Welcome to the first module in TrainSec’s Hardware Hacking Expert Level 2 series. This is where we take the solid foundations from Level 1 and push them into the real world of device exploitation. You have already learned how to recognize and handle hardware interfaces. Now it is time to weaponize those skills.
This module is all about UART. We will strip away the theory and go hands-on with real devices, building tools, capturing data, breaking protections, and developing working exploits. By the end of this journey, UART will no longer be just another debugging port. It will be an attack vector you can confidently own.
Module 01 introduces students to one of the most widely available yet underestimated hardware interfaces: UART (Universal Asynchronous Receiver-Transmitter). The training combines theoretical background with extensive hands-on practice, guiding you from the basics of pin identification to advanced exploitation in both embedded and industrial (OT/ICS) systems.
The journey begins with the fundamentals. You will understand why UART remains a critical backdoor left by engineers and how it exposes valuable system information. From there, you will locate and validate UART connections, capture debug logs, and bypass weak login protections. By the end of this stage you will have mastered the essential reconnaissance and access methods that form the gateway to deeper exploitation.
Once the basics are in place, you extend into the operational technology world where UART underpins protocols like RS232, RS422, and RS485. You will practice tapping into live OT lines, distinguishing communication wires from power or sensor lines, and translating OT signals back into UART for analysis. With custom-built RS485-to-UART adaptors you will capture and reverse engineer OT traffic, mapping packet structures and uncovering protocol logic. At this level you also build your own Python-based man in the middle relay and inject crafted commands, learning how attackers move from passive listening to active control.
The final stage is where UART exploitation becomes a complete offensive workflow. You will develop brute-force methods to break authentication, extract entire firmware images for offline analysis, and challenge secure boot protections to expose weaknesses. The training culminates in advanced exploitation techniques including man in the middle on OT traffic, fault injection, and bypassing hardware kill-switch protections. By the end of Module 01 you will have a complete toolkit for identifying, analyzing, and exploiting UART in both consumer and industrial environments, establishing a strong foundation for advanced hardware hacking.
Basic Techniques
Why UART is one of the most valuable hardware attack surfaces
How to identify and validate UART pins on real devices
Capturing and interpreting boot logs and debug messages
Bypassing weak or misconfigured UART login prompts
Advanced Techniques
Understanding how UART underpins OT protocols such as RS232, RS422, and RS485
Tapping into live OT communication lines and distinguishing data wires from power or sensors
Using custom RS485-to-UART adaptors to capture traffic
Reverse engineering OT protocol frames and mapping logic
Building a Python-based man in the middle relay to intercept and modify traffic
Injecting crafted commands into live OT systems
Expert Techniques
Developing brute-force approaches to break UART authentication
Extracting complete firmware images for offline analysis
Challenging and bypassing secure boot protections
Performing advanced UART exploitation including MITM, fault injection, and hardware kill-switch bypass
Creating and executing a custom exploit that ties together the full workflow
Completion of Hardware Hacking Expert – Level 1 - (at least classes 1-8) or equivalent.
Basic electronics (voltage, current, ground) - class 1 in Hardware Hacking Expert – Level 1.
UART fundamentals (RX, TX, baud rate) - class 7 in Hardware Hacking Expert – Level 1.
Soldering and hardware handling experience.
Familiarity with logic analyzers and USB-to-UART tools - class 5 in Hardware Hacking Expert – Level 1.
Basic knowledge of RS232/422/485 - class 8 in Hardware Hacking Expert – Level 1.
Linux shell usage.
Python programming basics.
Safe lab practices with circuits and OT devices - class 5 in Hardware Hacking Expert – Level 1.
This class explains why UART is one of the most valuable entry points in hardware hacking. Students learn that UART, as a universal asynchronous receiver-transmitter, is embedded in almost every device to provide debugging and development support. The instructor highlights how engineers often leave UART ports active and unprotected, unintentionally creating backdoors. By tapping into UART, attackers can retrieve logs, interact with bootloaders, or even gain administrative shells. The lesson also connects UART to its industrial counterparts (RS232, RS422, RS485), showing how the same concept spans from consumer electronics to critical infrastructure. By the end of the class, students see UART not just as a protocol but as a direct, low-level attack vector. This sets the stage for the rest of the module, which progressively builds from identifying pins to performing advanced exploitation.
Learning Objective
Understand the significance of UART as an attack surface and its application in embedded and OT environments.
Training Outcomes
Recognize UART in embedded systems.
Understand how exposed UART interfaces create security risks.
Map UART to higher-level OT communication standards.
Hands-On Experience
Inspect real device boards for UART presence.
Connect to UART outputs to observe debug messages.
Identify UART’s role in system boot processes.
This session provides the practical skill of identifying UART pins on unknown devices. Because manufacturers rarely label these pins, students must apply systematic techniques to locate RX, TX, and GND. The instructor demonstrates using a multimeter to find ground, measuring idle voltages to spot transmit lines, and validating signals with oscilloscope or USB-to-UART converters. Common pitfalls, such as mistaking power lines for data pins, are discussed in detail to avoid hardware damage. This class connects to the module by ensuring students can reliably establish a physical UART connection, which is a prerequisite for all later exploitation techniques. Without proper pin identification, UART attacks cannot proceed.
Learning Objective
Learn reliable methods for identifying UART pins on target hardware.
Training Outcomes
Trace and confirm ground lines.
Differentiate between RX and TX pins.
Interpret voltage levels (3.3V vs 5V).
Validate UART communication safely.
Hands-On Experience
Use a multimeter and oscilloscope to identify pins.
Connect USB-to-UART converters for live testing.
Validate UART output on unknown boards.
In this class, students learn to capture debug logs and system messages broadcast over UART. Many devices output boot sequences, error logs, or kernel diagnostics through UART even when user interaction is blocked. By passively connecting to the TX line, students can collect valuable intelligence about firmware versions, hardware components, and potential weak points. This reconnaissance step is crucial before any attempt at active exploitation. The instructor demonstrates how logs reveal device configurations, sometimes including credentials or debug flags left by engineers. This class ties into the module by establishing how UART serves not only as an interactive shell but also as a transparent window into system internals.
Learning Objective
Use UART as a reconnaissance tool by capturing logs and debug output.
Training Outcomes
Capture boot and runtime messages.
Identify sensitive information in logs.
Recognize firmware details leaked through UART.
Hands-On Experience
Connect to devices during boot and capture output.
Use terminal software for log collection.
Analyze logs for exploitable insights.
In this class, students learn how UART shell access can be turned into a direct bypass of the router’s administrative login screen. By navigating the file system exposed through UART, the instructor demonstrates how to identify user entries, and extract the stored password hashes. Students then see how to analyze the hash format and apply brute force or dictionary attacks to reverse the credentials. This exercise highlights how engineers often rely on a GUI login for protection while leaving the true keys to the system exposed in plain sight through UART.
Learning Objective
Use UART root shell access to bypass application-level logins by extracting and cracking stored password hashes.
Training Outcomes
Locate and interpret the password hash file through UART
Identify and analyze password hash structures
Apply brute force or dictionary attacks to recover login credentials
Understand how UART access undermines higher-layer authentication mechanisms
Hands-On Experience
Use UART shell to browse the router file system
Extract password hashes
Run brute force and dictionary attacks to recover valid login credentials
This class marks the transition point from consumer hardware exploitation into the industrial OT domain. The instructor explains how UART is embedded not only in small devices but also in PLCs, controllers, and other industrial systems, often forming the backbone of RS232, RS422, and RS485 communication. Students learn how UART access on OT devices can expose process logic, control flows, and critical system logs, with the potential to impact production lines and safety mechanisms.
This session also serves as the entry point to Classes 05–11, a continuous track where students progressively build the capabilities required to execute a full real-world ICS/OT (industrial control systems / Operational Technology) penetration test. From here onward, each class layers new exploitation techniques on top of the last, taking students from reconnaissance on OT lines all the way to active manipulation and command injection in live control systems.
Learning Objective
Understand UART’s role in OT environments and its exploitation potential.
Training Outcomes
Identify UART presence in OT devices.
Understand how UART maps to OT protocols.
Recognize the risks of UART exploitation in ICS.
Hands-On Experience
Inspect PLCs or OT hardware for UART headers.
Capture UART messages from industrial devices.
Document connections between UART and process control.
Students now practice connecting to live OT communication lines safely. Unlike small devices, OT setups often involve RS485/422 buses with multiple clients. The instructor demonstrates how to tap into these lines without causing signal disruption or system crashes. Emphasis is placed on non-invasive tapping, using proper adaptors, and avoiding collisions when inserting sniffers. The class strengthens the module by giving students the confidence to handle real-world OT wiring while preventing operational downtime or damage.
Learning Objective
Gain skills for safely tapping into OT communication lines.
Training Outcomes
Apply safe practices when connecting to live lines.
Use adaptors for RS485/422 environments.
Avoid disrupting industrial signals.
Hands-On Experience
Tap OT lines using pushdown connectors.
Connect UART sniffers to multi-device buses.
Validate signals with serial software.
OT environments often contain dense cable harnesses carrying power, sensors, and communication signals. This class teaches students how to differentiate between these wire types and locate the correct communication lines. Using systematic probing and measurement, students avoid dangerous mistakes such as connecting to power instead of data lines. This class connects to the full module by preparing students for field scenarios, where correct identification of communication lines is essential before any sniffing or exploitation attempt.
Learning Objective
Develop the ability to identify communication lines in complex OT wiring.
Training Outcomes
Distinguish between power, sensor, and data wires.
Apply safe probing methods.
Recognize OT wiring hazards.
Hands-On Experience
Use probing tools on industrial harnesses.
Validate suspected communication wires.
Prepare clean taps for UART exploitation.
This class explains how OT protocols like RS485 and RS422 are built on UART concepts. Students learn how these differential signaling systems can be bridged back into UART, enabling attackers to exploit them with the same tools used on embedded devices. The instructor demonstrates how RS485/422 wiring maps to RX/TX-level UART, making exploitation possible once the correct adaptors are used. This bridges OT communication to the rest of the module, showing how UART-level exploitation applies universally.
Learning Objective
Understand how to translate OT communication into UART signals.
Training Outcomes
Recognize RS485/422 as UART-based.
Configure adaptors to bridge signals.
Distinguish between half- and full-duplex communication.
Hands-On Experience
Connect RS485/422 lines to adaptors.
Capture UART-level data from OT buses.
Interpret communication in terminal software.
With adaptors built, students move to live OT traffic sniffing. This class demonstrates capturing communication between PLCs and clients on RS485 buses. Students learn how to log traffic, identify request/response patterns, and begin protocol reverse engineering. This connects to the full module by expanding from simple UART logs to complex multi-device industrial communication.
Learning Objective
Capture and analyze OT traffic through UART tools.
Training Outcomes
Safely connect to active OT buses.
Capture request/response sequences.
Recognize protocol structures.
Hands-On Experience
Deploy DIY adaptors into OT setups.
Log traffic with serial software.
Annotate and interpret captured packets.
This session focuses on reverse engineering OT traffic. Students learn to decode captured packet formats, recognize timing intervals, and map client-server interactions. The instructor demonstrates how UART-level sniffing reveals the logic of industrial processes, preparing students for active injection and manipulation. This class ties into the module as the transition from reconnaissance to exploitation.
Learning Objective
Reverse engineer OT communication flows and packet structures.
Training Outcomes
Break down captured packets into fields.
Recognize timing patterns in transactions.
Map functional behavior from traffic.
Hands-On Experience
Document request/reply sequences.
Reverse engineer protocol fields.
Build functional maps of OT communication.
Students escalate into full man-in-the-middle attacks on OT networks. The instructor demonstrates designing a device with relays and MAX485 modules that intercepts all traffic between PLCs and clients. Unlike simple sniffers, this device can modify, inject, or block packets in real time. Emphasis is placed on timing challenges, avoiding collisions, and synchronizing injection with GPIO controls. This class connects to the module by moving students from passive observers to active manipulators of OT processes.
Learning Objective
Build and operate a man-in-the-middle device for OT exploitation.
Training Outcomes
Understand MITM hardware design.
Control direction of RS485 communication.
Modify and relay traffic safely.
Hands-On Experience
Assemble MITM devices with relays.
Intercept and alter live traffic.
Test MITM on PLC-client communication.
This advanced session introduces fault injection to bypass hardened UART protections. Students learn how controlled glitches in voltage or timing can disrupt authentication checks or secure boot processes. The instructor explains safe glitching practices and demonstrates bypassing login or firmware protections through induced faults. This class connects the entire module by showing how UART exploitation extends even to modern devices with countermeasures.
Learning Objective
Apply fault injection techniques to exploit UART-protected devices.
Training Outcomes
Understand glitching and fault induction.
Learn how faults bypass authentication.
Apply safe glitching practices.
Hands-On Experience
Use glitchers to inject faults.
Perform reset and voltage glitch tests.
Record outcomes and refine parameters.
This class explores defeating advanced hardware protections, such as kill switches that disable devices upon tampering. Students learn how to identify these mechanisms and bypass them using UART, MITM, and glitching techniques. The instructor demonstrates real-world scenarios where kill switches were overcome to maintain system access. This class ties together all prior lessons pin identification, sniffing, reversing, MITM, and fault injection into a comprehensive exploitation strategy.
Learning Objective
Develop methods to bypass kill-switch protections through UART exploitation.
Training Outcomes
Identify kill switch mechanisms.
Apply Fault injection UART-based bypass techniques.
Understand risks of tampering with destructive defenses.
Hands-On Experience
Trigger and observe kill switches.
Use fault injector and UART to override or disable protections.
Document bypass results in test scenarios.
In this advanced class, students examine secure boot as both a defensive measure and an exploitable weakness. The instructor first explains the purpose and flow of secure boot, showing how cryptographic checks are meant to prevent unauthorized code execution. From there, the weaknesses of real implementations are exposed. Students learn three practical bypass strategies: inducing faults to disrupt validation, forcing single-user mode to escalate privileges, and manipulating firmware images directly to subvert checks. This class makes clear that secure boot, while marketed as bulletproof, is often vulnerable to precise hardware-level intervention.
Learning Objective
Understand secure boot’s protections and apply multiple bypass techniques.
Training Outcomes
Describe the secure boot process and its intended protections
Identify weaknesses in implementation that open attack surfaces
Execute bypass techniques including fault injection, single-user login forcing, and firmware manipulation
Hands-On Experience
Trigger secure boot faults and observe validation failures
Alter boot parameters to drop into single-user mode
Manipulate firmware components to disable or weaken secure boot enforcement
This class teaches how to extract complete firmware images from devices once UART access has been gained. The instructor first demonstrates leveraging built-in MCU bootloaders, showing how vendors like STMicroelectronics, NXP, TI, Espressif, and others expose UART-based programming interfaces that can be repurposed for firmware dumping. The second technique uses captured UART logs: a firmware hexdump streamed to the terminal can be reconstructed into a binary file using a simple Python script. By the end, students will know how attackers recover entire firmware images for offline reverse engineering, analysis, and implant development.
Learning Objective
Perform firmware extraction from MCUs and embedded devices using UART access.
Training Outcomes
Use built-in UART bootloaders of popular MCUs to dump firmware
Capture firmware hexdumps via UART logs and reconstruct them into binaries
Apply extracted firmware for vulnerability research and exploit development
Hands-On Experience
Connect to MCU bootloaders (STM32, ESP32, MSP430, AVR, etc.) and dump firmware images
Capture UART log hexdumps and rebuild them into binary firmware with the provided Python script
Analyze recovered binaries as a foundation for reverse engineering and further exploitation