- Part 1: Enumerating Components and Finding Serial Ports
Part 2: Coming soon!
Some time ago I decided to learn how to attack, gain privilege access and perform modifications to hardware such as routers or IoT devices. In these collection of posts, I will be doing a walkthrough on how to reverse engineer a router, in concrete the following one:
Enumerating Components and Finding Serial Ports
The first we are going to do is analyzing the PCB and gather information about the components and find if there is any visible debug port. Debug ports were designed by the engineers and left in the PCB for debugging the systems and physical connections between the pins.
Looking at the board we can see the following components and debug ports:
- Broadcom BCM6328
- BMIPS4350 @ 320 MHz
- BMIPS4350 @ 320 MHz
- BCM43225 802.11b/g/n (2x2)
- RF Transceiver
- ProMOS V59C1512164QDJ25
- SDRAM DDR2-800
Maybe you are wondering how I got the UART pinout. The best way to do this, is using a multimeter and checking the voltage behavior in the pins just after the router is switched on:
- Vcc: 3.3 V
- Tx: Is pulled high (same as Vcc) and dropped 2-1 V when sending data
- Rx: Is pulled high (same as Vcc)
In case you still don’t know which is Tx and which one is Rx, you can use a logic analyzer and sniff the serial communication. I am using this simple logic analyzer:
And it looks like this after attaching it to the UART:
And Logic program from Saleae.
In the program, you will need configure the baudrate so it can decode the serial communication. I used baudrate tool from devttys0 to get the baudrate, but you can get this value by seeing the symbols and the Tx time of them to get this value.
Now that we have everything ready, lets start sniffing communication in the UART:
The logic analyzer was able to decode some data from the UART, and we can see clearly:
CFE version 1.0.37-110.11-2 for BCM96328 (32bit,SP,BE).
Getting shell via UART
We will be using a FT232H, which is a chip from FTDI that works like an USB to serial converter but includes many serial protocols such as UART, SPI, I2C, JTAG, SWD…
From the datasheet, we know
AD0 (Tx) and
AD1 (Rx) are the pins for the Async serial communication.
We connect the
Tx pin from router to the
Rx pin in the
FT232H and the
Rx from the router to the
Tx from the
FT232H. Now its time to connect to port:
And switch the router on!
We haven”t accessed shell yet, but we can see relevant information:
Boot Address: 0xb8000000 Default PSK key: 8859C2E7kC46F2842C2k # Default WiFi Key! Booting from latest image (0xb8010000) ... Code Address: 0x80010000, Entry Address: 0x802935a0 Determined physical RAM map: memory: 03f00000 @ 00000000 (usable)
PreSharedKey matches with router sticker:
The router is using Busybox:
BusyBox v1.00 (2011.09.13-03:40+0000) Built-in shell (msh)
Wait a minute or so until the system has boot up and type
help or whatever:
Unfortunately, the commands are limited but we can still obtain some credentials:
You can use tools like JohnTheRipper to crack these passwords:
It was obvious:
We still haven’t access to shell. We will try doing command injection to get it:
cat | sh worked! We are in!
And lets check our privileges in the system:
Hope you have enjoyed this brief post. Part 2 will come soon! :)