Author Topic: Flir C5 reverse engineering / firmware hack  (Read 4099 times)


Offline fenugrecTopic starter

  • Regular Contributor
  • *
  • Posts: 223
  • Country: ca
Flir C5 reverse engineering / firmware hack
« on: May 14, 2022, 05:32:40 pm »
Just a short writeup on the FLIR C5. I haven't done anything practical and have no clear objective; I just spent a few hours looking at the firmware.

The firmware update .fuf file appears to be simply a .tar file, although 7z wasn't able to process it. No problem with "tar -xvf" though.

Partial contents:

Code:
$ tar -tvf SHLK_comb_v2.10.30.fuf
....
-rwxr-xr-x uffe/uffe       445 2021-11-30 09:02 .meta/verification.sh
-rwxr-xr-x uffe/uffe  94701985 2021-11-23 08:01 SHLK_rootfs_ec201_v1.46.run
-rwxr-xr-x uffe/uffe  29098080 2021-11-30 08:59 SHLK_appkit-2.0.10-rf92e470.opx
-rwxr-xr-x uffe/uffe   3453376 2021-11-30 09:00 SHLK_prodkit-2.0.10.30-rf92e470.opx

.meta/verification.sh: trivial script; "Check installed swcombination against expected "

SHLK_rootfs_ec201_v1.46.run is a self-extracting Makeself script:

Code:
# This script was generated using Makeself 2.2.0
# FLIR pingu software
# FLIR target nettan:v1


Don't really want to run that script on my host system, in case I mess up args and throw files all over the place. So I need a chroot.
I never do this; it took some fiddling to get it to work. Why is this not automated? I had to copy these inside the chroot:

Code:
- bash
- busybox + create symlinks
- libs for the above
- tr
- mkdir dev ; mount -o bind /dev dev

This time: fakechroot + chroot into it. Better now:

Code:
$ ./SHLK_rootfs_ec201_v1.46.run --list
Target directory: target
drwxr-xr-x root/root         0 2020-09-11 02:22:42 ./
drwxr-xr-x root/root         0 2021-11-23 07:57:42 ./files/
-rwxr-xr-x root/root  95863726 2021-11-23 07:58:19 ./files/ext4image.tar.gz
-rwxr-xr-x root/root        23 2021-11-23 07:19:42 ./files/version
-rwxr-xr-x root/root      2155 2021-04-09 09:41:08 ./setup

Excellent. An image and another script. Extract but don't run:

Code:
$ ./SHLK_rootfs_ec201_v1.46.run --noexec
A few errors, but it did create the expected files. Exploring that ext4 image:

Code:
$ sudo mount -o loop flir-image-ec201.ext4 /mnt/test
$ cd /mnt/test
$ cat etc/os-release
ID=flir
NAME=FlirSystem
VERSION=flir-image-ec201-20211123121739
VERSION_ID=ec201_v1.46-0-g40607a8
PRETTY_NAME=FLIR Systems platform ec201 20210124 Yocto 2.5
CPE_NAME=cpe:/o:flir:flir-image-ec201-20211123121739:ec201_v1.46-0-g40607a8
SDK_VERSION=2.5
BUILD_USER=jenkins
BUILD_ID=ec201_v1.46-0-g40607a8
BUILD_HOST=se-esw-36


Ok. So they have some CI build system to generate this with Yocto. Interesting.

Code:
$ ls boot -l
....
-rwxr-xr-x 1 root root   54048 Nov 15 09:19 imx7ulpm4.bin
-rw-r--r-- 1 root root   25589 Nov 23 07:17 imx7ulp-sherlock-a.dtb
-rw-r--r-- 1 root root   25265 Nov 23 07:17 imx7ulp-sherlock-b.dtb
-rw-r--r-- 1 root root   24578 Nov 23 07:17 imx7ulp-sherlock.dtb
lrwxrwxrwx 1 root root      29 Nov 23 07:17 zImage -> zImage-4.14.98-2.2.0+g5910884
-rw-r--r-- 1 root root 5638824 Nov 23 07:17 zImage-4.14.98-2.2.0+g5910884


Linux 4.14.98; the IMX7ULP is an NXP processor, a dual-core Cortex-A7 + Cortex-M4 with GPU, display and camera interfaces, and other stuff.

It may be possible to request some sources and scripts as per GPL.

Back a few steps: those .opx files are still mysterious. A bit of digging on the rootfs reveals /usr/bin/flir-updater.sh !

Code:
" Script to update system from a .squashfs, .fuf, .opk, .ext4 or a .run file "

Then, it runs "fefunpack" to extract those .opx files.


A quick look at fefunpack with IDA reveals interesting imports:
Code:
Address Ordinal Name Library
00023208 EVP_DecryptInit_ex@@OPENSSL_1.0.2d
00023214 EVP_CIPHER_CTX_new@@OPENSSL_1.0.2d
00023218 EVP_aes_256_cbc@@OPENSSL_1.0.2d
0002322C SHA256_Final@@OPENSSL_1.0.2d
00023234 RSA_verify@@OPENSSL_1.0.2d
00023244 RSA_new@@OPENSSL_1.0.2d
0002326C OPENSSL_config@@OPENSSL_1.0.2d


Actual cryptography! Luckily, no need to go down there for now. I just found out a similar model was recently hacked:
https://www.eevblog.com/forum/thermal-imaging/rooting-the-new-flirs-(e76-etc)/

The cfc_unpack.py script posted there required minor mods:
Code:
* header is 256 bytes from end, not 372
* de-xor applies on range(12,60), with
  newheader[x] ^= header[x+48]
* signature is "FEF1", not CFC2

But then it ran perfectly:
Code:
$ python cfc_unpack.py 0x614b4e61654e7241  SHLK_prodkit-2.0.10.30-rf92e470
(The 0x614b4e61654e7241 is lifted from fefunpack; I found the correct area in the disasm by looking for fseek() calls.)

I believe the output file is an "opkg" package; it can be extracted with ar. Cool:
Code:
Package: appkit
Version: 2.0.10-rf92e470
Description: Base applications and libraries for the Nettan camera
Section: base
Priority: optional
Maintainer: Byggare Bob <thgbuilder@flir.se>
Architecture: ec201
Homepage: http://www.flir.com/
Source:
Depends:



Package: prodkit
Version: 2.0.10.30-rf92e470
Description: Production applications for the Nettan camera
Section: base
Priority: optional
Maintainer: David Sernelius <david.sernelius@flir.se>
Architecture: ec201
Homepage: http://www.flir.com/
Source:
Depends: appkit


I'm not sure if / how to root this yet, but I notice the rootfs has an /etc/shadow that looks similar to the one posted on the E76 thread:
Code:
$ sudo cat etc/shadow
root:qA7LRQDa1amZM:18954:0:99999:7:::
...
fliruser:m1iiKYIJr63u2:18954:0:99999:7:::

The "hashes" are the same - unclear if that means the passwords are the same.
That's all I have for now.
« Last Edit: May 14, 2022, 06:28:29 pm by fenugrec »
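The three header changes listed above (trailer is the last 256 bytes, bytes 12..59 are de-XORed against the byte 48 positions further on, magic is "FEF1"), worked through in Python as an added example; this is not code from the thread or from cfc_unpack.py. The position of the magic (first four bytes of the header) and the sample file it decodes are assumptions I constructed, since the post does not give the full layout.

```python
# Added example (not from the thread or cfc_unpack.py): decode the trailing
# header of a FEF1-style .opx container using the three tweaks the post lists.
# ASSUMPTION: the "FEF1" magic occupies the first 4 bytes of the header; the
# post does not say where it sits.  The sample file below is constructed.
from __future__ import annotations

HEADER_LEN = 256               # header is the last 256 bytes of the file
MAGIC = b"FEF1"                # assumed to be header[0:4]
XOR_RANGE = range(12, 60)      # bytes that are obfuscated
XOR_KEY_OFFSET = 48            # newheader[x] ^= header[x + 48]


def split_header(blob: bytes) -> tuple[bytes, bytes]:
    """Return (body, header), where header is the trailing 256 bytes."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file is shorter than the 256-byte trailer")
    return blob[:-HEADER_LEN], blob[-HEADER_LEN:]


def decode_header(header: bytes) -> bytes:
    """Check the magic, then de-XOR bytes 12..59 with header[x + 48]."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be exactly 256 bytes")
    if header[:4] != MAGIC:
        raise ValueError(f"bad magic {header[:4]!r}, expected {MAGIC!r}")
    out = bytearray(header)
    for x in XOR_RANGE:
        out[x] ^= header[x + XOR_KEY_OFFSET]   # key bytes 60..107 stay untouched
    return bytes(out)


# The key bytes lie outside the XORed range, so decoding is its own inverse;
# the same routine therefore obfuscates a plaintext header for the sample.
encode_header = decode_header

FIELD = b"constructed-field-data-0123456789abcdefghijklmno"   # 48 bytes


def constructed_sample() -> bytes:
    """Constructed fake .opx: 64 bytes of body plus an obfuscated 256-byte trailer."""
    assert len(FIELD) == len(XOR_RANGE)
    plain = bytearray(HEADER_LEN)
    plain[:4] = MAGIC
    plain[XOR_RANGE.start:XOR_RANGE.stop] = FIELD
    plain[60:108] = bytes(range(1, 49))        # non-zero key bytes
    return b"B" * 64 + encode_header(bytes(plain))


if __name__ == "__main__":
    body, hdr = split_header(constructed_sample())
    print(decode_header(hdr)[12:60])
```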
 

Offline KaneTW

  • Frequent Contributor
  • **
  • Posts: 806
  • Country: de
Re: Flir C5 reverse engineering / firmware hack
« Reply #1 on: May 15, 2022, 04:19:50 am »
Good work. The /etc/shadow is a default file that gets overwritten by a boot-script with a custom per-device password. You can grab the hash by rooting the device itself like in my thread.
 
The following users thanked this post: fenugrec

Offline fenugrecTopic starter

  • Regular Contributor
  • *
  • Posts: 223
  • Country: ca
Re: Flir C5 reverse engineering / firmware hack
« Reply #2 on: December 07, 2022, 03:13:50 pm »
It may be possible to request some sources and scripts as per GPL.

If anyone is wondering - no success yet. Teledyne / FLIR is steadfastly refusing to provide any of the GPL source code they use.
 

Offline fenugrecTopic starter

  • Regular Contributor
  • *
  • Posts: 223
  • Country: ca
Re: Flir C5 reverse engineering / firmware hack
« Reply #3 on: January 11, 2023, 01:28:25 pm »
New development:

https://github.com/flir-cx/flir-yocto-documentation/blob/master/unlock_tool.md

Still haven't obtained the GPL source code, but the above (which was available for some time; I never knew about it), in conjunction with a digitally signed file provided on demand via their tech support, should allow rooting the device.

 

Offline ixfd64

  • Frequent Contributor
  • **
  • Posts: 345
  • Country: us
Re: Flir C5 reverse engineering / firmware hack
« Reply #4 on: January 19, 2023, 07:31:04 pm »
As a note, some authors of GPL software do dual-license their code. For example, they may offer an alternative license that requires a fee but does not require the source code to be disclosed.

Offline pozderf

  • Newbie
  • Posts: 1
  • Country: ee
Re: Flir C5 reverse engineering / firmware hack
« Reply #5 on: March 08, 2023, 11:55:20 am »
Thank you for sharing the information. I was able to successfully unbrick my device now.

Here's the background: my device stopped booting normally, so I decided to open it up and found a button on the mainboard. By combining this button with the power button, I was able to trigger the SystemOnChip recovery mode and load the bootloader over the USB recovery (SDP) protocol. However, at the time, I didn't have any bootloader information, so I used a random i.MX 7ULP proto board bootloader for U-boot and fastboot commands. This allowed me to access the eMMC, but I accidentally killed the partition table during the recovery process. I was only able to manually rebuild the partition table and some parts of the filesystem based on the information in the FW, but I couldn't get it to boot.

Fortunately, flir-yocto-documentation appeared, which enabled me to compile the missing parts to get the device booting into full recovery mode. From there, I was able to use RNDIS to SSH into the device, load the rootfs, modify the shadow origins to enable passwordless SSH access, and boot it up normally. Now, I have a live running system with root access and can easily unpack FW parts and mess around.

However, I am still in need of the calibration files. Perhaps someone could share the CameraFiles.zip or the following files:

Code:
/FLIR/system/calib.rsc                          CameraFiles/system/calib.rsc
/FLIR/system/maps/ds_we_ap_fi_leFOL2_LCFMap.fff CameraFiles/system/maps/ds_we_ap_fi_leFOL2_LCFMap.fff
/FLIR/system/maps/ds_we_ap_fi_le_LCFMap.fff     CameraFiles/system/maps/ds_we_ap_fi_le_LCFMap.fff
/FLIR/system/DistMap_Lepton160.fff              CameraFiles/system/DistMap_Lepton160.fff
/FLIR/system/RotationMapCCW_Lepton160.fff       CameraFiles/system/RotationMapCCW_Lepton160.fff
/FLIR/system/RotationMapCW_Lepton160.fff        CameraFiles/system/RotationMapCW_Lepton160.fff
/FLIR/system/ZoomMap_Lepton160.fff              CameraFiles/system/ZoomMap_Lepton160.fff

By the way, in case someone needs the recovery sequence:

Code:
+/*
+ * Recovery sequence
+ *
+ *  1. Hold trigger and power button while booting, release when screen lights up.
+ *  2. Press trigger button 5 times
+ *  3. Wait until 2 stars appears on screen
+ *  4. Press trigger button 6 times
+ *  5. Camera goes to recovery.
+ *
+ */
« Last Edit: March 08, 2023, 12:37:10 pm by pozderf »
 

Offline fenugrecTopic starter

  • Regular Contributor
  • *
  • Posts: 223
  • Country: ca
Re: Flir C5 reverse engineering / firmware hack
« Reply #6 on: April 02, 2023, 11:19:50 pm »
However, I am still in need of the calibration files. Perhaps someone could share the CameraFiles.zip or following files:

I can check, but if those are per-device calibrations, it may not help you ?
 

