The B firmware is were the major action is, and it’s based on the Fujitsu FR chipset. This seems to be the same chip as used by the earlier Nikon DSLRs and the Pentax cameras.
Looking at the B firmware you can see text, for example English @ 0x5ACC68 to but the table of addresses prior to this text block have the same relative spacing of values but are 0x40000 bytes higher in value.
Browsing elsewhere in the file, shows this pattern holds up for the entire file. You can check by finding some text, ad 0x40000 to the text file address, then search for that resulting hex value, ta-da
So we can assume the code is loaded starting at 0x40000.
Next is what we are going to decode the file with. If you have commercial version of IDA Pro then your in luck as it comes with the Fujitsu FR CPU decoder built in. I only have the free version, so am not so luckly.
Kevin Schoedel however has written a pretty good dissembler for the FR CPU, as part of previous Pentax firmware work. I struggled to get the original code working correctly, so I rewrote it in C# and now understand how to use it, and really appreciate his efforts. But I am left oh-so-much wanting IDA Pro style everything. The worst thing is I almost want to pay the $500USD to have that IDA Pro magic, but if I have that money ‘spare’ why didn’t I just buy the D7000 to start with.
Anyway, my present D5100 B firmware DFR import file looks like:
\# File map: D5100
-i 0x00040000-0x00BFFFFF=0x00000000
\# Memory map:
-m 0x00040000-0x00040947=CODE
-m 0x00040948-0x000409b3=DATA:L
-m 0x000409b4-0x00050068=CODE
\# interupt vector table.
-m 0x000dfc00-0x000dffff=DATA:L
#-m 0x000e0000-0x0x000fffff=DATA:L // this is 0xFF rubbish
-m 0x00100000-0x00236A4A=CODE
and heres my C# port of DFR, to use the above with.
If Ilfak wants to give me a free copy of IDA Pro, or even just the FR processor that works with 5.0, I would be very humbled.
The FR - CM71-00101-5E.pdf instruction manual from Fujitsu is very useful.
Here the first 0x4a bytes of the firmware, you can see the interupt vector table being loaded at 0x4002c.
Disassemble 0x00040000-0x00040947 (file 0x00000000) as CODE
00040000 (00000000) 9F80 5000 0000 LDI:32 #0x50000000,R0
00040006 (00000006) C011 LDI:8 #0x01,R1
00040008 (00000008) 1501 STH R1,@R0 ; 0x50000000
0004000A (0000000A) 9B00 03E0 LDI:20 #0x003E0,R0
0004000E (0000000E) 9F81 4700 0000 LDI:32 #0x47000000,R1
00040014 (00000014) 1401 ST R1,@R0 ; 0x000003E0
00040016 (00000016) 9B00 03E7 LDI:20 #0x003E7,R0
0004001A (0000001A) C031 LDI:8 #0x03,R1
0004001C (0000001C) 1601 STB R1,@R0 ; 0x000003E7
0004001E (0000001E) 8710 STILM #0x10
00040020 (00000020) 9F8F 6800 0800 LDI:32 #0x68000800,R15
00040026 (00000026) 9F80 000D FC00 LDI:32 #0x000DFC00,R0
0004002C (0000002C) B300 MOV R0,TBR
0004002E (0000002E) 9B00 0600 LDI:20 #0x00600,R0
00040032 (00000032) 9B41 0185 LDI:20 #0x40185,R1
00040036 (00000036) 1401 ST R1,@R0 ; 0x00000600
00040038 (00000038) 9B00 0640 LDI:20 #0x00640,R0
0004003C (0000003C) C401 LDI:8 #0x40,R1
0004003E (0000003E) 1401 ST R1,@R0 ; 0x00000640
00040040 (00000040) 9B00 0680 LDI:20 #0x00680,R0
00040044 (00000044) 9F81 799F 9910 LDI:32 #0x799F9910,R1
0004004A (0000004A) 1401 ST R1,@R0 ; 0x00000680
The second address in parens is the original file offset to help with looking up the file.
Interested in more, come join the us at Nikon Hacker, or use the Online Patch Tool (Help)