Extract Firmware using UART

At this point you should have:

Not all UART interfaces are the same. In fact, a manufacturer can output anything at all over it, so there is no guarantee that you can abuse UART to dump the firmware or get a shell on the device. There are, however, some common methods, which we discuss below:

Some manufacturers build a failsafe mode into their devices, designed as a recovery option if the device is not operating correctly. An example of this is OpenWrt, which prints something like this in the boot log:

Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level  

Pressing [f] followed by Enter drops us into a root shell:

OpenWrt command shell

Depending on your device you may have to mount the correct filesystem first. On OpenWrt in failsafe mode, for example, only the read-only squashfs root is available; run mount_root to mount the overlay that holds the persistent configuration. For other devices:

  • Run ls /dev, cat /proc/mtd or blkid to locate storage devices and partitions (e.g., /dev/sda1, /dev/mmcblk0p2, /dev/mtdblock3).

  • Use these commands to first create a mount point and then mount the filesystem (mount it read-only so you do not modify the device's data while inspecting it):

    • mkdir /mnt/filesystem

    • mount -o ro /dev/<root_partition> /mnt/filesystem

  • Now you can access the filesystem under /mnt/filesystem

From here we can check whether the root filesystem has already been mounted, and then look for:

  • /etc/shadow password hashes (only entries with a real hash are worth cracking; "*" and "!" mark locked accounts)

  • SSH private keys (host keys under /etc/dropbear/ or /etc/ssh/, user keys in ~/.ssh/)

  • other credentials (Wi-Fi passphrases and service passwords in configuration files)
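The mount-and-harvest procedure above, as an added example (this is not code from the original page or from OpenWrt). It is written for a minimal BusyBox shell such as the one you get over UART: mount_fs wraps the mkdir/mount step, and the three harvesting functions work on any mounted root directory. The list of credential-bearing paths in cred_files is an illustrative assumption, not an exhaustive inventory, and the sample tree described in the usage note is constructed.

```shell
#!/bin/sh
# Added example: harvest credentials from a filesystem mounted via a UART shell.
# Not part of the original page or of OpenWrt; the path list below is an assumption.

# mount_fs DEVICE [MOUNTPOINT]: create the mount point and mount the partition
# read-only so that inspecting it does not alter evidence on the device.
mount_fs() {
    dev="$1"
    mnt="${2:-/mnt/filesystem}"
    mkdir -p "$mnt" || return 1
    mount -o ro "$dev" "$mnt"
}

# shadow_hashes ROOT: print "user:hash" for accounts in ROOT/etc/shadow that
# carry a real password hash. Empty, "*" and "!..." fields are locked or
# passwordless accounts and are skipped, so only crackable entries remain.
shadow_hashes() {
    root="$1"
    [ -r "$root/etc/shadow" ] || return 1
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/ { print $1 ":" $2 }' "$root/etc/shadow"
}

# private_keys ROOT: list every file under ROOT containing a PEM private-key
# trailer. This catches dropbear/OpenSSH host keys as well as keys left in
# home directories, whatever their file name.
private_keys() {
    root="$1"
    grep -rl -- "PRIVATE KEY-----" "$root" 2>/dev/null
    return 0
}

# cred_files ROOT: print well-known files that commonly embed plaintext
# credentials on embedded Linux (assumed list; extend it for your target).
cred_files() {
    root="$1"
    for f in etc/passwd etc/shadow etc/config/wireless etc/config/network \
             etc/dropbear/dropbear_rsa_host_key etc/ssh/ssh_host_rsa_key \
             etc/wpa_supplicant.conf; do
        [ -e "$root/$f" ] && echo "$root/$f"
    done
    return 0
}
```

Typical use on the device is mount_fs /dev/mmcblk0p2 && shadow_hashes /mnt/filesystem && private_keys /mnt/filesystem. To try it offline, build a constructed tree with a fake /etc/shadow (one real hash, one "*" and one "!" entry) and a fake id_rsa under root/.ssh; shadow_hashes then prints only the real entry and private_keys only the key file.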

Analyze firmware

  • Once you have a firmware image, binwalk firmware.bin identifies and extracts its embedded filesystems so you can search them for sensitive information

  • see the "Analyze Firmware" chapter

Resources

  • Accessing and Dumping Firmware Through UART

  • Extracting Firmware: Every Method Explained
