Nikon Firmware Insights #04

A little under 24 hours ago, roos posted that he and Kungsholmens Kameraklubb had found the checksum for the D7000 A & B firmware, but it didn’t work on the D5100 firmware.

The code they used was the big-endian form of the CRC16, but run on little-endian CPUs.

The Wikipedia CRC code, turned into C#, follows below the per-model parameters:

For the D7000 A & B, D300S A & B, D3S A & B, D3100 A and D5100 A firmware files, use start = 0x0000, mask = 0x1021.

For all models (D3S, D300S, D7000, D5100 & D3100) the CRC is a normal XMODEM CRC16. The originally reported difference for the D5100 & D3100 was due to an XOR error (by me), which is now found & fixed.

// Big-endian (MSB-first) CRC16 with polynomial ("mask") 0x1021, no reflection, no final XOR.
// The optional 'start' is the initial remainder: 0x0000 for the A files listed above.
static int crcBig(byte[] data, int len, int start = 0x0000)
{
    int rem = start;

    for (int i = 0; i < len; i++)
    {
        rem = rem ^ (data[i] << 8); // Bring the next byte into the top 8 bits
        for (int j = 0; j < 8; j++)
        {
            if ((rem & 0x8000) != 0)
                rem = (rem << 1) ^ 0x1021; // Top bit set: shift and reduce by the polynomial
            else
                rem = rem << 1;

            rem = rem & 0xFFFF; // Trim remainder to 16 bits
        }
    }
    // A popular variant complements rem here
    return rem;
}

For the D5100 B firmware, use start = 0x4ed4, mask = 0x1021.
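As an added example (not the post’s or the project’s code), the same CRC16 in C with the start value as a parameter, plus the byte-transform table form that the comments below spot in the firmware image; the 64-byte buffer in crc16_forms_agree() is constructed sample data, not firmware.

```c
/* Added example, not the post's or the project's code: CRC-16/XMODEM as the
 * post uses it (poly 0x1021, MSB-first, no reflection, no final XOR) with the
 * initial remainder ("start") as a parameter, plus the byte-transform table
 * form the comments mention. The buffer in crc16_forms_agree() is constructed. */
#include <stdint.h>
#include <stddef.h>
/* Bitwise form, one bit at a time: the post's crcBig() loop, but 'start' is
 * passed in (0x0000 for the A files, 0x4ed4 for the D5100 B file). */
uint16_t crc16_xmodem(const uint8_t *data, size_t len, uint16_t start)
{
    uint16_t rem = start;
    for (size_t i = 0; i < len; i++) {
        rem ^= (uint16_t)(data[i] << 8);        /* next byte into the top 8 bits */
        for (int j = 0; j < 8; j++)              /* shift out 8 bits, reducing mod poly */
            rem = (rem & 0x8000) ? (uint16_t)((rem << 1) ^ 0x1021)
                                 : (uint16_t)(rem << 1);
    }
    return rem;                                  /* uint16_t keeps it to 16 bits */
}

/* 256-entry table: entry n is the CRC of the single byte n from start 0, so
 * the table opens 0x0000 0x1021 0x2042 0x3063, the bytes quoted in comment 30. */
void crc16_build_table(uint16_t table[256])
{
    for (int n = 0; n < 256; n++)
        table[n] = crc16_xmodem((const uint8_t[]){ (uint8_t)n }, 1, 0x0000);
}

/* Table-driven form: one lookup per input byte, same result as the bit loop. */
uint16_t crc16_xmodem_table(const uint8_t *data, size_t len, uint16_t start,
                            const uint16_t table[256])
{
    uint16_t rem = start;
    for (size_t i = 0; i < len; i++)
        rem = (uint16_t)((rem << 8) ^ table[(rem >> 8) ^ data[i]]);
    return rem;
}

/* Returns 1 when both forms agree on a constructed 64-byte buffer for 'start'. */
int crc16_forms_agree(uint16_t start)
{
    uint16_t table[256];
    uint8_t buf[64];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (uint8_t)(i * 37 + 11);         /* constructed sample, not firmware */
    crc16_build_table(table);
    return crc16_xmodem(buf, sizeof buf, start) ==
           crc16_xmodem_table(buf, sizeof buf, start, table);
}
```

With start 0x0000 the standard check string "123456789" gives 0x31C3 (CRC-16/XMODEM); with start 0xFFFF the same string gives 0x29B1 (CRC-16/CCITT-FALSE), which is the difference comment 32 asks about.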

D5100 checksum passed, now loading firmware
D5100 HaCkEd firmware running.

The D3100 B firmware also matches the same start value, so I’d assume it’s common to both. The only thing I modified here was the firmware help message, and I’ve not tested whether you can load the 1.01 firmware over top of itself. That is the next step. Also on the list is a tool (Vitaliy?) that patches and encrypts for you, to avoid typos.

Very important and good news: the firmware lets you flash the same version over top of itself. Thus my camera is now back running the normal Nikon 1.01 firmware. Warranty unbroken!
[Update 2: 27 Nov] Fixed CRC code in light of XOR code change.

Interested in more? Come join us at Nikon Hacker, or use the Online Patch Tool (Help)

75 thoughts on “Nikon Firmware Insights #04”

  1. Absolutely amazing! I’ve got a computer programing degree but I could never have figured this stuff out. Simply brilliant.

  2. Exactly the same with me, computer science and some assembly language courses but I could never have figured this out!

  3. This is super, the two of us have the only two known hacked Nikon DSLRs and they both have this wonderful and highly useful ability to say hacked instead of camera.

  4. WE ARE SO POWERFUL!!!! but only if you know which menu to search under, and when to press the help button. Oh no, did I just let out the secret?

  5. Thank you all for furthering the hack of the Nikon DSLRs Simeon, Roos and Kungsholmens Kameraklubb.

  6. I don’t have any computer programming education so there wasn’t a chance in H#$L of me breaking the code.

  7. Alright Simeon,

    I just needed to “CheckSum” of the 4 letter word boundaries for this forum to see what was and was not permitted.

  8. Hi,

    The best news in the world!!!!
    It is the first time that a Nikon firmware is hacked, I hope the future of my D5100 will be really powerful.

    The best regards

  9. Even without a degree, I think everybody can help just by browsing around in the binary file with a hex editor (Notepad++ is my choice) and noticing information.
    For example, I noticed a few JFIF strings (JPEG) in the D7000 firmware and extracted them with simple copy/paste. I don’t think it is directly useful for hacking, but anyway, here are the 21 JPG pictures included. They are all 200×150 px:

  10. WoOo0Oow That’s wonderful

    I hope since D7000 & D5100 have the same sensor “APS-C 23.6×15.6mm”
    we can add some features from here to there

    This will be GREAT :D

  11. Just for fun, I was browsing around in the D700 firmware (which is not encrypted) and spotted a few funny strings lost from 0x2FF600h on. They are “Test With Truncation”, “Hi There”, “Jefe” and “what do ya want for nothing?”
    I take it as an invitation to work harder on this project :-)

  12. Vince,
    Maybe we can find the “At what bitrate would you like me to Encode?” and the “Would prefer a Framerate higher than 24fps in 1080p mode” within the strings as well.

  13. Ah that’s what those JFIF tags are…

    If it’s any consolation I don’t have a degree. A degree is just a proxy for knowledge. Having one does not imply the other. There’s just a correlation.

  14. What sort of things do you expect you (or someone else) can change with an unlocked firmware to a D3100 or D5100?

    It would of course be awesome to get improvements like 4 or 5 photos per second or a bump in fps when filming in 1080p. But then again, I have never had a DSLR before and don’t really know what might be software-based and hardware-based restrictions in the camera.

  15. Honestly, I have no personal expectations for video, as I’m not a video guy, and didn’t buy the camera for video (I’m sure others have expectations for video).

    For a D5100, Maybe more/better bracketing support. Maybe different AF point behavior. It would be good to reassign buttons, who needs help anyway, or how they currently work. Maybe overload the dial buttons, thus get rid of the “simple modes” and replace with user settings like the D7000.

  16. First, I’d like to say exactly the same thing as Simeon did. I’m a photographer and I won’t be bothered to take time from whatever photography enhancements we can achieve on this project to play with the video stuff. It’s simply not my cup of tea.

    That said, we have been looking a bit at the FR family instruction manual, it’s a very good document to read for understanding the structure of the chip. In short, we can see no reason why we shouldn’t be able to understand what the code does. However, the Nikon code is produced in Softune C by paid staff. We have managed to decrypt their work, to disassemble it and found a way to put it back in the camera after we have made modifications. That does not mean that we, in a few spare-time hours, can implement stuff to enhance your cameras that much. The workflow we are looking at here is something like this:

    * Decrypt a firmware file
    * Split it into A+B
    * Disassemble it
    * Trace through the compiler produced code to find whatever we want to change
    * Write the change in assembler
    * Manually translate it to machine code
    * Insert it into the firmware file
    * Disassemble it again
    * Compare with the intended assembler and iterate until it is the same
    * Set the checksums
    * Encrypt
    * Upload it to a testbed camera if we can get hold of one, else risk our production gear

    This is a lot of work even for the smallest of mods. Even if you help us in any way you can, in the foreseeable future expect only what can be changed by redirecting a pointer, setting a constant or running an alternate part of code that already exists in the firmware.

    For my own sake, I’m in this because it’s fun and because it might take a few annoying flaws away from my camera. In my dreams that means I might play a small part in kickstarting a project that can make my camera a better tool in the long run. My long-term commitment in the camera business will however remain shooting pictures, not being a software developer. I did that for a living once and stopped doing it for the best of reasons, I have better things to do :)

  17. Raising the number of photos/sec might or might not be doable. It might even be one of the easiest things to mod. I wouldn’t load it into my camera before it has been tested by more adventurous people than me for quite a while though.

  18. Roos,

    Unlike yourself and Simeon, I am interested in the Hack strictly for the Video benefits that can be derived from it. However, whatever Improvements you can make even if it is only for Photographic purposes will be greatly appreciated.

  19. Well, there is nothing stopping you from doing your own video enhancements now. Read up on the structure of the chip and the instruction set and start hacking :)

    I don’t have that much time to put into this, you and others may very well be ahead of whatever I can produce in a very short time even if I get nice help from Yann for the time being.

  20. Wow, I owe you Vicne,

    Because you found the jpeg’s I went searching in the D5100 firmware for them and found a 196K block inside the region where a large number of jpegs were. But this block didn’t have pictures in it. Digging into it I found…

    I had missed three numbers in my third order XOR table. Will fix the table now, and email Vitaliy so he can fix his tool.

  21. If only I had yours and Simeon’s knowledge of computer programming. I wouldn’t even know where to start to look or understand what I was looking at.

  22. The 3 photos/sec on my camera is probably what I would like to bump most. I have my camera with me when me and my friends go fishing and 3 per second is not enough most times to get any good action photos. Not so bad that I don’t want to use the camera but still an annoying thing sometimes.

    I wish you all good luck. You guys really are amazing.

  23. Great.
    Can you post the fixed table so I can update my code too?
    Not that I don’t trust other people’s code, it’s just that I like coding too :-)

  24. Don’t set your hopes too high :-). For the time being, I’m just browsing around for fun. I currently don’t own any of the DSLRs we talk about here, but I thought I’d have a look at the D700 just because it doesn’t follow the same packing logic at all.

  25. For video:

    AVCHD intra codec for video like you did with the GH2.
    60fps 1080
    Iris control during liveview mode
    Exposure control at the screen during recording

    For photography:

    Function button for iso
    Light metering at the top screen

  26. Agree. There’s a complaint list:

    Thousands of people are praying for FULL MANUAL CONTROL OVER EXPOSURE, SHUTTER SPEED and ISO in [M] MODE for shooting VIDEO.

    Today you can’t set manual exposure, because it changes automatically everything!

    You can’t even see the changes! :( Otherwise you could just LOCK the EXPOSURE.

  27. That firmware is not encrypted, so is open for alteration…

    I’m sure any base functional changes made could be applied, but any specific features (video rates etc.) will not apply.

  28. Hope it will change, the first to do that will be a hero :D Yes, there’s a big group on Vimeo (and I think not only there) which is waiting for a hack.

  29. The Kanal plugin of PEiD finds “CCITT-CRC16 precomputed table for byte transform” at offset 0x1DD5d0 in b750103a.bin from the D7000. So this is where the firmware unpacks and checks an update…

  30. Great find. Now I’ll search for that in the D5100 firmware…

    The data stream at that location is:

    00 00 10 21 20 42 30 63

    which is located at 0x1f7d30 in b640101b.bin

  31. What is that exactly? Some kind of dream hacks for your camera? You don’t even mention what your camera is. I guess D7000?

    Well, what I would like to see implemented in future for the D7000 at least (which has some advanced hardware and probably can support the changes better than other lower-cost models).

    Video. Even though I call myself a photographer, a lot of times I catch myself wanting to shoot some video too. DSLRs, as we all know, have a unique DoF feeling, which makes them lovely video cameras too. So here are some thoughts, for future coders (including me):

    Make digital focus possible. I know of just one camera that does that and it’s the Canon T3i. Have a look here at what I mean:
    Make lower-quality videos possible for higher FPS. For example the new GoPro can record 1080:30 720:60 480:120. I believe that something similar is possible for other cameras via some firmware update.
    Make it possible to change aperture during video recording. Well, I don’t know the reason behind this for the Nikon D7000 but it’s a really nasty thing. Seeing it implemented in the rest of the DSLRs out there makes me believe that it is possible for the D7k too.

    About photographs, a live histogram would be nice, but I believe it’s something very hard to code.

    I will keep an eye on this thread. I am really interested in hacking my camera in order to get some new features and I would like to contribute sometime in future. Keep it up guys, you really made my day with that news!

  32. Nice work Indy,

    I’ve listed how to create your own reference table (in C) to check against here

    One interesting thing is that if you assume a table-version is in use, you could use any weird data chunk that started w/ {0x0000,0xNNNN} as a possible polynomial to brute force against.

    Did someone confirm if the initial value is 0xFFFF or 0x0000 for these? The spec CCITT CRC algorithm is 0xFFFF, but often this polynomial is used w/ 0x0000.

    PS. I’m trying to accumulate all this info in a wiki in the above site.

Comments are closed.