Author Topic: FLIR Boson 640 Variant Teardown (Autoliv NV4?)  (Read 7645 times)

0 Members and 2 Guests are viewing this topic.

Offline BiDTopic starter

  • Contributor
  • Posts: 15
  • Country: us
FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« on: July 31, 2021, 09:19:42 am »
Hello,

I had picked up some FLIR Boson 640 variant from fleabay recently and notice that basic USB VPC interfacing doesn't work on it and currently working through figuring out it's interfacing.  It's housing look like custom metal housing and it doesn't seem to be the same as the standard ones from FLIR.   Anyhow, wanted to post some teardown of the device and some of the identified pinouts.   I was able to pull the firmware from the flash memory to have a look.

I use Bus Pirate ( http://dangerousprototypes.com/docs/Bus_Pirate ) and flashrom command line tool to dump the firmware via SPI.


Update 2021-07-31:

There's strings in the firmware that indicates it's potentially a Autoliv NV4:

* NV4-Release-60
* NV4-Authblock-Release-60

  Unfortunately, the firmware seems to be encrypted and needs some work to retrieve the key.

Update 2021-08-08:

I've identified the JTAG pads (see attached photo), using
Code: [Select]
urjtag tool, we're able to confirm it's

Code: [Select]
    jtag> detect
    IR length: 4
    Chain length: 1
    Device Id: 00011100010001010000011001100001 (0x1C450661)
    Unknown manufacturer! (01100110000) (/usr/local/share/urjtag/MANUFACTURERS)

Searching "0x1C450661" indicates it is indeed JTAG for Movidius ma2x5x:

http://eyesofthings.eu/wp-content/uploads/deliverables/EoT_D3.5.pdf

I went through the 80-bin and only see the video sync/clock with activities and I did see some brief clock activities for just a few clock cycles however it stops very soon after.  The video sync/clock is continuous after a brief boot period.

Aside from those ports, so far it looks like the secure-boot firmware disables USB and video outputs (analog and digital).  I assume there's some handshake/key that's needed from an ECU.  The older version, NV2, looks like it needed a key as well:

https://debugmo.de/2018/12/autoliv-nv2-teardown/

would not surprised if they carried this over.

Update 2021-10-02:

I was able to get a copy of the firmware on the external flash from a friend's device.  Flashing it to this device's external flash doesn't get it to boot as I've expected but worth a try.  I think the pathway that still needs more exploring is to get JTAG specification for Movidius ma2x5x so to se if debugging of the processor is possible and modification of on-chip flash.
« Last Edit: October 03, 2021, 04:46:40 am by BiD »
 
The following users thanked this post: tmbinc, VGN, hitechtalent

Offline VGN

  • Regular Contributor
  • *
  • Posts: 146
  • Country: am
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #1 on: August 02, 2021, 09:21:56 pm »
Hi, BiD!

Great discover!

As I know there is usb2/3 interface, looks like they are using some custom ASIC to interface the sensor over usb3.0.
Chekout this project: https://hackaday.io/project/160928-boson-frame-grabber
Also look though this schematics at page 4: https://cdn.hackaday.io/files/1609286885143552/bosonFrameGrabber_sch.pdf
Besides USB2/3 there is some 16-bit cmos interface. Can you detect any activity at this 16-bit bus?
 
The following users thanked this post: BiD, hitechtalent

Offline BiDTopic starter

  • Contributor
  • Posts: 15
  • Country: us
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #2 on: August 08, 2021, 07:48:27 am »
Thanks!

> As I know there is usb2/3 interface, looks like they are using some custom ASIC to interface the sensor over usb3.0.

It looks to be custom software which runs on Intel Movidius Myriad.

> Checkout this project: https://hackaday.io/project/160928-boson-frame-grabber

I have seen that however it looks like the secure-boot firmware disables all ports.  I assume there's some handshake/key that's needed from an ECU.  The older version, NV2, looks like it needed a key as well:

https://debugmo.de/2018/12/autoliv-nv2-teardown/

would not surprised if they carried this over.


> Besides USB2/3 there is some 16-bit cmos interface. Can you detect any activity at this 16-bit bus?

I went through the 80-bin and only see the video sync/clock with activities and I did see some brief clock activities for just a few clock cycles however it stops very soon after.  The video sync/clock is continuous after a brief boot period.
 

Offline tmbinc

  • Frequent Contributor
  • **
  • Posts: 250
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #3 on: August 09, 2021, 04:01:15 pm »
Wow, this is exciting! I was looking for NV4 for a while without success.

Can you give me any pointer what to look for on ebay?
 

Offline ArsenioDev

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: us
    • DiscountMissiles: my portfolio and landing page
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #4 on: August 09, 2021, 05:25:48 pm »
If I had to bet, these would be those weird new 2021 Cadillac imagers
 
The following users thanked this post: BiD

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 13263
  • Country: gb
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #5 on: August 09, 2021, 07:47:15 pm »
I just found a picture of the 2021 Cadillac Escalade bumper thermal camera.
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 
The following users thanked this post: BiD

Offline BiDTopic starter

  • Contributor
  • Posts: 15
  • Country: us
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #6 on: August 10, 2021, 02:13:46 am »
Awesome thanks for these photos!  I think these modules are what sits inside those housings for the 2021 Cadillac Escalade thermal camera.
 

Offline boywai

  • Contributor
  • Posts: 14
  • Country: us
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #7 on: September 03, 2021, 04:09:30 pm »
Hello BID about  Boson 640@NV4´╝čIs there any new progress  Thinks
 

Offline lukep

  • Newbie
  • Posts: 2
  • Country: us
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #8 on: October 01, 2021, 10:17:21 am »
Any updates on this? Made the mistake of also collecting this from eBay thinking it would be plug and play with standard VPC :-//. Almost bought 2 but only got one luckily!
 

Offline BiDTopic starter

  • Contributor
  • Posts: 15
  • Country: us
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #9 on: October 03, 2021, 01:41:02 am »
Hello, sorry I don't have any update at the moment.  Mainly still stuck trying to figure out JTAG protocol Movidius ma2x5x, can't find any public documentation on it and having gotten it to respond for the JTAG comms I've been sending.
 

Offline fest

  • Contributor
  • Posts: 16
  • Country: lv
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #10 on: January 30, 2022, 03:34:25 pm »
I was also looking for the information about this device. It appears that this division of Autoliv underwent some corporate shenigans and this product is now called Veoneer NiVi4 (I was wondering why Autoliv NV4 yielded little results).

The MSRP of ~$850 sounds incredibly low for 640x512 LWIR device. I wonder if there are some savings done somewhere (lens sounds like the primary target) as the consumer Boson retails around $3000.
 

Offline ArsenioDev

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: us
    • DiscountMissiles: my portfolio and landing page
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #11 on: January 31, 2022, 04:33:16 pm »
It's likely down to the locking down, lens and a simplified system, no need for ratiometrics here, and can use less than the best FPAs, plus larger scale manufacturing via fixed price contract.
 

Offline jhhong98

  • Newbie
  • Posts: 3
  • Country: us
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #12 on: March 09, 2022, 10:36:39 pm »
where did you see the MSRP $850? 
 

Offline fest

  • Contributor
  • Posts: 16
  • Country: lv
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #13 on: March 10, 2022, 06:53:35 am »
https://www.reverse-costing.com/teardowns/veoneer_nivi4_night_vision_thermal_camera/#features
https://www.gmpartsgiant.com/parts/gm-camera-night-vision-eccn-6a993-84834198.html

Of course, I can't really vouch for this, as I have not tried to actually purchase it at this price. There was one used unit on US ebay for ~$400, but I don't currently have the neccessary mental bandwidth to make use of such a purchase.
 

Offline hitechtalent

  • Newbie
  • Posts: 6
  • Country: us
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #14 on: July 18, 2022, 03:19:28 pm »
Perhaps the GMSL interface is compatible with this 'Vision Board'?

https://www.aliexpress.com/item/3256801632647200.html

I haven't taken the plunge to see if this would be compatible with my GM branded Flir Boson "paperweight" yet.
 

Offline gluckmaker

  • Newbie
  • Posts: 2
  • Country: ru
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #15 on: April 21, 2024, 05:17:38 am »
Hello,

Is there any progress? I also bought 2 of these damaged cameras for a fair price and would like to unlock them.
I've read and compared their firmware, and all encrypted blobs are identical. The only differences are some mostly repeated unencrypted areas (sensor calibration?), serial numbers and some small binary data near to them. The "NV4-Authblock-Release-60" blob at the end is exactly same, so I would expect that the unlock key may be same for all devices. It may even be the old good Johan and Lennie, but I have no idea how to apply it.

The camera speaks the standard FLIR Boson binary protocol over GMSL UART - I can read the model, serial number, etc... There should be some extension for the car authentication, but command codes are 32-bit - it would take some long time to brute-force them (assuming that malformed and non-existent commands give different statuses - FLIR appnote does not specify this). Unfortunately, these cars are relatively rare, and eavesdropping GMSL link should be tricky.

JTAG tools (MoviDebug) are included in the Movidius MDK, but I was unable to find it. The same processor is used in DJI and Ryze Tello copters, and I found some mentions about these tools in DJI security researchers wiki, so, I think, at least somebody has that MDK.

Does anybody know where is it connected in the car? It might be useful to reverse-engineer the receiver unit. I tried to google, but cannot find anything like "Cadillac Escalade night vision ECU". There is some ECU for cameras on eBay, but it has several coax connectors, unlike the camera's HSD connector. There was a Veoneer press-release revealing a photo of two devices, the lower one is NV3 and the upper one expected to be NV4, and also I found a schematic picture of the same unit in some Jeep parts catalog, but I can not find its part number or any live photo. Looks like it is not really used. Also there is a photo of the Cadillac Escalade camera cable - one end is HSD, and another is some square connector. The similar connector is on the cluster display, but it would be generally uncommon in a car to connect the camera directly to the cluster. Also the connector seems water-proof, which is unneeded if it is connected inside the car interior.
 

Offline quince

  • Contributor
  • Posts: 33
  • Country: de
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #16 on: April 21, 2024, 08:30:45 am »
I also bought 2 of these damaged cameras for a fair price and would like to unlock them.

Whoever sold those to you is counting on you never figuring out the decryption keys.
 

Offline gluckmaker

  • Newbie
  • Posts: 2
  • Country: ru
Re: FLIR Boson 640 Variant Teardown (Autoliv NV4?)
« Reply #17 on: April 21, 2024, 03:38:13 pm »
Whoever sold those to you is counting on you never figuring out the decryption keys.
I don't think they know such words, they tell "the camera is OK, just glass broke" ;D

However, the modules are not affected, and the power boards were easy to repair. The most rotten parts are shutters, but I cleaned one of them - all steel, plastic parts and winding stay intact, only aluminum casing surface is damaged. Unfortunately, one lens has serious dents.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf