My E4 is 1.19.8. I hope that hack will be working on that firmware.
Did you see any differences from the 1.18.8 firmware (see review video)? E.g. is the joystick in the middle connected with any action (without pressing the middle button before)?
No, any actions on joystick. I´am afraid of anti-hack firmware. Mike will sent me FFC breakout PCB, I will hack my E4 ASAP, and we will see.
Can you see any differences between files on your E4 and older firmware files?
At any rate, it will be interesting to see if this is a regularly scheduled boring update, or an OMG th3 h4X0rZ quick fix. Does anyone know how often Flir typically do their updates? And what is their policy in making these updates available for download. As in, there apparantly are devices with 1.19.8 firmware out there, but I can't find any mention of this firmware on the flir website.
Can you see any differences between files on your E4 and older firmware files?
At any rate, it will be interesting to see if this is a regularly scheduled boring update, or an OMG th3 h4X0rZ quick fix. Does anyone know how often Flir typically do their updates? And what is their policy in making these updates available for download. As in, there apparantly are devices with 1.19.8 firmware out there, but I can't find any mention of this firmware on the flir website.
1.18.8 isn't there either. Could be that the update is only for their internal functions - production test etc. or E8 features when are not currently enabled in the hack .cfg file.
I have it on good authority that they are planning something to improve the UI but no timescale.
the latest manual is also slightly out of step in that it shows multiple PiP sizes, but the current FW only supports one ( as seen in UI files).
I'd be interested to see the .cfg and UI files in the later firmware.
I wonder if the serial port is fed to the pads on the board for a bluetooth module? then it will be simple to just get a BT serial module and populate the board pads for the module and you will have the serial terminal available without any cable needing to be inserted. Pair the module with a PC or phone with terminal software and you will have another comms method.
Can you see any differences between files on your E4 and older firmware files?
At any rate, it will be interesting to see if this is a regularly scheduled boring update, or an OMG th3 h4X0rZ quick fix. Does anyone know how often Flir typically do their updates? And what is their policy in making these updates available for download. As in, there apparantly are devices with 1.19.8 firmware out there, but I can't find any mention of this firmware on the flir website.
I haven´t older firmware to compare, its shipped with 1.19.8
Almost there!
If you install the Flir tools there is a file in the bin map: FlirInstallNet.exe which opens a telnet and ftp connection over the
standard USB connection !
Just run the program, click the [Get Versions] button and be surprised.
Oh yes, the [Get resource] button is nice too.
The communication stuff is in the Flir.Cronos.Net.CameraUpdate.FIFEngine.dll
It also creates a nice log file, viewable when clicking the [L] button:
<cut>
FIF::UVCCommandDispatcher::DispatchMessageA sending message:
FIF::UVCCommandDispatcher::DispatchMessageA sending message: start cmd
CMD started successfully.
FIF::FIFInstallerEngine::OnCommandDispatcherMessage
Received shell command message:
FLIR Command Line Interpreter
Version 0.4.3 running on WinCE 6.0
\>
<cut>
Now a little USB sniffing and we have a closed-box hack
Sorry, why the USB sniffing? What's missing?
Once you have a console, you have the hack.... All you need to be able to do is copy one file from the user partition to flashfs
So I was in the process of purchasing (awaiting for it to ship an E6 unit) when I came across a review video from Mike for the e4. He seemed to be very thorough and so I looked at some of his other videos and came across this teardown thread.
I watched the video and was amazed at everything mike was doing (nearly all of it went over my head). In any case I notice the thread is quite long so I jump to the end and their is discussion of the E4 being modded to be an E8.
I saw Mikes most recent post and am curious as to what exactly this mod does to the E4. I know it is very common for manufactures to put the full capabilities into some electronic items and gimp the lower end models via software to lower production costs. However, they usually have it locked or encrypted.
So because i cant find anywhere that makes it clear, what is the end result of this mod? Does it turn into a fully functional (higher res thermal image, picture in picture, all other options) E8? Or what exactly does it do? Any help appreciated, maybe I have time to cancel my order.
I might also suggest making an entirely new thread or updating the first post of this one with this info to make it easier to locate. UNless of course you dont want it to be found that easily to make this mod possible for as long as possible before it gets eliminated via an update.
So because i cant find anywhere that makes it clear, what is the end result of this mod? Does it turn into a fully functional (higher res thermal image, picture in picture, all other options) E8?
Yes.
The only thing we don't currently know is if the E6 and/or 8 have a better lens.
I might also suggest making an entirely new thread or updating the first post of this one with this info to make it easier to locate. UNless of course you dont want it to be found that easily to make this mod possible for as long as possible before it gets eliminated via an update.
There is still some ongoing work to see if it can be done without opening the case. And isn't it worth some time spent reading to get this much added upgrade...?
UNless of course you dont want it to be found that easily to make this mod possible for as long as possible before it gets eliminated via an update.
Nah, that's not it. He just want to give other people the chance as well to cultivate patience and persistence.
Not
that hard to through 30-ish pages. Besides, that's a useful skill too. Quickly getting the useful tidbits from long threads.
No doubt when all is done there will be a summary, but if you want it now now then you can always read the thread.
Sorry, why the USB sniffing? What's missing?
The console....
There is no text input.
When it's sending those commands over USB, do you see any extra usb-serial devices? Probably not, but it's worth checking. It would be totally easy if you could get it to register itself as a usb-serial adapter.
Most definitely not hard to go through it all. I am doing so as we speak. The only reason I posted at all to find out exactly what the mod did instead of finding it myself was because of my current order for the E6. I wanted to cancel it as early as possible.
Thank you very much for answering promptly. You saved me the hassle of returning my unit (hopefully) and $1500.
I am a programmer by trade and like I said, most of what Mike did went over my head but I will be looking forward to donating toward this forum and some beer money for mike if he lets me know how
Thanks again! and keep up the great work!
Ok. Been lurking for a while...
Just chiming in with an idea:
So it seems that you can take:
camera.cmd
eFLIRinstall_MSD.dat
FLIRLaunch.dat
From the original .fif firmware file, modify them (camera.cmd to run Mike's hack command, FLIRLaunch.dat to not check for CRC?)
Pack them with no compression using 7zip together with Mike's e4hack folder, change .zip to .fif.
When opening this file in FLIRInstallNet.exe and pressing "CMD" the new commands from camera.cmd appears.
So pressing "Run FIF", run commands from camera.cmd? Could we make our own .fif hack file?
Maybe just start with activating RNDIS...
FIF test file below. Change .zip to .fif. Please do not run it :-)
Just had a thought... if you look at the contents of the installer .cab, there is a script file camera.cmd
If it is possible to create a new firmware .cab/.fif which can pass any required signing/CRC check, It should be possible to produce a new /cmd file whose sole purpose is to copy the one config file.
If course that is a big If....
## 10
# Combined fif installation for "ASCO Z3"
# Start by examining camera components. Use md to note state for later coming
# handlers.
# Note: This initial check code should not use "addfile" to ease/speed up
# execution with "eFLIRInstall" when camera is already updated
#
#old kit without gethwtype. Use os name for identify
type \windows\osimgkit.rev
[NAME ASCO*][$GOTO isOScorrect]
$FAIL "Update is intended for FLIR Z3-Series - not this camera - aborts install"
$GOTO end
#
$LABEL isOScorrect
## 12_header.spec
$SHOW "Combined firmware (1.18.7) is intended for FLIR Z3-Series"
# Clean from potential earlier install
rmdir \temp\OS
rmdir \temp\APP
rmdir \temp\PROD
#
#
## 20
#check OS - appcore independent check
type \windows\osimgkit.rev
[*1.0.0*}][$GOTO wrongOS]
[*16.0.10*][$GOTO checkOSEnd]
#Here if OS is not 16.0.10, mark OS for update
md \temp\OS
$GOTO checkOSEnd
#
#
$LABEL wrongOS
$SHOW "OSimage need to bigger than 1.0.0! Install OS-image manualy first",2
$GOTO end
$LABEL checkOSEnd
## 30
rls .version.kits.appkit.ver
[*1.0.13"*][$GOTO extendedCheckApp]
[*Bad command*][$GOTO appUnknown]
[*bad data*][$GOTO appUnknown]
[*failed*][$GOTO appUnknown]
$GOTO setAPPforupdate
$LABEL extendedCheckApp
kitcrc -c \FlashBFS\system\kits.d\appkit.rev
[*FAIL*][$GOTO setAPPforupdate]
$GOTO checkAppEnd
$LABEL appUnknown
#Not possible to check app - assume update
$FAIL "***Warning*** Unable to check camera! Press ignore to install anyway",2
$LABEL setAPPforupdate
md \temp\APP
$LABEL checkAppEnd
## 40
rls .version.kits.prodkit.ver
[*"1.0.0.7"*][$GOTO extendedCheckProd]
[*Bad command*][$GOTO prodUnknown]
[*bad data*][$GOTO prodUnknown]
[*failed*][$GOTO prodUnknown]
$GOTO setPRODforupdate
$LABEL extendedCheckProd
kitcrc -c \FlashBFS\system\kits.d\prodkit.rev
[*FAIL*][$GOTO setPRODforupdate]
$GOTO checkPRODEnd
$LABEL prodUnknown
#Not possible to check prod - assume update
$FAIL "***Warning*** Unable to check camera! Press ignore to install anyway",2
#
$LABEL setPRODforupdate
md \temp\PROD
#
#
#
$LABEL checkPRODEnd
## 50
$LABEL cont1
# Now we should have an analyse of needed updates noted as directories in \temp
dir /B \temp
[*OS*][$GOTO cont2]
[*APP*][$GOTO cont2]
[*PROD*][$GOTO cont2]
$FAIL "Camera is already updated",1
# If continued here, user wants to force an update
md \temp\OS
md \temp\APP
md \temp\PROD
#
$LABEL cont2
# Update decisions has been taken, stop app applications
$SHOW "Will now update OS/appkit/prodkit"
# Try to stop applications
rset .services.log.active false
rset .watchdog.enable false
ps -k facet
ps -k Facet
ps -k Fenix
ps -k fenix
ps -k uicore
ps -k Gui
ps -k Prod
ps -k prod
...snip
addfile flashbfs/system/web/service/focus/index.asp
addfile flashbfs/system/web/service/focus/laser.asp
addfile flashbfs/system/web/service/focus/lensdist.asp
addfile flashbfs/system/web/service/imgcorr/activatedigfilters.asp
addfile flashbfs/system/web/service/imgcorr/gainmap.asp
addfile flashbfs/system/web/service/imgcorr/gainmapcalc.asp
addfile flashbfs/system/web/service/imgcorr/gainmapcalcgf.asp
addfile flashbfs/system/web/service/imgcorr/gainmapcold.asp
addfile flashbfs/system/web/service/imgcorr/gainmapresult.asp
addfile flashbfs/system/web/service/imgcorr/gainmapselcase.asp
addfile flashbfs/system/web/service/imgcorr/gainmapwarm.asp
addfile flashbfs/system/web/service/imgcorr/imgcorrselcase.asp
addfile flashbfs/system/web/service/imgcorr/index.asp
addfile flashbfs/system/web/service/imgcorr/operability.asp
addfile flashbfs/system/web/service/imgcorr/operabilitylog.asp
addfile flashbfs/system/web/service/imgcorr/pixkill.asp
addfile flashbfs/system/web/service/imgcorr/shuttermap.asp
addfile flashbfs/system/web/service/imgcorr/staticmap.asp
addfile flashbfs/system/web/service/imgcorr/staticmapcalc.asp
addfile flashbfs/system/web/service/imgcorr/staticmapcold.asp
addfile flashbfs/system/web/service/imgcorr/staticmapprepare.asp
addfile flashbfs/system/web/service/imgcorr/staticmapresult.asp
addfile flashbfs/system/web/service/imgcorr/staticmapwarm.asp
addfile flashbfs/system/web/service/inc/accmeasprottempl.inc
addfile flashbfs/system/web/service/inc/calibprottempl.inc
addfile flashbfs/system/web/service/inc/eepromlock.inc
addfile flashbfs/system/web/service/inc/errorcodes.inc
addfile flashbfs/system/web/service/inc/servicemenu.inc
addfile flashbfs/system/web/service/inc/serviceutils.inc
addfile flashbfs/system/web/service/index.asp
addfile flashbfs/system/web/service/ppr.asp
addfile flashbfs/system/web/service/ppri.htm
addfile flashbfs/system/web/service/tdrift/curcomp.asp
addfile flashbfs/system/web/service/tdrift/index.asp
addfile flashbfs/system/web/service/tdrift/logging.asp
addfile flashbfs/system/web/service/tdrift/sensors.asp
addfile flashbfs/system/web/smallcam.asp
addfile flashbfs/system/web/styles/flirweb.css
addfile flashbfs/system/web/sysinfo.asp
addfile flashbfs/system/web/web-addon/a-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/a-web-addon/index_s.asp
addfile flashbfs/system/web/web-addon/a-web-addon/index_us.asp
addfile flashbfs/system/web/web-addon/a2-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/a2-web-addon/index_s.asp
addfile flashbfs/system/web/web-addon/a2-web-addon/index_us.asp
addfile flashbfs/system/web/web-addon/e-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/e2-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/e3-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/fx-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/g-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/p-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/prem-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/prem-web-addon/service/inc/servicemenu.inc
addfile flashbfs/system/web/web-addon/pt-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/x-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/x2-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/z-web-addon/inc/camtype.inc
addfile flashbfs/system/web/web-addon/z3-web-addon/inc/camtype.inc
addfile flashbfs/system/web/webcam.asp
addfile flashbfs/system/web/webpopup.asp
## 110
$LABEL checkinstallProdEnd
#
#
#
## 130
# EOF Post commands
#
#FIF Add a temporary config
# No need
#
$SHOW "Camera will now restart",7
restart
$DISCONNECT
$WAIT 40
$RECONNECT 5
DEL /f /s /q \FlashBFS\system\xx*
#
rls .version.swcombination.ver
[*1.18.7"*][$GOTO successful1]
$FAIL "Failed update,wrong version after restart",4
$GOTO end
$LABEL successful1
# Check if crc have changed
kitcrc -c \FlashBFS\system\kits.d\appkit.rev
[*FAIL*][$GOTO failed2]
kitcrc -c \FlashBFS\system\kits.d\prodkit.rev
[*FAIL*][$GOTO failed2]
$LABEL showSuccess
$SHOW "Successfully updated combined firmware to version 1.18.7"
$GOTO end
$LABEL failed2
$FAIL "Failed update, file checksum error",3
$LABEL end
I beat you by 8 seconds...
The greyed-out CMD and Files buttons in FlirInstallNet.exe look interesting
And we got RNDIS working via .fif ...
Thank you Mike and everybody else that have been working on this hack.
I beat you by 8 seconds...
I beat you by eons (internet time).
At any rate, camera.cmd is full of inspiration.
But if you managed to generate a working .fif that copies the RNDIS files, then good job.
In that case all you need to do is put your CRC'd E8.cnf in the .fif, and put
copy e8.cfg \flashfs\system\appcore.d\config.d\e8.cfg
in the .cmd file
Job Done.
I'm amazed it doesn't check the integirity of the .fif...
I'm amazed it doesn't check the integirity of the .fif...
There is some CRC in FLIRLaunch.dat. I commented it out just to be sure
Would be nice to be able to copy the cfg from the USB partition, but this won't be mounted when plugged in to USB.
I think we need to use addfile, and create the equivalent path in the install fif
I think we need to use addfile, and create the equivalent path in the install fif
addfile would be the way to go yes. Same mechanism as camera.cmd uses to copy the new firmware files during an update.
So e8.cfg should be in \flashfs\system\appcore.d\config.d\e8.cfg in the .fif?