Intro to hardware security: UART access and SPI firmware extraction
Vložit
- čas přidán 17. 05. 2024
- This is an introduction to hardware security for beginners. I will show you how to connect to the Linux terminal of a TP-Link wireless router using UART, and also how to dump its firmware using a SPI programmer. My aim has been to use the most affordable and accessible tools, so everyone can start without breaking the bank.
As promised in the video, here’s the list of tools that I used or mentioned:
The target: www.tp-link.com/us/home-netwo...
The advanced UART adapter that I mentioned: www.crowdsupply.com/pylo/muart
Programmer I used to dump the firmware: github.com/boseji/CH341-Store
Software I used to dump the firmware: flashrom.org/Flashrom
Software used to extract the firmware contents: github.com/ReFirmLabs/binwalk
For the UART you can use any USB-UART adapter (sometimes called USB to TTL). I used an adapter based on PL2303, but FT232 is more common (the one with the 3.3/5v switch was based on FT232)
If you need more guides, check these out:
www.thezdi.com/blog/2019/9/2/...
nvisium.com/blog/2019/08/07/e...
jcjc-dev.com/2016/04/08/rever...
blog.rapid7.com/2019/02/20/io...
I had to cut some corners to prepare a short and easy to understand video. For example I skipped the part on detecting the UART pins on the boards using an oscilloscope or logic analyzer.
If you have questions or comments, you can reach me via Twitter: / mehdi0x61 - Věda a technologie
Damn. We only get one video from you? I’m sad now, such a great job
Very well done. Clearly explained, step-by-step.
So grateful, it's a good tutoring video with so much detailed explanation.
it was so good , grateful for this tutorial
just as a suggestion: first introduce the devices in video and mention them by typing their name beside them in the first scene of video,i enjoyed it ThanX
From the UK. Hi
Mehdi good introduction I need to go over the video again but it's a good start!!
Thank you very much😘. Looking forward to more practice hank-on work video.
that was a complete tutorial. thanks in advanced
Thx you Mehdi, I learned a lot
BROTHER, YOU ARE THE BEST!!! You oooh really helped me!! THANK YOU VERY
Thx Mahdi jaan. Would u please upload more videos like this? Amazing bro.
Merhaba, izlediğim en faydalı video bu oldu diyebilirim. Detaylı ve dolu dolu içerikle hazırladığınız bu video için Allah sizden razı olsun. Çok çok çok sağolun, elinize sağlık.
Need more details video about this topic. You are great ❤. Love from Bangladesh.
Gee, this is very interesting and great way for troubleshooting a lot devices... thanks...:)
Legend Mehdi! Thanks for this
Very well explained
bahut badhiya dost.. great video,
Thank you Mr Mehdi so helpful
Thanks you (خیلی ممنون آقا مهدی)
It was alot helpfull.
Thank you man
This is great, thanks a lot.
13:29 "3: System Boot system code via Flash" - this is option 3 in the uboot boot menu. It is possible to send a different option via serial keyboard input - like boot to root shell. But this may not be always possible. But in this case, you get to a shell from the get-go.
PL2303 has the right voltage? I meaning 3.3 by default.
I get confused about the right voltage, do you have another video about the voltage?
If you test the PL2303 pins, what voltage do you get?
Great video . Can you give other vulnerable devices list to practice
Great information in this video. Louder audio would be great, as I struggled to hear everything when the volume was set to maximum value.
Great video! Thanks a lot!
dunno if anyone cares but if you guys are bored like me during the covid times then you can watch all of the latest movies and series on instaflixxer. Been streaming with my girlfriend recently =)
@Drew Sam Definitely, have been watching on Instaflixxer for since november myself :D
Plz make more thank u for making this type video
I will try my best. 👍 Please subscribe to get notified of my upcoming videos
I already subscribed you
Hi
How can i reverse engineering dump any eeprom for example s2943 i try ghidra but iam not get any thing
Thank you for information. I have LPC1778 I i tried to read with Flash magic . And i get massage, security violation in device. What i can do ?! I Wann get the firmware.
Thank you
Hello, to to extract firmware from MCU with builtin flash memory such as Atmel ATSAMD21J?
wow, this is the exact router I have. I'm actually surprised it works so well for such a cheap price
its cheap because it has zero security lol
@@myname-mz3lo and zero functionalities 😅
It would be nice to have a video where you edit the firmware and you flash it back to the device!
Great tutorial, thanks for sharing... just a question... I do not have the UART pins on the PCB. What options do I have?
Finding them is not very difficult. Do you have any pin headers on the board at all?
i also not have. how do i know what connect to what? and the usb i bought from adafruit doesnt says which is what
can CH341 also be used for UART?
hello, is it possible to flash firmware in UART mode?
Hey guys by any chance does anyone know how I can pipe all the output from the terminal into a txt file on Linux. I've tried tee, >, >>, and script and still have yet to get the terminal output into a txt file.
آفرین مهندس
using UART access, if the device have telnet, but disabled, can we enable it !
can we extract the firmware of tplink td-w8961n v3 ?
I liked it :)
what if i wanna save a project but i use free trial? can soone help
thanks a lot.
how we can extract portable wireless modems firmware? (4G or TD/LTE)
for example modems which is locked. i mean they restricted to work only with specific SIM Cards.
Well it depends on the modem. I don't know about your modem, but I have seen some that save all the required info on a config file. If you access it via UART, you can edit the file and bypass the limitations.
Hi, I used 115200 Baud rate for UART, which is connected to the IP camera board, but as soon as I give the power, the putty window displays garbage values, need your inputs/suggestion
Sounds like you may have the baud rate wrong, there are not many standard baud rates so it should not take too long to bruteforce the right one.
@@JordanPlayz158I second this for anybody reading this for future reference.
I'm new at this but have seen that the wrong baudrate will give you garbage.
Flash file of other modems
From which site should I get it?
Free . Safe file .
Nice video, pal!!
I have this question rolling in my mind: why is it so important to work on the firmware?Can we "attack" another thing?
Because the firmware contains the actual code, and it might be possible to find remote vulnerabilities and therefore attack other similar devices remotely. Another thing that you can try locally, is hardware fault injection (including voltage glitching, electromagnetic fault injection, etc)
@@MehdiHacks Thank you for replying!. Dude, how can i contact you?. I need to ask you some more questions about UART and firmware! :)
@@toncho1986 You're welcome. You can reach me via Twitter: twitter.com/mehdi0x61
@@MehdiHacks Dude, have you got any email?. I do not use Twitter :/
@@toncho1986 DF2HF[at sign]pm.me
hallo bro can help me for my TPLINK re 450 v3 ..it briked ... thanks bro video
can i cahnge the ip address of this retour using this method?
impressive from Republic of Korea.
سلام ضمن تشکر از آموزش و اطلاعاتی که منتشر کردید . من بخوام با ماژول uart از یک مودم 4g دامپ تهیه کنم و سپس این دامپ و برگردونم رو یک مودم دیگه از همین مدل آیا امکانش هست ؟ یا نیاز به پروگرامر مثل اونی که شما تو فیلم استفاده کردید دارم ؟ با تشکر
سلام. بسته به مدل فلش ممکنه بشه با UART روش بازنویسی کرد ولی سرراست ترین روش استفاده از پروگرمر هست.
I am undable to enter into the shell, it keeps saying cmd is “echo “” > /etc/TZ”
How do you identify which pin hole is for gnd, rx, tx, when there's nothing write on the pcb?
Usually ground is the easiest to identify (simply using a multimeter's continuity mode, with other known grounds). RX and TX can be identified using multiple methods: one is to simply try (there's no harm in using them in the wrong order), second is to use a logic analyzer to "see" what's happening on the wire. I think some UART tools also can auto-discover it. Usually one has lots of data/activity going on, while the other is simply quiet, which means even a voltmeter can be used to identify RX (using fluctuations in the voltage)
Great video, Mr electroboom
More content about this
pues el firmware de tp-link se puede bajar sin compilar
Dump or Extract U-Boot from the running board.
OR
Dump memory to a file from the U-Boot console using the Memory Display command.
This will be helpful in debugging in the situation like you have a board with U-Boot running and don't have the same version of U-Boot binary and want to test on another board.
czcams.com/video/yDFMcBNGW3U/video.html
Why not read the firmware via UART?
Is it possible to repair mi stick tv software with this method?
Hmmm. What do you mean? You can (re)write the firmware using SPI, if that's what you meant.
Is there a universal usb thing that supports jtag,spi,uart,rs232,i2c?
Yes. Bus pirate, Hydrabus, Shikra, Tigard, ...
plz upload more videos
Pretty sure eeprom isn't even a ROM. Its and can be erased and flashed many times. Data can be modified by the device itself, so its also used in microcontrollers to store data after power off.
Plz make more videos
Hi sir do you have dump file ac23 english ver?
Hey. Unfortunately not.
Cute ^-^
Is python installed on that WiFi router terminal??? Plz anyone reply 🥺🥺🥺🥺🥺🥺🥺🥺🥺😭😭😭😭😭😭😭plz ?
To my knowledge, no.
@@MehdiHacks ok than tell me one thing which default programming language is there in that linux shell there. like in windows we have .VBS as default....... Except bash script
why not use V pin in UART?
I could be wrong but the VCC pin from UART is only needed if the device doesn't have its own means of providing power.
Nice video.....u sound like electroboom
اینتر کیبوردت سالمه هنوز؟
آقا مهدی توییتر نداری فالو کنیم؟ توی about چنل چیزی نبود
سلام. انتهای متن ویدیو لینک توییترم رو گذاشتم (mehdi0x61)
@@MehdiHacks اع چه جالب. فالوتون داشتم از قبل. متشکرم
We found Electroboom's younger brother 🤣
That made me smile :D
bro sounds like electrobooooooooooom
IS THIS ELECTROBOOM ??? whats bro doing here
Haha. My name is Mehdi and I sound like him, but I'm not ElectroBOOM
@@MehdiHacks but youre still sus!! and also keep uploading vids
You talk for long time out side the core of the address
خب ویدئو فارسی هم بذار☹️
derka derka
SIMlock code of Huawei B5318-42