The family was given Monopoly Deal for Christmas, and it’s a fantastic game.
My first game was a six person double deck game, which was slower, and very brutal. Since then I have played many a game with Jacob (single player) and it’s fast and fun.
In fine to twenty minutes, you can compact all the fun and rage of the full 4 hour game, but it’s done, and you can move on so much quicker. It has stealing, ripping people off, double crossing, saying no (it’s a card, but it the best feeling in the game rejecting a big play, just watch out for the reverse no,back at you…).
It’s a very fun game, and while there it can have all the rage of the original it, also can be started and finished within 30 minutes.. so many hands can be played giving the “balance” missing from Monopoly.
A good friend has started reversing an old 16bit Borland C++ (3.1?) program, and had lots of stack push data segment offsets that were not correctly cross referencing.
After telling him the shortcuts for manually fixing the issue (press O for the data segment, or Alt-R for any segment offset), he wrote an IDC script to do it en mass.
Thus (made up example code)
push ds;
mov ax, 0x1234;
push ax
should look like:
push ds;
mov ax, ds:dword_1234;
push ax
Here’s his script:
#include <idc.idc>
static main()
{
auto seg, loc;
auto movloc, movtarget;
auto xref;
auto dsegbase;
dsegbase = SegByName("dseg") * 16;
Message("dsegbase=%x\\n", dsegbase);
Message("========================================\\n");
seg = FirstSeg();
while(seg != BADADDR )
{
Message("----------------------------------------\\n");
loc = SegStart(seg);
if( Byte(loc) != 0xCD || Byte(loc+1) != 0x3F)
{
Message("Fixing indirect push [ds:xx] refs from %s\\n", SegName(seg));
while(loc != BADADDR && loc < SegEnd(seg))
{
if (GetMnem(loc) != "push" || GetOpnd(loc, 0) != "ds")
{
loc = NextHead(loc, BADADDR);
continue;
}
loc = NextHead(loc, BADADDR);
if (GetMnem(loc) != "mov" || GetOpType(loc, 1) != o_imm)
{
loc = NextHead(loc, BADADDR);
continue;
}
movloc = loc;
movtarget = GetOpnd(movloc, 0);
loc = NextHead(loc, BADADDR);
if (GetMnem(loc) != "push" || GetOpnd(loc, 0) != movtarget)
{
continue;
}
// At this point, we know we're pushing a [ds:x] combo.
//Message("%x: mov %s, %s\\n", movloc, movtarget, GetOpnd(movloc, 1));
// Abort if there already exists a Dxref
xref = Dfirst(movloc);
if (xref != BADADDR)
{
continue;
}
Message(" Updating %s:%04x\\n", SegName(seg), (movloc - seg) & 0xffff);
OpOff(movloc, 1, dsegbase);
}
}
seg = NextSeg(seg);
}
}
Just to let people know, yes I’ve been working on understanding the D5100 firmware.
I’ve got most the area’s of code identified (where they are, not what they do), but there are some puzzles, with some chunks of code that are used (eg selects a picture to be shown based on shooting mode) but the code it self is not directly linked to, and it’s address in not present in the image. There is defiantly some form of jump/call table compression/encoding done, as there are functions that do some maths, and then call the result. So that needs to be puzzled out.
So to help map the data (and thus remove possible options from above puzzle), I previous mentioned mapping the jpg’s out:
Embedded Jpg's
As can be seen in this small sample, there’s the icons for the different shooting modes, and three colour schemes.
Last night I was working on using a modified version of BinViz (original found here) and have found how the font’s and overlay text/images are packed, and I am in the process of tracking down how the width/size information is encoded in the associated data tables. Shown below is the same block of data shown, but at two different widths, showing the “Dial” overlays and the “Bulb Time” text:
Overlay Images 2 Overlay Images 1
It’s quite neat looking at the Asian font sets, as the fonts/overlays use subpixel rendering, which can be seen in the green arm of the sports mode dial icon above. Much simpler, the normal overlays are just black/white, and now look better X/Y scaled.
I started a Google Code Project called Nikon Firmware Tools in which I’m placing the tools I’m using and the changes I’m making to them as I go. So interested developers can look there. Sorry only code so far.
For the D7000 A & B, D300S A&B, D3S A & B, D3100 A, D5100 A firmware files use start: 0x0000, mask=0x1021
For all models (D3S, D300S, D7000, D5100 & D3100) the CRC is a normal Xmodem CRC16, the originally reported difference for D5100 & D3100 was due to a XOR error (by me), that is now found & fixed.
static int crcBig(byte[] data, int len)
{
int rem = 0x0;
for (int i = 0; i < len; i++)
{
rem = rem ^ (data[i] << 8);
for (int j = 0; j < 8; j++)
{
if ((rem & 0x8000) != 0)
{
rem = (rem << 1) ^ 0x1021;
}
else
{
rem = rem << 1;
}
rem = rem & 0xFFFF; // Trim remainder to 16 bits
}
}
// A popular variant complements rem here
return rem;
}
For the D5100 B firmware use start= 0x4ed4, mask= 0x1021
D5100 checksum passed, now loading firmware D5100 HaCkEd firmware running.
The D3100 B firmware also matches the same start value, so I’d assume it’s common to both. And the only thing I modified here was the firmware help message, and I’ve not tested if you can load the 1.01 firmware over top it’s self. That is the next step. Also to make a tool (Vitaliy?) the patches and encrypts for you to avoid typo’s.
[Update] Very import and good news, firmware lets you flash same version over top it’s self. Thus my camera is now back running normal Nikon 1.01 firmware. Warranty unbroken! [Update 2: 27 Nov] Fixed CRC code in light of XOR code change.
Yesterday after a couple of suggestions, I added a PayPal donate button, I thought I’d done it correctly, but it appears it didn’t work.
I also said I would be happy to accept money in order to pay for a legit version of IDA Pro. I’ll return the one donation I did get.
I then proceeded to have many emails with Vitaliy about how the work could be done with the free version. While his methods will technically work, I’m just not sure I want to publicly endorse them.
So to avoid offending ‘the scene’ with personal greed, I’m pulling my hat from the race. I’ll just be the guy that solved the encryption and stick with that.
The B firmware is were the major action is, and it’s based on the Fujitsu FR chipset. This seems to be the same chip as used by the earlier Nikon DSLRs and the Pentax cameras.
Looking at the B firmware you can see text, for example English @ 0x5ACC68 to but the table of addresses prior to this text block have the same relative spacing of values but are 0x40000 bytes higher in value.
Text Locations
Browsing elsewhere in the file, shows this pattern holds up for the entire file. You can check by finding some text, ad 0x40000 to the text file address, then search for that resulting hex value, ta-da
So we can assume the code is loaded starting at 0x40000.
Next is what we are going to decode the file with. If you have commercial version of IDA Pro then your in luck as it comes with the Fujitsu FR CPU decoder built in. I only have the free version, so am not so luckly.
Kevin Schoedel however has written a pretty good dissembler for the FR CPU, as part of previous Pentax firmware work. I struggled to get the original code working correctly, so I rewrote it in C# and now understand how to use it, and really appreciate his efforts. But I am left oh-so-much wanting IDA Pro style everything. The worst thing is I almost want to pay the $500USD to have that IDA Pro magic, but if I have that money ‘spare’ why didn’t I just buy the D7000 to start with.
Anyway, my present D5100 B firmware DFR import file looks like:
So once the D5100 1.01 firmware was update was released, I couldn’t help but decrypt it.
As noted in the previous post, the bundle is checksum’ed, but I didn’t mention that each sub-file is also checksum’ed. But you can see the checksum at the end of the files:
File Checksum
Now on some Pentax forum I was reading about people wondering if the checksum was checked. So I altered the help file text for the viewing firmware information to make the ‘c’ of camera upper case.
D5100 Help Text Firmware version
Now the file is just XOR’d with the larger one time pad discussed earlier, and ‘c’ to ‘C’ is just XOR’ing with 0x20, applying the same XOR to the encrypted file at the same location, will have the net result of making the output upper case.
I put this altered firmware on a SD stick, and popped in into the D5100. Long story short, it recognized the update, but once I started the update, it quit really early in the process. The amount of time I’d expect for the checksum to be checked…
Update?
So I then turned to the internet for checksum algorithms, and it doesn’t appear to be a CRC-16-anything, as I brute forced the full possibility space, that was a fun adventure in multi-threading batch processing. Nor does it seam to be a Fletcher’s Checksum.
So now I’m up to searching for the answer in code…
Form my looking at the files I have, there is 0x20 bytes of fluff, then there is a file count, header length, and a couple of dummy int32’s. Then there’s 0x10 bytes of file name, file start, length, and two more dummy int32’s. After that there’s a word ‘checksum’ and some padding bytes.
Thus this code (C#) pulls the files out of the bundle file decoded by the previous post:
Now for the D5100 we have two files, a640m010100.bin and b640101b.bin. The D7000 firmware is x75xxxx.BIN, the D3100 is x74xxxx.BIN, D300S is x81xxx.BIN and the D3S is xD3Sxxx.BIN.
All these systems are running the ‘Softune REALOS/FR is Realtime OS for FR Framily’, the Axxxx.BIN firmware is for the IO control CPU (metering, focus, buttons) and the larger Bxxxxx.BIN is the main processor firmware, with the main UI and processing (Fujitsu FR CPU).
Some great insight was found from the D70 Hack Project, which was the only remaining information I found. It’s in German, so thank you Google Translate. Also D7000 tear by by Chipworks was very inspiring.
I have been having problems activating my new work laptop. And due to being offsite, and a comedy of errors, the issue wasn’t resolved until today, once it had got the “expired” state.
This copy of Windows is not genuine You may be a victim of software counterfeiting
The original activation error was 0xC004F074 and the event log was:
The client has sent an activation request to the key management service machine.
Info:
0xC0020017, 0x00000000, USO-AM-WDS-00:1688, ec1ed660-a0d5-4670-8fb1-663d1e70ba40, 2011/10/25 18:32, 0, 2, 27420, ae2ee509-1b34-41c0-acb7-6d4650168915, 25
Today my IS people provided a .bat that fixed it, that contained:
@echo off
slmgr.vbs /ckms
slmgr.vbs /ato
This needed to be run as administrator. Reading the Microsoft help for slmgr.vbs shows the first command reset the Activation registry settings, and the second triggers activation.
OMG I am so happy, the D5100 (which I own) has had a firmware update released. Now I can look at it’s firmware instead of the D3100 and D7000 model camera’s. Also I can then compare it to the D7000 to get upgrade ideas….
