One of the most common interfaces in embedded hardware is the universal asynchronous receiver/transmitter (UART). The UART is a hardware serial bus; it’s easy to access and very interesting to look at.
Depending on the device and how it was hardened by its manufacturer, the UART can reveal a lot of useful information or even an unprotected, interactive root shell. This is because many modern devices run on embedded Linux systems. UARTs are used as a console port for debugging and development. Have you ever wanted a root shell on a coffeemaker? The UART might get you there.
The first thing to look out for when identifying a UART connector is the typical 4-pin connector on the circuit board of your target device. The pins are the bus lines: VCC (power), GND (ground), RX (receive), and TX (transmit). In rare cases, the connector is even labeled. When this happens, it’s as simple as plug and play. If the labels aren’t present, you need a logic analyzer to work out which line is which and how to connect to them.
Often, the connector is not populated on retail devices. In this case, you have to find the unpopulated header on the circuit board. If the pins are missing from the board, the header location and labeling can conveniently be found in the FCC application for the device. Once there, check for an entry called “Internal Photos.” To find the FCC application for your device, simply search online for the device name and its type number on the FCC ID lookup services. Many vendors submit development boards to the certification process, and in their submissions you will find all possible connectors and their labeling. If pins are present in the FCC photos but the header is unpopulated on your retail board, you have most likely spotted a debug interface.
Another common form of UART connector is test points. Test points look like little round solder pads and are usually grouped together. These test points are normally used in combination with a test bed during the development process. Since you don’t have a matching test bed, you can solder thin wires in place to test them. Thin wires such as AWG30 work very well. Don’t be afraid to solder; it’s very easy in this case.
Once you have attached a thin wire to the potential target interface by clipping, soldering, or simply using a jump wire, it’s time to enumerate the interface.
First, find the ground (GND) pin. Use a multimeter and measure all pins against a common ground. The easiest way to find GND is to use the shielding of a connector or the ground pin of the power plug. Make sure the board is unplugged during the process.
Once you have identified the ground pin, you can set up your logic analyzer. Plug the remaining three pins into Channels 0 to 2 of the logic analyzer and connect the analyzer’s ground to the GND pin. Now start the measuring process (around 10 seconds) while turning the target board on.
If your target interface is a UART, the result should look like the capture below. One of the pins (VCC) will output constant power, and the remaining pins should show a digital signal. In comparison to analog signals that look like a wave, a digital signal is easily identifiable because it only switches between two power levels (on/off). This represents a binary 1 or 0. It’s very similar to Morse code.
These highs and lows come in clusters called frames. These frames consist of start/stop bits, data bits, and optional parity bits. Between these clusters, a short period of high exists as idle time to separate them from each other. We won’t spend too much time on this for now, but this frame configuration is very important. Later, if you are using terminal software to connect to the UART, you may need to specify this setting. The most common setting is shorthand notated as 8-N-1 (8 data bits – No parity bit – 1 stop bit). It is so common that you rarely encounter any other configuration in the wild, and many modern terminal clients default to it.
Another important setting to identify from the results of the logic analyzer is the baud rate. The baud rate describes the speed of the bus. There are a lot of common baud rates, such as 9600, 57600, or 115200. All of them are used. Luckily, modern logic analyzers have a feature for easily identifying the baud rate so you don’t have to. Simply add an “Async Serial Analyzer” to one of the data channels on your logic analyzer and vary the bit rate setting. If you selected the right one, the logic analyzer software should start to reveal the correct representation of the signal. If this happens, you have found the correct baud rate.
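To make the framing and baud-rate discussion concrete, here is an added example (not from the article or any analyzer vendor) that decodes a capture of a UART line as 8-N-1 frames. Instead of varying the bit rate by hand, it estimates the baud rate from the shortest pulse in the capture, which is one bit period, and snaps it to a standard rate; the capture is a constructed list of 0/1 samples, and the sample rate and list of common baud rates are assumptions.

```python
# Added example, not from the article: a tiny 8-N-1 decoder for a logic-analyzer
# capture of a UART line (a list of 0/1 samples at a known sample rate), plus a
# baud-rate estimate from the shortest pulse instead of trial and error.
from typing import List, Optional

COMMON_BAUDS = (9600, 19200, 38400, 57600, 115200)   # assumed candidate rates

def encode_8n1(text: str, baud: int, sample_rate: int) -> List[int]:
    """Constructed test signal: idle-high line, one 8-N-1 frame per character."""
    spb = sample_rate // baud                          # samples per bit
    samples = [1] * (spb * 4)                          # idle time before the first frame
    for byte in text.encode("ascii"):
        frame = [0] + [(byte >> k) & 1 for k in range(8)] + [1]  # start, data LSB first, stop
        for bit in frame:
            samples += [bit] * spb
        samples += [1] * spb                           # short idle gap between frames
    return samples

def estimate_baud(samples: List[int], sample_rate: int) -> int:
    """Shortest run of identical samples = one bit period (needs one single-bit pulse)."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    raw = sample_rate / min(runs)
    return min(COMMON_BAUDS, key=lambda b: abs(b - raw))   # snap to a standard rate

def decode_8n1(samples: List[int], baud: int, sample_rate: int) -> Optional[bytes]:
    """Sample each bit at its midpoint; None on a framing error (typical for a wrong baud)."""
    spb = sample_rate / baud
    out, pos, n = bytearray(), 0.0, len(samples)
    while int(pos) < n:
        if samples[int(pos)] == 1:                     # idle high: keep scanning
            pos += 1
            continue
        mids = [int(pos + spb * (k + 0.5)) for k in range(10)]
        if mids[-1] >= n:                              # truncated frame at end of capture
            break
        if samples[mids[0]] != 0:                      # glitch, not a real start bit
            pos += 1
            continue
        if samples[mids[9]] != 1:
            return None                                # stop bit not high: framing error
        out.append(sum(samples[mids[1 + k]] << k for k in range(8)))
        pos += spb * 10                                # skip to the end of the stop bit
    return bytes(out)
```

With `sig = encode_8n1("login:", 115200, 1_152_000)`, `estimate_baud(sig, 1_152_000)` gives 115200 and `decode_8n1(sig, 115200, 1_152_000)` returns `b"login:"`, while decoding the same capture at 57600 hits a bad stop bit and returns None.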
The last thing to do is measure the voltage of the VCC pin. Use a multimeter to measure it against GND. UART signal levels differ between devices, ranging from 1.8 V to 12 V, with 3.3 V or 5 V being the most common levels found in modern devices.
To receive the console output on your PC, you need a matching interface device. To connect a UART to a PC, you need a USB-to-serial adapter with transistor-transistor logic (TTL) signal levels, commonly called a USB TTL serial adapter. Make sure that the adapter you are using is set to the signal level your device requires. Otherwise, the device or the adapter might break. Commonly used adapters have a jumper to select between different signal levels.
Set the signal level and wire the UART lines to your TTL serial adapter as follows: RX to RX, TX to TX, and GND to GND. Then plug the USB adapter into your computer. Don’t connect the VCC yet. If you are using Linux, the TTL serial adapter should be detected as a new ttyUSB device. Now use screen as a terminal application to connect to the TTY provided by the USB serial adapter (Note: this requires some familiarity with a *nix system and the concept of a TTY). If you have a 115200 baud rate with the common 8-N-1 setting, the following command line will work:
$ sudo screen /dev/ttyUSB0 115200
Windows users can use PuTTY instead of the above command line. Simply select the “Serial” connection on the main screen and enter the correct COM port corresponding to the TTL serial adapter. The baud rate is configured in the connection settings.
Once you have started the device, you should see the console output from the device on your screen. In the event that you receive no output on the terminal, you might need to swap the RX/TX lines because the labeling of TTL serial adapters is not unified. Strange artifacts (garbled characters) indicate a wrong baud rate or a bad ground connection. Recheck the baud rate with the logic analyzer and recheck your ground wiring.
If you want more practice on UART detection, simply use a Raspberry Pi as your first target. The Raspberry Pi is a tiny computer that is typically used for educational purposes. You can easily enable the UART and practice correctly identifying the interface on pins 6, 8, and 10 (on a Pi 4).
Hopefully, you enjoyed this article. Yes, you will void your warranty on your devices, but you’ll have a lot of fun doing so.
My name is Alexander Pick. I am a professional security researcher in the fields of mobile, embedded, and automotive security. Technical security is not just my work but also my hobby and way of life. I started out in the 90s, reading text files from mailboxes and hanging out on IRC. My first CVEs were awarded for bugs I published in 2000/2001. A lot of time has passed, and the industry has changed a ton. More than 20 years later, I found the Bugcrowd platform and was instantly hooked. Now, I am ranked in the top 100—still slaying bugs, still having fun.