Products > Thermal Imaging

Rooting the new FLIRs (E76, etc)

(1/7) > >>

KaneTW:
The new FLIR cameras no longer have a world readable /etc/shadow, so rooting them is a bit harder. However, you can access the /dev/mmc* and /dev/mtd* files as fliruser (password 3lvig). This contains *all* information on the drive, and one of them will have your custom root hash "$1$...", NOT "qA7LRQDa1amZM".

You can then crack it in a short amount of time using a modern GPU with hashcat. Take the $1$.. string, put it in e.g. hash.txt, and run hashcat:

--- Code: ---hashcat.exe -m 500 -a 3 -1 ?l?u?d -O ?1?1?1?1?1?1 hash.txt

--- End code ---

On my RTX A6000 this took about 25 minutes.

Once you have this, you have root access to the camera. Now you can access the service menu as follows:
1. Run the service websocket using

--- Code: ---LD_LIBRARY_PATH=/FLIR/usr/lib PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/root/bin:/FLIR/usr/bin sh /FLIR/usr/Service/scripts/start_service_socket.sh

--- End code ---
2. Log in as service in the web interface after connecting via WLAN. I couldn't guess the service password and bcrypt is very slow to crack, so...
a. Download /home/root/users.db
b. Run sqlite3 and change the password hash to 'admin' (or whatever you desire):

--- Code: ---UPDATE users SET user_password_hash='$2y$10$/J/KDhh0.UDg5pbwtPG9B.W2gEWrS36qHji1scgxO7uiTk1GuAa.K' where user_id=4;

--- End code ---
c. Upload users.db back to /home/root. Don't forget to do a backup.
Now you can log in as 'service' / 'admin' and get access to the service menu.

NB: You can also get access to 'developer' mode by  doing the same for user_id=5 and logging in as 'developer'.

KaneTW:
After updating to 7.8.77, the regular web interface is giving me "404 not found", but the rest still works. Going to try and figure out what's going on with the web if.

E:
I was able to reinstall the web interface by grabbing it from Axxx and decrypting it, then `opkg install` the .opk as root.

The new users.db is in /var/www/users.db!

KaneTW:
The tool `fefunpack` can decrypt .opx files from the firmware updates.

KaneTW:
The sensor in my E76 is a 464x348 sensor, according to the new web interface:

KaneTW:
I have reverse engineered the decryption for .cfc; it has changed to AES256. However, unfortunately, it is signed with an RSA key. Modifying the capabilities will require a binary patch to make it accept any signature.

A decryption script is available at https://0bin.net/paste/9Njm5R8m#AJqvDicIqTd7lbL0J4e7szDB+yQpPXYF99azLSYZrpl -- The code is a touch weird, artifact of transcribing from IDA...


E: I have successfully upgraded my camera to its stated detector resolution of 464x348.
As this is highly experimental, I will not provide a script yet, but describe the steps instead.
1. Decrypt the cfcs with the script, and do whatever changes you want.
2. Back up every file that you change on the device!!
3. Analyze CCfc::verifySign and make it always return 1. This depends on your firmware version, but in 7.8.44 it was sufficient to change the final MOV R0, R4 to MOV R0, #1 at byte 0x9867C
4. Re-encrypt the CFC, changing the length in the new header. You can reuse the rest of the header itself, but you also need to re-XOR it.
5. Replace the files (remember the backup!)

E2: hm, seems like some things are not working. Maybe a CRC check of some kind.

E3: Yep, new CRC algorithm. It can be computed by 'zlib.crc32(<data without the CRC line>, 0x71941268 ^ 0xffffffff)'

E4: Camera is now running at 484x348!

Navigation

[0] Message Index

[#] Next page

There was an error while thanking
Thanking...
Go to full version