Personal View site logo

User Tools

Site Tools


sony-hack:languages

Changing camera languages

Part 1

As you may (not) know, many cameras from Sony sold in Japan have this strange feature of allowing only menus in Japanese language. I received such a camera (Sony alpha 65) and nor I or my friend in Japan were aware of this limitation. He bought for me a J1 type camera. Since the transport was not cheap (had to use UPS as being the only post service accepting at that time lithium-ion batteries in the parcel) I decided to not send back the camera after discovering that the only menus available are in Japanese language. I looked for a way of ‘moding’ the camera to show menus in some other language which will be easier to read (English – since I was not set to learn Japanese). For generation 2 type of cameras from Sony (among them Sony alpha 55, 65, 77) I found no ready hack or firmware mod which will accomplish this and therefore I had to start from scratch.

In the end I managed changing the language on a japan only (J1) sony slt-a65. On the first successful mod I ended up with Russian language. On the second try I got English and I stopped there.

Here is how I managed to do that but please be aware that there is always a risk or permanently damaging your camera.

Sony is using for their cameras an embedded Linux which is open source and you can find the kernels and packages on Sony website on developer section – Source Code Distribution Service (for example some of them):

Kernel:

Packages:

  • sony-target-srel-busybox-1.13.4-06000007di1.src.rpm
  • sony-target-srel-dosfstools-2.11-06000005.src.rpm
  • sony-target-srel-e2fsprogs-1.40.8-06000006.src.rpm
  • sony-target-srel-hostname-2.95-06000005.src.rpm
  • sony-target-srel-procps-3.2.7-06000006.src.rpm

When you run the FW update software from Sony (e.g. Update_SLTA65V105.exe) this will unpack in some directory (eventually in the windows temp) showing following structure.

In the Resource directory you will find the actual firmware as a big .dat file which is unique for all cameras of a certain type (therefore it has all the languages included).

I have chosen to do unpacking and repacking of the .dat file on linux for easy keeping file attributes intact. I installed an openSUSE 11 on a virtual machine and worked as root using Mono-IDE for writing C code (packing and unpacking the dat file) and Okteta Hex-editor for easy computing of CRC checksums and modification of files at bit level.

The dat file is structured as following:

 
8 bytes header,
 
4 bytes 01 00 00 00,
 
4 bytes holding the size of the DATV section,
 
DATV section,
 
4 bytes 01 00 00 00,
 
4 bytes with the size of the PROV section,
 
PROV section,
 
4 bytes 01 00 00 00,
 
4 bytes with the size of the UDID section,
 
UDID section,
 
4 bytes 02 00 00 00,
 
4 bytes with the size of the FDAT section
 
FDAT section (actual firmware),
 
4 bytes with the size of DEND section
 
DEND section,

4 bytes CRC checksum of the whole file without DEND section (including it’s size) as seen on the following image: (THIS YOU HAVE TO CHANGE ACORDINGLY IF YOU HAVE MADE MODIFICATIONS TO THE DAT FILE !!!!)

I cut every section of the dat file and save them in separate files. The FDAT section is the actual firmware. This part is encrypted (with SHA1 for generation 1 cameras and AES for gen 2 cameras). I would not post any decryption keys here but you can find a decriptor for this somwhere else (google is your friend).

After you decrypt the FDAT section (let out the first 4 bytes which is the name of the section – FDAT) you end up with something like this:

The decoded FDAT file has three sections:

  • A header 512 bytes long,
  • CROMFS boot partition 124*1024 bytes long (for a65)
  • rest is a tar archive (I called it FDAT_FW) holding the files for the camera. By opening this tar archive with

tar -xf your_FDAT_FW_file -C

you get to see the files like following (example for a65):

You can proceed further and decompress the partition images (nflash3, nflash8 … ) found under /0700_part_image/dev but this is not needed for getting the language hack working.

Under /0110_backup/SYSAVIP-DSLR/PS_UUG you will find a set of configuration files for different regions

Each region supports a set of languages as shown in the following table.

Languages supported by different camera regions (* = Standard, + = supported, – = not supported):

  • Region J1(JPN) supports Japanese only
  • Region U2, CA2, AU2 supports English, French, Chinese,
  • Region CEE2 (CEE) supports English, French, German, Spanish, Italian, Portugenuese, Dutch, Russia, Sweden, Danish. Norwage, Finnish, Poland, Czech, Hungarian.
  • Region CEE4 supports English, French, German, Spanish, Italian, Portugenuese, Dutch, Russia, Sweden, Danish. Norwage, Finnish, Poland, Czech, Hungarian.
  • Region CEE5 supports English, French, German, Spanish, Italian, Portugenuese, Dutch, Russia, Sweden, Danish. Norwage, Finnish, Poland, Czech, Hungarian.
  • Region CEH E32, HK1, JE3, TW6 supports English, Spanish, Portugenuese, Chinese, Arabic, Thai, Korean, Persian.
  • Region CN2 supports English, Spanish, Portugenuese, Chinese, Arabic, Thai, Korean, Persian.
  • Region KR2 supports English, Spanish, Portugenuese, Chinese, Arabic, Thai, Korean, Persian.

J1 type cameras are missing the menu option for changing the language therefore with the method described here you will only get instead Japanese a language which is a standard language for a region. Therefore only English, Spanish, Russian, Chinese and Korean are possible.

The idea is simple: swap the 01000000_CX86800_J1.bin file with one who has the standard language you want to have (e.g. 21000000_CX86801_CEE2.bin for Russian or 21000000_CX86801_CEE4.bin for Spanish). You will also have to swap some numbers in /0111_backup_sum/backup file. This file stores the checksums of all files in the backup directory (second column values inside the file).

After putting the dat file back from the modified pieces (I will describe how in the second part of this post), with modifying all the checksums accordingly (and also the fw version) you can upload the fw to the camera. On the first camera start after new fw has been uploaded the language will still be Japanese. You have to go to the last menu item on the camera menu and perform a camera reset to the factory settings. This step will read the configuration file from /0110_backup/SYSAVIP-DSLR/PS_UUG and will take the J1 file (J1 is fixed in an eprom inside the camera) which by now is holding the configuration for another region.

Part 2

In this part I will explain how to put back all parts of the firmware and where to modify the checksums to have a valid .dat file. (Part 1 is to be found here)

As you remember the FDAT_FW part of the FDAT section (after decrypting it) is a simple tar archive which you can openup using tar tools under linux (I used openSUSE). If you try to use the same tar utilility to put the archive back you will observe that the new tar archive is not identical with the original one.

I had to modify the source of the tar utility and compile it anew. The source code for tar 1.26 is at http://www.gnu.org/software/tar/#releases. The changes are needed in the create.c file in src directory (comment lines 1889 to 1897 — see picture bellow).

Wih this modified tar utility and having the changes performed on the files (as described in Part 1) you tar back the directory structure as following:

tar -tf original_FDAT_FW_file | /usr/local/bin/tar -H ustar –no-recursion -b 5 -cf new_FDAT_FW_file -C location_where_directory structure_is -T -

The first tar command will read the table of contents (TOC) in the original FDAT_FW and organize the TOC for the new tar archive in the same way.

The header (512 byte long) from the FDAT section has to be also modified to increase the fw version number. The version number is to be found at offset 0×20 (minor version) and 0×21 (major version). After increasing the count of the minor version the checksum of the header have to be modified as well. The checksum starts at offser ox08 and is 4 bytes long but written in reverse order as seen in the picture bellow (is the checksum of the header without the first 12 bytes).

Glue now together the header, the CROMFS part and the new tar archive and you have a FDAT section ready to be encrypted (AES for gen2 cameras).

After encryption you have to know the new size of the FDAT section (this have to be written just before the section in the final .dat file). Put together all the sections of the .dat file (header, DATV, PROV, UDID, new FDAT, DEND) and do modify the last 4 bytes to match the CRC of the new created file (see picture on Part 1).

You have now a new .dat file ready to upload to your camera.

On the first camera start after new fw has been uploaded the language will still be Japanese. You have to go to the last menu item on the camera menu and perform a camera reset to the factory settings. This step will read the configuration file from /0110_backup/SYSAVIP-DSLR/PS_UUG and will take the J1 file (J1 is fixed in an eprom inside the camera) which by now is holding the configuration for another region.

Happy moding and don’t blame me if you brick your camera.

sony-hack/languages.txt · Last modified: 2015/08/10 12:32 by vitaliy_kiselev