Flir E4 Thermal imaging camera teardown

[PA0PBZ]

@PA0PBZ: Have you tried to compare your findings with the software from the Exx models? Maybe the software does internally check the camera model number and overwrites the dynamic configured frame rate with the constant in appcore_dll.dll
What is the constant value in this DLL? Can this be modified and set to one? 

I'm sorry, I was not clear enough. In appcore_dll.dll the imageFreq is not initialised, there is just a pointer for a structure that contains a lot of the distrData values:

.rdata:00173518 ; protected: static struct SI_STRUCT_METADATA_T const * const CBasicImageData::mMetaDistrData
.rdata:00173518 _mMetaDistrData_CBasicImageData__1QBUSI_STRUCT_METADATA_T__B DCD aImgname
.rdata:00173518                                         ; DATA XREF: .rdata:off_1856B8o
.rdata:00173518                                         ; "imgName"
.rdata:00173528                 DCD aDistrlive          ; "distrLive"
.rdata:00173538                 DCD aDistrrecalled      ; "distrRecalled"
.rdata:00173548                 DCD aCurglobaloffse     ; "curGlobalOffset"
.rdata:00173558                 DCD aCurglobalgain      ; "curGlobalGain"
.rdata:00173568                 DCD aRegulmethodmas     ; "regulMethodMask"
.rdata:00173578                 DCD aVisualimage        ; "visualImage"
.rdata:00173588                 DCD aFocusdistance      ; "focusDistance"
.rdata:00173598                 DCD aStripeheight       ; "stripeHeight"
.rdata:001735A8                 DCD aStripestart        ; "stripeStart"
.rdata:001735B8                 DCD aImagefreq          ; "imageFreq"

etc.

So the value of imagefreq is not initialised in this dll, I don't know where it happens. Probably something else gets the structure from the dll and uses that to initialise the values, but I don't have a cross ref for all the files yet.

[bernroth]

Looking at the strings of gethwtype.exe:

...
usage: gethwtype [-h] [-v]
       -h   Help, show this text
       -v   verbose, show additional info
Identifies FLIR hardware that this utility runs on
Shows hardware as: <type><subtype>
Known hardwares:
Qx - unknown HW
H1 - Fire camera
Y1 - T-MkII (Ylva) camera
Z3 - ASCO camera
Z2 - IVCO or ZOCO_BLUE camera
Z1 - ZOCO camera
S1 - SART camera
F1 - Liston camera
T1 - PT camera
R1 - A2 camera
X1 - Ixx
G1 - GF
P2 - P-Cam,   BACP2
P1C- P-Cam,   BACP rev >=08, UIP rev>=05
P1B- P-Cam,   BACP rev >=08, UIP rev 03/04
P1A- P-Cam,   BACP rev 07
A5B- A-Cam S, AHCO3 AND SB0601 30 Hz detector
A5A- A-Cam S, AHCO3 AND SB0601 9 Hz detector
A4B- A-Cam R, AHCO AND SB0601 30 Hz detector
A4A- A-Cam R, AHCO AND SB0601 9 Hz detector
A3B- A-Cam S, AHCO AND SB0601 30 Hz detector
A3A- A-Cam S, AHCO AND SB0601 9 Hz detector
A2B- A-Cam R, AHCO AND SB0401 30 Hz detector
A2A- A-Cam R, AHCO AND SB0401 9 Hz detector
A1B- A-Cam S, AHCO AND SB0401 30 Hz detector
A1A- A-Cam S, AHCO AND SB0401 9 Hz detector
Ex - T-Cam, unknown subtype (remote)
E4 - T-Cam, BACT2 AND ULIS detector
E3B- T-Cam, BACT2 AND SB0601 30 Hz detector
E3A- T-Cam, BACT2 AND SB0601 9 Hz detector
E2B- T-Cam, BACT AND SB0601 30 Hz detector
E2A- T-Cam, BACT AND SB0601 9 Hz detector
E1B- T-Cam, BACE rev 04-07 AND SB0401 30 Hz
E1A- T-Cam, BACE rev 04-07 AND SB0401 9 Hz
....

I suspect the appcore executes gethwtype.exe to obtain detailed camera informations.
Is it possible to run this command on the console?
I wonder what it returns on a default E4 cam.

I hope mine will get delivered soon

[bernroth]

appcore* contains some other interesting settings:

distrData.imageMilliFreq
image.sensor.frequency

Maybe distrData.imageMilliFreq correlates with distrData.imageFreq?

9Hz could read 111ms

[Taucher]

Well, the 9Hz investigations told us that the setting must be stored in a really good location - like hardcoded in some binary place - and that's good this way:

Nobody (mentally sane) should want to force Flir to either cancel the product line or totally rework the firmware because some trade of arms law defines that a hack of 9->30 would turn the camera into a military class product, dual use stuff, ITAR etc... there are plenty of names where that stuff runs under. I can just repeat myself: I like my camera legally tradeable and non-mil-spec'ed.

Just compare it to turing a (legal) manual or semi-automatic weapon into a fully-automatic one ... that would cause trouble.

[olsenn]

Nobody (mentally sane) should want to force Flir to either cancel the product line or totally rework the firmware because some trade of arms law defines that a hack of 9->30 would turn the camera into a military class product, dual use stuff, ITAR etc... there are plenty of names where that stuff runs under. I can just repeat myself: I like my camera legally tradeable and non-mil-spec'ed.

I think FLIR was smart to ensure the framerate could not be modified; however, I personally would love to have an illegal, mil-spec, big daddy thermal camera. Plus I don't think it would be illegal to process, just to transport out of its country of origin. I deal with enough ITAR documents at work to know just how stupid the whole system is. I mean, I could have purchased an Exx camera that is 60Hz -- what's the difference?

[mikeselectricstuff]

Well, the 9Hz investigations told us that the setting must be stored in a really good location - like hardcoded in some binary place - and that's good this way:

Nobody (mentally sane) should want to force Flir to either cancel the product line or totally rework the firmware because some trade of arms law defines that a hack of 9->30 would turn the camera into a military class product, dual use stuff, ITAR etc... there are plenty of names where that stuff runs under. I can just repeat myself: I like my camera legally tradeable and non-mil-spec'ed.

Just compare it to turing a (legal) manual or semi-automatic weapon into a fully-automatic one ... that would cause trouble.

I have no doubt that questions will have been asked inside Flir about how well locked down the framerate is, and if it was vulnerable, I think they would have stopped shipping units until it was fixed, as it wouldn't be difficult to nail down an internal FPGA setting. We've been seeing units that have left the factory weeks after they must have been aware of the hack. 

And don't forget that at 60fps with that small lens, the noise level would make the high-framerate performance pretty poor, though there may be some intermediate framerates that might be a useable compromise between noise and image quality.
The lens housing design would make it quite hard to add a bigger lens. If this wasn't the case it may have been worth someone investigating writing a completely new FPGA design, however such efforts would probaby be better directed at the automotive units, which are smaller, available more cheply (used) and have a much better lens. 

[bernroth]

Maybe you will get checked against Anti-Terror database and have to fulfil a security audit in order to receive the 60Hz camera?

[London Lad]

I may be missing the obvious but what exactly is it that 'they' are scared villains may do with a 60fps TIC?

[Taucher]

I think FLIR was smart to ensure the framerate could not be modified; however, I personally would love to have an illegal, mil-spec, big daddy thermal camera. Plus I don't think it would be illegal to process, just to transport out of its country of origin. I deal with enough ITAR documents at work to know just how stupid the whole system is. I mean, I could have purchased an Exx camera that is 60Hz -- what's the difference?

I guess that discussion could end in an analogy to "why would it be illegal to build or posess nuclear weapons", a private M1 tank, fully loaded etc... I guess it would be really cool to own a M1 ... until your neighbour targets it with Hellfire rockets from his Apache...

ok... a bit overdramatization - what I wanted to say: it's the law - if you dislike it, then write to your legal representatives at the government or get some lobbyist funding

[Taucher]

I may be missing the obvious but what exactly is it that 'they' are scared villains may do with a 60fps TIC?

probably the same reasons you're disallowed to sell outer-space-grade climate chambers... build a rocket... (I guess that's another reason for limiting temperature-span - space is pretty cold)... test rocket or weapon parts... hell knows what else...

[BigClive]

Hmm, hopefully just a coincidence, but after following all the instructions and making the .fif file with the tree and camera files in it, I'm getting a (IDS_FILE_FORMAT_ERROR) error.

I take it that while CRC01 is case sensitive it's OK to have the checksum itself with the alpha characters in lower case?
Is there a specific name that should be used for the fif file?
Is it because I'm using notepad to edit the serial and checksum numbers?  (being wary of the CR/LF issue)

I'll maybe try from scratch again later.  I'm still a bit wary of knackering a new and expensive toy.

[London Lad]

Hmm, hopefully just a coincidence, but after following all the instructions and making the .fif file with the tree and camera files in it, I'm getting a (IDS_FILE_FORMAT_ERROR) error.

I take it that while CRC01 is case sensitive it's OK to have the checksum itself with the alpha characters in lower case?
Is there a specific name that should be used for the fif file?
Is it because I'm using notepad to edit the serial and checksum numbers?  (being wary of the CR/LF issue)

I'll maybe try from scratch again later.  I'm still a bit wary of knackering a new and expensive toy.

Notepad is ok, its what I used.

[Taucher]

I'll maybe try from scratch again later.  I'm still a bit wary of knackering a new and expensive toy.

Check out my footer:
Ez-CRC01: https://www.eevblog.com/forum/testgear/flir-e4-thermal-imaging-camera-teardown/msg332090/#msg332090

[mikeselectricstuff]

I may be missing the obvious but what exactly is it that 'they' are scared villains may do with a 60fps TIC?

Night vision gunsights and and heat-seeking missiles

[London Lad]

I may be missing the obvious but what exactly is it that 'they' are scared villains may do with a 60fps TIC?

Night vision gunsights and and heat-seeking missiles

I see. I would have thought that guns, ammunition and rocket fuel would be harder to come by and easier / more practical to control than a 60fps TIC ?

Mind you the Americans have some strange regs. I recently bought a Surefire Helfighter spotlight and the vendor had to remove the IR filter that it was fitted with before shipping it!

[Taucher]

Mike:
I think I managed to identify the compass-chip used in the higher series: HMC5843 or HMC5883 .. is there any free place on the PCB matching that IC?

Honeywell's HMC5843, a 3-axis digital magnetometer designed for low-field magnetic sensing. The sensor has a full-scale range of ±4 gauss and a resolution of up to 7 milli-gauss.
Supplied voltage should be between 2.5 and 3.3VDC.
Communication with the HMC5843 is simple and all done through an I2C interface. All registers and operating modes are well described in the datasheet below.

[BigClive]

Night vision gunsights and and heat-seeking missiles

Yes, but surely that would still work at 9Hz if the missile slowed down to walking pace when it got to within a few metres of its target and instructed the target to remain stationary.

[Taucher]

WLAN Chip: something related to: RT28701 ... P3221 / P3001
but probably needs some wlansettings.exe in FlashFS ... which is not easily available either...

[BigClive]

I've just trimmed this post down to hide my incompetence.

It's worth mentioning that the error (IDS_FILE_FORMAT_ERROR) may indicate that you have inadvertently put a folder containing the two files inside the zipped folder instead of just the files on their own.

[BigClive]

OK, I screwed up.  I didn't realise that I was putting a folder into the zipped folder.  I just applied the modification and my camera is now full resolution.

That was quite a neat little script Taucher.  It was a lot easier than doing it the original way.

So thanks guys.  My apologies if I made anyone think FLIR had already taken measures to prevent the upgrade.

[mtdoc]

I ordered mine from Tequipment.net yesterday (yeah EEVblog discount!).   

At the time I ordered, their web page showed 4 in stock - then 3 in stock after my order.   Today it shows 62 in stock!  New shipment?  Hopefully mine will still be hackable...

[mikeselectricstuff]

Look what showed up in my website log... Might be interesting to do the same filter search Chez Dave....

[jlr134]

Thank you STEFBEER and MR.FLIBBLE for your help. Because of you I have a brand new baby E8.
( I believe I owe you some beers)
And thanks to Mike , Ive been a fan for a long while

[stefbeer]

Mike, can you somehow evaluate the referrer of those hosts / hits? Maybe there's something useful in the URL of the referrer (even if it's just in their Intranet)?

@ jlr134: You're very welcome! Glad to see you made it in the E8 club And for my part you don't owe me a beer, I'm not much of a beer drinker

[Taucher]

Look what showed up in my website log... Might be interesting to do the same filter search Chez Dave....

Long time no visit... maybe when they shipped you the softcase? ...