Finding UART and Getting a Root Shell on a Linux Router

31,424 views

Matt Brown, 1 year ago

In this video, we will discuss how to find UART debug interfaces on an embedded linux device. We will then leverage UART to get a root shell on the device.
IoT Hackers Hangout Community Discord Invite:
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: nmatt0
linkedin: mattbrwn
github: github.com/nmatt0/

Comments: 75
@KeepEvery1Guessing, 1 year ago
Flux (and even pre-cleaning) is your friend for soldering. A little isopropyl alcohol and a Q-tip is useful for cleaning up flux residue, even if you didn't use flux (because there is flux in the solder core), since it can produce unwanted resistive paths later. A resistor (say, 1K+/-) attached across your meter probes (say, with clip leads) can help to identify the RX pin, since the current through 1K to ground won't significantly affect the power pin voltage, but will move the RX pin significantly (maybe even almost to ground). I'm happy that I have an oscilloscope since I can look for a serial signal during boot even before I have soldered anything. But scopes aren't free (though the ones built in to some of the fancier meters are more than adequate for this purpose). Nice exposition.
@RobertBranch-FL, 1 year ago
Very nice video. I thought your process description was very good and very relatable. Keep it up, information like this is great to get out to help beginners!
@abdultairu, 9 months ago
A button-size neodymium magnet can hold the pin header while you solder one end of the pins. I enjoyed watching this video and I was able to look at the WD streaming box that I have had lying around for a while, but I was unable to log in to gain root access because of a password. I will do a little research to see if others have been able to guess what the password is.
@surenbono6063, 1 year ago
..this is more advanced than a normal windows user...only had experience working with UART on arduinos.. interesting!...got to learn these Linux commands..if the geeks are united they will never be divided..!
@Beterr, 1 year ago
Can we see a video where you don't have access to root shell directly through UART, and how you work around that to get shell access, especially in the case of U-Boot?
@mattbrwn, 1 year ago
awesome idea. I'll look into finding a device with a U-Boot bootloader so I can demo this! great feedback!
@Beterr, 1 year ago
@mattbrwn Definitely subscribed! Glad you came up on my recommended
@PBRichfield, 1 year ago
@Beterr me too, hoping he comes through. I'm not doubting his technical ability but rather his values. Besides, I haven't played this game in a few years since Windows 11 and the Prolific driver B.S. That was my FAV tty and worked every time, 60 percent of the time. Now I have FTDI chips all over and it's simply not the same.
@davidhammond5437, 1 year ago
Loved the video! I would like to see more of this style of video, but next time could you show us what happens when things go wrong and what tricks you've learned to deal with it?
@MickMcMadder, 1 year ago
Electrolytic capacitors have ground marked on them, and there are a few on this board, which connect to a large ground plane. Something like that is a good starting point, as well as the shields on connectors like USB and Ethernet. If you know the barrel jack is center-positive then the solder point at the rear of the barrel jack is positive, since the center pin is crimped to it, so use the side solder joint first.
@mattbrwn, 1 year ago
awesome! this is super helpful stuff :D
@draeath, 1 year ago
@mattbrwn You can also focus your search for something connected to ground on the solder pads around a "complex" of chips, where an EMI shield would be placed (two on the bottom of this thing - at 3:21 the fingers on your left hand are covering the bottom-left corner of one), and also, if the board has large swathes where the copper hasn't been etched away (lighter green), that is usually grounded as well. That's convenient for manufacturing, but it also helps shield from EMI.
@brucewilliams6292, 1 year ago
This was a lot of fun. Subscribed. There are numerous devices like multimeters and stud finders that have comms built in that I'd like to explore. Thanks for bringing us along.
@mattbrwn, 1 year ago
really appreciate it! there are so many devices out there that make good hardware hacking projects!
@MrMactoshi, 1 year ago
Great video man! Would like to see more content!
@gajeelsomugba3785, 1 year ago
thank you straight to the point
@mathewrtaylor, 1 year ago
Great video, and I appreciate your explanation of the pin outs. Need to go to my local Goodwill for some learning on my own! Thanks for posting!
@mattbrwn, 1 year ago
Goodwill and other thrift stores are the best for finding fun stuff like that to hack on :) and then if you brick it you aren't stressed since you aren't out much money.
@longtran12345678, 10 months ago
Very interesting, thanks for your video
@numberiforgot, 1 year ago
I love doing this too dude. So much fun
@shygrammer, 1 month ago
I'd love a course on hardware hacking. I have not been able to find one on Coursera or the others.
@mshabanian, 7 months ago
well done, thanks. I just had the same experience with a Grandstream modem. It just booted right into a shell.
@braapit3246, 1 year ago
I recently started with hardware hacking so this type of experience sharing helps me a lot. The explanation was very clean; the analysis of the chip could have been zoomed in a little. Would love to see your setup with some explanation of what you use it for. Looking forward to more content, keep it up mate. 💪🏻
@mattbrwn, 1 year ago
thanks for the feedback! yeah I really need to get a better overhead camera setup.
@luciusbektisulistyo6469, 1 year ago
yes it works brother! many thanks
@ofsanjay, 1 year ago
Nice tutorial Bro. Hope more content is coming. 👌
@1over137, 1 year ago
"Blue-tac" or whatever brand of sticky poster putty you get locally. Take a blob of it and stuff it onto the pin headers, it will stick well enough for soldering and doesn't melt (much) onto the pins! Shouldn't be an issue.
@jimlundborg, 1 year ago
More videos like this please!!
@ddruckmu, 1 year ago
Thanks it helped me install it
@GrenPara, 1 month ago
Hello, just found your channel and find it interesting. Do you use software to do this or are you simply using the terminal in Linux?
@wl4131, 1 year ago
Awesome vid
@josjuarlister1059, 9 months ago
Great video thank you
@josjuarlister1059, 9 months ago
I think I may have fried my board. I touched two pins with my multimeter while the thing was powered on and suddenly all the lights went out on the board 😬
@PaulGrayUK, 1 year ago
Blu-Tack to hold the header and flux to clean the pads. I usually dip the header into flux liberally, push it through, and that is enough to do the pads neatly. But you can never have too much flux. The main tip in soldering would be a well-tinned iron to start with and lots of flux. What you need is a pogo clamp, alas most you can get are short and you will also need vertically and horizontally lined pogo pins. But it's worth hacking something together, as I don't know about you, but soldering shows why I'm not a brain surgeon 😁
@noureddineghoul2932, 1 year ago
Worked, thx
@dvfilmpk, 1 year ago
good hack, good job man
@satoshiborishi6898, 5 months ago
Pretty cool for a beginner like me
@nhoenderop, 7 months ago
Please keep making videos
@johanngambolputty5351, 1 year ago
What are the extra two pins on the USB to UART cable?
@hackwithprogramming7849, 1 year ago
liked it bro
@bertblankenstein3738, 7 months ago
Just curious whether the pin pitch you have there is 0.1" (2.54mm) or 2.00mm. I found a board in my basement and the pin pitch is 2.00mm, so I had to get that size of pin headers and associated DuPont wires.
@mohammedmariff9034, 5 months ago
Thanks
@stephanhan.8390, 1 year ago
Hey @Matt Brown, a nice educational video as always. Just happened to ask, what's the window manager you are using on the host machine? And also the bar at the bottom? It's nice that you have a notification indicator as well. :)
@mattbrwn, 1 year ago
Thanks! I use the i3 window manager running on Arch Linux. wiki.archlinux.org/title/I3 The bar is just the default i3status bar, but there are lots of cooler replacements for that. I just like to keep it simple. wiki.archlinux.org/title/I3#i3status
@stephanhan.8390, 1 year ago
@mattbrwn thanks mate. Good to see a great Arch setup. I'm a polybar man and need to find a nice indicator like that.
@WWFYMN, 1 year ago
Can I use an Arduino for USB to UART, or can I make it myself?
@fuzzs8970, 1 year ago
Thank you for your video. Any chance you make one for JTAG?
@mattbrwn, 1 year ago
I'm actually just learning JTAG myself, but that's a great idea to do a basic video about what I've explored. We are all on a learning journey. It never ends!
@fuzzs8970, 1 year ago
Hi. Check this channel. Make me hack on KZbin.
@1over137, 1 year ago
I find a lot of "hacking" videos are a bit like: Q: "Wow, you managed to steal all their jewelry, how did you do that?" A: "Well, while I was in their living room I found their door key and cloned it. So I could let myself in later and steal." It's like.... oh.... ah..... not exactly a hack then. While it is very, very interesting from the point of view of "hacking" a device that doesn't want you to mess with its hardware etc., as to "hacking" a user it's irrelevant. Which I'm sure it was intended to be. I mean, if you want a root shell on that router, just hard reset it and flash your own firmware to it. 5 minutes, done.
@mattbrwn, 1 year ago
This is something I get asked a lot at work. You are correct that this is not a "hack" or an "exploit" of a vulnerability unless physical access is in scope. The main thing I use UART or other physical access methods for is to search for those vulnerabilities in a given device that can be exploited over the network. UART gives me access to the firmware, which aids in my research process. UART access isn't a vulnerability in itself, it's a stepping stone to further analysis.
@1over137, 1 year ago
@mattbrwn I suppose. You can make a catalog of modules and libs and go collect a list of exploits to see if any are juicy.
@gersonsoares6628, 1 year ago
All good, Matt, nice video young man: how did you stop the kernel, which key did you press to stop U-Boot? To get the file system?
@mattbrwn, 1 year ago
I just hit enter right at boot time to stop U-Boot. However, if U-Boot is locked this will not work.
@spelerkeerik4483, 1 year ago
god bless ur heart
@waelbadr4724, 9 months ago
I just got the video and you are awesome. I have two questions: 1- since I got control, can I clone the firmware? 2- how to log in in case there's a password?
@daviddavidson2357, 1 year ago
Not a perfect method, but a piece of tape will hold pin headers to the board long enough for you to solder. Blu-Tack may also work, though it'll probably flex too much before it melts. If using pliers, insulate the tips (thermally) so they don't act as a giant heatsink. Vinyl tape will work.
@ahsamahi4385, 1 year ago
Can we use the shell to troubleshoot the board?
@mattbrwn, 1 year ago
yes you can!
@indian3197, 1 year ago
Can I solder DuPont wire directly to the UART pads?
@bertblankenstein3738, 7 months ago
I suppose you could do that. Note the pin pitch. Most pin headers are 0.1" (2.54mm), and a board I'm looking at connecting up has a 2.00mm pin pitch.
@charlesbiggs7735, 1 year ago
Loved it! Now what can we do with it?
@enzanto, 1 year ago
I would love a follow-up video of what we can do now that we are in
@neb_setabed, 1 year ago
Liked the video, but your microphone was peaking a lot, just something to keep in mind for future videos
@mattbrwn, 1 year ago
thanks for this! I've turned my mic down in OBS for my next videos coming soon. Hopefully that makes things better.
@sundarlal12, 1 year ago
Please make videos on smart lock firmware hacking
@beninaskaria, 1 year ago
It’s continuity mode not connectivity mode.
@emmerad, 1 month ago
The metal case of SMD crystals is usually connected to ground, so that's my favorite place to start checking for ground connections.
@KallePihlajasaari, 1 year ago
Explain what you saw in the boot log in a bit more detail so people know what sorts of things to expect and research further. Some of the stuff is unexpected and not obvious. Find a router that you can load OpenWRT into. Something that is well supported, not a nightmare low memory unit.
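As an added example (not the video author's code) for the request above to explain what to look for in the boot log: a small Python script that triages a captured UART boot log for the facts a researcher notes first, namely the bootloader version and whether its autoboot countdown accepts a keypress, the kernel version, the MTD partition layout, the root filesystem type, and whether the console handed out a shell without ever showing a login prompt (the case several commenters describe). The boot log embedded below is constructed for illustration, not captured from the router in the video.

```python
import re

# Constructed sample of a UART boot capture from an embedded Linux router;
# illustrative only, not output from the device in the video.
SAMPLE_BOOT_LOG = """\
U-Boot 1.1.4 (Mar 12 2019 - 10:02:33)
DRAM:  64 MB
Hit any key to stop autoboot:  0
Linux version 3.3.8 (builder@buildhost) (gcc version 4.6.3) #1 Tue Mar 12 2019
Creating 3 MTD partitions on "ath-nor0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000140000 : "kernel"
0x000000140000-0x000000800000 : "rootfs"
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
BusyBox v1.19.4 (2019-03-12 10:05:11 UTC) built-in shell (ash)
/ # """

MTD_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"', re.M)
LOGIN_RE = re.compile(r"login: *$", re.M)


def triage_boot_log(text):
    """Extract the facts a researcher notes first from a captured boot log."""
    uboot = re.search(r"^U-Boot (\S+)", text, re.M)
    kernel = re.search(r"^Linux version (\S+)", text, re.M)
    rootfs = re.search(r"Mounted root \((\w+) filesystem\)", text)
    partitions = [
        {"name": name, "offset": int(start, 16), "size": int(end, 16) - int(start, 16)}
        for start, end, name in MTD_RE.findall(text)
    ]
    lines = text.rstrip("\n").splitlines()
    last = lines[-1].rstrip() if lines else ""
    login_seen = bool(LOGIN_RE.search(text))
    return {
        "uboot_version": uboot.group(1) if uboot else None,
        # A countdown line means the bootloader listens for a keypress on UART.
        "autoboot_interruptible": "stop autoboot" in text,
        "kernel_version": kernel.group(1) if kernel else None,
        "rootfs": rootfs.group(1) if rootfs else None,
        "partitions": partitions,
        "login_prompt_seen": login_seen,
        # A '#' prompt with no login prompt: the console hands out root for free,
        # which is the finding to record (and, for a vendor, the one to fix).
        "unauthenticated_root_shell": last.endswith("#") and not login_seen,
    }


if __name__ == "__main__":
    for key, value in triage_boot_log(SAMPLE_BOOT_LOG).items():
        print(key, value)
```

Feed it the text saved from your terminal program's logging feature; a log that ends at a `login:` prompt is reported as such rather than as a free root shell.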
@herbertlee2673, 1 year ago
Bro, looks like the channel got hacked
@lilblackduc7312, 1 year ago
Thank you for a great video! Nevertheless, I will NOT patronize Goodwill in any fashion since they announced they were 'woke'...Friends don't let friends do those things...
@mattbrwn, 1 year ago
I feel you on that. Any thrift stores that haven't gone woke?
@lilblackduc7312, 1 year ago
@mattbrwn I haven't heard anything like that from Goodwill. So, they sometimes get my business. Don't pay my previous statement any mind, I was just complaining in the middle of the night. I probably should delete it...
@SpeccyMan, 1 year ago
Someone needs to learn the difference between the English words bare and bear!