ah, I see that the current FW v4.9.0 of the E40 Late 2013 has no service menu
the important files for mapping bad pixels from old E40 FW 2.23.14
$ ls flir_exx_pn490_v2.23.14_update_pack/E2comb_v2.23.14.fif/FlashFS/system/web/service/ImgCorr
ActivateDigFilters.asp GainMapResult.asp Operability.asp StaticMap.asp StaticMapResult.asp
GainMap.asp GainMapSelCase.asp OperabilityLog.asp StaticMapCalc.asp StaticMapWarm.asp
GainMapCalc.asp GainMapWarm.asp PixKill.asp StaticMapCold.asp gainmapcalcGF.asp
GainMapCold.asp ImgCorrSelCase.asp ShutterMap.asp StaticMapPrepare.asp index.asp
see here for links to these files
https://www.eevblog.com/forum/testgear/flir-e40-upgrade-configuration/msg561542/#msg561542
you can simply read the html files of the old FW and make the same steps on the shell (setResourceValue = rset)
sample:
search for activating the service mode in the Web GUI (file name HighRes.asp = full resolution):
$ cd flir_exx_pn490_v2.23.14_update_pack/E2comb_v2.23.14.fif/FlashFS/system/web
$ grep -i -r highres *
service/Diag/HighRes.asp: restree.setResourceValue( "prod.preparation.command", "restartHighRes" );
service/inc/servicemenu.inc: menuRow("Activate Service Mode", "/service/Diag/HighRes.asp", "submenu1", selectedMenu == "mnuDiagResolution");
service/index.asp: <FORM ACTION=diag\HighRes.asp METHOD="POST">
we get
restree.setResourceValue( "prod.preparation.command", "restartHighRes" );
and this is the same command on the shell
#start HighRes mode
>rset prod.preparation.command restartHighRes
on the old E40 the command restartHighRes performs the following 2 steps:
(1) copy service config files and folders from
/FlashFS/system/service/appcore.d
to
/Temp/appcore.d
and calculate a new CRC01 checksum for the copied config files (it's an integrated crc01 keygen)
(2) boot Exx to full resolution over restartapp.bat
$ cat flir_exx_pn490_v2.23.14_update_pack/E2comb_v2.23.14.fif/FlashFS/system/restartapp.bat
set PATH=\windows;\FlashFS\system\;
rset .watchdog.enable false
rset .services.log.active false
ps -k Prod
ps -k prod
ps -k uicore
ps -k Gui
ps -k MediaServer
ps -k appcore
ps -k AppServices
ps -k Resmon
ps -k Bit
ps -k syslog
ps -k Cam
ps -k cam
ps -k geni
ps -k dig
ps -k Dig
ps -k watch
ps -k Watch
ps -k RTP
ps -k fwa
ps -k progress
ps -k Med
delay 1
start appcore
delay 10
start prodapp
Not all listed processes are running!
for better understanding of the restartapp.bat I will illuminate the Exx boot process:
(1) start the windows ce (NK.bin)
(2) over a windows registry entry CE starts the flir batch file FlashFS/system/applaunch.dat
(3) applaunch.dat starts the appcore.exe
(4) appcore.exe starts the Flir binaries (like the Flir GUI)
after booting we get this process list
\>ps
Process NK.EXE (87 threads), id 0x00400002, loaded at 0x88190000
Process udevice.exe ( 1 threads), id 0x01550002, loaded at 0x00010000
Process udevice.exe ( 2 threads), id 0x01630002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x01F20002, loaded at 0x00010000
Process udevice.exe ( 1 threads), id 0x03BF0002, loaded at 0x00010000
Process servicesd.exe (18 threads), id 0x04030002, loaded at 0x00010000
Process cmd.exe ( 1 threads), id 0x05000006, loaded at 0x00010000
Process appcore.exe (35 threads), id 0x05530006, loaded at 0x00010000
Process AppServices.exe (17 threads), id 0x070D0006, loaded at 0x00010000
Process Resmon.exe (12 threads), id 0x07260006, loaded at 0x00010000
Process MediaServer.exe (15 threads), id 0x07380006, loaded at 0x00010000
Process uicore.exe ( 9 threads), id 0x07850006, loaded at 0x00010000
Process CMD.EXE ( 1 threads), id 0x090C0046, loaded at 0x00010000
Process ps.EXE ( 1 threads), id 0x04C1001E, loaded at 0x00010000
i.e. the command "ps -k uicore" from restartapp.bat kills the process uicore.exe
applaunch.dat old E40 FW v2.23.14
$ cat flir_exx_pn490_v2.23.14_update_pack/E2comb_v2.23.14.fif/FlashFS/system/applaunch.dat
# Show intro bootlogo and start progress
progressapp -f \flashfs\system\bootlogo.bmp
# Start command shell on the RS-232 port
cmd /R
# Register a default user
defaultusr
# Start appcore. Appcore starts other necessary processes
appcore
and now with some new CRC checks in FW v4.9.0 against hacking in E40 Late 2013
$ cat flir_exx_pn645_pn646_v4.9.0_update_pack/E2qtcomb_v4.9.0.fif/FlashBFS/system/applaunch.dat
# Show intro bootlogo and start progress
progressapp -f \flashbfs\system\bootlogo.bmp -d1
# Start command shell on the RS-232 port
cmd /R
# Register a default user
defaultusr
# Start appcore. Appcore starts other necessary processes
appcore
# doCRC FlashBFS\system\appcore.exe 1819648 214275933
# doCRC FlashBFS\system\common_dll.dll 1225216 3648436271
# doCRC FlashBFS\system\appcore_dll.dll 708608 3728193282
# doCRC FlashBFS\system\progressapp.exe 29184 4017170338
# doCRC FlashBFS\system\defaultusr.exe 5120 1997273047
# doCRC FlashBFS\system\chargeapp.exe 32768 1583842125
# doCRC FlashBFS\system\ui.d\design_ui_E2.xml 54099 4047603580
# doCRC FlashBFS\system\ui.d\facet_E2.rcc 861107 3311570564
# doCRC FlashBFS\system\ui.d\toolbar-config_E2.xml 6522 1692081231
# doACRC FlashBFS\system\appcore.exe 1819648 2566311456
# doACRC FlashBFS\system\common_dll.dll 1225216 1513280386
# doACRC FlashBFS\system\appcore_dll.dll 708608 3192873875
# doACRC FlashBFS\system\progressapp.exe 29184 3808303586
# doACRC FlashBFS\system\defaultusr.exe 5120 2154779382
@ ElectroTuna
Does your FW 3.18.0 (E40 1.0) also contain the anti-hack doACRC part in applaunch.dat??
If not, then you still have the web front end with the service menu and my explanation was unnecessary
+++ticker+++ticker+++ticker+++
ATTENTION ALL USERS
the new firmware (1.21.0) is likely designed to hinder/stop the hack!
look for yourself - introduction of a new CRC algo ....
Applaunch.dat:
# doCRC FlashBFS\system\appcore.exe 1760768 3442989494
# doCRC FlashBFS\system\common_dll.dll 1193984 3567384037
# doCRC FlashBFS\system\progressapp.exe 27648 3868968713
# doCRC FlashBFS\system\defaultusr.exe 5120 784976136
# ID all
# CRC03 aad87665
... do I need to say more?
PS: I like the "all" keyword there
PS: I hope you now have enough information for understanding and hacking an E40
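Added example, not part of the original post: a small parser for the `doCRC` / `doACRC` comment lines and the `ID` / `CRC03` trailer shown in the applaunch.dat listings above, used to compare two such manifests record by record. The checksum algorithms are not described on the page, so the code only compares the recorded values; `MANIFEST_A`, `MANIFEST_B` and the function names are illustrative, and the sample lines are a subset copied from the two listings.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the two applaunch.dat listings quoted in the post (subset).
MANIFEST_A = r"""
appcore
# doCRC FlashBFS\system\appcore.exe 1819648 214275933
# doCRC FlashBFS\system\common_dll.dll 1225216 3648436271
# doCRC FlashBFS\system\defaultusr.exe 5120 1997273047
# doACRC FlashBFS\system\appcore.exe 1819648 2566311456
# doACRC FlashBFS\system\common_dll.dll 1225216 1513280386
"""
MANIFEST_B = r"""
# doCRC FlashBFS\system\appcore.exe 1760768 3442989494
# doCRC FlashBFS\system\common_dll.dll 1193984 3567384037
# doCRC FlashBFS\system\defaultusr.exe 5120 784976136
# ID all
# CRC03 aad87665
"""

ENTRY = re.compile(r"^#\s*(doA?CRC)\s+(\S+)\s+(\d+)\s+(\d+)$")
TRAILER = re.compile(r"^#\s*(ID|CRC\d+)\s+(\S+)$")

def parse_manifest(text):
    """Return ({(directive, path): (size, checksum)}, {trailer_key: value})."""
    entries, trailer = {}, {}
    for line in map(str.strip, text.splitlines()):
        if m := ENTRY.match(line):
            directive, path, size, crc = m.groups()
            # Windows CE paths are case-insensitive and use backslashes.
            key = (directive, PureWindowsPath(path).as_posix().lower())
            entries[key] = (int(size), int(crc))
        elif m := TRAILER.match(line):
            trailer[m.group(1)] = m.group(2)
    return entries, trailer

def diff_manifests(a, b):
    """Classify each (directive, path) whose record differs between a and b."""
    changes = {}
    for key in sorted(a.keys() | b.keys()):
        if key not in b:
            changes[key] = "only_in_a"
        elif key not in a:
            changes[key] = "only_in_b"
        elif a[key][0] != b[key][0]:
            changes[key] = "size_differs"
        elif a[key][1] != b[key][1]:
            changes[key] = "checksum_differs"
    return changes

if __name__ == "__main__":
    (ea, ta), (eb, tb) = parse_manifest(MANIFEST_A), parse_manifest(MANIFEST_B)
    for (directive, path), status in diff_manifests(ea, eb).items():
        print(f"{status:17} {directive:6} {path}")
    print("trailer A:", ta, "| trailer B:", tb)
```
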