
Hack the UART: Dumping Firmware

  • Writer: Victor Hanna
  • May 5
  • 2 min read

Updated: May 7

UART firmware dumps don’t need creds—they just need a prompt and a plan

So you've popped open a device and found a UART header just begging for attention. Maybe it's a router, a camera, or some random IoT trash with questionable security. If you're serious about firmware-level hacking, UART is your golden ticket — and in this post, we’ll walk you through how to dump the firmware entirely over serial.


Let’s get into it.


Phase 1: UART Recon & Shell Access


First, identify and connect to the UART pins:


  • If the pins aren’t labeled, use a multimeter or logic analyzer to identify the correct UART pins

  • Typical UART layout: GND, TX, RX, sometimes VCC (DO NOT connect VCC unless you know what you're doing)

  • Connect with a USB-UART adapter (e.g., FTDI, CP2102, CH340)



  • Use a terminal like minicom

  • Try common baud rates: 115200, 57600, 38400, etc.



Once you're in, interrupt boot if possible to drop into U-Boot (or similar). If the device boots to a Linux shell? Even better.


Phase 2: Extracting Firmware via UART


From Linux Shell (Root Access)

In many cases root access drops you into a limited shell environment such as BusyBox, so you will need to work with whatever native utilities are available on the particular device.


Dumping the firmware from the Linux shell requires some knowledge of the MTD (Memory Technology Device) subsystem.


MTD is the Linux subsystem that abstracts the details of the system’s flash devices, exposing each one as a device file so the kernel can interact with it. It typically describes the starting memory address and size of each flash device, and this information can be found in /proc/mtd.


You can now use this information to extract the firmware of the partition of interest (mtd3 in this example) using the dd utility:



The firmware can then be transferred off the device slowly but reliably by combining the hexdump utility with minicom’s logging function.


  1. Run hexdump on the target partition with the following options:

Breakdown:

  • -v: Verbose mode — prevents hexdump from collapsing identical lines (which it does by default).

  • -e '1/1 "%02x"': Format string that tells hexdump to:

    • Process 1 byte at a time (1/1)

    • Print each byte as two lowercase hex characters ("%02x")

    • Without spaces, newlines, or offsets

  2. Start the logging feature: CTRL + A, L and choose an output filename, e.g. fw.hex

  3. Use the cat utility to print the hex file. From this point the output of the cat command is captured in the chosen fw.hex log file.

  4. Stop the logging feature once the output has stopped: CTRL + A, L

  5. Rebuild the binary on the host machine

  6. Analyze the firmware using binwalk
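Host-side rebuild of the capture, as an added example that is not part of the original post: it parses a constructed /proc/mtd listing, pulls the hex stream out of a constructed minicom log (echoed command and prompt included), converts it back to bytes, and checks the byte count against the partition size from /proc/mtd, so a truncated capture or a dump made without -v is caught before binwalk ever runs. The /tmp/fw.hex path and the `/ #` BusyBox prompt are assumptions.

```python
import re

# Constructed /proc/mtd listing, as it would appear on the serial console.
PROC_MTD = """dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00200000 00010000 "kernel"
mtd2: 00600000 00010000 "rootfs"
mtd3: 00000010 00010000 "config"
"""
# Constructed minicom capture (fw.hex): the echoed cat command, the unbroken
# hex stream produced by hexdump -v -e '1/1 "%02x"', and the prompt after it.
MINICOM_LOG = ("/ # cat /tmp/fw.hex\r\n"
               "27051956deadbeef0000001000000000/ # \r\n")
MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"', re.M)
HEX_RUN = re.compile(r"[0-9a-fA-F]+")

def parse_proc_mtd(text):
    """Map mtdN -> {size, erasesize, name}; /proc/mtd gives sizes in hex bytes."""
    return {dev: {"size": int(size, 16), "erasesize": int(erase, 16), "name": name}
            for dev, size, erase, name in MTD_LINE.findall(text)}

def extract_hex_stream(log):
    """Pull the firmware hex out of a minicom capture: the dump is one unbroken
    run of hex digits, while the echoed command and prompt only add short runs
    ("ca" from "cat"), so the longest run wins. Assumes the prompt after the
    dump does not start with a hex digit (the size check catches it if it does)."""
    if "*" in log:
        raise ValueError("'*' in capture: hexdump squeezed repeats, rerun with -v")
    runs = [r for line in log.replace("\r", "").split("\n")
            for r in HEX_RUN.findall(line)]
    if not runs:
        raise ValueError("no hex data found in capture")
    return max(runs, key=len)

def rebuild_firmware(log, expected_size):
    """Rebuild the partition image and check it against the /proc/mtd size."""
    hexstr = extract_hex_stream(log)
    if len(hexstr) % 2:
        raise ValueError("odd digit count: capture truncated mid-byte")
    blob = bytes.fromhex(hexstr)
    if len(blob) != expected_size:
        raise ValueError(f"got {len(blob)} bytes, /proc/mtd lists {expected_size}: "
                         "capture incomplete or polluted by console output")
    return blob

if __name__ == "__main__":
    size = parse_proc_mtd(PROC_MTD)["mtd3"]["size"]
    with open("fw.bin", "wb") as f:  # feed this image to binwalk
        f.write(rebuild_firmware(MINICOM_LOG, size))
```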

Final Thought


Dumping flash over UART might feel like hacking in slow motion—but don’t underestimate it. Even where embedded systems use encrypted OTA updates and hardened bootloaders, UART remains the quiet backdoor most vendors forget to lock. It’s the hacker’s stethoscope, letting you hear the heartbeat of the device—and sometimes even whisper back.


At the end of the day, when everyone’s patching over-the-air, you’re patching under-the-radar.
