
Author Topic: FLIR E4 Wifi Resolution and Menu Hack Thread  (Read 13823 times)


Offline DaveWB

  • Regular Contributor
  • *
  • Posts: 110
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #100 on: September 12, 2017, 01:34:50 PM »
I know I was having issues getting the right .dll on there which I think might have led to some of the problems. I'll check my files and see what I have.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1798
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #101 on: September 12, 2017, 03:14:24 PM »
I don't have the 3.5.0 update package (nor could I find it on FLIR's site), so I can't get the NK.bin for 3.5.0 and disassemble applauncher.exe to see what exactly doACRC does. If someone knows a way to get it from the camera... I have limited knowledge about embedded device development (Windows CE even less) or cryptography. I wonder if the code calculates 2 CRC values and somehow closes the loophole, but I can only speculate.

@2lps: if you are still here - here is applauncher.exe extracted from nk.bin from v3.9.0

Or may be someone else could help with disassembling the doACRC routine to see what it does. This is beyond my capabilities and knowledge.

 

Offline DaveWB

  • Regular Contributor
  • *
  • Posts: 110
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #102 on: September 13, 2017, 06:37:31 AM »
Here is how you can switch between encrypted/decrypted conf files. You can try to decrypt, modify the resolution and encrypt again. I would try to decrypt it again, to verify it is working as expected.

http://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg948898/#msg948898
Thanks 2lps for that, I successfully decrypted the conf.cfc file by getting the suid. I changed the conf.cfg, and then used crc03.exe to find the CRC code, was this the correct process? After I added the CRC to the file and re-encrypted with cfccfg.py, I then lost MSX. I will play around a little more with it later.

The suid for the camera files from the original post is 22C7E4020050281A if anyone wants to play around with the files.
This is still the suid when I just ran the same command. I actually haven't messed with the cam in a while and didn't have menu features. I looked and saw the .cfc was 6436 bytes instead of 6608. Anyway, attached is my original backup of the unit, which includes the original conf.cfc and common_dll.dll, both of which I just applied to the camera, which brought all the stock menu functions back.
Link for backup: https://drive.google.com/file/d/0Bze3DIT8O9h0bzJYVTlIRngzcHM/view?usp=sharing
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1798
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #103 on: September 13, 2017, 04:16:02 PM »
Here is some yummy stuff : a copy of the Registry extracted from nk.bin v3.9.0

Of particular interest are a couple of sections:

Code:
[HKEY_LOCAL_MACHINE\init]
"Depend110"=hex:64,00
"Launch110"="autoloadcheck.exe"
"Depend111"=hex:64,00
"Launch111"="timeprint.exe"
"Depend97"=hex:1e,00,3c,00
"Launch97"="timeprint.exe"
"Depend25"=hex:14,00
"Launch25"="timeprint.exe"
"Launch03"="timeprint.exe"
"Depend100"=hex:1e,00,3c,00
"Launch100"="applauncher.exe"
"Depend60"=hex:14,00
"Launch60"="servicesStart.exe"
"Depend30"=hex:14,00
"Launch30"="gwes.dll"
"Launch20"="device.dll"

This gives the sequence in which the binaries are loaded during autostart. And the other:

Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\FLIR Systems\Applauncher]
"LaunchFileAlt"="\\FlashBFS\\system\\applaunch.dat"
"LaunchFile"="\\FlashFS\\system\\applaunch.dat"

specifies the startup configuration file.

Yeah baby, now we are talking... You software gurus out there, please tell if it is possible to tweak the Registry and repackage the nk.bin? It seems to only have a CRC as the integrity check.

Applaunch.dat is the startup configuration file where also CRC checks are performed on critical application files.  Altering applaunch.dat may not be the way to bypass it though, because the file itself is still signed. If we substitute it for a different dat file that new file has no signature, so most likely the boot process will fail.  But perhaps the Init section above may give a clue where to look to patch that signature check.

Calling for coding experts and standing by  :popcorn:

 
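How the Windows CE init process consumes that [HKEY_LOCAL_MACHINE\init] key, as an added worked example (my own code, not anything taken from the nk.bin or from FLIR): LaunchNN entries are started in ascending NN, each process receives its NN on the command line, and DependNN is a packed list of little-endian 16-bit sequence numbers the entry waits on until each of them has called SignalStarted(). That is the documented CE mechanism; the "(number) Automatic mode (OS internal)" usage string and the SignalStarted(dw) call in the applauncher.exe decompilation further down the thread are applauncher's side of the same handshake. The registry text below is the fragment posted above, embedded as constructed input; the function and variable names are mine.

```python
import re

# The [HKEY_LOCAL_MACHINE\init] fragment from the post above, embedded here as
# constructed input in .reg syntax (same values as posted, nothing added).
INIT_REG = r'''
[HKEY_LOCAL_MACHINE\init]
"Depend110"=hex:64,00
"Launch110"="autoloadcheck.exe"
"Depend111"=hex:64,00
"Launch111"="timeprint.exe"
"Depend97"=hex:1e,00,3c,00
"Launch97"="timeprint.exe"
"Depend25"=hex:14,00
"Launch25"="timeprint.exe"
"Launch03"="timeprint.exe"
"Depend100"=hex:1e,00,3c,00
"Launch100"="applauncher.exe"
"Depend60"=hex:14,00
"Launch60"="servicesStart.exe"
"Depend30"=hex:14,00
"Launch30"="gwes.dll"
"Launch20"="device.dll"
'''

LAUNCH_RE = re.compile(r'^"Launch(\d+)"="([^"]*)"', re.M)
DEPEND_RE = re.compile(r'^"Depend(\d+)"=hex:([0-9a-fA-F,]+)', re.M)


def parse_init_key(reg_text):
    """Return ({seq: exe}, {seq: [seqs it waits for]}).

    A DependNN value is a packed list of little-endian 16-bit sequence numbers,
    so 'hex:1e,00,3c,00' means 'wait for entries 30 and 60'."""
    launches = {int(n): exe for n, exe in LAUNCH_RE.findall(reg_text)}
    depends = {}
    for n, hexlist in DEPEND_RE.findall(reg_text):
        raw = bytes(int(b, 16) for b in hexlist.split(","))
        depends[int(n)] = [int.from_bytes(raw[i:i + 2], "little")
                           for i in range(0, len(raw) - 1, 2)]
    return launches, depends


def boot_order(launches, depends):
    """Start order as the CE init process applies it: ascending sequence number,
    each entry launched with its number on the command line and held until every
    entry in its Depend list has called SignalStarted() with its own number.
    Returns [(seq, exe, [seqs it waits for])]."""
    return [(seq, launches[seq], depends.get(seq, [])) for seq in sorted(launches)]


def unresolved_depends(launches, depends):
    """Dependencies on a sequence number that has no Launch entry.  Nothing will
    ever SignalStarted() for those, so this is the check to run after editing the key."""
    return sorted({d for deps in depends.values() for d in deps if d not in launches})


if __name__ == "__main__":
    launches, depends = parse_init_key(INIT_REG)
    for seq, exe, waits in boot_order(launches, depends):
        print("%3d  %-20s waits for %s" % (seq, exe, waits or "-"))
    print("unresolved:", unresolved_depends(launches, depends))
```

Read against the posted fragment, this says applauncher.exe (100) cannot start before gwes.dll (30) and servicesStart.exe (60) have signalled, and autoloadcheck.exe (110) and the final timeprint.exe (111) wait on applauncher.exe itself. unresolved_depends() is the thing to run before repackaging a modified registry: a Depend that names a sequence number with no Launch entry is never satisfied.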

Offline 2lps

  • Contributor
  • Posts: 28
  • Country: bg
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #104 on: September 14, 2017, 12:46:17 AM »
Here is some code from applauncher.exe, which deals with doing the CRC verification. It appears that I was right about doACRC in this post: http://www.eevblog.com/forum/thermal-imaging/flir-e4-wifi-resolution-and-menu-hack-thread/msg1181686/#msg1181686

applauncher.dat
Code:
# doCRC FlashBFS\system\common_dll.dll 1276928 1802841112
....
# doACRC FlashBFS\system\common_dll.dll 1276928 639260284


Code:
signed int __fastcall sub_11B68(const wchar_t *a1)
{
  const wchar_t *v1;
  signed int v2;
  signed int v3;
  DWORD v4;
  size_t v5;
  void *v6;
  FILE *v7;
  FILE *v8;
  const char *v9;
  char *v10;
  DWORD v11;
  int v12;
  const char *v13;
  char *v14;
  DWORD v15;
  int v16;
  size_t v18; // [sp+4h] [bp-34Ch]@7
  int v19; // [sp+8h] [bp-348h]@11
  char v20; // [sp+Ch] [bp-344h]@21
  char v21; // [sp+14h] [bp-33Ch]@12
  char v22; // [sp+30h] [bp-320h]@11
  WCHAR Buffer; // [sp+130h] [bp-220h]@12
  int v24; // [sp+330h] [bp-20h]@1

  v1 = a1;
  v24 = dword_161A0;
  v2 = 0;
  v3 = 0;
  v4 = sub_1181C(a1);
  v5 = v4;
  if ( !v4 )
    goto LABEL_2;
  v6 = operator new(v4 + 1);
  if ( !v6 )
  {
    sub_14994(v24);
    return 3;
  }
  *(_BYTE *)v6 = 0;
  v7 = wfopen(v1, L"rb");
  v8 = v7;
  if ( !v7 )
  {
    NKDbgPrintfW(L"verifyCRC - cannot open %s\r\n", v1);
LABEL_2:
    sub_14994(v24);
    return 1;
  }
  v18 = fread(v6, 1u, v5, v7);
  if ( v18 != v5 )
    v3 = 4;
  fclose(v8);
  v9 = (const char *)v6;
  while ( !v3 )
  {
    v10 = strstr(v9, "# doCRC ");
    if ( !v10 )
      break;
    v9 = v10 + 1;
    if ( sscanf(v10, "# doCRC %s %u %u", &v22, &v18, &v19) == 3 )
    {
      wsprintfW(&Buffer, L"%S", &v22);
      v11 = sub_1181C(&Buffer);
      sub_14250((int)&v21, 1);
      if ( v18 == v11 )
      {
        sub_125BC((int)&v21, &v22);
        v12 = sub_142B4((int)&v21, (int)&v18, 4u);
        if ( v12 != v19 )
        {
          NKDbgPrintfW(L"%S [CRC]\r\n", &v22);
          v3 = 5;
        }
      }
      else
      {
        NKDbgPrintfW(L"%S [size]\r\n", &v22);
        v3 = 6;
      }
      sub_12978(&v21);
    }
  }
  v13 = (const char *)v6;
  if ( v3 )
    goto LABEL_33;
  do
  {
    v14 = strstr(v13, "# doACRC ");
    if ( !v14 )
      break;
    v2 = 1;
    v13 = v14 + 1;
    if ( sscanf(v14, "# doACRC %s %u %u", &v22, &v18, &v19) == 3 )
    {
      wsprintfW(&Buffer, L"%S", &v22);
      v15 = sub_1181C(&Buffer);
      sub_12898((int)&v20, 0x4C11DB7);
      if ( v18 == v15 )
      {
        sub_125BC((int)&v20, &v22);
        v16 = sub_12844((int)&v20, &v18, 4);
        if ( v16 != v19 )
        {
          NKDbgPrintfW(L"%S [CRC]\r\n", &v22);
          v3 = 5;
        }
      }
      else
      {
        NKDbgPrintfW(L"%S [size]\r\n", &v22);
        v3 = 6;
      }
      sub_127AC(&v20);
    }
  }
  while ( !v3 );
  if ( !v2 )
LABEL_33:
    v3 = 7;
  operator delete(v6);
  sub_14994(v24);
  return v3;
}

Here are the functions 2 calls up the stack, where you can see when the integrity check is enforced:

    v18 = CreateFileW(L"FAD1:", 0, 0, 0, 3u, 0x80u, 0);
    if ( DeviceIoControl(v18, 0x800040C0, 0, 0, &OutBuf, 0x18u, 0, 0) )
    {
      if ( v35 )
      {
        // This is one liner, calling sub_11B68, where the CRC check is done.
        v4 = sub_11E1C(v15);
        NKDbgPrintfW(L"Integrity: %d\r\n", v4);
      }
      else
      {
        NKDbgPrintfW(L"No integrity check necessary\r\n");
      }
    }

Code:

BOOL __fastcall sub_11E1C(wchar_t *a1)
{
  wchar_t *v1;

  v1 = a1;
  return sub_11880(a1) && !sub_11B68(v1);
}

signed int __fastcall sub_11E5C(signed int a1, int a2)
{
  int v2;
  signed int v3;
  BOOL v4;
  bool v5;
  signed int v6;
  int v7;
  int v8;
  int v9;
  int v10;
  signed int v12;
  const char *v13;
  const wchar_t *v14;
  wchar_t *v15;
  FILE *v16;
  const char *v17;
  HANDLE v18;
  DWORD v19;
  HDC v20;
  FILE *v21;
  int v22;
  int v23;
  int v24; // [sp+18h] [bp-A70h]@1
  HKEY hKey; // [sp+1Ch] [bp-A6Ch]@1
  DWORD cbData; // [sp+20h] [bp-A68h]@3
  int v27; // [sp+24h] [bp-A64h]@7
  DWORD dw; // [sp+28h] [bp-A60h]@1
  DWORD Type; // [sp+2Ch] [bp-A5Ch]@22
  CHAR v30[4]; // [sp+30h] [bp-A58h]@51
  struct _PROCESS_INFORMATION v31; // [sp+34h] [bp-A54h]@49
  HANDLE hObjects; // [sp+44h] [bp-A44h]@49
  HANDLE v33; // [sp+48h] [bp-A40h]@51
  char OutBuf; // [sp+4Ch] [bp-A3Ch]@41
  int v35; // [sp+50h] [bp-A38h]@42
  wchar_t pszImageName; // [sp+64h] [bp-A24h]@57
  wchar_t Data[1024]; // [sp+264h] [bp-824h]@17
  int v38; // [sp+A64h] [bp-24h]@1

  v2 = a2;
  v3 = a1;
  v38 = dword_161A0;
  hKey = 0;
  v4 = 1;
  dw = 0;
  if ( !KernelIoControl(16850952, 0, 0, &v24) )
    goto LABEL_76;
  v5 = v24 == 1;
  if ( v24 == 1 )
    v5 = cbData == 4;
  if ( v5 )
    v6 = 1;
  else
LABEL_76:
    v6 = 0;
  v24 = v6;
  v7 = KernelIoControl(16850988, 0, 0, &v27);
  v8 = v24;
  v9 = v7;
  v10 = v7 && v27 && !v24;
  v27 = v10;
  if ( v3 < 2 )
  {
    printf("Usage: applauncher [options]\n-f <filename> Execute commands in file <filename>\n-r Execute file specified by registry setting.\n(number) Automatic mode (OS internal).\n");
    sub_14994(v38);
    return 1;
  }
  if ( v3 != 2 )
  {
    if ( v3 != 3 || wcscmp(L"-f", *(const wchar_t **)(v2 + 4)) )
    {
      v13 = "Bad Argument(s)! Use \"applauncher\" for help.\n";
      goto LABEL_72;
    }
    v14 = *(const wchar_t **)(v2 + 8);
    v12 = 0;
    wcscpy(Data, v14);
    goto LABEL_31;
  }
  if ( !wcscmp(L"-r", *(const wchar_t **)(v2 + 4)) )
  {
    v12 = 0;
  }
  else
  {
    swscanf(*(const wchar_t **)(v2 + 4), L"%[0-9]", &Data[512]);
    if ( wcscmp(&Data[512], *(const wchar_t **)(v2 + 4)) )
    {
      v13 = "Bad Argument! Use \"applauncher\" for help.\n";
      goto LABEL_72;
    }
    swscanf(*(const wchar_t **)(v2 + 4), L"%d", &dw);
    v12 = 1;
  }
  if ( !RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\FLIR Systems\\Applauncher", 0, 0, &hKey) )
  {
    cbData = 510;
    if ( RegQueryValueExW(hKey, L"LaunchFile", 0, &Type, (LPBYTE)Data, &cbData) )
      goto LABEL_39;
    if ( Type != 1 )
      goto LABEL_39;
    cbData = 510;
    if ( RegQueryValueExW(hKey, L"LaunchFileAlt", 0, &Type, (LPBYTE)&Data[256], &cbData) || Type != 1 )
      goto LABEL_39;
    RegCloseKey(hKey);
    v8 = v24;
LABEL_31:
    if ( v12 )
    {
      Sleep(0x64u);
      v8 = v24;
    }
    if ( v8 )
      goto LABEL_77;
    v15 = Data;
    v16 = wfopen(Data, L"r");
    if ( !v16 )
    {
      v15 = &Data[256];
      v16 = wfopen(&Data[256], L"r");
      if ( !v16 )
      {
        if ( !v12 )
        {
          v17 = "Failed to open the launch specification file. Aborting!\n";
LABEL_38:
          printf(v17);
LABEL_39:
          RegCloseKey(hKey);
          goto LABEL_73;
        }
        goto LABEL_40;
      }
    }
    fclose(v16);
    v18 = CreateFileW(L"FAD1:", 0, 0, 0, 3u, 0x80u, 0);
    if ( DeviceIoControl(v18, 0x800040C0, 0, 0, &OutBuf, 0x18u, 0, 0) )
    {
      if ( v35 )
      {
        v4 = sub_11E1C(v15);
        NKDbgPrintfW(L"Integrity: %d\r\n", v4);
      }
      else
      {
        NKDbgPrintfW(L"No integrity check necessary\r\n");
      }
    }
    else
    {
      v19 = GetLastError();
      NKDbgPrintfW(L"FAD call fails:%d hndl:%d err:%d\r\n", 0, v18, v19);
    }
    CloseHandle(v18);
    if ( v24 )
      goto LABEL_77;
    if ( !v9 )
      goto LABEL_78;
    if ( !v4 )
      goto LABEL_54;
    NKDbgPrintfW(L"APPLAUNCHER: Starting usb charge App \r\n");
    hObjects = CreateEventW(0, 0, 0, L"ChargeAppFinished");
    if ( CreateProcessW(L"ChargeApp.exe", 0, 0, 0, 0, 0, 0, 0, 0, &v31) && v27 )
    {
      *(_DWORD *)v30 = 2;
      v20 = CreateDCW(0, 0, 0, 0);
      CreateProcessW(L"cmd.exe", L"/R", 0, 0, 0, 0, 0, 0, 0, &v31);
      v33 = v31.hProcess;
      WaitForMultipleObjects(2u, &hObjects, 0, 0xFFFFFFFF);
      NKDbgPrintfW(L"APPLAUNCHER: Usb charging finished\r\n");
      ExtEscape(v20, 100037, 4, v30, 0, 0);
    }
    CloseHandle(v31.hProcess);
    CloseHandle(v31.hThread);
    if ( v24 )
    {
LABEL_77:
      CreateProcessW(L"cmd.exe", L"/R", 0, 0, 0, 0, 0, 0, 0, &v31);
    }
    else
    {
LABEL_78:
      if ( !v4 )
      {
LABEL_54:
        if ( !v12 )
        {
          v17 = "APPLAUNCHER: Refuses to run launch specification file. Aborting!\r\n";
          goto LABEL_38;
        }
LABEL_40:
        SignalStarted(dw);
        goto LABEL_39;
      }
      v21 = wfopen(v15, L"r");
      while ( !feof(v21) )
      {
        fwscanf(v21, L"%[\t\v\n\r\f]", &pszImageName);
        v22 = fwscanf(v21, L"%[^ #\t\v\n\r\f]", &pszImageName);
        v23 = fwscanf(v21, L"%[^#\t\v\n\r\f]", &Data[768]);
        if ( v22 > 0 && wcslen(&pszImageName) >= 1 )
        {
          if ( !v27 || wcsicmp(&pszImageName, L"cmd") )
          {
            if ( v23 <= 0 )
              CreateProcessW(&pszImageName, 0, 0, 0, 0, 0, 0, 0, 0, &v31);
            else
              CreateProcessW(&pszImageName, &Data[768], 0, 0, 0, 0, 0, 0, 0, &v31);
            continue;
          }
          NKDbgPrintfW(L"APPLAUNCHER: Not starting duplicate cmd.exe \r\n");
        }
        fwscanf(v21, L"%[^\t\v\n\r\f]", &pszImageName);
      }
    }
    if ( v12 )
      SignalStarted(dw);
    goto LABEL_73;
  }
  if ( !v12 )
  {
    v13 = "Failed to open registry settings. Aborting!\n";
LABEL_72:
    printf(v13);
  }
LABEL_73:
  sub_14994(v38);
  return 0;
}

Basically it is doing the old CRC verification (first checking the file size) and then another verification, which appears to be a CRC32, based on this:
sub_12898((int)&v20, 0x4C11DB7);

A quick check with Google for 0x04C11DB7 shows that it is the Normal Polynomial representation for CRC-32 (https://en.wikipedia.org/wiki/Cyclic_redundancy_check).

So in order for the old hack method to work, either the common_dll.dll patch should be made in such a way that it is not detected by both CRC checks (although both have weak points, I'm not sure how easy it is to circumvent both at the same time), or the applauncher.dat is modified to remove the doACRC lines (if it could be modified, we could have removed the old doCRC, so I guess this is not an easy option).

I don't have much knowledge and time for this, so this is the best I can do to help.
« Last Edit: September 14, 2017, 12:56:33 AM by 2lps »
 

Offline cricri103

  • Newbie
  • Posts: 4
  • Country: ca
  • Autozone
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #105 on: September 14, 2017, 02:05:44 AM »
Hello
I want to understand your work on the model
E4 2L 3.9.0

Is it possible to downgrade model 1.2L FW 3.9.0??

I succeeded in taking my E4 1.2L from 3.5.0 to 2.3.9 :-+

I want to know if I can do the same:
1.2L 3.9.0 to 2.3.0, is it possible?

 

Offline SamLowryBrazil

  • Newbie
  • Posts: 3
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #106 on: September 14, 2017, 07:56:13 AM »
I got a 2.0L 3.9.0 with WIFI and I am also curious about this.
 

Online Fraser

  • Super Contributor
  • ***
  • Posts: 6310
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #107 on: September 14, 2017, 08:21:14 AM »
Hardware 1.2L seems too early for FW 3.9 from the factory. It suggests maybe the camera had a firmware upgrade at some point in time. In the past, cameras that were upgraded with newer firmware were able to be returned to an older firmware as other countermeasures were not present in their file system. Without knowing the firmware that was originally installed in the HW1.2L camera when it was manufactured, it is hard to know which firmware it could be reverted to.

As has been stated in previous comments on this forum, if an attempt is made to revert the 2017 model E4 to an earlier firmware, it gets bricked! There appears to be an incompatibility between the 2017 bootloader or other software, and earlier firmware versions. A bricked E4 needs to be repaired by FLIR at a cost of approx 400 Euros.

Be careful trying to revert to earlier firmware, it can all go terribly wrong with no path back to where you started. Firmware reflashing is a very risky process, especially between hardware revisions.

Fraser
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1798
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #108 on: September 16, 2017, 02:18:32 PM »
Here is some code from applauncher.exe,

Thanks 2lps. I left you a personal message - can you pls check.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1798
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #109 on: Yesterday at 12:15:42 AM »

Not that I understand it fully (except that CRMD160 is the class that implements the RMD160 hash function (https://en.wikipedia.org/wiki/RIPEMD)). I guess FLIR have some implementation of it in applauncher.exe (I disassembled the code and found it). Also the crc03.exe (found in tools1.zip mentioned above) has some reproduction of it.

@2lps: Are you capable of lifting that CRMD160 code from applauncher and compiling an executable for experimenting (file name in, crc value out), or just the related code listing so someone else perhaps can help compile it into an executable? I tried different ways but was unsuccessful at reproducing the crc values from applaunch.dat. The CRC03.exe produces a different value.
I only need the stuff for the "# doCRC" part of it. For the second part, "# doACRC", I found a software to generate the same values as in the applaunch.dat.
 
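The two integrity loops 2lps decompiled in Reply #104, and the "file name in, crc value out" tool Bud asks for in Reply #109, as an added worked example that is not code from the thread, from crc03.exe or from FLIR's applauncher.exe. verify_launch_file() mirrors sub_11B68's control flow (size compared before anything is hashed, every "# doCRC" entry before the first "# doACRC" one, the same 5/6/7 return codes), crc32_param() is a CRC-32 with the 0x04C11DB7 polynomial and the four parameters the decompilation leaves open, so a reader can test candidate variants against a real doACRC value, and the doCRC digest is a pluggable function. Everything not visible in the decompilation is an assumption and is marked as such in the code: the variant table, the RIPEMD-160-truncated-to-four-bytes guess with little-endian byte order, the in-memory stand-in for the flash filesystem, and the sample file contents. No value from the posted applaunch.dat fragment has been reproduced here.

```python
import hashlib
import re
import struct

# The two kinds of entry sub_11B68 pulls out of the launch file with
#   sscanf(p, "# doCRC %s %u %u", path, &size, &value)  /  "# doACRC %s %u %u"
ENTRY_RE = re.compile(rb"# (doCRC|doACRC) (\S+) (\d+) (\d+)")


def reflect(value, width):
    """Bit-reverse the low `width` bits of `value` (for the reflected CRC variants)."""
    out = 0
    for i in range(width):
        if (value >> i) & 1:
            out |= 1 << (width - 1 - i)
    return out


def crc32_param(data, poly=0x04C11DB7, init=0xFFFFFFFF,
                refin=True, refout=True, xorout=0xFFFFFFFF):
    """Bit-serial CRC-32 in the Rocksoft parameter model.  The decompilation fixes
    only the polynomial (sub_12898(&v20, 0x4C11DB7)); init, input/output reflection
    and the final XOR are the unknowns that decide whether a value matches doACRC."""
    crc = init
    for byte in data:
        if refin:
            byte = reflect(byte, 8)
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    if refout:
        crc = reflect(crc, 32)
    return crc ^ xorout


# ASSUMPTION: common parameter sets for the 0x04C11DB7 polynomial.  Which one (if
# any) FLIR uses is not established in the thread; run find_crc32_variant() on a
# real (common_dll.dll, doACRC value) pair from a camera to find out.
CRC32_VARIANTS = {
    "CRC-32":        dict(init=0xFFFFFFFF, refin=True,  refout=True,  xorout=0xFFFFFFFF),
    "CRC-32/BZIP2":  dict(init=0xFFFFFFFF, refin=False, refout=False, xorout=0xFFFFFFFF),
    "CRC-32/MPEG-2": dict(init=0xFFFFFFFF, refin=False, refout=False, xorout=0x00000000),
    "CRC-32/POSIX":  dict(init=0x00000000, refin=False, refout=False, xorout=0xFFFFFFFF),
}


def find_crc32_variant(data, expected):
    """Name of the first variant whose CRC of `data` equals `expected`, else None."""
    for name, params in CRC32_VARIANTS.items():
        if crc32_param(data, **params) == expected:
            return name
    return None


def docrc_ripemd160_guess(data):
    """ASSUMPTION (Bud's reading of the CRMD160 class): the doCRC value is the first
    four bytes of a RIPEMD-160 digest, read little-endian.  Nobody in the thread has
    reproduced a real doCRC value, so treat this as a hypothesis to test.  Needs an
    OpenSSL build that still exposes ripemd160 through hashlib."""
    digest = hashlib.new("ripemd160", data).digest()
    return struct.unpack("<I", digest[:4])[0]


def verify_launch_file(launch_data, files, docrc_fn, doacrc_fn):
    """Mirror of sub_11B68.  `files` maps a path string to its bytes (an in-memory
    stand-in for the camera's flash).  Return codes follow the decompilation:
      0 = every entry passed, 5 = checksum mismatch, 6 = size mismatch,
      7 = no '# doACRC ' entry at all (the v2 flag never gets set)."""
    entries = ENTRY_RE.findall(launch_data)
    saw_acrc = False
    for kind, fn in ((b"doCRC", docrc_fn), (b"doACRC", doacrc_fn)):
        for k, path, size, value in entries:
            if k != kind:
                continue
            if kind == b"doACRC":
                saw_acrc = True
            data = files.get(path.decode(), b"")  # unreadable file -> size 0, like sub_1181C
            if len(data) != int(size):            # size is checked before hashing
                return 6
            if fn(data) != int(value):
                return 5
    return 0 if saw_acrc else 7


def make_launch_file(files, docrc_fn, doacrc_fn, with_acrc=True):
    """Constructed launch file in the '# doCRC/# doACRC path size value' layout of
    the applaunch.dat fragment quoted in the thread (not a real camera file)."""
    lines = [b"# constructed sample, not a real applaunch.dat"]
    for kind, fn in ((b"doCRC", docrc_fn), (b"doACRC", doacrc_fn)):
        if kind == b"doACRC" and not with_acrc:
            continue
        for path, data in files.items():
            lines.append(b"# %s %s %d %d" % (kind, path.encode(), len(data), fn(data)))
    return b"\r\n".join(lines) + b"\r\n"


# Constructed stand-in for the file named in the launch file; real contents unknown.
SAMPLE_FILES = {"FlashBFS\\system\\common_dll.dll": b"constructed sample contents"}
```

Two things the decompiled loop makes explicit and the example preserves: v2 is only set when a "# doACRC " entry is found and the function returns 7 otherwise, so a launch file with the doACRC lines stripped fails the integrity check regardless of the signature question; and the size comparison comes first, so a patched common_dll.dll that changes length is rejected before any checksum is computed. To identify FLIR's CRC variant, dump a camera's common_dll.dll together with its applaunch.dat and call find_crc32_variant(open(dll_path, "rb").read(), value) with the value from the matching "# doACRC" line; None means it is none of the four listed and the parameters need widening.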

