Products > Thermal Imaging

FLIR Boson 640 Variant Teardown (Autoliv NV4?)

<< < (4/4)

gluckmaker:
Hello,

Is there any progress? I also bought 2 of these damaged cameras for a fair price and would like to unlock them.
I've read and compared their firmware, and all encrypted blobs are identical. The only differences are some mostly repeated unencrypted areas (sensor calibration?), serial numbers and some small binary data near to them. The "NV4-Authblock-Release-60" blob at the end is exactly same, so I would expect that the unlock key may be same for all devices. It may even be the old good Johan and Lennie, but I have no idea how to apply it.

The camera speaks the standard FLIR Boson binary protocol over GMSL UART - I can read the model, serial number, etc... There should be some extension for the car authentication, but command codes are 32-bit - it would take some long time to brute-force them (assuming that malformed and non-existent commands give different statuses - FLIR appnote does not specify this). Unfortunately, these cars are relatively rare, and eavesdropping GMSL link should be tricky.

JTAG tools (MoviDebug) are included in the Movidius MDK, but I was unable to find it. The same processor is used in DJI and Ryze Tello copters, and I found some mentions about these tools in DJI security researchers wiki, so, I think, at least somebody has that MDK.

Does anybody know where is it connected in the car? It might be useful to reverse-engineer the receiver unit. I tried to google, but cannot find anything like "Cadillac Escalade night vision ECU". There is some ECU for cameras on eBay, but it has several coax connectors, unlike the camera's HSD connector. There was a Veoneer press-release revealing a photo of two devices, the lower one is NV3 and the upper one expected to be NV4, and also I found a schematic picture of the same unit in some Jeep parts catalog, but I can not find its part number or any live photo. Looks like it is not really used. Also there is a photo of the Cadillac Escalade camera cable - one end is HSD, and another is some square connector. The similar connector is on the cluster display, but it would be generally uncommon in a car to connect the camera directly to the cluster. Also the connector seems water-proof, which is unneeded if it is connected inside the car interior.

quince:

--- Quote from: gluckmaker on April 21, 2024, 05:17:38 am ---I also bought 2 of these damaged cameras for a fair price and would like to unlock them.

--- End quote ---

Whoever sold those to you is counting on you never figuring out the decryption keys.

gluckmaker:

--- Quote from: quince on April 21, 2024, 08:30:45 am ---Whoever sold those to you is counting on you never figuring out the decryption keys.

--- End quote ---
I don't think they know such words, they tell "the camera is OK, just glass broke" ;D

However, the modules are not affected, and the power boards were easy to repair. The most rotten parts are shutters, but I cleaned one of them - all steel, plastic parts and winding stay intact, only aluminum casing surface is damaged. Unfortunately, one lens has serious dents.

Navigation

[0] Message Index

[*] Previous page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod