Gaining a Root Shell on the Device

A project log for Hacking an Iris 3000 Videophone

This project is centered around repurposing the ACN Iris 3000 videophone, with an aim to unlock its full capabilities.

the-sycoraxThe Sycorax 12/11/2020 at 20:510 Comments

[Continued from previous log entry]

While exploring the PXBinaFlash forum thread that AUTUIN shared in their Blogspot post, I found plenty of useful information for getting full access to the ACN Iris 3000. The thread is long and I won't cover all of its details here. But it's clear that at one point, a small group of people were actively tinkering with the ACN Iris 3000. However, it seems the activity dropped off around 2017, with only a few posts since then.

One of the main contributors to the thread was a user named Joshoa. He shared lots of information, resources, and methods for getting a root shell on the device. One of his methods involved updating the phone's flash storage using an SD card loaded with files he provided. This method seemed to be the easiest one, and it would let you access the phone's root shell through SSH, so I decided to use it.

As the thread continued, Joshoa kept sharing updated versions of his SD card method. You can find some versions of it at this archive: The archive also has a detailed PDF document titled "Tinkering with Iris-3000 aka CU776," which provides even more useful information.

The steps in the PDF were mostly straightforward. I downloaded Joshoa's and extracted the files out of it. Then, I formatted an SD card to FAT32 and copied the files onto it. I put the SD card into the phone, turned the phone on, and watched the update happen.

*Very Important: Please note that there are two versions of the Iris 3000: the SDA and the MTD versions. The distinction of these two versions are outlined in the PDF document. The aforementioned SD card upgrade method is specifically designed for the MTD model. If applied to an SDA model, this method may cause the device to malfunction or become inoperable (Soft brick). However, this condition is not permanent and recovery is possible. Importantly, a separate SD card upgrade process exists specifically for SDA models, which should be used to avoid any potential issues.

After the update finished, I turned the phone off, took out the SD card, and turned the phone back on. This way, the phone wouldn't try to update again. The PDF explained that once the phone is updated and restarted, I should be able to log into it through SSH and get to the phone's root shell.

Using Windows PowerShell, I used the following command to log into the phone through SSH:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc -t root@ -p 7022

If Windows PowerShell dose not work then using a third party ssh client is recommended. 

If you are using a linux machine you might have to include a message authentication code option to the ssh command:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc -o MACs=hmac-sha1 root@ -p 7022

*Remember to replace the IP Address with the one for your ACN Iris 3000.*

Once I logged into the device using the password "1234," I found myself in a basic Linux shell. It didn't have many of the features you'd usually find in a standard Linux OS, but it did give me a lot of control over the device's internals.

With full access to the phone, I was ready for the next step: getting Debian Linux running on it.

[To be continued...]