Tenda Router IoT Hacking

Today we are going to take apart an old router and see what the insides look like.  Then hopefully we will find something like JTAG or UART that we can connect to over USB and read some data off the router.

JTAG, named from the Joint Test Action Group, is used for computer interaction with circuit boards.  Developers use it to interact with the board during development, to test new features or various versions of firmware.  Typically these ports are disabled before the boards go to production.  This can be done a few ways: one is to just never populate the header.  Another is to make sure there are no traces from the pins to the processor, by leaving those traces off the board when it is manufactured.  You can also remove the support from the firmware, so nothing ever talks to the pins.  The most effective option is to never populate them on your production boards in the first place.

Another common protocol when interacting with hardware is UART, or Universal Asynchronous Receiver-Transmitter.  A UART link can run at different speeds (baud rates).  Each device can communicate at a different speed, so usually you just reference the device manual to see what rate you should talk to it at.  Another way is to try a few common rates to see if you can connect, or brute force the rates until you see readable data.

The router we will look at today is the Tenda Wireless N300.  This is a cheap router you can get for around $30 on Amazon.  It says it supports 2 GHz and 5 GHz and has speeds of up to 300Mbps, which must be one of the reasons it's the N300.  Visiting the website, we can find some firmware files available for download.  We will explore those later on, in another post.  (https://www.tendacn.com/us/product/download/N301.html)

I have these really nice opening picks that come with the Pro Tech Toolkit.  I use this kit all the time at home and at work, when working on devices.  I highly recommend getting this kit for all your needs.  (https://www.ifixit.com/Store/Tools/Pro-Tech-Toolkit/IF145-307).

Start by sliding the picks around your router, slowly popping the inner clips away from the device.  Once you have enough of them lifted you can pop off the top of the router.

Now we can see the inside.  It just has one board, that provides the 4 Ethernet ports, power, a reset switch, 3 antennas, the processor, the WiFi chip and more.

I wanted to see what the various items on the board were and, most importantly, the 4 pins in a row.  You want to look for either 4 pins in a row, or a set of 8 or 10 pins.  This is usually a sign of JTAG or UART, which can be used to interact with the device.

In this case looking at our board diagram we have UART.

https://fccid.io/V7TW3002R/Schematics/Schematics-1930513 Page 7

This has all the pins mapped out.  Pin 1 is VDD3_3, the voltage pin, and it looks to be 3.3 volts.  Pin 2 is TX, which stands for transmit.  Pin 3 is RX, which is for receive.  Pin 4 is most likely a ground pin.  You can ground to anything that has metal on it.  In this case, if we wanted to, we could ground to the metal around the push button on the top left of the board.  Our next step is to solder some wires to the pins.  You won't need to solder to the power pin, because we will just use the router's normal power supply for power.  If you wire it up wrong to the USB to serial adapter, the power can shoot back into the USB and cause issues with the computer, so BE CAREFUL.

Let's check the various pins with a multimeter to verify we have identified the right pins before soldering to them.

Grab your multimeter and connect the black cord to the COM port and the red to VΩmA.

Now let's first find ground, so set your multimeter to the Ohms section (horseshoe symbol), and then touch your black probe to something that would be grounded, like a piece of metal.  In this instance I will touch the metal on the reset button.  Now touch the red probe to the various pins and look for one that doesn't make the screen say OL (Overload).  In this instance the top pin is the ground pin because it gives us a reading of 0, instead of OL.

Now a voltage test: set the multimeter to the 20 V option.  Touch the black probe to the metal casing on the reset switch and touch the red probe to one of the UART pins.  We see that the top pin is 0, and everything else is 3.3 volts, which is strange.  We will have to take some guesses since we don't have a logic analyzer.  According to our diagram the middle pins should be transmit and receive.  So looking above, it appears the UART diagram is just being viewed from a different angle.  In this case the pin with the square pad is our VCC pin (power).

Something that I didn’t think about when I first started to solder, was to get a fan that will filter all the air that comes from melting the solder.  Please be sure to do this as it will help you avoid breathing in all the bad chemicals.  I used to cough a lot from soldering without a fan, so do yourself a favor and buy one!  There’s a ton of different ones, and I think most of them will do the trick, but this is the one I use at home and work.

Next up we will solder some wires to the 3 pins, leaving the power pin (top pin) without a wire.  Any wire will do; I have some left over from HackerBoxes so I will be using those.  If you don't have any you can buy pre-built ones, or ones you can cut yourself.  You will need to strip the wire, so get a tool for that too.

Pre-Built Wiring

For the next step we will solder the wires and connect to the USB to serial cable.  You can get one off Amazon for around $15.  Here is a diagram of what pins would go where.  I reference this non-stop at work, so it's handy to print one off and keep close.  Mine is a little simpler and had GND (Ground), TRX (Transmit), RTX (Receive) and VCC (power).

Solder your wires on.  For this one I put a ball of solder into the holes and let it set.  Then I melted it with the soldering iron, and while it was melted stuck the wire into the melted solder and took the iron off, letting the solder set.  Test the wire to make sure it is not going to come off by lightly pulling it.  Ensure that you have space between your solder points.  If the solder joints touch it will bridge the circuit and it won't work properly.  If you do accidentally connect them, reheat the solder, and then try to swipe it away with the soldering iron.  You can also buy a device that will suck up the solder, but that's not necessary for this kind of use.

So on our board we will connect the RXD to Pin 2 and the TXD to Pin 3.  Pin 1 is our ground pin.  Don't connect to Pin 4, that's the power, and we are supplying power via the power source.  Connect the USB to serial adapter to the wires that you just soldered, like pictured above.

Now plug in your USB to serial adapter; Windows will hopefully pull down the drivers for you.  Open up Device Manager and check that you don't have an unknown device.  You should now see something under Ports (COM & LPT).  Mine is listed as COM4.

One thing we need to know is the baud rate.  A great tool for this is the Saleae logic analyzer.  These can be pretty expensive but they do offer student and enthusiast pricing for half the price for a Logic 8.  They note that you can contact them for the Pro 8 and 16 discounts.  https://blog.saleae.com/saleae-discounts

Another option is to brute force the baud rate using a python tool.  https://github.com/devttys0/baudrate/blob/master/baudrate.py

Looking through the code we need to determine if this is Python 2 or Python 3.  A quick way is to look at the print statements that are in the program.  Python 3 will be print("test"), where Python 2 will just be print "test"

Looking at line 207 we have

print "Error saving minicom config file:", str(e)

so now we can say this is Python 2.

Open Notepad, paste in the code and save it as Brute_BaudRate.py.  Be sure to change the "Save as type" option to All Files to avoid this being saved as a text file.

I haven't set up any aliases for Python 2, so I just call it with the full path in double quotes, and then Brute_BaudRate.py

We get an error saying no module named serial.  This is the module Python uses to interact with the serial connection, so we need to install it.

Run "python.exe" -m pip install serial.  Ignore the first double quote and backslash in the picture, mistake on my echo statement

Then try to run it again; there's another error here.

/dev/ttyUSB0 does not exist on Windows, where I am running it from.  Let's list out our ports.

Run python.exe -m pip install pyserial

Now we can query which ports are available.

python -m serial.tools.list_ports

Now run with the -h flag to see the help menu.

So let’s try specifying our port with the -p flag.

Plug in power to the device and let’s run this program.

It starts off with 115200 as the rate, which looks like the right rate, because we can see readable ASCII.
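The same idea the baudrate.py tool implements, written out here as an added example (this is not the devttys0 tool or anything from the post): capture a short sample at each common rate and keep the rate whose bytes look most like readable ASCII. The serial I/O is isolated in open_and_read() (which needs pyserial, the package you actually want rather than "serial"), so the scoring and selection logic can be checked offline against constructed samples. The port name "COM4" and the rate list are assumptions; 115200 is the rate the post found.

```python
"""Added example: pick a UART baud rate by scoring how printable the captured
bytes are at each candidate rate. Not the baudrate.py tool from the post."""
import string

# Common UART rates, highest first; 115200 is what the post's router used.
COMMON_BAUD_RATES = (115200, 57600, 38400, 19200, 9600, 4800, 2400, 1200)

# Bytes we treat as "readable": printable ASCII plus the usual line/tab controls.
PRINTABLE = set(string.printable.encode("ascii"))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for an empty capture."""
    if not data:
        return 0.0
    good = sum(1 for b in data if b in PRINTABLE)
    return good / len(data)


def pick_baud_rate(samples, threshold=0.9):
    """samples: iterable of (baud, bytes) captured at each rate.
    Returns the baud whose sample scores highest, or None when no sample
    reaches the threshold (nothing wired up, TX/RX swapped, or the device
    was silent while we listened)."""
    best_rate, best_score = None, 0.0
    for rate, data in samples:
        score = printable_ratio(data)
        if score > best_score:
            best_rate, best_score = rate, score
    return best_rate if best_score >= threshold else None


def list_serial_ports():
    """Device names of the serial ports the OS knows about (e.g. 'COM4' on
    Windows, '/dev/ttyUSB0' on Linux). Uses pyserial's list_ports, the same
    thing `python -m serial.tools.list_ports` prints."""
    from serial.tools import list_ports  # pyserial
    return [p.device for p in list_ports.comports()]


def open_and_read(port: str, baud: int, timeout: float = 2.0, size: int = 256) -> bytes:
    """Open the adapter at one rate and read up to `size` bytes. pyserial is
    imported here so the pure functions above work without it installed."""
    import serial  # pyserial: 'pip install pyserial', not 'pip install serial'
    with serial.Serial(port, baudrate=baud, timeout=timeout) as ser:
        ser.reset_input_buffer()  # drop anything buffered at the previous rate
        return ser.read(size)


def detect_baud_rate(port: str, rates=COMMON_BAUD_RATES, reader=open_and_read):
    """Capture a sample at every rate, then score them. Power-cycle the router
    before calling so the bootloader is actually printing during the capture."""
    samples = [(rate, reader(port, rate)) for rate in rates]
    return pick_baud_rate(samples)


if __name__ == "__main__":
    import sys
    port = sys.argv[1] if len(sys.argv) > 1 else "COM4"  # assumed port name
    print("detected baud rate:", detect_baud_rate(port))
```

A mis-wired adapter (TX and RX swapped, or no ground) gives either silence or pure noise at every rate, which is why pick_baud_rate() returns None instead of guessing: the bootloader needs to be talking at the moment you listen, so unplug and replug the router's power right before running it.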

Now we can use PuTTY to establish a serial connection with 115200 set as the baud rate.

You should see visible data on the screen and we have successfully connected to the UART port!

There's some interesting information we can get from this screen.  You can see the various places in memory where the Data, Heap, Stack, and other information live.  One thing that's great is that it shows us the hardware (MAC) address and the IP address.  If you forgot what the IP address for the router was, now you can see it.

The Starting Program says it’s at memory address 0x80001000.  This is useful if we try to dump the current firmware off the device.
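Once the boot output is captured from the serial session, the handful of facts worth keeping (where the program is loaded, the memory regions, the MAC and IP the device announces) can be pulled out with a few regular expressions rather than by scrolling. The parser below is an added example, not code from the post. The boot log it runs on is constructed for this example in a generic bootloader style; only the 0x80001000 load address comes from the post, and the MAC, IP and region addresses are made-up sample values.

```python
"""Added example: extract load address, memory regions, MAC and IP from a
captured UART boot log. The sample log is constructed, not the router's own."""
import re

# Constructed sample; the Starting program address is the one from the post.
SAMPLE_BOOT_LOG = """\
Bootloader banner (constructed sample)
DRAM:  32 MB
Net:   eth0
eth addr: 00:11:22:33:44:55
ip addr: 192.168.0.1
Data:   0x80400000 - 0x80480000
Heap:   0x80480000 - 0x80800000
Stack:  0x80ff0000 - 0x81000000
Starting program at 0x80001000
"""

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
REGION_RE = re.compile(r"^\s*(\w+):\s*(0x[0-9a-f]+)\s*-\s*(0x[0-9a-f]+)", re.I)
ENTRY_RE = re.compile(r"Starting program at (0x[0-9a-f]+)", re.I)


def parse_boot_log(text: str) -> dict:
    """Return {'entry': int|None, 'regions': {name: (start, end)},
    'mac': str|None, 'ip': str|None} from the captured console text."""
    info = {"entry": None, "regions": {}, "mac": None, "ip": None}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            info["entry"] = int(m.group(1), 16)
            continue
        m = REGION_RE.match(line)
        if m:
            name, start, end = m.groups()
            info["regions"][name.lower()] = (int(start, 16), int(end, 16))
            continue
        m = MAC_RE.search(line)
        if m and info["mac"] is None:
            info["mac"] = m.group(1).lower()
        m = IPV4_RE.search(line)
        if m and info["ip"] is None:
            info["ip"] = m.group(1)
    return info


def region_containing(info: dict, addr: int):
    """Name of the parsed region that contains addr, or None. Handy for
    checking which region a dump range would cover before reading it."""
    for name, (start, end) in info["regions"].items():
        if start <= addr < end:
            return name
    return None


if __name__ == "__main__":
    parsed = parse_boot_log(SAMPLE_BOOT_LOG)
    print("entry point: 0x%08x" % parsed["entry"])
    print("mac:", parsed["mac"], "ip:", parsed["ip"])
    for name, (start, end) in parsed["regions"].items():
        print("%-6s 0x%08x - 0x%08x (%d bytes)" % (name, start, end, end - start))
```

To use it on a real capture, save the PuTTY session log to a file and pass its contents to parse_boot_log(); the region line format will differ per bootloader, so adjust REGION_RE to whatever your device prints.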

Thanks for checking out this blog post! Let me know what you think! This is just a short post around how you can connect your hardware devices to your computer and see what information is available.