Nikon J1/V1 Firmware decoded

I started looking at the J1/V1 firmware last weekend.

Compared to the DSLR firmware, the XOR pattern is different, but using knowledge from the D5100 firmware I made very quick progress getting past the first two XOR layers; the third was a little tricky.

Then yesterday, I got an email from Петр Кудинов that showed where in the D5100 firmware the XOR tables were stored. With this new insight (that they were stored rather than calculated) I proceeded to search for what I had already found of the V1 XOR pattern in that firmware, and struck gold.

Here are the firmware-based patterns used to decode the V1 and J1 firmware:

static byte[] Xor_Ord1_5 = {
    0xBB, 0x85, 0x12, 0xA7, 0xD7, 0x11, 0x15, 0x30, 0x53, 0x5C, 0x72, 0xCA, 0x61, 0x9F, 0xA3, 0xAC,
    0x2D, 0xC7, 0x05, 0x9C, 0xDF, 0x22, 0x37, 0xF5, 0x93, 0x6F, 0x24, 0x6B, 0x98, 0xB2, 0x0D, 0x44,
    0x8B, 0xCD, 0x3D, 0x33, 0x65, 0xF3, 0xF7, 0x52, 0x89, 0xB7, 0x34, 0x26, 0x79, 0x8F, 0xC1, 0x84,
    0x87, 0x07, 0x3A, 0xE2, 0xE0, 0x0C, 0xA1, 0xF0, 0xA0, 0x77, 0x4A, 0x7E, 0xFF, 0x25, 0xB6, 0x9D,
    0x4F, 0x36, 0xF4, 0xC8, 0xA9, 0xA8, 0x70, 0x00, 0x99, 0xC3, 0x32, 0x2A, 0x1F, 0xDA, 0x9B, 0x64,
    0xEA, 0xBA, 0x63, 0xC2, 0x23, 0xAF, 0xBF, 0x2C, 0x39, 0x16, 0x9E, 0x6D, 0xDC, 0x31, 0x02, 0x19,
    0x2F, 0x47, 0xAE, 0xE3, 0x5B, 0x74, 0x0F, 0x71, 0xD4, 0xFE, 0x50, 0xD6, 0x3E, 0xD0, 0x18, 0xA4,
    0xE8, 0x29, 0x80, 0x5A, 0x7D, 0xE5, 0x45, 0xE1, 0x62, 0x6C, 0xE6, 0xB5, 0x9A, 0x78, 0xA5, 0x7B,
    0x03, 0x81, 0x27, 0xB0, 0x06, 0xF1, 0xE7, 0x8E, 0xD2, 0xD9, 0x1E, 0x3F, 0x5E, 0x95, 0xED, 0xFA,
    0x20, 0x90, 0xEE, 0xFD, 0xDD, 0x4E, 0xDB, 0x6A, 0x82, 0x7A, 0x56, 0x1B, 0x8A, 0x1C, 0x09, 0x57,
    0x6E, 0x2B, 0xE4, 0x04, 0xAB, 0x67, 0xDE, 0xF6, 0x1D, 0x2E, 0x46, 0x86, 0x8C, 0xCB, 0xB8, 0x14,
    0x66, 0x10, 0xD1, 0xF2, 0x8D, 0x08, 0x54, 0xB4, 0x42, 0xF8, 0x49, 0xD5, 0x75, 0xBE, 0x76, 0x68,
    0x51, 0x7C, 0xEF, 0x96, 0xCE, 0x0E, 0xE9, 0xEB, 0x41, 0x28, 0x59, 0xEC, 0xB1, 0x13, 0x91, 0x40,
    0x0A, 0xCF, 0x5D, 0x01, 0xC9, 0x3B, 0xC0, 0xAA, 0x88, 0xC5, 0x92, 0x38, 0x4B, 0x5F, 0xD3, 0xA6,
    0x69, 0xA2, 0x35, 0x58, 0xFB, 0xC6, 0x0B, 0x17, 0x7F, 0x21, 0x3C, 0x83, 0xBC, 0xCC, 0x4D, 0x97,
    0xC4, 0x60, 0x48, 0xF9, 0xBD, 0x73, 0xB9, 0xB3, 0x1A, 0x55, 0xD8, 0x4C, 0xAD, 0xFC, 0x43, 0x94
};

static byte[] Xor_Ord2_5 = {
    0xB6, 0x0A, 0x9C, 0xBF, 0x54, 0x5C, 0x80, 0x8F, 0xFE, 0x1E, 0xF9, 0x3A, 0x8C, 0xEA, 0x78, 0x2A,
    0x01, 0xF7, 0x56, 0x38, 0x39, 0xE5, 0x72, 0xE6, 0x44, 0x0C, 0x41, 0x73, 0x82, 0x34, 0xCD, 0xC2,
    0x14, 0x37, 0xC7, 0xBD, 0xD3, 0xF3, 0x29, 0xAA, 0x8D, 0xC5, 0xE4, 0xEB, 0x9D, 0xE9, 0xFB, 0xF1,
    0x1F, 0x7D, 0x07, 0x93, 0x53, 0x95, 0x4A, 0x24, 0x05, 0x4D, 0xCE, 0x7E, 0x7F, 0x28, 0x22, 0xC8,
    0x6E, 0x40, 0x55, 0xE3, 0x65, 0xC3, 0x3B, 0x0F, 0xE2, 0xDC, 0xED, 0xBC, 0x1B, 0x61, 0xEF, 0x0B,
    0x92, 0x99, 0x1D, 0x64, 0x8E, 0x7C, 0xE1, 0x60, 0xAF, 0xA6, 0x85, 0xEC, 0x4C, 0xB8, 0x69, 0x23,
    0xDB, 0xBA, 0xCC, 0xC6, 0xEE, 0x0D, 0x27, 0x43, 0xF8, 0x11, 0x32, 0xFC, 0x75, 0xD1, 0xA1, 0x20,
    0x71, 0x63, 0x88, 0x2B, 0xD9, 0x2E, 0x89, 0x68, 0x3C, 0xF4, 0xDF, 0x33, 0xFD, 0xAC, 0x6C, 0xB3,
    0x19, 0xC1, 0x10, 0x57, 0x17, 0xFA, 0x79, 0xCF, 0x13, 0xF2, 0x86, 0x35, 0x51, 0xB1, 0xD5, 0xCB,
    0xA3, 0xAE, 0x94, 0x03, 0x5F, 0xD8, 0x6B, 0x31, 0x74, 0x81, 0xBB, 0x3D, 0x15, 0x16, 0xF6, 0xB5,
    0x4B, 0xF5, 0x77, 0x6F, 0x49, 0xA8, 0xA7, 0xCA, 0xAD, 0x02, 0x9A, 0x5E, 0x59, 0x25, 0x98, 0x62,
    0x1A, 0xB7, 0x9F, 0x2F, 0xA0, 0x76, 0x6D, 0xB4, 0x47, 0xB0, 0xA9, 0x06, 0xDA, 0x2D, 0x5B, 0xD7,
    0x8A, 0x66, 0x7B, 0xA5, 0xFF, 0x6A, 0xB9, 0xE0, 0xBE, 0x9E, 0x2C, 0x36, 0xF0, 0xD2, 0xD0, 0x97,
    0x26, 0x3E, 0xA2, 0x08, 0x5D, 0x58, 0x4F, 0x91, 0x70, 0x8B, 0xC0, 0x90, 0x0E, 0x00, 0x5A, 0xE7,
    0x45, 0x87, 0xB2, 0x83, 0x1C, 0xC4, 0x52, 0xD4, 0x96, 0xDE, 0x21, 0x04, 0x7A, 0x3F, 0x12, 0x30,
    0x67, 0x50, 0x09, 0x48, 0x42, 0xAB, 0xD6, 0xDD, 0x9B, 0xA4, 0x18, 0xE8, 0xC9, 0x4E, 0x46, 0x84
};

static byte[] Xor_Ord3_5 = {
    0xBF, 0xB7, 0x80, 0x05, 0x48, 0xDA, 0xF0, 0x77, 0xA0, 0x93, 0xE5, 0x0C, 0x07, 0x69, 0xE7, 0x2F,
    0xF4, 0x0D, 0x6F, 0xD4, 0x2C, 0x3B, 0x1E, 0x43, 0x71, 0xF5, 0x1A, 0xA8, 0x57, 0x31, 0x4B, 0x6D,
    0x35, 0x8E, 0xC8, 0x92, 0xED, 0x0F, 0xC2, 0xD7, 0xB9, 0x58, 0xB2, 0xC5, 0x7B, 0x18, 0x4A, 0x98,
    0x3C, 0x11, 0xBB, 0xFD, 0xAA, 0x41, 0xB5, 0x17, 0xE1, 0xF3, 0x22, 0x5B, 0xE4, 0x19, 0x9B, 0x42,
    0x81, 0xFF, 0x21, 0xA2, 0x64, 0xB1, 0x5E, 0x23, 0xC0, 0xDE, 0x28, 0xFC, 0x99, 0xF1, 0x0E, 0x9A,
    0xD8, 0x83, 0x78, 0x27, 0x5F, 0xC3, 0x76, 0x44, 0x1F, 0x86, 0x53, 0xFA, 0x61, 0x8D, 0x12, 0xF7,
    0x50, 0xB3, 0x09, 0x1B, 0xEC, 0x4D, 0x51, 0x6B, 0xD2, 0x33, 0x90, 0x79, 0x5D, 0x97, 0xB0, 0x60,
    0x1D, 0x63, 0xEF, 0xE9, 0x8F, 0x87, 0x75, 0x06, 0xBC, 0x68, 0xA5, 0x13, 0xD1, 0x26, 0x38, 0x82,
    0xBA, 0x04, 0x10, 0x56, 0xAF, 0x34, 0x62, 0x3E, 0x30, 0x5C, 0xAC, 0xE2, 0x91, 0x45, 0x2B, 0xCB,
    0xEE, 0x47, 0x2E, 0xB8, 0xA9, 0x96, 0xA3, 0x7C, 0xFE, 0xB6, 0xE0, 0xD3, 0xA6, 0xDF, 0x59, 0x84,
    0x32, 0xBD, 0xD5, 0xC6, 0x39, 0xA1, 0xA7, 0xBE, 0xAD, 0x4E, 0x66, 0x2D, 0xF8, 0x9E, 0xDC, 0xC7,
    0x7D, 0x03, 0x70, 0x40, 0x20, 0x8B, 0xE6, 0xD9, 0x7E, 0x85, 0xCC, 0x8A, 0x01, 0x16, 0xE8, 0x5A,
    0xAB, 0x4C, 0x74, 0x2A, 0x3D, 0xC9, 0x72, 0x29, 0xE3, 0x7F, 0x52, 0x94, 0x0A, 0x89, 0x8C, 0x37,
    0x1C, 0xEA, 0x3A, 0xD6, 0x6A, 0xB4, 0xC1, 0x65, 0x55, 0x3F, 0xF6, 0x08, 0x36, 0x95, 0x0B, 0x9F,
    0x73, 0xCD, 0x7A, 0x15, 0xCE, 0x9C, 0x14, 0xCF, 0x46, 0xFB, 0x02, 0xCA, 0xDB, 0x88, 0xF9, 0xC4,
    0x49, 0xEB, 0xDD, 0x6C, 0x00, 0x4F, 0x6E, 0xF2, 0x67, 0x24, 0xD0, 0x25, 0x9D, 0x54, 0xA4, 0xAE
};
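
The search described above (taking the part of the XOR pattern already recovered and looking for it in the firmware image) amounts to a masked byte search. The following is an added example, not code from the original post or from nikon_key_finder; the function names, the sample image and its offsets are constructed, and only the known bytes come from the first row of Xor_Ord1_5.

```python
TABLE_LEN = 256  # each table on this page is 256 bytes long

# Partially recovered key: table index -> byte. Values are taken from the
# first row of Xor_Ord1_5 above; indexes 4-7 are treated as still unknown.
KNOWN = {0: 0xBB, 1: 0x85, 2: 0x12, 3: 0xA7, 8: 0x53, 9: 0x5C, 10: 0x72, 11: 0xCA}
ROW1 = bytes.fromhex("BB8512A7D7111530535C72CA619FA3AC")


def find_partial_table(image, known, table_len=TABLE_LEN):
    """Return [(offset, table)] for every window whose known bytes all match."""
    if not known or not all(0 <= i < table_len for i in known):
        raise ValueError("known must map indexes inside the table to bytes")
    anchor_idx = min(known)
    anchor = bytes([known[anchor_idx]])
    hits = []
    pos = image.find(anchor)
    while pos != -1:
        start = pos - anchor_idx  # where the table would have to begin
        if start >= 0 and start + table_len <= len(image):
            # Check every known index; unknown indexes are wildcards.
            if all(image[start + i] == b for i, b in known.items()):
                hits.append((start, image[start:start + table_len]))
        pos = image.find(anchor, pos + 1)
    return hits


def filler(n):
    """Deterministic stand-in for unrelated firmware bytes (constructed)."""
    return bytes((i * 37 + 11) % 256 for i in range(n))


def build_sample_image():
    """Constructed image: a decoy at 0x400, a stand-in table at 0x800."""
    decoy = ROW1[:4] + filler(TABLE_LEN - 4)   # matches indexes 0-3 only
    table = ROW1 + filler(TABLE_LEN - 16)      # page's first row + filler
    return filler(0x400) + decoy + filler(0x300) + table + filler(0x200)


if __name__ == "__main__":
    for offset, table in find_partial_table(build_sample_image(), KNOWN):
        print(f"candidate table at 0x{offset:X}: {table[:16].hex(' ')} ...")
```

With only indexes 0-3 known, the decoy at 0x400 matches as well; each additional recovered byte narrows the candidates.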

Of interest is that the file is packaged the same as the newer DSLR firmware files, but that the A firmware is the larger file, while the B firmware is tiny.

I have no plan to start work on a J1/V1 firmware hack presently, as the D5100 work is all-occupying, but people are welcome to come over to the Nikon Hacker forums and discuss this work if they would like to progress it, or help with the DSLR work.

[Update] The A firmware does not appear to be for a Fujitsu FR CPU like the DSLRs are.

Also there are references to “SANYO” and “SANYO Digital Camera” in A firmware, how very strange Nikon.

[Update: 25th March - Thanks to Петр for pointing out that I had a row missing from table three due to cut’n’paste errors]


Comments:

Petr Kudinov 2012-03-18 22:37:31

I’m glad to have helped you. Now I’m writing a universal Nikon firmware decoder.


Simeon 2012-03-18 22:48:29

Thanks again. For the D5100 I knew it could be done, but was not needed, but it was the brain spark needed to crack the J1/V1. Cheers, Simeon.


Petr Kudinov 2012-03-18 23:01:19

Some content analysis and binary mathematics. When an encoding method is known, all becomes easier.


hq 2012-03-19 02:08:18

You guys are great. Keep up the great work.


Petr Kudinov 2012-03-19 03:12:20

Hmm. The last block differs a little from the real one. Checking now.


Simeon 2012-03-19 08:40:18

Not sure what this means. The third XOR block is taken from the V1 firmware, after calculating my own three blocks, and it gives the same decoding as my three XOR blocks.


Petr Kudinov 2012-03-25 08:08:56

I’m done with the beta of nikon_key_finder
Pattern 3 in V1_0111.bin and in V1_0111.bin (at 0x3A9347)

Found pattern 3 at 0x3A3433:
BF B7 80 05 48 DA F0 77 A0 93 E5 0C 07 69 E7 2F
F4 0D 6F D4 2C 3B 1E 43 71 F5 1A A8 57 31 4B 6D
35 8E C8 92 ED 0F C2 D7 B9 58 B2 C5 7B 18 4A 98
3C 11 BB FD AA 41 B5 17 E1 F3 22 5B E4 19 9B 42
81 FF 21 A2 64 B1 5E 23 C0 DE 28 FC 99 F1 0E 9A
D8 83 78 27 5F C3 76 44 1F 86 53 FA 61 8D 12 F7
50 B3 09 1B EC 4D 51 6B D2 33 90 79 5D 97 B0 60
1D 63 EF E9 8F 87 75 06 BC 68 A5 13 D1 26 38 82
BA 04 10 56 AF 34 62 3E 30 5C AC E2 91 45 2B CB
EE 47 2E B8 A9 96 A3 7C FE B6 E0 D3 A6 DF 59 84
32 BD D5 C6 39 A1 A7 BE AD 4E 66 2D F8 9E DC C7
7D 03 70 40 20 8B E6 D9 7E 85 CC 8A 01 16 E8 5A
AB 4C 74 2A 3D C9 72 29 E3 7F 52 94 0A 89 8C 37
1C EA 3A D6 6A B4 C1 65 55 3F F6 08 36 95 0B 9F
73 CD 7A 15 CE 9C 14 CF 46 FB 02 CA DB 88 F9 C4
49 EB DD 6C 00 4F 6E F2 67 24 D0 25 9D 54 A4 AE

Simeon 2012-03-25 09:14:40

I thought I had noted above that I pulled all three tables from the firmware, that’s why our tables are the same….


Simeon 2012-03-25 09:42:29

Thanks for pointing out the missing row in table three.


Calibrator 2012-03-26 06:00:13

“Also there are references to “SANYO” and “SANYO Digital Camera” in A firmware, how very strange Nikon.”

Strange indeed, could have been SONY… ;-)

It could be possible, though, that a (large) part of the firmware is bought - perhaps in a package with the ASIC or components of the ASIC?
Who does the chip manufacturing for Nikon in this case?

And where exactly does Nikon produce the N1? In China, yes, but do they have their own production facilities or do they outsource this? Perhaps Sanyo does most of the manufacturing - according to Nikon’s specs?

And by the way: Sanyo is nowadays a subsidiary of Panasonic Corp. - well known for their mirrorless cameras…
http://en.wikipedia.org/wiki/Sanyo


OsoSolitario 2012-03-26 08:52:09

Sanyo usually works as third party enterprise for Nikon. I think most of Coolpix cameras are made by Sanyo.
So, not so strange to see this label inside 1 series camera.


Simeon 2012-03-26 08:53:22

I knew there would be some reason… Thanks for the explanation.


StMarcus 2012-04-18 16:28:01

Simeon,
The decode of the V1/J1 is good news. Compared to the DSLRs, the possibilities and potential upgrades to these mirrorless cameras are even greater. I wanted to start looking at this firmware, in order to offer my time and effort to this endeavor.
You mentioned that these two are not Fujitsu based. So, the Ntool2 won’t work on them, right? Also, what is the best decompiler to use to work on these firmwares? Any suggestions, direction to the right resource etc. will help greatly, as it has been years since I worked on system level code back in college days, and even then never reverse engineered/decompiled anything.
Thanks