FOOD FOR THOUGHT ACN Iris 3000 Videophone

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
iris3000

Hi!
It turns out that you need to Factory Reset this phone one more time after 1+# trick. And after that you will be able to telnet or ssh with root/root.
Now my next move will me firmware upgrade, cause my 0.2.55.3.1-US is NOT very stable. I found this page https://bitbucket.org/emex/mx27/wiki/Home
It looks promising, but there is no files to download and no one answers to my e-mail.
J
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
Progress

Sooooo look what i found. When you press 1+# it runs from internal rescue partition and do ROOT NFS MOUNT! Thats why it needs DHCP and internet access! And next what i did was to try to connect to this NFS by myself and i was succseed! Next command will mount this rescue ROOT to your /mnt/net Right now i am downloading whole this filesystem including everything that is into.
mount -t nfs -o nolock,vers=2,rsize=1024,wsize=1024,hard,proto=tcp,timeo=600,retrans=2,sec=sys,ro 8.5.244.17:/var/umec/code /mnt/net
Thus from my currrent knowladge there is no longer will be a problem to unlock this phones. No more.
Even if ACN turns off this NFS (i am sure that they wont, cause this trick is used by working phones) you still be able to do a fake NFS server with this rescue filesystem by youself.
Cheers, J
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
news about 0.20

So with help my friend who owns one of those 0.20 version phones we are able to gain access into ssh.
If somebody cares here is the line from original /etc/shadow
root:$1$$MLbGbas4WUlfDunWKTUTZ1:11851:0:99999:7:::
I am unable to hack this hash right now. So any help will be appretiated.
Next i choose another way to brake in - SD-card test program.
During strart up process phone looks for file named "sltp" on SD-card, and runs it if it exist.
So i wrote simple script that just replaces root line in /etc/shadow to known one.

-------sltp------------
#! /bin/sh
/mnt/sd/run-u.sh &
exit 0

-------run-u.sh--------
#! /bin/sh
sleep 20
cp /etc/shadow /mnt/sd/shadow
echo "root:\$1\$L5iDqrQT\$M9BSvL6zRbo3ASpl9WtW80:11851:0:99999:7:::">/etc/shadow.new
awk -F: -v OFS=: '!/^root:/ { print }' /etc/shadow >>/etc/shadow.new
rm /etc/shadow
cp /etc/shadow.new /etc/shadow
exit 0

Not that perfect but it works. Get SD card, create this 2 files on it (BE CAREFUL WITH LineFeed, DONT USE windows, or convert files to unix text standart after that), turn phone off, put sd, turn phone on. Wait until it fully boots. Wait 1 minute after that. Try to ssh on port 7022 with root/1234
Cheers, J
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
iris3000 v20

Hi!
Latest news.
I am finaly able to reflash my phone to v20 with pre-edited /etc/shadow
Now i am inside of it, but i cant find how to unlock Phone GUI Admin menu.
And WEB admin menu wont let me in either(I find out several web admin passwords in config files but any of them works).
J
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
root pass

Litle update
password for root on ssh port 7022 in phone v20 "A1exV37!"
 

tp1936

New Member
Joined
Oct 27, 2011
Messages
3
Reaction score
0
Joshoa,
Thanks for the research. I have been following your efforts. I tried the root password, it does not work. I did notice the same password in the dump file and had tried it. Another password I noticed was acnum3c but that does not work either.
Stuck at the same spot, not able to get into the admin menu. However, there are a lot of settings in the Home directory, take a look maybe setting the networks, proxies etc in one of those cfg files will help.
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
Joshoa,
Thanks for the research. I have been following your efforts. I tried the root password, it does not work. I did notice the same password in the dump file and had tried it. Another password I noticed was acnum3c but that does not work either.
Stuck at the same spot, not able to get into the admin menu. However, there are a lot of settings in the Home directory, take a look maybe setting the networks, proxies etc in one of those cfg files will help.
I cook special sd-card for reflash on v20 with pre-known root password.
Tell me if you need it.
J

PS did you done hard reset, and try root ssh AFTER than?
 

tp1936

New Member
Joined
Oct 27, 2011
Messages
3
Reaction score
0
If you can give me the sd-card contents so I can reflash with known password that would be helpful.
I think I reset the phone and still wouldnt work.
Thanks
I cook special sd-card for reflash on v20 with pre-known root password.
Tell me if you need it.
J

PS did you done hard reset, and try root ssh AFTER than?
 

tp1936

New Member
Joined
Oct 27, 2011
Messages
3
Reaction score
0
Joshoa,
For Ver. 0.2.55.3.1-US telnet into the unit, root password is acnum3c - it works for me.
What is the latest firmware version, is it 0.2.55-3.1-US or the other 20.x. versions??

Thanks

Hi!
If somebody still interested in this phones, like me, i can tell some of results of my investigation.
During 1+# process you are able to ssh to phone using root/root, moreover it is possible to download firmware image from it. Phone saves several old firmware versions in /oldversion in .jffs2 and .tgz
So i was able to scp rootfs.tgz and .jffs2
Strange thing is that after reflashing process you are able to connect to telnet:23 but it does not accept root/root.
But the password for root is realy root (based on /etc/shadow hash)
So any help would be appretiated.
J
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
Warn

Guys!
I need to warn you about 1+# trick. This procedure reflash your unit to 0.2.55 from internet. BUT!
0.2.55 is not very stable and there is to few options to configure. So if somebody have a recent 0.20.xx firmware - i can cook it to autoflash from SD-CARD. My current 0.20.xx is much better than 0.2.xx (i have bunch of them 0.2.54 55 57 64) but it has several flaws too. First, Picture-in-picture selfview is moved down half own height. There is an option to choose position in WEB admin but it doesnt work. Second i am still unable to find out password from WEB admin. I use a trick to disable password check at all, and surely this is not a good thing to have in your own phone. So i repeat, if somebody has 0.20.xx please contact me, i`ll do my best to share the results.
J
PS Here is my v20.
http://www.mediafire.com/file/4k8wd7zrph6wf0q/iris3000-v20-update-TEST.zip
You need an FAT formatted SD-card, unpack files to root of it. Turn pfone of. Put the card in. Turn the phone on. If update process starts you will see red progress bar (same as 1+# pocedure). Wait for 5-10 minutes. Turn phone off. Take SD-card out, or it may start update process again. Now you will have a v0.20 with root password "1234" on port 7022. This is my early TEST SD-CARD, so use it on your own RISK. I warned you.
Or just wait for me while i finish more safe and foolproof version of update card.
J
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
Redboot

Hi
Latest news.
Did you now that there is 2 HW version of iris3000?
Now i know.
v1 - usualy with 0.2.9.xx SW
v2 - most common with 0.2.54-64 and 0.20.xx
Differences - v2 with NAND flash(rootfs on /dev/mtd/4) v1 with usb flashdrive(rootfs on /dev/sda1)
My SD-card surely wont work with v1
But i was able to figure out the way to reflash it to my v20 FW
In short - i found how to put this phone to RedBoot and gain control of everything that in flash
So right now i am in REAL need of WORKING v20. If anybody has it please contact me, i`ll explane how to extrack it.
J
 

bi_weiss

New Member
Joined
Oct 27, 2011
Messages
1
Reaction score
0
Hello joshoa thanks for your good work on the iris 3000 phone.

Now I know the root telnet password ( acnum3c ) and I can access to the SIP configuration files.

Actually my goal is differently from yours. I think that acn firmware is not very stable and I would like to use acn sip credentials in other device or maybe in a softphone like x-lite....

Do you think it's possible?

I found my settings and a password and I put in x-lite but without success...
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
Hi

Hmmm
It depends of what kind of version do you have.
If 0.2.xx - you will find your password in /tmp/tmp_config.tmp
If 0.20.xx - password is in files located in /release_hifi_v2ip_640X480_mx27_fs_r3/resource/system.cfg
J
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
appweb password

Soooo, latest news.
I was kinda busy last days, but still pay some attension to my IRIS.
For some unknown reason my preview window became normal. Dont now why but right now its position is ok, and i can see myself normally, not only the upper half as last times.
I am still unable to find out AppWebPassword
3261174353261545
227a57735227a575
First one is default pass hardcoded in application.
Second is most usualy used in this units.
Problem is in fact that this is NOT CLEARTEXT password.
This 2 strings is some kind of HASH of real password.
I loaded executable in IDA Pro and find functions that change, compare, validate load and store password.
Sooo i am not that big pro in ARM assembler, my knowledge was only enough to understand that right before compare, password dtring readed from web form takes some mutation. Thus i am unable to go further.
I know how to breake in to WEB admin, but this is not the best way to patch phone to configure it and to un-patch it to work normally after.
Advice needed.
J
PS Still waiting for anybody with v0.20.xx ......
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
Acn Nfs

It looks like some stupid a**hole used previously mentioned by me command to mount NFS repair rootfs and DAMAGED it. I received several phones today and tryed to downgrade them by 1+# trick with no luck. Further examination discovered that the script inside of /etc/rc.d is broken.
Thus DO NOT TRY to reflash your phone using 1+# cause in best case it just do nothing in wors - you will brick you device. If you allready done it - dont be afraid, it can be helped, but...
Based on this situation i WILL NOT POST here any valuable information regarding this phones cause i dont want to make things worse than they are.
In case you want to ask me something, or you brick your phone i can help you, but only in PM.
I now how to un-brick this phones from almost every state, i figure out how to use my 3G-USB stick inserted in USB port of my IRIS3000 to get video calls in the middle of field.
I figured out how to configure ASTRISK to work flawesly with it.
And i MAD on this f**king someone.
So see you in PM.
J
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
!!!

I don`t know who you are and i dont understand why do you trying to do such a thing.

Ok.
So right now someone EDITING emergency NFS rootfs.
This someone replace rootfs.jffs2 to 4ro.20.
This is NOT my 4ro.20.
I is possible that ther is some kind of MALWARE in this image.
So i repeat DO NOT USE 1+# on your phones!
It updates firmware of you phone to this UNKNOWN 4ro.20
J
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
2nd part

I downloaded those 4ro.20.
I did not digg too deep, but the first thing that i saw was an emptyness of /release_hifi_v2ip_640X480_mx27_fs_r3
So this firmware contains NO videophone software.
After updating you will receive an empty device. With some network capabilities but without actual phone functionality.
J
 

shade_emry

New Member
Joined
Dec 29, 2011
Messages
5
Reaction score
0
I downloaded those 4ro.20.
I did not digg too deep, but the first thing that i saw was an emptyness of /release_hifi_v2ip_640X480_mx27_fs_r3
So this firmware contains NO videophone software.
After updating you will receive an empty device. With some network capabilities but without actual phone functionality.
J
I have a hardware rev 2, with the firmware your looking for. How do I pull it off the phone and more importantly how do I modify the configuration files to use my sip name? I tried getting into the admin section on the phones GUI, I can even ssh into it and browse the directory structure, but I can't use vi, which is the editor built into the dropbear, the distro of Linux the phone uses, how to I go about accessing the admin menu? I select it and push enter nothing happens, I put the code in after pushing enter, nothing. Tried it with and without the net work cable in. If you still need the firmware images, I have them.
 

Joshoa

Member
Joined
Oct 24, 2011
Messages
48
Reaction score
1
Hi

Pls contact me via private. I`ll help you, there is no hard things to do, but i need to know several details.
J
 

iulius

New Member
Joined
Dec 17, 2011
Messages
6
Reaction score
0
Hi!
I also have 2 IRIS 3000, and that I would like use it for Asterisk SIP server. Receive calls but can not forward them. Looking on some sites ... youtube ... I saw several people replacing the firmware could make it work.
You are to arrive by chance at a good point?
Thanks in advance!
 

Members online

PIAF 5 - Powered by 3CX

Forum statistics

Threads
22,514
Messages
138,531
Members
14,644
Latest member
goseph