Over the past couple weeks, I've been spending a lot of time hacking on various embedded devices to figure out how they work and perhaps identify a couple vulnerabilities in the process. One of the fun parts about this experimentation has been exploring how to get terminal access to these devices, seeing what type of software they are running and interacting directly with the underlying operating system. Once you have access to the operating system via the terminal, most of the same techniques for vulnerability assessment still apply.
I recently read an article on the /DEV/TTYS0 blog about reversing serial ports and found the process described there to be very practical for getting terminal access to a variety of different devices. Today I'll be sharing my recent experience of getting terminal access to the Cisco Linksys E-1000 platform, one of the more popular home routers in use today, and the process I took to get that access. I won't be talking about any vulnerabilities in this platform, but I'm hoping that in the not too distant future, myself or one of my team members will be able to share some of our findings on devices in this space once the necessary vendors have been notified and patched accordingly.
Before we get started, it is really important to point out that the process described below can easily be translated beyond just home routers and the Cisco Linksys E-1000 platform. In fact, many devices in your home or even on your person include similar interfaces, which allow you to obtain terminal access to assess the security of these platforms. Some other example hardware platforms that fall into this category include iPhones, Androids, Arduinos, MiFis, IP cameras, video cameras, Raspberry Pi and many others.
Getting Access to the Circuit Board
When attempting to get terminal access on an embedded device like a home router, the interfaces that you will often need access to will not be directly accessible. This means that you're going to need to open the outer shell of the device and interface directly with the circuit board. This also inherently means that you're likely going to void the warranty on the device, which should be considered carefully if the device is expensive and you still have a service contract. As for small home routers, they are relatively cheap and in the rare case that you manage to "brick" one, you're only out about $20 USD or so.
When trying to remove the outer shell from an embedded device you'll want to give the device a good look over and understand how it's being held together. Most of the time, this process includes removing a handful of screws and then splitting the device open. If you cannot find any screws on the device, it's possible that they've been concealed under the rubber pads on the bottom of the device. These rubber pads can easily be lifted up with a small screwdriver. In the case of the E-1000, which I haven't seen on many others, security screws were used to hold the device together. Security screws are simply non-standard screw heads that will prevent the casual consumer from opening the device. Here is a look at the security screws on the E-1000 along with a better picture of what the head looks like.
The bits that drive these types of security screws are much less common than, say, Phillips or other bit sets. However, you can still buy them at a specialty electronics store or Amazon for less than $5. Here is a look at the bits that I purchased at a local electronics store.
After removing the security screws from the E-1000, it did require a little force to remove the cover fully. This is a common occurrence with devices in this class in that they usually have additional plastic snaps or clips that hold them together. If you are removing a cover for the first time, it will likely require some force, but be careful not to pull too hard and break important bits on the device.
Here is a look at what the inside of the E-1000 looks like once you've got the cover removed:
On embedded platforms, you are likely to find two common interfaces that can be used: JTAG and serial. JTAG is a very powerful interface and allows you to do really low-level tasks on the device, including programming the chips on the board, inspecting memory and a variety of other privileged tasks. Serial, relative to JTAG, is a very simple interface, but if you're looking to get terminal access to a device, the serial interface is what you are looking for.
In many cases you can quickly identify the JTAG interface by its form factor, which is typically a double row of pins or unused sockets on the board. Often, vendors will not solder pins into the JTAG slots because they are typically only used during product development and there is a cost benefit in not having to install them for each consumer device.
On the E-1000, the JTAG pins are left empty, like so:
Finding the serial interface on the E-1000 was a little more challenging, which made it more interesting. The other devices we explored recently all had either an empty socket or a soldered pin set that you can tie into directly. For the E-1000, the serial interface consisted of 5 test points (TP12 – TP16) on the circuit board.
The /dev/ttys0 blog post I noted above was very helpful in identifying the ground, receive and transmit pins that made up the serial interface. The challenge with having flat test points directly on the board is that it makes it more difficult to connect a wire to the device and reliably talk to its serial interface.
As a solution to this problem, we took a really fine tipped soldering iron and placed solder balls down on each test point. Each test point was then wired using 30 AWG wire to a custom pin set that was fashioned from a spare electronics board and then hot glued to the E-1000 circuit board. Here is a look at some of the modifications that were made to the board.
In many cases these modifications will not be required, but in other cases it may be one of the only ways to obtain a stable connectivity point to the serial interface.
Once reliable connectivity points are established to the serial interface, the next step is to figure out what voltage the serial interface is using. With the addition of these pins, the process is quite trivial with a couple of hook cables and a multimeter: with the device powered on, measure between the ground pin and the transmit pin, since an idle UART line sits at the logic-high voltage and tells you what level the interface expects.
As seen above, many of these devices will use 3.3V for serial communication. In limited testing, nearly every model tested used 3.3V for its serial voltage. This matters because you don't want to use a 5V cable on a 3.3V device. When you mismatch the voltage on a serial interface the best-case scenario is that you won't be able to talk to the device. In the worst-case scenario, you could actually damage components on the board and end up "bricking" the device, which means you're going to have a bad time.
USB to serial cables can be purchased from a number of sources, including Amazon, in both 5V and 3.3V. If you do end up buying one, I would highly recommend getting one with the FTDI FT232QR chipset, which has support for most operating systems, including Windows, Linux and Mac.
Once you've got your new shiny USB to serial cable, the next step is to connect everything together. I prefer using breadboard M-F jumper wires, which are great for prototyping. You'll want to slide the female end over the pin sets that were either on the board or that you created yourself and then put the male end into the connector on the serial end of the USB to serial cable. You will then want to plug the USB end into your computer to complete the hardware setup.
After getting everything plugged in, the next piece is installing the drivers and figuring out what your new device is called. On Windows, you can learn the device name by visiting Device Manager, and on Linux and Mac you can simply list the files within /dev and look for something with usb or serial in the name until you find the right one. (Example: ls /dev/usb*)
Once you've determined the device name, the next step is determining the baud rate settings. Many of these device types operate at 115200 8-N-1, but not all of them. In order to figure out the baud rate settings of a device you can either try to look them up from the manufacturer spec sheet or take a brute force approach and start guessing the limited number of commonly used settings. Keep in mind that brute forcing the baud rate setting is a pretty easy and fast way to determine what's required to talk to the device.
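Here is an added example of that brute force approach, written for this post and not one of the author's Ruby serial tools: open the port at each commonly used rate, read a short sample of whatever the device is printing, and keep the rate whose bytes look like text rather than line noise. It assumes an open_port callable that you supply (for example wrapping SerialPort.new from the serialport gem for /dev/ttyUSB0) and a printable-byte threshold chosen here.

```ruby
# Brute-force a serial baud rate by scoring how much of a short sample is
# printable text. `open_port` is assumed to be a callable that takes a baud
# rate and returns an IO-like object responding to #read (and ideally #close).
# With the serialport gem you could pass, for example:
#   ->(baud) { SerialPort.new("/dev/ttyUSB0", baud, 8, 1, SerialPort::NONE) }

COMMON_BAUDS = [115_200, 57_600, 38_400, 19_200, 9_600, 4_800, 2_400].freeze

# Fraction of bytes in `sample` that are printable ASCII or tab/CR/LF.
# A wrong baud rate yields mostly high-bit or control bytes, so this drops.
def printable_ratio(sample)
  return 0.0 if sample.nil? || sample.empty?
  bytes = sample.bytes
  good = bytes.count { |b| (32..126).cover?(b) || [9, 10, 13].include?(b) }
  good.to_f / bytes.size
end

# Open the port at each rate, read up to `sample_bytes`, and return a hash of
# baud => printable ratio so the caller can see how clear the winner is.
def score_bauds(open_port, bauds: COMMON_BAUDS, sample_bytes: 256)
  bauds.each_with_object({}) do |baud, scores|
    port = open_port.call(baud)
    begin
      sample = port.read(sample_bytes) || ""
    rescue IOError, Errno::EIO
      sample = ""                      # treat a read failure as "no text"
    ensure
      port.close if port.respond_to?(:close)
    end
    scores[baud] = printable_ratio(sample)
  end
end

# Pick the rate whose sample looks most like text. The threshold keeps a
# silent or uniformly garbled port from producing a false positive (nil).
def guess_baud(open_port, threshold: 0.9, **opts)
  scores = score_bauds(open_port, **opts)
  return nil if scores.empty?
  best_baud, best_ratio = scores.max_by { |_, ratio| ratio }
  best_ratio >= threshold ? best_baud : nil
end
```

Because most of these devices only print during boot, power-cycle the router after opening the port at each rate so there is output to sample.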
The last part is firing up your favorite terminal emulation tool, like PuTTY, screen, minicom, etc. and talking to the terminal directly. Here is a screenshot of talking to the E-1000 via its terminal interface as it boots:
Now that you have access to the internal OS for the target device, you can explore the operating system much as if you were sitting at the console of any other system. This also means that if you're hunting for bugs in products of this style, you have much more detailed information about what's going on behind the scenes. In the case of the Cisco Linksys E-1000, it was running BusyBox, which is pretty common for devices in this class, but you can still navigate around in the operating system and learn more about how it works. Another interesting tidbit about this device was that whenever a configuration change was made, it was echoed as a debug message onto the serial interface, allowing a much richer feedback loop for further vulnerability analysis.
In my opinion, the best way to understand something new, especially when it comes to hardware, is to have someone show me in person. Since I can't be there to show you all in person, I've put together a little video to demonstrate the above described process from my point of view. Please note that this is my first time using iMovie and my mom says I have awesome taste in music, so please be gentle.
Also, if you're interested in the Ruby-based serial tools I showed in this video, I've decided to open source them here so you can have fun with them too. If you have other ideas on how to improve the tools or techniques I've shown for evaluating serial interfaces on embedded devices, please send me a note or a pull request.
PS - I want to specifically thank Craig for his work over at the /dev/ttys0 blog, which acted as an excellent resource of information as I was working with and learning about various embedded devices over the past couple weeks.