Hardware Hacking Box. Serial Access to Routers
2016-12-03
By
David "DeMO" Martínez Oliveira

A few weeks ago I announced that I would try to build a Hardware Hacking Lab. This is the first instalment of my journey into hardware hacking. It looks like the simplest interface we can deal with is a serial port, so let's start there.
As I mentioned, my idea is to build a Hardware Hacking Lab on the cheap using some of the most popular SBCs out there: BeagleBone Black, Raspberry Pi, Arrietta G25, Olinuxino, .... A first analysis shows that it is possible to do a lot of things with these little guys, and I want to explore how far I can get before having to buy more professional equipment. In this post I will explore the use of those SBCs to access wifi routers through the serial port that many of them expose.

Mandatory Disclaimer
Please keep in mind the following:
  • Once you dismount/open any of those devices you are voiding their warranty.
  • I'm not responsible for any damage you may cause to your devices.
  • Finally, I'm not responsible for any damage you may do to yourself. Routers have to be connected to the mains power. Usually the router board gets low voltage and all the dangerous stuff stays behind the transformer, but always be cautious when working with mains power and disconnect the devices whenever you manipulate them.

In my tests I'm using three different wifi devices:

  • TP-Link WR841N. This is a well-known device with a lot of on-line information. I've already flashed it with an open firmware and I'm using it as my reference platform. It has a serial port on the board and also a JTAG connector, both of them not populated.
  • Eminent EM4551 (wLINK 300 PRO). This is another wifi router a friend gave to me. It also has a populated serial on the board (more on this in a sec) and another connector that could be a JTAG interface... But I haven't got that far yet. This is my target 1 device.
  • Dymond WR03 wifi repeater. I found this in a local shop and wondered if there was something of interest in it, so I got one. I will also talk a bit about this in the post.

I will be using a Rpi3 to connect to those devices. This is the latest SBC I acquired and I'm still testing it, so everything is already set up; it was easier to just use it instead of one of my other SBCs and get more stuff on my workbench :).

Let's start with a quick look at my reference platform.

TP-link WR841N

I acquired this some time ago because it looked pretty hackable and easy to find. This is how it looks:

TP-Link WR841N. Reference model

There are some on-line resources with useful information I have found and used for this post:

https://wiki.openwrt.org/toh/tp-link/tl-wr841nd
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=627915
https://giannoug.gr/unbricking-a-tp-link-tl-wr841nd/

This router is easy to open. Just remove some screws in the bottom part of the router, hidden behind those black soft cylinders. Then you need to apply some force. I actually broke one of the small plastic pieces inside the box that keeps the thing together.

TP-Link WR841N. Internal View

Inside we easily find two connectors. According to the information available on the internet, the 4-pin connector on the left side is the serial port and the 14-pin connector on the right side is the JTAG.

TP-Link WR841N. Connectors Location

As you can see, all the holes in the JTAG connector are covered with solder, so we will have to remove it later. For now, I will just concentrate on the serial port, which does not have that problem and lets us solder some pins in there. You may want to use some tape to hold the pin header straight while soldering it. It may be a bit tricky, and my header is actually a bit tilted.

TP-Link WR841N. Serial Header

Accessing the Router

Now that we have soldered in the pin header we can easily connect the router to a computer. Here you have many options. For the TP-Link WR841N, the serial port uses 3.3V and it works at 115200 baud, 8N1. The easiest way to access the router is using a 3.3V USB-TTL-serial adaptor and minicom. But as I'm exploring the use of SBC computers as equipment for a Hardware Hacking lab, we are going to use the Rpi UART port.

This is very convenient, especially if you have a SBC (which is pretty likely) but you do not have a USB-TTL-serial adaptor.

It is a lot easier to do this with the BeagleBone. The Rpi comes configured by default to use the serial port as a console to the device and therefore the serial device is locked by getty, the program that shows you the login prompt and asks you for a password. So, the first thing to do is to disable this connection of the serial port to the local Linux console.

The latest Rpi images have changed to systemd, but most of the information on the internet (at the time of this writing) covers modifying /etc/inittab... which is no longer there.

The way I managed to get the UART pins working was as follows:

  • Using the Rpi configuration tool, in the advanced sub-menu, select serial and, when the program asks you if you want to have shell access through the serial port, answer no.
  • It may happen (it happened to me) that once you disable the serial shell access the UART device disappears. In that case edit the config.txt file (in the boot folder) and make sure there is a line towards the end saying:

    enable_uart=1

    You may need to reboot.

After those steps you should be able to access the serial port on device /dev/ttyS0.
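The two checks above (serial console disabled, enable_uart=1 present) are easy to get wrong, so here is a small added script that is not part of the original post. It inspects copies of the Pi's /boot/config.txt and /boot/cmdline.txt; looking for a console=serial0 entry in cmdline.txt is my addition, since that is the setting raspi-config removes when you answer no, and it is what hands the port to getty.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a Raspberry Pi
# UART is free for talking to a router's serial header.
# Assumes the Raspbian layout /boot/config.txt and /boot/cmdline.txt;
# both paths are passed as arguments so the functions can be tested on copies.

# 0 if config.txt has an uncommented enable_uart=1 line.
uart_enabled() {
    grep -Eq '^[[:space:]]*enable_uart=1[[:space:]]*$' "$1"
}

# 0 if cmdline.txt still routes the Linux console to the serial port
# (console=serial0 / ttyAMA0 / ttyS0), i.e. getty will own the device.
console_on_serial() {
    grep -Eq '(^|[[:space:]])console=(serial0|ttyAMA0|ttyS0)(,[0-9]+)?([[:space:]]|$)' "$1"
}

# Print one word: ready, console-locked or uart-disabled.
uart_status() {
    config="$1"; cmdline="$2"
    if ! uart_enabled "$config"; then
        echo uart-disabled
    elif console_on_serial "$cmdline"; then
        echo console-locked
    else
        echo ready
    fi
}

# Constructed sample files standing in for a Pi in its default state:
# UART enabled but the console still attached to serial0.
tmp=$(mktemp -d)
printf 'dtparam=audio=on\nenable_uart=1\n' > "$tmp/config.txt"
printf 'console=serial0,115200 console=tty1 root=/dev/mmcblk0p2 rootwait\n' > "$tmp/cmdline.txt"
uart_status "$tmp/config.txt" "$tmp/cmdline.txt"   # console-locked

# On the Pi itself, run the check against the real files when present.
if [ -f /boot/config.txt ] && [ -f /boot/cmdline.txt ]; then
    uart_status /boot/config.txt /boot/cmdline.txt
fi
```

A result of "ready" means /dev/ttyS0 should be usable by minicom, screen or NetKitty as described below, provided the Pi has been rebooted since the change.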

Wiring to our Reference Platform

Wiring is pretty straightforward. We need to connect the ground pin, Tx and Rx. In the Rpi header Tx and Rx are pins 8 and 10. Pin 6 is GND, so you can use that.

In the router, with the side carrying the ethernet connectors at the top, the pins on the board are:

    ROUTER          RPI
    PIN 1  Vcc      NC
    PIN 2  GND      PIN 6   GND
    PIN 3  Rx       PIN 8   Tx
    PIN 4  Tx       PIN 10  Rx

Table 1. Pin assignment between RPi and router

Now we should be good to go.

Software to Access the Serial Port

To access the serial port we can use different options. I usually use the following programs:
  • Minicom. This is a proper terminal emulator, reliable and providing all the options (serial-wise) you could ever need. Just launch it as:
    minicom -D /dev/YOURDEVICE
    and then use the menus to configure your port.

  • Screen. We can also use screen to interact with our serial port. Just run:
    screen /dev/ttyS0 115200

  • NetKitty. My beloved NetKitty also supports serial ports. The advantage of using NetKitty is that you can bridge the serial port device to a network connection and interact remotely with your device without using ssh. Actually you can even do that over Bluetooth. The command line would be:

    nk -c S,/dev/ttyS0,115200

    To enable remote access to the serial port run something like:

    nk -hub -s T,5000 -c S,/dev/ttyS0,115200

    With this last command you can connect to the Rpi on port 5000 and get directly into the serial connection. Check the NetKitty Tutorial to learn how to use this awesome tool :).

This is a small video showing the access to my reference platform (the TP-Link router) with NetKitty and the Rpi3 as described above. The upper console is an ssh session to the Rpi. The lower console runs on my laptop.

Lessons Learnt

I have had a couple of problems while trying to access the serial port on my router. Here is a summary of them:

In principle my router model requires the Vcc pin in the header to be connected in order to work. That was the case during the first test, which worked fine, but at some point one of the pins in the header became loose. It was actually the GND pin and, as usually happens with that one, you start to get all kinds of funny results.

Eventually I figured out that the pin was loose, and I soldered the header again. It looks like I applied too much heat and burned some component on the board. After re-soldering the header, when I connected the Vcc pin from the Rpi or my USB-TTL adapter, the router started getting power from them and switched on automatically whenever I plugged in the Vcc pin.

After that, I thought I had broken the board. Fortunately, the router still worked fine (I just ssh into it via the cable), but the Rx pin was not responding any more. So, I tried adding a 10K pull-up resistor, as that seems to be the case for many serial interfaces like this (according to the Internet), and then I got access to the serial console again, as you can see in the video above.

Enough for this First Part

In the next part I will show how to access the other devices I'm testing, providing some details on how to find out the serial pins on the router board. I'm still trying to sort out some issues... I may ask for some help in the next posts :)

Stay tuned!
