
Intro to Hardware Reversing: Finding a UART and getting a shell

Jun 07, 2021
Hello friends, Tony here. Today it's all about hardware: let's buy this D-Link 931L, crack the case, find a serial port and use it to gain access to the shell.

Now, the 931 is almost identical to the 932 from my last video, the one where we extracted the filesystem from a firmware binary. It was fun, hopefully informative, but it was static, and there's only so much you can do with the firmware laid out like that, dead on the table. Don't get me wrong, you can learn some very cool stuff when you hit dead things with sticks, but sometimes that lack of interaction can be limiting, and that's why our goal today is to leave you with shell access on the 931, so you can watch it and, more importantly, interact with it from the inside while it's live.
While we wait for the camera, if you've never touched hardware before, don't worry: this is a very easy goal, and the idea here is to help you get exposure to reversing concepts, not master them, so don't be intimidated. All of this will eventually be super fun. If you want to try this on your own, check out the description for a list of tools and equipment. One of the things on that list will be the camera itself, but before we buy it, we have to ask ourselves how we know this thing even has a serial port. Those things are rarely exposed on consumer devices, so if there is one, it's inside the case, and I don't see any internal photos in this listing here. So rather than going in blind and just buying it with our fingers crossed, we need to take a look inside the 931 before spending any money.

There are a few ways to take a look, but one of my favorites is courtesy of the FCC. Here's how it works in the US: any device that transmits radio signals like Wi-Fi must be licensed by the FCC. The applications submitted for those licenses are for the most part a matter of public record, so we can search through them all we want, and when we do, we can usually find internal photos like these that I found for the 931L. How to search the FCC filings and do all that fancy stuff is a topic for another day, so for now let's just take a look at these photos. Right off the bat, we can see that the form factor lines up with what we saw on Amazon: same size, same shape. That's great; it tells us we're in the right place.
I can also see that the board is super well labeled; each component has a little identifier, all the way down to each capacitor. That's awesome. The chip markings are still present, that's cool. Let's take a look at the other side: a camera lens, more labels, ooh, okay, that little eight-legged guy is probably where the firmware lives. Not a serial port, yeah, but a good lead for another day. What really catches my attention here is these little JST connectors, especially that little 1, 2, 3, 4 pin one; that kind of design suggests a serial port. Now, these are photos of a test unit; there is no guarantee that thing will be there in production, like the one we'd buy in the store, but based on what we're seeing here I feel pretty good about it. At least it'll be good enough; you know, I'm not crossing my fingers anymore, so I'll buy it and we'll see.

Amazon delivered the camera, so it's time to crack the case. To do this, we'll use some fancy tools: a piece of aluminum cut from a can and a 1 millimeter guitar pick, just things that I happen to have at home. You can definitely buy professional tools, but I don't need them.
I'm going to start here by sliding the aluminum piece in between the two halves of the case to separate them. Now, sometimes these things are glued or screwed on, but usually, for cheap things like this, they just click together. Once it holds on its own, you can go ahead with the guitar pick; just try to get it in there, very cool, pop, get rid of that aluminum, and now we just walk it around, making sure we don't go too deep, because we don't want to scratch any of the components inside and cause any damage. But also remember we're not taking apart a nuclear bomb here, so don't be afraid to give it a little push every once in a while if that's what it needs. It feels like we're free. Cool, there's the back of the board, which looks an awful lot like what we saw in the FCC picture. It's attached with a single Phillips head screw, so go ahead and get that little guy out, and with it off we should be able to, yeah, there's the other side. Pretty cool, pretty easy. The next step is I'm going to put this in this little vise here, just to make it a little bit easier for us to do our thing.
It's not necessary, but it will be easier, especially for me, trying to get the camera to work on this thing. I'll give myself a second to line this whole sucker up and I'll be back to you. Okay, I've got it in the vise. I have the power here connected to a switch that is off, so there is no power to this board, but there is something else that is not on the board either, and that's the little JST connectors that we saw in the FCC pictures. They decided not to include them in production units, which makes sense: if you don't plan to expose that functionality to your consumer, including the connector on each one of these cameras would simply be a waste of money. But the absence of that connector does not mean that they also chose to disable the functionality of that port, so we want to test what was under the connector, and that's these four plated through holes, three circles and a square, which they very kindly labeled G, R, T and V: ground, receive, transmit, voltage.
To do that, we're going to get out our handy little multimeter here, stick it in and hope it stays. I'm going to test ground first, going to continuity mode, and that just means that when there is a circuit between the probes we get a little chirp. I'm going to place one of the probes where I think ground is, and I'm going to put the other one where I think the ground plane for this device is, which is a big fat test pad here. Great, I get a chirp telling me that yes, G does indeed mean ground, and now we need to see if our T and V have voltage, and at what levels, once the device is running, so I'm going to move to DC volts here.
I'm going to turn it on, put one of the probes on ground and the other on V and see what we get. So V is at 3.31; okay, so if this is a port, it's a 3.3 volt port. Let's go to T, it's at 3.27, so I guess that's where the serial information is written, and, oh yeah, look at that, look at how it dips down and comes back up. I guess that's because 3.26 indicates that it is actively writing information to the serial port, and when it doesn't print anything, the voltage drops. And finally we see R, which should be silent because it's just there waiting for us to write something, and it is. Cool, so everything we just saw, let me turn this off, indicates that we're dealing with a 3.3 volt serial connection. That means we need something that can talk to a 3.3 volt serial connection, like this little guy, an FTDI, so we'll stick with that.
The way this works: one end goes to the laptop here via USB, and the other end we connect to the board through these little grabber probes and cables. They're called grabber probes because they grab; you can see that very well right now. We could take these grabber probes and try hooking them into each of the plated through holes, but it's a miserable experience and they fall out a lot, so what I'm going to do is, without soldering, just place these little pins here, nothing special. You could do this with paperclips if you wanted, but let's place them in the holes like this; maybe we'll have continuity problems.
Well, I think we might have a problem; the connection isn't as nice as we'd like it to be, but let's try. The first thing I'm going to do is connect the ground of my FTDI to the ground pin of this device; that's cool. The next thing I'm going to do is take the TX, so this is where I'm talking, and I'm going to put it somewhere where I think this device is listening, like this, the R pin. Fine, and finally I'm going to put my RX, my receive, where it's talking, so I'm going to put that on the T pin. If I've done everything right and I don't have any of them touching, and it looks pretty good, then when we power up the board, we can connect the other side to the laptop.
We should be able to hear and hopefully talk with this device. We're going to try it. We can start by opening my Kali VM. I have the FTDI connected via USB, so just to make sure Kali sees it, I'll check the output of lsusb, and yeah, it's there, so Kali knows it's there. Now, to connect, I'm going to need to specify that device, and to do that I need to know the tty. I'll get it by running ls on /dev and grepping for USB; it looks like ttyUSB0 is the one, so, easy, cool, we're ready to talk to this thing.
I'm going to use the screen utility. I'll say: screen, do me a favor, open a connection to the device at /dev/ttyUSB0 with a baud rate of... we don't actually know the baud rate, and we'll have to specify it. That's fine, there are a few different ways to get it. We could connect an oscilloscope or logic analyzer to the UART and grab a raw sample like this one here; armed with it, we could calculate the baud rate manually. That process is really fun, but it's slower than what we want to do here. A viable alternative would be to have a tool that does this automatically, but I'm personally a big fan of door number 3, which is just to start with some guesswork. It's easier and faster than it sounds.
Look, there are only a handful of standard baud rates. Here is a quick list of them. I only find a subset of them very regularly; these ones here in green are quite common. If we start guessing from this short list, we can usually land on it within a few tries, and of course if it doesn't work we can always resort to those other methods. Let's do it, starting with 115200, which is a super common serial rate. Open up, turn on the camera and, oh, okay, that's ugly. Not everyone can be a winner. Let's turn off the camera, close screen with a Ctrl-A, and now we can try the next one down on the list, uh, 57600. Turn it on, and it worked fine; we get U-Boot and watch the menus ask us to choose. The bootloader seems unlocked, so it's almost guaranteed we can get a shell, I mean, assuming it doesn't drop us on one. Okay, it defaulted to number 3, so it's doing its thing, it's unzipping the firmware image, it's booting up. That's cool. Wow, it's about to appear; it's going to be very talkative, right, we'll see a lot of things flying by here.
That's great, it'll be a goldmine. When you try this on your own, don't go crazy trying to catch everything as it comes; just make sure you write the output to a log file, or at least a buffer you can scroll back through like we're doing here, so you can read it, you know, nice and easy. Trying to type a lot of commands while the console is firehosing like this is just not worth the pain; it'll calm down in two or three minutes anyway. You know what, for the sake of time, I'm going to fast-forward this until it looks like it's done. Okay, it looks like it's relaxed; we can check the shell now. Just remember it's still a console, so things are going to print here from time to time, but once the boot process is done it will be quite manageable. Super fast, let's see where we are.
pwd says root. What's here? A Linux file system, right: configs, scripts, binaries and a lot of fun directories to explore. But we could examine the contents of the file system after doing our static analysis work in the last video; today is about what's squirming when it's running, so let's make sure we can see all of that with ps -ef, and yeah, those are the running processes as expected, some Linux classics there, but also some things that are specific to this device, like that watchdog. Cool, with which we have achieved our goal for the day: we have shell access to the camera, so now you can explore it and interact with it while it's alive and well. Hopefully this was fun and made the concept of exploring a piece of hardware like this at least a little less foreign. For those looking to try this out for themselves, check the description for a link to a tutorial, and in case you get stuck, I'll also include some troubleshooting ideas. Thanks for watching.
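The baud-rate step from the video, as an added example that is not code from Tony or the video (he used screen and guessed by hand): a Python helper that derives the rate from logic-analyzer edge timestamps on the TX line, plus a guesser that walks the common-rate list and keeps the first rate whose capture reads as text instead of garbage. The `read_at_baud` callback, the candidate order, the edge timestamps and the sample captures are my assumptions, constructed for the demo.

```python
# Added example, not code from the video: the baud-rate step, two ways.
# (1) derive the rate from a logic-analyzer capture of the TX line;
# (2) guess from the standard list and keep the rate whose output reads as
# text rather than the garbage we saw at 115200 on this camera.

STANDARD_BAUDS = [1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400]
# Order of the short "common" subset to try first is my assumption.
COMMON_GUESSES = (115200, 57600, 9600, 38400, 19200)


def baud_from_edges(edge_times_s):
    """Shortest gap between consecutive TX edges is one bit period, so the
    rate is 1/gap; snap to the nearest standard rate to absorb jitter."""
    gaps = [b - a for a, b in zip(edge_times_s, edge_times_s[1:]) if b > a]
    if not gaps:
        raise ValueError("need at least two distinct edge timestamps")
    raw = 1.0 / min(gaps)
    return min(STANDARD_BAUDS, key=lambda std: abs(std - raw))


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def guess_baud(read_at_baud, candidates=COMMON_GUESSES, threshold=0.9):
    """Try each candidate; return the first whose capture looks like text.
    read_at_baud(baud) returns bytes read after opening the port at that
    rate (with pyserial: serial.Serial(port, baud).read(n)). A wrong rate
    yields mostly high-bit/control bytes, so the ratio separates cleanly."""
    for baud in candidates:
        if printable_ratio(read_at_baud(baud)) >= threshold:
            return baud
    return None  # none of the guesses worked: fall back to the capture method


# Constructed stand-in for a real port: garbage at the wrong rate, a boot
# menu at the right one. These are not real captures from the camera.
_DEMO_CAPTURES = {
    115200: b"\xff\xfe\x80\x00\x9c\xf0\xe6\x1b\x00\xff",
    57600: b"\r\nBoot menu (constructed)\r\n1: flash\r\n3: boot\r\n",
}


def demo_read(baud):
    """Fake read_at_baud(): hand back the constructed capture for a rate."""
    return _DEMO_CAPTURES.get(baud, b"\x00\xff" * 5)
```

With a real FTDI, swap `demo_read` for a function that opens `/dev/ttyUSB0` at the given rate and returns a second or two of bytes; the rest is unchanged.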
