Ads 468x60px

26 de diciembre de 2016

Happy New Year 7E1

Writing in Christmas to say thanks and to make a review of the year is already an habit since I decided to write in this blog five years ago. On the whole, this year has been exciting, like every last years, with many project, with ups and downs, with stressful time and relaxing time, with bad times and good times, but I think with the aim, always, of improving in each moment, with the aim of improving professionally and personally, being this last thing, “personally”, the most important fact for improving in a good professional relationship.

Working in many projects with lots of engineers, and not only in the same customer for the same project, make me happy because I can take in touch with many IT professionals and knowing many IT infrastructures at the same time to take the best things of each of them for improving the IT infrastructure of customers. Speaking with many people, younger or older, technical staff or chief or manager people is a pride and experience that has led me to work in multi-disciplinary teams abroad when I have been in Turkey, Russia or Czech Republic on holidays. In addition, this allow me to make interviews like what I did this summer to Jesús Corrales.

Speaking about studying and certifications, I passed the CISM (Certified Information Security Manager) exam and I took the CCNP re-certification where I review many concepts and I learnt many others like Hot potato and cold potato routing, Elephants or Long Fat Networks, SACK, or the Nagle's Algorithm. On the other hand, I applied for the F5 Certified BIG-IP Administrator which was two exams for getting this certification. In the meantime, you will have seen I keep writing in English language for improving my writing skill, of course, I started writing very bad at the beginning of the year but I think I'm writing with greater fluidity right now. Therefore, I have started to learn the French language this year and I hope keep studying this new language for the next years.

With regard to projects, I have been in many projects about security and networking. I started the year in the north of Spain (Oviedo) teaching about Virtual Private Networks (VPN) and Metro Ethernet, I also taught about Alcatel-Lucent Switching to the National Police of Spain and I have finished in Valladolid teaching about the Web Application Firewall of F5 Networks called ASM or Application Security Manager. In the meantime, I have had the luck to advise, install, configure and support load balancer solutions under F5 Networks and Radware, and Firewalls deployments under Fortinet for the public and private sector. I have also helped to deliver, support and maintain the Ariolo Cloud Services and I have installed probes and SIEM systems where I learnt about Traffic Direction Systems (TDS), I analysed that Telegram uses HTTP over HTTPS or when the Endesa ransomware was hunted by our SIEM.

Moreover, I have had the opportunity to give some speeches to civil servants of Extremadura and to a high school of Extremadura about security awareness, professional training and the private sector, and also about Bluetooth Security, Wireless Sensor Networks – WSN or Web Application Firewalls.

For the next year, I want to keep my CISA and CISM certification and to keep studying the French language. From time to time I'll read some books but what I want the most will be to share experiences and knowledge with other professionals and growing up in this amazing cyberworld.

Merry Christmas and Happy New Year.

19 de diciembre de 2016


I'm not a developer but if we want to protect our web services, we should understand how they work. This is why I'm reading, learning and studying about web services lately because I think there should be a narrow line between a Web Security Engineer and a Network Security Engineer. Both should speak the same language. Therefore, this is mandatory when we are installing for example a Web Application Firewall and we have to choose or configure an XML or JSON profile for protecting our web services.

HTML5 is a markup language with a lot of improvements regards HTML 4 and XHTML 1. For instance, we can forget flash and their upgrades, we have to change the way we know cookies thanks to the new Web Storage feature in HTML5, better multimedia interaction, and the new WebSocket feature, which we are going to write here today.

If we connect to some web application like those hosted in the website, we can test and capture network traffic to analyse HTTP headers and the handshake process. In a WebSocket, we'll see new headers like Upgrade, Connection, Sec-WebSocket-Key, Sec-WebSocket-Version or Sec-WebSocket-Accept and others optional headers as well. In addition, we'll see the WebSocket protocol defines a ws:// and wss:// prefix to indicate a WebSocket and a WebSocket Secure connection, respectively.

WebSocket Headers
The handshake process is a little bit different from what we know with HTML 4. In a WebSocket, we'll have the Upgrade and Connection headers with the websocket and Upgrade values, respectively, for establishing a connection. Moreover, the web server will send a 101 code to the client for switching protocols. During data transfer, there will be a two-way and full-duplex communication with persistent connections between client and server. In the end, client and server can close the connection and it can be initiated by either peer.

WebSocket Handshake
We have new protocols, new methods and new standards but threats are still there. A variation of Cross Site Scripting Attack (XSS) is the Cross Site WebSockets Scripting Attack (XSWS) or the Cross Site WebSocket Hijacking Attack (CSWSH). For instance, we can find an Online Cross Site WebSocket Hijacker Tester from, which is an online tool to easily check for CSWSH issues. There are more tools like a WebSocket Message Analyzer or a WebSocket Client in the IronWASP application for WebSocket Security Testing.

Online Cross-Site WebSocket Hijacking Tester
Internet is full of pentesting tools to learn about it and getting fun. Another tool for testing vulnerabilities in WebSockets is the socket_io_client developed by Krzysztof Kotowicz, which is a simple malicious Socket.IO client written in Python.

Malicious Socket.IO script
Technology are evolving increasingly faster and we have to adapt our appliances, tools and knowledge at the same speed for protecting our services and our information.

Regards my friends, don't forget to keep studying!!

12 de diciembre de 2016

XML and Web Services

Who was going to say that I was going to study about Language Processors again? My teacher Antonio Polo at Polytechnic School of Cáceres would kill me but it's truth, I'm reading about Web Services and studying concepts like WSDL, SOAP, AJAX or JSON. Why? Because web services are moving from HTTP/1.1 to HTTP/2 and the Web is moving from TCP to UDP then I need to upgrade my knowledge and remember all these stuff for protecting web services properly with Web Application Firewalls (WAFs).

I have written about Web Application Vulnerabilities and the importance of teaching OWASP at University but there is also a Web Service Security Testing Cheat Sheet by OWASP to protect our services against WSDL enumeration/scanning, parsing exploits, XML injections, XPath injection attacks or XML manipulation that we should know about it. However, first, we have to know which technologies and protocols web services use for mitigating these vulnerabilities.


The HyperText Markup Language (HTML) is not as extensible and versatile as Extensible Markup Language (XML) is due to the fact that tags for XML is unlimited and customizable, this is a great advantage of XML against HTML. However, JavaScript Object Notation (JSON) has objects with names and values inside arrays which is faster for parsing than XML when we have to send information to a web service.


We need a design or an API to send information to a web server. Simple Object Access Protocol (SOAP) uses XML, which needs to be parsed with an schema, for sending SOAP messages that they are defined in the WSDL specification. However, SOAP is more rigid than the RESTful standard where we request an URI with an HTTP method (e.g. GET, PUT, POST, DELETE) and it returns the representation of an object. In addition, REST can use anything to represent data, even XML and JSON, and this is a reason why REST is the largest implementation in the WWW.

SOAP Message

REST Message

Whether we use DTD or XSD schemas, there are two ways of parsing an XML document. Simple API for XML (SAX) which events are triggered while the XML is being parsed or Document Object Model (DOM) which events are not triggered while parsing. Therefore, the DOM standard parses the entire XML and a DOM tree is generated and returned. As a result, DOM is easier to use but has an overhead of parsing the entire XML before we can start using it.


This has been my revision and developing lessons for today with the goal of knowing about web services for protecting our organization.

Regards my friends, drop me a line with the first thing you are thinking!!!

5 de diciembre de 2016

Preventing Web Scraping

When we have a full proxy between Internet and our LAN we can do everything, even protect our servers, ;-) this is what a WAF does, protecting against Web Application Vulnerabilities, Web Scraping or DoS Attacks. This time, I want to write about Web Scraping which is a technique to download automatically the whole web site for extracting competitor price tracking, email addresses, directory listings for obtaining leads and marketing information, search competitors' web sites for images, financial information, or other product data, and also for copying the web site for phishing attacks.

There are many tools to extract data from websites for cloning it or analysing it like the simple cURL or Wget or another more advanced like HTTrack. For instance, I used the Social-Engineer Toolkit (SET) two summers ago in a speech called “Innovation, yes but with Security” for making a PoC of Phishing Attack where I copied the Gmail and websites.

Although there are still few companies worried about this threat, they are becoming more and more aware about protecting their public data for competitive reasons. Next, we are going to see some Web Scraping mitigation techniques to protect our websites.

Bot detection

This is a method where the preventing web scraping system applies several checks for bot detection. For instance, a check for detecting rapid surfing where counts how many different URLS the client has loaded and unloaded from the application within a defined period. Another check is to ensure the client accepts cookies and processes JavaScript. And another check could use JavaScript again to determine if the client behaves like a human being or a bot.

Bot detection configuration in BIG-IP ASM
Session Anomaly detection

This is a method for detecting clients who open a large number of new sessions. One check is counting the new sessions per second rate and another check is detecting a spike in the number of new sessions. This method could also use the IP reputation database for detecting malicious IP addresses which is an indicator as well for triggering a violation.

Session Anomaly detection configuration in BIG-IP ASM

This is a method of collecting browser attributes to detect malicious users. Some attributes are browser APIs like JavaScript API supported by the browser, expressions, localization information from the browser, fonts installed in the browser, screen parameters, time and plugins.

Fingerprinting configuration in BIG-IP ASM
Web scraping was a concept unknown for me a year ago but preventing web scraping today can be done and it's a fact for many organization who are worried about their public information.

Regards my friends, drop me a line with the first thing you are thinking!!!

28 de noviembre de 2016

Web Application Vulnerabilities

I'm working with Web Application Firewalls (WAF) lately where I have to interact closely with developer teams to know how applications work to apply security policies for protection of the layer 7 against XSS attacks, SQL injection attacks or CSRF attacks. Actually, it's important to know how web application work to allow the maximum length of the URI, the amount of bytes sent for each request/response, the kind of encoding, the parameters' value, etc.

Web Application Firewalls are appliances, physical or virtual, which should be full proxies to analyse traffic in both direction (requests and responses) for blocking malicious patterns. In fact, this is a Benefit of Layer 7 Load Balancing, that along with attack signatures, they are able to block the most Top 10 Critical Web Application Security Risks of OWASP. Thanks to the Hack-it-yourself auction website of F5 Networks and my last Ethical Hacking course, I'm going to show you some Web Application Vulnerabilities.

Parameter Tampering

This is an Insecure Direct Object Reference Attack where the attacker can access to internal objects like URLs, parameters, files, directories, hidden fields, and database keys without authorization. For instance, the attacker can change the account number of the next URL and he can access to another account without authorization:

Hidden Field Manipulation

This is another Insecure Direct Object Reference Attack where the attacker can get and modify hidden fields from the HTML for skipping steps in application wizards, modifying dynamic parameters, changing the access controls profile in a web application, etc. For instance, the attacker can change the price of a product in the client-side with a Web Proxy to buy cheaper in e-commerce applications.

Forceful Browsing

This is a Missing Function Level Access Control where there are security misconfigurations which can be used for sensitive data exposure by attackers. For example, the attacker can jump from to the unauthorized resource for reading old or backup files in a website compromising passwords.

Cross Site Scripting (XSS)

This is a common attack that runs the hacker's JavaScript in the client-side. For example, the attacker can use this kind of attack for redirecting the browser to a malicious website, stealing cookies and passwords, or even scanning the internal network. The JavaScript can be uploaded to our website inside forms or other text inputs and when clients visit our website, or click the resource, they will run the malicious script.

Injection attacks

This is another common attack where the attacker injects sentences against an interpreter like SQL, OS or LDAP. The most common attack is SQL injection (SQLi) where the attacker queries directly to the database engine for stealing/reading the whole database, tables and even write or delete data. It can be also used for bypassing the authentication process in the login form, for instance, with the next sentence:

SELECT * FROM users WHERE username = `admin` OR 1=1 `

These are some Web Application Attacks which are easy to block with a WAF but very difficult with an IPS or a layer 4 firewall.

Regards my friends, I'm wondering, should we learn about OWASP at University?

21 de noviembre de 2016

National ForoCiber Summit - Cáceres

I was in the first cybersecurity summit about technological law and IT security last Friday in Cáceres. It has been a good place to take in touch with workmates and experts about the IT and law field to exchange experiences and security knowledge. Therefore, this time, I'm going to write about what I learnt or what the speakers talked and my thought in this summit organized by the law firm called “Picado Abogados” and the University of Extremadura.

The first speaker was Enrique Ávila, who works as a Manager at Spanish National Centre of Excellence on Cybersecurity (CNEC). At the beginning, he said that lawyers don't want to know anything about IT and this is dangerous, but it's most dangerous an IT engineer who has read a law and thinks that he is doing something right, when, maybe, he hasn't understood the law. This is a shout for collaboration between IT engineers and lawyers against cybercrime. He really spoke about many things like international law, crime as a service, cyberintelligence and counterintelligence, right to be forgotten, threat against industrial systems, IoT, University, etc. Many things, yes, many things.

Next speaker was Silvia Barrera, who works as an Inspector at the Spanish National Police. She spoke about social networks (RRSS) and its dangers. She highlighted that complaints against sextortion, bullying, etc isn't the solution, but security awareness, because it lasts too many time since someone complains about something till it is resolved. In addition, social networks companies don't have to save records like ISPs do, as a result, this is another reason for delaying investigations. Sometimes, it's late, the victim doesn't want to bear for more time, and she/he commits suicide. Therefore, she showed us many examples about bad practices in social networks, and she told us to be careful on the net because there are many people - teenagers and adults - who don't know how to use it.

After the social networks talk, we went for a coffee to continue thereafter with a debate between Andrés Caro, Juan Luis Picado, José Luis González and Josep Albors.
Andrés works as a professor at University of Extremadura and he admited that the security field isn't in the IT engineer curriculum at the University of Extremadura. In addition, he emphasized about penalties against a murderer and a cybercriminal, it isn't the same, and sometimes a murderer has less penalties than the cybercriminal.

Juan Luis works as a lawyer at the law firm “Picado Abogados” and he spoke about the necessity of working together the University and private companies for teaching the real world to students.

José Luis works as a manager at COMPUTAEX-Cénits and he highlighted about the danger of HPC if it is used for cracking passwords. He also said that many small companies can't afford to have security people in their small companies and this is a risk that they are willing to accept.

Josep works as a chief communications officer at ESET of Spain and he scared a little bit to students because he told them that the University is the beginning and they have to keep studying to be updated. This is a big truth, I haven't stopped of learning new things after finishing my degree.

Regards my friends, drop me a line with the first thing you are thinking!!!

14 de noviembre de 2016

Who is who in the EU Security Directives?

I have finished reading the Security Directives for the European Union last week, but I would like to highlight this time the group of people and organizations that have to work together to achieving a high common level of security of network and information systems (NIS) within the Union. Mainly, I have drawn the main actors that play an important role in the European Union when an incident takes place within the Union, as this is a significant fact that involves incident reports from the bottom to up.

Reporting Hierarchy


The first thing that Member States have to do is to make a list of operators of essential services to ask them for notifying incidents to the CSIRT. What are essential sectors? Energy like electricity, oil and gas; Transport; Banking; Financial market infrastructures; Health sector; Drinking water supply and distribution; and Digital Infrastructure like IXPs, DNS service providers and TLD name registries. This list should be done by 9 November 2018.


As operators of essential services, Member States have to identify digital service providers as well, and these should report incidents to the CSIRT too. What types of digital services they have to identify? Online marketplace, online search engines and cloud computing services. This list, along with the operators of essential services, should be done by 9 November 2018.


Each Member State shall designate one or more CSIRTs (Computer Security Incident Response Team) with adequate resources to effectively carry out their tasks. CSIRT can use the CSIRT Networks for cooperation and to be able to do their tasks efficient and effective. This team should be done, and performing their tasks, by 9 February 2017.


The CSIRTs Network is composed of representatives of the Member States' CSIRTs and CERT-EU, where the Commission and ENISA also participate. Their tasks are exchanging information, discussing and identifying a coordinated response to an incident within the EU; provinding Member States with support in addressing cross-border incidents; discussing, exploring and identifying further forms of operational cooperation; informing the Cooperation Group of its activities; discussing lessons learnt; issuing guidelines in order to facilitate the convergence of operational practices, etc.


Each Member State shall designate a national single point of contact who exercise a liaison function to ensure cross-border cooperation. In addition, this single point of contact should be able to consult and cooperate with the relevant national law enforcement authorities and national data protection authorities. By 9 August 2018, and every year thereafter, the single point of contact shall also submit a summary report to the Cooperation Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken.


The European Network and Information Security Agency helps Member States in developing national strategies on the security of NIS and in developing national CSIRTs. Moreover, ENISA collaborates with the Cooperation Group to exchange best practice between Member States and helps them in building capacity to ensure the security of networks and information systems.


The Cooperation Group will support, facilitate strategic cooperation and exchange information among Member States with the goal of developing trust and confidence with a view of achieving a high common level of security of network and information systems in the Union. By 9 August 2018, and every year and a half thereafter, the Cooperation Group shall also prepare a report assessing the experience gained with the strategic cooperation. In addition, this group, along with the CSIRTs networks, shall begin to perform their tasks by 9 February 2017.


The Commission will submit a report to the European Parliament and to the Council assessing the consistency of the approach taken by Member States in the identification of the operators of essential services by 9 May 2019. Moreover, the commission will also take into account the reports of the Cooperation Group and the CSIRTs network on the experience gained at a strategic and operational level for reporting to the European Parliament and to the Council by 9 May 2021.

And this is all we have till now. Next step? Developing the Cooperation Group and CSIRTs by next February. We'll wait for it.

Regards my friends, drop me a line with the first thing you are thinking!!!

7 de noviembre de 2016

Security Directives for the European Union

I read the Cybersecurity Strategy of the European Union and the Cybersecurity Strategy of Spain three years ago to apply for the ISACA Challenge for Young Professionals. However, this summer, the European Parliament and the Council of the EU have published measures for a high common level of security of network and information systems (NIS) across the Union, which are interesting and I wanted to read to discuss in this blog.

The goal of this document is to have a minimum security threshold for the Member States to have the same security level of network and information systems in the whole European Union due to the fact that, today, the existing capabilities aren't sufficient and each country has his own security measures. For instance, reporting and notification of all incidents is one of the main measures of cooperation.

Reading the Directives, I have remembered when we implemented the ISO 27001 in Ariadnex S.L. and it's amazing how processes and tasks referenced in this document of the European Union are the same than in a small company but in a huge context. For example, we can read the next processes or domains:

While we identified assets like servers, firewalls, software, etc the European Union has to identify operators of essential services, like gas and water suppliers or air transport operators, and digital service providers like cloud computing operators. Therefore, the first task is to make a list of operators of essential services.

In addition, once we have identified the operators of essential services, we have to give an indication of the importance of each sector. For that, Member States should take into account the number and the size of those operators.

Another process that we should take into account is the risk management, where we have to think about incidents that would have a significant disruptive effect on the provision of an essential service, or as we called it “Risk assessment”, to make measures and mitigate risks.

After writing the Cybersecurity Strategy of the EU, Member States should write their own Cybersecurity Strategy. Once it is done, they have to write concrete policy actions.

This is an important process within these Directives where CSIRTs play an essential role because Member States should report all incidents to a single point of contact for sharing incidents information with the whole EU. Therefore, international cooperation is a must and to do this, cooperation between the public and private sectors is essential.

If we want to know how well we are doing it, we have to test ourself with exercises to simulate real-time incident scenarios. For example, the biggest ever European cyber-security exercise organized by ENISA concluded recently.

There are two fundamental groups, operators of essential services and digital service provides, but we should take into account hardware manufactures and software developers as well due to the fact that their product have to enhance the security of network and information systems.

When we outsource some service, we have to ensure that service providers offer the same security level as we have. Therefore, security requirements should be written as contractual obligations.

This Directive must respect all other laws in the European Union and this is done referring in the next paragraph.

As we can see, a information security framework, like the ISO 27001, always includes main processes that we should take into account to implement security to our organization.

Regards my friends, drop me a line with the first thing you are thinking!!!

31 de octubre de 2016

Benefits of Layer 7 Load Balancing

Some time ago, I'm working with load balancer appliances where I have had to apply for the Radware Certified Application Specialist on Alteon (RCAS-AL) and the F5 Certified BIG-IP Administrator (F5-CA). Meanwhile, I have written some posts about Global Server Load Balancing and DNS Load Balancing and I have also had to reply about the benefits of a Layer 7 Load Balancing against the traditional Layer 4 Load Balancing. Therefore, I want to highlight in this post some advantages of this kind of load balancers.

First of all, it's important to know that if we want to install a layer 7 load balancer successfully we should have knowledge about networking and development because it is an appliance which is in the middle of the two worlds, networking for routing, nating, tagging, etc and development for load balancing applications. As a result, two teams should be in the installation and management of this kind of devices, the networking team and the development team.

The traditional layer 4 load balancer could load balancing applications based in TCP/UDP ports while the layer 7 load balancer is much more intelligent because it can make decisions based in the requests and responses of applications. For example, it can read HTTP headers for balancing by the User-Agent field, which could be useful for delivering a mobile web page to smartphones and the normal web page to computers or we can read the Accept-Language field to deliver the English web page to the English spoken people and the Spanish version to Spanish people. We can also read the URL/URI, allowing us to have an only public IP and many applications behind that IP, or we can even read de SSL ID, any data inside HTML files … all to make decisions, modify information, redirections, show messages, etc.

HTTP Headers

Other advantages of the layer 7 load balancing are the caching, compression and encrypting features which, if they are implemented properly and with hardware ASICs, can increase significantly the performance of applications. For example, we can manage all SSL certificates in an unique and centralized store inside the load balancer appliance and we can also configure SSL offloading to reduce CPU load in real servers.

SSL Offloading

A layer 7 load balancer is a full proxy which delivers better security, performance and adaptability than a traditional load balancer. For instance, they are able to block DDoS Attacks, SQLi and XSS Attacks analysing TCP sessions, HTML and XML files. On the other hand, better performance is delivered through the modification and configuration of the TCP stack like the TCP Express by F5 Networks, and we'll get better adaptability through scripts and APIs like iRules by F5 Networks.

Full Proxy Security

Last, but not less important, this kind of appliances can able to accelerate applications through new protocols and standards like Multipath TCP and HTTP/2. In addition, we can even deliver our services in a high availability worldwide through GSLB. As always, everything depend of our necessity.

Global Server Load Balancing

Regards my friends, drop me a line with the first thing you are thinking and balance your load!!

24 de octubre de 2016

Inverter Circuit with an 74HC04 Chip

Lately, you'll have realised I'm writing about electronics like UART connections of an Orange router or how to see the booting process of broadband routers. Therefore, I have used words like multimeter, oscilloscopio, ground, volts, etc in previous posts. However, this time, I want to go beyond and I have bought a couple of inverters with some leds and a breadboard to make some experimental circuits. At first, in this post, we'll see how the 74HC04 inverter works and how to test it.

An inverter is a chip that it's be able to change the logic state of an input to the opposite state. For example, if the input is a HIGH logic signal, the output is a LOW logic signal, and if the input is a LOW logic signal, the output is a HIGH logic signal. This is a basic and necessary chip when we want the opposite state of an input state.

The 74HC04 hex inverter chip has 6 gates where the logic signal output by an inverter gate is the opposite of the logic signal fed into the gate. In addition, we can see in the 74HC04 datasheet that the A's of each gate are the inputs and the Y's of each gate are the outputs, meaning Y is the opposite logic signal of A.

Once we know how it works, it's time to test it. I've built a small circuit with an inverter chip and two leds. One led is connected to the input (A) and the second led is connected to the output (Y) with the goal of testing the first gate. Therefore, one led is connected between the first pin (A) and the seventh pin (GND) and the other led is connected between the second pin (Y) and the seventh pin (GND). I've also fed the inverter chip through the 14 pin with 5 volts and I've connected it to the ground as well through the seventh pin. What should there be the result? The led number 1 turned off because it's not being fed and the led number 2 turned on because the opposite of a LOW logic signal in the first pin is a HIGH logic signal for the second pin, where the led number 2 is connected. It is represented in the next diagram:

Led 1 turned off and Led 2 turned on

On the other hand, if the first pin (A) has a HIGH logic signal with 5V, we'll see that the led number 1 is turned on while the led number 2 is turned off. Why? Because the led number 1 is being fed and the led number 2 has the opposite, not being fed, as a result, turned off. It is represented in the next diagram:

Led 1 turned on and Led 2 turned off

This is an easy way to test each gate of our inverter chips and especially to understand how it works. Next, we have a video I recorded.

Regards my friends, drop me a line with the first thing you are thinking.

17 de octubre de 2016

Booting process of broadband routers

Last week, we talk about how to find out the UART connections of an Orange router with a multimeter for getting root access to the device. We identified the pinout (GND, RX and TX pins) last week but today we are going to see how to connect the USB-to-UART converter and how to find out the baud rate easily for getting the booting process and accessing the root console. However, I have another broadband router this time to have fun, a Huawei EchoLife HG556a, which is an interesting device for my lab.

The best way to get the pinout is with an oscilloscope, if we don't have one, we can use a multimeter as we saw in the last post, and if we don't have this tools we can use another way for identifying useless pins and ground pin. However, this trick is not as much reliable than oscilloscope and multimeter, but helpful. The first thing we have to do is flashing a bright light from the backside of the PCB and look at it from directly above. This is what that looks like:

Identifying useless pins and ground pin in a Huawei router

We can see that some of the pins have lines meaning they are making contact with the PCB. For instance, it's easy to see that the forth pin doesn't have lines meaning it useless. What's more, the second one has four lines meaining is a power pin, either GND or Vcc. Finally, all other pins have a single line meaning they are TX, RX or Vcc. This trick is a little bit risky because we can break our device but if we don't have the right tools we can use this trick connecting each pin in turn to find out the pinout.

Once we know the pinout, we have to connect the USB-to-UART converter to the router. First, we should connect the GND pin between each other. Second, I would connect the TX pin of the router to the RX pin of the converter and, in this time, we should be able to see the booting process but not stop it or send or write something. At the end, I would connect the RX pin of the router to the TX pin of the converter and, in this time, we should be able to send information to the router like, for instance, username and password for getting root access.

Connecting converter to the router

We already know the pinout and how to connect the converter to the router but, maybe, we don't see any information yet through our miniterm/minicom application. This is because we have to configure the baud rate properly but, first, we should know what baud rate configuration we have to set. The best way to find out the baud rate configuration of an unknown serial device is with the Baudrate tool developed by Craig Heffner. Next, we can see that the tool allow us to change the baud rate configuration of our host system's serial por on the fly and with 115200 of baud rate we can read the output (letters) properly.

Baudrate tool

If we have got the baud rate configuration, we'll be able to see the booting process, and even stopping the autoboot process, and finally we'll see the console prompt to have root access.

Regards my friends, are you ready for doing whatever you want in your router?

10 de octubre de 2016

UART connections of an Orange router

This summer, I was building cross compilations Apps for broadband commercial routers. It is not an easy task for me but after hours and hours of working I got to install and run a “Hello world” application in my router. However, Apps and remote access services didn't remain after rebooting thus I wanted to go further because my goal is to have root access to do whatever. For this reason, this time, I wanted to have access by serial port connector to see the booting process. Let's try with an Orange broadband router.

First, surfing on Internet, I found that most routers have a serial port connector called UART and/or JTAG which are for programming and access to the console. It is like the RS232 connectors of computers but it isn't exactly the same, instead, it is a TTL serial, where a logic high ('1') is represented by Vcc, often 5V or 3.3V, and a logic low ('0') is 0V. Therefore, I disassembled the router to look for this connectors and I was looking the way to connect my laptop to the router, where I found two options, an USB-to-UART converter and the BusPirate electronic device, which is more professional and more expensive too, thus I bought the cheapest one, the converter.

USB-to-UART converter

Next step was to identify the pinout to know which pin is ground (GND), which pin is transmiting information (TX) and which pin can receive information (RX). This is important if we don't want to break/burn the mainboard (PCB) connecting pines in a wrong way. Let's begin with the easiest one, the ground pin.

The first pin that we have to identify is the ground (GND) pin. What tools we need? A multimeter. What more we need to know? We have to identify a ground place too in the mainboard which is easy because most mainboards have empty places ready for connecting capacitors, where we can see the minus symbol meaning ground. Next, connecting ground to each pin in turn with the multimeter we should look for 0V.

Identifying the ground pin

Once we know which pin is ground (GND), the next step is to identify the TX pin. This is a little more difficult because this pin is going to fluctuate between the Vcc value (3.3 volts) and ground (0 volts). Why? Because when it is transmiting bits of data, we'll see 3.3V, and when it is transmiting “spaces”, we'll see 0V. Therefore, we need a good multimeter because if it isn't so, the multimeter will do the average and it will be difficult to identify the TX pin. Another way to meter is with an oscilloscope, which is more expensive than a multimeter, or you can even make your own oscilloscope with your's computer sound card.

Identifying the TX pin

Finally, we have to identify the RX pin, which is the most difficult one. Why? Because there isn't a pattern. Therefore, the best way will be by process of elimination and connecting the serial converter to all possible receive pins individually, presssing a few keys in our terminal emulator and seeing what happens until we find out which one is the RX pin.

Arcadyan ARV7519RW22-A-LT pinout

This time, I have fun with an Arcadyan ARV7519RW22-A-LT router, we'll see in next posts how to connect the USB-to-UART converter for seeing the booting process and get the root access in other router as well.

Regards my friends and remember, test your thought and test whatever you are thinking.
Related Posts Plugin for WordPress, Blogger...

Entradas populares