Poll

Has the hackability of the E4 made you buy one:

Yes, I was already looking at the competition at a similar price, but the hack swung it to E4
274 (27.9%)
Yes, I'd not considered buying a TIC before, but 320x240 resolution at this price justifies it (as either tool or toy!)
444 (45.3%)
Yes, I was going to buy an E5/6/8 class of unit but will now get the E4
49 (5%)
No, but am looking out for a cheap i3 to hack
50 (5.1%)
Not yet, but probably will now that a closed-box hack becomes possible
164 (16.7%)

Total Members Voted: 803

Author Topic: Flir E4 Thermal imaging camera teardown  (Read 3769104 times)


Offline cricri103

  • Newbie
  • Posts: 4
  • Country: ca
  • Autozone
Re: Flir E4 Thermal imaging camera teardown
« Reply #8275 on: August 26, 2017, 07:52:52 am »
I made a mistake!!
My model is 1,2L
FW 3.5.0
March 2017
This is not the model 2L
Sorry :palm:
 

Offline scm

  • Newbie
  • Posts: 1
  • Country: ch
Re: Flir E4 Thermal imaging camera teardown
« Reply #8276 on: August 28, 2017, 10:01:26 am »
Hi


I try to hack the Flir E4. I made all steps from the guide successfully until the first FileZilla step. I can't connect to the camera. The Flir is in the RNDIS mode. I can ping the Flir so there should be a connection. I get this error in FileZilla:

Status: Connectiong attempt failed with "ECONNREFUSED - Connection refused by server."
Error: Could not connect to server



What can I do?

Best regards
scm

**edit 08.28.2017**
Now it worked. I've changed to a Windows XP PC.
« Last Edit: August 28, 2017, 01:50:21 pm by scm »
 

Offline groundhog

  • Newbie
  • Posts: 6
  • Country: ca
Re: Flir E4 Thermal imaging camera teardown
« Reply #8277 on: September 02, 2017, 11:17:21 pm »
[ This is a copy of a reply I made in the thread about the E4 wifi model, but the question is generally about converting between cfc and cfg files, so perhaps it might get a response here? ]

I've been trying to better understand cfccfg.py and cfccfg_V2.py.  I'm having difficulty decoding the conf.cfc file into a conf.cfg file, even when using what I believe to be the correct SUID value.  As a check, I tried to decode the conf.cfc file from DaveWB's "Stock Camera" zip file over in the E4 wifi thread (https://www.eevblog.com/forum/thermal-imaging/flir-e4-wifi-resolution-and-menu-hack-thread/), using the SUID value that DaveWB mentioned in that thread (22C7E4020050281A), and I get non-ASCII output in the conf.cfg file.  Specifically:

Code:
% python cfccfg.py 22C7E4020050281A conf.cfc conf.cfg1
% python cfccfg_V2.py 22C7E4020050281A conf.cfc conf.cfg2
% sha1sum conf.*
cc151985fdc0177f125e8420ced6df4a549ac021  conf.cfc
e3a3b0a4e89b6429cc2618ecb3581ab40230da79  conf.cfg1
3b59eb9f3fc0176acd6a652212a1ab1fcc06f359  conf.cfg2
% strings -n10 conf.cfg*
&YNbM(|(M:
&YNbM(|(M:

The conf.cfc file's SHA1 sum I believe corresponds to DaveWB's "Stock Camera" file, and the "strings" command shows that there's nothing remotely resembling the cfg file ASCII contents in the resulting output.  The differences in SHA1 sum of conf.cfg1 vs conf.cfg2 are because cfccfg_V2.py strips off the tail; the decoded contents up to the tail are identical (and non-ASCII).

What's super puzzling to me is that DaveWB reports that he got his file decoded using cfccfg, using the same SUID that I'm trying to use on his same file...  I get the same issue when trying to decode my own cfc file with my own SUID value (the same SUID value reported by the "suid" command and from "rls" output).

Any thoughts on what might be going wrong here?  Am I somehow calling cfccfg.py wrong?  Does the SUID need to be supplied in some other format?
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6877
  • Country: ca
Re: Flir E4 Thermal imaging camera teardown
« Reply #8278 on: September 03, 2017, 12:24:14 am »
I recall at earlier hacks there was a requirement for a particular version of Python software. Check if you are using the same version as the other person.
Facebook-free life and Rigol-free shack.
 

Offline eg14

  • Contributor
  • Posts: 26
Re: Flir E4 Thermal imaging camera teardown
« Reply #8279 on: September 03, 2017, 08:56:53 pm »
Does anyone know where one can obtain a modifiable E4 these days?
 

Offline groundhog

  • Newbie
  • Posts: 6
  • Country: ca
Re: Flir E4 Thermal imaging camera teardown
« Reply #8280 on: September 05, 2017, 02:41:08 am »
Thanks for the suggestion about the Python version.  Unfortunately, I couldn't find a Python version that works (and I'm a bit skeptical that the Python version matters).  I tried Python 2.6 (2.6.9) and 2.7 (2.7.12), and both gave the same results.  I also re-implemented the SHA1/RC4 logic from scratch, based on the description of the algorithm by tmbinc (https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg530520/#msg530520), and it also produced the same result as cfccfg.py.
 

Offline LTCAnonymous

  • Newbie
  • Posts: 1
  • Country: us
Re: Flir E4 Thermal imaging camera teardown
« Reply #8281 on: September 09, 2017, 05:49:42 pm »
Hello guys, if anyone can help me I would appreciate it. I have a Flir E4 1.1L with firmware 1.21.0 but am unable to complete the upgrade. Below is the original config file, if someone could modify it for me.
Thanks.
 

Offline stefbeer

  • Regular Contributor
  • *
  • Posts: 57
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #8282 on: September 09, 2017, 05:59:43 pm »
 
The following users thanked this post: LTCAnonymous

Offline SamLowryBrazil

  • Contributor
  • Posts: 21
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #8283 on: September 10, 2017, 12:00:06 am »
Yesterday I got a Flir e4 on ebay for £500, brand new from UK-based erontec. It is the Wifi version, so I knew that it is currently unhackable. If you were to give me betting odds, what are the chances of a hack before 2018? By the way, I was proud to think up the zinc selenide lens idea on my own, and then surprised to watch Mike's excellent video and realise it is old news!
« Last Edit: September 10, 2017, 12:02:36 am by SamLowryBrazil »
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6877
  • Country: ca
Re: Flir E4 Thermal imaging camera teardown
« Reply #8284 on: September 10, 2017, 04:32:53 am »
Thanks for the suggestion about the Python version.  Unfortunately, I couldn't find a Python version that works (and I'm a bit skeptical that the Python version matters).  I tried Python 2.6 (2.6.9) and 2.7 (2.7.12), and both gave the same results.  I also re-implemented the SHA1/RC4 logic from scratch, based on the description of the algorithm by tmbinc (https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg530520/#msg530520), and it also produced the same result as cfccfg.py.

I checked and this SUID does not properly decode the "stock camera" .cfc file. Seems it is from a different camera image.

EDIT: this SUID properly decodes the conf.cfc file supplied by user Boget in this post:
https://www.eevblog.com/forum/thermal-imaging/flir-e4-wifi-resolution-and-menu-hack-thread/msg1183379/#msg1183379

I found a few typos in that conf.cfc file, fixing which may help with the work on wi-fi version of the camera. Read my post here:
https://www.eevblog.com/forum/thermal-imaging/flir-e4-wifi-resolution-and-menu-hack-thread/msg1298737/#msg1298737
« Last Edit: September 10, 2017, 06:00:47 am by Bud »
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: groundhog

Online Fraser

  • Super Contributor
  • ***
  • Posts: 13145
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #8285 on: September 10, 2017, 11:43:09 am »
@Samlowrybrazil

Congratulations on buying an E4 and finding this forum.

The current situation is that FLIR have done what they likely wish they had done in the original E4 firmware.
They have significantly increased the difficulty in upgrading the camera's configuration files.

You need to read back in this thread's history to see how FLIR responded to the upgrade of the E4. They were limited in what could be done to the standard firmware build in terms of countermeasures. They applied basic protection that was circumvented by members of this forum. I should state, even these measures required the significant knowledge of some clever guys to get around them.

The original upgrade was relatively simple as the only challenge was to recalculate the CRC01 checksum for the modified configuration files. A clever forum member wrote the required CRC01 calculator and shared it with us. He deserves recognition for his work !

This first upgrade technique did not really qualify as a 'hack' of the camera. As FLIR placed ever more challenging barriers in the way of the upgrade, it began to edge into the world of hacking in order to beat these countermeasures. The defensive capabilities of the early firmware and hardware were not that great however and clever people found ways to still upgrade the camera configuration files.

Now jump to 2017 and the release of FLIR's Wi-Fi equipped Ex series. Both 2017 Wi-Fi and non Wi-Fi capable Ex series cameras use the same hardware platform and firmware. With this new version of the Ex series, FLIR have put some decent effort into thwarting attempts to upgrade the cameras. Changes to the firmware are no longer a 'simple' case of calculating CRC01 and CRC03 values. The camera appears to now be protected using public-private key encryption.

If you are not familiar with P-P encryption you may wish to google it to see how effective it can be. This is not the place for an encryption lesson. If I were just to say that even Governments hate P-P encryption, that is done well, you will understand the challenge that the 'front door' security of the Ex series now presents. There are sometimes ways to circumvent encryption via a back door that provides access to what is needed but you are well and truly into hacking territory now.

The two vulnerabilities that the Ex series camera still exhibits are its use of Win CE and the fact that physical access to the hardware is still unprotected from hacking. These vulnerabilities would take significant effort and knowledge to exploit though.

Basically, if FLIR have indeed gone down the route of P-P encryption, and have done it properly, had it penetration tested, and it has passed the tests without P-P key vulnerabilities, the E4 2017 model will likely remain unhacked for a very long time ! 

A way around the current situation would be to gain access to the hardware, meaning the chipset, and then placing a cloned copy of an earlier E4 camera onto the platform. This is a VERY significant challenge as all flash memory areas need to be accessed to complete the cloning operation. All the original calibration data would be lost and the camera would need to be recalibrated and a new dead pixel map created. I am not saying this cannot be done, but it is more effort than the camera is worth. Better to buy a used E4 that can be upgraded.

I own two E4 cameras that are running the excellent, and very upgrade friendly firmware 1.19. Firmware 1.19 even has the excellent service menu for dead pixel map updating present in it (later removed by FLIR). Both are upgraded to E8+ spec  ;)  I will be selling one of them as I now have an E60+. If anyone is interested, let me know :). .... end of advert !

Fraser
UK
« Last Edit: September 10, 2017, 11:54:20 am by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 
The following users thanked this post: SolderSucker

Online Fraser

  • Super Contributor
  • ***
  • Posts: 13145
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #8286 on: September 10, 2017, 12:15:33 pm »
P-P cryptography explained.....

https://en.m.wikipedia.org/wiki/Public-key_cryptography?sa=X&sqi=2&ved=0ahUKEwid8YjIy5rWAhWiJsAKHWyaB9wQ9QEIGTAA

Done properly at all levels, hardware and software, it is VERY resilient against cracking  ;)

Fraser
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Online Fraser

  • Super Contributor
  • ***
  • Posts: 13145
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #8287 on: September 10, 2017, 01:04:37 pm »
I have made a decision...... shock, horror, I am going to sell a thermal camera rather than buy one  ;D

I will be advertising my used, spare E4 in the For Sale area of this forum later today. It is running its original 1.19 firmware (the best version in my opinion) so it has the nice service menu and easy reconfiguration needing only FileZilla and the CRC01 calculator provided in this thread. It is so easy to enable and disable features on this firmware.

My unit has already been upgraded by me to the E8+ spec and it has the extra menus as well  :) Fully operational with battery, charger, USB lead,  hard case and original documents.

If you are interested, you can PM me or wait to see the advert and pictures later. I am still considering how much to ask for it and welcome offers. If I like the offer, it will not even get to the for sale area ! This is NOT a silent auction though ! I will be fair to all.

Fraser
Milton Keynes UK
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline SamLowryBrazil

  • Contributor
  • Posts: 21
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #8288 on: September 10, 2017, 02:35:59 pm »
Thank you very much, Fraser!
I know very little about electronics and nothing about programming, so I try my best to decipher the technical stuff on this forum! It's a shame that the e4 can no longer be upgraded to its full potential; I was considering getting one a year or two ago for £750-850. Now I know this is why one other Ebayer made only one bid and let me have it for £500!

The Flir hasn't arrived yet, but I also bought 2x ZnSe 50mm focal length, 2x 63.5mm, and 2x 100mm lenses. They were £10 each on Amazon and shipped from the UK. I'll have fun playing around with them for macro, but what are my chances of making something telescopic? I have heard it is almost impossible for an amateur. I don't mind about an inverted image, but is the problem too few lenses or mirrors or the type of these cheap laser cutter lenses?
 

Online Fraser

  • Super Contributor
  • ***
  • Posts: 13145
  • Country: gb
« Last Edit: September 10, 2017, 03:11:46 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline groundhog

  • Newbie
  • Posts: 6
  • Country: ca
Re: Flir E4 Thermal imaging camera teardown
« Reply #8290 on: September 12, 2017, 03:18:22 pm »
Thank you for tracking down the conf.cfc file that corresponds to DaveWB's SUID.  It's good to have a confirmed example of a conf.cfc file that properly decodes -- I'm able to decode it just fine now with cfccfg.py!

Now I just need to figure out why my camera's conf.cfc does not decode with the SUID value that my camera reports..

On my camera, running the "suid" command via telnet, or looking up the suid value with "rls -l -r" under .version.SUID, produces a 16-byte string (the same string both from "suid" and "rls -l -r"), but cfccfg.py produces garbage output when decoding any of the 3 conf.cfc files from my camera's FlashFS image (in appcore.d, ui.d, and services.d) that I downloaded via FTP (both with filezilla, and directly downloading an individual file with command-line ftp).

Any guesses off-hand as to what I might be missing here?  The camera is running 2.11.
 

Offline groundhog

  • Newbie
  • Posts: 6
  • Country: ca
Re: Flir E4 Thermal imaging camera teardown
« Reply #8291 on: September 12, 2017, 03:50:59 pm »
One thing I should have mentioned earlier is that my camera is an E6.  So far, it seemed identical to the E4 as far as the DLL modifications were concerned, but perhaps the decoding algorithm for .cfc files is slightly different on the E6 as opposed to the E4?

Overall, the E6 .cfc files seem similar enough, and @tmbinc generated a diff for the E6 conf.cfc file a while back (https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg816257/#msg816257).

One thing that seemed suspicious is the "2A00" tail constant used in cfccfg.py.  I thought maybe "2A00" is specific to the E4 camera, and I tried iterating over all possible 1-byte and 2-byte tail values, but nothing produced a sensible conf.cfg file.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6877
  • Country: ca
Re: Flir E4 Thermal imaging camera teardown
« Reply #8292 on: September 12, 2017, 05:58:41 pm »
Sorry, I know nothing about E6...  :(
Facebook-free life and Rigol-free shack.
 

Offline groundhog

  • Newbie
  • Posts: 6
  • Country: ca
Re: Flir E4 Thermal imaging camera teardown
« Reply #8293 on: September 14, 2017, 03:11:32 am »
Well, embarrassingly enough, turned out the problem was that my camera was 1.1L (not 1.2L), even though it was running software version 2.11.0.  Which meant that I should have used the older ftool to decode and re-encode the .cfc files.  I didn't quite realize that 1.1L cameras used the older conf.cfc encoding format regardless of firmware version.  Now I know. :-)
 

Online Fraser

  • Super Contributor
  • ***
  • Posts: 13145
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #8294 on: September 14, 2017, 10:18:10 am »
Groundhog,

You got lucky. Your camera has obviously been updated to the newer firmware at some point in its life. Other owners had the same situation after returning their camera to FLIR for calibration or rework. FLIR like to install the latest firmware in any camera they receive. Those owners discovered, as you have, that it was possible to revert the camera to an earlier firmware version again and that not all the countermeasures were present in their cameras due to the earlier hardware version/bootloader (?)

Well done for working this out and getting the upgrade working.

Fraser
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline tmbinc

  • Regular Contributor
  • *
  • Posts: 249
Re: Flir E4 Thermal imaging camera teardown
« Reply #8295 on: September 28, 2017, 04:29:54 pm »
(As a side note, 2.3 already used public key cryptography to sign the configuration files, and had a chain-of-trust by verifying the hashes of everything that they boot. They just messed it up when they didn't implement MD160 correctly because they assumed "char" is an unsigned type - which it is on some compilers - but in fact it was signed. That allowed patching files without changing their hash, and in turn allowed removing the signature requirement for cfc files)
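
The signed-`char` mistake tmbinc describes, shown as an added illustration that is not from the post and is not FLIR's code: a little-endian word loader fed signed bytes, next to the unsigned fix and a regression check. The loader shape, `toy_digest` (a stand-in mixer, not the camera's hash) and the sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Sign-extend one byte the way a signed char is promoted to int. */
#define SEXT(b) ((uint32_t)(int32_t)(b))

/* Buggy: little-endian word built from signed bytes. Any byte >= 0x80
   becomes 0xFFFFFFxx, so the OR sets every bit above it and the higher
   bytes of the word no longer influence the result. */
static uint32_t load_le32_signed(const signed char *p)
{
    return SEXT(p[0]) | (SEXT(p[1]) << 8) |
           (SEXT(p[2]) << 16) | (SEXT(p[3]) << 24);
}

/* Fixed: bytes are read as unsigned before widening. */
static uint32_t load_le32_unsigned(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in mixing step (FNV-1a style over 32-bit words). It is NOT the
   camera's hash; it only makes the effect of the loader visible. */
static uint32_t toy_digest(const void *data, size_t len, int use_signed)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t w = use_signed
            ? load_le32_signed((const signed char *)data + i)
            : load_le32_unsigned((const unsigned char *)data + i);
        h = (h ^ w) * 16777619u;
    }
    return h;
}

/* Constructed sample data: the two buffers differ only in the three bytes
   that follow 0x80 in the first word. */
static const unsigned char file_a[8] = {0x80, 0x11, 0x22, 0x33, 'c', 'o', 'n', 'f'};
static const unsigned char file_b[8] = {0x80, 0xAA, 0xBB, 0xCC, 'c', 'o', 'n', 'f'};

/* Regression check for a loader: a vector containing a high-bit byte must
   round-trip. Vectors made only of ASCII bytes cannot catch the bug. */
static int loader_is_sign_safe(int use_signed)
{
    static const unsigned char v[4] = {0x80, 0x01, 0x02, 0x03};
    uint32_t w = use_signed ? load_le32_signed((const signed char *)v)
                            : load_le32_unsigned(v);
    return w == 0x03020180u;
}

int main(void)
{
    /* Signed loader: different data, same digest. Unsigned: digests differ. */
    int collide = toy_digest(file_a, 8, 1) == toy_digest(file_b, 8, 1);
    int differ  = toy_digest(file_a, 8, 0) != toy_digest(file_b, 8, 0);
    return (collide && differ &&
            !loader_is_sign_safe(1) && loader_is_sign_safe(0)) ? 0 : 1;
}
```

For anyone reviewing a hash that gates a chain of trust, the useful check is the last one: run the implementation against inputs containing bytes of 0x80 and above and compare with a known-good library.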
 

Offline sof1980

  • Newbie
  • Posts: 2
  • Country: ua
Re: Flir E4 Thermal imaging camera teardown
« Reply #8296 on: September 28, 2017, 07:31:19 pm »
Good day to all
I'm a newbie. Sorry for my questions.
I am going to buy a used Flir E4 and hack it to E8.
But where can I see the firmware version in the Flir E4?
And how can I know whether it is 1.2L or 1.1L?
Thanks
 

Offline miliskot17

  • Newbie
  • Posts: 2
  • Country: cz
Re: Flir E4 Thermal imaging camera teardown
« Reply #8297 on: September 29, 2017, 10:35:37 am »
Will anyone advise me on hacking the FLIR E5 version 2.0L, firmware 3.5.0? Does anyone have a way to hack it? I would need files to hack this version. Thanks for the advice.
 

Offline miliskot17

  • Newbie
  • Posts: 2
  • Country: cz
Re: Flir E4 Thermal imaging camera teardown
« Reply #8298 on: September 29, 2017, 10:39:29 am »
Hello everybody!!!

I bought a Flir E5 a few days ago, and only yesterday I found through this forum that I can hack it....
I did not resist for long...
The thermographic camera has fw 2.11
I followed this http://fubar.gr/hacking-the-flir-e4/ , with the files indicated here https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg921880/#msg921880,
res and menu hacked!  :-+ Thanks to all those who have worked for this wonderful hack!!!!!
Now everything seems to work fine except this screen appeared 2 times.
I turned it off and on again.
Is the error serious?
What can it be?
Do you advise me to put everything back to the original?

I hope this will be of help to other people with an E5 2:11


Will anyone advise me on hacking the FLIR E5 version 2.0L, firmware 3.5.0? Does anyone have a way to hack it? I would need files to hack this version. Thanks for the advice.
 

Online Fraser

  • Super Contributor
  • ***
  • Posts: 13145
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #8299 on: September 29, 2017, 11:10:23 am »
Please check out the Ex series Wi-Fi 2017 model thread.

https://www.eevblog.com/forum/thermal-imaging/flir-e4-wifi-resolution-and-menu-hack-thread/

No hack at this time.

Fraser
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

