Nikon Z6/Z7

Posted: Thu Aug 23, 2018 1:56 am
by leegong
How about hacking the Nikon Z6/Z7?

Re: Nikon Z6/Z7

Posted: Fri Oct 05, 2018 3:49 pm
by Simeon
They seem like pretty nice devices.

Re: Nikon Z6/Z7

Posted: Sun Oct 07, 2018 9:10 pm
by leegong
Just found a Nikon Z7 teardown.
An STM32F412 and an R5F56519AD are found on the Z7 motherboard.
Wild guess:
The firmware is probably divided into 3 parts, for the Expeed, the STM32F412 and the R5F56519AD respectively.

Re: Nikon Z6/Z7

Posted: Wed Oct 17, 2018 3:24 am
by leegong
Just took a look at D750 Firmware A (running on a Toshiba TMPM440 ARM Cortex-M4 MCU).
There is one useful backdoor added: it reads Firmware A directly and sends it back to the PC over the USB connection.
I hope this backdoor is supported in the Nikon Z7; then we don't have to wait for the Nikon Z7 firmware update package.

Re: Nikon Z6/Z7

Posted: Mon Nov 19, 2018 10:02 pm
by leegong
Downloaded Nikon Z7 firmware packages v1.01 and v1.02.
Thanks to Simeon's tool, I just decrypted and extracted 3 files from the FW package.
I believe they are Firmware A, Firmware B and Firmware C respectively.

Re: Nikon Z6/Z7

Posted: Sun Nov 25, 2018 6:54 pm
by leegong
Found code that communicates with the battery.

Re: Nikon Z6/Z7

Posted: Fri Dec 21, 2018 4:11 am
by leegong
Lots of SVCs:

Re: Nikon Z6/Z7

Posted: Wed Dec 26, 2018 8:21 am
by coderat
I've got 4 files out of the package:
  1. ex1610_010000.bi - Firmware A
  2. eg1610_0102b0.bi - Firmware B (ARM)
  3. vr1610_010000.bi - Firmware for Vibration Reduction MCU
  4. _tpj01_v140.bin ?

Unfortunately they dropped RTTI out of Firmware B.

Re: Nikon Z6/Z7

Posted: Wed Dec 26, 2018 9:07 am
by coderat
License/Dongle software integrated:
Hardware:MS7709ASE01 - Software:matrixNET

?

Re: Nikon Z6/Z7

Posted: Wed Dec 26, 2018 9:24 pm
by leegong
coderat wrote:
I've got 4 files out of the package:
  1. ex1610_010000.bi - Firmware A
  2. eg1610_0102b0.bi - Firmware B (ARM)
  3. vr1610_010000.bi - Firmware for Vibration Reduction MCU
  4. _tpj01_v140.bin ?
Unfortunately they dropped RTTI out of Firmware B.


ex1610_010000.bi - Firmware A runs on the ARM Cortex-M4-based STM32F412.
I'm not sure if it uses ARM CMSIS and the official STM HAL library.
Firmware A communicates with the remote control/UART debug/GPS module, shoulder LED, SB, battery ...
It also communicates with an unknown module over I2C, maybe a power management IC; just a wild guess.