New Transformers are Crazy Hard

When I was ten, Transformers were not that hard to transform.

Meet modern Bumblebee,

This transformer was crazy hard to transform. In the couple of days I was visiting with the 4 year old owner, the head “popped off” multiple times, and I couldn’t get it back on without feeling I was going to break the toy. Luckily said child’s mother had the magic touch.

But transforming challenge aside, it was a pretty cool model/toy. Just not like the Starscream or Optimus Prime of my days gone by….

Posted in Toys

Expectation Stress

Wow, since doing the easy work of decrypting the newer Nikon firmware, I’ve felt an immense pressure to pull another rabbit from the hat, when in reality the last reverse engineering project I worked on took years (2-5), and thus I’m feeling really burnt out: a) due to trying to find the next “cool” insight, and 2) wanting to be part of the action, and keep up with what others are finding. (The index scheme is an insider’s joke.)

To this end, I point would-be helpers to nikonhacker.com; I’ve been contributing there as best I can.

It’s very addictive having such large inflows of traffic to your site/blog, so I was reluctant to redirect it, but I have also felt since November a pressure not to post stupid stuff like I used to, or am about to post, and thus have been silent (besides the travel and working on things that are not up for chatter).

So there’s my Nikon update…. I have been having a good family holiday.

Posted in Uncategorized

Monopoly Deal

The family was given Monopoly Deal for Christmas, and it’s a fantastic game.

My first game was a six-person double-deck game, which was slower, and very brutal. Since then I have played many a game with Jacob (single player) and it’s fast and fun.

In five to twenty minutes, you can compact all the fun and rage of the full 4 hour game, but it’s done, and you can move on so much quicker. It has stealing, ripping people off, double crossing, saying no (it’s a card, but it’s the best feeling in the game rejecting a big play; just watch out for the reverse no, back at you…).

It’s a very fun game, and while it can have all the rage of the original, it also can be started and finished within 30 minutes, so many hands can be played, giving the “balance” missing from Monopoly.

Posted in Games

IDA Script: Fixing 16-bit pushed data segment references

A good friend has started reversing an old 16-bit Borland C++ (3.1?) program, and had lots of stack-pushed data segment offsets that were not correctly cross-referenced.

After telling him the shortcuts for manually fixing the issue (press O for the data segment, or Alt-R for any segment offset), he wrote an IDC script to do it en masse.

Thus (made-up example code):

push ds
mov ax, 0x1234
push ax

should look like:

push ds
mov ax, ds:dword_1234
push ax

Here’s his script:

#include <idc.idc>

static main()
{
    auto seg, loc;
    auto movloc, movtarget;
    auto xref;
    auto dsegbase;

    // Linear base of the data segment: for 16-bit code the segment
    // selector is the real-mode paragraph, so paragraph * 16 = linear base.
    dsegbase = SegByName("dseg") * 16;
    Message("dsegbase=%x\n", dsegbase);

    Message("========================================\n");
    seg = FirstSeg();

    while(seg != BADADDR )
    {
        Message("----------------------------------------\n");

        loc = SegStart(seg);

        // Skip segments that start with "int 3Fh" (CD 3F), the Borland
        // overlay manager stubs, which contain no real code to fix.
        if( Byte(loc) != 0xCD || Byte(loc+1) != 0x3F)
        {
            Message("Fixing indirect push [ds:xx] refs from %s\n", SegName(seg));

            while(loc != BADADDR && loc < SegEnd(seg))
            {
                // Pattern: push ds / mov reg, imm16 / push reg
                // i.e. a far pointer ds:imm16 being pushed as an argument.
                if (GetMnem(loc) != "push" || GetOpnd(loc, 0) != "ds")
                {
                    loc = NextHead(loc, BADADDR);
                    continue;
                }
                loc = NextHead(loc, BADADDR);

                // Second instruction must load an immediate into a register
                if (GetMnem(loc) != "mov" || GetOpType(loc, 1) != o_imm)
                {
                    loc = NextHead(loc, BADADDR);
                    continue;
                }
                movloc = loc;
                movtarget = GetOpnd(movloc, 0);
                loc = NextHead(loc, BADADDR);

                // Third instruction must push the register that was just loaded
                if (GetMnem(loc) != "push" || GetOpnd(loc, 0) != movtarget)
                {
                    continue;
                }

                // At this point, we know we're pushing a [ds:x] combo.
                //Message("%x: mov %s, %s\n", movloc, movtarget, GetOpnd(movloc, 1));

                // Abort if there already exists a Dxref (operand already fixed)
                xref = Dfirst(movloc);
                if (xref != BADADDR)
                {
                    continue;
                }

                // Convert the immediate into an offset relative to dseg,
                // which creates the data cross-reference (same as pressing O).
                Message("  Updating %s:%04x\n", SegName(seg), (movloc - seg) & 0xffff);
                OpOff(movloc, 1, dsegbase);
            }
        }

        seg = NextSeg(seg);
    }
}
Posted in Programming

Nikon Firmware Insights #05

Just to let people know: yes, I’ve been working on understanding the D5100 firmware.

I’ve got most of the areas of code identified (where they are, not what they do), but there are some puzzles, with some chunks of code that are used (e.g. selecting a picture to be shown based on shooting mode) but the code itself is not directly linked to, and its address is not present in the image. There is definitely some form of jump/call table compression/encoding done, as there are functions that do some maths and then call the result. So that needs to be puzzled out.

So to help map the data (and thus remove possible options from the above puzzle), I previously mentioned mapping the jpgs out:

As can be seen in this small sample, there’s the icons for the different shooting modes, and three colour schemes.

Last night I was working on using a modified version of BinViz (original found here) and have found how the fonts and overlay text/images are packed, and I am in the process of tracking down how the width/size information is encoded in the associated data tables. Shown below is the same block of data, but at two different widths, showing the “Dial” overlays and the “Bulb Time” text:

It’s quite neat looking at the Asian font sets, as the fonts/overlays use subpixel rendering, which can be seen in the green arm of the sports mode dial icon above. Much simpler, the normal overlays are just black/white, and now look better X/Y scaled.

I started a Google Code project called Nikon Firmware Tools in which I’m placing the tools I’m using and the changes I’m making to them as I go, so interested developers can look there. Sorry, only code so far.

Posted in Uncategorized