There are many ways to extract the filesystem from a firmware image; one is to use tools like binwalk or the Firmware Analysis Toolkit (FAT). But what if you don't have the firmware?
In that case, physical access to the device can be fruitful: interfaces exposed on the board can give you the filesystem directly, without a firmware image. UART (Universal Asynchronous Receiver/Transmitter) is one of the most common. It carries serial data, and many IoT devices such as routers and smart plugs expose a UART serial console, usually the bootloader and kernel console. A tool like the Bus Pirate can drive that UART for device communication, debugging and hardware hacking.
In this post I get a shell on the router through the UART interface, using a Bus Pirate for the communication.
I am using a Bus Pirate v4 with firmware version: Community Firmware v7.0 – goo.gl/gCzQnW [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO]
DEVID:0x1019 REVID:0x0004 (24FJ256GB106 UNK)
The target for this experiment is a D-Link DIR-600L router.
The boxed headers are the UART pins.
The important step is to identify which of the four pins is transmit (TX), receive (RX), ground (GND) and VCC.
GND is found with the multimeter's continuity test, with the router powered off: hold one probe on a metallic surface of the board (shielding, a connector shell) and touch the other to each header pin in turn. The pin that makes the meter beep is ground.
VCC is found with the voltage test, with the router powered on: one probe on the identified ground, the other on each of the remaining three pins. The pin that reads a constant high voltage (typically 3.3 V on a router like this) is VCC. The last two are TX and RX and can be told apart by trial and error; a faster check is to watch them during boot, when TX jumps around as the bootloader prints to the console while RX stays steady.
Once TX, RX and GND are identified, wire them to the Bus Pirate as follows. VCC stays unconnected: the router runs from its own power adapter, and feeding it from the Bus Pirate risks damaging one or both boards.
Router——> Bus Pirate
GND ——–> GND
TX ———–> MISO
RX ———–> MOSI
In the Bus Pirate's UART mode MISO is its receive pin and MOSI its transmit pin, so the router's TX goes to the Bus Pirate's RX and vice versa.
Connect the Bus Pirate to the PC with a USB cable. The Bus Pirate's own console is reached over that USB serial link with PuTTY: choose the COM port your system assigned to it and set the speed to 115200, the rate the Bus Pirate console expects.
Under the Serial tab set Flow control to None and click Open. This opens a terminal in the Bus Pirate's default mode, HiZ (high impedance), in which no pin is driven. Now follow the commands as executed in the screenshot below:
m opens the mode menu; select UART. When a mode is set, the MODE LED on the Bus Pirate lights up. For the baud rate choose auto-baud detection, so the Bus Pirate measures the router's rate itself and the output comes out readable rather than as garbage. Leave the remaining options (data bits and parity, stop bits, receive polarity, output type) at their defaults.
In UART mode the Bus Pirate's power supplies are switched on from the command line by pressing W (capital; lowercase w switches them off). If you don't get the message "Clutch engaged", power-cycle the router at that moment and try again. Then open the macro menu with (0) and select (1), the transparent bridge, which passes the terminal straight through to the router's serial console (reset the Bus Pirate to get out of it). That takes us to the router's shell without any username or password, and the best part is that it is a root shell.
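The same sequence can be scripted. The script below is an added example and is not part of the original post: instead of the PuTTY menus it drives the Bus Pirate's binary (bitbang) UART mode, opens the transparent bridge at 115200, relays the router's console to your terminal while saving it to bootlog.txt, and warns when the first 512 bytes look unreadable, which is the symptom of a wrong baud rate that the auto-baud option guards against. The command encodings, the "BBIO1"/"ART1" banners and the 0x01 acknowledgement are my reading of the Bus Pirate binary UART documentation and should be checked against the docs for your firmware; pyserial, the port name and the log file name are assumptions.

```python
"""Scripted Bus Pirate UART bridge with boot-log capture.

Added example, not from the original post. It replays the post's PuTTY
steps (UART mode, 115200, transparent bridge) over the Bus Pirate's binary
"bitbang" protocol so the router console is also saved to a file.
Assumptions, to be checked against the binary UART docs for your firmware:
  * Bus Pirate USB console at 115200 8N1 (as in the post).
  * 0x00 sent repeatedly enters bitbang mode (reply "BBIO1"); 0x03 then
    selects raw UART mode (reply "ART1").
  * 0110xxxx sets UART speed, 100wxxyz line settings, 0100wxyz peripherals,
    0x0F starts the transparent bridge (reset to leave); config bytes are
    acked with 0x01.  Port name (COM3, /dev/ttyUSB0) is whatever the OS gave.
pyserial is imported only in main(), so the helpers run without hardware.
"""
import sys
import threading
import time

# Speed codes for the 0110xxxx command (there is no code 1001).
BAUD_CODES = {300: 0x0, 1200: 0x1, 2400: 0x2, 4800: 0x3, 9600: 0x4,
              19200: 0x5, 31250: 0x6, 38400: 0x7, 57600: 0x8, 115200: 0xA}
# (data bits, parity) -> xx field of the line-settings command.
FRAME_CODES = {(8, "N"): 0, (8, "E"): 1, (8, "O"): 2, (9, "N"): 3}
BRIDGE_CMD = b"\x0f"
BITBANG_BANNER, UART_BANNER, ACK = b"BBIO1", b"ART1", b"\x01"


def speed_cmd(baud):
    """0110xxxx: UART speed toward the router."""
    if baud not in BAUD_CODES:
        raise ValueError("no Bus Pirate speed code for %d baud" % baud)
    return bytes([0x60 | BAUD_CODES[baud]])


def line_cmd(output_3v3=True, data_bits=8, parity="N", stop_bits=1,
             rx_idle_low=False):
    """100wxxyz: w = TX driven to 3.3 V (1) or open drain (0),
    xx = data bits/parity, y = stop bits (0: one, 1: two), z = RX polarity."""
    xx = FRAME_CODES[(data_bits, parity)]
    y = 1 if stop_bits == 2 else 0
    return bytes([0x80 | (int(output_3v3) << 4) | (xx << 2) | (y << 1)
                  | int(rx_idle_low)])


def peripheral_cmd(power=False, pullups=False, aux=False, cs=False):
    """0100wxyz: on-board supplies, pull-ups, AUX and CS.  Only GND/TX/RX
    are wired to the router, so 'power' never feeds the router's VCC."""
    return bytes([0x40 | (int(power) << 3) | (int(pullups) << 2)
                  | (int(aux) << 1) | int(cs)])


def readable_ratio(sample):
    """Share of printable ASCII (plus TAB/LF/CR) in a sample.  A wrong baud
    rate shows up as a low ratio: mostly bytes >= 0x80 and control codes."""
    if not sample:
        return 0.0
    good = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(sample)


def _expect(port, want, timeout=0.5):
    """Read until 'want' has been seen or 'timeout' seconds pass."""
    buf, deadline = b"", time.monotonic() + timeout
    while want not in buf and time.monotonic() < deadline:
        buf += port.read(len(want))
    return want in buf


def open_bridge(port, baud=115200):
    """Take the Bus Pirate from its console into a UART transparent bridge."""
    port.reset_input_buffer()
    for _ in range(25):                        # docs: up to 20 zeros needed
        port.write(b"\x00")
        if _expect(port, BITBANG_BANNER, 0.2):
            break
    else:
        raise RuntimeError("Bus Pirate did not enter bitbang mode")
    port.write(b"\x03")
    if not _expect(port, UART_BANNER):
        raise RuntimeError("Bus Pirate did not enter UART mode")
    for cmd in (speed_cmd(baud), line_cmd()):  # 3.3 V push-pull, 8N1
        port.write(cmd)
        if not _expect(port, ACK):
            raise RuntimeError("Bus Pirate rejected command %r" % cmd)
    port.write(BRIDGE_CMD)                     # from here on, raw pass-through


def main(port_name, baud=115200, log_path="bootlog.txt"):
    import serial                              # pyserial
    port = serial.Serial(port_name, 115200, timeout=0.2)
    open_bridge(port, baud)
    print("bridge open: power-cycle the router now (Ctrl-C to stop)")

    def keyboard_to_router():                  # typed lines go to the shell
        for line in sys.stdin:
            port.write(line.rstrip("\n").encode() + b"\r\n")
    threading.Thread(target=keyboard_to_router, daemon=True).start()

    sample = b""
    with open(log_path, "wb") as log:
        try:
            while True:
                data = port.read(256)
                if not data:
                    continue
                log.write(data)
                sys.stdout.write(data.decode("ascii", "replace"))
                sys.stdout.flush()
                if len(sample) < 512:          # check the baud rate once
                    sample += data
                    if len(sample) >= 512 and readable_ratio(sample) < 0.8:
                        print("\n[!] console looks like garbage: wrong baud?")
        except KeyboardInterrupt:
            pass
    port.close()


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/dev/ttyUSB0")
```

Run it as python bridge.py COM3 (or /dev/ttyUSB0) and then power-cycle the router so the whole boot log lands in bootlog.txt. Binary mode has no auto-baud, so pass the rate the Bus Pirate's auto-baud reported when you did it by hand; 115200 is the usual value for router consoles. Unplug or reset the Bus Pirate to leave the bridge.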
The screenshot above shows the router's boot process.
The screenshot above shows the router's whole filesystem.
In this way we get full access to the router's Linux filesystem purely through a debug interface such as UART (as in this case), with no firmware image and no credentials.
You can also go through the various files on the system to find useful information about the device; for example, the password file shows that there are only two users.
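Checking the password file is worth doing systematically once you have the shell. The script below is an added example, not code from the original post; the passwd content in it is constructed for illustration (the hash is a made-up placeholder) and is not the DIR-600L's real file. It parses passwd(5) lines and flags what matters on a box with no other authentication: accounts with an empty password field, hashes kept in the world-readable passwd rather than in shadow, and extra uid 0 accounts.

```python
"""Triage of a router's /etc/passwd read over the UART console.
Added example, not code from the original post.  SAMPLE_PASSWD is
constructed for illustration (the hash is a made-up placeholder)."""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin::0:0:admin:/:/bin/sh
support:$1$Ab3d$K4wT0oZPXv9zDq2eFgHi01:1000:1000:support:/tmp:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
"""

# Password-field values that do NOT carry a hash in passwd itself.
NO_HASH_MARKERS = ("x", "*", "!", "!!")
NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; skip comments and malformed lines."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid),
                      "gid": int(gid), "home": home, "shell": shell})
    return users


def triage(users):
    """Flag the conditions that matter on a device with no other auth."""
    findings = []
    for u in users:
        if u["pw"] == "":
            findings.append("%s: empty password field, logs in with no "
                            "password" % u["name"])
        elif u["pw"] not in NO_HASH_MARKERS:
            findings.append("%s: hash kept in world-readable passwd, crack "
                            "it offline" % u["name"])
        if u["uid"] == 0 and u["name"] != "root":
            findings.append("%s: additional uid 0 account" % u["name"])
    return findings


def login_capable(users):
    """Names of accounts whose shell is not a nologin stub."""
    return [u["name"] for u in users if u["shell"] not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("%d users, %d can log in: %s" % (
        len(users), len(login_capable(users)), ", ".join(login_capable(users))))
    for finding in triage(users):
        print("[!]", finding)
```

On the real device, cat /etc/passwd (and /etc/shadow if it exists) from the UART shell, paste the text into parse_passwd, and compare the findings with what the web interface claims about accounts.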
I also write about technology and security on my personal website.