UART and JTAG
UART (Universal Asynchronous Receiver/Transmitter) is a serial communication protocol used to provide a debug console on embedded devices. You'll often find UART pads on a PCB — typically three or four solder pads labelled TX, RX, GND, and sometimes VCC. If the firmware exposes a bootloader prompt or a Linux shell over UART, you've got full interactive access to the device without any authentication.
Finding UART: look for sets of three or four exposed pads near the main processor. Measure voltage with a multimeter — TX will pulse between 0V and the logic level (3.3V or 5V) when the device boots. Identify the baud rate (115200 is common for consumer devices, 9600 on older hardware) by watching the signal pattern on a logic analyser or trying common rates until output becomes readable.
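# Open the serial console at 115200 baud with screen
screen /dev/ttyUSB0 115200
# The same connection with minicom
minicom -D /dev/ttyUSB0 -b 115200
# Check the kernel log for the serial adapter's device name
dmesg | grep tty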
JTAG (Joint Test Action Group) is a standard for debugging integrated circuits at the boundary-scan level. JTAG access on an embedded device typically gives you: read and write access to flash memory, the ability to halt and resume the CPU, register access, and sometimes a full debugger interface. It's the gold standard for embedded analysis but requires identifying the four pins (TDI, TDO, TMS, TCK) on the board, which may be unlabelled.
Side-Channel Analysis
A side channel is information leaked by the physical implementation of a system rather than by its intended output. The time it takes to compare two values, the power a chip draws while processing cryptographic operations, and the electromagnetic emissions from a CPU are all side channels. They don't require you to break the algorithm — you break the implementation.
Power analysis is the most studied side channel. A processor draws more power when it processes a 1 bit than a 0 bit. When a cryptographic device is performing an AES operation, the power trace reveals information about the key being used. Simple Power Analysis (SPA) reads a single trace. Differential Power Analysis (DPA) statistically analyses thousands of traces to extract the key. Both require physical access to the device and measurement equipment, but no knowledge of the internal state.
Timing Attacks in Software
Timing side channels exist in software too. If a string comparison returns early on the first mismatch, measuring the response time tells you how many characters matched. This is why cryptographic comparisons should use constant-time functions that always compare every byte regardless of where a mismatch occurs.
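The early-exit comparison described above, shown beside a constant-time replacement. This is an added example, not code from the original page: the function names and sample byte strings are constructed for illustration, and the steps counter is a deterministic stand-in for the running time an observer would measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit comparison (the vulnerable pattern): returns at the first
 * mismatch. *steps counts the bytes examined, a deterministic proxy
 * for how long the call takes. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: XOR each byte pair and OR the result into an
 * accumulator, so the work done never depends on where (or whether) the
 * inputs differ. volatile discourages the compiler from adding an early exit. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Constructed sample values, not taken from any real device. */
static const uint8_t SECRET[8]      = {'S','3','c','r','3','t','K','!'};
static const uint8_t GUESS_EARLY[8] = {'X','3','c','r','3','t','K','!'}; /* differs at byte 0 */
static const uint8_t GUESS_LATE[8]  = {'S','3','c','r','3','t','K','?'}; /* differs at byte 7 */

int main(void)
{
    size_t e, l;
    leaky_equal(SECRET, GUESS_EARLY, 8, &e);
    leaky_equal(SECRET, GUESS_LATE, 8, &l);
    printf("early-exit:    %zu vs %zu bytes examined\n", e, l);
    ct_equal(SECRET, GUESS_EARLY, 8, &e);
    ct_equal(SECRET, GUESS_LATE, 8, &l);
    printf("constant-time: %zu vs %zu bytes examined\n", e, l);
    return 0;
}
```

In production code, prefer a vetted primitive such as OpenSSL's CRYPTO_memcmp over a hand-written loop.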
Fault Injection and Firmware Extraction
Fault injection intentionally disrupts a device's operation at a precise moment to cause it to misbehave in a useful way. Voltage glitching drops the supply voltage for a few nanoseconds during a critical operation — a security check, a boot verification, a decryption step. The processor might skip the check, execute an instruction incorrectly, or expose a debug interface that was otherwise disabled. Clock glitching does the same by perturbing the clock signal.
Firmware extraction is the starting point for software analysis of hardware. If the flash chip is directly accessible on the PCB (look for SPI flash chips in SOIC-8 packages), you can read it with a clip and a programmer without desoldering. The extracted firmware binary can then be analysed statically for hardcoded credentials, weak crypto implementations, and command injection vulnerabilities in the shell command handlers.
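# Scan the image for known signatures (filesystems, compressed data, headers)
binwalk firmware.bin
# Extract the components binwalk recognises
binwalk -e firmware.bin
# Search printable strings for hardcoded credentials and debug accounts
strings firmware.bin | grep -i password
strings firmware.bin | grep -iE "admin|root|debug"
# Identify the file type of the image
file firmware.bin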