Rooting the new FLIRs (E76, etc)

[KaneTW]

Hey Kane, I tried doing some testing with the conf.cfc file, but although it decrypts fine (I had tried that in the past), it doesn't seem to encrypt it back properly. The camera does not recognize it and reverts to a default one (it has only some palletes and no MSX, etc)
Strange thing is that when I decrypt it to a txt file, on the bottom I see this:
(Attachment Link)

Are those boxes supposed to be CRs? In your comment for the decrypt script you mention CRC32, but here it says CRC05. Does it have to do anything with this? 

I even tried conf.cfc > decrypt to conf.txt > don't even touch the txt file > encrypt conf.txt to conf.cfc > replace file in camera. Not recognized by camera (E75). 

CRC05 is just a FLIR-internal tag. The problem is likely the failed libcommon.so patch

[agiorgitis]

Guys is it possible that you could help me? I tried a Hex editor but I have no clue what I'm looking for 
That's my file (remaned from .so) what are the changes I should make the the py script?
Thanks a lot 

[KaneTW]

Replace the string in line 33 with b'\x14\x30\x9D\xE5\x01\x00\x44\xE2\xAC\x25\x9D\xE5\x10\x0F\x6F\xE1\xA0\x02\xA0\xE1\x00\x30\x93\xE5'

(Method: open libcommon.so in decompiler of your choice, go to _Zn4Cfc... (string in line 21), find where the return value is set, make sure it's 1. In this case I just changed the search string so it matches another mov r0, ... instruction that sets the retur nvalue)

[agiorgitis]

Ok thanks!

Unfortunately it's not working... The script works and created the new .so file, but now the camera does not boot up 
I guess that i'll have to now research how to put the original .so file in the camera, apart from wifi.

Any ideas?

[agiorgitis]

Alright, I managed to revert back to my firmware by loading the update folder in my SD card and placing the update.ful in SD root.

A strange thing I noticed was that after the update it has kept my altered conf file, so it booted with the backup settings. I placed the original conf in the folder but it got deleted after the reboot, and my altered was placed in the folder again. 
So I fooled it by placing my original conf in the folder and doing another firmware update. 

Now everything is back to normal, ready to mess around again 

[KaneTW]

Ok thanks!

Unfortunately it's not working... The script works and created the new .so file, but now the camera does not boot up 
I guess that i'll have to now research how to put the original .so file in the camera, apart from wifi.

Any ideas?

Hm, interesting. Here's the manually patched file. If it fails again, can you ssh into it and look for logs?

[agiorgitis]

i looked at your version and it's the same as mine

Original  : 14 30 9D E5 01 00 44 E2 AC 25 9D E5 10 0F 6F E1 A0 02 A0 E1 00 30 93 E5
Becomes: 14 30 9D E5 01 00 44 E2 AC 25 9D E5 10 0F 6F E1 01 00 A0 E3 00 30 93 E5

At offset 99DC0, 99DD0

If the above is correct, it may be because I also replaced the altered conf file too?
(I changed the resolution in it)
Upon boot there was the FLIR image and then black screen, no focus motor moves as it normally does. So I don't think it was even reaching to the point to load the conf file.

PS1: From _ZN4CCfc how do you end up on the above hex places?
PS2: Where can I find the logs? (to speed up my search process)

[Bud]

A strange thing I noticed was that after the update it has kept my altered conf file, so it booted with the backup settings. I placed the original conf in the folder but it got deleted after the reboot, and my altered was placed in the folder again. 

You should have used a cold boot with the battery removed for 20 sec.

[KaneTW]

i looked at your version and it's the same as mine

Original  : 14 30 9D E5 01 00 44 E2 AC 25 9D E5 10 0F 6F E1 A0 02 A0 E1 00 30 93 E5
Becomes: 14 30 9D E5 01 00 44 E2 AC 25 9D E5 10 0F 6F E1 01 00 A0 E3 00 30 93 E5

At offset 99DC0, 99DD0

If the above is correct, it may be because I also replaced the altered conf file too?
(I changed the resolution in it)
Upon boot there was the FLIR image and then black screen, no focus motor moves as it normally does. So I don't think it was even reaching to the point to load the conf file.

PS1: From _ZN4CCfc how do you end up on the above hex places?
PS2: Where can I find the logs? (to speed up my search process)

Uh it's been a while, /var/log somewhere usually. Maybe also post an output of "ps ax"

I just open up the file in IDA and see what assembly line to change to make it always succeed.

[insinion]

Hello. Sorry for not writing on topic. I'm new here and don't quite understand how to post my question on the forum. Please tell me if you can help me. I have Flir E86. When I turn it on, why do I have a logo on the screen, a loading animation on the black screen and nothing else happens? It won't load further. The firmware has been updated, the memory card is working. Batteries are fully charged. Thanks in advance for your understanding and reply.

[_Wim_]

Hello. Sorry for not writing on topic. I'm new here and don't quite understand how to post my question on the forum. Please tell me if you can help me. I have Flir E86. When I turn it on, why do I have a logo on the screen, a loading animation on the black screen and nothing else happens? It won't load further. The firmware has been updated, the memory card is working. Batteries are fully charged. Thanks in advance for your understanding and reply.

Please don't double post, this is considered not polite. Did you try to remove the battery and reinstall it to ensure it fully boots from zero?

[KaneTW]

Hello. Sorry for not writing on topic. I'm new here and don't quite understand how to post my question on the forum. Please tell me if you can help me. I have Flir E86. When I turn it on, why do I have a logo on the screen, a loading animation on the black screen and nothing else happens? It won't load further. The firmware has been updated, the memory card is working. Batteries are fully charged. Thanks in advance for your understanding and reply.

Is this a stock device? Have you performed a factory reset?

Hard to know what's happening without logs.

[aproape]

Good morning KaneTW!

Great work - thanks for the info - I just purchased a sh E54 and I'm ready to try and liberate it..

Can you post again your de-crypt / re-encrypt scripts?

I believe the pastebin links no longer works..

Thank you - I'll keep you updated on progress on my end.

Cheers,
aproape

[KaneTW]

These should work. I'm not sure if they're the exact same as the ones I uploaded last time, though.

[aproape]

Thanks!

I'll keep you posted on the progress.

The salty hash I have is $1$X.SORnX.$Pk2brCZWqimHPBeiyNPsy/

(initial attempt with 6 alphanumeric didn't seem to work)


Cheers,
aproape

[aproape]

Seems like the FPGA is pretty stubborn about outputting the reduced resolution.
The code indicated that it's cropped, but wouldn't that mess with viewing angles? Hm.

The bitstream is in one of the accessible SPI flashes, but reversing that is a pain.

E: Checked the datasheets. E76/E86 have 17um pitch, E96 has 12um. This gives a sensor size of 5440, 7888, 7680 respectively. This means that the sensor is, in fact, cropped.

However, it's unclear how it manages to maintain the FOV.

E2: Requesting a /dev/mtdblock{0,1} dump from a E75 and E86 please, if someone has access.

Would a similar dump from an E54 help? (it's still listed as current model / should be more in line with E76/E86/E96.. )

[KaneTW]

Seems like the FPGA is pretty stubborn about outputting the reduced resolution.
The code indicated that it's cropped, but wouldn't that mess with viewing angles? Hm.

The bitstream is in one of the accessible SPI flashes, but reversing that is a pain.

E: Checked the datasheets. E76/E86 have 17um pitch, E96 has 12um. This gives a sensor size of 5440, 7888, 7680 respectively. This means that the sensor is, in fact, cropped.

However, it's unclear how it manages to maintain the FOV.

E2: Requesting a /dev/mtdblock{0,1} dump from a E75 and E86 please, if someone has access.

Would a similar dump from an E54 help? (it's still listed as current model / should be more in line with E76/E86/E96.. )

The E76+E86 likely share a 17um pitch sensor (probably an ULIS UL 04 27 2), while the E96 has a 12um pitch sensor (probably i3system DB640-12C-A). I haven't taken it apart so I don't know for sure, but someone DM'd me those specs last year. This means that it's not possible to use the full 640x480 resolution without prohibitive reverse engineering efforts, and even then it might be occluded by the hardware design (12um 640x480 is a smaller optical window than 17um 640x480, but the two systems share lenses => 17um will have clipped or distorted peripheral image at full resolution)

[Spirit532]

The E76+E86 likely share a 17um pitch sensor

FLIR manufactures their own sensors.
The entire E7x and E8x series shares the same 640x480 sensor.

[KaneTW]

The E76+E86 likely share a 17um pitch sensor

FLIR manufactures their own sensors.
The entire E7x and E8x series shares the same 640x480 sensor.

If you check the datasheet, E76+E86 have a 17um pitch sensor. E96 has a 12um sensor.

[aproape]

Good morning everyone,

I have recently added to my Flir stable the E96 (I know, I know.. )

If someone needs anything extracted from it - let me know (-:


Cheers,
aproape