Booting process of broadband routers
Last week, we talked about how to find the UART connections of an Orange router with a multimeter in order to get root access to the device. We identified the pinout (GND, RX and TX pins) last week, but today we are going to see how to connect the USB-to-UART converter and how to find the baud rate easily, so that we can watch the booting process and access the root console. However, I have another broadband router to have fun with this time, a Huawei EchoLife HG556a, which is an interesting device for my lab.
The best way to get the pinout is with an oscilloscope. If we don't have one, we can use a multimeter, as we saw in the last post, and if we don't have these tools there is another way to identify unused pins and the ground pin. This trick is not as reliable as an oscilloscope or a multimeter, but it is helpful. The first thing we have to do is shine a bright light through the PCB from the back side and look at it from directly above. This is what that looks like:
Identifying useless pins and ground pin in a Huawei router
We can see that some of the pins have lines, meaning they make contact with the PCB. For instance, it's easy to see that the fourth pin has no lines, meaning it is unused. What's more, the second one has four lines, meaning it is a power pin, either GND or Vcc. Finally, all the other pins have a single line, meaning they are TX, RX or Vcc. This trick is a little bit risky because we can break our device, but if we don't have the right tools we can use it, connecting each pin in turn to find out the pinout.
Once we know the pinout, we have to connect the USB-to-UART converter to the router. First, we should connect the GND pins to each other. Second, I would connect the TX pin of the router to the RX pin of the converter; at this point we should be able to see the booting process, but not stop it or send anything. Finally, I would connect the RX pin of the router to the TX pin of the converter; at this point we should be able to send information to the router, for instance the username and password for getting root access.
Connecting converter to the router
We already know the pinout and how to connect the converter to the router but, maybe, we don't see any information yet in our miniterm/minicom application. This is because we have to configure the baud rate properly, and first we need to know which baud rate to set. The best way to find out the baud rate of an unknown serial device is with the Baudrate tool developed by Craig Heffner. Next, we can see that the tool allows us to change the baud rate of our host system's serial port on the fly, and that at a baud rate of 115200 we can read the output (letters) properly.
Baudrate tool
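The idea behind that check, as an added example (not code from the Baudrate tool or from the original post): score a short capture at each candidate speed by how much of it is printable ASCII and keep the best one. The candidate list, thresholds, sample bytes and port name are assumptions made for the illustration.

```python
import string

# Common UART speeds to try (a constructed list for this example).
CANDIDATE_RATES = [115200, 57600, 38400, 19200, 9600]
PRINTABLE = set(string.printable.encode())

def readable_score(data):
    """Fraction of bytes that are printable ASCII; 0.0 for an empty capture."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)

def pick_baud(captures, threshold=0.9, min_bytes=16):
    """Return the rate whose capture reads most like text, or None."""
    best_rate, best_score = None, 0.0
    for rate, data in captures.items():
        if len(data) < min_bytes:
            continue  # too little data: device idle, or TX is not on this pin
        score = readable_score(data)
        if score >= threshold and score > best_score:
            best_rate, best_score = rate, score
    return best_rate

def capture_all(port, seconds=2.0, size=256):
    """Sample a real port at each candidate rate (needs pyserial installed)."""
    import serial  # local import so the scoring code runs without pyserial
    captures = {}
    for rate in CANDIDATE_RATES:
        with serial.Serial(port, baudrate=rate, timeout=seconds) as ser:
            ser.reset_input_buffer()
            captures[rate] = ser.read(size)
    return captures

# Constructed captures standing in for what the converter returns while the
# router boots: clean text at the right speed, framing garbage elsewhere.
SAMPLE_CAPTURES = {
    115200: b"Booting...\r\nLoading kernel image... done\r\nLogin: ",
    57600: b"\x00\x78\xf8\x80x\x00\xff\x80" * 4,
    9600: bytes([0xF8, 0x80, 0x00, 0xFE, 0xE0, 0x1C, 0x00, 0xF8]) * 4,
    38400: b"",  # nothing received during the sample window
}

if __name__ == "__main__":
    # On hardware: pick_baud(capture_all("/dev/ttyUSB0"))  # port name is an assumption
    print("best rate:", pick_baud(SAMPLE_CAPTURES))
```

A result of `None` means no rate produced readable text, which usually points back to the wiring (wrong pin or missing GND) rather than to the speed.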
Once we have the baud rate, we'll be able to see the booting process, and even stop the autoboot process, and finally we'll see the console prompt that gives us root access.
Regards, my friends. Are you ready to do whatever you want in your router?