Poll

Has the hackabiliy of the E4 made you buy one :  

Yes, I was already looking at the competition at a similar price, but the hack swung it to E4
274 (27.9%)
Yes, I'd not considered buying a TIC before, but 320x240 resolution at this price justifies it (as either tool or toy!)
444 (45.3%)
Yes, I was going to buy an E5/6/8 class of unit but will now get the E4
49 (5%)
No, but am looking out for a cheap i3 to hack
50 (5.1%)
Not yet, but probably will if now that a closed-box hack becomes is possible
164 (16.7%)

Total Members Voted: 803

Author Topic: Flir E4 Thermal imaging camera teardown  (Read 3769783 times)

0 Members and 7 Guests are viewing this topic.

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8240
Re: Flir E4 Thermal imaging camera teardown
« Reply #275 on: October 27, 2013, 01:27:52 pm »
Windows' FTP client uses active mode by default, whereas most others use passive - maybe their FTP server only works in active mode.
 

Offline equinoxe

  • Contributor
  • Posts: 23
Re: Flir E4 Thermal imaging camera teardown
« Reply #276 on: October 27, 2013, 01:29:02 pm »
Windows' FTP client uses active mode by default, whereas most others use passive - maybe their FTP server only works in active mode.

+1
 

Offline Psi

  • Super Contributor
  • ***
  • Posts: 9889
  • Country: nz
Re: Flir E4 Thermal imaging camera teardown
« Reply #277 on: October 27, 2013, 01:33:28 pm »
it wouldn't surprise me if they left passive mode code & commands out of a embedded development ftp server
It's not like you're ever going to have NAT between the TIC and the PC.

But i expect Mike probably tried passive/active already, it's really the first things you check whenever FTP doesn't work.
« Last Edit: October 27, 2013, 01:36:47 pm by Psi »
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #278 on: October 27, 2013, 04:32:34 pm »
it wouldn't surprise me if they left passive mode code & commands out of a embedded development ftp server
It's not like you're ever going to have NAT between the TIC and the PC.

But i expect Mike probably tried passive/active already, it's really the first things you check whenever FTP doesn't work.
Nope - don't know much about networky stuff, I do recall a few years ago needing to use passive mode for something.
Actually the Flir A310 Tech note document recommends filezilla - just tried it an seems to work fine ( and appears to be using passive mode).
 
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #279 on: October 27, 2013, 05:00:15 pm »
Looks like Marketing went through a few name changes...
Quote
# Default calib for Ex Camera a.k.a. Astra a.k.a. Z3
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 768
Re: Flir E4 Thermal imaging camera teardown
« Reply #280 on: October 27, 2013, 05:18:45 pm »
Quote
BTW is anyone else here actually playing with an E4, or is everyone waiting to see if I manage to brick mine..?
.... as I am on vacation it will have to wait until next week - I will then hack mine, hopefully without bricking. But I know - I will check in here at least once a days to see any Progress.

Mike if you need any files or eeprom file from my E4 then (might be helpful for comparing, as you said some CRC might be serial # related), just send me a PM and I can send you this stuff together with my serial.
OK need to log out - wife is ranting about me sitting at the computer during vacation  ;D

 

Offline ixfd64

  • Frequent Contributor
  • **
  • Posts: 345
  • Country: us
    • Facebook
Re: Flir E4 Thermal imaging camera teardown
« Reply #281 on: October 27, 2013, 05:44:55 pm »
Looks like Marketing went through a few name changes...
Quote
# Default calib for Ex Camera a.k.a. Astra a.k.a. Z3

I think they're the internal code names.

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5121
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #282 on: October 27, 2013, 05:53:56 pm »
I think they're the internal code names.

They of course have the problem of multiple products with the same hardware, so they can't call an E4 by it's name, and Ex just isn't nice enough.
In the software this model range is referred to as Z3, I'm not sure about Astra but there is a nice picture in the web folder called Z3_Astra:
Keyboard error: Press F1 to continue.
 

Offline ixfd64

  • Frequent Contributor
  • **
  • Posts: 345
  • Country: us
    • Facebook
Re: Flir E4 Thermal imaging camera teardown
« Reply #283 on: October 27, 2013, 07:04:39 pm »
It could be the code name for the entire product line, kind of like how Haswell is the code name for Intel's latest generation of chips.

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #284 on: October 27, 2013, 07:54:33 pm »
I've had a good look through the UI template files, and I'm fairly sure there isn't much more functionality to be had.
The manual shows 2 different box sizes for PiP, but the UI toolbar template only shows one.

There are resource keys apparently related to extra functions, but I strongly suspect these may not be implemented in the code and/or need buttons or hardware that aren't present.

As the FPGA will be specific to this model (I assume Ex0 series have significantly different hardware), I think it's reasonable to assume the 9Hz framerate is baked into the FPGA as there would be no reason for it not to be.

So I'm probably not going to spend much more time on this for the moment, and will wait until looking at doing a definitive file package and batch files to ease installation until someone else has confirmed it all works.

Things that still need looking at to make things easier :
1) Find how to get to the hidden menu
2) Figure out the CRC01 method - if we can do this it will simplify the hack process, as you should be able to just add a CRC for your serial number and replace one .cfg file to make it an E8 without needing to use service mode, and not have the minor issues of running in service mode. (Someone is already working on this with my files.)

I will do some FFC breakouts next time I get some PCBs done, which will be in the next couple of weeks - PM me if interested.

All the info is here, and anyone who's been following closely should be able to work it out - I've prepared a step-by-step guide and file set which I will test on my unit, but will wait for someone else to proofread and test it on another unit before publishing - please PM me.



« Last Edit: October 27, 2013, 08:56:13 pm by mikeselectricstuff »
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline nitroxide

  • Contributor
  • Posts: 26
Re: Flir E4 Thermal imaging camera teardown
« Reply #285 on: October 27, 2013, 09:25:48 pm »
Maybe this is a bit far-fetched but could someone try the following key combinations and see if they have any effect (enabling service settings menu or other functionality?) - I really don't know at what point during program execution and for how long...:
- Option 1: Power Button + Image Archive Button  (pressed together and held?)
- Option 2: Image Archive Button + Cancel Button (pressed together and held?)
- Option 3: Left Joystick Button + Right Joystick Button (pressed together and held?)

I saw these combos defined in bt.exe (handles key press emulation) and I think there might be some functionality tied to them, otherwise I don't see the point of having them specifically defined.
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #286 on: October 27, 2013, 09:54:34 pm »
Maybe this is a bit far-fetched but could someone try the following key combinations and see if they have any effect (enabling service settings menu or other functionality?) - I really don't know at what point during program execution and for how long...:
- Option 1: Power Button + Image Archive Button  (pressed together and held?)
- Option 2: Image Archive Button + Cancel Button (pressed together and held?)
- Option 3: Left Joystick Button + Right Joystick Button (pressed together and held?)

I saw these combos defined in bt.exe (handles key press emulation) and I think there might be some functionality tied to them, otherwise I don't see the point of having them specifically defined.
Bear in mind bt.exe probably has functionality for other models
left+right in charge mode shows charge stats.
power + any other buttons just does powerup/down as power button, at least a long press, is probably a hardware power-manager thing
No obvious effect from others
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #287 on: October 27, 2013, 10:04:13 pm »
OK just spent the last 2hrs testing my hack files and batchfiles & all OK.
Then I was sent some code to calculate the CRC01, which should make it a lot simpler. Too tired to play now  & work to get done so may be a day or two...
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline dustout

  • Contributor
  • Posts: 24
Re: Flir E4 Thermal imaging camera teardown
« Reply #288 on: October 27, 2013, 10:59:53 pm »
I was finally able to get into the web interface on the i3.  I'm not completely sure but it seemed like plugging the unit into power jump-started things.  The battery was about dead so maybe it spins down those features when low on power / unplugged?

Activating service mode (with user / pass: flir / 3vlig ) did indeed increase resolution.  The larger field of view is absolutely wonderful too.  Much easier to use for short ranges.  Now to get it to stick past reboots... :)
 

Offline mamalala

  • Supporter
  • ****
  • Posts: 777
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #289 on: October 27, 2013, 11:21:22 pm »
While i'm not in the market for any type of TIC, i just wanted to say kudos to Mike and others for spending time on hacking this thing. Great stuff going on here! Brings back some memories when i hacked some overpowered remote-control (Betty) that uses an LPC2220 ARM based chip. Went through all that stuff with IDA-Pro, etc. Too bad that i know absolutely nothing about WinCE internals (or any other Win internals, for that matter), so i guess i'm not of much help here anyways.

Keep up the good work. Hacking stuff is just fun!

Greetings,

Chris
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #290 on: October 27, 2013, 11:25:54 pm »
Too bad that i know absolutely nothing about WinCE internals (or any other Win internals, for that matter),
Neither did I before this.... !
Very impressed with what IDA can do - many years ago I spent a lot of time writing disassemblers for many different MCUs and doing manual tracing and cross-referencing with telephone-directory sized  disassembly printouts.
« Last Edit: October 27, 2013, 11:35:07 pm by mikeselectricstuff »
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 993
Re: Flir E4 Thermal imaging camera teardown
« Reply #291 on: October 27, 2013, 11:26:10 pm »
So what is the current state of the E4 --> E8 hack?

             Is it purely a software hack (no opening the case required)?
             Are all functions of the E8 available to the E4 (is the hardware between them identical like the DS1052/DS1102)?
             Does it stick on reboot?
             Any bugs or other info worth mentioning?
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #292 on: October 27, 2013, 11:34:10 pm »
So what is the current state of the E4 --> E8 hack?

             Is it purely a software hack (no opening the case required)?
             Are all functions of the E8 available to the E4 (is the hardware between them identical like the DS1052/DS1102)?
             Does it stick on reboot?
             Any bugs or other info worth mentioning?

You need to open the case, but only the first 2 screws and a lightly stuck fascia. No warranty seals on mine.
If someone finds the hidden menu, it will be doable without opening.
All E8 functionality and resolution as far as I can see (I think Ex manual doesn't quite reflect current firmware - only difference is 1 or 2 picture-in-picture sizes).
Only one very minor issue in that the USB must not be plugged in when you cold boot (battery  insert), otherwise it will revert to E4, but only until the next cold boot so not a problem.
 
We don't currently know if the E6/8 has a bigger lens - the spec on E6 and E8 lists a higher sensitivity, which may be explained by this.

« Last Edit: October 27, 2013, 11:37:09 pm by mikeselectricstuff »
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 13148
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #293 on: October 28, 2013, 11:21:30 am »
Dave has likely been watching developments. If I were FLIR I would have been doing the same. It may come to pass that FLIR advise the agent to not supply a 'sample' for review if such would aid the hacking of an E4 in any way, even without opening it. I can't say I blame them  ;)

Mike and the other Forum members working on this 'challenge' have done sterling work. I do not pretend to understand the detail of what they have done with Win CE, but it has been fascinating all the same.

I am left bemused that the manufacturer chose to leave so much plain text commented  information in the firmware, detailing what the function of the various segments was. Understandable during development but not needed for the final release. I suspect FLIR will have learnt some valuable lessons from this investigation as well. They are a mature company, yet they did not take protection of their firmware very seriously at all. They obviously did not count on Mike and others taking a close interest in their product. I suspect the relatively 'open' firmware writing style is replicated across many of their new products.

An excellent example of complacency on the part of the software development team.

This has been/is a most educational investigation for which I thank Mike and the others who are assisting him. It would be interesting to hear Dave's comments on the matter, as with the Rigol Hack.

Sadly, FLIR may learn from this, and when they release the improved firmware with more keypad functionality, the process may need to be repeated to avoid a hard 'reset' to E4 functionality. 
« Last Edit: October 28, 2013, 11:29:15 am by Aurora »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8240
Re: Flir E4 Thermal imaging camera teardown
« Reply #294 on: October 28, 2013, 12:27:09 pm »
They obviously did not count on Mike and others taking a close interest in their product. I suspect the relatively 'open' firmware writing style is replicated across many of their new products.
They figure that there are going to be very, very few people willing to take apart and fiddle with such a device, not only because of its price, but because of warranty and their usual customer demographic (i.e. people who don't know anything about how embedded systems work, but are "experts" at using TICs).

They could lock down the firmware even more, but that would probably just stifle sales back to their old value (and at extra cost to them to implement these changes), or even lock down the sensor somehow (and probably at even more cost to them) -- in any case, using the raw sensor directly is likely not above Mike's capabilities...
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 13148
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #295 on: October 28, 2013, 01:08:00 pm »
Indeed, very true.

I have used this technology for many years but would never tear down a $40K camera ! I would have lost my job.

Affordability has brought curiosity with it  ;)
« Last Edit: October 28, 2013, 01:09:52 pm by Aurora »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #296 on: October 28, 2013, 01:21:00 pm »
They obviously did not count on Mike and others taking a close interest in their product. I suspect the relatively 'open' firmware writing style is replicated across many of their new products.
They figure that there are going to be very, very few people willing to take apart and fiddle with such a device, not only because of its price, but because of warranty and their usual customer demographic (i.e. people who don't know anything about how embedded systems work, but are "experts" at using TICs).

They could lock down the firmware even more, but that would probably just stifle sales back to their old value (and at extra cost to them to implement these changes), or even lock down the sensor somehow (and probably at even more cost to them) -- in any case, using the raw sensor directly is likely not above Mike's capabilities...
There are also a lot of other issues like their manufacturing process, QA, calibration etc. that come into it as well - the cost of making software changes increases sunstantially as a product moves  from development to production.

Although not many people would be willing to open up a £800 product, if it is possible without opening, that changes, and bear in mind with the current software, you could decide to not make any changes to the internal files and just run it in service mode when high-res is needed, as it will stay there until the battery is taken out or it goes very flat - just putting it in sleep mode keeps it in service mode. The only thing you don't get that way is PiP mode.

There is clearly some very heavy profiteering in the 320x240 market segment at the moment, and relatively few players (many others are badged Fluke/Flir products). It only takes one to jump before the others all follow, but any comapnies that can't match the lower price for high res will be dead in the water.
However in the meantime, the low-end TIC market has to be very appealing as the volumes are potentially much higher when products get  within reach for people who wouldn't normally consider buying a TIC, so if your product has a 'hidden' advantage over your competition then this has to be good for sales.
Of course there is also the fact that people love to get a bargain by subverting the system- the Rigol effect....
The question is whether Flir are sufficiently enligtened to realise it. Time will tell.

Something else I wonder about is whether suppliers of sensors maybe have some dodgy agreements in place to supply at reduced price conditional on the end products not being used at full res. 


Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Psi

  • Super Contributor
  • ***
  • Posts: 9889
  • Country: nz
Re: Flir E4 Thermal imaging camera teardown
« Reply #297 on: October 28, 2013, 01:22:11 pm »
Companies only bother to do anything if
- It's required by law
 or
- It makes more money, or prevents money from being lost

The hack will boost E4 sales but will have little to no effect on E5+ sales.
(It will be engineers/hackers/makers who add to E4 sales and these people wouldn't have bought a better model otherwise)
So from a money standpoint there's no reason for Flir to stop the hack in future firmware, it would make more money to leave it.

The legal aspect however is much more of an issue.
If people can buy and modify the E4 unit from something that can be exported into something that cannot (or is more tightly controlled like 60fps) then Flir will be worried about getting in trouble with the US government.
As such, this will be the driving factor for stopping the hack on future firmware.
« Last Edit: October 28, 2013, 01:24:56 pm by Psi »
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 13148
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #298 on: October 28, 2013, 01:24:22 pm »
Pandoras box may have been opened  >:D   :scared:
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #299 on: October 28, 2013, 01:24:54 pm »
Quote
in any case, using the raw sensor directly is likely not above Mike's capabilities...
At some point I will definitely take a look at the raw output, if only out of curiosity about noise etc. Probably not for a while though - too busy!

If someone wanted to add a TIC to a quadcopter or RC aircraft, buying this, stripping out all the surplus weight and tapping the full-res output would be a pretty viable solution and relatively low-cost. 
Converting the 60FPS raw stream to composite video would be not very hard at all - a small FPGA and a DAC
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf