Getting Root Access via UART

A short guide on how I got a root shell over a serial connection using UART on an embedded device.

In this post I attempt to gain root access on the Netvue indoor camera via the UART interface. The Netvue indoor camera used in this project was approximately $25 and can be found here.

What is UART?

Universal asynchronous receiver-transmitter (UART) is a hardware serial communication interface that is commonly found on embedded devices and is typically used for debugging purposes during development.

In layman's terms, a UART interface lets a person get shell access to the underlying operating system on these embedded devices, often with root privileges.

Why is this important?

Developers often mistakenly leave this interface "unlocked" in production devices, giving hackers an easy opportunity to get a root shell on the device. This opens the door to all kinds of additional attacks, ranging from enumerating the underlying software and general inner workings of the device to backdooring the device and then reselling it to unsuspecting victims.

Disassembling the Hardware

Luckily, taking apart the Netvue indoor camera and getting access to the underlying PCB was very easy. This for the most part only required unscrewing two screws towards the top-back part of the camera.

Figure 1: Back view of the Netvue rotating camera

Unfortunately, in the process of taking the camera apart, I accidentally rotated the bottom portion of the base too much and tore some of the internal wiring apart. Most of these wires were for the motor that rotates the camera to different angles, but one of the broken wires was the one that provided the PCB with external power from a USB-C plug. This resulted in me having to saw the plastic part of the base and reconnect it manually.

Figure 2: Sawed off base part of camera with exposed broken wires

Hardware Enumeration

After getting physical access to the underlying PCB, I was able to identify some key parts.

Figure 3: Top view of the PCB

I identified the SoC as a Fullhan FH8626V100. Unfortunately, I was not able to find a datasheet online for this SoC.

More importantly though, I was able to quickly and easily identify potential UART pins which can be seen in the above image towards the bottom right. I went ahead and soldered some makeshift wires into the pin holes since even my 2mm header pins would not fit into these pin holes.

Figure 4: Crude UART pin soldering job

I decided to utilize my Jtagulator to further verify that I soldered the wires correctly and that it was in fact a valid UART connection. For those unaware, the Jtagulator is a tool used to safely brute force a number of pins to figure out the correct combination to get a serial connection. This works on JTAG and UART connections and will even identify the correct baud rate. For more information about the Jtagulator, Joe Grand, the creator, has a YouTube channel with in-depth tutorials on how to operate the device.

For this example, there were only 3 pins that were clearly labeled RX, TX, and Ground, so the Jtagulator was largely unnecessary for this project. However, in an effort to become more familiar with the tool, I opted to use it.

After connecting the Jtagulator to the 3 pins soldered onto the PCB, the Jtagulator was able to correctly identify a UART connection which can be seen below.

Figure 5: Jtagulator successfully identifying a combination of pins for UART

The Jtagulator was able to successfully identify the baud rate as 115200 and the correct pin combination (even though it was labeled on the board). I then used pass-through mode to get a UART shell.

As expected, this dropped me straight into a root shell, with very limited commands. I was able to reboot the device and observe the U-Boot logs as the device started up, which revealed a lot of useful information regarding the device.

I was able to locate the main binary and extract it from the host using my own busybox binary that was downloaded onto the device.
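A serial console that drops straight into a root shell, as this one did, is usually visible in the firmware image before a device ships. The check below is an added example, not code from the original post or from the vendor: it assumes a root filesystem that uses BusyBox init with /etc/inittab and /etc/shadow (the post does not say what this camera uses), and the sample file contents are constructed.

```python
import shlex

SHELLS = {"sh", "ash", "bash"}
CONSOLE_ACTIONS = {"respawn", "askfirst", "once"}

# Constructed sample inputs, not taken from the camera or any real firmware.
SAMPLE_INITTAB = """\
# <id>:<runlevels>:<action>:<process>
::sysinit:/etc/init.d/rcS
::once:/bin/sh /etc/start_app.sh
ttyS0::respawn:-/bin/sh
ttyS1::respawn:/sbin/getty -n -l /bin/sh -L 115200 ttyS1 vt100
ttyS2::respawn:/sbin/getty -L 115200 ttyS2 vt100
"""
SAMPLE_SHADOW = "root::0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n"


def _is_shell(path):
    # A leading "-" asks BusyBox init to start the program as a login shell.
    return path.lstrip("-").rsplit("/", 1)[-1] in SHELLS


def audit_inittab(text):
    """Return (line_no, tty, reason) for entries that hand out a shell without login."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(":", 3)
        if raw.lstrip().startswith("#") or len(parts) != 4:
            continue
        tty, _, action, process = parts
        argv = shlex.split(process)
        if action not in CONSOLE_ACTIONS or not argv:
            continue
        if _is_shell(argv[0]):
            # "sh script.sh" or "sh -c cmd" is a boot job, not an interactive console.
            if all(a.startswith("-") and a != "-c" for a in argv[1:]):
                findings.append((no, tty or "console", "interactive shell, no login"))
        elif argv[0].endswith("getty") and "-l" in argv:
            i = argv.index("-l")
            if _is_shell("".join(argv[i + 1:i + 2])):
                findings.append((no, tty or "console", "getty -l runs a shell instead of login"))
    return findings


def root_password_is_empty(shadow_text):
    """True when root's hash field is empty, so login asks for no password."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1:
            return fields[1] == ""
    return False
```

Run both checks together in a release pipeline: a getty line that does call login is still an open console if root's password field is empty.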
