# UART Firmware Acquisition Research
AI Summary
Purpose:
- Record the owner's 2019 conference paper on acquiring embedded-device firmware via UART, including the defenses encountered and the connection methods proposed.
Key points:
- Paper: "임베디드 장비 펌웨어 획득을 위한 UART 연결 방법 연구" / "A Study on the UART Connection Method for Acquiring Embedded Equipment Firmware".
- Authors: 김현욱 (Hyunwook Kim), 윤주범 (Joobeom Yun), Sejong University. Venue: 2019 정보보호 하계학술대회 (KIISC Summer Conference 2019).
- Contribution: 5 vendor UART defenses + 7 UART connection/bypass methods; validated on a D-Link DIR-842 router.
Relevant when:
- Describing the owner's hands-on firmware-acquisition / hardware-security work; portfolio academic section.
Do not read full document unless:
- You need exact method wording or the equipment list (in source extract).
Linked documents:
- [[iotfirmfuzz]]
- [[iothybridfuzzer]]
- [[../../sources/academic/patents-uart-extract]]
Open Questions
- Exact page numbers / proceedings citation details — Needs confirmation.
Details
Problem:
- IoT/embedded devices proliferate and each ships firmware with potential vulnerabilities. To analyze firmware you must first acquire it, which requires physically connecting the embedded system to a PC. UART is the most accessible connection method, but vendors increasingly lock it down.
UART basics (paper Sec. II):
- UART (Universal Asynchronous Receiver/Transmitter) converts parallel data to serial. Four pins: TX, RX, VCC, GND. PCB RX must meet the adapter's TX. Required gear: USB-to-TTL module, jumper cables, terminal software (Xshell, PuTTY, Screen).
Vendor UART defenses (Sec. III):
- Ship PCB without a UART port, or Disable UART in admin settings.
- Block/hide the RX pin (relocate it, or require bridging two pins to enable RX).
- Use a non-standard Baud rate so captured data appears garbled.
- Require a per-device secret key after connecting (noted as common on ipTime routers).
- License matching — connection only works if device license and host license match (used by large vendors to protect product secrecy).
Seven UART connection / bypass methods (Sec. IV):
- Direct: PCB has a UART port — connect USB-to-TTL and verify in terminal software.
- Unlabeled pins: identify RX/TX/GND with a multimeter (VCC = the square solder pad) after powering the board.
- Via Audio port: an Audio port carries RX/TX/GND; use an Audio-type USB-to-TTL cable.
- Via micro-USB port: use a USB connector to bridge USB-to-TTL to UART (worked on an older smartphone).
- Via CPU pins: find the CPU's RX/TX pins from its datasheet and solder USB-to-TTL jumpers to them.
- Re-enable a blocked RX: bridge specific PCB pads to activate the UART RX pin, or find a separate RX pin elsewhere on the board and connect to it.
- Voltage matching: use a Level Converter to raise/lower voltage so UART communicates correctly (mismatched voltage corrupts data or can damage the device).
Experiment (Sec. V):
- Target: D-Link DIR-842 router. USB-to-TTL module: SZH-CVBE-004. Terminal: XShell 6.0.0024.
- Steps: confirm a UART port exists on the PCB; distinguish RX/TX/VCC/GND; connect to USB-to-TTL; set protocol to Serial and match the Baud Rate to the device; establish the connection.
Conclusion (Sec. VI):
- UART is the easiest physical route to obtain firmware. Vendors increasingly block UART in hardware and software, but many embedded systems still expose shell access over UART and many lock-downs can be bypassed, so further research on UART connection methods is warranted.
Relation to the patents:
- This work is the firmware-acquisition front end of the same research line that produced [[iotfirmfuzz]] (fuzzing acquired/emulated firmware) and [[iothybridfuzzer]] (hybrid fuzzing).