Poll

Has the hackability of the E4 made you buy one?

Yes, I was already looking at the competition at a similar price, but the hack swung it to E4
277 (28.1%)
Yes, I'd not considered buying a TIC before, but 320x240 resolution at this price justifies it (as either tool or toy!)
444 (45.1%)
Yes, I was going to buy an E5/6/8 class of unit but will now get the E4
49 (5%)
No, but am looking out for a cheap i3 to hack
51 (5.2%)
Not yet, but probably will now that a closed-box hack is possible
164 (16.6%)

Total Members Voted: 807

Author Topic: Flir E4 Thermal imaging camera teardown  (Read 4077146 times)

Offline mikeselectricstuff (Topic starter)

  • Super Contributor
  • ***
  • Posts: 14032
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #4150 on: March 07, 2014, 02:37:50 pm »

I'd hardly call the Ex a consumer model - it's clearly aimed at professionals in the HVAC, building and electrical markets.
Professional thermographers may scoff at it but I suspect at least some of that is fear that their clients will buy one and stop calling them.

FlirOne is of course clearly aimed at the consumer

I sincerely hope thermographers are not using the E4 for building inspections, bearing in mind the standards state you need at least a 320x240 detector size.
There are plenty of building applications outside producing formal inspection reports.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2051
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #4151 on: March 07, 2014, 02:52:09 pm »
There are plenty of building applications outside producing formal inspection reports.
Indeed. Like informally checking the house for any huge thermal differences for fun and isolation material induced profit.
 

Offline fp

  • Contributor
  • Posts: 24
Re: Flir E4 Thermal imaging camera teardown
« Reply #4152 on: March 07, 2014, 03:46:05 pm »
@OrBy: you are most likely right. What is slightly annoying is that we are probably heading toward the point where we realize that xoring the config files was the easy stuff, and that the nasty one is in the bootloader. This being said, I understand from earlier messages in the thread that even the new version can do the better resolution when calibrating or something. If it can do it for its own purposes, no reason that it couldn't be forced to do it for *our* purposes.

@tomas123: I'll decode my own cfc files and tell you if your version is faster than the matlab one  >:D

@aurora&mike: enlightening discussion you guys are having. I am not a professional, and such a tool is still quite a bit above the price range I would shell out under normal circumstances. Still, I needed one for various reasons and indeed, even with the low resolution, the MSX is quite good at providing a clear picture. In the long run, I suppose that even if we defeat the current hack, they will come up with better and better solutions. How often should such a toy be recalibrated by a professional? (I mean, this recalibration is what gives them the edge, at the end, because you get a choice of "enhanced" abilities or good calibration...)
 

Offline Rainer

  • Regular Contributor
  • *
  • Posts: 54
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4153 on: March 07, 2014, 03:52:28 pm »
Today I unzipped the 1.21-FW-Upgrade-Package from FLIR, renamed the fif to zip and clicked through the files.

All the files are marked as CRC-32 instead of CRC-03 in the crypted config-file.

And there is an nk.crc-Textfile:
Code: [Select]
FILE NK.bin 10463367 720767253

What is the usage of these numbers in the update package?

And FLIRLaunch.dat-Textfile:
Code: [Select]
# Optional check - HW type. HW type indicates camera the same
# way as resource .version.hwtype (or camera cmd "gethwtype")
TargetHwType:Z3

# Optional info - update type  (combination, OS, kit, option...)
UpdateType:swcombination

# Optional info - version of this update
TargetVersion:1.21.0

# Optional internal consistency check command[s]
CheckIntCommand:battPercent:20

# Optional external check command[s] (of type 0)
CheckExtCmd0:kitcrc -m \FlashIFS\FLIRUpdate\Z3comb_v1.21.0 -c NK.crc:Consistency check - OS crc error
CheckExtCmd0:kitcrc -m \FlashIFS\FLIRUpdate\Z3comb_v1.21.0 -c FlashBFS\system\kits.d:Consistency check - filekits crc error

# Commands that will be run in specified order provided that all
# CheckIntCommand and/or CheckExtCmdX has indicated OK
# (and CRC32 of this file is OK)
Command:\FlashIFS\FLIRUpdate\eFLIRInstall -c \FlashIFS\FLIRUpdate\Z3comb_v1.21.0\eFLIRInstall_MSD.dat

# The checksum below (including #) has been added by fixcrc on this file.
# Parser (AppServices or "gui") should verify this checksum initially and
# possibly report error; typically "remount launcher checksum error"
# CRC32 23b08a6e


and in system/appcore.d/factory.d there are some text files

But there is no config file anywhere. Is it possible that FLIR creates this file in the system? And when all systems (E4 to E8) are on the same hardware, how do they separate them to set the correct factory settings?
« Last Edit: March 07, 2014, 03:55:48 pm by Rainer »
 

Offline fp

  • Contributor
  • Posts: 24
Re: Flir E4 Thermal imaging camera teardown
« Reply #4154 on: March 07, 2014, 04:31:09 pm »
The CRCs are there for consistency checks before starting the upgrade. Like you don't want to flash a file that has been corrupted over transfers.

As for your other question (where do they differentiate between E4 -> E8), I was wondering myself but I did not look very deeply into the fif.

I think answering this question might shed some light on various issues. I understand that in the previous firmware, basically all the functionality was there, and some were crippled through the config files. This time, some binaries were removed, so understanding how the corresponding functions are performed for the higher end models could be interesting?
 

Offline Rainer

  • Regular Contributor
  • *
  • Posts: 54
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4155 on: March 07, 2014, 05:53:57 pm »
...
To me, as a user of the more complex cameras, I see the E4 as a relatively simple camera which is easy to use, but limited in functionality, especially in that it has no manual control over span and centre temperature.

Especially the manual temperature span works absolutely fine since the Beta3 on the 1.21-E4. And temperature analysis in the full image can be done after downloading the files to a PC. The only thing I think could be handy is to auto-spot the hottest or coldest point in the thermal field and show the temperature of the spot. Next to this, I think it could be handy to snapshot 3 files: a clean thermal image, a digital image and a text file or csv with all the in-picture data (scaling, spot temperature and pixel coordinates of hottest and coldest points with their temperatures)

So for me it is the Fully Auto 'Compact' of the thermal imaging world  :) After upgrade, it becomes a far more 'professional' camera in terms of capabilities and I like it a lot. It's only negative throwback to its original form is the small fixed focus lens that cannot be easily changed.
But with the running Beta3 on the 1.21-E4, you can modify the linear shift between digital and thermal and so you can use the device easily for most of the jobs, like a good 75mm-equivalent on an SLR. Here just two things: some serial commands over USB could be fine to power up an LED photo light without opening the TIC. And the second thing is a tripod connector (somebody has already done this modification with the battery)

 

Offline Rainer

  • Regular Contributor
  • *
  • Posts: 54
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4156 on: March 07, 2014, 05:59:50 pm »
The CRCs are there for consistency checks before starting the upgrade. Like you don't want to flash a file that has been corrupted over transfers.

As for your other question (where do they differentiate between E4 -> E8), I was wondering myself but I did not look very deeply into the fif.

I think answering this question might shed some light on various issues. I understand that in the previous firmware, basically all the functionality was there, and some were crippled through the config files. This time, some binaries were removed, so understanding how the corresponding functions are performed for the higher end models could be interesting?

I think, when they have a CRC-32 check routine in the cam, why should they use another CRC for files they create on the system?

The question about separating the different TICs could be a question about another way to get the new functions. If you reflash a premodified update container, you can get a crypted, closed, unhackable but fully functional E4 device  :-+ ( or a brick |Ok)
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4157 on: March 07, 2014, 06:10:17 pm »
But there is no config-File anywhere. Is it possible, that flir create this file in the system? And when all systems(E4 to E8) are on the same hardware, how do they separate them to set the correct factory settings?

up to now, config files are untouched during a firmware update
Flir wrote these files during calibration of the camera
-> in this case E4/E5/E6 get the same update files

I asked several times in this forum what happens if a user makes a manual update from 1.19 to 1.21.
We know that 1.21 boots successfully without conf.cfc in native mode (80x60 without msx)
first I put the e8cfg in the folder, reset to factory -> no changes
next I deleted the old conf.cfc file, reset to factory -> no changes
next i delete the old conf.cfc-file, reset to factory->no changes
Code: [Select]
.caps.config: (3)
rw--r--------- 0 root   root   <e> image                           
r---r---r----- 0 root   root   <a> name                          ""    // empty configuration name!!!

.caps.config.image.settings: (4)
r---r--------- 0 root   root   <i> IRheight                      60 //no high res mode
r---r--------- 0 root   root   <i> IRwidth                       80

It's possible, that a manual update without new conf.cfc from 1.19 to 1.21 results in a slightly bricked cam (80x60 without msx) and the TIC needs a flir service  ;D

Does anybody know whether Flir Tools offers an (automatic) update from 1.19 to 1.21 for the E4/E5?
I do not expect it...


There are many hackable Flir TICs on the market (we know ix, Ex, Exx and possibly more series like Kxx).
Until now, Flir has never delivered upgrades for old series.
Let's wait and see the strategy. Ebay will push the old cams  :)

Offline ixfd64

  • Frequent Contributor
  • **
  • Posts: 345
  • Country: us
    • Facebook
Re: Flir E4 Thermal imaging camera teardown
« Reply #4158 on: March 07, 2014, 07:00:20 pm »
So if what I'm reading is correct, applying the original hack to the newer cameras will brick them?
« Last Edit: March 07, 2014, 07:03:35 pm by ixfd64 »
 

Offline Rainer

  • Regular Contributor
  • *
  • Posts: 54
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4159 on: March 07, 2014, 07:02:48 pm »

There are many hackable Flir TICs on the market (we know ix, Ex, Exx and possibly more series like Kxx).
Until now, Flir has never delivered upgrades for old series.
Let's wait and see the strategy. Ebay will push the old cams  :)

You give up? :--

What did "Taucher" say about the CRC-03?
 

Offline Rainer

  • Regular Contributor
  • *
  • Posts: 54
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4160 on: March 07, 2014, 07:03:47 pm »
So if what I'm hearing is correct, applying the original hack to the newer cameras will brick the device?

I have a "half-hacked" device, which is working fine
 

Offline fp

  • Contributor
  • Posts: 24
Re: Flir E4 Thermal imaging camera teardown
« Reply #4161 on: March 07, 2014, 07:36:14 pm »
@Rainer: btw, I was wondering exactly what config you are running now ? the old UI binary with the added menus ? or the added menus only which work with the new binaries ?
 

Offline Rainer

  • Regular Contributor
  • *
  • Posts: 54
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4162 on: March 07, 2014, 07:59:01 pm »
@Rainer: btw, I was wondering exactly what config you are running now ? the old UI binary with the added menus ? or the added menus only which work with the new binaries ?

I run a E4-FW1.21

I tested the e8.config, but it didn't work. Then I deleted my crypted config with no effect and restored it.

Later I tested the i2c.exe and the prodapp.exe from the old FW1.19 to sample some information for cracking the crypted files. All the things I have done for tomas as he instructed me are working fine, but no HighResMode was possible.

Then I tested the old appcore. This is also working fine on my TIC.

Later I installed the BETA3 from Taucher and now I have a couple of new options, which make a significant upgrade in usability.

I found two interesting files in the backup of my TIC. There are two parameters behind each file entry. Did FLIR precalculate the CRCs? Or does the TIC check them anyway?
Quote
# prodkit.rev
# This file contains revision information for all loaded
# files in a kit
# Do not edit

NAME prodkit
VERSION 0
DATE 12-Feb-2014

# format: FILE <filename> <size> <CRC32>
#     or: FILE <filename> undefined
FILE flashbfs\system\combtabs.d\combtab.prodkit 2705 2812783919
FILE flashbfs\system\kits.d\prodkit.rev undefined
FILE flashbfs\system\web\ctrlcam.asp 4298 2777764764
FILE flashbfs\system\web\images\flirtrans.gif 9560 3471597168
FILE flashbfs\system\web\inc\camtype.inc undefined
FILE flashbfs\system\web\inc\restree.inc 4596 441201453
FILE flashbfs\system\web\inc\sitewidgets.inc 3239 2505186734
FILE flashbfs\system\web\inc\usermenu.inc 717 1894527103
FILE flashbfs\system\web\inc\versions.inc 2092 419951093
FILE flashbfs\system\web\index.asp 6601 2223685810
FILE flashbfs\system\web\rtp.asp 4043 3107314533
FILE flashbfs\system\web\smallcam.asp 4183 713538584
FILE flashbfs\system\web\styles\flirweb.css 5565 1492719729
FILE flashbfs\system\web\sysinfo.asp 6601 2223685810
FILE flashbfs\system\web\webcam.asp 901 922760025
FILE flashbfs\system\web\webpopup.asp 4043 3480063023
Quote
# appkit.rev
# This file contains revision information for all loaded
# files in a kit
# Do not edit

NAME appkit
VERSION 1.0.16
DATE 10-Jan-2014

# format: FILE <filename> <size> <CRC32>
#     or: FILE <filename> undefined
FILE flashbfs\system\appcore.d\factory.d\default_params.rsc 1472 2185293074
FILE flashbfs\system\appcore.d\factory.d\ui_archive.rsc 284 623741465
FILE flashbfs\system\appcore.d\factory.d\ui_control.rsc 467 2239378611
FILE flashbfs\system\appcore.d\factory.d\ui_display.rsc 191 3867561398
FILE flashbfs\system\appcore.d\factory.d\ui_fusion_always.rsc 111 1935031912
FILE flashbfs\system\appcore.d\factory.d\ui_pipfusion.rsc 512 2840232353
FILE flashbfs\system\appcore.d\factory.d\ui_remove_uicore_gui.rsc 273 2790243335
FILE flashbfs\system\appcore.d\factory.d\ui_start_facet.rsc 818 3146439369
FILE flashbfs\system\appcore.exe 1760768 3442989494
FILE flashbfs\system\appcore_dll.dll 686592 3206292197
FILE flashbfs\system\applaunch.dat 544 4248174058
FILE flashbfs\system\appservices.exe 325120 131577177
FILE flashbfs\system\battery.icons\battery_frame.bmp 77878 4000596581
FILE flashbfs\system\battery.icons\flash_graybackground.bmp 2086 1990763675
FILE flashbfs\system\battest.exe 5120 2251393597
FILE flashbfs\system\bootlogo.bmp 77878 4263985570
FILE flashbfs\system\bootlogo_legal.bmp 77878 3836861670
FILE flashbfs\system\bt.exe 8192 4071575274
FILE flashbfs\system\bw.pal 3192 1681767566
FILE flashbfs\system\cecompat6.dll 4608 4045365591
FILE flashbfs\system\chargeapp.exe 32768 3564829563
FILE flashbfs\system\combtabs.d\combtab.appkit 2705 2812783919
FILE flashbfs\system\common_dll.dll 1193984 3567384037
FILE flashbfs\system\dbtest.exe 24576 1092980507
FILE flashbfs\system\defaultusr.exe 5120 784976136
FILE flashbfs\system\distmap.fff 1480 3055981799
FILE flashbfs\system\facet_core.dll 1257472 2511314107
FILE flashbfs\system\facet_exe.exe 5120 1233506562
FILE flashbfs\system\facet_ui_qml.dll 1472000 621186924
FILE flashbfs\system\fpga.bin 632704 1351741304
FILE flashbfs\system\freeze.exe 9728 936245703
FILE flashbfs\system\ftest.exe 41984 1024639405
FILE flashbfs\system\fvd.dll 106496 1515716869
FILE flashbfs\system\gethwtype.exe 19456 3088389631
FILE flashbfs\system\imageformats\qgif4.dll 33792 3417464108
FILE flashbfs\system\iron.pal 3112 2828306868
FILE flashbfs\system\kitcrc.exe 301056 3540060692
FILE flashbfs\system\kits.d\appkit.rev undefined
FILE flashbfs\system\kits.exe 7168 632656675
FILE flashbfs\system\level.exe 9728 2628187395
FILE flashbfs\system\nuc.exe 10240 2610821507
FILE flashbfs\system\palette.exe 10752 464184973
FILE flashbfs\system\progressapp.exe 27648 3868968713
FILE flashbfs\system\qtcore4.dll 2864640 1978210823
FILE flashbfs\system\qtdeclarative4.dll 3403264 334871801
FILE flashbfs\system\qtgui4.dll 5570560 724646993
FILE flashbfs\system\qtnetwork4.dll 516608 2292488155
FILE flashbfs\system\qtscript4.dll 1650688 203428169
FILE flashbfs\system\rainbow.pal 3093 2536627832
FILE flashbfs\system\rclone.exe 9216 2084543743
FILE flashbfs\system\rcreate.exe 10752 164634856
FILE flashbfs\system\rdelete.exe 9728 1668963676
FILE flashbfs\system\rdump.exe 10240 1070406349
FILE flashbfs\system\recall.exe 11264 2982293392
FILE flashbfs\system\resmon.exe 188928 3444402641
FILE flashbfs\system\restree.dll 40960 536197024
FILE flashbfs\system\rfind.exe 10752 1267375240
FILE flashbfs\system\rls.exe 14336 1413714667
FILE flashbfs\system\rotationmapccw.fff 1480 1632318203
FILE flashbfs\system\rotationmapcw.fff 1480 395212282
FILE flashbfs\system\rpatch.exe 10240 2548461096
FILE flashbfs\system\rreload.exe 8704 4201028577
FILE flashbfs\system\rset.exe 13824 408260706
FILE flashbfs\system\rverify.exe 9216 1383441815
FILE flashbfs\system\services.d\factory.d\dcf.rsc 118 2354299725
FILE flashbfs\system\services.d\factory.d\dcim.rsc 119 4038415784
FILE flashbfs\system\services.d\sql.d\default.sql 8781 149868454
FILE flashbfs\system\services.d\sql.d\defaulttextfield.sql 1015 1102409983
FILE flashbfs\system\span.exe 9728 3398018886
FILE flashbfs\system\sqlite.dll 423936 4250343061
FILE flashbfs\system\stopapp.bat 304 2940831057
FILE flashbfs\system\store.exe 22528 4280939406
FILE flashbfs\system\suid.exe 3584 221334787
FILE flashbfs\system\supv.exe 9728 240560634
FILE flashbfs\system\syslog.exe 73728 1044482548
FILE flashbfs\system\taskmgr.exe 22016 1515231995
FILE flashbfs\system\tprls.exe 8192 152830205
FILE flashbfs\system\treeproxy.dll 84480 2464225402
FILE flashbfs\system\ui.d\design_ui_z3.xml 31678 2143429451
FILE flashbfs\system\ui.d\facet_z3.rcc 206587 3061843404
FILE flashbfs\system\ui.d\fonts\gulim.ttf 119696 4124050443
FILE flashbfs\system\ui.d\fonts\mingliu.ttf 167904 3264670505
FILE flashbfs\system\ui.d\fonts\msgothic.ttf 103768 3656814746
FILE flashbfs\system\ui.d\fonts\simsun.ttf 126448 4072330505
FILE flashbfs\system\ui.d\languages\strings_cs.qm 37425 3797833529
FILE flashbfs\system\ui.d\languages\strings_da.qm 36531 940902589
FILE flashbfs\system\ui.d\languages\strings_de.qm 38735 2009213114
FILE flashbfs\system\ui.d\languages\strings_el.qm 39393 1110818361
FILE flashbfs\system\ui.d\languages\strings_en.qm 35999 2585439826
FILE flashbfs\system\ui.d\languages\strings_es.qm 38621 2531747438
FILE flashbfs\system\ui.d\languages\strings_fi.qm 36777 2410128193
FILE flashbfs\system\ui.d\languages\strings_fr.qm 38843 1667692400
FILE flashbfs\system\ui.d\languages\strings_hu.qm 37522 1947279460
FILE flashbfs\system\ui.d\languages\strings_it.qm 38567 3452599217
FILE flashbfs\system\ui.d\languages\strings_ja.qm 30692 205294168
FILE flashbfs\system\ui.d\languages\strings_ko.qm 30290 4041748703
FILE flashbfs\system\ui.d\languages\strings_nb-no.qm 36767 3806744485
FILE flashbfs\system\ui.d\languages\strings_nl.qm 38131 3178141702
FILE flashbfs\system\ui.d\languages\strings_pl.qm 37819 4188141756
FILE flashbfs\system\ui.d\languages\strings_pt.qm 38209 2950374436
FILE flashbfs\system\ui.d\languages\strings_ru.qm 38426 3463078458
FILE flashbfs\system\ui.d\languages\strings_sv.qm 36407 4057731832
FILE flashbfs\system\ui.d\languages\strings_tr.qm 36688 825758328
FILE flashbfs\system\ui.d\languages\strings_zh-chs.qm 28366 2850435286
FILE flashbfs\system\ui.d\languages\strings_zh-cht.qm 28602 899181547
FILE flashbfs\system\ui.d\retailmodeimages\building\building.png 233457 4087367693
FILE flashbfs\system\ui.d\retailmodeimages\building\building2.png 233457 822441740
FILE flashbfs\system\ui.d\retailmodeimages\building\building3.png 233457 1211929052
FILE flashbfs\system\ui.d\retailmodeimages\building\building4.png 233457 1901681265
FILE flashbfs\system\ui.d\retailmodeimages\building\building5.png 233457 1387997691
FILE flashbfs\system\ui.d\retailmodeimages\building\building6.png 233457 3053286244
FILE flashbfs\system\ui.d\retailmodeimages\building\building7.png 233457 4142162705
FILE flashbfs\system\ui.d\retailmodeimages\building\building8.png 233457 3719195114
FILE flashbfs\system\ui.d\retailmodeimages\building\building9.png 233459 4106347948
FILE flashbfs\system\ui.d\retailmodeimages\electrical\electrical.png 233457 3561065053
FILE flashbfs\system\ui.d\retailmodeimages\electrical\electrical2.png 233457 3624618999
FILE flashbfs\system\ui.d\retailmodeimages\electrical\electrical3.png 233457 3150106711
FILE flashbfs\system\ui.d\retailmodeimages\electrical\electrical4.png 233457 3171029511
FILE flashbfs\system\ui.d\retailmodeimages\electrical\electrical5.png 233457 2189150432
FILE flashbfs\system\ui.d\retailmodeimages\electrical\electrical6.png 233457 2651767234
FILE flashbfs\system\ui.d\retailmodeimages\electrical\electrical7.png 233457 4214428961
FILE flashbfs\system\ui.d\retailmodeimages\electrical\electrical8.png 233457 2159425733
FILE flashbfs\system\ui.d\retailmodeimages\electrical\electrical9.png 233459 4106347948
FILE flashbfs\system\ui.d\toolbar-config_z3.xml 1121 2108642323
FILE flashbfs\system\usbpower.bat 240 2721728187
FILE flashbfs\system\version.exe 13312 3974754876
FILE flashbfs\system\zeromap.fff 1480 2529221937
« Last Edit: March 07, 2014, 08:02:32 pm by Rainer »
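
The manifests quoted in the post above state their own layout (`FILE <filename> <size> <CRC32>` or `FILE <filename> undefined`). As an added example that is not part of the original thread or of FLIR's tooling, this Python verifier parses such a manifest and checks a pulled backup against it. It assumes the CRC32 column is the standard zlib/IEEE CRC-32 printed in decimal, which the page does not confirm; the sample tree and `demo.rev` are constructed.

```python
import tempfile
import zlib
from dataclasses import dataclass
from pathlib import Path, PureWindowsPath
from typing import Optional


@dataclass
class Entry:
    name: str              # path exactly as written in the manifest
    size: Optional[int]    # None for "FILE <filename> undefined"
    crc32: Optional[int]


def parse_rev(text):
    """Return (header, entries) for a manifest in the quoted .rev layout."""
    header, entries = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments such as "# Do not edit"
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key != "FILE":
            header[key] = rest            # NAME / VERSION / DATE
            continue
        if rest.endswith(" undefined"):
            entries.append(Entry(rest[: -len(" undefined")].strip(), None, None))
            continue
        parts = rest.rsplit(None, 2)      # split from the right: name may hold spaces
        if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            raise ValueError(f"line {lineno}: malformed FILE entry: {raw!r}")
        size, crc = int(parts[1]), int(parts[2])
        if crc > 0xFFFFFFFF:
            raise ValueError(f"line {lineno}: CRC does not fit in 32 bits")
        entries.append(Entry(parts[0], size, crc))
    return header, entries


def file_crc32(path, chunk=1 << 16):
    """Assumption: standard CRC-32 as implemented by zlib."""
    crc = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def verify(entries, root):
    """Map each manifest name to ok / skipped / missing / size-mismatch /
    crc-mismatch / unsafe-path for the tree under root."""
    root = Path(root)
    report = {}
    for e in entries:
        rel = PureWindowsPath(e.name)     # manifest uses backslash separators
        if rel.anchor or ".." in rel.parts:
            report[e.name] = "unsafe-path"    # never follow paths out of root
        elif e.size is None:
            report[e.name] = "skipped"        # "undefined": nothing to compare
        else:
            path = root.joinpath(*rel.parts)
            if not path.is_file():
                report[e.name] = "missing"
            elif path.stat().st_size != e.size:
                report[e.name] = "size-mismatch"
            elif file_crc32(path) != e.crc32:
                report[e.name] = "crc-mismatch"
            else:
                report[e.name] = "ok"
    return report


def demo():
    """Build a constructed tree plus manifest, then damage it and re-verify."""
    files = {  # constructed sample content, not FLIR data
        r"flashbfs\system\a.exe": b"A" * 5120,
        r"flashbfs\system\b.dll": b"B" * 4608,
        r"flashbfs\system\c.pal": b"C" * 3192,
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lines = ["# demo.rev (constructed)", "NAME demokit", "VERSION 0"]
        for name, data in files.items():
            path = root.joinpath(*PureWindowsPath(name).parts)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
            lines.append(f"FILE {name} {len(data)} {zlib.crc32(data)}")
        lines.append(r"FILE flashbfs\system\kits.d\demo.rev undefined")
        header, entries = parse_rev("\n".join(lines))
        before = verify(entries, root)

        a, b, c = (root.joinpath(*PureWindowsPath(n).parts) for n in files)
        a.write_bytes(b"A" * 5119 + b"Z")   # same size, one byte changed
        b.write_bytes(b"B" * 100)           # truncated transfer
        c.unlink()                          # file lost
        after = verify(entries, root)
    return header, before, after


if __name__ == "__main__":
    for part in demo():
        print(part)
```

CRC-32 is unkeyed, so a clean report shows that the files match the manifest and were not corrupted in transfer; it says nothing about whether the manifest and files are authentic.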
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4163 on: March 07, 2014, 08:43:53 pm »
You give up? :--

What did "Taucher" say about the CRC-03?
no,
I'm also waiting on Taucher and the results from ida disassembler ...

you asked for many details, which are already decoded
sorry for my short answer

p.s.: I have no hope that a correctly crypted conf.cfc with key
.caps.config.image.settings.IRwidth int32 320
works fine. The E4 will ignore in 1.21 this key like already all keys for setting the frequency

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf
Re: Flir E4 Thermal imaging camera teardown
« Reply #4164 on: March 07, 2014, 08:54:59 pm »
@waiting: I'm currently very very busy with other stuff - will take some time - plus I'm not the greatest IDA/ASM guy -> maybe TNT can help out?
@XOR - I took some looks at the "key finder" and was a bit puzzled by the keysize and the fact that the config date is the same ... I'd check for known ".conf." parts and use them for computing a key... but again - way too little time ATM.

Offline Chorleybloke

  • Contributor
  • Posts: 23
Re: Flir E4 Thermal imaging camera teardown
« Reply #4165 on: March 07, 2014, 09:04:56 pm »
Hi all, forgive my lack of tech know-how, but I have an E4 with 1.21.0. I can get to various screens just with button presses; I have managed to get to a screen <Version information>. This lists the following:

IRDM                       0.0.1.0
POLLUX                   0.1.0.0
POLLUX_FPGA         8.1.25.0
camcore                  T198304-01-63813827
detector                  *-*-*
mainboard               T198283-11-20127538
appkit                      1.0.16
confkit                      E4 1.1L
osimgkit                   16.0.12
prodkit                      0
Appcore                    22.0.0.1
AppServices              22.0.0.1
Bootloader                16.1.5.0
ResMon                     22.0.0.1
WinCE                       6.0.0.0
appcore_dll               1.9.0.1
common_dll               1.9.0.7
facet_core                 22.0.0.1
facet_ui_qmi              22.0.0.1
fvd                             16.0.47.0


I can scroll down any of the above and hold right key for about 10 seconds then it takes you to a blank screen headed as per selection.

Not a clue if any of that helps, just thought I would throw it in.

Chorleybloke




« Last Edit: March 07, 2014, 09:16:56 pm by Chorleybloke »
 

Offline Rainer

  • Regular Contributor
  • *
  • Posts: 54
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4166 on: March 07, 2014, 09:38:56 pm »
In "Settings/Device Settings/Camera Information/Software/" is the hidden menu (10s right button) with "USB-Mode", "Export information" and "Version information".

In "USB-Mode" you can select the RNDIS and now the cam has a USB-Virtual Network Interface. You need the driver and then you can do some networking things(Filezilla-FTP for upload and download, Putty-telnet for remote control, network device instead of USB-Device for the picture-Filesystem)

Device-Mount is an option of the flir Network-Driver. You can only access to the IFS-Folder

For FTP call 192.168.0.2 with user: flir and pass: 3vlig. Here you get access to the complete filesystem.
Please make a complete download, zip it and upload it here. Watch out for your private photos in the IFS folder. And have a look at Taucher's Beta3. There are a couple of well-working menus, like manual scale setting, and the flir logo becomes invisible.

For Telnet call 192.168.0.2 and you get a WIN CE-Prompt on the TIC .
« Last Edit: March 07, 2014, 09:44:01 pm by Rainer »
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4167 on: March 08, 2014, 12:20:11 am »
I'm not the greatest IDA/ASM guy -> maybe TNT can help out?

I found the post
I'm the one that reverse engineered the CRC01 function and wrote CRC01.

wow, I thought you wrote CRC01  :-[

unfortunately TNT has been offline since November 18, 2013  :(

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf
Re: Flir E4 Thermal imaging camera teardown
« Reply #4168 on: March 08, 2014, 01:01:32 am »
I'm not the greatest IDA/ASM guy -> maybe TNT can help out?

I found the post
I'm the one that reverse engineered the CRC01 function and wrote CRC01.

wow, I thought you wrote CRC01  :-[

unfortunately TNT has been offline since November 18, 2013  :(
My contributions were mainly the menu-"hack" (just re-adds dormant functions, method to edit RCC files) and later on EzCRC01 (got fed up by ppl asking for how to press enter (CRLF) in an editor + wanted to have something to quickly re-generate the CRC01 - due to time constraints the whole .exe didn't reach my internal goal of a really foolproof one-click-to-fixup-.conf-tool, but got stuck in a rather "hacky" state (anyway - 80% is better than 0%) ... it's basically the original crc01 exe with some additional code to detect and cut away portions that don't belong into the computation of the crc01 (removing the not-to-checksum bytes seemed to be the hardest part for newbies - not everyone does install a hex-ed as one of his first tools to a new machine *G*).

Also there's the whole part of early analysis of the 1.21.0 firmware where my toolset of unpacking, diffing, string-extraction and some IDA work went into.
But I won't risk my good old E4+ by doing something stupid like "upgrading" it to 1.21.0 ... that's the reason why the CFC mechanism went undetected in the first analysis.
The greatest thing would be a way to emulate the NK.bin file ... but my attempts to use the MS emulator failed (unfortunately like expected) without any logs etc.

@CRC01: I was a bit amazed how precise TNT's code solved the algo-problem... there's a lot of computational "goodness" that I can just imagine to be horrible when looked upon in ASM... my IDA skills are present, but not to an extent of complex decompilation (note difference to disassembly). Note to myself: lookup where the CRC01 is actually residing inside the old firmware

Well, gotta get some sleep - this night will be very short for me (again)...

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4169 on: March 08, 2014, 10:58:41 am »
@CRC01: I was a bit amazed how precise TNT's code solved the algo-problem... there's a lot of computational "goodness" that I can just imagine to be horrible when looked upon in ASM

Sylvain Munaut <tnt@246tNt.com> used this code as template
https://code.google.com/p/aarni/source/browse/tags/0.1.5/ripemd160.cpp?spec=svn5&r=5
but only the "minor changes" are incredible to find

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2617
  • Country: 00
    • My random blog.
Re: Flir E4 Thermal imaging camera teardown
« Reply #4170 on: March 08, 2014, 02:09:40 pm »
I disassembled 1.21 appcore earlier in the thread and found a few places where it looks like it checks CRC sig version and does goto fail (:P) when it's not high enough. It would be trivial to put a nop in there, or change bne to beq/b
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline equinoxe

  • Contributor
  • Posts: 23
Re: Flir E4 Thermal imaging camera teardown
« Reply #4171 on: March 08, 2014, 08:37:53 pm »
I disassembled 1.21 appcore earlier in the thread and found a few places where it looks like it checks CRC sig version and does goto fail (:P) when it's not high enough. It would be trivial to put a nop in there, or change bne to beq/b


Most often I am just lazy and I never call the checking subroutine or put a return on the first line of the routine in that call, this works on most x86 programs, but should work with arm equally well.

Just played with the new IDA Pro demo for mac, wow, that has evolved big time, the graphical flow add-on (proximity view) is awesome!
*Checks price for full version.. Nope, ain't going to happen..
 

Offline ebnelson

  • Newbie
  • Posts: 1
Re: Flir E4 Thermal imaging camera teardown
« Reply #4172 on: March 09, 2014, 02:23:44 am »
So if what I'm reading is correct, applying the original hack to the newer cameras will brick them?

The 1.21.0 firmware seems to just ignore the original hack fif.  I think I read on this thread that it falls back to the original 1.21 configuration.  It happens so fast it seems like a normal boot.  I'm not aware of any loss in functionality from my failed attempt to enable full resolution.  Luck of the draw when purchasing the camera I guess.  :palm:
 

Offline Rasz

  • Super Contributor
  • ***
  • Posts: 2617
  • Country: 00
    • My random blog.
Re: Flir E4 Thermal imaging camera teardown
« Reply #4173 on: March 09, 2014, 04:12:22 am »
imo the way to go is to
-xor old crc01 config with recovered xor key
-upload patched appcore with nop'ed crc version check (it first reads checksum and then later checks if its high enough  version of crc routine)
Who logs in to gdm? Not I, said the duck.
My fireplace is on fire, but in all the wrong places.
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4174 on: March 09, 2014, 12:18:36 pm »
-upload patched appcore with nop'ed crc version check (it first reads checksum and then later checks if its high enough  version of crc routine)

don't forget, since 1.21 there are checksums for major binaries in applaunch.dat
Code: [Select]
# Show intro bootlogo and start progress
progressapp -f \flashbfs\system\bootlogo.bmp -g flashbfs\system\bootlogo_legal.bmp -d
# Start command shell on the RS-232 port
cmd /R
# Register a default user
defaultusr
# Start appcore. Appcore starts other necessary processes
appcore

# doCRC FlashBFS\system\appcore.exe 1760768 3442989494
# doCRC FlashBFS\system\common_dll.dll 1193984 3567384037
# doCRC FlashBFS\system\progressapp.exe 27648 3868968713
# doCRC FlashBFS\system\defaultusr.exe 5120 784976136
# ID all
# CRC03 aad87665

but you can kill the appcore.exe and start a patched appcore1.exe over a new menu entry in Taucher's menu system :-)

a sample
Code: [Select]
> rset appl.supv.exec "cmd /c date /T"
Sat 2/15/2014

//the same as script
> echo date /T > \flashifs\1.cmd
> rset appl.supv.exec "cmd /c \flashifs\1.cmd"
    \>date /T
    Sat 2/15/2014

in this way we don't need a crc03 keygen and any patched original files with the risk of building a paperweight

ps: I haven't checked whether a cmd-script (shell) started over the menu state machine survives a "ps -k appcore".

