UART
Universal Asynchronous Receiver / Transmitter
Baud rates
Bauds | Bits/s | Bit duration |
---|---|---|
1200 Bd | 1200 bits/s | 833.333 μs |
1800 Bd | 1800 bits/s | 555.556 μs |
2400 Bd | 2400 bits/s | 416.667 μs |
4800 Bd | 4800 bits/s | 208.333 μs |
9600 Bd | 9600 bits/s | 104.167 μs |
19200 Bd | 19200 bits/s | 52.083 μs |
28800 Bd | 28800 bits/s | 34.722 μs |
38400 Bd | 38400 bits/s | 26.042 μs |
57600 Bd | 57600 bits/s | 17.361 μs |
76800 Bd | 76800 bits/s | 13.021 μs |
115200 Bd | 115200 bits/s | 8.681 μs |
230400 Bd | 230400 bits/s | 4.340 μs |
460800 Bd | 460800 bits/s | 2.170 μs |
Calculate Baud
Hover the mouse over the two fastest bits to find the time between each bit; in the example output it is 8.7 μs (microseconds) per bit. Modern software will usually calculate the baud rate for us, but if it does not, this is how to do it.
To calculate the baud rate we want bits per second (not μs per bit), so flip the problem: 1 bit per 8.7 μs, or 1 bit / (8.7 × 10^-6 s) ≈ 114,943 bits/s.
The baud rate is most likely 115200.
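The calculation above as an added Python example (not code from the original page): it takes edge timestamps exported from a capture, converts the shortest pulse to bits per second, snaps to the nearest rate in the table, and checks that the other pulse widths fit that rate. The function name, the glitch threshold and the sample timestamps are assumptions made for illustration.

```python
# Added example: estimate a UART baud rate from logic-analyzer edge timestamps.
# Standard rates are the ones listed in the table on this page.
STANDARD_BAUDS = [1200, 1800, 2400, 4800, 9600, 19200, 28800, 38400,
                  57600, 76800, 115200, 230400, 460800]


def estimate_baud(edge_times_us, max_residual=0.15):
    """Return (raw_baud, nearest_standard, error_pct, consistent).

    edge_times_us: timestamps (in microseconds) of every signal transition
    on one data line, as exported from a capture.
    """
    times = sorted(edge_times_us)
    intervals = [b - a for a, b in zip(times, times[1:])]
    # Assumption: anything shorter than half the fastest bit time in the
    # table is a glitch, not a real bit, and is dropped.
    glitch_us = 0.5 * 1e6 / max(STANDARD_BAUDS)
    intervals = [i for i in intervals if i >= glitch_us]
    if not intervals:
        raise ValueError("need at least two clean edges to measure a bit")

    # The shortest interval is one bit wide if the capture contains an
    # isolated 0 or 1; flip microseconds-per-bit into bits-per-second.
    raw = 1e6 / min(intervals)
    nearest = min(STANDARD_BAUDS, key=lambda r: abs(r - raw) / r)
    error_pct = (raw - nearest) / nearest * 100

    # Sanity check: every interval should be close to a whole number of
    # bit times at the chosen rate, otherwise the guess is suspect.
    bit_us = 1e6 / nearest
    worst = max(abs(i / bit_us - round(i / bit_us)) for i in intervals)
    return raw, nearest, error_pct, worst <= max_residual


# Constructed sample: edges measured 8.7 us apart, as in the text above,
# with some runs of two and three identical bits.
SAMPLE_EDGES_US = [0.0, 8.7, 17.4, 34.8, 43.5, 69.6, 78.3]

if __name__ == "__main__":
    raw, nearest, err, ok = estimate_baud(SAMPLE_EDGES_US)
    print(f"measured {raw:.0f} bit/s -> {nearest} Bd ({err:+.2f}%), consistent={ok}")
```

If the capture never contains a single isolated bit, the shortest pulse spans several bits and the estimate comes out at a fraction of the real rate, so capture enough traffic before trusting the result.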
Identify unknown pins
Ground
You can easily identify ground by looking at the PCB. A pin without a darker circle around it means it's not connected; it is ground.
Do a continuity test with a multimeter
Power
Do a voltmeter test with a multimeter
Constant value, non-changing
Data
Analyze data pins with a logic analyzer
Analyze analog pins with an oscilloscope
Logic analyzer
Bitmagic Logic Analyzer - use PulseView, the graphical frontend to the Sigrok logic analyzer suite of tools. Install it with `sudo apt install sigrok`.
Assign the protocol analyzer using the yellow and green button in the top right. Click the protocol, UART in this example, to configure the RX/TX lines, baud rate and data format.
Bypass Login / Escalate Privileges
Boot loader bypass
Connect to the device using `screen /dev/ttyUSB0 115200`, `putty` or `minicom`
Spam `e` or other assigned key to enter edit bootloader mode
Edit boot image from `ro` to `rw`
Add `\ init=/bin/bash` at the end of the boot string
Save and exit, if it works you might get a root shell
Recovery mode
Connect to the device and enter recovery mode
Type `mount -o remount,rw /` to get a shell
Change password of root user:
passwd root Passw0rd!
U-BOOT boot argument
Connect to the device and enter U-BOOT
Set the boot argument environment variable by typing the following line:
setenv bootargs console=ttyS0,115200 rootfstype=squashfs,jffs2 1
From the boot log, identify the address at which the kernel is loaded
Boot the kernel using `bootm <kernel address>`
Check the command line the kernel booted with using `cat /proc/cmdline`, usually works on older systems
Failsafe mode
Some systems have a failsafe built in to give the user an opportunity to interrupt the boot process. The easiest way to tell whether a system has one built in is to look for "failsafe" in the boot logs.
In this example we find the failsafe script located at /lib/preinit/30_failsafe_wait on the target system. At the very end of the script we can see that the user is prompted to press the non-printable ASCII character � - how do we do that?
We can accomplish this in several ways:
Copy + Paste, doesn't have to be more complicated than that
Write a program to mirror all data received
Brute force