Okay,
I'm not good enough to make heads or tails of a lot of what I'm seeing here. I don't have a full version of IDA Pro so I can't disassemble for ARM, but I can as a generic binary. I'm still learning but maybe this will mean something to someone else. Attached are the results of IDA's disassembly and code generation.
I've been silently following the E4 related threads for some time. Must say, juicy information.
I don't have an E4 (yet... - that may change) but I've tried to put together some bits of information that I've found around in this thread. IMHO the simple way to go is using the Web Interface (you can access most, if not all, camera settings from there - including a special Service Menu) - all menus conveniently listed in FlashBFS/system/web/ and sub-folders.
..and if you send a <space> to the UART during boot....
SETTINGS:
0) IP address: 0.0.0.0
1) Subnet Mask: 0.0.0.0
2) Boot delay: 1 seconds
3) DHCP: Enabled
4) Reset to factory default configuration
5) Autoboot: NK from NOR
6) MAC address: 00:40:7F:0B:91:39
7) Host connection: (USB MSD)
Option 7 may be interesting - options are USB BSD, ETHERNET and USB RNDIS, which provides virtual ethernet over USB - fairly sure the latter is what enabled the i7 hack.
As Mike said, if 7) is changed to USB RNDIS (and may be that IP address and subnet mask also need to be set manually and DHCP disabled - if the PC doesn't assign them automatically over USB), the web service can be accessed.
Now, as for the A310 FLIR (the attached PDF with Technical Notes), it must be password protected, but I see that the password is already known: webpasswd "IRCAM"
Therefore (stating the obvious) the login info should be:
Username: flir
Password: IRCAM
Could someone try this?
P.S. With the risk of being Cpt. Obvious, I just want to be involved in this and help if I can do so
ABOUT ChARMeD:
ChARMeD is a Windows Mobile / Pocket PC / Win CE (for ARM CPUs) Disassembler and Assembler
The name ChARMeD stands for:
Carolo's Hexadecimal ARM Editor and Disassembler
FEATURES:
· Disassemble a Windows CE Executable for ARM CPUs.
· Assemble instructions in ARM Assembler.
· Upload modified file to Windows CE Device.
I am fairly convinced there is a secret menu that allows access to this setting without needing to access the serial port, probably a magic key combination.
Rats! ChARMed doesn't seem to understand this flavour of ARM... Anyone have access to a full version of IDA PRO?
Anyway I took a look with an old version of IDA (not all ARM instructions supported so there's valid code mixed with bits of rubbish) and it looks like it might be reading resolution etc. from the sensor itself over I2C...
I'm pretty sure the EEPROM->Edit Camera Information menu allows changing the 'Camera part number' to the one of E8 for instance. There seems to be a locking mechanism in place for EEPROM editing (protected by password) - I don't know yet how it's implemented but it may have to do with Mike's attempt to directly modify the EEPROM content: Mike: Hmmm - changed eeprom and it changed it back....! See also attached a picture of the EEPROM->Edit Camera Information.
I have tried changing E4 to E8 in the eeprom with no effect.
I have found code (100033AC for those following along) that reads 16 bytes from the EE, checksums it and if sums OK, stores the EEPROM values somewhere, and if not stores 80 and 60 in the same locations. Still looking at other eeprom related code. I think the 6 near the resolution data is also significant - seems to correlate with the "downsampling setting" values displayed at boot.
I only had a very quick try at changing the ee so could be I got the sum wrong.
I will be on vacation now for a week ..... hoping that you guys find a solution in the meantime.
If not; I can offer to lend an E8 for a day or two and read out the eeprom for you, assuming that it will help.
I can of course readout even more from the E8, but will need some help. If there is no progress here when I return, I will write a PM to Mike then.
I keep my fingers crossed.
Peter
Heh, that's good news Mike! Now if we only knew what needs to be changed to make it an E8
Meanwhile I've spent some time trying to find out how to get in the Hidden Service Settings menu (to be able to enable USB RNDIS without opening the camera). I think "facet_Z3.rcc" is the file to check for key-combination parsing. I'm still trying to find out a way to decode parts of it.
Bear in mind it may also be a magic key combination during startup that enables the menu in the UI - this was the case with the i7.