« All along this Firmware Disassembly page I try to keep things as simple as possible, so you could start this page with everyone's knowledge and still totally succeed at the end in disassembling the v1.03 Firmware of the Pentax Q10, as simply as that! Then, why not succeed in disassembling another Q, Q7 or Qs1 Firmware? »
July 31st, 2014: the tiny Pentax Q10 I bought for € 170 has just been delivered... A few test shots later, I am convinced that its 1/2.3" BSI sensor is very sensitive, so I decided to download the latest FirmWare, v1.03, and then to find tools to disassemble it.
The purpose is at least to overcome the 2 crippling limitations of the Pentax Q10.
- Hack the Noise Reduction settings from "Low-Normal-High" to "OFF-Normal-ON". "Low-Normal-High" is an automatic NR depending on exposure, ISO and temperature; the goal is to get 2 new settings: no NR at all as the OFF setting, and NR always ON. The string "GetSlowShutterNoiseReductionId" found at 0x0DA 421A in the v1.03 FirmWare (a function call) may be a useful track to begin with. Another string, "SetBulbExposureStartTemperature", found at 0x0D9 871D, is to be considered too...
- 30 sec. is too short: hack the 25 sec. exposure setting up to 240 sec. if possible. Many cameras with tiny sensors are able to reach at least 60 sec. or even 240 sec. But this may be impossible to do if 30 sec. is a hard limitation in the shutter device. The strings "ShutterInit/Open/Delay/Speed/Close" found inside the v1.03 FirmWare (function calls) are perhaps useful tracks to begin with. Even on warm summer nights, I never saw the "Camera Temperature" go much higher than the ambient temperature (the imx078 can achieve up to Full-HD at 60 fps). I got the "Camera Temperature" in EXIF from a short exposure taken right after a series of 30 sec. exposures, because the "Camera Temperature" is not recorded in EXIF with 30 sec. exposures!
- The last hack should be to record the "Camera Temperature" at all times in the Exif data, and not only for short or middle exposures; the simplest one to do? The strings "BulbExposure/DisplaySensor/GetCamera/StoreSensor/Temperature" inside the v1.03 FirmWare (function calls) may be useful tracks to begin with.
What is the purpose of a Firmware, how is it built ?
The purpose of a FirmWare is to keep in a Flash memory all the drivers and software functions needed by an electronic device and, on top of them, the user interface, so everyone could use it in the safest and easiest possible way. In a camera, for example, many devices need to be electronically managed through a driver: the shutter, the iris, the flash, the CMOS sensor, the DSP, the memory, etc. The software functions are: smoothing the noise in the Raw file before writing it, interpolating the Raw file to get a Jpeg picture through a profile, then writing it, etc. The user interface is the easy graphic tool for you to manage all these drivers and all these functions together via buttons and/or menu choices on the LCD screen...
So you could easily imagine the FirmWare as an aggregate of many drivers, functions, a user interface and fonts, many of them including code sections & data sections.
That would be too simple if there weren't also 2 ways to read the memory in 8, 16, 32 or 64 bit units: with the most significant byte first, called big-endian, or with the least significant byte first, called little-endian, depending on the device and/or the software function in the section you are in. A section read in the wrong byte order has every one of its 32-bit words decoded wrongly.
HexEdit : inspecting the FW, begin writing the mapfile
HexEdit is a free ASCII / hexadecimal viewer / editor, thanks to its writers! The first thing is to set HexEdit to display -1) the address in 3 hex bytes: from "00 0000" to "EC 00E0" here, -2) the data in 8 x 4 hex bytes, from "00" to "1F", and -3) the data in ASCII chars from "0" to "1F". The exact setting in the 'View' tab is: Display-Mode = Both-Areas, Char-Set = ASCII, Control-Chars = None. The minimum horizontal resolution is 1280 pixels; 1366 pixels and more is just fine.
First: write all the 11 ELF headers with their start / end addresses in your mapfile. Then you have to write to the mapfile every address you think is the start of a code section, and then every address you think is the start of a data section; also, every readable string of chars should be written as a //Comment in the middle of the line of the mapfile.
Yes, it's a long and fastidious job, but mandatory for the disassembler to work fine. I would have liked to find an AI recursive mapfile builder, but couldn't find any in 2014! In case you know a mapfile builder that works for MIPS processors, let me know.
Aerial-View in the 'Aerial' tab is helpful to reveal the borders from code to data and vice versa. Toggling the whole view to ASCII (Display-Mode = Char-Area) is sometimes a good option too: see the screenshot of HexEdit below.
The 'Operations' tab, command 'Flip Bytes', option 'Double Word 32-bit', simulates a part of the FW being read with "little-endian" access while in "Big-endian" mode (see the flipped part1 section further down).
HexEdit searching for the string "Imx078" in the Q10 v1.03 FirmWare shows... a full screen of function labels, 8 of them containing the string "Imx078".
Useful Infos to discover inside the Q10 Firmware
The Pentax Q10 is powered by a MIPS RISC processor and...
- The Q10 v1.03 FW was built with the MIPS Software Development Environment? -- 282 strings "mipssde" were found
- The Q10 v1.03 FW user interface was built from an Rtos OS? -- 122 strings "Rtos" were found
- The Q10 v1.03 FW was built by ZORAN Corp., EBISU, Tokyo, Japan? -- 34 strings "ZORAN" were found from 0x088 4AC3...
- The Q10 v1.03 FW contains 26 references to SONY devices (LCD...): -- 26 strings "SONY" were found from 0x009 21CB...
- The Q10 BSI CMOS sensor is an Imx078cqk device made by Sony: -- 8 strings "Imx078" were found from 0x0CA 932A...
- The Q10 memory device / management made by Express Logic Inc.? -- 2 strings "Express Logic Inc." were found from 0x009 8428...
- The Q10 memory device / management compatible with Sony MemoryStick? -- 2 strings "MEMORYSTICK" were found from 0x00A 70BB...
- The Q10 BSI CMOS sensor confirmed as an Imx078cqk device, Sony made: -- string "SONY_IMX_078CQK @ 72MHz" found at 0x02B 66D5 -- string "Sony_Imx_078Cqk" found at 0x0C7 E384
Disassembling the Q10 FW once you've built a mapfile
DisasMips is a free disassembler for MIPS processors. Many thanks to Acade!
fwdc602p.bin, FirmWare file as is = fully Big-endian :
- Sat Nov 22 01:09:37 2014 from fwdc602p.bin by disasmips0 2006-9-8 : disasmips0 -m mapfil?.tx? -n 10000 -h dir? -A fwdc602p.bin : 258 files, 0 functions, 227 links, 10000 call targets, 0 map symbols
- Wed Nov 26 19:13:56 2014 from fwdc602p.bin by disasmips0 2006-9-8 : disasmips0 -m mapfil0.txt -n 10000 -h dir? -A fwdc602p.bin : 258 files, 0 functions, 236 links, 10000 call targets, 237 map symbols
- Thu Nov 27 17:49:16 2014 from fwdc602p.bin by disasmips0 2006-9-8 : disasmips0 -m mapfil1.txt -n 10000 -h dir? -A fwdc602p.bin : 258 files, 0 functions, 239 links, 10000 call targets, 445 map symbols
- Fri Nov 28 18:42:32 2014 from fwdc602p.bin by disasmips0 2006-9-8 : disasmips0 -m mapfil2.txt -n 10000 -h dir? -g-b-c-F 500 -H-S-P fwdc602p.bin : 258 files, 0 functions, 239 links, 10000 call targets, 645 map symbols
- Mon Dec 08 00:03:51 2014 from fwdc602p.bin by disasmips0 2006-9-8 : disasmips0 -m mapfil4.txt -n 10000 -h dir? -g-b-c-F 500 -H-S-P fwdc602p.bin : 258 files, 0 functions, 244 links, 10000 call targets, 1002 map symbols
- Mon Dec 08 12:45:06 2014 from fwdc602p.bin by disasmips0 2006-9-8 : disasmips0 -m mapfil5.txt -n 10000 -h dir? -g-b-c-F 500 -H- -P fwdc602p.bin : 258 files, 0 functions, 245 links, 10000 call targets, 1436 map symbols
All were wrong disassemblies: no functions & lots of unresolved call targets.
2018 Verified Disassemblies : disasmips is underlined and an '=' sign precedes the Results # :
fwdc602p.bin, FirmWare file as is = fully Big-endian :
- Mon Dec 08 21:27:04 2014 from fwdc602p.bin by disasmips1 2006-9-8 : disasmips1 -m mapfil6.txt -n 10000 -h dir? -g-b-c-F 500 -H-S-P fwdc602p.bin = 258 files, 0 functions, 531 links, 10000 call targets, 1449 map symbols
A wrong disassembly: no functions & lots of unresolved call targets!
Completing the mapfile to get all Addresses Resolved
Unresolved call targets / unlinked addresses in your disassembled listing indicate that you'll have to correct your mapfile. Then start the disassembler one more time, until every call target is a correct link falling inside the FW code.
Explanations about some of the cabalistic signs I wrote in the mapfile.txt :
- # : at start of a fully ignored line = full comments
- // : at middle of a line = next chars are ignored as comments
- Label : hexadecimal value of the address we are in, e.g. *C0x2d4 = Code Start
- @ : starting a Label : Data, Readable-Message, Table...
- * : starting a Label : Code Text
- C : 2nd sign in Label : Code
- D : 2nd sign in Label : Data
- T : 2nd sign in Label : Table (Tbl4, often x4 chars, 00/80/8f/$ = terminators)
- U : 2nd sign in Label : Unknown (Unk???)
- Nop : 0x00 in Code-section
- Nul : 0x00 in Data-section
- Msgs : Messages
- Jouts : if this was a Code-section, JAL jumps would fall Outside the FW!
- Black : color dominant as seen in ASCII / Aerial-View of HexEdit
- Blue : color dominant as seen in ASCII / Aerial-View of HexEdit
- Fonts : font definition section for the User-Interface
- Bazar : garbage?
- Const : constant / message string
- 0x7f 454c46 : start of an ELF Header (52 bytes)
- Start 32 bit FLIP : start of part1 at 0x00:02d4, flipped to simulate little-endian access
- 32 bit FLIP End : end of part1 at 0x2b:695c, flipped to simulate little-endian access
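As an added example (not part of the original page, nor DisasMips' own code), a small Python parser for a mapfile written with the signs above, plus the check that every call target lands in a code section, which is what "Completing the mapfile" asks you to verify by hand. The line syntax it assumes ('#' full-comment lines, '//' comments, labels like *C0x2d4 or @T0x2b695c) is taken from this legend only; the sample mapfile and the firmware size are constructed, with only the part1 bounds taken from the page.

```python
import re

# Label syntax assumed from the legend above (not DisasMips' documented format): '*' starts a
# code label, '@' a data label; 2nd sign C/D/T/U = code/data/table/unknown; then the hex address.
LABEL_RE = re.compile(r"^([*@])([CDTU])0x([0-9A-Fa-f]+)")
KINDS = {"C": "code", "D": "data", "T": "table", "U": "unknown"}

def parse_mapfile(text, fw_size):
    """Return sections as (start, end, kind, comment) sorted by address.
    A section ends where the next label starts; the last one ends at fw_size."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):
            continue                                   # fully ignored line
        body, _, comment = raw.partition("//")         # '//' starts a comment
        body = body.strip()
        if not body:
            continue
        m = LABEL_RE.match(body)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised label {body!r}")
        addr = int(m.group(3), 16)
        entries.append((addr, KINDS[m.group(2)], comment.strip()))
    entries.sort()
    return [(start, entries[i + 1][0] if i + 1 < len(entries) else fw_size, kind, cmt)
            for i, (start, kind, cmt) in enumerate(entries)]

def unresolved_targets(sections, targets):
    """Call targets that do not land in a code section: each one is a label to fix
    in the mapfile (many of them outside the image = the 'Jouts' endianness symptom)."""
    bad = []
    for t in targets:
        sec = next((s for s in sections if s[0] <= t < s[1]), None)
        if sec is None or sec[2] != "code":
            bad.append(t)
    return bad

# Constructed sample, not the real Q10 mapfile.txt: only the part1 bounds come from the page.
SAMPLE_MAPFILE = """# constructed sample mapfile
@D0x0        // ELF Header 0x7f454c46
*C0x2d4      // Code Start, part1 (32 bit FLIP)
@T0x2b695c   // Tbl4, 00/80/8f/$ terminators
*C0x2b7000   // code again (invented address)
"""
FW_SIZE = 0xEC0100  # constructed image size, just above the last address seen in HexEdit
```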
The 1st § was the theoretical theory, for when everything else works fine... But...
The Q10 FW is Big-endian, but part1 is little-endian
Part1.bin, cut 0x00:02d4 - 0x2b:695c from fwdc602p.bin as is :
- Sun Nov 30 02:25:47 2014 from Part1.bin by disasmips0 2006-9-8 : disasmips0 -m mapfil3.txt -n 10000 -h dir? -g -b -c -F 500 -H -S -P Part1.bin : 49 files, 0 functions, 244 links, 4679 call targets, 663 map symbols
A wrong disassembly: no functions & lots of unresolved call targets!
An unacceptable number of unresolved call targets / unlinked addresses in that part1, which I thought was a code section, indicates that something went wrong in my mapfile... Or... Maybe that code section was to be read with little-endian access? I decided to cut this code section off from the full FirmWare, then to flip the bytes of that code section 4 by 4, then to disassemble this code section alone and..... Success! No more unresolved addresses falling outside of Flip1.bin, Yesss!
Flip1.bin, from 0x00:02d4 to 0x2b:695c flipped 4x4 bytes with HexEdit :
- Wed Dec 10 18:53:58 2014 from Flip1.bin by disasmips2 2006-9-8 : disasmips2 -m mapfil6.txt -n 10000 -h dir? -F 1000 -A Flip1.bin = 59 files, 2886 functions, 3188 call targets, 1432 map symbols
The decisive test: from Part1.bin being flipped 4x4 bytes to Flip1.bin
No more unresolved addresses falling outside the code, so I copied the flipped part1 from Flip1.bin at the right address inside the FW "fwdc602p.bin", then I saved this new FW, with its "little-endian access" part from "0x00 02d4" to "0x2b 695c", as the file "cdwfp206.bin", restarted DisasMips (Big-endian) one more time and..... Success! No more unresolved addresses falling outside the full FirmWare, Yesss!
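As an added example, not the page's own tooling, here is the 4-by-4 byte flip of the endianness paragraph and of the part1 procedure above written in Python, together with the check the author made by eye: count the JAL targets that land inside the image under each byte order (the "Jouts" symptom of the mapfile legend). It assumes the image is loaded at base address 0 and runs on a constructed MIPS-like sample, not on the Q10 firmware.

```python
import struct

JAL = 0x03  # top 6 bits (opcode) of a MIPS 'jal' jump-and-link instruction

def flip_dwords(data, start, end):
    """Reverse every 4-byte word in data[start:end], like HexEdit's 'Flip Bytes /
    Double Word 32-bit'; bytes outside the span are kept, so the result can be
    written back in place of the original part. Flipping twice restores the input."""
    if (end - start) % 4:
        raise ValueError("span length must be a multiple of 4 bytes")
    span = data[start:end]
    flipped = b"".join(span[i:i + 4][::-1] for i in range(0, len(span), 4))
    return data[:start] + flipped + data[end:]

def jal_stats(data, start, end, big_endian=True, base=0):
    """Decode data[start:end] as 32-bit MIPS words; return (number of jal words,
    number whose target lands inside the image). jal target = (PC & 0xF0000000)
    | (instr_index << 2). ASSUMPTION: the image is loaded at `base`."""
    fmt = ">I" if big_endian else "<I"
    total = inside = 0
    for off in range(start, end - 3, 4):
        word = struct.unpack_from(fmt, data, off)[0]
        if word >> 26 != JAL:
            continue
        total += 1
        target = ((base + off) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
        if 0 <= target - base < len(data):
            inside += 1
    return total, inside

def guess_endianness(data, start, end):
    """'big' or 'little': the byte order giving more in-image jal targets. Read in
    the wrong order, other instructions turn into bogus jal words whose targets
    fall outside the firmware (the 'Jouts' symptom of the mapfile legend)."""
    big = jal_stats(data, start, end, True)[1]
    little = jal_stats(data, start, end, False)[1]
    return "big" if big >= little else "little"

def build_sample():
    """Constructed sample, not Pentax firmware: a 64-byte header, then 16 little-
    endian 'functions' of addiu sp,sp,-24 / sw ra,12(sp) / jal <function> / nop."""
    header = b"\x7fELF" + bytes(60)
    words = []
    for f in range(16):
        callee = len(header) + ((f + 5) % 16) * 16   # start of another function
        words += [0x27BDFFE8, 0xAFBF000C, (JAL << 26) | (callee >> 2), 0]
    return header + b"".join(struct.pack("<I", w) for w in words)
```

On the Q10 image the span to flip is the part1 range the page gives, 0x02d4 to 0x2b695c, and the returned bytes correspond to what the page saved as cdwfp206.bin; the bogus jal words that appear under the wrong byte order are the "false unlinked targets" the author saw before flipping.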
cdwfp206.bin, with part1 0x00:02d4 - 0x2b:695c flipped 4x4 as if little-endian :
- Wed Dec 10 01:19:54 2014 from cdwfp206.bin by disasmips2 2006-9-8 : disasmips2 -m mapfil6.txt -n 10000 -h dir? -F 1000 -A cdwfp206.bin = 268 files, 2886 functions, 3188 call targets, 1432 map symbols
Except for the number of files, same results as for the disassembly of Flip1.bin!
cdwfp206.bin, with part1 0x00:02d4 - 0x2b:695c flipped 4x4 as if little-endian :
- Mon Dec 15 02:28:50 2014 from cdwfp206.bin by disasmips2 2006-9-8 : disasmips2 -m mapfile.txt -n 10000 -h dir? -F 1000 -A cdwfp206.bin = 268 files, 2886 functions, 3197 call targets, 1185 map symbols
This was the last and best disassembly, the one you'll download if interested:
Generated Mon Dec 15 02:28:22 2014 from cdwfp206.bin = 15 MB by disasmips2 [ Win32 / Sep 8 2006 (c) acade.au7.de (h) mecastronics ]
- 0.084 MB - Symbols.htm = Symbol Map file
- 0.177 MB - Calls.htm = Call Statistics file
- + 268 Html files: the biggest one = 0.741 MB
- 2886 total functions
- 3197 call targets: the most called one = 614 times
- 1185 map symbols
In addition to these 270 HTML files, 4 useful TXT files:
- a summary of the remarkable things in the Pentax Q10 v1.03 FW
- the exact mapfile.txt that drove this disassembly
- the Disasmips.exe How-To, with the 11 parameter sets used for 11 disassemblies
- the 3197 call targets, but sorted by their addresses
Everyone who's interested in this disassembly and/or in the Pentax Q - Qs1 hacking: download the first 10 files to get an idea of this work, ~3 MB zipped to approx. ~0.6 MB, as DisasQ10v103.zip (these 10 files zipped).
If you're interested in the full set of 274 files, ~132 MB zipped to ~35 MB, email me at the address in the index page / Help-Astro and I'll send it back to you!
I'll send you another session zipped the same way: just write me the date & time, starting from Nov 28 2014 included; it seems I did not keep the mapfiles before that?!
DisasMips is Hacked to handle files as huge as Firmwares
The DisasMips 2006 version available in August 2014 failed to handle the huge file size of the 1.03 FW: the listing of call targets was limited to 500, which didn't match the number! Before flipping one part of the FW, I got more than 10,000 call targets! Of course ~65% of them were false unlinked targets falling everywhere outside the FirmWare.
So I had to hack DisasMips first! After many tries and errors, I ended up modifying 2 bytes only, a long hack achieved successfully with HexEdit:
2 bytes that limit the listing of call targets to 500, hacked-1 to 1000, then-2 to 3200 (the pair read as a little-endian 16-bit value: 0x01F3 = 499, 0x03E7 = 999, 0x0C7F = 3199) :
- at 0x00F40 : original value 0xF3, modified-1 to 0xE7, then-2 to 0x7F
- at 0x00F41 : original value 0x01, modified-1 to 0x03, then-2 to 0x0C
2 bytes that set the default value of the -F option to 500 (0x01F4 = 500) :
- at 0x055E2 : original value 0xF4, not modified
- at 0x055E3 : original value 0x01, not modified
Downloads:
- DisasMips0 2006, the original version: disasmips0.exe
- DisasMips1 2014, the 1st hacked version: disasmips1.exe
- DisasMips2 2014, the 2nd hacked version: disasmips2.exe
- these 3 files zipped to DisasMips012.zip
Anyway, many thanks to Acade, without him this work wouldn't have been possible. The current DisasMips version is OK, but no guarantee it will work with the old parameters! Disassembler for MIPS Processors: http://acade.au7.de/disasmips/disasmips.htm
Give me some time to try it, when I'll have finished saving my whole memory here: 4 years is an eternity for memory, the time to forget everything I didn't use in between... Next step, a MIPS decompiler to improve our understanding of the Q FW.