From d62ea1bdeb555bc7e317cd0ab80b60b2a83046d8 Mon Sep 17 00:00:00 2001 From: Liodeus Date: Sun, 9 Oct 2022 12:40:06 +0200 Subject: [PATCH 1/8] Update uart.md --- docs/debug-interfaces/uart.md | 132 +++++++++++++++++++++------------- 1 file changed, 84 insertions(+), 48 deletions(-) diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md index 6814849..9828ee8 100644 --- a/docs/debug-interfaces/uart.md +++ b/docs/debug-interfaces/uart.md @@ -1,16 +1,19 @@ # UART +## Table of contents -### Summary - -* What is it ? -* Identifying UART Ports -* Connect to serial port - * Detect baudrate - * Interact with the /dev/ttyUSB0 -* UART over BLE -* Examples +* [UART](#uart) + * [Table of contents](#table-of-contents) + * [What is it ?](#what-is-it) + * [Identifying UART ports](#identifying-uart-ports) + * [Using a multimeter](#using-a-multimeter) + * [Using a logic analyzer](#using-a-logic-analyzer) + * [Connect to serial port](#connect-to-serial-port) + * [WARNING](#warning) + * [Examples](#examples) + * [UART over BLE](#uart-over-ble) ## What is it ? + UART stands for Universal asynchronous receiver transmitter. Used for serial communications over a computer or peripheral device serial port. UART peripherals are commonly integrated in many embedded devices. UART communication makes use of baud rate to maintain synchronism between two devices. The baud rate is the rate at which information is transferred in a communication channel. 
@@ -19,73 +22,111 @@ With access to the UART, a user can see bootloader and operating system logs. Generaly, the line is held high (at a logical 1 value) while UART is in idle state. -We call the most common configuration 8N1 : eight data bits, no parity, and 1 stop bit. +We call the most common configuration **8N1** : eight data bits, no parity, and 1 stop bit. -## Identifying UART Ports +## Identifying UART ports -A UART pinout has four ports : -- TX (Transmit) -- Rx (Receive) -- Vcc (Voltage) -- GNR (Ground) +A UART pinout has **four** ports : +* **TX** (Transmit) +* **RX** (Receive) +* **Vcc** (Voltage) +* **GNR** (Ground) + +![](https://re-ws.pl/wp-content/uploads/2017/09/pinout.jpg) To find UART multiple solution : -- Search on Internet -- Labeled on PCB -- Find candidates - - Use a multi-meter -- Follow PCB traces (almost always impossible) +* Search on Internet +* Labeled on PCB +* Find candidates + * Using a multimeter + * Using a logic analyzer +* Follow PCB traces (almost always impossible) -Keep in mind that some devices emulate UART ports by programming the Generla-Purpose Input/Output (GPIO) pins if there isn't enough space on the board for dedicated hardware UART pins. - -### Use a multimeter +Keep in mind that some devices **emulate** UART ports by programming the General-Purpose Input/Output (GPIO) pins if there isn't enough space on the board for dedicated hardware UART pins. +### Using a multimeter #### GNR pin First identify the GRN pin, by using the multimeter in continuity mode. Place the black probe on any grounded metallic surface, be it a part of the tested PCB or not. Then place the red probe on each of the ports. When you hear a beeping sound, you found a GND pin. -#### VCC pin +#### Vcc pin Turn the multimeter to the DC voltage mode in and set it up to 20V of voltage. Keep the black probe on a grounded surface. Place the red probe on a suspeted pin and turn on the device. 
-If the multimeter measures a constant voltage of either 3.3V or 5V, you've found the VCC pin. +If the multimeter measures a constant voltage of either 3.3V or 5V, you've found the Vcc pin. -#### Tx pin -Keep the multimeter mode at DC voltage of 20V or less, and leave the black probe in a grounded surface. Move the red probe to the suspected pin and power cycle the device. If the voltage fluctuates for a few seconds and then stabilizes at the Vcc value, you've most likely found the Tx pin. +#### TX pin +Keep the multimeter mode at DC voltage of 20V or less, and leave the black probe in a grounded surface. Move the red probe to the suspected pin and power cycle the device. If the voltage fluctuates for a few seconds and then stabilizes at the Vcc value, you've most likely found the TX pin. -This behavior happens because, during bootup, the device sends serial data through that Tx pin for debugging purposes. Once it finishes booting, the UART line goes idle. +This behavior happens because, during bootup, the device sends serial data through that TX pin for debugging purposes. Once it finishes booting, the UART line goes idle. #### Rx pin -If you've already identified the rest of the UART pins, the nearby fourth pin is most likely the Rx pin. +If you've already identified the rest of the UART pins, the nearby fourth pin is most likely the RX pin. Otherwise, you can identify it because it has the lowest voltage fluctuation and lowest overall value of all the UART pins. -### Connect to serial port +### Using a logic analyzer + +!!!!!!!!!!!!!!!DO THIS PART!!!!!!!!!! + +To find the UART pins we will connect the pins to a logic analyzer and look for data being transmitted. In the case of this device, bootloader and kernel logs are printed to this interface on startup, so we will expect to see data come across the transmit line of the UART device.2 This is what we will be looking for. 
+ +https://medium.com/@shubhamgolam10/reverse-engineering-uart-to-gain-shell-de9019ae427a + + +!!!!!!!!!!!!!!!DO THIS PART!!!!!!!!!! + +## Connect to serial port +### WARNING +It's not a big deal if you confuse the UART RX and TX ports with each other, because you can easily swap the wires connecting to them without any consequences. But confusing the Vcc with the GND and connecting wires to them incorrectly **might fry the circuit**. + +### Examples +![](http://remotexy.com/img/help/help-esp8266-firmware-update-usbuart.png) + +![](https://vanhunteradams.com/Protocols/UART/uart_hardware.png) + +!!!!!!!!!!!!!!!REDO THIS PART!!!!!!!!!! Connect to UART using an USB to TTL, then find the `/dev/ttyUSB0` device in the `dmesg` command output. You need to create the `dialout` group for Debian or `uucp` for Manjaro : * `sudo usermod -a -G dialout username` * `sudo gpasswd -a username uucp` -#### Detect baudrate +!!!!!!!!!!!!!!!REDO THIS PART!!!!!!!!!! -Standard baud rate are `110`, `300`, `600`, `1200`, `2400`, `4800`, `9600`, `14400`, `19200`, `38400`, `57600`, `115200`, `128000` and `256000`.\ -Auto-detect baud rate using the script : [devttys0/baudrate/baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py) +#### Detect baud rate +##### Most common baud rate +The most common baud rates for UART are `9600`, `19200`, `38400`, `57600` and `115200`. -#### Interact with the /dev/ttyUSB0 +A table of other used but less common baud rates can be found here : [Here](https://lucidar.me/en/serialib/most-used-baud-rates-table/) -```powershell -cu -l /dev/ttyUSB0 -s 9600 -screen port_name 115200 -minicom -b 115200 -o -D Port_Name # to exit GNU screen, type Control-A k. 
-microcom -d -s 9600 -p /dev/ttyUSB0 -microcom -d -s 19200 -p /dev/ttyUSB0 +##### Auto-detect the baud rate using a script +Link : [baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py) +```bash +# Download +wget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py + +# Install serial +pip2.7 install serial + +# Run the script on "/dev/ttyUSB0" +python2.7 baudrate.py -p /dev/ttyUSB0 ``` +#### Interact with UART +Different command line tools to interract with UART : +```powershell +cu -l /dev/ttyUSB0 -s 115200 +microcom -d -s 115200 -p /dev/ttyUSB0 +minicom -b 115200 -o -D /dev/ttyUSB0 # To exit GNU screen, type Control-A k +screen /dev/ttyUSB0 115200 +``` + +Script to brute force a password protected UART : ```python import serial, time port = "/dev/ttyUSB0" -baud = 9600 +baud = 115200 s = serial.Serial(port) s.baudrate = baud @@ -100,7 +141,7 @@ with open('/home/audit/Documents/IOT/passwords.lst', 'r') as f: time.sleep(10) ``` -### UART over BLE +## UART over BLE It’s an emulation of serial port over BLE. The UUID of the Nordic UART Service is `6E400001-B5A3-F393-E0A9-E50E24DCCA9E`. This service exposes two characteristics: one for transmitting and one for receiving. @@ -114,8 +155,3 @@ Example with Micro::bit : * [https://makecode.microbit.org/v1/98535-28913-33692-07418](https://makecode.microbit.org/v1/98535-28913-33692-07418) * [Using the micro:bit Bluetooth Low Energy UART (serial over Bluetooth)](https://support.microbit.org/support/solutions/articles/19000062330-using-the-micro-bit-bluetooth-low-energy-uart-serial-over-bluetooth-) - -### Examples - -![](https://developer.android.com/things/images/raspberrypi-console.png) -![](http://remotexy.com/img/help/help-esp8266-firmware-update-usbuart.png) From e1363b2a24e7bbb8f13067ecccfedcc7d5641aac Mon Sep 17 00:00:00 2001 
From: Liodeus Date: Sun, 9 Oct 2022 12:41:57 +0200 Subject: [PATCH 2/8] Update uart.md --- docs/debug-interfaces/uart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md index 9828ee8..c490002 100644 --- a/docs/debug-interfaces/uart.md +++ b/docs/debug-interfaces/uart.md @@ -3,7 +3,7 @@ * [UART](#uart) * [Table of contents](#table-of-contents) - * [What is it ?](#what-is-it) + * [What is it ?](#what-is-it-) * [Identifying UART ports](#identifying-uart-ports) * [Using a multimeter](#using-a-multimeter) * [Using a logic analyzer](#using-a-logic-analyzer) From 97387c7a26385990bab55b76f94c1db2ee3c29b6 Mon Sep 17 00:00:00 2001 From: Liodeus Date: Sun, 9 Oct 2022 16:06:51 +0200 Subject: [PATCH 3/8] Update uart.md --- docs/debug-interfaces/uart.md | 71 ++++++++++++++++++++--------------- 1 file changed, 41 insertions(+), 30 deletions(-) diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md index c490002..fee502b 100644 --- a/docs/debug-interfaces/uart.md +++ b/docs/debug-interfaces/uart.md @@ -2,7 +2,7 @@ ## Table of contents * [UART](#uart) - * [Table of contents](#table-of-contents) + * [Table of contents](#table-of-contents) * [What is it ?](#what-is-it-) * [Identifying UART ports](#identifying-uart-ports) * [Using a multimeter](#using-a-multimeter) @@ -10,7 +10,10 @@ * [Connect to serial port](#connect-to-serial-port) * [WARNING](#warning) * [Examples](#examples) - * [UART over BLE](#uart-over-ble) + * [Connection using a USB to TTL](#connection-using-a-usb-to-ttl) + * [Detect the baud rate](#detect-the-baud-rate) + * [Interact with UART](#interact-with-uart) + - [UART over BLE](#uart-over-ble) ## What is it ? 
@@ -18,15 +21,15 @@ UART stands for Universal asynchronous receiver transmitter. Used for serial com UART peripherals are commonly integrated in many embedded devices. UART communication makes use of baud rate to maintain synchronism between two devices. The baud rate is the rate at which information is transferred in a communication channel. -With access to the UART, a user can see bootloader and operating system logs. +With access to the UART, a user can see bootloader and operating-system logs. -Generaly, the line is held high (at a logical 1 value) while UART is in idle state. +Generally, the line is held high (at a logical 1 value) while UART is in idle state. -We call the most common configuration **8N1** : eight data bits, no parity, and 1 stop bit. +We call the most common configuration **8N1**: eight data bits, no parity, and 1 stop bit. ## Identifying UART ports -A UART pinout has **four** ports : +A UART pinout has **four** ports: * **TX** (Transmit) * **RX** (Receive) * **Vcc** (Voltage) @@ -34,7 +37,7 @@ A UART pinout has **four** ports : ![](https://re-ws.pl/wp-content/uploads/2017/09/pinout.jpg) -To find UART multiple solution : +To find UART multiple solution: * Search on Internet * Labeled on PCB * Find candidates 
@@ -51,7 +54,7 @@ First identify the GRN pin, by using the multimeter in continuity mode. Place the black probe on any grounded metallic surface, be it a part of the tested PCB or not. Then place the red probe on each of the ports. When you hear a beeping sound, you found a GND pin. #### Vcc pin -Turn the multimeter to the DC voltage mode in and set it up to 20V of voltage. Keep the black probe on a grounded surface. Place the red probe on a suspeted pin and turn on the device. +Turn the multimeter to the DC voltage mode in and set it up to 20V of voltage. Keep the black probe on a grounded surface. Place the red probe on a suspected pin and turn on the device. If the multimeter measures a constant voltage of either 3.3V or 5V, you've found the Vcc pin. 
@@ -66,10 +69,16 @@ If you've already identified the rest of the UART pins, the nearby fourth pin is Otherwise, you can identify it because it has the lowest voltage fluctuation and lowest overall value of all the UART pins. ### Using a logic analyzer +A logic analyzer is an electronic instrument that captures and displays multiple signals from a digital system or digital circuit. -!!!!!!!!!!!!!!!DO THIS PART!!!!!!!!!! +To find the UART pins we will connect the pins to a logic analyzer and look for data being transmitted. -To find the UART pins we will connect the pins to a logic analyzer and look for data being transmitted. In the case of this device, bootloader and kernel logs are printed to this interface on startup, so we will expect to see data come across the transmit line of the UART device.2 This is what we will be looking for. + +Make sure any system you're testing is **powered off** when you connect the logic analyzer's probes to it **to avoid short-circuiting**. + +In the settings, change the **Speed (Sample Rate)** to 50 kS/s and the **Duration** to 20 seconds. As a rule, you should sample digital signals **at least four times faster than their bandwidth**. With serial communications, which are generally very slow, a 50 kS/s sampling rate is more than enough, although sampling faster than this does no harm. As for the duration, 20 seconds is enough time for the device to power on and start transmitting data. + +In the case of this device, bootloader and kernel logs are printed to this interface on startup, so we will expect to see data come across the transmit line of the UART device.2 This is what we will be looking for. https://medium.com/@shubhamgolam10/reverse-engineering-uart-to-gain-shell-de9019ae427a 
@@ -85,36 +94,37 @@ It's not a big deal if you confuse the UART RX and TX ports with each other, bec ![](https://vanhunteradams.com/Protocols/UART/uart_hardware.png) -!!!!!!!!!!!!!!!REDO THIS PART!!!!!!!!!! +### Connection using a USB to TTL +Once the ports are connected, plug the adapter into your computer. You now need to find the **device file descriptor**. To do that enter the following command : `sudo dmesg`. -Connect to UART using an USB to TTL, then find the `/dev/ttyUSB0` device in the `dmesg` command output. You need to create the `dialout` group for Debian or `uucp` for Manjaro : +Typically, it will be assigned to `/dev/ttyUSB0` **if you don't have any other peripheral devices attached**. -* `sudo usermod -a -G dialout username` -* `sudo gpasswd -a username uucp` +Under Ubuntu or Debian, a non-root user cannot have access to serial ports such as ttyS0 or ttyUSB0 if he is not a member of the **dialout** group ! The equivalent group on Arch based distributions is **uucp**. In other words, you just have to add yourself to this group to have access. -!!!!!!!!!!!!!!!REDO THIS PART!!!!!!!!!! +Ubuntu or Deiban: `sudo usermod -a -G dialout $USER` +Arch based: `sudo usermod -a -G uucp $USER` -#### Detect baud rate -##### Most common baud rate +### Detect the baud rate +#### Most common baud rate The most common baud rates for UART are `9600`, `19200`, `38400`, `57600` and `115200`. 
-A table of other used but less common baud rates can be found here : [Here](https://lucidar.me/en/serialib/most-used-baud-rates-table/) +A table of other used but less common baud rates can be found here: [Here](https://lucidar.me/en/serialib/most-used-baud-rates-table/) -##### Auto-detect the baud rate using a script -Link : [baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py) +#### Autodetect the baud rate using a script +Link: [baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py) ```bash -# Download +# Download the script wget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py -# Install serial +# Install serial dependency pip2.7 install serial # Run the script on "/dev/ttyUSB0" python2.7 baudrate.py -p /dev/ttyUSB0 ``` -#### Interact with UART -Different command line tools to interract with UART : +### Interact with UART +Different command line tools to interact with UART: ```powershell cu -l /dev/ttyUSB0 -s 115200 microcom -d -s 115200 -p /dev/ttyUSB0 @@ -122,7 +132,7 @@ minicom -b 115200 -o -D /dev/ttyUSB0 # To exit GNU screen, type Control-A k screen /dev/ttyUSB0 115200 ``` -Script to brute force a password protected UART : +Script to brute force a password protected UART: ```python import serial, time port = "/dev/ttyUSB0" 
@@ -145,13 +155,14 @@ with open('/home/audit/Documents/IOT/passwords.lst', 'r') as f: It’s an emulation of serial port over BLE. The UUID of the Nordic UART Service is `6E400001-B5A3-F393-E0A9-E50E24DCCA9E`. This service exposes two characteristics: one for transmitting and one for receiving. -* **RX Characteristic** (UUID: 6E400002-B5A3-F393-E0A9-E50E24DCCA9E) : The peer can send data to the device by writing to the RX Characteristic of the service. ATT Write Request or ATT Write Command can be used. The received data is sent on the UART interface. -* **TX Characteristic** (UUID: 6E400003-B5A3-F393-E0A9-E50E24DCCA9E) : If the peer has enabled notifications for the TX Characteristic, the application can send data to the peer as notifications. The application will transmit all data received over UART as notifications. +* **RX Characteristic (UUID: 6E400002-B5A3-F393-E0A9-E50E24DCCA9E)** : + * The peer can send data to the device by writing to the RX Characteristic of the service. ATT Write Request or ATT Write Command can be used. The received data is sent on the UART interface. +* **TX Characteristic (UUID: 6E400003-B5A3-F393-E0A9-E50E24DCCA9E)** : + * If the peer has enabled notifications for the TX Characteristic, the application can send data to the peer as notifications. The application will transmit all data received over UART as notifications. 
+ +### Examples * [nRF UART 2.0 - Nordic Semiconductor ASA](https://play.google.com/store/apps/details?id=com.nordicsemi.nrfUARTv2) * [UART/Serial Port Emulation over BLE](https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v14.0.0%2Fble_sdk_app_nus_eval.html) * [UART Over Bluetooth Low Energy](https://thejeshgn.com/2016/10/01/uart-over-bluetooth-low-energy/) - -Example with Micro::bit : - * [https://makecode.microbit.org/v1/98535-28913-33692-07418](https://makecode.microbit.org/v1/98535-28913-33692-07418) * [Using the micro:bit Bluetooth Low Energy UART (serial over Bluetooth)](https://support.microbit.org/support/solutions/articles/19000062330-using-the-micro-bit-bluetooth-low-energy-uart-serial-over-bluetooth-) From 2937e7148f5be4dc5c0c69be12b852d4f2557108 Mon Sep 17 00:00:00 2001 From: Liodeus Date: Sun, 9 Oct 2022 16:07:55 +0200 Subject: [PATCH 4/8] Update uart.md --- docs/debug-interfaces/uart.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md index fee502b..0f12281 100644 --- a/docs/debug-interfaces/uart.md +++ b/docs/debug-interfaces/uart.md @@ -1,8 +1,5 @@ # UART ## Table of contents - -* [UART](#uart) - * [Table of contents](#table-of-contents) * [What is it ?](#what-is-it-) * [Identifying UART ports](#identifying-uart-ports) * [Using a multimeter](#using-a-multimeter) From 77fed97040ee4556d3dc4ce052420f231660401f Mon Sep 17 00:00:00 2001 From: Liodeus Date: Sun, 9 Oct 2022 16:13:44 +0200 Subject: [PATCH 5/8] Update uart.md --- docs/debug-interfaces/uart.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md index 0f12281..b314ed2 100644 --- a/docs/debug-interfaces/uart.md +++ b/docs/debug-interfaces/uart.md 
@@ -99,6 +99,7 @@ Typically, it will be assigned to `/dev/ttyUSB0` **if you don't have any other p Under Ubuntu or Debian, a non-root user cannot have access to serial ports such as ttyS0 or ttyUSB0 if he is not a member of the **dialout** group ! The equivalent group on Arch based distributions is **uucp**. In other words, you just have to add yourself to this group to have access. Ubuntu or Deiban: `sudo usermod -a -G dialout $USER` + Arch based: `sudo usermod -a -G uucp $USER` ### Detect the baud rate From 985260191b18d8f48c4a7aabc7f2e796d0e1a8b1 Mon Sep 17 00:00:00 2001 From: Liodeus Date: Sun, 9 Oct 2022 16:33:56 +0200 Subject: [PATCH 6/8] Update uart.md --- docs/debug-interfaces/uart.md | 38 +++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md index b314ed2..3526919 100644 --- a/docs/debug-interfaces/uart.md +++ b/docs/debug-interfaces/uart.md @@ -10,7 +10,8 @@ * [Connection using a USB to TTL](#connection-using-a-usb-to-ttl) * [Detect the baud rate](#detect-the-baud-rate) * [Interact with UART](#interact-with-uart) - - [UART over BLE](#uart-over-ble) + * [UART over BLE](#uart-over-ble) + * [Examples](#examples) ## What is it ? @@ -29,7 +30,7 @@ We call the most common configuration **8N1**: eight data bits, no parity, and 1 A UART pinout has **four** ports: * **TX** (Transmit) * **RX** (Receive) -* **Vcc** (Voltage) +* **VCC** (Voltage) * **GNR** (Ground) ![](https://re-ws.pl/wp-content/uploads/2017/09/pinout.jpg) 
@@ -50,13 +51,13 @@ First identify the GRN pin, by using the multimeter in continuity mode. Place the black probe on any grounded metallic surface, be it a part of the tested PCB or not. Then place the red probe on each of the ports. When you hear a beeping sound, you found a GND pin. -#### Vcc pin +#### VCC pin Turn the multimeter to the DC voltage mode in and set it up to 20V of voltage. Keep the black probe on a grounded surface. Place the red probe on a suspected pin and turn on the device. -If the multimeter measures a constant voltage of either 3.3V or 5V, you've found the Vcc pin. +If the multimeter measures a constant voltage of either 3.3V or 5V, you've found the VCC pin. #### TX pin -Keep the multimeter mode at DC voltage of 20V or less, and leave the black probe in a grounded surface. Move the red probe to the suspected pin and power cycle the device. If the voltage fluctuates for a few seconds and then stabilizes at the Vcc value, you've most likely found the TX pin. +Keep the multimeter mode at DC voltage of 20V or less, and leave the black probe in a grounded surface. Move the red probe to the suspected pin and power cycle the device. If the voltage fluctuates for a few seconds and then stabilizes at the VCC value, you've most likely found the TX pin. This behavior happens because, during bootup, the device sends serial data through that TX pin for debugging purposes. Once it finishes booting, the UART line goes idle. 
@@ -70,21 +71,36 @@ A logic analyzer is an electronic instrument that captures and displays multiple To find the UART pins we will connect the pins to a logic analyzer and look for data being transmitted. - +#### Hardware setup Make sure any system you're testing is **powered off** when you connect the logic analyzer's probes to it **to avoid short-circuiting**. -In the settings, change the **Speed (Sample Rate)** to 50 kS/s and the **Duration** to 20 seconds. As a rule, you should sample digital signals **at least four times faster than their bandwidth**. With serial communications, which are generally very slow, a 50 kS/s sampling rate is more than enough, although sampling faster than this does no harm. As for the duration, 20 seconds is enough time for the device to power on and start transmitting data. + * Connect the suspected TX pin to any channel of the logic analyzer. + * Connect one of your logic analyzer's GND pins to the PCB that you're testing GND pins so they **share a common ground**. -In the case of this device, bootloader and kernel logs are printed to this interface on startup, so we will expect to see data come across the transmit line of the UART device.2 This is what we will be looking for. +#### Software setup +This setup is for **Saleae based logic analyzer**, if you use a different one referer to the constructor documentation. -https://medium.com/@shubhamgolam10/reverse-engineering-uart-to-gain-shell-de9019ae427a +* Open the saleae software +* Create a new analyzer entry by pressing a plus (+) icon and select Async Serial (this is for UART). +* Select a serial channel (8 channels on Logic Analyser) and keep the default settings. +* Try with popular baud rates used in IoT devices (9600, 19200, 38400, 57600, 115200). Note that when you don't know the bit rate, you can select "**Use Autobaud**" and let the software work its magic. +* Save the configurations. 
+If you want to modify the speed and the duration: +* As a rule, you should sample digital signals **at least four times faster than their bandwidth**. +* With serial communications, which are generally very slow, a **50 kS/s** sampling rate is more than enough, although sampling faster than this does no harm. +* As for the duration, **20 seconds** is enough time for the device to power on and start transmitting data. + +Now try with the popular baud rates with both the suspected pins and try to compare the results. If you find any readable text with one of the pins and the text makes some sense then that’s the TX pin. + +![](https://miro.medium.com/max/640/1*_7i8gbB0Sw2I0QxCMQ6gRw.png) + +![](https://miro.medium.com/max/640/1*1Ku2G160NBczbgM-USi8kQ.png) -!!!!!!!!!!!!!!!DO THIS PART!!!!!!!!!! ## Connect to serial port ### WARNING -It's not a big deal if you confuse the UART RX and TX ports with each other, because you can easily swap the wires connecting to them without any consequences. But confusing the Vcc with the GND and connecting wires to them incorrectly **might fry the circuit**. +It's not a big deal if you confuse the UART RX and TX ports with each other, because you can easily swap the wires connecting to them without any consequences. But confusing the VCC with the GND and connecting wires to them incorrectly **might fry the circuit**. ### Examples ![](http://remotexy.com/img/help/help-esp8266-firmware-update-usbuart.png) From 209b92219e1d74a6803e43956d152678c50784ba Mon Sep 17 00:00:00 2001 From: Liodeus Date: Sun, 9 Oct 2022 16:38:53 +0200 Subject: [PATCH 7/8] Update uart.md Rework the documentation, added some images, logic analyzer part, warnings, correct some typos. --- docs/debug-interfaces/uart.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md index 3526919..338c491 100644 --- a/docs/debug-interfaces/uart.md +++ b/docs/debug-interfaces/uart.md 
@@ -14,7 +14,6 @@ * [Examples](#examples) ## What is it ? - UART stands for Universal asynchronous receiver transmitter. Used for serial communications over a computer or peripheral device serial port. UART peripherals are commonly integrated in many embedded devices. UART communication makes use of baud rate to maintain synchronism between two devices. The baud rate is the rate at which information is transferred in a communication channel. @@ -26,7 +25,6 @@ Generally, the line is held high (at a logical 1 value) while UART is in idle st We call the most common configuration **8N1**: eight data bits, no parity, and 1 stop bit. ## Identifying UART ports - A UART pinout has **four** ports: * **TX** (Transmit) * **RX** (Receive) From 181c34f628f530b5c5c8f118dd0d421ccbf70674 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:31:22 +0200 Subject: [PATCH 8/8] Update uart.md --- docs/debug-interfaces/uart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md index 338c491..7b8f5be 100644 --- a/docs/debug-interfaces/uart.md +++ b/docs/debug-interfaces/uart.md @@ -112,7 +112,7 @@ Typically, it will be assigned to `/dev/ttyUSB0` **if you don't have any other p Under Ubuntu or Debian, a non-root user cannot have access to serial ports such as ttyS0 or ttyUSB0 if he is not a member of the **dialout** group ! The equivalent group on Arch based distributions is **uucp**. In other words, you just have to add yourself to this group to have access. -Ubuntu or Deiban: `sudo usermod -a -G dialout $USER` +Ubuntu or Debian: `sudo usermod -a -G dialout $USER` Arch based: `sudo usermod -a -G uucp $USER`
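
Review bot: in [PATCH 1/8], hunk `@@ -19,73 +22,111 @@`, the added lines `!!!!!!!!!!!!!!!DO THIS PART!!!!!!!!!!` and `!!!!!!!!!!!!!!!REDO THIS PART!!!!!!!!!!` are author to-do markers committed into the published page, and the new logic analyzer paragraph carries a stray footnote digit in `UART device.2`. These are only cleaned up in 3/8 and 6/8, so any checkout between those commits renders them. Squash the series into one commit with a descriptive subject, or keep the draft sections out of the tree until they are written. The same hunk also leaves the `#### Rx pin` heading unchanged while the `#### TX pin` heading and both bodies move to upper case.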
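
Review bot: in [PATCH 3/8], hunk `@@ -85,36 +94,37 @@`, `pip2.7 install serial` installs the wrong package: the module behind `import serial` and `serial.Serial(port)` in the script further down is published on PyPI as `pyserial`, and the project named `serial` there is unrelated. Change the line to `pip2.7 install pyserial`. In the same hunk the `cu`, `microcom`, `minicom` and `screen` block is still fenced as `powershell` although these are Unix shell tools, and the comment `# To exit GNU screen, type Control-A k` sits on the `minicom` line instead of the `screen` line. The group instructions should also say that the new `dialout` or `uucp` membership only takes effect after logging in again.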
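
Review bot: in [PATCH 6/8], hunk `@@ -10,7 +10,8 @@`, the added entry `* [Examples](#examples)` under UART over BLE uses the same anchor as the `[Examples](#examples)` entry already listed under Connect to serial port, so it links to the first `### Examples` heading rather than the BLE one added in 3/8. Rename one of the two headings, for example to `### BLE examples`, and point this entry at the new anchor.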
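
Review bot: in [PATCH 6/8], hunk `@@ -29,7 +30,7 @@`, the pin list is edited to rename `**Vcc**` to `**VCC**` but the next line still reads `**GNR** (Ground)`; the multimeter section that follows then uses `GNR` in its heading, `GRN` in its first sentence and `GND` in its last. Use `GND` throughout. The rename itself undoes the `VCC` to `Vcc` heading and body change made in 1/8, so settle on one spelling before the series lands.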
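
Review bot: in [PATCH 6/8], hunk `@@ -70,21 +71,36 @@`, the sampling advice contradicts the baud rates listed a few bullets earlier: the text asks for sampling at least four times faster than the signal and then calls 50 kS/s more than enough, while telling the reader to try rates up to 115200, which by that rule needs about 460 kS/s and cannot be decoded from a 50 kS/s capture. State the sample rate relative to the highest baud rate being tried. The closing paragraph also says to compare results from both the suspected pins although the hardware setup only connects the suspected TX pin, and `referer` and `Logic Analyser` should read `refer` and `logic analyzer` to match the rest of the page.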