Hello,
I need the flir eeprom unlocked, it needs a password
has anyone unlocked it yet?
can't find it, please please help me
thx!
Instead of just asking for unlocking the Eeprom it would be more helpful if you post what you have done with your E30, what worked and what did not, where you had problems and how you solved them. Exactly what Mike and Taucher and others were doing. Then you will get much more feedback from many more people as they are interested in solving a challenge.
Look how the E4 hack worked ... many people provided little pieces of helpful (and sometimes not helpful) information - and together the 320x240 and the menu hack were possible.
I'm not yet ready with my E30, WLAN doesn't work, 0-650°C doesn't work, and so on...
but 320x240 works now....
I did the same as Mike does with conf.cfg, nothing new...
I rent an E60 for one day, so I'm in a hurry.....and want to read its eeprom to get closer
what else do we need from it? BUT I will not tear it down!
I'm not a PC crack, I normally work with wood!
So any help for me?
I rent an E60 for one day, so I'm in a hurry.....and want to read its eeprom to get closer what else do we need from it?
use rls in recursive mode and dump ALL settings to a file (use FlashIFS) - takes several minutes with
rls -rl > \FlashIFS\allsettings-yourcameratype.txt
EDIT: taking a copy of all available files via FTP will probably also be a good idea
I rent an E60 for one day, so I'm in a hurry.....and want to read its eeprom to get closer what else do we need from it?
use rls in recursive mode and dump ALL settings to a file (use FlashIFS) - takes several minutes with
rls -rl > \FlashIFS\allsettings-yourcameratype.txt
EDIT: taking a copy of all available files via FTP will probably also be a good idea
Gets my vote.
Both the full resource dump and the full download of all files has useful tidbits in it.
So any help for me?
O0 Peace!
As the former posters say: make full backup of all files with an FTP tool such as Filezilla.
If you need details for this: just send a PM and I will write down all needed steps.
Save these files/folders in one new folder and never touch them - make edits only to a copy of the whole directory.
Question: never tried this:
rls -rl > \FlashIFS\allsettings-yourcameratype.txt
Will it also read out the Eeprom?
Question: never tried this: rls -rl > \FlashIFS\allsettings-yourcameratype.txt
Will it also read out the Eeprom?
Short: nope
as far as I remember Mike stated something (like) that the eeprom is just being used to store the camera SN, model name etc.
... but we have seen that inside appcore that data is taken into account when enabling features - so a full dump of the eeprom could be interesting - did anybody already make a script/commandset for that?
Question: never tried this: rls -rl > \FlashIFS\allsettings-yourcameratype.txt
Will it also read out the Eeprom?
No. It will make a full dump of all the entries in the resource tree. Incidentally, rls -rll will show even a bit more detail.
Also, you can use user root and password 3vlig when running those commands. This does result in a different response for some entries, but so far I have not been able to do anything useful with it. Just thought I'd mention it in case someone else wants to mess with the resource tree.
I rent an E60 for one day, so I'm in a hurry.....and want to read its eeprom to get closer what else do we need from it?
use rls in recursive mode and dump ALL settings to a file (use FlashIFS) - takes several minutes with
rls -rl > \FlashIFS\allsettings-yourcameratype.txt
EDIT: taking a copy of all available files via FTP will probably also be a good idea
Gets my vote. Both the full resource dump and the full download of all files has useful tidbits in it.
Yes! Please copy off the entire folder structure - everything to your local PC.
What FTP client are you using and we can explain how to do this.
The OS on the Exx will have extra bits & pieces included with the build that are not present on the Ex or in the firmware updates (which are just application updates, not the full OS).
so a full dump of the eeprom could be interesting - did anybody already make a script/commandset for that?
Not me. I tried to use i2c.exe to read out the eeprom, but all I got was FF entries. So I was probably doing something wrong there.
Is there an example i2c.exe command that does read out something meaningful? I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. I like my magic smoke on the inside.
Come to think of it, please do both:
rls -rl > \FlashIFS\allsettings-yourcameratype.txt
rls -rll > \FlashIFS\allsettings-yourcameratype-full.txt
For some entries the full (-ll) listing does give a bit of extra info. And for all the others it's noise. But since you only have it for a day, and it doesn't take you any extra time ... please run both. It would be a bit silly to find out afterwards that we would have liked the extra detail on some field in the resource tree.
As for ftp clients ... winscp is pretty handy. Put it in ftp mode, and connect to 192.168.0.2. Login with user=flir, pass=3vlig. Then you simply select your destination folder on the left, and do select all on the right side (source). Press F5 to recursively copy the lot...
Question: never tried this: rls -rl > \FlashIFS\allsettings-yourcameratype.txt
Will it also read out the Eeprom?
Short: nope
as far as I remember Mike stated something (like) that the eeprom is just being used to store the camera SN, model name etc.
... but we have seen that inside appcore that data is taken into account when enabling features - so a full dump of the eeprom could be interesting - did anybody already make a script/commandset for that?
Yes, and it appears that all of the data in the EEPROM is editable from the service menu via the web server.
... I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. I like my magic smoke on the inside.
Would you mind taking some hi-res images of the inside/PCB?
I'd like to check if there's some pre-defined place for the identified gyro/compass sensor-chips
so a full dump of the eeprom could be interesting - did anybody already make a script/commandset for that?
Not me. I tried to use i2c.exe to read out the eeprom, but all I got was FF entries. So I was probably doing something wrong there.
Is there an example i2c.exe command that does read out something meaningful? I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. I like my magic smoke on the inside.
It may need some probing to find what I2C device address the eeprom lives at, normal values would be addresses A0 to AE in steps of 2 - I think I2c.exe will give an error or message for an un-acked device address.
You may also need to guess the size - the easiest way is usually to read a big chunk and look for the address wraparound.
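Added example (not part of the original posts, and not FLIR or i2c.exe code): a Python check for the address-wraparound method described above, run over a dump already read off the device. The function names, the 128-byte minimum and the sample data are assumptions for illustration; a constant read, like the all-FF result mentioned earlier in the thread, is rejected because constant data matches every period.

```python
from typing import Optional


def detect_eeprom_size(dump: bytes, min_size: int = 128) -> Optional[int]:
    """Return the smallest power-of-two size at which an over-long read repeats.

    Returns None when the dump is constant (for example all 0xFF, which
    usually means nothing answered on the bus) or when no wraparound is seen.
    """
    if len(set(dump)) <= 1:
        return None
    size = min_size
    # Two full copies are required before a repeat counts as wraparound.
    while size * 2 <= len(dump):
        if all(dump[i] == dump[i - size] for i in range(size, len(dump))):
            return size
        size *= 2
    return None


def make_sample_read(device_size: int, read_len: int) -> bytes:
    """Constructed test data: a fake device whose address counter wraps."""
    cells = bytes((i * 7 + 3) % 251 for i in range(device_size))
    return bytes(cells[i % device_size] for i in range(read_len))


if __name__ == "__main__":
    print(detect_eeprom_size(make_sample_read(256, 1024)))   # wraps at 256
    print(detect_eeprom_size(b"\xff" * 1024))                # constant read
    print(detect_eeprom_size(make_sample_read(2048, 1024)))  # no wrap visible
```

A mostly blank device can repeat at a smaller size than its real capacity, so treat the result as a lower bound and confirm it against the part marking.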
... I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. I like my magic smoke on the inside.
Would you mind taking some hi-res images of the inside/PCB?
I'd like to check if there's some pre-defined place for the identified gyro/compass sensor-chips
I'll see what I can manage with my decidedly NON hi-res collection of who-the-hell-cares photography equipment.
As an aside, didn't Mike's teardown vid show those unpopulated pads?
... I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. I like my magic smoke on the inside.
Would you mind taking some hi-res images of the inside/PCB?
I'd like to check if there's some pre-defined place for the identified gyro/compass sensor-chips
I'll see what I can manage with my decidedly NON hi-res collection of who-the-hell-cares photography equipment.
As an aside, didn't Mike's teardown vid show those unpopulated pads?
I don't recall any unpopulated chips, but there was an unpopulated FFC and one other, possibly a board-stack connector.
Anything on the PCB would be shielded by the internal metal frame and LCD casing, so either the module, or at least the antenna would need to be outside the metal area.
It may need some probing to find what I2C device address the eeprom lives at, normal values would be addresses A0 to AE in steps of 2 - I think I2c.exe will give an error or message for an un-acked device address.
You may also need to guess the size - the easiest way is usually to read a big chunk and look for the address wraparound.
Ah okay. I thought you maybe had some working i2c.exe commands since you said:
You can edit the eeprom via the I2C command. The test mode seems to implement some simple access control but not looked at this.
EEPROM records are protected by a simple 16 bit checksum - this is documented fairly early in this thread
I'm not entirely sure what the eeprom unlock password in the service mode would have to do with anything. I mean, if you can just read (and write!) eeprom using i2c.exe. That said, I would expect the eeprom to be write-able directly on the SCL/SDA wires. As in bypassing any flir applications, but just toggling the wires yourself. Best done with the application killed.
I rent an E60 for one day, so I'm in a hurry.....and want to read its eeprom to get closer what else do we need from it?
use rls in recursive mode and dump ALL settings to a file (use FlashIFS) - takes several minutes with
rls -rl > \FlashIFS\allsettings-yourcameratype.txt
EDIT: taking a copy of all available files via FTP will probably also be a good idea
I took the files via filezilla
but the rls thing inside cmd prompt? telnet prompt doesn't work....
the eeprom password is needed in service menu!
but the rls thing inside cmd prompt? telnet prompt doesn't work....
What windows version are you using?
Probably you have not installed it yet. It is easy to do: Press F1 on the desktop to enter Windows help. Then enter 'Telnet' and you will be given some instructions how to enable it.
I took the files via filezilla
but the rls thing inside cmd prompt? telnet prompt doesn't work....
If you can ftp, then you have tcp/ip connection. So I will read "telnet prompt doesnt work" as "telnet client not present or no workey"
In which case the solution is:
1) install + run putty.exe from this here download page
2) select telnet mode
3) connect to 192.168.0.2 (or the same ip you used for ftp)
And then run those rls commands.
Edit: Also, since you didn't attach the files ... by way of sanity check, how many files did you get? Just to be sure you got it all. Would be a shame to find out later you didn't recursively grab everything, what with this being a rental and all.
PW seems to be no big deal:
function EEPromIsUnlocked() {
    return restree.getResourceValue("system.eeprom.unlock") == "Unlocked" ? true : false;
}
function PrintEEPromControls() {
    var EEPromStatusText = restree.getResourceValue("system.eeprom.unlock");
    var EEPromMakeUnlockCmd = !EEPromIsUnlocked();
    Response.Write('<INPUT id="ee_unlock" type="submit" name="ee_unlock" value="Unlock">');
    Response.Write(' Password <INPUT id="ee_pw" type="password" name="ee_pw" value=""> ');
}
function EEPromLockActions() {
    if ( Request.Form( "ee_unlock" ) != "" )
        restree.setResourceValue("system.eeprom.unlock", Request.Form( "ee_pw" ));
    else if ( Request.Form( "ee_lock" ) != "" )
        restree.setResourceValue("system.eeprom.unlock", "lock");
}
but the rls thing inside cmd prompt? telnet prompt doesn't work....
telnet command not installed or no connection?
was the camera on/running
chance of doing a portscan?
I've read that too, but I fail to see how you come to the conclusion that it doesn't matter.
What that does is READ the system.eeprom.unlock resource. Which either has value "Unlocked" or not. If it is NOT unlocked, then it presents the html form, in which you plonk your super secret password. You then submit it. And then your favorite .asp page will effectively do a rset .system.eeprom.unlock PASSWORD_YOU_JUST_SUBMITTED. After that it will do a read of the resource again to show you if it is "Unlocked" or not.
I've read that too, but I fail to see how you come to the conclusion that it doesn't matter.
What that does is READ the system.eeprom.unlock resource. Which either has value "Unlocked" or not. If it is NOT unlocked, then it presents the html form, in which you plonk your super secret password. You then submit it. And then your favorite .asp page will effectively do a rset .system.eeprom.unlock PASSWORD_YOU_JUST_SUBMITTED. After that it will do a read of the resource again to show you if it is "Unlocked" or not.
it means there will be code to compare the PW ... so the solution is probably already somewhere in the IDA files
edit: ...if not ... then a bruteforce hack is still scriptable
Sorry guys
Is anyone here from Poland?
Post the instructions in Polish?