Personal View site logo
Sony Alpha hacks talk
  • 238 Replies sorted by
  • @ma1co Thank you very much for your work. This patch is easy to handle and works very well with my A7s (firmware 3.1).

  • Yeah A7 series can handle heat much better than APS-C model it seems, the A6300/A6000/A5100/A5000 all overheat..

  • @oscillian I have had the A5100, it overheats. The A6000 is meant to not be as bad, but even it overheats as well....

    This mod could be great for an A7s however.

  • Which aps-c model would you pick that doesn't overheat though?

    Samsung :-) NX500 records 160Mbit HEVC videos.

  • Excellent! Which aps-c model would you pick that doesn't overheat though?

  • Nice work! Also handy for imported US models and set local language

  • nice one. Is there also an easy way to unlock playmemories on a Chinese NEX-6 without entpacking / changing bin to europe + calculate crc + compile?

  • Wow, this is big big news! Great for people who might be importing Sony cameras from Japan.

  • @ma1co

    you save my wedding job tomorrow! never run back to b-cam to reset the 29.50. Thank you very much!! image

    3264 x 2448 - 2M
    1024 x 768 - 579K
  • Big news: I've managed to unlock the 30min video recording limit and the language menu (for people with cameras fixed to Japanese). Test the app and tell me if it works:

  • @malco You are quite correct , Thanks so much . I just disassembly CA_2_0.APP in folder 0630_ca , then got tons of TMP19A44 instructions , i'm sooooo familiar with them ! Thanks again .

    BTW , anybody is willing to analyze TMP19A44 firmware ? i'll be very glad to work with him/her .

  • @alamizsna I'm glad the the firmware packing works for you. I can't really help you with the rest, I never tried that myself...

    @Leegong Look at the 0630_ca / 1630_ca folder in the firmware tar. It contains definitely TMP19A44 MIPS code. The 2nd gen devices have a CA_0_0.BOO file (probably the bootloader) and CA_2_0.APP.

  • After soft bricking twice and flashing 5 different mods successfully, I wasn't able to get any other language. I've tried:

    • swapping _UC2.bin with _J1.bin
    • swapping ALLLANG.bin, twice
    • replacing every bin with the ALLLANG.bin (no boot)
    • editing the files, swapping their names there too, as the header contains it (see attachment).

    Of course I made a factory reset after every update.

    I've got no other idea, I just assume they noticed and essentially eliminated this easy way of modifying the japanese unit's language in ILCE-6000. Or maybe I'm just missing something here.

    1245 x 482 - 65K
  • Somehow I missed the importance of line endings. Patch works now, repacking works, updating works.

    Now, I've read on nex-hacks that after making the changes you want, you can just put everyting back into a .tar with 7-zip, but I've noticed that this of course heavily messes up permission attributes.

    I can tell the original attributes are stored in a text file next to the extracted folder. How should I go packing it up properly after making the changes?

    What I'm trying to accomplish in the end is to set the default language to english. As far as I understand, all I have to do is swap the *_J1 file in the backup folder with the *_ALLLANG (so swap their names) and do the same in the sum file.

    EDIT1: I've managed to put everything back together properly on debian, with the modified tar utility explained in /faqs/sony-hack/languages. I was a little bit worried since the new tar file came out 2kb bigger, but I did it anyway. It took its time but the camera finished updating without any issue, and now the version says 3.11 in camera menu too, but doing a factory reset didn't change the language...

    Maybe they prevented this mod somehow? Or I should use another file instead of ALLLANG as J1.

    I'll experiment more tomorrow, I'm going to sleep now.

  • You definitely messed up with the code. The first ~512 bytes of your file are encrypted with the wrong key. Lines 0xf0 to 0x280 should be the same in both files (each line is an encrypted block of 16 bytes set to zero, so it should yield the same result every time). So check that you've applied the patch correctly!

    As I said in my previous post, for the patch command to work on windows, you have to replace all line endings (\n) with \r\n in the diff file. I guess that's why it crashes.

  • It's not the USB connection.

    The 2 files have the same size, and when I swap them, the updater works (or at least checks the version)

    I thought maybe I messed something up by patching by hand, but then it would probably either wouldn't build or wouldn't work at all.

    I couldn't get the patcher to work, once I try to run it with the diff file, it crashes.

    I attached how the beginning of the two files look like. Is this normal?

    1557 x 957 - 194K
  • Sry, I can't really help you, it works fine for me (at least until the version check, I didn't actually flash the firmware).

    I don't really think that the actual firmware image is the issue, it's rather your USB connection. If the .dat container was corrupted, another error would be shown in the beginning. If the actual encrypted fdat image was corrupted, this would only be detected during the version check one step later.

    Maybe make sure that and FirmwareData_NexHack.dat have exactly the same size and almost the same content (just some bytes near the beginning (the version) and some bytes in the end (the checksum) should be different).

    Maybe try flipping the 2 files. Theoretically you should have the same problem with the original image.

  • Thank you ma1co Sadly, the problem persists. I really got my hopes up when reading your reply, just to fail again :)

    Here's the steps I'm doing: (fwtool.exe and update.exe file in the same folder)

    1. cmd: fwtool Update.exe
    2. -- success
    3. rename FDAT_fw.tar to FDAT_fw.mod.tar
    4. rename FDAT_fs00.fsimg to FDAT_fs00.mod.fsimg
    5. cmd: fwtool -c Update
    6. --success
    7. camera plugged in, turned on, run the update
    8. gif attachment related
    959 x 745 - 75K
    611 x 422 - 185K
  • To apply the patch, use "patch -p1 -i patchfile.diff". On windows, you can download the patch binary here: (make sure the diff file has windows style line endings)

    The build is already broken in version control, just add the fwt_uxbrowse files to your project.

    Repacking should also work for gen3 firmware. Make sure you not only rename FDAT_fw.tar to FDAT_fw.mod.tar, but also FDAT_fs00.fsimg to FDAT_fs00.mod.fsimg.

    As always, be careful. It is too damn easy to brick your camera this way.

  • So did anyone ever managed to flash a repacked firmware onto gen 3 devices with the fwtool + patch?

    Decrypting works perfrectly, but even if I use the original FDAT_fw.tar and rename it to FDAT_fw.mod.tar, the repacking runs without errors, but then right before the tool would detect my camera (the first time I click NEXT) I get this, but only when the camera is connected: "The update is aborted due to an error during the process. Follow the following procedures. (remove hardware, reboot camera, reboot the software, etc)"

    Running the original fw update tells me there's no need to update, so it's not the detection of my camera.

    I will eventually want to change the language on my sony a6000, and in theory I know how to do that, but until repacking gets sorted out there's no point :S After failing to apply the patch with tortoisemerge and a bunch of others (even gnu patch for windows), I applied the patch BY HAND (dont judge ;_;) I've found that one thing is missing from the patch to be able to build, you have to add "fwt_uxbrowse.c" and "fwt_uxbrowse.h" to the cbp file, just like it adds fdat_cipher_gen3.h and .c

    Later I might dig into the source, I'm assuming only unpacking is implemented for gen 3 properly. I've done some programming before, but never played around with other people's code. A couple of months and I will get it ;)

  • @Vitaliy_Kiselev , I agreed with you , there should be one file for TMP19A44 firmware ,
    i disassembly several files in 0800_appli directory , none of them seems to match with TMP19 binary code , maybe it is compressed or encrypted or ... so i just wonder , anybody gets bin file (firmware) for this TMP19A44 ?

  • @Leegong

    By idea it must be part of firmware. So you need to look at all files after unpacking.

  • Just found Toshiba TMP19A44 on A55 camera main board , according to A55 level3 repair manual , TMP19A44 is responsibile for E mount communication with lens , did you guys get bin file (firmware) for this TMP19A44 ?

    1074 x 702 - 95K
  • On the main board of Sony 55-210 f4.5-5.6 lens ,there is a lens motor driving chip BU24130GU-E2 by ROHM , could anybody share datasheet/manual of this chip with me ?