Flir (I7) Some Analysis

Introduction

I’m the proud owner of a Flir I7 Infrared camera.

With this nice camera, you can take 120×120 infrared pictures. These pictures are saved on an internal SD card. You can connect this camera to your computer.

On the picture, you can see the temperature of a 120×120 pixel area. You have a crosshair in the middle showing the temperature at the center. You have a scale at the bottom and the Flir logo in the top right corner.


Nice! Great! A pretty good camera for an expensive, but decent price.

 

My issue

Sadly the resolution is not high, and 30% of the image is covered by useless things (the logo, the temperature, the scale and the date).

It seems that the provided software can remove these overlays from the interesting part of the image, but I have not been able to test this software.

My configuration
– I’m on Linux, and the provided software only works on Windows (not even on Mac…)
– I have a Windows installed in VirtualBox, but the provided software crashes! You can download a more recent version from the website, but this version only loads images directly from the camera (and that doesn’t work for me), or from the SD card (and the SD card is not mounted/accessible through my Windows).

Basically the Flir team doesn’t seem to be able to write working software.

 

Goal

My goal is to be able to extract the original image, without all the useless things (logo, …), on Linux. You can probably use the same software on Mac.

The resulting software should be compatible with other models (the old 120×120 and the new 140×140 Flir i7, Flir i5, Flir i3, and probably other models).

 

Analysis

Let’s first analyze the JPG image.

> jhead IR_0248.jpg
File name : IR_0248.jpg
File size : 36197 bytes
File date : 2012:02:11 14:17:08
Camera make : FLIR Systems AB
Camera model : FLIR_i7
Date/Time : 2012:02:11 14:17:08
Resolution : 240 x 240
Focal length : 6.7mm
Exposure time: 0.031 s (1/32)
Focus dist. : 1.00m

Nothing really interesting here.

 

If you open this image with a hex editor (GHex), you will see a PNG header:

0x89 50 4E 47 0D 0A … (“.PNG..”, the PNG signature)

Flir has inserted a PNG image inside your JPG image, interesting! This image is not visible when you use a normal viewer.

I can find the position of this PNG segment using
> strings -a -3 --radix=d IR_0248.jpg | grep PNG
8035 PNG

So my PNG image starts at offset 8034: the byte just before the “PNG” text is 0x89, the first byte of the PNG signature.

Let’s extract this PNG image (tail counts bytes from 1, so +8035 means “from offset 8034 onwards”):
> tail --bytes=+8035 IR_0248.jpg > t.png

And let’s get some information about this PNG file.

> file t.png
t.png: PNG image data, 120 x 120, 16-bit grayscale, non-interlaced
Each pixel is stored on 16 bits (a value between 0 and 65535). The image size is 120×120 as expected; it’s the size of my camera’s sensor.

It looks really interesting: the temperature levels seem to be wrong, but you can recognize the original image without the added information (logo, …).

Let’s convert the PNG file to a raw file. This file will contain the first pixel in the first two bytes, then the second pixel in the next two bytes, and so on. The size of the file is 120*120*2 bytes.
> convert t.png -depth 16 gray:t.raw

0xa730, 0x9830, … seems to be the temperature of 20.3°C.
We see that the bytes are inverted (little endian), but after comparing different images, we cannot rely on this information alone.
Let’s analyze the JPEG file again.

 

If you open the file with a hex editor (ghex2), you will see that the format of a JPEG file is
0xFF D8 E0 00 {2 bytes size of segment 1} [name and data of segment 1] {2 bytes size of segment 2} [name and data of segment 2]

Analyzing one of my files I have
0x0006: JFIF : just a header
0x0018: Exif : this header is “classical” and contains a description of the image: date, camera brand and model, width and height, etc.
0x0e2a: FLIR : this header looks really interesting; this is where you have the PNG file and other data. This header is specific to FLIR, which means most viewers just ignore it.
0x4e02: other data
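As an added example (my own code, not from the original post), here is a Python script that does the same work programmatically: it walks the JPEG marker segments to list their tags and payload offsets (JFIF, Exif, FLIR), cuts the embedded PNG out of the FLIR segment up to its IEND chunk instead of copying to the end of the file, and reads the 16-bit samples back. The sample JPEG is constructed inside the script; the assumption that the camera writes its 16-bit samples little-endian (the “inverted bytes” noted above, where the PNG specification says big-endian) is mine, which is why the samples are read with `<H`.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(kind, payload):
    # one PNG chunk: big-endian length, type, payload, CRC32 over type+payload
    crc = struct.pack(">I", zlib.crc32(kind + payload) & 0xFFFFFFFF)
    return struct.pack(">I", len(payload)) + kind + payload + crc

def make_gray16_png(width, height, values):
    # constructed 16-bit grayscale PNG (filter 0 rows); samples written little-endian on purpose
    rows = [b"\x00" + struct.pack("<%dH" % width, *values[r * width:(r + 1) * width])
            for r in range(height)]
    ihdr = struct.pack(">IIBBBBB", width, height, 16, 0, 0, 0, 0)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(b"".join(rows))) + png_chunk(b"IEND", b""))

def app_segment(marker, payload):
    # JPEG APPn segment: 0xFF, marker byte, 2-byte big-endian length (counts itself), payload
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def jpeg_segments(data):
    # walk the marker segments after SOI up to SOS; (payload_offset, NUL-terminated tag) pairs
    assert data[:2] == b"\xff\xd8", "not a JPEG: missing SOI marker"
    pos, found = 2, []
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        found.append((pos + 4, payload.split(b"\x00", 1)[0].decode("ascii", "replace")))
        pos += 2 + length
    return found

def extract_flir_png(data):
    # PNG inside the FLIR segment, cut at its IEND chunk instead of at the end of the JPEG
    for off, name in jpeg_segments(data):
        start = data.find(PNG_SIG, off) if name == "FLIR" else -1
        if start >= 0:
            end = data.find(b"IEND", start) + 8  # IEND type bytes plus the chunk CRC
            return start, data[start:end]
    raise ValueError("no FLIR segment with an embedded PNG")

def png_gray16_samples(png):
    # (width, height, samples) of a 16-bit gray PNG with filter-0 rows, samples read little-endian
    width, height, depth, ctype = struct.unpack(">IIBB", png[16:26])  # IHDR is the first chunk
    assert (depth, ctype) == (16, 0), "expected 16-bit grayscale"
    idat, pos = b"", 8
    while pos + 8 <= len(png):  # concatenate every IDAT chunk
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        if png[pos + 4:pos + 8] == b"IDAT":
            idat += png[pos + 8:pos + 8 + length]
        pos += 12 + length
    raw, stride, samples = zlib.decompress(idat), 1 + 2 * width, []
    for r in range(height):
        row = raw[r * stride:(r + 1) * stride]
        assert row[0] == 0, "only filter type 0 is handled here"
        samples += struct.unpack("<%dH" % width, row[1:])
    return width, height, samples

# constructed sample file: SOI, JFIF, Exif, a FLIR segment carrying the PNG, then SOS and EOI
SAMPLE_VALUES = [0x30A7, 0x3098, 0x3098, 0x30A7]
CONSTRUCTED_JPEG = (b"\xff\xd8" + app_segment(0xE0, b"JFIF\x00\x01\x01")
                    + app_segment(0xE1, b"Exif\x00\x00MM\x00\x2a")
                    + app_segment(0xE1, b"FLIR\x00\x01" + make_gray16_png(2, 2, SAMPLE_VALUES))
                    + b"\xff\xda\x00\x02\xff\xd9")
```

On a real file, `jpeg_segments(open("IR_0248.jpg", "rb").read())` prints the same offset/tag list as the hex editor walk above, and `extract_flir_png` replaces the strings/tail combination.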

 

We will focus on the FLIR segment.

I first “analyzed” the file with PhotoMe; we see 10 “Manufacturer notes” entries.
0x01: Rational -> the maximum temperature in the image, in °K
0x02: Rational -> the minimum temperature in the image, in °K
0x03: Rational -> 0.8, 0.95 ??
0x04: Rational -> 250 – always the same, perhaps the minimal “reliable” temperature of the camera
0x05: Rational -> 523 – always the same, perhaps the maximum “reliable” temperature of the camera
0x06: Rational -> 273 – always the same, perhaps the temperature 0°C (in K)
0x07: ASCII -> 00000
0x08: ASCII -> 0000
0x09: Undefined -> binary
0x0A: Long -> 1 – always the same

 

To better understand the Exif/FLIR format, you can read this PDF: DC-008-2010_E.pdf
Chapter 4.6.2, “IFD Structure”, explains how an entry is structured in this FLIR segment:
Bytes 0-1 Tag — Bytes 2-3 Type — Bytes 4-7 Count — Bytes 8-11 Value Offset

So if I take the first entry of one of my files:
Tag: 0x 00 01
Type: 0x 00 00
Count: 0x 46 46 46 00
Value offset: 0x

 

 

TO BE CONTINUED

 

Geroco and ZigBee

Disclaimer

This work is a technical draft and I am not affiliated with the company Geroco.

Feel free to contact me if things do not work for you or if you spend time finding/understanding some piece of information; I may have forgotten steps and I will update this document.

This is a “work in progress”; this document will evolve quite a bit over the coming weeks.

What is EcoWizz?

EcoWizz is a “smart plug”, meaning that you can read the current consumption of one or several appliances, and you can also switch this plug on or off remotely (in theory). The product is currently compatible with Swiss sockets.

More information at http://www.geroco.ch/

Prerequisites

A machine running Linux. I use the “Ubuntu 11.04” distribution.

An EcoWizz USB key with a few plugs.

VirtualBox with Windows installed and USB support. (More information)

Goal

The goal of this article is to better understand how the EcoWizz product from the company Geroco works.

It lets you acquire the following skills and understanding:

  • ZigBee: better understand how this protocol, used in home automation, works.
  • FT232: what it is and how it works (a serial port over USB).
  • USB: how to monitor your USB port (Linux), and better understand the protocol through a concrete example.
  • Serial port and Java: how to use a serial port on Linux with the Java programming language.

My technical goal is to use the EcoWizz solution in my local environment, as an addition to my home automation solution – so being able to switch the plugs on and off, and to retrieve information from those same plugs. For that I need to interact with their product through a solution running on Linux.

The first step is to learn more about the EcoWizz product, and what the hardware components of this solution are.

Going to “http://www.geroco.ch/ecowizz.html”, we discover that the communication protocol they use is ZigBee.

Plugging the USB key into a Linux environment and using the commands “usb-devices” and “lsusb”,

we can discover that this key uses a “serial chip” (UART) to communicate between the computer and the “ZigBee chip”.

Bus 003 Device 003: ID 0403:6001 Future Technology Devices International, Ltd FT232 USB-Serial (UART) IC

 

T: Bus=03 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
P: Vendor=0403 ProdID=6001 Rev=06.00
S: Manufacturer=FTDI
S: Product=FT232R USB UART
S: SerialNumber=A700fjni
C: #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=90mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=ftdi_sio

Searching with a hex editor through the code installed by the Windows version, we can see the string: CC2480. This is the ZigBee controller they use. We could probably reach the same conclusion by opening their USB key, but that is something I wanted to avoid.

A few other interesting points: they use Qt, SQLite format 3 (so it is possible to read the local database), WebnergyClient.dll

To summarize

  • ZigBee
  • Serial chip (ftdi_sio) FT232R USB UART
  • CC2480 (ZigBee controller)

VirtualBox, Windows and spying on the USB port

=> Configure VirtualBox and Windows

The goal of this part is to “spy” on the messages sent to the EcoWizz key; at the end we will be able to send a first message to the key and receive the first reply.

Install VirtualBox, which lets you run Windows on top of Linux. We need the version with USB support (more information, or problems). VMware works too.
Install the EcoWizz program and assign the key to your Windows instance (Devices -> USB Devices -> FTDI …), then try to add a few plugs.

You must be able to use the key in your virtual Windows environment.

=> Wireshark support and the ability to “spy” on what happens on a USB port.

As “root”, install Wireshark (on Debian/Ubuntu: sudo apt-get install wireshark). This program lets you spy on what happens between

You must enable a few kernel modules under Linux to be able to do this. (More information)

Launch Wireshark as root (sudo wireshark); you should see something called “usbmon{id} USB bus number {id}”. If not, the USB “debugging” module is not active. I advise putting your EcoWizz key on a different bus than the mouse (otherwise you get far too much information).

You can find out which bus your key is on with the "lsusb" command
Bus 003 Device 003: ID 0403:6001 Future Technology Devices International, Ltd FT232 USB-Serial (UART) IC

You start seeing lines like: 4 0.001532 host 3.0 USB “GET DESCRIPTOR”, “URB_CONTROL”.

Analyzing the USB protocol

Start by reading the source code of the FT232 driver, ftdi_sio.c, and launch Wireshark: “su wireshark”.
Use your EcoWizz key for 1-2 minutes in your Windows instance; you should see messages scrolling VERY fast. Remove your key.

There are 3 types of messages of interest to us

GET DESCRIPTOR: describes the type of device.
Which gives us, for example
0040 20 03 46 00 54 00 32 00 33 00 32 00 52 00 20 00 .F.T.2. 3.2.R. .
0050 55 00 53 00 42 00 20 00 55 00 41 00 52 00 54 00 U.S.B. . U.A.R.T.

URB_CONTROL out: controls the properties of the device
In our case what interests us most is to apply this filter: “usb.setup.bRequest == 3”. This filter shows all the packets responsible for configuring the serial port speed (baud rate).

The packet of interest is
URB.bmRequestType: 0x40
URB.bRequest: 3
URB.wValue: 0x001a ( = 115’200)

What we learn from this packet is the connection speed of the EcoWizz serial port: 115’200
The other configuration parameters can be found the same way.

URB_BULK out: sending and receiving the messages that go to the ZigBee module.

Many messages go by that are not very useful. What really interests us are the messages matching this filter: “usb.transfer_type == 0x03 && usb.data_len > 2”

We have two types of messages of interest

The message: Host -> x.2
0000 80 67 eb 6a 00 88 ff ff 53 03 02 03 03 00 2d 00 .g.j.... S.....-.
0010 fd fb 2e 4e 00 00 00 00 62 8c 01 00 8d ff ff ff ...N.... b.......
0020 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0040 fe 01 26 06 01 20 ....

And the reply: x.2 -> Host
0000 c0 63 eb 6a 00 88 ff ff 43 03 81 03 03 00 2d 00 .c.j.... C.....-.
0010 fd fb 2e 4e 00 00 00 00 ce c2 01 00 00 00 00 00 ...N.... ........
0020 10 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0030 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 ........ ........
0040 11 60 fe 09 66 06 01 a5 03 82 00 00 4b 12 00 15 .`..f... ....K...

The part that interests us starts at address 0040.
Message sent to the serial port: fe 01 26 06 01 20
Reply: 11 60 fe 09 66 06 01 a5 03 82 00 00 4b 12 00 15

We will analyze the content of these messages further below. It is interesting to note that a message sent from the host to the device always starts with “fe”, and a message sent from the device to the host with “11 60 fe”.

Summary:

  • Port name /dev/ttyUSB0
  • Port speed 115’200
  • SerialPort.DATABITS_8, SerialPort.STOPBITS_1, SerialPort.PARITY_NONE, SerialPort.FLOWCONTROL_NONE
  • A message sent from the host to the device looks like: fe xx xx xx …
  • A message sent from the device to the host looks like: 11 60 fe xx xx xx …

Communication protocol with the CC2480 ZigBee controller

The goal of this part is to better understand how your computer “talks” to the ZigBee key.

As we have seen, the controller is a CC2480. Luckily, someone has already written code we can use, here: “http://zb4osgi.aaloa.org“.

I fetched the code from svn (svn checkout https://svn.aaloa.org/projects/zb4osgi/trunk zb4osgi-trunk)
To install svn: “sudo apt-get install subversion”

Analyzing the code, we better understand how the messages are built.

From the host to the device:
fe {size(data)} {Message Type #1} {Message Type #2} {data}* {checksum}
Example: [fe] [01] [26 06] [01] [20]
=> Message type: 0x2606
=> Data: 01, of size 01
=> Checksum: 20

From the device to the host
11 60 fe {size(data)} {Message Type #1} {Message Type #2} {data}* {checksum}
Example: [11 60 fe] [09] [66 06] [01 a5 03 82 00 00 4b 12 00] [15]
=> Message type: 0x6606 (reply to message 2606…)
=> Data: 01 a5 03 82 00 00 4b 12 00, of size 09
=> Checksum: 15

The file ZToolCMD.java enumerates the different supported message types.

You can also download this documentation: ZigBee API

Sending our first message

I am able to send messages to the EcoWizz/ZigBee key.

You have all the information needed to do it (through a terminal)

  • Port name /dev/ttyUSB0
  • Port speed 115’200
  • SerialPort.DATABITS_8, SerialPort.STOPBITS_1, SerialPort.PARITY_NONE, SerialPort.FLOWCONTROL_NONE

You can for example send, in hexadecimal: fe 00 21 02 23 ..!.#
You should normally receive: 11 60 fe 05 61 02 02 01 01 00 00 64 .`..a… …d
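An added example, my own code and not part of the original post or of zb4osgi, covering the frame format above and the first exchange just shown: a Python encoder/decoder for these frames. The checksum is the XOR of every byte between fe and the checksum itself, which reproduces the 0x20, 0x15, 0x23 and 0x64 seen in the captures; the parser skips anything in front of the fe start byte, so it also accepts the device frames as they appear in the USB capture, where the 11 60 pair is the FTDI chip’s two status bytes that precede each bulk-in packet and never reach /dev/ttyUSB0. The SREQ/SRSP/AREQ type bits in the first command byte follow the TI ZNP interface description and are my addition, not something the post states.

```python
SOF = b"\xfe"
FRAME_TYPES = {0x20: "SREQ", 0x40: "AREQ", 0x60: "SRSP"}  # bits 7..5 of the first command byte

def znp_fcs(length, cmd, data):
    # XOR of every byte between the SOF and the checksum: length, cmd0, cmd1 and the data
    fcs = length
    for b in cmd + data:
        fcs ^= b
    return fcs

def build_frame(cmd, data=b""):
    # fe {len(data)} {cmd0 cmd1} {data} {fcs}, cmd given as a 16-bit value such as 0x2606
    cmd_bytes = bytes([cmd >> 8, cmd & 0xFF])
    return SOF + bytes([len(data)]) + cmd_bytes + data + bytes([znp_fcs(len(data), cmd_bytes, data)])

def frame_type(cmd):
    return FRAME_TYPES.get((cmd >> 8) & 0xE0, "unknown")

def expected_response(cmd):
    # the SRSP to a SREQ keeps the subsystem and command id and only changes the type bits
    return (cmd & 0x1FFF) | 0x6000

def parse_frames(buf):
    # Returns ([(cmd, data, fcs_ok), ...], leftover). Bytes before a SOF are skipped (the
    # FTDI status pair 11 60 in a USB capture, or noise on the line); a frame with a bad
    # checksum is reported with fcs_ok=False; an incomplete trailing frame is returned as
    # leftover so the caller can prepend it to the next read from the serial port.
    frames, pos = [], 0
    while True:
        pos = buf.find(SOF, pos)
        if pos < 0:
            return frames, b""
        if pos + 2 > len(buf):
            return frames, buf[pos:]
        length = buf[pos + 1]
        end = pos + 5 + length
        if end > len(buf):
            return frames, buf[pos:]
        cmd_bytes, data = buf[pos + 2:pos + 4], buf[pos + 4:end - 1]
        ok = buf[end - 1] == znp_fcs(length, cmd_bytes, data)
        frames.append(((cmd_bytes[0] << 8) | cmd_bytes[1], data, ok))
        pos = end

# the exchanges captured above (byte values copied from the post); the device frames still
# carry the FTDI status pair in front, exactly as they appear in the USB capture
REQUEST = bytes.fromhex("fe 01 26 06 01 20")
RESPONSE = bytes.fromhex("11 60 fe 09 66 06 01 a5 03 82 00 00 4b 12 00 15")
FIRST_MESSAGE = bytes.fromhex("fe 00 21 02 23")
FIRST_REPLY = bytes.fromhex("11 60 fe 05 61 02 02 01 01 00 00 64")
```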

More information, possibly with code, once I have made progress on this part.

Android Reverse Engineering

Note: The quality of this article is not good. It’s a way for me to keep some notes.

What is Android Reverse Engineering

The goal is to explain how you can reverse engineer an Android application: how you can see the source code of an *.apk file.

The target audience is Android developers, architects and geeks.

 

Note

This text targets people with some experience. If you think that some parts are too complex or you want to improve part of the document, don’t hesitate to send me a mail!

 

Why

It’s always interesting to see how an application is built. I’m curious, and my goal is to understand how the great code behind great applications is built.

  • Design patterns: see the architecture of an application, what libraries they use, how developers write code. As an example, some code is written in HTML, or compiled into *.so libraries to avoid writing different code for Android and iPhone.
  • Privacy: understand why an application accesses things it doesn’t need. As an example, why does this application need to access your address book or be able to send SMS?
  • Integration: Android is really an amazing system because you can integrate applications into many features of the operating system. As an example, with the application “local.ch”, you can see who is calling even if they are not in your address book. It looks simple, but the system that does it is just amazing. (This is where you see that Android is way more mature than iOS.) AndroidManifest.xml is where many secrets are stored. Finding “how to do it” is not always easy but always interesting.
  • Secret features: sometimes you have “secret features”. As an example, you can play videos in “MoboPlayer” from another application, but the way to do it is not documented anywhere.
  • API: many applications are integrated with web services and APIs. It’s interesting to see how the integration is done and which secrets are stored in an application. As a developer or architect, always assume that the code of your mobile application is “public”! It’s common to see: public static String API_SECRET = “top3eCret@”;
  • Security and database: copying and pasting part of the code is easy; think about it when implementing your complex encryption algorithm! 😛 It might not be that useful!

 

Write an android application

To get the maximum benefit from this article, you need to be able to write a simple Android application and deploy it.

You need to know what adb is, what this strange file “AndroidManifest.xml” is, and how to write some Java code. This part is out of the scope of this article.

 

Unlock and root your mobile phone

You need to unlock and root your phone if you really want to understand how it works.

How to do it is not part of this article.

Unlock: this process is a way to “open your phone”. By default your phone is locked, meaning you cannot install code that was not certified by the manufacturer. It’s important because otherwise someone who steals your phone can access your data.

During the unlock process all your data is deleted! Once your phone is unlocked, your data is not secure if your phone is stolen.

Root: by default all your applications run in their own sandbox, meaning that an application cannot change the content of another application. Android runs on top of a Linux layer, and the user called “root” is allowed to read and change everything.

When you “root” your phone, you are able to connect as root.

Once your phone is rooted, you can do
./adb shell (connect to your phone using a terminal)
then “su”

Note: install “BusyBox Free” from the “Play Store” if you are used to Linux. BusyBox is a way to have some common Linux commands on an embedded Linux system.

 

Common paths

Connect to your phone:
./adb shell
Then “su”

/data/app: the package (apk) of each installed application is here. It’s interesting if you want to analyse an application you have installed.

/data/data: the data of your applications is stored here.

/sdcard/: where your SD card is mounted.

adb push <local> <remote> – copy file/dir to device
adb pull <remote> [<local>] – copy file/dir from device

 

View the resources of the application

Imagine you have an application called ch.nuage.test.apk.

You want to see the images and the source of AndroidManifest.xml.

Download this tool: http://code.google.com/p/android-apktool/
Then run: “apktool d ch.nuage.test.apk”

You will get a new directory with
– AndroidManifest.xml (in plain text!)
– Images and texts of the application
– Smali: the pseudo-code (I prefer to read the code obtained in the next paragraph)

 

View the source code of the application

Imagine you have an application called ch.nuage.test.apk.

The goal of this part is to browse the source code of the application.

First “unzip” the package. Change the extension to “.zip” (ch.nuage.test.apk => ch.nuage.test.zip), or try to unzip the file directly.

Inside you have a file called “classes.dex”; it’s what interests us.

Download dex2jar: http://code.google.com/p/dex2jar/
Use dex2jar to transform the “dex” into a common Java jar file:
dex2jar.sh classes.dex

Unzip/unjar classes_dex2jar.jar. You should now have a folder with *.class files.

To see a “pseudo” Java code, you can use this tool: http://java.decompiler.free.fr

Please note that

  • Comments have been removed 😛
  • The names of many variables have changed.
  • The names of many classes are now “a, b, c, d”
  • Some parts of the code cannot be compiled or displayed correctly.
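Added example, my own code and not part of these notes or of dex2jar: a Python pre-release check that opens an APK as the plain zip described above, reads the string table of classes.dex straight from the dex header, and flags credential-looking identifiers and literal values, the API_SECRET situation from the “Why” section. The APK and dex it inspects are constructed in memory; the header offsets (string_ids_size at 0x38, string_ids_off at 0x3c) come from the dex format specification, and the “looks like a secret value” rule is a heuristic of mine.

```python
import io
import re
import struct
import zipfile

def read_uleb128(buf, pos):
    # dex encodes the utf16 length of a string as ULEB128; returns (value, next_pos)
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos, value, shift = pos + 1, value | ((b & 0x7F) << shift), shift + 7
        if not b & 0x80:
            return value, pos

def dex_strings(dex):
    # string_ids_size at 0x38, string_ids_off at 0x3c; each id is the offset of a
    # string_data_item: uleb128 length, MUTF-8 bytes, NUL terminator
    assert dex[:4] == b"dex\n", "not a dex file"
    count, table = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (off,) = struct.unpack_from("<I", dex, table + 4 * i)
        _, start = read_uleb128(dex, off)
        out.append(dex[start:dex.index(b"\x00", start)].decode("utf-8", "replace"))
    return out

CREDENTIAL_NAME = re.compile(r"secret|api[_-]?key|token|passw(or)?d", re.I)

def looks_like_secret_value(s):
    # heuristic: 8+ chars mixing letters and digits, no spaces, not a type descriptor
    if len(s) < 8 or " " in s or "/" in s or s[0] in "(L[":
        return False
    return any(c.isalpha() for c in s) and any(c.isdigit() for c in s)

def find_embedded_secrets(apk_bytes):
    # open the APK as a plain zip, read classes.dex and report credential-looking
    # identifiers and literal values found in its string table
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        strings = dex_strings(zf.read("classes.dex"))
    return {"names": [s for s in strings if CREDENTIAL_NAME.search(s)],
            "values": [s for s in strings if looks_like_secret_value(s)]}

def make_dex(strings):
    # constructed minimal dex: 0x70-byte header whose only populated table is string_ids
    # (ASCII strings shorter than 128 bytes, so the uleb128 length fits in one byte)
    strings = sorted(strings)
    ids, data, data_off = b"", b"", 0x70 + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode("ascii") + b"\x00"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<III", header, 0x20, 0x70 + len(ids) + len(data), 0x70, 0x12345678)
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    return bytes(header) + ids + data

def make_apk(dex):
    # constructed APK: an unsigned zip holding classes.dex and a manifest placeholder
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", b"placeholder: the real file is binary XML")
    return buf.getvalue()

# the kind of string table the API_SECRET example from the "Why" section leaves in classes.dex
SAMPLE_APK = make_apk(make_dex(["API_SECRET", "top3eCret@", "Ljava/lang/String;",
                                "Lch/nuage/test/Api;", "userName", "Hello world 2012"]))
```

Running `find_embedded_secrets` on your own release build before publishing it shows exactly what the dex2jar/decompiler route above will show anyone else.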

 

What next?

You can change, repackage and recompile applications, but it’s not in the scope of this article.

You sometimes have native libraries in the application (lib/*.so); you can see their code using a decompiler like http://www.hex-rays.com/products/ida/index.shtml – but it’s out of the scope of this article (and the software is too expensive for me).

 

SQLite

Many applications store their databases with sqlite3.

You can easily change these files by installing sqlite and editing the content using SQL queries.

 

Bonus

GameCIH might interest you too. http://www.cih.com.tw/

It’s a way to “speed up” an application or change values in the application, like money or lives.

 

Conclusion

As you can see, it’s quite easy to see the content of an application.

So

  • Think about it when developing mobile software (it’s the same on iPhone…). Your top secret password or API key is not that secret… Your OAuth secret should perhaps be stored on your server and not in the mobile application.
  • It’s a good way to see what other people do and to improve your skills.