Root Shell Access on NETGEAR AC1000 R6080 through UART Debug Interface

I decided to check out my local Goodwill for old routers that I might be able to get a shell on. By looking at the device’s FCC ID, I was able to review the internal photos and identify exposed UART pins.

https://fcc.report/FCC-ID/PY316400359/3312277.pdf

Internal

With the device set up in the lab, the next step is to enumerate each pin and align it with the corresponding pin on the adapter.

1. Find the Ground Pin

Power off the device and use your multimeter to check each pin for ground. Make sure your meter is set to the same configuration as mine.

multimeter

On my device, the ground pin was the furthest left from the power button. If you’ve set everything correctly, you should hear a beep when testing. Ensure the black probe is connected to ground.

finding ground

2. Find the RX Pin

The RX pin is the receive line of the UART interface. It accepts incoming data from the connected device. RX is usually easy to identify because it should remain at 0V.

Set your multimeter to 20V DC mode.

20v DC

With the device powered on, probe each pin while monitoring for a constant value of 0V. On my device, this was the pin marked with an arrow.

Finding RX

3. Identify the Power Pin (VCC)

The VCC pin should hold a steady 3.3V. This is easy to confirm—on my device, it was labeled JP1.

Finding the Power Pin

4. Identify the TX Pin

The TX pin is very noisy during startup. To locate it, reboot the device while monitoring each pin’s voltage—the one with the most frequent spikes and dips is TX. On my device, it was the second pin from the left, next to the power cable.

Finding TX