Hardware hacking tutorial: Interfacing with debug ports

August 31, 2017
reversing hardware hacking infosec embedded

The idea

In the past two posts, we've seen that we can dump the firmware directly from the flash chip, or reverse engineer the firmware image the vendor publishes online for our device.

But why bother, if we have a debug port out in the open?

Let’s try it out.

Used gear

CJMCU-232H

The FT232H is a USB bridge chip made by Future Technology Devices International (FTDI). The CJMCU-232H is a breakout board carrying that chip, so it can be used straight from a USB port. It bridges USB to UART (RS232, RS422 or RS485), FIFO, JTAG, SPI, I2C, bit-bang and more. Here it will be used for UART and JTAG communication with the attacked devices.

CJMCU-232H

Image taken from: Ebay

Target

The target is the Ubiquiti mFi mPort. It will be disassembled to look for debug ports, which will then be connected to the CJMCU-232H.

Finding the debug ports

First, the housing that holds the mFi mPort needs to be taken apart.

Disassembled Ubiquiti mFi mPort

Right away a header with four pins can be seen soldered onto the PCB of the device. With a little trial and error, it can be determined which pins are power and ground and which are for receiving and transmitting. A multimeter shortens the guessing and avoids feeding a supply rail into the adapter's data pins: the ground pin shows continuity to the board's ground plane or shield, the supply pin sits at a steady voltage once the device is powered, and the TX pin toggles while the device boots; the remaining pin is RX.

Interfacing the UART port with the CJMCU-232H

Unlike SPI, UART is really simple: there is no clock line. The receiving pin of the device is connected to the transmitting pin of the CJMCU-232H and vice versa, and the grounds of the two boards are tied together. If the device is to be powered from the CJMCU-232H, or vice versa, the appropriate power pin is connected as well, in this case 3.3 volts. Check the logic level before connecting anything: the FT232H's I/O runs at 3.3 V, so a target whose UART uses a different level (1.8 V on many newer SoCs, 5 V on older boards) needs a level shifter rather than a direct connection.

CJMCU-232H interfaced to the mFi via UART

In this case the mFi needs a lot more 'juice' than the CJMCU-232H can provide, so a Power over Ethernet (PoE) adapter and an Ethernet cable are used to feed the board its 24 volts at 0.5 amps. On the CJMCU-232H the pins labelled AD0 and AD1 (ADBUS0 and ADBUS1 of the FT232H; they are digital lines despite the 'AD' label) are the transmit (TX) and receive (RX) pins in UART mode, respectively. Cross-connect them with the RX and TX pins on the board and the setup is ready to go.

Gaining shell access and exploiting

Now that everything is connected, open a terminal and start a serial session with screen, the GNU/Linux terminal multiplexer, by running the command screen /dev/ttyUSB0 115200.

The first argument is the serial device the CJMCU-232H shows up as, here /dev/ttyUSB0 (the kernel's ftdi_sio driver creates it). The second is the baud rate, with 115200 baud being the most commonly used speed on embedded consoles. A baud is a unit of signalling rate: the number of times per second the line changes state, which for a plain UART equals bits per second. If the rate is wrong the console shows only garbage characters rather than an error, so try the other common rates (57600, 38400, 9600) until the boot log reads cleanly; the remaining line settings are almost always 8 data bits, no parity and one stop bit (8N1).
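The baud rate is usually the one setting that is unknown up front, and a wrong guess looks like line noise rather than a failure. The script below is an added example, not code from the original post: it samples the console at each common rate and scores how much of what comes back is printable text, which is how autobaud tools pick the right speed. It assumes Linux with GNU coreutils (stty -F, timeout), the adapter enumerated as /dev/ttyUSB0, and a target that is printing while it is sampled (power-cycle it so the boot log comes out).

```shell
#!/bin/sh
# Added example (not from the original post): guess the UART baud rate by
# sampling the port at each candidate rate and scoring the printable ratio.
# At the right rate a boot log scores near 100%; at a wrong rate the bytes are
# framing garbage (high-bit bytes, NULs, control codes) and score low.
# Assumptions: Linux, GNU coreutils (stty -F, timeout), device at /dev/ttyUSB0.

CANDIDATE_BAUDS="115200 57600 38400 19200 9600"

# Percentage (0-100) of bytes in FILE that are printable ASCII, TAB, CR or LF.
# LC_ALL=C makes tr classify raw bytes, so 0x80-0xFF never count as printable.
score_file() {
    total=$(wc -c < "$1" | tr -d ' ')
    [ "$total" -gt 0 ] || { echo 0; return; }
    printable=$(LC_ALL=C tr -cd '[:print:]\t\r\n' < "$1" | wc -c | tr -d ' ')
    echo $((printable * 100 / total))
}

# DIR holds one sample file per candidate, named after its baud rate.
# Echo the name (rate) of the best-scoring sample; nothing if DIR is empty.
pick_best() {
    best=""; best_score=-1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        s=$(score_file "$f")
        if [ "$s" -gt "$best_score" ]; then best_score=$s; best=$(basename "$f"); fi
    done
    echo "$best"
}

# Sample a live port: 8N1, raw, no local echo, up to 512 bytes or 2 s per rate.
sample_port() {  # sample_port DEV OUTDIR
    dev=$1; out=$2; mkdir -p "$out"
    for b in $CANDIDATE_BAUDS; do
        stty -F "$dev" "$b" raw -echo cs8 -parenb -cstopb
        timeout 2 head -c 512 "$dev" > "$out/$b" || true
    done
}

if [ -n "$1" ]; then  # usage: sh autobaud.sh /dev/ttyUSB0
    dir=$(mktemp -d); sample_port "$1" "$dir"
    for f in "$dir"/*; do echo "$(basename "$f"): $(score_file "$f")% printable"; done
    echo "best guess: $(pick_best "$dir")"
fi
```

Run it while the target reboots, then open screen at the winning rate. A sample that scores high but still reads as nonsense usually means the rate is right but the data bits, parity or stop bits are not, which is rare on consumer devices.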

mFi mPort shell

After connecting to the serial port, the screen says to press Enter to activate the console, after which it asks for credentials.

The best bet is to try the default credentials, which are easily found online. For Ubiquiti (abbreviated UBNT) they hardly need looking up: ubnt as both username and password, the equivalent of admin:admin.

And a root shell is available! Since it's impossible to physically take apart and connect to every device a malicious user wants to attack, the next step is to look for something that would allow remote control, such as private keys, stored credentials or vulnerable services.

Root password hash found on the mFi

User password hash found on the mFi

The password hashes for both root and the user sit in /etc/passwd itself rather than in a separate shadow file, so they are easily obtained and can be cracked or checked against known defaults offline, along with some server private keys and certificates.
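A hash from /etc/passwd still has to be confirmed before it is useful, and on devices like this the first thing to try is the vendor default. The script below is an added example, not part of the original post: it parses a passwd-format file, flags UID 0 accounts and accounts with no password at all, classifies each hash by its prefix, and recomputes the hash of a few default passwords with openssl passwd using the entry's own salt. It assumes the openssl CLI is installed; the default-password list and the sample file are constructed for the example, and sha-crypt entries with an explicit rounds= field are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): triage password hashes from a
# device's /etc/passwd and test them offline against vendor defaults.
# Assumes the openssl CLI; handles $1$ (md5crypt), $5$ and $6$ (sha-crypt)
# without a rounds= field. The password list is a constructed example.

DEFAULT_PASSWORDS="ubnt admin password root 1234"

# Classify a passwd/shadow password field by its prefix.
hash_kind() {
    case "$1" in
        '')        echo empty ;;        # login succeeds with no password at all
        x)         echo shadowed ;;     # real hash lives in /etc/shadow
        '*'|'!'*)  echo locked ;;
        '$1$'*)    echo md5crypt ;;
        '$5$'*)    echo sha256crypt ;;
        '$6$'*)    echo sha512crypt ;;
        *)         echo other ;;
    esac
}

# Recompute the hash of CANDIDATE with HASH's own salt and compare.
# Returns 0 on a match, 1 on mismatch or an unsupported scheme.
hash_matches() {  # hash_matches HASH CANDIDATE
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    case "$1" in
        '$1$'*) flag=-1 ;;
        '$5$'*) flag=-5 ;;
        '$6$'*) flag=-6 ;;
        *) return 1 ;;
    esac
    got=$(openssl passwd "$flag" -salt "$salt" "$2") || return 1
    [ "$got" = "$1" ]
}

# For every account in a passwd-format FILE print:
#   name uid kind [ROOT] [default-password=...]
triage() {  # triage /path/to/passwd
    while IFS=: read -r name field uid rest; do
        [ -n "$name" ] || continue
        kind=$(hash_kind "$field")
        note=""
        [ "$uid" = "0" ] && note="$note ROOT"
        for p in $DEFAULT_PASSWORDS; do
            if hash_matches "$field" "$p"; then note="$note default-password=$p"; break; fi
        done
        echo "$name $uid $kind$note"
    done < "$1"
}

if [ -n "$1" ]; then  # usage: sh passwd_triage.sh ./extracted/etc/passwd
    triage "$1"
fi
```

For a shadow file the hash is the second field too but the third is not a UID, so feed individual hashes to hash_matches instead of the whole file. Anything reported as empty or as ROOT with a default password is a finding on its own; the rest goes to a proper cracker.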

Ubiquiti server private key and certificate found on the mFi

Looking up the certificate online shows that its owner is Ubiquiti Networks.

SSLShopper certificate verification

It can also be shown that the private key and the certificate match, so the recovered key really is the private SSL key for a Ubiquiti Networks certificate. The same check can be done locally with openssl, which avoids handing a private key to a third-party web site.

SSLShopper private key and certification verification
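The match between a recovered key and a certificate can be verified without leaving the machine, and it should be: a leaked private key is still a secret, and pasting it into an online checker leaks it a second time. The script below is an added example, not part of the original post: it extracts the SubjectPublicKeyInfo from both files with openssl and compares them, which works for RSA and EC keys alike, and prints the certificate's subject, issuer and validity. It assumes the openssl CLI (1.1 or 3.x); the demo key pairs it generates are throwaway self-signed material, not anything from the device.

```shell
#!/bin/sh
# Added example (not from the original post): confirm offline that a private
# key belongs to a certificate, instead of uploading the key to a web checker.
# Assumes the openssl CLI. The demo pairs are generated locally and are not
# Ubiquiti's key or certificate.

# PEM public key derived from a private key, or embedded in a certificate.
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }

# Return 0 if KEY and CERT carry the same public key, 1 otherwise. Comparing
# the whole SubjectPublicKeyInfo covers RSA and EC keys, unlike the old
# "compare the RSA modulus" trick. Unreadable or empty input never matches.
key_matches_cert() {  # key_matches_cert KEY.pem CERT.pem
    k=$(pubkey_of_key "$1" 2>/dev/null) || return 1
    c=$(pubkey_of_cert "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ -n "$c" ] && [ "$k" = "$c" ]
}

# Who the certificate claims to be, who signed it, and when it is valid: the
# information the post read off an online checker, straight from openssl.
cert_summary() { openssl x509 -in "$1" -noout -subject -issuer -dates; }

# Constructed demo material: two throwaway self-signed pairs written to DIR.
make_demo_pairs() {  # make_demo_pairs DIR
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$n" \
            -keyout "$1/key-$n.pem" -out "$1/cert-$n.pem" 2>/dev/null
    done
}

if [ -n "$1" ] && [ -n "$2" ]; then  # usage: sh keycheck.sh KEY.pem CERT.pem
    cert_summary "$2"
    if key_matches_cert "$1" "$2"; then
        echo "MATCH: the private key belongs to this certificate"
    else
        echo "NO MATCH"
    fi
fi
```

If the issuer is a public CA and the key matches, the certificate and its chain can be revoked by the CA once reported; if the issuer is the vendor's own CA, the key is more likely used for the device's management or cloud connection, which is the thing to look at next.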
