Dacooler Z28 [Part 1]: How to Obtain a Root Shell Through UART

Recently I was doing a lot of ARM debugging on a large variety of devices. Some of them are extremely expensive and so I decided to have a look at much cheaper devices which might be useful for such a purpose too!

In this initial blog entry I will give you an overview of the Dacooler Z28 Android TV Box and show how you can relatively quickly obtain a root shell on it. Here is a picture of the box, which is very cheap (I bought it for around 35 USD):

Let’s have a look at the technical specs of the device:

Hardware:

OS: Android 7.1
CPU: Rockchip RK3328, 64-bit CPU, quad-core Cortex-A53
GPU: Mali-450MP2

Storage:

RAM: 1GB
ROM: 8GB
Storage Extension: Support MicroSD(TF) Up to 64GB

Communication:

WIFI: 2.4G WiFi
LAN: 10M/100M

Interfaces:

HDMI Out: 1*HDMI,HDMI2.0 3840x2160Pixels
USB Port: 1*USB 2.0,1*USB 3.0
SPDIF: 1*SPDIF
Card Reader: 1*Micro SD card (TF card) reader
Network: 1*RJ45 LAN Port
Power Supply: 1*5V2A DC

In my opinion, pretty decent hardware! You have an ARM64 quad-core CPU + 1GB of RAM. Something we can definitely work with, right?

This was not the first box I’ve opened, so I was in a state between excitement and desperation. Some of the models I have ordered turned out to be more or less unusable for too many reasons to explain here…

Opening the box is very easy. First you need to remove the 4 rubber feet on the back of the device. Underneath them you will see 4 screws which need to be removed. After you have removed all of them you can open the case. The PCB is also secured with two screws which need to be removed as well. Once that is done you can fully remove the PCB from the case.

Here is a picture of the board:

We can see the Rockchip RK3328 in the middle.

Finding the UART interface:

When you start searching for the UART interface on a proprietary system, you usually look for a 4-pin connector that does not seem to be in use. Sometimes you can find it on the board; sometimes the pins are not soldered, or you don’t see anything like that at all. It can happen that you see 3 pins instead of four, but I have to admit that has happened to me only rarely. Nevertheless, you only need three pins for the connection:

As the picture shows, you need RX, TX and GND. Spending only a few seconds searching the board revealed this:

Wow, that was easy, right!? In the bottom left corner you see a 4-pin socket which most likely will be our UART interface. UPDATE: The pin socket you see in the bottom left corner wasn’t originally there. I soldered it onto the board. Now what you need to establish the connection is a so-called serial-to-USB converter. I have several of them, and sometimes one works while another magically does not. It is best to have several of these at hand so you can try which one works with the hardware you want to connect to. I also had to try 3 different converters until it worked, and I used this one here:

Establishing the UART connection:

Let’s try and see if the interface is working or whether it might be a dead end. You simply have to connect RX -> TX, TX -> RX and GND -> GND and you are good to go like this:

After everything was connected I fired up PuTTY and checked the serial connection settings. Usually when I try these things I use the following settings, which work in most cases without issues:

As I said, in most cases… For some reason this is different for the Rockchip RK3328! You need to specify 1500000 baud. If you don’t, your output will look like this and you cannot read anything:

▒▒VF^FF^^o/GO▒▒g▒oGWOV^FFF^FfFWfN_OVO▒WWW6FNV^ffVoWC▒GONfw▒GG▒_gE▒gGgS&nJfnFGFNO fFN_▒VfVNonFwvKfGwNOnnfFwVFN^wfFf^NWoFFfOfFFnfFGGFNGFFfFGFOwFNnfFFgWG^.W_SFFNGGF N_OO_off▒F”FF22▒FBFwnOFWOfGOFVFFNo^FFnWn/FVFFVGFFn_?FFVVV^fFNFFFNVFGWnVVFGFVVFGF nFF^VNfFw_fGnfwGfgFfNGWFnOO/NfoVF^ofFofFvOFGffFOnN▒fGnnfFnnovWN▒FFNOOGvNVfWWfF_~ GOvGNfV.~FnNfFNFgOFG▒▒f^GNFnWnFngfFV^Of^Ng_fFfWFNofFfVVgWfFnFnFfnnFnNWnOONWn_gfF FWWFGnG_/FnW_FnGGFfOn^fFgFnFngfFNnFng^Nf_WwNFNGFF&FGNgOFnF&GVfVOvf_FFnw7f~FNFNNF ~^F_VO^f_fFNNNOFF^oFF▒GgOfGNfF_NV__FGNnGf_FGf”bnnG+FFNnnFNnGJ~FF
~GVffWoFNW^FF7FV GfGFGN_WNO”bnsO~nnOwbFNgFf~FNfFnfWwnFF_fFnNGF_nFo_VfVFW.fG~▒FNnFV_OffGVfW_O&~FW? FNNFfnNNNfFfwfFNFvGFFngFfnfFnvfVvfV&njFFfnNo?FN_fFGN?

……..

……..

But don’t worry: if you use the baud rate mentioned above, you will get clear output like this:

Booting takes approximately 45 seconds, which is OK I would say. When everything is loaded you can hit Enter in PuTTY and you will get a root shell for free. Checking the root file system reveals the following:

At this point you can already start modifying the system as you want. You can activate adb via Wi-Fi (which I will show in the second part of the write-up series), install any kind of system application, remove system applications or just start reverse engineering the system to find some nice vulnerabilities!
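Coming back to the baud-rate problem above, here is an added example (not part of the original post) that scores a serial capture for "looks like a boot console" so the right rate can be picked automatically instead of by eye. Wrong-baud noise like the dump above is largely printable letters, so the score also requires word spacing and short lines. The sample bytes are constructed, the 0.05, 120 and 0.8 thresholds are assumed heuristics, and `capture()` assumes pyserial is installed.

```python
import string

# Rates to probe: 115200 is the usual default, 1500000 is the RK3328 rate from the text.
CANDIDATE_BAUDS = (9600, 57600, 115200, 1500000)
_PRINTABLE = frozenset(string.printable.encode("ascii"))

def console_score(data: bytes) -> float:
    """Score 0..1 for how much a capture resembles a text boot console."""
    if not data:
        return 0.0
    printable = sum(b in _PRINTABLE for b in data) / len(data)
    spaces = data.count(b" ") / len(data)
    lines = [ln for ln in data.splitlines() if ln]
    avg_len = sum(map(len, lines)) / len(lines) if lines else len(data)
    # Wrong-baud noise is often mostly printable letters, so printable bytes
    # alone are not enough: also require word spacing and short lines.
    return printable * min(1.0, spaces / 0.05) * min(1.0, 120 / avg_len)

def pick_baud(captures: dict, threshold: float = 0.8):
    """Return the baud rate whose capture scores best, or None if none is readable."""
    best = max(captures, key=lambda b: console_score(captures[b]), default=None)
    if best is None or console_score(captures[best]) < threshold:
        return None
    return best

def capture(port: str, baud: int, seconds: float = 3.0) -> bytes:
    """Read up to 4 KiB from a serial port (needs pyserial and real hardware)."""
    import serial  # imported lazily so the scoring code runs without pyserial
    with serial.Serial(port, baudrate=baud, timeout=seconds) as link:
        return link.read(4096)

def probe(port: str):
    """Capture at every candidate rate on `port` and return the readable one."""
    return pick_baud({b: capture(port, b) for b in CANDIDATE_BAUDS})

# Constructed samples (not captured from the device).
NOISE = b"FfN^GnV_oW" * 40 + b"\xfe" * 8
BOOT = (b"[    0.000000] Booting Linux on physical CPU 0x0\r\n"
        b"[    0.512340] console enabled (constructed sample)\r\n"
        b"[    1.204811] init: starting service 'console'\r\n")

if __name__ == "__main__":
    print(pick_baud({115200: NOISE, 1500000: BOOT}))
```

Run `probe()` with the port name of your converter while the box is booting, since the console is only chatty during the boot phase.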

I hope you could see that “hardware hacking” isn’t always complicated as hell. There are a lot of shades and if you just keep trying you will be successful. For me this was fun and it won’t be my last box ;-D

f33l th3 mAtr1X!

mitp0sh of PDX