Hacking USB Serial Ports
 
Saturday, 9 Dey 1391 (29 December 2012) :: Author: dr.koderz

An unmentioned bonus of this dual-port setup is that it lets you eavesdrop on a system's internal RS-232 communication. By splicing both the USB and the DB9 sides of the adapter into that system, you force the two ends of the link to talk to your PC, which then retransmits the data to where it was originally going. The system you're attacking has no idea, but you can now record all the traffic between the two ends, modify it in flight, or pipe in your own commands. This is very useful when you need to get into a trusted system that requires a handshake or other authentication before it will proceed: a passive recording first shows you exactly what the legitimate peer sends, and the same relay then lets you alter or add to it.
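The relay described above, written out as an added example (this is not code from the original article): a Python man-in-the-middle for an RS-232 link that logs every chunk with its direction, applies an optional rewrite rule, and injects commands of its own toward the target. It assumes the PC ends up with two serial ports, one attached to each end of the spliced link, and a 9600 8N1 link; the `STATUS`/`OK`/`HELP` exchange, the `STATUS` to `DUMPCFG` rewrite and the `MemoryPort` stand-in are constructed for the example. With pyserial installed it relays between two real ports; with no arguments it runs the constructed exchange offline.

```python
"""Serial (RS-232) man-in-the-middle relay: log, rewrite, inject.

Added example for the eavesdropping setup above; not from the original article.
Assumes the PC has one serial port per end of the spliced link. Run with two
device paths to relay between real ports (needs pyserial), or with no
arguments to run a constructed offline exchange."""
import sys
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Rewrite = Callable[[bytes], bytes]  # hook: takes a chunk, returns what to forward


@dataclass
class Tap:
    """Sits between the two ends: records every chunk with its direction,
    optionally rewrites it, and queues our own commands for the target."""
    log: List[Tuple[str, bytes]] = field(default_factory=list)
    to_target: Optional[Rewrite] = None  # applied to PC -> target traffic
    to_pc: Optional[Rewrite] = None      # applied to target -> PC traffic
    inject: List[bytes] = field(default_factory=list)  # sent to target, unseen by PC

    def pc_to_target(self, data: bytes) -> bytes:
        self.log.append(("PC>TARGET", data))
        return self.to_target(data) if self.to_target else data

    def target_to_pc(self, data: bytes) -> bytes:
        self.log.append(("TARGET>PC", data))
        return self.to_pc(data) if self.to_pc else data


class MemoryPort:
    """Stand-in for serial.Serial exposing the three members the relay uses
    (in_waiting, read, write), so the relay can run offline. Constructed here."""
    def __init__(self, incoming: bytes = b"") -> None:
        self.rx = bytearray(incoming)  # what this end has sent, waiting to be read
        self.tx = bytearray()          # what the relay delivered to this end

    @property
    def in_waiting(self) -> int:
        return len(self.rx)

    def read(self, n: int) -> bytes:
        data, self.rx = bytes(self.rx[:n]), self.rx[n:]
        return data

    def write(self, data: bytes) -> int:
        self.tx += data
        return len(data)


def relay_once(pc, target, tap: Tap) -> int:
    """One pass: forward whatever is waiting on either side through the tap,
    then push queued injections at the target. Returns the number of bytes moved."""
    moved = 0
    if pc.in_waiting:
        moved += target.write(tap.pc_to_target(pc.read(pc.in_waiting)))
    if target.in_waiting:
        moved += pc.write(tap.target_to_pc(target.read(target.in_waiting)))
    while tap.inject:
        cmd = tap.inject.pop(0)
        tap.log.append(("INJECT>TARGET", cmd))
        moved += target.write(cmd)
    return moved


def hexdump(log: List[Tuple[str, bytes]]) -> str:
    """Render the tap log one chunk per line: direction, hex bytes, repr."""
    return "\n".join(f"{d:<14} {data.hex(' '):<40} {data!r}" for d, data in log)


def demo() -> Tuple[Tap, MemoryPort, MemoryPort]:
    """Constructed exchange (hypothetical protocol): the PC sends STATUS, the
    target answers OK; the tap swaps the command for DUMPCFG and injects HELP."""
    tap = Tap(to_target=lambda b: b.replace(b"STATUS", b"DUMPCFG"))
    pc = MemoryPort(incoming=b"STATUS\r")
    target = MemoryPort(incoming=b"OK\r\n")
    tap.inject.append(b"HELP\r")
    relay_once(pc, target, tap)
    return tap, pc, target


if __name__ == "__main__":
    if len(sys.argv) == 3:
        import serial  # pyserial; imported here so the offline demo needs no install
        # 9600 8N1 is an assumption: set the baud rate to whatever the sniffed link uses.
        pc_end = serial.Serial(sys.argv[1], 9600, timeout=0)
        target_end = serial.Serial(sys.argv[2], 9600, timeout=0)
        tap = Tap()
        try:
            while True:
                if not relay_once(pc_end, target_end, tap):
                    time.sleep(0.005)  # idle: avoid spinning the CPU
        except KeyboardInterrupt:
            print(hexdump(tap.log))
    else:
        tap, _, _ = demo()
        print(hexdump(tap.log))
```

Run it first with an empty `Tap()` to get a clean recording of the handshake; the rewrite hooks and `inject` queue only come into play once you know what the legitimate peer sends. Byte chunking follows whatever `in_waiting` reports, so a rewrite rule that matches a multi-byte token should buffer until a line terminator if the target sends in small pieces.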

Details:

As was previously mentioned, the device you are looking for is a two-chip system: a USB controller plus a separate RS-232 level shifter. Some adapters on the market integrate the USB controller and the level shifter into a single chip; these are no good for us, because there are no logic-level RxD/TxD traces between the two functions to cut into. I don't know which device you will happen to encounter, but the hack process is the same.

1) Disassemble the device and identify the controller and the level shifter. This is usually pretty easy because the controller is the larger chip, but you can also use the following clues.

  • The controller is connected to the USB side (and usually physically located there); the level shifter is connected to the DB9 side.
  • The controller usually has a metal-can crystal in close proximity, connected to it.

2) Identify the RxD and TxD lines running from the controller to the level shifter.

  • The easiest way is to use the datasheet for one or both of the devices.
  • The more difficult way is to trace the circuit, either by physical observation or by using a multimeter in continuity ("beep") mode to find which pins (other than VDD and GND) are connected between the two devices.

3) Cut the TxD and RxD lines between the controller and the level shifter, and install jumpers or header pins for connecting to your own project.

  • NOTE: If you're tracing by hand, you will still need to determine which line is TxD and which is RxD. After cutting the lines between the two chips, apply 3.3 V or 0 V to each cut line on the level-shifter side in turn and watch the DB9 pins to see which one swings high and low. Do this through a current-limiting resistor (a few hundred ohms to 1 kΩ): one of the two lines is the shifter's receiver output, not an input, and you do not want to fight it. On the adapter's DB9 (wired as a DTE, like a PC's own serial port), pin 2 is the PC's RxD (PC receive, controller transmit) and pin 3 is the PC's TxD (PC transmit, controller receive). The DB9 side swings to RS-232 voltages (roughly ±5 to ±12 V), so never connect it, or any RS-232 signal, to the controller's 3.3 V logic pins.

Examples:

We will use the example of the Keyspan USA-19HS, which uses the Texas Instruments TUSB3410 microcontroller as its USB controller and a no-name RS-232 chip as the level shifter.

The first thing to do is download the TUSB3410 datasheet and look at the pinout; this is obviously the easiest way to identify the pins. The pinout diagram shows pin 17 as SIN (serial in, the TUSB3410's RxD) and pin 19 as SOUT (serial out, the TUSB3410's TxD).


Fig 3 – TUSB3410 Pinout

 

By checking these pins with a DMM in continuity ("beep") mode, we can verify that they really are connected to the level shifter as a sanity check before doing any cutting. In our case the traces were VERY small, so it was much easier to carefully pry up the pins with tweezers while heating each pin with a soldering iron. Carefully is the operative word here: break a pin off and you might as well trash the adapter, and you're down one port. For our device, we soldered a yellow wire onto SIN and a red wire onto SOUT. The yellow (SIN) wire is where the controller expects data headed for the PC, so bytes you feed in here show up on the PC's serial port; the red (SOUT) wire carries whatever the PC sends. Both are 3.3 V logic, so only connect logic-level signals to them. Please note that you must also connect the GND of this board to the GND of the board you're working on (or else it won't know what's 3.3 V and what's 0 V!), so you can see a third wire, black, also soldered to the board. For GND, you can usually find a large copper area of ground plane and just scratch off the green solder mask with an X-Acto knife.


Fig 4 – View of the completed hack

 

And that's pretty much it. From start to finish, this hack will probably take you an hour or so, including the time required to research an unknown device. As a special bonus, here's a device that didn't even have any markings on the controller chip, so it was impossible to look up the pinout online. We used the steps outlined above to trace it out, toggled each of the level shifter's pins to determine RxD and TxD, and boom, another device hacked. This one was cheaper than the Keyspan ($10 vs. $20, if memory serves) but just as hackable.


Fig 5 – Hacked No-Name USB Serial Adapter with Unknown Chipset

 

Bonus #2:

Some of you may be wondering about taking over the microcontroller in the adapter. Sure you can! It's a topic for another article, so I won't discuss all the details here, but you can freely download the TUSB3410 development tools from TI. By binding the device to TI's own driver instead of the generic serial-port driver, you gain access to the device's firmware and are free to write new applications and load them onto it. One caveat: the TUSB3410 has no on-chip flash. Its firmware runs from RAM and is loaded at enumeration either from an external I2C EEPROM on the board or by the host driver, so a persistent change means rewriting that EEPROM (or having the host load your code every time). Enjoy!



