Poll

Has the hackability of the E4 made you buy one:

Yes, I was already looking at the competition at a similar price, but the hack swung it to E4
274 (27.9%)
Yes, I'd not considered buying a TIC before, but 320x240 resolution at this price justifies it (as either tool or toy!)
444 (45.3%)
Yes, I was going to buy an E5/6/8 class of unit but will now get the E4
49 (5%)
No, but am looking out for a cheap i3 to hack
50 (5.1%)
Not yet, but probably will now that a closed-box hack is possible
164 (16.7%)

Total Members Voted: 803

Author Topic: Flir E4 Thermal imaging camera teardown  (Read 3790087 times)


Offline pomonabill221

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: us
Re: Flir E4 Thermal imaging camera teardown
« Reply #4250 on: March 11, 2014, 04:59:55 am »
@Artemio: One possibility would be to disable or disconnect every network connection of your machine and only reconnect the camera. Then the camera should set up its default IP address.
Another possibility is to do things step by step.
- Enable RNDIS via the hidden menu
- Connect the camera to the computer
- Look for the FLIR network interface
- Look at the details of the FLIR network interface, especially its default gateway. This is the address you have to connect to. I've never paid attention to the IP address of my computer but I think it's possible that it changes, but that doesn't matter. You only need the address of the default gateway. Maybe you could post a screenshot of the network interface details.
- Try to connect to the default gateway from one step earlier. I've never tried to ping the camera so I have no idea if it's even possible.

The fact that FLIRInstallNet shows the camera as "Local Area Connection 6" is a bit confusing. Also the IP range shown in your screenshot doesn't look right. 169.254.109.244 seems to be an automatically assigned address by the client because it didn't receive an IP address from the DHCP server. Maybe some security software blocking the communication?
And do you have FLIRInstallNet opened while you try to connect via FTP? I also never tried that, so I don't know if it works or not.
OOPS... ya beat me to it!  plus I didn't read the whole thread... thanks for verifying this for me also!
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4251 on: March 11, 2014, 07:09:34 am »
Anybody checked the changes in version 1.22.0?

http://support.flir.com/SwDownload/app/RssSWDownload.aspx?ID=196

FLIR Ex (1.22.0) Update Pack   
Last Updated: March 10, 2014

If Flir can fast update the version, we should wait some time before publishing the new hack

edit:
winmerge differences in new version see here
https://www.eevblog.com/forum/testgear/flir-e4-thermal-imaging-camera-teardown/msg403163/#msg403163

Offline cboles

  • Newbie
  • Posts: 2
Re: Flir E4 Thermal imaging camera teardown
« Reply #4252 on: March 11, 2014, 07:10:07 am »
Here is another conf.cfc along with its xor'd version from a 1.21 E4 I just picked up.
 

Offline Rainer

  • Regular Contributor
  • *
  • Posts: 54
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4253 on: March 11, 2014, 08:01:55 am »
Big question is: is the new firmware done to disable the new patched firmware or is this done for some new features and bugfixing? It is possible to get a new hardware-based encryption method, but: I have sometimes a rotating display when startup with USB on the device. So I think, if this is a software bug, this could happen to many other users of this new firmware and Flir changed some startup setting in the FPGA "display unit" to fix this.


(Since the actual patch, I had this effect not anymore. But I tested only one day...)
« Last Edit: March 11, 2014, 08:06:54 am by Rainer »
 

Offline ds

  • Contributor
  • Posts: 18
Re: Flir E4 Thermal imaging camera teardown
« Reply #4254 on: March 11, 2014, 08:07:53 am »
So far there are two confirmations that the modified config files work.
I would like to have two more, just to be sure, before releasing
the code.

@Viss

Here is your modified config file.

Please replace "FlashFS\system\appcore.d\config.d\conf.cfc" with
the new one, cold-boot and report about the result. Thanks.
 

Offline ds

  • Contributor
  • Posts: 18
Re: Flir E4 Thermal imaging camera teardown
« Reply #4255 on: March 11, 2014, 08:09:02 am »
@cboles

And here is your modified config file.

Please replace "FlashFS\system\appcore.d\config.d\conf.cfc" with
the new one, cold-boot and report about the result. Thanks.
 

Offline Artemio

  • Contributor
  • Posts: 10
Re: Flir E4 Thermal imaging camera teardown
« Reply #4256 on: March 11, 2014, 08:10:23 am »
You said the port is closed, does that mean you tried it or are just using portscan info? If you click on my name and then view my posts and answers that were given you may find the answer to your problem. Whatever you try, after each time pull the battery and reconnect the USB cable before you try something else or you will miss whatever it is.

I did both, and on several machines. Now including the one at home that makes it 4, and three of them were new installations, the last one tested with no network connection at all.

Every time reconnecting and taking the battery away, this last time for several hours.

I am afraid it is simply that the camera is not starting any network service.


Do you use the RNDIS-only setting or the combined MSD_UVC_RNDIS mode? The combined mode doesn't work well and can cause your problem. Best is to use the RNDIS-only mode and in the driver, you can set the TIC storage (the IFS part) as a network drive.

In the TIC menu (Storage Settings) you can set the TIC back to factory settings.

Yes, rndis-only, I ended up testing the other modes out of desperation.

I did access the reset that is under "Settings->Device Settings->Reset Options->Reset device settings" and it does nothing to help me out. I can't find a storage settings option, where is that located?

 

Offline cboles

  • Newbie
  • Posts: 2
Re: Flir E4 Thermal imaging camera teardown
« Reply #4257 on: March 11, 2014, 08:21:11 am »
It works! The resolution change was immediately noticeable. Is there anything else you would like me to check specifically?

@cboles

And here is your modified config file.

Please replace "FlashFS\system\appcore.d\config.d\conf.cfc" with
the new one, cold-boot and report about the result. Thanks.
 

Offline Artemio

  • Contributor
  • Posts: 10
Re: Flir E4 Thermal imaging camera teardown
« Reply #4258 on: March 11, 2014, 08:28:00 am »
It worked!

I finally got FTP running again. After writing the last post, I did a reset again, rebooted the camera and changed the USB mode to RNDIS+MSD, and it recognized it and worked again!

I updated and finally can see the resolution change, thanks a lot for your help.

« Last Edit: March 11, 2014, 08:57:27 am by Artemio »
 

Offline ds

  • Contributor
  • Posts: 18
Re: Flir E4 Thermal imaging camera teardown
« Reply #4259 on: March 11, 2014, 09:32:09 am »
@cboles

Thanks for trying it out, I think if the resolution change worked everything
else should be fine.

-----------------------------------------------------------------------

Appended is a ZIP file with the tools (source code plus Windows binaries)

The tools are for Windows and have to be used from the command line.

First of all there is no guarantee and you have to know what you
are doing. Please also be aware that I won't give support for any
problems you might have when trying it out or if it does not work
for you.

The ZIP file contains tnt's slightly modified CRC tool to calculate
the new CRC03. There is another tool to "unprotect" and "protect" the
configuration file.

Here are the steps:

- "unprotect" the protected configuration file:

   ftool.exe -d conf.cfc conf_plain.txt

   You will get the plain config file in "conf_plain.txt". The tool
   will display the SUID, you will need it later for protecting
   the plain config again. The output looks like this (this is just
   an example):

  SUID: 0x181A8800 0x02D54B2A 


- Apply any modification you need to the plain config file "conf_plain.txt".

  If you don't know what to modify you could use the configuration template
  "conf_template.cfg" from the ZIP file and replace "xxxxxxxx" with the ID
  of your device.
 

- Calculate the new CRC03, be sure to first remove the last line in
  "conf_plain.txt" beginning with "# CRC03" before calculating the new
  CRC03:

  crc03.exe conf_plain.txt

  The output looks like this:

  Add the following line to the .cfg file :
  # CRC03 a78cd4f5

  Add the new CRC03, be sure to take care of the final CR+LF.


- Protect the modified config file, you need the SUID displayed when
  unprotecting the original config file:

  ftool.exe -e conf_plain.txt conf_new.cfc 0x181A8800 0x02D54B2A   

  Be sure to take your SUID displayed when unprotecting your configuration
  file and not the one above, it won't work otherwise.

  Rename the new, protected config file "conf_new.cfc" to "conf.cfc",
  and replace "FlashFS\system\appcore.d\config.d\conf.cfc", cold-start
  and you are done.


If anyone wants to take the source code and create a more user-friendly
GUI tool feel free to do so. The code of the (un)protection tool is not optimized
or especially cleaned up to make it more readable, however there are some comments
inside and it should not be too hard with some C knowledge to understand how it
works.
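
The CRC trailer in the steps above is an integrity check that anyone holding the plain file can recompute. The following added example (not code from this thread or from ds's tools) contrasts such a trailer with a keyed MAC on a constructed config; the trailer names, key and sample body are assumptions, and zlib's CRC-32 stands in for CRC03, whose algorithm is not given on this page.

```python
import hashlib
import hmac
import zlib

CRC_PREFIX = b"# CRC32 "  # assumed trailer name; zlib CRC-32 stands in for CRC03
MAC_PREFIX = b"# HMAC "   # assumed keyed trailer, not a format from the thread

# Constructed sample body with CR+LF line endings.
BODY = (b".caps.config.wlan entry\r\n"
        b".caps.config.wlan.enabled bool false\r\n"
        b"# ID 00000000\r\n")
VENDOR_KEY = b"constructed-demo-key"  # constructed; never stored in the file


def split_trailer(blob, prefix):
    """Split off the final CR+LF-terminated line and return (body, value)."""
    if not blob.endswith(b"\r\n"):
        raise ValueError("missing final CR+LF")
    body, sep, last = blob[:-2].rpartition(b"\r\n")
    if not sep or not last.startswith(prefix):
        raise ValueError("trailer line not found")
    return body + b"\r\n", last[len(prefix):].decode("ascii")


def seal_crc(body):
    return body + CRC_PREFIX + b"%08x" % zlib.crc32(body) + b"\r\n"


def check_crc(blob):
    try:
        body, value = split_trailer(blob, CRC_PREFIX)
    except ValueError:
        return False
    return value == "%08x" % zlib.crc32(body)


def seal_mac(body, key):
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + MAC_PREFIX + tag + b"\r\n"


def check_mac(blob, key):
    try:
        body, value = split_trailer(blob, MAC_PREFIX)
    except ValueError:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(value, expected)


def demo():
    edited = BODY.replace(b"bool false", b"bool true")
    # Unkeyed checksum: whoever edits the body can also recompute the trailer.
    crc_after_edit = check_crc(seal_crc(edited))
    # Keyed MAC: without the key, an editor can only carry over the old tag.
    _, old_tag = split_trailer(seal_mac(BODY, VENDOR_KEY), MAC_PREFIX)
    stale = edited + MAC_PREFIX + old_tag.encode("ascii") + b"\r\n"
    return {
        "crc_original": check_crc(seal_crc(BODY)),
        "crc_after_edit": crc_after_edit,
        "mac_original": check_mac(seal_mac(BODY, VENDOR_KEY), VENDOR_KEY),
        "mac_after_edit": check_mac(stale, VENDOR_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

A symmetric key stored on the device can be extracted like any other secret in its firmware; verifying a public-key signature on the device keeps the signing key off it.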

 

Offline Viss

  • Newbie
  • Posts: 4
Re: Flir E4 Thermal imaging camera teardown
« Reply #4260 on: March 11, 2014, 10:04:14 am »
Worked like a champ!
« Last Edit: March 11, 2014, 10:06:06 am by Viss »
 

Offline tsg

  • Newbie
  • Posts: 5
Re: Flir E4 Thermal imaging camera teardown
« Reply #4261 on: March 11, 2014, 10:24:10 am »
wow! You guys are cool.
I am still waiting for my 1.21 (supposed to be delivered today/tomorrow) but guess there is no need for additional data..
FLIR guys must be chewing their hats
 

Offline informer

  • Newbie
  • Posts: 2
Re: Flir E4 Thermal imaging camera teardown
« Reply #4262 on: March 11, 2014, 12:40:59 pm »
Hello everyone,

please keep in mind, that the user JAKAMIL is one of cunning boys which benefits from this hack. His name is Kamil Psenicka (alias Jakamil) www.termoelektro.cz, from the Czech republic. He takes about 730 EUR (1013 USD) for this 5 min modification and it is for him a big business. Is possible to add a license agreement, that this hack is only for personal and non-commercial use?
It is sad that someone such benefits from the knowledge of anyone else who provides free hack. Have a nice day,

John
 

Offline stefbeer

  • Regular Contributor
  • *
  • Posts: 57
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #4263 on: March 11, 2014, 12:43:45 pm »
Regarding the new 1.22.0 firmware:

If you compare the 1.21.0 and the 1.22.0 , the only major difference is the fpga.bin . As mike stated earlier, it's not really a possibility to reverse engineer the file. So what would be the easiest thing to do? Just trying it out and see what it does.

My initial thought was to take a camera with firmware 1.21.0 and just switch the fpga.bin . But then I remembered that FlashBFS/system/kits.d/appkit.rev contained the size and a CRC32 checksum of the file. So that file also needs to be adjusted.
And now, while writing this, I also noticed something. The appkit.rev from above also contains the file size and a CRC32 checksum of FlashBFS/system/ui.d/facet_z3.rcc which we already modified for Tauchers menu hack. And nothing complained about the non-matching size or checksum. So maybe this could be ignored?

Anyway, my question is now: Would it be safe to take a camera with firmware 1.21.0 and switch the fpga.bin to the one from firmware 1.22.0, reboot the thing and check if the hack still works?
I hardly know anything about FPGAs, so I don't know what it could do (like modifying the bootloader, setting a flag in the EEPROM, ... Might sound a bit extreme but I really don't know or understand much about the internal structure). And would it be possible to switch back to the original one if it doesn't behave as we expected?


@ds: Really awesome work!  :)
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 6693
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Flir E4 Thermal imaging camera teardown
« Reply #4264 on: March 11, 2014, 12:51:36 pm »
Don't really see the problem with people doing this for money.
Just make it as easy and fast as possible so people can cut out the middlemen.
If they want to pay these middlemen that's their prerogative.

Alternatively, if a bootloader/applauncher mod is required, forcefully include a link to eevblog forum and "Easy/Free E4 hacking by <authors>"
« Last Edit: March 11, 2014, 12:57:23 pm by tom66 »
 

Online mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13734
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #4265 on: March 11, 2014, 01:40:02 pm »
Regarding the new 1.22.0 firmware:


Anyway, my question is now: Would it be safe to take a camera with firmware 1.21.0 and switch the fpga.bin to the one from firmware 1.22.0, reboot the thing and check if the hack still works?
I hardly know anything about FPGAs, so I don't know what it could do (like modifying the bootloader, setting a flag in the EEPROM, ... Might sound a bit extreme but I really don't know or understand much about the internal structure). And would it be possible to switch back to the original one if it doesn't behave as we expected?

Hard to say without knowing what the differences are. IMO any permanent issues are unlikely.
Bear in mind that most of what the FPGA is doing is signal processing of the image data, and as we know that it is being loaded by the processor at boot time, so it is not doing anything that would stop it booting, however the firmware will be interacting with it to some extent, and it is probable that it will be doing a version check for compatibility, and apart from that, if the interface to the host has changed it may fail to work or crash. 
Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline informer

  • Newbie
  • Posts: 2
Re: Flir E4 Thermal imaging camera teardown
« Reply #4266 on: March 11, 2014, 01:50:52 pm »
Alternatively, if a bootloader/applauncher mod is required, forcefully include a link to eevblog forum and "Easy/Free E4 hacking by <authors>"

Yes, this is certainly one way - to highlight the deceived people paying for something that is free. Maybe other forum members can find more effective ways out of the game these immoral people.
 

Offline tsg

  • Newbie
  • Posts: 5
Re: Flir E4 Thermal imaging camera teardown
« Reply #4267 on: March 11, 2014, 02:10:44 pm »
I would suggest that modding tools are not to be put on the open thread.
I would setup a MOD group that could supply the files for each camera on request against a donation/fee that would benefit the forum or the MOD group. That way any commercial activity can be identified and dealt with at MOD's discretion.

I can only speak for myself and I am not associated with any of the developers on this forum or FLIR nor I am involved in sale of FLIR devices.
 

Offline bookaboo

  • Frequent Contributor
  • **
  • Posts: 727
  • Country: ie
Re: Flir E4 Thermal imaging camera teardown
« Reply #4268 on: March 11, 2014, 02:18:28 pm »
I'm not sure what the final outcome was, but wasn't there someone who got a unit bricked while helping out? I think they should get a few donations if they can't get their unit repaired under warranty.

Also agree those that put in the work should have some form of recognition or at least a means whereby people can chip in a donation to them or their chosen charity.
« Last Edit: March 11, 2014, 02:26:21 pm by bookaboo »
 

Offline Pauloven

  • Contributor
  • Posts: 18
Re: Flir E4 Thermal imaging camera teardown
« Reply #4269 on: March 11, 2014, 02:24:38 pm »
I think that the easiest way to destroy the thermal upgrade business on eBay is that we massively post ads "selling" the info posted in the offer at 1ct. Pointing to this thread or forum and explaining that they can upgrade their cams by investing 1-3 hours. Explaining that if they buy a 2000€ thermal upgraded E4, once sent for recalibration it will be downgraded etc...
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 6693
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Flir E4 Thermal imaging camera teardown
« Reply #4270 on: March 11, 2014, 02:30:47 pm »
It's free to list on eBay below £1.00 so that could work, but eBay might frown upon it.
 

Offline Nemonic

  • Contributor
  • Posts: 20
Re: Flir E4 Thermal imaging camera teardown
« Reply #4271 on: March 11, 2014, 02:44:03 pm »
There's nothing anyone can do about some guy on the street offering the upgrade for a fee to someone who doesn't know any better. I strongly disagree with being deceptive and charging people for a service you know is free and simple, but if they're not being dishonest and everyone's aware and they still want to do it for a small fee, don't see the issue.

Restricting access to the tools and information will if anything breed a "for a fee" upgrade business. The info and tools will leak but fewer people will have access to avoid the "for a fee". It would also make the accomplishments achieved in this thread more difficult or impossible.

I don't really see why this is the forum's concern either. This forum seems to be based on the principle of helping get information out there, publicly available and its members helping each other. Based on everything I've seen in this thread that's exactly what is happening and it's great to see such an open helpful community achieving such great things.

@ds
Looked at your code, seems pretty straight forwards to port to me. Regarding the
    #define XOR_SECRET  "Any probable_VAL!"
Is this of no consequence or should some constant val be inserted here before compilation?
 

Offline uski

  • Frequent Contributor
  • **
  • Posts: 295
  • Country: us
Re: Flir E4 Thermal imaging camera teardown
« Reply #4272 on: March 11, 2014, 02:55:38 pm »
Hi,

For those of you with an E30(bx) (not E4) PN 40xxx-xxxx with firmware 2.23.14, you can add Bluetooth by :
- Adding a cheap USB bluetooth dongle (there's the bluetooth USB driver in the OS), see the attached picture
- Modify the \FlashFS\system\services.d\config.d\conf.cfg to enable Bluetooth :

--------------------
#
# Appservices wlan configuration
#
.caps entry
.caps.config entry
.caps.config.name text "srvs E60"
.caps.config.revision text "0.10"
.caps.config.wlan entry
.caps.config.wlan.enabled bool true
.caps.config.bluetooth entry
.caps.config.bluetooth.enabled bool true
# ID 49xxxxxx
# CRC01 xxxxxxxx
--------------------

And voila it should work. I say it should because I don't have any MeterLink compatible device to test. But it shows the Bluetooth icon, allows me to turn it off/on and the LED pattern on the Bluetooth dongle changes accordingly, and I can start a scan.
The Bluetooth feature allows you to link some MeterLink compatible meters to add data directly into the IR images OSD (current, humidity, ...). http://www.extech.com/meterlink/

About Wifi ? Well I found out that the chipset used must be 88W8688 (it's a combination bluetooth/wifi chip).
The bad news is that it's SDIO only, which means a module must be soldered onto the PCB. I didn't open the camera yet but I suspect the module is not there (or if it's there it's disabled either by hardware or software).

If I have an opportunity to open the camera, I'll try to see if the module is there and if no, I'll try to find where to buy it.
I think it's extremely likely that FLIR is using an off the shelf module.

---

Another option is to add the driver of a USB Wifi dongle. Several manufacturers publish compatible drivers. But I'm not familiar with WinCE enough to do that. Can anyone help me out with this ? Thanks.
« Last Edit: March 11, 2014, 03:50:55 pm by uski »
 

Offline all_repair

  • Frequent Contributor
  • **
  • Posts: 716
Re: Flir E4 Thermal imaging camera teardown
« Reply #4273 on: March 11, 2014, 03:07:16 pm »
....

Restricting access to the tools and information will if anything breed a "for a fee" upgrade business. The info and tools will leak but fewer people will have access to avoid the "for a fee". It would also make the accomplishments achieved in this thread more difficult or impossible.

I don't really see why this is the forum's concern either. This forum seems to be based on the principle of helping get information out there, publicly available and its members helping each other. Based on everything I've seen in this thread that's exactly what is happening and it's great to see such an open helpful community achieving such great things.


First, it is not a small Fee.

And is it ok or not, is not for you or me to say.  It is for those who have put in the time and efforts doing the hack to say.  And they have spoken loudly. 
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2051
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #4274 on: March 11, 2014, 03:15:37 pm »
It's free to list on eBay below £1.00 so that could work, but eBay might frown upon it.
Who the hell cares, I frown upon ebay. Perfect symmetry. I like the idea. :)
 

