Here’s the first post in my Nikon Firmware investigations.
First, after removing the encryption from the Nikon DSLR firmware bundle file, we should extract each file from the bundle.
From looking at the files I have, there are 0x20 bytes of fluff, then a file count, a header length, and a couple of dummy int32s. Then, for each file, there are 0x10 bytes of file name, the file start, the length, and two more dummy int32s. After that there’s the word ‘checksum’ and some padding bytes.
Thus this code (C#) pulls the files out of the bundle file decoded by the previous post:
    using System;
    using System.Collections.Generic;
    using System.IO;

    // ReadUint32 and ReadString are helper methods that are not shown in this post.
    static void ExactFirmware3(string fileName)
    {
        if (File.Exists(fileName))
        {
            BinaryReader br = null;
            try
            {
                // Open the decoded bundle (fileName + ".out.bin")
                br = new BinaryReader(File.Open(fileName + ".out.bin",
                    FileMode.Open, FileAccess.Read, FileShare.ReadWrite));
                // Skip the 0x20 bytes of fluff
                br.BaseStream.Seek(0x20, SeekOrigin.Begin);
                uint count = ReadUint32(br);
                uint headerlen = ReadUint32(br);
                uint dummy1 = ReadUint32(br);
                uint dummy2 = ReadUint32(br);
                var header = new List<Tuple<string,uint,uint>>();
                // Read Header: one entry per file (name, start, length, two dummies)
                for (int c = 0; c < count; c++)
                {
                    string firmwareName = Path.Combine( Path.GetDirectoryName(fileName),
                        ReadString(br, 16));
                    uint start = ReadUint32(br);
                    uint len = ReadUint32(br);
                    uint hdummy1 = ReadUint32(br);
                    uint hdummy2 = ReadUint32(br);
                    header.Add(new Tuple<string, uint, uint>(firmwareName, start, len));
                }
                // Write each file out next to the bundle
                foreach (var t in header)
                {
                    DumpFile(br, t.Item1, t.Item2, t.Item3);
                }
            }
            finally
            {
                if (br != null)
                    br.Close();
            }
        }
    }

    // Copy len bytes starting at offset start from the bundle into fileName
    static void DumpFile(BinaryReader br, string fileName, uint start, uint len)
    {
        BinaryWriter bw = null;
        try
        {
            bw = new BinaryWriter(File.Open(fileName, FileMode.Create, FileAccess.Write,
                FileShare.ReadWrite));
            br.BaseStream.Seek(start, SeekOrigin.Begin);
            var data = br.ReadBytes((int)len);
            bw.Write(data);
        }
        finally
        {
            if (bw != null)
                bw.Close();
        }
    }
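A defensive variant of the same table parse, written in Python as an added example (not the post's code): it validates the count, offsets and file names read from the bundle before using them, since the extractor above trusts all three. Big-endian field order, the function names and the sample bundle are assumptions; the header length is read but not interpreted.

```python
import struct

PREAMBLE = 0x20                      # "fluff" bytes before the table, per the post
ENTRY = struct.Struct(">16sIIII")    # name, start, length, 2 dummies (big-endian is an assumption)

def parse_bundle(blob):
    """Return [(name, data)] for each table entry, rejecting malformed tables."""
    if len(blob) < PREAMBLE + 16:
        raise ValueError("bundle too short for header")
    # header_len is read to keep the layout aligned; its meaning is not assumed here
    count, header_len, _d1, _d2 = struct.unpack_from(">IIII", blob, PREAMBLE)
    table_off = PREAMBLE + 16
    # A corrupt count must not drive the loop past the end of the file
    if count > (len(blob) - table_off) // ENTRY.size:
        raise ValueError("file count exceeds bundle size")
    files = []
    for i in range(count):
        raw, start, length, _h1, _h2 = ENTRY.unpack_from(blob, table_off + i * ENTRY.size)
        name = raw.split(b"\0", 1)[0].decode("ascii", "strict")
        # The name becomes an output path, so refuse separators and dot entries
        if not name or name in (".", "..") or any(c in name for c in "/\\:"):
            raise ValueError(f"unsafe file name in entry {i}: {name!r}")
        if start + length > len(blob):
            raise ValueError(f"entry {i} runs past end of bundle")
        files.append((name, blob[start:start + length]))
    return files

def build_sample():
    """Constructed two-file bundle in the layout described above (not real firmware)."""
    payloads = [(b"a_test.bin", b"AAAA"), (b"b_test.bin", b"BBBBBBBB")]
    table_off = PREAMBLE + 16
    data_off = table_off + len(payloads) * ENTRY.size
    head = bytes(PREAMBLE) + struct.pack(">IIII", len(payloads), data_off, 0, 0)
    table, body = b"", b""
    for name, data in payloads:
        table += ENTRY.pack(name, data_off + len(body), len(data), 0, 0)
        body += data
    return head + table + body

if __name__ == "__main__":
    for name, data in parse_bundle(build_sample()):
        print(name, len(data))
```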
Now for the D5100 we have two files, a640m010100.bin and b640101b.bin. The D7000 firmware is x75xxxx.BIN, the D3100 is x74xxxx.BIN, D300S is x81xxx.BIN and the D3S is xD3Sxxx.BIN.
All these systems are running the ‘Softune REALOS/FR is Realtime OS for FR Framily’. The Axxxx.BIN firmware is for the IO control CPU (metering, focus, buttons) and the larger Bxxxxx.BIN is the main processor firmware, with the main UI and processing (Fujitsu FR CPU).
Some great insight was found from the D70 Hack Project, which was the only remaining information I found. It’s in German, so thank you Google Translate. Also, the D7000 teardown by Chipworks was very inspiring.
Interested in more? Come join us at Nikon Hacker, or use the Online Patch Tool (Help).