Author Topic: router reverse engineering - might this be a disabled UART? Can I enable it?  (Read 1248 times)


Offline PhilipGilmore

  • Newbie
  • Posts: 3

So I have this LTE router and I am interested in extracting the firmware from it.
I found two 4-pin headers on two different PCBs (the PCBs are connected via a cable). The first one I tried was an actual UART, giving me root access to the system (I'll call it "wifi", as it seems to provide the Wi-Fi).
It turns out that the router consists of two systems, as the system I got UART access to had a different IP than the router advertised via DHCP.
This "wifi" system could communicate with the "main" system via Ethernet (it could ping the advertised IP address).

So I assumed the other 4-pin header could be a UART for the "main" system, and pins 1 and 2 match the layout of the "wifi" system (Vcc and GND), but pins 3 and 4 (which were TX and RX on "wifi") seem to be floating (0 volts and not connected to GND).
I have attached a photo of that header; pin 1 is on the right (the label is on the other side of the PCB).

The traces of pins 3 and 4 go up to the solder pads where an 8-pin IC could be placed and seem to end there.
Is there a typical IC that one could insert there to allow UART access? Or does this look like something else?

I can also telnet into the "wifi" system without a password, but on the "main" system, telnet asks for a password which is not the web interface password, so I can't log in that way.
I want to keep the device in good working condition, so disassembling it until I get to some flash chip is out of the question. Most of the electronics are hidden under metal covers anyway.


Offline coromonadalix

  • Super Contributor
  • ***
  • Posts: 4747
  • Country: ca
I think you need to populate the missing IC and parts near the connector to make it work?

Offline PhilipGilmore

  • Newbie
  • Posts: 3
With the 4 solder pads closest to the 4-pin header I'm not sure. They are, from left to right, pin 4, GND, pin 3, GND, so they might only be good for adding small filter capacitors? Or should they stay unconnected?

And I have no idea what kind of IC might be necessary. I assumed that most microcontrollers powerful enough to run embedded Linux would have their own internal UART, so no external IC would be necessary.
But if the manufacturer chose not to use the internal UART, maybe to make it harder to connect, how would they do it? Something like SPI/I²C to UART? Googling for SPI/I²C-to-UART converter ICs, the ones I found had more than 8 pins.

I'll keep investigating...

Online tunk

  • Frequent Contributor
  • **
  • Posts: 829
  • Country: no
OpenWrt and DD-WRT have alternative firmware for many wireless routers.
They may (or may not) have some useful information about reverse engineering.

Offline biot

  • Regular Contributor
  • *
  • Posts: 70
Some sort of voltage converter would go there, only needed for debugging and thus not populated on production boards. This is not unusual. You can either figure out which chip matches the pinout and solder one in place, or simply solder some small wires onto the pins where the UART traces end. Presumably not too hard to figure out: TX and RX will both go to the main chip on the board.

If you have a scope, take a look at the voltages on those pins. If they're 1.8 V, don't go hooking up a 3.3 V UART interface to it.
