Throughout this Q10 disassembly page I will try to keep things as simple as
possible, so you can start reading it with no special knowledge and still,
by the end, be able to disassemble firmware 1.03 of the Pentax Q10 yourself,
as simply as that.
Stacking is very efficient at maximizing the SNR of low-light RAW files that contain random noise only. This is now possible because dark-current levels have been
divided by 10^6 since the first CCD sensor in 1990. Pixel Response Non-Uniformity (PRNU)
levels have been lowered a lot too. Tartan fabric, pattern noise and banding have been
absent (5/5) since the Pentax K5's Sony 071 Exmor. The Exmor R sensors, the Pentax Q10's 078 and the
Samsung NX mini's 183, are top performers: addressing transistors and wiring moved under
the photodiodes allow the best quantum efficiency. Analog CDS before the ADC and
digital correlated double sampling after the analog-to-digital converter lower PRNU
to never-seen levels. Astro pictures from Exmor sensors, with no other frames
than 3-4 flat-fields and only a few sub-frames, are far better than what I got with
my EOS 20D/5D with bias maps, dark frames, dark+flat-fields and sub-frames!
Sometimes more than 100 frames in total, and the results were just acceptable, with
huge amp glow ruining each sub-frame. The Pentax K5 is the very first CMOS ILC
that totally gets rid of any amp glow, even during 25-minute exposures (I tested)!

How could such a huge improvement be seen from the Pentax Q10 to the Samsung NX mini?
Because RAW smoothing destroys the random-noise-only condition by introducing
artifacts and by erasing many of the faintest true stars from the RAW files. Astro pictures
require true RAWs, avoiding any RAW smoothing or star eating; the smoothing
of the K5's RAW files begins at ISO 2000. Who will use the Pentax K-5 at ISO 2000,
knowing that it has no analog amplification after ISO 80? It is far easier
to get a very high SNR by stacking a handful of ISO 80 long exposures than with 60
ISO 1600 30-second exposures. But I'm still the only one using my K5 at its best, ISO 80.
Low-light RAW SNR maximizing: smoothing NR is the true enemy of stacking.
That is why I am so curious to see the results of the Q10 with 4-minute exposures at
ISO 400 (see the NX mini's results) and with the very minimal RAW file smoothing.
Guys, it has been 9.5 years since I achieved the disassembly of the Q10 firmware!
MIPS processors are of the RISC type, which means it is very hard to understand what is
going on at "this address" in the FW, because each RISC instruction, taken alone, is meaningless.
It is somewhat as if one tried to figure out a landscape by looking at grains of sand.
I would need a MIPS decompiler to keep working on the Pentax Q10 firmware.
Even if there are errors in the listing, the more sophisticated statements will teach
us what is going to happen at "this address" in the FW. With both listings in hand,
the disassembly and the decompilation, the FW will be far easier to understand.
No matter if the decompiled statements are BASIC, C, Pascal, Forth, etc.,
the goal is to get bigger bricks than sand grains to figure out the things in the FW.
With both listings under our eyes, doubts and errors will "auto-correct" themselves.
Who knows about such a decompiler tool producing BASIC, C, Pascal or Forth?
Many thanks in advance, guys. Next is the huge difference with vs. without RAW NR.
This was just to introduce the two first hacking projects that start this Pentax Q10 page.
What Features the Pentax Q10 Is Mostly Missing
On July 31, 2014, the tiny Pentax Q10 I bought for € 170 was delivered.
After a few tests, I am convinced that
its 1/2.3" BSI sensor is very sensitive. I decided to
download the latest firmware, v1.03, then to find tools to disassemble it.
My project is to try to overcome the crippling
limitations of the Pentax Q10.
- Hack the Noise Reduction setting from "Low-Normal-High" to "OFF-Normal-ON".
"Low-Normal-High" is automatic NR depending on exposure, ISO and temperature;
the goal is two new settings: no NR at all as the OFF setting, and NR
always ON. The string "GetSlowShutterNoiseReductionId", found
at 0x0DA:421A in the v1.03 firmware (a function name), may be
a useful track to begin with. Another string, "SetBulbExposureStartTemperature",
found at 0x0D9:871D, is to be considered too.
- The 30 s Bulb/Manual exposure limit has to be raised to 240 s if
possible. Many cameras with tiny CMOS sensors are able to reach at
least 60 s or even 240 s. This may be impossible
if 30 s is a hard limitation of the shutter device. The
strings "ShutterInit/Open/Delay/Speed/Close" that I found inside the
1.03 firmware (function names) are perhaps the useful
tracks to begin with. Even on warm summer nights, I never had
the "Camera Temperature" going much higher than the ambient
temperature, although the imx078
can achieve Full HD at 60p. I got the camera
temperature in EXIF by taking a short exposure right after a series of 30 s ones, because
the camera temperature is not recorded in EXIF with 30 s exposures!
- A 3rd hack should be to record the "Camera Temperature" in the EXIF data at all
times, and not only for short or medium exposures; this is the simplest one to do.
The strings "BulbExposure/DisplaySensor/GetCamera/StoreSensor/Temperature"
inside the v1.03 firmware (function names) may be useful tracks to begin with.
What a Firmware's Purpose Is and How It Is Built
The purpose of a firmware is to keep in flash memory all the drivers and
software functions needed by an electronic device and, on
top of them, the user interface, so that everyone can use the device
in the safest and easiest way. In a camera, for
example, many devices need to be managed electronically through a
driver: the shutter, the iris, the flash, the sensor,
the DSP, the memory, the SD card... The software functions are:
smoothing the noise in the RAW file before writing it, interpolating
the RAW file to get a JPEG picture through a profile and then writing it,
etc. The user interface is the graphic tool that lets you
use all these drivers and all these functions together via
buttons or menu choices on the LCD screen.
You can easily picture the firmware as an aggregate of many
drivers, functions, a user interface and fonts, many
of them with both code sections and data sections.
It would be too simple if there weren't also two ways to store a
multi-byte value (16, 32 or 64 bits) in memory: most significant byte
first, called big-endian, and least significant byte first, called
little-endian, depending on the device and the software function in the
section you are in. A disassembler that reads 32-bit instruction words
in the wrong byte order sees nothing but garbage, which is exactly what
happens with part 1 of this firmware further down this page.
HexEdit: Viewing the FW, Writing the Mapfile
HexEdit is a free ASCII/hexadecimal viewer and editor; thanks to its creators.
The first thing is to set HexEdit to display: 1) the address as 3 hex bytes,
from "00:0000" to "EC:00E0" here; 2) the data as 8*4 hex
bytes, from "00" to "1F"; 3) the data as ASCII chars, from
"00" to "1F". The exact setting in the 'View' tab is:
Display-Mode = Both-Areas, Char-Set = ASCII, Control-Chars = None. The
minimum horizontal resolution is 1280 pixels; 1366+ pixels is just fine.
First, write all 11 ELF headers with
their start and end addresses in your mapfile. Then you have to
write to the mapfile every address you think is the start of a code section,
then every address you think is the start of a data section;
also, every readable string of characters should be written as a
//comment in the middle of the mapfile line.
It is a long and tedious job, but mandatory for the disassembler to
work well. I would have liked to find an AI recursive mapfile
builder, but couldn't find any in 2014! If you know a
mapfile builder that works for MIPS processors, let me know.
The Aerial View in the 'Aerial' tab is helpful to reveal the borders from code to data
and vice versa. Toggling the whole view to ASCII (Display-Mode =
Char-Area) is sometimes a good option too: see the screenshot
of HexEdit below ~>
In the 'Operations' tab, the command 'Flip Bytes' with the option 'Double Word 32-bit'
byte-swaps a part of the FW so that a little-endian part can be read in
big-endian mode, i.e. by a disassembler reading the rest of the FW. Download
HexEdit here ~>
HexEdit searching for the string
"Imx078" in the Q10 v1.03 firmware shows a full screen of
function labels, 8 of them containing the string "Imx078".
Useful Information Inside the Q10 Firmware
The Pentax Q10 is powered by a MIPS RISC processor, and...
- Was the Q10 v1.03 FW built with the MIPS Software Development Environment? 282 occurrences of the string "mipssde" were found.
- Was the Q10 v1.03 FW user interface built on an RTOS? 122 occurrences of "Rtos" were found.
- Was the Q10 v1.03 FW built by ZORAN Corp., Ebisu, Tokyo, Japan? 34 occurrences of "ZORAN" were found, from 0x088:4AC3 on.
- The Q10 v1.03 FW contains 26 references to SONY devices (LCD...): 26 occurrences of "SONY" were found, from 0x009:21CB on.
- The Q10 BSI CMOS sensor is an Imx078cqk device made by Sony: 8 occurrences of "Imx078" were found, from 0x0CA:932A on.
- Is the Q10 memory device / management made by Express Logic Inc.? 2 occurrences of "Express Logic Inc." were found, from 0x009:8428 on. (Express Logic is the vendor of the ThreadX RTOS, which fits the "Rtos" strings above.)
- Is the Q10 memory device / management compatible with Sony MemoryStick? 2 occurrences of "MEMORYSTICK" were found, from 0x00A:70BB on.
- The Q10 BSI CMOS sensor is confirmed as an Imx078cqk device made by Sony: the string "SONY_IMX_078CQK @ 72MHz" was found at 0x02B:66D5 and the string "Sony_Imx_078Cqk" at 0x0C7:E384.
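The string hunt above was done by hand with HexEdit's search. The script below is an added example (not part of the original page and not DisasMips) that does the same thing offline: it lists printable strings in a raw image, counts the occurrences of a few vendor markers and reports their offsets in the page's HexEdit notation (a 24-bit address written as 0xXXX:XXXX). The sample image it scans is constructed inline for the demo and is not Q10 firmware; the marker list and the 6-character minimum string length are assumptions you can change.

```python
"""Strings and vendor-marker scan of a raw firmware image (added example).

Not the page's own tooling. fmt_addr() prints offsets the way the page's
HexEdit setup shows them (3 hex bytes as XXX:XXXX); find_strings() and
find_marker() replace HexEdit's manual searches. The image built by
build_sample_image() is constructed for the demo, not Q10 firmware.
"""
import re


def fmt_addr(off: int) -> str:
    """0xCA932A -> "0x0CA:932A", the page's HexEdit address style."""
    return f"0x{off >> 16:03X}:{off & 0xFFFF:04X}"


def find_strings(data: bytes, min_len: int = 6):
    """Yield (offset, text) for every run of printable ASCII >= min_len."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def find_marker(data: bytes, marker: bytes, ignore_case: bool = True):
    """Offsets of every occurrence of marker (HexEdit-style find)."""
    flags = re.IGNORECASE if ignore_case else 0
    return [m.start() for m in re.finditer(re.escape(marker), data, flags)]


def vendor_report(data: bytes, markers):
    """{marker: (count, first offset in HexEdit notation or None)}."""
    report = {}
    for marker in markers:
        offs = find_marker(data, marker)
        report[marker.decode()] = (len(offs), fmt_addr(offs[0]) if offs else None)
    return report


def build_sample_image() -> bytes:
    """Constructed sample: an ELF-like 52-byte prefix, zero padding, a few
    embedded vendor strings and some MIPS-looking binary in between."""
    parts = [
        b"\x7fELF" + bytes(48),                 # 0x000: ELF magic + padding (52 bytes)
        bytes(0x100),                           # 0x034: filler
        b"Sony_Imx_078Cqk\x00",                 # 0x134
        b"\x27\xbd\xff\xe8\xaf\xbf\x00\x14",    # 0x144: binary, not a string
        b"ZORAN\x00",                           # 0x14C: 5 chars, below min_len
        bytes(0x10),                            # 0x152
        b"SONY_IMX_078CQK @ 72MHz\x00",         # 0x162
        b"Imx078Init\x00",                      # 0x17A
        b"mipssde\x00" * 3,                     # 0x185, 0x18D, 0x195
        b"ab\x00",                              # 0x19D: too short to report
    ]
    return b"".join(parts)


if __name__ == "__main__":
    img = build_sample_image()
    for off, text in find_strings(img):
        print(fmt_addr(off), text)
    print(vendor_report(img, [b"mipssde", b"ZORAN", b"SONY", b"Imx078",
                              b"Express Logic Inc."]))
```

Searching case-insensitively is what makes "Sony_Imx_078Cqk" and "SONY_IMX_078CQK" land in the same count; pass ignore_case=False to reproduce an exact-case HexEdit find.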
Disassembling the Q10 FW with a Mapfile: Started
DisasMips is a free disassembler for MIPS processors. Many thanks to Acade.
fwdc602p.bin, firmware file as is (fully big-endian), disasmips0 (2006-9-8):
- Sat Nov 22 01:09:37 2014: disasmips0 -m mapfil?.tx? -n 10000 -h dir? -A fwdc602p.bin = 258 files, 0 functions, 227 links, 10000 call targets, 0 map symbols
- Wed Nov 26 19:13:56 2014: disasmips0 -m mapfil0.txt -n 10000 -h dir? -A fwdc602p.bin = 258 files, 0 functions, 236 links, 10000 call targets, 237 map symbols
- Thu Nov 27 17:49:16 2014: disasmips0 -m mapfil1.txt -n 10000 -h dir? -A fwdc602p.bin = 258 files, 0 functions, 239 links, 10000 call targets, 445 map symbols
- Fri Nov 28 18:42:32 2014: disasmips0 -m mapfil2.txt -n 10000 -h dir? -g-b-c-F 500 -H-S-P fwdc602p.bin = 258 files, 0 functions, 239 links, 10000 call targets, 645 map symbols
- Mon Dec 08 00:03:51 2014: disasmips0 -m mapfil4.txt -n 10000 -h dir? -g-b-c-F 500 -H-S-P fwdc602p.bin = 258 files, 0 functions, 244 links, 10000 call targets, 1002 map symbols
- Mon Dec 08 12:45:06 2014: disasmips0 -m mapfil5.txt -n 10000 -h dir? -g-b-c-F 500 -H- -P fwdc602p.bin = 258 files, 0 functions, 245 links, 10000 call targets, 1436 map symbols
All were wrong disassemblies: no functions and lots of unresolved call targets.
fwdc602p.bin, firmware file as is (fully big-endian), disasmips1 (2006-9-8):
- Mon Dec 08 21:27:04 2014: disasmips1 -m mapfil6.txt -n 10000 -h dir? -g-b-c-F 500 -H-S-P fwdc602p.bin = 258 files, 0 functions, 531 links, 10000 call targets, 1449 map symbols
A wrong disassembly: no functions and lots of unresolved call targets!
Mapfile Completed to Get All Addresses Solved
Unresolved call targets / unlinked addresses in your disassembled listing indicate
that you have to correct your mapfile. Then start the disassembler one
more time, until every call target is a correct link falling inside the FW code.
Explanations of some of the cabalistic signs I wrote in mapfile.txt:
- # at the start of a line: the whole line is ignored (full comment)
- // in the middle of a line: the following characters are ignored (comment)
- Label: hexadecimal value of the address we are at; *C0x2d4 = code start
- @ starting a label: data, readable message, table...
- * starting a label: code text
- C as 2nd sign in a label: code
- D as 2nd sign in a label: data
- T as 2nd sign in a label: table (Tbl4, often 4 chars per entry; 00/80/8f/$ = terminators)
- U as 2nd sign in a label: unknown (Unk???)
- Nop: 0x00 in a code section
- Nul: 0x00 in a data section
- Msgs: messages
- Jouts: if this were a code section, JAL jumps would fall outside the FW!
- Black: dominant color as seen in the ASCII / Aerial View of HexEdit
- Blue: dominant color as seen in the ASCII / Aerial View of HexEdit
- Fonts: font definition section for the user interface
- Bazar: garbage?
- Const: constant / message string
- 0x7f:454c46: start of an ELF header (52 bytes); these are the ELF magic bytes 7F 'E' 'L' 'F'
- Start 32 bit FLIP: start of part 1 at 0x00:02d4, flipped to simulate little-endian
- 32 bit FLIP End: end of part 1 at 0x2b:695c, flipped to simulate little-endian access
The first § was the theory, for when everything else works fine... But...
Q10 FW Is Big-endian but Part 1 Is Little-endian
Part1.bin, cut from 0x00:02d4 to 0x2b:695c out of fwdc602p.bin as is, disasmips0 (2006-9-8):
- Sun Nov 30 02:25:47 2014: disasmips0 -m mapfil3.txt -n 10000 -h dir? -g -b -c -F 500 -H -S -P Part1.bin = 49 files, 0 functions, 244 links, 4679 call targets, 663 map symbols
A wrong disassembly: no functions and lots of unresolved call targets!
The unacceptable number of unresolved call targets / unlinked addresses in that
part 1, which I thought was a code section, told me that something went wrong in my
mapfile, or maybe that this code section had to be read with little-endian access.
I decided to cut this code section out of the full FW, then to flip the bytes of
this code section 4 by 4, then to disassemble this code section alone, and... success!
No more unresolved addresses falling outside Flip1.bin, yesss!
Flip1.bin, from 0x00:02d4 to 0x2b:695c, flipped 4x4 bytes with HexEdit, disasmips2 (2006-9-8):
- Wed Dec 10 18:53:58 2014: disasmips2 -m mapfil6.txt -n 10000 -h dir? -F 1000 -A Flip1.bin = 59 files, 2886 functions, 3188 call targets, 1432 map symbols
The decisive test: from Part1.bin, flipped 4x4 bytes, to Flip1.bin.
No unresolved addresses fell outside the code, so I copied the flipped
part 1 (Flip1.bin) back at the right address inside the FW fwdc602p.bin, saved
this new FW, with its "little-endian access" part from 0x00:02d4 to 0x2b:695c,
as the file cdwfp206.bin and restarted DisasMips (big-endian) one more time, and...
success! No unresolved addresses falling outside the full firmware, yess.
cdwfp206.bin, with part 1 (0x00:02d4 to 0x2b:695c) flipped 4x4 as if little-endian, disasmips2 (2006-9-8):
- Wed Dec 10 01:19:54 2014: disasmips2 -m mapfil6.txt -n 10000 -h dir? -F 1000 -A cdwfp206.bin = 268 files, 2886 functions, 3188 call targets, 1432 map symbols
Except for the number of files, the same results as for the disassembly of Flip1.bin!
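The diagnostic that led to the flip (the endianness explanation earlier on this page, and the Part1.bin / Flip1.bin experiment just above) can be automated. The script below is an added example, not the page's own work and not part of DisasMips: it decodes a region both ways as 32-bit MIPS words, counts how many look like common instructions and how many JAL targets land inside the image, and byte-swaps the region 4 bytes at a time when little-endian wins, which is what HexEdit's 'Flip Bytes / Double Word 32-bit' did by hand. The load base, the region offsets and the sample image (a big-endian header followed by one little-endian function) are constructed for the demo and are not taken from the Q10 firmware.

```python
"""Byte-order check and 4-byte flip of a MIPS code region (added example).

Not the page's or DisasMips' code. It encodes the page's own test: a region
read in the wrong byte order yields almost no recognisable instructions and
its JAL targets fall outside the image. Offsets, load base and the sample
image are constructed for the demo, not taken from the Q10 firmware.
"""
import struct

# (mask, value, name): encodings of a few very common MIPS32 instructions.
PATTERNS = [
    (0xFC000000, 0x0C000000, "jal"),            # opcode 3
    (0xFFFF0000, 0x27BD0000, "addiu $sp,$sp"),  # prologue / epilogue
    (0xFFFF0000, 0xAFBF0000, "sw $ra,($sp)"),
    (0xFFFF0000, 0x8FBF0000, "lw $ra,($sp)"),
    (0xFFFFFFFF, 0x03E00008, "jr $ra"),
    (0xFC000000, 0x3C000000, "lui"),            # opcode 15
]


def read_words(data, start, end, big_endian):
    """Decode [start, end) as 32-bit words in the given byte order."""
    fmt = ">I" if big_endian else "<I"
    return [struct.unpack_from(fmt, data, off)[0] for off in range(start, end - 3, 4)]


def jal_target(pc, word):
    """J/JAL: upper 4 bits of the delay-slot address | (imm26 << 2)."""
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def score_region(data, start, end, big_endian, load_base):
    """Count instruction-like words and JAL targets inside/outside the image."""
    hits = jal_in = jal_out = 0
    for i, w in enumerate(read_words(data, start, end, big_endian)):
        if any((w & mask) == val for mask, val, _ in PATTERNS):
            hits += 1
        if (w & 0xFC000000) == 0x0C000000:          # jal
            tgt = jal_target(load_base + start + 4 * i, w)
            if load_base <= tgt < load_base + len(data):
                jal_in += 1
            else:
                jal_out += 1                         # the page's "Jouts"
    return {"hits": hits, "jal_in": jal_in, "jal_out": jal_out}


def guess_endianness(data, start, end, load_base):
    """'big' or 'little': prefer the order whose JALs stay inside the image,
    then the one with more recognisable instructions (ties go to big)."""
    be = score_region(data, start, end, True, load_base)
    le = score_region(data, start, end, False, load_base)
    key = lambda s: (s["jal_in"] - s["jal_out"], s["hits"])
    return "big" if key(be) >= key(le) else "little"


def flip32_region(data, start, end):
    """Byte-swap every 4-byte word in [start, end); the rest is untouched.
    Same effect as HexEdit 'Flip Bytes' with 'Double Word 32-bit'."""
    if (end - start) % 4:
        raise ValueError("region length must be a multiple of 4")
    region = data[start:end]
    flipped = b"".join(region[i:i + 4][::-1] for i in range(0, len(region), 4))
    return data[:start] + flipped + data[end:]


def normalise_to_big_endian(data, start, end, load_base):
    """The page's procedure: if the region reads as little-endian, flip it so
    a big-endian disassembler sees real code. Returns (image, was_flipped)."""
    if guess_endianness(data, start, end, load_base) == "little":
        return flip32_region(data, start, end), True
    return data, False


def build_sample_image():
    """Constructed: a 16-byte big-endian header, one small function stored
    little-endian at offset 16, zero padding so the JAL has a place to land."""
    header = struct.pack(">IIII", 0x7F454C46, 16, 48, 0)
    func = [0x27BDFFE8, 0xAFBF0014,   # addiu $sp,$sp,-24 ; sw $ra,20($sp)
            0x0C000040, 0x00000000,   # jal base+0x100    ; nop (delay slot)
            0x8FBF0014, 0x03E00008,   # lw $ra,20($sp)    ; jr $ra
            0x27BD0018, 0x00000000]   # addiu $sp,$sp,24  ; nop (delay slot)
    body = b"".join(struct.pack("<I", w) for w in func)
    return header + body + bytes(0x200 - len(header) - len(body))


if __name__ == "__main__":
    img, base = build_sample_image(), 0x80000000
    print("as stored:", guess_endianness(img, 16, 48, base),
          score_region(img, 16, 48, True, base))
    fixed, flipped = normalise_to_big_endian(img, 16, 48, base)
    print("flipped:", flipped, score_region(fixed, 16, 48, True, base))
```

The JAL-target test is the stronger of the two signals: a region decoded in the wrong byte order rarely produces a jal opcode at all, and when it does the target almost never lies inside the image, which is exactly the "lots of unresolved call targets" symptom the runs above show. For a real image, pass the load address the firmware expects instead of the 0x80000000 assumed here.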
Q10 FW Disassembly, Final Version 15.12.'14
cdwfp206.bin, with part 1 (0x00:02d4 to 0x2b:695c) flipped 4x4 as if little-endian, disasmips2 (2006-9-8):
- Mon Dec 15 02:28:50 2014: disasmips2 -m mapfile.txt -n 10000 -h dir? -F 1000 -A cdwfp206.bin = 268 files, 2886 functions, 3197 call targets, 1185 map symbols
This was the last and best disassembly, the one you'll download if you are interested:
Generated Mon Dec 15 02:28:22 2014 from cdwfp206.bin (15 MB)
by disasmips2 [Win32 Sep 8 2006 (c) acade.au7.de (c) DIMA-info]
- 0.084 MB - Symbols.htm = symbol map file
- 0.177 MB - Calls.htm = call statistics file
- plus 268 HTML files, the biggest one = 0.741 MB
- 2886 functions in total
- 3197 call targets, the most called one = 614 times
- 1185 map symbols
In addition to these 270 HTML files, 4 useful TXT files:
- a summary of the remarkable things in the Pentax Q10 v1.03 FW
- the exact mapfile.txt that drove this disassembly
- the Disasmips.exe how-to, with the 11 parameter sets used for the 11 disassemblies
- the 3197 call targets, sorted by address
Everyone interested in this disassembly or in Pentax Q / Qs1 hacking:
download the first 10 files to get an idea of this work (~3 MB,
zipped to approx. 0.6 MB) ~> Download these 10 files zipped as DisasQ10v103.zip here
If you're interested in the full set of 274 files (~132 MB, zipped to ~35 MB),
email me at the address on the index page / HelpAstro and I'll send it back to you.
I can also send you another session zipped the same way: just add the date and time,
starting from Nov 28 2014 included; it seems I did not keep the mapfiles from before!
DisasMips Hacked to Handle a File as Big as the FW
The 2006 version of DisasMips, the one available in August 2014, failed to handle the huge file size
of the 1.03 FW: the listing of call targets was limited to 500, which didn't match their actual number.
Before flipping part 1 of the FW, I got more than 10k call targets! Of course,
~65% were false, unlinked targets falling everywhere outside the firmware.
So I had to hack DisasMips first. After many tries and errors, I ended up modifying
only 2 bytes, a long hack achieved successfully with HexEdit:
2 bytes that limit the listing of call targets to 500, raised first to 1000, then to 3200:
- at 0x00F40: original value 0xF3, modified first to 0xE7, then to 0x7F
- at 0x00F41: original value 0x01, modified first to 0x03, then to 0x0C
Read as one little-endian 16-bit value, these pairs are 0x01F3 = 499, 0x03E7 = 999 and 0x0C7F = 3199, i.e. the limit minus one.
2 bytes that set the default value of the -F option to 500:
- at 0x055E2: original value 0xF4, not modified
- at 0x055E3: original value 0x01, not modified
(0x01F4 = 500, read the same way.)
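The two-byte edit above is easy to get wrong on a different build of the executable, because the constant may sit at another offset. The script below is an added example (not the page's own tool and not part of DisasMips) that performs the same edit programmatically with a verify-before-patch guard: it reads the 16-bit little-endian value at the offset, refuses to write unless the original bytes are exactly what the page lists, and applies the two steps (499 to 999 to 3199) in sequence. The binary it patches is a constructed stand-in with the constants placed at the page's offsets; it is not disasmips0.exe.

```python
"""Verify-then-patch a 16-bit little-endian constant in an executable
(added example). Offsets and byte values are the ones the page lists for
DisasMips; the binary built by build_sample_exe() is a constructed stand-in,
not disasmips0.exe.
"""
import struct


def read_u16le(data: bytes, off: int) -> int:
    """The 16-bit little-endian value stored at off."""
    return struct.unpack_from("<H", data, off)[0]


def patch_u16le(data: bytes, off: int, expected: int, new: int) -> bytes:
    """Replace the value at off, refusing to touch a file whose bytes are not
    the expected original (different build, or already patched)."""
    found = read_u16le(data, off)
    if found != expected:
        raise ValueError(f"at 0x{off:05X}: found 0x{found:04X}, expected 0x{expected:04X}")
    return data[:off] + struct.pack("<H", new) + data[off + 2:]


# Constants the page found: (offset, original, 1st hack, 2nd hack).
CALL_TARGET_LIMIT = (0x00F40, 0x01F3, 0x03E7, 0x0C7F)   # 499 -> 999 -> 3199
F_OPTION_DEFAULT = (0x055E2, 0x01F4)                     # 500, left alone


def build_sample_exe() -> bytes:
    """Constructed stand-in for disasmips0.exe: zeros with the two constants
    placed at the offsets the page gives."""
    data = bytearray(0x6000)
    struct.pack_into("<H", data, CALL_TARGET_LIMIT[0], CALL_TARGET_LIMIT[1])
    struct.pack_into("<H", data, F_OPTION_DEFAULT[0], F_OPTION_DEFAULT[1])
    return bytes(data)


def make_disasmips2(data: bytes) -> bytes:
    """Apply both steps in order (the page's disasmips1, then disasmips2)."""
    off, orig, v1, v2 = CALL_TARGET_LIMIT
    step1 = patch_u16le(data, off, orig, v1)
    return patch_u16le(step1, off, v1, v2)


if __name__ == "__main__":
    exe = build_sample_exe()
    print("original limit:", read_u16le(exe, CALL_TARGET_LIMIT[0]))
    hacked = make_disasmips2(exe)
    print("patched limit:", read_u16le(hacked, CALL_TARGET_LIMIT[0]),
          "-F default:", read_u16le(hacked, F_OPTION_DEFAULT[0]))
```

To use it on a real file, read it with open(path, "rb").read(), run make_disasmips2 and write the result to a new name; the ValueError is the signal that you are looking at a different version and must locate the constant again with HexEdit.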
Download: DisasMips0, the original 2006 version, here ~> disasmips0.exe
Download: DisasMips1, the 1st hacked version (2014), here ~> disasmips1.exe
Download: DisasMips2, the 2nd hacked version (2014), here ~> disasmips2.exe
Download these 3 files zipped as DisasMips012.zip
Anyway, thanks to Acade; without him, this work wouldn't have been possible!
A new DisasMips version is out, but there is no guarantee it will work with the old parameters.
Disassembler for MIPS processors: http://acade.au7.de/disasmips/disasmips.htm
Give me some time to try it, once I have finished saving my whole memory here;
4 years is an eternity for memory, time enough to forget everything I didn't use in between.