Author Topic: FLIR E75 Upgrade to E95  (Read 1885 times)

0 Members and 1 Guest are viewing this topic.

Offline DaveWB

  • Regular Contributor
  • *
  • Posts: 133
FLIR E75 Upgrade to E95
« on: March 03, 2018, 06:25:39 am »
Currently have an E75 on loan, man is it sweet compared to an upgraded E4, using this was my first time hearing about/using the UltraMax feature. Only downside to the camera is it's 7x the price of the E4.(Unless the E53 can be upgraded to E95, which is around $5k),

I was able to get the camera to get to RNDIS mode via the hidden menu and it shows up as 192.168.0.1 under ipconfig /all(screenshot attached), however when trying to FTP into the camera with FileZilla it says
Code: [Select]
Status: Connecting to 192.168.0.1:21...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server

I tried both connecting anonymously and flir:3vlig and received the same error for both.

I would like to upload a backup of the camera to see if there is a remote possibility of these cameras being upgraded before I have to give it back.
 

Offline Chanc3

  • Frequent Contributor
  • **
  • Posts: 393
  • Country: gb
Re: FLIR E75 Upgrade to E95
« Reply #1 on: March 03, 2018, 06:32:12 am »
I had the same problem when connecting to the T1030sc I had on demo. Perhaps try admin|admin admin|password or even root. Not that familiar with Linux, but try the default ones for that.
 

Offline Spirit532

  • Frequent Contributor
  • **
  • Posts: 275
  • Country: by
Re: FLIR E75 Upgrade to E95
« Reply #2 on: March 03, 2018, 07:26:35 am »
The Ex5 and the E53 cameras run a brand new, in-house, completely unknown(to us) Linux firmware, rather than using the WinCE firmware that has roots in AGEMA, which was acquired by FLIR(the PM and P-series cameras).
It would likely require a direct flash dump(or internal serial) to get the new FTP server passwords, sadly. And even then, it's a completely different OS with(likely) better security, since the entire Ex5 lineup and the E53 have a full-sized 640x480 30Hz detector inside them.
 

Offline railrun

  • Contributor
  • Posts: 43
Re: FLIR E75 Upgrade to E95
« Reply #3 on: March 03, 2018, 08:17:16 am »
Hi Dave,

192.168.0.1 is your PC. You have to try 192.168.0.2


Currently have an E75 on loan, man is it sweet compared to an upgraded E4, using this was my first time hearing about/using the UltraMax feature. Only downside to the camera is it's 7x the price of the E4.(Unless the E53 can be upgraded to E95, which is around $5k),

I was able to get the camera to get to RNDIS mode via the hidden menu and it shows up as 192.168.0.1 under ipconfig /all(screenshot attached), however when trying to FTP into the camera with FileZilla it says
Code: [Select]
Status: Connecting to 192.168.0.1:21...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server

I tried both connecting anonymously and flir:3vlig and received the same error for both.

I would like to upload a backup of the camera to see if there is a remote possibility of these cameras being upgraded before I have to give it back.
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 7524
  • Country: gb
Re: FLIR E75 Upgrade to E95
« Reply #4 on: March 03, 2018, 08:32:38 am »
Spirit523,

A very interesting comment from you here. I thought the PM series cameras ran Linux but it was only a suspicion. I thought the WinCE usage came from the FLIR purchase of Extech and Indigo ?

Have you had any experience accessing the operating system on a PM or P series camera please.

I ask because I am interested n delving inside both a PM and P series cameras OS.

Fraser
 

Offline Spirit532

  • Frequent Contributor
  • **
  • Posts: 275
  • Country: by
Re: FLIR E75 Upgrade to E95
« Reply #5 on: March 03, 2018, 09:05:12 am »
Spirit523,

A very interesting comment from you here. I thought the PM series cameras ran Linux but it was only a suspicion. I thought the WinCE usage came from the FLIR purchase of Extech and Indigo ?

Have you had any experience accessing the operating system on a PM or P series camera please.

I ask because I am interested n delving inside both a PM and P series cameras OS.

Fraser

The PM cameras are visibly screaming "I AM RUNNING NATIVE WINDOWS CE UI" when you run it, I don't know how you can miss it.
You'll find that it's extremely similar to the new Ex series.
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 7524
  • Country: gb
Re: FLIR E75 Upgrade to E95
« Reply #6 on: March 03, 2018, 09:43:44 am »
I am a specialist hardware tech, not a coder and definitely not knowledgeable on WinCE 😄
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 7524
  • Country: gb
Re: FLIR E75 Upgrade to E95
« Reply #7 on: March 03, 2018, 09:54:13 am »
Likely showing my ignorance here, but I always thought Win CE was an X86 / ARM OS

The PM series cameras are MC68K based devices. The MC68340 to be precise. I shall have to investigate the firmware further in light of your comments.

Thanks

Fraser
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 7524
  • Country: gb
Re: FLIR E75 Upgrade to E95
« Reply #8 on: March 03, 2018, 10:07:50 am »
Wow I see WinCE was only released in late 1996 and the PM570 was a 1997 release as I tested the first one in the UK. That means the PM570 would be running WinCE 1.0 aka Pegasus. The very first release. AGEMA were pretty brave to base their latest ground breaking camera on one of Microsofts very early software releases  :o

Sorry, I have dragged this thread off topic. It was just that Spirits's comment grabbed my attention.

Fraser
 

Offline DaveWB

  • Regular Contributor
  • *
  • Posts: 133
Re: FLIR E75 Upgrade to E95
« Reply #9 on: March 03, 2018, 10:20:01 am »
Whoops, my bad. I did try both 192.168.0.1 and 192.168.0.2 to connect to the camera using a bunch of combinations including admin/admin, root/ , root/toor, admin/password, etc... no go. :(
 

Offline Spirit532

  • Frequent Contributor
  • **
  • Posts: 275
  • Country: by
Re: FLIR E75 Upgrade to E95
« Reply #10 on: March 03, 2018, 12:50:07 pm »
Likely showing my ignorance here, but I always thought Win CE was an X86 / ARM OS

The PM series cameras are MC68K based devices. The MC68340 to be precise.

Correct, that means my knowledge is wrong.
The UI definitely does look like CE though.
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 542
Re: FLIR E75 Upgrade to E95
« Reply #11 on: March 03, 2018, 07:33:52 pm »
I am sure Flir's product manager of the Exx line almost got a heart attack  :scared: when he first read the subject/topic in the thread list. You better add a question mark behind for their easement :phew:
 

Offline railrun

  • Contributor
  • Posts: 43
Re: FLIR E75 Upgrade to E95
« Reply #12 on: March 03, 2018, 07:51:05 pm »
I am sure Flir's product manager of the Exx line almost got a heart attack  :scared: when he first read the subject/topic in the thread list. You better add a question mark behind for their easement :phew:
:-DD
 

Offline BOGET

  • Contributor
  • Posts: 26
  • Country: tw
Re: FLIR E75 Upgrade to E95
« Reply #13 on: March 14, 2018, 01:23:30 am »
I don't have enough $ to burden a new Exx for test anymore,

The price is too high for me, but I still want to see someone who can hack Linux-based systems.

@Dave

you should try to login first using by a brute-force attack tool, (e.g. Hydra)

Specified the username and use dictionary to find the password out.

like:
Code: [Select]
# hydra -t 1 -l flir -P /your/password_dictionary's/path/password.txt -vV 192.168.as.yours ftp
Here has some tutorial :
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: FLIR E75 Upgrade to E95
« Reply #14 on: March 14, 2018, 08:36:24 am »
Whoops, my bad. I did try both 192.168.0.1 and 192.168.0.2 to connect to the camera using a bunch of combinations including admin/admin, root/ , root/toor, admin/password, etc... no go. :(

really doesn't work the good old login?
user: flir
pass: 3vlig

there is a simple hack to get the password:
Connect the camera with the IOS/Android app and get the ftp password by record the wifi traffic (wireshark)

Offline railrun

  • Contributor
  • Posts: 43
FLIR E75 Upgrade to E95
« Reply #15 on: March 14, 2018, 08:46:01 am »
I tried both connecting anonymously and flir:3vlig and received the same error for both.

@tomas123: Maybe they changed the login, and/or password and/or use a other port...
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: FLIR E75 Upgrade to E95
« Reply #16 on: March 14, 2018, 07:26:22 pm »
as I described above, I got the FTP password for my Exx some years ago with wireshark.
it's easy

Offline BOGET

  • Contributor
  • Posts: 26
  • Country: tw
Re: FLIR E75 Upgrade to E95
« Reply #17 on: March 14, 2018, 08:24:08 pm »
@tomas

I read lots of your post before,

that was really awesome and very professionally,

I think you're the one who can easily hack into new linux-based systems.
 

Offline DaveWB

  • Regular Contributor
  • *
  • Posts: 133
Re: FLIR E75 Upgrade to E95
« Reply #18 on: March 17, 2018, 07:50:35 am »
Sorry, haven't been watching this lately. Was just about to return the camera but will try both BOGET's and tomas123's suggestions
 

Offline DaveWB

  • Regular Contributor
  • *
  • Posts: 133
Re: FLIR E75 Upgrade to E95
« Reply #19 on: March 17, 2018, 01:19:03 pm »
I am not finding an iphone or android app for wireshark, are there special instructions to get it to work?
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: FLIR E75 Upgrade to E95
« Reply #20 on: March 17, 2018, 08:20:54 pm »
wireshark is a PC Software.
https://en.m.wikipedia.org/wiki/Wireshark

there are  some variants to record the wifi traffic:
a) catch traffic with a wifi router e.g. fritz.box in germany :-)
b) use a notebook with a lan and wlan port as man in the middle (or two wlan ports as wifi subnet)

google this topic, it's easy
the ftp password is uncrypted plain text

Offline DaveWB

  • Regular Contributor
  • *
  • Posts: 133
Re: FLIR E75 Upgrade to E95
« Reply #21 on: March 25, 2018, 07:52:54 am »
wireshark is a PC Software.
https://en.m.wikipedia.org/wiki/Wireshark

there are  some variants to record the wifi traffic:
a) catch traffic with a wifi router e.g. fritz.box in germany :-)
b) use a notebook with a lan and wlan port as man in the middle (or two wlan ports as wifi subnet)

google this topic, it's easy
the ftp password is uncrypted plain text

I created a wifi network on the camera, and connected to it from my PC. unfortauntely I was unable to find a plain text ftp username and password
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: FLIR E75 Upgrade to E95
« Reply #22 on: March 25, 2018, 11:36:03 am »
great :-+
Do you have recorded the traffic between the flir tools app and your Exx camera (load an image)?
see this sample for decoding the stream:
http://www.freekb.net/Article?id=133
https://blog.packet-foo.com/2016/07/how-to-use-wireshark-to-steal-passwords/comment-page-1/


Offline DaveWB

  • Regular Contributor
  • *
  • Posts: 133
Re: FLIR E75 Upgrade to E95
« Reply #23 on: April 13, 2018, 03:07:39 pm »
great :-+
Do you have recorded the traffic between the flir tools app and your Exx camera (load an image)?
see this sample for decoding the stream:
http://www.freekb.net/Article?id=133
https://blog.packet-foo.com/2016/07/how-to-use-wireshark-to-steal-passwords/comment-page-1/

I attempted following this however I was unable to see any ftp data within Wireshark. I have a Ubiquiti Accesspoint in which this is connected to, I connected my computer to the secondary port of this access poin. The camera was connected to the access point and I could see the camera connection within Wireshark but when I went on my phone and imported images over wifi, nothing showed up. The only protocol the FLIR seems to be triggering within Wireshark seems to be TCP and MDNS.
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: FLIR E75 Upgrade to E95
« Reply #24 on: April 14, 2018, 11:03:08 pm »
Hi DaveWB,

I looked in my old notes from June 2013.
With Flir Tools for IOS, my E40, WiFi and Wireshark I got this FTP protocol snippet after taking an "instant picture" with the Flir tools app :

USER anonymous / PASS cfnetwork@apple.com  :-DD

Code: [Select]
WireShark FTP

220 Service ready for new user.
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS cfnetwork@apple.com
230 User logged in, proceed.
SYST
215 Windows_CE version 6.0.
PWD
257 "/".
TYPE I
200 Command okay.
CWD /Temp/
250 Requested file action okay, completed.
PASV
227 Entering Passive Mode (192,168,16,70,192,22).
RETR irviewerimg.jpg
125 Data connection already open; transfer starting.
226 Closing data connection.

With this steps, Flir Tools loaded the last image irviewerimg.jpg from my E40.

here is the wireshark TCP snippet, which shows how the Exx get the single Telnet commands from the app to take an image
user: root / pw: 3vlig
Quote
WireShark TCP

.......................................................5..
root.3vlig.................).........5G..
image.services.store.overlay........H.......<.........5.........5..........
image.services.store.overlay...................'.........5G..
image.services.store.irCut........H.......:.........5.........5..........
image.services.store.irCut...................+.........5G..
image.services.store.overwrite........H.......>.........5... .....5..........
image.services.store.overwrite...................+.........5G..
image.services.store.filenameW........H.......7.........5...........
image.services.store.filenameW.....................-.........5G!.
image.services.store.stage.start........H.......9.........5.........!.
image.services.store.stage.start.....................*.........5G..
image.services.store.bgActive........H.......+.........5..
image.services.store.bgActive.........6..)....B...........................................F........&.........5G..
image.services.store.busy........H.......2.........5...........
image.services.store.busy..................... .........5G..
image.state.channel........H.......!.........5..
image.state.channel.........8..)....B..........................................IR..........(.........5G..
image.services.store.format........H.......?.........5.........5..........
image.services.store.format.JPEG..................*.........5G..
image.services.store.filename........H.......R.........5.........5..........
image.services.store.filename./Temp/irviewerimg.jpg..................(.........5G..
image.services.store.commit........H.......;.........5.........5..........
image.services.store.commit...................,.........5G .
image.services.store.bgStoreNow........H.......?.........5...!.....5..........
image.services.store.bgStoreNow............

maybe this helps...


Additional information that i have not seen yet in this thread:

When camera is in RNDIS permanent mode, you can FTP to it even if it is turned off but is connected to USB. However the login  is not flir/3vlig. The login credentials in this case are:

user:   anonymous
psw:    NcFTP@



Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf