Nikon Firmware Insights #04

A little under 24 hours ago, and roos posted he and Kungsholmens Kameraklubb found the checksum for the D7000 A & B firmware , but it didn’t work on the d5100 firmware.

The code they used was the big endian form of the CRC16, but running on little endian CPUs.

Turning the Wikipedia CRC code into C# follows:

For the D7000 A & B, D300S A&B, D3S A & B, D3100 A, D5100 A firmware files use start: 0x0000, mask=0x1021

For all models (D3S, D300S, D7000, D5100 & D3100) the CRC is a normal Xmodem CRC16, the originally reported difference for D5100 & D3100 was due to a XOR error (by me), that is now found & fixed.

static int crcBig(byte[] data, int len)  
  int rem = 0x0;  

  for (int i = 0; i < len; i++)  
    rem = rem ^ (data[i] << 8);  
    for (int j = 0; j < 8; j++)  
      if ((rem & 0x8000) != 0)  
        rem = (rem << 1) ^ 0x1021;  
        rem = rem << 1;    
      rem = rem & 0xFFFF; // Trim remainder to 16 bits  
  // A popular variant complements rem here  
  return rem;  

For the D5100 B firmware use start= 0x4ed4, mask= 0x1021

"D5100 checksum passed, now loading firmware"

D5100 HaCkEd firmware running.

The D3100 B firmware also matches the same start value, so I’d assume it’s common to both. And the only thing I modified here was the firmware help message, and I’ve not tested if you can load the 1.01 firmware over top it’s self. That is the next step. Also to make a tool (Vitaliy?) the patches and encrypts for you to avoid typo’s.

Very import and good news, firmware lets you flash same version over top it’s self. Thus my camera is now back running normal Nikon 1.01 firmware. Warranty unbroken!
[Update 2: 27 Nov] Fixed CRC code in light of XOR code change.

Interested in more, come join the us at Nikon Hacker, or use the Online Patch Tool (Help)



mojo43 2011-11-25 17:48:15

Awwwww ya! Nice Roos and company and thanks for getting it to work on the D5100!

You are awesome!

Kyle 2011-11-25 17:54:07

Absolutely amazing! I’ve got a computer programing degree but I could never have figured this stuff out. Simply brilliant.

mojo43 2011-11-25 18:25:27

Exactly the same with me, computer science and some assembly language courses but I could never have figured this out!

roos 2011-11-25 18:34:42

This is super, the two of us have the only two known hacked Nikon DSLRs and they both have this wonderful and highly usefull ability to say hacked instead of camera.

Simeon 2011-11-25 18:51:00

WE ARE SO POWERFUL!!!! but only if you know which menu to search under, and when to press the help button. Oh no, did I just let out the secret?

Rand Thompson 2011-11-25 23:44:38

Thank you all for furthering the hack of the Nikon DSLRs Simeon, Roos and Kungsholmens Kameraklubb.


Rand Thompson 2011-11-25 23:46:51

I don’t have any computer programming education so there wasn’t a chance in H#$L of me breaking the code.

Simeon 2011-11-26 00:32:21

Your allowed to say hell around here if needed…

now the f-bomb, maybe not…

Rand Thompson 2011-11-26 01:18:54

Alright Simeon,

I just needed to “CheckSum” of the 4 letter word boundaries for this forum to see what was and was not permitted.

Andrea 2011-11-26 02:35:21


The best news in the world!!!!
Is the first time that a nikon firmware is hacked, I hope the future of my D5100 will be really powerfull.

The best regards

ydaniels 2011-11-26 02:40:23

Thank you so much Simeon, Roos and Kungsholmens Kameraklubb!!! I wish u all the very best of LUCK in future work!

Vicne 2011-11-26 03:39:36

Even without a degree, I think everybody can help just by browsing around in the binary file with a hex editor (Notepad++ is my choice) and noticing information.
For example, I noticed a few JFIF strings (JPEG) in the D7000 firmware and extracted them with simple copy/paste. I don’t think it is directly useful for hacking, but anyway, here are the 21 JPG pictures included. They are all 200x150 px :

tashiy 2011-11-26 04:54:21

The future is Open Source. It` s so exciting!

yehia Amer 2011-11-26 06:01:17

WoOo0Oow That’s wonderful

I hope since D7000 & D5100 have the same sensor “APS-C 23.6x15.6mm”
we can add some features from here to there

This will be GREAT :D

Vicne 2011-11-26 09:42:12

Just for fun, I was browsing around in the D700 firmware (which is not encrypted) and spotted a few funny strings lost from 0x2FF600h on. They are “Test With Truncation”, “Hi There”, “Jefe” and “what do ya want for nothing?”
I take it as an invitation to work harder on this project :-)

Rand Thompson 2011-11-26 10:11:05

Maybe we can find the “At what bitrate would you like me to Encode?” and the “Would prefer a Framerate higher than 24fps in 1080p mode” within the strings as well.

Rand Thompson 2011-11-26 10:12:09


Sorry I misspelled your name in the last post!

Rand Thompson 2011-11-26 10:14:23


I saw D7000 instead of D700. Can you tell what it is I am thinking about?

Simeon 2011-11-26 11:30:01

Classic, I’ve not found any thing as funny yet in the D5100 firmware.

Simeon 2011-11-26 11:34:11


Simeon 2011-11-26 11:46:30

Ah that’s what those JFIF tags are…

If it’s any consolation I don’t have a degree. A degree is just a proxy for for knowledge. Having one does not imply the other. There’s just a correlation.

Simeon 2011-11-26 11:48:00

LOL, that is almost bad enough that I could have said it.

Rand Thompson 2011-11-26 13:58:28


I tried my best to make everything in this post relevant…Ha Ha

Christian Johansson 2011-11-26 19:55:04

What sort of things do you expect you (or someone else) can change with an unlocked firmware to a D3100 or D5100?

It would of course be awesome to get improvements like 4 or 5 photos per second or a bump in fps when filming in 1080p. But then again, I have never had a DSLR before and dont really know what might be software based and hardware based restrictions in the camera.

Simeon 2011-11-26 20:21:14

Honestly, I not no personal expectations for video, as I’m not a video guy, and didn’t buy the camera for video (I’m sure others have expectations for video).

For a D5100, Maybe more/better bracketing support. Maybe different AF point behavior. It would be good to reassign buttons, who needs help anyway, or how they currently work. Maybe overload the dial buttons, thus get rid of the “simple modes” and replace with user settings like the D7000.

roos 2011-11-26 21:15:18

First, id like to say exactly the same thing as Simeon did. I’m a photgrapher and neither I will be bothered to take time from whatever photography enhancements we can achieve on this project to play with the video stuff. Its simply not my cup of tea.

That said, we have been looking a bit at the FR family instruction manual, its a very good document to read for understanding the structure of the chip. In short, we can see no reason why we shouldnt be able to understand what the code does. However, the Nikon code is produced in softune C by paid staff. We have managed to decrypt their work, to disassemble it and found a way to put it back in the camera after we have made modifications. That does not mean that we, in a few spare time hours, can implement stuff to enhance your cameras that much. The workflow we are looking at here are something like this:

* Decrypt a firmware file
* Split it into A+B
* Disassemble it
* Trace through the compiler produced code to find whatever we want to change
* Write the change in assembler
* Manually translate it to machine code
* Insert it into the firmware file
* Disassemble it again
* compare the with the inteded assembler and iterate until it is the same
* Set the checksums
* Encrypt
* Upload it to a testbed camera if we can get hold of one else risk our pruduction gear

This is a lot of work even for the smallest of mods. Even if you help us in any way you can, in the foreseable future expect only what can be changed by redirecting a pointer, setting a constant or running an alternate part of code that allready exist in the firmware.

For my own sake, im in this because its fun and because it might take a few annoying flaws away from my camera. In my dreams that means I might play a small part in kickstarting a project that can make my camera a better tool in the long run. My longterm comittment in the camerabusiness will however remain shooting pictures, not being a software developer. I did that for a living once and stopped doing it for the best of reasons, i have better things to do :)

roos 2011-11-26 21:19:10

Raising the number of photos/sec might or might not be doable. It might even be one of the easiest things to mod. I wouldnt load it into my camera before it has been tested by more adventurous people than me for quite a while though.

Rand Thompson 2011-11-26 21:23:35


Unlike yourself and Simeon, I am interested in the Hack strictly for the Video benefits that can be derived from it. However, whatever Improvements you can make even if it is only for Photographic purposes will be greatly appreciated.

roos 2011-11-26 21:33:17

Well, there is nothing stopping you to do your own video enhancements now. Read up on the structure of the chip and the instruction set and start hacking :)

I dont have that much time to put in this, you and others may very well be ahead of whatever i can produce in a very short time even if i get nice help from Yann for the time being.

Simeon 2011-11-26 23:05:52

Wow, I owe you Vicne,

Because you found the jpeg’s I went searching in the D5100 firmware for them and found a 196K block inside the region where a large number of jpegs were. But this block didn’t have pictures in it. Digging into it I found…

I had missed three numbers in my third order XOR table. Will fix the table now, and email Vitaliy so he can fix his tool.

Rand Thompson 2011-11-26 23:19:38

If only I had yours and Simeon’s knowledge of computer programming. I wouldn’t even know where to start to look or understand what I was looking at.

Christian Johansson 2011-11-27 03:16:16

I agree with you about the video making, on my D3100 the mics position makes it almost useless anyway.
Replacing the modes on the dial button would be a great thing.

Christian Johansson 2011-11-27 03:26:09

The 3 photos/sec on my camera is probabely what I would like to bump most. I have my camera with me when me and my friends go fishing and 3 per second is not enough most times to get any good action photos. Not so bad that I dont want to use the camera but still an annoying thing sometimes.

I wish you all good luck. You guys really are amazing.

Vicne 2011-11-27 05:15:19

Can you post the fixed table so I update my code too ?
Not that I don’t trust other people’s code, it’s just that I like coding too :-)

Vicne 2011-11-27 05:46:15

Don’t set your hopes too high :-). For the time being, I’m just browing around for fun. I currently don’t own any of the DSLRs we talk about here, but I thought I’d have a look at D700 just because it doesn’t follow the same packing logic at all.

Vitaliy_Kiselev 2011-11-27 09:12:30

I updated NTool to v1.2

Now you can change firmware and pack all back.
It’ll recalculate all CRC sums.
It also checks CRC sums in existing file, just in case.

If someone want to talk about FR processor module, etc, welcome to

Alex Fishi 2011-11-27 23:54:08

What about some older models like D300?

Arturo 2011-11-28 06:06:01

For video:

Avchd intra codec for video like you did with the gh2.
60fps 1080
Iris control during liveview mode
Exposure control at the screen during recording

For photography:

Function button for iso
Light mettering at the top screen

roos 2011-11-28 07:20:48

Well, same status on the D300. Decryption and setting the checksums work, so go ahead and mod it if you like.

Fabrys 2011-11-28 07:39:32

A lot of people awaits for manuals controls in video on the D5100 (like on the D7000), it will be really great :)

ydaniels 2011-11-28 08:39:25

Agree. There’s a complain list:

Thousands of people are praying for FULL MANUAL CONTROL OVER EXPOSURE, SHUTTER SPEED and ISO in [M] MODE for shooting VIDEO.

Today you can’t set manual exposure, because it changes automatically everything!

You can’t even see the changes! :( Otherwise you could just LOCK the EXPOSURE.

Simeon 2011-11-28 08:44:49

That firmware is not encrypted, so is open for alteration…

I’m sure the any base functional changes made could be applied, but any specific features (video rates etc) will not apply.

roos 2011-11-28 09:12:49

You guys might be right, but 0% of them have voloneered to implement them, so far.

Fabrys 2011-11-28 09:47:50

Hope it will change, the first to do that will be a hero :D Yes there’s a big group on Vimeo (and I think not only there) which are awaiting for a hack.

arm.indy 2011-11-28 14:39:22

the Kanal plugin of PEiD finds “CCITT-CRC16 precomputed table for byte transform” at offset 0x1DD5d0 in b750103a.bin from D7000. So this is were the firmware unpacks and checks an update…

Simeon 2011-11-28 14:48:33

Great find. Now I’ll search for that in the D5100 firmware…

The data stream at that location is:

00 00 10 21 20 42 30 63

which is located at 0x1f7d30 in b640101b.bin

arm.indy 2011-11-28 15:41:36

confirmed : 256 entries, elements have word size, like page 11 of, by Eric E. Johnson (1995)

TheoKondak 2011-11-28 17:00:48

What is that exactly?Some kind of dream hacks for your camera?You don’t even mention what is your camera.I guess D7000?

Well what i would like to see implemented in future for D7000 at least (which has some advanced hardware and probably can support the changes better than other lower cost models).

Video.Even though i call myself a photographer, lot of times i am catching myself wanting to shoot some video too.DSLRs are we all know has a unique DoF feeling, which make it a lovely video camera too.So here are some thoughts, for future coders (including me):

Make digital focus possible.I know of just one camera that does that and its Canon T3i.Have a look here of what i mean:
Make possible lower quality videos for higher FPS.For example the new gopro can record 1080:30 720:60 480:120 .I believe that something similar is possible for other cameras via some firmware update.
Make possible to change aperture during video recording.Well, i don’t know the reason behind this for nikon D7000 but its a really nasty thing.Seeing it implimented in the rest of DSLRs out there makes me believe that it is possible for D7k too.

About Photographs a live Histogram would be nice, but i believe its something very hard to code.

I will keep an eye on this thread.I am really interested in hacking my camera in order to get some new features and i would like to contribute sometime in future.Keep it up guys, you really made my day with that news!

Max 2011-11-28 19:48:18

Nice work Indy,

I’ve listed how to create your own reference table (in C) to check against here

One interesting thing is that if you assume a table-version is in use, you could use any weird data chunk that started w/ {0x0000,0xNNNN} as a possible polynomial to brute force against.

Did someone confirm if the initial value is 0xFFFF or 0x0000 for these? The spec CCITT CRC algorithm is 0xFFFF, but often this polynomial is used w/ 0x0000.

PS. I’m trying to accumulate all this info in a wiki in the above site.

Simeon 2011-11-28 19:55:11

Yes as stated earlier, Roos and Yaan search the different possible start values, and end “fix” and the different big/little endian permutations. Plus the searched the polynomial space.

I originally only searched the little endian polynomial space, but didn’t think to try the big endian space….

Luis Gonzalez 2011-11-28 20:20:02

I have a software background and used to burn BIOS ROMS back in the 80s, but it’s been a LONG time since I did anything like that.

I think the first thing I would do is change the exposure increment for bracketing on my D700. I have to shoot 5 frames to do even a -2,-1,0,+1,+2 bracket, and ditch the -1,+1 to get -2,0,+2. Would love to be able to change the increments from 1/3, 2/3, 1 EV to a full 1, 2, 3 EV. That sounds like it shouldn’t be too hard to do IF I can find where those increment values are stored in the firmware.

arm.indy 2011-11-29 00:51:31

Tables for white balance decryption are at 0x1f7f5a and 0x1f805a in d5100/b640101b.bin, is it only for WB ? See for the code source and search for xlat[2][256].

Simeon 2011-11-29 07:11:12

Another great find…

rob 2011-12-01 00:55:18

“I think everybody can help just by browsing around in the binary file with a hex editor” id like to browse around. but as im a total noob i’ve no clue how.

where do i get the binary file and can i just open it with notepad ++ or is there more to it

roos 2011-12-01 01:46:06

The binary file is what you get after decrypting and splitting the firmware with ntool. The firmware files are on Nikons web and ntool.exe is on this blog.

I have no idea what OS you are running, but in unix (inc macos) you can just do “hexdump -C | less”. Im sure there are free hexeditors around for windos too, if not you can just install cygwin and use the above command.

Kyle 2011-12-01 07:06:36

HxD is a free windows hex editor.

You can use Notepad++ with a hex editor plugin like

Simeon 2011-12-01 09:01:33

I personally love notepad++ but for hex I use XVI32.

TheoKondak 2011-12-01 09:13:18

Is there a guide on how to start exploring the code?I found here something about ntool, and a hex editor, but can’t find info on how to use them altogether.Unfortunately i don’t have enough spare time to do a research on my own on that.So is there any guide available on how to start working with this project?

roos 2011-12-01 09:45:21

Well, if you read the 4 pieces Simeon has written here on his blog and the comments from the rest of us, I think You have a guide as good as it gets on howto decrypt, split and look at the firmware binary. If you need a guide on how to programme from the FA family CPU, there are links here too, but that is a lot more demanding reading.

TheoKondak 2011-12-01 10:35:00

Thanks.I will have a look at all the articles and comments.

rob 2011-12-01 14:37:30

Humm i was expecting understandable code like in the beging of this post. “01| static int crcBig” ect. but the code i am seeing in XVI32 or ++ with hex pluggin im pritty sure isnt understandable by everyone like vicne said.

i used the ntool to generate an A and a B bin file then dragged that in to the editor. and this got me code along these lines:
65 00 64 41 e8 a0 ff ff f4 00 64 f4 00 64 f4 f7 d7 4d eb e.dAé Me
and so on

what am i looking for in order for my efforts to be helpfull.

Simeon 2011-12-01 15:24:14

Haha, if it was so easy. Then I’d just recompile said code, and have the new feature whipped up is a second…

Your correct your now looking at a binary executable. You can ether disassemble it, and find useful functions, and/or workout how menu’s are driven by the data sections (the heavy lifting tasks).

Or look for interesting data. The embedded jpg files have been found, the pre-computed CRC table has been found…

max 2011-12-01 23:48:00

The only useful part of browsing through raw hex is finding data strings that give you a clue about what a chunk of code does, if that code points to that string. things are a little harder when there are translations involved. I’m amazed at how much space is taken up by translations!

Browsing through strings I found one line that sparked my curiosity (D5100/B)
“Ethernet cable is not connected.”


Vicne 2011-12-02 06:44:20

Of course you won’t change the video framerate by looking at the hex file, but first things first. For example, reading the included texts like max said or extracting JPEGs or other interesting contents is not that hard. I just explained how to extract JPEGs in the following thread :
Your turn now ;-)
Kind regards,

Charles 2011-12-21 05:32:18


great work so far!

I agree with TheoKondak as for the wishlist - personally i think that the most crucial features for the d7000 to be implemented are the video fps modes of the d5100. Especially 1080p 25 and 30. Very nice to have of course would be even higher fps in lower resolutions. And the ability to change aperture during shooting (which can also be done directly on non-g lenses).

Jack Frost 2011-12-27 23:31:19

I wonder if with the firmware update we can see the D3100 and many other Nikons getting the functions like AEB or timelapse modes!

loen 2012-02-08 17:17:54

hello guys!! what about the possibility to extend the recording time of the D300s or D3s from 5 min to 10min or more. possible?

Luis 2012-02-08 17:31:08

They limit the recording duration to keep the sensor from overheating. That’s just all the design allows. The new D800 will do up to 30 minutes.

loen 2012-02-09 12:15:27

i read that too in a magazine. ive been recording 16 gig 5 min at a time non stop. what is the diffence if i do 10 min in one shot? thats what i dont understand about the 5 min limitation. it sucks.

Simeon 2012-02-09 13:00:28

When it gets to the 5 minute limit, does it display any message?(aka if there something to look for) or does it just stop?

loen 2012-02-10 04:04:30

its stops and it show 5 more minutes or less if u card is getting empty…thats in 720p, in crop mode in does 20 min, but why would i want to record on crop mode on a d3s? thats the thing that i dont understand, nikon is weird

Mark 2012-04-10 19:38:26

Simeon- If he’s talking about the D300- It just stops… no message at all.

Nvm. I just saw his message under me lol.

Phani Kiran Kara 2012-06-06 00:24:28

Hey guys count me in. I am an embedded engineer and will start on this hack soon.. I just want live histogram.. whatever it takes…

Simeon 2012-06-06 07:00:15

Excellent, join the Nikon hacker forums and ask about this and I can give you some pointers where to start looking.