Rooting the new FLIRs (E76, etc)

[KaneTW]

The new FLIR cameras no longer have a world readable /etc/shadow, so rooting them is a bit harder. However, you can access the /dev/mmc* and /dev/mtd* files as fliruser (password 3lvig). This contains *all* information on the drive, and one of them will have your custom root hash "$1$...", NOT "qA7LRQDa1amZM".

You can then crack it in a short amount of time using a modern GPU with hashcat. Take the $1$.. string, put it in e.g. hash.txt, and run hashcat:

Code: [Select]

hashcat.exe -m 500 -a 3 -1 ?l?u?d -O ?1?1?1?1?1?1 hash.txt

On my RTX A6000 this took about 25 minutes.

Once you have this, you have root access to the camera. Now you can access the service menu as follows:
1. Run the service websocket using

Code: [Select]

LD_LIBRARY_PATH=/FLIR/usr/lib PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/root/bin:/FLIR/usr/bin sh /FLIR/usr/Service/scripts/start_service_socket.sh
2. Log in as service in the web interface after connecting via WLAN. I couldn't guess the service password and bcrypt is very slow to crack, so...
a. Download /home/root/users.db
b. Run sqlite3 and change the password hash to 'admin' (or whatever you desire):

Code: [Select]

UPDATE users SET user_password_hash='$2y$10$/J/KDhh0.UDg5pbwtPG9B.W2gEWrS36qHji1scgxO7uiTk1GuAa.K' where user_id=4;
c. Upload users.db back to /home/root. Don't forget to do a backup.
Now you can log in as 'service' / 'admin' and get access to the service menu.

NB: You can also get access to 'developer' mode by  doing the same for user_id=5 and logging in as 'developer'.

[KaneTW]

After updating to 7.8.77, the regular web interface is giving me "404 not found", but the rest still works. Going to try and figure out what's going on with the web if.

E:
I was able to reinstall the web interface by grabbing it from Axxx and decrypting it, then `opkg install` the .opk as root.

The new users.db is in /var/www/users.db!

[KaneTW]

The tool `fefunpack` can decrypt .opx files from the firmware updates.

[KaneTW]

The sensor in my E76 is a 464x348 sensor, according to the new web interface:

[KaneTW]

I have reverse engineered the decryption for .cfc; it has changed to AES256. However, unfortunately, it is signed with an RSA key. Modifying the capabilities will require a binary patch to make it accept any signature.

A decryption script is available at https://0bin.net/paste/9Njm5R8m#AJqvDicIqTd7lbL0J4e7szDB+yQpPXYF99azLSYZrpl -- The code is a touch weird, artifact of transcribing from IDA...


E: I have successfully upgraded my camera to its stated detector resolution of 464x348.
As this is highly experimental, I will not provide a script yet, but describe the steps instead.
1. Decrypt the cfcs with the script, and do whatever changes you want.
2. Back up every file that you change on the device!!
3. Analyze CCfc::verifySign and make it always return 1. This depends on your firmware version, but in 7.8.44 it was sufficient to change the final MOV R0, R4 to MOV R0, #1 at byte 0x9867C
4. Re-encrypt the CFC, changing the length in the new header. You can reuse the rest of the header itself, but you also need to re-XOR it.
5. Replace the files (remember the backup!)

E2: hm, seems like some things are not working. Maybe a CRC check of some kind.

E3: Yep, new CRC algorithm. It can be computed by 'zlib.crc32(<data without the CRC line>, 0x71941268 ^ 0xffffffff)'

E4: Camera is now running at 484x348!

[agiorgitis]

WOW 
Any idea if the same thing apply to E75 as well? (Ps: Users.db is in home/root too)
Because it may help liberate E75 into E95 too

edit: It works on users.db on E75 too! (Just used a DB Browser instead of command line to make the changes)
 

[KaneTW]

The fundamental method of access should be possible, but some details esp. about modifying the .cfc's might be different.
I'd recommend gaining access and investigating. I'd offer to take a look but I don't think I can in a reasonable timeframe right now.

[agiorgitis]

The fundamental method of access should be possible, but some details esp. about modifying the .cfc's might be different.
I'd recommend gaining access and investigating. I'd offer to take a look but I don't think I can in a reasonable timeframe right now.

Great, thanks for your time mate. No worries!

As I edited above, the users.db trick works on E75 too.

I'll try the rest on my own, although my skills are not near close to a programmer.

PS: What's the difference between logging into the 192.168.x.x to access the camera settings, and using the LD_LIBRARY_PATH=/FLIR/usr/lib PATH=/usr/loc etc path?
(How do you use it anyway?)

[KaneTW]

Not sure, I haven't tried the 192.168.x.x method. Does it have a service menu with calibration, EEPROM, etc?

I'm digging deeper into the sensor data and found that the sensor in my camera is cropped on the FPGA. I wonder if this is hackable...

Code: [Select]

CameraPlatform::CCameraPlatform(): pcb = PCB_MODULE_EVIO and ir = IR_MODULE_MEDIUM_640 module detected
appcore[821]: FVD_Init: Downsampling setting: 0x00
appcore[821]: Detector resolution according FPGA:464x348 (Croppped:1)


[agiorgitis]

Not sure, I haven't tried the 192.168.x.x method. Does it have a service menu with calibration, EEPROM, etc?

Just connect camera to the network and use a web browser like mozilla to access it. Yes it has calibration, eeprom, info, lenses etc.
How can I use your way to test things, through service websocket?

Flir Ex was using the same 640x480 sensor for all models, so probably they're doing the same here.

[KaneTW]

It's a bit different from previous iterations where the detector is downsampled. Here there's something more happening I think.

That's a similar menu, just accessible over Wifi. The key improvement for hacking would be the new cfc decryption algorithm I think. Are you able to use the instructions to get root and get the config.d/*.cfc? You can check if these are using the new AES256 method then.

[agiorgitis]

It's a bit different from previous iterations where the detector is downsampled. Here there's something more happening I think.

That's a similar menu, just accessible over Wifi. The key improvement for hacking would be the new cfc decryption algorithm I think. Are you able to use the instructions to get root and get the config.d/*.cfc? You can check if these are using the new AES256 method then.

LOL it works! 
File(s) decrypted!

.caps entry
.caps.config entry
.caps.config.name text "app E75"
.caps.config.revision text "1.0"

.caps.config.image.settings.IRheight int32 240
.caps.config.image.settings.IRwidth int32 320

.caps.config.image.targetNoise entry
.caps.config.image.targetNoise.enabled bool false
.caps.config.image.targetNoise.targetNoiseMk int32 0

[Bud]

That is quite a breakthrough after E4 golden times 

[KaneTW]

Here's my script to re-encrypt it https://0bin.net/paste/VCrcwO7h#oM5D-Z+Xco7tWb4WxeYAdV4pLk1BgcQ4E1H37d4iKJs

Needs the old cfc to get the header from it (don't want to mess it up by accident), takes the new cfg, recomputes the CRC05, encrypts it and puts the (now incorrect) signature and (corrected for length etc) header back in place.

Can definitely be way cleaned up but I figured I'd rather get it out there.

For patching the libcommon_dll.so, I'll see if I can make a patcher utility.

[agiorgitis]

OK I'll test it later today, although I can't know it works unless I send it to camera.

And problem here is that I'm not sure what, and what not, can brick my camera. I remember that for E4 Bud had a bunch of files and instructions, along with the libcommon dll.
Not sure which settings I can change in the conf.cfc without any risk...

[kaz911]

arghhhh stop it - 2nd prices on the new E series is already high enough...

Please wait until I have purchased one...

[KaneTW]

OK I'll test it later today, although I can't know it works unless I send it to camera.

And problem here is that I'm not sure what, and what not, can brick my camera. I remember that for E4 Bud had a bunch of files and instructions, along with the libcommon dll.
Not sure which settings I can change in the conf.cfc without any risk...

Right now without the libcommon_dll.so, it'll just fail and boot a fallback mode. Working on a patcher for the libcommon_dll.so so it works across versions.

[agiorgitis]

encryption works fine on my cfc too, at least decryption>encryption without making any changes within the cfc, produces a file with the exact same bytes are the original one.
 

One step closer to E75/E76 liberation

[KaneTW]

Here's the patcher utility: https://0bin.net/paste/Ddbip0Rm#Fzpl1DBN+O8g8j5HCp438RLPM0iM9YUMCYsLva6+T+p

It's not the most elegant approach, but I believe it should work. Finds the function symbol, looks for a matching string, patches it.

[Bud]

Are these Python scripts ? Which version of Python you use ?

[KaneTW]

Python3.8 (but any 3.x version should work).

 The first two require PyCryptodome, the last one pyelftools to be installed.

[KaneTW]

The Flir 24 degree lens has a macro mode. It's a paid option only available on the T5xx series, but you can enable it via

Code: [Select]

.caps.config.system.focus.mode entry
.caps.config.system.focus.mode.macro entry
.caps.config.system.focus.mode.macro.enabled bool true

in the conf.cfg

Here are some shots (freehand, so a bit blurry):


No macro mode, for reference:

[KaneTW]

Seems like the FPGA is pretty stubborn about outputting the reduced resolution.
The code indicated that it's cropped, but wouldn't that mess with viewing angles? Hm.

The bitstream is in one of the accessible SPI flashes, but reversing that is a pain.

E: Checked the datasheets. E76/E86 have 17um pitch, E96 has 12um. This gives a sensor size of 5440, 7888, 7680 respectively. This means that the sensor is, in fact, cropped.

However, it's unclear how it manages to maintain the FOV.

E2: Requesting a /dev/mtdblock{0,1} dump from a E75 and E86 please, if someone has access.

[agiorgitis]

I assume that for some hidden/disabled functions we may need the conf files from E95/E96. Is it possible to grab those from the flir update files, or do we need someone with a E95/E96 to post the files?

[KaneTW]

Unfortunately they're not in the firmware update from what I can tell.