Understanding Firmware

Introduction
Most electronic devices nowadays are built around digital chips called microcontrollers, which run a program called firmware. This firmware is responsible for all operations: initializing the device, checking that all peripherals and other components are present and ready to use, driving the menu interface, responding to buttons, and ultimately performing whatever the device is designed for.

The Nikon DSLRs are such devices and contain several chips, among them several microcontrollers. Two of them (called A and B for short) perform most of the high-level logic. Like most makers of advanced devices, Nikon has foreseen that their cameras could benefit from improvements or bug fixes. The firmware for those two microcontrollers is thus stored in semi-permanent memory (flash) that can be rewritten by a specific procedure to "update the firmware" (that is, replace it with another version that includes the desired changes). This is known as "flashing" the camera.

For all cameras that have already received such updates, Nikon makes the updated firmware available as downloadable files on their website. Recent releases combine the A and B firmware into a single file, which is encrypted and then packed into a self-extracting executable with the RAR tool. To get the encrypted combined binary file, simply execute the downloaded file. You would then normally put the resulting file on a memory card to flash the camera.

If you want to work on the firmware instead of flashing the camera, you first have to decrypt that file. The encryption algorithm was worked out at the end of 2011 by Simeon Pilgrim; you can find the details starting from this post on his blog. Several tools are now available to decrypt the firmware, one of them being built into the NikonEmulator.

Once decrypted and separated, the A and B firmware are just two binary files that are understood by the camera's microcontrollers but are not (yet) human readable.

General information
The "B" microcontroller is the one we mainly focus on, because it drives the screen and handles user interaction such as menu navigation. It is a Nikon Expeed ASSP based on a Fujitsu Milbeaut-4 32-bit microcontroller with a processor core of the FR80 family, like the chips numbered 916xx or 91F6xx to be found here.

As such, the firmware that drives the menus and the basic logic of the camera consists of binary machine code understood by that specific family of microcontrollers. That binary code can be converted back into very low-level human-readable code (assembly language). (Note: Nikon did not write most of the firmware in assembly but in a higher-level language such as C. However, as we don't have access to those "sources", all we can do is start from what we have, the compiled machine code files, and translate them into assembly language.)

To dig into the B firmware code, it is thus highly advisable to first carefully read chapters 1 to 3 of the FR Family instruction manual (see references below). Those 30 pages are a real prerequisite before trying to follow, or ask questions about, the internals of the code. For a more advanced understanding of that microcontroller, reading the FR80 Programming manual is advised, because it covers other aspects of the chip and documents the slightly modified instruction set used in the Expeed.

Fortunately, work has been done to convert the binary machine code into the human-readable "text" format known as assembly language. A good deal of that work was done by Kevin Schoedel in his Dfr disassembler, which was later improved and included in several tools such as the NikonEmulator.

Address map
To the best of our knowledge, the basic address map of the D5100 "B" firmware is as follows:

For overlapping areas the following rules apply (according to the Fujitsu documentation, for example the MB91460 "mask area setting"):
 * "internal" regions are always visible and no CS signal is issued for them
 * for memory overlapped between two external areas, the CS of the first area is issued and the timing parameters of the second area are used for the access

After analysing the mirror areas, it is clear that this ASSP chip does not evaluate address lines A30 and A28 when accessing the internal bus. They are still evaluated inside the FR80 processor core, however, so an access at 0xCxxxxxxx reaches the same memory on the internal bus as an access at 0x8xxxxxxx, but without going through the cache.
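The aliasing described above matters when cross-referencing a disassembly: the same peripheral register or RAM word can be reached through several CPU addresses. The helper below, an added example that is not part of the original page or of any Nikon tool, canonicalises addresses by clearing A30 and A28 and groups aliases together. It assumes, per the text, that A30 set means an uncached access; the role of A28 inside the core is not described on this page and is only reported, not interpreted. The sample addresses are constructed for illustration, not taken from the firmware.

```python
# Added example (not from the page): canonicalising FR80 addresses that the
# Expeed's internal bus aliases because it ignores address lines A30 and A28.

A30 = 1 << 30
A28 = 1 << 28
# Assumption from the text: the internal bus does not decode these two lines.
IGNORED_LINES = A30 | A28
ADDR_MASK = 0xFFFFFFFF


def bus_address(addr: int) -> int:
    """Address as seen on the internal bus (A30 and A28 cleared)."""
    if not 0 <= addr <= ADDR_MASK:
        raise ValueError(f"not a 32-bit address: {addr:#x}")
    return addr & ~IGNORED_LINES & ADDR_MASK


def classify(addr: int) -> dict:
    """Describe how the core sees an address: where it lands on the bus and
    whether the access bypasses the cache.

    'uncached' follows the page's 0xC... vs 0x8... observation (A30 set).
    'a28_set' is reported only; the page does not describe what A28 selects."""
    return {
        "cpu_address": addr,
        "bus_address": bus_address(addr),
        "uncached": bool(addr & A30),
        "a28_set": bool(addr & A28),
    }


def group_aliases(addrs):
    """Group CPU addresses that hit the same internal-bus location.

    Useful when merging cross-references from a disassembly where one
    register or buffer is touched through different aliases."""
    groups = {}
    for a in addrs:
        groups.setdefault(bus_address(a), []).append(a)
    return groups


# Constructed sample addresses (not from the firmware): four aliases of one
# word at bus address 0x80001000, plus an address with neither line set.
SAMPLE = [0x80001000, 0xC0001000, 0x90001000, 0xD0001000, 0x00002000]

if __name__ == "__main__":
    for bus, cpu_addrs in sorted(group_aliases(SAMPLE).items()):
        aliases = ", ".join(
            f"{a:#010x}{' (uncached)' if classify(a)['uncached'] else ''}"
            for a in cpu_addrs
        )
        print(f"bus {bus:#010x}: {aliases}")
```

Run it as a script to see the grouping; in practice you would feed it the set of absolute addresses referenced by the disassembly so that annotations made for the 0x8... alias also apply to accesses made through 0xC... or 0x9....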

Fujitsu DSP
Additional Fujitsu FR-V family processor cores on the same die act as a DSP. The basic FR-V instruction set (32-bit instruction width) is supported. It is most likely an MB93577: a dual-core DSP with 256 KB of internal RAM, which matches our findings.

I/O registers overview
The following devices were observed in the D5100 "B" firmware:


 * All FR80 registers are big endian.
 * "shared" means that the same interrupt number is used by several sources. The actual source of the interrupt can be discovered by examining the corresponding shared interrupt status registers at 0x6B000080-0x6B0000BB.

Reload 16-bit timer
Appears to be the same as in the MB91605A.

Reload 32-bit timer
Similar to the reload 16-bit timer, but the registers are wider:

Cache controller
The registers appear to be the same as in the MB91605A. The ISIZE, IFUNC, DSIZE and DFUNC registers are not implemented.

Serial interfaces
The serial ports behave the same as the "Multi-functional serial interface" of the MB91605A, but the FIFO size is 128 bytes.

External Bus interface
The ASR0...ASR5 registers are similar to those in the MB91665 datasheet. The ACR0...ACR5 registers are also similar to those in the MB91665 datasheet, with the following extensions:
 * bit 8 set to 1 means that there is an additional area of the same size at the end of the CS area. The contents of this area are not defined (sometimes a mirror of the CS area).
 * bit 3 set to 1 changes the scale of bits ASZ0..3 to the following:

The AWR0...AWR5 registers are similar to those in the MB91665 datasheet, with extensions (bits that are reserved there now have a meaning).

DMA controller
The DMA channel registers appear to be the same as in the MB91605A.

External interrupt controller
It works similarly to the one in the MB91605A, but each external interrupt is mapped to a separate interrupt vector.

Resolution converter
Copies or resizes an image plane. Real scaling is only done during the resize operation.

Image Transfer Circuit
Copies or fills an image plane. It cannot scale; it can only clip, or extend with a given colour.

SD Host Controller
The SD card host controller registers follow the SD Host Controller standard specification. Each access is automatically converted from the big-endian byte order of the FR80 CPU to the little-endian order of the SD host (and back), so no additional conversion is needed in the firmware.

Debayer unit
Converts a Bayer image to a YCbCr 4:2:2 image.

Firmware Tasks
Overview of the tasks in D5100 firmware B (b640101b.bin):

Reference documentation from Fujitsu

 * FR Family Instruction Manual
 * FR 80 Programming manual
 * MB91605A Series Hardware manual - this model shares many aspects with the Expeed, but some features differ

General information
The "A" microcontroller handles I/O tasks. For our target cameras (D5100 etc.) it is a Toshiba TMP19A44FEXBG.

Address map
Virtual addresses are used (as seen in the firmware).

Firmware Tasks
Overview of the tasks in D5100 firmware A (a640m010100.bin):

Reference documentation from Toshiba

 * Architecture and Assembly language documentation (that official link seems broken. An archived copy is available here)
 * Hardware datasheet (that official link seems broken. An archived copy is available here)