How to decode the Nikon DSLR firmware

The firmware for the current generation Nikon DSLR camera’s have the firmware files packed into a single package, and this is then ‘encrypted’.

The package files is just XOR’ed with a three layer nested XOR pattern.

The first layer is a 256 byte pattern that is repeated across the file, then next over this there is a 256 byte pattern that is applied one byte at a time across each layer one pattern iteration. This is repeated again with another (layer three pattern) of 256 bytes that are applied, one byte at a time across the layer two pattern. Thus creating a one time pad that covers 2^24 bytes or 16MB. And what luck the largest firmware package Nikon has produced for the D3100 is 16MB.

So the code to un-XOR a file:

static void ExactFirmware4(string fileName)
{
  if (File.Exists(fileName))
  {
    BinaryReader br = null;
    BinaryWriter bw = null;

    try
    {
      br = new BinaryReader(File.Open(fileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite));
      bw = new BinaryWriter(File.Open(fileName + ".out.bin", FileMode.Create, FileAccess.Write, FileShare.ReadWrite));

      int count = (int)br.BaseStream.Length;
      byte[] data = br.ReadBytes(count);

      for (int i = 0; i < count; i++)
      {
        int ord1_idx = i & 0xFF;
        int ord2_idx = (i >> 8) & 0xFF;
        int ord3_idx = (i >> 16) & 0xFF;

        int b = data[i] ^ Xor_Ord1[ord1_idx] ^ Xor_Ord2[ord2_idx];
        int fix = Xor_Ord3_Eye[ord3_idx] ^ fixKnownTRUE[ord3_idx];

        data[i] = (byte)(b ^ fix);
      }

      bw.Write(data);
    }
    finally
    {
      if (br != null)
        br.Close();
      if (bw != null)
        bw.Close();
    }
  }
}

The code above refers to four Xor data sets. The first two Xor_Ord1 and Xor_Ord2 were found by just looking at the files. The fixKnownTRUE was found by searching all possible comibinations of XOR mask, and then search for text like ‘Nikon’ or other words observed in the older non-encrypted firmware files. Then the last set of data Xor_Ord3_Eye were found by looking at the transitions from block to block, and where one end with fifty 0xFF and the next had fifty 0xAD the next value was 0x52. That left a very few number of blocks that still were unknown, and for those I mainly used the difference in file alignment between the two D7000 firmware releases to see the same byte clean and encrypted.

So the actually useful stuff, the XOR data patterns:

static byte[] Xor_Ord1 = {
0xE8, 0xFE, 0x46, 0xE3, 0x7D, 0xAB, 0x5C, 0xB9, 0xA5, 0x53, 0xC4, 0xC7, 0x32, 0xCD, 0x9C, 0xED,
0x94, 0x67, 0x4E, 0x5B, 0x48, 0x3A, 0x52, 0xB6, 0x34, 0xF7, 0x8E, 0x12, 0x90, 0x98, 0x82, 0x3C,
0x09, 0x2B, 0x68, 0xA8, 0x24, 0xD5, 0x10, 0x9D, 0x9A, 0xD9, 0xA9, 0x7F, 0x50, 0x4B, 0xDD, 0x9E,
0x62, 0x1C, 0x6A, 0x64, 0x02, 0x11, 0xDA, 0x4A, 0x6E, 0x35, 0xBD, 0xA0, 0xB1, 0xD7, 0xDE, 0x83,
0x5D, 0xE5, 0x5E, 0xCC, 0xDB, 0xAC, 0x18, 0xE2, 0x25, 0x69, 0x07, 0xBC, 0x39, 0x97, 0x14, 0xEB,
0xB2, 0x73, 0x36, 0x8A, 0x99, 0xB8, 0x1E, 0x2E, 0xEF, 0x93, 0xBA, 0xEE, 0xF5, 0xC5, 0x7B, 0x74,
0x8D, 0xE1, 0xC3, 0x4F, 0x41, 0x42, 0x6C, 0xE6, 0xA2, 0x06, 0x6F, 0x85, 0x2A, 0x2F, 0x1B, 0x38,
0x08, 0xAF, 0x44, 0x00, 0x33, 0x63, 0x91, 0x22, 0x87, 0x70, 0xB0, 0x43, 0xB5, 0x66, 0xE0, 0xFF,
0x30, 0xAD, 0x8F, 0xC1, 0xF4, 0xEA, 0xF9, 0xF6, 0x51, 0xD6, 0xD4, 0x3E, 0x04, 0x72, 0x3D, 0x54,
0x78, 0xC0, 0x7E, 0x26, 0xFA, 0x56, 0x58, 0xC9, 0x55, 0xC8, 0xA6, 0x16, 0x23, 0x84, 0xB7, 0xCB,
0x45, 0x7C, 0xD8, 0x7A, 0x27, 0x2D, 0xCA, 0x03, 0x3F, 0x17, 0x0B, 0x57, 0xBB, 0x3B, 0xF0, 0x49,
0x1F, 0xD1, 0x86, 0x80, 0x95, 0x20, 0x6B, 0xC6, 0xBF, 0xAA, 0x79, 0xD2, 0x75, 0xCF, 0xAE, 0xD0,
0x5F, 0xF1, 0x61, 0xF3, 0xFB, 0xCE, 0x29, 0x65, 0x0F, 0x31, 0x2C, 0xFD, 0x76, 0x0C, 0x4C, 0x4D,
0x60, 0xF8, 0x88, 0x6D, 0xA4, 0xEC, 0x9B, 0x92, 0x47, 0xA1, 0xE4, 0x21, 0xFC, 0x81, 0xA7, 0xC2,
0x0E, 0xA3, 0x40, 0x0D, 0x8B, 0x59, 0x96, 0x37, 0xE7, 0xF2, 0x77, 0x1D, 0x28, 0x0A, 0x8C, 0x5A,
0x15, 0x9F, 0x01, 0xB3, 0xD3, 0xBE, 0xB4, 0x1A, 0x89, 0xE9, 0x13, 0x05, 0xDF, 0xDC, 0x71, 0x19,
};

static byte[] Xor_Ord2 = {
0x76, 0x0F, 0x43, 0xD9, 0xDB, 0xDC, 0x9B, 0x49, 0x4E, 0x42, 0xB7, 0x9F, 0xEC, 0x55, 0x19, 0x11,
0x58, 0x23, 0x69, 0xA2, 0xB8, 0x68, 0xE8, 0x2B, 0x91, 0xF3, 0x1A, 0x34, 0xED, 0x0A, 0x06, 0x89,
0xB2, 0x79, 0x2A, 0xC8, 0xEE, 0xA3, 0xB5, 0xD0, 0xFD, 0x17, 0xF9, 0xCE, 0x74, 0x39, 0x47, 0xC5,
0xC1, 0x5D, 0x86, 0x7F, 0x6A, 0xAB, 0xE5, 0xF5, 0xC9, 0x96, 0x71, 0x1C, 0x09, 0x25, 0xD3, 0x8C,
0x0C, 0x02, 0xB1, 0x48, 0x7C, 0x46, 0x3E, 0x08, 0x7B, 0x01, 0x54, 0x6B, 0xB9, 0x4F, 0xCD, 0xF1,
0x51, 0x50, 0x59, 0xA4, 0xA7, 0x6C, 0x3F, 0xB6, 0x9D, 0xBC, 0x4C, 0x9E, 0x16, 0x37, 0xA1, 0xC0,
0x6E, 0xE2, 0xDA, 0x3D, 0x22, 0xCB, 0xE7, 0x5B, 0x98, 0x53, 0x92, 0x36, 0x90, 0xAC, 0x31, 0x24,
0x21, 0xC6, 0x63, 0x35, 0xB4, 0x5C, 0x1F, 0x77, 0x4A, 0xE4, 0x0D, 0x13, 0x8D, 0xC7, 0x99, 0x7E,
0x81, 0x3C, 0x60, 0x28, 0xF0, 0xBF, 0x82, 0x2C, 0x78, 0x7A, 0x5F, 0x93, 0x84, 0x70, 0xEA, 0x9A,
0x8E, 0xD2, 0x27, 0xE0, 0xCF, 0x6D, 0x10, 0x9C, 0x56, 0x07, 0x12, 0xFA, 0x26, 0x97, 0x80, 0xE3,
0xE1, 0x61, 0x8A, 0x75, 0xA9, 0x5A, 0xDE, 0x1E, 0x5E, 0x4D, 0x66, 0x0E, 0xBA, 0x4B, 0x20, 0x40,
0xA8, 0x8F, 0x52, 0x7D, 0xDF, 0xE6, 0xAF, 0x6F, 0xBE, 0xFC, 0x94, 0xA0, 0x3A, 0x33, 0x45, 0x14,
0x62, 0x00, 0x87, 0xAE, 0xB3, 0x8B, 0xD4, 0xCA, 0xFF, 0xE9, 0x04, 0x88, 0xCC, 0x41, 0xD7, 0xD6,
0xBB, 0x95, 0x32, 0x18, 0xF8, 0x72, 0x65, 0x3B, 0x29, 0xAD, 0x44, 0x1B, 0xC2, 0xD8, 0x1D, 0xA5,
0xDD, 0x67, 0xD5, 0x30, 0xA6, 0xEF, 0x2F, 0xF2, 0x83, 0x2D, 0x03, 0xBD, 0x15, 0x2E, 0xD1, 0x73,
0x57, 0xAA, 0xFB, 0x85, 0xF4, 0x64, 0x0B, 0xC4, 0xF7, 0xEB, 0x38, 0xC3, 0xF6, 0x05, 0xFE, 0xB0,
};

static int[] Xor_Ord3_Eye = {
/*0*/ /*1*/ /*2*/ /*3*/ /*4*/ /*5*/ /*6*/ /*7*/ /*8*/ /*9*/ /*a*/ /*b*/ /*c*/ /*d*/ /*e*/ /*f*/
/*00*/ 0x00, 0x25, 0x06, 0xbb, 0xe3, 0x82, 0x70, 0xce, 0x86, 0xfb, 0x100, 0x3a, 0xf8, 0xbf, 0x76, 0xf5, /*00*/ // 0x0a is 0x00, therefore put 0x100.  
/*10*/ 0xc3, 0xf6, 0x9d, 0x9e, 0x10, 0x00, 0xfc, 0x9c, 0xdd, 0x12, 0x46, 0x93, 0x4f, 0xa6, 0xad, 0x68, /*10*/  
/*20*/ 0x94, 0xb8, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa9, /*20*/  
/*30*/ 0x3e, 0x00, 0x00, 0x00, 0x00, 0xaa, 0xba, 0xb2, 0xd0, 0x79, 0xa5, 0x00, 0x00, 0x6a, 0x00, 0xd4, /*30*/  
/*40*/ 0x83, 0x55, 0x87, 0x9b, 0x5c, 0x27, 0xab, 0x77, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*40*/  
/*50*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*50*/  
/*60*/ 0x00, 0x00, 0xcb, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*60*/  
/*70*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbe, 0x37, 0x90, 0xe8, 0x3b, 0x92, /*70*/  
/*80*/ 0x35, 0x4b, 0xd2, 0xd7, 0xd8, 0x0e, 0x51, 0x8b, 0xb0, 0xec, 0x4c, 0xb9, 0x59, 0x2e, 0x66, 0x54, /*80*/  
/*90*/ 0xb5, 0xd1, 0x00, 0x1E, 0x0f, 0x5a, 0xc4, 0xcd, 0xeb, 0x4e, 0x7c, 0x74, 0x8e, 0xfa, 0x81, 0xe2, /*90*/  
/*A0*/ 0x7f, 0x9a, 0xa8, 0x5f, 0x32, 0x89, 0x98, 0x07, 0x39, 0xc0, 0x38, 0x1f, 0x01, 0xe0, 0x8d, 0x1d, /*A0*/  
/*B0*/ 0xf3, 0x96, 0x57, 0xa0, 0x0b, 0xed, 0x09, 0x18, 0x8c, 0xf4, 0x0d, 0x21, 0xd9, 0x23, 0x78, 0xa1, /*B0*/  
/*C0*/ 0xc1, 0xfe, 0x3c, 0x30, 0x73, 0x5d, 0x40, 0x99, 0xb6, 0x6c, 0x7b, 0x14, 0xca, 0xc2, 0xe6, 0x8a, /*C0*/  
/*D0*/ 0xe9, 0xae, 0x7a, 0xd6, 0xf1, 0x3d, 0xa4, 0x34, 0x2b, 0xda, 0x63, 0x84, 0xb3, 0xaf, 0x88, 0xb7, /*D0*/  
/*E0*/ 0x45, 0x97, 0xdc, 0x20, 0x17, 0x3f, 0x4a, 0x52, 0x03, 0x33, 0xdf, 0xd3, 0x04, 0x69, 0x91, 0xf0, /*E0*/  
/*F0*/ 0xf9, 0xcc, 0x50, 0x44, 0xff, 0x80, 0x58, 0xf7, 0xc9, 0x60, 0x6b, 0x53, 0xa7, 0x85, 0xee, 0x1c, /*F0*/  
};  
  
static byte[] fixKnownTRUE = {  
/*00*/ 0x2f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*00*/  
/*10*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*10*/  
/*20*/ 0x00, 0x00, 0x00, 0xe1, 0x62, 0x5b, 0xcf, 0x67, 0x00, 0xe7, 0x48, 0x0c, 0x7e, 0x7d, 0xb1, 0x00, /*20*/  
/*30*/ 0x00, 0x1b, 0xc5, 0x0a, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xdb, 0xc6, 0x00, 0xa3, 0x00, /*30*/  
/*40*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x36, 0x42, 0x61, 0x2d, 0xb4, 0x4d, 0x1a, 0x9f, /*40*/  
/*50*/ 0x64, 0x8f, 0xd5, 0x43, 0x05, 0x24, 0x72, 0x02, 0x41, 0x15, 0x6d, 0x6e, 0x47, 0x26, 0x65, 0x13, /*50*/  
/*60*/ 0x49, 0x95, 0x00, 0x00, 0xef, 0x6f, 0x2c, 0xbd, 0xfd, 0xac, 0x31, 0xde, 0x2a, 0x5e, 0x29, 0xa2, /*60*/  
/*70*/ 0xbc, 0x28, 0xc7, 0x56, 0xc8, 0x16, 0x75, 0xe4, 0x19, 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*70*/  
/*80*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*80*/  
/*90*/ 0x00, 0x00, 0xe5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*90*/  
/*A0*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*A0*/  
/*B0*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*B0*/  
/*C0*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*C0*/  
/*D0*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*D0*/  
/*E0*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*E0*/  
/*F0*/ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /*F0*/  
};  

This was a very satisfying puzzle/project. Finding the layers of XOR was like parse the parcel as each layer was found.

I’ve read a lot of forum threads about people wanting the verious versions of the Nikon firmware hacked, it’s not happened so far, so I’m not to concerned what I’ve done, has distroyed value for Nikon.

So while it could be fun to sit down and try reverse engineer the code, I think I’m more interested using my camera to take photo’s.

[Updated: 26th Nov] fixed x93, x94, x95 in Xor_Ord3_Eye as these were missed

 

Interested in more, come join the us at Nikon Hacker, or use the Online Patch Tool (Help)

We are looking for C++ Developers

Well I didn’t say anything last time we posted C++ developer job roles, but we currently have two openings for C++ developers as permanent Caterpillar employees, so if you have 4+ year experince in C++ and you want to live in the greater Peoria, IL area.

go to http://www.caterpillar.com/careers/job-opportunities/job-search

then click on ‘Agree‘ at the bottom

click on the ‘Search for Jobs Now‘ button on the left

scroll down to ‘Job Opening ID:‘ and enter 89466

Job posting closes on the 11:59 pm (CST) on Monday, November 14, 2011.

Learn more about Team Caterpillar

Best Earplugs

At the test facility at work, they have bins of colorful earplugs that look like this:

earplugs
earplugs

No they are not the big… but they are really good. As they were in bulk I never knew the brand.

But today I noticed some different packaging in the ear protection bin by our workbench area, and found these individually wrapped. Moldex Sparkplugs is the product, and that ‘random color’ is a registered trade mark.

Amazon has 200 pairs for ~$20.

Movies: New Personal Best

The new PB for movie watching on a plane, six movies, and the last one finished 1 minute before landing. That’s good timing, even if I do pat myself on the back. The flip-side is that I’ve not slept in the last 24 hours, and I have another 7 hours till I land back in P-Town.

So the movies where:

  • Just call me nobody - A great Kung-Fu movie with great star-wars references

  • Thor - A very cheesy cartoon remake

  • Bridesmaids - Yes I finish it this time. It was quite good in the end, not exactly what I’d expected

  • Pirate of the Caribbean: On Stranger Tides - A slightly better PotC plot as compared to the earlier in the series, unfortunatily there were many gaps left open for yet-another-sequel….

  • The Switch - ok movie if not a little predictable at times

  • Arthur - very much what you might expect from the cover, blurb

So I’m starting to get a real fancy for Kung-Fu movies when flying. They are so cheesy and simple plotted, but action fun packed. Kind of like the old Arnie movies but with swords instead of bullets. Also of note was the sillest of the movies Artur was the only one I cried in, and I put that all down to mental fatigue after 12 hours of movies and not at all that the completely hapless lead character finally started to get a small grip on reality.

LAX Air New Zealand Lounge

Well I’m in LA now, Woot!, hoping the Air NZ lounge makes up for the hassle of going through security a second time…

LAX Sunny As Always
LAX Sunny As Always

OMG, this place is heaven compared to downstairs…

LAX Air NZ Gate
LAX Air NZ Gate

There’s Rugby on the TV, there’s really nice food, beer, wine & spirits.

LAX Air NZ Lounge
LAX Air NZ Lounge

Comfortable chairs, power points, and free Wi-Fi.

Now I just need to work-out how to keep my Gold status…

On my way back to New Zealand

Well, it’s that time of the of the year, so I’m traveling for work. Strangely for the last four years, I’ve done a NZ - USA trip, and this one was a bit of a surprise trip.

Anyway, I’m currently at Denver (DIA) in the United Red Carpet Club, and it’s so much better that hanging out in the terminal. Free Wifi, free coffee (instant machine stuff) and small snack items. Oh and the seats are comfortable.

Not so keen for the 9 hours I have in L.A. but there is an Air New Zealand lounge there so it shouldn’t be too bad ;-)

I read a travel tip somewhere suggesting carrying a power strip, and presently that would be useful, as the one near me is has both port blocked by someone’s huge MacBookPro power brick.

Pointless Post: 20K SPAM Barrier Hit

Woot!, I just passed the 20,000 SPAM barrier

20K Spam comments on blog
20K Spam comments on blog

Had been awaiting this for a few weeks, but the spam rate has recently dropped, so it didn’t occurs as soon as I expected…

can of spam
can of spam

Talking of SPAM, I had some the other day, because you know, it’s sold here. It was disturbing that in the ingredients listed “Pork with Ham”, ummm ham is pork, so then what is the pork? Opening the can it smelt like cat food, and tasted as I’d always expected cat food to be like. I fried some up, and it was better, but I’ll never eat it again, unless there some sort of end-of-world event. Also of interest, is notice on the can picture, the thing you can’t really see below the cheese in the burger, that’s the product in the can.

Spearman's Rank Correlation in Numbers

Michaela is doing a biostatistics paper, and today she was working on calculating Spearman’s Rank Correlation. While she was doing this by hand, I set about doing it in Numbers.

The tricky part was the ranking, as the textbook says to give equal ranking items the ‘average of the ranks’ they would have if unique, thus the values {10, 11, 11, 12} have the rank’s {1, 2.5, 2.5, 4}. The RANK function in Numbers gives nth equals ranking (thus giving {1, 2, 2, 4} for the prior data).

To calculate Spearman’s Rank for value A2 from column A use (in C2 for example):

=RANK(A2,A,1)+((COUNTIF(A,A2)-1)/2)

Pulling the formula down for all values in A (giving the ranks of A in column C). Do again for the second of the paired values in B (into column D). You then can calculate d and thus calculate d2 in their own columns and finally get Σd__2.  With n in cell H3 and Σd__2 in cell H2 you can pop this into a cell:

=1-((6*H2)/(POWER(H3,3)-H3))

and get your r__s

Looking at the Wikipedia article, it has a single line Excel formula, but the Numbers RANK function is not as complete as Excel’s, so you can’t use it. The formula also uses the CORREL function, but that is a linear regression, not the Spearman’s regression, so it’s not much use here either. Thus it seems you need an ugly table like this it after all:

Spearman's rank correclation in Numbers
Spearman's rank correclation in Numbers

This all applies to Numbers ‘09.