Author Topic: FLIR password list  (Read 10994 times)

0 Members and 1 Guest are viewing this topic.

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
FLIR password list
« on: September 14, 2020, 09:55:12 pm »

I thought it might be a good idea to collect together the passwords that are used in connection with FLIR Cameras.

The best known login and password combination on the forum is likely that used to gain access to the FLIR E4 for upgrading it via an IP link and FTP transfer.

If we could please create a new post for each Login - Password combination to avoid confusion. Please detail which camera it is applicable to, and for what purpose. I will kick it off with the ones I know.

Thank you

Fraser

If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 
The following users thanked this post: firehopper, KD0CAC John, Zucca, SilverSolder

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #1 on: September 14, 2020, 09:56:50 pm »
Camera : Ex series, Exx series ... many others !

Purpose : Accessing camera files via FTP over IP

Login : flir

Password : 3vlig

Additional Notes: None
« Last Edit: September 14, 2020, 10:34:18 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #2 on: September 14, 2020, 10:02:22 pm »
Camera: FLIR One Gen 2 and Gen 3

Purpose : Accessing camera via the serial port

Login : root

Password : indigo

Additional Notes :

Serial Port pinout is : GND TX RX (see attached image)
Serial Port Configuration : 115200 Baud

Attribution: Information provided by forum member : tmbinc
« Last Edit: September 15, 2020, 11:14:17 am by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 
The following users thanked this post: firehopper, agilato

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #3 on: September 14, 2020, 10:19:09 pm »
Camera : Not defined but includes early Exx series

Purpose : Unlocking the EEPROM from the service menu

Login : flir

Password : 1235

Additional Notes : Tread carefully if modifying the eeprom contents !
« Last Edit: September 14, 2020, 10:25:36 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #4 on: September 14, 2020, 10:20:52 pm »
Camera : Not defined but several camera models are known to use this

Purpose : Accessing Camera files via FTP over IP

Login : flir

Password : IRCAM

Additional Notes : None
« Last Edit: September 14, 2020, 10:54:43 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #5 on: September 14, 2020, 10:29:12 pm »
Camera : SC6000 & SC4000 Science cameras

Purpose : Unlocking the hidden Manufacturing mode of the “Big GUI”

Login : None - Password challenge.

Password : indigo

Additional Notes :

Run SC6000 GUI and press Ctrl-Shift-M to activate Password Challenge free text box.
« Last Edit: September 14, 2020, 10:58:06 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #6 on: September 14, 2020, 10:33:51 pm »
Camera : TAU CNV Low light camera (not thermal)

Purpose : Unlocking the hidden Manufacturing mode of the TAU CNV GUI

Login : None - Password challenge

Password : www.flir.com

Additional Notes :

Run TAU CNV GUI and press Ctrl-Shift-M to activate Password Challenge free text box

The FLIR TAU CNV low light camera uses a different GUI to the TAU thermal camera.
« Last Edit: September 14, 2020, 10:57:53 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #7 on: September 15, 2020, 12:08:42 am »
Camera : Ex series and likely many others

Purpose : Camera Recovery - Accessing Camera files via FTP over IP without booting the camera. Limited privileges.

Login : anonymous

Password : NcFTP@

Additional Notes :

This is used to access a FLIR camera without booting it. Detail from “Bud” reproduced here.....

“ Ex cameras can be switched to RNDIS after connecting to USB and without booting the camera by using FLIRInstallNet.exe from Flir Tools software. You launch the exe, select the camera which is in MSC mode and run the attached .fif file, which will switch the camera temporarily to RNDIS until you boot it.
So after you upload the .fif , do ping 192.168.0.2 to make sure it worked, then connect using ftp with the following credentials:

user: anonymous
pass: NcFTP@

this gives access to the filesystem without booting the camera.”

I have attached the RNDIS file in case it is needed.


Attribution: This information was harvested from posts by forum member : Bud


« Last Edit: September 15, 2020, 10:57:47 am by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #8 on: September 15, 2020, 01:34:00 am »
Camera : TAU plus others that use the same GUI

Purpose : Unlocking the hidden Manufacturing mode of the TAU GUI

Login : None - Password challenge

Password : www.flir.com

Additional Notes :

Run TAU GUI and press Ctrl-Shift-M to activate Password Challenge free text box

My thanks to a fellow forum member "VGN" who investigated the password string in the TAU GUI  :-+

UPDATE:

I have been advised that the Manufacturing mode in the TAU GUI has been edited by FLIR to remove the useful functionality :( Maybe a very old version of the GUI retains that functionality. Since the E4 upgrade discovery, FLIR have been removing service modes from cameras and this policy appears to extend to hidden engineering modes in public release utilities.

I have some older GUI’s for the TAU, Photon and OMEGA (FLIR M10) cores and will have to check them for manufacturing mode content.
« Last Edit: September 15, 2020, 10:19:18 am by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline tmbinc

  • Regular Contributor
  • *
  • Posts: 249
Re: FLIR password list
« Reply #9 on: September 15, 2020, 10:26:34 am »
Flir One: "indigo" works on both Gen2 and Gen 3. I have not observed differences between various models. Baudrate is 115200.
 
The following users thanked this post: firehopper, Fraser

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #10 on: September 15, 2020, 10:54:10 am »
Thank you. I have added the additional information  :-+
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #11 on: September 15, 2020, 11:45:27 am »
At this point it may be worth me explaining some of the passwords used in FLIR equipment.

Some are intended to reduce the chances of users accidentally damaging the cameras performance by ‘fiddling’ with settings, whilst others are intended to prevent access for corporate reasons.

“3vlig”

This is a Swedish password that comes from the Ex AGEMA (Sweden) staff of FLIR. The Swedish word is actually Trevlig which means “Nice” in English  :) FLIR bought AGEMA and the rights to its designs. The AGEMA passwords remained in software and products. Later cameras developed by the Ex AGEMA team continued to use The Swedish passwords. It was almost a protest to say AGEMA may have been “Borged” by the American FLIR company, but the Swedish heart still beats within its products ! A sort of in-house joke maybe ? It is no secret that AGEMA, Inframetrics and Indigo staff were less than thrilled at being absorbed into FLIR !

“indigo”

This is a password from the days when Indigo were the manufacturer of very capable and compact thermal imaging cameras. FLIR bought Indigo and absorbed the very knowledgeable staff into FLIR. It is no surprise that “Indigo” is found in software that FLIR now uses. The TAU series of cores are direct descendants of the Indigo Omega and Photon cores.

“www.flir.com”

This password brings me nicely to trying obvious passwords if one is not known. Many manufacturers used to use the company name, or a variant of it, as engineering passwords. It is not uncommon to find that an engineering password is the company name in reverse ! In the case of the Faxitron X-Ray machine I owned, the password fir advanced menu access was NORTIXAF (all upper case) Guessing such a password is not trivial however as a mixture of upper and lower case can be used, plus variations on the company name As FLIR have done in the case of “www.flir.com” ! If you go hunting for plain text entries in software using a Hex editor, you may strike lucky if you see a possible password candidate though  ;)


There is another Swedish password used in a FLIR camera but sadly I have forgotten it  :palm:

FLIR is an amalgamation of several very capable companies so it is no surprise that remnants of those individual companies creep into password usage. AGEMA were a very reputable and capable thermal camera manufacturer. They were based in Sweden so it is no surprise that the engineering team used Swedish words, or variants of such, as engineering passwords. That does make life harder to spot the password in a text search of software though. Inframetrics were a USA based company that FLIR bought. I have not seen any Inframetrics passwords however so no clues as to what format they are or if in some way connected with Inframetrics history. Indigo, as has already been stated, were a very important acquisition fir FLIR. They had a great design team and many still work fir FLIR. Some left to form Seek Thermal. Many of the Indigo camera designs and techniques gave birth to FLIR’s current camera offerings. The roots of the Ex and Exx series are in Indigo technology and knowledge.

It is well worth reading any, and all technical documentation for a manufacturers cameras, especially documents like the ICD or firmware update processes. You sometimes find login and password information ‘hidden’ in such documents as some users need such to configure a camera for their needs. This applies mainly to Industrial cameras however. In the case of FLIR I have found login and password information within Technical Installation guides and amongst Technical Support answers in camera FAQ’s and firmware patching instructions.

Sadly Passwords are never easy to guess without at least some hint as to the format and likely options. There are very clever members of this forum who know far more than me about finding passwords in software or circumventing such protection. This thread is really just a collection of passwords that are already in the public domain.

Fraser
« Last Edit: December 14, 2020, 12:30:07 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 
The following users thanked this post: firehopper

Offline tmbinc

  • Regular Contributor
  • *
  • Posts: 249
Re: FLIR password list
« Reply #12 on: September 15, 2020, 01:31:54 pm »
I guess now is the time to add 'JohanL & LennieA' to the list.
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #13 on: September 15, 2020, 06:19:18 pm »
Tmbinc,

“JohanL & LennieA”

Can you add some context to those entries please ?

Fraser
« Last Edit: September 15, 2020, 07:20:11 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline oPossum

  • Super Contributor
  • ***
  • Posts: 1413
  • Country: us
  • Very dangerous - may attack at any time
Re: FLIR password list
« Reply #14 on: September 15, 2020, 06:20:26 pm »
That is the key for the Autoliv NV2
 
The following users thanked this post: Fraser

Offline calel

  • Regular Contributor
  • *
  • Posts: 97
  • Country: ch
Re: FLIR password list
« Reply #15 on: September 15, 2020, 07:59:23 pm »
ok so can someone explain the reason why Flir engineers would put a password on the customer's own camera? (other than being complete aholes)

2nd question: how were those passwords found out: were they public (as in, disclosed by FLIR) in the first place (in which case I take back what I said) or did some hacker figure them out?

last question: if it's meant to be a true password to prevent customer from accessing their own cam, how come it's the same password for all cameras of same model? ie. why do all E4's have same password, instead of a different password for each serial number?  ???
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #16 on: September 15, 2020, 08:58:10 pm »
Calel,

Please will you start another thread for such a discussion. This one needs to be kept to just Passwords please, rather than debating why manufacturers use them.

Thank you

Fraser
« Last Edit: September 15, 2020, 09:00:56 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline calel

  • Regular Contributor
  • *
  • Posts: 97
  • Country: ch
Re: FLIR password list
« Reply #17 on: September 15, 2020, 09:50:30 pm »
well my question was about flir passwords so it is still rather ontopic but I'll make a new topic '_'
 

Offline FraserTopic starter

  • Super Contributor
  • ***
  • Posts: 13140
  • Country: gb
Re: FLIR password list
« Reply #18 on: September 15, 2020, 10:39:53 pm »
Nope, this is the “FLIR Password LIST” and not a FLIR password discussion thread  ;)

Thank you for starting a new thread and I have answered your questions there.

Fraser
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline agiorgitis

  • Regular Contributor
  • *
  • Posts: 61
  • Country: 00
Re: FLIR password list
« Reply #19 on: September 16, 2020, 02:18:41 pm »
Flir E75

username: root
password: Z2jciR

I don't know whether this password is specific to my camera (per camera password) or is common on all Ex5 series.

Maybe someone else can try...
 
The following users thanked this post: Fraser

Offline stereoti

  • Newbie
  • Posts: 2
  • Country: fi
Re: FLIR password list
« Reply #20 on: December 14, 2020, 09:56:50 am »
root:Z2jciR does not appear to work on E75 (FW 6.22.68) or at least not on SSH and Web login. I did however manage to login as fliruser with the good old 3vlig and was able to find some bcrypt hashes from users.db inside /home/root

developer$2y$10$LBNcMBC/Bn3VVnhlI1j7huOZ.UOykGaq3VZ.YAgu0mAZXAQ8q36uG
service$2y$10$syAL0yMLBfN/8.sciVnCE.kBto6mtVvjrmyhPQAo7oV3rq8X8pBke
viewer$2y$10$lxA0o325EuUtVAaTItBt.OSpZSfxIrT56ntm7326FQ/fTBc0ODWqq
user$2y$10$O5Ybml6qN9caTjezQR0f8.z230PavQYUwmZCzMVxL6BMeNvLWEr9q
admin$2y$10$/J/KDhh0.UDg5pbwtPG9B.W2gEWrS36qHji1scgxO7uiTk1GuAa.K

UPDATE: The root password hash was world-readable and is $1$T5f7njVX$itbwBbH5SnomehGVWTQ5y/ and according to hashcat the matching password is AjKXT7. I will try this on an actual device before christmas.
« Last Edit: December 21, 2020, 05:26:22 pm by stereoti »
 
The following users thanked this post: nikitasius

Offline Logan

  • Frequent Contributor
  • **
  • Posts: 345
  • Country: us
Re: FLIR password list
« Reply #21 on: December 14, 2020, 02:38:39 pm »
Sorry if it’s a bit off topic here.
But while I’m excited waiting for Ex5 hacking to progress, I just checked Flir’s website for their price. To my surprise, Flir “refreshed” their product name again. All Ex5 pages shows “The product has been discontinued. Recommended replacement: XXX”. Which are E54, E76, E86, E96. Even the E95 they just released less than a month, which enable the full VGA resolution, has been discontinued (or just changed a name?)
Just for reference: https://flir.netx.net/file/asset/32481/original/attachment
 

Offline stereoti

  • Newbie
  • Posts: 2
  • Country: fi
Re: FLIR password list
« Reply #22 on: December 22, 2020, 04:21:40 pm »
Some new findings: It appears that Exx series from model year 2017 onwards do not have the same root passwords for all models. It could be either model related or in the most inconvenient way, serial number dependent. I will continue my research.

Here is the hash for E54: $1$.s9Ja..s$gM4OdlyS9ky05TfsA3qeL0

UPDATE: It is now confirmed that the root passwords for the FLIR Linux models are camera specific. No longer able to hack'em without brute force. The password seems to be however quite short so if you've got some GPU force you could gain root in a matter of hours. At the moment of writing this, it seems to be a six character long uppercase-lowercase-number combination. Now trying to figure out what to do with root in this very limited BusyBox driven command line...
« Last Edit: January 08, 2021, 09:31:17 am by stereoti »
 

Offline agiorgitis

  • Regular Contributor
  • *
  • Posts: 61
  • Country: 00
Re: FLIR password list
« Reply #23 on: May 16, 2021, 12:14:27 pm »
root:Z2jciR does not appear to work on E75 (FW 6.22.68) or at least not on SSH and Web login. I did however manage to login as fliruser with the good old 3vlig and was able to find some bcrypt hashes from users.db inside /home/root

developer$2y$10$LBNcMBC/Bn3VVnhlI1j7huOZ.UOykGaq3VZ.YAgu0mAZXAQ8q36uG
service$2y$10$syAL0yMLBfN/8.sciVnCE.kBto6mtVvjrmyhPQAo7oV3rq8X8pBke
viewer$2y$10$lxA0o325EuUtVAaTItBt.OSpZSfxIrT56ntm7326FQ/fTBc0ODWqq
user$2y$10$O5Ybml6qN9caTjezQR0f8.z230PavQYUwmZCzMVxL6BMeNvLWEr9q
admin$2y$10$/J/KDhh0.UDg5pbwtPG9B.W2gEWrS36qHji1scgxO7uiTk1GuAa.K

UPDATE: The root password hash was world-readable and is $1$T5f7njVX$itbwBbH5SnomehGVWTQ5y/ and according to hashcat the matching password is AjKXT7. I will try this on an actual device before christmas.
The above hashes are the same for all.
viewer:viewer, user:user, admin:admin.

Question is what's the passwords for developer and service, unfortunately bcrypt takes years to be calculated, at least on my pc (6 chars, lower, upper, numbers = 12 years  :-DD )
 

Offline KaneTW

  • Frequent Contributor
  • **
  • Posts: 805
  • Country: de
Re: FLIR password list
« Reply #24 on: February 21, 2022, 06:41:05 pm »
Flir E76 has /etc/shadow no longer world-readable, but you are a member of "disk" as "fliruser". You can use that to access the storage devices directly and extract everything.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf