Author Topic: Rooting the new FLIRs (E76, etc)  (Read 19212 times)


Offline agiorgitis

  • Regular Contributor
  • *
  • Posts: 61
  • Country: 00
Re: Rooting the new FLIRs (E76, etc)
« Reply #25 on: February 25, 2022, 02:51:49 pm »
E2: Requesting a /dev/mtdblock{0,1} dump from a E75 and E86 please, if someone has access.
How do I do that? I just have the files within the /dev folder.
Actually there's just a file named "zero"; most others are 0 bytes.

PS: have a look at FLIR\usr\ui.d\Resources, it has a bunch of design files for other camera models too, like t1k and axxx
« Last Edit: February 25, 2022, 02:54:29 pm by agiorgitis »
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 808
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #26 on: February 25, 2022, 02:58:05 pm »
`dd if=/dev/mtdblock0 of=/home/root/mtd0_backup` then use e.g. scp to copy /home/root/mtd0_backup over to your host. While you're at it, can you also copy over /FLIR/system assuming you have root?
 

Offline agiorgitis

  • Regular Contributor
  • *
  • Posts: 61
  • Country: 00
Re: Rooting the new FLIRs (E76, etc)
« Reply #27 on: February 26, 2022, 06:14:22 pm »
`dd if=/dev/mtdblock0 of=/home/root/mtd0_backup` then use e.g. scp to copy /home/root/mtd0_backup over to your host. While you're at it, can you also copy over /FLIR/system assuming you have root?
I'll try to get time for this over the next couple of days!

I have root access, yes
(Actually I got root access a couple of years ago, and I'm a guy who had 0 (zero) Linux knowledge; I didn't even know what "root" was. If a random guy can just google how to get root access, and succeeds after a couple of days of trying, I don't think FLIR is doing such a great job on securing their systems.)
 

Offline Logan

  • Frequent Contributor
  • **
  • Posts: 350
  • Country: us
Re: Rooting the new FLIRs (E76, etc)
« Reply #28 on: March 07, 2022, 04:32:50 pm »
E: Checked the datasheets. E76/E86 have 17um pitch, E96 has 12um. This gives a sensor size of 5440, 7888, 7680 respectively. This means that the sensor is, in fact, cropped.
Interesting, I've never heard of a sensor of that resolution. I wonder how many different groups of hardware they use across the whole series?
Also, how does the new Exx series' picture quality compare to the older Ex/Exx series?
 

Offline fenugrec

  • Regular Contributor
  • *
  • Posts: 224
  • Country: ca
Re: Rooting the new FLIRs (E76, etc)
« Reply #29 on: May 14, 2022, 05:33:12 pm »
I have reverse engineered the decryption for .cfc; it has changed to AES256. However, unfortunately, it is signed with an RSA key. Modifying the capabilities will require a binary patch to make it accept any signature.

A decryption script is available at https://0bin.net/paste/9Njm5R8m#AJqvDicIqTd7lbL0J4e7szDB+yQpPXYF99azLSYZrpl -- The code is a touch weird, artifact of transcribing from IDA...

Awesome, thanks for sharing that and other info.
I'm looking at a different (poor man's) device, the C5, and much of what you found is applicable to it. Your decryption script works almost as-is, with minor tweaks:

Code:
* header is 256 bytes from end, not 372

* de-xor applies on range(12,60), with
  newheader[x] ^= header[x+48]

* signature is "FEF1", not CFC2

* suidbytes : 0x614b4e61654e7241


I haven't made it much farther than this, but wanted to share it here before I start a new thread focused on the C5: https://www.eevblog.com/forum/thermal-imaging/flir-c5-reverse-engineering-firmware-hack/
« Last Edit: May 14, 2022, 06:28:00 pm by fenugrec »
 

Offline agiorgitis

  • Regular Contributor
  • *
  • Posts: 61
  • Country: 00
Re: Rooting the new FLIRs (E76, etc)
« Reply #30 on: May 15, 2022, 01:17:06 pm »
So where are we as for the E75?

Is the hack usable for increasing the resolution? I remember last time we spoke we were able to de/encrypt the conf and the dll files via your scripts  :-+
 

Offline Psi

  • Super Contributor
  • ***
  • Posts: 10187
  • Country: nz
Re: Rooting the new FLIRs (E76, etc)
« Reply #31 on: May 15, 2022, 02:01:14 pm »
Meanwhile, at FLIR head office....

 :palm: "Not again..."
« Last Edit: May 15, 2022, 02:02:53 pm by Psi »
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 808
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #32 on: May 17, 2022, 05:18:12 pm »
So where are we as for the E75?

Is the hack usable for increasing the resolution? I remember last time we spoke we were able to de/encrypt the conf and the dll files via your scripts  :-+

To the best of my knowledge, you can increase it to the maximum that the FPGA allows. So 640x480 for E86 and 464x348 for E76. Without reverse engineering the bitstream it's impossible to say what's exactly happening. Could be different sensors, could be a cropped sensor, could be some FPGA-side processing.
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #33 on: December 30, 2022, 10:51:26 pm »
Is there a way to view the file system on Windows or Mac OS? I'm not familiar with Linux. I've connected via the web interface (192.168.0.2) but it's just the standard web interface and not the service menu.
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 808
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #34 on: December 31, 2022, 12:59:20 am »
Some googling shows a tool called ext2read that might work. Otherwise set up a Linux VM and use that.

 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #35 on: December 31, 2022, 10:39:01 pm »
OK, I decided to go the Linux route. How do you connect to the camera initially? Is it via the terminal, and I'm guessing the camera is in RNDIS mode?
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 808
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #36 on: January 01, 2023, 12:04:59 am »
Just SSH into it. 'ssh fliruser@<camera address>'

You can copy the relevant block devices using (off the top of my head) 'ssh fliruser@<camera address> dd if=/dev/... | dd of=dump_file' where '...' is the block device you want to copy. One of them will have the right data.
 
The following users thanked this post: peppy88

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #37 on: January 01, 2023, 02:18:20 am »
OK, I tried to do: ssh fliruser@192.168.0.1

But I get a connection refused:

ssh: connect to host 192.168.0.1 port 22: Connection refused

Edit: OK, never mind, I was able to connect via SSH. I was trying to connect via RNDIS, which doesn't work. The correct way to connect is to first connect the camera to the local WiFi network.
« Last Edit: January 01, 2023, 03:41:51 pm by peppy88 »
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #38 on: January 01, 2023, 02:41:15 am »
OK, I was able to copy one of the files using that command: ssh fliruser@192.168.51.211 dd if=/dev/mmcblk0 | dd of=/home/parallels/Desktop/dev/mmcblk0
(This is taking a long time, 1.7GB and counting. Are these supposed to be this big?)

Do you have to copy all of the mmc and mtd files?
These are the files I see:

mmcblk0
mmcblk0boot0
mmcblk0boot1
mmcblk0p1
mmcblk0p2
mmcblk0p3
mmcblk0p4
mmcblk0p5
mmcblk0p6
mmcblk0p7
mmcblk0prpmb
mmcblk1
mmcblk1p1

mtd0
mtd0ro
mtd1
mtd1ro
mtdblock0
mtdblock1


After I do this how do I search for my custom root hash?

I understand the hash.txt part, but which part of this command includes the input file:

hashcat.exe -m 500 -a 3 -1 ?l?u?d -O ?1?1?1?1?1?1 hash.txt
« Last Edit: January 01, 2023, 02:51:41 am by peppy88 »
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #39 on: January 01, 2023, 03:11:34 am »
OK, I think I got it. After letting the data dump run for a little while I just decided to stop it.

I just opened it up in TextEdit and searched for $1$

I found this: root:$1$ucUReizE$7BNm6Kx48Jes8UPoQKnSj1:17149:0:99999:7:::

I'm guessing this is it, correct?
« Last Edit: January 01, 2023, 03:24:36 am by peppy88 »
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #40 on: January 01, 2023, 05:32:52 am »
When I try to do:

hashcat -m 500 -O -a 3 -1 "?l?d?u" "?1?1?1?1?1?1" /Users/kerbal/Desktop/hash.txt -D 2

Hash '?1?1?1?1?1?1': Separator unmatched
No hashes loaded.

What format should the hash be in the hash.txt file?

Edit:
Never mind, got it to work on Mac: hashcat -m 500 -O -a 3 /Users/kerbal/Desktop/hash.txt -1 "?l?d?u" "?1?1?1?1?1?1" -D 1,2
« Last Edit: January 01, 2023, 08:12:15 am by peppy88 »
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #41 on: January 01, 2023, 03:44:13 pm »
Just SSH into it. 'ssh fliruser@<camera address>'

You can copy the relevant block devices using (off the top of my head) 'ssh fliruser@<camera address> dd if=/dev/... | dd of=dump_file' where '...' is the block device you want to copy. One of them will have the right data.


Hmm, after running hashcat it wasn't able to crack it using -1 "?l?d?u" "?1?1?1?1?1?1"
Is it possible it is more than 6 characters?
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 808
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #42 on: January 02, 2023, 03:23:22 pm »
It should be 6 characters, but I've seen some examples of where it had more. That hash looks correct.

I tossed it on my GPU with a larger keyspace, I'll let you know if it works.
« Last Edit: January 02, 2023, 03:27:11 pm by KaneTW »
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #43 on: January 02, 2023, 05:24:25 pm »
OK, I tried both 6 and 7 characters using hashcat.
Even with 8 GPUs it would take 21 days. Have you seen examples of 8 characters? I don't really want to run this and waste electricity if it's longer.

Code:
Session..........: hashcat
Status...........: Running
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$ucUReizE$7BNm6Kx48Jes8UPoQKnSj1
Time.Started.....: Mon Jan 02 12:28:00 2023 (13 secs)
Time.Estimated...: Tue Jan 24 05:17:33 2023 (21 days, 16 hours)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?l?d?u, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 21192.4 kH/s (14.37ms) @ Accel:64 Loops:62 Thr:1024 Vec:1
Speed.#2.........: 22862.3 kH/s (2.61ms) @ Accel:128 Loops:15 Thr:512 Vec:1
Speed.#3.........: 15961.3 kH/s (10.56ms) @ Accel:64 Loops:62 Thr:1024 Vec:1
Speed.#4.........: 16659.8 kH/s (10.08ms) @ Accel:1024 Loops:62 Thr:64 Vec:1
Speed.#5.........: 14052.0 kH/s (9.89ms) @ Accel:1024 Loops:62 Thr:64 Vec:1
Speed.#6.........: 10304.9 kH/s (4.87ms) @ Accel:512 Loops:62 Thr:64 Vec:1
Speed.#7.........:  7741.6 kH/s (10.23ms) @ Accel:256 Loops:62 Thr:256 Vec:1
Speed.#8.........:  7604.7 kH/s (10.44ms) @ Accel:256 Loops:62 Thr:256 Vec:1
Speed.#9.........:    75000 H/s (7.05ms) @ Accel:128 Loops:62 Thr:8 Vec:4
Speed.#*.........:   116.5 MH/s
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 1518272512/218340105584896 (0.00%)
Rejected.........: 0/1518272512 (0.00%)
Restore.Point....: 0/3521614606208 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:51-52 Iteration:930-992
Restore.Sub.#2...: Salt:0 Amplifier:5-6 Iteration:690-705
Restore.Sub.#3...: Salt:0 Amplifier:7-8 Iteration:930-992
Restore.Sub.#4...: Salt:0 Amplifier:10-11 Iteration:992-1000
Restore.Sub.#5...: Salt:0 Amplifier:12-13 Iteration:744-806
Restore.Sub.#6...: Salt:0 Amplifier:23-24 Iteration:992-1000
Restore.Sub.#7...: Salt:0 Amplifier:8-9 Iteration:992-1000
Restore.Sub.#8...: Salt:0 Amplifier:7-8 Iteration:992-1000
Restore.Sub.#9...: Salt:0 Amplifier:18-19 Iteration:558-620
Candidate.Engine.: Device Generator
Candidates.#1....: F9rC4523 -> FDioMANA
Candidates.#2....: aBQYFONA -> aQawTONA
Candidates.#3....: pz3ILANA -> prLuyane
Candidates.#4....: ddmcYONA -> dKDpQW12
Candidates.#5....: rSQyxy12 -> rZ3dCANA
Candidates.#6....: 9XafTY12 -> 9wtyFESS
Candidates.#7....: lGiFzone -> lUsOVANA
Candidates.#8....: plLuyane -> pCkAUANA
Candidates.#9....: nv4H5434 -> nM5Yorin
Hardware.Mon.#1..: Temp: 47c Fan:100% Util: 99% Core:1305MHz Mem:9501MHz Bus:1
Hardware.Mon.#2..: Temp: 43c Fan: 95% Util: 93% Core:1845MHz Mem:9251MHz Bus:1
Hardware.Mon.#3..: Temp: 43c Fan: 95% Util: 99% Core:1785MHz Mem:6800MHz Bus:1
Hardware.Mon.#4..: Temp: 43c Fan: 90% Util: 96% Core:1935MHz Mem:6800MHz Bus:1
Hardware.Mon.#5..: Temp: 37c Fan: 95% Util: 98% Core:1920MHz Mem:6800MHz Bus:1
Hardware.Mon.#6..: Temp: 37c Fan: 95% Util: 96% Core:1972MHz Mem:7300MHz Bus:1
Hardware.Mon.#7..: Temp: 38c Fan: 95% Util: 98% Core:1950MHz Mem:6801MHz Bus:1
Hardware.Mon.#8..: Temp: 38c Fan: 95% Util: 98% Core:1860MHz Mem:6801MHz Bus:1
Hardware.Mon.#9..: N/A
« Last Edit: January 02, 2023, 05:26:39 pm by peppy88 »
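An added example, not code from anyone in this thread: it does programmatically what reply #39 did by hand (scan a raw block-device dump for shadow-style entries and report which crypt(3) scheme protects them, flagging md5crypt `$1$` as the weak one), and it reproduces the keyspace arithmetic behind the hashcat estimates above (62^8 candidates for `?l?d?u` at length 8, 95^6 for `?a` at length 6). The dump bytes and the hash values in SAMPLE_DUMP are constructed for the example; the hashcat charset sizes are the standard built-in ones.

```python
import re

# Constructed sample: a fragment of a raw block-device dump with two
# /etc/shadow-style lines embedded in binary noise (hash values are made up).
SAMPLE_DUMP = (
    b"\x00\x00garbage\xff\xfe"
    b"root:$1$AbCdEfGh$ZZZZZZZZZZZZZZZZZZZZZZ:17149:0:99999:7:::\n"
    b"fliruser:$6$saltsalt$" + b"Q" * 86 + b":17149:0:99999:7:::\n"
    b"\xde\xad\xbe\xef"
)

# crypt(3) scheme identifiers and how a practitioner would rate them today.
SCHEMES = {
    "1": ("md5crypt", "weak: 1000 MD5 rounds, very fast on GPUs"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "2a": ("bcrypt", "good"), "2b": ("bcrypt", "good"), "2y": ("bcrypt", "good"),
    "y": ("yescrypt", "good"),
}

# user:$id$salt$hash:lastchange:min:max:warn:...  (printable ASCII only)
SHADOW_RE = re.compile(rb"([a-z_][a-z0-9_-]{0,31}):\$([0-9a-z]+)\$([^:\n]+):([0-9:]*)")


def find_shadow_entries(blob: bytes) -> list:
    """Scan a raw dump for shadow-style password lines and classify each scheme."""
    entries = []
    for m in SHADOW_RE.finditer(blob):
        user, ident = m.group(1).decode(), m.group(2).decode()
        name, rating = SCHEMES.get(ident, ("unknown", "unknown"))
        entries.append({"user": user, "id": ident, "scheme": name, "rating": rating,
                        "line": m.group(0).decode(errors="replace")})
    return entries


# Sizes of the hashcat built-in charsets used in this thread.
CHARSETS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def mask_keyspace(custom_charset: str, length: int) -> int:
    """Candidates for a mask of `length` positions drawn from a charset like '?l?d?u'."""
    size = sum(CHARSETS[t] for t in re.findall(r"\?.", custom_charset))
    return size ** length


def estimate_seconds(keyspace: int, rate_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given aggregate hash rate."""
    return keyspace / rate_per_second


if __name__ == "__main__":
    for e in find_shadow_entries(SAMPLE_DUMP):
        print(f"{e['user']:10s} {e['scheme']:12s} {e['rating']}")
    ks = mask_keyspace("?l?d?u", 8)
    print(f"?l?d?u x8: {ks} candidates, {estimate_seconds(ks, 116.5e6) / 86400:.1f} days @ 116.5 MH/s")
```

The 62^8 total and the ~21.7-day figure match the Progress and Time.Estimated lines of the 8-character run above; the defender's takeaway is the scheme column, since md5crypt is what makes six- and seven-character masks feasible on a handful of GPUs.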
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 808
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #44 on: January 02, 2023, 06:09:13 pm »
I've only seen 7. Maybe special characters?
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #45 on: January 02, 2023, 06:10:25 pm »
OK, yeah, good point. Let me try running 6 and 7 again with special chars.

Also I wonder if it is worth trying to figure out the service password. That hash is common across a lot of the models. T5xx and A4xx, A7xx etc.
I know bcrypt is slower to crack, but if we make assumptions that it is only lowercase or something simple it may be possible? After all, admin was admin etc., haha.

P.S. I'm running my hash again with 6 characters in hashcat, but this time with special characters "?a". Hopefully this is it, fingers crossed.
« Last Edit: January 02, 2023, 06:18:16 pm by peppy88 »
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 808
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #46 on: January 02, 2023, 06:22:59 pm »
I thought about cracking the service password but it's much harder. I've done some back of the napkin math and you can probably get decent speeds if you do it on a modern FPGA, but that requires time to code the gateware that I don't have.
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #47 on: January 02, 2023, 08:01:16 pm »
Darn, looks like it's definitely not 6 characters:

Code:
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$ucUReizE$7BNm6Kx48Jes8UPoQKnSj1
Time.Started.....: Mon Jan 02 13:18:45 2023 (1 hour, 43 mins)
Time.Estimated...: Mon Jan 02 15:01:47 2023 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Mask.......: ?1?1?1?1?1?1 [6]
Guess.Charset....: -1 ?a, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 20528.4 kH/s (2.58ms) @ Accel:8 Loops:250 Thr:1024 Vec:1
Speed.#2.........: 24639.7 kH/s (9.96ms) @ Accel:512 Loops:62 Thr:128 Vec:1
Speed.#3.........: 15861.2 kH/s (7.47ms) @ Accel:32 Loops:250 Thr:512 Vec:1
Speed.#4.........: 16485.3 kH/s (0.86ms) @ Accel:256 Loops:62 Thr:256 Vec:1
Speed.#5.........: 14038.4 kH/s (3.54ms) @ Accel:64 Loops:250 Thr:256 Vec:1
Speed.#6.........: 10425.0 kH/s (7.02ms) @ Accel:32 Loops:250 Thr:512 Vec:1
Speed.#7.........:  7515.6 kH/s (1.89ms) @ Accel:128 Loops:125 Thr:256 Vec:1
Speed.#8.........:  7559.4 kH/s (1.91ms) @ Accel:128 Loops:125 Thr:256 Vec:1
Speed.#9.........:    75364 H/s (1.46ms) @ Accel:128 Loops:62 Thr:8 Vec:4
Speed.#*.........:   117.1 MH/s
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 735091890625/735091890625 (100.00%)
Rejected.........: 0/735091890625 (0.00%)
Restore.Point....: 7729905664/7737809375 (99.90%)
Restore.Sub.#1...: Salt:0 Amplifier:94-95 Iteration:750-1000
Restore.Sub.#2...: Salt:0 Amplifier:94-95 Iteration:992-1000
Restore.Sub.#3...: Salt:0 Amplifier:94-95 Iteration:750-1000
Restore.Sub.#4...: Salt:0 Amplifier:94-95 Iteration:992-1000
Restore.Sub.#5...: Salt:0 Amplifier:94-95 Iteration:750-1000
Restore.Sub.#6...: Salt:0 Amplifier:94-95 Iteration:750-1000
Restore.Sub.#7...: Salt:0 Amplifier:94-95 Iteration:875-1000
Restore.Sub.#8...: Salt:0 Amplifier:94-95 Iteration:875-1000
Restore.Sub.#9...: Salt:0 Amplifier:94-95 Iteration:992-1000
Candidate.Engine.: Device Generator
Candidates.#1....:  ^O(}? ->   ~}~}
Candidates.#2....:  lEyZ| ->  iw'<~
Candidates.#3....:  J@=`} ->  BAX}?
Candidates.#4....:  H*Y|~ ->  ~89}?
Candidates.#5....:  .@%~} ->  [S,~}
Candidates.#6....:  DAX}? ->  L;?'~
Candidates.#7....:  AJP?} ->  fRt ~
Candidates.#8....:  U5q~} ->  Sv*|~
Candidates.#9....:  4R(q} ->  W.!{~
Hardware.Mon.#1..: Temp: 47c Fan:100% Util:  0% Core:   0MHz Mem: 405MHz Bus:1
Hardware.Mon.#2..: Temp: 54c Fan: 95% Util: 79% Core:1950MHz Mem:9251MHz Bus:1
Hardware.Mon.#3..: Temp: 49c Fan: 96% Util:  0% Core: 210MHz Mem: 405MHz Bus:1
Hardware.Mon.#4..: Temp: 49c Fan: 90% Util:  0% Core: 210MHz Mem: 405MHz Bus:1
Hardware.Mon.#5..: Temp: 44c Fan: 95% Util:  0% Core: 210MHz Mem: 405MHz Bus:1
Hardware.Mon.#6..: Temp: 49c Fan: 96% Util:  0% Core: 210MHz Mem: 405MHz Bus:1
Hardware.Mon.#7..: Temp: 50c Fan: 95% Util:  0% Core: 300MHz Mem: 405MHz Bus:1
Hardware.Mon.#8..: Temp: 45c Fan: 96% Util:  0% Core: 300MHz Mem: 405MHz Bus:1
Hardware.Mon.#9..: N/A

Started: Mon Jan 02 13:18:30 2023
Stopped: Mon Jan 02 15:01:49 2023

I'm gonna try 7. Are there any special characters I can omit? Seems like the ?a option has a few that won't be used. (Otherwise it will take 7 days using my setup.)
« Last Edit: January 02, 2023, 08:03:07 pm by peppy88 »
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 808
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #48 on: January 02, 2023, 08:10:33 pm »
Yeah, I think stuff like " " can be omitted. I tried to find the generation script but it seems like it's just a file on the EEPROM.

What model do you have?
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 808
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #49 on: January 02, 2023, 08:11:18 pm »
One thing that could be doable is just replacing the hash with a custom one. It'd be an issue if you need to send it in for repair and their root password doesn't work, though.
 

