Flir E4 Thermal imaging camera teardown

[mikeselectricstuff]

Okay,

I'm not good enough to make heads or tails of a lot of what I'm seeing here.  I don't have a full version of IDA Pro so I can't disassemble for ARM, but I can as a generic binary.  I'm still learning but maybe this will mean something to someone else.  Attached are the results of IDA's disassembly and code generation.

Not really useful unfortunately - it really needs a disassembler that knows the instruction set, even if it doesn't understand the .EXE structure

[mikeselectricstuff]

I've been silently following the E4 related threads for some time. Must say, juicy information

I don't have an E4 (yet... -  that may change ) but I've tried to put together some bits of information that I've found around in this thread. IMHO the simple way to go is using the Web Interface (you can access most, if not all, camera settings from there - including a special Service Menu) - all menus conveniently listed in FlashBFS/system/web/ and sub-folders

..and if you send a <space> to the UART during boot....
SETTINGS:
0) IP address: 0.0.0.0
1) Subnet Mask: 0.0.0.0
2) Boot delay: 1 seconds
3) DHCP: Enabled
4) Reset to factory default configuration
5) Autoboot: NK from NOR
6) MAC address: 00:40:7F:0B:91:39
7) Host connection: (USB MSD)
Option 7 may be intersting - options are USB BSD, ETHERNET and USB RNDIS, which provides virtual ethernet over USB - fairly sure the latter is what enabled the i7 hack

As Mike said, if 7) is changed to USB RNDIS (and may be that IP address and subnet mask also need to be set manually and DHCP disabled - if the PC doesn't assign them automatically over USB), the web service can be accessed.

Now, as for the A310 FLIR (the attached PDF with Technical Notes), it must be password protected, but I see that the password is already known: webpasswd "IRCAM"

Therefore (stating the obvious) the login info should be:
Username: flir
Password: IRCAM

Could someone try this?

P.S. With the risk of being Cpt. Obvious, I just want to be involved in this and help if I can do so

Is there something you need to do to get a PC (XP or Win7) to recognise and talk to a RNDIS device ? I tried setting this option but the PC didn't show anything other than the normal MSD and camera USB devices.

I am fairly convinced there is a secret menu that allows access to this setting without needing to access the serial port, probably a a magic key combination.

[nitroxide]

Yes, it appears there's a FLIR provided IP over USB driver. I'm digging up for that now.

[mikeselectricstuff]

This looks useful http://carolos.za.net/software.html

   

ABOUT ChARMeD:
ChARMeD is a Windows Mobile / Pocket PC /  Win CE (for ARM CPUs) Disassembler and Assembler

The name ChARMeD stands for:
  Carolo's Hexadecimal ARM Editor and Disassembler

FEATURES:

·    Disassemble a Windows CE Executable for ARM CPUs.
·    Assemble instructions in ARM Assembler.
·    Upload modified file to Windows CE Device.

[mikeselectricstuff]

Rats! ChARMed doesn't seem to understand this flavour of ARM... Anyone have access to a full version of IDA PRO?

[BravoV]

I am fairly convinced there is a secret menu that allows access to this setting without needing to access the serial port, probably a a magic key combination.

Not an expert, thinking of that since now there is a possibly working dis-assembler + with that believe, maybe it might be a time saver to focus only at the IO related routines/code section than handles the keys and it's keys lookup table ? 

[equinoxe]

Rats! ChARMed doesn't seem to understand this flavour of ARM... Anyone have access to a full version of IDA PRO?

Jups, I have an old IDA Pro 6.2.1 running on my Mac and I found an even older 6.1.0 on my windows laptop.
Not that I am anywhere good at disassembling ARM code, but drop me a PM with a link to these files and I'll give it a shot.

Regards,

EqX

[mikeselectricstuff]

 I think I've now worked out all the I2C devices :
0x92 Temperature sensor
0xD0 Realtime clock
0xAE EEPROM
0xAA BQ27510 battery manager

Only just figured out the last one as the device marking was only a partial number. This has the capability of hiding data so not impossible that it might be involved in more than battery management  - not looked at what it's reading from it & when yet.

The visible camera will also have an I2C interface but it's not directly connected to the main I2C bus - may be via a level shifter as these modules are usually on 1.8v levels, or on a different bus.

[amyk]

Rats! ChARMed doesn't seem to understand this flavour of ARM... Anyone have access to a full version of IDA PRO?

It's a mix of Thumb mode and regular. ChARMed only supports regular ARM.

Anyway I took a look with an old version of IDA (not all ARM instructions supported so there's valid code mixed with bits of rubbish) and it looks like it might be reading resolution etc. from the sensor itself over I2C...

[nitroxide]

I'm sorry it took some time (I still have to work on other stuff meantime). I've found the drivers! I can clearly confirm these contain the FLIR RNDIS driver (I've studied the drivers MSI content and found among other drivers the RNDIS driver).

Mike, could you please install the Device Drivers, do the USB RNDIS setting and see if you get the device discovered in Windows? You find the drivers at FLIR support page on Download Software tab (Product: PC Software (Thermography) -> FLIR Device Drivers).

[mikeselectricstuff]

Anyway I took a look with an old version of IDA (not all ARM instructions supported so there's valid code mixed with bits of rubbish) and it looks like it might be reading resolution etc. from the sensor itself over I2C...

That's the next thing on my list to look at when I get time - I saw some I2C traffic I couldn't figure out which turned out to be the power manager, but there is almost certainly another I2C bus used by the visible cam, which I'll find and probe to see if there are any other devices on it, and if it's connected to the sensor connector.

[nitroxide]

From the Ex firmware, using the resources in the web folder and some fiddling around I was able to make the index.asp run on PC  just to have an overview of the menu items available in the web interface. See attached image.

I'm pretty sure the EEPROM->Edit Camera Information menu allows changing the 'Camera part number' to the one of E8 for instance. There seems to be a locking mechanism in place for EEPROM editing (protected by password) - I don't know yet how it's implemented but it may have to do with Mike's attempt to directly modify the EEPROM content: Mike: Hmmm - changed eeprom and it changed it back....! See also attached a picture of the EEPROM->Edit Camera Information.

[mikeselectricstuff]

I'm pretty sure the EEPROM->Edit Camera Information menu allows changing the 'Camera part number' to the one of E8 for instance. There seems to be a locking mechanism in place for EEPROM editing (protected by password) - I don't know yet how it's implemented but it may have to do with Mike's attempt to directly modify the EEPROM content: Mike: Hmmm - changed eeprom and it changed it back....! See also attached a picture of the EEPROM->Edit Camera Information.

My guess is the lock/unlock is a simple mechanism to prevent accidental changes - either a value in EEPROM or a password in the firmware.

Had a very quick scan trhough a disassembly of FVP.DLL, and there is some code that does a 16 bit checksum of an area of memory under certain circumstances puts 80 and 60 in specific locations, so probably some default behaviour if anything isn't correct. Need to look in more detail at what gets read from eeprom when..

[nitroxide]

Thanks for the insight on that! I'll try to do some disassemblying too, maybe I can find anything useful.

What's your opinion on the web interface -> EEPROM -> Edit Camera Information -> Camera part number, edit to E8 part number? Do you think that would work? While some dissasebly work could shed a light on how that info is used (I'll try to find out), what's your guess?

[mikeselectricstuff]

I have tried changing E4 to E8 in the eeprom with no effect.

I have found code (100033AC for those following along) that reads 16 bytes from the EE, checksums it and if sums OK, stores the EEPROM values somewhere , and if not stores 80 and 60 in the same locations. Still looking at other eeprom related code. I think the 6 near the resoltion data is also significant - seems to correlate with the "downsampling setting" vales displayed at boot.

I only had a very quick try at changing the ee so could be I got the sum wrong.

[mamalala]

I have tried changing E4 to E8 in the eeprom with no effect.

I have found code (100033AC for those following along) that reads 16 bytes from the EE, checksums it and if sums OK, stores the EEPROM values somewhere , and if not stores 80 and 60 in the same locations. Still looking at other eeprom related code. I think the 6 near the resoltion data is also significant - seems to correlate with the "downsampling setting" vales displayed at boot.

I only had a very quick try at changing the ee so could be I got the sum wrong.

Assuming that you made a backup of the EEProm: Did you try to erase the thing? Just speculating here, but maybe the contents will be built from the config files you had fiddled with earlier.

Greetings,

Chris

[Pinkus]

I will be on vacation now for a week ..... hoping that you guys find a solution in the meantime.
If not; I can offer to lend an E8 for a day or two and read out the eeprom for you, assuming that it will help.
I can of course readout even more from the E8, but will need some help. If there is no progress here when I return, I will write a PM to Mike then.
I keep my fingers crossed.

Peter

[mikeselectricstuff]

I will be on vacation now for a week ..... hoping that you guys find a solution in the meantime.
If not; I can offer to lend an E8 for a day or two and read out the eeprom for you, assuming that it will help.
I can of course readout even more from the E8, but will need some help. If there is no progress here when I return, I will write a PM to Mike then.
I keep my fingers crossed.

Peter

Info from an E8 would certainly be very useful - it can all be read out with a serial connection after removing 2 screws, unless we can find the hidden menu and get the USB stuff happenning and get a console prompt over it..!

[mikeselectricstuff]

Hmmm. found code that looks for the string "T198389" from I2C address 0XA0, and if found "SB0801 detector   found " else "ULIS detector found"

Don't have the bootup text to hand to see which the E4 returns

[mikeselectricstuff]

Interesting snittet...

FLIR::CObfuscatedStringResource::Obfuscate(class FLIR::CResourceValue const &, class FLIR::CResourceValue   &, enum    FLIR::CObfuscatedStringResource::OBFUSCATE_MODE_T)
.idata:0005B364   IMPORT

[mikeselectricstuff]

Looking at the USB RNDIS stuff.
Installed FLIR drivers as mentioned earlier.
No joy changing the USB mode in the boot menu, but at the console,
usbfn RNDIS
appears to do the trick - the PC popped up a USB driver prompt, and "install automatically" made it happy.
This setting is volatile.
usbfn Mass_Storage_Class
switches back to a PC-accessable drive,  can't see a way to run both at the same time.

IP address was 192.168.0.2 ( not what I had set in boot menu), as shown by ipconfig at boot menu
Web browser pointed at 192.168.0.2 gives this screen.

Telnet takes you to the console, and appears to allow access to everything that the serial console does, e.g. the I2C command to fiddle with eeprom. 

There is an FTP client, but the flir/3vlig login doesn't work

[nitroxide]

Heh, that's good news Mike! Now if we only knew what needs to be changed to make it an E8

Meanwhile I've spent some time trying to find out how to get in the Hidden Service Settings menu (to be able to enable USB RNDIS without opening the camera). I think "facet_Z3.rcc" is the file to check for key-combination parsing. I'm still trying to find out a way to decode parts of it.

 

[mikeselectricstuff]

Heh, that's good news Mike! Now if we only knew what needs to be changed to make it an E8

Meanwhile I've spent some time trying to find out how to get in the Hidden Service Settings menu (to be able to enable USB RNDIS without opening the camera). I think "facet_Z3.rcc" is the file to check for key-combination parsing. I'm still trying to find out a way to decode parts of it.

Bear in mind it may also be a magic key combination during startup that enables the menu in the UI - this was the case with the i7 .

[nitroxide]

Another thing. It would be really interesting (at least for me if not for others also) what would happen if you enable the UVC mode for USB. Does this result in a USB video stream of thermographic video (basically like webcam)? 

[nitroxide]

Heh, that's good news Mike! Now if we only knew what needs to be changed to make it an E8

Meanwhile I've spent some time trying to find out how to get in the Hidden Service Settings menu (to be able to enable USB RNDIS without opening the camera). I think "facet_Z3.rcc" is the file to check for key-combination parsing. I'm still trying to find out a way to decode parts of it.

Bear in mind it may also be a magic key combination during startup that enables the menu in the UI - this was the case with the i7 .

I would say it has to be in this file as all QMLs (including SettingsPage.qml) and menu navigation are generated from this .rcc file.