Author Topic: Flir C5 reverse engineering / firmware hack  (Read 4950 times)


Offline fenugrecTopic starter

  • Regular Contributor
  • Posts: 225
  • Country: ca
Flir C5 reverse engineering / firmware hack
« on: May 14, 2022, 05:32:40 pm »
Just a short writeup on the FLIR C5. I haven't done anything practical and have no clear objective; I just spent a few hours looking at the firmware.

The firmware update .fuf file appears to be simply a .tar file, although 7z wasn't able to process it. No problem with "tar -xvf" though.

Partial contents:

Code:
$ tar -tvf SHLK_comb_v2.10.30.fuf
....
-rwxr-xr-x uffe/uffe       445 2021-11-30 09:02 .meta/verification.sh
-rwxr-xr-x uffe/uffe  94701985 2021-11-23 08:01 SHLK_rootfs_ec201_v1.46.run
-rwxr-xr-x uffe/uffe  29098080 2021-11-30 08:59 SHLK_appkit-2.0.10-rf92e470.opx
-rwxr-xr-x uffe/uffe   3453376 2021-11-30 09:00 SHLK_prodkit-2.0.10.30-rf92e470.opx

.meta/verification.sh: trivial script; "Check installed swcombination against expected"

SHLK_rootfs_ec201_v1.46.run is a self-extracting Makeself script:

Code:
# This script was generated using Makeself 2.2.0
# FLIR pingu software
# FLIR target nettan:v1


Don't really want to run that script on my host system, in case I mess up args and throw files all over the place. So I need a chroot.
I never do this; took some fiddling to get it to work. Why is this not automated? I had to copy these inside the chroot:

Code:
- bash
- busybox + create symlinks
- libs for the above
- tr
- mkdir dev ; mount -o bind /dev dev

This time fakechroot + chroot into it. Better now:

Code:
$ ./SHLK_rootfs_ec201_v1.46.run --list
Target directory: target
drwxr-xr-x root/root         0 2020-09-11 02:22:42 ./
drwxr-xr-x root/root         0 2021-11-23 07:57:42 ./files/
-rwxr-xr-x root/root  95863726 2021-11-23 07:58:19 ./files/ext4image.tar.gz
-rwxr-xr-x root/root        23 2021-11-23 07:19:42 ./files/version
-rwxr-xr-x root/root      2155 2021-04-09 09:41:08 ./setup

Excellent. An image and another script. Extract but don't run:

Code:
$ ./SHLK_rootfs_ec201_v1.46.run --noexec

A few errors, but it did create the expected files. Exploring that ext4 image:

Code:
$ sudo mount -o loop flir-image-ec201.ext4 /mnt/test
$ cd /mnt/test
$ cat etc/os-release
ID=flir
NAME=FlirSystem
VERSION=flir-image-ec201-20211123121739
VERSION_ID=ec201_v1.46-0-g40607a8
PRETTY_NAME=FLIR Systems platform ec201 20210124 Yocto 2.5
CPE_NAME=cpe:/o:flir:flir-image-ec201-20211123121739:ec201_v1.46-0-g40607a8
SDK_VERSION=2.5
BUILD_USER=jenkins
BUILD_ID=ec201_v1.46-0-g40607a8
BUILD_HOST=se-esw-36


Ok. So they have some CI build system to generate this with Yocto. Interesting.

Code:
$ ls boot -l
....
-rwxr-xr-x 1 root root   54048 Nov 15 09:19 imx7ulpm4.bin
-rw-r--r-- 1 root root   25589 Nov 23 07:17 imx7ulp-sherlock-a.dtb
-rw-r--r-- 1 root root   25265 Nov 23 07:17 imx7ulp-sherlock-b.dtb
-rw-r--r-- 1 root root   24578 Nov 23 07:17 imx7ulp-sherlock.dtb
lrwxrwxrwx 1 root root      29 Nov 23 07:17 zImage -> zImage-4.14.98-2.2.0+g5910884
-rw-r--r-- 1 root root 5638824 Nov 23 07:17 zImage-4.14.98-2.2.0+g5910884


Linux 4.14.98; the IMX7ULP is an NXP processor, a dual-core Cortex-A7 + Cortex-M4, with GPU, display and camera interfaces, and other stuff.

It may be possible to request some sources and scripts as per GPL.

Back a few steps: those .opx files are still mysterious. A bit of digging on the rootfs reveals /usr/bin/flir-updater.sh!

Code:
" Script to update system from a .squashfs, .fuf, .opk, .ext4 or a .run file "

Then, it runs "fefunpack" to extract those .opx files.


A quick look at fefunpack with IDA reveals interesting imports:

Code:
Address Ordinal Name Library
00023208 EVP_DecryptInit_ex@@OPENSSL_1.0.2d
00023214 EVP_CIPHER_CTX_new@@OPENSSL_1.0.2d
00023218 EVP_aes_256_cbc@@OPENSSL_1.0.2d
0002322C SHA256_Final@@OPENSSL_1.0.2d
00023234 RSA_verify@@OPENSSL_1.0.2d
00023244 RSA_new@@OPENSSL_1.0.2d
0002326C OPENSSL_config@@OPENSSL_1.0.2d


Actual cryptography! Luckily, no need to go down there for now. I just found out a similar model was recently hacked:
https://www.eevblog.com/forum/thermal-imaging/rooting-the-new-flirs-(e76-etc)/

The cfc_unpack.py script posted there required minor mods:

Code:
* header is 256 bytes from end, not 372

* de-xor applies on range(12,60), with
  newheader[x] ^= header[x+48]

* signature is "FEF1", not CFC2

But then it ran perfectly:

Code:
$ python cfc_unpack.py 0x614b4e61654e7241  SHLK_prodkit-2.0.10.30-rf92e470

(the 0x614b4e61654e7241 is lifted from fefunpack; found the correct area in the disasm by looking for fseek() calls.)

I believe the output file is an "opkg" package; it can be extracted with ar. Cool:

Code:
Package: appkit
Version: 2.0.10-rf92e470
Description: Base applications and libraries for the Nettan camera
Section: base
Priority: optional
Maintainer: Byggare Bob <thgbuilder@flir.se>
Architecture: ec201
Homepage: http://www.flir.com/
Source:
Depends:



Package: prodkit
Version: 2.0.10.30-rf92e470
Description: Production applications for the Nettan camera
Section: base
Priority: optional
Maintainer: David Sernelius <david.sernelius@flir.se>
Architecture: ec201
Homepage: http://www.flir.com/
Source:
Depends: appkit


I'm not sure if / how to root this yet, but I notice the rootfs has an /etc/shadow that looks similar to the one posted on the E76 thread:

Code:
$ sudo cat etc/shadow
root:qA7LRQDa1amZM:18954:0:99999:7:::
...
fliruser:m1iiKYIJr63u2:18954:0:99999:7:::

The "hashes" are the same - unclear if that means the passwords are the same.
That's all I have for now.
« Last Edit: May 14, 2022, 06:28:29 pm by fenugrec »
 

Offline KaneTW

  • Frequent Contributor
  • Posts: 808
  • Country: de
Re: Flir C5 reverse engineering / firmware hack
« Reply #1 on: May 15, 2022, 04:19:50 am »
Good work. The /etc/shadow is a default file that gets overwritten by a boot-script with a custom per-device password. You can grab the hash by rooting the device itself like in my thread.
 

Offline fenugrecTopic starter

  • Regular Contributor
  • Posts: 225
  • Country: ca
Re: Flir C5 reverse engineering / firmware hack
« Reply #2 on: December 07, 2022, 03:13:50 pm »
It may be possible to request some sources and scripts as per GPL.

If anyone is wondering - no success yet. Teledyne / FLIR is steadfastly refusing to provide any of the GPL source code they use.
 

Offline fenugrecTopic starter

  • Regular Contributor
  • Posts: 225
  • Country: ca
Re: Flir C5 reverse engineering / firmware hack
« Reply #3 on: January 11, 2023, 01:28:25 pm »
New development:

https://github.com/flir-cx/flir-yocto-documentation/blob/master/unlock_tool.md

Still haven't obtained the GPL source code, but the above (which had been available for some time; I never knew about it), in conjunction with a digitally signed file provided on demand via their tech support, should allow rooting the device.

 

Offline ixfd64

  • Frequent Contributor
  • Posts: 345
  • Country: us
Re: Flir C5 reverse engineering / firmware hack
« Reply #4 on: January 19, 2023, 07:31:04 pm »
As a note, some authors of GPL software do dual-license their code. For example, they may offer an alternative license that requires a fee but does not require the source code to be disclosed.

Offline pozderf

  • Newbie
  • Posts: 1
  • Country: ee
Re: Flir C5 reverse engineering / firmware hack
« Reply #5 on: March 08, 2023, 11:55:20 am »
Thank you for sharing the information. I was able to successfully unbrick my device now.

Here's the background: my device stopped booting normally, so I decided to open it up and found a button on the mainboard. By combining this button with the power button, I was able to trigger the SystemOnChip recovery mode and load the bootloader over the USB recovery (SDP) protocol. However, at the time, I didn't have any bootloader information, so I used a random i.MX 7ULP proto board bootloader for U-boot and fastboot commands. This allowed me to access the eMMC, but I accidentally killed the partition table during the recovery process. I was only able to manually rebuild the partition table and some parts of the filesystem based on the information in the FW, but I couldn't get it to boot.

Fortunately, flir-yocto-documentation appeared, which enabled me to compile the missing parts to get the device booting into full recovery mode. From there, I was able to use RNDIS to SSH into the device, load the rootfs, modify the shadow origins to enable passwordless SSH access, and boot it up normally. Now, I have a live running system with root access and can easily unpack FW parts and mess around.

However, I am still in need of the calibration files. Perhaps someone could share the CameraFiles.zip or the following files:

Code:
/FLIR/system/calib.rsc                          CameraFiles/system/calib.rsc
/FLIR/system/maps/ds_we_ap_fi_leFOL2_LCFMap.fff CameraFiles/system/maps/ds_we_ap_fi_leFOL2_LCFMap.fff
/FLIR/system/maps/ds_we_ap_fi_le_LCFMap.fff     CameraFiles/system/maps/ds_we_ap_fi_le_LCFMap.fff
/FLIR/system/DistMap_Lepton160.fff              CameraFiles/system/DistMap_Lepton160.fff
/FLIR/system/RotationMapCCW_Lepton160.fff       CameraFiles/system/RotationMapCCW_Lepton160.fff
/FLIR/system/RotationMapCW_Lepton160.fff        CameraFiles/system/RotationMapCW_Lepton160.fff
/FLIR/system/ZoomMap_Lepton160.fff              CameraFiles/system/ZoomMap_Lepton160.fff

By the way, in case someone needs the recovery sequence:

Code:
/*
 * Recovery sequence
 *
 *  1. Hold trigger and power button while booting, release when screen lights up.
 *  2. Press trigger button 5 times
 *  3. Wait until 2 stars appear on screen
 *  4. Press trigger button 6 times
 *  5. Camera goes to recovery.
 *
 */
« Last Edit: March 08, 2023, 12:37:10 pm by pozderf »
 

Offline fenugrecTopic starter

  • Regular Contributor
  • Posts: 225
  • Country: ca
Re: Flir C5 reverse engineering / firmware hack
« Reply #6 on: April 02, 2023, 11:19:50 pm »
However, I am still in need of the calibration files. Perhaps someone could share the CameraFiles.zip or following files:

I can check, but if those are per-device calibrations, it may not help you?
 

Offline MichaelG

  • Newbie
  • Posts: 1
  • Country: us
Re: Flir C5 reverse engineering / firmware hack
« Reply #7 on: August 22, 2024, 07:19:45 pm »
Hello. Flir issued an update for the C5 that caused some cameras to brick on install.
Flir's response was "Buy a new one." Surprise.
I've been trying to get it to fastboot or recovery or even SSH, but despite obtaining the "Recovery" screen with a USB RNDIS connection, it still denies connection via SSH.
It displays the recovery code on that screen, and I suspect the code is for generating an SSH key.
How have you guys been able to obtain a connection to view and push files?
I want to keep and even back up the calibration files before rewriting the firmware to the eMMC.
I suspect I will be able to normally reload the latest firmware if I could get it to reboot. I did obtain an unlocker code, but that only works if it's currently working properly.
Thanks all.
 
