Hacking the FLIR E4 thermal camera (2.3.0 resolution and menu hack)
Update 17 Dec 2015: New E4 cameras are coming with firmware version 2.8.0. The hacks cannot be applied on those cameras, however there’s some indication that it’s possible to downgrade to 2.3.0 firmware and then apply the hacks. Results so far have been inconclusive, with some cameras getting bricked in the process. If you have a 2.8.0 camera please wait and stay tuned. I will post an updated guide as soon as the problem will be sorted out. Thanks!
The FLIR Ex series is the latest line of entry-level thermal imaging cameras by FLIR Systems. The cheapest of the series is E4 with a resolution of 80 by 60 pixels, while the top of the range E8 has a 320 by 240 thermal image resolution.
In this article I will describe step-by-step the procedure to unleash the full potential of the FLIR E4 and effectively convert it to an E8.
See here for some before and after the resolution upgrade photos: http://toolguyd.com/flir-e4-thermal-imaging-camera-enhancements/
Also see this video to get an idea of how the extended menus look like:
The procedures, scripts, hacks, etc. are not mine. The hack is the result of the hard work of several people from the EEVblog forum and specifically this thread. However, this thread is becoming quite a beast and all the good info is scattered all over the place.
What I am trying to do here is to make a clearly laid out guide for performing the hack, without having to rummage through the 500 pages of the original forum thread.
This guide is only for the E4 cameras with the 2.3.0 firmware. You can find the firmware version by going to Settings, Device Settings, Camera information, Software.
Edited April 15 2015:
If your camera has an older firmware, upgrade it first to 2.3.0 and then perform the hack.
There seems to be some issue with cameras that have been upgraded from 1.xx to 2.3.0. For the time being it is recommended to NOT upgrade the camera and use the hack technique for 1.xx firmwares described in the eevblog thread instead. I hope this problem will be sorted out soon!
If it has a firmware version greater than 2.3.0 you’ll have to wait until a new hack comes out. Check the EEVblog thread for updates.
This modification involves replacing some important files from within the camera’s internal operating system. The hack so far has been successfully performed on hundreds of E4 cameras, however when meddling with OS files there’s always the possibility of something going wrong and the camera may end up permanently BRICKED!
Don’t blame me if this happens!
Also performing this hack could result into voiding the warranty and/or legal action against you from FLIR Systems or the United States government.
You are entirely on your own here.
I will also show the procedure to revert the camera back to its original state. But it is quite possible that there are tamper counters inside the camera. In that case, even if the camera is reverted back to normal, FLIR repair personnel will still be able to tell if the camera has been tampered with and may void your warranty.
Enough with the disclaimers, let’s cut to the chase!
What you will need:
1. A computer running Windows XP 32 bit or Windows 7 32 bit.
There have been some reports of the hack being successfully deployed from Windows 8, 8.1 or 64 bit Windows versions, but it’s mostly hit-and-miss.
So it is strongly recommended to find a Windows XP or 7, 32 bit PC. To see which version of Windows you have, right click on My Computer and select Properties.
The image below is from my laptop, Windows 8.1 AND 64 bit, not good!
It also works from a virtual machine too. Actually, all screenshots below are from a Win7 x32 virtual machine running on Oracle VM Virtualbox. However, and especially if you don’t have experience in using virtual machines, I’d recommend to use a physical machine.
2. FLIR device drivers
Download and install the drivers from here: http://cdn.cloud.flir.se/swdownload/assets/other/flir_device_drivers.exe
3. FLIR Tools
This is the older 4.1 version that is compatible with XP too. Download and install them from here: http://cdn.cloud.flir.se/update/flir tools/4.1.14066.1001/flir tools.zip
4. Python 2.x
Python is a programming language and is needed for running the hack scripts. Don’t get the newer 3.x versions!
Download it from here: https://www.python.org/ftp/python/2.7.9/python-2.7.9.msi
When this dialog comes up during the installation, click the little box on the left of Python and select “Entire feature will be installed on local drive”, then click next and finish the installation.
Edited, 21/09/2015: When the installer finishes, restart the computer, else the python scripts described later in this guide might not run properly. (thanks to marcins, from the comments)
Filezilla is a free FTP client. We will use it to move files to and from the camera filesystem. Download it from here: https://filezilla-project.org/download.php?type=client
6. Script pack
Download the script pack from this link: FLIR_E4_2.3.0_hack
There are three folders in the zipped file, FLIRfif, FLIRmenuhack and FLIRreshack. Copy these folders to the root of the system hard drive (C:\).
General description of the hack
The procedure can be broken down in three parts
- Switching camera to RNDIS mode
- Increasing resolution to 320 x 240 (resolution hack)
- Enabling PIP, extra measuring options, color palettes, etc (menu hack)
Switching camera to RNDIS mode
Normally, when the camera is connected to a PC via USB it is recognized as an external storage device (similar to a USB stick) and the captured photos can be accessed. By turning the RNDIS mode on, the camera is converted to a virtual FTP server and then we can gain access to the embedded OS files.
Assuming you have installed all the software and drivers I mentioned earlier, we can start.
The first step is to connect the camera to the PC using the USB cable provided. Windows will detect the camera and automatically install the drivers:
When the installation is complete, navigate to C:\Program Files\FLIR Systems\FLIR Tools\bin\ and run FLIRInstallNet.exe
(Since we will be using this program a lot, it is a good idea to make a shortcut to the desktop)
Under Camera you should see FLIR USB video. That means the drivers were installed correctly and the tool can communicate with the camera.
Hit Browse… , navigate to C:\FLIRfif, select Set_RNDIS_permament.fif and hit the Run FIF button.
Don’t worry about the permament [sic] in the file name, this can always be reverted by repeating the procedure using the Remove_RNDIS_permament.fif file instead.
When the program has finished running, remove and replace the battery from the camera to do a hard reset (the camera doesn’t turn off completely with the on-off button, it simply goes to low-power mode).
Turn the camera on. Windows will again start searching for drivers, because now it is in RNDIS mode and needs a different set of drivers.
When the camera is in RNDIS mode and connected to the computer, it is possible that your Internet connection will go down. This is normal and your Internet connection will be automatically restored when the camera is disconnected.
So, don’t do anything that requires Internet at the same time!
When it has finished, go to Start, Run… (or alternatively, press the Windows logo button on the keyboard and ‘R’ at the same time). On the window that pops up type cmd and press enter.
This will bring up the command line interface. Now type ipconfig and press enter. This will do an enumeration of all network interfaces currently on the computer. Scroll a bit to the top and you should see this:
The word INFRARED is a dead giveaway!
Write down the Default Gateway. This is the IP of the camera, in this case 192.168.0.2
There have been reports that if the 192.168.0.x network is already taken, the camera will switch to 192.168.1.2, etc.
Now run Fillezilla. On the quick connect boxes enter the host IP (192.168.0.2 in this case), username: flir and password: 3vlig and hit Quickconnect.
If you haven’t used Filezilla before, there are two main panes. The pane on the left shows the local filesystem, ie. the files and folders of your computer. The right pane shows the remote device files and folders, in this case the files inside the E4 camera.
So far we haven’t really modified anything, so it is a good idea to make a full backup of the camera files. Select a folder on the left pane, where the backup will be stored. Then select all files and folders in the right pane, right click and select Download.
Some files and folders will fail to transfer, that’s normal. Note that some of these files are UNIQUE for your camera. You can’t simply copy the files from another E4, it won’t work since they are different files. So keep these files safe in case something goes wrong.
Now we are ready to do the resolution hack. Close Filezilla and bring up the command line interface (Windows key + R, cmd)
Type cd \flirreshack and hit Enter
then type python apply.py apply 192.168.0.2 (or whatever the camera IP is) and hit Enter
If you get: ‘python’ is not recognized as an internal or external command, operable program or batch file. then you forgot to tick the PATH option during the Python installation. Re-install python with the option enabled.
This is the expected output after running the script:
Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\user>cd \flirreshack C:\FLIRreshack>python apply.py apply 192.168.0.2 E4HACK-2 v0.4 **** DISCLAIMER **** - You do this on your own risk. - By using this tool, you agree that you will remove the hack before selling the device. - TO REPEAT: UNDER NO CIRCUMSTANCES you are allowed to sell a device that has this hack installed. - Please also uninstall the hack before attempting to do any firmware upgrade. - This was only tested with a factory 2.3.0 E4. IF ANY OF THIS FAILS AND YOU NEED TO RESTORE THE ORIGINAL CONTENTS MANUALLY: (which you shouldn't need to, but just in case...) A backup directory of relevant files is created for each "apply". Simply upload the files manually using FTP. You may have to run "stopapp" before you can overwrite common_dll.dll. Make sure you keep a good backup of your .CFC files. They are strong-signed so if you lose all your backups and the on-device files, _THEY ARE GONE_. (This script backs them up when you "apply", though.) = CONNECT TO FTP = CREATING BACKUP DIR backup-20150330124652 = RETR /FlashBFS/system/common_dll.dll = RETR /FlashFS/system/appcore.d/config.d/conf.cfc Applying 1 bytes of delta at 000053c7 Applying 1 bytes of delta at 000aeedf Applying 4652 bytes of delta at 0000042c * stopping application... * uploading common_dll.dll to /FlashBFS/system/ * failed (error_perm('550 File unavailable (e.g., file not found, no access).', )). * attempt 2 * failed (error_perm('550 File unavailable (e.g., file not found, no access).', )). * attempt 3 * failed (error_perm('550 File unavailable (e.g., file not found, no access).', )). * attempt 4 * uploading conf.cfc to /FlashFS/system/appcore.d/config.d/ * PLEASE HARD-REBOOT DEVICE. C:\FLIRreshack>
The script retrieves files /FlashBFS/System/common_dll.dll and /FlashFS/System/appcore.d/config.d/conf.cfc and backs them up in the backup-xxxxxxxxxxxx folder. Beware, the backed up files are UNIQUE to your camera, if you lose them you will never be able to revert it to its original state. So take good care to not delete them.
Then it generates a new common_dll.dll and conf.cfc files (saved in C:\FLIRreshack\) and replaces the original files in the camera with the generated ones. As seen in the printout, the script returns a 550 error, but after a few retries it manages to push them through.
Hard reboot the camera by removing and replacing the battery. Turn on the camera again. The crosshair will be off-center. Disable it from the camera menu and re-enable it and it should be centered again.
Now the thermal image should be much crispier. Congratulations, you now have a 320 x 240 resolution!
Reverting the resolution hack
To remove the resolution hack and bring the camera back to its original state,
First make sure that the camera is in RNDIS mode and check with ipconfig as shown in the Switching camera to RNDIS mode section of this guide.
Copy the original common_dll.dll and conf.cfc files from the backup folder (C:\FLIRreshack\backup-xxxxxxxxxxxx) to C:\FLIRreshack\. This will overwrite the modified files, but it doesn’t matter because they can be generated again with the method shown above.
Then type python apply.py revert 192.168.0.2
This should push original files back to the camera and bring the resolution to the original 80 by 60.
You can do the menu hack independently from the resolution hack. To do it, first make sure the camera is in RNDIS mode with ipconfig.
Then connect to the camera with Filezilla as shown before. Using the right pane, navigate to /FlashFS/System/appcore.d/config.d/ and right click on the conf.cfc file and download it to C:\FLIRmenuhack\
Go to command line interface (Windows key + R, cmd) and type:
This will rename the original conf.cfc file you just downloaded from the camera to conf_reso_only.cfc and generate a new conf.cfc in C:\FLIRmenuhack.
Using Filezilla again, replace the conf.cfc found in /FlashFS/System/appcore.d/config.d/ with the one you just generated.
Then, run FLIRInstallNet.exe from C:\Program Files\FLIR Systems\FLIR Tools\bin\
Select the 2.3.0_Menu.fif from C:\FLIRfif\ and click on Run FIF.
When it finishes, your camera will have the E8 menu options!
Reverting the Menu Hack
To revert the menu hack, run FLIRInstallNet.exe from C:\Program Files\FLIR Systems\FLIR Tools\bin\
Select the 2.3.0_Menu_Restore.fif from C:\FLIRfif\ and click on Run FIF.
Then take conf_reso_only.cfc found in C:\FLIRmenuhack, rename it to conf.cfc and upload it to /FlashFS/System/appcore.d/config.d/ overwriting the file under the same name that is already there.
Do a hard reset on the camera and when restarted you should see the original E4 menus.