Just a short writeup on the FLIR C5. I haven't done anything practical and have no clear objective; I just spent a few hours looking at the firmware.
The firmware update .fuf file appears to be simply a .tar file, although 7z wasn't able to process it. No problem with "tar -xvf" though.
Partial contents:
$ tar -tvf SHLK_comb_v2.10.30.fuf
....
-rwxr-xr-x uffe/uffe 445 2021-11-30 09:02 .meta/verification.sh
-rwxr-xr-x uffe/uffe 94701985 2021-11-23 08:01 SHLK_rootfs_ec201_v1.46.run
-rwxr-xr-x uffe/uffe 29098080 2021-11-30 08:59 SHLK_appkit-2.0.10-rf92e470.opx
-rwxr-xr-x uffe/uffe 3453376 2021-11-30 09:00 SHLK_prodkit-2.0.10.30-rf92e470.opx
.meta/verification.sh: a trivial script ("Check installed swcombination against expected").
SHLK_rootfs_ec201_v1.46.run is a self-extracting Makeself script:
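Since the .fuf turns out to be a plain tar, the usual checks for an untrusted tarball apply before anything is extracted: no member that escapes the target directory, no link pointing outside it, no device nodes, no setuid/setgid files, and a heads-up on executable scripts like .meta/verification.sh or the Makeself .run that you may not want to run. The script below is an added example, not code from the post or from FLIR; the sample archive it builds is constructed (names mirror the listing above, the unsafe members are made up).

```python
"""Audit the member list of a firmware update archive before extracting it.

Added example. build_sample_fuf() constructs a tar that mirrors the .fuf
listing above and appends three members a legitimate update should never
contain, so the audit has something to flag.
"""
import io
import os
import stat
import tarfile


def _escapes(path: str) -> bool:
    """True if a member name or link target would resolve outside the extraction root."""
    if path.startswith(("/", "\\")):
        return True
    norm = os.path.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_tar(data: bytes) -> dict[str, list[str]]:
    """Return {member name: [findings]} for every member that needs attention."""
    findings: dict[str, list[str]] = {}

    def note(name: str, msg: str) -> None:
        findings.setdefault(name, []).append(msg)

    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if _escapes(m.name):
                note(m.name, "path escapes the extraction directory")
            if m.issym() or m.islnk():
                # Resolve the link target relative to the member's own directory;
                # os.path.join drops the prefix when the target is absolute.
                resolved = os.path.join(os.path.dirname(m.name), m.linkname)
                if _escapes(resolved):
                    note(m.name, f"link target outside archive: {m.linkname}")
            if m.isdev():
                note(m.name, "device node")
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                note(m.name, "setuid/setgid bit set")
            if m.isfile() and m.mode & stat.S_IXUSR and m.name.endswith((".sh", ".run")):
                note(m.name, "executable script: read before running")
    return findings


def build_sample_fuf() -> bytes:
    """Constructed sample (not the real update): three plausible members followed
    by a path-traversal file, a setuid binary and a symlink escaping the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, payload=b"", mode=0o755, kind=tarfile.REGTYPE, link=""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.mode, ti.size, ti.linkname = kind, mode, len(payload), link
            tf.addfile(ti, io.BytesIO(payload) if kind == tarfile.REGTYPE else None)

        add(".meta/verification.sh", b"#!/bin/sh\n# Check installed swcombination against expected\n")
        add("SHLK_rootfs_ec201_v1.46.run", b"#!/bin/sh\n# Makeself stub (constructed)\n")
        add("SHLK_appkit-2.0.10-rf92e470.opx", b"constructed opaque payload")
        add("../../etc/overwrite-me", b"x", mode=0o644)               # path traversal
        add("usr/bin/helper", b"\x7fELF", mode=0o4755)                # setuid binary
        add("data/link", kind=tarfile.SYMTYPE, link="../../outside")  # escaping symlink
    return buf.getvalue()


if __name__ == "__main__":
    for name, msgs in audit_tar(build_sample_fuf()).items():
        print(f"{name}: {'; '.join(msgs)}")
```

Run it on the real file with audit_tar(open("SHLK_comb_v2.10.30.fuf", "rb").read()); the listing above should produce nothing beyond the "executable script" notes for verification.sh and the .run.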
# This script was generated using Makeself 2.2.0
# FLIR pingu software
# FLIR target nettan:v1
Don't really want to run that script on my host system, in case I mess up args and throw files all over the place. So I need a chroot.
I never do this; took some fiddling to get it to work. Why is this not automated? I had to copy these inside the chroot:
- bash
- busybox + create symlinks
- libs for the above
- tr
- mkdir dev ; mount -o bind /dev dev
This time fakechroot + chroot into it. Better now:
$ ./SHLK_rootfs_ec201_v1.46.run --list
Target directory: target
drwxr-xr-x root/root 0 2020-09-11 02:22:42 ./
drwxr-xr-x root/root 0 2021-11-23 07:57:42 ./files/
-rwxr-xr-x root/root 95863726 2021-11-23 07:58:19 ./files/ext4image.tar.gz
-rwxr-xr-x root/root 23 2021-11-23 07:19:42 ./files/version
-rwxr-xr-x root/root 2155 2021-04-09 09:41:08 ./setup
Excellent. An image and another script. Extract but don't run:
$ ./SHLK_rootfs_ec201_v1.46.run --noexec
A few errors, but it did create the expected files. Exploring that ext4 image:
$ sudo mount -o loop flir-image-ec201.ext4 /mnt/test
$ cd /mnt/test
$ cat etc/os-release
ID=flir
NAME=FlirSystem
VERSION=flir-image-ec201-20211123121739
VERSION_ID=ec201_v1.46-0-g40607a8
PRETTY_NAME=FLIR Systems platform ec201 20210124 Yocto 2.5
CPE_NAME=cpe:/o:flir:flir-image-ec201-20211123121739:ec201_v1.46-0-g40607a8
SDK_VERSION=2.5
BUILD_USER=jenkins
BUILD_ID=ec201_v1.46-0-g40607a8
BUILD_HOST=se-esw-36
Ok. So they have some CI build system to generate this with Yocto. Interesting.
$ ls boot -l
....
-rwxr-xr-x 1 root root 54048 Nov 15 09:19 imx7ulpm4.bin
-rw-r--r-- 1 root root 25589 Nov 23 07:17 imx7ulp-sherlock-a.dtb
-rw-r--r-- 1 root root 25265 Nov 23 07:17 imx7ulp-sherlock-b.dtb
-rw-r--r-- 1 root root 24578 Nov 23 07:17 imx7ulp-sherlock.dtb
lrwxrwxrwx 1 root root 29 Nov 23 07:17 zImage -> zImage-4.14.98-2.2.0+g5910884
-rw-r--r-- 1 root root 5638824 Nov 23 07:17 zImage-4.14.98-2.2.0+g5910884
Linux 4.14.98. The i.MX7ULP is an NXP processor with a Cortex-A7 and a Cortex-M4 core (the imx7ulpm4.bin above is presumably the M4 firmware), plus GPU, display and camera interfaces, and other peripherals.
It may be possible to request some sources and scripts as per GPL.
Back a few steps: those .opx files are still mysterious. A bit of digging on the rootfs reveals /usr/bin/flir-updater.sh!
"Script to update system from a .squashfs, .fuf, .opk, .ext4 or a .run file"
Then, it runs "fefunpack" to extract those .opx files.
A quick look at fefunpack with IDA reveals interesting imports:
Address Ordinal Name Library
00023208 EVP_DecryptInit_ex@@OPENSSL_1.0.2d
00023214 EVP_CIPHER_CTX_new@@OPENSSL_1.0.2d
00023218 EVP_aes_256_cbc@@OPENSSL_1.0.2d
0002322C SHA256_Final@@OPENSSL_1.0.2d
00023234 RSA_verify@@OPENSSL_1.0.2d
00023244 RSA_new@@OPENSSL_1.0.2d
0002326C OPENSSL_config@@OPENSSL_1.0.2d
Actual cryptography! Luckily, no need to go down there for now. I just found out a similar model was recently hacked:
https://www.eevblog.com/forum/thermal-imaging/rooting-the-new-flirs-(e76-etc)/
The cfc_unpack.py script posted there required minor mods:
* header is 256 bytes from end, not 372
* de-xor applies on range(12,60), with newheader[x] ^= header[x+48]
* signature is "FEF1", not CFC2
But then it ran perfectly:
$ python cfc_unpack.py 0x614b4e61654e7241 SHLK_prodkit-2.0.10.30-rf92e470
(the 0x614b4e61654e7241 is lifted from fefunpack; found the correct area in the disasm by looking for fseek() calls. )
I believe the output file is an "opkg" package; it can be extracted with ar. Cool:
Package: appkit
Version: 2.0.10-rf92e470
Description: Base applications and libraries for the Nettan camera
Section: base
Priority: optional
Maintainer: Byggare Bob <thgbuilder@flir.se>
Architecture: ec201
Homepage: http://www.flir.com/
Source:
Depends:
Package: prodkit
Version: 2.0.10.30-rf92e470
Description: Production applications for the Nettan camera
Section: base
Priority: optional
Maintainer: David Sernelius <david.sernelius@flir.se>
Architecture: ec201
Homepage: http://www.flir.com/
Source:
Depends: appkit
I'm not sure if / how to root this yet, but I notice the rootfs has an /etc/shadow that looks similar to the one posted on the E76 thread:
$ sudo cat etc/shadow
root:qA7LRQDa1amZM:18954:0:99999:7:::
...
fliruser:m1iiKYIJr63u2:18954:0:99999:7:::
The "hashes" are the same - unclear if that means the passwords are the same.
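Those 13-character entries are traditional DES crypt(3) hashes: the first two characters are the salt, the password is truncated to 8 characters, and the scheme is trivially brute-forced today, so a firmware image still shipping them is a finding in itself. Identical 13-character strings in two images also mean identical salt and, barring a collision, the same password (or an entry copied verbatim between builds). The script below is an added example, not from the post or from FLIR: it classifies the hash scheme of each shadow entry, flags the weak ones, and reports accounts whose hash field is identical between two images. The root and fliruser lines are the ones quoted above; every other line in the samples, including the "other device" file, is constructed.

```python
"""Classify /etc/shadow password hashes, flag weak schemes, and find entries
shared between two images. Added example; see the lead-in for what is real
(the two quoted C5 lines) and what is constructed (everything else)."""
import re

# Constructed sample modelled on the C5 rootfs: the root and fliruser lines
# are the ones quoted in the post, the other three are made up.
SHADOW_C5 = """\
root:qA7LRQDa1amZM:18954:0:99999:7:::
daemon:*:18954:0:99999:7:::
fliruser:m1iiKYIJr63u2:18954:0:99999:7:::
guest::18954:0:99999:7:::
admin:$6$c0nstructedSalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuv:18954:0:99999:7:::
"""

# Constructed stand-in for a second model's shadow file: root reuses the C5
# entry byte for byte, fliruser does not.
SHADOW_OTHER = """\
root:qA7LRQDa1amZM:18500:0:99999:7:::
fliruser:Zz9constructd:18500:0:99999:7:::
"""

_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes and whether the scheme counts as weak today.
_PREFIXES = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
    "$gy$": ("gost-yescrypt", False),
}


def classify_hash(field: str) -> tuple[str, bool]:
    """Return (scheme, weak) for the second field of a shadow line."""
    if field == "":
        return ("empty", True)              # no password required at all
    if field.startswith(("!", "*")):
        return ("locked", False)            # password login disabled
    for prefix, result in _PREFIXES.items():
        if field.startswith(prefix):
            return result
    if _DES_CRYPT.match(field):
        # 12-bit salt in the first two chars, 8-char truncation, 25 DES rounds.
        return ("descrypt", True)
    return ("unknown", True)


def _entries(text: str):
    """Yield (user, hash_field) for each non-comment line of a shadow file."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, field = line.split(":", 2)[:2]
            yield user, field


def audit_shadow(text: str) -> dict[str, str]:
    """Return {user: scheme} for every account whose password field is weak."""
    return {u: classify_hash(f)[0] for u, f in _entries(text) if classify_hash(f)[1]}


def shared_entries(a: str, b: str) -> dict[str, str]:
    """Users whose hash field is identical in both files, with the scheme.
    For salted schemes this means same salt and, barring a collision, same
    password (or an entry copied verbatim). Locked/empty fields are ignored."""
    fields_b = dict(_entries(b))
    return {
        u: classify_hash(f)[0]
        for u, f in _entries(a)
        if fields_b.get(u) == f and classify_hash(f)[0] not in ("locked", "empty")
    }


if __name__ == "__main__":
    print("weak:", audit_shadow(SHADOW_C5))
    print("shared with other image:", shared_entries(SHADOW_C5, SHADOW_OTHER))
```

On a mounted image the same check is audit_shadow(open("/mnt/test/etc/shadow").read()); feed the shadow file from the other thread as the second argument of shared_entries to answer the question above without guessing any password.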
That's all I have for now.