D5200 Information and Live View Timeout Removal

All things embedded.
*NO FEATURE REQUESTS*

D5200 Information and Live View Timeout Removal

Postby flutterguy317 » Fri Jul 24, 2015 7:23 pm

Hello!

I’ve been working on reversing the C1.02 firmware in the D5200 for the past couple of weeks for fun, a personal challenge, and to get the most out of my camera. I’ve currently decoded a large chunk of the firmware and was able to create a patch which essentially disables the live view timeout. I wanted to share some of my findings here in the event that they may be useful for anyone else who would want to take a look at this firmware. I’m going to continue working on this firmware for the next few days to see if it’s possible to remove the time restriction from video recording and possibly tackle some other goals, but there’s no guarantee that I’ll get around to everything. I also don’t know what format I should submit patches in, so I just included what bytes I changed in the firmware at the end of my info dump.

First a disclaimer though: I have tested my patch on my camera and it works, but it may not work 100% on other cameras. The information provided comes with absolutely no warranty and no guarantee that it will work. You take full responsibility if you decide to use this information on your own camera.

General:

The D5200 EXPEED 3 is an ARMv7 / Thumb-2 processor with the vector table starting at address 0x50020000:

Image

On startup, the kernel is copied from 0x51490220 to RAM starting at address 0x10000000 and then launched. The kernel is based on the open-source T-Kernel and is created by eSol as part of their eBinder development package. Having the source and spec available was extremely useful for finding various system calls, constants, and structures. T-Kernel is an RTOS which handles lower-level functionality for managing and synchronizing tasks, creating mutexes and semaphores, creating cyclic handlers, etc. The kernel is configured via a few parameters, which can be found at 0x5083E580:

Image

The D5200 firmware is written in C++ with a fair helping of polymorphism, which is good since the run-time type information (RTTI) is available starting at address 0x5141FA5C. Each entry includes the name of the class and its inheritance tree, which includes pointers to the RTTI of parent classes, flags, and the offset from an object’s “this” pointer to a pointer to the functions pertaining to that interface.

Image

The RTTI is referenced at the start of each class’s vTable, which can be found starting at address 0x51432068. The vTable contains pointers to each virtual function of a class. These functions are located in the same chunk of the firmware where the non-virtual functions for that class exist. Non-static class functions are always passed a “this” pointer in R0 which refers to the location of the object in memory. Constructors for these classes can be found fairly easily because they will store a pointer to their vTable in [R0]. It’s also possible to determine a class’s structure by examining the constructor, since parent constructors are run and variables are initialized at offsets from R0 (there are exceptions to this though). The memory location for instance classes can be found by looking for assignments of RAM locations to R0 before a constructor is called. Certain non-instance classes also contain “new” or “create” functions which perform a memory allocation and pass the resulting memory location to the constructor via R0.

It gets a bit tricky when trying to determine what a class or function without RTTI does; however, there are a few hints that help out. In ARM, the SVC opcode is used for software interrupts, and the T-Kernel uses it for system calls. It elevates the operational mode of the processor, allowing access to restricted memory, opcodes, and hardware. These system calls are well defined for the different sections of the T-Kernel, and the main OS uses SVC #6 along with an identifier in R1 to determine which function to run. The C functions for these syscalls are also documented in the T-Kernel spec, and C++ classes which use these C functions can be found by working backwards.

Image

Nikon uses a few info manager classes for handling user data in memory. A product data table is located at 0x512254A8 and each entry contains a type and flags, along with pointers to the default and current value. The default values are located at 0x512227A8, and are copied to RAM at 0x103A23A8 whenever the camera is reset. Each value is referenced by an index, and various info classes are used for data retrieval, conversion, and modification.

Live View:

The live view uses a few data points from the product data table for holding user preferences. The point at index 0x270 is the live view timeout mode (short, normal, long, custom), and the point at 0x273 is the custom live view timeout index. The STBL controller function starting at 0x50029258 and the INFS controller function starting at 0x5002CB42 access both of these values, convert them to a time in milliseconds, store it internally, and pass it to their parent class (JAPF Controller) function at 0x500354E2. This function sets up an alarm, which will call a function (in this case the function to stop the live view) after the time passed to it has elapsed.

The live view timeout mode is also retrieved in a function called by the SYSC Live View PC timer class at 0x50298710, along with an additional time index at index 0x277. This value is converted to a time in milliseconds and passed out to the calling function from the PC timer class. There, the value is divided by 1000 and stored. The PC timer class also sets up a cyclic handler which is called every 1 second which will load this time value, decrement it by 1, then store it back (and perform some additional handling if it hits 0).

The easiest way to patch the live view timeout is to simply return a different time value from the functions at 0x50029258, 0x5002CB42, and 0x50298710 for one of the custom time indices. For the patch that I created (and tested) I decided to change the time returned for the index normally associated with 15 minutes (because the value is used directly and not associated with any alternate modes). I tested it using a 3 hour timeout (value 0xA4CB80) and verified that it did extend beyond the original 15 minutes (I didn’t test for the full 3 hours though). Setting this to a value that extends beyond the battery life of the camera with live view active (such as 3 hours) essentially eliminates this timeout.

The patch requires the following bytes to be altered (without the offset of 0x50020000, add this offset to get the location in the ROM): 0x95B4, 0xCEB8, 0x27877C. The original byte sequence for these is {0xA0, 0xBB, 0x0D, 0x00} and the altered version for a 3 hour timeout is {0x80, 0xCB, 0xA4, 0x00}. Once the patched firmware is on the camera, the 15 minute custom timeout should be selected for the timeout to be "removed".

So that’s it for now! Hopefully this information will be useful to anyone who wants to use it, and hopefully I can get through more of the firmware over the next couple of days. Feel free to ask any questions and I’ll try to answer them, but since I’ll be actively reversing I might not be able to get to them all. I’ll post back with any updates either to this thread or to a new thread (if additional features/patches become available).
flutterguy317
Developer
 
Posts: 6
Joined: Thu Sep 11, 2014 6:12 am
Been thanked: 23 times

Re: D5200 Information and Live View Timeout Removal

Postby Justingunz96 » Fri Jul 24, 2015 9:05 pm

If you get rid of the Time Restriction for this camera you will save me so much money! Good Luck!
Justingunz96
 
Posts: 3
Joined: Mon Jun 01, 2015 2:47 pm
Been thanked: 0 time

Re: D5200 Information and Live View Timeout Removal

Postby flutterguy317 » Fri Jul 24, 2015 9:33 pm

Thanks! The recording time restriction is probably going to be quite a bit more involved than the live view because the file offsets might be only 32-bit values (maximum file size of 4GB). I'm not entirely sure yet, and if this is the case I may look into whether it would be possible to restart the recording automatically (using a different file) once the 4GB limit is reached. The camera does have a clean HDMI signal though, so with the live view timeout disabled an external recorder could be used (although this is definitely not a solution, just a workaround for the time being).
flutterguy317
Developer
 
Posts: 6
Joined: Thu Sep 11, 2014 6:12 am
Been thanked: 23 times

Re: D5200 Information and Live View Timeout Removal

Postby ebstein100 » Fri Jul 24, 2015 9:50 pm

Thank you flutterguy317. Please keep up the good work.

Hey, Simeon, can this be converted to a patch for dummies like us??

Thank you.
ebstein100
 
Posts: 46
Joined: Sun Jul 21, 2013 12:23 pm
Been thanked: 15 times

Re: D5200 Information and Live View Timeout Removal

Postby Justingunz96 » Fri Jul 24, 2015 9:55 pm

flutterguy317 wrote:Thanks! The recording time restriction is probably going to be quite a bit more involved than the live view because the file offsets might be only 32-bit values (maximum file size of 4GB). I'm not entirely sure yet, and if this is the case I may look into whether it would be possible to restart the recording automatically (using a different file) once the 4GB limit is reached. The camera does have a clean HDMI signal though, so with the live view timeout disabled an external recorder could be used (although this is definitely not a solution, just a workaround for the time being).


I would think so. I know Canons are capable of it, but I am also aware that Nikon and Canon use different firmware, so... Again, good luck! We're rootin' for ya!
Justingunz96
 
Posts: 3
Joined: Mon Jun 01, 2015 2:47 pm
Been thanked: 0 time

Re: D5200 Information and Live View Timeout Removal

Postby flutterguy317 » Fri Jul 24, 2015 10:02 pm

Simeon, I wasn't sure what the best way to get the patch to you would be if you would want to put it into the online patch tool. If you want to PM me instructions I can get it to you in any format. Also, thanks for the amazing work you and the other developers have done, it helped out tremendously when I started on this project!
flutterguy317
Developer
 
Posts: 6
Joined: Thu Sep 11, 2014 6:12 am
Been thanked: 23 times

Re: D5200 Information and Live View Timeout Removal

Postby leegong » Sat Jul 25, 2015 6:33 pm

Great work you have done on the D5200, flutterguy317.
How about porting the D5100 decoding to the D5200 side, such as HDMI, CEC, Exif info, SD card, USB PTP ...?
leegong
Core Developer
 
Posts: 2124
Joined: Mon Mar 19, 2012 12:21 am
Location: Hangzhou , China
Been thanked: 544 times

Re: D5200 Information and Live View Timeout Removal

Postby Simeon » Mon Jul 27, 2015 12:49 am

flutterguy317 wrote:Simeon, I wasn't sure what the best way to get the patch to you would be if you would want to put it into the online patch tool. If you want to PM me instructions I can get it to you in any format. Also, thanks for the amazing work you and the other developers have done, it helped out tremendously when I started on this project!


The patch tool's code is posted at https://github.com/simeonpilgrim/nikon- ... ikon-Patch, so patches to that are the easiest.

The next thing is a snippet for the PatchSet used by the above code; otherwise the notes you have are alright.

So the change would be written like:
Code:
        Patch[] patch_liveview_no_timeout_15m = {
            new Patch(1, 0x95B4,   new byte[] {0xA0, 0xBB, 0x0D, 0x00}, new byte[] {0x80, 0xCB, 0xA4, 0x00}),
            new Patch(1, 0xCEB8,   new byte[] {0xA0, 0xBB, 0x0D, 0x00}, new byte[] {0x80, 0xCB, 0xA4, 0x00}),
            new Patch(1, 0x27877C, new byte[] {0xA0, 0xBB, 0x0D, 0x00}, new byte[] {0x80, 0xCB, 0xA4, 0x00}),
        };



or if you're dealing with Words or Dwords you might find the Big or Little Endian helpers useful:
Code:
        Patch[] patch_liveview_no_timeout_15m_b = {
            new Patch(1, 0x95B4,   Sys.BigDwords(900000), Sys.BigDwords(10800000)),
            new Patch(1, 0xCEB8,   Sys.BigDwords(900000), Sys.BigDwords(10800000)),
            new Patch(1, 0x27877C, Sys.BigDwords(900000), Sys.BigDwords(10800000)),
        };



These are then hooked up a few lines down:
Code:
            Patches.Add(new PatchSet(PatchLevel.Released, "Video HQ 40mbps Bit-rate", patch_40mbps, patch_64mbps, patch_8mbps, patch_1mbps));
            Patches.Add(new PatchSet(PatchLevel.Beta,     "Video HQ 64mbps Bit-rate", patch_64mbps, patch_40mbps, patch_8mbps, patch_1mbps));
            Patches.Add(new PatchSet(PatchLevel.DevOnly,  "Video HQ 8mbps Bit-rate",  patch_8mbps,  patch_40mbps, patch_64mbps, patch_1mbps));
            Patches.Add(new PatchSet(PatchLevel.DevOnly,  "Video HQ 1mbps Bit-rate",  patch_1mbps,  patch_40mbps, patch_64mbps, patch_8mbps));

            Patches.Add(new PatchSet(PatchLevel.Beta, "Liveview (15min) No Timeout", patch_liveview_no_timeout_15m));



The arguments are patch level, name, patch, and the remainders are excluded patches, so you can force another patch to be unselected when this patch is selected (it's not unidirectional, so you need to force it in both directions).
Simeon
Core Developer
 
Posts: 2563
Joined: Wed Nov 30, 2011 6:12 am
Location: Christchurch, New Zealand
Been thanked: 603 times
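The patch flutterguy317 describes in the opening post (three 4-byte replacements at ROM-relative offsets 0x95B4, 0xCEB8 and 0x27877C) and the Patch/PatchSet snippet Simeon posts above both boil down to "check that the original bytes are really there, then overwrite them". The script below is an added example, not the Nikon-Patch tool's code and not flutterguy317's patch tooling: it verifies the original byte sequences before writing, shows that the two byte strings from the thread are the little-endian encodings of 900000 ms (15 minutes) and 10800000 ms (3 hours), and refuses to patch an image whose bytes do not match. The firmware blob it operates on is a constructed dummy image with only those three dwords filled in; the function and variable names are my own.

```python
"""Verify-then-apply byte patching for a firmware image (added example).

Offsets are ROM-relative, as in the thread; add ROM_BASE to get the
address in the camera's ROM. The sample image built here is constructed
for the example and is NOT real D5200 firmware.
"""
import struct

ROM_BASE = 0x50020000  # vector table / ROM base given in the opening post

# (offset, original bytes, replacement bytes) -- values copied from the thread.
LIVEVIEW_15M_ORIG = bytes([0xA0, 0xBB, 0x0D, 0x00])  # 900000 ms  = 15 min
LIVEVIEW_15M_NEW = bytes([0x80, 0xCB, 0xA4, 0x00])   # 10800000 ms = 3 h
LIVEVIEW_15M_PATCH = [
    (0x95B4, LIVEVIEW_15M_ORIG, LIVEVIEW_15M_NEW),    # STBL controller
    (0xCEB8, LIVEVIEW_15M_ORIG, LIVEVIEW_15M_NEW),    # INFS controller
    (0x27877C, LIVEVIEW_15M_ORIG, LIVEVIEW_15M_NEW),  # SYSC live view PC timer
]


def ms_to_dword(ms: int) -> bytes:
    """Encode a millisecond count as a 32-bit little-endian dword."""
    return struct.pack("<I", ms)


def dword_to_ms(raw: bytes) -> int:
    """Decode a 32-bit little-endian dword back into milliseconds."""
    return struct.unpack("<I", raw)[0]


def rom_address(offset: int) -> int:
    """Translate a ROM-relative offset into the absolute ROM address."""
    return ROM_BASE + offset


def check_patch(image: bytes, patch) -> list:
    """Return [(offset, bytes_found)] for every site whose bytes differ from
    the expected original; an empty list means the image is safe to patch."""
    mismatches = []
    for off, orig, _new in patch:
        found = image[off:off + len(orig)]
        if found != orig:
            mismatches.append((off, found))
    return mismatches


def apply_patch(image: bytes, patch) -> bytes:
    """Apply every replacement, but only if all original bytes match first.
    Refusing on any mismatch avoids writing into the wrong firmware build."""
    bad = check_patch(image, patch)
    if bad:
        sites = ", ".join(f"0x{off:X} (ROM 0x{rom_address(off):X})" for off, _ in bad)
        raise ValueError(f"original bytes not found at: {sites}")
    buf = bytearray(image)
    for off, _orig, new in patch:
        buf[off:off + len(new)] = new
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed dummy image: 0xFF filler with the three original dwords
    placed at the thread's offsets. Not a real firmware file."""
    size = max(off for off, _, _ in LIVEVIEW_15M_PATCH) + 16
    buf = bytearray(b"\xff" * size)
    for off, orig, _new in LIVEVIEW_15M_PATCH:
        buf[off:off + len(orig)] = orig
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_image()
    print("original timeout:", dword_to_ms(LIVEVIEW_15M_ORIG), "ms")
    print("patched  timeout:", dword_to_ms(LIVEVIEW_15M_NEW), "ms")
    patched = apply_patch(img, LIVEVIEW_15M_PATCH)
    for off, _, _ in LIVEVIEW_15M_PATCH:
        print(f"0x{rom_address(off):08X}: {patched[off:off + 4].hex()}")
    # A second run must fail: the originals are no longer present.
    try:
        apply_patch(patched, LIVEVIEW_15M_PATCH)
    except ValueError as err:
        print("refused re-patch:", err)
```

The pre-check is the part worth keeping for any firmware you patch by hand: the tool Simeon links does the same thing by carrying both the expected and replacement bytes in each `Patch` entry, and a mismatch at any of the three sites should be treated as "wrong firmware version", not something to override.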

Re: D5200 Information and Live View Timeout Removal

Postby flutterguy317 » Mon Jul 27, 2015 5:25 am

Thanks! I can pull the patch tool and submit a patch to it later today!
flutterguy317
Developer
 
Posts: 6
Joined: Thu Sep 11, 2014 6:12 am
Been thanked: 23 times

Re: D5200 Information and Live View Timeout Removal

Postby farthammer » Tue Jul 28, 2015 8:26 am

Dude, I will throw money at you to get this working. I'm at my wit's end and about to buy a Blackmagic to get some jobs done, but if you can pull the firmware apart and get this stuff working I'm sure I'm not the only one on this board who would drop you some cash.
farthammer
 
Posts: 2
Joined: Tue Jul 28, 2015 8:19 am
Been thanked: 0 time
