Firmware 3.5.0
I guess no previous hack will work.
how the WIFI works? is the camera accessible over Telnet like USB?
can you stream the camera image (WIFI Camera)?
The wifi isn't that great, the camera can create a wifi network or also join your local network. I can detect the camera created network on my computer but it will never seem to connect. The camera will connect to my home wifi and the FLIR will show up in FLIR Tools with an option to stream but I believe some type of firewall is blocking it from streaming or getting pictures off the camera. I was able to access the files via RNDIS on the camera with the Temporary RNDIS file in FlirInstallNet, however I am unsure of how to use telnet so I cannot answer that question.
I don't own an E4 but have been reading up on the hack. I have read that the patch to common_dll.dll is to remove a signature check. Does anyone have a copy of the 2.11.0 dll before and after the patch has been applied? Then we can take a look at the common_dll.dll from version 3.5.0 and see if it just needs the offsets tweaked. I believe this was all that was needed to update the hack from 2.3.0 to 2.8.0.
I'm happy to have a peek at it if the files are easy to get.
Attached are the requested files, I sorted them in different folders to make it a little easier. This is from a 2.11 camera.
If I suggest a patch to common_dll.dll and it turns out to be incorrect what are the ramifications? Will it brick the camera? I had a look at the 2.11 regular and patched dll files. There are 2 byte changes. I found similar routines at slightly different offsets (this is to be expected) in the 3.5.0 file. I can attach a patched file but I don't want to brick someone's camera. The best way would be a full disassembly but comparing previously patched files like this often works when patching new versions of previously patched routines.
OK, here is a patched version of common_dll.dll for version 3.5.0
The other file that would need to be modified is the conf.cfc, I am not sure how to modify that without using the python script
No warranty, use at your risk - hopefully it's easy to copy the file to the cam.
I assume the other file needs to be updated too but I doubt it has changed.
That is beyond what I can do tonight. Hopefully someone else can package it up into the patch script to give it a try. Perhaps I will remove the attachment for now. If there is someone who wants to give it a try though I can email it to them. I don't want a bunch of people downloading a useless or bad file.
Attached is the common_dll.dll.delta file that is in the 2.11 hack pack
delta file updated for the addresses changed in 3.5.0
assert found, "UNKNOWN %s: digest/len is %s" % (name, h)
Hi,
First of all, great work guys, I've already hacked an old Flir E4 years ago.
Now I have a new Flir E4 2.0 L with software 3.5.0. Is it possible to do the resolution hack and how does it work?
Thx!
Here is how you can switch between encrypted/decrypted conf files. You can try to decrypt, modify the resolution and encrypt again. I would try to decrypt it again, to verify it is working as expected.
https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg948898/#msg948898
Thanks 2lps for that, I successfully decrypted the conf.cfc file by getting the suid. I changed the conf.cfg, and then used crc03.exe to find the CRC code, was this the correct process? After I added the CRC to the file, re-encrypted with the cfccfg.py, I then lost MSX. I will play around a little more with it later.
For the 2.3, 2.11 hacks, if the common_dll.dll was properly patched, you didn't need to recalculate CRC. That was the whole idea of patching it in the first place - to remove the checks.
Missing MSX leads me to believe that the DLL patch is not correct, or there are additional checks. I will try to look at the code when I find some free time.
I did have just the modified .dll on there and the camera still worked fine. When you say I don't need to recalculate the CRC, does that mean that any CRC can be used or do I use the original CRC, or just delete the line out?
...
I believe DaveWB subbed my files in where needed however he still got an error when trying to install it (I believe related to the checksum which is very strange).
...
Regarding E4 with updated firmware:
The new "protection" is based on the fact that the per-device config files (FlashFS\system\appcore.d\config.d\conf.cfc, FlashFS\system\ui.d\config.d\conf.cfc, FlashFS\system\services.d\config.d\conf.cfc) are now encrypted and signed.
The encryption algorithm is RC4 with the key being the SHA1(key || "2A00"), where "key" comes from the "FAD1:" device, ioctl 0x800040C0. That ioctl, which I don't fully understand what it's actually doing, returns 0x18 bytes, with the last 8 bytes being the key (not sure if it's per-device or generic), and the second word indicating whether the config-files have to be globally signed or just including a hash. On my camera (1.2L, came with 2.3.0) it indicated that they have to be signed. common_dll.dll checks for the config file signature, and uses a RSA1024 bit public key to verify the signature.
So far, that's all bad news.
You can patch your config-file, and patch common_dll.dll to disable the signature check (and because I couldn't get CRC03 to compute correctly, I patched that as well), but then the camera doesn't auto-boot anymore since applauncher.exe verifies the CRCs from applaunch.dat (which fails for my patched common_dll.dll), and applaunch.dat itself is signed (applaunch.sig).
BUT: It appears that CRMD160 is very fundamentally broken for byte values >= 0x80 (talk about not compiling with /J, hehheh). This allows to conveniently patch the signature check in a way that applauncher.exe doesn't notice. (Unfortunately the config signature check uses MS Crypto Provider, not their custom stuff.)
...
with open(fileout, "wb") as tmpfile:
    tmpfile.write(crypt(contents, key))
    tmpfile.write("\x00" * delta)
    tmpfile.write("\x00" * 0x80)  # line highlighted in bold in the original post
    tmpfile.write("".join(tail))
# Show intro bootlogo and start progress
progressapp -f \flashbfs\system\bootlogo.bmp -g flashbfs\system\bootlogo_legal.bmp -d1
# Start command shell on the RS-232 port
cmd /R
# Register a default user
defaultusr
# Start appcore. Appcore starts other necessary processes
appcore
# Show intro bootlogo and start progress
progressapp -f \flashbfs\system\bootlogo.bmp -g flashbfs\system\bootlogo_legal.bmp -d
# Start command shell on the RS-232 port
cmd /R
# Register a default user
defaultusr
# Start appcore. Appcore starts other necessary processes
appcore
# doCRC FlashBFS\system\appcore.exe 1821696 171809062
# doCRC FlashBFS\system\common_dll.dll 1225216 3274495904
# doCRC FlashBFS\system\appcore_dll.dll 708608 1774464110
# doCRC FlashBFS\system\progressapp.exe 29184 524537005
# doCRC FlashBFS\system\defaultusr.exe 5120 1813565132
# doCRC FlashBFS\system\chargeapp.exe 32768 1404156161
# doCRC FlashBFS\system\ui.d\design_ui_Z3.xml 36688 375538573
# doCRC FlashBFS\system\ui.d\facet_Z3.rcc 296494 1671048554
# doCRC FlashBFS\system\ui.d\toolbar-config_Z3.xml 1263 2286214514
# Show intro bootlogo and start progress
progressapp -f \flashbfs\system\bootlogo.bmp -g flashbfs\system\bootlogo_legal.bmp -d1
# Start command shell on the RS-232 port
cmd /R
# Register a default user
defaultusr
# Start appcore. Appcore starts other necessary processes
appcore
# doCRC FlashBFS\system\appcore.exe 2018816 4043546286
# doCRC FlashBFS\system\common_dll.dll 1276928 1802841112
# doCRC FlashBFS\system\appcore_dll.dll 752640 3188104637
# doCRC FlashBFS\system\progressapp.exe 41984 196088817
# doCRC FlashBFS\system\defaultusr.exe 5120 2422935587
# doCRC FlashBFS\system\chargeapp.exe 32768 4243241340
# doCRC FlashBFS\system\ui.d\design_ui_Z3.xml 44574 4226502971
# doCRC FlashBFS\system\ui.d\facet_Z3.rcc 352779 2302427115
# doCRC FlashBFS\system\ui.d\toolbar-config_Z3.xml 1263 2286214514
# doACRC FlashBFS\system\appcore.exe 2018816 4215410483
# doACRC FlashBFS\system\common_dll.dll 1276928 639260284
# doACRC FlashBFS\system\appcore_dll.dll 752640 1574305936
# doACRC FlashBFS\system\progressapp.exe 41984 3268776627
# doACRC FlashBFS\system\defaultusr.exe 5120 3631190782
# doACRC FlashBFS\system\chargeapp.exe 32768 2540764423
# doACRC FlashBFS\system\ui.d\design_ui_Z3.xml 44574 1589578471
# doACRC FlashBFS\system\ui.d\facet_Z3.rcc 352779 246149579
# doACRC FlashBFS\system\ui.d\toolbar-config_Z3.xml 1263 1658689284
@DaveWB,
These are your files, which I modified; replace them by FTP and see whether anything changes or not.
With the stock common_dll.dll this camera has all the same symptoms as the other attempts made:
320x240 Thermal image only - no crosshairs showing, no image mode other than straight thermal available(no MSX).
Unfortunately, the result of the test was that uploading a patched common_dll.dll, causes the camera to not boot normally as I suggested in my previous post. We tried with just one byte change, which patches the signature verification.
BOGET,
Thanks for the :-+ detailed pictures
The ASCO was always considered to be a versatile platform that likely had parts not fitted, such as WiFi. Your tear-down has confirmed that belief. The ASCO design was always intended to support Wi-Fi and the Ex chassis even has the location for the Wi-Fi board as you have shown.
You have to wonder whether the Wi-Fi capability was removed from the Ex series at one of the marketing meetings, as either too expensive or 'too capable' for the intended market.
Fraser
@BOGET
thanks for sharing the images
Unfortunately only the third image is visible.
I checked it with Chrome / Safari / Firefox.
Please check your permissions ...
I made a mistake. I tried to downgrade the firmware to 2.11 and the camera (hardware 2.0L) is bricked. The screen shows the Flir logo and it does not boot. The camera isn't visible in Flir Tools, only a drive named ASCO. Is it possible to recover the firmware?
Did your camera finish the whole downgrade process?
If it did, you can try to connect to 192.168.0.2 via FTP in the default setting (don't login with flir/3vlig), and recover it from your backup files.
Otherwise, send it back to the manufacturer.
how it works
You can theoretically hack the new version by resigning the update files with your own private key and then replacing the public key in the device with yours: https://eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg465272/#msg465272
Has anyone tried this?
% python cfccfg.py 22C7E4020050281A conf.cfc conf.cfg1
% python cfccfg_V2.py 22C7E4020050281A conf.cfc conf.cfg2
% sha1sum conf.*
cc151985fdc0177f125e8420ced6df4a549ac021 conf.cfc
e3a3b0a4e89b6429cc2618ecb3581ab40230da79 conf.cfg1
3b59eb9f3fc0176acd6a652212a1ab1fcc06f359 conf.cfg2
% strings -n10 conf.cfg*
&YNbM(|(M:
&YNbM(|(M:
@DaveWB,
These are your files, which I modified; replace them by FTP and see whether anything changes or not.
There are two possibilities: one is your file has been a mess (older and new); the other is the signature mode has been changed.
I did have just the modified .dll on there and the camera still worked fine.
Unfortunately, the result of the test was that uploading a patched common_dll.dll, causes the camera to not boot normally as I suggested in my previous post.
BUT: It appears that CRMD160 is very fundamentally broken for byte values >= 0x80... This allows to conveniently patch the signature check in a way that applauncher.exe doesn't notice.
I don't have the 3.5.0 update package (neither I could find it on FLIR's site), so can't get the NK.bin for 3.5.0 and disassemble applauncher.exe to see what exactly doACRC does. If someone knows a way to get it from the camera... I have limited knowledge about embedded device development (WindowsCE even less) or cryptography. I wonder if the code calculates 2 CRC values and somehow closes the loophole, but I can only speculate.
This is still the suid when I just ran the same command. I actually haven't messed with the cam in a while and didn't have menu features. I looked and saw the .cfc was 6436 instead of the 6608 bytes. Anyways, attached is my original backup of the unit which includes the original conf.cfc and common_dll.dll, both of which I just applied to the camera which brought all the stock menu functions back.
The suid for the camera files from the original post is 22C7E4020050281A if anyone wants to play around with the files
[HKEY_LOCAL_MACHINE\init]
"Depend110"=hex:64,00
"Launch110"="autoloadcheck.exe"
"Depend111"=hex:64,00
"Launch111"="timeprint.exe"
"Depend97"=hex:1e,00,3c,00
"Launch97"="timeprint.exe"
"Depend25"=hex:14,00
"Launch25"="timeprint.exe"
"Launch03"="timeprint.exe"
"Depend100"=hex:1e,00,3c,00
"Launch100"="applauncher.exe"
"Depend60"=hex:14,00
"Launch60"="servicesStart.exe"
"Depend30"=hex:14,00
"Launch30"="gwes.dll"
"Launch20"="device.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\FLIR Systems\Applauncher]
"LaunchFileAlt"="\\FlashBFS\\system\\applaunch.dat"
"LaunchFile"="\\FlashFS\\system\\applaunch.dat"
# doCRC FlashBFS\system\common_dll.dll 1276928 1802841112
....
# doACRC FlashBFS\system\common_dll.dll 1276928 639260284
signed int __fastcall sub_11B68(const wchar_t *a1)
{
  const wchar_t *v1; // r4@1
  signed int v2; // r9@1
  signed int v3; // r5@1
  DWORD v4; // r0@1
  size_t v5; // r6@1
  void *v6; // r7@3
  FILE *v7; // r0@5
  FILE *v8; // r8@5
  const char *v9; // r6@9
  char *v10; // r0@10
  DWORD v11; // r4@12
  int v12; // r0@13
  const char *v13; // r6@18
  char *v14; // r0@19
  DWORD v15; // r4@21
  int v16; // r0@22
  size_t v18; // [sp+4h] [bp-34Ch]@7
  int v19; // [sp+8h] [bp-348h]@11
  char v20; // [sp+Ch] [bp-344h]@21
  char v21; // [sp+14h] [bp-33Ch]@12
  char v22; // [sp+30h] [bp-320h]@11
  WCHAR Buffer; // [sp+130h] [bp-220h]@12
  int v24; // [sp+330h] [bp-20h]@1

  v1 = a1;
  v24 = dword_161A0;
  v2 = 0;
  v3 = 0;
  v4 = sub_1181C(a1);
  v5 = v4;
  if ( !v4 )
    goto LABEL_2;
  v6 = operator new(v4 + 1);
  if ( !v6 )
  {
    sub_14994(v24);
    return 3;
  }
  *(_BYTE *)v6 = 0;
  v7 = wfopen(v1, L"rb");
  v8 = v7;
  if ( !v7 )
  {
    NKDbgPrintfW(L"verifyCRC - cannot open %s\r\n", v1);
LABEL_2:
    sub_14994(v24);
    return 1;
  }
  v18 = fread(v6, 1u, v5, v7);
  if ( v18 != v5 )
    v3 = 4;
  fclose(v8);
  v9 = (const char *)v6;
  while ( !v3 )
  {
    v10 = strstr(v9, "# doCRC ");
    if ( !v10 )
      break;
    v9 = v10 + 1;
    if ( sscanf(v10, "# doCRC %s %u %u", &v22, &v18, &v19) == 3 )
    {
      wsprintfW(&Buffer, L"%S", &v22);
      v11 = sub_1181C(&Buffer);
      sub_14250((int)&v21, 1);
      if ( v18 == v11 )
      {
        sub_125BC((int)&v21, &v22);
        v12 = sub_142B4((int)&v21, (int)&v18, 4u);
        if ( v12 != v19 )
        {
          NKDbgPrintfW(L"%S [CRC]\r\n", &v22);
          v3 = 5;
        }
      }
      else
      {
        NKDbgPrintfW(L"%S [size]\r\n", &v22);
        v3 = 6;
      }
      sub_12978(&v21);
    }
  }
  v13 = (const char *)v6;
  if ( v3 )
    goto LABEL_33;
  do
  {
    v14 = strstr(v13, "# doACRC ");
    if ( !v14 )
      break;
    v2 = 1;
    v13 = v14 + 1;
    if ( sscanf(v14, "# doACRC %s %u %u", &v22, &v18, &v19) == 3 )
    {
      wsprintfW(&Buffer, L"%S", &v22);
      v15 = sub_1181C(&Buffer);
      sub_12898((int)&v20, 0x4C11DB7);
      if ( v18 == v15 )
      {
        sub_125BC((int)&v20, &v22);
        v16 = sub_12844((int)&v20, &v18, 4);
        if ( v16 != v19 )
        {
          NKDbgPrintfW(L"%S [CRC]\r\n", &v22);
          v3 = 5;
        }
      }
      else
      {
        NKDbgPrintfW(L"%S [size]\r\n", &v22);
        v3 = 6;
      }
      sub_127AC(&v20);
    }
  }
  while ( !v3 );
  if ( !v2 )
LABEL_33:
    v3 = 7;
  operator delete(v6);
  sub_14994(v24);
  return v3;
}
BOOL __fastcall sub_11E1C(wchar_t *a1)
{
  wchar_t *v1; // r4@1

  v1 = a1;
  return sub_11880(a1) && !sub_11B68(v1);
}
signed int __fastcall sub_11E5C(signed int a1, int a2)
{
  int v2; // r5@1
  signed int v3; // r6@1
  BOOL v4; // r7@1
  bool v5; // zf@2
  signed int v6; // r3@5
  int v7; // r0@7
  int v8; // r4@7
  int v9; // r8@7
  int v10; // r3@10
  signed int v12; // r5@16
  const char *v13; // r0@21
  const wchar_t *v14; // r1@30
  wchar_t *v15; // r6@34
  FILE *v16; // r0@34
  const char *v17; // r0@37
  HANDLE v18; // r4@41
  DWORD v19; // r0@45
  HDC v20; // r4@51
  FILE *v21; // r6@56
  int v22; // r4@57
  int v23; // r7@57
  int v24; // [sp+18h] [bp-A70h]@1
  HKEY hKey; // [sp+1Ch] [bp-A6Ch]@1
  DWORD cbData; // [sp+20h] [bp-A68h]@3
  int v27; // [sp+24h] [bp-A64h]@7
  DWORD dw; // [sp+28h] [bp-A60h]@1
  DWORD Type; // [sp+2Ch] [bp-A5Ch]@22
  CHAR v30[4]; // [sp+30h] [bp-A58h]@51
  struct _PROCESS_INFORMATION v31; // [sp+34h] [bp-A54h]@49
  HANDLE hObjects; // [sp+44h] [bp-A44h]@49
  HANDLE v33; // [sp+48h] [bp-A40h]@51
  char OutBuf; // [sp+4Ch] [bp-A3Ch]@41
  int v35; // [sp+50h] [bp-A38h]@42
  wchar_t pszImageName; // [sp+64h] [bp-A24h]@57
  wchar_t Data[1024]; // [sp+264h] [bp-824h]@17
  int v38; // [sp+A64h] [bp-24h]@1

  v2 = a2;
  v3 = a1;
  v38 = dword_161A0;
  hKey = 0;
  v4 = 1;
  dw = 0;
  if ( !KernelIoControl(16850952, 0, 0, &v24) )
    goto LABEL_76;
  v5 = v24 == 1;
  if ( v24 == 1 )
    v5 = cbData == 4;
  if ( v5 )
    v6 = 1;
  else
LABEL_76:
    v6 = 0;
  v24 = v6;
  v7 = KernelIoControl(16850988, 0, 0, &v27);
  v8 = v24;
  v9 = v7;
  v10 = v7 && v27 && !v24;
  v27 = v10;
  if ( v3 < 2 )
  {
    printf("Usage: applauncher [options]\n-f <filename> Execute commands in file <filename>\n-r Execute file specified by registry setting.\n(number) Automatic mode (OS internal).\n");
    sub_14994(v38);
    return 1;
  }
  if ( v3 != 2 )
  {
    if ( v3 != 3 || wcscmp(L"-f", *(const wchar_t **)(v2 + 4)) )
    {
      v13 = "Bad Argument(s)! Use \"applauncher\" for help.\n";
      goto LABEL_72;
    }
    v14 = *(const wchar_t **)(v2 + 8);
    v12 = 0;
    wcscpy(Data, v14);
    goto LABEL_31;
  }
  if ( !wcscmp(L"-r", *(const wchar_t **)(v2 + 4)) )
  {
    v12 = 0;
  }
  else
  {
    swscanf(*(const wchar_t **)(v2 + 4), L"%[0-9]", &Data[512]);
    if ( wcscmp(&Data[512], *(const wchar_t **)(v2 + 4)) )
    {
      v13 = "Bad Argument! Use \"applauncher\" for help.\n";
      goto LABEL_72;
    }
    swscanf(*(const wchar_t **)(v2 + 4), L"%d", &dw);
    v12 = 1;
  }
  if ( !RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\FLIR Systems\\Applauncher", 0, 0, &hKey) )
  {
    cbData = 510;
    if ( RegQueryValueExW(hKey, L"LaunchFile", 0, &Type, (LPBYTE)Data, &cbData) )
      goto LABEL_39;
    if ( Type != 1 )
      goto LABEL_39;
    cbData = 510;
    if ( RegQueryValueExW(hKey, L"LaunchFileAlt", 0, &Type, (LPBYTE)&Data[256], &cbData) || Type != 1 )
      goto LABEL_39;
    RegCloseKey(hKey);
    v8 = v24;
LABEL_31:
    if ( v12 )
    {
      Sleep(0x64u);
      v8 = v24;
    }
    if ( v8 )
      goto LABEL_77;
    v15 = Data;
    v16 = wfopen(Data, L"r");
    if ( !v16 )
    {
      v15 = &Data[256];
      v16 = wfopen(&Data[256], L"r");
      if ( !v16 )
      {
        if ( !v12 )
        {
          v17 = "Failed to open the launch specification file. Aborting!\n";
LABEL_38:
          printf(v17);
LABEL_39:
          RegCloseKey(hKey);
          goto LABEL_73;
        }
        goto LABEL_40;
      }
    }
    fclose(v16);
    v18 = CreateFileW(L"FAD1:", 0, 0, 0, 3u, 0x80u, 0);
    if ( DeviceIoControl(v18, 0x800040C0, 0, 0, &OutBuf, 0x18u, 0, 0) )
    {
      if ( v35 )
      {
        v4 = sub_11E1C(v15);
        NKDbgPrintfW(L"Integrity: %d\r\n", v4);
      }
      else
      {
        NKDbgPrintfW(L"No integrity check necessary\r\n");
      }
    }
    else
    {
      v19 = GetLastError();
      NKDbgPrintfW(L"FAD call fails:%d hndl:%d err:%d\r\n", 0, v18, v19);
    }
    CloseHandle(v18);
    if ( v24 )
      goto LABEL_77;
    if ( !v9 )
      goto LABEL_78;
    if ( !v4 )
      goto LABEL_54;
    NKDbgPrintfW(L"APPLAUNCHER: Starting usb charge App \r\n");
    hObjects = CreateEventW(0, 0, 0, L"ChargeAppFinished");
    if ( CreateProcessW(L"ChargeApp.exe", 0, 0, 0, 0, 0, 0, 0, 0, &v31) && v27 )
    {
      *(_DWORD *)v30 = 2;
      v20 = CreateDCW(0, 0, 0, 0);
      CreateProcessW(L"cmd.exe", L"/R", 0, 0, 0, 0, 0, 0, 0, &v31);
      v33 = v31.hProcess;
      WaitForMultipleObjects(2u, &hObjects, 0, 0xFFFFFFFF);
      NKDbgPrintfW(L"APPLAUNCHER: Usb charging finished\r\n");
      ExtEscape(v20, 100037, 4, v30, 0, 0);
    }
    CloseHandle(v31.hProcess);
    CloseHandle(v31.hThread);
    if ( v24 )
    {
LABEL_77:
      CreateProcessW(L"cmd.exe", L"/R", 0, 0, 0, 0, 0, 0, 0, &v31);
    }
    else
    {
LABEL_78:
      if ( !v4 )
      {
LABEL_54:
        if ( !v12 )
        {
          v17 = "APPLAUNCHER: Refuses to run launch specification file. Aborting!\r\n";
          goto LABEL_38;
        }
LABEL_40:
        SignalStarted(dw);
        goto LABEL_39;
      }
      v21 = wfopen(v15, L"r");
      while ( !feof(v21) )
      {
        fwscanf(v21, L"%[\t\v\n\r\f]", &pszImageName);
        v22 = fwscanf(v21, L"%[^ #\t\v\n\r\f]", &pszImageName);
        v23 = fwscanf(v21, L"%[^#\t\v\n\r\f]", &Data[768]);
        if ( v22 > 0 && wcslen(&pszImageName) >= 1 )
        {
          if ( !v27 || wcsicmp(&pszImageName, L"cmd") )
          {
            if ( v23 <= 0 )
              CreateProcessW(&pszImageName, 0, 0, 0, 0, 0, 0, 0, 0, &v31);
            else
              CreateProcessW(&pszImageName, &Data[768], 0, 0, 0, 0, 0, 0, 0, &v31);
            continue;
          }
          NKDbgPrintfW(L"APPLAUNCHER: Not starting duplicate cmd.exe \r\n");
        }
        fwscanf(v21, L"%[^\t\v\n\r\f]", &pszImageName);
      }
    }
    if ( v12 )
      SignalStarted(dw);
    goto LABEL_73;
  }
  if ( !v12 )
  {
    v13 = "Failed to open registry settings. Aborting!\n";
LABEL_72:
    printf(v13);
  }
LABEL_73:
  sub_14994(v38);
  return 0;
}
Here is some code from applauncher.exe,
Not that I understand it fully (except that CRMD160 is the class that implements the RMD160 hash function (https://en.wikipedia.org/wiki/RIPEMD)). I guess FLIR have some implementation of it in the applauncher.exe (I disassembled the code and found it). Also the crc03.exe (found in tools1.zip mentioned above) has some reproduction of it.
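The two-pass logic of the decompiled sub_11B68 above, modelled in Python as an added example (not code from the thread or from FLIR). The checksum functions are stand-ins built on zlib.adler32 and zlib.crc32 because the page does not show the camera's real algorithms; the file contents, helper names and the in-memory `files` dict are constructed for illustration, and the separate check done by sub_11880 is not modelled.

```python
import re
import struct
import zlib

# Return values visible in the decompiled sub_11B68.
OK, BAD_CRC, BAD_SIZE, REJECTED = 0, 5, 6, 7


def stand_in_crc(data, size):
    # ASSUMPTION: placeholder for the first-layer ("doCRC") hash; the real
    # algorithm is not shown on the page. The size is appended because the
    # decompiled code ends each hash with a 4-byte update from the size variable.
    return zlib.adler32(data + struct.pack("<I", size)) & 0xFFFFFFFF


def stand_in_acrc(data, size):
    # ASSUMPTION: placeholder for the second-layer ("doACRC") checksum.
    return zlib.crc32(data + struct.pack("<I", size)) & 0xFFFFFFFF


def entries(text, tag):
    """Return (path, size, checksum) for each '# <tag> path size checksum' line."""
    pattern = re.compile(r"# " + re.escape(tag) + r" (\S+)\s+(\d+)\s+(\d+)")
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in pattern.finditer(text)]


def check_layer(items, files, checksum):
    """Size is compared first, then the checksum; the first failure stops the pass."""
    for path, size, expected in items:
        data = files.get(path)
        if data is None or len(data) != size:
            return BAD_SIZE
        if checksum(data, size) != expected:
            return BAD_CRC
    return OK


def verify_manifest(text, files, crc=stand_in_crc, acrc=stand_in_acrc):
    # Pass 1: any doCRC failure jumps to LABEL_33, which overwrites the code with 7.
    if check_layer(entries(text, "doCRC"), files, crc) != OK:
        return REJECTED
    # Pass 2: a manifest with no "# doACRC " text at all is also answered with 7.
    if "# doACRC " not in text:
        return REJECTED
    # Failures in pass 2 keep their specific code (5 or 6).
    return check_layer(entries(text, "doACRC"), files, acrc)


def manifest_lines(tag, files, checksum):
    return ["# %s %s %d %d" % (tag, path, len(data), checksum(data, len(data)))
            for path, data in files.items()]


# Constructed sample data, not taken from a camera.
SAMPLE_FILES = {
    "FlashBFS\\system\\appcore.exe": b"constructed appcore image",
    "FlashBFS\\system\\common_dll.dll": b"constructed common_dll image",
}
HEADER = ["# Start appcore. Appcore starts other necessary processes", "appcore"]


def build_manifest(crc_files, acrc_files=None):
    """Build launch-file text; acrc_files=None gives a first-layer-only manifest."""
    lines = HEADER + manifest_lines("doCRC", crc_files, stand_in_crc)
    if acrc_files is not None:
        lines += manifest_lines("doACRC", acrc_files, stand_in_acrc)
    return "\n".join(lines) + "\n"


def demo():
    dll = "FlashBFS\\system\\common_dll.dll"
    changed = dict(SAMPLE_FILES)
    changed[dll] = b"constructed common_dll imagE"      # same size, one byte differs
    grown = dict(changed)
    grown[dll] = changed[dll] + b"!"                     # size differs as well
    full = build_manifest(SAMPLE_FILES, SAMPLE_FILES)
    return [
        verify_manifest(full, SAMPLE_FILES),                               # intact
        verify_manifest(build_manifest(SAMPLE_FILES), SAMPLE_FILES),       # no doACRC
        verify_manifest(full, changed),                                    # pass 1 fails
        verify_manifest(build_manifest(changed, SAMPLE_FILES), changed),   # stale doACRC
        verify_manifest(build_manifest(grown, SAMPLE_FILES), grown),       # stale size
    ]


if __name__ == "__main__":
    print(demo())
```

A manifest that carries only `# doCRC` lines, like the older listing earlier in the thread, comes back as 7 under this logic, matching the `if ( !v2 ) ... v3 = 7` path in the decompiled function.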
Pwned !!!
v3.5.0 is now history :box:
There is first successfully updated camera out there. Someone may post pictures soon. :popcorn:
Great news! I can start keeping an eye out for a new version for cheap then!
Downgrade will NOT work.
It will brick the camera !!! It is because of hardware 2.0. The camera will then be stuck in bootloader mode.
so DO NOT try to downgrade on hardware 2.0.
regards
I want to know with what file did you decrypt
Conf.cfg
Interesting discovery!
Looking awesome!
One more shooting mode has been liberated - "Sport", which in turn brought a new palette with it - "Medical". Not sure at the moment what it is for but my guess is the Sport mode could be for taking pictures of fast moving objects. A controlled experiment to confirm this would be needed. But together with the Medical palette it makes sense that they may be used for medical thermography, perhaps by medics of sport teams or by medical researchers. Below are samples of static objects how a hand and alien cat look under the medical palette.
And a special feature from Bud, not being present in Ex series cameras: graphics overlay toggle using the Back button. Toggle the button to enable/disable the overlay. Very useful if only want to see the scene with no temperature scale and stuff. Provides 100% use of the screen real estate.
... not as simple as patching a couple bytes...
... implanting code from other device models...
"Not present in Ex series cameras", does that mean it's present in some other Flir models and you brought it over somehow? Or did you implement that from scratch?
(Don't suppose any of 'em have the ability to stream both the IR and Visible images simultaneously, say like a side-by-side image?)
.. mixing and matching snippets of compiled code, it sounds like?
I guess all the cameras in the series are based on the same processor
Bud, if you're ever in Detroit, hit me up for a beer or something!
EEPROM unlock code found ! 8)
Well done, Bud! That's impressive, do you know what the new pw is?
Just wondering, if I was to have a recent E4 (without WiFi), could a 'hack' as this enable WiFi?
Or would this method even only work on a E4 WiFi version?
@ Bud, I don't know how you do your magic, but it's impressive!
B.t.w. I can't find the firmware version 3.9 (which I thought was posted somewhere).
Does anybody know if it has been removed or am I losing my eye sight?
3.9 can be found here:
Hard to guess if you are not a Swede:
ArneAnka
Google who Arne Anka is :D
Edit: The code was provided for learning/exploratory purpose. Be smart and do not change anything in the EEPROM, it may be devastating to the device.
Does this mean that the camera could be set as an E8 and be seen as an E8 in flir tools?
@ Bud, I don't know how you do your magic, but it's impressive!
Finding a way to beat the 2-layer hash validation in applauncher was the most challenging and took a few sleepless nights. The rest is easier but takes a LOT of editing, trying and rebooting. I am on my 300-ish restart counter as reported in Camera Information screen.
I recall I glanced over the E75 file system and it seemed to be using the same 2-layered hash, so my educated guess is E75 can be liberated to E95 configuration using the same procedure.
Tried to download 3.9.0 but there was no file. On Flir's site there is 3.12.0 now http://flir.custhelp.com/app/account/fl_download_software
Wow, just worked for me a few hours ago.
The newer Exx series use Linux, but I assume that it won't make any difference? Would be good to unlock it to the full 640x480!
qml_context_property type="string" name="registrationNag" value="N/A"
...
ui_model type="RegistrationWizardModel" name="registrationWizardModel" ... title="CAMERA_REGISTRATION_TITLE"
...
some other related crap such as screen to enter some verification code
@Bud
The update went fine 8)
There were some typos in readme:
3.1 FlashIFS\version.rsc should be FLIRVers.rsc
7 when typing python cfccfg.py file ( the downloaded file has a _V2 on it so people should rename it or just point to right file )
9 (b) FlashFS\system\common_dll.dll the correct path is FlashBFS\system\common_dll.dll
And for the record this works with NON wifi model also!
Thanks !
Thanks!
that is embarrassing typos. This is what happens when posting at 4am after working all day.
All - please take a note before I fix the typos in the package and download the archive again, the instructions file has been updated.
About menu, if I edit toolbar-config.xml and remove this
<ToolBar name="new_settings"/>
<ToolBar name="recordingModeMenu">
<ToolBar name="recordingMode_still"/>
</ToolBar>
Is it all that is needed to be done to get rid of that toolbar "recording mode" ? ( since I don't see a reason being there it does nothing for me )
For me the update failed.
For other users it would be nice if you could add the description of how to setup the camera in RNDIS mode.
I found a description for older firmware using FlirInstallNet.exe and some fif files, but using that description it seems it changes some wrong things in the new firmware version
FYI, the right way to set the camera in RNDIS mode is by going into the camera information menu and holding the right menu key for more than 10 seconds. Then you get a diagnostics menu where you can set USB mode etcetera.
If anybody has a tip on how to get back normal camera functionality let me know.
Thanks Bud for the description.
For me the update failed. For other users it would be nice if you could add the description of how to setup the camera in RNDIS mode. I found a description for older firmware using FlirInstallNet.exe and some fif files, but using that description it seems it changes some wrong things in the new firmware version, as in device information nothing is shown about the resolution of the camera anymore and the built-in normal camera does not work anymore.
FYI, the right way to set the camera in RNDIS mode is by going into the camera information menu and holding the right menu key for more than 10 seconds. Then you get a diagnostics menu where you can set USB mode etcetera.
If anybody has a tip on how to get back normal camera functionality let me know.
Thanks bud.
I read that for 3.9.0.
I just wanted to check if it works with 3.5.0, it just updates to 3.9.0.
@bud
do you think a 3.12.0 to 3.9.0 downgrade is possible? Want to know in case I get one that already comes with 3.12.0
I used fif files from 2.11.0 Hack files and it worked both ways to RNDIS and back to MSD/VDC mode.
Would I be rude to ask if you could post these files?
I'm a newbie at this and can find files about hack 2.3.0 (http://fubar.gr/hacking-the-flir-e4/) but not the 2.11.0 and I'm not sure they're the same.. :-[
Copied preset_threeSpots.rsc to /FlashBFS/system/ui.d/presets.d/ and it's working great!
Thanks again!
There's one thing I'd like to ask (just for clarity): does your basic package include some changes or additions to the palettes or menus? Apparently nothing changed here for my camera, so if there should be more, I'd have to investigate again, otherwise I'm just fine for now.
BTW the hidden menu is still there (10 sec keypress)
This package is for E4.
thx, cap
This is side by side screenshots of menu and settings screens before and after.
Thanks, that makes things clear for me: The menus didn't work, resolution does. I've got the "before" menus on my E4. So I'll go back and try to find the reason, maybe I've put a file in the wrong place - would be the first thing to check.
Make sure to copy/replace ui_control.rsc
For any other noobs like me, I offer this useful article:
http://fubar.gr/hacking-the-flir-e4/
So far it has helped me to switch to RNDIS mode, use Filezilla with the username Flir and password 3vlig, and backup the Flir E4 files. Obviously those simple steps apply to all firmwares, so at what step does the process become different for 3.9.0? I am hesitant to proceed lest this article be outdated.
I was being dumb, but at least I've learnt about the command line now.
The CFC has been created, now that I put C:\ and all that jazz before the file name. Of course the computer didn't know where to find the file because I didn't put its location. That is programming 101, I know, but I haven't taken that class!
I bet you PC-Einsteins are laughing at the screenshot I posted!
Regarding the back-up, that should be the easy part! I don't recognise the program WinSCP that you used (I chose Filezilla), but it's just a matter of copying and pasting. Your C: drive is where the back-up belongs, and I made one on several others of my drives just in case.
To answer your question about the Python step, there is an easy way to tell the command prompt (which you open by typing cmd into the Windows search bar) a file's location. Instead of typing out where your file is (C:\ etc), just drag the file on to the command prompt.
Hey Sam, thanks for coming to the rescue! :)
But do you recognize the folders on the right?
Are those the ones to backup?
Cause I'm a bit surprised to see folders like "Program Files", "Windows" and "Temp".. which seem a lot like the C:\ folder structure..
But which file you mean? The conf.cfg file?
I've tried to put C:\ and C:\Python27\ in front of several places, but nothing worked.. got the same syntax error you got..
To make it easier to type the locations, move the V2 file and conf.cfg files to your C: folder (and in no subfolders of that). Then you would type the following (no more, no less) where xxx etc. is your SUID:
python C:\cfccfg_v2.py xxx C:\conf.cfg C:\conf.cfc
Note that it worked for me only when I told the command prompt to create the new cfc file in a location (let's make it the C:\ drive for simplicity's sake and then move it later).
Then something else is wrong.. because that combination also doesn't work.. :-//
U da man! 8)
U officially r not allowed to call yourself noob again.. ;)
Use the recovery procedure on page 8.
And then re-do it?
Or will it not (never) work with my device for some reason (region or non-wifi related issues)?
Maybe this can be a clue as to why it didn't work for my E4?
Walk away from it for a day or two, let your mind relax, then do it again starting from downloading the package again. Print out the instructions and put a check mark against each step as you complete it. There is no reason for it not to work on a stock camera.
Quote: Maybe this can be a clue as to why it didn't work for my E4?
No , it is supposed to be that way.
It is time to get another E4. A wifi version this round. Any good promotion going on now?
Oh, another thing..
...
Would that give a clue of why it didn't completely work?
Addendum: I too struggled getting the E4 into RNDIS mode.
That what? Can you post one thing at a time.
Download and install FLIR Tools: http://support.flir.com/SwDownload/app/RssSWDownload.aspx?ID=120
Man.. hahaha.. if you keep going, you end up digging stuff up even FLIR doesn't know is there.. 8)
B.t.w. has there been any setting you came across (that could be unlocked) that enables you to turn off the "auto calibration"?
Or set it to "manual" or a user settable "time interval"?
Just curious. What exactly was done to common_dll.dll that made it so u are allowed to modify conf.cfc?
I uploaded it for you via WeTransfer (about 18MB): https://we.tl/cZNKdp304m
The download link will stay valid for 7 days, so be on time.. :)
Here is a .FIF I made for the normal E4 that turns off NUC'ing until the camera is restarted. (rset .tcomp.services.autoNuc.active false)
When I am going to record video I power on the camera - run the FIF, leave it connected to the charger for 15-20 min to warm up/equalize, then run a manual NUC by holding the "play" button to level it out.
Then you're good to record without calibration popups.
(remember to rename it from .zip to .fif)
You may be able to turn off autoNUC in the resource tree using rset command, and then use long press of Archive button to trigger manual NUC when you want. If you do not know how to dump and manipulate the resource tree, search E4 Teardown thread for rls,rset,resource keywords.
Would I be rude to ask if you could post these files?
I'm a newbie at this and can find files about hack 2.3.0 (http://fubar.gr/hacking-the-flir-e4/) but not the 2.11.0 and I'm not sure they're the same.. :-[
pull the RNDIS fif files from this zip archive
https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg531346/#msg531346
I recommend only using the Temporary one. You will be in better control over the camera USB interface. The Temporary fif only enables RNDIS until reboot, after which the camera returns to UVC mode. You will perhaps need to run it 2-3 times during the procedure as you reboot but it makes sure the camera will not get stuck in RNDIS using some weirdo IP settings which may give you headache and inability to connect to it. Ask me how I know this.
I tried Win7 64bit and Win10 64bit but the RNDIS mode not working. Network starting but no usable IP. (169.254.96.140 or similar). No response to ping. :(
I've experienced this behaviour quite a few times. Windows or the Flir drivers or both really suck at RNDIS.
Try unplugging your computer from the network before running the .fif
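Added example, not from any poster in this thread: a Python check for the symptom described above, where the RNDIS adapter ends up on a self-assigned 169.254.x.x address and a second adapter may compete for the camera's subnet. The addresses 169.254.96.140 and 192.168.1.2 are the ones quoted in the thread; the adapter names, the wired LAN address and the idea that the wired LAN overlaps the camera's subnet are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data. 169.254.96.140 and 192.168.1.2 are the addresses
# quoted in the thread; adapter names and the wired LAN address are assumptions.
CAMERA_IP = "192.168.1.2"
BEFORE = [
    ("Ethernet", "192.168.1.37/24"),      # wired home LAN (assumed)
    ("FLIR RNDIS", "169.254.96.140/16"),  # self-assigned address, as reported
]
AFTER = [
    ("FLIR RNDIS", "192.168.1.10/24"),    # assumed address on the camera's subnet
]


def classify(adapters, camera_ip):
    """Map each adapter name to its relation to the camera address."""
    camera = ipaddress.ip_address(camera_ip)
    result = {}
    for name, cidr in adapters:
        iface = ipaddress.ip_interface(cidr)
        if iface.ip.is_link_local:
            # 169.254.0.0/16: the host got no address from the camera side
            result[name] = "apipa"
        elif camera in iface.network:
            result[name] = "same-subnet"
        else:
            result[name] = "other-subnet"
    return result


def diagnose(adapters, camera_ip, rndis_name="FLIR RNDIS"):
    """Return a list of problem strings; an empty list means the layout looks sane."""
    states = classify(adapters, camera_ip)
    problems = []
    rndis = states.get(rndis_name)
    if rndis is None:
        problems.append("rndis-adapter-missing")
    elif rndis == "apipa":
        problems.append("rndis-no-address")
    elif rndis == "other-subnet":
        problems.append("rndis-wrong-subnet")
    # Any other adapter that already covers the camera's address can attract
    # the traffic meant for the camera, which is one reason unplugging the
    # wired network can help.
    for name, state in states.items():
        if name != rndis_name and state == "same-subnet":
            problems.append("competing-route:" + name)
    return problems


if __name__ == "__main__":
    for label, adapters in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose(adapters, CAMERA_IP) or "ok")
```

Feed it the name and address/prefix pairs shown by `ipconfig` on the PC to see which of the two conditions applies.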
Well, jumped in on an E4 after following this thread, and what do I receive? An 1.2L/2.11 E4. Not what I expected. Apparently the 2016 E4's are still around...
Now I have some questions:
- Is there any reason to prefer the 2017 non-wifi E4 with 2.0 hardware over the 1.2L hardware?
- Will the hack for 3.9.0 also work on the 1.2L hardware?
I'd hate to miss out on all the extra goodies of the 3.9.0 hack... will this be 'backported' in the future?
I'm not sure if it's reasonable to demand a swap for a 2017 version. The one I received came with a completely flat battery, it needed an hour on the charger before any signs of life of the unit.
Hi Bud,
Where do we get the extras (Advanced Pack) from? Is it still in development?
Thanks!
... will this be 'backported' in the future?
hi
I can't connect my flir
I have already done backup, but on the other day I can't connect by filezilla or even PC can't see it like usb flashcard.
when I plug in flir in PC: ''configuring terma cam... camera ip adress 192.168.1.2... connecting to 192.168.1.2 Please wait...''
Flir E5 fw 3.9.0
Try "recovery procedure" https://www.eevblog.com/forum/thermal-imaging/flir-e4-wifi-resolution-and-menu-hack-thread/msg1336326/#msg1336326 to connect the camera and access files etc.
MicroBliss - i have the same issue. I just hardreset the cam (unplug the battery for couple minute), and reconnect to usb
Thanks, but didn't help
Note that after each rebooting camera, you have to re-run RNDIS mode, then filezilla will have no problem; Or at least I had that :)
Or try remove your wired network from the computer before connecting the camera, sometimes rebooting windows before connecting the camera helps.
BEWARE: Bud's package is for the E4 model. Anything else is at your own risk and not supported here, as applying the package to the E4 is at your own risk anyway.
Connected by "Recovery procedure" (user: anonymous, pass: NcFTP@ ). Load backup. Didn't help.
"\\IRCAM4953\Images
Information = 1231
network folder is not available(close to it in english)..."
Sorry, didn't give you full instructions: Use "Recovery procedure" to connect, do not upload backup now but rather apply the patches then as written, you can probably skip the part with telnet and stopapp.
Why are not all measurement options showing on my camera?
(Or are they not supposed to yet, but part of the advanced hack?)
And if not, would it be possible to adjust the text in the .rsc files to construct my own preset and just (re)name that to for example “preset_threeSpots”, since I won’t be using the “threeSpots” function?
Or are these .rcs files not adjustable this way and need their operation be facilitated in some other part of the software?
Some cameras, like the WIRIS Gen 2, allow you to change the autoNUC mode in the settings menu, where you can choose between “auto”, “every 1 minute”, “every 5 minutes” and “manual”.
Have you come across such similar function or feature while discovering and unlocking the E4 possibilities?
Quote from: Squawk
Why are not all measurement options showing on my camera?
(Or are they not supposed to yet, but part of the advanced hack?)
There are things other than just the config file that affect that. Advanced package does not add anything there.
My Flir E4 non Wifi model 2.0L firmware 3.9.0.
can I Resolution and Menu Hack Thread ,
Is there a way so I can upgrade Flir......?
Also when turn on Flir I see that "This device has unsupported software...", but it works.
The message is added on purpose by Bud's hack, to indicate the camera doesn't run official firmware.
How can i see that resolution has changed?) Images before had 320x240, and after 320x240.
Of course, I understand that this is something you have spent a lot of free time on and your effort is very much appreciated. I'm not asking you to do a backport, it's your free time and you should spend it as you please.
... will this be 'backported' in the future?
Sorry we are not running a full time business operation here.
@ Summer:
Yes, your hack was successful! :)
Step 15 is not really a step you have to do. It is more a check if the hack worked so far.
And it did. Both your resolution and the options you now have to select different color pallets, confirms that.
How does the update work from Bud to flir e4 without wifi? or are there any problems?
BUD!
MANY THANKS for the great WORK!!!
Flir E4 without wifi works!
p.s. don't use win8.1
does anyone have the first numbers of the serials for E4/E5's with wifi? (so first 3-4 numbers of serial?)
thanks in advance :)
wifi units started around 63997xxx
My Flir E4 non Wifi model 2.0L firmware 3.9.0.
Is this a success?
Power on the camera and see if you now have 320x240 resolution working. <=== step 15 , I see is 80x60 , how to I check resolution
I skipped the step 15 and proceeded to step 16. Now the resolution shows 320X240 by itself without me editing anything. Did I succeed in the hacking?
(https://i.imgur.com/6ABJx4c.jpg)
(https://i.imgur.com/QEehcVd.jpg)
I was wondering the same thing, I believe the old ones were indeed 640x480.
I see that the digital resolution is 320x240 for hardwareversion E4 2.0.
For my E4 1.2L I think this is 640x480.
Or am I wrong?
Did Flir downgrade the hardware?
So the hack reduces the Original digital camera resolution from 640x480 to 320x240?
That is a difference between the hacked E4 1.2L FW2.3 and E4 2.0 FW3.9
Yes, I understand and you are right, Bud. It will be a stock change by Flir and has nothing to do with the hack.
I first wonder why they make the change. My first thought was a hardware change but Fraser did explain it very well, I think.
I'm a bit surprised. There are 154 downloads of Bud's hack, yet there are only 10 "thank you's" in the post bar and less than 20 "thank you" posts..
Where are the other 124??
I'm going to venture the sensor is bad?
$ exiftool FLIR0010.jpg -b -RawThermalImage > FLIR0010.png
$ convert -define png:swap-bytes=on FLIR0010.png -auto-level FLIR0010a.png
From other posts in this forum you will see that it is a very bad idea to format the cameras image memory area. Never be tempted to do so as a short cut to deleting all images.
I haven't seen that information before, or I've forgotten. And there's no way I'm going to work out where I left off the other thread and resume reading.
Thank you my friend. You still may not have the job complete, there should be no manufacturer logo in a properly liberated system.
Hello together,
I got a Flir E4 with Firmware 3.1.2 so I used the 3.9.0 upgrade package and downgraded the firmware with NO issues.
Now I will try Buds method for upgrading...
Can this be used for the E4 w/WiFi model?
Bud, just wanted to let you know it works like a charm! :D
One thing that got me curious though.. on one of your screenshots of "Image Mode", you have a "video" symbol.
Also, in the settings, it asks how you want video compression (mpeg or radiometric).
Did you manage to get video working?
...I did have to turn "Screening Mode" to ON in the settings menu.
After that, also Sport mode was visible. Not sure what the relation is, but one seemed to facilitate the other.
It does freeze for me too in that mode, I assume it's no problem to delete it.
Without going back an reading 17 pages (I went back a few pages) can I go out and buy one off the shelf (amazon etc) and unlock it? I was aware of the hackability and then difficulty with non-wifi versions but I couldn't afford even the base camera then. Have hacks been released for all firmware versions of the E4 and E4 wifi to date? Thanks in advance!
Looks like my router should be OK since Bud's has a similar signature! :-+
Thanks again Bud for all your help!
Sadly no, I could not get it working and the screenshot was from the time I was playing with it.
As to the setting in the Main Settings menu, I left it because was not sure if that may affect the way video may be transferred via USB or RTP, though at this time I could not get RTP (real time video over TCP) working. Also, I had some ideas for taking short video clips from the menu for Super Resolution processing purpose. But I have not gotten there yet.
To be honest, I think the release of this 'hack' may even boost E4 (WiFi) sales more, for a people who otherwise may not buy it..
And FLIR can look the other way and gladly accept this boost..
win-win, right? :D
Just a heads up, perhaps coincidence or FLIR Is monitoring this page but the wifi version is on a national backorder until the 16th of January
Well.. If it costs them the same to manufacture the E4 as it would the E8, and not having to support/honor the voided warranty on the liberated E4, they would be very smart to sit back and collect the profit.
Actually, what they really should do is send a bonus check to Bud for the boost in WiFi E4 sales! :-+ :-+ :-+
In US only delivery,, price, you save 8$ :palm:
Is it wrong to buy flir original accessory ? Definitely not.
We do have a very nice tool now, thanks to Bud.
First off, thanks to Bud and all the folks that continue to keep this E4 camera an awesome deal for us newbies to IR scanning.
I recently purchased a lightly used E4 that was calibrated in Nov 2015 and it is 1.2L hardware and 2.8.0 firmware. Camera obviously has not been hacked.
I need to back up the camera before I do anything, of course.
I have seen a few successes with folks going from 2.8 to 2.11 and applying the 2.11 reshack and menu hacks.
I hooked up the camera to Flir Tools 6.4 (latest version as of Jan '18) and it says it can update the firmware in the camera to 3.12. Obviously don't want to do that right now - 3.12 is not yet hackable. Was not really sure the 1.2L hardware could accept the 3.x firmware but apparently they can if Flir Tools wants to upgrade my camera to it.
Was thinking of upgrading from 2.8 to 3.9 and using the reshack and menu hacks for 3.9. This would get the camera up to the most recent hackable firmware (which I would prefer).
Is this the way to go or should I just upgrade from 2.8 to 2.11 and call it a day? Or perhaps even go from 2.8 to 2.3 (would rather not "downgrade" the firmware as there is some more risk there)?
I have done quite a bunch of reading in both this and the teardown thread but questions like these are not easy to find the answer for. Especially for 2.8 (although it seems the prevailing opinion is to downgrade to 2.3 and hack). Would be nice to have a chart (wishful thinking) with the camera's original firmware and the best hackable solution listed.
Thanks in advance for any guidance/suggestions on my question.
Xenawise
Go to 2.11 or 2.3, both should work just fine. I wouldn't mess with 3.9 as you're entering uncharted territory (old hardware vs Bud's hack being done on the new hardware) with no real incentive as the other firmware will get you the same exact thing.
I agree. Avoid going to 3.9 as Bud crafted his upgrade for a very specific firmware and hardware build. Updating firmware on older versions of the camera does install the firmware but not always in a way that mirrors the later models. There are recorded cases of FLIR upgrading forum members' firmware after a repair and the camera firmware configuration being different to that of a camera that left the factory with the same firmware. Any differences could impact upon whether Bud's upgrade works or your camera crashes.
Just a heads up, perhaps coincidence or FLIR Is monitoring this page but the wifi version is on a national backorder until the 16th of January
The FLIR UK web shop also showed the E4 models to be in stock and available to buy. No sign of the model being 'on hold' so panic not ;D
http://www.flir.co.uk/instruments/ex-series/
Fraser
Got myself 3D printed at a local shop a 2-part lens holder for close-up PCB work, and a ZnSe 20mm lens. Love the holder design, very easy to install the lens and put the holder on and take it off the camera. The 3D file was downloaded from Thingiverse (https://www.thingiverse.com/thing:2108075)
With regard to the focus tool design. I own all available versions and personally like the design and fit of this tool:
https://www.thingiverse.com/thing:188896
It fits my cameras focus ring indents perfectly.
Fraser
With the advanced package installed, if I select Object Distance from Image mode, whatever value I select seems to be multiplied by 3.33. If I select 0 ft, it is 0 ft, 1 ft = 3 ft, 10 ft = 33 ft, 2000 ft = 6562 ft.
Is the sizing of this thing in mm or inches?
I don't have a 3D printer and when I send it to Shapeways, it asks if it's in mm, cm or inches.
When I choose inches, it resizes to something that now becomes: X:3.296, Y: 3.158, Z: 3 cm.
Not sure if that is the right size..
I am connecting via the share option on the camera directly to the iPad. The other features (capture) work. Any ideas? Or is it something that is opened up in the advanced tools?
What's the diameter of the lens? Is 20mm optimal for 6" away from PCB?
...
I'm curious if the additional lens would provide a sharper picture than adjusting the existing lens. Would you be able to post a pic of a PCB? I'll do the same once I get to the shop.
Hello, i just upgraded my new E4 non wifi camera (2.0L, 3.9.0)
Amazing change!!
Thank you for your great work, Bud :clap:
I dont understand to bitcoins, its possible some paypal donation?
Question: is there a way to just increase the resolution but leave everything else the same? I am more looking for the resolution than anything else.
Cabny,
Good isn't it ;D
If you look at the back of your hand with very close focus you will likely see pores of your skin in contrast to the skin around them :)
Fraser
Is the sizing of this thing in mm or inches?
I don't have a 3D printer and when I send it to Shapeways, it asks if it's in mm, cm or inches.
When I choose inches, it resizes to something that now becomes: X:3.296, Y: 3.158, Z: 3 cm.
Not sure if that is the right size..
By default, stl files should be mm units from my experience.
Hello everyone, new member here.
I'm curious if anyone has had any luck or knows if a FLIR E4 Wifi - 2.0L HW (3.12.0 FW) can be upgraded. In going through the forum it looks like it may be possible to load the 3.9.0 FW Markofq posted. Then follow Bud's amazingly helpful instructions.
Would appreciate any insight.
"toolbarSeparators" value="false"
But why properties write 320x240?
Edit#2
Reverified the image resolution using http://exif.regex.info/exif.cgi. The extracted image says 80x60. Rechecked my setup and I overlooked the fact that I am running a Win7 64bit laptop, not a 32bit one. :palm:
I assume this resolution failure is due to using the 64bit machine to run the python script, correct? Does anyone have information on running a VM for this liberation? Again I apologize for the misinformation.
Known rabbithole is that one of the old conf. or common is still there in camera.
One way is to delete first then copy if you are too lazy to use stopapp.
Check file date to be sure copy is done in camera.
There is a good easy Python explanation in this thread with picture.
Can 2.0 owners dream about getting higher temperature measurement?
not as I know of.
...
4. Obtain cfccfg.zip archive:
https://www.eevblog.com/forum/thermal-imaging/flir-e4-thermal-imaging-camera-teardown/msg596959/#msg596959
and extract cfccfg_V2.py from it.
5. Install Python 2.7 . The script may not work with later Python versions.
6. Open the supplied conf.cfg , scroll down to the very bottom to the line that starts with "# ID " and replace the 9-digit number with your camera serial number.
Save the file.
7. Encrypt the updated conf.cfg from step 6 with your suid by running this command from command line on your PC with Python:
python cfccfg_v2.py XXXXXXXXXXXXXXXX conf.cfg conf.cfc
(where XXXXXXXXXXXXXXXX is the suid string from step 3)
This step will produce a new encrypted conf.cfc. Save it to your working folder for transferring to the camera.
...
Just a small update on cfccfg.py for 2.3. It now drops the signature/tail from the .cfg file. You can also make changes to the .cfg in plain text before converting back to .cfc, the file tail is created with the proper file size info (the signature is set to all 0). Note that you need the "HIRES" patch first in order to skip the CRC/signature check for this to work.
I tested adding a few lines to the .cfg file (comments, putting back 80x60 resolution...), convert to .cfc and use that on camera. Seems to work fine.
original post:
https://www.eevblog.com/forum/testgear/flir-e4-thermal-imaging-camera-teardown/msg594600/#msg594600
python cfccfg_V2.py XXXXXXXXXXXXXXXX C:/conf.cfg conf.cfc
I did replace the XXX with my SUID obviously.
The Ex series do not contain the required additional pixel bias voltage tables or associated calibration files for the other temperature ranges.
The temperature imaging capabilities of the Ex series may be extended using various attenuators placed in front of the lens. A non multi coated UV (Haze) glass photographic filter enables imaging of a gas flame etc. Sadly calibration is not simple though. Other materials can act as attenuators as well. It is a case of experimenting. Try plastics first.
Fraser
I think it would help to provide a bit more detailed insight on how to perform the step for those who aren't familiar with this.
Also worth pointing that you can record video and remote control the Flir camera using the free PC-based Flir IR Camera Player (http://www.flir.com/instruments/display/?id=50428) from Flir, as I haven't seen any mention of this yet in the "can I record video" discussions here.
For some reason that player never worked for me thru Ethernet. Also, as far as I remember it does not display radiometric video (i.e. with temperature measuring cursor so you can measure different parts of the image), it is just a color overlay. For true radiometric video streaming we made an effort here (https://www.eevblog.com/forum/thermal-imaging/flir-ex-realtime-raw-radiometric-data-streaming-via-uvc/msg749464/#msg749464) but it was a quite convoluted solution and only available on Linux.
I followed the steps correctly. Perhaps my SUID is wrong? In step 3 you ask to get the SUID by two different means. Why is that? We expect them to be the same right? I copied the SUID to the cfg file and encrypted it with the "python cfccfg_v2.py XXXXXXXXXXXXXXXX conf.cfg conf.cfc"
script.
Sorry this thread is for E4. Please open a separate thread for your C2 to avoid confusions.
Hey Bud, look what I found with Spirit right this moment. This is on my E4 wifi advanced package and spirit down arrow key press to open his custom menu. When I hit back to close his menu, I'm stuck with this screen and the down button nor any other button will dismiss it. Have to reboot the camera, since even after killing Spirit's exe process the down button would work
Anyway I will stop posting here (in this thread) if I bother.
My guess is Spirit's menu steals the focus from this popup that is why you can't close it. You have to work with Spirit to resolve this key press conflict. Better use a non modded camera for your tests.
OK, no problem.
Anyway I will stop posting here (in this thread) if I bother.
There is lots of newbies coming here for information on E4, mixing camera types in one thread may confuse them. Better keep it separate.
.caps.config.direction entry
.caps.config.direction.sensorAccel entry
.caps.config.direction.sensorAccel.enabled bool true
.caps.config.direction.compass entry
.caps.config.direction.compass.enabled bool true
.caps.config.direction.lcdAccel entry
.caps.config.direction.lcdAccel.enabled bool true
As I said, most likely Spirit's application grabs focus and does not return it to that popup when you shut down Spirit's application. Any key presses are passed to the screen element that has current focus. If the popup loses focus it can't process key press events. You are trying to layer an application on top of other application on top of main application. My recommendation is - test your stuff on a non modded camera to prevent interference.
OK,no problem.
Can you help me please with a full dump from E4, here or on PM. Thanks.
Solved that yellow spot, I had some other lines on my cfg file. That startup message is from facet.rcc, with other rcc files doesn't show up. I will investigate more.
Here's the tree file from my E4 wifi with advanced package upgrade. I blacked out the serial number and SUID with XXX's.
See here:
Here's the tree file from my E4 wifi with advanced package upgrade. I blacked out the serial number and SUID with XXX's.
here this point is also not clear to me. Please clarify.
I use WinSCP
9. b) Using FTP program rename FlashBFS \ system \ common_dll.dll on the camera to common_dll_org.dll
As I said, most likely Spirit's application grabs focus and does not return it to that popup when you shut down Spirit's application. Any key presses are passed to the screen element that has current focus. If the popup loses focus it can't process key press events. You are trying to layer an application on top of other application on top of main application. My recommendation is - test your stuff on a non modded camera to prevent interference.
I'll say it another way. How can we bring this never seen before splash screen up? What are the buttons or conditions you've set to prompt this popup? If you can't bring this popup up during normal operation of the camera, then what's the point of it? Could it be a forgotten beta popup of yours? If so, could we remove it since we already get the splash screen at startup?
Why is there so much concern about something that never shows up in normal operation, by your own words? Being a purist is not something that makes sense with the E4; in fact the whole E4 update became possible exactly because the manufacturer left low-hanging fruit in the code here and there, which was found and used for modding. Take it as test code or an Easter Egg; there is plenty of time before Easter - if you don't figure out the button combination by then I will tell.
It's simply because of the few 4 buttons that are "free", as in they do not prompt any command of the E4 while in regular display mode; we need to be able to use them all for the implementation, and it's hard to debug when I fall into that loop due to the popup. I'm all for giving you and the community credit for the E4 liberation achievement and hard work, and I don't mind having to deal with the popup and splash screen; however, I don't expect to have to deal with a popup coming out of nowhere and serving no apparent purpose. I'd rather be working with all of you to make this as good as possible, so that's why I'm asking if this popup serves a purpose the way it is right now and, if so, if we could move it to the startup or somewhere obvious for the users to actually see it under normal operation. If not, then I'll treat it as a remnant of a beta version and try to delete it or block it, since it's interfering with further development for no reason. That's why I'm asking you (plus the popup you wrote also says to come here for technical issues).
It is all yours, feel free to make any updates, but try to keep ebay resellers at a distance, that is - leave the startup splash screen alone.
and solve the last stupid question - if I exit the RNDIS mode, the break will remain in place
Yes, the manufacturer deactivated that menu a long time ago. You can't use it.
I was stuck with only plain thermographic images.
This is an indication of the config file not loading. You have to go back and carefully redo the config. You have the same problem as user sata-sata a few posts back.
Sorry which functions?
Is there any way on these to unlock the higher frame rate of the EXX series?
Someone is trying to reach me via PM but I am unable to reply, getting a message that the recipient mailbox is full. You have to sort out your PM box problems.
Here is a version of the Basic Package for E4 WiFi 2.0L, fw v3.12.0
I do not have a 3.12.0 device, so this version has not been tested.
YOU TRY AT YOUR OWN RISK.
=============
Update: Advanced Package is now available for testing
because other lines seem to be not working
scale_lock_scale is not the same as manual scale.
I didn't say it is the same. I said I added lock mode to my camera menu, which had no such mode after the hack.
Also it was removed on purpose because it did not retain the setting and worse - was screwing up Presets Palettes menu. Carefully test your camera to make sure that line does not cause problems.
I see no problem with it so far. But if you help me with manual mode, I'll appreciate it.
No new firmware for six months.... :o
I have an E4 with 3.12.0. I downloaded the basic 3.9.0 and advanced 3.12.0. I don't see the cfccfg_v2.py (or cfccfg.py) python script in any of the archives. Could someone please point me to where I can find it?
Hello Eevblog Community,
I have read a lot about the upgrade of the E4 camera.
I own an E4 2.0 L 3.12.0 with Wifi.
I would like to ask: Is it possible for a person who doesn't have great knowledge in programming to do this upgrade?
I am only interested in the Resolution upgrade.
Only if you made a backup of the original. It's unique for each camera.
FlashFS\system\default_a\inital.rsc
FlashFS\system\default_a\stats.rsc
FlashFS\system\journal.d\default.rsc
FlashFS\system\journal.d\default_services.rsc
FlashFS\system\journal.d\journal.rsc
FlashFS\system\journal.d\journal.rsc.old
FlashFS\system\journal.d\default_services.rsc
Try turning it off, removing the battery, and waiting for about an hour. I believe this saved a camera with a similar issue before once.
FlashFS\SYSTEM\default_a\inital.rsc
FlashFS\SYSTEM\default_a\stats.rsc
Ok, so I ventured out into the dangerous lands of FLIR hacking. Upgraded our 2.0L 3.5.0 camera to 3.9.0 and tried the basic procedure from page 8. I got as far as step 12, but something very unfortunate must have happened because now the camera boots to a point where it says "Application appcore.exe a serious error and must shut down". It's not something I've seen mentioned before and I'm lost. Is there a way to completely restore an installation of the camera system? Can I force an upgrade? Or is the camera completely bricked? |O
If it had not been Win CE, the people in this and other threads would not have enjoyed their E4s.
Dear Bud. Thank you so much for the hack. I hacked my E4 with hardware 2.0L and firmware 3.12 successfully
Hey y'all
I read this entire thread, all 28 pages, and I have a pretty good grasp of the upgrade process.
The issue is, I have an E6, and I cannot find anything regarding that (except warnings to NOT use this on anything but an E4).
Is there a similar thread for the E6? I haven't been able to find it, and would be very grateful if someone could point me in the right direction (Or maybe I'm just out of luck and the E6 can't be upgraded?)
You can still add whatever palette you want. It is just not possible to add it to the toolbar if it is not included in facet_ui_qml.dll.
Just look at flashbfs/system/appcore.d/factory.d/default_params.rsc where it loads iron.pal (or palette.rsc in flashfs/system/appcore.d/factory.d for older firmware.)
It might be also possible to add a different palette to a preset in a newer firmware (look at flashbfs/system/ui.d/presets/*.rsc.) I didn't try it -- lots of other things of higher priority -- but it might work. And if everything else fails it might be possible to just set .image.sysimage.palette.* resource branch with whatever you want using rset.
BTW, flashbfs/system/appcore.d/factory.d/ui_control.rsc reads MULTIPLE Qt external resource files by using "facet_*.rcc" and the same is true for menu design ("design_ui*.xml") that would probably allow adding additional properly named resource/menu design files with user elements.
I might be wrong but I have a strong gut feeling that those settings can be simply added to regular user config files...