Poll

Has the hackabiliy of the E4 made you buy one :  

Yes, I was already looking at the competition at a similar price, but the hack swung it to E4
256 (27%)
Yes, I'd not considered buying a TIC before, but 320x240 resolution at this price justifies it (as either tool or toy!)
436 (46%)
Yes, I was going to buy an E5/6/8 class of unit but will now get the E4
46 (4.9%)
No, but am looking out for a cheap i3 to hack
47 (5%)
Not yet, but probably will if now that a closed-box hack becomes is possible
162 (17.1%)

Total Members Voted: 781

Author Topic: Flir E4 Thermal imaging camera teardown  (Read 2963430 times)

0 Members and 2 Guests are viewing this topic.

Offline funzt

  • Contributor
  • Posts: 12
Re: Flir E4 Thermal imaging camera teardown
« Reply #1825 on: November 27, 2013, 01:35:31 pm »
Hello,
I need the flir eeprom unlocked, it needs password  |O
anyone unlooked it yet?

cant find it, please please help me
thx!
Instead of just asking for unlocking the Eeprom it would be more helpful if you post what you have done with your E30, what worked and what worked not, where you had problems and how you solved them. Exactly what Mike and Taucher and others were doing. Then you will get much more feedback from many more people as they are interested in solving a challenge.
Look how the E4 hack worked ... many people provided little peaces of helpful (and sometimes not helpful) information - and together the 320x240 and the menu hack were possible.


Im not yet ready with my E30, WLAN doesnt work, 0-650°C doesnt work, aso...

but 320x240 works now.... :-+ I did same as mike does with conf.cfg nothing new...

I rent a E60 for one day, so Im in a hurry.....and want to reed its eeprom to get closer
what else do we need from it? BUT I will not tear it down!

Im not a PC crack, I normaly work with wood!
So any help for me? :box:
 

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf
Re: Flir E4 Thermal imaging camera teardown
« Reply #1826 on: November 27, 2013, 01:49:36 pm »
I rent a E60 for one day, so Im in a hurry.....and want to reed its eeprom to get closer what else do we need from it?

use rls in recursive mode and dump ALL settings to a file (use FlashIFS) - takes several minutes with
Code: [Select]
rls -rl > \FlashIFS\allsettings-yourcameratype.txt

EDIT: taking a copy of all available files via FTP will probably also be a good idea

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2030
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1827 on: November 27, 2013, 01:55:14 pm »
I rent a E60 for one day, so Im in a hurry.....and want to reed its eeprom to get closer what else do we need from it?

use rls in recursive mode and dump ALL settings to a file (use FlashIFS) - takes several minutes with
Code: [Select]
rls -rl > \FlashIFS\allsettings-yourcameratype.txt

EDIT: taking a copy of all available files via FTP will probably also be a good idea
Gets my vote.  :-+ Both the full resource dump and the full download of all files has useful tidbits in it.
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 674
Re: Flir E4 Thermal imaging camera teardown
« Reply #1828 on: November 27, 2013, 02:00:51 pm »
 :'(
So any help for me? :box:
O0 Peace!
As the former posters say: make full backup of all files with an FTP tool such as Filezilla.
If you need details for this: just send a PM and I will write down all needed steps.
Save these files/folders in one new folder and never touch them - make edits only to a copy of the whole directory.

Question: never tried this: rls -rl > \FlashIFS\allsettings-yourcameratype.txt
Will it also read out the Eeprom?
 

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf
Re: Flir E4 Thermal imaging camera teardown
« Reply #1829 on: November 27, 2013, 02:09:01 pm »
Question: never tried this: rls -rl > \FlashIFS\allsettings-yourcameratype.txt
Will it also read out the Eeprom?
Short: nope

as far as I remember mike stated something (like) that the eeprom is just beeing used to store the camera SN, model name etc.
... but we have seen that inside appcore that data is taken into account when enabling features - so a full dump of the eeprom could be interesting - did anybody already make a script/commandset for that? :)

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2030
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1830 on: November 27, 2013, 02:09:21 pm »
Question: never tried this: rls -rl > \FlashIFS\allsettings-yourcameratype.txt
Will it also read out the Eeprom?

No. It will make a full dump of all the entries in the resource tree. Incidentally, rls -rll will show even a bit more detail.

Also, you can use user root and password 3vlig when running those commands. This does result in a different response for some entries, but so far I have not been able to do anything useful with it. Just thought I'd mention it in case someone else want to mess with the resource tree.
 

Offline MrSquirrel

  • Contributor
  • Posts: 34
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #1831 on: November 27, 2013, 02:11:55 pm »
I rent a E60 for one day, so Im in a hurry.....and want to reed its eeprom to get closer what else do we need from it?

use rls in recursive mode and dump ALL settings to a file (use FlashIFS) - takes several minutes with
Code: [Select]
rls -rl > \FlashIFS\allsettings-yourcameratype.txt

EDIT: taking a copy of all available files via FTP will probably also be a good idea
Gets my vote.  :-+ Both the full resource dump and the full download of all files has useful tidbits in it.

Yes! Please copy off the entire folder structure - everything to your local PC.

What FTP client are you using and we can explain how to do this.

The OS on the Exx will have extra bits & pieces included with the build that are not present on the Ex or in the firmware updates (which are just application updates, not the full OS).
 
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2030
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1832 on: November 27, 2013, 02:13:09 pm »
so a full dump of the eeprom could be interesting - did anybody already make a script/commandset for that? :)

Not me. I tried to use i2c.exe to read out the eeprom, but all I got was FF entries. So I was probably doing something wrong there.

Is there an example i2c.exe command that does read out something meaningful? I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. :P I like my magic smoke on the inside.
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2030
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1833 on: November 27, 2013, 02:19:52 pm »
Come to think of it, please do both:

Code: [Select]
rls -rl > \FlashIFS\allsettings-yourcameratype.txt
rls -rll > \FlashIFS\allsettings-yourcameratype-full.txt

For some entries the full (-ll) listing does give a bit of extra info. And for all the others it's noise. But since you only have it for a day, and it doesn't take you any extra time ... please run both. It would be a bit silly to find out afterwards that we would have liked the extra detail on some field in the resource tree. :P

As for ftp clients ... winscp is pretty handy. Put it in ftp mode, and connect to 192.168.0.2. Login with user=flir, pass=3vlig. Then you simply select your destination folder on the left, and do select all on the right side (source). Press F5 to recursively copy the lot...
 

Offline MrSquirrel

  • Contributor
  • Posts: 34
  • Country: gb
Re: Flir E4 Thermal imaging camera teardown
« Reply #1834 on: November 27, 2013, 02:21:10 pm »
Question: never tried this: rls -rl > \FlashIFS\allsettings-yourcameratype.txt
Will it also read out the Eeprom?
Short: nope

as far as I remember mike stated something (like) that the eeprom is just beeing used to store the camera SN, model name etc.
... but we have seen that inside appcore that data is taken into account when enabling features - so a full dump of the eeprom could be interesting - did anybody already make a script/commandset for that? :)

Yes, and it appears that all of the data in the EEPROM appears to be editable from via the service menu via the web server.
 

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf
Re: Flir E4 Thermal imaging camera teardown
« Reply #1835 on: November 27, 2013, 02:23:10 pm »
... I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. :P I like my magic smoke on the inside.

Would you mind taking some hi-res images of the inside/PCB?
I'd like to check if there's some pre-defined place for the identified gyro/compass sensor-chips :)

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12401
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #1836 on: November 27, 2013, 02:23:32 pm »
so a full dump of the eeprom could be interesting - did anybody already make a script/commandset for that? :)

Not me. I tried to use i2c.exe to read out the eeprom, but all I got was FF entries. So I was probably doing something wrong there.

Is there an example i2c.exe command that does read out something meaningful? I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. :P I like my magic smoke on the inside.
It may need some probing to find what I2C device address the eeprom lives at, normal values would be addresses A0 to AE in steps of 2 - I think I2c.exe will give an error or message for an un-acked device address.
You may also need to guess the size - the easiest way is usually to read a big chunk and look for the address wraparound.

Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2030
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1837 on: November 27, 2013, 02:32:12 pm »
... I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. :P I like my magic smoke on the inside.

Would you mind taking some hi-res images of the inside/PCB?
I'd like to check if there's some pre-defined place for the identified gyro/compass sensor-chips :)

I'll see what I can manage with my decidedly NON hi-res collection of who-the-hell-cares photography equipment. ;)
As an aside, didn't Mike's teardown vid show those unpopulated pads?
 

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12401
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #1838 on: November 27, 2013, 02:36:58 pm »
... I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. :P I like my magic smoke on the inside.

Would you mind taking some hi-res images of the inside/PCB?
I'd like to check if there's some pre-defined place for the identified gyro/compass sensor-chips :)

I'll see what I can manage with my decidedly NON hi-res collection of who-the-hell-cares photography equipment. ;)
As an aside, didn't Mike's teardown vid show those unpopulated pads?
I don't recall any unpopulated chips, but there was an unpopulated  FFC and one other, possibly a board-stack connector.
Anything on the PCB would be shielded by the internal metal frame and LCD casing, so either the module, or at least the antenna would need to be outside the metal area.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2030
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1839 on: November 27, 2013, 02:37:34 pm »
It may need some probing to find what I2C device address the eeprom lives at, normal values would be addresses A0 to AE in steps of 2 - I think I2c.exe will give an error or message for an un-acked device address.
You may also need to guess the size - the easiest way is usually to read a big chunk and look for the address wraparound.

Ah okay. I thought you maybe had some working i2c.exe commands since you said:

You can edit the eeprom via the I2C command. The test mode seems to implement some simple access control but not looked at this.
EEPROM records are protected by a simple 16 bit checksum - this is documented fairly early in this thread

I'm not entirely sure what the eeprom unlock password in the service mode would have to do with anything. I mean, if you can just read (and write!) eeprom using i2c.exe. That said, I would expect the eeprom to be write-able directly on the SCL/SDA wires. As in bypassing any flir applications, but just toggling the wires yourself. Best done with the application killed. :P

 

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf
Re: Flir E4 Thermal imaging camera teardown
« Reply #1840 on: November 27, 2013, 02:42:09 pm »
... I'd try it right now, but it's opened up and I'd rather not power it right now until I check a few things. :P I like my magic smoke on the inside.

Would you mind taking some hi-res images of the inside/PCB?
I'd like to check if there's some pre-defined place for the identified gyro/compass sensor-chips :)

I'll see what I can manage with my decidedly NON hi-res collection of who-the-hell-cares photography equipment. ;)
As an aside, didn't Mike's teardown vid show those unpopulated pads?
Yes, and he panned around most of the time - I greatly appreciate his teardown, but I really wished there was more light during the teardown filming and less "speed" while turning things... many frames are pretty motion-smeared :)

@Mike - I think there were unpopulated areas and pads ... will review the teardown again...

Offline funzt

  • Contributor
  • Posts: 12
Re: Flir E4 Thermal imaging camera teardown
« Reply #1841 on: November 27, 2013, 02:46:19 pm »
I rent a E60 for one day, so Im in a hurry.....and want to reed its eeprom to get closer what else do we need from it?

use rls in recursive mode and dump ALL settings to a file (use FlashIFS) - takes several minutes with
Code: [Select]
rls -rl > \FlashIFS\allsettings-yourcameratype.txt

EDIT: taking a copy of all available files via FTP will probably also be a good idea


I took the files via filezilla :-+
but the rls thing ??? inside cmd promt? telnet promt doesnt work.... :--

the eeprom pasword is needed in service menu!
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 674
Re: Flir E4 Thermal imaging camera teardown
« Reply #1842 on: November 27, 2013, 02:51:13 pm »
Quote
but the rls thing inside cmd promt? telnet promt doesnt work....
What windows version are you using?
Probably you have not installed it yet. It is easy to do: Press F1 on the desktop to enter Windows help. Then enter 'Telnet' and you will be given some instructions how to enable it.
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2030
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1843 on: November 27, 2013, 02:55:41 pm »
I took the files via filezilla :-+
but the rls thing ??? inside cmd promt? telnet promt doesnt work.... :--

If you can ftp, then you have tcp/ip connection. So I will read "telnet prompt doesnt work" as "telnet client not present or no workey"
In which case the solution is:
1) install + run putty.exe from this here download page
2) select telnet mode
3) connect to 192.168.0.2 (or the same ip you used for ftp)

And then run those rls commands.

Edit: Also, since you didn't attach the files ... by way of sanity check, how many files did you get? Just to be sure you got it all. Would be a shame to find out later you didn't recursively grab everything, what with this being a rental and all.
« Last Edit: November 27, 2013, 02:59:29 pm by mrflibble »
 

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf
Re: Flir E4 Thermal imaging camera teardown
« Reply #1844 on: November 27, 2013, 02:59:10 pm »
PW seems to be no big deal:
Code: [Select]
function EEPromIsUnlocked()    {        return restree.getResourceValue("system.eeprom.unlock") == "Unlocked" ? true : false;    }

function PrintEEPromControls()    {
        var EEPromStatusText = restree.getResourceValue("system.eeprom.unlock");
        var EEPromMakeUnlockCmd = !EEPromIsUnlocked();
        Response.Write('<INPUT id="ee_unlock" type="submit" name="ee_unlock" value="Unlock">');
        Response.Write('&nbsp;&nbsp;Password&nbsp;<INPUT id="ee_pw" type="password" name="ee_pw" value="">&nbsp;');
}

function EEPromLockActions()    {
        if ( Request.Form( "ee_unlock" ) != "" )
            restree.setResourceValue("system.eeprom.unlock", Request.Form( "ee_pw" ));
        else if ( Request.Form( "ee_lock" ) != "" )
            restree.setResourceValue("system.eeprom.unlock", "lock");
}

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf
Re: Flir E4 Thermal imaging camera teardown
« Reply #1845 on: November 27, 2013, 03:00:40 pm »
but the rls thing ??? inside cmd promt? telnet promt doesnt work.... :--
telnet command not installed or no connection?
was the camera on/running
chance of doing a portscan? :)

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 2030
  • Country: nl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1846 on: November 27, 2013, 03:04:33 pm »
I've read that too, but I fail to see how you come to the conclusion that it doesn't matter.

What that does is READ the system.eeprom.unlock resource. Which either has value "Unlocked" or not. If it is NOT unlocked, then it presents the html form, in which you plonk your super secret password. You then submit it. And then your favorite .asp page will effectively do a rset .system.eeprom.unlock PASSWORD_YOU_JUST_SUBMITTED. After that it will do a read of the resource again to show you if it is "Unlocked" or not.
 

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf
Re: Flir E4 Thermal imaging camera teardown
« Reply #1847 on: November 27, 2013, 03:13:17 pm »
I've read that too, but I fail to see how you come to the conclusion that it doesn't matter.

What that does is READ the system.eeprom.unlock resource. Which either has value "Unlocked" or not. If it is NOT unlocked, then it presents the html form, in which you plonk your super secret password. You then submit it. And then your favorite .asp page will effectively do a rset .system.eeprom.unlock PASSWORD_YOU_JUST_SUBMITTED. After that it will do a read of the resource again to show you if it is "Unlocked" or not.
it means there will be code to compare the PW ... so the solution is probably already somewhere in the IDA files :)
edit: ...if not ... then a bruteforce hack is still scriptable :)

Online max-bit

  • Frequent Contributor
  • **
  • Posts: 495
  • Country: pl
Re: Flir E4 Thermal imaging camera teardown
« Reply #1848 on: November 27, 2013, 03:21:36 pm »
Sorry :) guys
Jest tu kto? z Polski
Wstawi? instrukcje po Polsku ?
 

Offline Taucher

  • Frequent Contributor
  • **
  • Posts: 456
  • Country: de
  • 1DsaYDGWXEYhEKL rfrbFyYsehaAtfBWawf


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf