
Reverse engineering the DMM4050

Posted: Sun 31 Mar 2019 9:51 pm
by Daniel Wee
Hacking the Tektronix DMM4050 (Fluke 8846A)

1. Get hold of the firmware update installer from:- ... C_ID%3D311
- this is the firmware for the Fluke 8846A; because it doesn’t appear that Tektronix ever released any firmware updates for the DMM4050, we’ll have to make do

2. Install the file or extract it out of the installer
- in the installed directory “Program Files (x86)/Fluke Precision Measurement”
- subdirectory instruments/884X/bin
- grab the jffs2.bin
- this is the flash image file that contains the root file system

3. On Ubuntu, mount the file as follows:-
du -sk jffs2.bin
- this will give you the filesize in kilobytes (4992) which you will need in the next step
- this assumes you are in the same directory where you put the jffs2.bin

sudo modprobe mtdram total_size=4992 erase_size=128
sudo modprobe mtdblock
sudo mkdir /media/mtdmp
sudo dd if=jffs2.bin of=/dev/mtdblock0
sudo mount -t jffs2 /dev/mtdblock0 /media/mtdmp

4. Now the image is mounted, you can cd into the directory
cd /media/mtdmp/etc
cat shadow
- grab the root password hash

5. Next we use hashcat to brute force the DES hash
- there might be MD5 involved
./hashcat64.bin -m 1500 iYNCcGcvYI0KI -a 3
- this will take quite a while even with GPU acceleration on the Titan X
- after about 2 hours = “Stratts5”
- but as this was for the Fluke 8846A, the password didn’t work for the Tek DMM4050
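
An added example, not part of the original post: a firmware-audit check that reads the text of an extracted `etc/shadow` and reports which crypt(3) scheme each account uses, flagging the ones too weak to ship. The function names and every sample entry except the root hash quoted in step 5 are assumptions made for illustration.

```python
import re

# crypt(3) hash formats as they appear in the second field of /etc/shadow.
# Third item: True when the scheme is too weak for a shipped root account.
SCHEMES = [
    (re.compile(r"^\$1\$"), "md5crypt", True),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt", False),
    (re.compile(r"^\$5\$"), "sha256crypt", False),
    (re.compile(r"^\$6\$"), "sha512crypt", False),
    (re.compile(r"^\$y\$"), "yescrypt", False),
    # Traditional DES crypt: 2-char salt + 11-char digest, no "$" prefix,
    # 56-bit key, and only the first 8 password characters are used.
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "descrypt", True),
]

def classify(field):
    """Return (scheme, weak) for one shadow password field."""
    if field == "":
        return ("empty-password", True)
    if field[0] in "!*":
        return ("locked", False)
    for pattern, name, weak in SCHEMES:
        if pattern.search(field):
            return (name, weak)
    return ("unknown", True)  # unrecognised format: flag for manual review

def audit_shadow(text):
    """Classify every account in the text of a shadow file."""
    findings = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        scheme, weak = classify(parts[1])
        salt = parts[1][:2] if scheme == "descrypt" else None
        findings[parts[0]] = {"scheme": scheme, "weak": weak, "salt": salt}
    return findings

# Constructed sample. Only the root hash comes from the post; the other
# accounts, hashes and the trailing date fields are made up for illustration.
SAMPLE = "\n".join([
    "root:iYNCcGcvYI0KI:10933:0:99999:7:::",
    "daemon:*:10933:0:99999:7:::",
    "svc:$6$constructedsalt$" + "A" * 86 + ":10933:0:99999:7:::",
    "guest::10933:0:99999:7:::",
])

if __name__ == "__main__":
    for user, info in audit_shadow(SAMPLE).items():
        print(user, info["scheme"], "WEAK" if info["weak"] else "ok")
```

A 13-character field with no `$` prefix is the traditional DES format, while MD5-crypt entries begin with `$1$`, so the scheme can be read off the hash string before any further work.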

Re: Reverse engineering the DMM4050

Posted: Sun 31 Mar 2019 10:06 pm
by Daniel Wee
Firmware file