Last thing: i shot a thermal foto with full 320x240 , but lost the MSX-Option
Last thing: i shot a thermal foto with full 320x240 , but lost the MSX-Option
$ cat i2c.txt | gawk '{for(i=1; i <=NF; i=i+1) {tmp="00"$(i);tmp=sprintf ("%s",substr(tmp,length(tmp)-1)); printf " %s", tmp }}'| xxd -r -p | hexdump -C -v
00000000 ca 54 31 39 38 32 38 33 00 00 00 32 30 31 33 36 |.T198283...20136|
00000010 30 31 36 00 00 31 31 00 00 00 00 00 00 00 00 ed |016..11.........|
00000020 9c ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
00000030 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
00000040 ff 0a f4 3c 00 00 00 00 00 00 00 00 00 00 00 00 |...<............|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 |...............F|
00000060 f4 54 31 39 38 33 30 34 00 00 00 36 33 38 31 33 |.T198304...63813|
00000070 38 30 38 00 00 30 31 00 00 ff ff ff ff ff ff f2 |808..01.........|
00000080 9f 50 00 3c 00 00 01 00 00 00 00 00 00 00 00 8c |.P.<............|
00000090 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
000000a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
000000b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
000000c0 00 46 4c 49 52 20 45 34 00 00 00 00 00 00 00 00 |.FLIR E4........|
000000d0 00 00 00 00 00 36 33 39 30 31 2d 30 31 30 31 00 |.....63901-0101.|
000000e0 00 00 00 00 00 36 33 39 31 34 37 35 32 00 00 32 |.....63914752..2|
000000f0 30 31 34 2d 30 32 2d 31 33 00 00 30 31 00 00 |014-02-13..01..|
>cat 1.txt | awk "{for(i=1; i <=NF; i=i+1) {tmp=sprintf (\"%s \",\"0x\"$(i)); printf \"%c\", strtonum(tmp) }}" | hexdump -n
00000000: 40 01 F0 00 00 01 00 00 - 00 00 00 00 00 00 30 03 |@ 0 |
00000010: FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF | |
00000020: FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF | |
00000030: FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF 00 | |
00000040: 46 4C 49 52 20 45 34 00 - 00 00 00 00 00 00 00 00 |FLIR E4 |
00000050: 00 00 00 00 36 33 39 30 - 31 02 0D 30 31 30 31 00 | 63901 0101 |
00000060: 00 00 00 00 00 36 33 39 - 30 30 30 30 30 00 00 32 | 6390xxxx 2|
00000070: 30 31 33 2D 31 31 2D 30 - 30 00 00 30 31 00 00 E1 |013-11-xx 01 |
00000080: D4 54 31 39 38 32 38 33 - 00 00 00 31 39 39 35 30 | T198283 1995x|
00000090: 30 30 30 00 00 30 39 00 - 00 00 00 00 00 00 00 F9 |xxx 09 |
000000a0: AD FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF | |
000000b0: FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF | |
000000c0: FF 0B 15 7D 00 00 00 00 - 00 00 00 00 00 00 00 00 | } |
000000d0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 88 | |
000000e0: 15 54 31 39 38 33 30 34 - 00 00 00 36 33 38 30 30 | T198304 6380x|
000000f0: 30 30 30 00 00 30 31 00 - 00 FF FF FF FF FF FF F9 |xxx 01 |
unfortunately i2c.exe dumps only the first 256 Byte from EEPROM
if you just do a read it may be reading a random page.
.caps.config: (3)
rw--r--------- 0 root root <e> image
r---r---r----- 0 root root <a> name "" // empty configuration name!!!
.caps.config.image.settings: (4)
r---r--------- 0 root root <i> IRheight 60 //no high res mode
r---r--------- 0 root root <i> IRwidth 80
.caps.config.image.targetNoise: (2)
r---r--------- 0 root root <b> enabled false
r---r--------- 0 root root <i> targetNoiseMk 0 //where is the noise generator?
.dump: (6)
rw--r---r----- 0 root root <b> commit false
rw--r---r----- 0 root root <a> file "\mod\servicemode\appcore.d\factory.d" //a new folder
.registry.system: (2)
rw-dr---r----- 0 registry factory <a> usbmode "UVC_MSD" // RNDIS
.version: (8)
r---r---r----- 0 root root <a> SUID "2A4BD5020080241B" // this is a new number
did you saved this file before you gone to the service mode?2014-03-04 20:38:40 ERROR: No Configuration name found. Bad camera serial number ??[64]
2014-03-04 20:38:40 Configuration name: ""
Now i'm fully confused?
The Thermal-Fotos are already in 320x240? Did the TIC store the 80x60 in a higher resolution?
FLIR Command Line Interpreter
Version 0.4.3 running on WinCE 6.0
\>set PATH=\windows;\FlashBFS\system\;
Bad command or filename
\>set PATH=\windows;\FlashBFS\system\;
Bad command or filename
\>set PATH=\windows;
\>set PATH=\windows;\FlashBFS\system\;
\>rset .watchdog.enable false
rset: .watchdog.enable: bad data
\>rset .watchdog.enable false
rset: .watchdog.enable: bad data
\>rset .services.log.active false
\>ps -k uicore
\>ps -k Gui
\>ps -k Prod
\>ps -k prod
\>ps -k MediaServer
\>ps -k appcore
Failed to terminate process 0x4D20002 (170)
\>ps -k AppServices
Successfully terminated process 0x76E0002
\>ps -k Resmon
Successfully terminated process 0x79A0002
\>ps -k Bit
\>ps -k syslog
\>ps -k Cam
\>ps -k cam
\>ps -k geni
\>ps -k dig
\>ps -k Dig
\>ps -k watch
\>ps -k Watch
\>ps -k RTP
\>ps -k fwa
\>ps -k progress
\>ps -k Med
\>ps -k appcore
\>start appcore19.exe
\>ps
Process NK.EXE (64 threads), id 0x00400002, loaded at 0x80100000
Process udevice.exe ( 2 threads), id 0x01510002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x015E0002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x01F20002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x03230002, loaded at 0x00010000
Process servicesd.exe (14 threads), id 0x03820002, loaded at 0x00010000
Process ChargeApp.exe ( 1 threads), id 0x046E0002, loaded at 0x00010000
Process cmd.exe ( 1 threads), id 0x04C50002, loaded at 0x00010000
Process CMD.EXE ( 1 threads), id 0x08EF002E, loaded at 0x00010000
Process appcore19.exe (35 threads), id 0x05050036, loaded at 0x00010000
Process AppServices.exe (15 threads), id 0x04DF0166, loaded at 0x00010000
Process Resmon.exe (14 threads), id 0x0778000A, loaded at 0x00010000
Process ps.EXE ( 1 threads), id 0x082E019A, loaded at 0x00010000
\>start prodapp
\>ps
Process NK.EXE (64 threads), id 0x00400002, loaded at 0x80100000
Process udevice.exe ( 2 threads), id 0x01510002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x015E0002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x01F20002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x03230002, loaded at 0x00010000
Process servicesd.exe (14 threads), id 0x03820002, loaded at 0x00010000
Process ChargeApp.exe ( 1 threads), id 0x046E0002, loaded at 0x00010000
Process cmd.exe ( 1 threads), id 0x04C50002, loaded at 0x00010000
Process CMD.EXE ( 1 threads), id 0x08EF002E, loaded at 0x00010000
Process appcore19.exe (36 threads), id 0x05050036, loaded at 0x00010000
Process AppServices.exe (15 threads), id 0x04DF0166, loaded at 0x00010000
Process Resmon.exe (14 threads), id 0x0778000A, loaded at 0x00010000
Process prodapp.EXE (18 threads), id 0x096802F6, loaded at 0x00010000
Process ps.EXE ( 1 threads), id 0x096C0302, loaded at 0x00010000
\>rset prod.preparation.command restartHighRes
\>rls -l .caps.config.image.settings
.caps.config.image.settings: (4)
r---r--------- 0 root root <i> IRheight 60
r---r--------- 0 root root <i> IRwidth 80
r---r--------- 0 root root <b> allowForcedCase false
r---r--------- 0 root root <b> enabled true
Welcome to the Windows CE Telnet Service on IRCAM4752
FLIR Command Line Interpreter
Version 0.4.3 running on WinCE 6.0
\>set PATH=\windows;\FlashBFS\system\;
Bad command or filename
\>set PATH=\windows;\FlashBFS\system\;
Bad command or filename
\>set PATH=\windows;
\>set PATH=\windows;\FlashBFS\system\;
\>rset .watchdog.enable false
rset: .watchdog.enable: bad data
\>rset .watchdog.enable FALSE
rset: .watchdog.enable: bad data
\>rset .services.log.active false
\>ps -k uicore
\>ps -k Gui
\>ps -k Prod
\>ps -k prod
\>ps -k MediaServer
\>ps -k appcore
Failed to terminate process 0x4D20002 (170)
\>ps -k AppServices
Successfully terminated process 0x71C000A
\>ps -k appcore
\>ps -k Resmon
Successfully terminated process 0x75B000A
\>ps -k Bit
\>ps -k syslog
\>ps -k Cam
\>ps -k cam
\>ps -k geni
\>ps -k watch
\>ps -k Watch
\>ps -k dig
\>ps -k Dig
\>ps -k RTP
\>ps -k fwa
\>ps -k progress
\>ps -k Med
\>start appcore19.exe
\>start prodapp
\>ps
Process NK.EXE (64 threads), id 0x00400002, loaded at 0x80100000
Process udevice.exe ( 2 threads), id 0x01510002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x015E0002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x01F20002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x03230002, loaded at 0x00010000
Process servicesd.exe (16 threads), id 0x03710002, loaded at 0x00010000
Process ChargeApp.exe ( 1 threads), id 0x046E0002, loaded at 0x00010000
Process cmd.exe ( 1 threads), id 0x04C50002, loaded at 0x00010000
Process CMD.EXE ( 1 threads), id 0x06912D2A, loaded at 0x00010000
Process appcore19.exe (35 threads), id 0x0342003A, loaded at 0x00010000
Process AppServices.exe (15 threads), id 0x07FB0016, loaded at 0x00010000
Process Resmon.exe (14 threads), id 0x06920016, loaded at 0x00010000
Process prodapp.EXE ( 7 threads), id 0x06830636, loaded at 0x00010000
Process ps.EXE ( 1 threads), id 0x096304D2, loaded at 0x00010000
\>rset prod.preparation.command restartHighRes
\>rls -l .caps.config.image.settings
.caps.config.image.settings: (4)
r---r--------- 0 root root <i> IRheight 60
r---r--------- 0 root root <i> IRwidth 80
r---r--------- 0 root root <b> allowForcedCase false
r---r--------- 0 root root <b> enabled true
\>
.caps.config: (3)
rw--r--------- 0 root root <e> image
r---r---r----- 0 root root <a> name "app E4 1.1"
.caps.config: (3)
rw--r--------- 0 root root <e> image
r---r---r----- 0 root root <a> name "" // empty configuration name!!!
runs without the conf.cfc file.next i delete the old conf.cfc-file, reset to factory->no changes
Un-Bricking an Ex + Version differences HW 1.0 <-> HW 1.1
# CRC
VerifyHash - [CRC error] : done
VerifyHash - [CRC OK] : done
VerifyHash -[CRC%d] : not accepted
# %19s %x
CRC%d
VerifyHash - [CRC not trusted] : done
%S [size]
%S [CRC]
# doCRC %s %u %u
# doCRC
verifyCRC - cannot open %s
Bad Argument(s)! Use "applauncher" for help.
APPLAUNCHER: Not starting duplicate cmd.exe
%[^
cmd
%[^ #
%[^#
APPLAUNCHER: Refuses to run launch specification file. Aborting!
FAD call fails:%d hndl:%d err:%d
No integrity check necessary
Integrity: %d
FAD1:
Failed to open the launch specification file. Aborting!
cmd.exe
APPLAUNCHER: Usb charging finished
APPLAUNCHER: Starting usb charge App
ChargeAppFinished
ChargeApp.exe
Bad Argument! Use "applauncher" for help.
LaunchFileAlt
LaunchFile
Failed to open registry settings. Aborting!
SOFTWARE\FLIR Systems\Applauncher
%[0-9]
Usage: applauncher [options]
-f <filename> Execute commands in file <filename>
-r Execute file specified by registry setting.
(number) Automatic mode (OS internal).
CRC04
CRC03
CRC02
CRC01
CRC00
CRC32
AshIrV:
ZeP0a_K
RSDS
Those are most interesting to me:Has anyone actually tried applying the original hack to the new cameras? I don't imagine it'll work, but I'm still curious as to what actually happens.
but do nothing!! wait on Taucher
All Tests with my TIC are tests with the 1.1L.
@tomas:Quotebut do nothing!! wait on TaucherThis is not my best fortitude/strength...
I do all the steps again but without the prodapp and generate a new rls for you.
The camera works fine with the appcore19. All normal E4-Options doing there job, but there are no extra menues or something like that.
Please do not forget that the new E4 version is not HW1.1, it is 1.1L. I don't think the differences between HW 1.1 and 1.1L have been established yet. It was of concern to me that FLIR advised that I should not just install their 1.21.0 firmeware update, but rather, return the camera to them for a special upgrade ! We all know what the result of that action would have been, and FLIR would love to 'upgrade' my camera for me
The question has to be....has FLIR done something to the hardware platform to sabotage any attempt to increase resolution in firmware or OS ? It is also a possibility that the HW1.1L change is not about a resolution upgrade countermeasure, but rather a frame rate upgrade countermeasure
It would be very useful to compare images of Mike's V1.0 camera PCB and the newer V1.1 and V1.1L PCB.
Please do not forget that the new E4 version is not HW1.1, it is 1.1L. I don't think the differences between HW 1.1 and 1.1L have been established yet. It was of concern to me that FLIR advised that I should not just install their 1.21.0 firmeware update, but rather, return the camera to them for a special upgrade ! We all know what the result of that action would have been, and FLIR would love to 'upgrade' my camera for me
The question has to be....has FLIR done something to the hardware platform to sabotage any attempt to increase resolution in firmware or OS ? It is also a possibility that the HW1.1L change is not about a resolution upgrade countermeasure, but rather a frame rate upgrade countermeasure
It would be very useful to compare images of Mike's V1.0 camera PCB and the newer V1.1 and V1.1L PCB.There is one very specific thing I'd like to compare if we can get pics of a 1.1L
If you've seen the teardown, you may be able to guess what it is.
OK, I am about to show my ignorance of this platforms configuration so please be gentle with me.
If I am presented with two similar (near identical) embedded computers, one 'protected' from change, one not, I would look at a complete firmware and OS transplant to overcome the protection systems in the firmware. Now this would not be simple if there were calibration settings and CRC's in play but it would be a start.
In a perfect world the approch would be:
1. Take a complete firmware and OS image from an unprotected E4 (data donor)
2. Overwrite the protected firmware and OS on a protected E4 with the unprotected E4 image.
3. Change all the CRC's to match the protected cameras serial number or clone the serial number from the donor unprotected E4 camera.
4. Deteremine where the Calibration data is held in the E4 and transplant the correct calibration data from the protected E4 firmware/OS into the newly installed unprotected firmware/OS.
5. Correct the CRC in the file that contains the calibration data.
6. Enjoy a previously protected camera that is running an unprotected image
Life is rarely this simple though and I expect challenges with CRC's hidden in files structures and also likley countermeasures in the new Version 1.1L hardware to prevent such an attack vector.
The approach would also be very much 'open case' and requiring IC programming tools.
No harm in blue sky thinking though
Also please note from the version info that the L comes from confkit (if I remember correctly) and probably has little to do with the read HW
So, tauchers BETA3 is installed:
1) colors: special palettes ( working fine
2) temperature scale: manual fixing works fine(all options)
3) measure spot: normal modes(Center spot on/off) doing fine, special options dont work and camera system freeze
4) Image mode: no changes
5) settings: new focus fine tuning,ambient relative humidy, device settings new usb-Mode, not working: condensation-menues
\FlashBFS\system>i2c.exe r AE FF
unfortunately i2c.exe dumps only the first 256 Byte from EEPROMFrom memory I think i2c.exe doesn't know about eeproms specifically, so you need to use a write+read operation to write the address first before reading the data - if you just do a read it may be reading a random page.
I don't recall the syntax but it's fairly obvious from the /? help
My gut feeling tells me it's that FLIR would add a SUID entry to the I2C prom (when @factory) ... and encrypt the config while DIY-upgrades would probably just have SUID = 0 set.
Also please note from the version info that the L comes from confkit (if I remember correctly) and probably has little to do with the read HW
Usage: i2c [2] {r|w} <address> <no of bytes if read> <data to write>
i2c [2] f <filename>
Write example: i2c w A0 11 22 33 - Write 11h 22h 33h to A0h
Read example 1: i2c 2 r A0 10 - Read 10h bytes from A0h on I2C2:
Read example 2: i2c r A0 10 80 - Write 80h and Read 10h bytes from A0h
Read example 3: i2c r A0 10 80 40 - Write 80h 40h and Read 10h bytes from A0h (16-bit addressing)
File example 1: i2c f vf.txt - Read command from file
File syntax: {r|w} <address> <no of bytes if read> <data to write>
d <delay ms>
Have been playing around with i2c.exe, it is a bit scary not knowing what it is actually doing on the bus. Especially when it comes to the read/write option and the effect it has on the read/write flag on the address byte being sent out. The read/write flag on the DS1388 Real time clock is inverted!!!
So, tauchers BETA3 is installed:
1) colors: special palettes ( working fine
2) temperature scale: manual fixing of the scale works fine(all options)
3) measure spot:
working: normal modes(Center spot on/off)
not working: special options(hot/cold etc) dont work and camera system freeze(you have to restart the TIC)
4) Image mode: no changes
5) settings:
working is: new focus fine tuning,ambient relative humidy, device settings new usb-Mode,
not working: condensation-menues