Author Topic: FLIR E4 Wifi Resolution and Menu Hack Thread  (Read 436296 times)

0 Members and 2 Guests are viewing this topic.

Offline 2lps

  • Contributor
  • Posts: 28
  • Country: bg
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #25 on: April 06, 2017, 01:49:34 pm »
Here is how you can switch between encyrpted/decrypted conf files. You can try to decrypt, modify the resolution and encrypt again. I would try to decrypt it again, to verify it is working as expected.

https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg948898/#msg948898
 
The following users thanked this post: TheSteve, brunner

Offline DaveWBTopic starter

  • Regular Contributor
  • *
  • Posts: 146
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #26 on: April 06, 2017, 09:40:08 pm »
Here is how you can switch between encyrpted/decrypted conf files. You can try to decrypt, modify the resolution and encrypt again. I would try to decrypt it again, to verify it is working as expected.

https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg948898/#msg948898
Thanks 2lps for that, I successfuly decrypted the conf.cfc file by getting the suid. I changed the conf.cfg, and then uses crc03.exe to find the CRC code, was this the correct process? After I added the CRC to the file, re-encrypted with the cfccfg.py, I then lost MSX. I will play around a little more with it later.

The suid for the camera files from the original post is 22C7E4020050281A if anyone wants to play around with the files

« Last Edit: April 07, 2017, 06:17:55 pm by DaveWB »
 

Offline 2lps

  • Contributor
  • Posts: 28
  • Country: bg
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #27 on: April 07, 2017, 04:46:26 am »
For the 2.3, 2.11 hacks, if the common_dll.dll was properly patched, you didn't need to recalculate CRC. That was the whole idea of patching it in the first place - to remove the checks.
Missing MSX leads me to believe that the DLL patch is not correct, or there are additional checks. I will try to look at the code when I find some free time.
 

Offline DaveWBTopic starter

  • Regular Contributor
  • *
  • Posts: 146
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #28 on: April 07, 2017, 05:00:34 am »
For the 2.3, 2.11 hacks, if the common_dll.dll was properly patched, you didn't need to recalculate CRC. That was the whole idea of patching it in the first place - to remove the checks.
Missing MSX leads me to believe that the DLL patch is not correct, or there are additional checks. I will try to look at the code when I find some free time.
I did have just the modified .dll on there and the camera still worked fine. When you say I don't need to recalculate the CRC, does that mean that any CRC can be used or do I use the original CRC, or just delete the line out?
 

Offline Xavier64

  • Contributor
  • Posts: 35
  • Country: gi
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #29 on: April 07, 2017, 06:25:23 am »
Hello guys,

I'am happy to donate my brand NEW Flir E4 with

Hardware 2.0 Firmware 3.5.0

for testing.

Just PM to me.


 

Offline 2lps

  • Contributor
  • Posts: 28
  • Country: bg
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #30 on: April 07, 2017, 06:42:18 am »
I did have just the modified .dll on there and the camera still worked fine. When you say I don't need to recalculate the CRC, does that mean that any CRC can be used or do I use the original CRC, or just delete the line out?

Just leave it as it is. I guess, I will need to verify if common_dll.dll was modified correctly. I will try to find some time during the weekend.

...
I believe DaveWB subbed my files in where needed however he still got an error when trying to install it(I believe related to the checksum which is very strange).
...

He needs to be sure that the original file is on the camera before running the python script. If he still has the patched one, the checksum will fail.
« Last Edit: April 07, 2017, 06:44:43 am by 2lps »
 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3742
  • Country: ca
  • Living the Dream
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #31 on: April 07, 2017, 06:57:18 am »
Yeah, I thought he had put the original back before he tried.
VE7FM
 

Offline Monolith

  • Contributor
  • Posts: 33
  • Country: at
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #32 on: April 07, 2017, 04:08:58 pm »
I got my new Flir E4 (ordered without Wifi). I thought it would be equipped with FW 2.11. Now i have a Wifi-less device with model Flir 2.0L and Firmware 3.5.0

Is there a known 2.11 download source somewhere, so i could try a downgrade.

regards

Mono
 

Offline Xavier64

  • Contributor
  • Posts: 35
  • Country: gi
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #33 on: April 07, 2017, 04:13:20 pm »
Downgrade will NOT work.

It will brick the camera !!! It is because of hardware 2.0. The camera will than be stuck in bootloader mode.

so DO NOT try to downgrade on hardware 2.0.


regards
 
The following users thanked this post: Monolith

Offline Monolith

  • Contributor
  • Posts: 33
  • Country: at
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #34 on: April 07, 2017, 04:24:30 pm »
@Xavier64: Thanks for the advice!

Did you got your new E4 with our without WIFI?
 

Offline Xavier64

  • Contributor
  • Posts: 35
  • Country: gi
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #35 on: April 07, 2017, 04:31:44 pm »
Yes, already bricked one :-(
 

Offline Xavier64

  • Contributor
  • Posts: 35
  • Country: gi
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #36 on: April 07, 2017, 04:36:22 pm »
All cameras until Dec. 2016 are hardware 1.2 with firmware 2.11 .

All cameras from Feb. 2017 are hardware 2.0 with firmware 3.5.0 with or without Wifi.


Thats how it is. Try to get a used, old one to do this hack.


regards
« Last Edit: April 18, 2017, 06:59:03 pm by Xavier64 »
 

Offline DaveWBTopic starter

  • Regular Contributor
  • *
  • Posts: 146
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #37 on: April 07, 2017, 05:43:28 pm »
A little update:
2lps provided me with a conf.cfc file, the camera has 320x240. However MSX is lost along with the crosshair.

Attached is a photo of the picture I took with the E4 Wifi with the modified conf.cfc file.
 
The following users thanked this post: Xavier64

Offline Xavier64

  • Contributor
  • Posts: 35
  • Country: gi
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #38 on: April 07, 2017, 05:49:47 pm »
good job. Do you need any help?!


regards

 

Online Fraser

  • Super Contributor
  • ***
  • Posts: 13145
  • Country: gb
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #39 on: April 08, 2017, 09:34:53 am »
Loss of MSX and the crosshairs was a common symptom amongst earlier E4 upgrade attempts and was an indicator that the upgrade was not configured correctly to be accepted by the camera. I do not recall the details but someone else might. You appear to be on the right path though.

Good Luck :)

Fraser
« Last Edit: April 08, 2017, 01:47:27 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline 2lps

  • Contributor
  • Posts: 28
  • Country: bg
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #40 on: April 08, 2017, 12:33:27 pm »
How the 2.3/2.11 hack works:

Regarding E4 with updated firmware:

The new "protection" is based on the fact that the per-device config files (FlashFS\system\appcore.d\config.d\conf.cfc, FlashFS\system\ui.d\config.d\conf.cfc, FlashFS\system\services.d\config.d\conf.cfc) are now encrypted and signed.

The encryption algorithm is RC4 with the key being the SHA1(key || "2A00"), where "key" comes from the "FAD1:" device, ioctl 0x800040C0. That ioctl, which I don't fully understand what it's actually doing, returns 0x18 bytes, with the last 8 bytes being the key (not sure if it's per-device or generic), and the second word indicating whether the config-files have to be globally signed or just including a hash. On my camera (1.2L, came with 2.3.0) it indicated that they have to be signed. common_dll.dll checks for the config file signature, and uses a RSA1024 bit public key to verify the signature.

So far, that's all bad news.

You can patch your config-file, and patch common_dll.dll to disable the signature check (and because I couldn't get CRC03 to compute correctly, I patched that as well), but then the camera doesn't auto-boot anymore since applauncher.exe verifies the CRCs from applaunch.dat (which fails for my patched common_dll.dll), and applaunch.dat itself is signed (applaunch.sig).

BUT: It appears that CRMD160 is very fundamentally broken for byte values >= 0x80 (talk about not compiling with /J, hehheh). This allows to conveniently patch the signature check in a way that applauncher.exe doesn't notice. (Unfortunately the config signature check uses MS Crypto Provider, not their custom stuff.)
...

The common_dll.dll.delta from the hack package contains 2 offsets, which patches the checks for:
1. The signature at the end of the conf.cfc. We don't have the private key, which is used to create it. If you take a look at the cfccfg_V2.py found (https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg596959/#msg596959), you will see something like this:

Code: [Select]
with open(fileout, "wb") as tmpfile:
tmpfile.write(crypt(contents , key))
tmpfile.write("\x00" * delta)
[b] tmpfile.write("\x00" * 0x80)[/b]
tmpfile.write("".join(tail))

The 128 bytes, where the signature is supposed to be is set to 0 (before that is some padding).

2. The CRC03 check at the end of the conf.cfg

There is a crc03.exe, which can be used to calculate it (https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg403480/#msg403480). The ZIP also cointains the source code. Before running it, the line with the old CRC03 should be removed, and the empty line at the end should remain. While trying to figure out the 3.5 firmware, I verified that it outputs correctly the original CRC03.

I guess the patch for the CRC03 check in common_dll.dll is not needed, if it is re-calculated correctly. Confirmed this with the 2.11 firmware, but removing the second offset patch.

Of course, you first need to decrypt the conf.cfc to conf.cfg (see https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg948898/#msg948898), modify the settings you want, re-calculate the new CRC03 and encrypt it again.

So, patching the 2 locations sounds easy, if it wasn't for the applauncher.exe (found in \Windows, but originally in NK.bin, which is not modifiable. Some info how to extract it can be found here - https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg382279/#msg382279).

If you take a look at \FlashBFS\system\applaunch.dat, you will see this:
Code: [Select]
# Show intro bootlogo and start progress
progressapp -f \flashbfs\system\bootlogo.bmp -g flashbfs\system\bootlogo_legal.bmp -d1
# Start command shell on the RS-232 port
cmd /R
# Register a default user
defaultusr
# Start appcore. Appcore starts other necessary processes
appcore

# Show intro bootlogo and start progress
progressapp -f \flashbfs\system\bootlogo.bmp -g flashbfs\system\bootlogo_legal.bmp -d
# Start command shell on the RS-232 port
cmd /R
# Register a default user
defaultusr
# Start appcore. Appcore starts other necessary processes
appcore

# doCRC FlashBFS\system\appcore.exe 1821696 171809062
# doCRC FlashBFS\system\common_dll.dll 1225216 3274495904
# doCRC FlashBFS\system\appcore_dll.dll 708608 1774464110
# doCRC FlashBFS\system\progressapp.exe 29184 524537005
# doCRC FlashBFS\system\defaultusr.exe 5120 1813565132
# doCRC FlashBFS\system\chargeapp.exe 32768 1404156161
# doCRC FlashBFS\system\ui.d\design_ui_Z3.xml 36688 375538573
# doCRC FlashBFS\system\ui.d\facet_Z3.rcc 296494 1671048554
# doCRC FlashBFS\system\ui.d\toolbar-config_Z3.xml 1263 2286214514



As you can see, the applauncher.exe will doCRC check for the common_dll.dll (and no, you can't modify the .dat file, as there is a signature file  \FlashBFS\system\applaunch.sgn)

So, if there is a CRC check for the common_dll.dll, how was the 2.3 hack developed? If you take a look at the first quote,  you will see this:
Quote
BUT: It appears that CRMD160 is very fundamentally broken for byte values >= 0x80 (talk about not compiling with /J, hehheh). This allows to conveniently patch the signature check in a way that applauncher.exe doesn't notice. (Unfortunately the config signature check uses MS Crypto Provider, not their custom stuff.)

Not that I understand it fully (except that CRMD160 is the class that implements the RMD160 hash function (https://en.wikipedia.org/wiki/RIPEMD). I guess FLIR have some implementation of it in the applauncher.exe (I disassembled the code and found it). Also the crc03.exe (found in tools1.zip mentioned above) has some reproduction of it.

It appears that a loophole was found, which allowed the patch of common_dll.dll to be undetected. This was important, because this was how the signature check at the end of the conf.cfc was removed. We don't have the private key used to re-create it during encrypting the .cfg (after it was decrypted and modified).

I think if the common_dll.dll modification is detected, the camera will stop on the FLIR logo (but still will be recoverable, but returning the original common_dll.dll).

The image DaveWB posted (https://www.eevblog.com/forum/thermal-imaging/flir-e4-wifi-resolution-and-menu-hack-thread/msg1181159/#msg1181159) was taken after uploading a decrypted/encrypted conf.cfc, which is missing the signature at the end. Also, I think it was with the original common_dll.dll. Apparently, if the signature check fails, the MSX and a lot of other features are gone. I guess the camera loads some default settings. Not sure about the 320x240 image. I think DaveWB tried with an 80x60 in the conf.cfc and it was the same.

Now, TheSteve did provide a .diff file. I took a look at it, and I think the signature patch was correct, but the second CRC03 patch was not (it doesn't matter if the CRC03 was properly calculated before encrypting the conf.cfg, but not sure what would be the result of patching the second offset). I created a common_dll.dll equivalent with the one for the 2.11 hack. We are still in the process of experimenting with it, but there was 1-2 times, when the camera stopped at the logo. I am not sure if DaveWB successfully uploaded the patched common_dll.dll as I think we need to execute stopapp via telnet, before ovewriting the common_dll.dll currently on the camera. I thought that it is not necessary, as FileZilla didn't give me any error, but it didn't also replace it successfully. When DaveWB tries to overwrite directly, it gave him some error about no space left.

He will retry the process when he has time and there will be 2 possible outcomes:
1. FLIR didn't add any additional checks and the camera will boot normally.
2. The camera will stop on the FLIR logo, indicating that the loophole for patching the common_dll.dll was closed. (It happened few times, but I am not sure if it was because of mistake by DaveWB, or the patched file was successfully copied at these 2 instances).

There is one thing in the \FlashBFS\system\applaunch.dat in the 3.5.0 firwmare that caught my attention:
Code: [Select]
# Show intro bootlogo and start progress
progressapp -f \flashbfs\system\bootlogo.bmp -g flashbfs\system\bootlogo_legal.bmp -d1
# Start command shell on the RS-232 port
cmd /R
# Register a default user
defaultusr
# Start appcore. Appcore starts other necessary processes
appcore

# doCRC FlashBFS\system\appcore.exe 2018816 4043546286
# doCRC FlashBFS\system\common_dll.dll 1276928 1802841112
# doCRC FlashBFS\system\appcore_dll.dll 752640 3188104637
# doCRC FlashBFS\system\progressapp.exe 41984 196088817
# doCRC FlashBFS\system\defaultusr.exe 5120 2422935587
# doCRC FlashBFS\system\chargeapp.exe 32768 4243241340
# doCRC FlashBFS\system\ui.d\design_ui_Z3.xml 44574 4226502971
# doCRC FlashBFS\system\ui.d\facet_Z3.rcc 352779 2302427115
# doCRC FlashBFS\system\ui.d\toolbar-config_Z3.xml 1263 2286214514
# doACRC FlashBFS\system\appcore.exe 2018816 4215410483
# doACRC FlashBFS\system\common_dll.dll 1276928 639260284
# doACRC FlashBFS\system\appcore_dll.dll 752640 1574305936
# doACRC FlashBFS\system\progressapp.exe 41984 3268776627
# doACRC FlashBFS\system\defaultusr.exe 5120 3631190782
# doACRC FlashBFS\system\chargeapp.exe 32768 2540764423
# doACRC FlashBFS\system\ui.d\design_ui_Z3.xml 44574 1589578471
# doACRC FlashBFS\system\ui.d\facet_Z3.rcc 352779 246149579
# doACRC FlashBFS\system\ui.d\toolbar-config_Z3.xml 1263 1658689284


The doCRC lines are followed by similar ones, but with the doACRC at the beginning, like this:
# doACRC FlashBFS\system\common_dll.dll 1276928 639260284

What the applauncher.exe does with the doCRC, is find all lines with it and use  sscanf to separate the file path, the size, uknown in 3 variables. Then  it checks the size, executes the RMD160 code and compares some result with the 3rd value.

I don't have the 3.5.0 update package (neither I could find it on FLIR's site), so can't get the NK.bin for 3.5.0 and dissasemble applauncher.exe to see what exactly doACRC does. If someone knows a way to get it from the camera... I have limited knowledge about embedded device development (WindowsCE even less) or cryptography. I wonder if the code calculates 2 CRC values and somehow closes the loophole, but I can only speculate.

Let's see what will happen when DaveWB successfully uploads the patched common_dll.dll.
 
The following users thanked this post: TheSteve, plurn

Offline Xavier64

  • Contributor
  • Posts: 35
  • Country: gi
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #41 on: April 08, 2017, 02:42:07 pm »
Flir E4 hardware 2.0 with firmware 3.5.0 backup image complete:

https://mega.nz/#!dN1UkIDD!zEMFz6rvrhuIo0desYyJZIvBeApmcEwPNL22Jr-dqlw


about 145 files were not saved according to TIconfig. Hope it will help.


Best regards
 

Offline 2lps

  • Contributor
  • Posts: 28
  • Country: bg
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #42 on: April 09, 2017, 09:09:42 am »
Unfortunately, the result of the test was that uploading a patched common_dll.dll, causes the camera to not boot normally as I suggested in my previous post. We tried with just one byte change, which patches the signature verification.
 

Offline BOGET

  • Contributor
  • Posts: 26
  • Country: 00
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #43 on: April 11, 2017, 03:33:56 am »
@DaveWB,

This is your files which I modify, replacement them by FTP, and see anything change or not.
 

Offline DaveWBTopic starter

  • Regular Contributor
  • *
  • Posts: 146
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #44 on: April 11, 2017, 04:35:06 pm »
@DaveWB,

This is your files which I modify, replacement them by FTP, and see anything change or not.
With the stock common_dll.dll this camera has all the same symptoms as the other attempts made:
320x240 Thermal image only - no crosshairs showing, no image mode other than straight thermal available(no MSX).
 

Offline BOGET

  • Contributor
  • Posts: 26
  • Country: 00
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #45 on: April 12, 2017, 01:08:48 pm »
There are two possibilities: one is your file has been a mess (older and new); the other is the signature mode has been changed.

BTW, your original files link is gone, Can you post the "clean" files again?
 

Offline sofi

  • Newbie
  • Posts: 2
  • Country: sk
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #46 on: April 23, 2017, 03:15:37 pm »
Friends something new? Did anyone unlock 3.5.0?
« Last Edit: April 23, 2017, 03:17:21 pm by sofi »
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #47 on: May 08, 2017, 03:47:43 am »
@DaveWB,

This is your files which I modify, replacement them by FTP, and see anything change or not.
With the stock common_dll.dll this camera has all the same symptoms as the other attempts made:
320x240 Thermal image only - no crosshairs showing, no image mode other than straight thermal available(no MSX).

Were you able to revert back to the original files? I just got a new FLIR E4 with Wifi and I would like to try this hack. Also can you verify you were able to get 320x240 resolution?
 

Offline peppy88

  • Regular Contributor
  • *
  • Posts: 89
  • Country: ua
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #48 on: May 08, 2017, 03:56:29 am »
Unfortunately, the result of the test was that uploading a patched common_dll.dll, causes the camera to not boot normally as I suggested in my previous post. We tried with just one byte change, which patches the signature verification.

Earlier you said that the patch for the 1st check was correct, But the 2nd one was not. If that is the case can't we just used that patched common_dll.dll and recalculate the crc03 correctly using crc03.exe?

 

Offline 2lps

  • Contributor
  • Posts: 28
  • Country: bg
Re: FLIR E4 Wifi Resolution and Menu Hack Thread
« Reply #49 on: May 10, 2017, 07:21:44 am »
If you read https://www.eevblog.com/forum/thermal-imaging/flir-e4-wifi-resolution-and-menu-hack-thread/msg1181686/#msg1181686, you will see that probably FLIR did change the code for checking the common_dll.dll CRC and now patching it is detected. The 2.3 hack required for it to be patched, as there is a signature at the end of the conf.cfc, which we can't recalculate.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf