Extract Firmware using UART
After finding a UART connector on a PCB, we can try to extract the firmware over it.
Steps to Extract Firmware Over UART
1. Identify UART Pins
Locate the UART pins (TX, RX, GND, and possibly VCC) on the target device. The device’s documentation or datasheet may provide this information.
Typically, the pins are labeled as follows:
TX (Transmit): the voltage fluctuates while data is being transmitted
RX (Receive): may look like a VCC pin; when nothing is connected it idles at 3.3V
GND (Ground): 0V
VCC (Power, optional): commonly 3.3V or 5V
2. Connect the UART Adapter
You need a USB-to-UART adapter: FTDI FT232, CP2102, CH340, etc.
Use jumper wires to connect the UART adapter to the target device as follows:
TX (Adapter) → RX (Device)
RX (Adapter) → TX (Device)
GND (Adapter) → GND (Device)
VCC (Optional, Adapter) → VCC (Device) (if powering the device through the adapter)
3. Configure Serial Terminal
Open your serial terminal software and configure the following settings:
Baud Rate: Common values are 9600 and 115200, or whatever the device's documentation specifies. picocom can also adjust the baud rate on the fly (check its docs).
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: None
4. Establish Connection
Open the connection in the serial terminal software. Depending on the device and its bootloader, there are many ways the UART can be implemented. It is a good sign if you see a terminal interface that displays boot messages or a command prompt from the target device.
If the output is unreadable garbage, the baud rate is probably wrong; adjust it and try again.
If you see a boot log:
Restart the device and capture the full boot log, as it can contain important information.
The MTD partition table, for example, tells us where the root filesystem is stored.
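To pull that information out of a captured boot log automatically, here is an added example (not part of the original page) that parses the kernel's MTD partition lines and reports which partition was mounted as root. The boot log it runs on is constructed for the example; the format matches what a Linux kernel prints for fixed partitions on SPI flash.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample boot log (not captured from any real device):
# the MTD lines a Linux kernel prints while bringing up SPI flash.
SAMPLE_BOOTLOG = """\
[    1.234567] spi-nor spi0.0: w25q128 (16384 Kbytes)
[    1.245000] Creating 6 MTD partitions on "spi0.0":
[    1.250000] 0x000000000000-0x000000040000 : "u-boot"
[    1.255000] 0x000000040000-0x000000050000 : "u-boot-env"
[    1.260000] 0x000000050000-0x000000ff0000 : "firmware"
[    1.265000] 0x000000ff0000-0x000001000000 : "art"
[    1.270000] 0x000000050000-0x0000001d0000 : "kernel"
[    1.275000] 0x0000001d0000-0x000000ff0000 : "rootfs"
[    1.280000] mtd: device 5 (rootfs) set to be root filesystem
"""

# One partition line: start-end offsets in hex, then the quoted name.
MTD_PART_RE = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')
# The kernel's note about which MTD device it picked as root.
ROOT_RE = re.compile(r'mtd: device \d+ \((\S+)\) set to be root filesystem')

@dataclass
class MtdPartition:
    name: str
    start: int  # byte offset into flash
    end: int    # exclusive end offset

    @property
    def size(self) -> int:
        return self.end - self.start

def parse_mtd_partitions(bootlog: str) -> List[MtdPartition]:
    """Return every MTD partition the kernel announced, in log order."""
    return [MtdPartition(name, int(s, 16), int(e, 16))
            for s, e, name in MTD_PART_RE.findall(bootlog)]

def find_rootfs(bootlog: str) -> Optional[MtdPartition]:
    """Locate the root filesystem partition; fall back to the name "rootfs"."""
    m = ROOT_RE.search(bootlog)
    wanted = m.group(1) if m else "rootfs"
    return next((p for p in parse_mtd_partitions(bootlog) if p.name == wanted), None)

if __name__ == "__main__":
    for p in parse_mtd_partitions(SAMPLE_BOOTLOG):
        print(f"{p.name:12s} 0x{p.start:08x}-0x{p.end:08x} ({p.size // 1024} KiB)")
    root = find_rootfs(SAMPLE_BOOTLOG)
    print("rootfs at", hex(root.start) if root else "not found")
```

Feed it the text you saved from the serial terminal; the offsets it prints are the ones you will need later to locate the root filesystem inside a dumped image.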
Not all UART interfaces are the same. In fact, manufacturers can output anything they like over it. There are, however, some common patterns, which we discuss further below:
Some manufacturers build a failsafe mode into their devices, designed as a recovery option for when the device is not operating correctly. An example of this is OpenWRT, which prints something like this in the boot log:
Pressing F will give us a root shell:
From here we can check whether the root filesystem has already been mounted, and we can look for:
/etc/shadow hashes
ssh private keys
other credentials
Analyze firmware
Using
binwalk firmware.bin
we can try to analyze the firmware and extract sensitive information; see the "Analyze Firmware" chapter.
Resources
https://www.cyberark.com/resources/threat-research-blog/accessing-and-dumping-firmware-through-uart
https://slava-moskvin.medium.com/extracting-firmware-every-method-explained-e94aa094d0dd