[{"data":1,"prerenderedAt":259},["Reactive",2],{"blog-post-/blogs/zlt_m30s_debug_interface":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"image":11,"alt":12,"ogImage":13,"tags":14,"published":17,"body":18,"_type":251,"_id":252,"_source":253,"_file":254,"_extension":255,"sitemap":256},"/blogs/zlt_m30s_debug_interface","blogs",false,"","TOZED ZLT M30s Information Disclosure via Debug Interface","TOZED ZLT M30S v1.47 - Information Exposure via Debug Interface","9th Nov 2025","https://hacklab.eu.org/blogs-img/step1.jpg","ZLT M30S v1.47 - Information Exposure via Debug Interface","/blogs-img/step1.jpg",[15,16],"CVE","Hardware",true,{"type":19,"children":20,"toc":243},"root",[21,29,36,42,49,55,61,67,72,78,88,96,105,119,128,136,145,153,203,211,216,224,230,238],{"type":22,"tag":23,"props":24,"children":26},"element","h2",{"id":25},"zlt-m30s-v147-information-exposure-via-debug-interface",[27],{"type":28,"value":12},"text",{"type":22,"tag":30,"props":31,"children":33},"h4",{"id":32},"category-cve",[34],{"type":28,"value":35},"Category: CVE",{"type":22,"tag":30,"props":37,"children":39},{"id":38},"researcher-ramon-bello-gr33pp-s33k3r",[40],{"type":28,"value":41},"Researcher: Ramon Bello (gr33pp / S33K3R)",{"type":22,"tag":43,"props":44,"children":46},"h3",{"id":45},"cve-2025-15083",[47],{"type":28,"value":48},"CVE-2025-15083",{"type":22,"tag":43,"props":50,"children":52},{"id":51},"tl-dr",[53],{"type":28,"value":54},"TL; DR",{"type":22,"tag":56,"props":57,"children":58},"p",{},[59],{"type":28,"value":60},"Information exposure vulnerability has been identified in TOZED ZLT M30S firmware verson v1.47. The device's internal Universal Asynchronous Reciever-Transmitter (UART) debugging console, logs the current and factory-set default Wi-Fi credentials in plain text during the boot and factory reset sequences, respectively.",{"type":22,"tag":43,"props":62,"children":64},{"id":63},"poc",[65],{"type":28,"value":66},"POC",{"type":22,"tag":56,"props":68,"children":69},{},[70],{"type":28,"value":71},"Access requirements: Requires Physical Access to the device, a USB-to-TTL serial adapter and some soldering skills :) (I have a bad soldering iron btw )",{"type":22,"tag":30,"props":73,"children":75},{"id":74},"steps",[76],{"type":28,"value":77},"Steps",{"type":22,"tag":79,"props":80,"children":81},"ol",{},[82],{"type":22,"tag":83,"props":84,"children":85},"li",{},[86],{"type":28,"value":87},"Decouple the the mobile router and separate the PCB from the casing.",{"type":22,"tag":56,"props":89,"children":90},{},[91],{"type":22,"tag":92,"props":93,"children":95},"img",{"alt":94,"src":13},"Step 1",[],{"type":22,"tag":79,"props":97,"children":99},{"start":98},2,[100],{"type":22,"tag":83,"props":101,"children":102},{},[103],{"type":28,"value":104},"Locate the UART pads, it is beside the reset button.",{"type":22,"tag":56,"props":106,"children":107},{},[108,113],{"type":22,"tag":92,"props":109,"children":112},{"alt":110,"src":111},"Step 2","/blogs-img/step2.jpg",[],{"type":22,"tag":114,"props":115,"children":116},"em",{},[117],{"type":28,"value":118},"TX GND RX pads identified",{"type":22,"tag":79,"props":120,"children":122},{"start":121},3,[123],{"type":22,"tag":83,"props":124,"children":125},{},[126],{"type":28,"value":127},"Using your soldering skills, attach wires to the three pads. GND pad is quite flexible, I took mine from the negative battery terminal (Remember I have a bad soldering iron TT )",{"type":22,"tag":56,"props":129,"children":130},{},[131],{"type":22,"tag":92,"props":132,"children":135},{"alt":133,"src":134},"Step 3","/blogs-img/step3.jpg",[],{"type":22,"tag":79,"props":137,"children":139},{"start":138},4,[140],{"type":22,"tag":83,"props":141,"children":142},{},[143],{"type":28,"value":144},"Connect the wires to your USB-to-TTL serial adapter. Here, I used a raspberry pico lying around as my serial adapter.",{"type":22,"tag":56,"props":146,"children":147},{},[148],{"type":22,"tag":92,"props":149,"children":152},{"alt":150,"src":151},"Step 4","/blogs-img/step4.jpg",[],{"type":22,"tag":79,"props":154,"children":156},{"start":155},5,[157,184],{"type":22,"tag":83,"props":158,"children":159},{},[160,162,168,170,175,177,182],{"type":28,"value":161},"Using a serial monitor, e.g picocom, minicom. Connect the serial adapter USB to a computer, identify the adapter ",{"type":22,"tag":163,"props":164,"children":165},"code",{"className":7},[166],{"type":28,"value":167},"tty",{"type":28,"value":169}," name. Mine runs at ",{"type":22,"tag":163,"props":171,"children":172},{"className":7},[173],{"type":28,"value":174},"/dev/ttyACM0",{"type":28,"value":176},". Launch picocom to use your serial adapter and the baud rate set to ",{"type":22,"tag":163,"props":178,"children":179},{"className":7},[180],{"type":28,"value":181},"921600",{"type":28,"value":183},". I had to bruteforce to get the working baud rate.",{"type":22,"tag":83,"props":185,"children":186},{},[187,189,194,196,201],{"type":28,"value":188},"If your router is turned on already, reboot it through the button and observe the serial monitor output, search for ",{"type":22,"tag":163,"props":190,"children":191},{"className":7},[192],{"type":28,"value":193},"inputStr",{"type":28,"value":195}," or ",{"type":22,"tag":163,"props":197,"children":198},{"className":7},[199],{"type":28,"value":200},"outputStr",{"type":28,"value":202},", there you will find the current Wi-Fi password set to the router.",{"type":22,"tag":56,"props":204,"children":205},{},[206],{"type":22,"tag":92,"props":207,"children":210},{"alt":208,"src":209},"Step 6","/blogs-img/step7.png",[],{"type":22,"tag":56,"props":212,"children":213},{},[214],{"type":28,"value":215},"The same thing occurs on factory reset through the reset button, the logs reveals the default password to the router.",{"type":22,"tag":56,"props":217,"children":218},{},[219],{"type":22,"tag":92,"props":220,"children":223},{"alt":221,"src":222},"Step6 B","/blogs-img/step6.png",[],{"type":22,"tag":43,"props":225,"children":227},{"id":226},"what-next",[228],{"type":28,"value":229},"What next?",{"type":22,"tag":56,"props":231,"children":232},{},[233],{"type":22,"tag":92,"props":234,"children":237},{"alt":235,"src":236},"lol","https://media2.giphy.com/media/v1.Y2lkPTc5MGI3NjExMWR2OTk5aGZ0dGlnMm9qZTBuazI3MWt3a3o3cjhra3NqdDdnb2hubSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/dl8b48ULQRjBkRcmZZ/giphy.gif",[],{"type":22,"tag":56,"props":239,"children":240},{},[241],{"type":28,"value":242},"I still need proper hardware pentest tools. I'm open to sponsorships. My contact links are in the homepage and footer. Thanks for reading! :)",{"title":7,"searchDepth":98,"depth":98,"links":244},[245],{"id":25,"depth":98,"text":12,"children":246},[247,248,249,250],{"id":45,"depth":121,"text":48},{"id":51,"depth":121,"text":54},{"id":63,"depth":121,"text":66},{"id":226,"depth":121,"text":229},"markdown","content:blogs:ZLT_M30S_debug_interface.md","content","blogs/ZLT_M30S_debug_interface.md","md",{"loc":4,"lastmod":257,"images":258},"2026-04-29T18:26:59.364Z",[],1777487261927]