Attacking UART and Serial Consoles on Embedded Devices
A serial console is the door embedded vendors forget to lock. It was there for factory bring-up and debugging, it never got removed, and it often hands you a root shell with no password at all. UART is the first physical interface I look for on any board, and here is how that hunt actually goes.
Why Serial Is the First Door I Try
Universal Asynchronous Receiver/Transmitter, or UART, is the plain serial link engineers use to talk to a board during development. The catch is that development access and production access are the same physical pins. If the console was not disabled before the product shipped, anyone who opens the case gets the same view the firmware team had.
Step 1: Find the Header
Look for a row of three to five pads or a small pin header near the main processor. With a multimeter in continuity mode and the board powered off, you can map the pads: ground rings out to the shield, VCC sits at a steady 3.3V, and the transmit pin idles high and twitches when the device boots.
Step 2: Wire Up and Confirm the Adapter
Connect a USB-to-TTL adapter: device TX to adapter RX, device RX to adapter TX, and ground to ground. Leave VCC alone. The adapter should enumerate as a serial device:
ls /dev/ttyUSB* dmesg | grep ttyUSB
/dev/ttyUSB0 [ 4123.55] usb 1-2: FTDI USB Serial Device converter now attached to ttyUSB0
Step 3: Open the Console
Now attach a terminal at the right baud rate. The flags matter as much as the device node:
# 115200 is the most common embedded baud
picocom -b 115200 /dev/ttyUSB0
U-Boot 2018.03 (Apr 02 2021 - 11:20:14 +0000) DRAM: 128 MiB Hit any key to stop autoboot: 0 Starting kernel ... [ 1.20] Linux version 4.9.198 (build@ci) [ 6.84] VFS: Mounted root (squashfs filesystem) readonly device login: root # id uid=0(root) gid=0(root)
That last block is the finding. The device dropped to a root shell over serial with no password prompt that held.
What a Live Console Hands You
Even when the login is locked down, the console is rarely a dead end. It usually offers at least one of three footholds:
Step 4: Interrupt the Bootloader
If you press a key during the autoboot countdown, you land in the bootloader. From there the device environment is wide open, including the kernel boot arguments:
# at the U-Boot prompt
=> printenv
baudrate=115200 bootargs=console=ttyS0,115200 root=/dev/mtdblock3 rootfstype=squashfs bootcmd=nand read 0x80000000 0x200000 0x400000; bootm Environment size: 612/65532 bytes
Appending init=/bin/sh to those boot arguments hands you a root shell before any login service starts, which sidesteps authentication entirely.
Defending the Serial Port
The fixes are well understood and cheap to apply before production. Disable the console in the production device tree or set the bootloader delay to zero, require a password on the bootloader and the login shell, and where the silicon supports it, blow the debug-disable fuse so the interface is gone for good. None of this slows your own team down if it is built into the release process.
Where This Fits
Serial console review is a standard part of a hardware penetration test. Finding the header is easy; the value is in mapping what the console exposes and proving how far it reaches into the device. That hands-on testing is the kind of work we do at Berkner Tech.