Flir E4 Thermal imaging camera teardown

[DaveWB]

Received an E4 from Amazon today with version 1.22. The hack worked nicely. I did not make a copy of the original menu files (wasn't included in the YouTube video). Is there any way to get those in case I need to restore the camera to the factory configuration?

I eventually will create a video on setting the camera back to factory along with those files but until there is an urgent need it will not be a high priority.

[Iphone_hack]

Received an E4 from Amazon today with version 1.22. The hack worked nicely. I did not make a copy of the original menu files (wasn't included in the YouTube video). Is there any way to get those in case I need to restore the camera to the factory configuration?

Have anyone bought new E4 lately?
Are they still shipping units with 1.2L and 2.1.0?
Any news?

Bought two from Grainger a week ago. 1.1L and 1.22 on both

What day are the calibration dates?

Also is there any solution to record streaming video from E4?
Or it is only flir tool+ ?

[jjmmss00]

I have hw version 1.1L, calibrated May 2, 2014 in Estonia.

Thanks to the people who created the hack. Will stand by for the video to restore factory defaults.

[bookaboo]

Does anyone have an old version of Flir Tools saved in a zip type format?
The other day I installed the most recent version and successfully opened images on a colleagues V2.1 version camera. Today when I try to look at images with my own V1.18 camera I can't get it to connect at all, it's not in Flir Tools, not in device manager and I cant connect with Filezilla.
Maybe I have a camera issue but Id like to check an old version of Flir Tools as they have obviously been doing weird things with it.

In slightly better news my colleague has agreed to a teardown of his V2.1 unit, hopefully he will be able to loan it to me this week. I will post pictures and report once I get a hold of it.

[joe-c]

Hello,

my repaired E4 Camera was arrived. And it's a
Model: E4 1.1L
Software: 2.1.0
(new Entry) Lens: 45°
(new Entry) Power: 79%

From this menu you could still get to the submenu like early Cameras.
But if you change one of the USB modes, the camera goes instantly back to UVC-MSD. So no RNDIS could activate from this point.
Well... I will try later something more.

To the other changes. The Blending seems to be just a 50% Transparent IR image overlay over the Visual image.
And the Alignment is not a image mode, but it is found there. Here you could easily change the Distance for MSX and Blending.

Now I have to do other things... I will be back if have worked on this more.

[Iphone_hack]

Bought two from Grainger a week ago. 1.1L and 1.22 on both

What day are the calibration dates?

The newest one has a cal date of May 5

I see,
My last unit E4 arrived on June 4
Calibration date was May 6th
So I guess if order new unit these day it will be depend if they ship you new unit or old stock.

Now joe-c has his repaired e4 back with 1.1L and 2.1.0
Flir has new firmware 2.3.0

I Guess better to wait and see before taking risk to order new unit

Thanks to the people who created the hack. Will stand by for the video to restore factory defaults.

I attached fif files for use with FlirInstallNet.exe. addmenu_v1.22.0.fif to add tauchers addmenu-beta3, restoremenu_v1.22.0.fif to remove the changes and restore original menu files from fw 1.22.0.
I have tested both files and they work really well.

Thanks freak_ge
I was waiting something like this for the menu hack
But just to be clear, this is only for menu hack for 1.22.0
It does nothing for the resolution hack. Right?

[Iphone_hack]

Do I need to use USB RNDIS MODE in order to use flir instalment.exe to use the .fif for the menu hack? Or no need to change the mode

Thanks

[peo007]

Hello
If you open a photo in Flir Tools, from an unhacked E4, what will the IR resolution box say?    80x60  or  320x240.

[peo007]

I got hold of an E4, and when I open the pictures in Flir tool so it says 320x240,
so then it is hacked already.   

[ixfd64]

It looks like FLIR may have disabled RNDIS access in an effort to stop the hack. Has anyone managed to upgrade a 2.1.0 or 2.3.0 device using FLIRInstallNet?

[Iphone_hack]

Do I need to use USB RNDIS MODE in order to use flir instalment.exe to use the .fif for the menu hack? Or no need to change the mode
Thanks

You can use Flirs standard settings (MSD and UVC). RNDIS mode also possible but not needed. Your camera device must shown in FlirInstall Camera Selection.

when i connect my E4, windows explorer will connect my E4 i can download pic from my E4.
however, i start flirinstallnet.exe from bin at flir tools
i cant see any camera in selection.

[Iphone_hack]

you mean livestream?
it is greyed out, i cant seem to connect for live picture feed
but i can import the pictures from the camera
i am missing some drivers?

[joe-c]

Hello,

Version 2.1.0 RNDIS Mode:
-from menu no possible
-from "FLIRInstallNet.exe" with Set_RNDIS_permament.fif will not work
-from "FLIRInstallNet.exe" with Set_RNDIS_temporary.fif will work

Tried to open config.cfc in CFC Editor (GuiTool), but failed with error code:
Error: Tail part 2 invalid
Tried with ftool directly result the same error.

Tried an cfc file from another camera with changed serial and CRC01... camera starts like a E4 but no measurements possible and MSX was not shown.

Tried to flash firmware 1.22 with Z3comb_v1.22.0.fif (original from FLIR Download), but says no by the Question "Update prodapp/OS...".
This brings no results.
Tried to flash firmware 1.22 with yes by both questions.

Dammit! The same as before the Repair...
Camera shows only FLIR logo and was found as ASCO Volume.
So there is to note... better make no Firmware change over "FLIRInstallNet.exe".

[Iphone_hack]

you mean livestream?
it is greyed out, i cant seem to connect for live picture feed
but i can import the pictures from the camera
i am missing some drivers?

I think so.

well i tried to reinstall flir tools
also tried to install flir drivers
still the same, i can download the pictures from camera no problem
but i still cant not connect for live streaming from flir tools

i dont know what else i can do.
btw i am using windows 7 64bit
flir tools the newest version i think
E4 1.22

[Fraser]

@joe-c

So to be clear, you received your camera back from FLIR repaired and the attempt to flash it with FW 1.22 killed it ? 

If so, this is not good news for you, and is a warning to others about trying to flash to a lower FW version. Decent firmware updaters, that have the potential to do damage, normally check the Hosts revision to establish whether an install is safe to continue. If an incompatible host is found, they abort before any overwriting is done. FLIR do not appear to include such sensible safeguards, so their firmware upgrades are risky.

What now Joe ?, are you sending it back again ? If so, I see nothing wrong with you stating that you attempted to load a legitimate FLIR firmware as your camera was supplied with an unstable firmware, namely 2.1.0. Hopefully they will not charge you to rebuild the firmware.

Aurora 

[Iphone_hack]

well i tried to reinstall flir tools
also tried to install flir drivers
still the same, i can download the pictures from camera no problem
but i still cant not connect for live streaming from flir tools

i dont know what else i can do.
btw i am using windows 7 64bit
flir tools the newest version i think
E4 1.22

I have to enable both MSD+UVC. MSD is needed to see the flir as a drive and UVC is needed to stream, from what I've found.

thanks that works

[Paulio]

In theory it should be possible to dump the (Toshiba NAND E2PROM??) memory from a working unit, and flash it to a bricked unit of the same HW rev.  A lot of trial/error and solder work though!

[Paulio]

If cloning a camera, the SN must also cloned.

Is this not stored on a separate I2C eeprom? I thought it would just be a matter of updating the .CFC file to match the bricked camera.

Obviously on version 2.x this would be a problem 

[mikeselectricstuff]

In theory it should be possible to dump the (Toshiba NAND E2PROM??) memory from a working unit, and flash it to a bricked unit of the same HW rev.  A lot of trial/error and solder work though!

Not easily as unless you're very lucky, the bad-block map won't be right. You'd need to get access at the filesystem level, either in situ, or mounted on another compatible system -  this may be possible via the serial console boot menu which AFIAK nobody has exploted yet.

[ixfd64]

I'm sure there has to be some sort of backdoor that FLIR uses for calibration or maintenance purposes. But I wouldn't be surprised if future hacks require opening up the device.

[schneider]

To any German readers: We've got an E4 from Reichelt last Friday. Came with firmware 1.22 and a calibration certificate from end of March.

Edit:
Just to be clear: There was no problem applying the resolution hack as well as the menu hack .

[joe-c]

@joe-c

So to be clear, you received your camera back from FLIR repaired and the attempt to flash it with FW 1.22 killed it ? 

The Camera is now only shown as a ASCO Volume. In "FLIRInstallNet.exe" was "No Camera" selectable.

It seems to be clear, that FLIR want this state for flashing an older firmware to bring the device in a state, that only they could revoke.

I probably will send the Camera back... FLIR can see here System was safe on this way.
Well... I have tried it and lost... but it were great, if this have worked right?

[Fraser]

@ Joe-c

You never know until you try. Sadly the fact that FLIR are reading this forum means that they will likely have compiled a list of possible vulnerabilities that members previously suggested, including the firmware downgrading, As a forum we have effectively documented what FLIR needed to fix to counter hacking. That is the down side of a public forum discussing attack vectors.

If FLIR have done their job properly, I would have expected them to close the door on every discussed hacking approach, including attempts to change the identity of an E4 to an E8 to fool the firmware. The new hardware could be innocent progression of the platform but I would expect some countermeasures to have formed part of that development.

As you say, hacking would likely have to step up a level and take a path not previously discussed in this thread. OS's and Firmware cannot easily defend themselves against direct analysis of the code if such were possible to access, but the reverse engineering effort would likely outweigh the ability and benefit for the casual user scenario. Hackers are very determined people however, so I will never say 'never' 

I have said it before but will repeat it here..... readers who want an Ex series camera to use and not spend months waiting for a hack, should hunt down a supplier of one with 1.22.0 firmware, or earlier. They are still out there if you look. The other, more expensive, options are to buy from someone on e*ay who has collected stock of hackable units and pay a premium for the 'service' or buy an older stock E5 that is very likely to have stayed on the shelf due to the E4 hack. Such an E5 may also be hacked as it is no different to an E4 HW and will likely be much earlier firmware if it has been lying around a while 

Aurora

[Paulio]

Not easily as unless you're very lucky, the bad-block map won't be right. You'd need to get access at the filesystem level, either in situ, or mounted on another compatible system -  this may be possible via the serial console boot menu which AFIAK nobody has exploted yet.

Ah ok, I assumed that would be done transparently by the flash chip and not at the processor. But in any case it would be a lot of work even if possible (and all locations of the serial number corrected), probably better for now just to find a used 1.22 or E5 as previously mentioned.

[ds]

joe-c's conf.cfc has a new size (112 byte bigger) and ftool outputs an error. 

That's expected. The 16-byte MD5 hash has been replaced by a 128-byte Public-Key signature (RSA 1024-Bits). So unless you have the private key or are able to factorize the public key, you can't create a new, valid signature for a modified configuration file.

Patching this signature check in the software is most certainly only possible if you manage to circumvent the CRC check of certain files in "applaunch.dat" which is probably also protected by a Public-Key signature (file "applaunch.sgn").

I expect that it is still possible to hack the camera, but researching this would probably require quite some time and effort.