Author Topic: FLIR E4 Wifi Resolution and Menu Hack Thread  (Read 28878 times)

0 Members and 6 Guests are viewing this topic.

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1933
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #100 on: September 12, 2017, 03:14:24 PM »
I don't have the 3.5.0 update package (neither I could find it on FLIR's site), so can't get the NK.bin for 3.5.0 and dissasemble applauncher.exe to see what exactly doACRC does. If someone knows a way to get it from the camera... I have limited knowledge about embedded device development (WindowsCE even less) or cryptography. I wonder if the code calculates 2 CRC values and somehow closes the loophole, but I can only speculate.

@2lps: if you are still here - here is applauncher.exe extracted from nk.bin from v3.9.0

Or may be someone else could help with disassembling the doACRC routine to see what it does. This is beyond my capabilities and knowledge.

EDIT: I now feel comfortable to retract the last statement.  ::)

« Last Edit: October 04, 2017, 05:22:18 PM by Bud »
 

Offline DaveWB

  • Regular Contributor
  • *
  • Posts: 118
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #101 on: September 13, 2017, 06:37:31 AM »
Here is how you can switch between encyrpted/decrypted conf files. You can try to decrypt, modify the resolution and encrypt again. I would try to decrypt it again, to verify it is working as expected.

http://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg948898/#msg948898
Thanks 2lps for that, I successfuly decrypted the conf.cfc file by getting the suid. I changed the conf.cfg, and then uses crc03.exe to find the CRC code, was this the correct process? After I added the CRC to the file, re-encrypted with the cfccfg.py, I then lost MSX. I will play around a little more with it later.

The suid for the camera files from the original post is 22C7E4020050281A if anyone wants to play around with the files
This is still the suid when I just ran the same command. I actually haven't messed with the cam in awhile and didn't have menu features. I looked and saw the .cfc was 6436 instead of the 6608 bytes. Anyways, attached is my original backup of the unit which includes the original conf.cfc and common_dll.dll,  Both of which I just applied to the camera which brought the all the stock menu functions back.
Link for backup:https://drive.google.com/file/d/0Bze3DIT8O9h0bzJYVTlIRngzcHM/view?usp=sharing]
[url]https://drive.google.com/file/d/0Bze3DIT8O9h0bzJYVTlIRngzcHM/view?usp=sharing
[/url]
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1933
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #102 on: September 13, 2017, 04:16:02 PM »
Here is some yummy stuff : a copy of the Registry extracted from nk.bin v3.9.0

Of a particular interest are couple sections :

Code: [Select]
[HKEY_LOCAL_MACHINE\init]
"Depend110"=hex:64,00
"Launch110"="autoloadcheck.exe"
"Depend111"=hex:64,00
"Launch111"="timeprint.exe"
"Depend97"=hex:1e,00,3c,00
"Launch97"="timeprint.exe"
"Depend25"=hex:14,00
"Launch25"="timeprint.exe"
"Launch03"="timeprint.exe"
"Depend100"=hex:1e,00,3c,00
"Launch100"="applauncher.exe"
"Depend60"=hex:14,00
"Launch60"="servicesStart.exe"
"Depend30"=hex:14,00
"Launch30"="gwes.dll"
"Launch20"="device.dll"

Gives the sequence of loading of the binaries during autostart. And the other:

Code: [Select]
[HKEY_LOCAL_MACHINE\SOFTWARE\FLIR Systems\Applauncher]
"LaunchFileAlt"="\\FlashBFS\\system\\applaunch.dat"
"LaunchFile"="\\FlashFS\\system\\applaunch.dat"

specifies the startup configuration file .

Yeah baby now we are talking...  You software guru out there please tell if it is possible to tweak the Registry and repackage the nk.bin ?  It seems only have a crc as the integrity check.

Applaunch.dat is the startup configuration file where also CRC checks are performed on critical application files.  Altering applaunch.dat may not be the way to bypass it though, because the file itself is still signed. If we substitute it for a different dat file that new file has no signature, so most likely the boot process will fail.  But perhaps the Init section above may give a clue where to look to patch that signature check.

Calling for coding experts and standing by  :popcorn:

 

Offline 2lps

  • Contributor
  • Posts: 28
  • Country: bg
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #103 on: September 14, 2017, 12:46:17 AM »
Here is some code from applauncher.exe, which deals with doing the CRC verification. It appears that I was right about doACRC in this post: http://www.eevblog.com/forum/thermal-imaging/flir-e4-wifi-resolution-and-menu-hack-thread/msg1181686/#msg1181686

applauncher.dat
Code: [Select]
# doCRC FlashBFS\system\common_dll.dll 1276928 1802841112
....
# doACRC FlashBFS\system\common_dll.dll 1276928 639260284


Code: [Select]
signed int __fastcall sub_11B68(const wchar_t *a1)
{
  const wchar_t *v1; // [email protected]
  signed int v2; // [email protected]
  signed int v3; // [email protected]
  DWORD v4; // [email protected]
  size_t v5; // [email protected]
  void *v6; // [email protected]
  FILE *v7; // [email protected]
  FILE *v8; // [email protected]
  const char *v9; // [email protected]
  char *v10; // [email protected]
  DWORD v11; // [email protected]
  int v12; // [email protected]
  const char *v13; // [email protected]
  char *v14; // [email protected]
  DWORD v15; // [email protected]
  int v16; // [email protected]
  size_t v18; // [sp+4h] [bp-34Ch]@7
  int v19; // [sp+8h] [bp-348h]@11
  char v20; // [sp+Ch] [bp-344h]@21
  char v21; // [sp+14h] [bp-33Ch]@12
  char v22; // [sp+30h] [bp-320h]@11
  WCHAR Buffer; // [sp+130h] [bp-220h]@12
  int v24; // [sp+330h] [bp-20h]@1

  v1 = a1;
  v24 = dword_161A0;
  v2 = 0;
  v3 = 0;
  v4 = sub_1181C(a1);
  v5 = v4;
  if ( !v4 )
    goto LABEL_2;
  v6 = operator new(v4 + 1);
  if ( !v6 )
  {
    sub_14994(v24);
    return 3;
  }
  *(_BYTE *)v6 = 0;
  v7 = wfopen(v1, L"rb");
  v8 = v7;
  if ( !v7 )
  {
    NKDbgPrintfW(L"verifyCRC - cannot open %s\r\n", v1);
LABEL_2:
    sub_14994(v24);
    return 1;
  }
  v18 = fread(v6, 1u, v5, v7);
  if ( v18 != v5 )
    v3 = 4;
  fclose(v8);
  v9 = (const char *)v6;
  while ( !v3 )
  {
    v10 = strstr(v9, "# doCRC ");
    if ( !v10 )
      break;
    v9 = v10 + 1;
    if ( sscanf(v10, "# doCRC %s %u %u", &v22, &v18, &v19) == 3 )
    {
      wsprintfW(&Buffer, L"%S", &v22);
      v11 = sub_1181C(&Buffer);
      sub_14250((int)&v21, 1);
      if ( v18 == v11 )
      {
        sub_125BC((int)&v21, &v22);
        v12 = sub_142B4((int)&v21, (int)&v18, 4u);
        if ( v12 != v19 )
        {
          NKDbgPrintfW(L"%S [CRC]\r\n", &v22);
          v3 = 5;
        }
      }
      else
      {
        NKDbgPrintfW(L"%S [size]\r\n", &v22);
        v3 = 6;
      }
      sub_12978(&v21);
    }
  }
  v13 = (const char *)v6;
  if ( v3 )
    goto LABEL_33;
  do
  {
    v14 = strstr(v13, "# doACRC ");
    if ( !v14 )
      break;
    v2 = 1;
    v13 = v14 + 1;
    if ( sscanf(v14, "# doACRC %s %u %u", &v22, &v18, &v19) == 3 )
    {
      wsprintfW(&Buffer, L"%S", &v22);
      v15 = sub_1181C(&Buffer);
      sub_12898((int)&v20, 0x4C11DB7);
      if ( v18 == v15 )
      {
        sub_125BC((int)&v20, &v22);
        v16 = sub_12844((int)&v20, &v18, 4);
        if ( v16 != v19 )
        {
          NKDbgPrintfW(L"%S [CRC]\r\n", &v22);
          v3 = 5;
        }
      }
      else
      {
        NKDbgPrintfW(L"%S [size]\r\n", &v22);
        v3 = 6;
      }
      sub_127AC(&v20);
    }
  }
  while ( !v3 );
  if ( !v2 )
LABEL_33:
    v3 = 7;
  operator delete(v6);
  sub_14994(v24);
  return v3;
}

Here are the functions 2 calls up the stack, where you can see when the integrity check is enforced:

    v18 = CreateFileW(L"FAD1:", 0, 0, 0, 3u, 0x80u, 0);
    if ( DeviceIoControl(v18, 0x800040C0, 0, 0, &OutBuf, 0x18u, 0, 0) )
    {
      if ( v35 )
      {
        // This is one liner, calling sub_11B68, where the CRC check is done.
        v4 = sub_11E1C(v15);
        NKDbgPrintfW(L"Integrity: %d\r\n", v4);
      }
      else
      {
        NKDbgPrintfW(L"No integrity check necessary\r\n");
      }
    }

Code: [Select]

BOOL __fastcall sub_11E1C(wchar_t *a1)
{
  wchar_t *v1; // [email protected]

  v1 = a1;
  return sub_11880(a1) && !sub_11B68(v1);
}

signed int __fastcall sub_11E5C(signed int a1, int a2)
{
  int v2; // [email protected]
  signed int v3; // [email protected]
  BOOL v4; // [email protected]
  bool v5; // [email protected]
  signed int v6; // [email protected]
  int v7; // [email protected]
  int v8; // [email protected]
  int v9; // [email protected]
  int v10; // [email protected]
  signed int v12; // [email protected]
  const char *v13; // [email protected]
  const wchar_t *v14; // [email protected]
  wchar_t *v15; // [email protected]
  FILE *v16; // [email protected]
  const char *v17; // [email protected]
  HANDLE v18; // [email protected]
  DWORD v19; // [email protected]
  HDC v20; // [email protected]
  FILE *v21; // [email protected]
  int v22; // [email protected]
  int v23; // [email protected]
  int v24; // [sp+18h] [bp-A70h]@1
  HKEY hKey; // [sp+1Ch] [bp-A6Ch]@1
  DWORD cbData; // [sp+20h] [bp-A68h]@3
  int v27; // [sp+24h] [bp-A64h]@7
  DWORD dw; // [sp+28h] [bp-A60h]@1
  DWORD Type; // [sp+2Ch] [bp-A5Ch]@22
  CHAR v30[4]; // [sp+30h] [bp-A58h]@51
  struct _PROCESS_INFORMATION v31; // [sp+34h] [bp-A54h]@49
  HANDLE hObjects; // [sp+44h] [bp-A44h]@49
  HANDLE v33; // [sp+48h] [bp-A40h]@51
  char OutBuf; // [sp+4Ch] [bp-A3Ch]@41
  int v35; // [sp+50h] [bp-A38h]@42
  wchar_t pszImageName; // [sp+64h] [bp-A24h]@57
  wchar_t Data[1024]; // [sp+264h] [bp-824h]@17
  int v38; // [sp+A64h] [bp-24h]@1

  v2 = a2;
  v3 = a1;
  v38 = dword_161A0;
  hKey = 0;
  v4 = 1;
  dw = 0;
  if ( !KernelIoControl(16850952, 0, 0, &v24) )
    goto LABEL_76;
  v5 = v24 == 1;
  if ( v24 == 1 )
    v5 = cbData == 4;
  if ( v5 )
    v6 = 1;
  else
LABEL_76:
    v6 = 0;
  v24 = v6;
  v7 = KernelIoControl(16850988, 0, 0, &v27);
  v8 = v24;
  v9 = v7;
  v10 = v7 && v27 && !v24;
  v27 = v10;
  if ( v3 < 2 )
  {
    printf("Usage: applauncher [options]\n-f <filename> Execute commands in file <filename>\n-r Execute file specified by registry setting.\n(number) Automatic mode (OS internal).\n");
    sub_14994(v38);
    return 1;
  }
  if ( v3 != 2 )
  {
    if ( v3 != 3 || wcscmp(L"-f", *(const wchar_t **)(v2 + 4)) )
    {
      v13 = "Bad Argument(s)! Use \"applauncher\" for help.\n";
      goto LABEL_72;
    }
    v14 = *(const wchar_t **)(v2 + 8);
    v12 = 0;
    wcscpy(Data, v14);
    goto LABEL_31;
  }
  if ( !wcscmp(L"-r", *(const wchar_t **)(v2 + 4)) )
  {
    v12 = 0;
  }
  else
  {
    swscanf(*(const wchar_t **)(v2 + 4), L"%[0-9]", &Data[512]);
    if ( wcscmp(&Data[512], *(const wchar_t **)(v2 + 4)) )
    {
      v13 = "Bad Argument! Use \"applauncher\" for help.\n";
      goto LABEL_72;
    }
    swscanf(*(const wchar_t **)(v2 + 4), L"%d", &dw);
    v12 = 1;
  }
  if ( !RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\FLIR Systems\\Applauncher", 0, 0, &hKey) )
  {
    cbData = 510;
    if ( RegQueryValueExW(hKey, L"LaunchFile", 0, &Type, (LPBYTE)Data, &cbData) )
      goto LABEL_39;
    if ( Type != 1 )
      goto LABEL_39;
    cbData = 510;
    if ( RegQueryValueExW(hKey, L"LaunchFileAlt", 0, &Type, (LPBYTE)&Data[256], &cbData) || Type != 1 )
      goto LABEL_39;
    RegCloseKey(hKey);
    v8 = v24;
LABEL_31:
    if ( v12 )
    {
      Sleep(0x64u);
      v8 = v24;
    }
    if ( v8 )
      goto LABEL_77;
    v15 = Data;
    v16 = wfopen(Data, L"r");
    if ( !v16 )
    {
      v15 = &Data[256];
      v16 = wfopen(&Data[256], L"r");
      if ( !v16 )
      {
        if ( !v12 )
        {
          v17 = "Failed to open the launch specification file. Aborting!\n";
LABEL_38:
          printf(v17);
LABEL_39:
          RegCloseKey(hKey);
          goto LABEL_73;
        }
        goto LABEL_40;
      }
    }
    fclose(v16);
    v18 = CreateFileW(L"FAD1:", 0, 0, 0, 3u, 0x80u, 0);
    if ( DeviceIoControl(v18, 0x800040C0, 0, 0, &OutBuf, 0x18u, 0, 0) )
    {
      if ( v35 )
      {
        v4 = sub_11E1C(v15);
        NKDbgPrintfW(L"Integrity: %d\r\n", v4);
      }
      else
      {
        NKDbgPrintfW(L"No integrity check necessary\r\n");
      }
    }
    else
    {
      v19 = GetLastError();
      NKDbgPrintfW(L"FAD call fails:%d hndl:%d err:%d\r\n", 0, v18, v19);
    }
    CloseHandle(v18);
    if ( v24 )
      goto LABEL_77;
    if ( !v9 )
      goto LABEL_78;
    if ( !v4 )
      goto LABEL_54;
    NKDbgPrintfW(L"APPLAUNCHER: Starting usb charge App \r\n");
    hObjects = CreateEventW(0, 0, 0, L"ChargeAppFinished");
    if ( CreateProcessW(L"ChargeApp.exe", 0, 0, 0, 0, 0, 0, 0, 0, &v31) && v27 )
    {
      *(_DWORD *)v30 = 2;
      v20 = CreateDCW(0, 0, 0, 0);
      CreateProcessW(L"cmd.exe", L"/R", 0, 0, 0, 0, 0, 0, 0, &v31);
      v33 = v31.hProcess;
      WaitForMultipleObjects(2u, &hObjects, 0, 0xFFFFFFFF);
      NKDbgPrintfW(L"APPLAUNCHER: Usb charging finished\r\n");
      ExtEscape(v20, 100037, 4, v30, 0, 0);
    }
    CloseHandle(v31.hProcess);
    CloseHandle(v31.hThread);
    if ( v24 )
    {
LABEL_77:
      CreateProcessW(L"cmd.exe", L"/R", 0, 0, 0, 0, 0, 0, 0, &v31);
    }
    else
    {
LABEL_78:
      if ( !v4 )
      {
LABEL_54:
        if ( !v12 )
        {
          v17 = "APPLAUNCHER: Refuses to run launch specification file. Aborting!\r\n";
          goto LABEL_38;
        }
LABEL_40:
        SignalStarted(dw);
        goto LABEL_39;
      }
      v21 = wfopen(v15, L"r");
      while ( !feof(v21) )
      {
        fwscanf(v21, L"%[\t\v\n\r\f]", &pszImageName);
        v22 = fwscanf(v21, L"%[^ #\t\v\n\r\f]", &pszImageName);
        v23 = fwscanf(v21, L"%[^#\t\v\n\r\f]", &Data[768]);
        if ( v22 > 0 && wcslen(&pszImageName) >= 1 )
        {
          if ( !v27 || wcsicmp(&pszImageName, L"cmd") )
          {
            if ( v23 <= 0 )
              CreateProcessW(&pszImageName, 0, 0, 0, 0, 0, 0, 0, 0, &v31);
            else
              CreateProcessW(&pszImageName, &Data[768], 0, 0, 0, 0, 0, 0, 0, &v31);
            continue;
          }
          NKDbgPrintfW(L"APPLAUNCHER: Not starting duplicate cmd.exe \r\n");
        }
        fwscanf(v21, L"%[^\t\v\n\r\f]", &pszImageName);
      }
    }
    if ( v12 )
      SignalStarted(dw);
    goto LABEL_73;
  }
  if ( !v12 )
  {
    v13 = "Failed to open registry settings. Aborting!\n";
LABEL_72:
    printf(v13);
  }
LABEL_73:
  sub_14994(v38);
  return 0;
}

Basically it is doing the old CRC verification (first checks the file size) and then another verification, which appears to be a CRC32, based on this:
sub_12898((int)&v20, 0x4C11DB7);

A quick check with Google for 0x04C11DB7 shows that it is the Normal Polynomial representation for CRC-32 (https://en.wikipedia.org/wiki/Cyclic_redundancy_check).

So in order for the old hack method to work, either the common_dll.dll patch should be made in such a way that it is not detected by both CRC checks (although both have weak points, not sure how easy it is to circumvent both at the same time), or the applauncher.dat is modified to remove the doACRC lines (if can be modified, we could have removed the old doCRC, so I guess this is not an easy option)

I don't have much knowledge and time for this, so this is the best I can do to help.
« Last Edit: September 14, 2017, 12:56:33 AM by 2lps »
 

Offline SamLowryBrazil

  • Contributor
  • Posts: 21
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #104 on: September 14, 2017, 07:56:13 AM »
I got a 2.0L 3.9.0 with WIFI and I am also curious about this.
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 6663
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #105 on: September 14, 2017, 08:21:14 AM »
Hardware 1.2L seems too early for FW 3.9 from the factory. It suggests maybe the camera had a firmware upgrade at some point in time. In the past, cameras that were upgraded with newer firmware were able to be returned to an older firmware as other countermeasures were not present in their file system. Without knowing the firmware that was originally installed in the HW1.2L camera when it was manufactured, it is hard to know which firmware it could be reverted to.

As has been stated in previous comments on this forum. If an attempt is made to revert the 2017 model E4 to an earlier firmware, it gets bricked ! There appears to be an incompatability between the 2017 bootloader or other software, and earlier firmware versions. A bricked E4 needs to be repaired by FLIR at a cost of approx 400 Euros.

Be careful trying to revert to earlier firmware, it can all go terribly wrong with no path back to where you started. Firmware reflashing is a very risky process, especially between hardware revisions.

Fraser
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1933
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #106 on: September 16, 2017, 02:18:32 PM »
Here is some code from applauncher.exe,

Thanks 2lps. I left you a personal message - can you pls check.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1933
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #107 on: September 23, 2017, 12:15:42 AM »

Not that I understand it fully (except that CRMD160 is the class that implements the RMD160 hash function (https://en.wikipedia.org/wiki/RIPEMD). I guess FLIR have some implementation of it in the applauncher.exe (I disassembled the code and found it). Also the crc03.exe (found in tools1.zip mentioned above) has some reproduction of it.

@lps Are you capable of lifting that CRMD160  code from applauncher and compile an executable for experimenting (file name in, crc value out) , or just the related code listing so someone else perhaps can help compile into an executable?  I tried different ways but I was unsuccessful to reproduce the crc values from applaunch.dat. The CRC03.exe  produces a different value.
I only need the stuff for the "#do CRC" part of it.  For the second part "#do ACRC" I found a software to generate the same values as in the applaunch.dat
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1933
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #108 on: October 04, 2017, 05:45:30 PM »
Pwned !!!

 v3.5.0 is now history  :box:

There is first successfully updated camera out there. Someone may post pictures soon.  :popcorn:
 

Offline Chanc3

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #109 on: October 04, 2017, 06:04:15 PM »
Pwned !!!

 v3.5.0 is now history  :box:

There is first successfully updated camera out there. Someone may post pictures soon.  :popcorn:
Great news! I can start keeping an eye out for a new version for cheap then!

Well done all!
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 6663
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #110 on: October 04, 2017, 09:47:19 PM »
Does the new approach permit the addition of the extended menu's as well as the upgrade of the resolution ? I can certainly recommend the added menu's that provide some very useful functionality in the E8+ configuration.

Fraser
« Last Edit: October 04, 2017, 09:49:07 PM by Fraser »
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1933
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #111 on: October 05, 2017, 12:47:17 AM »
Do not know yet about extending the menu, i do not have a 2017 camera to work with. The res work was done in blind mode with test information sent to an other person who had one.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1933
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #112 on: October 05, 2017, 02:39:00 PM »
Based on your earlier post you downgraded from 3.5.0 to 2.3.0. You are not running 3.5.0 firmware.
 

Offline BOGET

  • Contributor
  • Posts: 23
  • Country: tw
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #113 on: October 07, 2017, 01:20:08 AM »
Downgrade will NOT work.

It will brick the camera !!! It is because of hardware 2.0. The camera will than be stuck in bootloader mode.

so DO NOT try to downgrade on hardware 2.0.


regards

Pwned !!!

 v3.5.0 is now history  :box:

There is first successfully updated camera out there. Someone may post pictures soon.  :popcorn:


Ooh! is that real?

Sorry that I have a little doubts.

Are you sure that you can actually downgrade the FW 3.x 2.0L to 2.x 1.2L ?
« Last Edit: October 07, 2017, 03:16:53 PM by BOGET »
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1933
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #114 on: October 07, 2017, 01:59:19 AM »
No i am not sure, because this is not what iam doing. I am not downgrading the fw version, i am working with the 3.5.0 itself.
 

Offline BOGET

  • Contributor
  • Posts: 23
  • Country: tw
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #115 on: October 07, 2017, 02:27:52 PM »
Hi,

So you mean that your camera FW version is original 3.5.0 2.0L,

and the Res has been succeeded hack, right?   :clap:
 

Offline cricri103

  • Newbie
  • Posts: 4
  • Country: ca
  • Autozone
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #116 on: October 07, 2017, 04:30:25 PM »
Hello Bud
you can confirm the hack fw 3.5.0
 with a picture !!!
 

Offline BOGET

  • Contributor
  • Posts: 23
  • Country: tw
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #117 on: October 07, 2017, 09:30:16 PM »
I'm trying to hack wifi version via eeprom at service menu, but the password is not 1235 anymore.
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 6663
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #118 on: October 08, 2017, 12:34:03 AM »
BOGET,

Just as well.... you really do not want to mess with that EEPROMS contents. It has not previously needed any changes as it does not enable hacking, just unit serial number and model details. Messing with its contents can seriously effect your cameras health !

Fraser
 

Offline BOGET

  • Contributor
  • Posts: 23
  • Country: tw
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #119 on: October 08, 2017, 05:47:01 AM »
It ain't that bad,

If you can modify the camera part number to E8,

you might be able to upgrade it's resolution to E8 in normal way by using(deceive) flir tools,

you don't even to hack it.
« Last Edit: October 08, 2017, 05:49:02 AM by BOGET »
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 6663
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #120 on: October 08, 2017, 06:04:00 AM »
Note normal firmware upgrades do not modify the key configuration files so FLIRTools would not upgrade the configuration files for you. The configuration files would hold the camera at E4 resolution.

Previous, very knowledgeable, hackers of the camera have warned against messing around with the contents of the EEPROM. They had concerns, though I know not what they are.

Fraser
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 1933
  • Country: ca
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #121 on: October 11, 2017, 07:16:30 PM »
I think I did a little better and went after v3.9.0  ::)

I am still working on it but a proof of concept is attached. The 2017 version has joined the club  :-+

Those who want to give themselves a nice Christmas present may want to go and grab the 3.9.0 update pack (a link was posted somewhere in this or E4 teardown thread) in case it gets pulled from the Net.
« Last Edit: October 12, 2017, 08:49:30 AM by Bud »
 
The following users thanked this post: SamLowryBrazil, Squawk

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 6663
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #122 on: October 11, 2017, 09:22:00 PM »
Excellent work  :-+

Fraser
 

Offline JanHenrik

  • Contributor
  • Posts: 13
  • Country: de
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #123 on: October 11, 2017, 10:22:49 PM »
Very nice!  :-+
 

Offline SamLowryBrazil

  • Contributor
  • Posts: 21
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #124 on: October 12, 2017, 12:15:43 AM »
I gather this is great news, but I don't know how great because I am a noob!
Does it mean that my 2017 Wifi E4 can be hacked?
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf