by breakingcups
3648 days ago
Most commonly you can find either an RS232 port (not the regular one, a 3.3 V one!) or a JTAG port through which you might be able to influence the software running on it. For example, I managed to flash OpenWRT on my otherwise unflashable router that way. Another (even more hardware-y) approach is to dump flash chips containing ROMs. With those ROMs in hand you might be able to find a vulnerability to exploit, or you could replace the ROM chip with a socket in which you can place your own modified ROMs. Bunnie famously broke the Xbox classic security by building his own hardware to sniff the (until then thought to be unsniffable) HyperTransport bus.
He wrote a very interesting book about it and it's free nowadays: http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf
Sometimes they don't include headers and the like, so looking up a pinout and soldering to the IC helps in that case too; tapping into the serial connections between chips can reveal a lot too.