The UART interface is a powerful tool for troubleshooting and configuring embedded systems. It provides direct access to the firmware and is a primary target for attackers. But how secure are common protective measures really?
Access to the firmware: Connecting the UART TX pin and the eMMC Data0 pin to an oscilloscope of type DS1180A.
(Image: Keysight Technologies)
UART (Universal Asynchronous Receiver-Transmitter) is widely used in device hardware as a debugging interface. Communication is remarkably simple, relying on just three lines: Transmit (TX), Receive (RX), and Ground (GND). For attackers, however, UART represents the ultimate 'Golden Ticket,' as the interface frequently provides unauthorized low-level access—in extreme cases, even to an unauthenticated root shell. Consequently, manufacturers face the challenge of securing UART in a way that allows authorized personnel to use it while locking out malicious actors. The following analysis of a real-world case demonstrates that even a highly secured implementation is not an insurmountable obstacle.
The Physical Trace Search
Image 1: Four-pin connector next to the eMMC flash chip.
(Image: Keysight Technologies)
The first step is to establish a physical connection to the target device. This involves searching for test pads on the circuit board, which are usually arranged in groups of three or four pins. On the examined device (Image 1), there was a promising connection area for a four-pin connector located near an eMMC chip. Identifying the pins is a classic measurement process. Ground (GND) can be quickly determined using a continuity test against a known ground plane (e.g., a grounded screw or shielding). The supply voltage (VCC) is often identifiable by a thicker trace leading away from the pin. In this case, the testing revealed: Pin 1 carries voltage, and Pin 4 is ground.
Signal Analysis on the Oscilloscope
Image 2: The oscilloscope displays a very clear rectangular signal.
(Image: Keysight Technologies)
Image 3: Measurement of a single pulse in the rectangular signal.
(Image: Keysight Technologies)
To differentiate between TX and RX, an oscilloscope is the most efficient tool. Since the TX pin transmits data, it displays an irregular rectangular signal during the boot process. The RX pin, on the other hand, remains passive as it only waits for incoming data. Connecting the oscilloscope probe to pin 2 of the mysterious connector confirmed the data flow: Pin 2 is TX, and consequently, pin 3 is RX.
The next challenge is decoding the data. Since UART does not use a clock signal for synchronization, the baud rate must be known. This can be determined from the square wave signal: the smallest pulse (a single data bit) is measured. As shown in Image 2, the amplitude (ΔY) was approximately 3.3 V, which is a standard voltage for UART. The measured frequency (ΔX) was about 116,280 Hz. Considering standard baud rates, a target value of 115,200 baud was determined. With these parameters, a USB-to-UART adapter was connected to monitor the device's communication via a laptop.
The Security Barriers of the Firmware
Image 4: The UART output with boot messages, specifically "bootdelay" and "bootstopkeysha256".
(Image: Keysight Technologies)
After establishing the hardware connection, there’s initial disappointment: the device's boot messages do not lead to a shell prompt or an interactive interface. A standard attack involves interrupting the automatic boot process with keyboard combinations like Ctrl+C to access the bootloader's configuration environment. Here, boot parameters could be modified to make the system launch an interactive shell (/bin/sh) instead of the standard script. However, the examined device was protected against such attempts.
The analysis of the boot messages (Image 4) revealed two key security mechanisms:
bootdelay = -3: This value completely disables the time window for interrupting the boot process. Even massive data floods at the RX pin, a common trick to catch the boot process, prove ineffective here.
bootstopkeysha256: Even with a successful interruption, the system requires a password. The corresponding password hash was output in the log. Although the password in this case was identified through brute-force as "password12345," the path for entry was blocked due to the missing boot delay.
Disrupting the eMMC Memory
When access is denied on the software level, manipulation must target the hardware level. A well-known method by Brad Dixon (Carve Systems) involves disrupting the firmware loading process by grounding the data line of the storage medium (in this case, the data0 pin of the eMMC) at the right moment [1]. The aim is to cause the system to abort the automatic boot process due to a read error, hoping it will fall back into a recovery bootloader shell.
Here too, the device's design proved resilient. Extensive validation checks were performed during booting:
A Shmoo plot validation checked the functionality of the entire eMMC.
Encryption certificates were read and verified.
Any error during these sensitive phases did not cause a fallback to a shell but instead led to an immediate system halt with the prompt: ERROR ### Please RESET the board ###. Precise timing was therefore crucial.
Automated Fault Injection
Image 5: The automatic boot process is interrupted, and the bootloader password is requested.
(Image: Keysight Technologies)
After closely examining the boot messages, an extremely short time window was identified between the completion of validation and the kernel's attempt to load the operating system. To precisely hit this window, a glitch pattern generator (Keysight DS1180A) was used [2]. This tool monitors the UART data stream in real-time. As soon as a predefined text phrase appears in the boot messages, the device automatically triggers a glitch (shorting the data0 line to ground). The standout feature: the timing is adjustable to within microsecond precision.
The analysis revealed that the time window during which the glitch can successfully stop the boot process without crashing the system is approximately four seconds. In the highly precise world of fault injection, where glitches often need to be set within nanoseconds between individual CPU instructions, this is an unusually long timeframe. Nevertheless, this automated trigger proved to be the key to success: the automatic boot process was interrupted, and access to the protected configuration was unlocked.
Date: 08.12.2025
Naturally, we always handle your personal data responsibly. Any personal data we receive from you is processed in accordance with applicable data protection legislation. For detailed information please see our privacy policy.
Consent to the use of data for promotional purposes
I hereby consent to Vogel Communications Group GmbH & Co. KG, Max-Planck-Str. 7-9, 97082 Würzburg including any affiliated companies according to §§ 15 et seq. AktG (hereafter: Vogel Communications Group) using my e-mail address to send editorial newsletters. A list of all affiliated companies can be found here
Newsletter content may include all products and services of any companies mentioned above, including for example specialist journals and books, events and fairs as well as event-related products and services, print and digital media offers and services such as additional (editorial) newsletters, raffles, lead campaigns, market research both online and offline, specialist webportals and e-learning offers. In case my personal telephone number has also been collected, it may be used for offers of aforementioned products, for services of the companies mentioned above, and market research purposes.
Additionally, my consent also includes the processing of my email address and telephone number for data matching for marketing purposes with select advertising partners such as LinkedIn, Google, and Meta. For this, Vogel Communications Group may transmit said data in hashed form to the advertising partners who then use said data to determine whether I am also a member of the mentioned advertising partner portals. Vogel Communications Group uses this feature for the purposes of re-targeting (up-selling, cross-selling, and customer loyalty), generating so-called look-alike audiences for acquisition of new customers, and as basis for exclusion for on-going advertising campaigns. Further information can be found in section “data matching for marketing purposes”.
In case I access protected data on Internet portals of Vogel Communications Group including any affiliated companies according to §§ 15 et seq. AktG, I need to provide further data in order to register for the access to such content. In return for this free access to editorial content, my data may be used in accordance with this consent for the purposes stated here. This does not apply to data matching for marketing purposes.
Right of revocation
I understand that I can revoke my consent at will. My revocation does not change the lawfulness of data processing that was conducted based on my consent leading up to my revocation. One option to declare my revocation is to use the contact form found at https://contact.vogel.de. In case I no longer wish to receive certain newsletters, I have subscribed to, I can also click on the unsubscribe link included at the end of a newsletter. Further information regarding my right of revocation and the implementation of it as well as the consequences of my revocation can be found in the data protection declaration, section editorial newsletter.
A Conclusion
The case highlights that UART interfaces remain vulnerable despite restrictive software configurations and password protection. The combination of classic signal analysis with an oscilloscope and modern fault injection demonstrates the limitations of purely software-based security concepts. For embedded system developers, this means that security must not only be addressed in the code but also through physical hardening of the hardware. This can be achieved, for example, by deactivating debug pins during mass production. (heh)
:quality(80)/p7i.vogel.de/wcms/f6/00/f600595a08e48199b2651e483946b8fe/0131257153v1.jpeg "The digital platform Laserhub reduces the effort for procuring laser and bent parts at KHB. (Image: KHB)")
:quality(80)/p7i.vogel.de/wcms/ee/cc/eecca60904ee64e41a1f1f47215584a6/0131664748v1.jpeg "With the help of SSAB Zero steel from Sweden, Toyota Material Handling Europe is already reducing its carbon footprint in series production. (Image: Toyota Material Handling)")
:quality(80)/p7i.vogel.de/wcms/fc/2e/fc2ead680a610e0f276d61f89c2ff7cc/0131658794v1.jpeg "The Laser-Zentrum Hannover (LZH) has developed innovative fiber optic components that can be used to boost the power of two-micrometer fiber lasers. The whole thing is based on so-called \"triple-clad\" fibers ... (Image:LZH)")
:quality(80)/p7i.vogel.de/wcms/8a/7a/8a7af51f9062e9c40116d1455e290290/0131490789v1.jpeg "With NXD tupH, Nord makes its aluminum drive solutions particularly resistant to corrosive and harsh influences. (Image:Nord Drivesystems)")
:quality(80)/p7i.vogel.de/wcms/c0/84/c084fef6805d6256644e2a85847fadae/0131652645v1.jpeg "The fanless industrial embedded PC named Rocksmart RSX1000 (Image:Werock)")
:quality(80)/p7i.vogel.de/wcms/61/4a/614aa5816dcfc72ecb01032b2bb85255/igus-20iggy-20rob-20home-3507x1973v1v1.jpeg "Specifically designed for use in the service sector, igus has developed a new cost-effective and CE-compliant humanoid robot called Iggy Rob Home. (Image: Igus SE & Co. KG)")
:quality(80)/p7i.vogel.de/wcms/b0/24/b024e79381e1e57cb9f26a9d6d019306/0113143253v1.jpeg "In our China Market Insider, we regularly provide you with relevant information directly from China. (Image:© Eisenhans - stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/ce/9e/ce9e57f345deb8a932eacf7b54305887/0131657178v1.jpeg "The mechanical engineering industry is facing major challenges: rising operating costs, a shortage of skilled workers, global competition and new trade barriers. The solution: energy-efficient, digitally networked and user-friendly systems. (Image:Eaton)")
:quality(80)/p7i.vogel.de/wcms/82/d0/82d0bd8c5a88bba17f6e6cf6b5be1061/0131595228v1.jpeg "At the Fraunhofer Institute for Industrial Mathematics, various simulation methods are used to make battery production more productive and economical. For instance, they can predict how the insulation foam between the cells behaves—but that's not all ... (Image: Fraunhofer ITWM)")
:quality(80)/p7i.vogel.de/wcms/96/6d/966d7a9c45d729e2f3b718718831da81/0131646887v1.jpeg "This could become the future of protective work clothing! Because at DTFI in Denkendorf (Germany), together with partners, they have managed to equip it with an autonomous air conditioning system. This not only significantly increases wearing comfort during physical exertion ... (Image: DITF)")
:quality(80)/p7i.vogel.de/wcms/a2/aa/a2aa1683d3149632ec8b99244de6010c/0131643886v1.jpeg "You can't see very much, but according to FH Aachen, this is a glimpse of an entirely new way of producing carbon fibers. Because at the university, they are relying on innovative plasma technology, as explained in the article ... (Image: FH Aachen / Chr. Schopp)")
:quality(80)/p7i.vogel.de/wcms/a6/22/a62248e696413ee6cd822d5b31e2566b/0131640732v1.jpeg "Image1: Here you can see additively manufactured demonstrators made of a high-temperature superconductor material. At the Chair of Digital Additive Production at RWTH Aachen, they aim to develop more cost-effective superconductors from YBCO that are, for example, more stable than previous ones. (Image: RWTH DAP)")
:quality(80)/p7i.vogel.de/wcms/64/36/6436bb13a536279839c63f837e4c5075/0131633563v1.jpeg "Polestar is bringing its sportiest electric car yet, the \"5 Performance,\" to the market. (Image: Polestar)")
:quality(80)/p7i.vogel.de/wcms/bf/21/bf21b8bbe35f83530635cc13e2d54428/0131662432v1.jpeg "Cost and time factor: Failed flash operations in predevelopment often cause high downtimes and analysis times. (Image:© Gorodenkoff – stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/dd/e5/dde56214ed85f63a2ae16d947ce7e2bb/download-1232x693v1v1.jpeg "ZF and the Chinese company XCMG are manufacturing power shift transmissions for the Chinese market in a joint venture. (Image: ZF Friedrichshafen)")
:quality(80)/p7i.vogel.de/wcms/8f/d3/8fd391219cb077482213830dd67a39fa/0131663233v2v1.jpeg "In Spain, production of the Volkswagen ID.Polo and the Cupra Raval has begun. (Image: Volkswagen)")
:quality(80)/p7i.vogel.de/wcms/8d/56/8d56d6479fa2b7ea3431670ea12e95f0/0131648353v1.jpeg "Access to the firmware: Connecting the UART TX pin and the eMMC Data0 pin to an oscilloscope of type DS1180A. (Image:Keysight Technologies)")
:quality(80)/p7i.vogel.de/wcms/d9/31/d931a47a9083b403f1a4afb59304b022/0131658794v1v1.jpeg "At the Laser Center Hannover (LZH), novel fiber optic components have been developed that can enhance the power of two-micron fiber lasers. The whole thing is based on so-called \"triple-clad\" fibers ... (Image: LZH)")
:quality(80)/p7i.vogel.de/wcms/cb/e2/cbe264cd5842f25f264e6fa75c0fefd8/0131628144v1v1.jpeg "Humanoid robotics places high demands on compact actuator designs: motor control, power electronics, sensors, and edge AI must work together efficiently in a confined space. (Image:Texas Instruments (edited))")
:quality(80)/p7i.vogel.de/wcms/18/5f/185f50b4a96889e23ff2215a24e14b61/0131645247v1.jpeg "The increasing use of AI applications is increasing the energy requirements of modern data centers and posing new challenges for power grids and energy infrastructures. (Image:Dall-E / AI-generated)")
:fill(fff,0)/p7i.vogel.de/companies/69/de/69de1b7403b0d/simtos-logo.jpeg "simtos-logo (SIMTOS)"){kind=logo}
:quality(80)/p7i.vogel.de/wcms/93/35/93354e6e7dafff6c2ac30e46dc57b52b/0125206135v1.jpeg "(Image:Thundercomm)")
:quality(80)/p7i.vogel.de/wcms/36/ec/36ec46b311c3fb2cf9759ba4843047c5/0129831604v1.jpeg "Keysight and Ericsson enable validation of pre-6G interoperability with real network infrastructure and devices. (Image:Keysight)")