Flir E4 Thermal imaging camera teardown

[Fraser]

A friendly word of warning:

When FLIR first released the E4, its firmware was not protected by encryption and I was advised that it was not illegal for a user to UPGRADE the camera by simple changes to the configuration files. That situation may have changed now that FLIR is encrypting their firmware to actively prevent upgrading. Carrying out a hack that cracks an encrypted product invites action from the OEM against any individual involved in creation of the hack, or the selling of hacked units. Sellers of hacked units on ebay beware !

I am not in a position to say more, but please consider this situation carefully before thinking of hacking the new E4 firmware. IMHO the upgrading of the E4 has run its course and ends with FW 1.22.

I also recommend that you do not post images from hacked cameras on the internet or provide any full serial numbers of such units. With regret, I will not be compiling any more serial number Vs firmware version details in my useful information thread.

Disclaimer: I do not work for, or represent FLIR. But I do have contacts and information sources in the trade.

Take Care

Aurora

[mikeselectricstuff]

its firmware was not protected by encryption and I was advised that it was not illegal for a user to UPGRADE the camera by simple changes to the configuration files. That situation may have changed now that FLIR is encrypting their firmware to actively prevent upgrading. Carrying out a hack that cracks an encrypted product invites action from the OEM against any individual involved in creation of the hack

How would encryption make any difference to legality or otherwise?
The original FW had a form of digital signature (CRC01) on it - the only difference is that it was possible (via service mode) to make the unit sign the file itself. 

[tsmith35]

freak_ge, hope you can read this. Life sucks, sometimes. Hope things work out for you. There are too many things to do in the world to worry about just one thing. Cheer up and move forward with your head held high. You've done much for many. Thank you.

[Taucher]

"Oh boy" - Flir could have quintrupled their sales and even not have to develop software themself...
Just provide some Open SDK and a reasonably priced module and the community will thrive (But I guess that's too much innovation to grasp at once).
Naturally this assumption could be wrong - time will show.

I was "looked on strange" (not to say I got ridiculed) when I claimed "Linux will become REALLY big" (1998 ff)... well, now it's the world's most widely used, dominant OS.
... oh, of cause - the guys at Google don't know what they are doing - and they are not making any profit either...

It might take some time, but sooner or later some competitor (if there is any) will decide that there's good money to be made with the hobbyist segment - hopefully we'll see where the game theory plays out.




(PS - Just in case somebody gets sued then I'd suggest to remember how "home-talking" the Flir tools are - they claim to not collect personal information, yet the machine and user name are sent over to the data collecting server in order to identify the user ... and there's more mud to find once somebody starts digging).

[ixfd64]

I don't see how encryption is anything more than a technical barrier. Several years ago, Texas Instruments unleashed its lawyers on people who cracked the signing keys of their graphing calculators. It didn't exactly end well for the company: http://en.wikipedia.org/wiki/Texas_Instruments_signing_key_controversy

[Fraser]

I am no lawyer and know little of the law regarding hacking. My thoughts were that if a manufacturer provides a product that has not been specifically protected against changing the configuration, then changing such is not an act for which a user may be pursued. Not sure how a CRC is considered in terms of a manufacturers intention to protect its product especially when they include the tools to re calculate it !CRC's are commonly used to detect defective data rather than a defence system. The passwords were also public domain from their own on-line documentation.

No move forwards a few months.... FLIR deliberately change their CRC to stop the upgrade. The change is flawed and the CRC was still able to be calculated. No password changes. In short, not a very effective response by FLIR

Move forward a few more months..... FLIR release Firmware 2.1 and then 2.3. Both of these Firmware versions include a protection mechanism designed to be very hard to circumvent or 'crack'. the protection is true encryption using Public Private keys. Can there be any doubt that FLIR have got serious about stopping the upgrades ?

Place yourself in front of a Judge and consider the three stages above. In stages one and two I believe that it is the mildest form of hacking and could be described as hobbyist 'playing' with simple CRC calculations. Then consider stage 3. If you have been involved in cracking a public private key encryption, can there be any doubt that the the manufacturer did not wish you to access the configuration and took serious steps to prevent it. You would also have needed to enact an advanced form of hacking to circumvent or crack the encryption. The law may take the side of the OEM against you and who knows what that could mean.

I have absolutely no idea what, if anything FLIR would do if someone publicised a hack of the 2.1 and 2.3 firmware's but I would not wish to find out in person, as such acts can sometimes bring fire and brimstone down on the head of those involved. Not scare mongering, just a warning based upon recent actions by FLIR that have come to my attention.

Just be careful what you place in the public domain.

[GeoffS]

I thought you couldn't delete your own messages if they are very old ? Doesn't it take an admin to do that ? Or am I mistaken ?

You can remove any of your own posts unless it's the first post in a thread i.e a thread you've started.

[mikeselectricstuff]

My thoughts were that if a manufacturer provides a product that has not been specifically protected against changing the configuration, then changing such is not an act for which a user may be pursued.
Not sure how a CRC is considered in terms of a manufacturers intention to protect its product

The old CRC01 was a specific measure to prevent changing configuration, and inclusion of the serial number prevents copying a config from a higher spec model.

No move forwards a few months.... FLIR deliberately change their CRC to stop the upgrade. The change is flawed and the CRC was still able to be calculated. No password changes. In short, not a very effective response by FLIR
Move forward a few more months..... FLIR release Firmware 2.1 and then 2.3. Both of these Firmware versions include a protection mechanism designed to be very hard to circumvent or 'crack'. the protection is true encryption using Public Private keys. Can there be any doubt that FLIR have got serious about stopping the upgrades ?

No, but I can't see that it has any bearing on any legal issues.
I own it. I agreed to no license agreement on purchase. I can do what I want with it.
May be different in the US where they have industry-sponsored legislation like the DMCA, though it's questionable to what extent this would apply in this situation as it has no relation to copyright infringment or copying.

Place yourself in front of a Judge

On what charge?

and consider the three stages above. In stages one and two I believe that it is the mildest form of hacking and could be described as hobbyist 'playing' with simple CRC calculations. Then consider stage 3. If you have been involved in cracking a public private key encryption, can there be any doubt that the the manufacturer did not wish you to access the configuration and took serious steps to prevent it. You would also have needed to enact an advanced form of hacking to circumvent or crack the encryption. The law may take the side of the OEM against you and who knows what that could mean.

I can't see how the degree of protection, or level of incompetence in the design of any protection has any bearing on legality. It was always protected, and it has always been clear that they did not intend it to be possible to hack. All they've done over time is plugged some unintended holes.

I have absolutely no idea what, if anything FLIR would do if someone publicised a hack of the 2.1 and 2.3 firmware's but I would not wish to find out in person, as such acts can sometimes bring fire and brimstone down on the head of those involved.

Or backfire spectacularly - the Striesand Effect

Nobody can know what goes on in their heads, but the fact is that if there is still a flaw in the protection (and I'm not aware that anyone has taken a serious look yet), there's a good chance someone will find it, and it will become public. Any attempt to suppress it will just cause the Striesand effect to kick in.

The stupid thing is that it would have been so easy for them to make it completely unhackable months ago, and if there is still a way in then they only have themselves to blame.   

[uski]

Hi,

If you have been involved in cracking a public private key encryption, can there be any doubt that the the manufacturer did not wish you to access the configuration and took serious steps to prevent it. You would also have needed to enact an advanced form of hacking to circumvent or crack the encryption. The law may take the side of the OEM against you and who knows what that could mean.

Come on. Of course, it depends of the country you are in. But generally speaking :
- The fact that the manufacturer "did not wish" us to access this information is irrelevant.
- The fact that they took serious steps to prevent it is irrelevant. Reverse engineering is even allowed by law in some countries.
- The fact that you are doing something bad for the business of the manufacturer is irrelevant.
- The fact that they are loosing money is irrelevant too.

The law and judges are not there to protect business strategies and business revenues by themselves.

However, companies may use their money and size to try to intimidate people. It's a bit like terrorism : even if your requests are not 100% legit, you try to make people do what you want by using fear. That can work. It can also backlash (as shown with the example from TI - but there are many other examples, see the Sony DRM story for an example).

Even if FLIR does manage to get the sale of hacked units to stop (I suspect many customers of hacked units are in fact very happy customers !), even if they do manage for the information to disappear from the Internet (which would piss people off), there is already a lot of people who are informed of all this stuff and who will remember it. And many those people are mostly FLIR customers.

Time will tell what will happen to FLIR. In my eyes, they look more and more like a big company struggling to keep their profits using questionable business practices, and less and less like a respectable company acting in good faith for the benefit of their customers.

And I have no problem publishing my opinion in public domain. Free speech.

While we're speculating about law, I'm wondering if FLIR actions by themselves could not be subject of a legal action too. I'm not sure selling crippled hardware is legal everywhere, especially with such a price difference for the same hardware, a price difference which can not really be justified by differences in the software.

And I think customers who bought a full-priced E8 must be very unhappy when they learnt that the E4 hardware can do the same for like 6x times less. FLIR might think that those customers are unhappy because of the hack. But even if there was no hack, no upgrade possibility, those customers would still be unhappy. They've been induced to pay a huge premium. They might feel cheated : I would feel cheated.

[EDIT] I also believe that the sale of hacked unit is legal, as long as the customer precisely knows what he is buying, of course.
Actually I believe that someone buying a hacked E4 from an eBay seller knows more what he's buying than someone buying a crippled E4 from FLIR... which customer is being cheated on ? Which seller is lying the most about the capabilities of the product ? Think about it.
Aurora, you think that a judge might fall in the side of FLIR. I think he might also laugh about their practices. It all depends of the country I believe.

uski

[miguelvp]

We are getting off topic but I'll leave this for your perusal:

http://en.wikipedia.org/wiki/Anti-circumvention#Reverse_Engineering_and_Circumvention

Reverse Engineering and Circumvention

Sec. 103(f) of the DMCA (17 U.S.C. § 1201 (f) ) says that if you legally obtain a program that is protected, you are allowed to reverse-engineer and circumvent the protection to achieve the ability the interoperability of computer programs (i.e., the ability to exchange and make use of information). The section states:

(f) Reverse Engineering.— (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title. (2) Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title. (3) The information acquired through the acts permitted under paragraph (1), and the means permitted under paragraph (2), may be made available to others if the person referred to in paragraph (1) or (2), as the case may be, provides such information or means solely for the purpose of enabling interoperability of an independently created computer program with other programs, and to the extent that doing so does not constitute infringement under this title or violate applicable law other than this section. (4) For purposes of this subsection, the term "interoperability" means the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.

This doesn't mean you can crack the code to enable features but you can to be able to exchange information with other programs that otherwise you would be prevented to do.

Edit: but I'm no lawyer, so I don't know to what extent will this protect anyone. but to me it reads I can circumvent the protection to enable features written by myself and being able to publish my results for that purpose.

[uski]

We are getting off topic but I'll leave this for your perusal:

http://en.wikipedia.org/wiki/Anti-circumvention#Reverse_Engineering_and_Circumvention

(DMCA only applies in the USA)

Unless I don't read this properly (I'm not a lawyer), it gives cases where reverse engineering is explicitely allowed by law.
However, it does not forbid doing so in other cases. As Mike pointed out, a customer who lawfully bought a FLIR Ex has not signed anything preventing him from reverse engineering its software or hardware. And I am not aware of any legal provision that prevents someone from doing so.

[EDIT] Miguel I didn't see your last paragraph, sorry.

Also, it says it's about a "program". We're speaking about hardware. I don't know if the DMCA applies to its embedded program. It seems likely, but it's not 100% sure. I also believe that the spirit of this paragraph is to prevent companies from putting restrictions in the data format which is output by their software. I wonder if the fact of enabling the raw output of the sensor (raw resolution, reduction in noise added artificially) doesn't in fact help with interoperability and doesn't, in fact, follows the spirit of this paragraph (of course, depending of your country, this may or may not be taken into account by the judges).

By the way, I have heard of a program that will only process 320x240 images. The hack is needed for interoperability with this program.

This is not off topic. This is exploring the legal implications of what this thread is all about, and also being informed instead of pissing in our pants for no reason

Some people read this thread like bad hackers hacking software and hardware of a legitimate company who is a poor victim. I read it like normal people finding out that some company has been possibly cheating on its customers and finding how it's been done, and stopping it. Just my opinion. The fact that FLIR is, indeed, a legitimate company, doesn't mean that they are always right in what they do.

[Iphone_hack]

All this lawyer stuffs or regarding hacking a product
Didn't we see this constantly?
The biggest company in the world today can't even stop it.
Apple!
Couple weeks ago, Chinese team released jailbreak for iOS 7.1.2
That is hacking too

In my opinion it is so stupid when company try to stop things like that.
I bought the dam product, paid with my hard earn money.
I should be able to do anything I want

If company wants to prevent hacking, then hire better staff, or make more secure product

[miguelvp]

To play the devil's advocate some of those companies might dilute their IP by hackers forcing them to lay of employees and/or close doors because their pricing scheme is not viable anymore.

Sure you can claim that their efforts were not enough or that their hardware shouldn't be limited by their license. But there is still that side of the story specially on companies that can't afford a good cypher programmer or can't afford to protect their intellectual property.

[Fraser]

Many thanks to all for the comments. All very interesting 

The comments that FLIR are likely just trying scare tactics seems reasonable. As I stated, I am not familiar with the law regarding what has been achieved with the E4 firmware and I am not going to lose any sleep over it.

As previously stated, I am not trying to scaremonger, but thought the community should know that FLIR MAY be changing tactics. This is based only on information received and so could be unreliable. I have not seen any communications sent by FLIR to individuals or dealers, so do not know any content, or if they are even genuine. There is always the possibility that a HOAX is being played out here 

No harm in being careful though 

Aurora

[uski]

The comments that FLIR are likely just trying scare tactics seems reasonable. As I stated, I am not familiar with the law regarding what has been achieved with the E4 firmware and I am not going to lose any sleep over it.

You seem to say that FLIR is actively fighting people involved in the hack.

I do believe that a big company sending lawyers after people is indeed using scare tactics, if they don't do any public communication beforehand. Until someone with a good lawyer or some experience in that actually goes to court and fight back.
And here comes the Streisand effect (the company may be right or wrong - doesn't matter).

It will be interesting to see how it plays out in the long term. I'm a bit sorry that FLIR acts this way. They could have taken the opportunity to open their platform and let the talented people they are fighting improve their products. Instead, they close it down. Too bad

[Fraser]

The evidence that FLIR are changing tactics will likely come from e*ay auctions. If the 'upgraded' E4 auctions disappear it is likely that FLIR will have lodged a complaint against them. The auctions are the easiest to shut down rather than chasing buyers or users of the upgraded cameras. If we do not see the disappearance of the auctions, then I will call HOAX on the whole matter as it would make no sense at all.

It's a case of wait and see. I have no evidence that FLIR is carrying out a campaign against individual users. FLIR may just be trying to close down the upgraded camera sellers. remember that web site that was offering an E4 upgrade service ?  It disappeared for reasons unknown.

Aurora

[jjmmss00]

Hi all,

I hate to distract from the interesting legal discussion, but I was hoping that someone could help me out with a more practical problem. I have been having a hard time making some of the scripts described earlier work properly (see reply 2396 by thomas123) .

Starting out with an E4 image FLIR0108.jpg, I ran the following command:

exiftool -b -RawThermalImage FLIR0108.jpg > t1.png

and got t1.png (so far so good). Then I ran:

convert t1.png gray:- | convert -depth 16 -endian msb -size 320x240 gray:- t2.png
and
convert t2.png -auto-level t3.png

looking at t2 and t3, things don't seem to be working. Can anyone see a problem?

thanks

[tomas123]

your byte switching doesn't work

- use the Q16 version of imagemagick !!

>convert -version
Version: ImageMagick 6.8.8-5 Q16 x64 2014-02-08 http://www.imagemagick.org[/url

your sample

Code: [Select]

>convert t1.png gray:- | convert -depth 16 -endian msb -size 320x240 gray:- t2.png
>convert t2.png -auto-level t3.png

mystery: your t2.png is 16 Bit

Code: [Select]

>identify t2.png
t2.png PNG 320x240 320x240+0+0 16-bit sRGB 110KB 0.000u 0:00.000
with a Q8 version of IM I got

Code: [Select]

>C:\util\ImageMagick-6.8.9-Q8\convert.exe t1.png gray:- | convert -depth 16 -endian msb -size 320x240 gray:- t2b.png

>identify t2b.png
t2b.png PNG 320x240 320x240+0+0 8-bit sRGB 256c 60KB 0.000u 0:00.000

• reinstall imagemagick
• there are another byte switching methods - see my thread here:
  http://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=24818

[uski]

Hi

The evidence that FLIR are changing tactics will likely come from e*ay auctions. If the 'upgraded' E4 auctions disappear it is likely that FLIR will have lodged a complaint against them.

Those auctions are going to disappear anyway once the stock of 1.22.0 cameras will be depleted.

[jjmmss00]

Thomas123,

Thanks for testing my images with your software. I reinstalled Imagemagick, but am getting the same result. Note version:

$ convert -version
Version: ImageMagick 6.8.9-5 Q16 x64 2014-06-26 http://www.imagemagick.org

which seems slightly newer than your version, but probally doesn't make any difference. I couldn't find the windows version 6.8.8-5 on the imagmagick web.

Also I obtain:

$ identify t2.png
t2.png PNG 320x240 320x240+0+0 16-bit sRGB 110KB 0.000u 0:00.000


I am thinking that I should convert the .png file to a raw file and then reverse the bytes myself with a simple C/C++ program, and then convert it back to .png. I am working on that approach.

[ixfd64]

This thread just went from 350 to 349 pages. It seems more posts are still being deleted.

[Taucher]

Please note - the page count can be configured individually (I prefer longer pages *G*)
... but this is post #5235

Whoever decides to delete the own posts - I think that's their right (but an useless action anyway).

[seleo]

Hello,

I have a flir E4 that I was able to get with 1.22 firmware, that I was under the impression could still be modified

Did the resolution mods but having manual temperature range in camera would really help with the use of it.

The Menu mod page for Taucher says to avoid 1.21 or higher with beta 3.

What is the issue and could it be possible to mod menu for manual temperature with 1.22?

Thanks,

Seleo

[Taucher]

I can't test my menu-mod with more recent firmwares, but 1.21 and up contain additional checksums ... the most recent firmwares contain private/public key signatures... read up on this thread for details.

[tomas123]

Thomas123,

Thanks for testing my images with your software. I reinstalled Imagemagick, but am getting the same result. Note version:

$ convert -version
Version: ImageMagick 6.8.9-5 Q16 x64 2014-06-26 http://www.imagemagick.org

I rechecked your problem with a fresh self compiled version of IM on a mac

Code: [Select]

$ convert -version
Version: ImageMagick 6.8.9-1 Q16 x86_64 2014-07-08 http://www.imagemagick.org
and I get the same wrong image like you.
I think, there is a new bug in the begin of pipe "convert t1.png gray:- ".

But I wrote above, there is a new switch for byte changing, and it works fine (thanks to the PNG developer glennrp)

Code: [Select]

$ convert -define png:swap-bytes t1.png t2.png
$ convert t2.png -auto-level t3.pngtry it