Flir E4 Thermal imaging camera teardown

[Pauloven]

wooooooooooaaaaaah!!!!!     

impresive!!! 

I agree with Aurora, I'm to get 5 flirs and sell them +30€ for the shipping costs and  and credit the blog to explode unfair trading in ebay.
//////////////////////////////////////////////////////////////////////////////////////////////

I was reading and did not whant to interrupt the high level discusion that was going on, but wanted to share a thing.

I "discovered"  probably its known, that stainless steel acts as a perfect mirror for the ir band. Its impressive, If you take an snap of a boiling water stainless steel pot, it simply reflects the temperature of the surrounding elements.

Also its funny how the visible light is so much affected by scratches and the thermal is not.

I wonder if this could be used to build a mirror like lens.
http://img268.imageshack.us/img268/446/mirrornn.jpg

[Artemio]

 E4 and the new firmware conf.cfc here

[mikeselectricstuff]

Thermal resolution:

Have you confirmed this looking at the actual image? - bear in mind resampling is done in the FPGA, and you could have a situation where the software thinks it's 320x240 but actually isn't

Images of sharp diagonal lines are a good way to judge
   

[echen1024]

Wow that was fast. 1.21 hacked.

[pomonabill221]

Just wondering if Flir is watching this thread to see how good their "locked" firmware is and how fast it gets hacked!
Yes, I know they are watching.... just would like to know if they are testing "us" to see what they need to do to create the next "unhackable" firmware/hardware!
Would give almost anything to be a fly on Flir's walls!!!!

[ds]

@Artemio

Thanks for the file.

Appended is a ZIP file with your modified config file. It has the
same "E4->E8" changes like the ones in Rainer's modified file.

Please replace the file "FlashFS\system\appcore.d\config.d\conf.cfc"
with the new file, do a cold-start and report the results. Thanks.

[lewis]

I "discovered"  probably its known, that stainless steel acts as a perfect mirror for the ir band. Its impressive, If you take an snap of a boiling water stainless steel pot, it simply reflects the temperature of the surrounding elements.

I did a similar experiment a while ago, it took lots of convincing for some people! https://www.eevblog.com/forum/blog/eevblog-401-lecroy-9384c-oscilloscope-repair-part-2/msg173654/#msg173654

Regarding the new hack, AWESOME work. Does the new prototype hack completely upgrade the E4 to an E8? If so, I might try upgrading the firmware on my E4+ to unlock some additional functionality!

[Rainer]

For your knowledge: i had install the beta3 from Taucher before i changed the Configfile!


I take a "thermal-only"-pic of my LCD-Monitor-Edge while i hold the cam in about 45°-angle.

[OrBy]

For your knowledge: i had install the beta3 from Taucher before i changed the Configfile!


I take a foto of my Monitor-Edge while i hold the cam in about 45°-angle.

Was that with MSX turned off?

[Rainer]

Yes, i switched it off for a real "thermal-only"-Pic, like Mike requested

[OrBy]

Yes, i switched it off for a real "thermal-only"-Pic, like Mike requested

That looks better then 80x60 to me then. 

[Wann]

Nice!! So how long has this taken to hack? From release of firmware about a month ago to being beaten?
How long til Flir release 1.22.0 with more countermeasures

Flir pulled the plug on 1.21.0 in their download section and upped to 1.22.0

Just in case if you haven't already:
http://cdn.cloud.flir.se/swdownload/assets/cameradownload/flir_ex_pn639_v1.21.0_update_pack.zip

[tom66]

Haha... and I thought I was kidding.
This looks like it could be a fun arms race to watch. I think I'm going to hold back though for now; don't really have a grand to blow on a TIC, yet...!

[mamalala]

Wow, fantastic stuff! Although i don't have TIC (and actually no need for one either), i'm following this thread closely.

@ds: Nice work figuring this stuff out! Hopefully the fine folks here can have a peek at some code of yours soon

All in all, goes to show what happens if "encryption" or "protection" is just an afterthought (or badly implented to boot, like in other things). I think that companies more often than not (still?) underestimate the power that communities on the 'net can have.

Fascinating stuff here, keep on going!

Greetings,

Chris

[veetee]

I would like to do one or two more tests, could a user
with an E4 and the new firmware post the configuration
file "FlashFS\system\appcore.d\config.d\conf.cfc" here ?
(Please not more than two, this should be enough for
further testing).

Attached conf.cfc from new firmware cam.  Great work everyone.

On a side note can anyone tell me how to ftp to the cam in osx10.9, had to use my windows7 vm to grab the config. Thanks.

[Artemio]

I've not been able to update my conf.cfc file, since I've not been able to reestablish an ftp connection to my flir e4.

FLIRInstallNet sees the device, but always times out.

MSD works if changed from the camera.

I had run the Set_RNDIS_permament.fif and cold booting hasn't helped, any ideas on what I should do to restore ftp access?

Thanks

[stefbeer]

Flir pulled the plug on 1.21.0 in their download section and upped to 1.22.0

Unbelievable... I really couldn't believe it until I saw it with my own eyes...
http://cdn.cloud.flir.se/swdownload/assets/cameradownload/flir_ex_pn639_v1.22.0_update_pack.zip

Is it possible that they waited for somebody to hack the 1.21.0 until they release the 1.22.0 ? Or is it just some kind of tidying up?

I compared the two .fif packages and the only "important" change seems to be an updated fpga.bin . The other files are just adjusted version numbers and checksums because of the adjusted version numbers.
Is it a good sign that the fpga.bin got a bit smaller?
The jump in the timestamp of the fpga.bin seems to be a bit big. Did they forgot something? Or did they really prepare it and save it for a second hit?


@Artemio: Do you see the network device of the camera? Has the default gateway of the network device changed? Did you also reboot your computer?
You could also try to reinstall the FLIR network driver, I think that did the job for somebody a while back.

[mikeselectricstuff]

Is it a good sign that the fpga.bin got a bit smaller?

You can't read anything useful into the size of the fpga file. 

[fp]

Great to see that I did not brick in vain 
Congratulations to all !

[ixfd64]

Just curious, how hard is it to reverse-engineer an FPGA binary file?

[ds]

@veetee

Here is your modified config file.

Please replace "FlashFS\system\appcore.d\config.d\conf.cfc" with
the new one, cold-boot and report about the result. Thanks.

[mikeselectricstuff]

Just curious, how hard is it to reverse-engineer an FPGA binary file?

Near impossible.
Format is very undocumented, and even if you could extract the logic, it would be very hard to figure out the high level functionality from it.

[Artemio]

@stefbeer No luck reconencting to my camera here =/ The IP address changes every time, so I guessed the network configuration was bad. I reinstalled drivers, no good. I also used a completely different machine and did eveything from scratch, and it is no good either. I am always getting a different IP address in the network adapter for the Flir device form the PC.

I attach a screenshot.

I did manage to get 192.168.0.2 once, and it responded to ping, however it did not connect via ftp of the FLIRInstallNet.exe even then, from this machine or from the one I just set up. Rebooted the camera and machines several times. Any ideas?

Thanks

[uski]

Hi,

I did manage to get 192.168.0.2 once, and it responded to ping, however it did not connect via ftp of the FLIRInstallNet.exe even then, from this machine or from the one I just set up. Rebooted the camera and machines several times. Any ideas?

I did have this issue too, but only on my laptop.
I work with the camera on another computer inside a Win 7 x64 virtual machine and it works well

The laptop is Win 7 x64 too so I have no idea what is wrong with it, it doesn't receive any packet from the camera exactly like you describe.

I would suggest you try with another computer, I spent hours troubleshooting this issue and I couldn't find any reason why it wouldn't work on that particular computer. Just try another one.

Hope this helps.....
uski

[uski]

Hi

Just wondering if Flir is watching this thread to see how good their "locked" firmware is and how fast it gets hacked!
Yes, I know they are watching.... just would like to know if they are testing "us" to see what they need to do to create the next "unhackable" firmware/hardware!
Would give almost anything to be a fly on Flir's walls!!!!

Speaking of myself I have absolutely, really absolutely no moral problem with this hack.
I was misinformed by the FLIR website itself when purchasing a Exx series camera a few weeks ago.
I contacted FLIR about it so that we could try to find a solution and they didn't want to do anything.
They just didn't care. They sold another TIC and it's all what matters for them. They have bad business practices.

This hacks allows me to get some justice in the end.

But we're not going to start this discussion all over again...