Author Topic: Rooting the new FLIRs (E76, etc)  (Read 19659 times)


Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #50 on: January 02, 2023, 08:20:20 pm »
Oh interesting. Didn't know you could just use a custom hash. How does that work? If the hash can be modified, could you just put back the original hash when done?

Also I have a T530
« Last Edit: January 02, 2023, 08:30:41 pm by peppy88 »
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 810
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #51 on: January 02, 2023, 08:35:11 pm »
I'm not sure how to do it safely, actually. Would have to dig into it. The naive way would be to just directly replace the string with an equal length one, but I'm not sure if the filesystem would like that.

T530 was the camera that someone reported a 7 character password on, but it was alphanumeric.
 
The following users thanked this post: peppy88

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #52 on: January 02, 2023, 08:40:32 pm »
I'm not sure how to do it safely, actually. Would have to dig into it. The naive way would be to just directly replace the string with an equal length one, but I'm not sure if the filesystem would like that.

T530 was the camera that someone reported a 7 character password on, but it was alphanumeric.

Oh interesting. If the password is alphanumeric, wouldn't my hashcat run with 7 chars using ?l?d?u have worked?

If it is indeed 7 characters I might just do the 7 days of hashing on ?a. Gotta calculate how much electricity I will burn though, haha.
(Command I will use: hashcat.exe -m 500 -a 3 hashMD5.txt -O -1 ?a ?1?1?1?1?1?1?1)
« Last Edit: January 02, 2023, 08:47:54 pm by peppy88 »
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 810
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #53 on: January 02, 2023, 09:57:32 pm »
Yeah, the ?l?d?u 7-character should've worked. Weird that it didn't.
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #54 on: January 02, 2023, 10:02:56 pm »
Yeah, it was a bummer. My hope is that this next run with hashcat will work, since I'm doing 7 char ?a. If that doesn't work then I might just call it quits haha. I don't even want to know how long an 8-character one would take with special characters.
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 810
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #55 on: January 02, 2023, 10:08:49 pm »
Yeah, it was a bummer. My hope is that this next run with hashcat will work, since I'm doing 7 char ?a. If that doesn't work then I might just call it quits haha. I don't even want to know how long an 8-character one would take with special characters.

I'd just do 8 character alphanumeric if special doesn't work.
 
The following users thanked this post: peppy88
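To put the mask runs discussed in the last few posts on a common footing, here is an added example (not code from the thread or from any of its posters) that computes the keyspace of a hashcat brute-force mask, including the `-1`..`-4` custom charsets, and turns it into a worst-case runtime at a given hash rate. The command line it parses is the one peppy88 posted above; the 10 MH/s rate is an assumed placeholder, not a measured figure for any hardware. From the defender's side this is the arithmetic for deciding how long a factory service password has to be before a mask run against a leaked md5crypt hash stops being practical.

```python
import string
from typing import Dict, Iterator, List, Optional

# hashcat's built-in charsets, held as sets of byte values so unions deduplicate.
BUILTIN = {
    "l": set(string.ascii_lowercase.encode()),
    "u": set(string.ascii_uppercase.encode()),
    "d": set(string.digits.encode()),
    "s": set(string.punctuation.encode()) | {0x20},  # 33 specials incl. space
    "a": set(range(0x20, 0x7F)),                       # 95 printable ASCII
    "b": set(range(256)),                              # every byte value
    "h": set((string.digits + "abcdef").encode()),
    "H": set((string.digits + "ABCDEF").encode()),
}


def _tokens(text: str) -> Iterator[str]:
    """Split a mask or charset spec into '?x' tokens and literal characters."""
    i = 0
    while i < len(text):
        if text[i] == "?" and i + 1 < len(text):
            yield text[i:i + 2]
            i += 2
        else:
            yield text[i]
            i += 1


def parse_charset(spec: str, custom: Dict[str, set]) -> set:
    """Resolve a spec such as '?l?d' or 'abc?d' to the set of byte values it covers."""
    chars: set = set()
    for tok in _tokens(spec):
        if len(tok) == 1:
            chars.add(ord(tok))          # literal character
        elif tok == "??":
            chars.add(ord("?"))          # escaped question mark
        elif tok[1] in BUILTIN:
            chars |= BUILTIN[tok[1]]
        elif tok[1] in custom:
            chars |= custom[tok[1]]
        else:
            raise ValueError(f"unknown charset {tok}")
    return chars


def mask_keyspace(mask: str, custom_specs: Optional[Dict[str, str]] = None) -> int:
    """Number of candidates a mask attack (-a 3) tries for this mask."""
    custom: Dict[str, set] = {}
    for name, spec in (custom_specs or {}).items():  # name is '1'..'4'
        custom[name] = parse_charset(spec, custom)   # may reference earlier ones
    total = 1
    for tok in _tokens(mask):
        total *= len(parse_charset(tok, custom))
    return total


# Options that consume a following value; any other '-x' is treated as a bare flag.
_VALUE_OPTS = {"-m", "-a", "-o", "-r", "-w", "-j", "-k"}


def keyspace_from_hashcat_args(args: List[str]) -> int:
    """Pull -1..-4 and the mask (last positional) out of a hashcat argument list."""
    custom: Dict[str, str] = {}
    positional: List[str] = []
    it = iter(args)
    for arg in it:
        if arg in ("-1", "-2", "-3", "-4"):
            custom[arg[1]] = next(it)
        elif arg in _VALUE_OPTS:
            next(it)
        elif arg.startswith("-"):
            continue                     # bare flag such as -O
        else:
            positional.append(arg)
    return mask_keyspace(positional[-1], custom)


def estimate_days(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case wall time in days to exhaust the keyspace at a given rate."""
    return keyspace / hashes_per_second / 86400.0


if __name__ == "__main__":
    cmd = "hashcat.exe -m 500 -a 3 hashMD5.txt -O -1 ?a ?1?1?1?1?1?1?1".split()
    rate = 10e6  # assumed placeholder rate for md5crypt, not a measurement
    for label, ks in (
        ("?a x7 (posted command)", keyspace_from_hashcat_args(cmd[1:])),
        ("alnum x6", mask_keyspace("?1" * 6, {"1": "?l?d?u"})),
        ("alnum x7", mask_keyspace("?1" * 7, {"1": "?l?d?u"})),
        ("alnum x8", mask_keyspace("?1" * 8, {"1": "?l?d?u"})),
    ):
        print(f"{label:25s} {ks:>20,d} candidates  ~{estimate_days(ks, rate):.1f} days")
```

The ratios are what matter more than the absolute days: each extra alphanumeric position multiplies the work by 62, and going from ?l?d?u to ?a at the same length multiplies it by about 4.7 per position, which is why the thread keeps weighing "7 with specials" against "8 alphanumeric".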

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #56 on: January 02, 2023, 10:50:25 pm »
Yeah, it was a bummer. My hope is that this next run with hashcat will work, since I'm doing 7 char ?a. If that doesn't work then I might just call it quits haha. I don't even want to know how long an 8-character one would take with special characters.

I'd just do 8 character alphanumeric if special doesn't work.

K sounds good. Do we know what type of system this is? According to this: https://serverfault.com/questions/129137/what-is-the-longest-password-for-ssh
some systems only look at the first 8 characters of the password.
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 810
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #57 on: January 03, 2023, 12:16:19 am »
The MD5 hash can theoretically be any length, it isn't truncated. It's just not super likely that a password required for service access is long.
 
The following users thanked this post: peppy88

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #58 on: January 11, 2023, 08:57:28 pm »
OK, I got an E75 on my hands and was able to crack the hash. It was 6 char ?l?d?u. So it is looking more and more likely that the EXX series is for sure a 6 character password for root.

Also, can you just ssh into it to download and change the users.db file, or do you have to use the web socket way? I am not sure how to do that,

specifically this part:
Code:
LD_LIBRARY_PATH=/FLIR/usr/lib PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/root/bin:/FLIR/usr/bin sh /FLIR/usr/Service/scripts/start_service_socket.sh

I was able to download the conf.cfc from /FLIR/system/appcore.d/config.d/conf.cfc using scp.
I used the two decrypt and re-encrypt scripts to create a new conf.cfc.

Is this the only file I need to update in order to change the resolution?
Will I be able to ssh back into here if things don't go right and need to replace it with the original conf.cfc?
« Last Edit: January 11, 2023, 09:58:30 pm by peppy88 »
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #59 on: January 12, 2023, 04:00:02 pm »
The Flir 24 degree lens has a macro mode. It's a paid option only available on the T5xx series, but you can enable it via

Code:
.caps.config.system.focus.mode entry
.caps.config.system.focus.mode.macro entry
.caps.config.system.focus.mode.macro.enabled bool true

in the conf.cfg


Can these entries just be added to the config and work? Are there no additional files needed from a T-series camera?

P.S. I tried hashcat on a T1020's root hash and got the same results as the T530. They both do not use a 6 or a 7 char alphanumeric pass. Looking more and more likely it is 8 characters or even possibly something else.


It looks like unlocker tools exist for at least the C5. I wonder what is in this tool that allows it to set the root to "Opened": https://github.com/flir-cx/flir-yocto-documentation/blob/master/unlock_tool.md
« Last Edit: January 12, 2023, 04:08:09 pm by peppy88 »
 
The following users thanked this post: agiorgitis

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #60 on: January 12, 2023, 06:34:48 pm »
@KaneTW Also, is there a way to check if the patch was successful for the libcommon.so file? It ran and outputted the file.

In case I need to revert, will I still be able to connect to the camera via ssh?
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7108
  • Country: ca
Re: Rooting the new FLIRs (E76, etc)
« Reply #61 on: January 12, 2023, 09:15:32 pm »
The MD5 hash can theoretically be any length, it isn't truncated. It's just not super likely that a password required for service access is long.

No password in service mode may be required at all, if there is a service connector on a camera, access to which may be somewhere under the cover. I recall this was my conclusion after analysis of E4. Password is bypassed by pulling one of the pins on the connector to ground or Vcc (can't remember the level).
Facebook-free life and Rigol-free shack.
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #62 on: January 12, 2023, 09:28:57 pm »
The MD5 hash can theoretically be any length, it isn't truncated. It's just not super likely that a password required for service access is long.

No password in service mode may be required at all, if there is a service connector on a camera, access to which may be somewhere under the cover. I recall this was my conclusion after analysis of E4. Password is bypassed by pulling one of the pins on the connector to ground or Vcc (can't remember the level).

What does the service connector look like?

And that is very interesting. After pulling the connector to ground/vcc, how does that bypass the password? Also would you just login to the same service portal via ip?
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7108
  • Country: ca
Re: Rooting the new FLIRs (E76, etc)
« Reply #63 on: January 12, 2023, 11:17:53 pm »
There was a check in the firmware. It made a call to an I/O routine which returned a value, and the firmware examined one of the bits. If it was set, the firmware made a jump bypassing the password check. The connector I believe was a Molex type; the early E4 thread may have had a photo of it. But that was before WiFi models appeared. Maybe the purpose of the connector was initial programming or factory calibration, no one knows.
Facebook-free life and Rigol-free shack.
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #64 on: January 13, 2023, 12:44:33 am »
There was a check in the firmware. It made a call to an I/O routine which returned a value, and the firmware examined one of the bits. If it was set, the firmware made a jump bypassing the password check. The connector I believe was a Molex type; the early E4 thread may have had a photo of it. But that was before WiFi models appeared. Maybe the purpose of the connector was initial programming or factory calibration, no one knows.

I wonder if the connector on the right is it. I've seen it on other models too. The bottom middle connector is just for the keypad and the top one is for the screen. Left JST connector is for microphone and right JST is for speaker.

« Last Edit: January 13, 2023, 03:13:14 am by peppy88 »
 
The following users thanked this post: agiorgitis

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #65 on: January 20, 2023, 05:18:16 pm »
The MD5 hash can theoretically be any length, it isn't truncated. It's just not super likely that a password required for service access is long.

Hey just following up on this. Is the libcommon.so and conf.cfc the only two files you need to upgrade it? If so can you still access the camera via ssh if it doesn't boot properly. Wanted to figure that out before I tried uploading the files.
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 810
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #66 on: January 20, 2023, 06:03:36 pm »
Sorry, missed the earlier post.

libcommon.so and conf.cfc are the only two files, and it shouldn't affect SSH access if it's broken. I've had a broken conf.cfc before and it just loaded a default setting. Not sure about libcommon.so, but it should still start SSH.
 
The following users thanked this post: peppy88

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: Rooting the new FLIRs (E76, etc)
« Reply #67 on: January 20, 2023, 06:05:26 pm »
Alright, thanks, I'll test it out later.
 

Offline agiorgitis

  • Regular Contributor
  • *
  • Posts: 61
  • Country: 00
Re: Rooting the new FLIRs (E76, etc)
« Reply #68 on: January 21, 2023, 11:46:07 am »
Watching carefully for the outcome peppy88, I have E75, let's see if it works for resolution upgrade...
 

Offline agiorgitis

  • Regular Contributor
  • *
  • Posts: 61
  • Country: 00
Re: Rooting the new FLIRs (E76, etc)
« Reply #69 on: January 21, 2023, 10:57:43 pm »
Hey Kane, I tried doing some testing with the conf.cfc file, but although it decrypts fine (I had tried that in the past), it doesn't seem to encrypt it back properly. The camera does not recognize it and reverts to a default one (it has only some palettes and no MSX, etc.).
Strange thing is that when I decrypt it to a txt file, on the bottom I see this:


Are those boxes supposed to be CRs? In your comment for the decrypt script you mention CRC32, but here it says CRC05. Does it have anything to do with this?  :-//

I even tried conf.cfc > decrypt to conf.txt > don't even touch the txt file > encrypt conf.txt to conf.cfc > replace file in camera. Not recognized by camera (E75).  :(
 

Offline agiorgitis

  • Regular Contributor
  • *
  • Posts: 61
  • Country: 00
Re: Rooting the new FLIRs (E76, etc)
« Reply #70 on: January 22, 2023, 10:01:02 am »
Also while running the libcommon py script, it comes back with an error:

line 35, in <module>
    func[match.end() - 8 : match.end() - 4] = b'\x01\x00\xa0\xe3'
AttributeError: 'NoneType' object has no attribute 'end'
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7108
  • Country: ca
Re: Rooting the new FLIRs (E76, etc)
« Reply #71 on: January 22, 2023, 03:44:47 pm »
Make sure you use the same version of Python which was used to make the script.
Facebook-free life and Rigol-free shack.
 

Offline agiorgitis

  • Regular Contributor
  • *
  • Posts: 61
  • Country: 00
Re: Rooting the new FLIRs (E76, etc)
« Reply #72 on: January 22, 2023, 06:25:14 pm »
Make sure you use the same version of Python which was used to make the script.
Thanks Bud, I'm using the same version as Kane but no luck, still the same message.
Installed version 3.8 (3.8.10 to be exact).
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7108
  • Country: ca
Re: Rooting the new FLIRs (E76, etc)
« Reply #73 on: January 22, 2023, 07:05:06 pm »
Then it could be your version of the libcommon is different and the script is not finding a match (line 33).
You can load the file into a Hex editor and search for a match yourself, then update it manually.
Facebook-free life and Rigol-free shack.
 

Offline KaneTWTopic starter

  • Frequent Contributor
  • **
  • Posts: 810
  • Country: de
Re: Rooting the new FLIRs (E76, etc)
« Reply #74 on: January 22, 2023, 08:41:24 pm »
Also while running the libcommon py script, it comes back with an error:

line 35, in <module>
    func[match.end() - 8 : match.end() - 4] = b'\x01\x00\xa0\xe3'
AttributeError: 'NoneType' object has no attribute 'end'

This sounds like it failed to find a match. You'll have to find the relevant spot manually.
 

