Poll

Has the hackability of the E4 made you buy one:

Yes, I was already looking at the competition at a similar price, but the hack swung it to E4
274 (27.9%)
Yes, I'd not considered buying a TIC before, but 320x240 resolution at this price justifies it (as either tool or toy!)
444 (45.3%)
Yes, I was going to buy an E5/6/8 class of unit but will now get the E4
49 (5%)
No, but am looking out for a cheap i3 to hack
50 (5.1%)
Not yet, but probably will if/now that a closed-box hack becomes/is possible
164 (16.7%)

Total Members Voted: 803

Author Topic: Flir E4 Thermal imaging camera teardown  (Read 3803935 times)

Offline mardaso

  • Newbie
  • Posts: 2
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1200 on: November 12, 2013, 06:36:22 pm »
I must have one with the last `hackable` firmware:

S/N: 63905xxx
Site: FLIR Systems OU, Estonia
Firmware: 1.19.8
Date: 28 October 2013

Arrived 8 November.
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2051
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1201 on: November 12, 2013, 06:44:45 pm »
I must have one with the last `hackable` firmware:

S/N: 63905xxx
Site: FLIR Systems OU, Estonia
Firmware: 1.19.8
Date: 28 October 2013

Arrived 8 November.

Could you or anyone with that firmware version do the following on the telnet interface:

Code:
version
rls -r .version

Be aware of serial numbers in the first 5 lines and then every line containing the string "serial".
 

Offline sipo75

  • Contributor
  • Posts: 17
Re: Flir E4 Thermal imaging camera teardown
« Reply #1202 on: November 12, 2013, 06:58:15 pm »
Greedy bastards! Instead of thinking, "look at all these E4 sales, thanks to this hack we are making a fortune", they are thinking, "look at all these E4 sales, no thanks to this hack we are losing a fortune"!

I get your unsubstantiated disappointment but your feelings are getting in the way of your logic.

Your E4 will be great and most probably worth an E8 considering the skills and motivation of the people working on this. Worst case it will be a great E4, highly recommended by your first or second favorite teardown master.
 

Online H.O

  • Frequent Contributor
  • **
  • Posts: 816
  • Country: se
Re: Flir E4 Thermal imaging camera teardown
« Reply #1203 on: November 12, 2013, 07:00:29 pm »
FWIW I placed my order with PASS last Friday after having them confirm that they actually had units IN stock. After sending them the money I've heard absolutely nothing.
I sent them an email this morning asking for a status update, no response whatsoever. I'm not impressed...
 

Offline MrSquirrel

  • Contributor
  • Posts: 34
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #1204 on: November 12, 2013, 07:07:12 pm »
The supply chain appears very short with these cameras less than 2 weeks old arriving with customers.

It looks like the supply chain has been short for a while, the calibration of Mike's one was not long before he received it and that was before all this kicked off. By all accounts (hack or not) they have been selling very well since launch - and no wonder, with MSX it's a great product.

The way I look at it, with such a new product there would always be a future situation where a bug fix or compelling new feature or return (for service/calibration situation) closed the door on this.
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2051
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1205 on: November 12, 2013, 07:21:13 pm »
Is it possible the 1.20 firmware is just on the E5 cameras by default?

Doubtful since firmware appears to be unified across an entire product family. Not just for the Ex, but also for <collect_the_entire_set/>. But if you want to be 100% sure, who knows?  :-//
 

Offline ixfd64

  • Frequent Contributor
  • **
  • Posts: 345
  • Country: us
    • Facebook
Re: Flir E4 Thermal imaging camera teardown
« Reply #1206 on: November 12, 2013, 07:24:42 pm »
I think the most important factor is whether the firmware could be downgraded. If so, someone might want to upload the 1.19.* firmware to a mirror just in case.

Offline MrSquirrel

  • Contributor
  • Posts: 34
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #1207 on: November 12, 2013, 07:26:35 pm »

FWIW I placed my order with PASS last Friday after having them confirm that they actually had units IN stock. After sending them the money I've heard absolutely nothing.
I sent them an email this morning asking for a status update, no response whatsoever. I'm not impressed...

Same here, not terribly surprised or bothered though - I'm used to this sort of behaviour with online retail.

Confirmed in stock and ordered on Monday 9am. At the end of the day I wondered why I hadn't got any notification, order number etc. Called back and was told (by someone in fulfilment) they were expecting some "maybe late this week". Fair enough, they are in demand. Hack or not, I am not spending that sort of money buying one from anywhere other than an authorised channel.
 

Offline 0xdeadbeef

  • Super Contributor
  • ***
  • Posts: 1577
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #1208 on: November 12, 2013, 07:29:16 pm »
Ah, this will end just as I feared it would. I canceled my 1st order because the first seller lied about availability, ordered at a more reliable shop for 15€ more but assured availability. Then some hours after I ordered, availability changed to 14th and nothing was sent yet. Damn it, I already received the soft case for it I ordered days later and lucky as I am, I will get an E4 with non-hackable firmware and have to send it back. Refund of the 1st order is stuck in PayPal's greedy throat btw.  :rant:
Trying is the first step towards failure - Homer J. Simpson
 

Offline tnt

  • Regular Contributor
  • *
  • Posts: 241
Re: Flir E4 Thermal imaging camera teardown
« Reply #1209 on: November 12, 2013, 07:38:56 pm »
There isn't going to be any such thing as an "unhackable" firmware. Phone vendors and console vendors have been trying for more than a decade and still aren't there yet, so FLIR isn't going to achieve that in 2 weeks.

The question is more : Who among the people that would get a newer firmware will have the skill to achieve a new hack and the willingness to risk bricking his camera while attempting so.
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 993
Re: Flir E4 Thermal imaging camera teardown
« Reply #1210 on: November 12, 2013, 07:44:43 pm »
Quote
There isn't going to be any such thing as an "unhackable" firmware. Phone vendors and console vendors have been trying for more than a decade and still aren't there yet, so FLIR isn't going to achieve that in 2 weeks.

The question is more : Who among the people that would get a newer firmware will have the skill to achieve a new hack and the willingness to risk bricking his camera while attempting so.

No one! So yup... it's unhackable!
 

Offline mardaso

  • Newbie
  • Posts: 2
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1211 on: November 12, 2013, 07:45:22 pm »
I must have one with the last `hackable` firmware:

S/N: 63905xxx
Site: FLIR Systems OU, Estonia
Firmware: 1.19.8
Date: 28 October 2013

Arrived 8 November.

Could you or anyone with that firmware version do the following on the telnet interface:

Code:
version
rls -r .version

Be aware of serial numbers in the first 5 lines and then every line containing the string "serial".

Attached the telnet output.
 

Online H.O

  • Frequent Contributor
  • **
  • Posts: 816
  • Country: se
Re: Flir E4 Thermal imaging camera teardown
« Reply #1212 on: November 12, 2013, 07:46:57 pm »
Aurora,
No, not David. This was before you posted his details.
I registered at their website, within one hour I received no less than two emails from a guy there, they seemed keen to sell....
I emailed him asking for a quote and actual stock status last Wednesday. He promptly replied with a quote but it took 3(!) more emails back and forth before he actually answered my question on whether or not they had units in stock (as the web-shop claimed) - which they didn't. He said units were due in stock that Friday. I told him I'm not going to send any money before he has a TIC to send me.

Friday came, I asked and he promptly confirmed (again via email) that units were now in stock and ready to ship (which I suspect was not actually the case), I sent them my money and that's it.

I'm not in the UK but I'll probably give them a call in the morning.
 

Offline _Sin

  • Regular Contributor
  • *
  • Posts: 247
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #1213 on: November 12, 2013, 07:52:08 pm »
Focus adjust tool - the emergency version (for UK folks):

If you don't have anything better to hand, and want to adjust the focus on your E4, I found that a UK 5p coin (used carefully!) works ok...

Programmer with a soldering iron - fear me.
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2051
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1214 on: November 12, 2013, 07:57:23 pm »
Code:
version
rls -r .version

Be aware of serial numbers in the first 5 lines and then every line containing the string "serial".

Attached the telnet output.

Thanks!  :-+
 

Offline ViciousPest

  • Contributor
  • Posts: 16
Re: Flir E4 Thermal imaging camera teardown
« Reply #1215 on: November 12, 2013, 08:16:54 pm »
As stated before PANIC SLOWLY


From a purely statistical analysis of firmware as I don't have a unit in hand, any short term mitigation by FLIR will be futile. Why?
1. Almost unrestricted access to HW via programming interface.
2. The use of a well documented application processor (iMX257 series) that doesn't have many security features enabled/available.
3. Haven't seen any mention of FLIR restricting downgrades.

I'm looking forward to the 1.20.x FW and will gladly sacrifice my TIC  ;)

After taking a deeper look at the FW and Mike's videos here are some notes for others (or maybe need corrections by others with actual camera to test)

  • Mike's hack works on the premise of enabling certain features "post personality check" (see next point) such as the increased resolution. I think somewhere it was mentioned of finding other strings to put in the .cfg file but would need the .cfg from an E8 to be sure. While this hack is awesome to begin with I still think there is a better hack to be found/developed
  • Keeping in mind that one FW pack (1.18.7) is used across all Ex models. That means you're using a vanilla install (run-time image + rootfs) that is combined with something else (onboard not in FW update) that produces the final FW that contains the cfg we modify. This "something else" is the personality check I'm referring to. Where is this? Given the clues I have (i2c calls early in boot and exposed taps on the connector) I believe it's on the smaller of the two non-volatile storages (EEPROM in the video). It would make sense to store the personality here as it's small and can be configured easily. The larger flash device more than likely contains your rootfs and run-time image. Has anyone performed a protocol analysis at boot (better yet, while doing a stock fw upgrade)?


For anyone interested. Freescale has really good documentation on setting up a development environment. At this point I won't post specifics (to stunt any patching attempts) but from a high level overview. The FPGA is manipulated by the WinCE host. The WinCE host plays "interface manager" for the FPGA device. Adjusting characteristics such as view, zoom, etc. How these functions are mapped is what I'm currently working on. Very interesting thing to do if someone wants to be daring. Put the fpga.bin from the Exx series into the fw of the Ex series. I highly doubt the function mappings would be consistent but it's worth a shot. If we can RE how the WinCE host manipulates the FPGA maybe we could develop our own host OS (Linux). Just a thought. Don't know how feasible this is until I have an actual unit to test.
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13748
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #1216 on: November 12, 2013, 08:37:35 pm »
As stated before PANIC SLOWLY


From a purely statistical analysis of firmware as I don't have a unit in hand, any short term mitigation by FLIR will be futile. Why?
1. Almost unrestricted access to HW via programming interface.
We don't know for sure if any hardware programming interface exists. It's not uncommon for flash chips to be preprogrammed before assembly.
Quote
2. The use of a well documented application processor (iMX257 series) that doesn't have many security features enabled/available.
Any processor-level hack could require a lot of work. I've not looked but would bet even the full data is >1k pages
Quote
3. Haven't seen any mention of FLIR restricting downgrades.
We haven't seen any mention of anything.
Quote
  • Mike's hack works on the premise of enabling certain features "post personality check" (see next point) such as the increased resolution. I think somewhere it was mentioned of finding other strings to put in the .cfg file but would need the .cfg from an E8 to be sure. While this hack is awesome to begin with I still think there is a better hack to be found/developed
  • Keeping in mind that one FW pack (1.18.7) is used across all Ex models. That means you're using a vanilla install (run-time image + rootfs) that is combined with something else (onboard not in FW update) that produces the final FW that contains the cfg we modify. This "something else" is the personality check I'm referring to. Where is this? Given the clues I have (i2c calls early in boot and exposed taps on the connector) I believe it's on the smaller of the two non-volatile storages (EEPROM in the video). It would make sense to store the personality here as it's small and can be configured easily. The larger flash device more than likely contains your rootfs and run-time image. Has anyone performed a protocol analysis at boot (better yet, while doing a stock fw upgrade)?

I am fairly sure that the config file is written at the factory, the eeprom has the serial number, which is baked into the config file by the CRC and cross-checked at startup. The serial number is the only thing unique to the unit - my guess is it gets written via I2C by the test system, and so is independent of any flash content.
I also think the resolution data found in the eeprom is just for backwards communication either to the bootloader or the FPGA.

Bear in mind that 1.20 could just be some tidying up of debug interfaces and the one second-hand report of non-hackability could just be user error doing the CRC0. Or a troll.  I've had a few PMs from people who got the CRC01 wrong

Until we actually know something I don't see any point in endless speculation.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
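
Added example (not part of the thread, and not FLIR's code or file format): the post above describes a config file tied to the unit's serial number by a CRC and cross-checked at startup. The Python below compares what an unkeyed checksum of that kind verifies with what a keyed tag verifies; CRC-32, HMAC-SHA256, the byte layout and every sample value are assumptions, since the thread does not say which CRC or layout is used.

```python
import hashlib
import hmac
import zlib

# Constructed sample values; layout and field names are hypothetical.
SERIAL_A = b"SN-CONSTRUCTED-A"
SERIAL_B = b"SN-CONSTRUCTED-B"
CONFIG = b"feature.level=1\n"
EDITED = b"feature.level=4\n"


def crc_tag(serial: bytes, config: bytes) -> int:
    """Unkeyed checksum over serial + config (CRC-32 as a stand-in)."""
    return zlib.crc32(serial + b"\x00" + config) & 0xFFFFFFFF


def crc_ok(serial: bytes, config: bytes, tag: int) -> bool:
    return crc_tag(serial, config) == tag


def mac_tag(key: bytes, serial: bytes, config: bytes) -> bytes:
    """Keyed tag over the same bytes (HMAC-SHA256 as a stand-in)."""
    return hmac.new(key, serial + b"\x00" + config, hashlib.sha256).digest()


def mac_ok(key: bytes, serial: bytes, config: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, serial, config), tag)


def compare_checks() -> dict:
    """Run the same four situations through both checks."""
    factory_key = b"constructed-factory-key"   # assumed secret, factory side
    other_key = b"not-the-factory-key"         # anyone without that secret
    crc = crc_tag(SERIAL_A, CONFIG)
    mac = mac_tag(factory_key, SERIAL_A, CONFIG)
    return {
        # Untouched factory config on its own unit: both accept.
        "crc_original": crc_ok(SERIAL_A, CONFIG, crc),
        "mac_original": mac_ok(factory_key, SERIAL_A, CONFIG, mac),
        # Same file moved to a unit with another serial: both reject,
        # which is the serial binding the post describes.
        "crc_other_unit": crc_ok(SERIAL_B, CONFIG, crc),
        "mac_other_unit": mac_ok(factory_key, SERIAL_B, CONFIG, mac),
        # Edited file with the old tag: both reject.
        "crc_edit_old_tag": crc_ok(SERIAL_A, EDITED, crc),
        "mac_edit_old_tag": mac_ok(factory_key, SERIAL_A, EDITED, mac),
        # Edited file with a freshly computed tag: a CRC needs no secret,
        # so it verifies; the keyed tag fails without the factory key.
        "crc_edit_new_tag": crc_ok(SERIAL_A, EDITED, crc_tag(SERIAL_A, EDITED)),
        "mac_edit_new_tag": mac_ok(factory_key, SERIAL_A, EDITED,
                                   mac_tag(other_key, SERIAL_A, EDITED)),
    }


if __name__ == "__main__":
    for name, value in compare_checks().items():
        print(f"{name}: {value}")
```

A symmetric key stored on the device can be read back from it, so a vendor would normally verify an asymmetric signature with only the public key on the unit; HMAC stands in here because it is in the standard library.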
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13748
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #1217 on: November 12, 2013, 08:39:32 pm »
I actually overheard the conversation between David and a lady in the office on Monday when she stated that 30 were due in Monday afternoon or Tuesday. I suspect PASS has several customers waiting for units out of that 30 batch. If FLIR have stopped the delivery (and it is an IF), then there is little they can do. They should contact the customers though.
..and it could just be that Flir have been taken by surprise by the demand and have decided to allocate stock differently.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline JockeT

  • Contributor
  • Posts: 11
  • Country: se
Re: Flir E4 Thermal imaging camera teardown
« Reply #1218 on: November 12, 2013, 08:49:53 pm »
Greetings from Sweden.
I just received my E4 which I ordered last week.
There was a slight delay with my order, which had me a little bit nervous.
However the received E4 has firmware version 1.19.8 so I doubt there'll be any problems applying the hack.
I have been looking to get a TIC for a while, and this finally tipped the scales.  :)
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2051
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1219 on: November 12, 2013, 09:25:06 pm »
3. Haven't seen any mention of FLIR restricting downgrades.
We haven't seen any mention of anything.
Actually there is a "restriction", right in the .FIF. But nothing that cannot be handled.
 

Offline JockeT

  • Contributor
  • Posts: 11
  • Country: se
Re: Flir E4 Thermal imaging camera teardown
« Reply #1220 on: November 12, 2013, 10:18:18 pm »
Hack applied just fine.
However just below center in the thermal image I have a bright spot. It was there in 80x60 and it looks exactly the same in 320x240.
Anyone seen anything like it? Seems a bit too obvious to have passed QC..
 

Offline mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13748
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #1221 on: November 12, 2013, 10:21:51 pm »
Looks a lot like dust on the sensor.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline JockeT

  • Contributor
  • Posts: 11
  • Country: se
Re: Flir E4 Thermal imaging camera teardown
« Reply #1222 on: November 12, 2013, 10:33:51 pm »
I tried some mild shock therapy to see if I could make it move, but no effect.
I guess I have three options
1. Send it in and risk a firmware update
2. Take it apart to clean sensor and void warranty (and possibly not fix it anyway)
3. Live with it

The auto hotspot feature was quite nice, but that dot screws it up pretty badly.
 

Offline tnt

  • Regular Contributor
  • *
  • Posts: 241
Re: Flir E4 Thermal imaging camera teardown
« Reply #1223 on: November 12, 2013, 10:35:20 pm »
I'm looking forward to the 1.20.x FW and will gladly sacrifice my TIC  ;)

If you're so eager, I posted a possible 30 Hz hack some pages ago that nobody tried on real hw yet :p
 

Offline Loafdude

  • Contributor
  • Posts: 19
  • Country: ca
Re: Flir E4 Thermal imaging camera teardown
« Reply #1224 on: November 12, 2013, 10:42:04 pm »
All this speculation over a single 2nd hand report of patched firmware on a REPAIRED unit?
Jesus people, calm the f*ck down.

0) The report of patched firmware has NO details
I suspect user error

1) There is no evidence the units in the supply chain are patched. PERIOD.
People claiming they feel like they are or other such nonsense are silly.

2) It is most likely Flir only quickly removed the easy hack method.
They have not had time to do a full patch to try and secure the entire system.
I'm surprised they even have firmware out. Software validation usually takes a while.

3) Having now dissected a previous firmware version finding another way in should not be so difficult

4) People pissed at Flir are retarded
Of course they are going to patch the security. It is going to wreak havoc on the TIC market and drive their margins down.
 

