Reverse engineering a Router – Part 1

Hello every one!

I wanted to go over some reverse engineering today, as a brief introduction to the topic. If I wanted to describe it in one sentence and sound smart at the same time, I would say something like:

Reverse engineering, also called back engineering, is the processes of extracting knowledge or design information from anything man-made and re-producing it or re-producing anything based on the extracted information .

That is the first sentence of the wikipedia article on reverse engineering. I’m not as smart as the combined intellect of the wikipedia editors though, so I would probably describe it more as:

Taking stuff apart to figure out how it works.

Reverse engineering can take on many forms too. We can try to take apart software, or hardware. In this post we will be looking at hardware, but expect a software reverse engineering post at some point in the future.

So now we have an idea of what reverse engineering is, where can we do some? Well fortunately for us, following a lot of hackers on Twitter will leave us exposed to many posts about such stuff. In fact this whole post is me following along a tutorial someone else posted. That person is called Juan Carlos Jimenez, and they deserve credit for their awesome writing and work.

You can find the post they wrote here and you can follow them on Twitter here. This post will be a bit more focused on the stuff I had to learn in order to reproduce the findings in the original post.

So let’s get straight into it. We are going to be reverse engineering a router. The model we are after is a Huawei HG533, but the techniques we will discuss are applicable to many modern electronics. I searched around ebay for a bit for one, and halfway through realised that as it is my first time doing anything like this, I should probably buy two!

They only cost 15 Euro’s each, and the risk mitigation of my fumbling hands was at the time looking like a really good idea. I didn’t want to get halfway through, accidentally drop something, and then find out I would have to wait another 7-14 days to receive another router. This is what they look like.

They have 4 network ports on the back, and “Internet in” port, and are pretty similar to 99% of home routers. So obviously the first thing we are going to do is take this apart.

Once we have unscrewed it, we are left with the circuit board and the outer case.

So at this point, it is useful to explain exactly what it is that we are looking for. What we need to look for is something called a UART port, which stands for Universal asynchronous receiver/transmitter.

It is not a port like the ethernet ports on the circuit board, but usually just a few pins on the board that have this capability. UART is just a way for communication to occur between two pieces of hardware. In this example, one of those pieces of hardware is the router, and the other will be our computer.

On the router board, UART is used to communicate between two bits of hardware, perhaps the main microchip and other bits of the router. UART is also meant for serial communication, which means that only one channel is open, and one piece of information is sent at a time. Parallel communication would be where you had several channels open, and they were sending stuff at the same time.

I mention all these as they are concepts I had a vague idea about, but having no formal education into electronic engineering, have never had fully formed ideas of, or researched.

UART, as a protocol looks very, very complicated to someone like me who does not really know what they are doing. If we take a quick look at the models on the wikipedia page here, we will be completely turned off from learning about it. Or at least that was what happened to me when I scrolled down the page.

I mean it all looks so complicated, has acronyms I have no idea what could be translated to, and generally is a big scary mess of opaque stuff my impostor syndrome refuses to dive into. So I did exactly what anyone would do in this situation, I googled “UART explained”. Here is the gist of what I took away from it.

It is as old as time itself! The 1960’s! If you ever used a Serial connector between two computers, then you used UART to get them to talk to each other. I remember having a Serial cable with my first computer, I can’t remember actually using it at any point though.

It also involves only one pair of wires for communication, one receiver, and one transmitter. The Receiving wire is called Rx and the Transmitting wire is called Tx. Also, as it is asynchronous, that means that there is no need for the sending end of the communication to include a clock so that everything in in sync. Both ends of the conversation know that data is going to be sent, one byte at a time, at a pre-specified speed. What is that speed? No idea.

Literally no idea, as it is configurable when you define the protocol and your hardware, so every different piece of hardware we reverse engineer can run at a different speed (although not the same models of stuff, so two identical routers should run at the same speed).

In fact, as it is so un-agreed-upon, and therefore a really good malleable tool for systems designers, there is even a section in the wikipedia article about “common” speeds. This speed is commonly referred to the baud rate, which you may have heard about if you are old enough to remember when connecting to the internet took minutes, not seconds, tied up the phone line, and was punctuated by staccato screeches from your modem.

If you were not that lucky, then a baud rate of 9600 simply means that 9600 bits of information are transferred every second. This is about 1 Kilobyte per second.

So now we know what all those things are, let’s start looking for them! According to Juan Carlos, the UART ports in commercial devices are usually 4 to 6 pins, sometimes marked in the PCB silkscreen somehow. What is a PCB silkscreen? I also did not know either. It’s basically the text and patterns that are printed (usually in white colour) on top of the circuit board. Kind of like a map.

In fact in this picture we can even see the silkscreen for the UART port shown as RX-I (I’m guessing input) and TX-O (Output?). There is even a GND and VCC for Ground and the boards power line.

Looking around on the router board, we can immediately see a couple of likely looking candidates. In fact if we look on the sides of the microchips, we can see there are a couple of rows of five pins.

This is exactly what we are looking for!

They are not handily marked out on the silkscreen like in the previous picture though, so we will have to figure out which one does what. Juan Carlos has a method for this that I would never have dreamed up in a million years. Shine a torch on the back of the board!

As you can see, not all of these pins are made the same. Some of them have a complete circle lit up, and some of them have either a break in the circle or several. If they have a break, then that means they are connected to something. If they have several (or 4 in this case) then that likely means they are power pins, as a power pin should be resilient against damage. Data pins, not so much.

So we can see that the first pin is connected to something, the second is not, the third has two connections, although in the guide it had none, which means that it is probably connected to a think plane or a trace. This is likely to be a power pin. The fourth pin is connected on all sides, so will probably be the other power pin, and the last one is connected in one place. This means that pins 1 and 5 are likely our Tx and Rx pins, not necessarily in that order. Pins 2, 3 and 4 are could be the power pins.

So now we have identified a bunch of pins, we should also figure out what they do. I started off with a multimeter and turned the router on, and checked how many volts were going through each set. Two of the pins that we suspected are power and ground. One of them has 3.3v running through it, and the other has zero. The two suspected data pins have volts going across one, and almost no volts going across the other. This means that one (which has current) is the Transmitting pin, as it will by default start sending information. The other will be set up to Receive information, so be hovering around zero. We do not want to connect the power pin though, only the GND pin and data pins. Let’s review.

  • Pin 1: Rx
  • Pin 4: GDN
  • Pin 5: Tx

Juan Carlos tells us of his troubles trying to solder the connectors for these pins (obviously we want to work with them, and not have to hold stuff onto the little pads all the time, also we only have 2 hands, not three) and suggests drilling these to get holes instead of soldering directly onto the board. I decided to ignore this awesome advice, and soldered the 5 pins straight on top of the board.

Three things happened when I did this.

  1. I managed to solder the pins onto the board successfully. I was not sure at all that this would work.
  2. I accidentally de-soldered a tiny little resistor somewhere near where the pins met the board. Probably didn’t need it anyway.
  3. I dropped a blob of solder onto the feet of the microchip nearby, thereby soldering together around 5 connectors.

Whoops!

I tried for a while to use my de-soldering pen on the microchip feet, but it was too fiddly. I then invested in some de-soldering wick, which is like a thin copper wire braid that you put on top of the part of solder you want to remove, place the soldering iron on top of it. Using the power of wicking, the solder is absorbed into the de-soldering wick. This also did not work.

I eventually settled on scoring between the feet with a sharp knife to break the connections.

Now it was time to connect this up to what Juan Carlos calls “any UART to USB bridge you have around”. I did not have one of these just around, so after a month of waiting for my AliBaba order to arrive, I connected it up and plugged it into my laptop. Finally we are going to see the inside of a router’s software!

I have a Kali laptop kicking around at home, as it comes with so many useful hacking tools pre-installed, it makes life so much easier. First off I plugged the usb bridge into the laptop, then connected the wires, then connected the wires to the router, but did not turn it on. At this point, its time to visit the /dev/ folder.

The /dev/ folder contains a bunch of things with “tty” in their name. The tty it refers to teletypewriter (probably). This is a legacy term from when you used to have a terminal that connected to a computer, rather than a computer. Yes, I know what you are thinking, exactly like in the film Jumpin’ Jack Flash.

If we do “ls *tty*” we will see a list of all the tty’s. Think of them kind of like ports, or connected devices. One will stick out here, its the ttyUSB0. That is what we want to connect to so we can read data being sent over the serial connection.

In the screenshot above, I did the “ls *tty*” command twice, once before and once after plugging in the USB bridge. As we can see there is a new interface available, so that is what we will try to access.

I used a terminal program written in python called miniterm.py to connect to it, but you could also use the amazing screen program too, with the following syntax:

screen /dev/ttyUSB0 57600

The number at the end is the baud rate we discussed earlier. Fortunately we know what it is thanks to Juan Carlos.

So now we just need to turn on the router, and see what happens!

Holy Guacamole!

It’s spitting out information and everything! Like real information!

I think this is the closest that I have gotten to movie-hacking, so I am going to leave it right here for now. Yes, another cliff-hanger! Don’t worry, it’s not a trend, I just have a lot to get through at the moment, and this post has been months in the making, so wanted to get something out, which will keep me motivated to finish this project.

So for now, I hope you have an awesome week, and I will make sure to post the next section of this very soon!

Leave a Reply

Your email address will not be published. Required fields are marked *