Gaining a Root Shell on the Device

A project log for Hacking an Iris 3000 Videophone

This project has to do with my attempt of gaining full access to an ACN Iris 3000 videophone.

The SycoraxThe Sycorax 12/11/2020 at 20:510 Comments

[Continued from previous log entry]

While scouring through the forum thread that AUTUIN provided in his Blogspot Article, I found a lot of information and resources for gaining full access to the ACN Iris 3000. The forum thread is pretty long so I'm not going to go into to much detail on it. However, by reading through the thread, it seems that at one point the ACN Iris 3000 had a pretty active but small community of people who we're dedicated to tinkering around with it. Unfortunately it seems that there hasn't been much activity since 2017, with only a few posts from users since then.   

As I read through the thread I discovered that the user Joshoa was one of the main contributors of information, resources, and methods for gaining a root shell on the device. One of the methods he provides is a way to update the flash storage of phone by using an SD card loaded with some files that he put together. I decided to use that method because it seemed to be the most easiest one. 

As discussion on the thread went on, Joshoa would provided updated versions of his SD card method. All versions of it an be found at this archive The archive also includes an in depth PDF titled "Tinkering with Iris-3000 aka CU776" which provides a wealth of information, much more then what the forum thread provides in my opinion. So it became the main resource that I used for gaining a root shell on the phone.

By following the steps outlined in the PDF, everything for the most part was a simple and straight forward process. I downloaded Joshoa's and extracted the files from it. I then formatted an SD card to FAT32 and copied the extracted files to it. After I did that I inserted the SD card into the phone, turned the phone on, and watched as the update process took place. Once the update was complete I turned off the phone, ejected the SD card, then turned the phone back on again in order to prevent it from going through the update process again. According to the PDF, once the phone is updated and booted up I should then be able to log in through SSH and gain a root shell to the phone.

By using Windows PowerShell I was able to use the following command so that I could log into the phone through SSH.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc -t root@ -p 7022

*Replace the IP Address with the one for your ACN Iris 3000.*

After successfully logging into the device using the password "1234"  I was greeted with a low level, bare bones Linux shell, lacking many of the advanced feature that you would usually find in a standard Linux OS. Despite this, I was able to have a lot of control over the internals of the device.  

Now that I had full access to the phone, The next step was to do what the user AUTUIN did by getting Debian Linux running on it. 

[To be continued in next log entry...]