover that probably PINs 2 and 4 of our unknown port are GROUND PINs, because we hear a BIP from the tool:

Ohmmeter on the device

Then, we have to understand the purpose of the other three PINs. We will use again our multimeter. We want to understand the voltage on each PIN, in order to be able to properly configure the tools that we will use in the next steps AND to be sure to avoid damages on them (some tools can be bricked if supplied with too much voltage). We will use the voltmeter tool of our multimeter. The voltmeter has usually many settings: we will use the 20V step, because for the best result of this measure it is necessary to select the step immediately larger to the voltage that probably we will find on the PIN, and we expect either 3.3V or 5V (the most common values). Furthermore, our ADSL Modem has a 9V adapter and consequently the PIN could not reach 20V: it is important because if we choose the 20V step and we try to measure for example a difference of voltage of 30V, we can damage our multimeter. In situations in which we don’t know the difference of voltage of what we are going to measure, it is better to start with bigger steps of our multimeter (like 200V) and then decrease the value after the first measure, because choosing the step immediately bigger than our difference of voltage gives more accurate measures. For this step we need to power on the device. We connect one of the connectors of the multimeter to a GROUND and the other to the three remaining PINs (1, 3 and 5), one at a time. PAY ATTENTION: MAINTAIN THE CONNECTION ONLY FOR THE TIME NEEDED TO READ THE VALUE AND DO NOT TOUCH DIFFERENT PINS AT THE SAME TIME, because otherwise you can damage the device you are inspecting:

Voltmeter on the device

The value detected on all our three PINs is about 3.28V. Most components are powered with 5V or 3.3V, so we can infer that our port is powered with a 3.3V source. My multimeter detects a fixed 3.28V value in all the three PINs but this may not be true: there may be some voltage fluctuations not detected by the multimeter due to some limitations in the tool. In order to see possible oscillations we need a different tool: the oscilloscope.

The oscilloscope is a tool that graphically displays varying signal voltages. Good oscilloscopes are very expensive, but again, for our analysis we don’t need an expensive one. Our goal is to find PINs with oscillations in the difference of voltage because these oscillations could indicate some sort of data transfer.

In my lab I have three different oscilloscopes:

  • DSO150: a 15 euros Chinese oscilloscope
  • DSO201: a 70 euros Chinese oscilloscope
  • SmartScope by LabNation, a combined oscilloscope/logic analyzer that comes from a kickstarter project backed by Maurizio, more expensive (about 230 euros)

For our purposes, the second one is more than enough. To be honest, also the first one is sufficient, if you want to save money, but the quality of the second is much higher…

Now, let’s have a look at the signals on PINs 1, 3 and 5 with the DSO150 (the cheapest oscilloscope we have). By connecting the GROUND of the oscilloscope to the GROUND of our device and the other connector to PIN 5 of our unknown port we obtain the following result:

Oscilloscope on PIN 5

The oscilloscope has time on X axis and the difference of voltage on the Y axis. As you can see on the display of the oscilloscope there are some oscillations in the difference of voltage that may indicate that some data is flowing in PIN 5. By connecting the oscilloscope to PIN 1 or PIN 3 this is the result:

Oscilloscope on PIN 3

In the display of the oscilloscope we can see a fixed line parallel to the X axis, that indicates a fixed difference of voltage of about 3.3V. Why? PIN1 and/or PIN3 can be VCC (connected to the power supply), but can also be receiving PINs. In fact PIN 5 seems to transmit data, but probably our port will also RECEIVE data, requiring a PIN that fits for the purpose. The receiving PIN can stay fixed at 0V or at 3.3V while it is not receiving (it is not mandatory to stay at 0V).

Thanks to the oscilloscope, we saw the analog signals passing in our PINs. But what is our goal? Our goal is to understand if these oscillations represent data in transit. Consequently, we need to transform the analog signal into a digital one and then transform the digital signal into binary data. For this purpose we will use another tool, named logic analyzer, that helps us to transform our analog signals into binary data. We check the PINs with the oscilloscope before switching to the logic analyzer, because the logic analyzer is more delicate than the oscilloscope and can be easily damaged if connected to PINs with difference of voltage too big. For this reason we connected the oscilloscope to the three PINs of our unknown port in order to understand more precisely the difference of voltage on them.

Now that we are sure that there aren’t difference of voltage stronger than 3.4 volts on our PINs we can use the logic analyzer to try to understand what is flowing on our PINs, especially on PIN 5.

Speaking about logic analyzers, Saleae Logic Analyzer is a super choice! It has a superb software with a lot of features: it tries to understand on its own all the parameters necessary to extract the data from the digital signal. Saleae Log Analyzer’s price currently starts from 350 euros; obviously there are Chinese clones of old models starting from 6 euros that support their software, but if it is possible buy the original one because their product and their software deserve every euro!

This is a pic of the original Saleae Logic Analyzer near a Chinese low cost replica:

Original Saleae Logic Analyzer (top) and Chinese replica (bottom)

Now, let’s connect our Saleae Logic Analyzer to PIN 5 and GROUND PIN of our unknown port:

Saleae Logic Analyzer connected to unknown port

Saleae Logic has a great software that allows to comfortably manually inspect the signal. As with the oscilloscope, we have the time on the X axis and the difference of voltage on the Y axis, but the logic analyzer produces a square wave. The GUI shows various information on the wave and is easily zoom-able. But the best feature of the software is the “Analyzer”, that analyzes the signal and extracts the digital data from the wave.

Let’s see Saleae in action! After the connection, we can start the capture with Saleae software and then power up the device. In the “Channel 0” tab we can see our square wave. We can then add an “Async Serial” analyzer, flagging “Use Autobaud” in order to let Saleae automatically understand the baud rate! We have other parameters (bits per transfer, stop bit, parity bit) but fortunately it worked with the standard values selected by default. And that’s the result:

Saleae sofware . On top and left decoded characters and on center auto-detected parameters

From the output of the analysis of Saleae we can be pretty sure that it has chosen the right parameters, because we can read ASCII characters that form English words of accomplished meaning!

Now, let’s recap:

  • We have two GROUND PINs (2 and 4)
  • PINs 1 and 3 seem to be stuck to 3.3V
  • PIN 5 transmits data

From this information, we can make the following conjecture: this can be a port that employs a UART serial communication protocol. UART stands for Universal Asynchronous Receiver/Transmitter and it is a communication protocol that does not employ a clock to synchronize the chips/components/devices that communicate with each other. Usually it employs only two PINs, a TX PIN that transmits and a RX PIN that receives, besides GROUND and VCC PINs. PIN 5 is our TX PIN and probably one of PIN 1 and PIN 3 is the RX PIN.

To communicate with our device we can use a lot of different hardware tools, but the cheapest is the “USB to TTL“, a device created to connect UART devices to the USB port of a computer:

USB to TTL device

Let’s connect the TX PIN of our device to the RX PIN of the USB to TTL and the GROUND of our device to the GROUND of the USB to TTL. The USB to TTL can also power an external device, but this is a feature that should be used only when working with unsoldered chips and not with full platforms in order to avoid damages to the USB to TTL. For now, we will not connect the RX of our device (that hypothetically can be on PIN 1 or on PIN 3) and consequently our notebook will only receive data and would not be able to transmit on the port of the ADSL modem:

USB to TTL – Connection to GROUND and TX

Now we need a sotware to talk with our device. More specifically a text-based serial port communication program. There are many, like Minicom, screen or moserial. Usually I use moserial, but they are all similar. First, we have to supply the connection parameters, in order to be able to “speak” with the port. This can be done by clicking on “Port setup”. The required information in this case are all supplied to us by Saleae software:

  • Baud rate, the transmission speed (in this case 38400)
  • Data Bits, Stop Bits and Parity are the composition of a single “word of data”, that in this case is 8N1 (8bit of data, no parity, 1 stop bit)
moserial configuration taken from Saleae output

Now, we can click on the “Connect” button, power up our device and we see this output:

moserial – Device output

Great! We comfortably read data transmitted by our ADSL Modem! Now we need only to find the RX port in order to be able to talk TO our ADSL Modem. In fact, after booting up, our modem asks to press any key to abort OS load and then, after the boot, it seems to accept commands. In order to find the RX port let’s simply try to connect the TX PIN of our USB to TTL device first on PIN 1 and then on PIN 3. And the winner is………………….. PIN 3!

USB to TTL – Connection to GROUND, TX and RX

By connecting PIN 3 of the port of our ADSL modem to the TX PIN of the USB to TTL device we can send commands to the device, and this is the result:

moserial – Sending “whoami” command

Recapping, we have an ADSL modem that has a UART port that prints during boot the string “Ported to DSL-30xT by JackTheVendicator” and that after the boot spawns a root shell… Uhm… Yes, Maurizio! You are right! Definitely this is a clean ADSL modem as just sent by the operator! XD

Next time we will see how to communicate with a memory using a SPI communication system!


*** EDIT (2018-03-11): JackTheVendicator read the article and replied to my tweet! It’s a small world! 😀

Tweet reply by JackTheVendicator