Understanding Firmware

Introduction
The Expeed processor inside the Nikon DSLRs we focus on is based on Fujitsu FR (or FR-V) technology. As such, the firmware that drives the menus and the basic logic of the camera (known as "B" firmware) follows the rules of the language understood by this family of microcontrollers. Note: of course Nikon didn't write most of the firmware in assembly, but in a higher-level language such as C. However, as we don't have access to these "sources", all we can do is start from what we have: compiled files.

It is thus highly advised to first carefully read chapters 1 to 3 of the FR Family Instruction Manual. Those 30 pages are really a prerequisite before trying to follow, or ask questions about, the internals of the code.

Fortunately, work has been done to convert the binary format to a human-readable "text" format known as assembly language. A good deal of the work was done by Kevin Schoedel in his Dfr disassembler, and this disassembler was improved and included in several tools such as the Fr Emulator.

Basic address map
To the best of our knowledge, the basic address map of the D5100 firmware is as follows:
 * lower addresses (let's say 0x00000000-0x00001000) are microcontroller registers. They are used to configure the different circuits that live on the chip along with the CPU.
 * the area 0x000E0000-0x000FFFFF is ROM, or at least an area that cannot be overwritten by a firmware update. It most probably contains the original interrupt vector as well as a bootloader which offers "recovery" functionality in case a firmware update fails, or which gives control to the firmware code if it is valid.
 * the firmware itself, which is loaded from 0x00040000 to 0x00ABFFFF (and consequently overlaps the ROM area above: it only contains 0xFF in the 0xE0000-FFFFF area). That firmware contains code (the entry point being at 0x40000), another interrupt vector, but also data such as pointer tables, localized strings, icons and JPEG files.
 * an unknown component addressed at 0x40060000
 * a RAM area with variables etc. above 0x69000000
 * another RAM area with variables etc. above 0x80000000
 * screen memory area at 0xCE57DC60-CE6A9C5F
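The address map above, turned into a small helper for reading disassembly: it names the region an address falls in, converts a firmware address to a file offset, and checks that the part of the image overlapping the ROM area is only 0xFF filler. This is an added example, not code from the original page or its tools; it assumes a raw decoded image whose first byte is loaded at 0x40000, and the upper bounds of the RAM regions and the one-address extent of the unknown component are placeholders.

```python
# D5100 "B" firmware address map from the list above (bounds inclusive).
FW_BASE, FW_END = 0x00040000, 0x00ABFFFF
ROM_START, ROM_END = 0x000E0000, 0x000FFFFF

# Checked in order, most specific first: the ROM window lies inside the
# firmware load range, and screen memory lies above the 0x80000000 RAM base.
REGIONS = [
    (0x00000000, 0x00001000, "microcontroller registers"),  # approximate on the page
    (ROM_START, ROM_END, "ROM"),
    (FW_BASE, FW_END, "firmware"),
    (0x40060000, 0x40060000, "unknown component"),  # extent unknown, one address
    (0x69000000, 0x7FFFFFFF, "RAM"),                # upper bound assumed
    (0xCE57DC60, 0xCE6A9C5F, "screen memory"),
    (0x80000000, 0xFFFFFFFF, "RAM"),                # upper bound assumed
]

def classify(addr):
    """Name the region a 32-bit address falls in, or 'unmapped'."""
    for lo, hi, name in REGIONS:
        if lo <= addr <= hi:
            return name
    return "unmapped"

def file_offset(addr):
    """Offset of addr in a raw image whose byte 0 is loaded at FW_BASE (assumed)."""
    if not FW_BASE <= addr <= FW_END:
        raise ValueError(f"0x{addr:08X} is outside the firmware load range")
    return addr - FW_BASE

def rom_window_is_filler(image):
    """True if the part of the image that overlaps the ROM area is all 0xFF."""
    lo, hi = file_offset(ROM_START), file_offset(ROM_END) + 1
    if len(image) < hi:
        raise ValueError("image does not reach the end of the ROM window")
    return image.count(0xFF, lo, hi) == hi - lo

if __name__ == "__main__":
    # Constructed sample, not a real firmware: zeros up to the ROM window,
    # then 0xFF filler, truncated at the end of the window.
    sample = bytes(0xA0000) + b"\xFF" * 0x20000
    print("ROM window is filler:", rom_window_is_filler(sample))
    for a in (0x40000, 0xE0000, 0x69000010, 0xCE57DC60):
        print(f"0x{a:08X} -> {classify(a)}")
```

An address that classifies as "ROM" still has a file offset, but the bytes found there in the image are filler rather than the code the CPU executes at that address.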