
DiY, Pentax Q10 v1.03 Firmware Disassembly

«
Throughout this Firmware Disassembly page I try to keep things as simple as possible,
so you can start this page with everyone's knowledge and still fully succeed, at the
end, in disassembling the v1.03 Firmware of the Pentax Q10, as simply as that!
Then, why not succeed in disassembling another Q, Q7 or Qs1 Firmware?
»

2014 July the 31st, the tiny Pentax Q10 I bought for € 170 has just been delivered...
A few test shots later, I am convinced that its 1/2.3" BSI Sensor is very sensitive,
so I decided to download the latest FirmWare v1.03, then to find tools to disassemble
it. The purpose is at least to overcome the 2 crippling limitations of the Pentax Q10.

- Hack the Noise Reduction settings from "Low-Normal-High" to "OFF-Normal-ON".
"Low-Normal-High" is automatic NR depending on Exposure, ISO and Temperature;
the goal is 2 new settings: no NR at all as the OFF setting, and NR always ON.
The string "GetSlowShutterNoiseReductionId", found at 0x0DA 421A in the v1.03
FirmWare and matching a Function Call, may be a useful track to begin with.
Another string, "SetBulbExposureStartTemperature", found at 0x0D9 871D, is to be
considered too...

- 30 sec is too short: hack the 25 sec. Exposure setting up to 240 sec. if possible.
Many cameras with tiny sensors are able to reach at least 60 sec. or even 240 sec.
But this may be impossible if 30 sec. is a hard limitation in the Shutter Device.
The strings "ShutterInit/Open/Delay/Speed/Close" found inside the v1.03 FirmWare,
matching Function Calls, may be useful tracks to begin with.
Even on warm summer nights, I never had the "Camera Temperature" going a little
higher than the ambient temperature, and the imx078 can achieve up to Full-HD at 60 fps.
I got the "Camera Temperature" in EXIF by a short exposure after a series of 30 sec.
exposures, because the "Camera Temperature" is not recorded in EXIF for 30 sec. exposures!

- The last hack should be to record the "Camera Temperature" in the Exif data at all
times, and not only for short or middle exposures; probably the simplest one to do?
The strings "BulbExposure/DisplaySensor/GetCamera/StoreSensor/Temperature" inside
the v1.03 FirmWare, matching Function Calls, may be useful tracks to begin with.

What is the purpose of a Firmware, and how is it built?

The purpose of a FirmWare is to keep in a Flash Memory all the Drivers and SoftWare
Functions needed by an Electronic Device and, on top of them, the User Interface, so
that everyone can use the device in the safest and easiest possible way. In a camera,
for example, many Devices need to be electronically managed through a Driver: the
Shutter, the Iris, the Flash, the CMOS Sensor, the DSP, the Memory, etc.
The SoftWare Functions are things like smoothing the noise in the Raw file before
writing it, interpolating the Raw file into a Jpeg picture through a Profile, then
writing that, etc. The User Interface is the graphic tool that lets you manage all
these Drivers and Functions together via Buttons and/or Menu choices on the LCD Screen.

ELF-layout
So you can picture the FirmWare as an aggregate of many Drivers, Functions, a User
Interface and Fonts, many of them including Code sections and Data sections.

That would be too simple if there weren't also 2 ways to read the Memory: 8, 16, 32 or
64-bit values stored most significant byte first, called Big-endian, or stored least
significant byte first, called little-endian, depending on the Device and/or the
SoftWare Function in the Section you are in (for a single byte the two are the same).


Endian R/W

HexEdit: inspecting the FW and beginning to write the mapfile

HexEdit is a free ASCII / Hexadecimal Viewer / Editor; thanks to its writers!

The first thing is to set HexEdit to display 1) the Address as 3 hex bytes, from
"00 0000" to "EC 00E0" here, 2) the Data as 8 x 4 hex bytes per row, columns "00" to
"1F", and 3) the same Data as ASCII chars, columns "00" to "1F". The exact setting in
the 'View' Tab is: Display-Mode = Both-Areas, Char-Set = ASCII, Control-Chars = None.
The minimum horizontal resolution is 1280 pixels; 1366 pixels or more is just fine.

First: write all 11 ELF Headers with their Start / End Address into your mapfile.
Then write into the mapfile every Address you think is the Start of a Code Section,
and every Address you think is the Start of a Data Section. Also, every readable
String of chars should be written as a //Comment in the middle of its mapfile line.

Yes, it's a long and tedious job, but mandatory for the Disassembler to work fine.
I would have liked to find an AI recursive mapfile builder, but couldn't find any in 2014!
In case you know a mapfile builder that works for the MIPS Processor, let me know.

The Aerial View in the 'Aerial' Tab is helpful to reveal the borders from Code to Data
and vice versa. Toggling the whole view to ASCII (Display-Mode = Char-Area) is
sometimes a good option too: see the screenshot of HexEdit below.

In the 'Operations' Tab, the command 'Flip Bytes' with the option 'Double Word 32-bit'
simulates reading a part of the FW as "little-endian" access while in "Big-endian" mode.

Screenshot: HexEdit searching for the string "Imx078" in the Q10 v1.03 FirmWare shows
a full screen of Function Labels, 8 of them containing the string "Imx078".

Useful info to discover inside the Q10 Firmware

The Pentax Q10 is powered by a MIPS RISC processor and...
Was the Q10 v1.03 FW built with the MIPS Software Development Environment?
-- 282 strings "mipssde" were found
Was the Q10 v1.03 FW User Interface built on an RTOS?
-- 122 strings "Rtos" were found
Was the Q10 v1.03 FW built by ZORAN Corp., EBISU, Tokyo, Japan?
-- 34 strings "ZORAN" were found from 0x088 4AC3 on...
The Q10 v1.03 FW contains 26 references to SONY Devices (LCD...):
-- 26 strings "SONY" were found from 0x009 21CB on...
The Q10 BSI CMOS Sensor is an Imx078cqk Device made by Sony:
-- 8 strings "Imx078" were found from 0x0CA 932A on...
Was the Q10 Memory Device / Management made by Express Logic Inc.?
-- 2 strings "Express Logic Inc." were found from 0x009 8428 on...
Is the Q10 Memory Device / Management compatible with the Sony MemoryStick?
-- 2 strings "MEMORYSTICK" were found from 0x00A 70BB on...
The Q10 BSI CMOS Sensor is confirmed as an Imx078cqk Device, Sony made:
-- string "SONY_IMX_078CQK @ 72MHz" found at 0x02B 66D5
-- string "Sony_Imx_078Cqk" found at 0x0C7 E384

Disassembling the Q10 FW once you've built a mapfile

DisasMips is a free Disassembler for MIPS processors. Many thanks to Acade!

fwdc602p.bin FirmWare file as is = fully Big-endian:
- Sat Nov 22 01:09:37 2014 from fwdc602p.bin by disasmips0 2006-9-8
disasmips0 -m mapfil?.tx? -n 10000 -h dir? -A fwdc602p.bin
258 files    0 functions    227 links    10000 call targets    0 map symbols
- Wed Nov 26 19:13:56 2014  from fwdc602p.bin by disasmips0 2006-9-8
disasmips0 -m mapfil0.txt -n 10000 -h dir? -A fwdc602p.bin
258 files    0 functions    236 links    10000 call targets    237 map symbols
- Thu Nov 27 17:49:16 2014  from fwdc602p.bin by disasmips0 2006-9-8
disasmips0 -m mapfil1.txt -n 10000 -h dir? -A fwdc602p.bin
258 files    0 functions    239 links    10000 call targets    445 map symbols
- Fri Nov 28 18:42:32 2014  from fwdc602p.bin by disasmips0 2006-9-8
disasmips0 -m mapfil2.txt -n 10000 -h dir? -g-b-c-F 500 -H-S-P fwdc602p.bin
258 files    0 functions    239 links    10000 call targets    645 map symbols
- Mon Dec 08 00:03:51 2014 from fwdc602p.bin by disasmips0 2006-9-8
disasmips0 -m mapfil4.txt -n 10000 -h dir? -g-b-c-F 500 -H-S-P fwdc602p.bin
258 files    0 functions    244 links    10000 call targets    1002 map symbols
- Mon Dec 08 12:45:06 2014 from fwdc602p.bin by disasmips0 2006-9-8
disasmips0 -m mapfil5.txt -n 10000 -h dir? -g-b-c-F 500 -H- -P fwdc602p.bin
258 files    0 functions    245 links    10000 call targets    1436 map symbols
All were wrong disassemblies: no functions and lots of unresolved Call Targets.

Disassemblies re-verified in 2018: the disasmips name was underlined and an '=' sign precedes the results line:

fwdc602p.bin FirmWare file as is = fully Big-endian:
- Mon Dec 08 21:27:04 2014 from fwdc602p.bin by disasmips1 2006-9-8
disasmips1 -m mapfil6.txt -n 10000 -h dir? -g-b-c-F 500 -H-S-P fwdc602p.bin
= 258 files    0 functions    531 links    10000 call targets    1449 map symbols
A wrong disassembly: no functions and lots of unresolved Call Targets!

Completing the mapfile to get all Addresses resolved

Unresolved Call Targets / unlinked Addresses in your disassembled listing indicate
that you have to correct your mapfile. Then start the Disassembler one more time,
until every Call Target is a correct link falling inside the FW code.

Explanations of some of the Cabalistic Signs I wrote in the mapfile.txt:
# : at the start of a fully ignored line = full-line Comment
// : in the middle of a line = the next chars are ignored as a Comment
Label : hexadecimal value of the Address we are at, e.g. *C0x2d4 = Code Start
@ : starts a Label : Data, readable Message, Table...
* : starts a Label : Code text
C : 2nd sign in a Label : Code
D : 2nd sign in a Label : Data
T : 2nd sign in a Label : Table (Tbl4, often x4 chars; 00/80/8f/$ = terminators)
U : 2nd sign in a Label : Unknown (Unk???)
Nop : 0x00 in a Code section
Nul : 0x00 in a Data section
Msgs : Messages
Jouts : if this were a Code section, JAL jumps would fall outside the FW!
Black : dominant color as seen in the ASCII / Aerial View of HexEdit
Blue : dominant color as seen in the ASCII / Aerial View of HexEdit
Fonts : Font definition section for the User Interface
Bazar : garbage?
Const : constant / Message string
0x7f 454c46 : start of an ELF Header (52 bytes)
Start 32 bit FLIP : start of part1 at 0x00:02d4, flipped to simulate little-endian access
32 bit FLIP End : end of part1 at 0x2b:695c, flipped to simulate little-endian access
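As an added Python example (not code from this page or from DisasMips), here is a scan that locates every ELF32 header in a firmware image by the 0x7f 454c46 magic listed above, reads the byte order, machine and table offsets out of the 52-byte header, and prints one mapfile line per header in the '@D<addr> // comment' data-label notation; the exact line layout DisasMips accepts and the sample image are assumptions.

```python
import struct

ELF_MAGIC = b"\x7fELF"       # 0x7f 45 4c 46, the ELF Header marker from the legend
ELF32_HEADER_LEN = 52        # size of an Elf32_Ehdr
EI_CLASS32, EI_DATA_LSB, EI_DATA_MSB = 1, 1, 2   # e_ident[4] and e_ident[5] values
EM_MIPS = 8                  # e_machine value for MIPS

def scan_elf_headers(fw: bytes):
    """Return (offset, endian, e_machine, e_entry, e_phoff, e_shoff) per ELF32 header."""
    found = []
    pos = fw.find(ELF_MAGIC)
    while pos != -1:
        hdr = fw[pos:pos + ELF32_HEADER_LEN]
        if len(hdr) == ELF32_HEADER_LEN and hdr[4] == EI_CLASS32 and hdr[5] in (EI_DATA_LSB, EI_DATA_MSB):
            fmt = "<" if hdr[5] == EI_DATA_LSB else ">"   # e_ident[EI_DATA] sets the byte order
            # Elf32_Ehdr after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff
            _, e_machine, _, e_entry, e_phoff, e_shoff = struct.unpack(fmt + "HHIIII", hdr[16:36])
            found.append((pos, "little" if fmt == "<" else "big", e_machine, e_entry, e_phoff, e_shoff))
        pos = fw.find(ELF_MAGIC, pos + 1)   # a truncated header at the file end is skipped
    return found

def mapfile_lines(headers):
    """One '@D<addr> // comment' line per header (assumed layout of a mapfile data label)."""
    out = []
    for off, endian, mach, entry, phoff, shoff in headers:
        cpu = "MIPS" if mach == EM_MIPS else "machine %d" % mach
        out.append("@D0x%x // ELF Header 52 bytes, %s %s-endian, entry 0x%x, phoff 0x%x, shoff 0x%x"
                   % (off, cpu, endian, entry, phoff, shoff))
    return out

def make_elf32_header(endian, e_machine, e_entry, e_phoff, e_shoff) -> bytes:
    """Build a 52-byte Elf32_Ehdr; used only to construct the sample image below."""
    fmt = "<" if endian == "little" else ">"
    ident = ELF_MAGIC + bytes([EI_CLASS32, EI_DATA_LSB if endian == "little" else EI_DATA_MSB, 1]) + b"\0" * 9
    body = struct.pack(fmt + "HHIIII", 2, e_machine, 1, e_entry, e_phoff, e_shoff)
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    tail = struct.pack(fmt + "IHHHHHH", 0, 52, 32, 1, 40, 3, 2)
    return ident + body + tail

# Constructed sample image: a little-endian MIPS ELF at 0x2d4 and a big-endian one further on.
SAMPLE_FW = (b"\0" * 0x2d4
             + make_elf32_header("little", EM_MIPS, 0x80001000, 52, 0x2000)
             + b"\xff" * 0x100
             + make_elf32_header("big", EM_MIPS, 0x80100000, 52, 0x3000)
             + b"\0" * 0x40)

if __name__ == "__main__":
    for line in mapfile_lines(scan_elf_headers(SAMPLE_FW)):
        print(line)
```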

The 1st § was the theory, for when everything else works fine... But...

The Q10 FW is Big-endian, but part1 is little-endian

Part1.bin, cut from 0x00:02d4 to 0x2b:695c out of fwdc602p.bin as is:
- Sun Nov 30 02:25:47 2014 from Part1.bin by disasmips0 2006-9-8
disasmips0 -m mapfil3.txt -n 10000 -h dir? -g -b -c -F 500 -H -S -P Part1.bin
49 files    0 functions    244 links    4679 call targets    663 map symbols
A wrong disassembly: no functions and lots of unresolved Call Targets!

An unacceptable number of unresolved Call Targets / unlinked Addresses in that
part1, which I thought was a Code section, indicated that something went wrong in my
mapfile... Or... maybe that Code section was to be read as a little-endian access one?
I decided to cut this Code section out of the full FirmWare, then to flip the bytes
of that Code section 4 by 4, then to disassemble this Code section alone and.....
Success! No more unresolved Addresses falling outside of Flip1.bin, Yesss!

Flip1.bin, from 0x00:02d4 to 0x2b:695c flipped 4x4 bytes with HexEdit:
- Wed Dec 10 18:53:58 2014 from Flip1.bin by disasmips2 2006-9-8
disasmips2 -m mapfil6.txt -n 10000 -h dir? -F 1000 -A Flip1.bin
= 59 files    2886 functions    3188 call targets    1432 map symbols
The decisive test: from Part1.bin, flipped 4x4 bytes, to Flip1.bin

No more unresolved Addresses falling outside the Code, so I copied the flipped part1
from Flip1.bin back at the right Address inside the FW "fwdc602p.bin", then I saved
this new FW, with its "little-endian access" part from "0x00 02d4" to "0x2b 695c",
as the file "cdwfp206.bin" and restarted DisasMips (Big-endian) one more time and.....
Success! No more unresolved Addresses falling outside the full FirmWare, Yesss!
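The flip-and-check experiment above, as an added Python example (not the page's own or DisasMips' code): flip_region() does what HexEdit's 'Flip Bytes / Double Word 32-bit' did to part1 and pastes it back in place, and jal_targets_inside() applies the 'Jouts' test from the mapfile legend, decoding MIPS JAL instructions and counting targets that land inside versus outside the file. The sample image, the load address 0 (file offset = address) and the exclusive end offset are assumptions.

```python
import struct

JAL_OPCODE = 0b000011  # MIPS J-type opcode of JAL (instruction bits 31..26)

def flip_words(data: bytes) -> bytes:
    """Reverse the byte order inside every 32-bit word, i.e. what HexEdit's
    'Flip Bytes' / 'Double Word 32-bit' does to the selected range."""
    if len(data) % 4:
        raise ValueError("region length must be a multiple of 4 bytes")
    return b"".join(data[i:i + 4][::-1] for i in range(0, len(data), 4))

def flip_region(fw: bytes, start: int, end: int) -> bytes:
    """Copy of fw with [start, end) flipped 4x4 and pasted back at the same place.
    end is taken as exclusive: 0x2b695c - 0x2d4 is a multiple of 4, 0x2b695d is not."""
    return fw[:start] + flip_words(fw[start:end]) + fw[end:]

def encode_jal(target: int) -> int:
    """Build a JAL instruction word for an absolute target (26-bit word index)."""
    return (JAL_OPCODE << 26) | ((target >> 2) & 0x03FFFFFF)

def jal_targets_inside(region: bytes, base: int, fw_len: int):
    """Read the region as big-endian MIPS code at file offset `base` (assumed load
    address 0, the way the page compares call targets against the FW size) and count
    JALs whose target falls inside / outside the firmware file."""
    inside = outside = 0
    for i in range(0, len(region) - 3, 4):
        word = struct.unpack(">I", region[i:i + 4])[0]
        if word >> 26 != JAL_OPCODE:
            continue
        pc_next = base + i + 4  # the delay-slot address supplies the top 4 bits
        target = (pc_next & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
        if target < fw_len:
            inside += 1
        else:
            outside += 1
    return inside, outside

# Constructed sample: a little-endian code fragment (like part1) embedded at 0x2d4 in
# an otherwise big-endian image; the instruction values are made up for this example.
CODE_LE = b"".join(struct.pack("<I", w) for w in [
    encode_jal(0x1000),  # jal 0x1000
    0x2402000F,          # addiu v0, zero, 15  (read unflipped, its bytes look like a JAL)
    encode_jal(0x300),   # jal 0x300
    0x03E00008,          # jr ra
])
SAMPLE_FW = b"\0" * 0x2d4 + CODE_LE + b"\0" * 0x1000
PART1_START, PART1_END = 0x2d4, 0x2d4 + len(CODE_LE)
FW_LEN = len(SAMPLE_FW)
```

Read as-is, the fragment yields one JAL whose target lies outside the file; after flip_region() both real JALs resolve inside it, which is the signal the page used to decide part1 is little-endian.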

cdwfp206.bin, with part1 0x00:02d4 - 0x2b:695c flipped 4x4 as if little-endian:
- Wed Dec 10 01:19:54 2014 from cdwfp206.bin by disasmips2 2006-9-8
disasmips2 -m mapfil6.txt -n 10000 -h dir? -F 1000 -A cdwfp206.bin
268 files    2886 functions    3188 call targets    1432 map symbols
Except for the number of files, the same results as for the disassembly of Flip1.bin!

cdwfp206.bin, with part1 0x00:02d4 - 0x2b:695c flipped 4x4 as if little-endian:
- Mon Dec 15 02:28:50 2014 from cdwfp206.bin by disasmips2 2006-9-8
disasmips2 -m mapfile.txt -n 10000 -h dir? -F 1000 -A cdwfp206.bin
= 268 files    2886 functions    3197 call targets    1185 map symbols
This was the last and best disassembly, the one you can download if interested:

Generated Mon Dec 15 02:28:22 2014 from cdwfp206.bin = 15 MB by
disasmips2 [ Win32 / Sep 8 2006 (c) acade.au7.de (h) mecastronics ]
0.084 MB - Symbols.htm = Symbol Map file
0.177 MB - Calls.htm = Call Statistics file :
+ 268    Html Files : the biggest one = 0.741 MB
2886    Total Functions
3197    Call Targets : the most called one = 614 times
1185    Map Symbols

In addition to these 270 HTML files, 4 useful TXT files:
- a summary of the remarkable things in the Pentax Q10 v1.03 FW
- the exact mapfile.txt that drove this Disassembly
- the Disasmips.exe How-To, with the 11 parameter sets used for the 11 Disassemblies
- the 3197 Call Targets, sorted by their Addresses

Everyone interested in this Disassembly and/or in Pentax Q - Qs1 hacking can download
the first 10 files (~ 3 MB, zipped to approx. 0.6 MB) to get an idea of this work:
Download these 10 files zipped as DisasQ10v103.zip

If you're interested in the full set of 274 files (~ 132 MB, zipped to ~ 35 MB),
email me at the address on the index page / Help-Astro and I'll send it to you!

I'll send you another session zipped the same way: just write me its Date & Time,
starting from Nov 28 2014 included: it seems I did not keep the mapfiles before that?!

DisasMips is hacked to handle files as huge as Firmwares

The DisasMips 2006 version available in August 2014 failed to handle the huge file size
of the 1.03 FW: the listing of Call Targets was limited to 500, which didn't match the number!
Before flipping one part of the FW, I got more than 10,000 Call Targets! Of course
~65% of them were false, unlinked Targets falling everywhere outside the FirmWare.

So I had to hack DisasMips first! After many tries and errors, I ended up modifying
2 bytes only: a long-running hack achieved successfully with HexEdit:
2 bytes that limit the listing of Call Targets to 500, raised first (-1) to 1000, then (-2) to 3200:
- at 0x00F40: original value 0xF3, modified-1 to 0xE7, then-2 to 0x7F
- at 0x00F41: original value 0x01, modified-1 to 0x03, then-2 to 0x0C
2 bytes that set the default value of the -F option to 500:
- at 0x055E2: original value 0xF4, not modified
- at 0x055E3: original value 0x01, not modified
Download: DisasMips0 2006, the original version: disasmips0.exe
Download: DisasMips1 2014, the 1st hacked version: disasmips1.exe
Download: DisasMips2 2014, the 2nd hacked version: disasmips2.exe
Download these 3 files zipped as DisasMips012.zip

Anyway, many thanks to Acade; without him this work wouldn't have been possible.
The current DisasMips version is OK, but there is no guarantee it will work with the old parameters!
Disassembler for MIPS Processors: http://acade.au7.de/disasmips/disasmips.htm
Give me some time to try it, once I have finished saving my whole memory here:
4 years is an eternity for memory, time enough to forget everything I didn't use in between...

Next step, a MIPS Decompiler to improve our understanding of the Q FW

Please, give me a little more time to write that one... ;)
      ©Dima Lootvoet 2010-19
