Serial Connections

During product development, developers need debugging access to the system. This debugging access often happens over a serial console. Frequently, this serial debugging access isn't disabled, or isn't fully disabled once the system goes into production. Using a logic analyzer to find these unused serial ports is often a productive early step when hacking hardware.

You should complete this exercise on a Windows computer.

Learning Objectives

In this exercise, you will learn to:

  • connect a logic analyzer to a serial port, and
  • use debugging information to gather system information.

Software Setup

  • Download and install the Saleae Logic software using this link. Note that this is not the latest software, but it works well with our hardware.
  • Accept all of the installation defaults.
  • Click Install when prompted to install the Saleae LLC Universal Serial Bus controller.
  • Launch Logic 1.2.18 from your Windows start menu.

Hardware Setup

  • Connect the line labeled RX to pin 1 of the logic analyzer and connect the line labeled GND to the GND pin.
    • The RX cable should be a yellow cable.
    • The GND cable should be a black cable.
  • Use the mini USB cable to attach the logic analyzer to the computer as pictured.

Serial Adapter

  • Plug the power supply into the infotainment system, but do not turn the infotainment system on, yet.

Watch the Boot Process

  • Turn the infotainment unit off if it is on.
  • Press the down arrow next to the Start button to configure the capture properties.
  • Collect the data for 30 seconds at a rate of 1 MS/s.

Start Parameters

  • Start collecting data from the Logic Analyzer by pressing the Start button.

  • Power on the infotainment system. Wait for the data collection to finish.

  • When the capture has finished, data will appear in Channel 0 (pin 1 on the logic analyzer corresponds to Channel 0 in the software).
  • You can zoom in and out of the data collection by using two fingers to scroll up and down on your touchpad. If you zoom in far enough, you can see the individual signals.

  • The individual signals will not make much sense until the signals are analyzed. Essentially, you want to turn raw signals into usable data.
  • Press the + arrow in the Analyzers section on the right and add the Async Serial analyzer with a bit rate of 115200. You can also experiment with using the Autobaud setting to try to automatically guess the bit rate.

Add Analyzer

  • In the bottom right corner of the screen, you should see the decoded serial signal. It should look like boot messages from a Linux system. You can scroll through this text and try to read from top to bottom.
  • Click the gear icon next to the analyzer.

Export Text

  • Save the file to your desktop. Open the file in Notepad. It may be easier to read in Notepad rather than scrolling in the Decoded Properties section of the logic analyzer software.
  • Find information that tells you about the system. Can you find the word "linux" in the output?

Take Turns

  • Let each group member attach the serial-to-USB adapter and capture the data.
  • Each group member should have a log file exported to their computer.

Format the Log File

There are a number of ways to format the log file for easier data analysis. This section will guide you through using Notepad++ to find and replace text with regular expressions.

  • You can install Notepad++ using winget. Open a PowerShell prompt and run the following command.
winget install notepad++
  • Open your text file in Notepad++. You should see data like the following. Each line represents an individual data signal. You might have 200,000+ lines in your file.
Time [s],Value,Parity Error,Framing Error
0.609909000000000,0,,
0.609996000000000,0,,
0.610083000000000,:,,
0.610169000000000,0,,
0.610256000000000,0,,
  • Open the Notepad++ Search menu and choose Replace.
  • In Search Mode, choose Regular Expression.
  • First, you will delete the timestamps and the first comma.
  • In the Find what box, type:
^\d*\.\d*,
  • The regular expression looks for lines starting with zero or more digits (\d*), a period (\.), more digits (\d*), and a comma (,).
  • Leave the Replace with field empty. (Delete any text that might already be in there.)
  • Click Replace All.
  • Next, you will delete the last two commas.
  • Edit the Find what box and type:
,,$
  • The regular expression looks for two consecutive commas (,,) at the end of the line ($)
  • Click Replace All again.
  • Next, convert each ' ' (a space shown inside single quotes) to a plain space.
  • Edit the Find what box and type:
' '
  • The expression ' ' just looks for those three specific characters in a row.
  • Change the Replace with field to a single space.
  • Click Replace All a third time.
  • Next, combine all of the lines of text into a single line.
  • Edit the Find what box and type:
\r\n
  • The regular expression checks for carriage returns (\r) and newline characters (\n). In Windows, the default end of each line in a text file has those two characters.
  • Delete the text in the Replace with field so that it is empty.
  • Click Replace All a fourth time. This will take a long time to run. Just be patient.
  • Next, separate the lines by the carriage returns in the text.
  • Edit the Find what box and type:
\\r
  • This regular expression looks for a backslash (\\) followed by an r.
  • Change the Replace with box to:
\r
  • In a regular expression, \r represents a carriage return.
  • Click Replace All a fifth time.
  • Next, convert the newline characters.
  • Edit the Find what box and type:
\\n
  • This regular expression checks for a backslash (\\) followed by the letter n.
  • Change the Replace with box to:
\n
  • This will replace the text \n with an actual newline character.
  • Click Replace All the last time.
  • You should now see complete log entries on each line. Below is an example of a few sample log file entries. You will have a few thousand log entries, but it will be much easier to read. Instead of 200,000 characters displayed vertically in the initial log output, you should have about 2,000 lines of independent log entries.
00:00:01,000 lvds_service: (Defaulting) Speed Restriction: Enabled
00:00:01,000 lvds_service: (Defaulting) Visteon Display,
00:00:01,000 lvds_service: Disabling HDCP initially,
00:00:01,000 lvds_service: Enable DECERR Auto reset done,
00:00:01,000 lvds_service: Main is done

What can you find in the log file that would help your investigation?
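
The same clean-up can be scripted instead of run as six find-and-replace passes. The Python below is an added example, not part of the original exercise: it rebuilds the console text from the exported CSV and searches it for the word "linux". The function names, the sample input, and the "Error" text in the framing column are assumptions made for illustration.

```python
# Tokens the find-and-replace steps above turn back into real characters.
TOKENS = {"' '": " ", "\\r": "\r", "\\n": "\n"}

def decode_export(csv_text):
    """Return (console_lines, flagged_rows) for an Async Serial CSV export."""
    chars, flagged = [], 0
    for row in csv_text.splitlines()[1:]:          # [1:] skips the header row
        if not row.strip():
            continue
        # The timestamp ends at the first comma and the two error columns are
        # the last two fields, so a Value that is itself "," stays intact.
        parts = row.split(",", 1)[-1].rsplit(",", 2)
        if len(parts) != 3 or parts[1] or parts[2]:
            flagged += 1                           # malformed or error-marked
            continue
        chars.append(TOKENS.get(parts[0], parts[0]))
    text = "".join(chars).replace("\r\n", "\n").replace("\r", "\n")
    return [line for line in text.split("\n") if line], flagged

def find_keywords(lines, words=("linux",)):
    """Case-insensitive search for strings that identify the system."""
    return [ln for ln in lines if any(w in ln.lower() for w in words)]

# Constructed sample (not a real capture): two console lines re-encoded one
# character per row, plus one row marked with an assumed "Error" flag.
INVERSE = {v: k for k, v in TOKENS.items()}
SAMPLE = (
    "Time [s],Value,Parity Error,Framing Error\n"
    + "".join(
        f"{0.61 + i * 0.000087:.15f},{INVERSE.get(c, c)},,\n"
        for i, c in enumerate("Linux version X\r\nlvds_service: Main is done, ok\r\n")
    )
    + "0.700000000000000,?,,Error\n"
)

if __name__ == "__main__":
    lines, flagged = decode_export(SAMPLE)
    print(f"{len(lines)} lines, {flagged} flagged rows")
    for hit in find_keywords(lines):
        print("match:", hit)
```

Rows with a parity or framing flag are dropped and counted rather than decoded; a high count usually means the analyzer's bit rate does not match the port.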

Reflection

Which of the following concepts did this exercise involve? How?

  • Defense in Depth
  • Confidentiality
  • Integrity
  • Availability
  • Think Like an Adversary
  • Keep It Simple

Conclusion

Logic analyzers are useful tools for investigating unknown signals and determining what they are. Now that you know that the system is running Linux, you can use this information in subsequent investigations (including attacks).