Flir E4 Thermal imaging camera teardown

[m4rkiz]

You could still have it shipped to a trusted U.S. resident and have them forward it to you.

there is plenty companies that do parcel forwarding i.e. http://www.viaddress.com/ but there is a good chance that a brand new thermal cam with all accessories in unopened box together with receipts will attract enough attention of customs and one will be charged vat which makes whole operation a bit pointless

it still is worth a shot if price is main factor

[ixfd64]

In that case, it might be an idea to have the forwarder ship the camera separately from the rest of the package.

[Pinkus]

but there is a good chance that a brand new thermal cam with all accessories in unopened box together with receipts will attract enough attention of customs and one will be charged vat which makes whole operation a bit pointless

it still is worth a shot if price is main factor

the E4 is a huge package .... it will almost always be X-rayed and held in customs so you need (in Europe) to add 3.2% customs and your local VAT to your costs. If you are lucky no tax but only VAT will apply, but officially (see EU regulation 314/2011 from March 2011) infrared cameras are taric 90251920 and thus 3.2%.

[tnt]

Not known if framerate is changeable but no reason for it to not be baked into the FPGA, especially due to the ITAR issues.
The only thing I've seen relating to framerate is the  "Allow_30Hz" or similar message in the bootup text, but this may just be a status readout from the FPGA.

The "Is 30 Hz Allowed" message seems to be entirely driven by the "version.hw.det_board.article", "version.hw.mainboard.article" and "version.hw.mainboard.revision" keys. There seem to be several combinations that would result in a "Yes".

Of course it might be easier to just patch the binary to make it return "1" all the time ... becasue those values above could be used somewhere else to configure hw differently or something ...

[tnt]

Interestingly, just after that function is called and if it returns one, 0x1E is written to a HW register with a DeviceIOControl ...

Anybody want to give it a shot ? (I lent mine to a friend for a couple of days ...)

[mikeselectricstuff]

Not known if framerate is changeable but no reason for it to not be baked into the FPGA, especially due to the ITAR issues.
The only thing I've seen relating to framerate is the  "Allow_30Hz" or similar message in the bootup text, but this may just be a status readout from the FPGA.

The "Is 30 Hz Allowed" message seems to be entirely driven by the "version.hw.det_board.article", "version.hw.mainboard.article" and "version.hw.mainboard.revision" keys. There seem to be several combinations that would result in a "Yes".

Of course it might be easier to just patch the binary to make it return "1" all the time ... becasue those values above could be used somewhere else to configure hw differently or something ...

I still think that is about hardware reporting to the software what it can do, rather than controlling anything.
May be interesting to look at differences in teh Ex0 firmware.

[tnt]

Mmm, as I mentionned above, the config seems to trigger an explicit HW/FPGA register write. Of course, that doesn't mean the hw could actually handle it, but at least it's not just doing a print. The result does really trigger a hw action.

[ViciousPest]

Ok going through the video more thoroughly. Where is the FPGA data stored? Is it stored in the same flash chip?

[olsenn]

Assuming that FLIR is on to us, how long do you suspect it would take them to patch the hardware such that it can no longer (easily) be hacked? I mean could the next batch be immune? Or does this kind of hardware/software fix take months to finish and re-test etc?

[tnt]

Assuming that FLIR is on to us, how long do you suspect it would take them to patch the hardware such that it can no longer (easily) be hacked? I mean could the next batch be immune? Or does this kind of hardware/software fix take months to finish and re-test etc?

Adding hw security would take a while.

But patching the fw for the most obvious holes could probably be done fairly quickly (i.e a couple of weeks would be more than enough) if they put the resources to do it.

[ixfd64]

General Tools offers a 160 x 120 camera with a 30 Hz refresh rate for less than $2,000: http://www.generaltools.com/GTI10--predator-Series-Thermal-Imaging-Camera_p_1856.html

They also have two other 160 x 120 cameras that are more expensive but have more features, as well as a 384 x 288 unit for less than $5,500. This might be something to look into if you're seeking a higher frame rate. I wouldn't be surprised if the GTi10 could be hacked in a similar fashion.

[PA0PBZ]

The "Is 30 Hz Allowed" message seems to be entirely driven by the "version.hw.det_board.article", "version.hw.mainboard.article" and "version.hw.mainboard.revision" keys. There seem to be several combinations that would result in a "Yes".

I can't get a value for "version.hw.det_board.article", is that just me?

"version.hw.mainboard.article" returns T198283, "version.hw.mainboard.revision" returns 10 (probably 1.0)

[tnt]

I can't get a value for "version.hw.det_board.article", is that just me?

"version.hw.mainboard.article" returns T198283, "version.hw.mainboard.revision" returns 10 (probably 1.0)

Looking at the code, you probably only get either mainboard or det_board depending on the model ...

You could try setting version.hw.mainboard.article to 1196597  and the revision to 2  (and I mean 2 not 20).
But as I said it might be better to patch the function to return 1 because changing those config could have other effect at other places ...

in appcore.exe, modify the 4 bytes at 0x001016ec from "05 00 a0 e1" to "01 00 a0 e3"

[ViciousPest]

Someone correct me if I'm wrong:

• 2 non volatile storage locations. EEPROM and Flash
• We have verified the sensor outputs the full 60hz signal. If path is, SENSOR -> FPGA -> APP PROCESSOR (with fpga being presented as a video source), has anyone checked if signal being presented to APP PROCESSOR is still 60hz. If not then it is limited in FPGA (more difficult)but if its being limited in APP PROCESSOR (windows) then it might be a boot variable.

I would venture that the bootloader needs to be investigated. Their might be a argument loaded into the kernel that gives it its identity. Can someone please post a text dump of the output mike got in the video. I tried pausing but I couldn't identify the bootloader.

[tnt]

* AFAIK, not easy to check the FPGA -> CPU path because it's all BGA. The sensor output happen to be exported to a test connector.
* The downsampling could be in the FPGA and still be configurable by software.

[ViciousPest]

Hmm. Have you tried killing appcore.exe? When mike put it in "service mode" did the sample rate increase?

[ViciousPest]

Odd. Maybe some sort of watch dog. Its weird because appcore isnt running when the device boots up. Im not home now but will investigate further upon arrival.

[mikeselectricstuff]

Killing appcore doesn't crash, just stops the main app running.
There are stopapp and restartapp batch files to start & stop - they are slightly misleading as they include lines to kill  a bunch of stuff than never runs - presumably leftovers from debugging.
Appcore spawns a number of other processes - FVD is run early but not sure if before or after appcore is launched by applaunch.dat

 

[Scutarius]

Is there anyway FLIR can patch this hack? I want to buy one but, unfortunately,  not this year... 

As mentionned earlier ... yes, plenty of ways. Especially for new camera. But even if you updated the fw on a old one there is plenty of things they could do.

Would it be un-hackable ? Doubtful, but they could make it really painful and then you'd need motivated people that don't already have an hacked one to get to work on it ... Actually now that I think on it, doing it only for new cam might be a good technique ... I'm sure several people (me for eg) wouldn't spend any time looking at bypassing a new protection scheme if the old bypass kept working on my camera ...

Too bad, I can't afford it right now.

   Never mind... I just ordered one   

[ViciousPest]

Mike quick question for further reference.
What methodology did you use to determine whether pin was input or output using pullup/pulldown resistors?

I understand the concept but how did you choose the value (strong vs weak?) or what if it was a GPIO (software configured, can be driven, pulled, high z?)
Just trying to get some insight for future targets  Thank you.

[mikeselectricstuff]

Mike quick question for further reference.
What methodology did you use to determine whether pin was input or output using pullup/pulldown resistors?

I understand the concept but how did you choose the value (strong vs weak?) or what if it was a GPIO (software configured, can be driven, pulled, high z?)
Just trying to get some insight for future targets  Thank you.

First stab is typically to look at how the pin voltage changes when pulled up or down with a 1K resistor - an output won't change much, an input will.

[mikeselectricstuff]

If it remains the same 100% of the time, it's either an input, a voltage supply, or a ground.

Or an output that you've not yet discovered the purpose of, or missed a brief pulse on, or only chnages under circumstances you've yet to discover. Easy enough to see how it reacts to a pullup/pulldown to be more sure.

[mikeselectricstuff]

If it remains the same 100% of the time, it's either an input, a voltage supply, or a ground.

Or an output that you've not yet discovered the purpose of, or missed a brief pulse on, or only chnages under circumstances you've yet to discover. Easy enough to see how it reacts to a pullup/pulldown to be more sure.

First step is usually to find all grounds using continuity tests with power off. If only to eliminate pins.
Then look for continuity to any obvious power supplies, again to narrow down search for interesting stuff.

[manu]

Thank you for the trick!
But, how do you manage to dare opening quite costly optics stuff without being feared of failing?

[TopLoser]

But, how do you manage to dare opening quite costly stuff without being feared of failing?

Feel the fear and do it anyway 

My first thought every afternoon when I wake up lol