Poll

Has the hackability of the E4 made you buy one:

Yes, I was already looking at the competition at a similar price, but the hack swung it to E4
274 (27.9%)
Yes, I'd not considered buying a TIC before, but 320x240 resolution at this price justifies it (as either tool or toy!)
444 (45.3%)
Yes, I was going to buy an E5/6/8 class of unit but will now get the E4
49 (5%)
No, but am looking out for a cheap i3 to hack
50 (5.1%)
Not yet, but probably will now that a closed-box hack is possible
164 (16.7%)

Total Members Voted: 803

Author Topic: Flir E4 Thermal imaging camera teardown  (Read 3801436 times)


Online mikeselectricstuffTopic starter

  • Super Contributor
  • ***
  • Posts: 13748
  • Country: gb
    • Mike's Electric Stuff
Re: Flir E4 Thermal imaging camera teardown
« Reply #5600 on: October 16, 2014, 08:00:33 am »
Thanks for the hint... I will try this. Where can I find these tools and how do I "inject" the files?

In Mike's video, he's playing with a serial connection and displaying some startup logs. Has someone ever tried to communicate with the cam through that serial port? I wonder which pins are used...
Sometimes amazing things can be achieved with a simple RS232 connection. Maybe even activating hidden menus or options.
The pinouts are listed early in this thread.
I don't think anyone has checked to see if the serial console is still present in firmware 1.2x or later
Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline sofisticated

  • Contributor
  • Posts: 23
Re: Flir E4 Thermal imaging camera teardown
« Reply #5601 on: October 16, 2014, 09:01:06 am »
Here is an old package of tools in the attachment. It includes FIF files.

You need to install Flir Tools first. Then go manually to C:\Program Files (x86)\FLIR Systems\FLIR Tools\bin and find the flirinstallnet.exe file. Clicking it brings up the screen where you can inject .FIF files into your device. Grab the appropriate Temporary or Permanent RNDIS.fif file from the package and it will activate RNDIS mode. Anyhow, the hidden menu for USB connection selection on the E4 does not become active after all, but you can use flirinstallnet.exe to activate RNDIS mode temporarily or permanently, or to remove it.

 
The following users thanked this post: Ice-Tea

Offline bookaboo

  • Frequent Contributor
  • **
  • Posts: 729
  • Country: ie
Re: Flir E4 Thermal imaging camera teardown
« Reply #5602 on: October 16, 2014, 09:50:06 am »
Thanks for the hint... I will try this. Where can I find these tools and how do I "inject" the files?

In Mike's video, he's playing with a serial connection and displaying some startup logs. Has someone ever tried to communicate with the cam through that serial port? I wonder which pins are used...
Sometimes amazing things can be achieved with a simple RS232 connection. Maybe even activating hidden menus or options.
The pinouts are listed early in this thread.
I don't think anyone has checked to see if the serial console is still present in firmware 1.2x or later

No need to break out the serial port to enable RNDIS; this can be done with Mike's flirinstallnet.exe hack from way back.
Once you have uploaded the FIF file you can then connect via USB and Filezilla as normal. I had played around with a friend's 2.3.0 unit and was able to modify files but could not get any upgrade to work in the time I had it.
 

Offline compet17

  • Regular Contributor
  • *
  • Posts: 93
  • Country: ch
    • Youtube - Play with Junk
Re: Flir E4 Thermal imaging camera teardown
« Reply #5603 on: October 16, 2014, 08:32:34 pm »
Ok that's a lot of useful information. Thank you all. I will try this next week and report whatever I find out :-)
 

Offline FireBird

  • Regular Contributor
  • *
  • Posts: 68
  • Country: at
Re: Flir E4 Thermal imaging camera teardown
« Reply #5604 on: October 16, 2014, 10:40:46 pm »
According to the Flir updater pdf, there is a way to manually select the firmware fif and eFLIRInstall.exe. Has a 2.x user ever tried what happens if the 1.22 fif and exe are selected for upload?
 

Offline compet17

  • Regular Contributor
  • *
  • Posts: 93
  • Country: ch
    • Youtube - Play with Junk
Re: Flir E4 Thermal imaging camera teardown
« Reply #5605 on: October 17, 2014, 07:57:10 am »
I'm a couple of steps further... I got an FTP connection, could download the conf.cfc from the camera and tried to decrypt it with ftool.exe.

And then I get the error "tail part 2 invalid". What does that mean? (attached conf.cfc from firmware V2.3.0, zipped)
« Last Edit: October 17, 2014, 08:06:29 am by compet17 »
 

Offline sofisticated

  • Contributor
  • Posts: 23
Re: Flir E4 Thermal imaging camera teardown
« Reply #5606 on: October 17, 2014, 08:56:44 am »
It means that the old ftool cannot decrypt your config file. You should find the private key to decrypt it with some other tools. Then a new ftool can be decompiled from that point to make decryption easy like before.

You can play with the system setup menu over a browser (write 192.168.0.2 in the Firefox address bar and you will see a system menu. But when you click the detailed service tabs it will give an HTTP 401 error. The system service web files are also not present on your device, but you can copy the old firmware's web cluster to your device with FTP and voilà, now you will have your system service tabs active and working; this page's loading time is a little long, maybe 40 seconds). There is a tab for EEPROM settings where you can change your device's serial number and model and many more things. Thomas has changed his device's model name to E8 and updated again; now he has an E8, as he mentioned. But the new devices' EEPROM unlock password is not 1235. I believe finding the EEPROM unlock password will help to find the public key in the system's config file encryption. So I am trying to make a brute force attack on that web service. But until now I couldn't penetrate it with Burp Suite correctly, because the web service works with authentication with username flir and password 3vlig.


PS: My Reply #5597 has those web service files.
 

Offline compet17

  • Regular Contributor
  • *
  • Posts: 93
  • Country: ch
    • Youtube - Play with Junk
Re: Flir E4 Thermal imaging camera teardown
« Reply #5607 on: October 17, 2014, 10:10:10 am »
I'm not a decryption specialist but the plaintext (decrypted) file will not differ much from the old cfg file... so I have an encrypted file and I know the plaintext. Finding the key should be easy in this case. The question is what tool can I use to brute force the file...?
 

Offline compet17

  • Regular Contributor
  • *
  • Posts: 93
  • Country: ch
    • Youtube - Play with Junk
Re: Flir E4 Thermal imaging camera teardown
« Reply #5608 on: October 19, 2014, 10:37:37 am »
A notice regarding this error:

"Application Error" (An OK button displays on the top right corner)
"Application appcore.exe encountered a serious error and must shutdown".

I got this error one time on my brand-new, not modified, not even tried to modify E4. I got this after switching it off/on a couple of times.
Seems not to be a real problem... it's WINDOWS inside :-) Sudden crashes must be accepted.

Action taken: Removed battery and rebooted.
 

Offline tmbinc

  • Frequent Contributor
  • **
  • Posts: 250
Re: Flir E4 Thermal imaging camera teardown
« Reply #5609 on: October 21, 2014, 08:04:44 am »
I have a potential, albeit "dirty" (won't survive firmware upgrade, for example) solution for E4 cams that came with 2.3.0. It gives upgraded resolution _only_ (for now). But before widely releasing it, I'd like to test it on a few more devices.

So if anyone
 - feels adventurous (although unlikely, it could simply not work, or even brick your camera, or maybe create a black hole and swallow up earth),
 - has an E4 that _came_ with 2.3.0 (though it should work with upgraded units too, but let's start with known facts),
 - already has experience with the Flir E4 (including setting up RNDIS mode, ftp access, telnet)
please send me a PM and I'll supply you with a tool. I promise(*) that once the hack turns out to be useful I'll publish it here.


(*) You should not believe any promises from random strangers on the internet.
 

Offline cenkaetaya

  • Newbie
  • Posts: 2
Re: Flir E4 Thermal imaging camera teardown
« Reply #5610 on: October 21, 2014, 01:34:37 pm »
Hi,

Can someone tell me if this hack works on the FLIR E5?

Thank you
 

Offline bookaboo

  • Frequent Contributor
  • **
  • Posts: 729
  • Country: ie
Re: Flir E4 Thermal imaging camera teardown
« Reply #5611 on: October 21, 2014, 01:56:53 pm »
If it is V1.22.0 or before then there is no reason why not.
 

Offline tmbinc

  • Frequent Contributor
  • **
  • Posts: 250
Re: Flir E4 Thermal imaging camera teardown
« Reply #5612 on: October 21, 2014, 09:38:18 pm »
Ok, whatever, here's a second version.

From the readme:

Please check if your /FlashFS/system/appcore.d/config.d/conf.cfc is 6608
bytes.

If that's the case, that sounds good. Otherwise, this hack is not for you.

 - Download+install python2 (not python3)
 - Download+extract this zip
 - Set Camera to RNDIS mode
 - run "apply.py apply <ipaddress of camera>". If it fails, please provide
   the output for diagnostics.
 - Hard-Reset the camera


Let me know if anyone has problems using this.

EDIT: If you get "550 File unavailable", please just re-run the script. I'll work on a better fix. If retrying doesn't work, let me know.
EDIT: tried to fix the "550" issue with more retries. Seems killing the app sometimes keeps the DLLs busy for "a while" (for whatever definition of that). Let's hope this helps.

IF YOU STILL HAVE ISSUES WITH "550" with v0.3, let me know. You can always resort to manually uploading the binaries if you want - they are preserved if upload fails.

EDIT2: Added v0.4.zip with support for the E5.
« Last Edit: October 26, 2014, 06:08:47 pm by tmbinc »
 
The following users thanked this post: Ice-Tea

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: Flir E4 Thermal imaging camera teardown
« Reply #5613 on: October 21, 2014, 10:56:12 pm »
They probably should make a backup first :)
 

Offline warcow

  • Newbie
  • Posts: 9
Re: Flir E4 Thermal imaging camera teardown
« Reply #5614 on: October 22, 2014, 06:04:46 am »
tmbinc,

Your update is for getting the resolution to the e8 (max) setting right? What are the probabilities for getting other functionalities working, like the e5's (and up) Min and Max hotspot? We are looking to get an Ex (4 or 5) camera and not sure what the firmware version will be. If chances are that the newest firmware can also be hacked soon we don't have to worry too much and go for the E4 model.
 

Offline sofisticated

  • Contributor
  • Posts: 23
Re: Flir E4 Thermal imaging camera teardown
« Reply #5615 on: October 22, 2014, 08:58:14 am »
Ok, whatever, here's a first version.

From the readme:

Please check if your /FlashFS/system/appcore.d/config.d/conf.cfc is 6608
bytes.

If that's the case, that sounds good. Otherwise, this hack is not for you.

 - Download+install python2 (not python3)
 - Download+extract this zip
 - Set Camera to RNDIS mode
 - run "apply.py apply <ipaddress of camera>". If it fails, please provide
   the output for diagnostics.
 - Hard-Reset the camera


Let me know if anyone has problems using this.


I've tried that hack but unluckily it didn't work on the first try. You can see the screenshot of the DOS screen. The resolution was the same after a hard boot.

Then I applied v0.1 of that hack, which tmbinc sent previously (last night by PM). And it gave a real hack for resolution. Thank you very much tmbinc on behalf of new fw 2.3.0 E4 owners.  :-+

(v0.1 does the same file replacements, but manually with FTP and Telnet commands.)

Tugbay
« Last Edit: October 22, 2014, 09:00:52 am by sofisticated »
 

Offline tmbinc

  • Frequent Contributor
  • **
  • Posts: 250
Re: Flir E4 Thermal imaging camera teardown
« Reply #5616 on: October 22, 2014, 10:25:59 am »
Ah, I see. For everybody getting the "550 File unavailable" error, it _appears_ to help if you just try again (re-run the script with same arguments).

I'll see if I can come up with a better fix.
 

Offline tomas123

  • Frequent Contributor
  • **
  • Posts: 832
  • Country: de
Re: Flir E4 Thermal imaging camera teardown
« Reply #5617 on: October 22, 2014, 10:51:40 am »
only two bytes in common_dll.dll !
great work  :-+


Offline compet17

  • Regular Contributor
  • *
  • Posts: 93
  • Country: ch
    • Youtube - Play with Junk
Re: Flir E4 Thermal imaging camera teardown
« Reply #5618 on: October 22, 2014, 11:11:20 am »
I can confirm that the "resolution improvement" v0.1 works for a newly bought E4 (V2.3.0) camera. I also tried v0.2 and it has a problem finding the files to send back to the camera. Maybe only a file-path naming problem... So I did it manually with Windows-CMD/FTP.

Great job!!!  :-+ :-+

BTW: I got the information that FLIR did not only reduce the resolution but also installed a noise generator to further impair the picture... I think this is a bad move, only so that they can say "see how much better our E8 model is!"
Fortunately the upgrade also eliminates the noise, which is very clearly visible.

Such manufacturers deserve to be hacked!  :rant:
« Last Edit: October 22, 2014, 01:27:13 pm by compet17 »
 

Offline tmbinc

  • Frequent Contributor
  • **
  • Posts: 250
Re: Flir E4 Thermal imaging camera teardown
« Reply #5619 on: October 22, 2014, 12:00:52 pm »
If the final upload fails, the patched files are not removed, so you can manually upload them. (But remember to execute "stopapp" via telnet before doing so, if you didn't let the script do it.)

- upload common_dll.dll to /FlashBFS/system/
- upload conf.cfc to /FlashFS/system/appcore.d/config.d/

Not sure why deleting common_dll.dll fails sometimes.
 

Offline warcow

  • Newbie
  • Posts: 9
Re: Flir E4 Thermal imaging camera teardown
« Reply #5620 on: October 22, 2014, 01:21:27 pm »
Just ordered the Flir E4, looking forward to try your patch/update, tmbinc! :)
 

Offline Iphone_hack

  • Contributor
  • Posts: 43
Re: Flir E4 Thermal imaging camera teardown
« Reply #5621 on: October 22, 2014, 03:55:26 pm »
If the final upload fails, the patched files are not removed, so you can manually upload them. (But remember to execute "stopapp" via telnet before doing so, if you didn't let the script do it.)

- upload common_dll.dll to /FlashBFS/system/
- upload conf.cfc to /FlashFS/system/appcore.d/config.d/

Not sure why deleting common_dll.dll fails sometimes.

Great job
So here we go again
I am sure flir will start selling E4 like crazy
I know you just got it working

Could you or someone post all the instructions step by step,
even how to connect the new E4 to the computer from the beginning?
I am sure new members will be interested too.
Thanks
 

Offline macsisi

  • Newbie
  • Posts: 1
Re: Flir E4 Thermal imaging camera teardown
« Reply #5622 on: October 22, 2014, 08:04:09 pm »
If the final upload fails, the patched files are not removed, so you can manually upload them. (But remember to execute "stopapp" via telnet before doing so, if you didn't let the script do it.)

- upload common_dll.dll to /FlashBFS/system/
- upload conf.cfc to /FlashFS/system/appcore.d/config.d/

Not sure why deleting common_dll.dll fails sometimes.



I tried the procedure with v0.2 on my camera, which runs 2.3 firmware and whose model number is 1.2L, and indeed it gave me an error about not finding the proper files. But using FTP I could easily overwrite the two files and now my camera works at 320x240 resolution. Great hack indeed and most of all it works.
At first the center point was a bit off, but after a reboot everything is OK now.

Thanks!
 

Offline warcow

  • Newbie
  • Posts: 9
Re: Flir E4 Thermal imaging camera teardown
« Reply #5623 on: October 23, 2014, 08:00:10 am »
If the final upload fails, the patched files are not removed, so you can manually upload them. (But remember to execute "stopapp" via telnet before doing so, if you didn't let the script do it.)

- upload common_dll.dll to /FlashBFS/system/
- upload conf.cfc to /FlashFS/system/appcore.d/config.d/

Not sure why deleting common_dll.dll fails sometimes.



I tried the procedure with v0.2 on my camera, which runs 2.3 firmware and whose model number is 1.2L, and indeed it gave me an error about not finding the proper files. But using FTP I could easily overwrite the two files and now my camera works at 320x240 resolution. Great hack indeed and most of all it works.
At first the center point was a bit off, but after a reboot everything is OK now.

Thanks!

Preparing for the hack..
In case you get the error, do you need to do the telnet stopapp action before uploading the files with ftp, or is it already executed by the script even though it gives an error?
Can we also change the bootlogo file with ftp?

EDIT: Done, after the script it's easy to FTP to the FLIR and overwrite the 2 files. Did not yet try to change the bootloader. It's really impressive to see the noise generator gone. The picture was very grainy before the resolution hack. Very happy here and keeping an eye on this topic to check if there is an update to fix the menu. Min/Max hotspotting would be great. :)
« Last Edit: October 23, 2014, 01:22:27 pm by warcow »
 

Offline compet17

  • Regular Contributor
  • *
  • Posts: 93
  • Country: ch
    • Youtube - Play with Junk
Re: Flir E4 Thermal imaging camera teardown
« Reply #5624 on: October 23, 2014, 02:34:42 pm »
STEP BY STEP INSTRUCTIONS for Flir E4 (Firmware 2.3.0) for beginners (How I did it... and it worked)
-----------------------------------------------------------------------------------------

(If somebody finds an error in this procedure, please tell me immediately and I will correct it)

- Get FlirTools from Flir website (free download) PC version recommended
- Install FlirTools on your PC
- Get the files "Set_RNDIS_temporary.fif" and "Set_RNDIS_permanent.fif" from this forum (zipped downloads somewhere in this thread)
- If you want to use the "permanent" file, you also need "remove_RNDIS_Permanent.fif"
   (Temporary.fif sets the USB of your cam to RNDIS mode UNTIL A REBOOT. Permanent does the same but it stays in RNDIS until YOU RUN REMOVE.fif)
- Get E4 hack "v02.zip" for Version 2.3.0
- I assume that the installation of FlirTools does also install the camera driver. If not install it manually. Links are found in this thread
- Get PYTHON version 2.x (not version 3.x!) from the Python website and install it. This is needed to run the hack script. It's a programming language.

- Connect your E4 via USB to your PC and turn it on
- Go to "Programs(x86)/Flir systems/Flir Tools/bin" and execute FLIRInstallNet.exe (this is part of the FlirTools software installed in step 2)
- Select the RNDIS_xxxxxxx.fif (permanent or temporary) and click RUN FIF button.
  (A timeout error is normal after the command has succeeded because USB is now set to RNDIS mode)
- Wait a moment and open a CMD window, then enter IPCONFIG
- An additional network connection should be listed with IP Address 192.168.0.1 and gateway 192.168.0.2
- Enter "FTP", then "open 192.168.0.2" and a connection to your cam should be established
- Login with user "flir" and password "3vlig"
- Issue a "dir" command and the files and directories of your cam are listed.
- If all that works, type "quit" to exit and close ftp connection.

- copy the hack files from the zip into the PYTHON folder.
- open CMD, go into python folder and enter "python apply.py apply 192.168.0.2"
- it will read two files from your cam and store them in a backup folder, then it will do some magic with the files.
- you will find newly created conf.cfc and common_dll.dll in that folder and upload them back to the camera.

- In case you get an error 500 at the upload, you have to upload the files manually by FTP:

*** Only in case of error 500 ***
- Open CMD and FTP again and connect to your camera as before
- go to the indicated folders (cd /foldername/foldername/foldername)
- check the folder with "pwd" to make sure you're in the right one
- Use the lcd command to change to your local directory where the conf and common files are.
- put the files to the correct folders (put filename)

MAKE SURE YOU PUT THE RIGHT FILES INTO THE RIGHT FOLDER!!!

common_dll.dll  ->  /FlashBFS/system
conf.cfc             -> /flashfs/system/appcore.d/config.d

***------***

- Reboot your cam by removing/inserting the battery
- Be happy!!!

- It is possible that the measuring spot is off center after reboot. Turn the spot off/on in the setup menu of the cam and it should be centered.


« Last Edit: November 28, 2014, 01:16:22 pm by compet17 »
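
Added example, not part of the thread and not tmbinc's tool: the posts above say the script keeps a backup of the two files and leaves the patched copies on disk, and that common_dll.dll differs by only two bytes, so the patched binary can be audited against its backup before anything is uploaded. The sketch below is Python 3; the function names, the two-byte default and the sample data are assumptions made for illustration.

```python
"""Audit a patched binary against its backup before uploading it to a device."""
import hashlib
from pathlib import Path

EXPECTED_CONF_SIZE = 6608  # conf.cfc size the quoted readme asks you to check


def diff_runs(original: bytes, patched: bytes):
    """Return (offset, old_bytes, new_bytes) for each run of differing bytes."""
    runs, start = [], None
    common = min(len(original), len(patched))
    for i in range(common):
        if original[i] != patched[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, original[start:i], patched[start:i]))
            start = None
    if start is not None:
        runs.append((start, original[start:common], patched[start:common]))
    return runs


def audit(original: bytes, patched: bytes, max_changed: int = 2):
    """Summarise what a patch changed; max_changed=2 is an assumption taken
    from the 'only two bytes in common_dll.dll' post in this thread."""
    runs = diff_runs(original, patched)
    changed = sum(len(old) for _, old, _ in runs)
    same_size = len(original) == len(patched)
    return {
        "same_size": same_size,
        "changed_bytes": changed,
        "runs": runs,
        "sha256_original": hashlib.sha256(original).hexdigest(),
        "sha256_patched": hashlib.sha256(patched).hexdigest(),
        # Accept only a same-size file with a small, non-empty set of changes.
        "ok": same_size and 0 < changed <= max_changed,
    }


def conf_size_ok(conf: bytes) -> bool:
    """True if a conf.cfc backup has the size the readme expects."""
    return len(conf) == EXPECTED_CONF_SIZE


def audit_files(backup_path, patched_path, max_changed: int = 2):
    """Same audit, reading the two files from disk (paths are the caller's)."""
    return audit(Path(backup_path).read_bytes(),
                 Path(patched_path).read_bytes(), max_changed)


if __name__ == "__main__":
    # Constructed sample data standing in for a backup and its patched copy.
    backup = bytes(range(256)) * 4
    patched = bytearray(backup)
    patched[0x120] ^= 0xFF
    patched[0x121] ^= 0xFF
    report = audit(backup, bytes(patched))
    for offset, old, new in report["runs"]:
        print(f"0x{offset:06x}: {old.hex()} -> {new.hex()}")
    print("changed:", report["changed_bytes"], "ok:", report["ok"])
```

Recording the two SHA-256 values alongside the backup also makes it possible to tell later which copy is actually on the camera.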
 

